pki-kra-10.5.18-17.el7_9>t  DH`pai$ƨyRAl)ۅTOC3B5,To({7-zi XP&XeS6οjxf˗Y F3hCStVߵBZ Wgu' ,q}n +zqYE9xͱA.f_cғH9mR"b]_kX#8lmT 0XM1`q&3Ue گ%gfí  ujS2d} ZD~8k=eed3CmW.+f+ZL-tCloP;@`v5`]ZumAfC'Iآiz|4Nv=yR p A0'Vo ñOב+|-qCڳiҧ݈7)X==\"(.)/2wP&KIsZ7b80573189def8c6318f29c69f39ccf43f8af7f0ai$ƨC/i5zxR,Ofe%݈0]2,@̝i9  )odF8o טFۓ`ؐLY@gʹJi5 _epߑVy+(EG&dlDZ%`OFBXA"Ģh6xZ^m-hfR%=e}~W_ѐ YHFl*sYn2'nwߕ@:5rEW5?iي2OXj}Yy׌ҾPOU't%Y-I!u˥_Gp0?^͋rz͝zI%CpiVqY +I[˭A)qAyoq1M۝ 7^vZ"hꤰ` O%(IDQXH,-e#_ȥ 0K~n2,|_`6 G'QuἚb<(:U🟙*>ظIkRR^mCQDˌ/>7O?Od   G        4 R X `ll l l pl (l )l+Xl-tl//l1d1l 1 2D (2u82|96:gG8dlH:lI;lX<0Y<4\-pki-server-theme NOTE: As a convenience for standalone deployments, top-level meta packages may be provided which bind a particular theme to these certificate server packages.ah#x86-02.bsys.centos.orgCentOSGPLv2CentOS BuildSystem System Environment/Daemonshttp://pki.fedoraproject.org/linuxnoarch=mYD M!6 S}F}\ g(; #%##"x/   P 9M]g')t K+7ehf`\ #+##'2<!k, " wA큤AA큤AA큤A큤AAA큤A큤AAAA큤A큤ah#^2ah#ah#ah#ah#rah#ah#^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2ah#^2ah#ah#ah#^2^2ah#^2^2^2ah#ah#ah#ah#ah#ah#ah#ah#ah#^2^2ah#ah#ah#^2^2^2^2^2^2^2^2ah#p^2^2^2^2ah#^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2d6bf5823021651d1cb53350adcf4bb818ac77768f5cbc43898ad06af1036b00edd6c5643bf6dfa1dc14f883fcd09f8b68fe7b742d33591720461352fa341b0a77b44149720eaf0407e16ee9e0f8ae72b352b4f6f4622bd810b001b5d85deb36e380b9107081800a248ca7a064562c80b123ebb13889486c8fffb533b5b5f63068f1dd8aacafde7444b474dc2bd8e3634df688009ca5c7f8015cbbb4351ca667388f7cb8f0cf201fbf0e12c62429b8e798438c7586948ed8878cbaf131a3b0f468075fca87218754d0e1cda0c922b6f3665d32cd15bd02f93ed245f68d4342ac4747a7ad8823f14f1e52344b158db9a5cac37858fd7d77fb62795426b40f153d4e5aa4c4ea965737cf4d247523765a5850cba9f086d276e92ae9cc224f8128123daf83af32352768f970da204178f58ccbdea0f2cf9f3bc82f28fac0a2a47e2a527ed767345475519c0b68cc96bd20f23cb2045c3829dcc72c67a4f1a133a7d155ec67643ebfdcec431c7d61966510fefc3e691ff14a09438257c5c23fe66d54bb14050386b6df46fef8e6214e41579d09c780d19d242741f29c2809ef973cefeb760a2dee6aef9a244f84690b0e80d22f419f277d615a90b129483aa669128f6767d3c20dc56e7c6f0ba342130b0160dd473330845cc80f17f5ea872d0fd5031448b089c45226bb2cf6dad3cdf581c3af18a90d6b911ccb66c7b2179a7a75fd1bca75eac7d894fd5cd1ea75a0ed89170c0d4d1580016ef8436ecf4e619543752303a3f673928e2839845976001deaec22af953bacd3b72fe5c49443a185a898c26d1e3ccc9375d6256e77b91817081f349ed0b5115ce58d43c2720c3473e5e440931144adecc3e739b8e90e79978a1c24da8e3f19df422256cdacb909942f04c1463861b5901af132d310917e6f413300c51d1550d3019a30cf22d1de3a94fe7e1f16dfc4891efbc5f8b12d38381041f75aeef95dda09a3c728bac964a8660a1bdde4c0aefb36f1162726bb551a958e9ff0de0333133702e0312e1bbe8c64c60f940b149f3278ebe2f7040e9224cb5d49ad2e896b807877864ae209975fdba39fe55d9dabe5730b830109f5d6bad9227eea0387e9b425cbdf52e9aecb5044ddffe8e98d26730ff60f728d0e080cf63e44ec0bc72932c375894c729bda2b364a1272612c2005dcad021f513cc99590d3eddcbd0943208feb340699371199f997cbdc94d667eb164fe14473fddcf73e6d94a900625a8b34413c3644876fa6cde884f4ab4dcaf087b7c4f19ee478f417cbed2a795077a6756951460095e218af9182e19f93b4be505b09e226e4a3b99d72eae82a72f405e7d89a22e8eda014d5d36a530cfa996d1101fb3b07ef12de2101bfe688fc4cd55ca9ccc33f9dca7087e8a831c3bd3e90d7f32167749ec6c6dcee365bf920f8e1cfa91af896404d1229ebce00d651d3984b45e8018392211eec9609f0f7ea34c4cb2b6d24cc4d38a9354508bbb1093626dba946d692324a87eace7f835e956cc86ac3a169fced8b2824878d5c34ffa37e009b172504474fec6f4aac965e0e1a463eb765e8c3b4c8a55cdf0aa1b54bceb5df380f7fb1ca90dc4d6ee9f1ab73ce43f532a85e944f5b371a591716b91bc1841c1f76c7e9824debc567c81da6b2357c72f2ba79bffaf4ba129bcf325bb79d689a8bb887992e43ac22aab0c187599395419df5d4d419a233f95549c80bd279299a5e3db6bf0f1446060bb9d3856342b145f76385ca1e42a6599f13cd074c49414cbab0bfbce300a5f52d998d99532a34bf8f0be8eaa97eb8b73fe7186e454bf11475fb89e70283aebd7d3b913baa865e57d465418ac32295631ab8de37b68b658435c45c3e79b8d91085063b4764cb63af21cefaca358c07ccba79aa72c6b2e52b47aac7e7d204effb742419b5194ca1e20369fdcc25d23b471ee9902c09334fc549604ff49152c6ab93e45b2d09989ed85c9e8de26953bdf3a4b161e364c199fdba6d7a9c62eb09a93db390b3225ee6b2e5267b5e016056ba8ef3c70533c10c58c6bb6e6b59b4e994df6f980a5bc0d77a7f4f96925389aefadc116b6074076964bd3421a6296f1fcb5505bac1f7a23a3833a7bf36d457ba09d3a5abbe69efd5d9e13de6a20d7ca2562313178d752460db591b4fe56b8fad305d2cfdb76516962bf699fad5d6291de370a4dab04c21ddec0aebc16659bb0952b895c5d3fc87e733619d451271518f58f95267472cfcf111d65a5ffbfec5d1598ccc6c9f7548e09de4cec6924e2cb4fefb9dbbfa52369f7b1de7d34889a279024677b6f464d0d9bb08c8157b7c92293e4245e735eacc25dae6c6b70a55f81ea3a1da930afb7a59f632ee20620c07c13d5294c195d77f9fb0a07db3743851d8a8aa27d72655b1f09c4e1d3c11c20f442118c706db0808f5a44a80a45619d6dfcd4be5607d1fd9f59439c5efd43308c1b45411ea51d59b894d29d788abd5dfe4d34f4878966dc1df54c8ccc2b9353a475063df6fe2c95426730695078a6839796ef1370ff75db78c7f69c17f1990c49f03adec681ca2966df1cf879c8393b16ac292df37b576035e32b1c0336c9fb9df2d6202a726d48179e1dd494db38f94b4aaba1dcf7d10bb925b7cc7738d0e77935d251b22c247119d61a369f5314da511568dc631b92e3241f7146840c6df40a1db607752671d475b91a7ee97584c73f2f5abec6aed611046c0fc83844860c83f52d7db63d17dead6ae2c472914f4b64c1ea83d2a834712471a12f07a5855c7c8a0c0a48eb38ad5777f5eec9ad7544a58a0831a0cff4bb4835af4b7eb04035738711dd50a4968482f656f88e8e68b4a4720fc6f5efcc0110a5f068759b2daef538471dd0c04721a7e8fdb24f4b186bcd6bb9fd3e2afa52e9fcf22f5c70d8a7130dfe1bdb06a1e7e0130e65ebda1e71f36992fef63cf339a1d478c2ba0c588bb1d4bedacbd0d032d6552a06ec98dbf416610661214af0dfd34996ddb2491353dae287b5ea640903601375e41df3a68ddcba44e9a04c7a623d5f397244a362112fc148b25a7f807b3f9006a07a5e6fa8e318b44d72d9a2cc1044698337f2afb6d22e7de75bb55e9b45319cacd292721976fc55cbd658411516cc9966e5d01b7524f3cd8e31d3db15878b22e175729fea56d74888a62fc22ae3b35ff72cb81e9c91b5ae40f0eda38421efaf6c2ea37ac2bf86a686c635ef630edc71443016cf5b652a848a5d497b94a0def8b35ae0d17b9d371890134b7e84bc26f2aa0151da75c0b4ee6a08c38c6923e144f7b719cd958990abe6dcdc74afad7b8b465a959b0fdcb8b288f6897c157ccbdb2c2f115e084ac06471cc99b3e2cf80956d139fe566364453ae08929677b123b5f36900eabf6205fc33947d99eeb97bdb30938ee64a837c220bbe58faa0f4f7ebceb785c8629b87c7f0fdae55ab0a638fde3851c29956fb1119af3ee29e945a3198bcc978be94922e2fabafe215a4f362b5c6129678597b18ea0add0bf4bcd3c944d37ac1e3a6d4ad93cbbee979c2b726448f8ef2e0a2df7617023e6eb26974199f246cf15d0e96dd06e4fffec521f96524624a589702d0c070efe06f3cafd7cf41af43c99f082f63463174ef492c4cfd60d1ea5ea81d71941755e29d55786dcbaacb5e8d4fadcd770a1d765583f70c9524152c1f10dc0b184a6e82f437d28c6d280dbd2457c9d784da59e6b2bab81e1e560573dad04db79cabffddc2bf2ccdf5cca914f4bf3a778c1dffee2dd8903584b6474653b660dc940ba8d515da7518817152b1369d945051134bd1c9dc4c50a21cb98fda4b797ddb9dd0496d4b23af1b0e300f28c72f815115/usr/share/java/pki/pki-certsrv.jar/usr/share/java/pki/pki-cms.jar/usr/share/java/pki/pki-cmsbundle.jar/usr/share/java/pki/pki-cmscore.jar/usr/share/java/pki/pki-cmsutil.jar/usr/share/java/pki/pki-kra.jar/usr/share/java/pki/pki-nsutil.jar/usr/share/pki/server/webapps/pki/admin/consolerootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpki-core-10.5.18-17.el7_9.src.rpmpki-kra    java-1.8.0-openjdk-headlesspki-serverrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)systemd-unitssystemd-unitssystemd-unitsrpmlib(PayloadIsXz)10.5.18-17.el7_93.0.4-14.6.0-14.0-15.2-14.11.3aA@a`@``e@`6?`%@_$_@_@^V@^@^@^U@^=@^@^]]@]@]]v>]R@] u@\\@\f\T4\R@\\U@\[@[{[l,[`O@[U@[>@[d@[@[o[@ZUZ@Z@ZZxG@Zg#Z.s@Z@Z ZYYY@Y@Y@YoIYlYGY>@Y5GY-^Y$$@Y"Y@Y#@X@XX@XO@X*XRXOX!@X&X2@WWҤ@WίW#W:WWt@W{@Wu WgWV@WV@WV@WV@WV@WV@W 10.5.18-17Dogtag Team 10.5.18-16Dogtag Team 10.5.18-15Dogtag Team 10.5.18-14Dogtag Team 10.5.18-13Dogtag Team 10.5.18-12Dogtag Team 10.5.18-11Dogtag Team 10.5.18-10Dogtag Team 10.5.18-9Dogtag Team 10.5.18-8Dogtag Team 10.5.18-7Dogtag Team 10.5.18-6Dogtag Team 10.5.18-5Dogtag Team 10.5.18-4Dogtag Team 10.5.18-3Dogtag Team 10.5.18-2Dogtag Team 10.5.18-1Dogtag Team 10.5.17-6Dogtag Team 10.5.17-5Dogtag Team 10.5.17-4Dogtag Team 10.5.17-3Dogtag Team 10.5.17-2Dogtag Team 10.5.17-1Dogtag Team 10.5.16-3Dogtag Team 10.5.16-2Dogtag Team 10.5.16-1Dogtag Team 10.5.9-13Dogtag Team 10.5.9-12Dogtag Team 10.5.9-11Dogtag Team 10.5.9-10Dogtag Team 10.5.9-9Dogtag Team 10.5.9-8Dogtag Team 10.5.9-7Dogtag Team 10.5.9-6Dogtag Team 10.5.9-5Dogtag Team 10.5.9-4Dogtag Team 10.5.9-3Dogtag Team 10.5.9-2Dogtag Team 10.5.9-1Dogtag Team 10.5.1-13.1Dogtag Team 10.5.1-13Dogtag Team 10.5.1-12Dogtag Team 10.5.1-11Dogtag Team 10.5.1-10Dogtag Team 10.5.1-9Dogtag Team 10.5.1-8Dogtag Team 10.5.1-7Dogtag Team 10.5.1-6Dogtag Team 10.5.1-5Dogtag Team 10.5.1-4Troy Dawson - 10.5.1-3Dogtag Team 10.5.1-2Dogtag Team 10.5.1-1Dogtag Team 10.5.0-1Dogtag Team 10.4.1-15Dogtag Team 10.4.1-14Dogtag Team 10.4.1-13Dogtag Team 10.4.1-12Dogtag Team 10.4.1-11Dogtag Team 10.4.1-10Dogtag Team 10.4.1-9Dogtag Team 10.4.1-8Dogtag Team 10.4.1-7Dogtag Team 10.4.1-6Dogtag Team 10.4.1-5Dogtag Team 10.4.1-4Dogtag Team 10.4.1-3Dogtag Team 10.4.1-2Dogtag Team 10.4.1-1Dogtag Team 10.4.0-1Dogtag Team 10.3.3-18Dogtag Team 10.3.3-17Dogtag Team 10.3.3-16Dogtag Team 10.3.3-15Dogtag Team 10.3.3-14Dogtag Team 10.3.3-13Dogtag Team 10.3.3-12Dogtag Team 10.3.3-11Dogtag Team 10.3.3-10Dogtag Team 10.3.3-9Dogtag Team 10.3.3-8Dogtag Team 10.3.3-7Dogtag Team 10.3.3-6Dogtag Team 10.3.3-5Dogtag Team 10.3.3-3Dogtag Team 10.3.3-2Dogtag Team 10.3.3-1Dogtag Team 10.3.3-0.1Dogtag Team 10.3.2-5Dogtag Team 10.3.2-4Dogtag Team 10.3.2-3Dogtag Team 10.3.2-2Dogtag Team 10.3.2-1Dogtag Team 10.3.2-0.1Dogtag Team 10.3.1-1Dogtag Team 10.3.0-1Dogtag Team 10.3.0.b1-1Dogtag Team 10.3.0.a2-2Dogtag Team 10.3.0.a2-1Dogtag Team 10.3.0.a1-2Dogtag Team 10.3.0.a1-1Dogtag Team 10.3.0-0.5Dogtag Team 10.3.0-0.4Dogtag Team 10.3.0-0.3Dogtag Team 10.3.0-0.2Dogtag Team 10.3.0-0.1Dogtag Team 10.2.7-0.3Tomas Radej - 10.2.7-0.2Dogtag Team 10.2.7-0.1Dogtag Team 10.2.6-1Dogtag Team 10.2.6-0.3Dogtag Team 10.2.6-0.2Dogtag Team 10.2.6-0.1Dogtag Team 10.2.5-1Dogtag Team 10.2.5-0.2Dogtag Team 10.2.5-0.1Dogtag Team 10.2.4-1Dogtag Team 10.2.4-0.2Dogtag Team 10.2.4-0.1Dogtag Team 10.2.3-1Dogtag Team 10.2.3-0.1Dogtag Team 10.3.0-0.1Dogtag Team 10.2.3-0.1Dogtag Team 10.2.2-1Dogtag Team 10.2.2-0.1Dogtag Team 10.2.1-1Matthew Harmsen - 10.2.1-0.4Ade Lee 10.2.1-0.3Christina Fu 10.2.1-0.2Dogtag Team 10.2.1-0.1Ade Lee 10.2.0-3Matthew Harmsen - 10.2.0-2Dogtag Team 10.2.0-1Matthew Harmsen - 10.2.0-0.10Matthew Harmsen - 10.2.0-0.9Matthew Harmsen - 10.2.0-0.8Fedora Release Engineering - 10.2.0-0.5Jack Magne - 10.2.0-0.7Matthew Harmsen - 10.2.0-0.6Matthew Harmsen - 10.2.0-0.5Ade Lee - 10.2.0-0.4Fedora Release Engineering - 10.2.0-0.3Michael Simacek - 10.2.0-0.2Dogtag Team 10.2.0-0.1Ade Lee 10.1.0-1Ade Lee 10.1.0-0.14Ade Lee 10.1.0-0.13Ade Lee 10.1.0-0.12Ade Lee 10.1.0-0.11Endi S. Dewata 10.1.0-0.10Abhishek Koneru 10.1.0.0.9Abhishek Koneru 10.1.0.0.8Endi S. Dewata 10.1.0-0.7Endi S. Dewata 10.1.0-0.6Endi S. Dewata 10.1.0-0.5Ade Lee 10.1.0-0.4Endi S. Dewata 10.1.0-0.3Matthew Harmsen 10.1.0-0.2Ade Lee 10.1.0-0.1Endi S. Dewata 10.0.2-5Ade Lee 10.0.2-4Ade Lee 10.0.2-3Endi S. Dewata 10.0.2-2Ade Lee 10.0.2-1Ade Lee 10.0.2-0.8Endi S. Dewata 10.0.2-0.7Endi S. Dewata 10.0.2-0.6Ade Lee 10.0.2-0.5Endi S. Dewata 10.0.2-0.4Endi S. Dewata 10.0.2-0.3Endi S. Dewata 10.0.2-0.2Endi S. Dewata 10.0.2-0.1Endi S. Dewata 10.0.1-9Ade Lee 10.0.1-8Endi S. Dewata 10.0.1-7Matthew Harmsen 10.0.1-6Endi S. Dewata 10.0.1-5Endi S. Dewata 10.0.1-4Matthew Harmsen 10.0.1-3Matthew Harmsen 10.0.1-2Ade Lee 10.0.1-1Matthew Harmsen 10.0.0-5Matthew Harmsen 10.0.0-4Ade Lee 10.0.0-3Ade Lee 10.0.0-2Ade Lee 10.0.0-1Matthew Harmsen 10.0.0-0.56.b3Endi S. Dewata 10.0.0-0.55.b3Endi S. Dewata 10.0.0-0.54.b3Ade Lee 10.0.0-0.53.b3Ade Lee 10.0.0-0.52.b3Endi S. Dewata 10.0.0-0.51.b2Endi S. Dewata 10.0.0-0.50.b2Matthew Harmsen 10.0.0-0.49.b2Ade Lee 10.0.0-0.48.b2Matthew Harmsen 10.0.0-0.47.b1Ade Lee 10.0.0-0.46.b1Ade Lee 10.0.0-0.45.b1Ade Lee 10.0.0-0.44.b1Ade Lee 10.0.0-0.43.b1Ade Lee 10.0.0-0.42.b1Ade Lee 10.0.0-0.41.b1Ade Lee 10.0.0-0.40.b1Endi S. Dewata 10.0.0-0.40.a2Endi S. Dewata 10.0.0-0.39.a2Ade Lee 10.0.0-0.38.a2Endi S. Dewata 10.0.0-0.37.a2Ade Lee 10.0.0-0.36.a2Endi S. Dewata 10.0.0-0.36.a1Endi S. Dewata 10.0.0-0.35.a1Endi S. Dewata 10.0.0-0.34.a1Ade Lee 10.0.0-0.33.a1Matthew Harmsen 10.0.0-0.32.a1Endi S. Dewata 10.0.0-0.31.a1Endi S. Dewata 10.0.0-0.30.a1Endi S. Dewata 10.0.0-0.29.a1Endi S. Dewata 10.0.0-0.28.a1Endi S. Dewata 10.0.0-0.27.a1Endi S. Dewata 10.0.0-0.26.a1Endi S. Dewata 10.0.0-0.25.a1Endi S. Dewata 10.0.0-0.24.a1Matthew Harmsen 10.0.0-0.23.a1Endi S. Dewata 10.0.0-0.22.a1Endi S. Dewata 10.0.0-0.21.a1Matthew Harmsen 10.0.0-0.20.a1Matthew Harmsen 10.0.0-0.19.a1Matthew Harmsen 10.0.0-0.18.a1Endi S. Dewata 10.0.0-0.17.a1Matthew Harmsen 10.0.0-0.16.a1Ade Lee 10.0.0-0.15.a1Christina Fu 10.0.0-0.14.a1Endi S. Dewata 10.0.0-0.13.a1Endi S. Dewata 10.0.0-0.12.a1Ade Lee 10.0.0-0.11.a1Matthew Harmsen 10.0.0-0.10.a1Matthew Harmsen 10.0.0-0.9.a1Jack Magne 10.0.0-0.8.a1Matthew Harmsen 10.0.0-0.7.a1Endi S. Dewata 10.0.0-0.6.a1Ade Lee 10.0.0-0.5.a1Endi S. Dewata 10.0.0-0.4.a1Matthew Harmsen 10.0.0-0.3.a1Matthew Harmsen 10.0.0-0.2.a1Nathan Kinder 10.0.0-0.1.a1Ade Lee 9.0.16-3Endi S. Dewata 9.0.16-2Matthew Harmsen 9.0.16-1Matthew Harmsen 9.0.15-1Matthew Harmsen 9.0.14-1Ade Lee 9.0.13-1Matthew Harmsen 9.0.12-1Matthew Harmsen 9.0.11-1Matthew Harmsen 9.0.10-1Matthew Harmsen 9.0.9-1Matthew Harmsen 9.0.8-2Matthew Harmsen 9.0.8-1Matthew Harmsen 9.0.7-1Matthew Harmsen 9.0.6-2Matthew Harmsen 9.0.6-1Matthew Harmsen 9.0.5-2Matthew Harmsen 9.0.5-1Matthew Harmsen 9.0.4-1Matthew Harmsen 9.0.3-2Matthew Harmsen 9.0.3-1Matthew Harmsen 9.0.2-1Matthew Harmsen 9.0.1-3Matthew Harmsen 9.0.1-2Matthew Harmsen 9.0.1-1Matthew Harmsen 9.0.0-3Matthew Harmsen 9.0.0-2Matthew Harmsen 9.0.0-1- ########################################################################## - # RHEL 7.9 (Batch Update 8): - ########################################################################## - Bugzilla Bug 1958788 - ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500 [ftweedal, ckelley] - ########################################################################## - # RHCS 9.7: - ########################################################################## - Bugzilla Bug #1774177 - Rebase redhat-pki, redhat-pki-theme, pki-core, and pki-console to 10.5.18 in RHCS 9.7 (Batch Update 7)- ########################################################################## - # RHEL 7.9 (Batch Update 8): - ########################################################################## - Bugzilla Bug 1958277 - PKCS10Client EC Attribute Encoding [cfu] - Bugzilla Bug 1958788 - ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500 [ftweedale, ckelley] - ########################################################################## - # RHCS 9.7 (Batch Update 8): - ########################################################################## - Bugzilla Bug 1959937 - TPS Allowing Token Transactions while the CA is Down [cfu] - Bugzilla Bug 1979710 - TPS Not properly enforcing Token Profile Separation [cfu]- ########################################################################## - # RHEL 7.9: - ########################################################################## - Bugzilla Bug 1905374 - restrict EE profile list and enrollment submission per LDAP group without immediate issuance [rhel-7.9.z] (cfu) - ########################################################################## - # RHCS 9.7: - ########################################################################## - Bugzilla Bug #1774177 - Rebase redhat-pki, redhat-pki-theme, pki-core, and pki-console to 10.5.18 in RHCS 9.7 (Batch Update 7)- ########################################################################## - # RHEL 7.9: - ########################################################################## - Bugzilla Bug 1911472 - Revoke via REST API not working when Agent certificate not issued by CA [rhel-7.9.z] (cfu) - Bugzilla Bug 1914587 - RHEL IPA PKI - Failed to read product version String.java.io.FileNotFoundException (ckelley) - Bugzilla Bug 1942687 - TPS not populating Token Policy, or switching PIN_RESET=YES to NO [rhel-7.9.z] (jmagne) - Bugzilla Bug 1955633 - Recovery of Keys migrated to latest version of KRA fail to recover and result in Null Point Exception [rhel-7.9.z] (jmagne) - ########################################################################## - # RHCS 9.7: - ########################################################################## - Bugzilla Bug #1774177 - Rebase redhat-pki, redhat-pki-theme, pki-core, and pki-console to 10.5.18 in RHCS 9.7 (Batch Update 6)- ########################################################################## - # RHEL 7.9: - ########################################################################## - Bugzilla Bug 1949136 - PKI instance creation failed with new 389-ds-base build (jmagne) - Bugzilla Bug 1949656 - CRMF requests with extensions other than SKID cannot be processed (cfu) - ########################################################################## - # RHCS 9.7: - ########################################################################## - Bugzilla Bug #1774177 - Rebase redhat-pki, redhat-pki-theme, pki-core, and pki-console to 10.5.18 in RHCS 9.7 (Batch Update 6)- Change variable 'TPS' to 'tps' - ########################################################################## - # RHEL 7.9: - ########################################################################## - Bugzilla Bug 1883639 - Add KRA Transport and Storage Certificates profiles, audit for IPA (edewata) - ########################################################################## - # Backported CVEs (ascheel): - ########################################################################## - Bugzilla Bug 1724697 - CVE-2019-10180 pki-core: unsanitized token parameters in TPS resulting in stored XSS [certificate_system_9-default] (edewata, ascheel) - Bugzilla Bug 1725128 - CVE-2019-10178 pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab [certificate_system_9-default] (edewata, ascheel) - Bugzilla Bug 1791100 - CVE-2020-1696 pki-core: Stored XSS in TPS profile creation [certificate_system_9-default] (edewata, ascheel) - Bugzilla Bug 1724688 - CVE-2019-10146 pki-core: Reflected Cross-Site Scripting in 'path length' constraint field in CA's Agent page [rhel-7.9.z] (dmoluguw, ascheel) - Bugzilla Bug 1789843 - CVE-2019-10221 pki-core: reflected cross site scripting in getcookies?url= endpoint in CA [rhel-7.9.z] (dmoluguw, ascheel) - Bugzilla Bug 1724713 - CVE-2019-10179 pki-core: pki-core/pki-kra: Reflected XSS in recoveryID search field at KRA's DRM agent page in authorize recovery tab [rhel-7.9.z] (ascheel) - Bugzilla Bug 1798011 - CVE-2020-1721 pki-core: KRA vulnerable to reflected XSS via the getPk12 page [rhel-7.9.z] (ascheel,jmagne) - ########################################################################## - Update to jquery v3.4.1 (ascheel) - Update to jquery-i18n-properties v1.2.7 (ascheel) - Update to backbone v1.4.0 (ascheel) - Upgrade to underscore v1.9.2 (ascheel) - Update to patternfly v3.59.3 (ascheel) - Update to jQuery v3.5.1 (ascheel) - Upgrade to bootstrap v3.4.1 (ascheel) - Link in new Bootstrap CSS file (ascheel) - ########################################################################## - # RHCS 9.7: - ########################################################################## - # Bugzilla Bug #1733588 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- ########################################################################## - # RHEL 7.9: - ########################################################################## - Bugzilla Bug 1883639 - Add KRA Transport and Storage Certificates profiles, audit for IPA (edewata) - ########################################################################## - # Backported CVEs (ascheel): - ########################################################################## - Bugzilla Bug 1724697 - CVE-2019-10180 pki-core: unsanitized token parameters in TPS resulting in stored XSS [certificate_system_9-default] (edewata, ascheel) - Bugzilla Bug 1725128 - CVE-2019-10178 pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab [certificate_system_9-default] (edewata, ascheel) - Bugzilla Bug 1791100 - CVE-2020-1696 pki-core: Stored XSS in TPS profile creation [certificate_system_9-default] (edewata, ascheel) - Bugzilla Bug 1724688 - CVE-2019-10146 pki-core: Reflected Cross-Site Scripting in 'path length' constraint field in CA's Agent page [rhel-7.9.z] (dmoluguw, ascheel) - Bugzilla Bug 1789843 - CVE-2019-10221 pki-core: reflected cross site scripting in getcookies?url= endpoint in CA [rhel-7.9.z] (dmoluguw, ascheel) - Bugzilla Bug 1724713 - CVE-2019-10179 pki-core: pki-core/pki-kra: Reflected XSS in recoveryID search field at KRA's DRM agent page in authorize recovery tab [rhel-7.9.z] (ascheel) - Bugzilla Bug 1798011 - CVE-2020-1721 pki-core: KRA vulnerable to reflected XSS via the getPk12 page [rhel-7.9.z] (ascheel,jmagne) - ########################################################################## - Update to jquery v3.4.1 (ascheel) - Update to jquery-i18n-properties v1.2.7 (ascheel) - Update to backbone v1.4.0 (ascheel) - Upgrade to underscore v1.9.2 (ascheel) - Update to patternfly v3.59.3 (ascheel) - Update to jQuery v3.5.1 (ascheel) - Upgrade to bootstrap v3.4.1 (ascheel) - Link in new Bootstrap CSS file (ascheel) - ########################################################################## - # RHCS 9.7: - ########################################################################## - # Bugzilla Bug #1733588 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- Bugzilla Bug #1883639 - additional fix to upgrade script (edewata)- Bugzilla Bug #1883639 - additional support on upgrade for audit cert profile and auditProfileUpgrade + auditProfileUpgrade part 2 (cfu)- ########################################################################## - # RHEL 7.9: - ########################################################################## - Bugzilla Bug #1883639 - add profile caAuditSigningCert (cfu) - ########################################################################## - # RHCS 9.7: - ########################################################################## - # Bugzilla Bug #1710978 - TPS - Add logging to tdbAddCertificatesForCUID if - # Bugzilla Bug #1858860 - TPS - Update Error Codes returned to client - # Bugzilla Bug #1858861 - TPS - Server side key generation is not working - # Bugzilla Bug #1858867 - TPS does not check token cuid on the user- Patch for CMCResponse tool - Bugzilla Bug #1710109 - add RSA PSS support - fix CMCResponse tool (jmagne)- Patch for CMC Credential Error, RSA PSS typo, and new profile for directory-authentication-based Server-Side keygen - ########################################################################## - # RHEL 7.9: - ########################################################################## - Bugzilla Bug #1710109 - add RSA PSS support (jmagne) - Bugzilla Bug #1794213 - Server-Side keygen Enrollment for EE (cfu) - ########################################################################## - # RHCS 9.7: - ########################################################################## - # Bugzilla Bug #1733588 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- Updated jss dependencies - Bugzilla Bug #1710109 - add RSA PSS support - fix SHA512 (jmagne)- ########################################################################## - # RHEL 7.9: - ########################################################################## - Bugzilla Bug #1794213 - Server-Side keygen Enrollment for EE additional support and touch-up (cfu) - ########################################################################## - # RHCS 9.7: - ########################################################################## - # Bugzilla Bug #1710975 - TPS - Searching the certificate DB for a brand new- Updated jss dependencies - ########################################################################## - # RHEL 7.9: - ########################################################################## - Bugzilla Bug #1794213 - Server-Side keygen Enrollment for EE (cfu) - Bugzilla Bug #1809273 - CRL generation performs an unindexed search (jmagne) - ########################################################################## - # RHCS 9.7: - ########################################################################## - # Bugzilla Bug #1549307 - No default TPS Auditor group (ascheel)- Bugzilla Bug #1710109 - add RSA PSS support - fix IPA installer (jmagne)- Updated jss dependencies - ########################################################################## - # RHEL 7.9: - ########################################################################## - Bugzilla Bug #1774174 - Rebase pki-core from 10.5.17 to 10.5.18 (RHEL) - ########################################################################## - # RHCS 9.7: - ########################################################################## - # Bugzilla Bug #1774177 - Rebase redhat-pki, redhat-pki-theme, pki-core, and - # Bugzilla Bug #1774181 - Update RHCS version of CA, KRA, OCSP, and TKS so- ########################################################################## - # RHEL 7.8: - ########################################################################## - Bugzilla Bug #1723008 - ECC Key recovery failure with CKR_TEMPLATE_INCONSISTENT (cfu) - Bugzilla Bug #1774282 - pki-server-nuxwdog template has pid file name with non-breakable space char encoded instead of 0x20 space char (ascheel) - ########################################################################## - # RHCS 9.6: - ########################################################################## - # Bugzilla Bug #1733588 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- ########################################################################## - # RHEL 7.8: - ########################################################################## - Bugzilla Bug #1523330 - CC: missing audit event for CS acting as TLS client (cfu) - ########################################################################## - # RHCS 9.6: - ########################################################################## - # Bugzilla Bug #1733588 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- Include 'pistool' in the 'pki-tools' package- ########################################################################## - # RHEL 7.8: - ########################################################################## - Bugzilla Bug #1445479 - KRATool does not support netkeyKeyRecovery attribute (dmoluguw) - Bugzilla Bug #1534013 - Attempting to add new keys using a PUT KEY APDU to a token that is loaded only with the default/factory keys (Key Version Number 0xFF) returns an APDU with error code 0x6A88. (jmagne) - Bugzilla Bug #1709585 - PKI (test support) for PKCS#11 standard AES KeyWrap for HSM support (cfu, ftweedal) - Bugzilla Bug #1748766 - number range depletion when multiple clones created from same master (ftweedal) - ########################################################################## - # RHCS 9.6: - ########################################################################## - # Bugzilla Bug #1520258 - TPS token search fails to find entries , LDAP filter - # Bugzilla Bug #1535671 - RFE to have the users be able to use the- ########################################################################## - # RHEL 7.8: - ########################################################################## - Bugzilla Bug #1523330 - CC: missing audit event for CS acting as TLS client (cfu) - Bugzilla Bug #1597727 - CA - Unable to change a certificate’s revocation reason from superceded to key_compromised (rhcs-maint) - ########################################################################## - # RHCS 9.6: - ########################################################################## - # Bugzilla Bug #1470410 - TPS doesn't update revocation status when - # Bugzilla Bug #1470433 - Add supported transitions to TPS (rhcs-maint) - # Bugzilla Bug #1585722 - TMS - PKISocketFactory – Modify Logging to Allow - # Bugzilla Bug #1642577 - TPS – Revoked Encryption Certificates Marked as- Updated jss, nuxwdog, and tomcatjss dependencies - ########################################################################## - # RHEL 7.8: - ########################################################################## - Bugzilla Bug #1733586 - Rebase pki-core from 10.5.16 to 10.5.17 (RHEL) - ########################################################################## - # RHCS 9.6: - ########################################################################## - # Bugzilla Bug #1718418 - Update RHCS version of CA, KRA, OCSP, and TKS so - # Bugzilla Bug #1733588 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- ########################################################################## - # RHEL 7.7: - ########################################################################## - Bugzilla Bug #1638379 - PKI startup initialization process should not depend on LDAP operational attributes [ftweedal] - ########################################################################## - # RHCS 9.5: - ########################################################################## - # Bugzilla Bug #1633423 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- ########################################################################## - # RHEL 7.7: - ########################################################################## - Bugzilla Bug #1491453 - Need Method to Include SKI in CA Signing Certificate Request [ftweedal] - ########################################################################## - # RHCS 9.5: - ########################################################################## - # Bugzilla Bug #1633423 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- Updated jss dependencies - ########################################################################## - # RHEL 7.7: - ########################################################################## - Bugzilla Bug #1633422 - Rebase pki-core from 10.5.1 to 10.5.16 (RHEL) - ########################################################################## - # RHCS 9.5: - ########################################################################## - # Bugzilla Bug #1633423 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- Updated jss dependencies - ########################################################################## - # RHEL 7.6: - ########################################################################## - Bugzilla Bug #1671245 - CC: unable to verify cert before import [rhel-7.6.z] [manpage] (ascheel) - Bugzilla Bug #1671303 - CC: Upgrade scripts for audit event names (RHEL) [rhel-7.6.z] (edewata) - ########################################################################## - # RHCS 9.4: - ########################################################################## - # Bugzilla Bug #1671586 - CC: Upgrade scripts for audit event names (RHCS)- Updated jss dependencies - ########################################################################## - # RHEL 7.6: - ########################################################################## - Bugzilla Bug #1671245 - CC: unable to verify cert before import [rhel-7.6.z] (ascheel) - Bugzilla Bug #1671303 - CC: Upgrade scripts for audit event names (RHEL) [rhel-7.6.z] (edewata) - ########################################################################## - # RHCS 9.4: - ########################################################################## - # Bugzilla Bug #1671586 - CC: Upgrade scripts for audit event names (RHCS)- Updated jss dependencies - ########################################################################## - # RHEL 7.6: - ########################################################################## - Bugzilla Bug #1671245 - CC: unable to verify cert before import [rhel-7.6.z] (ascheel) - Bugzilla Bug #1671303 - CC: Upgrade scripts for audit event names (RHEL) [rhel-7.6.z] (edewata) - ########################################################################## - # RHCS 9.4: - ########################################################################## - # Bugzilla Bug #1671586 - CC: Upgrade scripts for audit event names (RHCS)- ########################################################################## - # RHEL 7.6: - ########################################################################## - Bugzilla Bug #1659939 - CC: Simplifying Web UI session timeout configuration [rhel-7.6.z] (edewata) - ########################################################################## - # RHCS 9.4: - ########################################################################## - # Bugzilla Bug #1639836 - CC: Identify RHCS version of CA, KRA, - # Added Batch Update Information to Product Version (mharmsen)- ########################################################################## - # RHEL 7.6: - ########################################################################## - Bugzilla Bug #1657922 - CC: CA/OCSP startup fail on SystemCertsVerification if enableOCSP is true [rhel-7.6.z] (jmagne) - ########################################################################## - # RHCS 9.4: - ########################################################################## - # Bugzilla Bug #1639836 - CC: Identify RHCS version of CA, KRA,- ########################################################################## - # RHEL 7.6: - ########################################################################## - Bugzilla Bug #1645262 - pkidestroy may not remove all files [rhel-7.6.z] (dmoluguw) - Bugzilla Bug #1645263 - Auth plugins leave passwords in the access log and audit log using REST [rhel-7.6.z] (dmoluguw) - Bugzilla Bug #1645429 - pkispawn fails due to name collision with /var/log/pki/ [rhel-7.6.z] (dmoluguw) - Bugzilla Bug #1655951 - CC: tools supporting CMC requests output keyID needs to be captured in file [rhel-7.6.z] (cfu) - Bugzilla Bug #1656297 - Unable to install with admin-generated keys [rhel-7.6.z] (edewata) - ########################################################################## - # RHCS 9.4: - ########################################################################## - # Bugzilla Bug #1639836 - CC: Identify RHCS version of CA, KRA,- Require "tomcatjss >= 7.2.1-8" as a build and runtime requirement - ########################################################################## - # RHEL 7.6: - ########################################################################## - Bugzilla Bug #1632116 - CC: missing audit event for CS acting as TLS client [rhel-7.6.z] (cfu) - Bugzilla Bug #1632120 - Unsupported RSA_ ciphers should be removed from the default ciphers list [rhel-7.6.z] (cfu) - Bugzilla Bug #1632615 - Permit certain SHA384 FIPS ciphers to be enabled by default for RSA and ECC . . . [rhel-7.6.z] (cfu) - Bugzilla Bug #1632616 - X500Name.directoryStringEncodingOrder overridden by CSR encoding (coverity changes) [rhel-7.6.z] (mharmsen) - Bugzilla Bug #1633104 - CMC: add config to allow non-clientAuth [rhel-7.6.z] (cfu) - Bugzilla Bug #1636490 - Installation of CA using an existing CA fails [rhel-7.6.z] (edewata) - Bugzilla Bug #1643878 - pki cli command for RHCS doesn't prompt for a password [rhel-7.6.z] (edewata) - Bugzilla Bug #1643879 - CC: Identify version/release of pki-ca, pki-kra, pki-ocsp, pki-tks, and pki-tps remotely [RHEL] [rhel-7.6.z] (cfu, jmagne) - Bugzilla Bug #1643880 - PKI subsystem process is not shutdown when there is no space on the disk to write logs [rhel-7.6.z] (edewata) - ########################################################################## - # RHCS 9.4: - ########################################################################## - # Bugzilla Bug #1639836 - CC: Identify RHCS version of CA, KRA,- Updated nuxwdog dependencies - ########################################################################## - # RHEL 7.6: - ########################################################################## - Bugzilla Bug #673182 - ECC keys not supported for signing audit logs (cfu) - Bugzilla Bug #1593805 - Better understanding of NSS_USE_DECODED_CKA_EC_POINT for ECC (cfu) - Bugzilla Bug #1601071 - Certificate generation happens with partial attributes in CMCRequest file (cfu) - Bugzilla Bug #1601569 - CC: Enable all config audit events (cfu) - Bugzilla Bug #1608375 - CMC Revocations throws exception with same reqIssuer & certissuer (cfu) - ########################################################################## - # RHCS 9.4: - ########################################################################## - # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to- ########################################################################## - # RHEL 7.6: - ########################################################################## - Bugzilla Bug #1596629 - ipa-replica-install --setup-kra broken on DL0 with latest version (abokovoy) - ########################################################################## - # RHCS 9.4: - ########################################################################## - # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to- ########################################################################## - # RHEL 7.6: - ########################################################################## - Bugzilla Bug #1548203 - pki console configurations that involves ldap passwords leave the plain text password in signed audit logs (cfu) - ########################################################################## - # RHCS 9.4: - ########################################################################## - # Bugzilla Bug #1494591 - keyGen fails when only Identity- Re-spin alpha builds- ########################################################################## - # RHEL 7.6: - ########################################################################## - Bugzilla Bug #1471935 - X500Name.directoryStringEncodingOrder overridden by CSR encoding (cfu) - Bugzilla Bug #1538311 - Using a Netmask produces an odd entry in a certificate (ftweedal) - Bugzilla Bug #1540440 - CMC: Audit Events needed for failures in SharedToken scenario's (cfu) - Bugzilla Bug #1550742 - Address ECC profile overrides (cfu) - Bugzilla Bug #1562841 - servlet profileSubmitCMCSimple throws NPE (cfu) - Bugzilla Bug #1572432 - AuditVerify failure due to line breaks (cfu) - Bugzilla Bug #1592961 - Need proper default subjectDN for CMC request authenticated through SharedToken (cfu) - ########################################################################## - # RHCS 9.4: - ########################################################################## - # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to- ########################################################################## - # RHEL 7.6: - ########################################################################## - Bugzilla Bug #1538311 - Using a Netmask produces an odd entry in a certifcate (ftweedal) - Bugzilla Bug #1544843 - ExternalCA: Installation failed during csr generation with ecc (rrelyea, gkapoor) - Bugzilla Bug #1557569 - Re-base pki-core from 10.5.1 to latest upstream 10.5.x (RHEL) (mharmsen) - Bugzilla Bug #1580394 - CMC CRMF requests result in InvalidKeyFormatException when signing algorithm is ECC (cfu) - Bugzilla Bug #1580527 - CVE-2018-1080 pki-core: Mishandled ACL configuration in AAclAuthz.java reverses rules that allow and deny access (ftweedal, cfu) - Bugzilla Bug #1585866 - CRMFPopClient tool - should allow option to do no key archival (cfu) - Bugzilla Bug #1588655 - Cert validation for installation with external CA cert (edewata) - ########################################################################## - # RHCS 9.4: - ########################################################################## - # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to- Rebuild due to build system database problem- ########################################################################## - # RHEL 7.5: - ########################################################################## - Bugzilla Bug #1553068 - Using a Netmask produces an odd entry in a certifcate [rhel-7.5.z] (ftweedal) - Bugzilla Bug #1585945 - CMC CRMF requests result in InvalidKeyFormatException when signing algorithm is ECC [rhel-7.5.z] (cfu) - Bugzilla Bug #1587826 - ExternalCA: Installation failed during csr generation with ecc [rhel-7.5.z] (rrelyea, gkapoor) - Bugzilla Bug #1588944 - Cert validation for installation with external CA cert [rhel-7.5.z] (edewata) - Bugzilla Bug #1588945 - CRMFPopClient tool - should allow option to do no key archival (cfu) - Bugzilla Bug #1589307 - CVE-2018-1080 pki-core: Mishandled ACL configuration in AAclAuthz.java reverses rules that allow and deny access [rhel-7.5.z] (ftweedal, cfu) - ########################################################################## - # RHCS 9.3: - ########################################################################## - # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,- Updated "jss" build and runtime requirements (mharmsen) - ########################################################################## - # RHEL 7.5: - ########################################################################## - Bugzilla Bug #1571582 - [MAN] Missing Man pages for tools CMCRequest, CMCResponse, CMCSharedToken (typos) [rhel-7.5.z] (cfu) - Bugzilla Bug #1572548 - IPA install with external-CA is failing when FIPS mode enabled. [rhel-7.5.z] (edewata) - Bugzilla Bug #1574848 - servlet profileSubmitCMCSimple throws NPE [rhel-7.5.z] (cfu) - Bugzilla Bug #1575521 - subsystem -> subsystem SSL handshake issue with TLS_ECDHE_RSA_* on Thales HSM [rhel-7.5.z] (cfu) - Bugzilla Bug #1581134 - ECC installation for non CA subsystems needs improvement [rhel-7.5.z] (jmagne) - Bugzilla Bug #1581135 - SAN in internal SSL server certificate in pkispawn configuration step [rhel-7.5.z] (cfu) - Bugzilla Bug #1581167 - CC: CMC profiles: Some CMC profiles have wrong input class_id [rhel-7.5.z] (cfu) - Bugzilla Bug #1581382 - ECDSA Certificates Generated by Certificate System 9.3 fail NIST validation test with parameter field. [rhel-7.5.z] (cfu) - ########################################################################## - # RHCS 9.3: - ########################################################################## - # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,- ########################################################################## - # RHEL 7.5: - ########################################################################## - Bugzilla Bug #1554726 - Need ECC-specific Enrollment Profiles for standard conformance [rhel-7.5.z] (cfu) - Bugzilla Bug #1557880 - [MAN] Missing Man pages for tools CMCRequest, CMCResponse, CMCSharedToken [rhel-7.5.z] (cfu) - ########################################################################## - # RHCS 9.3: - ########################################################################## - # Bugzilla Bug #1560233 - libtps does not directly depend on libz- ########################################################################## - # RHEL 7.5: - ########################################################################## - Bugzilla Bug #1550581 - CMCAuth throws org.mozilla.jss.crypto.TokenException: Unable to insert certificate into temporary database [rhel-7.5.z] (cfu) - Bugzilla Bug #1551067 - [MAN] Add --skip-configuration and --skip-installation into pkispawn man page. [rhel-7.5.z] (edewata) - Bugzilla Bug #1552241 - Make sslget aware of TLSv1_2 ciphers [rhel-7.5.z] (cheimes, mharmsen) - Bugzilla Bug #1553068 - Using a Netmask produces an odd entry in a certifcate [rhel-7.5.z] (ftweedal) - Bugzilla Bug #1554726 - Need ECC-specific Enrollment Profiles for standard conformance [rhel-7.5.z] (cfu) - Bugzilla Bug #1554727 - Permit additional FIPS ciphers to be enabled by default for RSA . . . [rhel-7.5.z] (mharmsen, cfu) - Bugzilla Bug #1557880 - [MAN] Missing Man pages for tools CMCRequest, CMCResponse, CMCSharedToken [rhel-7.5.z] (cfu) - Bugzilla Bug #1557883 - Console: Adding ACL from pki-console gives StringIndexOutOfBoundsException [rhel-7.5.z] (ftweedal) - Bugzilla Bug #1558919 - Not able to generate certificate request with ECC using pki client-cert-request [rhel-7.5.z] (akahat) - ########################################################################## - # RHCS 9.3: - ########################################################################## - # Bugzilla Bug #1560233 - libtps does not directly depend on