pki-kra-10.5.18-18.el7_9>t  DH`paD$ƨװ!a-C$NlEAxwVa`+z84oN4v3*kVӃ:o>i) BgŅSjG_IU +L 3 z]#/wO5uxqBZr`GfHgT59 ҘYիi^j1?Ͷ?Fhj>cK!!H#@x4~y|ť_@G}²?}Ӝ0GJ9af> <:pϼ!=9Fz Зp'~JQOAFmT">OT!sQ{ H8$ /W=mBLwJxOսưqvv]r~cW cWWG(Hn<~DȒ˴9b'}u՛Z>W赐ظ7{0llXruf][iw& @!\Ҡ(5u\kj|N%tؚ_q(KK%T^dI`%rx[G]rJ)`A|h J+f-s'cC:b^!?u iV Yu ^: _2N$J%s*Y'V\E^bR9NMO:@-\1ӁJbxp({V<,u}"& o79mK{ ^FZIׅ⯴~ak~ŬE T##Z~:sCp0s@9-8g^kT/>7St?Sdd   G        4 R X `ll l l pl (l )l+Xl-tl//l1d1l 1 2D (2u82|96:gFG-pki-server-theme NOTE: As a convenience for standalone deployments, top-level meta packages may be provided which bind a particular theme to these certificate server packages.aix86-02.bsys.centos.orgCentOSGPLv2CentOS BuildSystem System Environment/Daemonshttp://pki.fedoraproject.org/linuxnoarch=mYD M!6 S}F}\ g(; #%##"x/   P 9M]g')t K+7ehf`\ #+##'2<!k, " wA큤AA큤AA큤A큤AAA큤A큤AAAA큤A큤ai^2aiaiaiaiGaiai^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2ai^2aiaiai^2^2ai^2^2^2aiaiaiaiaiaiaiaiai^2^2aiaiai^2^2^2^2^2^2^2^2aiD^2^2^2^2ai^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2^2d6bf5823021651d1cb53350adcf4bb818ac77768f5cbc43898ad06af1036b00ee76d16151d185fd6227775257e8dac2e368bce85ec57a67b6fc238d46852daa77b44149720eaf0407e16ee9e0f8ae72b352b4f6f4622bd810b001b5d85deb36e380b9107081800a248ca7a064562c80b123ebb13889486c8fffb533b5b5f63068f1dd8aacafde7444b474dc2bd8e3634df688009ca5c7f8015cbbb4351ca667388f7cb8f0cf201fbf0e12c62429b8e798438c7586948ed8878cbaf131a3b0f468075fca87218754d0e1cda0c922b6f3665d32cd15bd02f93ed245f68d4342ac4747a7ad8823f14f1e52344b158db9a5cac37858fd7d77fb62795426b40f153d4e5aa4c4ea965737cf4d247523765a5850cba9f086d276e92ae9cc224f8128123daf83af32352768f970da204178f58ccbdea0f2cf9f3bc82f28fac0a2a47e2a527ed767345475519c0b68cc96bd20f23cb2045c3829dcc72c67a4f1a133a7d155ec67643ebfdcec431c7d61966510fefc3e691ff14a09438257c5c23fe66d54bb14050386b6df46fef8e6214e41579d09c780d19d242741f29c2809ef973cefeb760a2dee6aef9a244f84690b0e80d22f419f277d615a90b129483aa669128f6767d3c20dc56e7c6f0ba342130b0160dd473330845cc80f17f5ea872d0fd5031448b089c45226bb2cf6dad3cdf581c3af18a90d6b911ccb66c7b2179a7a75fd1bca75eac7d894fd5cd1ea75a0ed89170c0d4d1580016ef8436ecf4e619543752303a3f673928e2839845976001deaec22af953bacd3b72fe5c49443a185a898c26d1e3ccc9375d6256e77b91817081f349ed0b5115ce58d43c2720c3473e5e440931144adecc3e739b8e90e79978a1c24da8e3f19df422256cdacb909942f04c1463861b5901af132d310917e6f413300c51d1550d3019a30cf22d1de3a94fe7e1f16dfc4891efbc5f8b12d38381041f75aeef95dda09a3c728bac964a8660a1bdde4c0aefb36f1162726bb551a958e9ff0de0333133702e0312e1bbe8c64c60f940b149f3278ebe2f7040e9224cb5d49ad2e896b807877864ae209975fdba39fe55d9dabe5730b830109f5d6bad9227eea0387e9b425cbdf52e9aecb5044ddffe8e98d26730ff60f728d0e080cf63e44ec0bc72932c375894c729bda2b364a1272612c2005dcad021f513cc99590d3eddcbd0943208feb340699371199f997cbdc94d667eb164fe14473fddcf73e6d94a900625a8b34413c3644876fa6cde884f4ab4dcaf087b7c4f19ee478f417cbed2a795077a6756951460095e218af9182e19f93b4be505b09e226e4a3b99d72eae82a72f405e7d89a22e8eda014d5d36a530cfa996d1101fb3b07ef12de2101bfe688fc4cd55ca9ccc33f9dca7087e8a831c3bd3e90d7f32167749ec6c6dcee365bf920f8e1cfa91af896404d1229ebce00d651d3984b45e8018392211eec9609f0f7ea34c4cb2b6d24cc4d38a9354508bbb1093626dba946d692324a87eace7f835e956cc86ac3a169fced8b2824878d5c34ffa37e009b172504474fec6f4aac965e0e1a463eb765e8c3b4c8a55cdf0aa1b54bceb5df380f7fb1ca90dc4d6ee9f1ab73ce43f532a85e944f5b371a591716b91bc1841c1f76c7e9824debc567c81da6b2357c72f2ba79bffaf4ba129bcf325bb79d689a8bb887992e43ac22aab0c187599395419df5d4d419a233f95549c80bd279299a5e3db6bf0f1446060bb9d3856342b145f76385ca1e42a6599f13cd074c49414cbab0bfbce300a5f52d998d99532a34bf8f0be8eaa97eb8b73fe7186e454bf11475fb89e70283aebd7d3b913baa865e57d465418ac32295631ab8de37b68b658435c45c3e79b8d91085063b4764cb63af21cefaca358c07ccba79aa72c6b2e52b47aac7e7d204effb742419b5194ca1e20369fdcc25d23b471ee9902c09334fc549604ff49152c6ab93e45b2d09989ed85c9e8de26953bdf3a4b161e364c199fdba6d7a9c62eb09a93db390b3225ee6b2e5267b5e016056ba8ef3c70533c10c58c6bb6e6b59b4e994df6f980a5bc0d77a7f4f96925389aefadc116b6074076964bd3421a6296f1fcb5505bac1f7a23a3833a7bf36d457ba09d3a5abbe69efd5d9e13de6a20d7ca2562313178d752460db591b4fe56b8fad305d2cfdb76516962bf699fad5d6291de370a4dab04c21ddec0aebc16659bb0952b895c5d3fc87e733619d451271518f58f95267472cfcf111d65a5ffbfec5d1598ccc6c9f7548e09de4cec6924e2cb4fefb9dbbfa52369f7b1de7d34889a279024677b6f464d0d9bb08c8157b7c92293e4245e735eacc25dae6c6b70a55f81ea3a1da930afb7a59f632ee20620c07c13d5294c195d77f9fb0a07db3743851d8a8aa27d72655b1f09c4e1d3c11c20f442118c706db0808f5a44a80a45619d6dfcd4be5607d1fd9f59439c5efd43308c1b45411ea51d59b894d29d788abd5dfe4d34f4878966dc1df54c8ccc2b9353a475063df6fe2c95426730695078a6839796ef1370ff75db78c7f69c17f1990c49f03adec681ca2966df1cf879c8393b16ac292df37b576035e32b1c0336c9fb9df2d6202a726d48179e1dd494db38f94b4aaba1dcf7d10bb925b7cc7738d0e77935d251b22c247119d61a369f5314da511568dc631b92e3241f7146840c6df40a1db607752671d475b91a7ee97584c73f2f5abec6aed611046c0fc83844860c83f52d7db63d17dead6ae2c472914f4b64c1ea83d2a834712471a12f07a5855c7c8a0c0a48eb38ad5777f5eec9ad7544a58a0831a0cff4bb4835af4b7eb04035738711dd50a4968482f656f88e8e68b4a4720fc6f5efcc0110a5f068759b2daef538471dd0c04721a7e8fdb24f4b186bcd6bb9fd3e2afa52e9fcf22f5c70d8a7130dfe1bdb06a1e7e0130e65ebda1e71f36992fef63cf339a1d478c2ba0c588bb1d4bedacbd0d032d6552a06ec98dbf416610661214af0dfd34996ddb2491353dae287b5ea640903601375e41df3a68ddcba44e9a04c7a623d5f397244a362112fc148b25a7f807b3f9006a07a5e6fa8e318b44d72d9a2cc1044698337f2afb6d22e7de75bb55e9b45319cacd292721976fc55cbd658411516cc9966e5d01b7524f3cd8e31d3db15878b22e175729fea56d74888a62fc22ae3b35ff72cb81e9c91b5ae40f0eda38421efaf6c2ea37ac2bf86a686c635ef630edc71443016cf5b652a848a5d497b94a0def8b35ae0d17b9d371890134b7e84bc26f2aa0151da75c0b4ee6a08c38c6923e144f7b719cd958990abe6dcdc74afad7b8b465a959b0fdcb8b288f6897c157ccbdb2c2f115e084ac06471cc99b3e2cf80956d139fe566364453ae08929677b123b5f36900eabf6205fc33947d99eeb97bdb30938ee64a837c220bbe58faa0f4f7ebceb785c8629b87c7f0fdae55ab0a638fde3851c29956fb1119af3ee29e945a3198bcc978be94922e2fabafe215a4f362b5c6129678597b18ea0add0bf4bcd3c944d37ac1e3a6d4ad93cbbee979c2b726448f8ef2e0a2df7617023e6eb26974199f246cf15d0e96dd06e4fffec521f96524624a589702d0c070efe06f3cafd7cf41af43c99f082f63463174ef492c4cfd60d1ea5ea81d71941755e29d55786dcbaacb5e8d4fadcd770a1d765583f70c9524152c1f10dc0b184a6e82f437d28c6d280dbd2457c9d784da59e6b2bab81e1e560573dad04db79cabffddc2bf2ccdf5cca914f4bf3a778c1dffee2dd8903584b6474653b660dc940ba8d515da7518817152b1369d945051134bd1c9dc4c50a21cb98fda4b797ddb9dd0496d4b23af1b0e300f28c72f815115/usr/share/java/pki/pki-certsrv.jar/usr/share/java/pki/pki-cms.jar/usr/share/java/pki/pki-cmsbundle.jar/usr/share/java/pki/pki-cmscore.jar/usr/share/java/pki/pki-cmsutil.jar/usr/share/java/pki/pki-kra.jar/usr/share/java/pki/pki-nsutil.jar/usr/share/pki/server/webapps/pki/admin/consolerootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpki-core-10.5.18-18.el7_9.src.rpmpki-kra    java-1.8.0-openjdk-headlesspki-serverrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)systemd-unitssystemd-unitssystemd-unitsrpmlib(PayloadIsXz)10.5.18-18.el7_93.0.4-14.6.0-14.0-15.2-14.11.3as@aA@a`@``e@`6?`%@_$_@_@^V@^@^@^U@^=@^@^]]@]@]]v>]R@] u@\\@\f\T4\R@\\U@\[@[{[l,[`O@[U@[>@[d@[@[o[@ZUZ@Z@ZZxG@Zg#Z.s@Z@Z ZYYY@Y@Y@YoIYlYGY>@Y5GY-^Y$$@Y"Y@Y#@X@XX@XO@X*XRXOX!@X&X2@WWҤ@WίW#W:WWt@W{@Wu WgWV@WV@WV@WV@WV@WV@W 10.5.18-18Dogtag Team 10.5.18-17Dogtag Team 10.5.18-16Dogtag Team 10.5.18-15Dogtag Team 10.5.18-14Dogtag Team 10.5.18-13Dogtag Team 10.5.18-12Dogtag Team 10.5.18-11Dogtag Team 10.5.18-10Dogtag Team 10.5.18-9Dogtag Team 10.5.18-8Dogtag Team 10.5.18-7Dogtag Team 10.5.18-6Dogtag Team 10.5.18-5Dogtag Team 10.5.18-4Dogtag Team 10.5.18-3Dogtag Team 10.5.18-2Dogtag Team 10.5.18-1Dogtag Team 10.5.17-6Dogtag Team 10.5.17-5Dogtag Team 10.5.17-4Dogtag Team 10.5.17-3Dogtag Team 10.5.17-2Dogtag Team 10.5.17-1Dogtag Team 10.5.16-3Dogtag Team 10.5.16-2Dogtag Team 10.5.16-1Dogtag Team 10.5.9-13Dogtag Team 10.5.9-12Dogtag Team 10.5.9-11Dogtag Team 10.5.9-10Dogtag Team 10.5.9-9Dogtag Team 10.5.9-8Dogtag Team 10.5.9-7Dogtag Team 10.5.9-6Dogtag Team 10.5.9-5Dogtag Team 10.5.9-4Dogtag Team 10.5.9-3Dogtag Team 10.5.9-2Dogtag Team 10.5.9-1Dogtag Team 10.5.1-13.1Dogtag Team 10.5.1-13Dogtag Team 10.5.1-12Dogtag Team 10.5.1-11Dogtag Team 10.5.1-10Dogtag Team 10.5.1-9Dogtag Team 10.5.1-8Dogtag Team 10.5.1-7Dogtag Team 10.5.1-6Dogtag Team 10.5.1-5Dogtag Team 10.5.1-4Troy Dawson - 10.5.1-3Dogtag Team 10.5.1-2Dogtag Team 10.5.1-1Dogtag Team 10.5.0-1Dogtag Team 10.4.1-15Dogtag Team 10.4.1-14Dogtag Team 10.4.1-13Dogtag Team 10.4.1-12Dogtag Team 10.4.1-11Dogtag Team 10.4.1-10Dogtag Team 10.4.1-9Dogtag Team 10.4.1-8Dogtag Team 10.4.1-7Dogtag Team 10.4.1-6Dogtag Team 10.4.1-5Dogtag Team 10.4.1-4Dogtag Team 10.4.1-3Dogtag Team 10.4.1-2Dogtag Team 10.4.1-1Dogtag Team 10.4.0-1Dogtag Team 10.3.3-18Dogtag Team 10.3.3-17Dogtag Team 10.3.3-16Dogtag Team 10.3.3-15Dogtag Team 10.3.3-14Dogtag Team 10.3.3-13Dogtag Team 10.3.3-12Dogtag Team 10.3.3-11Dogtag Team 10.3.3-10Dogtag Team 10.3.3-9Dogtag Team 10.3.3-8Dogtag Team 10.3.3-7Dogtag Team 10.3.3-6Dogtag Team 10.3.3-5Dogtag Team 10.3.3-3Dogtag Team 10.3.3-2Dogtag Team 10.3.3-1Dogtag Team 10.3.3-0.1Dogtag Team 10.3.2-5Dogtag Team 10.3.2-4Dogtag Team 10.3.2-3Dogtag Team 10.3.2-2Dogtag Team 10.3.2-1Dogtag Team 10.3.2-0.1Dogtag Team 10.3.1-1Dogtag Team 10.3.0-1Dogtag Team 10.3.0.b1-1Dogtag Team 10.3.0.a2-2Dogtag Team 10.3.0.a2-1Dogtag Team 10.3.0.a1-2Dogtag Team 10.3.0.a1-1Dogtag Team 10.3.0-0.5Dogtag Team 10.3.0-0.4Dogtag Team 10.3.0-0.3Dogtag Team 10.3.0-0.2Dogtag Team 10.3.0-0.1Dogtag Team 10.2.7-0.3Tomas Radej - 10.2.7-0.2Dogtag Team 10.2.7-0.1Dogtag Team 10.2.6-1Dogtag Team 10.2.6-0.3Dogtag Team 10.2.6-0.2Dogtag Team 10.2.6-0.1Dogtag Team 10.2.5-1Dogtag Team 10.2.5-0.2Dogtag Team 10.2.5-0.1Dogtag Team 10.2.4-1Dogtag Team 10.2.4-0.2Dogtag Team 10.2.4-0.1Dogtag Team 10.2.3-1Dogtag Team 10.2.3-0.1Dogtag Team 10.3.0-0.1Dogtag Team 10.2.3-0.1Dogtag Team 10.2.2-1Dogtag Team 10.2.2-0.1Dogtag Team 10.2.1-1Matthew Harmsen - 10.2.1-0.4Ade Lee 10.2.1-0.3Christina Fu 10.2.1-0.2Dogtag Team 10.2.1-0.1Ade Lee 10.2.0-3Matthew Harmsen - 10.2.0-2Dogtag Team 10.2.0-1Matthew Harmsen - 10.2.0-0.10Matthew Harmsen - 10.2.0-0.9Matthew Harmsen - 10.2.0-0.8Fedora Release Engineering - 10.2.0-0.5Jack Magne - 10.2.0-0.7Matthew Harmsen - 10.2.0-0.6Matthew Harmsen - 10.2.0-0.5Ade Lee - 10.2.0-0.4Fedora Release Engineering - 10.2.0-0.3Michael Simacek - 10.2.0-0.2Dogtag Team 10.2.0-0.1Ade Lee 10.1.0-1Ade Lee 10.1.0-0.14Ade Lee 10.1.0-0.13Ade Lee 10.1.0-0.12Ade Lee 10.1.0-0.11Endi S. Dewata 10.1.0-0.10Abhishek Koneru 10.1.0.0.9Abhishek Koneru 10.1.0.0.8Endi S. Dewata 10.1.0-0.7Endi S. Dewata 10.1.0-0.6Endi S. Dewata 10.1.0-0.5Ade Lee 10.1.0-0.4Endi S. Dewata 10.1.0-0.3Matthew Harmsen 10.1.0-0.2Ade Lee 10.1.0-0.1Endi S. Dewata 10.0.2-5Ade Lee 10.0.2-4Ade Lee 10.0.2-3Endi S. Dewata 10.0.2-2Ade Lee 10.0.2-1Ade Lee 10.0.2-0.8Endi S. Dewata 10.0.2-0.7Endi S. Dewata 10.0.2-0.6Ade Lee 10.0.2-0.5Endi S. Dewata 10.0.2-0.4Endi S. Dewata 10.0.2-0.3Endi S. Dewata 10.0.2-0.2Endi S. Dewata 10.0.2-0.1Endi S. Dewata 10.0.1-9Ade Lee 10.0.1-8Endi S. Dewata 10.0.1-7Matthew Harmsen 10.0.1-6Endi S. Dewata 10.0.1-5Endi S. Dewata 10.0.1-4Matthew Harmsen 10.0.1-3Matthew Harmsen 10.0.1-2Ade Lee 10.0.1-1Matthew Harmsen 10.0.0-5Matthew Harmsen 10.0.0-4Ade Lee 10.0.0-3Ade Lee 10.0.0-2Ade Lee 10.0.0-1Matthew Harmsen 10.0.0-0.56.b3Endi S. Dewata 10.0.0-0.55.b3Endi S. Dewata 10.0.0-0.54.b3Ade Lee 10.0.0-0.53.b3Ade Lee 10.0.0-0.52.b3Endi S. Dewata 10.0.0-0.51.b2Endi S. Dewata 10.0.0-0.50.b2Matthew Harmsen 10.0.0-0.49.b2Ade Lee 10.0.0-0.48.b2Matthew Harmsen 10.0.0-0.47.b1Ade Lee 10.0.0-0.46.b1Ade Lee 10.0.0-0.45.b1Ade Lee 10.0.0-0.44.b1Ade Lee 10.0.0-0.43.b1Ade Lee 10.0.0-0.42.b1Ade Lee 10.0.0-0.41.b1Ade Lee 10.0.0-0.40.b1Endi S. Dewata 10.0.0-0.40.a2Endi S. Dewata 10.0.0-0.39.a2Ade Lee 10.0.0-0.38.a2Endi S. Dewata 10.0.0-0.37.a2Ade Lee 10.0.0-0.36.a2Endi S. Dewata 10.0.0-0.36.a1Endi S. Dewata 10.0.0-0.35.a1Endi S. Dewata 10.0.0-0.34.a1Ade Lee 10.0.0-0.33.a1Matthew Harmsen 10.0.0-0.32.a1Endi S. Dewata 10.0.0-0.31.a1Endi S. Dewata 10.0.0-0.30.a1Endi S. Dewata 10.0.0-0.29.a1Endi S. Dewata 10.0.0-0.28.a1Endi S. Dewata 10.0.0-0.27.a1Endi S. Dewata 10.0.0-0.26.a1Endi S. Dewata 10.0.0-0.25.a1Endi S. Dewata 10.0.0-0.24.a1Matthew Harmsen 10.0.0-0.23.a1Endi S. Dewata 10.0.0-0.22.a1Endi S. Dewata 10.0.0-0.21.a1Matthew Harmsen 10.0.0-0.20.a1Matthew Harmsen 10.0.0-0.19.a1Matthew Harmsen 10.0.0-0.18.a1Endi S. Dewata 10.0.0-0.17.a1Matthew Harmsen 10.0.0-0.16.a1Ade Lee 10.0.0-0.15.a1Christina Fu 10.0.0-0.14.a1Endi S. Dewata 10.0.0-0.13.a1Endi S. Dewata 10.0.0-0.12.a1Ade Lee 10.0.0-0.11.a1Matthew Harmsen 10.0.0-0.10.a1Matthew Harmsen 10.0.0-0.9.a1Jack Magne 10.0.0-0.8.a1Matthew Harmsen 10.0.0-0.7.a1Endi S. Dewata 10.0.0-0.6.a1Ade Lee 10.0.0-0.5.a1Endi S. Dewata 10.0.0-0.4.a1Matthew Harmsen 10.0.0-0.3.a1Matthew Harmsen 10.0.0-0.2.a1Nathan Kinder 10.0.0-0.1.a1Ade Lee 9.0.16-3Endi S. Dewata 9.0.16-2Matthew Harmsen 9.0.16-1Matthew Harmsen 9.0.15-1Matthew Harmsen 9.0.14-1Ade Lee 9.0.13-1Matthew Harmsen 9.0.12-1Matthew Harmsen 9.0.11-1Matthew Harmsen 9.0.10-1Matthew Harmsen 9.0.9-1Matthew Harmsen 9.0.8-2Matthew Harmsen 9.0.8-1Matthew Harmsen 9.0.7-1Matthew Harmsen 9.0.6-2Matthew Harmsen 9.0.6-1Matthew Harmsen 9.0.5-2Matthew Harmsen 9.0.5-1Matthew Harmsen 9.0.4-1Matthew Harmsen 9.0.3-2Matthew Harmsen 9.0.3-1Matthew Harmsen 9.0.2-1Matthew Harmsen 9.0.1-3Matthew Harmsen 9.0.1-2Matthew Harmsen 9.0.1-1Matthew Harmsen 9.0.0-3Matthew Harmsen 9.0.0-2Matthew Harmsen 9.0.0-1- ########################################################################## - # RHEL 7.9 (Batch Update 10): - ########################################################################## - Bugzillla Bug 1978345 - End Entity's List Certificates Page Back/Forward Buttons are Broken (ckelley, jonahon.d.parrish@mail.mil, mharmsen) - Bugzilla Bug 2008707 - pkispawn bails out too easily for things that could have been worked around after installation [RHEL 7.9.z] (cfu) - Bugzilla Bug 2016773 - Directory authentication plugin requires directory admin password just for user authentication (rhel-7.9.z) (awnuk@purestorage.com, jmagne) - ########################################################################## - # RHCS 9.7: - ########################################################################## - Bugzilla Bug #1774177 - Rebase redhat-pki, redhat-pki-theme, pki-core, and pki-console to 10.5.18 in RHCS 9.7 (Batch Update 7)- ########################################################################## - # RHEL 7.9 (Batch Update 9): - ########################################################################## - Bugzilla Bug 1958788 - ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500 [ftweedal, ckelley] - ########################################################################## - # RHCS 9.7: - ########################################################################## - Bugzilla Bug #1774177 - Rebase redhat-pki, redhat-pki-theme, pki-core, and pki-console to 10.5.18 in RHCS 9.7 (Batch Update 7)- ########################################################################## - # RHEL 7.9 (Batch Update 8): - ########################################################################## - Bugzilla Bug 1958277 - PKCS10Client EC Attribute Encoding [cfu] - Bugzilla Bug 1958788 - ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500 [ftweedale, ckelley] - ########################################################################## - # RHCS 9.7 (Batch Update 8): - ########################################################################## - Bugzilla Bug 1959937 - TPS Allowing Token Transactions while the CA is Down [cfu] - Bugzilla Bug 1979710 - TPS Not properly enforcing Token Profile Separation [cfu]- ########################################################################## - # RHEL 7.9: - ########################################################################## - Bugzilla Bug 1905374 - restrict EE profile list and enrollment submission per LDAP group without immediate issuance [rhel-7.9.z] (cfu) - ########################################################################## - # RHCS 9.7: - ########################################################################## - Bugzilla Bug #1774177 - Rebase redhat-pki, redhat-pki-theme, pki-core, and pki-console to 10.5.18 in RHCS 9.7 (Batch Update 7)- ########################################################################## - # RHEL 7.9: - ########################################################################## - Bugzilla Bug 1911472 - Revoke via REST API not working when Agent certificate not issued by CA [rhel-7.9.z] (cfu) - Bugzilla Bug 1914587 - RHEL IPA PKI - Failed to read product version String.java.io.FileNotFoundException (ckelley) - Bugzilla Bug 1942687 - TPS not populating Token Policy, or switching PIN_RESET=YES to NO [rhel-7.9.z] (jmagne) - Bugzilla Bug 1955633 - Recovery of Keys migrated to latest version of KRA fail to recover and result in Null Point Exception [rhel-7.9.z] (jmagne) - ########################################################################## - # RHCS 9.7: - ########################################################################## - Bugzilla Bug #1774177 - Rebase redhat-pki, redhat-pki-theme, pki-core, and pki-console to 10.5.18 in RHCS 9.7 (Batch Update 6)- ########################################################################## - # RHEL 7.9: - ########################################################################## - Bugzilla Bug 1949136 - PKI instance creation failed with new 389-ds-base build (jmagne) - Bugzilla Bug 1949656 - CRMF requests with extensions other than SKID cannot be processed (cfu) - ########################################################################## - # RHCS 9.7: - ########################################################################## - Bugzilla Bug #1774177 - Rebase redhat-pki, redhat-pki-theme, pki-core, and pki-console to 10.5.18 in RHCS 9.7 (Batch Update 6)- Change variable 'TPS' to 'tps' - ########################################################################## - # RHEL 7.9: - ########################################################################## - Bugzilla Bug 1883639 - Add KRA Transport and Storage Certificates profiles, audit for IPA (edewata) - ########################################################################## - # Backported CVEs (ascheel): - ########################################################################## - Bugzilla Bug 1724697 - CVE-2019-10180 pki-core: unsanitized token parameters in TPS resulting in stored XSS [certificate_system_9-default] (edewata, ascheel) - Bugzilla Bug 1725128 - CVE-2019-10178 pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab [certificate_system_9-default] (edewata, ascheel) - Bugzilla Bug 1791100 - CVE-2020-1696 pki-core: Stored XSS in TPS profile creation [certificate_system_9-default] (edewata, ascheel) - Bugzilla Bug 1724688 - CVE-2019-10146 pki-core: Reflected Cross-Site Scripting in 'path length' constraint field in CA's Agent page [rhel-7.9.z] (dmoluguw, ascheel) - Bugzilla Bug 1789843 - CVE-2019-10221 pki-core: reflected cross site scripting in getcookies?url= endpoint in CA [rhel-7.9.z] (dmoluguw, ascheel) - Bugzilla Bug 1724713 - CVE-2019-10179 pki-core: pki-core/pki-kra: Reflected XSS in recoveryID search field at KRA's DRM agent page in authorize recovery tab [rhel-7.9.z] (ascheel) - Bugzilla Bug 1798011 - CVE-2020-1721 pki-core: KRA vulnerable to reflected XSS via the getPk12 page [rhel-7.9.z] (ascheel,jmagne) - ########################################################################## - Update to jquery v3.4.1 (ascheel) - Update to jquery-i18n-properties v1.2.7 (ascheel) - Update to backbone v1.4.0 (ascheel) - Upgrade to underscore v1.9.2 (ascheel) - Update to patternfly v3.59.3 (ascheel) - Update to jQuery v3.5.1 (ascheel) - Upgrade to bootstrap v3.4.1 (ascheel) - Link in new Bootstrap CSS file (ascheel) - ########################################################################## - # RHCS 9.7: - ########################################################################## - # Bugzilla Bug #1733588 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- ########################################################################## - # RHEL 7.9: - ########################################################################## - Bugzilla Bug 1883639 - Add KRA Transport and Storage Certificates profiles, audit for IPA (edewata) - ########################################################################## - # Backported CVEs (ascheel): - ########################################################################## - Bugzilla Bug 1724697 - CVE-2019-10180 pki-core: unsanitized token parameters in TPS resulting in stored XSS [certificate_system_9-default] (edewata, ascheel) - Bugzilla Bug 1725128 - CVE-2019-10178 pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab [certificate_system_9-default] (edewata, ascheel) - Bugzilla Bug 1791100 - CVE-2020-1696 pki-core: Stored XSS in TPS profile creation [certificate_system_9-default] (edewata, ascheel) - Bugzilla Bug 1724688 - CVE-2019-10146 pki-core: Reflected Cross-Site Scripting in 'path length' constraint field in CA's Agent page [rhel-7.9.z] (dmoluguw, ascheel) - Bugzilla Bug 1789843 - CVE-2019-10221 pki-core: reflected cross site scripting in getcookies?url= endpoint in CA [rhel-7.9.z] (dmoluguw, ascheel) - Bugzilla Bug 1724713 - CVE-2019-10179 pki-core: pki-core/pki-kra: Reflected XSS in recoveryID search field at KRA's DRM agent page in authorize recovery tab [rhel-7.9.z] (ascheel) - Bugzilla Bug 1798011 - CVE-2020-1721 pki-core: KRA vulnerable to reflected XSS via the getPk12 page [rhel-7.9.z] (ascheel,jmagne) - ########################################################################## - Update to jquery v3.4.1 (ascheel) - Update to jquery-i18n-properties v1.2.7 (ascheel) - Update to backbone v1.4.0 (ascheel) - Upgrade to underscore v1.9.2 (ascheel) - Update to patternfly v3.59.3 (ascheel) - Update to jQuery v3.5.1 (ascheel) - Upgrade to bootstrap v3.4.1 (ascheel) - Link in new Bootstrap CSS file (ascheel) - ########################################################################## - # RHCS 9.7: - ########################################################################## - # Bugzilla Bug #1733588 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- Bugzilla Bug #1883639 - additional fix to upgrade script (edewata)- Bugzilla Bug #1883639 - additional support on upgrade for audit cert profile and auditProfileUpgrade + auditProfileUpgrade part 2 (cfu)- ########################################################################## - # RHEL 7.9: - ########################################################################## - Bugzilla Bug #1883639 - add profile caAuditSigningCert (cfu) - ########################################################################## - # RHCS 9.7: - ########################################################################## - # Bugzilla Bug #1710978 - TPS - Add logging to tdbAddCertificatesForCUID if - # Bugzilla Bug #1858860 - TPS - Update Error Codes returned to client - # Bugzilla Bug #1858861 - TPS - Server side key generation is not working - # Bugzilla Bug #1858867 - TPS does not check token cuid on the user- Patch for CMCResponse tool - Bugzilla Bug #1710109 - add RSA PSS support - fix CMCResponse tool (jmagne)- Patch for CMC Credential Error, RSA PSS typo, and new profile for directory-authentication-based Server-Side keygen - ########################################################################## - # RHEL 7.9: - ########################################################################## - Bugzilla Bug #1710109 - add RSA PSS support (jmagne) - Bugzilla Bug #1794213 - Server-Side keygen Enrollment for EE (cfu) - ########################################################################## - # RHCS 9.7: - ########################################################################## - # Bugzilla Bug #1733588 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- Updated jss dependencies - Bugzilla Bug #1710109 - add RSA PSS support - fix SHA512 (jmagne)- ########################################################################## - # RHEL 7.9: - ########################################################################## - Bugzilla Bug #1794213 - Server-Side keygen Enrollment for EE additional support and touch-up (cfu) - ########################################################################## - # RHCS 9.7: - ########################################################################## - # Bugzilla Bug #1710975 - TPS - Searching the certificate DB for a brand new- Updated jss dependencies - ########################################################################## - # RHEL 7.9: - ########################################################################## - Bugzilla Bug #1794213 - Server-Side keygen Enrollment for EE (cfu) - Bugzilla Bug #1809273 - CRL generation performs an unindexed search (jmagne) - ########################################################################## - # RHCS 9.7: - ########################################################################## - # Bugzilla Bug #1549307 - No default TPS Auditor group (ascheel)- Bugzilla Bug #1710109 - add RSA PSS support - fix IPA installer (jmagne)- Updated jss dependencies - ########################################################################## - # RHEL 7.9: - ########################################################################## - Bugzilla Bug #1774174 - Rebase pki-core from 10.5.17 to 10.5.18 (RHEL) - ########################################################################## - # RHCS 9.7: - ########################################################################## - # Bugzilla Bug #1774177 - Rebase redhat-pki, redhat-pki-theme, pki-core, and - # Bugzilla Bug #1774181 - Update RHCS version of CA, KRA, OCSP, and TKS so- ########################################################################## - # RHEL 7.8: - ########################################################################## - Bugzilla Bug #1723008 - ECC Key recovery failure with CKR_TEMPLATE_INCONSISTENT (cfu) - Bugzilla Bug #1774282 - pki-server-nuxwdog template has pid file name with non-breakable space char encoded instead of 0x20 space char (ascheel) - ########################################################################## - # RHCS 9.6: - ########################################################################## - # Bugzilla Bug #1733588 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- ########################################################################## - # RHEL 7.8: - ########################################################################## - Bugzilla Bug #1523330 - CC: missing audit event for CS acting as TLS client (cfu) - ########################################################################## - # RHCS 9.6: - ########################################################################## - # Bugzilla Bug #1733588 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- Include 'pistool' in the 'pki-tools' package- ########################################################################## - # RHEL 7.8: - ########################################################################## - Bugzilla Bug #1445479 - KRATool does not support netkeyKeyRecovery attribute (dmoluguw) - Bugzilla Bug #1534013 - Attempting to add new keys using a PUT KEY APDU to a token that is loaded only with the default/factory keys (Key Version Number 0xFF) returns an APDU with error code 0x6A88. (jmagne) - Bugzilla Bug #1709585 - PKI (test support) for PKCS#11 standard AES KeyWrap for HSM support (cfu, ftweedal) - Bugzilla Bug #1748766 - number range depletion when multiple clones created from same master (ftweedal) - ########################################################################## - # RHCS 9.6: - ########################################################################## - # Bugzilla Bug #1520258 - TPS token search fails to find entries , LDAP filter - # Bugzilla Bug #1535671 - RFE to have the users be able to use the- ########################################################################## - # RHEL 7.8: - ########################################################################## - Bugzilla Bug #1523330 - CC: missing audit event for CS acting as TLS client (cfu) - Bugzilla Bug #1597727 - CA - Unable to change a certificate’s revocation reason from superceded to key_compromised (rhcs-maint) - ########################################################################## - # RHCS 9.6: - ########################################################################## - # Bugzilla Bug #1470410 - TPS doesn't update revocation status when - # Bugzilla Bug #1470433 - Add supported transitions to TPS (rhcs-maint) - # Bugzilla Bug #1585722 - TMS - PKISocketFactory – Modify Logging to Allow - # Bugzilla Bug #1642577 - TPS – Revoked Encryption Certificates Marked as- Updated jss, nuxwdog, and tomcatjss dependencies - ########################################################################## - # RHEL 7.8: - ########################################################################## - Bugzilla Bug #1733586 - Rebase pki-core from 10.5.16 to 10.5.17 (RHEL) - ########################################################################## - # RHCS 9.6: - ########################################################################## - # Bugzilla Bug #1718418 - Update RHCS version of CA, KRA, OCSP, and TKS so - # Bugzilla Bug #1733588 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- ########################################################################## - # RHEL 7.7: - ########################################################################## - Bugzilla Bug #1638379 - PKI startup initialization process should not depend on LDAP operational attributes [ftweedal] - ########################################################################## - # RHCS 9.5: - ########################################################################## - # Bugzilla Bug #1633423 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- ########################################################################## - # RHEL 7.7: - ########################################################################## - Bugzilla Bug #1491453 - Need Method to Include SKI in CA Signing Certificate Request [ftweedal] - ########################################################################## - # RHCS 9.5: - ########################################################################## - # Bugzilla Bug #1633423 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- Updated jss dependencies - ########################################################################## - # RHEL 7.7: - ########################################################################## - Bugzilla Bug #1633422 - Rebase pki-core from 10.5.1 to 10.5.16 (RHEL) - ########################################################################## - # RHCS 9.5: - ########################################################################## - # Bugzilla Bug #1633423 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- Updated jss dependencies - ########################################################################## - # RHEL 7.6: - ########################################################################## - Bugzilla Bug #1671245 - CC: unable to verify cert before import [rhel-7.6.z] [manpage] (ascheel) - Bugzilla Bug #1671303 - CC: Upgrade scripts for audit event names (RHEL) [rhel-7.6.z] (edewata) - ########################################################################## - # RHCS 9.4: - ########################################################################## - # Bugzilla Bug #1671586 - CC: Upgrade scripts for audit event names (RHCS)- Updated jss dependencies - ########################################################################## - # RHEL 7.6: - ########################################################################## - Bugzilla Bug #1671245 - CC: unable to verify cert before import [rhel-7.6.z] (ascheel) - Bugzilla Bug #1671303 - CC: Upgrade scripts for audit event names (RHEL) [rhel-7.6.z] (edewata) - ########################################################################## - # RHCS 9.4: - ########################################################################## - # Bugzilla Bug #1671586 - CC: Upgrade scripts for audit event names (RHCS)- Updated jss dependencies - ########################################################################## - # RHEL 7.6: - ########################################################################## - Bugzilla Bug #1671245 - CC: unable to verify cert before import [rhel-7.6.z] (ascheel) - Bugzilla Bug #1671303 - CC: Upgrade scripts for audit event names (RHEL) [rhel-7.6.z] (edewata) - ########################################################################## - # RHCS 9.4: - ########################################################################## - # Bugzilla Bug #1671586 - CC: Upgrade scripts for audit event names (RHCS)- ########################################################################## - # RHEL 7.6: - ########################################################################## - Bugzilla Bug #1659939 - CC: Simplifying Web UI session timeout configuration [rhel-7.6.z] (edewata) - ########################################################################## - # RHCS 9.4: - ########################################################################## - # Bugzilla Bug #1639836 - CC: Identify RHCS version of CA, KRA, - # Added Batch Update Information to Product Version (mharmsen)- ########################################################################## - # RHEL 7.6: - ########################################################################## - Bugzilla Bug #1657922 - CC: CA/OCSP startup fail on SystemCertsVerification if enableOCSP is true [rhel-7.6.z] (jmagne) - ########################################################################## - # RHCS 9.4: - ########################################################################## - # Bugzilla Bug #1639836 - CC: Identify RHCS version of CA, KRA,- ########################################################################## - # RHEL 7.6: - ########################################################################## - Bugzilla Bug #1645262 - pkidestroy may not remove all files [rhel-7.6.z] (dmoluguw) - Bugzilla Bug #1645263 - Auth plugins leave passwords in the access log and audit log using REST [rhel-7.6.z] (dmoluguw) - Bugzilla Bug #1645429 - pkispawn fails due to name collision with /var/log/pki/ [rhel-7.6.z] (dmoluguw) - Bugzilla Bug #1655951 - CC: tools supporting CMC requests output keyID needs to be captured in file [rhel-7.6.z] (cfu) - Bugzilla Bug #1656297 - Unable to install with admin-generated keys [rhel-7.6.z] (edewata) - ########################################################################## - # RHCS 9.4: - ########################################################################## - # Bugzilla Bug #1639836 - CC: Identify RHCS version of CA, KRA,- Require "tomcatjss >= 7.2.1-8" as a build and runtime requirement - ########################################################################## - # RHEL 7.6: - ########################################################################## - Bugzilla Bug #1632116 - CC: missing audit event for CS acting as TLS client [rhel-7.6.z] (cfu) - Bugzilla Bug #1632120 - Unsupported RSA_ ciphers should be removed from the default ciphers list [rhel-7.6.z] (cfu) - Bugzilla Bug #1632615 - Permit certain SHA384 FIPS ciphers to be enabled by default for RSA and ECC . . . [rhel-7.6.z] (cfu) - Bugzilla Bug #1632616 - X500Name.directoryStringEncodingOrder overridden by CSR encoding (coverity changes) [rhel-7.6.z] (mharmsen) - Bugzilla Bug #1633104 - CMC: add config to allow non-clientAuth [rhel-7.6.z] (cfu) - Bugzilla Bug #1636490 - Installation of CA using an existing CA fails [rhel-7.6.z] (edewata) - Bugzilla Bug #1643878 - pki cli command for RHCS doesn't prompt for a password [rhel-7.6.z] (edewata) - Bugzilla Bug #1643879 - CC: Identify version/release of pki-ca, pki-kra, pki-ocsp, pki-tks, and pki-tps remotely [RHEL] [rhel-7.6.z] (cfu, jmagne) - Bugzilla Bug #1643880 - PKI subsystem process is not shutdown when there is no space on the disk to write logs [rhel-7.6.z] (edewata) - ########################################################################## - # RHCS 9.4: - ########################################################################## - # Bugzilla Bug #1639836 - CC: Identify RHCS version of CA, KRA,- Updated nuxwdog dependencies - ########################################################################## - # RHEL 7.6: - ########################################################################## - Bugzilla Bug #673182 - ECC keys not supported for signing audit logs (cfu) - Bugzilla Bug #1593805 - Better understanding of NSS_USE_DECODED_CKA_EC_POINT for ECC (cfu) - Bugzilla Bug #1601071 - Certificate generation happens with partial attributes in CMCRequest file (cfu) - Bugzilla Bug #1601569 - CC: Enable all config audit events (cfu) - Bugzilla Bug #1608375 - CMC Revocations throws exception with same reqIssuer & certissuer (cfu) - ########################################################################## - # RHCS 9.4: - ########################################################################## - # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to- ########################################################################## - # RHEL 7.6: - ########################################################################## - Bugzilla Bug #1596629 - ipa-replica-install --setup-kra broken on DL0 with latest version (abokovoy) - ########################################################################## - # RHCS 9.4: - ########################################################################## - # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to- ########################################################################## - # RHEL 7.6: - ########################################################################## - Bugzilla Bug #1548203 - pki console configurations that involves ldap passwords leave the plain text password in signed audit logs (cfu) - ########################################################################## - # RHCS 9.4: - ########################################################################## - # Bugzilla Bug #1494591 - keyGen fails when only Identity- Re-spin alpha builds- ########################################################################## - # RHEL 7.6: - ########################################################################## - Bugzilla Bug #1471935 - X500Name.directoryStringEncodingOrder overridden by CSR encoding (cfu) - Bugzilla Bug #1538311 - Using a Netmask produces an odd entry in a certificate (ftweedal) - Bugzilla Bug #1540440 - CMC: Audit Events needed for failures in SharedToken scenario's (cfu) - Bugzilla Bug #1550742 - Address ECC profile overrides (cfu) - Bugzilla Bug #1562841 - servlet profileSubmitCMCSimple throws NPE (cfu) - Bugzilla Bug #1572432 - AuditVerify failure due to line breaks (cfu) - Bugzilla Bug #1592961 - Need proper default subjectDN for CMC request authenticated through SharedToken (cfu) - ########################################################################## - # RHCS 9.4: - ########################################################################## - # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to- ########################################################################## - # RHEL 7.6: - ########################################################################## - Bugzilla Bug #1538311 - Using a Netmask produces an odd entry in a certifcate (ftweedal) - Bugzilla Bug #1544843 - ExternalCA: Installation failed during csr generation with ecc (rrelyea, gkapoor) - Bugzilla Bug #1557569 - Re-base pki-core from 10.5.1 to latest upstream 10.5.x (RHEL) (mharmsen) - Bugzilla Bug #1580394 - CMC CRMF requests result in InvalidKeyFormatException when signing algorithm is ECC (cfu) - Bugzilla Bug #1580527 - CVE-2018-1080 pki-core: Mishandled ACL configuration in AAclAuthz.java reverses rules that allow and deny access (ftweedal, cfu) - Bugzilla Bug #1585866 - CRMFPopClient tool - should allow option to do no key archival (cfu) - Bugzilla Bug #1588655 - Cert validation for installation with external CA cert (edewata) - ########################################################################## - # RHCS 9.4: - ########################################################################## - # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to- Rebuild due to build system database problem- ########################################################################## - # RHEL 7.5: - ########################################################################## - Bugzilla Bug #1553068 - Using a Netmask produces an odd entry in a certifcate [rhel-7.5.z] (ftweedal) - Bugzilla Bug #1585945 - CMC CRMF requests result in InvalidKeyFormatException when signing algorithm is ECC [rhel-7.5.z] (cfu) - Bugzilla Bug #1587826 - ExternalCA: Installation failed during csr generation with ecc [rhel-7.5.z] (rrelyea, gkapoor) - Bugzilla Bug #1588944 - Cert validation for installation with external CA cert [rhel-7.5.z] (edewata) - Bugzilla Bug #1588945 - CRMFPopClient tool - should allow option to do no key archival (cfu) - Bugzilla Bug #1589307 - CVE-2018-1080 pki-core: Mishandled ACL configuration in AAclAuthz.java reverses rules that allow and deny access [rhel-7.5.z] (ftweedal, cfu) - ########################################################################## - # RHCS 9.3: - ########################################################################## - # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,- Updated "jss" build and runtime requirements (mharmsen) - ########################################################################## - # RHEL 7.5: - ########################################################################## - Bugzilla Bug #1571582 - [MAN] Missing Man pages for tools CMCRequest, CMCResponse, CMCSharedToken (typos) [rhel-7.5.z] (cfu) - Bugzilla Bug #1572548 - IPA install with external-CA is failing when FIPS mode enabled. [rhel-7.5.z] (edewata) - Bugzilla Bug #1574848 - servlet profileSubmitCMCSimple throws NPE [rhel-7.5.z] (cfu) - Bugzilla Bug #1575521 - subsystem -> subsystem SSL handshake issue with TLS_ECDHE_RSA_* on Thales HSM [rhel-7.5.z] (cfu) - Bugzilla Bug #1581134 - ECC installation for non CA subsystems needs improvement [rhel-7.5.z] (jmagne) - Bugzilla Bug #1581135 - SAN in internal SSL server certificate in pkispawn configuration step [rhel-7.5.z] (cfu) - Bugzilla Bug #1581167 - CC: CMC profiles: Some CMC profiles have wrong input class_id [rhel-7.5.z] (cfu) - Bugzilla Bug #1581382 - ECDSA Certificates Generated by Certificate System 9.3 fail NIST validation test with parameter field. [rhel-7.5.z] (cfu) - ########################################################################## - # RHCS 9.3: - ########################################################################## - # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,- ########################################################################## - # RHEL 7.5: - ########################################################################## - Bugzilla Bug #1554726 - Need ECC-specific Enrollment Profiles for standard conformance [rhel-7.5.z] (cfu) - Bugzilla Bug #1557880 - [MAN] Missing Man pages for tools CMCRequest, CMCResponse, CMCSharedToken [rhel-7.5.z] (cfu) - ########################################################################## - # RHCS 9.3: - ########################################################################## - # Bugzilla Bug #1560233 - libtps does not directly depend on libz- ########################################################################## - # RHEL 7.5: - ########################################################################## - Bugzilla Bug #1550581 - CMCAuth throws org.mozilla.jss.crypto.TokenException: Unable to insert certificate into temporary database [rhel-7.5.z] (cfu) - Bugzilla Bug #1551067 - [MAN] Add --skip-configuration and --skip-installation into pkispawn man page. [rhel-7.5.z] (edewata) - Bugzilla Bug #1552241 - Make sslget aware of TLSv1_2 ciphers [rhel-7.5.z] (cheimes, mharmsen) - Bugzilla Bug #1553068 - Using a Netmask produces an odd entry in a certifcate [rhel-7.5.z] (ftweedal) - Bugzilla Bug #1554726 - Need ECC-specific Enrollment Profiles for standard conformance [rhel-7.5.z] (cfu) - Bugzilla Bug #1554727 - Permit additional FIPS ciphers to be enabled by default for RSA . . . [rhel-7.5.z] (mharmsen, cfu) - Bugzilla Bug #1557880 - [MAN] Missing Man pages for tools CMCRequest, CMCResponse, CMCSharedToken [rhel-7.5.z] (cfu) - Bugzilla Bug #1557883 - Console: Adding ACL from pki-console gives StringIndexOutOfBoundsException [rhel-7.5.z] (ftweedal) - Bugzilla Bug #1558919 - Not able to generate certificate request with ECC using pki client-cert-request [rhel-7.5.z] (akahat) - ########################################################################## - # RHCS 9.3: - ########################################################################## - # Bugzilla Bug #1560233 - libtps does not directly depend on libz- ########################################################################## - # RHEL 7.5: - ########################################################################## - # Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release - Bugzilla Bug #1445532 - CC: Audit Events: Update the default audit event set (RHEL) (edewata) - Bugzilla Bug #1532867 - Inconsistent key ID encoding (edewata) - Bugzilla Bug #1540687 - CC: External OCSP Installation failure with HSM and FIPS (edewata) - ########################################################################## - # RHCS 9.3: - ########################################################################## - # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, - # Bugzilla Bug #1404075 - CC: Audit Events: Update the default audit event- ########################################################################## - # RHEL 7.5: - ########################################################################## - # Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release - Bugzilla Bug #1542210 - pki console configurations that involves ldap passwords leave the plain text password in debug logs (jmagne) - Bugzilla Bug #1543242 - Regression in lightweight CA key replication (ftweedal) - ########################################################################## - # RHCS 9.3: - ########################################################################## - # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,- ########################################################################## - # RHEL 7.5: - ########################################################################## - # Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release - Bugzilla Bug #1445532 - CC: Audit Events: Update the default audit event set (RHEL) (edewata) - Bugzilla Bug #1522938 - CC: Missing faillure resumption detection and audit event logging at startup (jmagne) - Bugzilla Bug #1523410 - Unable to have non "pkiuser" owned CA instance (alee) - Bugzilla Bug #1525306 - CC: missing CMC request and response record (cfu) - Bugzilla Bug #1532933 - Installing subsystems with external CMC certificates in HSM environment shows import error (edewata) - Bugzilla Bug #1535797 - ExternalCA: Failures when installed with hsm (edewata) - Bugzilla Bug #1539125 - restrict default cipher suite to those ciphers permitted in fips mode (mharmsen) - Bugzilla Bug #1539198 - Inconsistent CERT_REQUEST_PROCESSED outcomes. (edewata) - Bugzilla Bug #1540440 - CMC: Audit Events needed for failures in SharedToken scenario's (cfu) - Bugzilla Bug #1541526 - CMC: Revocation works with an unknown revRequest.issuer (cfu) - Bugzilla Bug #1541853 - ProfileService: config values with backslashes have backslashes removed (ftweedal) - ########################################################################## - # RHCS 9.3: - ########################################################################## - # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, - # Bugzilla Bug #1404075 - CC: Audit Events: Update the default audit - # Bugzilla Bug #1501436 - TPS CS.cfg should be reflected with the- Updated jss, nuxwdog, and openssl dependencies - ########################################################################## - # RHEL 7.5: - ########################################################################## - Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release (RHEL) - Bugzilla Bug #1402280 - CA Cloning: Failed to update number range in few cases (ftweedal) - Bugzilla Bug #1428021 - CC: shared token storage and retrieval mechanism (cfu) - Bugzilla Bug #1447145 - CMC: cmc.popLinkWitnessRequired=false would cause error (cfu) - Bugzilla Bug #1498957 - pkidestroy does not work with nuxwdog (alee) - Bugzilla Bug #1520277 - PR_FILE_NOT_FOUND_ERROR during pkispawn (alee) - Bugzilla Bug #1520526 - p12 admin certificate is missing when certificate is signed Externally (edewata) - Bugzilla Bug #1523410 - Unable to have non "pkiuser" owned CA instance (alee) - Bugzilla Bug #1523443 - HAProxy rejects OCSP responses due to missing nextupdate field (ftweedal) - Bugzilla Bug #1526881 - Not able to setup CA with ECC (mharmsen) - Bugzilla Bug #1532759 - pkispawn seems to be leaving our passwords in several different files after installation completes (alee) - ########################################################################## - # RHCS 9.3: - ########################################################################## - # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,- ########################################################################## - # RHEL 7.5: - ########################################################################## - Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release (RHEL) - Bugzilla Bug #1466066 - CC: Secure removal of secret data storage (jmagne) - Bugzilla Bug #1518096 - ExternalCA: Failures in ExternalCA when tried to setup with CMC signed certificates (cfu) - ########################################################################## - # RHCS 9.3: - ########################################################################## - # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- ########################################################################## - # RHEL 7.5: - ########################################################################## - Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release (RHEL) - ########################################################################## - # RHCS 9.3: - ########################################################################## - #Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- dogtagpki Pagure Issue #2853 - Cleanup spec file conditionals- Patch applying check-ins since 10.5.1-1- ########################################################################## - # RHEL 7.5: - ########################################################################## - Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release (RHEL) - ########################################################################## - # RHCS 9.3: - ########################################################################## - #Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- ########################################################################## - # RHEL 7.5: - ########################################################################## - Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release (RHEL) - ########################################################################## - # RHCS 9.3: - ########################################################################## - #Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- #Bugzilla Bug #1492560 - ipa-replica-install --setup-kra broken on DL0- #Require "jss >= 4.4.0-8" as a build and runtime requirement - ########################################################################## - # RHEL 7.4: - ########################################################################## - # Resolves: rhbz #1486870,1485833,1487509,1490241,1491332 - # Bugzilla Bug #1486870 - Lightweight CA key replication fails (regressions) - # Bugzilla Bug #1485833 - Missing CN in user signing cert would cause error - # Bugzilla Bug #1487509 - pki-server-upgrade fails when upgrading from - # Bugzilla Bug #1490241 - PKCS12: upgrade to at least AES and SHA2 (FIPS) - # Bugzilla Bug #1491332 - TPS UI: need to display tokenType and tokenOrigin - # dogtagpki Pagure Issue #2764 - py3: pki.key.archive_encrypted_data: - ########################################################################## - # RHCS 9.2: - ########################################################################## - # Resolves: rhbz #1486870,1485833,1487509,1490241,1491332,1482729,1462271 - # Bugzilla Bug #1462271 - TPS incorrectly assigns "tokenOrigin" and - # Bugzilla Bug #1482729 - TPS UI: need to display tokenType and tokenOrigin- Resolves: rhbz #1463350 - ########################################################################## - # RHEL 7.4: - ########################################################################## - # Bugzilla Bug #1463350 - Access banner validation (edewata)- # Resolves: rhbz #1472615,1472617,1469447,1463350,1469449,1472619,1464970,1469437,1469439,1469446 - ########################################################################## - # RHEL 7.4: - ########################################################################## - # Bugzilla Bug #1472615 - CC: allow CA to process pre-signed CMC non-signing - # Bugzilla Bug #1472617 - CMC: cmc.popLinkWitnessRequired=false would cause - # Bugzilla Bug #1469447 - CC: CMC: check HTTPS client authentication cert - # Bugzilla Bug #1463350 - Access banner validation (edewata) - # Bugzilla Bug #1469449 - CC: allow CA to process pre-signed CMC renewal - # Bugzilla Bug #1472619 - Platform Dependent Python Import (mharmsen) - # Bugzilla Bug #1464970 - CC: CMC: replace id-cmc-statusInfo with - # Bugzilla Bug #1469437 - subsystem-cert-update command lacks --cert option - # Bugzilla Bug #1469439 - Fix Key Changeover with HSM to support SCP03 - # Bugzilla Bug #1469446 - CC: need CMC enrollment profiles for system- # Resolves: rhbz #1469432 - ########################################################################## - # RHEL 7.4: - ########################################################################## - # Bugzilla Bug #1469432 - CMC plugin default change - # Resolves CVE-2017-7537 - # Fixes BZ #1470948- ########################################################################## - # RHEL 7.4: - ########################################################################## - Bugzilla Bug #1458043 - Key recovery on token fails with invalid public key error on KRA (alee) - Bugzilla Bug #1460764 - CC: CMC: check HTTPS client authentication cert against CMC signer (cfu) - Bugzilla Bug #1461533 - Unable to find keys in the p12 file after deleting the any of the subsystem certs from it (ftweedal)- ########################################################################## - # RHEL 7.4: - ########################################################################## - Bugzilla Bug #1393633 - Creating symmetric key (sharedSecret) using tkstool is failing when RHEL 7.3 is in FIPS mode. (jmagne) - Bugzilla Bug #1419756 - CC: allow CA to process pre-signed CMC non-signing certificate requests (cfu) - Bugzilla Bug #1419777 - CC: allow CA to process pre-signed CMC revocation non-signing cert requests (cfu) - Bugzilla Bug #1458047 - change the way aes clients refer to aes keysets (alee) - Bugzilla Bug #1458055 - dont reuse IVs in the CMC code (alee) - Bugzilla Bug #1460028 - In keywrap mode, key recovery on KRA with HSM causes KRA to crash (ftweedal)- Require "selinux-policy-targeted >= 3.13.1-159" as a runtime requirement - Require "tomcatjss >= 7.2.1-4" as a build and runtime requirement - ########################################################################## - # RHEL 7.4: - ########################################################################## - Bugzilla Bug #1400149 - pkispawn fails to create CA subsystem on FIPS enabled system (edewata) - Bugzilla Bug #1447144 - CA brought down during separate KRA instance creation (edewata) - Bugzilla Bug #1447762 - pkispawn fails occasionally with this failure ACCESS_SESSION_ESTABLISH_FAILURE (edewata) - Bugzilla Bug #1454450 - SubCA installation failure with 2 step installation in fips enabled mode (edewata) - Bugzilla Bug #1456597 - Certificate import using pki client-cert-import is asking for password when already provided (edewata) - Bugzilla Bug #1456940 - Build failure due to Pylint issues (cheimes) - Bugzilla Bug #1458043 - Key recovery using externalReg fails with java null pointer exception on KRA (alee) - Bugzilla Bug #1458379 - Upgrade script for keepAliveTimeout parameter (edewata) - Bugzilla Bug #1458429 - client-cert-import --ca-cert should import CA cert with trust bits "CT,C,C" (edewata) - ########################################################################## - # RHCS 9.2: - ########################################################################## - Bugzilla Bug #1274086 - [RFE] Add SCP03 support (RHCS) (jmagne)- ########################################################################## - # RHEL 7.4: - ########################################################################## - Bugzilla Bug #1393633 - Creating symmetric key (sharedSecret) using tkstool is failing when RHEL 7.3 is in FIPS mode. (jmagne) - Bugzilla Bug #1445519 - CA Server installation with HSM fails (jmagne) - Bugzilla Bug #1452617 - Unable to create IPA Sub CA (ftweedal) - Bugzilla Bug #1454471 - Enabling all subsystems on startup (edewata) - Bugzilla Bug #1455617 - Key recovery on token fails because key record is not marked encrypted (alee)- Bugzilla Bug #1454603 - Unable to install IPA server due to pkispawn error (mharmsen)- ########################################################################## - # RHEL 7.4: - ########################################################################## - Bugzilla Bug #1419761 - CC: allow CA to process pre-signed CMC renewal non-signing cert requests (cfu) - Bugzilla Bug #1447080 - CC: CMC: allow enrollment key signed (self-signed) CMC with identity proof (cfu) - Bugzilla Bug #1447144 - CA brought down during separate KRA instance creation (mharmsen) - Bugzilla Bug #1448903 - exception Invalid module "--ignore-banner" when defined in ~/.dogtag/pki.conf and run pki pkcs12-import --help (edewata) - Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails (jmagne) - Bugzilla Bug #1452123 - CA CS.cfg shows default port (mharmsen) - Bugzilla Bug #1452250 - Inconsistent CERT_REQUEST_PROCESSED event in ConnectorServlet. (edewata) - Bugzilla Bug #1452340 - Ensuring common audit log correctness (edewata) - Bugzilla Bug #1452344 - Adding serial number into CERT_REQUEST_PROCESSED audit event. (edewata)- ########################################################################## - # RHEL 7.4: - ########################################################################## - Bugzilla Bug #1386303 - cannot extract generated private key from KRA when HSM is used. (alee) - Bugzilla Bug #1446364 - pkispawn returns before tomcat is ready (cheimes) - Bugzilla Bug #1447145 - CMC: cmc.popLinkWitnessRequired=false would cause error (cfu) - Bugzilla Bug #1448203 - CAInfoService: retrieve KRA-related values from the KRA (ftweedal) - Bugzilla Bug #1448204 - pkispawn of clone install fails with InvalidBERException (ftweedal) - Bugzilla Bug #1448521 - kra unable to extract symmetric keys generated on thales hsm (alee) - Updated "jss" build and runtime requirements (mharmsen) - ########################################################################## - # RHCS 9.2: - ########################################################################## - Bugzilla Bug #1274086 - [RFE] Add SCP03 support (RHCS) (jmagne)- ############################################################################ - # RHEL 7.4: - ############################################################################ - Bugzilla Bug #1303683 - dogtag should support GSSAPI based auth in conjuction with FreeIPA (ftweedal) - Bugzilla Bug #1385208 - RHCS 9.1 RC5 CA in the certificate profiles the startTime parameter is not working as expected. (jmagne) - Bugzilla Bug #1419756 - CC: allow CA to process pre-signed CMC non-signing certificate requests (cfu) - Bugzilla Bug #1426754 - PKCS12: upgrade to at least AES and SHA2 (ftweedal) - Bugzilla Bug #1445088 - profile modification cannot remove existing config parameters (ftweedal) - Bugzilla Bug #1445535 - CC: Crypto Operation (AES Encryption/Decryption) (RHEL) (alee) - Bugzilla Bug #1446874 - Missing ClientIP and ServerIP in audit log when pki CLI terminates SSL connection (edewata) - Bugzilla Bug #1446875 - Session timeout for PKI console (RHEL) (edewata) - ############################################################################ - # RHCS 9.2: - ############################################################################ - Bugzilla Bug #1404480 - CC: Crypto Operation (AES Encryption/Decryption) (RHCS) (alee)- ############################################################################ - # RHEL 7.4: - ############################################################################ - Bugzilla Bug #1282504 - Installing pki-server in container reports scriptlet failed, exit status 1 (jpazdziora) - Bugzilla Bug #1400149 - pkispawn fails to create CA subsystem on FIPS enabled system (edewata) - Bugzilla Bug #1410650 - [RFE] Add SCP03 support for sc 7 g & d cards (RHEL) (jmagne) - Bugzilla Bug #1437591 - cli authentication using expired cert throws an exception (edewata) - Bugzilla Bug #1437602 - non-CA cli looks for CA in the instance during a request (edewata) - ############################################################################ - # RHCS 9.2: - ############################################################################ - Bugzilla Bug #1274086 - [RFE] Add SCP03 support for sc 7 g & d cards (RHCS) (jmagne) - ############################################################################ - # Common Criteria - ############################################################################ - Bugzilla Bug #1404080 - CC: add audit event: various SSL/TLS failures (edewata) - Bugzilla Bug #1417307 - CC: Audit Review /Searches (edewata) - Bugzilla Bug #1419737 - CC: CMC: id-cmc-popLinkWitnessV2 feature implementation (cfu)- Require "nss >= 3.28.3" as a build and runtime requirement - Require "jss >= 4.4.0-4" as a build and runtime requirement - Require "tomcatjss >= 7.2.1-3" as a build and runtime requirement - dogtagpki Pagure Issue #2612 - Unable to clone due to pki pkcs12-cert-find failure (edewata) - ############################################################################ - Bugzilla Bug #1394309 - Rebase pki-core to 10.4.x in RHEL-7.4 - Bugzilla Bug #1394315 - Rebase redhat-pki, redhat-pki-theme, pki-core, and pki-console to 10.4.x - ############################################################################ - # RHEL 7.4: - ############################################################################ - ############################################################################ - # RHCS 9.2: - ############################################################################ - ############################################################################ - # Common Criteria - ############################################################################ - Bugzilla Bug #1419734 - CC: CMC: id-cmc-identityProofV2 feature implementation (cfu) - Bugzilla Bug #1419742 - CC: CMC: provide Proof of Possession for encryption cert requests (cfu) - Bugzilla Bug #1404080 - CC: add audit event: various SSL/TLS failures (edewata) - Bugzilla Bug #1428020 - CC: CMC feature support: provided issuance protection cert mechanism (cfu)- Require "jss >= 4.4.0-1" as a build and runtime requirement - Require "tomcatjss >= 7.2.1-1" as a build and runtime requirement - ############################################################################ - Bugzilla Bug #1394309 - Rebase pki-core to 10.4.x in RHEL-7.4 - Bugzilla Bug #1394315 - Rebase redhat-pki, redhat-pki-theme, pki-core, and pki-console to 10.4.x - ############################################################################ - # RHEL 7.4: - ############################################################################ - Bugzilla Bug #1222557 - ECDSA Certificates Generated by Certificate System 8.1 fail NIST validation test with parameter field. (cfu) - Bugzilla Bug #1238684 - Generting Symmetric key fails with key-generate when --usages verify (vakwetu) - Bugzilla Bug #1246635 - user-cert-add --serial CLI request to secure port with remote CA shows authentication failure (edewata) - Bugzilla Bug #1249400 - CA EE: Submit caUserCert request without uid does not show proper error message (vakwetu) - Bugzilla Bug #1305993 - Add profile component that copies CN to SAN (ftweedal) - Bugzilla Bug #1316653 - pki ca-cert-request-submit fails presumably because of missing authentication even if it should not require any (edewata) - Bugzilla Bug #1325071 - add options to enable/disable cert or crl publishing. (vakwetu) - Bugzilla Bug #1330800 - Failed to start pki-tomcatd Service ("ipa-cacert-manage renew" failed?) (edewata) - Bugzilla Bug #1368410 - Misleading Logging for HSM (edewata) - Bugzilla Bug #1372052 - Unable to search certificate requests using the latest request ID (edewata) - Bugzilla Bug #1375347 - Typo in comment line of UserPwdDirAuthentication.java (edewata) - Bugzilla Bug #1376226 - IPA replica-prepare failed with error "Profile caIPAserviceCert Not Found" (ftweedal) - Bugzilla Bug #1376488 - pkispawn fails as it is not able to find openssl as a dependency package (mharmsen) - Bugzilla Bug #1378275 - two-step externally-signed CA installation fails due to missing AuthorityID (ftweedal) - Bugzilla Bug #1378277 - Spurious host authority entries created (ftweedal) - Bugzilla Bug #1378527 - Miscellaneous Minor Changes (edewata) - Bugzilla Bug #1381084 - KRA installation failed against externally-signed CA with partial certificate chain (edewata) - Bugzilla Bug #1382066 - Problems with FIPS mode (edewata) - Bugzilla Bug #1386371 - Remove xenroll.dll from pki-core (mharmsen) - Bugzilla Bug #1386424 - Fix packaging duplicates of classes in multiple jar files (edewata) - Bugzilla Bug #1391737 - Changes to target.agent.approve.list parameter is not reflected in the TPS Web UI (RHEL 7) (edewata) - Bugzilla Bug #1392068 - [RFE] add express archivals and retrievals from KRA (vakwetu) - Bugzilla Bug #1395817 - Unable to install subordinate CA with HSM in FIPS mode (edewata) - Bugzilla Bug #1397200 - pkispawn does not change default ecc key size from nistp256 when nistp384 is specified in spawn config (jmagne) - Bugzilla Bug #1399862 - Dogtag 10.3.9 Man Pages (edewata) - Bugzilla Bug #1404881 - TPS throws "err=6" when attempting to format and enroll G&D Cards (jmagne) - Bugzilla Bug #1405654 - Token memory not wiped after key deletion (RHEL) (jmagne) - Bugzilla Bug #1409946 - Request ID undefined for CA signing certificate (vakwetu) - Bugzilla Bug #1409949 - CA Certificate Issuance Date displayed on CA website incorrect (vakwetu) - Bugzilla Bug #1410650 - [RFE] Add SCP03 support (RHEL) (jmagne) - Bugzilla Bug #1411428 - Unable to create a CA clone in FIPS (edewata) - Bugzilla Bug #1412211 - Unable to set up KRA in FIPS (edewata) - Bugzilla Bug #1412681 - update to 7.3 IPA with otpd bugfixes, tomcat will not finish start, hangs (ftweedal) - Bugzilla Bug #1413132 - pki-tomcat for 10+ minutes before generating cert (edewata) - Bugzilla Bug #1413136 - Problem with default AJP hostname in IPv6 environment. (edewata) - ############################################################################ - # RHCS 9.2: - ############################################################################ - Bugzilla Bug #1248553 - TPS Enrollment always goes to "ca1 (cfu) - Bugzilla Bug #1274086 - [RFE] Add SCP03 support (RHCS) (jmagne) - Bugzilla Bug #1274096 - [BUG] Add ability to disallow TPS to enroll a single user on multiple tokens. (jmagne) - Bugzilla Bug #1379379 - Unable to read an encrypted email using renewed tokens (jmagne) - Bugzilla Bug #1379749 - Automatic recovery of encryption cert is not working when a token is physically damaged and a temporary token is issued (jmagne) - Bugzilla Bug #1381375 - Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches (cfu) - Bugzilla Bug #1381635 - Token format with external reg fails when op.format.externalRegAddToToken.revokeCert=true (cfu) - Bugzilla Bug #1382762 - PIN_RESET policy is not giving expected results when set on a token (jmagne) - Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is not reflected in the TPS Web UI (RHCS 9) (edewata) - Bugzilla Bug #1391207 - Automatic recovery of encryption cert - CA and TPS tokendb shows different certificate status (cfu) - Bugzilla Bug #1395479 - TPS throws "err=6" when attempting to format and enroll G&D Cards (RHCS) (jmagne) - Bugzilla Bug #1404900 - Dogtag 10.3.9 logging properties (edewata) - Bugzilla Bug #1405655 - Token memory not wiped after key deletion (RHCS) (jmagne) - ############################################################################- ## RHEL 7.3.z Batch Update 4 - Bugzilla Bug #1429492 - Add profile component that copies CN to SAN (ftweedal)- ## RHCS 9.1.z Batch Update 3 - Bugzilla Bug #1391207 - Automatic recovery of encryption cert - CA and TPS tokendb shows different certificate status (cfu) - ## RHEL 7.3.z Batch Update 3 - Bugzilla Bug #1417063 - ECDSA Certificates Generated by Certificate System 8.1 fail NIST validation test with parameter field. (cfu) - Bugzilla Bug #1417064 - Unable to search certificate requests using the latest request ID (edewata) - Bugzilla Bug #1417065 - CA Certificate Issuance Date displayed on CA website incorrect (alee) - Bugzilla Bug #1417066 - update to 7.3 IPA with otpd bugfixes, tomcat will not finish start, hangs (ftweedal) - Bugzilla Bug #1417067 - pki-tomcat for 10+ minutes before generating cert (edewata) - Bugzilla Bug #1417190 - Problem with default AJP hostname in IPv6 environment. (edewata)- Separate original patches into RHEL and RHCS portions - ## RHEL 7.3.z Batch Update 2 - Bugzilla Bug #1404176 - logging properties and man pages (edewata) - Bugzilla Bug #1405328 - TPS throws "err=6" when attempting to format and enroll G&D Cards (jmagne) - ## RHCS 9.1.z Batch Update 2 - Bugzilla Bug #1395479 - TPS throws "err=6" when attempting to format and enroll G&D Cards (jmagne) - Bugzilla Bug #1404900 - RHCS logging properties (edewata)- ## RHEL 7.3.z Batch Update 2 - Bugzilla Bug #1404173 - user-cert-add --serial CLI request to secure port with remote CA shows authentication failure (edewata) - Bugzilla Bug #1404175 - pki ca-cert-request-submit fails presumably because of missing authentication even if it should not require any (edewata) - Bugzilla Bug #1404178 - Changes to target.agent.approve.list parameter is not reflected in the TPS Web UI [pki-base] (edewata) - Bugzilla Bug #1404172 - Unable to install subordinate CA with HSM in FIPS mode (edewata) - Bugzilla Bug #1403689 - pkispawn does not change default ecc key size from nistp256 when nistp384 is specified in spawn config (jmagne) - Bugzilla Bug #1404176 - logging properties and man pages (edewata) - ## RHCS 9.1.z Batch Update 2 - Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is not reflected in the TPS Web UI [pki-tps] (edewata) - Bugzilla Bug #1391207 - Automatic recovery of encryption cert - CA and TPS tokendb shows different certificate status (cfu) - Bugzilla Bug #1395479 - TPS throws "err=6" when attempting to format and enroll G&D Cards (jmagne)- Marked the following RHCS 9.1.z bug: Bugzilla Bug #1382862 - TPS token enrollment fails to setupSecureChannel when TPS and TKS security db is on fips mode. (jmagne) as a duplicate of RHEL 7.3.z bug: Bugzilla Bug #1389757 - Problems with FIPS mode (edewata) and moved the patch from the RHCS 9.1.z bug to the RHEL 7.3.z bug.- ## RHEL 7.3.z Batch Update 1 - Bugzilla Bug #1389757 - Problems with FIPS mode (edewata) (added KRA key recovery via CLI in FIPS mode) - ## RHCS 9.1.z Batch Update 1 - Reverted patches associated with Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is not reflected in the TPS Web UI (edewata)- ## RHEL 7.3.z Batch Update 1 - Bugzilla Bug #1390318 - CA EE: Submit caUserCert request without uid does not show proper error message (alee) - Bugzilla Bug #1390319 - Failed to start pki-tomcatd Service ("ipa-cacert-manage renew" failed?) (edewata) - Bugzilla Bug #1390320 - pkispawn fails as it is not able to find openssl as a dependency package (mharmsen) - Bugzilla Bug #1390321 - two-step externally-signed CA installation fails due to missing AuthorityID (ftweedal) - Bugzilla Bug #1390322 - Spurious host authority entries created (ftweedal) - Bugzilla Bug #1390324 - KRA installation failed against externally-signed CA with partial certificate chain (edewata) - Bugzilla Bug #1389757 - Problems with FIPS mode (edewata) - Bugzilla Bug #1390311 - Fix packaging duplicates of classes in multiple jar files (edewata) - Bugzilla Bug #1390325 - Typo in comment line of UserPwdDirAuthentication.java (edewata) - ## RHCS 9.1.z Batch Update 1 - Bugzilla Bug #1248553 - TPS Enrollment always goes to "ca1" (cfu) - Bugzilla Bug #1274096 - [BUG] Add ability to disallow TPS to enroll a single user on multiple tokens. (jmagne) - Bugzilla Bug #1379379 - Unable to read an encrypted email using renewed tokens (jmagne) - Bugzilla Bug #1379749 - Automatic recovery of encryption cert is not working when a token is physically damaged and a temporary token is issued (jmagne) - Bugzilla Bug #1381375 - Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches - Bugzilla Bug #1381635 - Token format with external reg fails when op.format.externalRegAddToToken.revokeCert=true (cfu) - Bugzilla Bug #1382762 - PIN_RESET policy is not giving expected results when set on a token (jmagne) - Bugzilla Bug #1382862 - TPS token enrollment fails to setupSecureChannel when TPS and TKS security db is on fips mode. (jmagne) - Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is not reflected in the TPS Web UI (edewata)- PKI TRAC Ticket #1527 - TPS Enrollment always goes to "ca1" (cfu) - PKI TRAC Ticket #1664 - [BUG] Add ability to disallow TPS to enroll a single user on multiple tokens. (jmagne) - PKI TRAC Ticket #2478 - pkispawn fails as it is not able to find openssl as a dependency package (mharmsen) - PKI TRAC Ticket #2483 - Unable to read an encrypted email using renewed tokens (jmagne) - PKI TRAC Ticket #2496 - Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches (cfu) - PKI TRAC Ticket #2505 - Fix packaging duplicates of classes in multiple jar files (edewata)- Revert Patch: PKI TRAC Ticket #2449 - Unable to create system certificates in different tokens (edewata) - Resolves: rhbz #1374054 - ipa-replica-install fails setting up certificate - Restores: rhbz #1319557 - pkispawn KRA instance is failing server - Removes from Errata: rhbz #1372041 - Unable to create system certificates in different tokens- PKI TRAC Ticket #1638 - Lightweight CAs: revoke certificate on CA deletion (ftweedal) - PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements (edewata) - PKI TRAC Ticket #2443 - Prevent deletion of host CA's keys if LWCA entry deleted (ftweedal) - PKI TRAC Ticket #2444 - Authority entry without entryUSN is skipped even if USN plugin enabled (ftweedal) - PKI TRAC Ticket #2446 - pkispawn: make subject_dn defaults unique per instance name (for shared HSM) (cfu) - PKI TRAC Ticket #2447 - CertRequestInfo has incorrect URLs (vakwetu) - PKI TRAC Ticket #2449 - Unable to create system certificates in different tokens (edewata)- PKI TRAC Ticket #1578 - Authentication Instance Id PinDirEnrollment with authType value as SslclientAuth is not working (jmagne) - PKI TRAC TIcket #2414 - pki pkcs12-cert-del shows a successfully deleted message when a wrong nickname is provided (gkapoor) - PKI TRAC Ticket #2423 - pki_ca_signing_token when not specified does not fallback to pki_token_name value (edewata) - PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements (akasurde) - ticket remains open - PKI TRAC Ticket #2439 - Outdated deployment descriptors in upgraded server(edewata)- PKI TRAC Ticket #690 - [MAN] pki-tools man pages (mharmsen) - CMCEnroll - PKI TRAC Ticket #833 - pki user-mod fullName="" gives an error message "PKIException: LDAP error (21): error result" (edewata) - PKI TRAC Ticket #2431 - Errors noticed during ipa server upgrade. (cheimes, edewata, mharmsen) - PKI TRAC Ticket #2432 - Kra-selftest behavior is not as expected (edewata) - PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements (edewata, mharmsen) - PKI TRAC Ticket #2437 - TPS UI: while adding certs for users from TPSUI pem format with/without header works while pkcs7 with header is not allowed (edewata) - PKI TRAC Ticket #2440 - Optional CA signing CSR for migration (edewata)- Bugzilla Bug #1366465 - Errata TPS upgrade test fails- PKI TRAC Ticket #978 - TPS connector man page: add revocation routing info (cfu) - PKI TRAC Ticket #1285 - [MAN] Apply 'generateCRMFRequest() removed from Firefox' workarounds to appropriate 'pki' man page (jmagne) - PKI TRAC Ticket #2246 - [MAN] Man Page: AuditVerify (cfu) - PKI TRAC Ticket #2381 - Throws exception while providing invalid module. (edewata) - PKI TRAC Ticket #2383 - CLI :: pki client-cert-request --extractable should accept only boolean value (edewata) - PKI TRAC Ticket #2389 - Installation: subsystem certs could have notAfter beyond CA signing cert in case of external or existing CA (cfu) - PKI TRAC Ticket #2399 - Dogtag 10.3.5: Miscellaneous Enhancements (akasurde, alee, cheimes, edewata, jmagne, mharmsen) - PKI TRAC Ticket #2401 - pkispawn calls dnsdomainname even if it does not rpm-require hostname (mharmsen) - PKI TRAC Ticket #2402 - Conflict in file ownership in pki-base and pki-server (cheimes) - PKI TRAC Ticket #2403 - Deployment problem with RESTEasy 3.0.17 (edewata) - PKI TRAC Ticket #2406 - Make starting CRL Number configurable (jmagne) - PKI TRAC Ticket #2412 - pki client-cert-import --trust option does not apply the specified trust bits (alee) - PKI TRAC Ticket #2418 - [TPS] Some template substitution didn't happen during installation (alee) - PKI TRAC Ticket #2420 - CA subsystem OSCP responder fails when LWCAs are not used (ftweedal) - PKI TRAC Ticket #2421 - Incorrect SELinux contexts Installation/Configuration (edewata) - PKI TRAC Ticket #2424 - ipa-ca-install fails on replica when IPA server is converted from CA-less to CA-full (edewata) - PKI TRAC Ticket #2428 - broken request links for CA's system certs in agent request viewing (cfu) - PKI TRAC Ticket #2430 - CA Agent certificate list is not sorted by serial number in migration case (jmagne) - PKI TRAC Ticket #2431 - Errors noticed during ipa server upgrade. (mharmsen) - PKI TRAC Ticket #2433 - Lightweight CA GET /chain returns bogus PEM data (ftweedal)- PKI TRAC Ticket #691 - [MAN] pki-server man pages (mharmsen) - PKI TRAC Ticket #1114 - [MAN] Generting Symmetric key fails with key-generate when --usages verify is passed (jmagne) - PKI TRAC Ticket #1306 - [RFE] Add granularity to token termination in TPS (cfu) - PKI TRAC Ticket #1308 - [RFE] Provide ability to perform off-card key generation for non-encryption token keys (cfu) - PKI TRAC Ticket #1405 - [MAN] Add additional HSM details to 'pki_default.cfg' & 'pkispawn' man pages (mharmsen) - PKI TRAC Ticket #1607 - [MAN] man pkispawn has inadequate description for shared vs non shared tomcat instance installation (mharmsen) - PKI TRAC Ticket #1664 - [BUG] Add ability to disallow TPS to enroll a single user on multiple tokens. (jmagne) - PKI TRAC Ticket #1711 - CLI :: pki-server ca-cert-request-find throws IOError (edewata, ftweedal) - PKI TRAC Ticket #2285 - freeipa fails to start correctly after pki-core update on upgraded system (ftweedal) - PKI TRAC Ticket #2311 - When pki_token_name=Internal, consider normalizing it to "internal" (mharmsen) - PKI TRAC Ticket #2349 - Separated TPS does not automatically receive shared secret from remote TKS (jmagne) - PKI TRAC Ticket #2364 - CLI :: pki-server ca-cert-request-show throws attribute error (ftweedal) - PKI TRAC Ticket #2368 - pki-server subsystem subcommands throws error with --help option (edewata) - PKI TRAC Ticket #2374 - KRA cloning overwrites CA signing certificate trust flags (edewata) - PKI TRAC Ticket #2380 - Pki-server instance commands throws exception while specifying invalid parameters. (edewata) - PKI TRAC Ticket #2384 - CA installation with HSM prompts for HSM password during silent installation (edewata) - PKI TRAC Ticket #2385 - Upgraded CA lacks ca.sslserver.certreq in CS.cfg (ftweedal) - PKI TRAC Ticket #2387 - Add config for default OCSP URI if none given (ftweedal) - PKI TRAC Ticket #2388 - CA creation responds 500 if certificate issuance fails (ftweedal) - PKI TRAC Ticket #2389 - Installation: subsystem certs could have notAfter beyond CA signing cert in case of external or existing CA (cfu) - PKI TRAC Ticket #2390 - Dogtag 10.3.4: Miscellaneous Enhancements (akasurde, edewata)- PKI TRAC Ticket #2373 - Fedora 25: RestEasy 3.0.6 ==> 3.0.17 breaks pki-core (ftweedal)- Updated release number to 10.3.3-1- Updated version number to 10.3.3-0.1- Provided cleaner runtime dependency separation- Updated tomcatjss version dependencies- Updated 'java', 'java-headless', and 'java-devel' dependencies to 1:1.8.0.- Updated tomcat version dependencies- Updated version number to 10.3.2-1- Updated version number to 10.3.2-0.1- Updated version number to 10.3.1-1 (to allow upgrade from 10.3.0.b1)- Updated version number to 10.3.0-1- Build for F24 beta- PKI TRAC Ticket #2255 - PKCS #12 backup does not contain trust attributes.- Updated build for F24 alpha- PKI TRAC Ticket #1625 - Allow multiple ACLs of same name (union of rules) [ftweedal] - PKI TRAC Ticket #2237 - Add CRL dist points extension to OIDMap unconditionally [edewata] - PKI TRAC Ticket #1803 - Removed unnecessary URL encoding for admin cert request. [edewata] - PKI TRAC Ticket #1742 - Added support for cloning 3rd-party CA certificates. [edewata] - PKI TRAC Ticket #1482 - Added TPS token filter dialog. [edewata] - PKI TRAC Ticket #1808 - Fixed illegal token state transition via TEMP_LOST. [edewata]- Build for F24 alpha- PKI Trac Ticket #1399 - Move java components out of pki-base- PKI TRAC Ticket #1850 - Rename DRMTool --> KRATool- PKI TRAC Ticket #1714 - mod_revocator and mod_nss dependency for tps should be removed- PKI TRAC Ticket #1623 - Runtime dependency on python-nss is missing- Updated version number to 10.3.0-0.1- Added dep on tomcat-servlet-3.1-api [Fedora 23 and later] or dep on tomcat-servlet-3.0-api [Fedora 22 and later] to pki-tools - Updated dep on tomcatjss [Fedora 23 and later]- Updated dep on policycoreutils-python-utils [Fedora 23 and later]- Updated version number to 10.2.7-0.1- Update release number for release build- Remove setup directory and remaining Perl dependencies- Remove ExcludeArch directive- Updated version number to 10.2.6-0.1- Update release number for release build- Resolves rhbz #1230970 - Errata TPS tests for rpm verification failed- Updated version number to 10.2.5-0.1- Update release number for release build- Updated nuxwdog and tomcatjss requirements (alee)- Updated version number to 10.2.4-0.1 - Added nuxwdog systemd files- Update release number for release build- Reverted version number back to 10.2.3-0.1 - Added support for Tomcat 8.- Updated version number to 10.3.0-0.1- Updated version number to 10.2.3-0.1- Update release number for release build- Updated version number to 10.2.2-0.1 - Moved web application deployment locations. - Updated Resteasy and Jackson dependencies. - Added missing python-lxml build dependency.- Update release number for release build- PKI TRAC Ticket #1187 - mod_perl should be removed from requirements for 10.2 - PKI TRAC Ticket #1205 - Outdated selinux-policy dependency. - Removed perl(XML::LibXML), perl-Crypt-SSLeay, and perl-Mozilla-LDAP runtime dependencies- Change resteasy dependencies for F22+- Ticket 1198 Bugzilla 1158410 add TLS range support to server.xml by default and upgrade (cfu) - PKI Trac Ticket #1211 - New release overwrites old source tarball (mharmsen) - up the release number to 0.2- Updated version number to 10.2.1-0.1. - Added CLIs to simplify generating user certificates - Added enhancements to KRA Python API - Added a man page for pki ca-profile commands. - Added python api docs- Disable pylint dependency for RHEL builds - Added jakarta-commons-httpclient requirements - Added tomcat version for RHEL build - Added resteasy-base-client for RHEL build- PKI TRAC Ticket #1130 - Add RHEL/CentOS conditionals to spec- Update release number for release build- PKI TRAC Ticket #1017 - Rename pki-tps-tomcat to pki-tps- Merged jmagne@redhat.com's spec file changes from the stand-alone 'pki-tps-client' package needed to build/run the native 'tpsclient' command line utility into this 'pki-core' spec file under the 'tps' package. - Original tps libararies must be built to support this native utility. - Modifies tps package from 'noarch' into 'architecture-specific' package- PKI TRAC Ticket #1127 - Remove 'pki-ra', 'pki-setup', and 'pki-silent' packages . . .- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild- Respin to include the applet files with the rpm install. No change to spec file needed.- Bugzilla Bug #1120045 - pki-core: Switch to java-headless (build)requires -- drop dependency on java-atk-wrapper - Removed 'java-atk-wrapper' dependency from 'pki-server'- PKI TRAC Ticket #832 - Remove legacy 'systemctl' files . . .- Update rawhide build- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild- Use Requires: java-headless rebuild (#1067528)- Added option to build without server packages. - Replaced Jettison with Jackson. - Added python-nss build requirement - Bugzilla Bug #1057959 - pkispawn requires policycoreutils-python - TRAC Ticket #840 - pkispawn requires policycoreutils-python - Updated requirements for resteasy - Added template files for archive, retrieve and generate key requests to the client package.- Trac Ticket 788 - Clean up spec files - Update release number for release build - Updated requirements for resteasy- Change release number for beta build- Updated requirements for tomcat- Removed additional /var/run, /var/lock references.- Removed delivery of /var/lock and /var/run directories for fedora 20.- Moved Tomcat-based TPS into pki-core.- Listed new packages required during build, due to issues reported by pylint. - Packages added: python-requests, python-ldap, libselinux-python, policycoreutils-python- Added pylint scan to the build process.- Added man pages for upgrade tools.- Cleaned up the code to install man pages.- Reorganized deployment tools.- Bugzilla Bug 973224 - resteasy-base must be split into subpackages to simplify dependencies- Updated dependencies to Java 1.7.- TRAC Ticket 606 - add restart / start at boot info to pkispawn man page - TRAC Ticket 610 - Document limitation in using GUI install - TRAC Ticket 629 - Package ownership of '/usr/share/pki/etc/' directory- Change release number for 10.1 development- Fixed incorrect JNI_JAR_DIR.- TRAC Ticket 605 Junit internal function used in TestRunner, breaks F19 build- TRAC Ticket 604 Added fallback methods for pkispawn tests- Added default pki.conf in /usr/share/pki/etc - Create upgrade tracker on install and remove it on uninstall- Change release number for official release.- Added %pretrans script for f19 - Added java-atk-wrapper dependency- Added pki-server-upgrade script and pki.server module. - Call upgrade scripts in %post for pki-base and pki-server.- Added dependency on commons-io.- Add /var/log/pki and /var/lib/pki directories- Run pki-upgrade on post server installation.- Added dependency on python-lxml.- Added pki-upgrade script.- Updated version number to 10.0.2-0.1.- Renamed base/deploy to base/server. - Moved pki.conf into pki-base. - Removed redundant pki/server folder declaration.- Removed jython dependency- Added minimum python-requests version.- Bugzilla Bug #919476 - pkispawn crashes due to dangling symlink to jss4.jar- Added dependency on python-requests. - Reorganized Python module packaging.- Added dependency on python-ldap.- TRAC Ticket #517 - Clean up theme dependencies - TRAC Ticket #518 - Remove UI dependencies from pkispawn . . .- Removed runtime dependency on 'pki-server-theme' to resolve Bugzilla Bug #916134 - unresolved dependency in pki-server: pki-server-theme- TRAC Ticket 214 - Missing error description for duplicate user - TRAC Ticket 213 - Add nonces for cert revocation - TRAC Ticket 367 - pkidestroy does not remove connector - TRAC Ticket #430 - License for 3rd party code - Bugzilla Bug 839426 - [RFE] ECC CRL support for OCSP - Fix spec file to allow f17 to work with latest tomcatjss - TRAC Ticket 466 - Increase root CA validity to 20 years - TRAC Ticket 469 - Fix tomcatjss issue in spec files - TRAC Ticket 468 - pkispawn throws exception - TRAC Ticket 191 - Mapping HTTP Exceptions to HTTP error codes - TRAC Ticket 271 - Dogtag 10: Fix 'status' command in 'pkidaemon' . . . - TRAC Ticket 437 - Make admin cert p12 file location configurable - TRAC Ticket 393 - pkispawn fails when selinux is disabled - Punctuation and formatting changes in man pages - Revert to using default config file for pkidestroy - Hardcode setting of resteasy-lib for instance - TRAC Ticket 436 - Interpolation for pki_subsystem - TRAC Ticket 433 - Interpolation for paths - TRAC Ticket 435 - Identical instance id and instance name - TRAC Ticket 406 - Replace file dependencies with package dependencies- TRAC Ticket #430 - License for 3rd party code- TRAC Ticket #469 - Dogtag 10: Fix tomcatjss issue in pki-core.spec and dogtag-pki.spec . . . - TRAC Ticket #468 - pkispawn throws exception- Replaced file dependencies with package dependencies- Updated man pages- Update to official release for rc1- TRAC Ticket #315 - Man pages for pkispawn/pkidestroy. - Added place-holders for 'pki.1' and 'pki_default.cfg.5' man pages.- Added system-wide configuration /etc/pki/pki.conf. - Removed redundant lines in %files.- Moved default deployment configuration to /etc/pki.- Cleaned up spec file to provide only support rhel 7+, f17+ - Added resteasy-base dependency for rhel 7 - Update cmake version- Update release to b3- Removed dependency on CA, KRA, OCSP, TKS theme packages.- Renamed pki-common-theme to pki-server-theme.- TRAC Ticket #395 - Dogtag 10: Add a Tomcat 7 runtime requirement to 'pki-server'- Update release to b2- TRAC Ticket #350 - Dogtag 10: Remove version numbers from PKI jar files . . .- Added Obsoletes for pki-selinux- Remove build of pki-selinux for f18, use system policy instead- Update required tomcatjss version - Added net-tools dependency- Update selinux-policy version to fix error from latest policy changes- Fix typo in selinux policy versions- Added build requires for correct version of selinux-policy-devel- Update release to b1- Merged pki-silent into pki-server.- Renamed "shared" folder to "server".- Added required selinux versions for new policy.- Added Provides to packages replacing obsolete packages.- Update release to a2- Modified CMake to use RPM version number- Added VERSION file- Merged pki-setup into pki-server- Added Conflicts for IPA 2.X - Added build requires for zip to work around mock problem- TRAC Ticket #312 - Dogtag 10: Automatically restart any running instances upon RPM "update" . . . - TRAC Ticket #317 - Dogtag 10: Move "pkispawn"/"pkidestroy" from /usr/bin to /usr/sbin . . .- Fixed pki-server to include everything in shared dir.- Added build dependency on redhat-rpm-config.- Merged Javadoc packages.- Added pki-tomcat.jar.- Moved webapp creation code into pkispawn.- Split pki-client.jar into pki-certsrv.jar and pki-tools.jar.- Merged pki-native-tools and pki-java-tools into pki-tools. - Modified pki-server to depend on pki-tools.- Split pki-common into pki-base and pki-server. - Merged pki-util into pki-base. - Merged pki-deploy into pki-server.- Updated release of 'tomcatjss' to rely on Tomcat 7 for Fedora 17 - Changed Dogtag 10 build-time and runtime requirements for 'pki-deploy' - Altered PKI Package Dependency Chain (top-to-bottom): pki-ca, pki-kra, pki-ocsp, pki-tks --> pki-deploy --> pki-common- Added pki-client.jar.- Merged pki-jndi-realm.jar into pki-cmscore.jar.- PKI TRAC Task #254 - Dogtag 10: Fix spec file to build successfully via mock on Fedora 17 . . .- Moved 'pki-jndi-real.jar' link from 'tomcat6' to 'tomcat' (Tomcat 7)- Updated release of 'tomcatjss' to rely on Tomcat 7 for Fedora 18- Added CLI for REST services- Integration of Tomcat 7 - Addition of centralized 'pki-tomcatd' systemd functionality to the PKI Deployment strategy - Removal of 'pki_flavor' attribute- BZ 813075 - selinux denial for file size access- Bug 745278 - [RFE] ECC encryption keys cannot be archived- Replaced candlepin-deps with resteasy- Added option to build without Javadoc- BZ 802396 - Change location of TOMCAT_LOG to match tomcat6 changes - Corrected patch selected for selinux f17 rules- Corrected 'junit' dependency check- Initial attempt at PKI deployment framework described in 'http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment'.- Added support for pki-jndi-realm in tomcat6 in pki-common and pki-kra. - Ticket #69.- For 'mock' purposes, removed platform-specific logic from around the 'patch' files so that ALL 'patch' files will be included in the SRPM.- Removed dependency on OSUtil.- 'pki-selinux' - Added platform-dependent patches for SELinux component - Bugzilla Bug #739708 - Selinux fix for ephemeral ports (F16) - Bugzilla Bug #795966 - pki-selinux policy is kind of a mess (F17)- Added dependency on Apache Commons Codec.- Add '-DSYSTEMD_LIB_INSTALL_DIR' override flag to 'cmake' to address changes in fundamental path structure in Fedora 17 - 'pki-setup' - Hard-code Perl dependencies to protect against bugs such as Bugzilla Bug #772699 - Adapt perl and python fileattrs to changed file 5.10 magics - 'pki-selinux' - Bugzilla Bug #795966 - pki-selinux policy is kind of a mess- Integrated 'pki-kra' into 'pki-core' - Integrated 'pki-ocsp' into 'pki-core' - Integrated 'pki-tks' into 'pki-core' - Bugzilla Bug #788787 - added 'junit'/'junit4' build-time requirements- Updated package version number- Added resteasy-jettison-provider-2.3-RC1.jar to pki-setup- Added JUnit tests- 'pki-setup' - 'pki-symkey' - 'pki-native-tools' - 'pki-util' - Bugzilla Bug #737122 - DRM: during archiving and recovering, wrapping unwrapping keys should be done in the token (cfu) - 'pki-java-tools' - 'pki-common' - Bugzilla Bug #744797 - KRA key recovery (retrieve pkcs#12) fails after the in-place upgrade( CS 8.0->8.1) (cfu) - 'pki-selinux' - 'pki-ca' - Bugzilla Bug #746367 - Typo in the profile name. (jmagne) - Bugzilla Bug #737122 - DRM: during archiving and recovering, wrapping unwrapping keys should be done in the token (cfu) - Bugzilla Bug #749927 - Java class conflicts using Java 7 in Fedora 17 (rawhide) . . . (mharmsen) - Bugzilla Bug #749945 - Installation error reported during CA, DRM, OCSP, and TKS package installation . . . (mharmsen) - 'pki-silent'- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . (mharmsen) - Bugzilla Bug #699809 - Convert CS to use systemd (alee) - 'pki-setup' - Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS mode (cfu) - Bugzilla Bug #737192 - Need script to upgrade proxy configuration (alee) - 'pki-symkey' - Bugzilla Bug #730162 - TPS/TKS token enrollment failure in FIPS mode (hsm+NSS). (jmagne) - 'pki-native-tools' - Bugzilla Bug #730801 - Coverity issues in native-tools area (awnuk) - Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS mode (cfu) - 'pki-util' - Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS mode (cfu) - 'pki-java-tools' - 'pki-common' - Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS mode (cfu) - Bugzilla Bug #737218 - Incorrect request attribute name matching ignores request attributes during request parsing. (awnuk) - Bugzilla Bug #730162 - TPS/TKS token enrollment failure in FIPS mode (hsm+NSS). (jmagne) - 'pki-selinux' - Bugzilla Bug #739708 - pki-selinux lacks rules in F16 (alee) - 'pki-ca' - Bugzilla Bug #712931 - CS requires too many ports to be open in the FW (alee) - Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS mode (cfu) - 'pki-silent' - Bugzilla Bug #739201 - pkisilent does not take arch into account as Java packages migrated to arch-dependent directories (mharmsen)- 'pki-setup' - Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . - 'pki-symkey' - Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . - 'pki-native-tools' - 'pki-util' - Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . - 'pki-java-tools' - Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . - 'pki-common' - Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . - 'pki-selinux' - 'pki-ca' - Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . - Bugzilla Bug #699809 - Convert CS to use systemd (alee) - 'pki-silent' - Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .- 'pki-setup' - Bugzilla Bug #699809 - Convert CS to use systemd (alee) - 'pki-ca' - Bugzilla Bug #699809 - Convert CS to use systemd (alee) - 'pki-common' - Bugzilla Bug #699809 - Convert CS to use systemd (alee)- 'pki-setup' - Bugzilla Bug #712931 - CS requires too many ports to be open in the FW (alee) - 'pki-symkey' - 'pki-native-tools' - Bugzilla Bug #717643 - Fopen without NULL check and other Coverity issues (awnuk) - Bugzilla Bug #730801 - Coverity issues in native-tools area (awnuk) - 'pki-util' - 'pki-java-tools' - 'pki-common' - Bugzilla Bug #700522 - pki tomcat6 instances currently running unconfined, allow server to come up when selinux disabled (alee) - Bugzilla Bug #731741 - some CS.cfg nickname parameters not updated correctly when subsystem cloned (using hsm) (alee) - Bugzilla Bug #712931 - CS requires too many ports to be open in the FW (alee) - 'pki-selinux' - Bugzilla Bug #712931 - CS requires too many ports to be open in the FW (alee) - 'pki-ca' - Bugzilla Bug #712931 - CS requires too many ports to be open in the FW (alee) - 'pki-silent'- 'pki-setup' - Bugzilla Bug #689909 - Dogtag installation under IPA takes too much time - remove the inefficient sleeps (alee) - 'pki-symkey' - 'pki-native-tools' - 'pki-util' - 'pki-java-tools' - Bugzilla Bug #724861 - DRMTool: fix duplicate "dn:" records by renumbering "cn=" (mharmsen) - 'pki-common' - Bugzilla Bug #717041 - Improve escaping of some enrollment inputs like (jmagne, awnuk) - Bugzilla Bug #689909 - Dogtag installation under IPA takes too much time - remove the inefficient sleeps (alee) - Bugzilla Bug #708075 - Clone installation does not work over NAT (alee) - Bugzilla Bug #726785 - If replication fails while setting up a clone it will wait forever (alee) - Bugzilla Bug #728332 - xml output has changed on cert requests (awnuk) - Bugzilla Bug #700505 - pki tomcat6 instances currently running unconfined (alee) - 'pki-selinux' - Bugzilla Bug #700505 - pki tomcat6 instances currently running unconfined (alee) - 'pki-ca' - Bugzilla Bug #728605 - RFE: increase default validity from 6mo to 2yrs in IPA profile (awnuk) - 'pki-silent' - Bugzilla Bug #689909 - Dogtag installation under IPA takes too much time - remove the inefficient sleeps (alee)- 'pki-setup' - 'pki-symkey' - 'pki-native-tools' - 'pki-util' - Bugzilla Bug #719007 - Key Constraint keyParameter being ignored using an ECC CA to generate ECC certs from CRMF. (jmagne) - Bugzilla Bug #716307 - rhcs80 - DER shall not include an encoding for any component value which is equal to its default value (alee) - 'pki-java-tools' - 'pki-common' - Bugzilla Bug #720510 - Console: Adding a certificate into nethsm throws Token not found error. (jmagne) - Bugzilla Bug #719007 - Key Constraint keyParameter being ignored using an ECC CA to generate ECC certs from CRMF. (jmagne) - Bugzilla Bug #716307 - rhcs80 - DER shall not include an encoding for any component value which is equal to its default value (alee) - Bugzilla Bug #722989 - Registering an agent when a subsystem is created - does not log AUTHZ_SUCCESS event. (alee) - 'pki-selinux' - 'pki-ca' - Bugzilla Bug #719113 - Add client usage flag to caIPAserviceCert (awnuk) - 'pki-silent'- Updated release of 'jss' - Updated release of 'tomcatjss' for Fedora 15 - 'pki-setup' - Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen) - Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser (jdennis) - Bugzilla Bug #694569 - parameter used by pkiremove not updated (alee) - Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) - 'pki-symkey' - Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen) - Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) - 'pki-native-tools' - Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen) - Bugzilla Bug #717765 - TPS configuration: logging into security domain from tps does not work with clientauth=want. (alee) - Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) - 'pki-util' - Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen) - Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) - 'pki-java-tools' - Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen) - Bugzilla Bug #532548 - Tool to do DRM re-key (mharmsen) - Bugzilla Bug #532548 - Tool to do DRM re-key (config file and record processing) (mharmsen) - Bugzilla Bug #532548 - Tool to do DRM re-key (tweaks) (mharmsen) - Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) - 'pki-common' - Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen) - Bugzilla Bug #695403 - Editing signedaudit or transaction, system logs throws 'Invalid protocol' for OCSP subsystems (alee) - Bugzilla Bug #694569 - parameter used by pkiremove not updated (alee) - Bugzilla Bug #695015 - Serial No. of a revoked certificate is not populated in the CA signedAudit messages (alee) - Bugzilla Bug #694143 - CA Agent not returning specified request (awnuk) - Bugzilla Bug #695015 - Serial No. of a revoked certificate is not populated in the CA signedAudit messages (jmagne) - Bugzilla Bug #698885 - Race conditions during IPA installation (alee) - Bugzilla Bug #704792 - CC_LAB_EVAL: CA agent interface: SubjectID=$Unidentified$ fails audit evaluation (jmagne) - Bugzilla Bug #705914 - SCEP mishandles nicknames when processing subsequent SCEP requests. (awnuk) - Bugzilla Bug #661142 - Verification should fail when a revoked certificate is added. (jmagne) - Bugzilla Bug #707416 - CC_LAB_EVAL: Security Domain: missing audit msgs for modify/add (alee) - Bugzilla Bug #707416 - additional audit messages for GetCookie (alee) - Bugzilla Bug #707607 - Published certificate summary has list of non-published certificates with succeeded status (jmagne) - Bugzilla Bug #717813 - EV_AUDIT_LOG_SHUTDOWN audit log not generated for tps and ca on server shutdown (jmagne) - Bugzilla Bug #697939 - DRM signed audit log message - operation should be read instead of modify (jmagne) - Bugzilla Bug #718427 - When audit log is full, server continue to function. (alee) - Bugzilla Bug #718607 - CC_LAB_EVAL: No AUTH message is generated in CA's signedaudit log when a directory based user enrollment is performed (jmagne) - Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) - 'pki-selinux' - Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen) - Bugzilla Bug #720503 - RA and TPS require additional SELinux permissions to run in "Enforcing" mode (alee) - Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) - 'pki-ca' - Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen) - Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser (jdennis) - Bugzilla Bug #699837 - service command is not fully backwards compatible with Dogtag pki subsystems (mharmsen) - Bugzilla Bug #649910 - Console: an auditor or agent can be added to an administrator group. (jmagne) - Bugzilla Bug #707416 - CC_LAB_EVAL: Security Domain: missing audit msgs for modify/add (alee) - Bugzilla Bug #716269 - make ra authenticated profiles non-visible on ee pages (alee) - Bugzilla Bug #718621 - CC_LAB_EVAL: PRIVATE_KEY_ARCHIVE_REQUEST occurs for a revocation invoked by EE user (awnuk) - Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) - 'pki-silent' - Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen) - Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)- 'pki-setup' - 'pki-symkey' - 'pki-native-tools' - 'pki-util' - 'pki-java-tools' - Added 'DRMTool.cfg' configuration file to inventory - 'pki-common' - 'pki-selinux' - 'pki-ca' - 'pki-silent'- 'pki-setup' - 'pki-symkey' - 'pki-native-tools' - 'pki-util' - 'pki-java-tools' - Bugzilla Bug #532548 - Tool to do DRM re-key - 'pki-common' - 'pki-selinux' - 'pki-ca' - 'pki-silent'- 'pki-setup' - Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser - Bugzilla Bug #694569 - parameter used by pkiremove not updated - 'pki-symkey' - 'pki-native-tools' - 'pki-util' - 'pki-java-tools' - 'pki-common' - Bugzilla Bug #695403 - Editing signedaudit or transaction, system logs throws 'Invalid protocol' for OCSP subsystems - Bugzilla Bug #694569 - parameter used by pkiremove not updated - Bugzilla Bug #695015 - Serial No. of a revoked certificate is not populated in the CA signedAudit messages - Bugzilla Bug #694143 - CA Agent not returning specified request - Bugzilla Bug #695015 - Serial No. of a revoked certificate is not populated in the CA signedAudit messages - Bugzilla Bug #698885 - Race conditions during IPA installation - 'pki-selinux' - 'pki-ca' - Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser - Bugzilla Bug #699837 - service command is not fully backwards compatible with Dogtag pki subsystems - 'pki-silent'- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error.- Bugzilla Bug #690950 - Update Dogtag Packages for Fedora 15 (beta) - Bugzilla Bug #693327 - Missing requires: tomcatjss - 'pki-setup' - Bugzilla Bug #690626 - pkiremove removes the registry entry for all instances on a machine - 'pki-symkey' - 'pki-native-tools' - 'pki-util' - 'pki-java-tools' - Bugzilla Bug #689453 - CRMFPopClient request to CA's unsecure port throws file not found exception. - 'pki-common' - Bugzilla Bug #692990 - Audit log messages needed to match CC doc: DRM Recovery audit log messages - 'pki-selinux' - 'pki-ca' - 'pki-silent'- Bugzilla Bug #693327 - Missing requires: tomcatjss- Bugzilla Bug #690950 - Update Dogtag Packages for Fedora 15 (beta) - Require "jss >= 4.2.6-15" as a build and runtime requirement - Require "tomcatjss >= 2.1.1" as a build and runtime requirement for Fedora 15 and later platforms - 'pki-setup' - Bugzilla Bug #688287 - Add "deprecation" notice regarding using "shared ports" in pkicreate -help . . . - Bugzilla Bug #688251 - Dogtag installation under IPA takes too much time - SELinux policy compilation - 'pki-symkey' - 'pki-native-tools' - 'pki-util' - 'pki-java-tools' - Bugzilla Bug #689501 - ExtJoiner tool fails to join the multiple extensions - 'pki-common' - Bugzilla Bug #683581 - CA configuration with ECC(Default EC curve-nistp521) CA fails with 'signing operation failed' - Bugzilla Bug #689662 - ocsp publishing needs to be re-enabled on the EE port - 'pki-selinux' - Bugzilla Bug #684871 - ldaps selinux link change - 'pki-ca' - Bugzilla Bug #683581 - CA configuration with ECC(Default EC curve-nistp521) CA fails with 'signing operation failed' - Bugzilla Bug #684381 - CS.cfg specifies incorrect type of comments - Bugzilla Bug #689453 - CRMFPopClient request to CA's unsecure port throws file not found exception.(profile and CS.cfg only) - 'pki-silent'- Bugzilla Bug #688763 - Rebase updated Dogtag Packages for Fedora 15 (alpha) - Bugzilla Bug #676182 - IPA installation failing - Fails to create CA instance - Bugzilla Bug #675742 - Profile caIPAserviceCert Not Found - 'pki-setup' - Bugzilla Bug #678157 - uninitialized variable warnings from Perl - Bugzilla Bug #679574 - Velocity fails to load all dependent classes - Bugzilla Bug #680420 - xml-commons-apis.jar dependency - Bugzilla Bug #682013 - pkisilent needs xml-commons-apis.jar in it's classpath - Bugzilla Bug #673508 - CS8 64 bit pkicreate script uses wrong library name for SafeNet LunaSA - 'pki-common' - Bugzilla Bug #673638 - Installation within IPA hangs - Bugzilla Bug #678715 - netstat loop fixes needed - Bugzilla Bug #673609 - CC: authorize() call needs to be added to getStats servlet - 'pki-selinux' - Bugzilla Bug #674195: SELinux error message thrown during token enrollment - 'pki-ca' - Bugzilla Bug #673638 - Installation within IPA hangs - Bugzilla Bug #673609 - CC: authorize() call needs to be added to getStats servlet - Bugzilla Bug #676330 - init script cannot start service - 'pki-silent' - Bugzilla Bug #682013 - pkisilent needs xml-commons-apis.jar in it's classpath- 'pki-common' - Bugzilla Bug #676051 - IPA installation failing - Fails to create CA instance - Bugzilla Bug #676182 - IPA installation failing - Fails to create CA instance- 'pki-common' - Bugzilla Bug #674894 - ipactl restart : an annoy output line - Bugzilla Bug #675179 - ipactl restart : an annoy output line- Bugzilla Bug #673233 - Rebase pki-core to pick the latest features and fixes - 'pki-setup' - Bugzilla Bug #673638 - Installation within IPA hangs - 'pki-symkey' - 'pki-native-tools' - 'pki-util' - 'pki-java-tools' - Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided by 'netscape.security.provider' package - 'pki-common' - Bugzilla Bug #672291 - CA is not publishing certificates issued using "Manual User Dual-Use Certificate Enrollment" - Bugzilla Bug #670337 - CA Clone configuration throws TCP connection error. - Bugzilla Bug #504056 - Completed SCEP requests are assigned to the "begin" state instead of "complete". - Bugzilla Bug #504055 - SCEP requests are not properly populated - Bugzilla Bug #564207 - Searches for completed requests in the agent interface returns zero entries - Bugzilla Bug #672291 - CA is not publishing certificates issued using "Manual User Dual-Use Certificate Enrollment" - - Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided by 'netscape.security.provider' package - Bugzilla Bug #672920 - CA console: adding policy to a profile throws 'Duplicate policy' error in some cases. - Bugzilla Bug #673199 - init script returns control before web apps have started - Bugzilla Bug #674917 - Restore identification of Tomcat-based PKI subsystem instances - 'pki-selinux' - 'pki-ca' - Bugzilla Bug #504013 - sscep request is rejected due to authentication error if submitted through one time pin router certificate enrollment. - Bugzilla Bug #672111 - CC doc: certServer.usrgrp.administration missing information - Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml as part of CC interface review - Bugzilla Bug #672333 - Creation of RA agent fails in IPA installation - Bugzilla Bug #674917 - Restore identification of Tomcat-based PKI subsystem instances - 'pki-silent' - Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided by 'netscape.security.provider' package- Bugzilla Bug #656661 - Please Update Spec File to use 'ghost' on files in /var/run and /var/lock- 'pki-symkey' - Bugzilla Bug #671265 - pki-symkey jar version incorrect - 'pki-common' - Bugzilla Bug #564207 - Searches for completed requests in the agent interface returns zero entries- Allow 'pki-native-tools' to be installed independently of 'pki-setup' - Removed explicit 'pki-setup' requirement from 'pki-ca' (since it already requires 'pki-common') - 'pki-setup' - Bugzilla Bug #223343 - pkicreate: should add 'pkiuser' to nfast group - Bugzilla Bug #629377 - Selinux errors during pkicreate CA, KRA, OCSP and TKS. - Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port fowarding for agent services - Bugzilla Bug #632425 - Port to tomcat6 - Bugzilla Bug #606946 - Convert Native Tools to use ldapAPI from OpenLDAP instead of the Mozldap - Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface - Bugzilla Bug #643206 - New CMake based build system for Dogtag - Bugzilla Bug #658926 - org.apache.commons.lang class not found on F13 - Bugzilla Bug #661514 - CMAKE build system requires rules to make javadocs - Bugzilla Bug #665388 - jakarta-* jars have been renamed to apache-*, pkicreate fails Fedora 14 and above - Bugzilla Bug #23346 - Two conflicting ACL list definitions in source repository - Bugzilla Bug #656733 - Standardize jar install location and jar names - 'pki-symkey' - Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface - Bugzilla Bug #643206 - New CMake based build system for Dogtag - Bugzilla Bug #644056 - CS build contains warnings - 'pki-native-tools' - template change - Bugzilla Bug #606946 - Convert Native Tools to use ldapAPI from OpenLDAP instead of the Mozldap - Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface - Bugzilla Bug #643206 - New CMake based build system for Dogtag - Bugzilla Bug #644056 - CS build contains warnings - 'pki-util' - Bugzilla Bug #615814 - rhcs80 - profile policyConstraintsCritical cannot be set to true - Bugzilla Bug #224945 - javadocs has missing descriptions, contains empty packages - Bugzilla Bug #621337 - Limit the received senderNonce value to 16 bytes. - Bugzilla Bug #621338 - Include a server randomly-generated 16 byte senderNonce in all signed SCEP responses. - Bugzilla Bug #621327 - Provide switch disabling algorithm downgrade attack in SCEP - Bugzilla Bug #621334 - Provide an option to set default hash algorithm for signing SCEP response messages. - Bugzilla Bug #635033 - At installation wizard selecting key types other than CA's signing cert will fail - Bugzilla Bug #645874 - rfe ecc - add ecc curve name support in JSS and CS interface - Bugzilla Bug #488253 - com.netscape.cmsutil.ocsp.BasicOCSPResponse ASN.1 encoding/decoding is broken - Bugzilla Bug #551410 - com.netscape.cmsutil.ocsp.TBSRequest ASN.1 encoding/decoding is incomplete - Bugzilla Bug #550331 - com.netscape.cmsutil.ocsp.ResponseData ASN.1 encoding/decoding is incomplete - Bugzilla Bug #623452 - rhcs80 pkiconsole profile policy editor limit policy extension to 5 only - Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface - Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml) - Bugzilla Bug #643206 - New CMake based build system for Dogtag - Bugzilla Bug #661514 - CMAKE build system requires rules to make javadocs - Bugzilla Bug #658188 - remove remaining references to tomcat5 - Bugzilla Bug #656733 - Standardize jar install location and jar names - Bugzilla Bug #223319 - Certificate Status inconsistency between token db and CA - Bugzilla Bug #531137 - RHCS 7.1 - Running out of Java Heap Memory During CRL Generation - 'pki-java-tools' - Bugzilla Bug #224945 - javadocs has missing descriptions, contains empty packages - Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface - Bugzilla Bug #659004 - CC: AuditVerify hardcoded with SHA-1 - Bugzilla Bug #643206 - New CMake based build system for Dogtag - Bugzilla Bug #661514 - CMAKE