libz- ########################################################################## - # RHEL 7.5: - ########################################################################## - # Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release - Bugzilla Bug #1445532 - CC: Audit Events: Update the default audit event set (RHEL) (edewata) - Bugzilla Bug #1532867 - Inconsistent key ID encoding (edewata) - Bugzilla Bug #1540687 - CC: External OCSP Installation failure with HSM and FIPS (edewata) - ########################################################################## - # RHCS 9.3: - ########################################################################## - # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, - # Bugzilla Bug #1404075 - CC: Audit Events: Update the default audit event- ########################################################################## - # RHEL 7.5: - ########################################################################## - # Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release - Bugzilla Bug #1542210 - pki console configurations that involves ldap passwords leave the plain text password in debug logs (jmagne) - Bugzilla Bug #1543242 - Regression in lightweight CA key replication (ftweedal) - ########################################################################## - # RHCS 9.3: - ########################################################################## - # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,- ########################################################################## - # RHEL 7.5: - ########################################################################## - # Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release - Bugzilla Bug #1445532 - CC: Audit Events: Update the default audit event set (RHEL) (edewata) - Bugzilla Bug #1522938 - CC: Missing faillure resumption detection and audit event logging at startup (jmagne) - Bugzilla Bug #1523410 - Unable to have non "pkiuser" owned CA instance (alee) - Bugzilla Bug #1525306 - CC: missing CMC request and response record (cfu) - Bugzilla Bug #1532933 - Installing subsystems with external CMC certificates in HSM environment shows import error (edewata) - Bugzilla Bug #1535797 - ExternalCA: Failures when installed with hsm (edewata) - Bugzilla Bug #1539125 - restrict default cipher suite to those ciphers permitted in fips mode (mharmsen) - Bugzilla Bug #1539198 - Inconsistent CERT_REQUEST_PROCESSED outcomes. (edewata) - Bugzilla Bug #1540440 - CMC: Audit Events needed for failures in SharedToken scenario's (cfu) - Bugzilla Bug #1541526 - CMC: Revocation works with an unknown revRequest.issuer (cfu) - Bugzilla Bug #1541853 - ProfileService: config values with backslashes have backslashes removed (ftweedal) - ########################################################################## - # RHCS 9.3: - ########################################################################## - # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, - # Bugzilla Bug #1404075 - CC: Audit Events: Update the default audit - # Bugzilla Bug #1501436 - TPS CS.cfg should be reflected with the- Updated jss, nuxwdog, and openssl dependencies - ########################################################################## - # RHEL 7.5: - ########################################################################## - Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release (RHEL) - Bugzilla Bug #1402280 - CA Cloning: Failed to update number range in few cases (ftweedal) - Bugzilla Bug #1428021 - CC: shared token storage and retrieval mechanism (cfu) - Bugzilla Bug #1447145 - CMC: cmc.popLinkWitnessRequired=false would cause error (cfu) - Bugzilla Bug #1498957 - pkidestroy does not work with nuxwdog (alee) - Bugzilla Bug #1520277 - PR_FILE_NOT_FOUND_ERROR during pkispawn (alee) - Bugzilla Bug #1520526 - p12 admin certificate is missing when certificate is signed Externally (edewata) - Bugzilla Bug #1523410 - Unable to have non "pkiuser" owned CA instance (alee) - Bugzilla Bug #1523443 - HAProxy rejects OCSP responses due to missing nextupdate field (ftweedal) - Bugzilla Bug #1526881 - Not able to setup CA with ECC (mharmsen) - Bugzilla Bug #1532759 - pkispawn seems to be leaving our passwords in several different files after installation completes (alee) - ########################################################################## - # RHCS 9.3: - ########################################################################## - # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,- ########################################################################## - # RHEL 7.5: - ########################################################################## - Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release (RHEL) - Bugzilla Bug #1466066 - CC: Secure removal of secret data storage (jmagne) - Bugzilla Bug #1518096 - ExternalCA: Failures in ExternalCA when tried to setup with CMC signed certificates (cfu) - ########################################################################## - # RHCS 9.3: - ########################################################################## - # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- ########################################################################## - # RHEL 7.5: - ########################################################################## - Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release (RHEL) - ########################################################################## - # RHCS 9.3: - ########################################################################## - #Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- dogtagpki Pagure Issue #2853 - Cleanup spec file conditionals- Patch applying check-ins since 10.5.1-1- ########################################################################## - # RHEL 7.5: - ########################################################################## - Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release (RHEL) - ########################################################################## - # RHCS 9.3: - ########################################################################## - #Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- ########################################################################## - # RHEL 7.5: - ########################################################################## - Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release (RHEL) - ########################################################################## - # RHCS 9.3: - ########################################################################## - #Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- #Bugzilla Bug #1492560 - ipa-replica-install --setup-kra broken on DL0- #Require "jss >= 4.4.0-8" as a build and runtime requirement - ########################################################################## - # RHEL 7.4: - ########################################################################## - # Resolves: rhbz #1486870,1485833,1487509,1490241,1491332 - # Bugzilla Bug #1486870 - Lightweight CA key replication fails (regressions) - # Bugzilla Bug #1485833 - Missing CN in user signing cert would cause error - # Bugzilla Bug #1487509 - pki-server-upgrade fails when upgrading from - # Bugzilla Bug #1490241 - PKCS12: upgrade to at least AES and SHA2 (FIPS) - # Bugzilla Bug #1491332 - TPS UI: need to display tokenType and tokenOrigin - # dogtagpki Pagure Issue #2764 - py3: pki.key.archive_encrypted_data: - ########################################################################## - # RHCS 9.2: - ########################################################################## - # Resolves: rhbz #1486870,1485833,1487509,1490241,1491332,1482729,1462271 - # Bugzilla Bug #1462271 - TPS incorrectly assigns "tokenOrigin" and - # Bugzilla Bug #1482729 - TPS UI: need to display tokenType and tokenOrigin- Resolves: rhbz #1463350 - ########################################################################## - # RHEL 7.4: - ########################################################################## - # Bugzilla Bug #1463350 - Access banner validation (edewata)- # Resolves: rhbz #1472615,1472617,1469447,1463350,1469449,1472619,1464970,1469437,1469439,1469446 - ########################################################################## - # RHEL 7.4: - ########################################################################## - # Bugzilla Bug #1472615 - CC: allow CA to process pre-signed CMC non-signing - # Bugzilla Bug #1472617 - CMC: cmc.popLinkWitnessRequired=false would cause - # Bugzilla Bug #1469447 - CC: CMC: check HTTPS client authentication cert - # Bugzilla Bug #1463350 - Access banner validation (edewata) - # Bugzilla Bug #1469449 - CC: allow CA to process pre-signed CMC renewal - # Bugzilla Bug #1472619 - Platform Dependent Python Import (mharmsen) - # Bugzilla Bug #1464970 - CC: CMC: replace id-cmc-statusInfo with - # Bugzilla Bug #1469437 - subsystem-cert-update command lacks --cert option - # Bugzilla Bug #1469439 - Fix Key Changeover with HSM to support SCP03 - # Bugzilla Bug #1469446 - CC: need CMC enrollment profiles for system- # Resolves: rhbz #1469432 - ########################################################################## - # RHEL 7.4: - ########################################################################## - # Bugzilla Bug #1469432 - CMC plugin default change - # Resolves CVE-2017-7537 - # Fixes BZ #1470948- ########################################################################## - # RHEL 7.4: - ########################################################################## - Bugzilla Bug #1458043 - Key recovery on token fails with invalid public key error on KRA (alee) - Bugzilla Bug #1460764 - CC: CMC: check HTTPS client authentication cert against CMC signer (cfu) - Bugzilla Bug #1461533 - Unable to find keys in the p12 file after deleting the any of the subsystem certs from it (ftweedal)- ########################################################################## - # RHEL 7.4: - ########################################################################## - Bugzilla Bug #1393633 - Creating symmetric key (sharedSecret) using tkstool is failing when RHEL 7.3 is in FIPS mode. (jmagne) - Bugzilla Bug #1419756 - CC: allow CA to process pre-signed CMC non-signing certificate requests (cfu) - Bugzilla Bug #1419777 - CC: allow CA to process pre-signed CMC revocation non-signing cert requests (cfu) - Bugzilla Bug #1458047 - change the way aes clients refer to aes keysets (alee) - Bugzilla Bug #1458055 - dont reuse IVs in the CMC code (alee) - Bugzilla Bug #1460028 - In keywrap mode, key recovery on KRA with HSM causes KRA to crash (ftweedal)- Require "selinux-policy-targeted >= 3.13.1-159" as a runtime requirement - Require "tomcatjss >= 7.2.1-4" as a build and runtime requirement - ########################################################################## - # RHEL 7.4: - ########################################################################## - Bugzilla Bug #1400149 - pkispawn fails to create CA subsystem on FIPS enabled system (edewata) - Bugzilla Bug #1447144 - CA brought down during separate KRA instance creation (edewata) - Bugzilla Bug #1447762 - pkispawn fails occasionally with this failure ACCESS_SESSION_ESTABLISH_FAILURE (edewata) - Bugzilla Bug #1454450 - SubCA installation failure with 2 step installation in fips enabled mode (edewata) - Bugzilla Bug #1456597 - Certificate import using pki client-cert-import is asking for password when already provided (edewata) - Bugzilla Bug #1456940 - Build failure due to Pylint issues (cheimes) - Bugzilla Bug #1458043 - Key recovery using externalReg fails with java null pointer exception on KRA (alee) - Bugzilla Bug #1458379 - Upgrade script for keepAliveTimeout parameter (edewata) - Bugzilla Bug #1458429 - client-cert-import --ca-cert should import CA cert with trust bits "CT,C,C" (edewata) - ########################################################################## - # RHCS 9.2: - ########################################################################## - Bugzilla Bug #1274086 - [RFE] Add SCP03 support (RHCS) (jmagne)- ########################################################################## - # RHEL 7.4: - ########################################################################## - Bugzilla Bug #1393633 - Creating symmetric key (sharedSecret) using tkstool is failing when RHEL 7.3 is in FIPS mode. (jmagne) - Bugzilla Bug #1445519 - CA Server installation with HSM fails (jmagne) - Bugzilla Bug #1452617 - Unable to create IPA Sub CA (ftweedal) - Bugzilla Bug #1454471 - Enabling all subsystems on startup (edewata) - Bugzilla Bug #1455617 - Key recovery on token fails because key record is not marked encrypted (alee)- Bugzilla Bug #1454603 - Unable to install IPA server due to pkispawn error (mharmsen)- ########################################################################## - # RHEL 7.4: - ########################################################################## - Bugzilla Bug #1419761 - CC: allow CA to process pre-signed CMC renewal non-signing cert requests (cfu) - Bugzilla Bug #1447080 - CC: CMC: allow enrollment key signed (self-signed) CMC with identity proof (cfu) - Bugzilla Bug #1447144 - CA brought down during separate KRA instance creation (mharmsen) - Bugzilla Bug #1448903 - exception Invalid module "--ignore-banner" when defined in ~/.dogtag/pki.conf and run pki pkcs12-import --help (edewata) - Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails (jmagne) - Bugzilla Bug #1452123 - CA CS.cfg shows default port (mharmsen) - Bugzilla Bug #1452250 - Inconsistent CERT_REQUEST_PROCESSED event in ConnectorServlet. (edewata) - Bugzilla Bug #1452340 - Ensuring common audit log correctness (edewata) - Bugzilla Bug #1452344 - Adding serial number into CERT_REQUEST_PROCESSED audit event. (edewata)- ########################################################################## - # RHEL 7.4: - ########################################################################## - Bugzilla Bug #1386303 - cannot extract generated private key from KRA when HSM is used. (alee) - Bugzilla Bug #1446364 - pkispawn returns before tomcat is ready (cheimes) - Bugzilla Bug #1447145 - CMC: cmc.popLinkWitnessRequired=false would cause error (cfu) - Bugzilla Bug #1448203 - CAInfoService: retrieve KRA-related values from the KRA (ftweedal) - Bugzilla Bug #1448204 - pkispawn of clone install fails with InvalidBERException (ftweedal) - Bugzilla Bug #1448521 - kra unable to extract symmetric keys generated on thales hsm (alee) - Updated "jss" build and runtime requirements (mharmsen) - ########################################################################## - # RHCS 9.2: - ########################################################################## - Bugzilla Bug #1274086 - [RFE] Add SCP03 support (RHCS) (jmagne)- ############################################################################ - # RHEL 7.4: - ############################################################################ - Bugzilla Bug #1303683 - dogtag should support GSSAPI based auth in conjuction with FreeIPA (ftweedal) - Bugzilla Bug #1385208 - RHCS 9.1 RC5 CA in the certificate profiles the startTime parameter is not working as expected. (jmagne) - Bugzilla Bug #1419756 - CC: allow CA to process pre-signed CMC non-signing certificate requests (cfu) - Bugzilla Bug #1426754 - PKCS12: upgrade to at least AES and SHA2 (ftweedal) - Bugzilla Bug #1445088 - profile modification cannot remove existing config parameters (ftweedal) - Bugzilla Bug #1445535 - CC: Crypto Operation (AES Encryption/Decryption) (RHEL) (alee) - Bugzilla Bug #1446874 - Missing ClientIP and ServerIP in audit log when pki CLI terminates SSL connection (edewata) - Bugzilla Bug #1446875 - Session timeout for PKI console (RHEL) (edewata) - ############################################################################ - # RHCS 9.2: - ############################################################################ - Bugzilla Bug #1404480 - CC: Crypto Operation (AES Encryption/Decryption) (RHCS) (alee)- ############################################################################ - # RHEL 7.4: - ############################################################################ - Bugzilla Bug #1282504 - Installing pki-server in container reports scriptlet failed, exit status 1 (jpazdziora) - Bugzilla Bug #1400149 - pkispawn fails to create CA subsystem on FIPS enabled system (edewata) - Bugzilla Bug #1410650 - [RFE] Add SCP03 support for sc 7 g & d cards (RHEL) (jmagne) - Bugzilla Bug #1437591 - cli authentication using expired cert throws an exception (edewata) - Bugzilla Bug #1437602 - non-CA cli looks for CA in the instance during a request (edewata) - ############################################################################ - # RHCS 9.2: - ############################################################################ - Bugzilla Bug #1274086 - [RFE] Add SCP03 support for sc 7 g & d cards (RHCS) (jmagne) - ############################################################################ - # Common Criteria - ############################################################################ - Bugzilla Bug #1404080 - CC: add audit event: various SSL/TLS failures (edewata) - Bugzilla Bug #1417307 - CC: Audit Review /Searches (edewata) - Bugzilla Bug #1419737 - CC: CMC: id-cmc-popLinkWitnessV2 feature implementation (cfu)- Require "nss >= 3.28.3" as a build and runtime requirement - Require "jss >= 4.4.0-4" as a build and runtime requirement - Require "tomcatjss >= 7.2.1-3" as a build and runtime requirement - dogtagpki Pagure Issue #2612 - Unable to clone due to pki pkcs12-cert-find failure (edewata) - ############################################################################ - Bugzilla Bug #1394309 - Rebase pki-core to 10.4.x in RHEL-7.4 - Bugzilla Bug #1394315 - Rebase redhat-pki, redhat-pki-theme, pki-core, and pki-console to 10.4.x - ############################################################################ - # RHEL 7.4: - ############################################################################ - ############################################################################ - # RHCS 9.2: - ############################################################################ - ############################################################################ - # Common Criteria - ############################################################################ - Bugzilla Bug #1419734 - CC: CMC: id-cmc-identityProofV2 feature implementation (cfu) - Bugzilla Bug #1419742 - CC: CMC: provide Proof of Possession for encryption cert requests (cfu) - Bugzilla Bug #1404080 - CC: add audit event: various SSL/TLS failures (edewata) - Bugzilla Bug #1428020 - CC: CMC feature support: provided issuance protection cert mechanism (cfu)- Require "jss >= 4.4.0-1" as a build and runtime requirement - Require "tomcatjss >= 7.2.1-1" as a build and runtime requirement - ############################################################################ - Bugzilla Bug #1394309 - Rebase pki-core to 10.4.x in RHEL-7.4 - Bugzilla Bug #1394315 - Rebase redhat-pki, redhat-pki-theme, pki-core, and pki-console to 10.4.x - ############################################################################ - # RHEL 7.4: - ############################################################################ - Bugzilla Bug #1222557 - ECDSA Certificates Generated by Certificate System 8.1 fail NIST validation test with parameter field. (cfu) - Bugzilla Bug #1238684 - Generting Symmetric key fails with key-generate when --usages verify (vakwetu) - Bugzilla Bug #1246635 - user-cert-add --serial CLI request to secure port with remote CA shows authentication failure (edewata) - Bugzilla Bug #1249400 - CA EE: Submit caUserCert request without uid does not show proper error message (vakwetu) - Bugzilla Bug #1305993 - Add profile component that copies CN to SAN (ftweedal) - Bugzilla Bug #1316653 - pki ca-cert-request-submit fails presumably because of missing authentication even if it should not require any (edewata) - Bugzilla Bug #1325071 - add options to enable/disable cert or crl publishing. (vakwetu) - Bugzilla Bug #1330800 - Failed to start pki-tomcatd Service ("ipa-cacert-manage renew" failed?) (edewata) - Bugzilla Bug #1368410 - Misleading Logging for HSM (edewata) - Bugzilla Bug #1372052 - Unable to search certificate requests using the latest request ID (edewata) - Bugzilla Bug #1375347 - Typo in comment line of UserPwdDirAuthentication.java (edewata) - Bugzilla Bug #1376226 - IPA replica-prepare failed with error "Profile caIPAserviceCert Not Found" (ftweedal) - Bugzilla Bug #1376488 - pkispawn fails as it is not able to find openssl as a dependency package (mharmsen) - Bugzilla Bug #1378275 - two-step externally-signed CA installation fails due to missing AuthorityID (ftweedal) - Bugzilla Bug #1378277 - Spurious host authority entries created (ftweedal) - Bugzilla Bug #1378527 - Miscellaneous Minor Changes (edewata) - Bugzilla Bug #1381084 - KRA installation failed against externally-signed CA with partial certificate chain (edewata) - Bugzilla Bug #1382066 - Problems with FIPS mode (edewata) - Bugzilla Bug #1386371 - Remove xenroll.dll from pki-core (mharmsen) - Bugzilla Bug #1386424 - Fix packaging duplicates of classes in multiple jar files (edewata) - Bugzilla Bug #1391737 - Changes to target.agent.approve.list parameter is not reflected in the TPS Web UI (RHEL 7) (edewata) - Bugzilla Bug #1392068 - [RFE] add express archivals and retrievals from KRA (vakwetu) - Bugzilla Bug #1395817 - Unable to install subordinate CA with HSM in FIPS mode (edewata) - Bugzilla Bug #1397200 - pkispawn does not change default ecc key size from nistp256 when nistp384 is specified in spawn config (jmagne) - Bugzilla Bug #1399862 - Dogtag 10.3.9 Man Pages (edewata) - Bugzilla Bug #1404881 - TPS throws "err=6" when attempting to format and enroll G&D Cards (jmagne) - Bugzilla Bug #1405654 - Token memory not wiped after key deletion (RHEL) (jmagne) - Bugzilla Bug #1409946 - Request ID undefined for CA signing certificate (vakwetu) - Bugzilla Bug #1409949 - CA Certificate Issuance Date displayed on CA website incorrect (vakwetu) - Bugzilla Bug #1410650 - [RFE] Add SCP03 support (RHEL) (jmagne) - Bugzilla Bug #1411428 - Unable to create a CA clone in FIPS (edewata) - Bugzilla Bug #1412211 - Unable to set up KRA in FIPS (edewata) - Bugzilla Bug #1412681 - update to 7.3 IPA with otpd bugfixes, tomcat will not finish start, hangs (ftweedal) - Bugzilla Bug #1413132 - pki-tomcat for 10+ minutes before generating cert (edewata) - Bugzilla Bug #1413136 - Problem with default AJP hostname in IPv6 environment. (edewata) - ############################################################################ - # RHCS 9.2: - ############################################################################ - Bugzilla Bug #1248553 - TPS Enrollment always goes to "ca1 (cfu) - Bugzilla Bug #1274086 - [RFE] Add SCP03 support (RHCS) (jmagne) - Bugzilla Bug #1274096 - [BUG] Add ability to disallow TPS to enroll a single user on multiple tokens. (jmagne) - Bugzilla Bug #1379379 - Unable to read an encrypted email using renewed tokens (jmagne) - Bugzilla Bug #1379749 - Automatic recovery of encryption cert is not working when a token is physically damaged and a temporary token is issued (jmagne) - Bugzilla Bug #1381375 - Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches (cfu) - Bugzilla Bug #1381635 - Token format with external reg fails when op.format.externalRegAddToToken.revokeCert=true (cfu) - Bugzilla Bug #1382762 - PIN_RESET policy is not giving expected results when set on a token (jmagne) - Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is not reflected in the TPS Web UI (RHCS 9) (edewata) - Bugzilla Bug #1391207 - Automatic recovery of encryption cert - CA and TPS tokendb shows different certificate status (cfu) - Bugzilla Bug #1395479 - TPS throws "err=6" when attempting to format and enroll G&D Cards (RHCS) (jmagne) - Bugzilla Bug #1404900 - Dogtag 10.3.9 logging properties (edewata) - Bugzilla Bug #1405655 - Token memory not wiped after key deletion (RHCS) (jmagne) - ############################################################################- ## RHEL 7.3.z Batch Update 4 - Bugzilla Bug #1429492 - Add profile component that copies CN to SAN (ftweedal)- ## RHCS 9.1.z Batch Update 3 - Bugzilla Bug #1391207 - Automatic recovery of encryption cert - CA and TPS tokendb shows different certificate status (cfu) - ## RHEL 7.3.z Batch Update 3 - Bugzilla Bug #1417063 - ECDSA Certificates Generated by Certificate System 8.1 fail NIST validation test with parameter field. (cfu) - Bugzilla Bug #1417064 - Unable to search certificate requests using the latest request ID (edewata) - Bugzilla Bug #1417065 - CA Certificate Issuance Date displayed on CA website incorrect (alee) - Bugzilla Bug #1417066 - update to 7.3 IPA with otpd bugfixes, tomcat will not finish start, hangs (ftweedal) - Bugzilla Bug #1417067 - pki-tomcat for 10+ minutes before generating cert (edewata) - Bugzilla Bug #1417190 - Problem with default AJP hostname in IPv6 environment. (edewata)- Separate original patches into RHEL and RHCS portions - ## RHEL 7.3.z Batch Update 2 - Bugzilla Bug #1404176 - logging properties and man pages (edewata) - Bugzilla Bug #1405328 - TPS throws "err=6" when attempting to format and enroll G&D Cards (jmagne) - ## RHCS 9.1.z Batch Update 2 - Bugzilla Bug #1395479 - TPS throws "err=6" when attempting to format and enroll G&D Cards (jmagne) - Bugzilla Bug #1404900 - RHCS logging properties (edewata)- ## RHEL 7.3.z Batch Update 2 - Bugzilla Bug #1404173 - user-cert-add --serial CLI request to secure port with remote CA shows authentication failure (edewata) - Bugzilla Bug #1404175 - pki ca-cert-request-submit fails presumably because of missing authentication even if it should not require any (edewata) - Bugzilla Bug #1404178 - Changes to target.agent.approve.list parameter is not reflected in the TPS Web UI [pki-base] (edewata) - Bugzilla Bug #1404172 - Unable to install subordinate CA with HSM in FIPS mode (edewata) - Bugzilla Bug #1403689 - pkispawn does not change default ecc key size from nistp256 when nistp384 is specified in spawn config (jmagne) - Bugzilla Bug #1404176 - logging properties and man pages (edewata) - ## RHCS 9.1.z Batch Update 2 - Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is not reflected in the TPS Web UI [pki-tps] (edewata) - Bugzilla Bug #1391207 - Automatic recovery of encryption cert - CA and TPS tokendb shows different certificate status (cfu) - Bugzilla Bug #1395479 - TPS throws "err=6" when attempting to format and enroll G&D Cards (jmagne)- Marked the following RHCS 9.1.z bug: Bugzilla Bug #1382862 - TPS token enrollment fails to setupSecureChannel when TPS and TKS security db is on fips mode. (jmagne) as a duplicate of RHEL 7.3.z bug: Bugzilla Bug #1389757 - Problems with FIPS mode (edewata) and moved the patch from the RHCS 9.1.z bug to the RHEL 7.3.z bug.- ## RHEL 7.3.z Batch Update 1 - Bugzilla Bug #1389757 - Problems with FIPS mode (edewata) (added KRA key recovery via CLI in FIPS mode) - ## RHCS 9.1.z Batch Update 1 - Reverted patches associated with Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is not reflected in the TPS Web UI (edewata)- ## RHEL 7.3.z Batch Update 1 - Bugzilla Bug #1390318 - CA EE: Submit caUserCert request without uid does not show proper error message (alee) - Bugzilla Bug #1390319 - Failed to start pki-tomcatd Service ("ipa-cacert-manage renew" failed?) (edewata) - Bugzilla Bug #1390320 - pkispawn fails as it is not able to find openssl as a dependency package (mharmsen) - Bugzilla Bug #1390321 - two-step externally-signed CA installation fails due to missing AuthorityID (ftweedal) - Bugzilla Bug #1390322 - Spurious host authority entries created (ftweedal) - Bugzilla Bug #1390324 - KRA installation failed against externally-signed CA with partial certificate chain (edewata) - Bugzilla Bug #1389757 - Problems with FIPS mode (edewata) - Bugzilla Bug #1390311 - Fix packaging duplicates of classes in multiple jar files (edewata) - Bugzilla Bug #1390325 - Typo in comment line of UserPwdDirAuthentication.java (edewata) - ## RHCS 9.1.z Batch Update 1 - Bugzilla Bug #1248553 - TPS Enrollment always goes to "ca1" (cfu) - Bugzilla Bug #1274096 - [BUG] Add ability to disallow TPS to enroll a single user on multiple tokens. (jmagne) - Bugzilla Bug #1379379 - Unable to read an encrypted email using renewed tokens (jmagne) - Bugzilla Bug #1379749 - Automatic recovery of encryption cert is not working when a token is physically damaged and a temporary token is issued (jmagne) - Bugzilla Bug #1381375 - Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches - Bugzilla Bug #1381635 - Token format with external reg fails when op.format.externalRegAddToToken.revokeCert=true (cfu) - Bugzilla Bug #1382762 - PIN_RESET policy is not giving expected results when set on a token (jmagne) - Bugzilla Bug #1382862 - TPS token enrollment fails to setupSecureChannel when TPS and TKS security db is on fips mode. (jmagne) - Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is not reflected in the TPS Web UI (edewata)- PKI TRAC Ticket #1527 - TPS Enrollment always goes to "ca1" (cfu) - PKI TRAC Ticket #1664 - [BUG] Add ability to disallow TPS to enroll a single user on multiple tokens. (jmagne) - PKI TRAC Ticket #2478 - pkispawn fails as it is not able to find openssl as a dependency package (mharmsen) - PKI TRAC Ticket #2483 - Unable to read an encrypted email using renewed tokens (jmagne) - PKI TRAC Ticket #2496 - Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches (cfu) - PKI TRAC Ticket #2505 - Fix packaging duplicates of classes in multiple jar files (edewata)- Revert Patch: PKI TRAC Ticket #2449 - Unable to create system certificates in different tokens (edewata) - Resolves: rhbz #1374054 - ipa-replica-install fails setting up certificate - Restores: rhbz #1319557 - pkispawn KRA instance is failing server - Removes from Errata: rhbz #1372041 - Unable to create system certificates in different tokens- PKI TRAC Ticket #1638 - Lightweight CAs: revoke certificate on CA deletion (ftweedal) - PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements (edewata) - PKI TRAC Ticket #2443 - Prevent deletion of host CA's keys if LWCA entry deleted (ftweedal) - PKI TRAC Ticket #2444 - Authority entry without entryUSN is skipped even if USN plugin enabled (ftweedal) - PKI TRAC Ticket #2446 - pkispawn: make subject_dn defaults unique per instance name (for shared HSM) (cfu) - PKI TRAC Ticket #2447 - CertRequestInfo has incorrect URLs (vakwetu) - PKI TRAC Ticket #2449 - Unable to create system certificates in different tokens (edewata)- PKI TRAC Ticket #1578 - Authentication Instance Id PinDirEnrollment with authType value as SslclientAuth is not working (jmagne) - PKI TRAC TIcket #2414 - pki pkcs12-cert-del shows a successfully deleted message when a wrong nickname is provided (gkapoor) - PKI TRAC Ticket #2423 - pki_ca_signing_token when not specified does not fallback to pki_token_name value (edewata) - PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements (akasurde) - ticket remains open - PKI TRAC Ticket #2439 - Outdated deployment descriptors in upgraded server(edewata)- PKI TRAC Ticket #690 - [MAN] pki-tools man pages (mharmsen) - CMCEnroll - PKI TRAC Ticket #833 - pki user-mod fullName="" gives an error message "PKIException: LDAP error (21): error result" (edewata) - PKI TRAC Ticket #2431 - Errors noticed during ipa server upgrade. (cheimes, edewata, mharmsen) - PKI TRAC Ticket #2432 - Kra-selftest behavior is not as expected (edewata) - PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements (edewata, mharmsen) - PKI TRAC Ticket #2437 - TPS UI: while adding certs for users from TPSUI pem format with/without header works while pkcs7 with header is not allowed (edewata) - PKI TRAC Ticket #2440 - Optional CA signing CSR for migration (edewata)- Bugzilla Bug #1366465 - Errata TPS upgrade test fails- PKI TRAC Ticket #978 - TPS connector man page: add revocation routing info (cfu) - PKI TRAC Ticket #1285 - [MAN] Apply 'generateCRMFRequest() removed from Firefox' workarounds to appropriate 'pki' man page (jmagne) - PKI TRAC Ticket #2246 - [MAN] Man Page: AuditVerify (cfu) - PKI TRAC Ticket #2381 - Throws exception while providing invalid module. (edewata) - PKI TRAC Ticket #2383 - CLI :: pki client-cert-request --extractable should accept only boolean value (edewata) - PKI TRAC Ticket #2389 - Installation: subsystem certs could have notAfter beyond CA signing cert in case of external or existing CA (cfu) - PKI TRAC Ticket #2399 - Dogtag 10.3.5: Miscellaneous Enhancements (akasurde, alee, cheimes, edewata, jmagne, mharmsen) - PKI TRAC Ticket #2401 - pkispawn calls dnsdomainname even if it does not rpm-require hostname (mharmsen) - PKI TRAC Ticket #2402 - Conflict in file ownership in pki-base and pki-server (cheimes) - PKI TRAC Ticket #2403 - Deployment problem with RESTEasy 3.0.17 (edewata) - PKI TRAC Ticket #2406 - Make starting CRL Number configurable (jmagne) - PKI TRAC Ticket #2412 - pki client-cert-import --trust option does not apply the specified trust bits (alee) - PKI TRAC Ticket #2418 - [TPS] Some template substitution didn't happen during installation (alee) - PKI TRAC Ticket #2420 - CA subsystem OSCP responder fails when LWCAs are not used (ftweedal) - PKI TRAC Ticket #2421 - Incorrect SELinux contexts Installation/Configuration (edewata) - PKI TRAC Ticket #2424 - ipa-ca-install fails on replica when IPA server is converted from CA-less to CA-full (edewata) - PKI TRAC Ticket #2428 - broken request links for CA's system certs in agent request viewing (cfu) - PKI TRAC Ticket #2430 - CA Agent certificate list is not sorted by serial number in migration case (jmagne) - PKI TRAC Ticket #2431 - Errors noticed during ipa server upgrade. (mharmsen) - PKI TRAC Ticket #2433 - Lightweight CA GET /chain returns bogus PEM data (ftweedal)- PKI TRAC Ticket #691 - [MAN] pki-server man pages (mharmsen) - PKI TRAC Ticket #1114 - [MAN] Generting Symmetric key fails with key-generate when --usages verify is passed (jmagne) - PKI TRAC Ticket #1306 - [RFE] Add granularity to token termination in TPS (cfu) - PKI TRAC Ticket #1308 - [RFE] Provide ability to perform off-card key generation for non-encryption token keys (cfu) - PKI TRAC Ticket #1405 - [MAN] Add additional HSM details to 'pki_default.cfg' & 'pkispawn' man pages (mharmsen) - PKI TRAC Ticket #1607 - [MAN] man pkispawn has inadequate description for shared vs non shared tomcat instance installation (mharmsen) - PKI TRAC Ticket #1664 - [BUG] Add ability to disallow TPS to enroll a single user on multiple tokens. (jmagne) - PKI TRAC Ticket #1711 - CLI :: pki-server ca-cert-request-find throws IOError (edewata, ftweedal) - PKI TRAC Ticket #2285 - freeipa fails to start correctly after pki-core update on upgraded system (ftweedal) - PKI TRAC Ticket #2311 - When pki_token_name=Internal, consider normalizing it to "internal" (mharmsen) - PKI TRAC Ticket #2349 - Separated TPS does not automatically receive shared secret from remote TKS (jmagne) - PKI TRAC Ticket #2364 - CLI :: pki-server ca-cert-request-show throws attribute error (ftweedal) - PKI TRAC Ticket #2368 - pki-server subsystem subcommands throws error with --help option (edewata) - PKI TRAC Ticket #2374 - KRA cloning overwrites CA signing certificate trust flags (edewata) - PKI TRAC Ticket #2380 - Pki-server instance commands throws exception while specifying invalid parameters. (edewata) - PKI TRAC Ticket #2384 - CA installation with HSM prompts for HSM password during silent installation (edewata) - PKI TRAC Ticket #2385 - Upgraded CA lacks ca.sslserver.certreq in CS.cfg (ftweedal) - PKI TRAC Ticket #2387 - Add config for default OCSP URI if none given (ftweedal) - PKI TRAC Ticket #2388 - CA creation responds 500 if certificate issuance fails (ftweedal) - PKI TRAC Ticket #2389 - Installation: subsystem certs could have notAfter beyond CA signing cert in case of external or existing CA (cfu) - PKI TRAC Ticket #2390 - Dogtag 10.3.4: Miscellaneous Enhancements (akasurde, edewata)- PKI TRAC Ticket #2373 - Fedora 25: RestEasy 3.0.6 ==> 3.0.17 breaks pki-core (ftweedal)- Updated release number to 10.3.3-1- Updated version number to 10.3.3-0.1- Provided cleaner runtime dependency separation- Updated tomcatjss version dependencies- Updated 'java', 'java-headless', and 'java-devel' dependencies to 1:1.8.0.- Updated tomcat version dependencies- Updated version number to 10.3.2-1- Updated version number to 10.3.2-0.1- Updated version number to 10.3.1-1 (to allow upgrade from 10.3.0.b1)- Updated version number to 10.3.0-1- Build for F24 beta- PKI TRAC Ticket #2255 - PKCS #12 backup does not contain trust attributes.- Updated build for F24 alpha- PKI TRAC Ticket #1625 - Allow multiple ACLs of same name (union of rules) [ftweedal] - PKI TRAC Ticket #2237 - Add CRL dist points extension to OIDMap unconditionally [edewata] - PKI TRAC Ticket #1803 - Removed unnecessary URL encoding for admin cert request. [edewata] - PKI TRAC Ticket #1742 - Added support for cloning 3rd-party CA certificates. [edewata] - PKI TRAC Ticket #1482 - Added TPS token filter dialog. [edewata] - PKI TRAC Ticket #1808 - Fixed illegal token state transition via TEMP_LOST. [edewata]- Build for F24 alpha- PKI Trac Ticket #1399 - Move java components out of pki-base- PKI TRAC Ticket #1850 - Rename DRMTool --> KRATool- PKI TRAC Ticket #1714 - mod_revocator and mod_nss dependency for tps should be removed- PKI TRAC Ticket #1623 - Runtime dependency on python-nss is missing- Updated version number to 10.3.0-0.1- Added dep on tomcat-servlet-3.1-api [Fedora 23 and later] or dep on tomcat-servlet-3.0-api [Fedora 22 and later] to pki-tools - Updated dep on tomcatjss [Fedora 23 and later]- Updated dep on policycoreutils-python-utils [Fedora 23 and later]- Updated version number to 10.2.7-0.1- Update release number for release build- Remove setup directory and remaining Perl dependencies- Remove ExcludeArch directive- Updated version number to 10.2.6-0.1- Update release number for release build- Resolves rhbz #1230970 - Errata TPS tests for rpm verification failed- Updated version number to 10.2.5-0.1- Update release number for release build- Updated nuxwdog and tomcatjss requirements (alee)- Updated version number to 10.2.4-0.1 - Added nuxwdog systemd files- Update release number for release build- Reverted version number back to 10.2.3-0.1 - Added support for Tomcat 8.- Updated version number to 10.3.0-0.1- Updated version number to 10.2.3-0.1- Update release number for release build- Updated version number to 10.2.2-0.1 - Moved web application deployment locations. - Updated Resteasy and Jackson dependencies. - Added missing python-lxml build dependency.- Update release number for release build- PKI TRAC Ticket #1187 - mod_perl should be removed from requirements for 10.2 - PKI TRAC Ticket #1205 - Outdated selinux-policy dependency. - Removed perl(XML::LibXML), perl-Crypt-SSLeay, and perl-Mozilla-LDAP runtime dependencies- Change resteasy dependencies for F22+- Ticket 1198 Bugzilla 1158410 add TLS range support to server.xml by default and upgrade (cfu) - PKI Trac Ticket #1211 - New release overwrites old source tarball (mharmsen) - up the release number to 0.2- Updated version number to 10.2.1-0.1. - Added CLIs to simplify generating user certificates - Added enhancements to KRA Python API - Added a man page for pki ca-profile commands. - Added python api docs- Disable pylint dependency for RHEL builds - Added jakarta-commons-httpclient requirements - Added tomcat version for RHEL build - Added resteasy-base-client for RHEL build- PKI TRAC Ticket #1130 - Add RHEL/CentOS conditionals to spec- Update release number for release build- PKI TRAC Ticket #1017 - Rename pki-tps-tomcat to pki-tps- Merged jmagne@redhat.com's spec file changes from the stand-alone 'pki-tps-client' package needed to build/run the native 'tpsclient' command line utility into this 'pki-core' spec file under the 'tps' package. - Original tps libararies must be built to support this native utility. - Modifies tps package from 'noarch' into 'architecture-specific' package- PKI TRAC Ticket #1127 - Remove 'pki-ra', 'pki-setup', and 'pki-silent' packages . . .- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild- Respin to include the applet files with the rpm install. No change to spec file needed.- Bugzilla Bug #1120045 - pki-core: Switch to java-headless (build)requires -- drop dependency on java-atk-wrapper - Removed 'java-atk-wrapper' dependency from 'pki-server'- PKI TRAC Ticket #832 - Remove legacy 'systemctl' files . . .- Update rawhide build- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild- Use Requires: java-headless rebuild (#1067528)- Added option to build without server packages. - Replaced Jettison with Jackson. - Added python-nss build requirement - Bugzilla Bug #1057959 - pkispawn requires policycoreutils-python - TRAC Ticket #840 - pkispawn requires policycoreutils-python - Updated requirements for resteasy - Added template files for archive, retrieve and generate key requests to the client package.- Trac Ticket 788 - Clean up spec files - Update release number for release build - Updated requirements for resteasy- Change release number for beta build- Updated requirements for tomcat- Removed additional /var/run, /var/lock references.- Removed delivery of /var/lock and /var/run directories for fedora 20.- Moved Tomcat-based TPS into pki-core.- Listed new packages required during build, due to issues reported by pylint. - Packages added: python-requests, python-ldap, libselinux-python, policycoreutils-python- Added pylint scan to the build process.- Added man pages for upgrade tools.- Cleaned up the code to install man pages.- Reorganized deployment tools.- Bugzilla Bug 973224 - resteasy-base must be split into subpackages to simplify dependencies- Updated dependencies to Java 1.7.- TRAC Ticket 606 - add restart / start at boot info to pkispawn man page - TRAC Ticket 610 - Document limitation in using GUI install - TRAC Ticket 629 - Package ownership of '/usr/share/pki/etc/' directory- Change release number for 10.1 development- Fixed incorrect JNI_JAR_DIR.- TRAC Ticket 605 Junit internal function used in TestRunner, breaks F19 build- TRAC Ticket 604 Added fallback methods for pkispawn tests- Added default pki.conf in /usr/share/pki/etc - Create upgrade tracker on install and remove it on uninstall- Change release number for official release.- Added %pretrans script for f19 - Added java-atk-wrapper dependency- Added pki-server-upgrade script and pki.server module. - Call upgrade scripts in %post for pki-base and pki-server.- Added dependency on commons-io.- Add /var/log/pki and /var/lib/pki directories- Run pki-upgrade on post server installation.- Added dependency on python-lxml.- Added pki-upgrade script.- Updated version number to 10.0.2-0.1.- Renamed base/deploy to base/server. - Moved pki.conf into pki-base. - Removed redundant pki/server folder declaration.- Removed jython dependency- Added minimum python-requests version.- Bugzilla Bug #919476 - pkispawn crashes due to dangling symlink to jss4.jar- Added dependency on python-requests. - Reorganized Python module packaging.- Added dependency on python-ldap.- TRAC Ticket #517 - Clean up theme dependencies - TRAC Ticket #518 - Remove UI dependencies from pkispawn . . .