build system requires rules to make javadocs - Bugzilla Bug #662156 - HttpClient is hard-coded to handle only up to 5000 bytes - Bugzilla Bug #656733 - Standardize jar install location and jar names - 'pki-common' - Bugzilla Bug #583822 - CC: ACL issues from CA interface CC doc review - Bugzilla Bug #623745 - SessionTimer with LDAPSecurityDomainSessionTable started before configuration completed - Bugzilla Bug #620925 - CC: auditor needs to be able to download audit logs in the java subsystems - Bugzilla Bug #615827 - rhcs80 - profile policies need more than 5 policy mappings (seem hardcoded) - Bugzilla Bug #224945 - javadocs has missing descriptions, contains empty packages - Bugzilla Bug #548699 - subCA's admin certificate should be generated by itself - Bugzilla Bug #621322 - Provide switch disabling SCEP support in CA - Bugzilla Bug #563386 - rhcs80 ca crash on invalid inputs to profile caAgentServerCert (null cert_request) - Bugzilla Bug #621339 - SCEP one-time PIN can be used an unlimited number of times - Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml as part of CC interface review - Bugzilla Bug #629677 - TPS: token enrollment fails. - Bugzilla Bug #621350 - Unauthenticated user can decrypt a one-time PIN in a SCEP request - Bugzilla Bug #503838 - rhcs71-80 external publishing ldap connection pools not reliable - improve connections or discovery - Bugzilla Bug #629769 - password decryption logs plain text password - Bugzilla Bug #583823 - CC: Auditing issues found as result of CC - interface review - Bugzilla Bug #632425 - Port to tomcat6 - Bugzilla Bug #586700 - OCSP Server throws fatal error while using OCSP console for renewing SSL Server certificate. - Bugzilla Bug #621337 - Limit the received senderNonce value to 16 bytes. - Bugzilla Bug #621338 - Include a server randomly-generated 16 byte senderNonce in all signed SCEP responses. - Bugzilla Bug #607380 - CC: Make sure Java Console can configure all security relevant config items - Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be generated on TKS instead of TPS. - Bugzilla Bug #489342 - com.netscape.cms.servlet.common.CMCOutputTemplate.java doesn't support EC - Bugzilla Bug #630121 - OCSP responder lacking option to delete or disable a CA that it serves - Bugzilla Bug #634663 - CA CMC response default hard-coded to SHA1 - Bugzilla Bug #621327 - Provide switch disabling algorithm downgrade attack in SCEP - Bugzilla Bug #621334 - Provide an option to set default hash algorithm for signing SCEP response messages. - Bugzilla Bug #635033 - At installation wizard selecting key types other than CA's signing cert will fail - Bugzilla Bug #621341 - Add CA support for new SCEP key pair dedicated for SCEP signing and encryption. - Bugzilla Bug #223336 - ECC: unable to clone a ECC CA - Bugzilla Bug #539781 - rhcs 71 - CRLs Partitioned by Reason Code - onlySomeReasons ? - Bugzilla Bug #637330 - CC feature: Key Management - provide signature verification functions (JAVA subsystems) - Bugzilla Bug #223313 - should do random generated IV param for symmetric keys - Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port fowarding for agent services - Bugzilla Bug #630176 - Improve reliability of the LdapAnonConnFactory - Bugzilla Bug #524916 - ECC key constraints plug-ins should be based on ECC curve names (not on key sizes). - Bugzilla Bug #516632 - RHCS 7.1 - CS Incorrectly Issuing Multiple Certificates from the Same Request - Bugzilla Bug #648757 - expose and use updated cert verification function in JSS - Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection of signature algorithm; and for ECC curves - Bugzilla Bug #451874 - RFE - Java console - Certificate Wizard missing e.c. support - Bugzilla Bug #651040 - cloning shoud not include sslserver - Bugzilla Bug #542863 - RHCS8: Default cert audit nickname written to CS.cfg files imcomplete when the cert is stored on a hsm - Bugzilla Bug #360721 - New Feature: Profile Integrity Check . . . - Bugzilla Bug #651916 - kra and ocsp are using incorrect ports to talk to CA and complete configuration in DonePanel - Bugzilla Bug #642359 - CC Feature - need to verify certificate when it is added - Bugzilla Bug #653713 - CC: setting trust on a CIMC cert requires auditing - Bugzilla Bug #489385 - references to rhpki - Bugzilla Bug #499494 - change CA defaults to SHA2 - Bugzilla Bug #623452 - rhcs80 pkiconsole profile policy editor limit policy extension to 5 only - Bugzilla Bug #649910 - Console: an auditor or agent can be added to an administrator group. - Bugzilla Bug #632425 - Port to tomcat6 - Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface - Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml) - Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets as expected - Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for validity - Bugzilla Bug #643206 - New CMake based build system for Dogtag - Bugzilla Bug #659004 - CC: AuditVerify hardcoded with SHA-1 - Bugzilla Bug #661196 - ECC(with nethsm) subca configuration fails with Key Type RSA Not Matched despite using ECC key pairs for rootCA & subCA. - Bugzilla Bug #661889 - The Servlet TPSRevokeCert of the CA returns an error to TPS even if certificate in question is already revoked. - Bugzilla Bug #663546 - Disable the functionalities that are not exposed in the console - Bugzilla Bug #661514 - CMAKE build system requires rules to make javadocs - Bugzilla Bug #658188 - remove remaining references to tomcat5 - Bugzilla Bug #649343 - Publishing queue should recover from CA crash. - Bugzilla Bug #491183 - rhcs rfe - add rfc 4523 support for pkiUser and pkiCA, obsolete 2252 and 2256 - Bugzilla Bug #640710 - Current SCEP implementation does not support HSMs - Bugzilla Bug #656733 - Standardize jar install location and jar names - Bugzilla Bug #661142 - Verification should fail when a revoked certificate is added - Bugzilla Bug #642741 - CS build uses deprecated functions - Bugzilla Bug #670337 - CA Clone configuration throws TCP connection error - Bugzilla Bug #662127 - CC doc Error: SignedAuditLog expiration time interface is no longer available through console - 'pki-selinux' - Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface - Bugzilla Bug #643206 - New CMake based build system for Dogtag - Bugzilla Bug #667153 - store nuxwdog passwords in kernel ring buffer - selinux changes - 'pki-ca' - Bugzilla Bug #583822 - CC: ACL issues from CA interface CC doc review - Bugzilla Bug #620925 - CC: auditor needs to be able to download audit logs in the java subsystems - Bugzilla Bug #621322 - Provide switch disabling SCEP support in CA - Bugzilla Bug #583824 - CC: Duplicate servlet mappings found as part of CC interface doc review - Bugzilla Bug #621602 - pkiconsole: Click on 'Publishing' option with admin privilege throws error "You are not authorized to perform this operation". - Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml as part of CC interface review - Bugzilla Bug #583823 - CC: Auditing issues found as result of CC - interface review - Bugzilla Bug #519291 - Deleting a CRL Issuing Point after edits throws 'Internal Server Error'. - Bugzilla Bug #586700 - OCSP Server throws fatal error while using OCSP console for renewing SSL Server certificate. - Bugzilla Bug #621337 - Limit the received senderNonce value to 16 bytes. - Bugzilla Bug #621338 - Include a server randomly-generated 16 byte senderNonce in all signed SCEP responses. - Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be generated on TKS instead of TPS. - Bugzilla Bug #630121 - OCSP responder lacking option to delete or disable a CA that it serves - Bugzilla Bug #634663 - CA CMC response default hard-coded to SHA1 - Bugzilla Bug #621327 - Provide switch disabling algorithm downgrade attack in SCEP - Bugzilla Bug #621334 - Provide an option to set default hash algorithm for signing SCEP response messages. - Bugzilla Bug #539781 - rhcs 71 - CRLs Partitioned by Reason Code - onlySomeReasons ? - Bugzilla Bug #637330 - CC feature: Key Management - provide signature verification functions (JAVA subsystems) - Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port fowarding for agent services - Bugzilla Bug #524916 - ECC key constraints plug-ins should be based on ECC curve names (not on key sizes). - Bugzilla Bug #516632 - RHCS 7.1 - CS Incorrectly Issuing Multiple Certificates from the Same Request - Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection of signature algorithm; and for ECC curves - Bugzilla Bug #529945 - (Instructions and sample only) CS 8.0 GA release -- DRM and TKS do not seem to have CRL checking enabled - Bugzilla Bug #609641 - CC: need procedure (and possibly tools) to help correctly set up CC environment - Bugzilla Bug #509481 - RFE: support sMIMECapabilities extensions in certificates (RFC 4262) - Bugzilla Bug #651916 - kra and ocsp are using incorrect ports to talk to CA and complete configuration in DonePanel - Bugzilla Bug #511990 - rhcs 7.3, 8.0 - re-activate missing object signing support in RHCS - Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml) - Bugzilla Bug #489385 - references to rhpki - Bugzilla Bug #499494 - change CA defaults to SHA2 - Bugzilla Bug #623452 - rhcs80 pkiconsole profile policy editor limit policy extension to 5 only - Bugzilla Bug #649910 - Console: an auditor or agent can be added to an administrator group. - Bugzilla Bug #632425 - Port to tomcat6 - Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface - Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets as expected - Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for validity - Bugzilla Bug #643206 - New CMake based build system for Dogtag - Bugzilla Bug #661128 - incorrect CA ports used for revoke, unrevoke certs in TPS - Bugzilla Bug #512496 - RFE rhcs80 - crl updates and scheduling feature - Bugzilla Bug #661196 - ECC(with nethsm) subca configuration fails with Key Type RSA Not Matched despite using ECC key pairs for rootCA & subCA. - Bugzilla Bug #649343 - Publishing queue should recover from CA crash. - Bugzilla Bug #491183 - rhcs rfe - add rfc 4523 support for pkiUser and pkiCA, obsolete 2252 and 2256 - Bugzilla Bug #223346 - Two conflicting ACL list definitions in source repository - Bugzilla Bug #640710 - Current SCEP implementation does not support HSMs - Bugzilla Bug #656733 - Standardize jar install location and jar names - Bugzilla Bug #661142 - Verification should fail when a revoked certificate is added - Bugzilla Bug #668100 - DRM storage cert has OCSP signing extended key usage - Bugzilla Bug #662127 - CC doc Error: SignedAuditLog expiration time interface is no longer available through console - Bugzilla Bug #531137 - RHCS 7.1 - Running out of Java Heap Memory During CRL Generation - 'pki-silent' - Bugzilla Bug #627309 - pkisilent subca configuration fails. - Bugzilla Bug #640091 - pkisilent panels need to match with changed java subsystems - Bugzilla Bug #527322 - pkisilent ConfigureDRM should configure DRM Clone. - Bugzilla Bug #643053 - pkisilent DRM configuration fails - Bugzilla Bug #583754 - pki-silent needs an option to configure signing algorithm for CA certificates - Bugzilla Bug #489385 - references to rhpki - Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface - Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml) - Bugzilla Bug #640042 - TPS Installlation Wizard: need to move Module Panel up to before Security Domain Panel - Bugzilla Bug #643206 - New CMake based build system for Dogtag - Bugzilla Bug #588323 - Failed to enable cipher 0xc001 - Bugzilla Bug #656733 - Standardize jar install location and jar names - Bugzilla Bug #645895 - pkisilent: add ability to select ECC curves, signing algorithm - Bugzilla Bug #658641 - pkisilent doesn't not properly handle passwords with special characters - Bugzilla Bug #642741 - CS build uses deprecated functions- Bugzilla Bug #668839 - Review Request: pki-core - Removed empty "pre" from "pki-ca" - Consolidated directory ownership - Corrected file ownership within subpackages - Removed all versioning from NSS and NSPR packages- Bugzilla Bug #668839 - Review Request: pki-core - Added component versioning comments - Updated JSS from "4.2.6-10" to "4.2.6-12" - Modified installation section to preserve timestamps - Removed sectional comments- Initial revision. (kwright@redhat.com & mharmsen@redhat.com)  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijkl10.5.18-18.el7_9    pki-kra-10.5.18LICENSEpki-kra.jarkraconfCS.cfgCatalinalocalhostkra.xmlacl.ldifacl.propertiesauth-method.propertiesdb.ldifindex.ldifindextasks.ldifjk2.manifestjk2.propertiesjkconf.ant.xmljkconfig.manifestserver-minimal.xmlshm.manifesttomcat-jk2.manifesttomcat-users.xmluriworkermap.propertiesvlv.ldifvlvtasks.ldifworkers.propertiesworkers.properties.minimalworkers2.propertiesworkers2.properties.minimalsetupregistry_instancewebappsROOTWEB-INFweb.xmlindex.jspkra404.html500.htmlGenUnexpectedError.templateWEB-INFlibpki-certsrv.jarpki-cms.jarpki-cmsbundle.jarpki-cmscore.jarpki-cmsutil.jarpki-kra.jarpki-nsutil.jarvelocity.propertiesweb.xmladminconsoleagentGenError.templateGenPending.templateGenRejected.templateGenSuccess.templateGenSvcPending.templateGenUnauthorized.templateGenUnexpectedError.templatecms-funcs.jsfuncs.jsheader.templatehelpfun.jsindex.jspindex.templatekraGrantRecovery.htmlListRequests.htmlSrchKey.htmlSrchRecoverKey.htmlconfirmRecover.htmlconfirmRecoverBySerial.templatedisplayBySerial.templatedisplayBySerial2.templatedisplayBySerialForRecovery.templateexamineRecovery.templatefinishAsyncRecovery.templatefinishRecovery.templateframeGrant.htmlframeRecover.htmlframeRequest.htmlframeSearch.htmlframeStats.htmlgetApprovalStatus.templategetStats.templategrantAsyncRecovery.templategrantRecovery.templateindex.jspmenuCheck.htmlmenuGrant.htmlmenuRecover.htmlmenuRequest.htmlmenuSearch.htmlmenuStats.htmlmonitor.templateprocessReq.templatequeryKey.templatequeryKeyForRecovery.templatequeryReq.templaterecoverBySerial.templatesrchKey.templatesrchKeyForRecovery.templatetop.htmlindex.jspservices.template/usr/share/doc//usr/share/doc/pki-kra-10.5.18//usr/share/java/pki//usr/share/pki//usr/share/pki/kra//usr/share/pki/kra/conf//usr/share/pki/kra/conf/Catalina//usr/share/pki/kra/conf/Catalina/localhost//usr/share/pki/kra/setup//usr/share/pki/kra/webapps//usr/share/pki/kra/webapps/ROOT//usr/share/pki/kra/webapps/ROOT/WEB-INF//usr/share/pki/kra/webapps/kra//usr/share/pki/kra/webapps/kra/WEB-INF//usr/share/pki/kra/webapps/kra/WEB-INF/lib//usr/share/pki/kra/webapps/kra/admin//usr/share/pki/kra/webapps/kra/agent//usr/share/pki/kra/webapps/kra/agent/kra/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=genericcpioxz2x86_64-redhat-linux-gnu  directoryASCII textASCII text, with CRLF line terminators (Zip archive data, at least v2.0 to extract)ASCII text, with very long linesXML 1.0 document textexported SGML document, ASCII textC++ source, ASCII textXML 1.0 document, ASCII textHTML document, ASCII text?7zXZ !#,] b2u jӫ`(1% q4_.GpPRu9{+,#E& Ooxn^))zop{⛡*+q7gV٦#w zX]vR2岆c:I{1\}ɟge7&4 5.H?4?>Pn>͘={5':E}DpL8tC^F۬|}g`g< x4<UH4]m#g>;gNF /,{&KB>3Ny `U{NYSHk#l+HʚPH6y8។ʥrX"',[tX?iW<IE}Cs@Ijh}u6([BgUI'>, )0*K-kVKRhЌ3ƻ?u?O5Xa,[ M#|g B qEG~uE NWKM+*䡯814. ;agU~wg&&*0s׭5$6G"?ĞsxGXwҎK5}gv7" e,⁓5;~ UyTKL#_ƨ5?&ϗ+G Z> i{҉'24UpuirXS@TwˢYc.uM#~ڑl4o"/m"-WK"Rf%L.PSWR 4N"1jWM[h+_q8AK*2.Mq^o /LQ=G_WO?3/s OEF5ـ0Ws6_ yque(((PŠ؎J}x LYd4^+&Q=sR>j%S %$ZAb)!]]smI;+Zߊ^m+Aʦ+v}[Pœ2"A!60:X*w-vy3 robd#]lx[`wd)r4w@4nc bT bQa!Z2gJu0٦cKە4<*&'Ema7H*5m^HaP%㹈Tf?_EKjY {gW>2rh*=ǁmBѰDZ-2 x9zi Yraޯ+gme}AxUђ[+ q,3FE.õ_KڦЛZ&/D/؜wQ.ZܑX_E#)3YzVL` Wa3h`YdZ nʷ@0p׉w {ta(pↅkz^Mty~t_ tR5%K\[վEVKCZ5% 1*Z,xSE|o>,KaS^RPNq1iW"]P,T.v!YAn*#3C=u.hxћ/9Iqx?1Z-V+?S)Ĭ+vg/d5q-m4V/Id? }lRуaDSu~ÅK?|su%^@vCo}c X/E;bZ0+NΌqяF(f `$?PT} >i.zkixIy1YLv-bLv;FwrfΘ2nXRi!pu?{o >7WKMGmT]cLM)kgurVGlf1x?ESIt܍}~ E7wC/1<Rn]Lv3Ii`!qqsBgSΠjqT /0#GDzո;'h=3|n8 5M!X_:z{a)y1;3vS|9S whݺ-w}ӵ!:K>s%nL:;FJoE.$ yߖ !Kg4g:ɽ+:%nH9+E2I3W5> %Ld Tpg4R i\fn0:Ѐ谤~In$6)&gJefhWUL/ @]65}sYCR^=#@)OTKP(9SNFU"K˧r/౓X6%K֐}=jt{a ^aT4Q.Jc [SpU7=V'"1QhY^ĥ;VP"*veV{lB!;VJG UMvx]L|l%ծ(w yʦ*jk,?AEJQ`_`vV6T&dnLG#mVzWsjeҽWY`0/p^EA;_t[Y M)K{+f"ۣ&uS!C>y;;9NjU5X@^KHaR vD73S了`YaAYO7ȏ'[TlOٌ˘G :H(ÍѶcg$vu}Ud8/i>QO sn:FױJ3"@ B͊gч0O=/udiR/؄8ÿVxcfEm= Ps*Lћ9T:Bg:™:D}RV-fmc:Y,wl&c]5ڠI6[s9,e;{v}4Ǐ ] cac )='11W'G-G˨#^Bk *9 `qĞ <sR$ƉG->sh=uܵ$'CljL`(=zP Rq*\Iuͬ' @kZT̩:J߆va9yR!{1ќ"*6>DRtNJm5q]7"{n$IKq(womw(܄1y +x y :Z1UwŁ\Ws-6d=sZ{5KF='-?.4c7)]Db s=Rw2O:ħ p<7WjqCίXYkZr0$ݴMeеߜx`/% 9UY Jrj6uhܤ\їPvK]_oq_mz쉧5,g d*m/`| 0g꒓0b5V鯴 +rsk6D>[D`b~b5Pn ɟ>  cg֒1Gl#R$d Qp& Ko<6$BJiϟFuIKA IP Sa4%jؚ.^!;6= 3 =:%j5 jEB7c.tӐy^c| NϤ:{ܵy J(hͳP+- ѐtTH.4k MT8߀s<ۚ-%e&#x}R>k.͠*Blko NzKn:4\+7O5K ~g@)-$ 'H+Dge\k|9Ѳi4t~ޒENsᰔ V*٭D8'\%4b|Q{aK2bW^QcYۂ*ExJK#'P ij$5_큽BBoVOW% H섆lBUu_L4)@:_8B+}|]5T",Ӕk €vp|f;LZ2ed<?$ǿEt9-ORit/E z<3".} A(0^p@?*+ tZV)&xvj{(1H r'?#JIӖaa anddGN涰:xVX('Rq!F}Hat5#IusaYl+_KB照Uln"l3R4zWN*`NM >$uU] }U &d]W)'"pzg'ٓLY&H^l_KvgH0?i: UD 3@9p$GH^G _X~ @rȽtJф1'exz -BOWo~}좲E3;[3kr|mSZ(iG&{UXmW$ 5֜t[R|5$M*𖧴1Fa~̈́d*o=x5'4Qb*JP؁uG1ʚd3w͕_nRضFQ Z^)?žQT\;f"&]֋F'6r`30^u//K4yj 'E.y}Ϸ*leS/ g)R{ |$&~I3U< z9w"m3C3"B=\]Kk ĎEY:8u;)_vofV.sumOk5O-US-QrElP(Nm):nԱ:0" U6Ya,8B07?dy|π+χ(-j8+j'uL k/SOHsajY< yj{8dεr}*}*^V.GٜQkF-,n` L{~ h֖i2n?FFH) K[YRPȶ)cSN.֖#6lԉj-B!h-W.ezobc6K"GXs3M ATX(.C!{`<$=h{V*n /"sn˦zg b"XC>4ƛb9*M95&p?Kd\ol;zWezgLRT?sߵOlz L+=UnTOcH*1kbt'Rv!DŽ7:y-zmsDR9tfRȅ$OJD2[J>lGܛE5&GnfT9/ ^yqhlBZ$TB=/'61|&իK'-R0,R^&J4[d蒇`kŊ/#>țlID#4g6h<@9&ED#}_aזȱpre}݀IԔ-2N?yU}ckl_ʗkS?4_#fF>Yo D"m9itUd9l,{ΐX]"YBF t|3\OܳG`T̆1^+cR 2Z^E>)bƖ4$g\D!=vу`Qӌ؏6D4GXzze7ΜWu*"4Ug촑ՈoN 'Rjr0c<HNE|]CE-n/..Ow^y"K?]phD^OJa3xZW@_3d]D[;ݟ&QgP I)~ƻIF*+VkQ+rCnCBX8my^Ʃ9ԀtEhq$c0Ob/"Wp"^TZM/cQ L XKb QɉGqTOG[_=)(8}PNt)\vvm$($ ȏv0B`ۿxӿztەmtڅ>y&d2t+L%l=[>(zc}O"0 u1(.r^rAL0G* B'7eEɆ"*Yd,Xvg `g\vR+LCJ/"2BSvg9tW@rJۣQM<SpweQ!JG"+#\Dd>OUәD"AWQ善 \hzQ48O2'vE5ӎʺ@|@Qd9m+M ѥքd'a! Iь)UwI}vAØ ]~G4 fvjvv=7|ޘM(r"юX;G{'1QC7HLa(5HzB–1njI !LkzZJ]u4kV=Mg|M/FγU[ kFhGaFМ%rQ6B!/ 1Ghx̻+z/!KZB25Ia`SjhpܫK~QHU"d1.;٦7VR25l Dd\0v^+X}yO}mP<ؕ2%^q]WZ;uWC<'Fn Q_4 \9sT̪H@iVD8tB p{W:5KqD~ALq<'˙O08Q뭻PRS 2eF6&( uVE):E9 5JӱAJv y !mXb"~oӷ6ɮk(+ K}s/$)ǂ}!V|@9 vL]nkEV܉*i>Kb{tSw{$s/UlW,ٷQvUH|fiUnm{f2kʙj4lK)ϱX:27=nK dm_J>U u㣱zc`}MRz;2E#\h|N A";99ЈSE3.E 4Ȟi[ViG쀒$cV”wN폵 7f0iGdKR" s|1W_DZFT..ӥ1͛}W W' :+ne|pE)@I[f[U?|bҩb."/wfDz`%GX}Ա/Y]*|c vS=bێ=^or/%45|j=$8vHalt뺅.K{܋ ,2|b$M,OBPap? 냊rM]B-dinS='@(DlTSVj\M9)w(í3[g0{AM @k 'U`%ܴm`(ׯϘ74HO W@I4.C8a>