- Removed runtime dependency on 'pki-server-theme' to resolve Bugzilla Bug #916134 - unresolved dependency in pki-server: pki-server-theme- TRAC Ticket 214 - Missing error description for duplicate user - TRAC Ticket 213 - Add nonces for cert revocation - TRAC Ticket 367 - pkidestroy does not remove connector - TRAC Ticket #430 - License for 3rd party code - Bugzilla Bug 839426 - [RFE] ECC CRL support for OCSP - Fix spec file to allow f17 to work with latest tomcatjss - TRAC Ticket 466 - Increase root CA validity to 20 years - TRAC Ticket 469 - Fix tomcatjss issue in spec files - TRAC Ticket 468 - pkispawn throws exception - TRAC Ticket 191 - Mapping HTTP Exceptions to HTTP error codes - TRAC Ticket 271 - Dogtag 10: Fix 'status' command in 'pkidaemon' . . . - TRAC Ticket 437 - Make admin cert p12 file location configurable - TRAC Ticket 393 - pkispawn fails when selinux is disabled - Punctuation and formatting changes in man pages - Revert to using default config file for pkidestroy - Hardcode setting of resteasy-lib for instance - TRAC Ticket 436 - Interpolation for pki_subsystem - TRAC Ticket 433 - Interpolation for paths - TRAC Ticket 435 - Identical instance id and instance name - TRAC Ticket 406 - Replace file dependencies with package dependencies- TRAC Ticket #430 - License for 3rd party code- TRAC Ticket #469 - Dogtag 10: Fix tomcatjss issue in pki-core.spec and dogtag-pki.spec . . . - TRAC Ticket #468 - pkispawn throws exception- Replaced file dependencies with package dependencies- Updated man pages- Update to official release for rc1- TRAC Ticket #315 - Man pages for pkispawn/pkidestroy. - Added place-holders for 'pki.1' and 'pki_default.cfg.5' man pages.- Added system-wide configuration /etc/pki/pki.conf. - Removed redundant lines in %files.- Moved default deployment configuration to /etc/pki.- Cleaned up spec file to provide only support rhel 7+, f17+ - Added resteasy-base dependency for rhel 7 - Update cmake version- Update release to b3- Removed dependency on CA, KRA, OCSP, TKS theme packages.- Renamed pki-common-theme to pki-server-theme.- TRAC Ticket #395 - Dogtag 10: Add a Tomcat 7 runtime requirement to 'pki-server'- Update release to b2- TRAC Ticket #350 - Dogtag 10: Remove version numbers from PKI jar files . . .- Added Obsoletes for pki-selinux- Remove build of pki-selinux for f18, use system policy instead- Update required tomcatjss version - Added net-tools dependency- Update selinux-policy version to fix error from latest policy changes- Fix typo in selinux policy versions- Added build requires for correct version of selinux-policy-devel- Update release to b1- Merged pki-silent into pki-server.- Renamed "shared" folder to "server".- Added required selinux versions for new policy.- Added Provides to packages replacing obsolete packages.- Update release to a2- Modified CMake to use RPM version number- Added VERSION file- Merged pki-setup into pki-server- Added Conflicts for IPA 2.X - Added build requires for zip to work around mock problem- TRAC Ticket #312 - Dogtag 10: Automatically restart any running instances upon RPM "update" . . . - TRAC Ticket #317 - Dogtag 10: Move "pkispawn"/"pkidestroy" from /usr/bin to /usr/sbin . . .- Fixed pki-server to include everything in shared dir.- Added build dependency on redhat-rpm-config.- Merged Javadoc packages.- Added pki-tomcat.jar.- Moved webapp creation code into pkispawn.- Split pki-client.jar into pki-certsrv.jar and pki-tools.jar.- Merged pki-native-tools and pki-java-tools into pki-tools. - Modified pki-server to depend on pki-tools.- Split pki-common into pki-base and pki-server. - Merged pki-util into pki-base. - Merged pki-deploy into pki-server.- Updated release of 'tomcatjss' to rely on Tomcat 7 for Fedora 17 - Changed Dogtag 10 build-time and runtime requirements for 'pki-deploy' - Altered PKI Package Dependency Chain (top-to-bottom): pki-ca, pki-kra, pki-ocsp, pki-tks --> pki-deploy --> pki-common- Added pki-client.jar.- Merged pki-jndi-realm.jar into pki-cmscore.jar.- PKI TRAC Task #254 - Dogtag 10: Fix spec file to build successfully via mock on Fedora 17 . . .- Moved 'pki-jndi-real.jar' link from 'tomcat6' to 'tomcat' (Tomcat 7)- Updated release of 'tomcatjss' to rely on Tomcat 7 for Fedora 18- Added CLI for REST services- Integration of Tomcat 7 - Addition of centralized 'pki-tomcatd' systemd functionality to the PKI Deployment strategy - Removal of 'pki_flavor' attribute- BZ 813075 - selinux denial for file size access- Bug 745278 - [RFE] ECC encryption keys cannot be archived- Replaced candlepin-deps with resteasy- Added option to build without Javadoc- BZ 802396 - Change location of TOMCAT_LOG to match tomcat6 changes - Corrected patch selected for selinux f17 rules- Corrected 'junit' dependency check- Initial attempt at PKI deployment framework described in 'http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment'.- Added support for pki-jndi-realm in tomcat6 in pki-common and pki-kra. - Ticket #69.- For 'mock' purposes, removed platform-specific logic from around the 'patch' files so that ALL 'patch' files will be included in the SRPM.- Removed dependency on OSUtil.- 'pki-selinux' - Added platform-dependent patches for SELinux component - Bugzilla Bug #739708 - Selinux fix for ephemeral ports (F16) - Bugzilla Bug #795966 - pki-selinux policy is kind of a mess (F17)- Added dependency on Apache Commons Codec.- Add '-DSYSTEMD_LIB_INSTALL_DIR' override flag to 'cmake' to address changes in fundamental path structure in Fedora 17 - 'pki-setup' - Hard-code Perl dependencies to protect against bugs such as Bugzilla Bug #772699 - Adapt perl and python fileattrs to changed file 5.10 magics - 'pki-selinux' - Bugzilla Bug #795966 - pki-selinux policy is kind of a mess- Integrated 'pki-kra' into 'pki-core' - Integrated 'pki-ocsp' into 'pki-core' - Integrated 'pki-tks' into 'pki-core' - Bugzilla Bug #788787 - added 'junit'/'junit4' build-time requirements- Updated package version number- Added resteasy-jettison-provider-2.3-RC1.jar to pki-setup- Added JUnit tests- 'pki-setup' - 'pki-symkey' - 'pki-native-tools' - 'pki-util' - Bugzilla Bug #737122 - DRM: during archiving and recovering, wrapping unwrapping keys should be done in the token (cfu) - 'pki-java-tools' - 'pki-common' - Bugzilla Bug #744797 - KRA key recovery (retrieve pkcs#12) fails after the in-place upgrade( CS 8.0->8.1) (cfu) - 'pki-selinux' - 'pki-ca' - Bugzilla Bug #746367 - Typo in the profile name. (jmagne) - Bugzilla Bug #737122 - DRM: during archiving and recovering, wrapping unwrapping keys should be done in the token (cfu) - Bugzilla Bug #749927 - Java class conflicts using Java 7 in Fedora 17 (rawhide) . . . (mharmsen) - Bugzilla Bug #749945 - Installation error reported during CA, DRM, OCSP, and TKS package installation . . . (mharmsen) - 'pki-silent'- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . (mharmsen) - Bugzilla Bug #699809 - Convert CS to use systemd (alee) - 'pki-setup' - Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS mode (cfu) - Bugzilla Bug #737192 - Need script to upgrade proxy configuration (alee) - 'pki-symkey' - Bugzilla Bug #730162 - TPS/TKS token enrollment failure in FIPS mode (hsm+NSS). (jmagne) - 'pki-native-tools' - Bugzilla Bug #730801 - Coverity issues in native-tools area (awnuk) - Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS mode (cfu) - 'pki-util' - Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS mode (cfu) - 'pki-java-tools' - 'pki-common' - Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS mode (cfu) - Bugzilla Bug #737218 - Incorrect request attribute name matching ignores request attributes during request parsing. (awnuk) - Bugzilla Bug #730162 - TPS/TKS token enrollment failure in FIPS mode (hsm+NSS). (jmagne) - 'pki-selinux' - Bugzilla Bug #739708 - pki-selinux lacks rules in F16 (alee) - 'pki-ca' - Bugzilla Bug #712931 - CS requires too many ports to be open in the FW (alee) - Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS mode (cfu) - 'pki-silent' - Bugzilla Bug #739201 - pkisilent does not take arch into account as Java packages migrated to arch-dependent directories (mharmsen)- 'pki-setup' - Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . - 'pki-symkey' - Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . - 'pki-native-tools' - 'pki-util' - Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . - 'pki-java-tools' - Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . - 'pki-common' - Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . - 'pki-selinux' - 'pki-ca' - Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . - Bugzilla Bug #699809 - Convert CS to use systemd (alee) - 'pki-silent' - Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .- 'pki-setup' - Bugzilla Bug #699809 - Convert CS to use systemd (alee) - 'pki-ca' - Bugzilla Bug #699809 - Convert CS to use systemd (alee) - 'pki-common' - Bugzilla Bug #699809 - Convert CS to use systemd (alee)- 'pki-setup' - Bugzilla Bug #712931 - CS requires too many ports to be open in the FW (alee) - 'pki-symkey' - 'pki-native-tools' - Bugzilla Bug #717643 - Fopen without NULL check and other Coverity issues (awnuk) - Bugzilla Bug #730801 - Coverity issues in native-tools area (awnuk) - 'pki-util' - 'pki-java-tools' - 'pki-common' - Bugzilla Bug #700522 - pki tomcat6 instances currently running unconfined, allow server to come up when selinux disabled (alee) - Bugzilla Bug #731741 - some CS.cfg nickname parameters not updated correctly when subsystem cloned (using hsm) (alee) - Bugzilla Bug #712931 - CS requires too many ports to be open in the FW (alee) - 'pki-selinux' - Bugzilla Bug #712931 - CS requires too many ports to be open in the FW (alee) - 'pki-ca' - Bugzilla Bug #712931 - CS requires too many ports to be open in the FW (alee) - 'pki-silent'- 'pki-setup' - Bugzilla Bug #689909 - Dogtag installation under IPA takes too much time - remove the inefficient sleeps (alee) - 'pki-symkey' - 'pki-native-tools' - 'pki-util' - 'pki-java-tools' - Bugzilla Bug #724861 - DRMTool: fix duplicate "dn:" records by renumbering "cn=" (mharmsen) - 'pki-common' - Bugzilla Bug #717041 - Improve escaping of some enrollment inputs like (jmagne, awnuk) - Bugzilla Bug #689909 - Dogtag installation under IPA takes too much time - remove the inefficient sleeps (alee) - Bugzilla Bug #708075 - Clone installation does not work over NAT (alee) - Bugzilla Bug #726785 - If replication fails while setting up a clone it will wait forever (alee) - Bugzilla Bug #728332 - xml output has changed on cert requests (awnuk) - Bugzilla Bug #700505 - pki tomcat6 instances currently running unconfined (alee) - 'pki-selinux' - Bugzilla Bug #700505 - pki tomcat6 instances currently running unconfined (alee) - 'pki-ca' - Bugzilla Bug #728605 - RFE: increase default validity from 6mo to 2yrs in IPA profile (awnuk) - 'pki-silent' - Bugzilla Bug #689909 - Dogtag installation under IPA takes too much time - remove the inefficient sleeps (alee)- 'pki-setup' - 'pki-symkey' - 'pki-native-tools' - 'pki-util' - Bugzilla Bug #719007 - Key Constraint keyParameter being ignored using an ECC CA to generate ECC certs from CRMF. (jmagne) - Bugzilla Bug #716307 - rhcs80 - DER shall not include an encoding for any component value which is equal to its default value (alee) - 'pki-java-tools' - 'pki-common' - Bugzilla Bug #720510 - Console: Adding a certificate into nethsm throws Token not found error. (jmagne) - Bugzilla Bug #719007 - Key Constraint keyParameter being ignored using an ECC CA to generate ECC certs from CRMF. (jmagne) - Bugzilla Bug #716307 - rhcs80 - DER shall not include an encoding for any component value which is equal to its default value (alee) - Bugzilla Bug #722989 - Registering an agent when a subsystem is created - does not log AUTHZ_SUCCESS event. (alee) - 'pki-selinux' - 'pki-ca' - Bugzilla Bug #719113 - Add client usage flag to caIPAserviceCert (awnuk) - 'pki-silent'- Updated release of 'jss' - Updated release of 'tomcatjss' for Fedora 15 - 'pki-setup' - Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen) - Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser (jdennis) - Bugzilla Bug #694569 - parameter used by pkiremove not updated (alee) - Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) - 'pki-symkey' - Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen) - Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) - 'pki-native-tools' - Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen) - Bugzilla Bug #717765 - TPS configuration: logging into security domain from tps does not work with clientauth=want. (alee) - Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) - 'pki-util' - Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen) - Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) - 'pki-java-tools' - Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen) - Bugzilla Bug #532548 - Tool to do DRM re-key (mharmsen) - Bugzilla Bug #532548 - Tool to do DRM re-key (config file and record processing) (mharmsen) - Bugzilla Bug #532548 - Tool to do DRM re-key (tweaks) (mharmsen) - Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) - 'pki-common' - Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen) - Bugzilla Bug #695403 - Editing signedaudit or transaction, system logs throws 'Invalid protocol' for OCSP subsystems (alee) - Bugzilla Bug #694569 - parameter used by pkiremove not updated (alee) - Bugzilla Bug #695015 - Serial No. of a revoked certificate is not populated in the CA signedAudit messages (alee) - Bugzilla Bug #694143 - CA Agent not returning specified request (awnuk) - Bugzilla Bug #695015 - Serial No. of a revoked certificate is not populated in the CA signedAudit messages (jmagne) - Bugzilla Bug #698885 - Race conditions during IPA installation (alee) - Bugzilla Bug #704792 - CC_LAB_EVAL: CA agent interface: SubjectID=$Unidentified$ fails audit evaluation (jmagne) - Bugzilla Bug #705914 - SCEP mishandles nicknames when processing subsequent SCEP requests. (awnuk) - Bugzilla Bug #661142 - Verification should fail when a revoked certificate is added. (jmagne) - Bugzilla Bug #707416 - CC_LAB_EVAL: Security Domain: missing audit msgs for modify/add (alee) - Bugzilla Bug #707416 - additional audit messages for GetCookie (alee) - Bugzilla Bug #707607 - Published certificate summary has list of non-published certificates with succeeded status (jmagne) - Bugzilla Bug #717813 - EV_AUDIT_LOG_SHUTDOWN audit log not generated for tps and ca on server shutdown (jmagne) - Bugzilla Bug #697939 - DRM signed audit log message - operation should be read instead of modify (jmagne) - Bugzilla Bug #718427 - When audit log is full, server continue to function. (alee) - Bugzilla Bug #718607 - CC_LAB_EVAL: No AUTH message is generated in CA's signedaudit log when a directory based user enrollment is performed (jmagne) - Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) - 'pki-selinux' - Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen) - Bugzilla Bug #720503 - RA and TPS require additional SELinux permissions to run in "Enforcing" mode (alee) - Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) - 'pki-ca' - Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen) - Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser (jdennis) - Bugzilla Bug #699837 - service command is not fully backwards compatible with Dogtag pki subsystems (mharmsen) - Bugzilla Bug #649910 - Console: an auditor or agent can be added to an administrator group. (jmagne) - Bugzilla Bug #707416 - CC_LAB_EVAL: Security Domain: missing audit msgs for modify/add (alee) - Bugzilla Bug #716269 - make ra authenticated profiles non-visible on ee pages (alee) - Bugzilla Bug #718621 - CC_LAB_EVAL: PRIVATE_KEY_ARCHIVE_REQUEST occurs for a revocation invoked by EE user (awnuk) - Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) - 'pki-silent' - Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen) - Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)- 'pki-setup' - 'pki-symkey' - 'pki-native-tools' - 'pki-util' - 'pki-java-tools' - Added 'DRMTool.cfg' configuration file to inventory - 'pki-common' - 'pki-selinux' - 'pki-ca' - 'pki-silent'- 'pki-setup' - 'pki-symkey' - 'pki-native-tools' - 'pki-util' - 'pki-java-tools' - Bugzilla Bug #532548 - Tool to do DRM re-key - 'pki-common' - 'pki-selinux' - 'pki-ca' - 'pki-silent'- 'pki-setup' - Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser - Bugzilla Bug #694569 - parameter used by pkiremove not updated - 'pki-symkey' - 'pki-native-tools' - 'pki-util' - 'pki-java-tools' - 'pki-common' - Bugzilla Bug #695403 - Editing signedaudit or transaction, system logs throws 'Invalid protocol' for OCSP subsystems - Bugzilla Bug #694569 - parameter used by pkiremove not updated - Bugzilla Bug #695015 - Serial No. of a revoked certificate is not populated in the CA signedAudit messages - Bugzilla Bug #694143 - CA Agent not returning specified request - Bugzilla Bug #695015 - Serial No. of a revoked certificate is not populated in the CA signedAudit messages - Bugzilla Bug #698885 - Race conditions during IPA installation - 'pki-selinux' - 'pki-ca' - Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser - Bugzilla Bug #699837 - service command is not fully backwards compatible with Dogtag pki subsystems - 'pki-silent'- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error.- Bugzilla Bug #690950 - Update Dogtag Packages for Fedora 15 (beta) - Bugzilla Bug #693327 - Missing requires: tomcatjss - 'pki-setup' - Bugzilla Bug #690626 - pkiremove removes the registry entry for all instances on a machine - 'pki-symkey' - 'pki-native-tools' - 'pki-util' - 'pki-java-tools' - Bugzilla Bug #689453 - CRMFPopClient request to CA's unsecure port throws file not found exception. - 'pki-common' - Bugzilla Bug #692990 - Audit log messages needed to match CC doc: DRM Recovery audit log messages - 'pki-selinux' - 'pki-ca' - 'pki-silent'- Bugzilla Bug #693327 - Missing requires: tomcatjss- Bugzilla Bug #690950 - Update Dogtag Packages for Fedora 15 (beta) - Require "jss >= 4.2.6-15" as a build and runtime requirement - Require "tomcatjss >= 2.1.1" as a build and runtime requirement for Fedora 15 and later platforms - 'pki-setup' - Bugzilla Bug #688287 - Add "deprecation" notice regarding using "shared ports" in pkicreate -help . . . - Bugzilla Bug #688251 - Dogtag installation under IPA takes too much time - SELinux policy compilation - 'pki-symkey' - 'pki-native-tools' - 'pki-util' - 'pki-java-tools' - Bugzilla Bug #689501 - ExtJoiner tool fails to join the multiple extensions - 'pki-common' - Bugzilla Bug #683581 - CA configuration with ECC(Default EC curve-nistp521) CA fails with 'signing operation failed' - Bugzilla Bug #689662 - ocsp publishing needs to be re-enabled on the EE port - 'pki-selinux' - Bugzilla Bug #684871 - ldaps selinux link change - 'pki-ca' - Bugzilla Bug #683581 - CA configuration with ECC(Default EC curve-nistp521) CA fails with 'signing operation failed' - Bugzilla Bug #684381 - CS.cfg specifies incorrect type of comments - Bugzilla Bug #689453 - CRMFPopClient request to CA's unsecure port throws file not found exception.(profile and CS.cfg only) - 'pki-silent'- Bugzilla Bug #688763 - Rebase updated Dogtag Packages for Fedora 15 (alpha) - Bugzilla Bug #676182 - IPA installation failing - Fails to create CA instance - Bugzilla Bug #675742 - Profile caIPAserviceCert Not Found - 'pki-setup' - Bugzilla Bug #678157 - uninitialized variable warnings from Perl - Bugzilla Bug #679574 - Velocity fails to load all dependent classes - Bugzilla Bug #680420 - xml-commons-apis.jar dependency - Bugzilla Bug #682013 - pkisilent needs xml-commons-apis.jar in it's classpath - Bugzilla Bug #673508 - CS8 64 bit pkicreate script uses wrong library name for SafeNet LunaSA - 'pki-common' - Bugzilla Bug #673638 - Installation within IPA hangs - Bugzilla Bug #678715 - netstat loop fixes needed - Bugzilla Bug #673609 - CC: authorize() call needs to be added to getStats servlet - 'pki-selinux' - Bugzilla Bug #674195: SELinux error message thrown during token enrollment - 'pki-ca' - Bugzilla Bug #673638 - Installation within IPA hangs - Bugzilla Bug #673609 - CC: authorize() call needs to be added to getStats servlet - Bugzilla Bug #676330 - init script cannot start service - 'pki-silent' - Bugzilla Bug #682013 - pkisilent needs xml-commons-apis.jar in it's classpath- 'pki-common' - Bugzilla Bug #676051 - IPA installation failing - Fails to create CA instance - Bugzilla Bug #676182 - IPA installation failing - Fails to create CA instance- 'pki-common' - Bugzilla Bug #674894 - ipactl restart : an annoy output line - Bugzilla Bug #675179 - ipactl restart : an annoy output line- Bugzilla Bug #673233 - Rebase pki-core to pick the latest features and fixes - 'pki-setup' - Bugzilla Bug #673638 - Installation within IPA hangs - 'pki-symkey' - 'pki-native-tools' - 'pki-util' - 'pki-java-tools' - Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided by 'netscape.security.provider' package - 'pki-common' - Bugzilla Bug #672291 - CA is not publishing certificates issued using "Manual User Dual-Use Certificate Enrollment" - Bugzilla Bug #670337 - CA Clone configuration throws TCP connection error. - Bugzilla Bug #504056 - Completed SCEP requests are assigned to the "begin" state instead of "complete". - Bugzilla Bug #504055 - SCEP requests are not properly populated - Bugzilla Bug #564207 - Searches for completed requests in the agent interface returns zero entries - Bugzilla Bug #672291 - CA is not publishing certificates issued using "Manual User Dual-Use Certificate Enrollment" - - Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided by 'netscape.security.provider' package - Bugzilla Bug #672920 - CA console: adding policy to a profile throws 'Duplicate policy' error in some cases. - Bugzilla Bug #673199 - init script returns control before web apps have started - Bugzilla Bug #674917 - Restore identification of Tomcat-based PKI subsystem instances - 'pki-selinux' - 'pki-ca' - Bugzilla Bug #504013 - sscep request is rejected due to authentication error if submitted through one time pin router certificate enrollment. - Bugzilla Bug #672111 - CC doc: certServer.usrgrp.administration missing information - Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml as part of CC interface review - Bugzilla Bug #672333 - Creation of RA agent fails in IPA installation - Bugzilla Bug #674917 - Restore identification of Tomcat-based PKI subsystem instances - 'pki-silent' - Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided by 'netscape.security.provider' package- Bugzilla Bug #656661 - Please Update Spec File to use 'ghost' on files in /var/run and /var/lock- 'pki-symkey' - Bugzilla Bug #671265 - pki-symkey jar version incorrect - 'pki-common' - Bugzilla Bug #564207 - Searches for completed requests in the agent interface returns zero entries- Allow 'pki-native-tools' to be installed independently of 'pki-setup' - Removed explicit 'pki-setup' requirement from 'pki-ca' (since it already requires 'pki-common') - 'pki-setup' - Bugzilla Bug #223343 - pkicreate: should add 'pkiuser' to nfast group - Bugzilla Bug #629377 - Selinux errors during pkicreate CA, KRA, OCSP and TKS. - Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port fowarding for agent services - Bugzilla Bug #632425 - Port to tomcat6 - Bugzilla Bug #606946 - Convert Native Tools to use ldapAPI from OpenLDAP instead of the Mozldap - Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface - Bugzilla Bug #643206 - New CMake based build system for Dogtag - Bugzilla Bug #658926 - org.apache.commons.lang class not found on F13 - Bugzilla Bug #661514 - CMAKE build system requires rules to make javadocs - Bugzilla Bug #665388 - jakarta-* jars have been renamed to apache-*, pkicreate fails Fedora 14 and above - Bugzilla Bug #23346 - Two conflicting ACL list definitions in source repository - Bugzilla Bug #656733 - Standardize jar install location and jar names - 'pki-symkey' - Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface - Bugzilla Bug #643206 - New CMake based build system for Dogtag - Bugzilla Bug #644056 - CS build contains warnings - 'pki-native-tools' - template change - Bugzilla Bug #606946 - Convert Native Tools to use ldapAPI from OpenLDAP instead of the Mozldap - Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface - Bugzilla Bug #643206 - New CMake based build system for Dogtag - Bugzilla Bug #644056 - CS build contains warnings - 'pki-util' - Bugzilla Bug #615814 - rhcs80 - profile policyConstraintsCritical cannot be set to true - Bugzilla Bug #224945 - javadocs has missing descriptions, contains empty packages - Bugzilla Bug #621337 - Limit the received senderNonce value to 16 bytes. - Bugzilla Bug #621338 - Include a server randomly-generated 16 byte senderNonce in all signed SCEP responses. - Bugzilla Bug #621327 - Provide switch disabling algorithm downgrade attack in SCEP - Bugzilla Bug #621334 - Provide an option to set default hash algorithm for signing SCEP response messages. - Bugzilla Bug #635033 - At installation wizard selecting key types other than CA's signing cert will fail - Bugzilla Bug #645874 - rfe ecc - add ecc curve name support in JSS and CS interface - Bugzilla Bug #488253 - com.netscape.cmsutil.ocsp.BasicOCSPResponse ASN.1 encoding/decoding is broken - Bugzilla Bug #551410 - com.netscape.cmsutil.ocsp.TBSRequest ASN.1 encoding/decoding is incomplete - Bugzilla Bug #550331 - com.netscape.cmsutil.ocsp.ResponseData ASN.1 encoding/decoding is incomplete - Bugzilla Bug #623452 - rhcs80 pkiconsole profile policy editor limit policy extension to 5 only - Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface - Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml) - Bugzilla Bug #643206 - New CMake based build system for Dogtag - Bugzilla Bug #661514 - CMAKE build system requires rules to make javadocs - Bugzilla Bug #658188 - remove remaining references to tomcat5 - Bugzilla Bug #656733 - Standardize jar install location and jar names - Bugzilla Bug #223319 - Certificate Status inconsistency between token db and CA - Bugzilla Bug #531137 - RHCS 7.1 - Running out of Java Heap Memory During CRL Generation - 'pki-java-tools' - Bugzilla Bug #224945 - javadocs has missing descriptions, contains empty packages - Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface - Bugzilla Bug #659004 - CC: AuditVerify hardcoded with SHA-1 - Bugzilla Bug #643206 - New CMake based build system for Dogtag - Bugzilla Bug #661514 - CMAKE build system requires rules to make javadocs - Bugzilla Bug #662156 - HttpClient is hard-coded to handle only up to 5000 bytes - Bugzilla Bug #656733 - Standardize jar install location and jar names - 'pki-common' - Bugzilla Bug #583822 - CC: ACL issues from CA interface CC doc review - Bugzilla Bug #623745 - SessionTimer with LDAPSecurityDomainSessionTable started before configuration completed - Bugzilla Bug #620925 - CC: auditor needs to be able to download audit logs in the java subsystems - Bugzilla Bug #615827 - rhcs80 - profile policies need more than 5 policy mappings (seem hardcoded) - Bugzilla Bug #224945 - javadocs has missing descriptions, contains empty packages - Bugzilla Bug #548699 - subCA's admin certificate should be generated by itself - Bugzilla Bug #621322 - Provide switch disabling SCEP support in CA - Bugzilla Bug #563386 - rhcs80 ca crash on invalid inputs to profile caAgentServerCert (null cert_request) - Bugzilla Bug #621339 - SCEP one-time PIN can be used an unlimited number of times - Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml as part of CC interface review - Bugzilla Bug #629677 - TPS: token enrollment fails. - Bugzilla Bug #621350 - Unauthenticated user can decrypt a one-time PIN in a SCEP request - Bugzilla Bug #503838 - rhcs71-80 external publishing ldap connection pools not reliable - improve connections or discovery - Bugzilla Bug #629769 - password decryption logs plain text password - Bugzilla Bug #583823 - CC: Auditing issues found as result of CC - interface review - Bugzilla Bug #632425 - Port to tomcat6 - Bugzilla Bug #586700 - OCSP Server throws fatal error while using OCSP console for renewing SSL Server certificate. - Bugzilla Bug #621337 - Limit the received senderNonce value to 16 bytes. - Bugzilla Bug #621338 - Include a server randomly-generated 16 byte senderNonce in all signed SCEP responses. - Bugzilla Bug #607380 - CC: Make sure Java Console can configure all security relevant config items - Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be generated on TKS instead of TPS. - Bugzilla Bug #489342 - com.netscape.cms.servlet.common.CMCOutputTemplate.java doesn't support EC - Bugzilla Bug #630121 - OCSP responder lacking option to delete or disable a CA that it serves - Bugzilla Bug #634663 - CA CMC response default hard-coded to SHA1 - Bugzilla Bug #621327 - Provide switch disabling algorithm downgrade attack in SCEP - Bugzilla Bug #621334 - Provide an option to set default hash algorithm for signing SCEP response messages. - Bugzilla Bug #635033 - At installation wizard selecting key types other than CA's signing cert will fail - Bugzilla Bug #621341 - Add CA support for new SCEP key pair dedicated for SCEP signing and encryption. - Bugzilla Bug #223336 - ECC: unable to clone a ECC CA - Bugzilla Bug #539781 - rhcs 71 - CRLs Partitioned by Reason Code - onlySomeReasons ? - Bugzilla Bug #637330 - CC feature: Key Management - provide signature verification functions (JAVA subsystems) - Bugzilla Bug #223313 - should do random generated IV param for symmetric keys - Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port fowarding for agent services - Bugzilla Bug #630176 - Improve reliability of the LdapAnonConnFactory - Bugzilla Bug #524916 - ECC key constraints plug-ins should be based on ECC curve names (not on key sizes). - Bugzilla Bug #516632 - RHCS 7.1 - CS Incorrectly Issuing Multiple Certificates from the Same Request - Bugzilla Bug #648757 - expose and use updated cert verification function in JSS - Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection of signature algorithm; and for ECC curves - Bugzilla Bug #451874 - RFE - Java console - Certificate Wizard missing e.c. support - Bugzilla Bug #651040 - cloning shoud not include sslserver - Bugzilla Bug #542863 - RHCS8: Default cert audit nickname written to CS.cfg files imcomplete when the cert is stored on a hsm - Bugzilla Bug #360721 - New Feature: Profile Integrity Check . . . - Bugzilla Bug #651916 - kra and ocsp are using incorrect ports to talk to CA and complete configuration in DonePanel - Bugzilla Bug #642359 - CC Feature - need to verify certificate when it is added - Bugzilla Bug #653713 - CC: setting trust on a CIMC cert requires auditing - Bugzilla Bug #489385 - references to rhpki - Bugzilla Bug #499494 - change CA defaults to SHA2 - Bugzilla Bug #623452 - rhcs80 pkiconsole profile policy editor limit policy extension to 5 only - Bugzilla Bug #649910 - Console: an auditor or agent can be added to an administrator group. - Bugzilla Bug #632425 - Port to tomcat6 - Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface - Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml) - Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets as expected - Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for validity - Bugzilla Bug #643206 - New CMake based build system for Dogtag - Bugzilla Bug #659004 - CC: AuditVerify hardcoded with SHA-1 - Bugzilla Bug #661196 - ECC(with nethsm) subca configuration fails with Key Type RSA Not Matched despite using ECC key pairs for rootCA & subCA. - Bugzilla Bug #661889 - The Servlet TPSRevokeCert of the CA returns an error to TPS even if certificate in question is already revoked. - Bugzilla Bug #663546 - Disable the functionalities that are not exposed in the console - Bugzilla Bug #661514 - CMAKE build system requires rules to make javadocs - Bugzilla Bug #658188 - remove remaining references to tomcat5 - Bugzilla Bug #649343 - Publishing queue should recover from CA crash. - Bugzilla Bug #491183 - rhcs rfe - add rfc 4523 support for pkiUser and pkiCA, obsolete 2252 and 2256 - Bugzilla Bug #640710 - Current SCEP implementation does not support HSMs - Bugzilla Bug #656733 - Standardize jar install location and jar names - Bugzilla Bug #661142 - Verification should fail when a revoked certificate is added - Bugzilla Bug #642741 - CS build uses deprecated functions - Bugzilla Bug #670337 - CA Clone configuration throws TCP connection error - Bugzilla Bug #662127 - CC doc Error: SignedAuditLog expiration time interface is no longer available through console - 'pki-selinux' - Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface - Bugzilla Bug #643206 - New CMake based build system for Dogtag - Bugzilla Bug #667153 - store nuxwdog passwords in kernel ring buffer - selinux changes - 'pki-ca' - Bugzilla Bug #583822 - CC: ACL issues from CA interface CC doc review - Bugzilla Bug #620925 - CC: auditor needs to be able to download audit logs in the java subsystems - Bugzilla Bug #621322 - Provide switch disabling SCEP support in CA - Bugzilla Bug #583824 - CC: Duplicate servlet mappings found as part of CC interface doc review - Bugzilla Bug #621602 - pkiconsole: Click on 'Publishing' option with admin privilege throws error "You are not authorized to perform this operation". - Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml as part of CC interface review - Bugzilla Bug #583823 - CC: Auditing issues found as result of CC - interface review - Bugzilla Bug #519291 - Deleting a CRL Issuing Point after edits throws 'Internal Server Error'. - Bugzilla Bug #586700 - OCSP Server throws fatal error while using OCSP console for renewing SSL Server certificate. - Bugzilla Bug #621337 - Limit the received senderNonce value to 16 bytes. - Bugzilla Bug #621338 - Include a server randomly-generated 16 byte senderNonce in all signed SCEP responses. - Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be generated on TKS instead of TPS. - Bugzilla Bug #630121 - OCSP responder lacking option to delete or disable a CA that it serves - Bugzilla Bug #634663 - CA CMC response default hard-coded to SHA1 - Bugzilla Bug #621327 - Provide switch disabling algorithm downgrade attack in SCEP - Bugzilla Bug #621334 - Provide an option to set default hash algorithm for signing SCEP response messages. - Bugzilla Bug #539781 - rhcs 71 - CRLs Partitioned by Reason Code - onlySomeReasons ? - Bugzilla Bug #637330 - CC feature: Key Management - provide signature verification functions (JAVA subsystems) - Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port fowarding for agent services - Bugzilla Bug #524916 - ECC key constraints plug-ins should be based on ECC curve names (not on key sizes). - Bugzilla Bug #516632 - RHCS 7.1 - CS Incorrectly Issuing Multiple Certificates from the Same Request - Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection of signature algorithm; and for ECC curves - Bugzilla Bug #529945 - (Instructions and sample only) CS 8.0 GA release -- DRM and TKS do not seem to have CRL checking enabled - Bugzilla Bug #609641 - CC: need procedure (and possibly tools) to help correctly set up CC environment - Bugzilla Bug #509481 - RFE: support sMIMECapabilities extensions in certificates (RFC 4262) - Bugzilla Bug #651916 - kra and ocsp are using incorrect ports to talk to CA and complete configuration in DonePanel - Bugzilla Bug #511990 - rhcs 7.3, 8.0 - re-activate missing object signing support in RHCS - Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml) - Bugzilla Bug #489385 - references to rhpki - Bugzilla Bug #499494 - change CA defaults to SHA2 - Bugzilla Bug #623452 - rhcs80 pkiconsole profile policy editor limit policy extension to 5 only - Bugzilla Bug #649910 - Console: an auditor or agent can be added to an administrator group. - Bugzilla Bug #632425 - Port to tomcat6 - Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface - Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets as expected - Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for validity - Bugzilla Bug #643206 - New CMake based build system for Dogtag - Bugzilla Bug #661128 - incorrect CA ports used for revoke, unrevoke certs in TPS - Bugzilla Bug #512496 - RFE rhcs80 - crl updates and scheduling feature - Bugzilla Bug #661196 - ECC(with nethsm) subca configuration fails with Key Type RSA Not Matched despite using ECC key pairs for rootCA & subCA. - Bugzilla Bug #649343 - Publishing queue should recover from CA crash. - Bugzilla Bug #491183 - rhcs rfe - add rfc 4523 support for pkiUser and pkiCA, obsolete 2252 and 2256 - Bugzilla Bug #223346 - Two conflicting ACL list definitions in source repository - Bugzilla Bug #640710 - Current SCEP implementation does not support HSMs - Bugzilla Bug #656733 - Standardize jar install location and jar names - Bugzilla Bug #661142 - Verification should fail when a revoked certificate is added - Bugzilla Bug #668100 - DRM storage cert has OCSP signing extended key usage - Bugzilla Bug #662127 - CC doc Error: SignedAuditLog expiration time interface is no longer available through console - Bugzilla Bug #531137 - RHCS 7.1 - Running out of Java Heap Memory During CRL Generation - 'pki-silent' - Bugzilla Bug #627309 - pkisilent subca configuration fails. - Bugzilla Bug #640091 - pkisilent panels need to match with changed java subsystems - Bugzilla Bug #527322 - pkisilent ConfigureDRM should configure DRM Clone. - Bugzilla Bug #643053 - pkisilent DRM configuration fails - Bugzilla Bug #583754 - pki-silent needs an option to configure signing algorithm for CA certificates - Bugzilla Bug #489385 - references to rhpki - Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface - Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml) - Bugzilla Bug #640042 - TPS Installlation Wizard: need to move Module Panel up to before Security Domain Panel - Bugzilla Bug #643206 - New CMake based build system for Dogtag - Bugzilla Bug #588323 - Failed to enable cipher 0xc001 - Bugzilla Bug #656733 - Standardize jar install location and jar names - Bugzilla Bug #645895 - pkisilent: add ability to select ECC curves, signing algorithm - Bugzilla Bug #658641 - pkisilent doesn't not properly handle passwords with special characters - Bugzilla Bug #642741 - CS build uses deprecated functions- Bugzilla Bug #668839 - Review Request: pki-core - Removed empty "pre" from "pki-ca" - Consolidated directory ownership - Corrected file ownership within subpackages - Removed all versioning from NSS and NSPR packages- Bugzilla Bug #668839 - Review Request: pki-core - Added component versioning comments - Updated JSS from "4.2.6-10" to "4.2.6-12" - Modified installation section to preserve timestamps - Removed sectional comments- Initial revision. (kwright@redhat.com & mharmsen@redhat.com)  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijkl10.5.18-17.el7_9    pki-kra-10.5.18LICENSEpki-kra.jarkraconfCS.cfgCatalinalocalhostkra.xmlacl.ldifacl.propertiesauth-method.propertiesdb.ldifindex.ldifindextasks.ldifjk2.manifestjk2.propertiesjkconf.ant.xmljkconfig.manifestserver-minimal.xmlshm.manifesttomcat-jk2.manifesttomcat-users.xmluriworkermap.propertiesvlv.ldifvlvtasks.ldifworkers.propertiesworkers.properties.minimalworkers2.propertiesworkers2.properties.minimalsetupregistry_instancewebappsROOTWEB-INFweb.xmlindex.jspkra404.html500.htmlGenUnexpectedError.templateWEB-INFlibpki-certsrv.jarpki-cms.jarpki-cmsbundle.jarpki-cmscore.jarpki-cmsutil.jarpki-kra.jarpki-nsutil.jarvelocity.propertiesweb.xmladminconsoleagentGenError.templateGenPending.templateGenRejected.templateGenSuccess.templateGenSvcPending.templateGenUnauthorized.templateGenUnexpectedError.templatecms-funcs.jsfuncs.jsheader.templatehelpfun.jsindex.jspindex.templatekraGrantRecovery.htmlListRequests.htmlSrchKey.htmlSrchRecoverKey.htmlconfirmRecover.htmlconfirmRecoverBySerial.templatedisplayBySerial.templatedisplayBySerial2.templatedisplayBySerialForRecovery.templateexamineRecovery.templatefinishAsyncRecovery.templatefinishRecovery.templateframeGrant.htmlframeRecover.htmlframeRequest.htmlframeSearch.htmlframeStats.htmlgetApprovalStatus.templategetStats.templategrantAsyncRecovery.templategrantRecovery.templateindex.jspmenuCheck.htmlmenuGrant.htmlmenuRecover.htmlmenuRequest.htmlmenuSearch.htmlmenuStats.htmlmonitor.templateprocessReq.templatequeryKey.templatequeryKeyForRecovery.templatequeryReq.templaterecoverBySerial.templatesrchKey.templatesrchKeyForRecovery.templatetop.htmlindex.jspservices.template/usr/share/doc//usr/share/doc/pki-kra-10.5.18//usr/share/java/pki//usr/share/pki//usr/share/pki/kra//usr/share/pki/kra/conf//usr/share/pki/kra/conf/Catalina//usr/share/pki/kra/conf/Catalina/localhost//usr/share/pki/kra/setup//usr/share/pki/kra/webapps//usr/share/pki/kra/webapps/ROOT//usr/share/pki/kra/webapps/ROOT/WEB-INF//usr/share/pki/kra/webapps/kra//usr/share/pki/kra/webapps/kra/WEB-INF//usr/share/pki/kra/webapps/kra/WEB-INF/lib//usr/share/pki/kra/webapps/kra/admin//usr/share/pki/kra/webapps/kra/agent//usr/share/pki/kra/webapps/kra/agent/kra/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m32 -march=x86-64 -mtune=generic -mfpmath=sse -fasynchronous-unwind-tablescpioxz2i686-redhat-linux-gnu  directoryASCII textASCII text, with CRLF line terminators (Zip archive data, at least v2.0 to extract)ASCII text, with very long linesXML 1.0 document textexported SGML document, ASCII textC++ source, ASCII textXML 1.0 document, ASCII textHTML document, ASCII text?7zXZ !#,] b2u jӫ`(1"lq>6aj7fm]VNHU1GNØ!V*OͯU`F PZ˕׾8:Q8Mn<1O&\A+cB=(gS;;8ngxZXFlVg9sP~݌` $ j6JwA,n#85\&X'w^ >'V2'Y.} mGb:,~淂W|V?FKC`GPݯ?Q3rap1ldq;݌/H!w)p?jyhfBJƑbMM'TmmC!_=u1 $ #wlu.-l)ka dAPDI1"7E3Jք'k n)8ݣ,L6+xZBZ@r&x*s0FY&#rCJˇm0 @[EC2<;)0JM[UZ3|E;3Rucg Pm"b9[W/OLSWߕH;G=raAԓJFŲkD BզQFryۘB, _pЂ } 909&6P"刕؏mIs=cE/KS0:P z9CE]iuqZLq>OB쿛}  R+ߌ<=cX.Ly\DNgjD>WOkAf2_2(@r]h&Oywy^cء~@zhx[1ɧ`j`_UYΓNv|P0fFٗy1 -~ f&lsL$ܴ{0T^ w;?ڇU?͉By}q#dzwds GPPFVSBQי0EðY-f-,=Z{ZQi`C7y ą=<AC+.Ѯ(UVf#|)R4&4PA׺-[VIEiqWy 6*JՖ5RI}̂8`\1rh6Rx{]v`N5ee| N[WQH5tw!Ə勎S"ğ5$olÕ:t״Th+ 6 ?, D>+fZݒ51)ݼGNh8s#GtG΋,@Jτ0FY]s=le(dt5.t`^yj풟=;kj>1T}%xG=C;HhBƸx?:9 wFZ+q{7Q ×o#e;{q=Gra{d^MXxhD$Up_b VObt *R&^VQA٥~ }N%)"X156~0q0o쏄ERJTXXG/NWF'B ozҞc3Ho+u:/#9n?u`Y[8JKW$jH 8k(Ayׄ &nrdWYʻ'TI2BpObu AHZwVVy˜W8p\/B.˲Y4"e>"0ia먺o瘠aꉡjTBtv\1v&̢y*Y TfsSi|JD"e{i7EhQ%a5'Kԡe~c+!q#ZSS[j*ᛥ2Ԃwۆ"W%lAD\wD ͍tHV.@T~Ґe,2:۩qp2O keIp.zqؾ=ity6˚R\= lmzKo0?H@u _EC)D]0-1Z.']P2O@*{)jvD6a'DY25\i*6҉ Bk8'#/JS/x^G0޳?x;oA֫kq$ܬSp@G JEjYƒϟ~ez`<%Wy;(#^cn.=u轰ρ4+nf.ԉe(Ti`%ͩ$$MBVyB;`kFWb/ bGDT,}-+̑ɖ*×B o;jWD")g6;ҝ68u܌iFCԕ)^_[z@=ėpHQp ꬝:#hSl2m\n RA ܙFWs$]iWpӜ.#i PC@> sYρIr"|RMK KpQGt3++zPv搩%|۪)!h~ޏqT߮SO>8z%(?' &!P0ndX;<:k`\RPt cuAtn1Joh0 ǝ,[h@ ` ڋ|'e2(-jx! sO(m3u?p.pIER(_;`z+3E'1yY:S݊W ,PMN)-(Ca/I2{b^ٿ_~S,_v8O$~rBhlhCKbԲgڭ!x'7Fp/KlCp:8~w_mH ImWalu ~Qr7p ^ tZshyTW yLdZ$ΊJ5(ILz+EաM*6>*9D} h(DIƺKlCvIN!s9u/|ƺFɮO*rsBY%},WB U!fńzt?LxB*]^efx'խ["^Ð9J?.k,=)kX\ed5u_jWV;Ơs92gq1b(aP!0u6kEeGۺ`I<72. v5~D#6d&o eaL2Y7 5B`[@O G*|q?7{|P$ᒵg8ve>HiWγ=GDS;80{JǗIlg&ܗ>"ECB~zmL g0=wmJ+ÔNc]ܨ Sҭ,R.=*2Ǖ~0@:>2aNj"2 Zgv) NUN<]#*H\4S|C_S7%ב@.;ˤ⠋oL5j%nlA8=z.'3fT3:F{ DB@52]0bEiLdqATOxUH֒NݯBǦîP꯾٢ dXr &qOR=Iƍl˷r9[Gp۶ʣ3ú۟xKEu|ޔ1]ՇzMM %Z'~ >zIFȫz-/܃v&L݌En㥂Nbp*(e&꛺A)9ᄖY}&)SPe1b\b#:'>=ޣFB,ԡ~R*z`0Rc{(Vݳdpϐ1xU`pV,?^i™#!#2avffFC%E kհAQM|GMö$ y) | \ĒtwjփVÇ{&rL/1v%_Ҭ&Ƞ'aB;#W[d9$ d'ͼ3//>W#Fk3 +ѳ%%ASW­_dzHQJIJ<:fhk(5Tq'Oj`z1Rx6?4@9+⩮ .+zhu[$>`C&)AiV@Q&MWJ Ʉ8n{OnbǦ~5 Y"Ha5vy4؍w'\[L>ȸgV@{7_6h&;=`2&r5ҦXY]_'b2[e>£{R!aWT`49F&;#~w_qRE4VHGN6`oڳNAPNr(1cM"?(+uU Cb[W2p5N %a,iYYIH+ZW4ӺڊC377E^QdWxۮ;,u <$=^UIF:Yp;dZa v IgT:EY`%ܝ|ҵMz?Hng ߖv-2v Muׄ!&xs}e!ٱ̟s tp ]Cgi%A':7J`8 qȋlQ *¾ۍ0*+mpi}Ka]cM|]4PK8$"ѣ-'" aKLY@TωȺ+TsOj|NTqfl&<;Cӽqb;cVPMـC&y3YKW,Ʈ.ξZ,D3q@RD.3@ Z$KKyCĹ/(IYRǯSA5xǤѳUm\j s N_H{ iK_ ͌(a)3'Kz7ֹQyr)~t#.WM;N}e@i2M[VAc'q8i* W %[^['eYQwq+9іZ͡A. E޳L,? q̖5C5 #^~kxpbx_` pE\ޟ3g=yt@Iy4?jE;(vo#M9LSOM%F MjY=0M8dBF iawAIHryk,g>oVmV(zNc@ ={\*$ɂR~,Q^9mOmiئJ\5B6kUq2ԟt>REP5,[!hYpUE8Azd ΃H@hʭ[DŽgWChr@ !O V(RF/W&M(D !\.6d9t Baa8ҴG*9]pLss#v9So)4 w o:Pw+*(~RK!j;g(bԩD]$<:mED HoK:/@-팀dM$ݨvm\!k!X~gr$2Wq aK addnh:]"ÑvOyF.idZ"AGZnh/@{7HM]F@=Su膞݋C:fz#abçkQ= gu9p9é2kLdxr>d+tO`lcfꌖ:}.ZB=&Üe) ˝mt ^d555,ez1z$JR?_9]o6U]`NjEy>VtiEF{-8=35GI<5hA?m7<-jb-NcT t.Sut4ִyZ.ұsTljW '[̠;vi%ڼe51\B9bJ@]>qE]:iP3ưgWPXf%5 >Ebgf^}A%=8qb X{MWw|S~_/w-e* 萲,,6?K(PN9]N}L|Q2YzmywА(Ϯk+P6'p]<$6ҧ XIS[ TEsRlw&ɍzήIlx&ؘXFl!s1ȢR;-Ǯm5ʜ-}wc;0Nj{).fAhPc,m~0֯*7Nx ^Odזwa#5=)jAń(c$ܪRE/kBv#r$b-i^O",2a=_%a9,BSΒʋy}Ct4/mu.rOhT:k-ܠ&]6^XvȟG:Lcz9~>*<\Xt>q[t)P*'!Yȃ8 E[aM6>g͚Dצ+KNF²L@ N4g Oz`/Ć+Y&K ]WM1OP0!EZnf֨=L"y/];nhf_7DFq_éYIqaˁ8ROQQylīCgl W©ן<]Ҵ4ѯIuN$_7c'|6BbFuwdso\:!ulc/ɴed{3V" BjA'-ono͒ 12}ħ7'rBQf_,!(؃$qQTIQ9H-Ұw]dY;mڟf}bŐci+h͟xsDRӥ6c3ͦŒ.(a6a|X' pXp=XC~"ϫITKY;2sd5=2g{g/D4\=";Ag+q5KtcFOw=Gyŋ`K]ْvF/i9*vcLJKe^ od!w4΅7Z2VZ+H`DQmYŐ=?ix?aç??l%U-;{RCrB|eд|2E2yբ )ݢfYҏmXk*tJK R@clZjS|qm,KWwg% .,oD_sw+> V}#k9@M[W3o7[#|Fҥz:g,@xcCL'g7ug/gPlRLCsB6ԼEd+LbIwH"7//4Xs#Ş;m^zn+ fW"'sbOoþ%5W@ B_)u?ދsَ'.t7n<˹. 'B>t~ԥ8,`) 10äE9ڡZP(O#ʴ_̀oƩl2|k FO.\,-%}ml WsAꉻ!ʕ襤JZ%#|A%NZFk l;E>DQz7 1f`` )@o9n9fN̍UU]mn]iot@;:S9tO =UyOr@ ocz&]ЦAd>Iw{> f4倳6Mi0HRͼF<́.AU?EWJ7nA[.uwU-k*Tbbz$2AT1t vK _U[ݨ'GmTb5@9a'׏%25MpmdA6 `C-onCG9pj*a|.3 FU3m/[P hm#>hѲpe=QC׊twFW䏤Ϭ%z>]ϒTĐR 9&F 2\qlpe[)RaFe$~cƾџ\ `];`&Aƕrr8dU^%K(M#89kR:MgWC%!_LƏ͛-.^q]άt=Yِ ]1jqlg1Lx7&%2=A xMo=ZGQ1tfˏ*%ΉsebԳ6Q'<4$D|f5AQyZ6kHNM7 *Q9kQ5'q*பKJC_}[s Qagysߧ7*ɶvfS%9Z5y" ٹy5/'l4=5*6l `I !Tw]'ruxdlL@wNr3B+ R4 Rzv|{#6Kڒ"<Ɍ t泋W7}qz`=>%Ҁ.z&,8v LfKؒH_0'b;pؙv!L**I46QQyݤ\4ttMsE& d6fQږV0!1Yxz~V).l9#ӻ51p%QLĒ5m[.cLne*Vp&IovԹq Q)ɕźӮ-Ha7*B\J@5fiz"4avG ʾk+ ` żʓ"O\S#ӣC.SOqz}#_lkgg M <sH[~gJnUb),M/۩ @KS3窞m͚XywGИc1bR cLO? cקgdz\g$6pq%ͱ̗Z= c~ ͑/˃lžBpty\Å[!Fm2mr2hLኣ8>D<Oi޲z܆.tʂ*/EsrKיwT,Jggy3g ~hԣ*G &iٻҲMԴ Hs,ЄZA3iJX#߰}ΆT >V%:av0of~%(2sg"i(evUBΤW ѻSj*L)۹VNp&!&UEVeHa+q Q/!Ubϓ{ڗzD>j-9UXöMnyc6"~WH5^?yu46R8t1cT_PXcsm$m+;Aںt~ŴB\b?(.-.8ٕ_YuQaŵҵϨ'LN{GKi~8 b8j5;kC2)=I 8•VZTrZٟ!E;M0—^е- .ųY@CN%Djp&C.#Il};0F8J!b뉾%#: 4 XgԢTCMh@Gg詣m5'y4}!~_ wMY, #VUføC['ll0߅l0bpq$_Lv%< ):Z&<8~7P<Cp`AE*}_T8Km+Ԧ,ɷ\ ]u;fʌ8K[P47]Ec-wHxn2fdHd0x,m.>쌲疸>dVe`4g>~MB'L@aˮcRd.5A#ĝ1U4X7pΒ::U>|sZRӌ@g3aS |I8Z1oO &B]#t8Ob)\O߇K 5^ǃzO VQ8Lp S D1btTlbeUӾrðfjt 1a+B ;g1:\)2x]z.F=*&#nNkom۾&z}ߛ]\ݱJKU]K"(ö4Mtf(A[ebcR'Gzuؑljdz TC(j$Xª(c x")Ƶ [o&1X\!9%7%iRoF07m,'Fz(ƕLb5A};ɚTxGLUZ)SEq"Ijcbd^ɳ)L+Q|?6Nw;aԍ$'$BII> Qԡ' ًFe *5%4*sF*| SʄUrD<ī|] 4%ěO^n:^iz?Dk5fz)XC gӓX+X[1$T[$<)ۓ_V"X̎1L##`fKS4-h[(̓ml 1\Mm$Luw}$[U C|;/'^<6*lBc_0M;UXHcd!=ڪ4_F|-fl{;5p5v Vgr/$qnoW§;g cӳ!8,a*KA z#NsnS@ki\k81"D#)*Dh7^;s="ާap)`KoTYwzwq!drQB~ +0_IGzKF+PJw[-%jN =r;  խf]h|x] R-lam͜RS7~GS&̼P%MڰN'\yputvyjeGovA[M%^tw@j=Ϫ U}"fF\0RDyWzl]J$C#zsjH5N_E,qҗb*߾H◺d>5D;4jY9MSc' _|< 5 4/-mKAXS3M߈w=3GlBŲKBUl Z%U.agf|O=ʉ87v|H l4vyX8dfLb1;4я$}{?;>X@[[$5a{0Top ! "+ҐŚjH4{Ra=pտ/ @OZeMQho mD?k Usdq;6iG3VR˻e:Ew)@3JU݄ ;]h]@]椙 U~.+΍,fYp"ҒB,(1X%4`ToCvޤAbuW4ERh^`Оޚ"&wiiK_Ö&lhP[|i][]]RdʅT6skOfl2[Z^'`[ɿKmO$꺒ջQr5mioɂz>i}w)ek0jC?ƃ)~+ʚi}lf&%hXm(oMP'̫1tN{m8DED2!*k{;T8.i% u4z DEXȘv<blV[)֏`ejZ ]rpߴ7o'eRDp<^ QX? DI FtjRH`{ȏwؕ*w`JI-UB1NX&Ƹ."/4xI^H-&w[T)YٲK'YW0|9Fߙ+h5H##>usc\k"H׹{ ׀4bMxL$A`YR61Z~oCWrpPIqVs7#imf_`23WoO k(GTֲeJ]"HN`n}zpO0.R\Ho\{аq(q8RrRƆbKތ csWXafnX3g&廞D ~||[`/eaĴRl_*HG}c?ٚ'e۶?},j;*}{7³1Ź g^WX.~d^.qouzT5[he;O0A`\(^";kϿ(ʇ۰ -΁.*`<8 . Klzgu#WV}Fyhi%Q`*AԎ 8 x=\%zs(_% *KޛTʦYu_P{D;ZHj#l_㔶,ɗGJ-t4U7L{5Rw1)Q3yf4;0־49(IE4* epOԨm +Tao^\q~UR}v9D 5aA_;AUK|Hϟ|(ER1IX7 GW z|ĭ?GX}NX8 7 e; KH5:'EmwSYk@7g\kHjtaZz،_\(W`vOg&p4I^~;"HG_Y̼-SK7O܇< SJz %}ctlSaj$/UJ8 z䗎DىԬNwY-G(%EJRtoUfz{<9#ǐH~88,WimWV_v SwOuUZn\.8s+[mSsвz*Ca6sٳ\8d([q@ώ>Pj̢,+FM\ikV| ּdeoG꾕/Pn ~=ՏѸCܲ` AWz5 A'LG!ܿOLz\>)Ҩ>X3ĩ|8E=+|fd5Yq Ѕh~`F"SY] FVTȑ &v!Cł\nA759;mӜVXms3j/U\')v6]tH~+]͸D*{2E]2P}}Ag5syAImm[IY]FY\d-QT!ugV5w>DZ!α3ccq*Vqure$#Z? (aE9KD}Q3FY]=PQr-1擭XV/ڍœ{W:YV2g*΂W  V[Ӊ>MjƲR] KdsB nzm&FTlb}`琚 w~ ]ۈN{abs_H$"z}z aaђ^QQ@Jm" _bd%y-_c~ m| KnI{vҜ+jKeNv5FM ѢI%gi՞;!:W6k kM ksq,w\y)TPF&,P*"ÿf#rUtBLT h$mAUo+kimc䪭T3bV잾O'$\8 zԽQmN}_xF+`o4)'T~ Ҡ< VؤFı,W*K2s`>t F)O7%EHEt{I:j{k^h4U۞ :ȢY7tF.ZG>>:neI9K` .Q|n3*Fȇ 7MSC6kGJnZ.iJL}AIPD5"+gN0+ OxyCr DgieRoHWqIX9hKe6(9*hJl1]gPӯY. J41(ϲo&1mh``>盺`^~Dh[yʼzǬr,]u+B?xO*xbLO|8IdفhZ]> 8gZ\͵诌.0VۜJ+(W5k[JPf ^Sgtܹ 6%pK׀0_cBSt9W Rl҅pa FW\ғM*l-~ (+ExQB}hߔAHGQB5򞞠lRbc:TD+*`rĿL"*їR>h=g=$+d[F3u"s5΢Zg*&llw^{= 2yOgg1:ׅ65mmfVtPp/o}UҷPC`籸֏Œ("SH/rub_3fMg?Y/2fLB+㭴IB|o)RxjRǧzF rirW1Icˬ"kG@FO'Ph;KUA$c?γL`PZdD\5Ѝal.$zlS@E:vmbOl@IUG3'%{0D?{S>b_hu腦81a# z>~ky[#A4V߇(#&kt17s;.89L[]ocx"=5iFYCzu.s(rz'!sVƅX!VyƉ#>~.tF'9U<; x-_1:?r=Oy#60(*bW_w΢ W c=iCX ɕ4_]!/x5_2&vXb"M1`ZJ#/ A~nz/!?Y{ĆU&w.qGw57luDUݪ*0|e'jJib}C \yZ~9[U2C[`yN}KȨ(,"XC.6BPN욂Ev?T*&USHGI' K n;(q7{龨<$/Ar4tjҫ&&Re` X ˄y\$+_/TorhIoWw8#2 QW;@(M(c{bAw*QGܘƔ;A夏tf6M/v0.sI̞5S[u+%.Ky^g3A&X˘Pd$0+.vj a T1۷w tL) m9&Ӣʸм%PÓQx- |LcWbtkW"=|h^kdN>) < ~?MUupaHJ2d׎Cge]nc+ãy&FD8/ nycЙ!7.Ta[b'|yb!](4> m ZzוU@*)!b 8jQ_y`LIV&%:gohRQЏ>RLoGREL[*+ln}G$Q>ӯZXbaJtn6"[I!MI7[O}҄Jn꧰cǪ,Z S#:p6½n5ij<-Q!@k=i znp0AjHj!b WpZ;A+Jd- =?p 4ٺ+<Ө PhIG` ́BNCVwayVC9~&FUwmVPNYHcR`0f A(e/ =u*xA:I38+]$l츒LW8'*g% ]P0GAz;]:f Sr ~&SنaKa|>d+}}ת4F-͞Q>k$NTZi*O"}HؤZZ#IPJroec9+FwL&8I+foOLxq͵qÁNM`RZ˸eCE\?1PTd"$Bosf7dKP!Y9=v=|\ΜcjE_)((R:p~z\ J{);94/?dFU)k\zHer.2₼jmsB55[M0=?k,_A;mW?M$  D:zù7I+'ܳ+  B5< ,Yh\` 1a&_Y%',ڿ4xlv7"C!i}QEB"(hLa|/60|xear jt#,Zn^ oVbVf?sax%c0p CD@.˰R+~n񲋓MJʇ+B/kaPхv[A$2C[bWb)ҠA jTB}ț0o1o$!r;'4=-BF<@ף3^Oաn<'-ĖK΀ʒ+$7,29KA+>LYqT\xs Sl UGTG 1=#f|@$$UxnG]S5BÄYc雀:1Vdqzе+?cJ!lR0{Qѫ\qsFJ^NfߺBM:0KIQjg"abDjc2EGS" ~׶H/˖wRQ9 a`XjS6y2,r;03]7IxW g@Ɠht2͵x嫺^՞ExVssEX;LF1=Up}Mr cpuDJ8/@iR -I <o[ofT3k|@<몦;t+ ^(>#ezsq k۬ETg}G7!3$eP$$49 ]8̳2è_>;?8̦Ys_""RʑwQ%6LO*{A#  R7ڶrUE矜כ"}FY}x}yIKfA_EBgCJ]mJT,`dDʱO p=$Wik3G scM ۠ˡzؕ)3>ZjX@t}Jj}]Zo}"1'峡yDz7 cI]sӤ"aLՑ×).bē"j-0'c$)rqiS,T)X@Lf!ee* Nh=ӓ+ SiS m -!BٍͥHI6OX2$B+l.=+Ƥ~cڥi.Rc[upWu|B[ΰE\B\+gp!Fތ!dCF"BCۗfxwᅻ2g fk!4iHnxw+(A|sڧ>j7)SA,𶐟[MkNj%T p.z:X}ŚR5"ׂ|wh "l=!:#}m$8 9X"kf_@,Z4ihL&|!D|G[RQJތOX;e_ֵdmmf&͑wum#KC:z1R"We0t!jgv6m*U6KH7ezYG`l.Fe.omdleѥnbS d^7#:KnQI?Y9 yttL q`o-1G m] Тǚ=Ybрޟ>S:G/`0,70vYBQLPB}!@T0yWuސHtnLn?|C[O5xK)ǩ#gl"JDq~*Uplrqkzeb!~ zQq-[E:Gn@6[iQ!D30lh%@U Y&=Q+pnlYj-H' |Jz_?''9z 䊜iqto_GA'{9ƀP!U h\_LƄXĈ͹?:3 \vy}Eq)Qr`N Ԁrf"mذۥ_DBCJ Dj"{z+y}jIΩNk8;P%p,)by^7/y*v} 9A>oW`f78fJ >I.0Il|(Vhe 's#83t@VWk+f(, $۰m[GxyQCQ$ƹyROŏ* 8_ AVn<4k~ 9KtZS~w*`M8.2ah~Oғ?R435_fRw`<㈿o_jwORY-ZrJ\9z)/qhVr*@CKBuDi)9`&%<(ͬAW c&+n3fF$-hS!Nv.G )wd2տp%:ip0PT_+.A/ꮞLK%%H52ٌۨ=#'ShzO}_0S-i5AeFXHٵV`(\x=MºVgn{~C9jh .%8;ς`[JF.ojƶ[0Y"\u讈Lhy?:t㬣/aqr3{{Ara/ b$)FzkJsDi&tնHE$;Pp$|VnKW>Qgcx46bB4dBbO}D@E ,-n?rGtU~~>(|=VdN2[z:9ኩ-G+uԈLtl^dgf_vB;~aPmMr|J=~MnU^ZeUХ%>[ͤ優paK&bR $_gBGŮvo ~(_,7ٯ%x,gwo-"wFV+;eY۽Jhhnk]&xpHNMLHSW:/[өhi䨥qNܮrEk$pTv[B.@+;^FW,IX7tm!YSaF?h&MRBz=q1ʦ~n"ha*u'Ri-|?pDqxpRAW9YڹE\p=n" y`?0!$%m&&B1&uכz;Hxxh(rW&VEor c%Vc_`5b^NLk1 ꌘgx<>ViDn4x)]#Iy˂ ϡT wṐL'9#ci^.% [_fd{fv*-]sZzHd`s*E$w-m.10\zNa6v"kݐ{k8==oA>m'UhYӪW 1oQJ^>8fOߔ2fsK &.w25Fڱ>:Gtb;fd`H+lաԥ W둓Vx-7t-WRx1ت~ #qMy Vː"%ֱ,%ELj ɡvHk˅DM}] NMOEoM+hZdzEr#$,v7hݐ\7/%fLϨ{Mːw/~m1=e_b۩ut:;Qec[?`ߌӽl_ceq냂| :03F1L]Ēh,@Tԏ c$!GDnH2˖PBxbpG,<4Sઍ3ISZ~.!~em@|\ϸ =dw EIOR}t^KpAQ+,}6O|@JLSWDLMɱ$ٰ:m7d;4V4~Y*[ vT$Q6銚kQz }Q !΁/S$*l%Y9B2ִr0.7\:+:F4 {?7y㞟ra@Ófc(+.6B􅾘L[Et&zK1d{PH)L[0eu=T뵣B IW\LwAV/efr НUoވl(dQ6)Qz6H[e5n+,JL;Etk)o"Mυҳ4/N%]@2>Uu~!;,黼}INϟ..Ilšbihe@(A\='ޏ|աS *!}lJ˾dg#aq@I#IR/ǂܯ>Y8?BsQHsSjWHNlr'֞8ZjQ@=Q&=)c#D&mש4tK -'2XR0|*_JTLY>\yh}e˭{e υ@wo47lJ_ݹ~ϥӾG0kw prR[KJ&!)ɭW(,XZDK^ZѲf/.4:L #2ܦ(\޾>Ph;z]U^uU"_)OIa%\+:Y"X=cPnpav#B\pZXgo'GST4~;B}ʲ4֛FA&h7dy[Qҿ'fHty.-$V7߬| .",>vZv:rmEW7L7%x$M8skbڼc[cNs-> ]92{y ̀KΑ:o麻z?+ahV>n@WEͳq)t|f;J N5B—y <&2;S%-yh=V1=d62&]= L"T{#D듓c@u9AM_7;ZJHC3%< ABKMӜTflq ?~)C6rHvMKd; l~$2_pJ~IFh.%W꘧Wtu`c]l25q`b0QfH#rӟ+'!*2gQmR:v"xiU->hJۗ6WŒDR NjNL@BZ$JO iRRZg4 JgfNeN5tX߫v̮x_@M giyQsBJM_h'k sR#Rx@nml-.'t>sQGZ= fYc"X ڠNϏllՂQ+b`'Hq NJN4 콛w_3*.#doGϠq Cك )%e Z)Dnm1H9\&N'b\mܑ&N<`?'h5p Ioѵ$SrV.CdHd $5 i02fә cg"n?uG(®hqKꪤo<:&ܘ(*3K"v!Jta\m0^ͨ ?I](;U=:!C_? uJK++Q8]}Zhl׿)Qr `"ȁC.mjjEzZS4ۯrS-D3{XHB8Hb=NҵG4w2^9zQ8G%eR eiŹ/ŒH|^QR0io>LsA|hF8>[Au@ݹs&IƕfF9E}?,J8 4S #B+Ohn͹6:(v&Dq *9H֚,%ṁ61i ޹ 'ZD*CrWncXa}CI! kUg֓XI]nr V'z l[Woԧs[] =79]L4%󳬫 S&xΠ=" =K-QNk5&i \Oi<`z<"nWOʦt$''s#j5TkVMvŗ OoݑNoj@zS*q߁:<Մ *j;)- Џ:cQN{('4o2O iږUL_Rc>.ȝ A:۝+ M.-_WA&Sukx!cRWhI- vv{2 *f1 /8F2GhaC/ G{ɑmv>4\hڿ|䅭4߷`k _d{} N l-_5K΋}=nJ`?8st 56:70_w֎['Ӂsk9 ?4%'sVq*У`H@$ΖTթ|]L]*f\jtDmX5o2uPV~4Cy l{(+F@) Sz ɹJ@*uhQd$AW O81Q~QK;h :4\s{fњ9@jΔ)b]GY{JY则= G+d!ۀٙ R *pCâUo^o=y4S u-N*xZ ,[ܝ5 #ͣcsiv.@|Xw0U~$0ǰpLa[": hhO$䪅ږIu %"(ZLHڕR>a#\IwLDʏ}Ϳȸ75V3 .T'O6{҇숦>5d><5=ؖ|PHe?k \Oc *K}zg3أH?h"ؿz+J'~ %n"ؤ`$  Ò53оيwv)s*޿kk @\<5wt|+Ft-$JnLU- ]@K6;߭:F> 8UMؖ5TzQ&J+¥%eyfkFV ]~ ;*E^l !DӴѣ-g=;Ed9ea:ՕjK;|OM?ݡn}6v]5cYC%ʒu UעN^$T.1BE@ؾGzբzeQ -Ai:*l¿[ !ޖXGXd*tw)Ɩ~ @ZPrvҡ>RڋEE/@>+ꠟDM 7N$'H&0Wn+/W;K?""obDJ7t4,cd0u m\**mF0] u9] vʮČWs(R: _,4k259I;ڑ;'- R4(*rj#Aq~x6Q~^ A ؉)>z4SxHZQ+Gw8m[ V.=qa C9/a|P.r>c%}&xZȾm4:o xJ\@?f'̭iV?ɡcN9,cX~Y 1]:1ϙ>a*WfGiB9iR!ݬRo/\cBgE֡2+{>9T,FPCjsԽJBso.E$r4UY 'l軬`(UӈȅcZ[02jt .yyS}a"'6uݺFxwޜbW}IpO{j[6T*br%<  ה)!<;H'òىPTXIts.1iƆ{YePQуa/zv 2Dx[qK 뢡޵+˜_.1m_Д2/Qcr!*_77d9s iP.za"N 厫^Nټi&ö.؋W95S+B+:DC)ma\'14x$uy {BSS̥[oY~W%[wJDC IowM=sٶ,4Z,jHSYjW3v>|z?RDT!AHӴϴ>O"4 U*Ŷ1 quͣ؍Xk@' mh2f|Y \j3%@% mK#Zl&H/s&>0G"+EvS I(3z<8j-dm΅m(r A.j#_78b.TW>#FSnpot</A9֞bב!LG: MPO!BqϩŹ;F[,k4Vw4^-)ΘSLf:9a!%Z0b@]sobl}CZ/ ?EFSԯ3J/T餆$#eP狋D+99'R-Tge Z瞛@R"["b.ϗQwF_ɮZ]MOoA~윝T"!Ǎլ Ksbt`##CH@{ g7sbx c 8$w0)!6e.p"Q1“hDiɴ`HKƞ^IApዂP!NN:%,fo 8 TxH5WEy]_]%ЋyGY,p}Qyu,j;;~;=o3b}qDVizB4S^22jg)BOGD>D~[$UfKҋGI"|I9;*EO?(":N=~H˖p.rk#=‰3,<ʒn&YɎer@eA$n- So{-nz_HN:y`0/6Ĵu!1Xm8K8l1~>H]I>$ 7(/36J .MY~E;{z:4z-Nϕv=&xѝn]T Bx$|WЭKZLD ߡ "CM(شY`2)o&|0ĖW-腸o{uQǍú\f5sF3HK=:D& c5bp G6XZ zH}mjֿ\$74(Q;BtSH OZ}.b'uSR±ZtO`up?-^EsZZpflx%zd)@hEdP-|^W%5Q/g38 ]Rʱ) P/7, %gO6F&c \E=*#y$BƆcq;?DNv{ySY%>d3?m}sT<njK-uW)+_uFYF%UTaZ4K w^NgA\?E*BC'0WfY藒6JYb~9_.=8ɳSUS~5BI%2.FPbVfi-qx6qbTm0N mo.x[{5YoZo7iIIH&׮\6"V]02*pFiS~3/5h#=!67D>_ U G@O%I[ N**k!c<+wA4ˋį/!$&:C5xwxuwަCM^Wgs&M?1 H}%<[TH%&YR^zub8{QpUm9EIC6 g)lA"Z,Mz1ۘɈ'zx iob1+.ʛ|oddZpL MCV}ש+0k{/3 UenSYIL ;}Xt>A8)nlKs84<<hW `>5I]SO 0dKI^UԉàQJ")6NIC[iėi2͊GGq(9 , ,i寠^eMg%5ScdVx7.u!誓9?Xɷ$!6Mh-jCl-v_?2wW_OiLJ!&⃧zUS<y쒷8x(H¿o>~ I `xcܳՋ%/vg#U5pyWde#Qz['Y7v$b c2 c)ђF/sGܿ|kM-;עZ_1A/;hwZ ђI2Fۉw՜}f0!֘; >~;ߞ~ prP_'$D0Z`LL NOIы8OOb܇*k2vӈ8+lSZVǀؠR#R_5R̯Bk›ּWԳdW,(tVHE/Nb/ڡf݌yO #*]|&'A9q*|ޅw{Y }~a1Oz5&7cudq2C"W_Utcd#n,?d)Nx-, s蔖=UrreC/+-NTGh]4L{/b ōU]RƂS)Gdjlk"T& 6+urH" Lo3]@9MVz/t0~ 7桹{6বC7J` Z|O:n4@0$dT .Ը>z9xV6 BǘeOtg«,?x05)I(OqYPWf@[t$ϤJ=.r!v?-=neR9DREe6fIq(͆hc3Iuo"r0 \AGcոMU8Sl(ea$Szakmef8R+%>K7Zvi фS}! y0LN8B**/MH_VIQP?èCKdu;}?ֹkl+OQ< `2WLw\Ƅˣfp<"VKm]{ *X qnыA{y}xrb3v*a +!1&\yX(:/f44}5T0>!"̄^}vEJNh+9AH M5{(oAW\, v)TFw&wUcsT `aյxg}7yR.`rnD8zGF xMOgg wU_t؊93Ǝޒd$.XVG܋˸C 2–,KREwۆǶ }!9k8Ǧ0pcզ A1|nэG]SW(6Ȟp<ʇcץ)ѽ?5pz/q[7Xsp=]?şs֓F.W9ೌ54$PƘ >'͜=QЪ+ב()F,ߣ@BΓɝŽY?ǯǙΒ`t]12! 4e$}(5hִTfR-'d$Tڋnձej<0U o+)?Msķ5᫽A[J1MהÖ7F?Kv3BI@1;VS[%\FMa Sp=1ch Rzz!E\? fREKT;|=<p{EMaO@\<{T|~Iő[Ŝd^"E0  96Ĭʌ,=`t'y퀰+LT'D<1A&Y'f)m_6GQ4<&1(Dͮæ6LgJVF}>b:Mc$ 6JEu:u.?m9L)&15:@_ K%őI-І4|K }%@l2` !X!}PK6 :c()%[ :^q_4{hDT@LYj\Œp>p`As\ ᇯ ʤVz[j+j~t7_v+-UHզe.LMR9#Q 0TGF;@Θ8:MpMBd2-ybguZ.JX=$ !99sfb9s"-4jy Sxǩgx`ˈ)[޻:6 ,T\жzJhvn8eSCrpJwHbDi׻YTJWWfRy,G, i+TyJ $_R ~{=uS`K9 z ؿqFqh#":du h&Y ,Gۯ$EF*`b->`",_`07X>3Rը_r;0Iŝ9WRʒe]S7NJC?\ Rj胦Y:〦UP,`$붫3;? $EL2,B r zxjX&q%RbIE3Ų mzKIkNh[ \kgй)IH}qFdh";RmM^Ii>Rzhy%㲫2Wtp3mX|,`. L; 8gRƸPCܽȇǑWrȇȆhd5Q-A U\ߠ]m0F=IK؇ ':|r >ɬ,k.^xu/ .cR?z cJ"ke)Kfϡ^Rڂp<|CboQ5_=8M{3JLpH e ?q9g<+{X.* Jv3h?Sj_"Szq Qvɮq~$`- j&<(wkk3X*IV$MY"ꍎ<ЈѾHP:xsT̽.oV q]7~{?;M5 S[o;mʒs Z^#+(ʽ+S^%(uYƑxAED`q̠FI 3qd!4ܦlbZQ@.s 3VI$#D?iMJ] ZlnAST3՚Opz>*z0G#NiqZrž[% )^Q#vFX晾jC_44P^TmėX}-ٚ,@R #ӳjGN׌쓸A&XM- N#5sYq6soerSLKy@xJ7$}1k.uK!յn2#=hPͨNQM0-LUeyTW\g-D]Ր9{7X{ azMѧp~+%6(RBuhoCy@ ՕK( XcZY=<{Wm952"gQ[!lkre¡V\ONyb%(  fGs-qRcQEFv@7 XsN9ك; oXDGzP6SYHc. "TǭFs6տtHPBJgp By`"wg9cZzӰOI㱺V wp>xC:C|-wpb8nj8Z;ï/ۃtC2nGE5.FT+Yͪc7_r4/e8L])ѴI.m;b֙,?SHVט,aTGjqZf;e& 3R$hnbYݐ8F`㛲vKMS':6M `~>gnAߗK_]qٝ0P~g8`#0q:N[̋;؏VEʚ|)$foH`|1VmF gn[C!a SHK5H޷䥱Xܲ Ȼ88)U6=uaݫ:9]^$3 rWJQR\K2sIF;8Ǥ5D慁Y Kad~LLr-*ςcU.O6B}O Hy~TB&}ROZ}LYh:yXEp86 ̸Z_Gg v כBt{@(j>BOsU50&CEo-]Bw?kXreTus_~)mj:O&?ŌH291דdWH(m)~`pw]Qa O%9S>eD0$ ?*hdTxp:DbsSABJDwޓ68#ztH vm}$3B7"󬛞`َ?  8:/IDT^~HA ts/v%rIn]P_M@^@Rێq=c/${yG6WH01E! #xu ?/ QD.=:G/֧܆jɱ儗<. }P0ZyZBMeK# #B61^s=^7DG l~qJ0h>U3㿡cY+cm_) \ҤGo_"3Ԃe-&L9Ti2 |4Q'ߡ#ye 3pDKIϱCP뮓zlLSn?KizJѓx$T`ɢR'̫>dd7Ɖko>6h']o܇X%"X>d#Tf7ewo6G7 ^q[s,ZOs5Gj 4pa@);Û* TӟNL6K0( H{^XϘ2LC0phpbNQz-9UNir]zN$]*cJRKe ӿVXw7b LT2>_}jϝ9!R+1}#|HZb9ivTN_AM?Z3%*L>M:FHw(ަyY-F=Mm+KEfPAqF>y8|+Mq܈>ok S8>8rLib_^spD }o X E|% kH~Hs"It0GQImP?!fh!\V029፲'w<ܦ~|BR<P)~ W[KօaȺo1^5S̜}vbMk2OJmLZOͰGAzEp:M5|,z (3#8^:zW1`uE5)QrpPSy2^Ӵ{W7 ^w*J _1ץ͘Oh $+!HQ5}c(:&}m<M?{<@ 6"Q<SeN֡V3h 2}Tn8)j2" (JW§v45>3ȦkU [s#Jb?4`e?Ȱ8KK#D_rӵ͊yXW?%~*b.pD7nR6c~)†xZA9!m'eHgh̒j5mg92'l2+ಈbB8x{탽s[1F1su\zljBB֥UCt~ xWjt8ϛYભ+QGE}z`gT̖)~ƩlMOM ~఺~apaPהq& t@[;&_Dw[7i=~_em3jh!Jt<,D3!*Nي'e K"|)Ԓ46dl8k((?~@$͂sk .#0fFf`']J=}Ȭ7/ˮz ۣͣ2z~bLd\-tff"Bl5Ȟ9N^-21hn~#_ !$ ˤLJ7JD2L5HKb}y~'T22قs׹5ܛߗw7=tQ&N _oAX{\ڼ3 ~x!m.I\< GNyNGaO' g<OHgyM`︶hQ)NB)*`^c'"nȂeh-[xc?ϟK($!?&'IT\NEQ5*z#ZV,b9+t,!ܯnc. 4B{<fۙeH j y>UutR pp+ L>;qockj6"_<$^X%erf 6SflڍS!ehDn3S%r1 n\N(VwHkHL!tE,YwA jU06`,:j7VFs1ds-Nȣ7ER(4%`I>b& +ɨbfGDGelI F 1-9p^UVK~w؀Pjkɟ]۳V;wET6v|8'aXb/kJlgۣ{IvGtf^`Y08FoYLCmADX]e|9'gv6䌩~VY4f؍8Jkt$RR^&AQ^ J؍hs8%He/{L~H({ 7eƞqzu_W_1Mv"pa$ U$͟573FM 1륎!0wp)g40xNr ؇1*C~E`wEpLpږz^NrzV9'+x?)(:BL>CNPӚ|2 )^K:fN*_`=qA$Q( gcHodQ"3lYi,Tn8xt%HaPBaEoL.'לg3w;pAgtF>׹B jıZ*P: C@}f㝸a@n;Â%݄2m^q 6L11 Rk  (Hz2J]+YXAG- dJQcEbXJCJþGt{ VZ|AY1IGo/5HB_`L,LǨ'J:BYpA9BKlDH(GflkDp^.iGcV9}sWB3!fn x0~'=sD -T[Y[iAm צʉP)2MEI:ҁ:P:EB_#+b;e8lMO_BbҴ@n+ lx!LS&ѧXuȔKi5Nm^wexJjqcUw4c/oi(s,zߠΐY9uT)N5lD M%Kq"2;{8mg-WE> /:%<$VOG'p;6X?<2~_e+dMOt ۧ{E)~jWcaj"wl/bVViKזY\4h&g.&0*/UKJ]̑eyƙd^8. C *.>stR^*,L<-%5@^ ̰D#ή ;Tc5Js6ϕɃx5!;ٯ#pYe+L:*_>1MdU]{IXa'W:j:|NuOLހJKA~_y1’-z`3C1:䓹E9@}[/'H厜UƁJλLµ!? mK9pp cZ~p L7JK/_}zYM\?b H)V ݉BIaBp:Ny}/\1?D F*8G7C$k,f}Jirw}xDsoóY9l씴D5Jz)? O]8?}$Ļn?12aC62}:Pw~aՋ=: -X g]"k.d.M~|6܌Wa)aYsP",n2W ƊR1K(+goKE9qzUvJ[Zv{ۋ5uԚGE — ir#vb]YڸP``(/ܞoAUD>ɋrb7)VٗqK"!\ 8 kџş8!jD%1EkȠ1\>8[2*y YŔHlf{u} â0 {yPi5/.oF {X4xZӛӱۗTF]9k->Yp䮊ܚrC" IR5T9' bqz.)ȅ*]2Sah+YP^6̳ _w C~uLҏ rt]2_E0rו%ޜ5M.-%ĵ[MO89`˶6iNҍ ( g^qfg FYiȨ} 84yB_#)D l} ʵx:;K8`RL:xwi\Ӳƒ (/ek[& Zf*=m$+R*8̙C`s1n̒F QjUjF!ܰہlD6zuB81MޟE77%^WaT8k+ j_Ϝ&dFrw,N%33E#428F5¶.]Ev^{YY!n]Zo~F^ҽ(0ey%Ίpa {xb?^ Hyb6bHm,J9e(x,ً%M[{衝^YhP?3'xiH݋Z#5vDckhY~4hP醀EGAm * mMu*pC| 1;t}3m0o$;ht _ٵa}w9B0 qd \6׸ CRUW|4Ԭ&AXLF-֛NMնBGZ 3悟Y,0q*EZq 9rOI( C%Da+yH@v$;23I󱆂)7v#M]:XޱTx2gox1V}WL QeAպb[ ZC,^H&ࠍ٩N]_3^n헰As1zم.{OِJEP`z U5HH\:%˰c?1O~o]e.;{@#:Ɠx Dz&@6ݎIĺs`+U?,ﺼRtVguMa6Wi̲'Y<•l]j {,bj_Br,Qmc+b2B9cy͑pĨ, BH Wtw5S_=N۬*ϻhR2i?J˟sɹs[{|rK(CP M]Rz\ )u_#(EP'󉴼r Ҩ$%X!R8MɛA 5 65r,Ix 6d:xy7/߈L)d.ooMxLK_rlMM8q&u)wT7M248֑}h8bAti+y=aK1#-YnN0p? ao 3rpmM[SNNAnhg=xcscgylsRcC=P3/fGk Fɖ@bPe{w;eᨌPQսT7l8sr 35k% U$<2&Kdr޵Fgo$N'N* (`+h[#"==_+œ[mlA9(*iBnMs#.CڟG..k54aߢDdF{}(gWq%&9UO`P9V)Α._}P/i&^~G*{|Xe) i*%=!C}"Z[8"%L_?}$'5KUf1ҽI2\C{& ORVsyO}S}Dײ)B30'ժb)b!ۍCs7{x^xmc`5W@/X,:2HMq82H\8겄+ 5FL{GP S,6B(xGN %%i)(~nn %f Z%Q4)=s>'x'$[)'82ˬl-x 1N w]A^o\-Vs:U %.G+ԪœW)a#抨}dtvD4e+(瑇싚/%aV-EaHuj U3-@)voׯb峥ϾSN^2i=,Edi{h8lv1\E7+Cj;QCNK(9BX4Ѡ7WlHroԨUdT8|)?GgjelIk9]pjw3wP'?˻"Xn3_Ǟ GcW*qja7SIr @qAv3sYYvÍ3pUԹ) f~Zsϧ3G~yZVOxB{_ dRy}Uyޓ\\ -1_ :9 09@ռMTV%BȊO8y&@Sϸ7Hae;^GYGR+CMP8SGcp^0Y IӲixy2O]EX6bANg*DDD]QRKʶ"(v+ as=3Bm00jn>9W٤Q\뀌Y9Mk,ŪIH} BQ>I\95ɴ~ *-F}j5Dqt- ?J1zjLR޺:64h=Reg4&p#maUSYP`-ӪP' %+S&!@ߌqO+?-ỦT74*.v%!2ARk(E}p$EQrtc>hY`Klx`r.?%eFYBgO63_ܻBDtۭ &sLlR Y;&ͺo%&kW$^n",*F_XQ?WW.gI!Eٶ 7,^.4fj)fJMdy c=DfHX[BZGWN(l$񪣡q~l/@ <`s:a+ ,ǚ|C^%ہZ3)vLhچp"yQ͟Mrݴ@zInLOsݦ 8r'tEMnU*L kxP6iRc,kM~\';FZEMCدaOR1x 'ÂO?|f4A% q|tbS|]6NG(C7 cja ,Hv]cҍ3R9iV^=LBv%k+ uҗ˻szo yECT.h&ΡGZj08fCsp %u/@"Qe=Qݟl|5ࣽ$2!2>c<4~;T,]02_/cĒHkr.z+xڣq`_7^.χ^bOŽ>pxbV .phij b:<{rQY+(y (2ݣ„ lV'59`UB.t"`8BF<nw5V Kcpxu#?FLF?~[juڣ[QD ֓ 1Q(u:{SL>^| oΞ_~\@ߌu=Gq-/2:Hymc,_HSzKcòΧdru?63*q05onXs7M`uBVJ&9wE)Sn̏>|o:&Ұ~?nϬkރkt%hHЂ6ݮs0s_W\-vr>Wm$&T{^rUَܥ~8 +yD[%p>$ ń6iӎvcц\CqݯPfjQ}r2$YYHc=zKk} n:~#\,H-ϔ=VVdeh{F(qRr>fd-a3St4>ط:lT| V3{97YO(.ƞfwx腍IpRu͉1gE>ݼL6y'm_?T%!VU),6#d˟Nf fl+ #a78t}zm!ӭm6l)% DK`麼cE;b);6JuEpXJb$8?9IUm?3R[wGq'aO"Ǡrjƨۄ] †M3ۇ( m+4r,Th \en\=cA-=3hp \ܴtυ'w6':nKQYr|Oʪx(LSXcc6@vKvnC)W%^~ 㐯2O:g0}dF^j)Ɲ!h(wDY|>2kaW8:< +ퟵgY>rǾRLw:Έ"7ysT6hMN6( nܥ %spm^gܷe\?.q uXne_-A+}K'ⰺ縴*whC'f+(da@0-p:Kvcһ>|H'.Wav!wuFPAY>?ՠ:aOQ+6"ASQL0UT ZBm+QL;&4u}r1݈FJ k0r~n$2jkdUN"uZ9 cbjx#aGHV_|7̑rڴ5,]&^э]qfֻ¦y'Ch>84S#g ѧXS=YhmRƸɵOР}̐$`;T3Չ-; 3A[sI=n(qDqDuvih]^ZNt&ñPvn[ʯ֛+k3'4'\Iop_g'uڜڻaJjn?lWGECI3S gڟv ng~IyQ~snHU}.(L8EіȠ"˼rVg?${\! |Q?D̀SLتMܖs@`L/yYd;d{?&(~3O:}P̄ 9pK=;#&)PcǸB0IYiPdTk~܍Wƽ£'3Ğ_'e#ۧcKdcqcܽDiOd^=݃ߔZck=3ȅ_ U' jRjy9V(CW s M|@fz3%y++s>0CN^5bI``y=Q:ʂq2PI|B?(ޖ>9hEnJ7+NQoZd &ݱNM;[Oi8[&5br#; 8Ew*"49'*?;I\CNb*}Jʡ(a 4.ʿ0lQ8PƁѦ;ɼӍܦ܋uN  mw4UOY%麽{18%aJ-UW3ܳ0 cM )X/'_a<$'薔+1Ae4|X'`vd윕xsJ n:{9I-\g_ײ?И>5sK*zU4OARG2I*o~w+;˓>2ri(Dp,OzOP :/\zw=RmX Ged_vl2a<ΊT#%JҌ~9U7CcKk 6:@NR`D\9A~P~ xu7baڇt2w\L~p;i"&s<#G(i V Fdpc冶C YrvX#P9op .]|?gs +~QGg/}opI=e Q~5 +bZeh$\|m\qqOFa{ t}^$:O7J5ղAQ qydFsf']LU>_">{1=)Mlk,zzqt!6/t҈Y@oKVUZMۗПx|%(%0g=:WQkt#ЮL$IW(bsuohJj~8dQ_Qbi‹=$:c@n l!6ϡst)t|ڽ_wϞO J3j)w7-5v-K@5nd_bd3*= 6|BsPFz6o VjkN07Ck-JU4='nzc7x2Ãg;iњm?Q)'ںӠޖ[Et՞aMpNxcHa}>,kNд$`a=4BLPB/w-} XSu,`8kwo[U9\H0'41n}ȶeRjE5M6qxvHM7jM:Z0?p?pyl70< jHRV|e8-qbcEd_XvKe:"Eِm2DU\+VԷ;b~RF"I1սw,v:D:7jfZ{i|*js  neS>n}.  9(n5rc3!una2x&FtE!vE>BzJNÞL?xWf?Ԁvc.{uTP63{ mW,ML\Iۣ\EPp͓o}.ϛy5(+7 IQΟ<^7|WlLnԱb;aᾎ4! _X5x|Q$/R!Azg>O\8wsWndwGſU3ee%|\*Sk{4.8,}bJg!8cLhcvWNAiT UE0Gzᱫ4Z p_s dӦ31bug>(@lZ"#Ff1t/ q.;fkMA/>)th@?/}ȪU<%45*Sm).j?.ca&鲜=$EUWpVH!4£fHrfҤE;@Jt]--6ǪO9Py&K"hޏ2!m_Ԃd\ҥ&BHPy\ eE _y08=/AFvErFj_9>ԋcbTќhy0B XNEv:){cTCCui{΢R]&xx`B!PJ1̧]wĤ=Sk3-pS gB2Tc*qz"cWT6݃mc'1;?)4hш&WBh܊0>mgfJ%Fu@H% VNKoʿeCVOXA>Qe^Aq$6dyd&c &'T-HE 9 /s_ h6 i̕ܞB'3g%FA:*^7 X^Mk\sUz4[le[s҉@-7a䝔:k#w6u$aphi|~;1^)??0e&5Ȱ,R0 {ݬlZr +ݩl۱@-~QϤP$?-hMhBif֧/ux^X@wʥc{kNt ]3xSw!MjvCQm `QHyC^ <[E^خ+[YXg?'v4v]v|a淶\9i #KY긥BߣJ$1GZ59.ȵ (5DNE[P [ Xz#n1n]|QTD1R#g|ذG=0<-տ"r{6ŰlC~YDNZq>a.kUlo?cwdO~ 7TGS(U1 ZeQIt-XyQ)$U =oaYuiPB2%Âl; #2'T08,&׬k u>8Ur,L¾tM-r(hT);kKVݛ~w4* S=WA^vA}X4V͟iF/JC]p>)Zmxj2Ik$8琅|ɣ1S:2-&" $'d`K];s Zơگs^‹IJcܤwۧFdH+G obclhuV;k]ȷک2^7 ЁE8oP8v=]ːZ'ugaB?L8uTIF N̝0F 7ߏy*>:,UV&SN"׶ɾGmDDnFlmЌBgK?kw)5=6$D ׆A8-;8v-F)F+? &T:t(HyO>rxWՁ.f1^%ClqPQ߫<-c6$ RIcgwkٌK" 5zS4λM>l'"E($ ΄ш$+Μ4UmI dٺ.b D. 7ɫJC=ɛKHvw"`K7 bS޻eb*ϷL4)HM<5?0ʺŞwcA}7R{{:`l_G^\)7emKMQ0bZ(a%aiTSlN3c nTA"0itf}|K~-hB%~tqp])%+5WʶEȘyLmF~F~3٦Kgd*Fx/a_ГIgܯ3hտW rZ-$[އDّQa8nnj`.Ry#rΰYFd'%e Ⱦ±Ø;Q@~SjFwL`_D 6w'==ptl閔 ҩC v: bit;x)SZi!s)jBJ1u#(VV̂,$ԡ(k$ DtWr5O N11:N4LT<g` ogQ'<9-:/7&KѬPã>,nr[9ԺT@QYc$6hLcV;.+< -M:J$[ywLj[RGmdKTŦF 7At5`EԡIAs2g3@y#r\;H7mnO՘tWSCߣTfe 1cYjp+梩,aw22 0fen.̶uV),ِ6|WJ 4#A6 {7)^Le#A/F'=7lAE(+J$=-I4֊J҄4f6*xWB']/A|P#_N؝|{j?+ Z&n,N0~cl?!l[+tGH DYMNg.fVi 2h_lYB9lİR FId?wT\C֭5Riɱ"gp:‡lwO># y/*/;'ΞW'4-amȟjRo*c.TDi7Jٜ|M{ѯ`xcu?zcDMG4g>cb;q'Z!qqC4W :_e;9ۉfvN39I50QlmXt>o ^nJyЗ;r!H|)}|; ^l:`}A=|.ІH4ATȴId+_Zc88Kƣ*wZrFکD/xD5Tkr*PP7(|3m"vuE7F GoZBNg !MuK Y{7T'J)ΐqĠ.RO 5|ƺS>jzP u mv2œ5\Vн9hCzmcoٵFª 6c+uKBRBtY@:Cdi\gz OΎ0&RJO:\᳒/f:-T1snM|S* WXO0#)\zVwBQN\#Zg&bVn% lSLԸfH%PCƣWCl'@kw~evUɞßZz}!k5:VOU^Kq͹$6qQg@j* > ܖyij)+tCrn6+w2^Z戱CG4W#GA5ϝnfb{ ÍhTj-=@hnU-1-+;XFF$jMY=Br~o1S$ec.{Z* bxR.1\C^r1P .ʾ:yD+f0/}[ϱwg">v\m:3@W^T8&Vv@Bc.A)~5lP\Tj%ս aRP% ̹UCSυVϡ">gF!1w x;-obܖ?czI; +z AP,vMcx X4RnI"484/mJܒK;X8K3;cz=JsRY5"˧: 0f(l~.?TL%aj9Gȟ) [fP ,@yuKIPYk8h2PsXM8ga\&/÷| 2SC<NJ[Bef`<, Te¨:bɁ?/ x͖Gs9ޥĂB\jq@\MJ'4LE?Z%5Tk8(Pi< 5Hl.6^8,ڱO0pzɬ* aL#\L֬LީFuE+RRelTٲ"ɇd)Bth}N}Tʴ,p5A.V.zlSZ*> s6ٖ\4#B5K9;v |t,V\\ & Vҫq /i~&$7R کIHBc&F <=EPDuD-BcERQ/"až΅ 98zZFQ H8*/<*S ٖ FJ|oo88lT)&FT\FES  E}H0dž#5޾m:)ɽM4k2s=:3Nz̔ӨP̨0BE>[4"UJ'>z9Uv U=Fs4(=j4K˦s@BŎ[ӎogsq' HM6/ qs`ߘ;hj`څ%Dhݾ_9k!W.eʯ㚱qNK'Hz.Y%@0Ɨ-`4/vaPAΜEKK^%‰GAyB: VLaO/bM'6:6?]R;*$S9 52:1ui,p6:sbF.n l}{<EBV@ ' Iq,rRY^ѺE]v3#iYcIL,vd1WƊe}LZuحAƊ~xwdd`g)쳒aAFm q80״6l@΢-y柕E5M\dPYcm4s~"z @yDza&9 5PbIxf[mS\|NyPYv}QkhH!^nixib);?oAPpꐭEBw"{)HC$an8ɶXRveS筲()aEYBt5hI2v5*u8{s_=7!8۰M=C<_:.\e΂m^iEYSI/.blڷQe,.<0Y @gtLҒ@($~2GFUN/_R")bV_xUSUF '5PPW87y{0 CYwa=5 +^+i:E(:nf&h yVG#`9ǣy)@u [VJS9Ea0:Gݱى##zU^I8#`sߒݒOwR*W>3T[zKd>Ѹ|wI'mu,6gP6+S,PȈ$*FBUqF;@lǏ" d*V4!d`GS !L?KҒA_6(c!y䍩0s"s1R ak:HRMmANFy9x3{t~P=(G8䃏7dTk!HM=8q]/)heR(j,Bۅ7IyίM5 fQYWdavA`~Ur'-¿έL{|l?Ya-lswb.Z  U^R7x=&Ta2 s Zc;\ p޹gʑzMα󁚢 ~|{;gRcA@bh_š4 7~kc:oDTJS DG"D†5>_M5bbё<;A@Kn2V^Őӆ@05(w|xp4R7 a]Jpq-yvY'8Z'T* @k).fp*J3g :T܃]ba7gC/6 Wz#&,,k?<4 c;x.QAXFFE&x18,o zm=TfzLRKC{赈Ql1dStVOڰ_rL6'M^pc&2 gP'u`㡗ވ$~"Ӗ "W2ͿxۯPr70[n1ӭUs$<,E3ڈ|դ# qR&X4w;15-KW賛z_s@ST@']wL.b+VYbSelΥY/_ʬ}i7ꨅƕvA윿`qc wH*ݥ<'1kROXU|xI-rǃa"[k)YAߒ]% 3_Od Bȕu;/eQL즃mA|M.q+YIokb $늶vW3o.S-: HF.1Hx!ItFΡ* 3F@oU^}Tm5i#\aw>Ѱҽ*=|Oͭ[m9uqa/޸Y^;#(EjLn т4*Ueu=Œ9BN5zvS+j2v|We )bi;#+%G~`-M2Z fʰ+huX ]vg'DgM̋Y]Ӧ 5HwD[*6Oz2-kn,Fօ}ޅ)Kj]K}^߹~M餺.]sm}tCEXk;mN:ѝЙŷy5u6#0-T#mb01 Ͱ$;dxC}:e1rfJL [ GQHB6?]GUrq >1Wz!9%webO]h[\&b6 |B]'w<(K9 yWTSԺ>(حRHX5SthTPN:r@J nwv 'b:U$):NI14³ '=m?u<.B$ n|<_c u2<Mmbo8FX])蝣pc7[ Ӓ["/v[9ƂNbqK,[|P6U ;?UR{q* sN-3Uf;~,oHKBAydvneOQ+ʤa/ pv%wDCJ^r} Ey<7j\i;#&q@!՟ax˂(FI; UV,ŴhCI[؝ J|%!ş90u/5b_qP;B3X LgY?q?EVܰT(Ұ{;͑H(d qd3.2_͞= cY.8[j]L!5xh6L;e+و-dF#A'auQtkb݅Z2t. c\\U15z. Q,5 P_]N|@ޏ&K%\6y00.ػc }Nr,qv#d $p{6$hhOg1̥l15aSUqyu/ُIԥF^/@uCIƨ+z8ށaWPF ģr_D"jR/7 , 36(@hWQٍe[jOxˮ|Щ!ɓ_$n)rG-(tDe;5`Q觇I}vzRb/fN^9 4)ANF kf#6yVG#IL[w4qiN0ڥ׳/Kz!4gQEg"5s4]L u--goܻG'9n."F,4~)*G3eGcM@jlxH9atnmxvSJo&G㈞O?8 m PS%.=TO*  7Wv&*{۰t^ YYLl7MwV7MY7_r]/S_P8N9YH,`O8tGmrh9NOn,`B(84b'gvA9?>}b76ěHY$;Q9==Rx$,D,eO(4œg28,OCl[Ye}wnለ=Lp)T= |aRv2ΐB4޵1wɋkyuN6إc۱3KqS (aKIJY}WK/ݼ_tEABbIhVKKXͧ)ޗ|)w2Z2)gؕqWWGpńSw#~5&݅rC6IQ) ֎ #F 8JK'>]lyZpȰ6ÏW%'z.M}*Qx PaX)7qH!-ieJ'FOmerX7KEsVGAX0zkrv[ 'RѼt{  TO'wyЋ2=NժF1&4k>p[s{>ZM:JW6!u̔,Ⱥ,"7W$ mg΢;y$\jIpC>w܉Eis>7QA6.haЇ:J5oBiղY7GeC,1 kjW ;R!_=*k5P1DMö;f|( bD$N ҪҶ#E,*w^»N8{TDeWxD0)+LEmw'duZz[kǠtց䉖@3p꺉yCgL> )MXtDH Ux%i9ODWu?zʝ-ˎ%M``ܵ_\q9w#$5N䁝Ŗy< 4Pf:2k)*8<}`B)TX SLg-qT?(_Ű0 ܺӽK6+ &*M&JOp[)tDDr6{ BwP}6oQj{ =܇6.tZ8"P՛T2͜ǐKzELE/, Hvb#~r=үAM7Y4P=|ۍLW{>,0UcQ:}68evo~yL-iczqTM7q x'\vxFAJ.s!*2]mcg,Opx !Z>h< ƶydrcv%y!6BU?5Uaa~ -4""^ZGobԡw ww6V`_KԐndmq5 =^2r^YR]Om8 ]A%~I+dS 'Jzl4H+OO"Āf.JPa>i)ANpU lu>}7"i׸(>rιȂ_EFM(\aγ:e1 WyK]V3&*DV&$!d$k91vc ;XN+ywY lbZ)e]˨ Q _,7&e=4,g$lzM]sS2ӿ6c&FK}L~GAʝ(r=V[67$H[8 ҹ3&$J&ՙ_aw}aـs,ю~n#1Ϧf V嵀Y,ͤm6rlW M\S;\Z0ƅ<]f;@/+Q'f.ENes%$^cQ'Jf7TzRQ6 ~VէVCF~jnncqq~`{֧13l9IhU#Qy൜驰ȱ=3hsoIf e jv6b 6yVԌ>G./jjSnn*0 T0SCNVZv{G"Ӡ E|JuIH< ) ?aI"Y4)Tۈ/|03 lȀ7kp Q·܏:A/d #LAʆ3nxú 8* (RXxϟhZm.\[~h,4 _Jr60m }!]]Z]20 m]odl ($0 dVeGR+&[Nm+s-j7_öR;8=N3|;=ZvhXmHg,aS(`]hW0H(z>4/Uw"u1[g+˩))XUki-Ϩ3K8p(hS:"PoNosx"{Z4LO)DNjԪ7[1.^mU19rw"8^yHyɗNd1XRZc:Dɜ'HWg6t^];z(:R1HWcArO؇ ݕ EK.+*|qJ}Kgr=yy}(+kT1y+UnKBs4a֏ʁ͝F"BL]9 n&K=&@UB$cr`3U~eΛ ەW $dvh9;ܜ~-wS\RԖ|enHBCj?L>^nhz砗@Je`;TE ezyJuJ@jڇZ!>tU)ޕC%s9ndu>iLqO&ǘ7y1Z_}3E!cq.XMm@Yz&0<b!{nm^9D)yA="B9ʼJ.b2?r\NPe$DdIo Ldt=42&wc}I([azikHv';Q7EN+h޴ f+^YOx{z0sdIfDgBq0>n*NN<°zX 1R\!C0$$>\qwub3U[F@N:qn8cAz3PrSc5xtB:x @(i"=txT2s:"ś:E+v寚&żJ?L+hV\@Xf RȳԿ! [:RvJ8$7ҽ9Wr~Oy 7]}h{-6(WSdm`ȑi0kd`8~ko8P1u W!Gjum 7\&y :& o }L,GbգU\Ef_NrV)Ji/mLٰgG(D+Vsf8s߸~Qiu)Ȕ4J 9,lȄ@yQ;e6qA>0ɋ3썬S ~^xqjg(*OeDs^߾ 9+Wm~"=k&gj :`"v=BrPT $N-o\3s_;ł܌^vK, b]7=WwC. %JJ vT]TnH?@gzC$D7ц+u7 PE ڤdc Er}Ϯ H$4$5NRjh1}N~=zbfjEV:$!n?@#öc]/va˖)eK}sX>:UÈEO6`H\Хzh_ĚmsWw8JJfY!w 4[:1+w(k )9>9%&퐻0f_"@`PpyU4#jFEwh zzо}/},̼Unh3 vq%e+g8.N+HI3׉lG;ܮ)[Jl:E.Rϐ-qbqHYܬhl(OdG^._k=\]ɎɤA[sAkJ?C; 0 Lz Z^VDNk3x'רxF`DP,T{YTtC7){q8LosQi8{Tc`e;K,=>UKB]nKII$/E ~!0Uڊt-#n?H I8|+P?Z JlbQnq_iQS}f sMO~\^E%NѻfxVm}gTlj<\yʡ^{ :cS] h"tl2M&O1S$SQ~xbد)f GJYR_tӟ~chiY3jqT/f$ɷ2)g5+rHBGY`o6%7$?"X͠C{C `V([ٿIp?c4f *z a [Rgf~_D 0E{OC@7z]yl9H@XdrfFs`'ҳJ՗FecYG,LMncWwlVz WV$4()Cjn\#A 1D;嬣Sٚ*ܒ5q-3=t!<.~?Б]>ʷBQ_}*$;v ԜήjS6'`MI8JI"qnaYF@cR&{UEx`YsFV9Ӑv#>{A~e.С0p]GƳFMMV%jJgV'rQ0]#(Z#:]qr15~q|ɗ _TP#G3C*QdzEKcPb0l\dUk1=[{7u\9=\5A*E͜/ݿ%s@'aÆƕroH,l-@X1w -bWʿu'>Y/)3fReM}7MҨng֖Zm0%Iܯ>Qej(7^/5p7:i n?Z)8*DNvKuU?-Wd>jQUv\#AɡҗP!c@OdmX+ !ނY>!x)1*Q ]y %6)Ļl.'?zJd^MRǑȑqۜ -D;L$oz"1|,p\UojEF-ܻ':dpᤈ4H=Ew@;3E7C"#67^~J0Z.[;I)\T[Q6pQz[&3DO![ĕiF@'}/<j+]G悩wzǨ`ԗf8w4d?bYH!E`Ԏh ,J鳐uVǮ9 [GXbAaIژOf1ԧV0S|1]"c;NykֽطOhxPձRt!IQʗ픩$w-|FH1C3LXԚpQ,&{թo,8rҤ.k<2.$ٖyZqΘT1HLRN:`{OTbI˨Qzþf! QB1/<8Oݹ҅' NTZf38; qXlJXgU3vH5|dI$hÏLfi .F(#)x7B8fLHj?Ћ ]7;Т6իn Y *%d%G5v-0+e-Vki@) *i)\tG;sk'rN!hFtq_U?R 4b " lKQ+[DWtR>1:ohR2Nr^ns LG__R(\S]Zp?868 V1a`w{Bb?rubrK ^Թ#yYbUE䕦| -g 2]#i3LUo |!T#RU|D?tCKNUÁTq['SŃgçyb3C(h* 疍#A?ߴ B8Nj@j L-?b9Ei ?ekː7s ]*Oku踙X=thfN\nG3Sb@J!:9CPs(g:>/ِe4>\m;|b!満 <>W WV6+M uh% v:ÕS&H%hΟÇ'Yu> =gTZ7g$&ް6L)N\DBDnop#6;Ҥw ,i-KZp]!rn;Eě@$*pvX=Z\t ̴hgBClx=VSzYWu%|1a2ǁӵ]`L$3y7)b]( V{d}||yւ]BZ*Ǵ = ՀtR#O}q\rqQ7BM}KŎI %V=^;d?EƧTJ36v;r!?j,^P eCYN捂8VY0@;+i>-=D*ţe%*)iJt4jqNHmzG#0? '(tp4SC%hUcDxv/x#J$ӡ kkb)^J?'ӿ|EtTz'I@n4P5ek&"<DHBn/hq"،T?M/7#`ZcB]TРY|? X;7f؅# \n}2l] /r=<\jY))|cq4ϰGMU(G(Un -=˓8NhCիkUtOo7AXe=.mc5 A?) ^0 .LDSፉ vY/q,1XK|PȁOhO0'c|^$18{t@-1,lu/[wr\Ty]W9E8M(] xQ.u 1CqC=ܗ05]2 0k׺2rT@ }~#U+c1xv_5γV%ItYkC런216aX=Uq֐  {_bj~Ahf-؟yP9ڟ٭t]rJd-;i+/WЛ+O KxHyqbn϶]f)J2i"\PrJI+Shs] 9'zӎvP}k7L5Iww2RfK6aKIЧ'D.Rg Okeo-H,!p1Wō?J[0č@6ޚ)AElhÜy"U"aa%[]OSE-`!&%zHn' ;g4Ga;hphN~{7Oxc]4^eOsd_D'${*&"SΑRFKNUCeȂ=T e|ȷ߄2Zs9V1d+įum59˹Oc FPZ UKh`rimv WνP4-Fk$47 !y % {"pQ {l@(wAt&TfH ڀtZ-ev^sңeb򢭒I w듑` !dnI ht\Tp%wd m0083@(r?T~pR9v^Wva}zE9JWsFF,L$ŝK'V-Ox7[!P2h ;DxK/[Ó QhJҼ b+nTe_WXm+k5JuDMPFR u͍_YouI~7HD?r匳ZA,8ϼIpd2xUHixo)do,L~B`]E6]@_/#2 ODBjgE00B,2T 2OSΧ =o6Jtg$F֐fF:(fg\OIP}&>@H>酳Jvʏ$~I%́B[up^@g{@ JMAI6H,w=ulZpc'A%[޷aiϯޤ+I*e- K_e צ)cleC&0,]4Tfc@#E5NZq]MxrE5UPH9-9F# %7 OWy3Wp M,$WTcU'bn҈.r, #]^}RI{?X} sh5 ؎!?;Hƕ?$Woj¤{;јɕ:~kP3-1X%iV.lA:Y7u%_fLz;Zw 4"Pt8֧C5k[nSka.뗽 &m *~G*a݇~YΝ?FroSuL"5F-@c)2{&9Hָ'7Ħg٘b6kIBBt2c.P0J*J^:Yk;t<%<,>zV׏rT@<.ŏSTRL'SqZ2`;*yhXKSφAF0f}w#_(An(}-3%sXHw]ڵ,k(\ٵj%<=еB~qS<^_9U}}2D-"/ s볶uE?v@.sg9d&/ֻv{΅a%ڭ87L#h^*J M6ENP&hP*3ɂUZ9mݲ拆Kў]5kȵ7MQ R(E| ~6?v=AqSN_~$"ӯٚ,rN|Cx 88&0*6EŊ tbV:ゔ5`a]PѤGmqQ͉wY)g&oʐ$X_LpyĤ/cVxq$̵ܐ49H~DsjJ: _9a \z Ⱦ`Zśm+px/cjg9)4I8F.C&nf+n#QQ;F% .^^Br;4şܺ¬=xq%>M'M`I8n :RrCMu0Q@KLëw.2b~j{ޑa/vvݐ&=q6Źܒ?)cRnb<am =(# Kۧz39TCZN#7}2Him>x5M?գl_:yX2jیHdo,.)67&h̡l.r3cshV'kʺ>:։iCȄ76ʼ)]nSC,PסP"*R-$ '7'Wx˸|{3|yT7s={k}+U0'qY.nÅ[Ȳ0Ȁl]u<d_`m;sD]0 jWQwfR+I8.׌@ :ML[| y@Iu,o 3%JE\#p5">DY*TX)Njm'NZ8|?A°P=,6my "G :Y_J)wiMM@mR0zSJdr8*M J%~.Wz֦wJ^\6lOcNqXO~ 8\&,;ZB zEQ!ǝ'`q/tAdZVqjPfu6q"wpGreA6f8vwyKK/`k6w]ڧ߀ a欪yX:Q&诘&sǨQ4g+!}7^`y[bVADkZdS t/(=Oٟn‘Ǵh܄, 3fGBv8ޏL^ #rI}ʡ_fPF &z1N-ަy֮ 4Z@NX_"cg@@«xF}tzK&!2,TM%gBA[ɮ ^oY201=][" ޗ HЂ7[` `Y8+4G{{I o?aCI=A*tp&sө88zΏr:kg.<Zdž:r´@{,8/:mI\a1ڏ9*iޞ Ĝ;{ S;8itP@""D֞ Z6M˼ wgKC2M\* 11>v8}y[~l!kjgL&ꮔ/>*^T1*hZn(u1oDJe]m!5#nmPگ=yR]4x7E}<5[Z\AEwL|j= AՅXlt@r,2+^8MBF·Cx0Tf+^@Lwb\˿K⼫Lꩈ 5jGA&.Ww-v #Ya{Ƙc (9HKϟr@c)hvD<,+]rd;ed$܌#J{t,oe8aP~C۔vGrX~9>Gt?a%tJv8JZ!ulV3[hsIA6=&1<\98>ۘxe+7zʼٯ#̳14U~߭jopD&E$~UuLںM77VkJ`XŦV :av!ϛY|=dp/;4/#f>zOf3s^>) Ul_f(rIvmv]21 [Ľv;%Q;:71`3k4DupzsϦps]j 4M>d87ܟTjLί)vv'dW;>nڥ[Y(!5J"H!+LMBI\v`G^S2d=*cC?Չ&P[j9tp>1W֘'g 5@KlmQKvb2R8Qx~&9~ %œg|K% ~̲>em'qqR<;>Kzt%˥O3Q oV%f6,JGO87)jІp鹷f9?bߠ=yag nEPv?5Feʭ~BZD4!H~RS^l~ xû%l+ue$("J¾ͭ_n[*p jYp(W{F>aLIբ C|C)H KU IjK p:%v!zKdXjIZ{u:X73,q?#; JJz2XPB鴋B]ם.!+Y-Dh-t_‚D@3=7scɶK*PEIGr&GL5N-wPDaQ/_3/&\%(5ЬxCRjaAEΪ^„B|99 vӦ{yUEKj_'ͮ[kVc/.Z֓j O$h:+Mo,rpeVx]vQEB @1yJ 5v)hri}蝇_z>994rLRBK*.RFU8. )}s+g4ubF8zfMk4@phR羧QlrI<)@.,ﵬt)IjG;x;V2 Rt.zzV;fʻ`uc ŷ=լ0J~\9l"[VL_3g <܊+ܴe K> P> ׼WxC&(xC9H6d4[gJ(VEtݰS9ZD+9`e՗;ҡEn#Fh2odj+WBҒC*omϑ-ō-yTIU`37TFBmigTgkpG1(ߏБU61cO:7'ڥa }*?56- 'Ei&I_gF]+\Y l+/B] 4\9#`N47λ&no: 8 c P?6|0]x]w$]Mr1\6Ah64#Y^Ģ$sD~9}=S?9k:W䜝ܗ@q+_ M-KlA`촐9yo)>n IY7(mlF!VbRՈG:Va Jv> &'&="9P mT7Wty ЮezbDf`i?-bԤ "ua)ڐd@'+~ùlS QW"h9xC,4pP3^Fv<}RiҜ\h2g됟p.<Ο@\@ Y"o"iS1`?;B q݂)#\OE=~~u,UmɍRP m߇n+Iރ.`JQ33;Z*P`iBK'T@~%R/2Psي;[D8RJks|)40$9Ǿ f(VK&ӀV }Coޞ HB`ɬ &Ҏ"[n2 “I6F:Sɗv|4GpQ,vb\U]9mL&Mth xږ'yzתBVi 1ְMDrmأτ@e%]NM_>A:j9R0q7'u-18_Ib nVB>g6̃'e /z&:I:9P2tۃ-LSHbT3,u㑖J:~;y 6T/pl44~HAXrK7C̳˳?SO˭!O/qi)%PMީR\ܯٱp ۅyh(n4]qf)[֘JO }0k`ۇCR o[!xh( 3 h^9NޠK kx^aU$G")t/(KIJ:t6DbZ\NP- E"PJnpݞB~FNeYBi4T^'b_-L*L("$ZfGs,-("dDp~G7/goZWnps3%ht[Of.v#AsοH > d#LYb`N59 k-PĤi&d8P4YQ${e*n95Ap`c4rO&@;2~k[(3MpAu~D@! 2)j@]{|Jw{A|ԌE,E Gf`|_` -O$l>^+jJ{X{  Q_ ZhzPR;x S8.L R]3k1_kKX'N%Ȍ_hˤ]K$c.by*h(eG%li6X,џ+rx¯ D#F6B޻di>yvڸۚ%} Sת|}G6 2cN`3=1cRVik$Q Y!Y ҶeN0j2`9`9D{=V!^4-ǐ,f2"C>,S/3ػ@FsF3n\ywEħI&Ck16nqL% J| ۡwXN'7Z1G R.p (OQ38?l؝ir.F/^VS5N9$ @WU_<U]ɞ73P)4%Y fv Lih2]gC@t cu%|EBf:rF4hs3ğp6*(Iz90nfTڅ9i]+۱%^=Mpd8 Pv:w<6 ĩ3'/$XHKYT*Vw\f^~WxJW5|sfkl, XkJŎef鈕j#P%mwbȎ\Jp0ݣʓS.٥i-tCl5T}#~̈azET)W81I1)꟏:'B2C=e:.$v K` ӵ*MHc,9ۘkoșhEy'R*oQi^ wyz$%z,Uo,1Lנ<4k×m2`jt6`0.k_нWixt's]Rt:VOJacܼ^=\'KiB'i'Ia PdΩ 2nIBZq>:Y^ uUȲR?rπJ!A5-ecktPv * ֲKZf=wHY`sӬ4QAx4 [t(*璚OvN_ +<ΒJf݂H?*m,Fd_ߧd^ߴ͚3 (zWzE睜I,MbE81)\=VgCM]sn<b'ͯm\I,`GVj)j=95Ԋj.6f/r9M.. !I7A1ѱͭt 8etn@UJ~OTOI!Ik^Xσ:/iokʏ&:/8X [[eWljM- KCȤp7 qN󯻑団RcC)3$OP^ mՄ3N\>!Ip+Qu=H~8M숙*L,HM*s !p'U32?5&J1zm tP.&xDj<:L+v{u5I'4?Auj8u1*y\ȔM NN ig ,E``f~J?,#_l+h3H5%W~P_Oנ/ YF%CO#K̪Xi0 pN+m/[/+&s ~3K2Zv*߯@Y$趌g*F-Mb[siuSi; .:d6Ђ$;fׅv2P"x\a\/|Aqmd*(W@V&ÆCh5v-H7A G5ey<]h0:ڄ:w(LjķAwם dx~cqd#fVd-Lx#e* N4ztW0nIdl% 7 34X` 8 $1JIՐ!;F]}j’eQ}P Š|)t(ndYht1 i8KQnsEEIfۨ&τ՗;k^N3uji_ʙq/jfݐa*NM[;GӠt553\L7}}>z55V7of%2Dl!¡jb1S/#[lH]Z05{xtYQk _L!Z&_qgq[ڄq^ I6zS HNRA]#T%{ n40 *(6N% H\ ݉UWoz.ou` mI~51Wvn_:e l"VW7 egik!,) Ӗ&66%~Ěr7L4t7[*E:lUWҀ1-wlCe[`%r8?r=0Ƭg.zF+H.닮AOkq} h}xN@x]  KZ mC:VCOK(as//X+lm3TO+b΁My I@xM+7hޭ0[[+ۇtXm OmX>E{,NU˃+2K8=67a̶,7-y`!˾rU`| m$?bT^G?ߥm0')d3ouՁP&c?T*6 ؘ ḏ"gΈfރ=]5"'k%>I;.f0z&VóU` fee`upi=@2 +,愬_GpB O6uBƵElĨqr 2 ‚Iz>{ <pÑr}rxnɸ̑S"=&= [qc|FInqul\B*ǡy^\#V~=AqlϺ2j/6K2YP~4'ʈ?O"fgk!=NG\{djPRUeh"p 6$(df{t* I}^n^9G)J10B?+VV);zgbҁb/ ՒC4F^OTl_hU =f>)ݯwi=t M2k$O}dANlk"m:Y@Vp75'dbN m}m|Y&ԺyL rڤP._<)]RK( lcu:,)a)!sʖ&.?uY  ALOT[R܇ .? WT5r;c7t&8\ )ZJ!FJ\26$Ҙ׈/igVmZdۅX CӴhvw udug zZRAgrbҭ#F"R?(_f{+jMEKBR&J Jb+^q3y = #Ê;g+'@dh,XwJ e‚AxxGvdj+/NӐ9U[0eT>"8UXb $Z'HIgm^@,8 [&i4J -5D5l'╴! ['g@zִX /xWe=V'nd 7"V` {o5yOH- Ƃн/Fju. Vm*RFuaùxA>[IL DС0yWR>%P}xj†Z[Y~t؋uhRDe|Rpﰯ7Sz2)T:/J!*J-. =((k:sֿf>6L4ca]UM^&*9U 2o?* 0T([]0f3= My3!3K3x!8J|䀍/]rxRu`$9nzx<)4 S1zL͛dr QWG^h|9'L UmĤ {:Bthw7 ZO%%h LJa_ki ::v)R#F<ኊa$D_1Γ9K ufw6 3ZNV ]~]VT9njgY0)?cpeQ3z ӛx[xS(v׍ nQLvpܕXDϽyx|,⌴!Cf5kj՜Axp{eFRNNV/6i?ZtO' ]ei׵Xkl&Y|pѡz4# Iɱ4討 9~by8P=#2QB :P%#mzazoUulKJ)~D.xDQ(xF2hwZ\%\UKLkT/l'@ǣF]7?ن8pˀ]r )2R`4+W|cq>S)U yceYHC|ub5]]%Y9[cn͠tE@vƾ; ٭l$ZG.u]!(u 7~|n,}.XnpPkq`\향c2JC$hCY ?Qv-^nB\:%d ìeL} XUcI<-SH_o[d-IrDÉLRk4V͊z' zJW";N+uY2100, ̗pWX^\Hw8(Op󞝚t| RvbKlZs|ۖ;Ёf`ʁ%u񏱘 AHSU8b5:H;3Qbn`͗DSU ^GޠuL+ϼ*etcX6nA $s#ZB~#,gN _"70QqAp@*AY:vKLk7/J 5LtDK!m ƕ&.`xj^Ul-V"=O_kB\}u3GtNsvϔ>{6wW#@x rfYPA1o0ݹ{'~ِ MK ~NPK RRovpRԇJV|H͍~`:EG\ _ȎVx}>+`w k }Gv V'nL Ku,Lsv^$b"+]gߒ >- $3 Nה ŽGnƈOP9#w.c}JJ \ǰ9y67@Hא99WA s0 9oسÁmIf6 ㆫiw^7 4$κUB(q`, z'b38FG=mP4e.Я  N̒_Ѕ'2 +:n8B}_ҒDqpxvX{6fЖ ?0"#&Т{e \z7e"OVy'4B_C7Y!Qp KS];uǤUǕ.f 8"a]ǤEͻ!հA([1Y݋+gi|*%QN1YoB]sAO=n@>qUʅJKsjD/G Bq!xdͅlۀ;oj ,wt*p¨,v~+%JM&Me4tS(3))Iax]ܜ`Hz%Yg(z& cSs\WE5_]iYmoFb(,\7ɻhVp2i_5 ȥĄo~ilzWZffx|fS5dzf g8{TVzLŘͮ}FU:H0(ҋ?*i4/8MNsvtu$^+ȲΚ촇7}6D#cLBUˬ`6:KmgOoW7s3tiV"usܫT=\=G㥌 4b>!2 @Fʁ2+[Egtom1T3t1._>{S*1 FGVU>`?ٽȖbu \}Q' Āz;n8X 6y݉]CK r%^RLF/ ,{Mڔ3u.,R½LcmQjKoK)$筀 +&5uA]Dp7ΞNAjbOQw1|nȃ {k=\d f\dNՀ{{kMO3Ftiu6]xy"Ŗh?]M5}㖮s҅5bo4 dad I,h>󓳟ѿAux02xB%f<%`}%GG7Ij[37NO^d ;3\m`Qْ#ᮘzFn #O٬X{~۸v.hOa):LrҞ`5 H31r!a>&{t >xKH(&Qú@ V)urZ:˚s邠wȈǴ&@UR"/4&3w v4Voxv^ELn4Rɴ?rQ-"W EX‚9@7FRceH9zCFE ؘcY^H&{{M{g?9AN!rwJkzl[ ާfTY Ypx{dᕧm"u<]/U J`A7غB5O&FW 3XB,_y-7TLo#(lx߉gZʧN e9&/̬K>.E$/'Ί˲w({ޣ/2>='S̮C } DGCڀ30FC x{3qfEW\..D>Va!83 ͇#`#;;|V ?M16]6'^9d,uJ(`,6- d#یGҕ (.3y\NKu4 94Ae  Jsư@$nk 1H@!*=zL8WحY?@&#\X(!4'qߣjrH1'=V12\'& =Ht<$PޢUo袇-avUZ})R Yi;M ,Fe,M5-Ass&yZXџ;b(\ʁ az x8r\G_-i/7+ic)_dMھ\bYbPΖݱ=lZJfm-!$w5)0'$)2u" Txǀ4U4rw4ˈ7Vf'^H²% ޛ@\wI8U7K `h񓚖T92N‡j*Xe DpMs *.)(w$Ůі/Tw1SJoeS.62ܥˣ5uYؐ8ky+n2d"+0@GX~J`Zt؁,49R_qe9ɠxS'Et;U_Mx:pAwNkT(wD;ih%YXUE-{}8paa'A|0P + ?08忉,; GeqzZOI>FK̲eޢ_uL\ȗj#f 4hu> ^ĭOk! N!j捿^X3} Dќ <1s:LIۍad7( *1j3'^صhM=RwFV{.zҔ qՎ :n=f 57Ia :vdn~ kOU!0ȉ# >l*Z2i:hb,{|M88&&yc #QsHMe/, @Dn\ Gv`^ A,QDBa[OD @:LnNۉT#E"vC\{۫`{*r 9`6Vf<4aـSjd>)+yw@È}ʀ^1VaB#>sGz8*):knFĨZ_Op:)y֢aqaC-̈́]xBFV_4&ݝu6hBaj]`F c:}:Xl@JW7*e'FTu3{deqJK!-nB> &%tf_48yK6:3U2$1 (O`*w UvsUZHNtt.:r)h,2uRu9|+V»Q t&azy kC,ԸCed&*;WZ:dhPM7DG ]I_ 3sg٠ Yu|Rߒ2%?!U 8/SLbP_}tAdANp]Cz δFnDr!-m n[ȑ"xc j+>yѐɯ}~.qET:Qn\bUMbq́('aYEq+,Gf2.vq&g~4=,=mD[a>ntoKW$n_"mx˞+ V3d2t(gזE0 cOY2^YԏGgX`Olw~W٘8!R$']*FJtF'=Tjno,W [SHZ^-JJ:mɦ7fR@]D@&Ӓ | ,[1#f227cHp$lp/NSFu/~C6jjə#tͺZR5!f/} | ._{IR gΪALӫ (Ixs|3$vv-r\ װۓϨ_6/lc4ɳr2Fqeq]TТG5|(wBZ FwcQy̷_:/NC*X쥙^ȅb[FV@SEDB,kʐZ0BDiF_"&?Pd#=eZ*&%P]YkyE^饍P5niix(ϖ|>B֣Bw4nJ'V7s=Sa}{FϳU̞kufKsrdr][m\wax\mr[wU 할M]sqG{ Գ-ء7 Dk֓_VOIEW6+w~ɗNZS?KSkiGol7 ]=ן g:rs]ѭbF"z *2oqpIGأ#<ӏttF5Q>H%&l M_ ;G5x%Yzػ(Y}lWRO_z~fFnTNEe]:k֜i8Xeh+ZmFLm/BBȂ\3ic'Ԧ/Re]"):1jԯZ*؏qmi%`j!HU7~I~V!<(<1)oG>ZNь(#CҜ쭤v\D18{{Ǩd?О n)\rE] կ;r;_1w Y!FWX`^ Ȫs{Qz|w :Fb>߀ JEbsv*p2ϱx(2C#$Z"o6ŨvyPŷF!;\#{uvn>J Fc"q8$Yap>ۤ_u a RA0E//ir}7pGjI&N`KJyLϕŷ `DɦZ "`XrҬ7'2w@q䢤Xnkf2v~fBq3 @+kDH@,!ͺϭ3nXu"NgD3mKViG~˵A 4oUfpEZe*3` Oi2-|q\iml!̊N }&č1ג%qӨc] (~2vT1ħj|t ;\9ycG~!j0%!?C1 6+!lSKGl x9瑣_ZYL^$n}61j, ,4@j);\,%\(i=3cJ mИMklG)tS/͍-à"%8 eqt"[} jQ 3\c(llR "+@*}}+fqhvjׄ=V*o5N8g.5CNzJ^31qQ4M~̔R,z7WlHfcR`ŰkY# g)&v>A!{(g$gZAQ%jZGϷ鞺\sy*Sa2jx\Ru,3A'DA ri`cAQAk kl e 8{N'>)]T`R.x^]z [xT; /pd(Os@D7(,9o2iS Ƕ;́ε0hKzSU ppiړ}$x[Bt3phP8{qapIhu7^(8yēty6/!}lYU57 T@B[i4%_9GCn~ ]c Y"5'x!? =>>Z2^^4吵stbE5#澡me0 N,{ck,K4yvcpZjQjy> Pn ;BҸ6Nޗw)ǶIn陀5vD2t[';k`gԌoeKw#\ }ҡmP]!KšJ)OJ[ag N2zr;9.46} r(ɲ'ұ̄s25n};Щ P%ǧ"OiDAXE!! /^At ߨyt!Bl"+ MKo _|IXK V(a|sshhڕղ4?H(EÁCڳǪWhL3!Ъ -`htT-ZMGL%h!+4?{ֈ<%o+F؈S2h\.Z[ռO3P"  "eWY9XvoJbAdݝUy+̚XGkw.^UB-iLL#Z1y OFpmTt a:8ؕ>GepWC*uC#ì|>DŽaM@%^V|3p-= 39:7bq/誙}p؈?d ,.&bX{_ZiH@(|$?Vr_8 dB=p yku;Bz]uaZ2Ö[Gy^Ӄj3ή?]k-EIilO!m1DruΑNH3zbF`v }=v qǧ <2:\9kj TtŞLF6#Nh:J10%r7FG KI8W@dDeD9+ph)AC@Dְe4oܒ_FtBzV&'1vs n5M= \0nAiȆ^jbqf\ݳzo0i l9ؠ=cм1ISԱW(NzP "%cD4%uY.swg )3ҌYg~_*O18G@*9BGMi͵æ~l^Q{W 7"}<G JU9=<;gpQN!DhۂcHznI~\Nh3ĞW )d:R<y,nf -k d=NW Mo3rIP=7߭rmJ S( *;ĆV0]2CđE.FkH~iZom2& ${ߚuaZ%1U(g OM~<8*R2 URk<3C$D s[P9baW3*5?V,DB*< ķю9 #v6zz.\=|,'NkZBym\+DFمt{RplMB#waKsdimᄀZ[9"@TnTg"`ۭm(q΀/kvXP cX3Pk)zK)@c{=0,ޮrPPN/y! tH(1@14u|Puñ€ +ܿz̦YQ҂՟'jmӻaH'n$'!xI8B0HxO=vP1|?G(*|*r(YRblSu % u?u&u'Q.G߇:VˑBnṖ@4BźwOlpTLCEH}d-=r%QJCIGrohvJW]>u+h]M|LۯH J{Hu^MHvɛ+WҁdN,Vt|q3 x}g}9/tV:oH;Nr10!X'M۶-% . 5O!]e!^|/K EƑ Kx+)hP L}R5fNٴpz6!+v/Gd,QOU%o ~h@eVZIXe*?W v[ү ̙vSoRzkBVޝ(o8sC;xm-jmO U쌃()c2LʅIP. v@c\fw;!1` Z OzHT` _>A=\~24,CDhn0l,Ͷq)C8c,Bo;cafLaYf,jTcEZP,Cn2ZyT=SyV{UNPyWF/'[Z4;=PYL N#(7Yfo梘Z ]JMD&C.%GzmJ7^4t*ڝKf=EGg=B,"z%%gYo&Mtj@yU$breAgrD\5}|}#[ L+br6f}5 S`fepe:ȳNnN:jg_kQ'6ޱjd-j>eQQxÅ3<*V9 PYX#.ײoˇ+)({ibGtUqU٘A7yc+=|SNk&.+m%1Aؗ!}kqk0`ђ@*g\CM iMN^ d,#%wN `VH;jw|Y_k}kLD[\ 8D>= c^8`[b-[I%يD=Ir 8niV^$ّ |{6JnՂ5>l qȐK7͈^V.0WEH^5+@UX~H%%!(CL~ Ls?ɲCl^\YW[h|KcGg桳D# 4^XCнދ^xOeѝ pgL:\x2E}aYȹEE Ұ+1|DA4+٥1 Yɜ7u> E W:$N5I D >FVVuĴ7#r8,$>Blpi 0=؄IsRwƍmEAUnhGN즧{]-϶yr6tMz{8tC u,0e6gra*dwU;~թo >x|iYlx4b}J'Ȯ}s5h\7.)+3_?UK"ߠ#=0A~ATuM3?n.k@џ-.laTSFSSSd].UċGZ-H\wtwң-ٝϞń.tWxZñoFH)?}.' LVW#y4!FfpVn o "l}Y:F젞屯J0?~VO$fimd{(z$SyHшjxgk3_ /d|{^4U~{x=Y`~M4!,XO`1G#+I+{-דq +/'|@*PWb6eu xYPhN\҈XGQ{OJ"eXx32:3vi;B[ 0<hc樶|=Oŭ@'-DWYSR0D 8!R/gmUo! Z1gQhKL7 R*d>+3;mCgf&O bFf2aadMHfZ`IY>򍺘x/کf >(MN8A[X5O6bᇓGsE8~tYʼul_! l %\pHl O5 RR b'l}!G98 *p]c sÎ]e~h%}Wbl \I,/G٦{)rbVz#U̽v*y&qՅt rBɠ鲷R3$PJ:w|@̥'Z6V*w&~wc(\)gL87Tksiu&P6qwEĬkGX$}8E~R^;1HdLYXO(姖鯣HtX1KY qW 5}&J =,B-!^0Uim*5`Gڬ_hQgu"_KmAKP4Go>o:}C0[d&t\@<1ZÁ~{+>YD/H^jtVB99[|a RI5RV];wL &jrmY-koc_S g*qr,F KȌŇ_ds0Swz[ ~è(x9~‹{ ޳fb iM;nfjX+ ~z{y@.Qfq;> (r{QHv߰ ~OhosOYkMi A3k]}P T2u݉?u8t "`}]=vF>R%4pLnU(5i2)uѮh 5FH]:4DզەhWٶ1L/¹R?"H{ձwB-l'DLmM\A o>fo<IYѳCA#_3G1v6%A}ϥ0p.?V?-de!vIL^= -US+FVR֝nY !IFR V^R: 0|@94wdg)ܷ^1`(5yZ*vt nL\ _*ʩ- ǩY̸a_ơن4zc>fm+HZi#o?Zj Aâ&Bz#v#|l {p 8IiB.#}a&k#5[޳@ϐ`pڸ~9{LP)ڲ2$({YI<&hXק *6R[Zat|@^:gT#l8_n0 @`nB8H6$Z6zLG,Փ^dER] .2fj08A~nj| @x{|ي^[;0!_\)hn$'::,j:«(0?Ŕ 6H~nEx޶')hx/.ZL3y1GOooZog0,Q ],S}"3O).fm߰uF"=}}J^ZY(a T I/w I @p !ts.ەÞgϊ;A3L;>t!qӸH}1Tu7ϛ-HE|e@%V5RL GB;C$PGgfmҪajJ$SnXly;;#xKeQB$lIĐћa{2Ș wmv5ّ. ]J[Ż9sHͼ/sΚt jr l˵S[rxc7ywDJz=xgVLmzɅF9d6(23~^ xO095l.yo>H ɯ62 `ȡzRJrC0D&؃mlm -CXAq%MrQٔNZj6ֻ}¾=kKۮ;eS|$N!8Q:"]x;yxg)/a+zh|Ԝ; ؊HP1,Do<|O"Y݉ 0* jC7h{DJᚬA%.nc[^ :B"wƘBFdc1ǵ'4r@&0t|[T(' )iղ$'+vO**h`O2b߲12R3}L}4FSH%m%F9Ҏ@>~^FN@V&럥E\ Nf K)KvTZC>KQk⾓ @ 9kg&zހCT1tX$[K '!&|eޤ %w>\kUW }q eYqȧ@,Aj~abم 0^Z|p7:o:RVQbRTM1.lVNjZ/Ru!}D™<쀁'e]-K7HFYUnݗ]Xmqyijq9*;bkZL43n Bcoi pd|hI(> D&Go)gmMb+)mtSj|!-Yd+H5EudE<3;#3bt{\&>{PMi+f u:>G+87߁+eCLI$c;E|[׋|Cj6Ы˔h9Eγ L)&^XN~U眔:V7r3Y@Lݲ38*fPGd]at H_R| z_7^bџG<I/L<y6u@!cm ,!*R~]M.ѯRFv@Kx˘>nsGRGliڔV(AxT f.VOB &&A7\N=R"6|aw;o Y8vfXY'1Ia0c&pgVˈ8[f]'>t<$5da9= q[4 U!k"xKƯ?h;H=Wimr"#K[{V( ?0f\Kf{ٙ' 1r_SDžo'uK2/ dca`d0|]iMb2f1uoO eXm`=xpggR'CKCȞs}<58GV} xρB r>Nc~Eb{0׼Zr(:Qސm2M5OzSH%[6Q/׷W GUtֆ 1 4U̷H!_bHwjC=Ѕϕ)ŋA.6s&4}:SC@ȼan "^b]rɁDf75;!Y<%d~KY^ҟM{h}Qx!d e}L'"b/-w{N-JD} CvӟfF ٽReo!&҃uV`9B|*9P d,}87RVE %tygmP}СTsU`P3B"ejEĖH 9pGL&ܰo؀ \Tg1oC=-Qa b)T2bw]w`:T( )tpM10JBYLF^M)61)3]fnylX-h1ةͼs/8Z-zKo%~"38ܓ=Fga|<^ 2B?g}DHhG ZxwКH*{k;9;P!z')qRj:25[zh1X,pV4's ,Z DgGAp(Oc&0I)m'"d}bnl70N_IJO|_@,NP*dha񍺏.BhI_29gQJP[(&5/aw)E9r6n̚Kl@Ϗ_hOwQMy)3Mcf)/Kg'z>Ͼyd+nj j:@+'G㾂gd)CF8SQ .- ˎxQ3saVTC'_{-e[۟l9~zͨh&&""j.gu YuPY"跉ɉSBR6&R ȢPks1n ZAfV'7Oԫן6}<DZ7znSh s RU^bqc|m2L>}ħ쐉뉷#L;JUA߷m sQ>KEQP|ꉚ\R_~(yqnbgb jHޤHV' eᗉ:XOi4g7{gT A4LZxx  !ej  M]b mIR19"V~A7E*q7ȭ=KHȱӣwV?`xOU^Mk)bVB&졚#ϿTR՘uaJܷ*pNt0Ÿ Iw$;x*Kddž3W9'Ի˹3$r`C ֳņ{D6ؑ9g<bĿ-‚̲!HI}˞GYb @g[N{r[^d +tq젆}'U-b6zCF8L ZM]X`A0B3L"T}\rHAރjm*8ƅ2b2{vdWnσlAyμUi]3L^3خz7Do kai'(ӿ  -.L.t#}=<>'&xOK/3UYu#K.=.  #8>/@ 8Cק ʃwq0m ::Âtϧ4}QZ4 kԻE,΋}Z*%\?xP`*:.+vʰ-ą}0"i84&>(KP8yu*B ƪ}y 6vm%`k[N]O(0E&תӪ)E0܎C,:r/y)_)YJAWh 6:py`14Pq5bBhTY'DS\葺^^ZHFZ3RGԢ+~Pi ~59r4ѩ,BL' X%)TOv|gюl`m1B]!tTyHv@?E-wPR,ZM#) PE VA%jXHAI֓f) h΍? ѤgSs% 'oȴ*W4]LP85=~&ykڬXoIW9*X<5"&j"w C SJFJKiBu+p0c{MN.',![~칤ZNn1 kM=V`[IÚ2 q. TpKOө ys_.FXO\cX lxA6VR1cYc3@sQ̭.ng!6Ȑ Rw@,`^ߖ"x0/]{7~0bۊb#P#gUڛ8YPB4ͤP k!+(W;bg=-qΖ{S6al>0~,u숪E$@@"CYgy^]>#>#qR8޷:d+[zxoMMV޼)w,Nfc.пiu}'vrfUj.DcbR9krY> 0Zs*k׿*.v+x8 1PJb h+f#n /&W@ZoHz[j8bloa D<'mH8iW.G]IՆ.`]eh-eW$$">9&{c:0:ƚ`N^HJFʝ/TAᇣvI܎AU85>g40D,  5+D4&8 _)@RB83.]%klk͵ΗWʃ7 n c;ت/:S=c]a}_e2ۃ peĪ>yAܝ.4yEUa{}i‚Y>~_ĘufZD̢pGQ̓F#qgW4# Aeu !Qh` iFUAů]7UtX<ͨQIJxva48Vuʷ8@!/?F)Ƞ^[妛툊ͰVcj 1Vc>$:h.f1(Yw6Pӻ/In5z)W(C0N)JEf6ch}퍿̱X~)! habl-.B|nɘK#m%c>lKz&<f ɣ:q;ZIh)Ψ;@B;ԇ5g0B\~ ,"]l9ޏ> .qJg 1Dxlv%PGfji]S/fo6Jl@VaD1Mz.cA)/lN:?V i^JwepTQMx5tlrw>A 5 8FėY" A}K<2'ɲYdp'~€T! O!^/A&N+Z޳&ޢМp\C_CjZw$\mGPi?٦z!$0lK4äqp{y|o FL˪..beb{.oJxNM /fϗ ]-+GE>O39==g !o[n͝Qc _cT##0|"#es&OUqka@ESjjF&cM'|Ǚ˒V=Wefj c 6T0̓.N-A;3?i:I2R=M~u B mMq2B9=bI,3dye˻T@RP+z|?Ue̗n4|: JnP w) U)\T_|_%@~4ݦF?p7\lb_Ҹ][b\2 c1hYTn>4/-AU54y'T8~۵9Zdc鵝^Ɩ@R^$'U>a&3ѩԮcПI`gPi]:lz~X-bRWiF|~8Y/7Iz2Kf`$z'Ri(YO?d'~%MΤSHz7~gѹj^{m?A0VIs5Lw.:ԞDG3/;gڊöPXц_qT`phHʣh) $z'BhxWmV ;f kO-P6zeLݥgV~#z QMH^vO#p>k3҂f@T]27J7HP ^t^/g!wUs~My4j4PUő!R(X αr]M,39P]3n#dC\%&P#T6ϕKh8)H<Ѻw/En1>ao:6 0"{{>2Q(`n'!^Xg߂C׿F?2s۪0'2=(a7\+<9n?xⳣ~̢,&5̤ῪFT069"v{U#Bnj4.8&ðbQr+OVqcSN:R>k42r1\CMUX?Q%oMwխlvvӥXcc$\WWqaԥe G^S[v+(L@5Z g1lc/E:Lw TA#8. ΌםC**4mfi. XEEh%L336#1ewe\XP f,"ͨg5A3 Y C,H5‡׼ zqEj䰍^AN6;/(D?k MZۂW[i?RҘ0X=Z>-MIF2;Q#z_&#ϔ=vUaG'%¨>0`3yqnz?/#Θ(4ĆAb]1X?1IK:ޢ-\6܅j1k>bZ)Hh ڒ}&qlpRULP:rrRGfp7ܑMyL'KDEm&;21&fZZ&,QоL#um&G"b%W9R[^*9'?#DY|Tӈ0fQ[l{(iܺrR;5 PN9&@$W;O$=" Ma{8vq ߋ9y?6]V8I?J@cV#$yJUB$ j('3Z<ϙYE`rjAiU  d;h:orschxT䗰3-Uɸ xEAN) 2q]M`-ENPS|'2HT qT U2"(s/f[uHɪA3:UVjcmC!YAڛ4%8sYklw[yY9YU ]Ȉ<3ʹ΍WF Նu u#`Mg-pU7l|ӧ~0 ~H_wWS[N~~,QVS$ \TS AURy(䑘dpaΪ5v}Tm|Q"x}'nnT|In->$͍ tTK=:,F/Č[^Vayд0q,Oi%, ǹ0s2!|..CtVέ(%|0e~ !6za}F;_m cB+^ɿ@Y/ocPD0G솉8Hc_cKEYf~ ,Q%EB^=dC@hyf&Re%ѢiiFޒ!fwT pD+/Tz uC—32[,b?ф & ]Y/2_|C];J  pЫ|?R9P ʭ onW8Ӡգ=3J;ձ-gi~Fs'! 7P"OMQk&2Z26wŢݮR~GH5;SYՇSQ495K@u= (f%3,XlhYޞɂf)uq.[ L!_kAψZ~ꘂ\Ni7#2Zy4hmvX#jִD W_Р5&$ \"hE?[YUq)p~"9*F7>TU8D >[OGz{q( O:} TMWiu$?%$5zT[NK-mheO^2ݩ恺*Nd&73f9k\I 5 mWw Sܔ`qP=x:+ڹQىG ;G}kKz6 W:gXƞ0TewwzcȀmu͗ѫ0XaE<᩟p,]fI1|[]lhұO ~C_;`3IZ_4s\=S_$DDD`'WtPK!+EGD@c*DZrI,%XQXghexni{Z R[xOHɣO e0!aƕQvg8aaB۵Hme'Mw ^sϲb"p+{ /Yw4#pMo8|`T٪1u_crDzT/!rw*sd BS*,_ħ9S1$sܩ<Ge1 =wϲ!SnJsĂL֜_ 5jM'Qq.s!D6{@=ƕs;pV]c8/]GVFI_,ߏNt<BY3@y3 )GZ|Lna"V_T6Q_߂k֚8 >y6r嚗"h%< (Z_•{+; *VYgrhFV)!ΰ\/T9*bx;0@лj {S'5 ضO'sBh`sEV思ro>fK:vVlGǍ! ._`xq\)~ŧ뺽,ͫ/"c9e a+"Vpd &*0lAe0& 'T'=23f7l(a'sĈdK~AA Jvv5v,2=k+4Rɋt,XY̗㮉:Jhc1eh6Vs]x90DxC*ASDŽJovB"oѧW 8% B-F_x9W8QxaP_[!k;&eGAiqIt?Rؓ -1 !?:}JH;%z)du[~<`"̶{ ^ + .h@IUiŠwAM7֘1ƅ-b%_,>{ֿ;׬ YF}xf!;.mĔcsP{|i]-ETGnh6=#vق߷}qiqѺI Ϭ!X|?8.c:V*LC.W?V跒g]-<. 7j;w0>Mp~B V4IHqbY'g\][k̟?fNnik2[S ' \Aǧxu LR?OW%Gs~k馓ͰB?xd0&(ҎR~cLpHDXĩ0 JҸ+JeK(J+Z^hBu|[U-[('[Ek{MhTE}}UqjHi&"[-Y?y·F=p0ibN1I̚daY N y9lX,By(̰3X%OD1\ԆÓSv[JsdUvc*s R C?g->SG u1c.8zu;FX3jN@"{@4uѽ* #딘 Y^]qdJ8bV: B Q#q+쁁Aa94uh&X"v">GUY_my%t0Z?#E%Vo?|9mr0X7/$ t_@N2Bzφm~Yy녉TvPjT8b^ʝZ%}| ʉډܡ.<)QXd|r=dXx?magTZhanDmDh3&76vaʲby<.~sd`íPNaϵV> [OP?`mWA?8:9w9Ҳ j%7&/tfk-JdPt\?r@k HX.kʉ RL= hvQ&3]Ia,S}0S;S8[|XYhO1 ϱ.>ZmZzD!'f1(T(NiNǁØeBެv?LMXB#RFIht swn&)WL!Y[r}(a,*eS[LƼOK'r* t[6K&;YV&А 3:O 4VΰO_>28gYxZ&6K%? lZ(SѴ!;Hx:z̩EUL`vV>8X\;xܘgq\ehe5Sa/pWKR$Oe1hFyvm s<d|^w 0VFL$ՕV2? g8ߚR9I3|04/nLd# 5Fq}~c4|LN\ #`{u3 U ̄ ovX&P~+T XMڡe쿲jFO/Dex.slտuk\%1ZZ~2bL -TXN3aSl~h6sW#^cu(>uO]ٰxjOox`#F7M\FKQ!^_6Cp/58|<=}JH &ަ8{XNW`Ppp-T m!U9"0wTmISDKXj \}p.b2,P?کt9*KfyɍGV2n  [o܀gتٯ~8vP؂ q";xdg.QyaqD,[0`½X۔z F6%Z.W)lXGtfԜ~\GNJMK.HrjA%a,bm:2W/X q|PW?E+[{,XLR_]GSv9$s;uvp\(nwn+8(ݯ\\maguțəbUQb6FGvN'_V$ƨ53ÅD!0 -BeO+7@>*f:}.p QjdvJ.ꊧҥ*) @J'ĞGwWwIҮqp,.[(L'|Ċ2ls `W쉅-zD% g䇪 !l쳗ԦKD81 }/W[ 7y!I~*Z"k@% wug=-T }A.?41ÜYu8A 'Gס6mZl7 5uA Uط(O=-(}%J [%(}-Ȫѽ X.P_O?}\r""2+@:F$yJ7ulƍmu'b~jkIS0͆|z~Iyu4mD+㗲F䟍m_z^$Ò/Aז8,O Z UP{қlynC֞$ =Ai趵CKa"=0BdDVJ$OBd<ȌT`}r[dRӸ R_.G3_lD0Iw&%{H9Z_}gcN=K JI1 ~+6=h!P b|3XKX Yڶ ~m;5Y\d/^5BTp]4ulaw sDLhUwU fZHKD|A7<64h?%Ciz.,abh 3_$ tR䰼1 c+C{/G\c F=^9{+ hco&A"03%$qƩ] J!9m R~bg|y5F3"awE-ճ3uEz\}U45 4C tLnܑr^#<8|p49-?MctDO?z`sR3*FQƽ&O5ᙤza jvu؎t*\aHRC05%"C)V?o7͜j9J 1c.1Gg *Pٗpy%LbO{هTqh'Ǯ`m.$mƅբ&j=߅U)!Rkv8fg-5.|y_$^ZIUtHX1^I%d_kD/=[3]n%amTP QӑރsrVW\=̓  Qk>6ߑ QF>%WFJ llEll7vNla;߸EPP j5mAO > yF|~>%Pc<\KXaX[}i *Hள5 TgI~_}+~9sc\*S0iXsk(Q;r]oIFaKBoxłAUzm[l\Ҹ_ b X+C9Q x{R`RBR%ey>قEu+pMxܥ3N9n|bTlӀUc:v@@w0[օcIzulX@Cjo r!2]F3]v[eW,_6(yS? $FlfeqB_l6E|/O[p8) #Ԇ !BәRJFFg Y&, OFEX(^'es{zW"&mHlƈlj H=p9#5OдMu0oǦ RVW_W:Yt2ŵR!nq4+/>h8E$KO &V0'F+؏ luY]M^βT34c67+g|'׉8΍ Y+fk4mEC NTZLլTvaV*(0G+m6qatk*VjV`CO,ڒB&㴦Ret'Q9ˆ.XJBOsKM@YwD|t6*Bp7P]"'"&Ԕܸa24Š g@FO /S/P8 õ,nFt l8xps5O@Mh9Hl<^$Q-,}Tb!8M3a.z|jet=8`F+n)Mް'<mS}(,ޱ|P vEt8Re_Ϫ9_k邾^DbC +&`^VGS2OSۉm&%k(WǠ  ^0LH+Ur<l9|'Et@ #zI`✧pP a8/J,_d| ?;o^)apK _c/jPػ&T&wD4h.qBMOUW8>;h5G]&zΘxަ{4%N!=} ]jFh6ExK>ڞ:+`{=jЗ GɃ+w=BƥqJO'|g72dgLۻvn4$+~R  ~_ћV:Qvab2nOX. j%qőf*( ^|b[i cXd⭊9_4GMESUZ̑*`[BnxbTAKSN5)T i?ZW,ckckt5=DD@쥪r-OJC!h]oЏ"13ўgM[/4PkUA^7%Zlb\ ?J~Hg=?s5i. ܐT¤Esec^X,#rrHx w(exkG̛{Im5,ih:)䐂^1dt3n# J=zGaٜ~7oNVie컈= FF9+B}N0i7ET{RE0~ߗ;X42BJPО5oKnl[e;bl\t;Mw Ƽ#_\$6 P60"O&5aU"6m=MSoynsu*DT'CV"7;TT6o,^IiwӨG_į,2r4RQ*g5{^U8`J89!M e? ľLJ~7?W$n $ݤ7L>Ê|I 1. (R`i4_d&%8\ڸs% af&1E~xD¨rVC eM IJЉC]/l굡~:juxmG?[Љ<@;$9E'd ~3[_udcl&;[OaDB>+gƴǕ7|w G {MF-Rm1f(\}A~S* UI&^nx+dwX]s LFiMTȵtdSiUEv!fOdΝFB섋P#3v~Ȥq5T#PnrY]ajaDS֑= Dژi~ %>lߨtS3g9N HJIZ*%\1Y)d1zP)\X,ۃ/uCaO*9b CKt2GdQ=I(tgҪ봿ɒ#b#jJ́_&h2UU`c&"r&ykA,Aea1eD~#|^'FtZD}(iGXyguF j1#ݑ(ڷ2xqpyC(uX8lxȢ70dByML.xzn@t٫SGBD+6n;Q }wʮІWaOq0J"*+@"#Jt=ׅMM`F6rx߸ r$\=R.{WT I^׳zJk|+$pDWG` >| cYV˹(ʾ@E-A߅DA_@ o+kЫu086@x a8TBWӼsڋz >5|sLYL gl[IvʇZ`P`)Nd-Gha6זUu? p;ig$;R ,SFNtWH:)\Z|)_8ÄdHcd aa0^̉,8ʆr"C}J+Qat׷=t8El~2xHJYiC`<|ڭ?ҀK4f^ yh*+B#cj\}g|Ğƞ.$.4knI`_-+\?e\}0`xaog9兦voQ+B-A.6uqq|$d{Ր>nn^usxwxc=[5]1Λ3Iyp<Kz5{xN3r@B41{xCB([M3fjZe&X? `Hjas78ː5=8:܎yďi!%cȑ@ ^6'onVk,nF="hQƜ_'|q6d:Y;ԋlԴ SpOB;o$~(`@m_7ۭ-fpQsLic`D!YʤBG/}܁q`o{2"؋vJ>aFUXvBK4q( \I41=i79.'IOVrPVtf׊nP T pv 玈9'/G2IW VK\㗐H\H7l(K:잲a{ˆd圵ZJ HVwDpzݏğxKd[ґ E`n" G,z*B|6S.E Uʩ3ۨ^p4^~d,'^x%7̬ pID˟,W""\[i0;tuj (|t lj`lsK 龏 w E?l.g i|j"{D{#-5z|  |-],s\D =uůW BQSj"C*Z]*?^d:khˮjO,̉k}4 /$-;: fyF\s1 !B2'0yp]9gaQji9 iؒ#K": F< V&gYz/VqqyKT?eYȌ?ը]E\% 0:+}^̼z|5@UW[4bA|v0KTr8/?r4 vў&,%^@!|qe{_ >Z}/=sil4.TOm0Ex[a4%?~~PݶK{:Q,#Bј~ :}HȊmJ\>J~ؐ S.kȝmkzK wp0X[t( ee0n5_sT|[Bs퐵D'[:Iދ{j퇓*iN +#,bKZl?dZo҄[=z.!;0e*rW݉^>(ᬣwpxڽB!srzH,>` (|G,| #V߂Wn8Dc5\ioB \M- D~X *P-A6I6b?e:Phk7Dj>f_E9Cs§Spfܼ]+T T/%Q̄4(՞]Y屛kYz<طj-JN׃,*Z4jOcN#c -)vxYҩkts@uG[/sS Vjs$ӟT$ }l\՞{fu_D})%~wGi:h*zv뵣>7f~c[@c<;1ߞw:b>|3rï}$c U) KL2eXRXK4W.rZAG63؄U)LP~ު%WAj3<`~sbaڇzo ߃X~NBWZ,LmT l<2'F ǨM uc Oa96lޑR|1L83qc%?vrvϞ;>vU0!NO9MGҋ8@[qD8ң\g|ؽ9JA\7 =!xYxH-BoAGmZ{3QfRX矍Uc+s+c3Ix`3{`:rD~k+ˑIţr+,=5 Y#РY$='VO'&߸Bļz“hɮ|C`}~5 {I n.Ibh| 3G=5& L7'=1mJ+N_N $ws8M=cӀl]Il}ڙ+YC0Y1bR5Z[%1' A>R#WGv?/VŸԺV83oTӪJRB͋^miE9r:! N>=ԓ\ .D/=)MoaQ8}4n3\骰 tXz@k3WP9,z&{nSHuo9Agj$? \© BPI/qqu"^E09#p°-j@osBP8Sc)0T!|u:WK +dBf HR۔JsVMΐv촏HAC@8?:]:H4ΕpVkC 6+)?Pi#/eG[`UAX(_4~*nPju  ъlIrvKAGG5R"\‡*S( 교 a*) 낣^ʹ&y)O>PPP5f޳&ض7pՏb16Z,2# օCAؐwȓ5gҝuG&>UPٞdcI)N[1}:*ey|֙1Y;_<g["ݸT,bBgF#;[1$5j:ہW_XQX`kBU6#z0QezrTA!#d5,{.0 FʴK(y eܗR5҇SGl>T <vmb% yԗ|fS#Ij|_vx1a'1Ji܉FS-턅Gtj眫vL*R6{nEpr !seG^N5sZW-So%T#\ БGmVH4\>ם Qїp~01kDXa!R5dݵmKpNC=w\p8Eg'KDhfXZhoqE*FJWyp89=}c @)LּghR0eS7@蜛 MIԪ.O`"tqɳTWks`.B3G?CP-{rV_];(fYu$RgK , nX1oIcPWE]gm= X4ѝ_Dx ~o +&Ġ `)]U2h 3\ y>^vc%kۏinajeֿ ybܦ@l0U1lrYht+y\3Kjeɴ֋' I.>ѫE^k .?avpj }(PD""_k3d(!5T\xl`-D }k#bvxDXOk =B@~IxHq/k$.p֋Yn9;3%` h"|CVMӔn{}怜"!=(Ѐ St&Yې?$64cpϦ_ {yŜ\_ `?PF3ȭ='ܭ7/|ýqٱ$uiZ#}i7#:x+wIj[U~#&5# >v/Q2D`n."GB(R36k'EFV߉Ba=p9,Y;wU[YT$Kʘߗ)~Nc dd~ v3 ΙApU }-_+ r6D]t: [>wntYbw^Mſ&HZߧ) ̎'Eչ8X2ܖKWE߄(dx}\+ڝFSHvsq@2=oŠc&741ְp6ײJTƝbԘFԻB"]>Z!X6ٸdw7Gz?̈́]<\+ P !ΝEwo"7$` tk`W'A+q̤w"h%dSuegֳ:7%+HJCCd}`%+ژk!c0KUBbEgu>^Y?*Do!}`a`ܣj7 V9L^&Y➒t;f=쇁ni[tIڮLD@; ^ZҷU %MЫhuXXlTc"qwgH.Ha :@yOB ujHR!~PL"O^{`sOCKs>P']{&yB%WqG(hԠxVc,LO A<;Lmscamo?@Y}Q{ԍDgՎ9MmWu,堄*3}!}V>TJ2B7k1|$D-o$v4BIdCNIJۭâTtӣp|Zlg,28Wè*n/K\ޔ`cfRF"*ۍK0Qp{-!m%H?Lp6Ի-Tmf17 ˄Y` CQ#v]gأ@(\ܸc: 8~bdkNy%]Fx{Wp;ki {7ϋK 'kgȯDC=5)r$$G '"+@,7;>-^/=SE/?V3z=cd>|TT޿19Ffdk {/threV4 N`Y:dXRtЙHg>W P2LzW1?j8]"[LLc>1(.@VM`UIOu|Կ^L<{*CץONB=}j˭L+2>TmF-,N=X TTT5)zɖz (9kbv_-e rf*{yY)T?oeѰa[%jOiUHK4$t$W}J^"\Vl2#\;䞏F7Շ Jm \KT(Gܷ%E,K^WFd> uZ<Ux8H>٘W-T\ڤ k񵒹73 G3Fh:|gV*Р 2Q?KP<̕bM@"Ձ+#67í JMXtUys>F`a|{@F ѺJ?L׼x0!x`f2#[Zd/`ǩ,~j% pa0xqAwl9Vy4yg3 Eg7V`U7wb3.~mv a>(윸bf'L8ԏU Z1op l%;im?*7Kc׳`YQ[Ow$~𗲡3P֠WXqYن  >jP660Mi|59:*zYGf6bOɚOq?V[Qe0JV.nKS ^~%D/5loTdu@=g^%o 2(xf +gGв@coqahpF(n G!xdH4.uv-3.pw'$ACSGҀ]@SEMI(1"h):cd [('_B8C @OUʴ[ ['O|R*#BxDM -0X  }"+nbF6#BԞ<8$ˀq JT>s˜1g&]a)90~&5-r9Nх߳ڰMhFdO@$ƅ?jJ()Z;Rvbn?ONO5k٬X;W;G<Ŕ}PtZ餦*:DžarSV03!6J)PˆN7W`T+{Tk3~&gJR!􉙀G~] 5怀A-{ l!VdN%Yd3E^=}~PeO=Pn̩ų(Hr-݇m \XNkpFj@]烘g%\<5{PИ} 5H4Moֱ>3[:d>M'1IQ9."|zЧdeǀb $ʵx+ބ'IdIG|\:2Gߵ' CFv7kAJ_('N"xAʒfyZ0Rm"yj1W. م%/?|2b } C̓1EvM1bM&,$ k~J5-eM}@Sk|p0>oַfR3e$a/4.l`ڻ##]P2wU5lգQaL`7 ð:Cn2Bl\ΰvzpo$&v$ .O Ch:ذ?m$d_^:ԫVEt9HAFsϙZ[kF*δJUcw Ϧ_z`FY_OD*<14CO=eD ; CѠ6bھ,R/xLof~] RV^fe梷/:3Liq=4z]H)/YteF\m-(´\q*Jd:9Q\ץhr?g^oJb4pwF(Œf̚ܪP͵D_d&3Xi]ojIA>7_]R-*y:p*=B%^FfjrKGdA"D ?ssjxPW7 -Xe!9$x.۲v#b8fKwQH"Si^E&eX iH_]bn-d'4`^@ͥ9*Ɖi֛EX7G^Z 4½YկQhWͿ)Zu1<>uq,l0Zw8a: ˻I(!9|*@Psz{ Dep4)t4>@}2BOGy0j*[pF3V<* jQ=qԮ4$ K{=TK*wie;r6qX#[/Jb`F7zxܻaIz Pa~u=(uYw'gVsu$v3 [N}},EغW W:*<:yF%ˉoG`ZLypVZ$Z<;{ETPה\0ƐEwNmF?9WSm†tƂd* v)Fd'*Xò?Gk*٦4fѦ&"k`γY_ܭ|LA:7:ܥ[R"ŀEs/Vx\{En[PO\Xg-|(_k1W#*.UiCK4ϊ qjF{Vs[o㹬vvV:b(:zPU vĸ '7-p`R-)f*rnJh^BJZ2b$**%[pwjjQ{>Ȧu4NM8![S<#ʚ)ɴvĖ}OH4Gg=$6wWBƎyL4>üKvI/d]YA2*~yVbݽ}{6gUf&x\Zu@u(BAV{݀,Lɸpa%䰤:J~(NguM%w +&p(zx ʐLZtrg+߯~73V)32`WFEqtVqWңw3CLT r *VGj]3Rʲ5eD'H̄ KxAUH{>~]K !E@bn?5ndZ_yC >m@ F] `K$(,CL3k!Zwms_q%,!1=}Y(Qjm?{5 ْ= W1NMwg#jl-ơdiyWf' s*:CBNl Ʌah.ڿ#r8NC]eֹc/XIGJXsگ] 첱ɴ9;)K՟]n:.iQ*EI{y/ L'>-4}/_X 4ȓi:c uNCSyG=bo*8frsm U>N^Fd}LG)-s_g=r&Q~_eY%T*FO^o7cTȀ+`=-lZZӜCT(緵ӷ6Mw o4N= ZcF-iv~MchT%DK{ +Q,3P p{KߠTO . T[ YZ