o foe V`EyJ7 @=c.ĚF\bIZAn2 `M?&oJ `'TR.[E@zVZպMFf~^18a2ySxⵛ2vXxY*aTs[LSK% q8Htdm!6ěʼo^ $꧔e7Mot.ZP|,b?-vȐi3'3Vqڨ Řw3[| lE{DWV!q2`EEdliңVJ|GmDqs&aM*bhl Ѭ멳A =zqcIlH]jn&k ~oCVFXKbV\C`ݣgh ܔ4D7 ~?P%X"c7\ĩ+TNI; :t=㷂eU`Vd6Fvw9JJ b|bㆀR|4n,(\mSk/DyQof"V{k>eDEif,-gAQ?c,*AG#;;nOiDg?GD0/ۛxO-MKBȷN"H]&q/k՟?~W;w#XB.kv㋀y)˗,'t6Xs:u"k0}Kĵp\8Z\"ac쓢F  0eF׈!Xq}[lpb^ﻄ%dQ4-$'aLBi0L1{f4تX#]Bt+ 5|zs9U ᶒL g~Dä}:"gQ1t3k2>H_Ӆ}!* |LZ69>@:>X=;G>4AJE 7 ŷŒɼV6pz 4ʀySN[ysQb(P$J1$7z;>ވȰl<|NaZ z_+)ȸH75T6P\0r"eageSIB95(l ,kIBŪ1 h?Dq.ޯD {M/Z=כsA?14;&,,Ѕ%ج´5>~Y}SjbefaĐf_-n4*`ʗq=*Zq!܉}}[$/ S,WG^t@PT<dne9؃g֏d['mVɊoFs B%1}碉u pG/v0sﳈ;$OQf]g%tσ2"U_"Qk뼫taioӓk/ů Qb1n4X pC|\2!"]L H -E~])}+3뽓b72j$؎3ݿNa@ۃqo%DMq=2[p lx;[ UWE]~$ $P ÇONϡ4i^UGUHޭF1"bwXL"%ʼ~)W`fw@6uF*2{L)5}E֢ƈeN$}zŵ,8`W.&J-\D猾 JG<.^G ^: Qt%ꌘd)ߔ|7U/lEZSBx<)dz #7rYBhzʲD+n5y”[? P\ $Xk`ib ?LkWt2g< M㡁qv GgaVw{u_ VmKh}_Ɵz-k'e ; g`u*uھa 2'LWJZ]174!]Q-NU )~H~lK!Fuf U\1hmilUR z n~KLH&s#ԹߡMLjҌLCu0v$Sxe}i-uܒ}k%؎tùI_~K ,9;A cР$~pL&W&J_؛6{AS"h`kyik;+UXШ=żXbh>Ðs+\1* bAե)P~>gIVEM} Pyo/>~3v"/9y= yΗ{jΠMZpZN|#h{y5E;AVŌ}JR%2id"#@!7вRIlk|ѼBAX=g-_%&(CWwgd~u<w•Xή]\r?DO m MaeTQ!i,Vd2&3Uij ^ r4Ib\b |=9`Bt:6aMS>E*A}hߒYСFw~QW:2ԞlTtRI`^dh~(ӹUk=h{[G'].JlRaH!EB D lUx-ʼnJ,壁  /1#7~cf`Vֱ7)AP[C{9eRV)] ydMe[A.Z$ κ`H f>VO%RRF֊(h|GfS ӟJq7&PL}#Ƅ/Ԅa |ud]* .9˩ Zɪ/l Կ܆l2[WS0/V L}n1.4v(N=Q'AbΈ){Ǒ+BZIK dӷ)E`_PN,Ltg^hA~]lh]Hnq $̆R-08SUFԥ鱽kJr[w 1*6(>ߧG{C%r.ڻ<8]Qc-@6~5mqX#/WUwFZՙ2m#_mX>Y^գJNUm3Vp "S 9rY[K0ToϺy!g QEJnŖ$p]hq9m)hI;`*kV(#?C-FF3lqډ/q1aV[/$ 7diL + +/C|춓JkP=kzh ;ekqzYN]zvj1('+4GHLSSa)ı)_u? ?Tv޼ ^;I=D ,["~`4np1,ɼJ;5᝱L`/,9 M}l"%q}Tv5 ;KrȂmSFn{"?PR˾ _hUKZ=\olw˽0E_S@>1H'.;{MVҪ帑QZ}#Hzl6GpjI{i+z@0نzL?竔кEuFr]#]׏2.M$fG''е|8&_!QGY/,ʚtX\Ĭi/w]dILILN~!DÉ&!`Q3GgGuaUa^XCr"uoX>Lox;x'l B TO6Hz˘M L(ػ [ ]ϩus|]at]ͲPwO[QQM eo[sn0s;jo _vx%WF~G!$V)L;3k XћPS6r:Τm`VqCSpD3Wm&5D7a&)\FjqE 4k ,]'bBh%D+TR&J5B|xSj_r9Ja.<%ޗ\JBX=3;҃1&7y<]rͺ9x >|B<@UqQY^6zLj{X@:(j8 Zx2: ~|f#xd64ąxU՗7xFq?$5w/!1ޠ0c![v/RWX*jQ|K#NeK 0 v4,sn,'? #x]!Izv{%ī -15d%9šNr1RTR1W:{d㈑ܫ.?:'T(7?uQoȜِ>qu[*zy||9ֺ^ hK-3|iU)-JfgcՅᲫi,-m3C|zE;z)/t! 7UY`V6Kt=j¡ ]Nw~xA.UA~=}"YhfJchLAp䊐iRbq+}^ʫTНt]!dr.@Y״g}"WcIEVLꪭzccE(lR{Zߕ(4q#:@쮔?+sgn nّͳHW:L2cC,8 r9bkۊ82 VFQV2 %H}d_oKU; )e -ǜmH0v]l2CP~IFe?Oʥ+^DtrZԵWVtAk5BBcɱ!:ߨ $q6Uٰ9ՅA ;kH6ťB*(^*tXGkhÊp75y4ZpwsH{UZ0(LsᢼC\ʌ0d#*(ܥGqk?zxf~_sb M|66$4wUX儾,朁 h8n'ڭ iڧ0B\Llv]`]f-ucF;K^yM\Y[Tqr"} /Z6zN@JMuSo.q8εr9F }՚m ϧbIѩR>2EFc8HO*wtoWk$'W ;j-$\ ;7fuqu:ݻYLoϲbi=V9)^Թ8=f tgIvMgIBӽH^#Eʓ3msQX' 0bl?bS.>dr I[9Ȉ_e DKlq򒇘`| K,:%#W t{- fB0|Vr}o9q8fXyֽW ~Tb5L=ZZ}2B0ǙAra|7CeF>d頩qF+w{ӊ Z5ġbi:H5[{fOAK0YjHQGnV~8iP>G],n dʸz3=K&*; 3Y0ʛTҷ!$=eq1!=Yghee!HY>l%yFr㢦uO1PTSHogcɛ !"ouy~%:"Vvrt(o1]ϡU!P= N ҳם44"+9Ŭ tn5%2ԯm241 ˖߳N=PPp[MQ*.ڿ´񹛰RJ;+5?H9\m|t=ID$R(ܔ}r;Zڼ:o |]luAqԣKO@yj\MƪL;RP3~fНOXoPx=Uw *4sD;'kӶKo(#ur6Neu1˂"uw"q"эT4?ϥ@G;nIEr.:qf|u|PAGwKwpSؓ85HN-di:Q?Ոǿ̈́ҫ͙q&a0>y$5# z=!(dO:sKz+)#lXth B٘5)Iyj@tPz?g2!RvgHHT6yP`7)XR]+&J0#.͇tXQ(+J,֊mR$(aABqT&Wܜj.A6,|V'mdH#6߷",wvsy v뤿LN?KIՍ@2蓭rɶ"FʙKoS~A>ѭX^dd ļ%}ҕ1_\$ڒYycOw}gT, /! ČSvpH*6/8p8ҩf̧9xm)/iFtj^ dL*4 iP넪-&ޢM,SA8M-܎4~MU`be ݾOfe4LKc+i.7xH#<30Z"..ae(H7LEu8 '!vvAx*-]3(WMW>`s\JLIp ̎΃5SV@! FR];AJC51TÔ[F. ('a]%I e2cfB!)䲷G;`̟K92~QbG]6B%nYJ[)JX6M2DpM7 /cF\^ d%s<%M/P*Dʑ)vrP%niIz6`0d\ܧ}";xB˯[SbR6(\ ~]m򰳛:WZ'|xSnd3dN{nF[Uv2ܸPeN 7cD9˗@@O:}|Z.Ay?N*7$}{lȋ5b^ֱ =$U1Ƨ4jrk(߽&y~["Z2v# S]@ɫάɁ_㦒qyȵ世ŀtS>vM^TɝWq&q͋D\A֨Vn68{=򗽃@#$+Ԩ(6,/ݒ6=d X'E+G"Ya8E*FY ƪ*flXeO9WWW =bZ{2(A6[J=OIhݳzyh/ a+O C1wȡahG⏣ŧ 3spoZd`5,裏^pd~x2Ri%W̔@Μ鄁I'H#┯,4" Y,1挹#BP "teͽXcLq{cz/Э_ afd1xܛV=9AV- q#<Δ3(aR|? \yjlłPSMGϯtOȵjp蕱$>+mx˕lTa6uu^46ay;cy RhOcl,o K1SPƢE؋QZ@A=(wzsKn)'Uʛ>$eROL_}xWS_sbsBax b)n[G+  u@:ڳW[0x7EA֯8/OXl'h;`J H"|Yy@kQ6o\Nuk3^?^ҪEcOAj2(*Oוw,p; BλTf3ƻ2p'iM _1+#YPŸ[9ZK+ل.Vxa ,2uKW .v*2ûȢ\T\;Ȗ&{q(*|J \ˢM2|:\b-0id߸F"u[BUc%RaF7mٲq?ſ,IW74|X[q] (R4ߟ7DIѭl0̲(loXکVl_;_U9RYsCsW֑ݙ|VU#9rQ 8>ۊՃ׾e`oS|[o uEF?WOֱ 쐽b6IZ=W o~/.y”A)uB ՋeyR(㏢.V(N0~0[v9 Sjd0sv(^pV0%t¨Ps0}u:'K]zX+BpCVC1|mW |ݵݺ/m@3Ay?}eFҨ .ere ;[t5cUigj|{i5#F0= YW  E*9t.= ; tݮB0n#y%:ُ$ e%=YSv Sj>T  ,]8!Hm;ALD7`yÜ^Q7mz`:;)7n`*}g6{7\jRMr5V|&2b)ĄTѫ1'h]ֳAf.c|a@~6>V^Na.8 U$9_ L}L2 ʀny_9O<5Π m)s08&}ͧN§b+2)ˀ-uQgQՒ-Uk>!vp*9ɔWa_~&ݒaWtˏ@ΒvOIdjZ߬|=HχL=MZpSԶm.P(Ziȸ Dpr-۽z2|݋*_As-ϽwN "kD5QH,6IJb|QyKX[Y* mERGJ; SOVp7X>RVwJo;Hhkec{ދ- k7m~ʕ{q~,ņ] V޸bV_XԞ(r p1d="şqe$GKP˲T`8a3eEg .?d>m=)s:^۬n~L0^mU'ؒs\x_x "FTAtT%iY W P72-4])PMTHrA['a"g(ͯ(`V=&^nh(f6ε)vCk#Y|/SEɎfH699ΎBrΣ̊XepRgec /n6je`gC8ijh|xoJ% Q4EGf'9˃7y)I]xʟ;bwv e"4{ jjx1LHs>R?V`@,/f4GHfy۬E&9sxfex|TGF!nuT7_!-\iQG_ȘVњ8]Jk;% x )J([cl?t d%n0҇7Pq9Xp!dO]0 z,rgepkl294au6ԩ\:|w}}AAWa2&k'9Mf˂o`1ź?3H8&/fhSb [v; FK{ۨGeljRIpoŠkR]Em7n>4Qt_e;,-꠮Rv<;@`x":"Vjr0'ܫ\؊5!)77L)A %pal1tbx19M1``?.apڎjm+Hv`S޿@M,%5@@@cfqZComWp'㚄^nc˩/&Zꢣa+`2Nv݁gPSYx 4N [\L {.,f D_#F02"}W6iu,43i ^e!.k&KP}|6p ㍹vB须})^y,^6U<5*di\θ^CCjːEq"1}z#[ ڋ}0+[R$Ho:ubCiQI=nurnp1puޫY[[d}>{ĹUI| I ׀磈 8UM1B[ўbRl늩l 󺌪Y'[,Eq04rq@O`q8{:]PagIZ=iw!׫3@yT]T5Y{9m)!WPBM))Z~t'ʤ[i1Ί\]9dbs`RI]ʓ]&%nM}04Bg ;KMKߡY2j}YDq$o ~tSz$TD4j5OLg[/PYhItdD{4߹04E 1ObeA$Jߌ@]'-չҬwmk Aۆؠ)9{OBѸ%QţijwӅMXw-l{+6C^CE=d=,4Ǝ2+D*fF3y9#yMfb,.cϗ^s/sA\&ßbWVv!F+p]DNdnBśtA /<cr-'q=9}IlʂU)nFWaOG{ e$ C3۞ MY3t3 \|)VCzȥ/rG,@E-(C@T"`pW9<ѕ0h:ō!Cű3;jԓS<[&ckN"? P=S&f(PLiˬ:uNծSÂ&Cbt$}>Pzd(*nLv׮^ug',`x6(OIzusߺߍŀٕH~n@n:a2蓚:!TLkӷF [ C(!l*#/W=b;pT*/I금x4[׸6WL%FQ;l4 CdՃՁcgʈhRi3]S:4k.{'hrf!,=ThQ.ieUw(v$W/rJ[Z6Ҝh+^?`dU'b(Fmo rjX8ZHF?@HTH մ]Y"E3\m(#g1_)V.R?|h^ #9"=LcA<0<ߡ{_6gRrңcg'O9g8ȑrgn/)T0o“_JDEhAPFXJJ8flqdL!MRT:y_kKz)\Bcs*پ݀jWœO(E,O Y,;?6.A2`g6x]0>m6ńk X~MksMyЇhc7+.&a1eu;ٱ*5i$&o7e_MoI,mPƟ[TX%e]!Xz9u#I9f-XJ2Lot [:2XJG^ОE`Z)J<׿LoﭳB?50Y;}<-{$I4y.WW0YVYn[OC"׮KkhVfQ^a ^c’]܆'"QǢR 6#XWr2eMj@blBdC62.|kj \:m0'x ktHXn)-:ML R[V,AsmBqU(-*-XJ pvi66uݠ t3r7Ӣ=Fn VnatjhzܦIʿ|"Yc#iW#B9d4B3+*.a5(,>Iv.Z6+/}Ze5zc& UF-Bİi'0k@KȹiXtzB}po%Pt|6.g>.C//5k?o<'t~ʂVP[ x^3h#71N?REaLDȝv{'~ԔnKM,d XoC}$d'~#`dI_w*ߏ=e2]KJ@N72< TLaA5GD$h\2`~8PK`Gt(c Mu_|YHc X_%V<^)|gC8RHy(k5cY[21^.*ӢMrΝx?XI2@Xثw]lR*׈BL#?Rm͞c;Sd7@Se7:`oԌG Nb(cZ3G._Z%`@t "b&A&[} -OUK]R1,}]NXTkƠU ZT!ntEAdZMEo>Mz-iU8iOORj=qq+Rv[Q!#ՐA> I]C>W*W\kpd6}Ke]ɠ|Yza!-D% ů~<+;K??^̇9O(FdPP!| QG/MD:2;J K [͈ΎQRaW"W0RćFBf4B8H}?4n#f|p;vJh?K0z*i8 1" A'Nk.!< GRENg$QۖjһؿߒHLJZ_SGiMj.7Y^nȇ <ȎDU m& \AB^H'tvC $9qvsmwpHmea'Pig *8RO$l-7Q\گN Ik ;ѮԨ(ě|PZJ5t|$e$( _*n^EXY*:f1g;l +&?G]z/S"tJ[u=΋xfI2F}SD #r~݌9rT7<=?Ih\[bחDtNJC{#e*)}hSY،9656/Œ'-0ްl.@ v3b)u(qAxl s\E6_DmBI ک <8H9&"@zCd LrGo/ ?V&|C&gcOqq "" XN(UZ9( {QF̒ɳݢYyYʪ ڗS "pa&p'WP6@&x1V.mF2>/BY2;b`1D$3z Ot"!/l2ïwCwZ-Zi NuKs{Xۀبt `x-=bRi}`s$-Vڸ +/ Kir^+= AZ{}yC-9>T1?VV=3:lǖ2E]S'hFzY..VK^iܜW$O9,l$ 㙨xx$[DzaRs6ngigY@ԜS^xObtpw-xW!S^{~_hK~X'}fz7!חLTȃF߭Q~!:?uBdA=;Cپi/6tD$(&Ftϒ!}UrH=BDPG`A Ne#krnL^oyoP\>gb\S E'nMqRGBj>g IqJnVA`ixÝ<3c뎹h4ikv 96c-ev1FS- :j4]0IÈ>5ӟ{vXl]J' i7Xm*?-ཥg|,AVDxn־oI 4QPXv#y xФ.$DW$sbo_'$׫l+c6*F`~uL(A)Wzb fըu N^_yLuLhtW"/?I'?Γ A%nN[R`-k{ݳ)bi ѕ`ilf.M_ί2xXx_7",veY>5$uC -ϭm񋛈WqH ̞ 9Kϧ=?m{VAGx&^Ÿu%<i0SfX*T\M<@BhvnO'Zrmjnp!IIixXv5Um)^\CkM|C,Gl8 (-;enXh+nO-߱2ryӚBvq,aTyELtZD6/T*IB9MZ\yG<.Lm)ɄZ2FXWm2LP溫ksGX}В^uk!`vLLd} Ofs9/\Y\$^ZŹ '-6΁g^t,qLjҽ?ӔO=^t6>W3M<gRU<%=:U}֫ƽ(U) >h]0K"T@ַO6WsZ]`cω_M'\.YAw>⑃p ӯB?odY%q-H[ЧsB`u5._y;h t7/k4!w/EK kte~99Re_Њ& [c ;C=^@%~nbT.$U*jvaB<ˮDTYxܣe-EzZE0Ib|'+ەeAR{8wؙR*g$_d(2/)̳M|Vxb#h3c5JwWV|Jn2#"dç`gz)zCE[R 3ݮ付oVX֊ hK );/iű HD~7&]7bE]xƍh#t\nГ'p5*q=oI*cVW^Ђ;lf9g_D")q{ֲ%X]͉Duiֶ4kЁJF.]@Kcθk5oHeeԛ&SWOCM`c8Ijr n׉Bَ71o66~Yb6a$ol*xo4vCuNA.\zz!!:=v#s?nӐGB-H{ #n5(uU+]f@^B4SQU}1!{,Idpßw֌ vyGEj!;U40]KAN#ifx&spk u =a,s$9@I _c:ǵ[U<a{a5יnIȩ8AÖQDP6#ݪLaܘMQ\XT|Epgp' {E|CIByJ>AI:I :X'Bϓ"g9W.2┝$vӲzviONTA[(m,٫`և|̤u\m9=Ai4љfI[B$;:Y;8b}_ٝw 匠߭y);G܈G?1]kb:c X^yLp Mfu928|PdJMi#!23Fsj t(D2)Hrua#Y=\Akw(3 oM N&02AGSs|\ag›J~Lg  a9Ǡ<)S+꿊B>Q{Jg]Os!5smW7ue־=dq5 w8%nLf,/Ck8vpzKb@t _ɘ A(x6Н_ 9kKWJxMWv>y=FƯibDFu wE_9 }A{+oہl{lFbEcT6n&89G#<Йi̹FJwJeykOS)xܣ:㳟րnҩMAR ČrhK&n!HR Y:V$?]!}7W lo:C?xVi]\7C34T e.*ZMrw>Hs#Ԧ>HU1yK+G'}|nQۛAF#Ḯ9ĮY({=)D&@|jCd)i>" wy3U30hT'E )0mɹ[lcПLmZӫ^}<1ʥZBm a-?@OpM@ԥ훪v7MRhgؤʅ$C!@b.U< } $3yն#=鶕?s 44Vӡ^MS.69vھ2x\vNˀW:]al+թSrcs9(ޏ6H vA|"/ $GMh\6<>;+M|ȿS4G6ov+{\44k@{oG]kБ,(-JC>Մ%bCmJ:w8av[i-װ..+ao*q`-٧6wߤX3ERQySҊ;3^뚶3>W/x!o`rA3s8Y 68jPa!e9Qy#//xݣ(:WuD>ǩ˅bUcE,ox~!k>J5\f_N6=ttBΌ ~O0Ϟ Z֞7U-,11 kt{]7Óߗuh{ٌI1uY\K= ^cv_%rE%؍G!(? sCQjܮ[fzutۜusPL l@Vby(+hflcYD(Q#!V8UtJl[% !M`qN˵V̳iF?b6<Ɖ3)ҕ(w(okk +s=`^yoE}xâW%*r=K+rN:&\~[禓l%CrQP[EiŽe{jn4ׂyO?nm'5*M9DX0 jb<:J}[0Sn33SAC#u.6h$7kL30,Od=f=Js!y0kۤu ^6KiwO-pdTQGDo՟SƲ]1b |FS=ގ.5Σ )}+B 5و5Xj!]Y1 YaXQ8kXgA}n}YR} JLek0iY4w)pqy?_"EL*jWqL$ܿBw&/5S{F;$Xf1H[58!ʛh,f~+kt C i%X[Sxip≍q QfCr@osgr͠7$ bvGϔ^p"uLW wyrĂ1F[V#FīH7MþX%@OK"sVr @@qkz Y W##@oBh+Dbv<-Z ] U21[ai-@bQ'dq,Cɞ>'QZA.ə+po> WDu%}HIsƏnxN8BT93QA%aV\8( A#͚Ȱekr&AR %ܪ.G"ŮRfH o@b j\,I /o/ȖIClDKqDA'`]"R.t^,%?d?D`ӄ҇ *O[PnW!QОMc +]N3,s+3WKvYg@W}dCXq;k$=k6 JKOz>hn< FM0+9 -b^;}__T$c)w]xu X=nuF 88.x+|6)9)ʬ-jdjS;^f{(2}X?` 4a# bRtNjߟqXЙbڶ|ViXh$W*=c3?CE2܍p%gy4" IվީFdHE4[#QZLʮ!.'y\$`+|{ӉmX;>N{Ef̌bvJQ2cJvpݽzfO;XOfDc^#k&r1Ͳʨ(ַs(A9;MKVVOJʂ8ӅgVdZICn%/QP HEfKvd3+s^AuC -RY Vx ]ow?S{;H׎'''t+ F 6`1&XEmT{H)v/+4PY\Q c|9jWi0f ;|iOg1/1"߂=p6}?.9 rk744 *)YIφ> 5q͢pr{Hhը%8DSC_Q4{D[#z\p5ک̩g9hh)Al]%47.g5ST~/H=x~@fYiNNk`ŰE|lל(wEJ"txP; ܗt~jW ob8HF{1_ޝX^Y;pc՞e?X\KƖVnDs*Wp-}ǻnt,# ̗PYM6DX_OH kO|=(e]alwU+Pڄ&^˟$07AJ4 \f :R7)tI=:v>,BY,⃓m)dDKFb R gIPaI[ҔoU7l*ftP4V?\!5(D=L4FYk#<3eǫ o>$uI>E'rh!beƯMgQќW {wEX/4diȔgq``p_{cIt{1D<*`I) Z<ɞ)skwƴw*Β>MĀlɤaW\o1ذ gE?Pf3ZNi)T߽rYa8kY"8ԃ} .҃SڸKdt1/7[' 8NoorLȎHfFqK'45+Z~ǪfĴ%ƊKӻlװ(L Z&?-I\toIdLd:<dN32CRUì ?-ͭqrF"*8-[FP~R4m1DtMtԾc "Q/rn=E7[MX /+3+70] |aǯp7ItNмkp肏KQ ^xOcٞE4{S[3l lspY=? ,tm7dl䝍%fa+-2+g*rcc^ƒM|\{^}y9DNX/B(:m$%&,nĀR;ӕ$qjOmz4Q |=MĹ B&a81k| M`OA!z8A6^tAbq*=1,ZXMQ>EF{Hzզ %K~vKhMEMO]c?wl˴-8tajsb+&,2]Alr@I|*kp/dMKFnweB5tfC'\WQ}A/7E"b7)^E6K)u '»P0Uz{ 5)PS<6Y*YKQ[e%K2ҋp0L삵<N/ PkEoUl3:߃7(=>djJ e} (g?c],7,QwEpj/@"(`hKߊeF .TgT|.E zt͏8GS!&vb[؜{V`XT\eg>a61 ޘ^1X7ю!o\I):+*F ck 'c_^Y`w͛NZ27Q)r;8v匴ENivj4;xpే#;OlYʈf7!:Ιi4OBHA•fUw ug~ fH̲zwWn Em8@1xFn6[<ǿ6 `J7 jCL/j9gZlwEuoAEch~ y?%b FzebG7 2 ܜIUtDYpht® ơZ\-h뙶.#<*(ȸg#1:k 3#R#E0 r& p:̀bS60QRW_qd2#.>4ɑs@j*ePڎ ! e^\3,- }d IҥbF]ua-NpġcM}ڝ,w!\FCW<2dS%X&l=[jF5Wr-03 e Anܭ #vRK!d4RZ_֬!Zր u>7x:g4@R31"@%“ԫCދ Ng{Hl;ʺ:3iymY!&Hƾ(7><*9䣏6Ε|zdeYDVDw/ћ+#2@ޔKGxu30O5heO_ghH FXiP.k!:=N~ o%gۆюUb:>Ҙ/C{q&ъ2"šq= )ir^) /ךqטh齣ƺŒ|y7.I9-h|t۫>Uv|6E@w&6m4,bgL7 '- $9^=wuX8b1 ֈ6C#AaDrm+J9"~ JFd|MN^&8S'g:5^H:ܤuĩ4ybv 56@B6(n,ӊƘ=Yv8a]M}XnzY] 8 hہo չImJ_@/\n9X`󵼲83v>:JLOSyK=̓GϡWÖ6?$7uAwL$gԦ&z+ΜLg?Vqqd x1U"=u4{;-O*0kIsJd~TQ_ZNi*v]t2|U39NQfʈ0Q12#TAŸ*vmn.S:Ter~[yξ\i۫yi4/!Tzh,#g:1>VflG%ؠ]"87v4d7˼yIVH5HL*To\ +3P.`cݪ R?.ԎR%[qO!e>N^eG*ITE\@vc/;<9Vva4%6_mR @vȨf8tvʎ~tS*B h@m.ǜFy'=2z:kNPMքmoT1!9#n9`HG[]ݿk%viC#mf# yvN+&:,1RySiA|m]c'rלl4Y:Qgu7?`!v餾Eb3x?chثՔ!2\X2u9?jO0j+h(t4+J *P3$ T{~@f9v0݅Gvhi]_t˪jnhg~Ӹ #ș0[ah%ཌྷ}I %(5Bo]懭?(z1bs_qڏXÇc+Z~N9]Cmkz3*gP:>@Ajf{R‰2QP;oj _!z(Nv蕉bK/5#TGUqزdHi>> HFg|6(Ȉ^K9^s]*).Vbкݕ1m@b$ '@ V_n(Vr#`m!8 n|g O(un$TL/ЩWS^o$4z\գJ6J}st `O_Zxh@"?sSy`W/)<{.Q􄄳@='D؞<{c j:޹{GZ0QqW0ki-ZxcG%iۺêY%65<9=#p; HS{>4D&w QxX#wV*>O|}4X`U1f0OS)3? g$ QH X.3)n_ |-8,!΢2"< ;.џgHn+xikJNt\ˠ& >e Q-,DB`SԍGNFj~lP<18-bW=d/ fT' ~CadMlċ:CHb koBDq͸=E^|A 7:i''`rkq~_!x0*,=h# id Nd/B"rz >;:S`x4곇_u/{4\t8/C.^g!7ԃ`Q鐣ٳ9{*Ciibiz23l¶Kh[K+ L"Si&J(d[6ʫVOϯz9.k7"$ͳ$_dy¿'0hZz5(`zPH#²5Ct1mPNLL=LVTEM+56]:qYn_G]9YMĿKBo]b'mXD>)Sp)<lfX%j3DZ/UG! #-ELqI8H@>lF2r/%<^;F́K.=>7)OZR|ry eډ +Y8t֖փu%P ㉭'6 u(H tjiέzьq}k]Aٜ*o6mWطn,0N3³40~;0ڳ.g"FfIdi'FHZ.3/xRz(eyd[I䢾/3 ВIIϩS@0")z^O}0ڵ[Bþ ߤ=mWإߝ6rVwէ.4 -wffʖPbtdZv䶋iAmC?_R[TX8]YCw{v]_%^L*Wi$I2ouݟP4/K+9f"+Jpyؕw5kt]=/XOkz 7.qG$XΈ=JtN/UG:^(_$U"U}&,!5xieP^HC8S n| T"gN' ;gwIEn0ec}mTXZ-H O̹Ϟ&N B:-'+.Dt8N`0ЭqwjA||x=)5ڔ<{AkDz0G᜖6y6o'ഥc䵿ĒSu^ Olosdf/oywx%R=E4% ,n  %-ؽ7w8W2 e-{#Y͊>6KXWг ။'{x)? qٟ=~ǦC_vgtSwKތUа#; p/°,S̯{FM{WtcHTAnx,M kBo;(`;at\J,ͻNgi"ͨ= 5H_EtΘ1[q 2Sfe:E3Lᏺ!SVI P9l": K7py7H{wt:kcQ{-8|KPEOs tt?z4!mm\L:m1)L!f5kF \ͤ Z5dxBVP|ǮKx V`AE .biB#%>lA!{TM "룋8).;81ojRiJ;U-ٓZz\Ȍ_)V O*o,4UCxgExAeP,;7UYQ% ȟH/UwͤONg}䝶LhtsP2 :*zZ~Ru4~=5f}2uoÑ? #c*_G<';ū ~,l>?ŰݢA374F;/iI 3MLhM.[{芙Daj\p (6C$z8'c@OGT=ۧLϼ 5L@ϣ&"8^x} aHx8ugi~k|Gf|_gN(ƠeF=dT8RM %V<:5W핎Q417`y]],.& ,ߧy D2,H>7GuLւo%eѴsnP"_Rb8u\a/nqA% 8vԚ?B6nFzx2ыy.+!٩BG^4&I)KG>uf:*n5gehV;vi>` lu!U*u!e\CyY 4zr>ms:O$.¡01j_m|(!ɑ1X]s3-*F  /vU])ƦKXB*bCnHk};J8Obяj W%k{l6,S+K4$i,GGR<.aϣBP2] tGt(.j/]!iԌݕ҇ONZs{7tYXJM{zə]]s+ۍP !0$:=m{jckF-' )Djou`I8$gAɲf {3Qq'Qr${FVc^h -8閻5n'd5M>H#g7PQ cөAЪt5itrݏ9U7dY8~K KߧZ+1~j]Oo:H*va/ qqϏ_Q ɭ_6MX#3dl|i#ѡ+'xZ{Sx (|45'+BƐ靄Yye;ka)P3|V#$T`FSnot;wT۔ZhHzoe&)1#) M˘mh&mbsW6&ЋٳgpA(!2xx5ۥlDr!k쎧(@Nq@.Kvo%с6(? ?2{sOɜr;z[?~O~˱1[ #JYZOʵod|L,DbRDhd)B!9Wo sX8 4&^;bzE8_!΃z]Qor}*i٬CEv8"&M1*qgWŖ 'Ra~F\#MfX].[͊הeD*йY"1fyi8M] ̈m_UHJBT R %3Xѕmԃ_q(xN/)Luƍ/%Y;3uWt_c $ #)lwn F~O }k/1jBqEs,ag3DEWu3W;x;_t_8&ҳ=f:ma;J~Ƨx*D#MA@1ō*A%Xvw< yvgΌZ-u_3 iӥހǟ0oe),0Q2#nR"[(Q<7=ue*k_gYJaU]ҞCMi|NsaGA(ih6{`tON-ᰄǔEq3]&7@f0$2Z mHxp*wBg*ÅO*79[͠d}wA}ǼnҀQ9xЪ3uWJG O#cV1@{I?!a zGm0&ށN'a&_'nZ{-Y1hì~Cx HVMv^]r-8U =o-Bwj^[鷬I [@r*PO(!WM M V$6ި2gMzpwR_8^ҿ)ma{4|gsj,CgT(7P4vhʳ9U E&\mN]v<_b2f.|c⃪ZJx ҝk8{Ea'[X$syGQOU*\_8 XQKіo/+n5OI ȱ?=)h#{?:.#9kt'k$yP, {۞IҲ3٪{OH|H>2Lj@* T# S1,ۚPޮS:%EчU:kټYwpE.R cTpvm>Wݺ&~1A֦B%{0ju^V&een̯@&O):YHJq3ob5Zz"t BxH0Dhl'f D 6|>ב>d5P> 2(]߉&xHL#lpY'*bU@wjQγ˸P{aj]_!g皠,@hk\,bķ=e{OŒx܀CfG:BMƙX^ܔUg:(ܩ3Azg;ƣ\<$D^]\C/ xNNQg<,6*OQޖڒ^h|]OpӜZ%ޥcbrs_xw&L8vW7Nm8a]*V(1^6PHum:$PObg[gSZ{ Ta֨7M)"[l}STtmʔ*D~{=Dzj9'de%@E! &јf ͫ>p|A,%@F0& %\MS,5 NkЌ_gK' ߠLRD4ĭMOa6[KߟRG/#ӗ {%%hB-~*ݜ,`m9WVF=a^PX}ĄE@st^! @q/D`5YQK)dXb1v<&(-tG|80*2U Xq" 9fEo;&H)DQ]p{ Vn&Tp-c Wr;׀MѻVfd}a'c7ƚK zzCZrZ_л+90{$`(֋,ÂF~ݯYjU4fO b&Yr@]`NxvKB?mj8{ěj&h-?מ85uy 8$-H${%\=(K%7W/\_?=[@sbA*Q?ϡ/iOmd*.GIΪn@ao)Vmj9mPج4hUSZ=?tP%y+s)a%|S;r(?V(+]Fkjieq޺2z/17ؔyUdc{o bG0;^ QT.ٻxL}+mw_pDƾK"x}}}o(l~fCJu"QTHsD{y Pa ,5 ivk.b`lញf8n\!AGΤ2`jO1+[4o))VgSPm jX8LkjȪ5·W =%K`%/+y;I?sP88b-u}MTk''Jq^eONUu>[|8ue!ӭ$R% ]BzM8?CeJ4\bPv8Q Mi^~\l1!; C$r5MtI[:/m\9#ˑ ܂xix%?fhJ !W zT|)Rކ>C_7gMYyX7#*Ey""P47x@3|@O=6M8Es®]YIVСKov2<xSScub6Nʺ"0,>KEG,zvU4PW59H [\-peW?q"pS 4!ܰP{{WS AHHH^3oXOM}g铉!M7/R 3B9&+޺3:Sꍶ[^%Ĉ . >jrz®?Pcife@I¾ c39>8 <(' ЭR!19 J=S6+Ï9<.fKi''ruC?I0SJk{[8F/8RB!jcUk||ǥ@L<"( y^ m`;*M]g*&rJj=-%$ I]{]}m2>w]uCB-nO|=ZƑ>)Z\%kgqFW @+daD -r񾟏%d@wY ]qx<w֩&Y__ uy7FHMw20Hm #P)Sq*&t۔<͌>7c\qt`N$%Dt O)uRqRY[Hwμ.$7ym[V ^kYdS+!CѸ']JOHGOB!R!r gO@r-F쭒ntrJTJё@nM|Wyw~~5ݚ#@Taws0$L?ʗ׺X11EGE܂cZW@㻴}yLyZ:C_8hOkwt: XNw)P(LTʩ"Hnq}aU+#FXp%t}j)WipCɳ@SЕ9] w-'aǯx9ʸJ$Y64YyZ ԁؿy\z"NQ0u "~wKBcAz:PsYID$5= 1G}q|"r #\տlO zHEw$ !0$-F޽L"!ved3bBؠݺy }r;vݣ/ieԛ4*q[:"&uX7 f\8 Tڡ sbLWKGr#ziGO~P8\=MV\Y `\u-aI!! s[ξ.雛s\F7NK ߨץ q\{9*?X'V>nk~g $#rNLLnU =GGÆa2Mi9a{ a[!nwyQ_k$'֫a;6@i`-SGS>3F|,h9225GDդNڒl"9/;XQM?2g\7*eR%ɝni"zp~3zw9S O;R0YV R##_"ɭ04^%^8͉ 0Tߛ Xm4I|EMŸLsxo9LU&_ue3p0u,8*! 7I;_.8';{{!M4!y-ŷ)ŞQن!V v&D},UC#$ By/)n[K.ѻŋ&3}:ns?mHʎ_nşUFڠdsMxë`3ʸ#}C6*n=uUs9':I,-[Oy0U|<ì/n5[TxzDTWJYſLcG#|ʃo;|ڕr4M .o\O5ڹ2lҽJ$'}3 Hd;k6\+ےZl:Z~)//3:DZogsfUhҲVRxea`޳,j2~SO-yQn\Wؑk.=*bQZaԅupi8oK?u&/TT"(q6/%<(*>{p9:׆YYm3p\T$-lhmU%bDW+>ރMEAR,B*ִ:]97d/9UG11Eg 2$44 /3f|3FLJ9,WpI3q^˼l~-F] ÚŽԴ`c ^g64) 鮁Xa%-mv ^˽ZXSjqWyZE,4L2 @9b{9jC-^FRO_& %4Y_꺥1nFE5'ּ+ z:t.~ kvO?ذ049]^M&)Sml0]8ڌMD_2f[ ,ځsO4iz%A d sSi A56NV@3Y 8p c*,,^?lQP2m+%l؍J;'Kgśt1g1^ 0PFH27OB[~P~(.'SZ|+` NjGZJ"B3=ud88 2e rcU= 0ᓬEd_:5(ߧh=tv͘ں::9n̙[Mvv;"d_.LĊ-`2[&nY8E)p>].gJ,ut-:b]Xydgř_Npokc1v2SA |IC`\ @՘WFvk VJG:fte3cњ& 8@,jD7L*khbui$Ϭ1)9Un/%WrPD̸n&"` ɕū5p>9Auk(Xb:a QYD;׀X!48q7S|O:JISF^.s/):Q*TRͰr,J'RhjfCHK<s5(觳]*} H IOCE&YɮP~l֮-Ch 9E3YCk/EnSJpeOP TaJALj߻wle{LcxT)n.D V=D"r[{rژm55]QDasɢVZ@[roOs ,7[?rЋN,9wKq|=EX|7P,dF@j; V"EYfD`@Ջ+˃g3!|zfjWjý)PgFTS֙NT] NSq/W^z. ]%Վm =6Pj݂xwk[Q9\u_Iv~ x^~%rJ0Fѹ .m E]/O>Ht@Nqw :<|8U N5j{W]iIBlЁwuؚ(:}v"R`'~n-hH>oa']v 1fjuo6y7_aPL%PC"½o؆,Ih']ٔ>Bw!Ţ ]/o0ںr5$c$H}DL<_/ 9? ّ Aȝ;-Ɵ2zJ2 Am%?%ݍl2c)b8vir9F4`#Z4iÃxXVJHrܨ)}:oOø {1ay|Xg)A)ør8,#;$AG u.Rf#vlC_ ;"u393,.t~5JWjzdx6$V?_}Ws`7WQ%7T]To= ?)Ne8K4C4A]LYi% b2!]G,/jcUC /oա-?|TWABʰv-=WF/ojg&v('V63_ZoOeuA7JH~Ϫ7a+Zl&f:#=(uӋJ.|qݩsRoUy<=Yӓ؄?(gٯLDޘ񇺚pgF+CӌqvݏΦy^|{+YH!йit!!x|*-d-tN rb<``2k,JA $F+^_[Wh7pp28"ޗn&j2-O 8s:3v1݆;ހT|G}) (q XxQxڡ_`ZCS\Wb첩I{OzJ}w[%DI_Q*-ajp%_0|YvvA)(8 B'_[3ŶJ_NQD[)7tң/a%AGϑI04Tp vQ _ I0{^$e,qɌCQ S!6ܚʌYֹG1 2ja+ mlj"j,)Z'< Sc:$ Ng dE'.;v .F3hHK_Ι؃>H |w[.oȚKtISgTTI:'NI2q]-܎be|Tv(k_VEpTZ.d/pNJʏo>ߠX5q"_ "!6p4=%T? N Ts0v4O;Aǧɱ~L#DŔ]FxJTsJ6nڛH>ºZ@#*^!^m*0Gm g^d/[*nF)N�P_J " e AH򱮣WG{߿~䋒Qah0n 2mvۆIڪS"#i/N<7>R 2Q/M.\27 <qכ8QK"X!pL- /Lq`"|>ϓyl]:n{-NֶCיB a9pFS-0o -)e=TaԉG]\48Dϙr.ipTn Z_xJ+k=~LȂwyΞQDAY<q!T0rv`[<cy/y>5,X/ >ru 44*=~(i`:!G'c$XWl[zQ;'qϾnD%x,Uɝt"^A uIs!,}YG&1x!WA V!ߡ wtjj1ΡL13{d ^>řnYep2;uRa>|_N>K*A'^R_.gn" 5 O= Ӱ}GQ(A<w"%͑L8tٌҎZ(] x%kMn),!+Kur ܻ՛06qĶ1nh< c#lVhwɁ5jGD:@aЬY؊`]%zgLһmBb9=5fG2 v x XF>Dq@zl^QCk~ Fbء #adZ4iugBu|8k4"l ӫ9܋LoCl6Z'LM-[Z̐n| w+]uaxDX3!h}k[SnsY/̺`Zr=՟ `uڦa5*ؚDYXWg.z\b7l1L|KyEZ)]mD{USx4?u5X~e<-&w Etenc=+ V9Z4Άj Q"4| `)8{''rņh+zآCʼ`]X#$Jmi.ʢ#Yx*7aݞ~W`9 [h|r×<u(wAxFb7/jνpo: J:@vTvt_ƨcGII㗤)/f%h>k q }O񉳻Խ\G*,m8CMl;f́zۑɮxл~QHHR DLZįuc/)(1!&쿟w@h|%yv]y8ש#$+E-yCZ.QKJC^ԴJpy G[H{Lxv" h0.) oz*ݚHW_@vx8b70{L+GLP*x꾦p/tFWlhM8#bJ7JWS(1= 3Mfm*w")1<]tl3qH#ZxŬGFCLmLEh^,[f;>/6zm{a'xc_CsϏCXn*|ӱ+[a <vCk%Κ rýSABȋn$2B/O_d(qt#Tb_(i g ߓIG.\]SrUt"׿ $(^r1v}g&O 'IP"; V2+ J-2uy`?bj͆F%O do&;ҔuJ|UmFk߄4TKw?#{h_oTo%S3ppdO\қ&hq!DfxF3[`nC;QgEc$iA|Xdy-'m%UvmU wَ)9hO,^+7wUSt%" T$QŮ.m!SqKm, 1@g1?-VFtw7ꔡ Bgum0#DxVm\c0Um=ҰR8+i.Ȇ*CB(dH&&!Œ#C7߼Yi$h3216$&!ii:ct:rš&"2I_]X8ՕwdT #Rz^-`"A0<ʝu&Q'N.Jj_'筅9kzٵ 3*YYo`N}?13MRj%P(Lؙ)uR8>Yux j­| zNiVA+ofOȘ:(s~ DE3tNru |x#] \Z7wnKvv4* n(؍!ڤXlŪ)0P1NyQ^I.GɉGM >ChIr0g㨵Ѡ w G.[{ƛ+ytkq-J{FE Ȓ9KPJP6W:7Tv Q~T_ qvRPNJȼKG`کH:DO.(=ZSͬZ`ڹ$^ǕAQoqx&ebױznA!. 8VXIzxK 2Kf/Yw(wӈB;+)6EyS⏸}0?\veYTIgä&(bUH$7ev8sג5 'q c1An ARP)+GP%16 u0_/CoU|"qiaf }Fn_-4P FU_10.1hxෙ Z"s]Rn'"ڝ1PV, #>bgT{-xv0KA+:lz JanD U>IyNtLkٜk[pHU Fj +j6& i"N$PZP4B0B5@iOTCjJ;f0:1-ή[]nc@~LSUų75a.7 v,nI/{` l_D )={` ?x"m G(Q{|7|./1=m{»wĘ])R> pM?Tġ2ֈɮC+lJs.~V3w}e-:q@BmO7VU‡SҲ\+v!K:: TZxq?fN9Zf[QwNX .;Sߙ-}k+Z&U&Œ)d{Ι3$)8SiL/N v`euqpb$`h?Z-j4Ljq~{ie 'dROnBb9q?]0ug۟pJs*밌S[vT_CF/ p Q@Sz r5 }\'T~+8 >eEQU S-c7b;:^ 8l'E[9b[j p3#H0z:JgXY4'*ک6J7#8, yƋ7E;0̄, 6 pC"uO$iP,߀X6qX{Hlj MM V=oBP`QE4[]K sɸ:8f0n}+5 }~ï":Bp5@gwqKxAqk# ^G>֑D,B?IY~-nQ1ƹ:N`;n֮φO4%ʴ.*D/\qb'*GC^(P`E{[Gaͣ#3B|nbHcOgH#pOBvD\hM S)^4j6O7-,2<2SЗ[c4tHa5}_}gؓۍGY rP+Ϗ8 z(z6CW@K=)}H@f7ʆ̎*2`z?XmrÝ5},-fW.Xq=-7$d [?&4io`2Ô<ҳנ3Bw]F0g""#ڛzuhSzUwIVѡ:8H.<P ou\;uX0nN@ҚG'?Nvk-J+vakW[^?zy5H,(Mƥ KZVwnl5 ^'Dグz5OlbK/ٰ[U+f + B:0In!x搽->hFsOH5Mj۽\*qL6~8e)ҏ {aQ=A0LctJMfW\GEP _-2'KJ_ T(Ϣ{øZ[zbGt] s= o(O׵(j3!_ R䚡 DF ?.{&lZUpn9}4`kFX&]ed mPM 4ɁKEɯ[{ $5BV9BH'֟J 6\ ''b ˷*4PaUh|KIj)|Ĩ!Kj?tfaiԴT}*m/}CONezXa*2z=llF{xgJFT9d!o@1l\ ѱT:9!O\y*񹝉o]77IEaz+S%8H}p,gb>Oy>VQ<.]H=DNԚw_zʹDܛ^2gfe"q'Ӄ s\=tᓙP[hcPzgaZrQiDẃd V"eP{+wxP4s! =M zWw)ղfT{nha97%8/)5}0Ci  VM$ 0Fa1T>چF_1 &`L0x&7y&A'fP"W N2r+fsB+Sv #djK3Ә /\XFj<W|Rd <Iגrǹ-1&!w*'`f ]{d\&z }ŞwsM3BN`,빤Z9 ~.d%(E"])bd&m& ${s<7J:Ce zU<ޑjKV>E_hn8IgSfpW Jo<ʴi KͤygX3E~ &G` I/Eok4?zk 쎁}oorwH7\F*P ;e&+ o\)v T'nN߬H(UA/chdB&h.=AT^S^[A@g<&:mb@Bk/sf! Úlldk$p+G?85JԬh.rmHD8S^Vs-ڒ?ʗxEbï(aoN]-buBOY.~HQmVDzRxH02K"QDU j(fieEA_$ϳ5U&N*ɭt-w.q8@F,ؗHX>`QA^mK:+ e37qc >W<+<)܆*ķjp-dnj1`¡Ȥ67 Wb$kF DHwG$ťN"a?M:vW^5y)Sw2:'?U(;2^h6ǜ6&)/(! 6kTDq)U#8W|BPفQ)3F,jrRO4 ,[W݇huH/b)XRWD[C^[ߠ7 :eZ^#5(]Bp܅>U{Y?<gC /$S߼>uY4b#O×;{d"X|zHZXcn1E榸)nM%(.I.Jx6QӘۥ'PiOT S= ԬI+Q=?DvKkkAD&i,a5j65fƒCp̆Bq=1khr Q' R$k4'YG@: s=-4o3Y.sыY]s8ٮ vruuJ &' k%g x9|X:Ӽ'&.V\ R<4|v`@wx@A@\`\!;ֽ]1lG^ۉ=N2>XXkx:yZL['[uRlW_A5#Y[*F-"PP4h:GM W[fHe˜bvs79SSkӝxn3jy|eD~;+R[6]wKu3=Ԓj8Q{ 3t1"U9`Z \qs64o-fk<~7:('u!"?3hB)ZQz%?,UPv1^TFkmlL5ucgeRB'_H tL:5tpPey:Tardj\jWcؙCt()gtE4^W0 ` @RW(Z:Ԛ6hX6B0<,Z-]8M Eо:y*\\ 24~f"[ډ:5Rwvy;og>Y[, ̙OzͅzGU5׷f ƋK5ާ:sA8טJvwm\L˿›~,tؖx8*B9XDJfGԼt s a; C`M-gfl:I4OPCa!EwxX`-R@+Lx-Aל/hϯv}thRm}psa9t`H|;K/6\TB";_ b?\˲M(KWt~PӛlEtrv\΃@A`P-ZVG<:NԮTrͦ+ K/nfώgu[}&Wb>r/*_K7XfoμQ8^3#t|YF 什Znz VY#~l,4\4#7 `w\`8[hDW2EvB?9C1<˃4"k%*e"*g.6hqcyN G5%0S(Ŀ, bcn/ymj yOA9Jhu((* ,Av9`iܚ§V>a6^A;_ Vʌ{P+F{,G7 .)u)u@\{q2B>Nq`$BF3 $E:I0lۋv@Wp9$w2Iq 7 31>F)*]Ȗ/MS@ts׫oXYVBϴQ.c84溲]J^zY/2H`1?32mKGFR _S "zo*n{?|AEs8{c"D%)RSFAxHw #'-BQMb+4{̓!r¸Q]{Lan~zEJCD;Lղw[(L{>d (6YƤ6=;0'z^HW6g.ֱtypmP{Y(.{<k6kϨ4\VѐF~sS#izUV=Xxva_ucϚ3cwRLhT ƯOQ Y+P@ɚ33h9RJ%ƿdCbvs%mJ~7\W.)rn! ̾%3r6Pg 3b:е0¦,?w -I_;`@[͢2wm MBwGI,ulrƨ|/ d >FJ }xsF-f> OR0м}߶ΝI{]̏hzr·DU*I$EUeӂw%.6yw.wV:"{2Vp""j TqQה˽w+'t!9PH-/_ɺs}TWS6#J @Ƽ|FaAdaJ ־R LGTΒ+FbMpP )͟+b{qNjg^#H>@,VƊCi' ]PgV&zEp˚` )!vd'~^ͮ>&JD-2C3?h% )&ؙ=؟QGku{m&`Y ̎-uGQdax7zkT8t#A3! B92"QÑ1Ѓ mNn2v^G't:VH$TbS5a@&Tdb$wy*rMPY+ɩhX .:ə#.ӎ[VPH+V:1-@§|Xy$KG}հtPWHC`zns1~]hCa{S|3\0sv9,+}L?GILqN@P1TZ_0=0fZB8tPN'I{"j,z[\O2UG6(bt8~kP*̽D`DExOEH)ޡ~1@5C jn]G=K?V]*=ϣZnklAwEmOک2 @://jL&$:JL"󮵾|4I\蛤KYPeGi 0Hȋ/ePZ8$jQ y0"og.G"8 _<,qעefCچF!?Ƣ`eȸ鶪ȳvԑ旦7k)[xKq gJ <80ƣ9+z?l@Eʋ+= Y:ɻЕA72}2?Ң7hvwNњpfGY51lAEO}.CBs!ƲP )"}E5S͒to^WA^1 w%MɪIr[STݸ_ߔ<DkH'jBq^dfŧn.iX1feVxuu,e\MNIf6je_4"-_uN(Ýt:ӥlӲ]1ҷwo[':r7ڕP+P&E) >CiM8)FwuJcfo(\θ4qyKΟ<15T,r ΖIUFU_! !,d4R&YEޮu$촊\&3DC6^"F%KCQ"g5Wr+y8Mݷj3;;U݌c6WϑOfkuezGF[t&unTQt[NOrsS z @jpf2;~TS)ɂĦZrmq%i_6)gWšm>~`?@D%z `=RX?4 pV2vLQ-O/pvh"Q>}eEoUb+v9[0>JBBYWmhbrŋOϒy9/fUPI㟌ցBAv O|gs;a/+$j403 V8sph)g[̳_pS3)=W"u´7VbA4مiO}~4q! i5\  ̷!I?k!tna&Wˎ_4$uLܖjY"<7- @&.?[;cq+)6ç9Yx&9i?9kV v14,^.Eֈ@Sb }j]_ ]qFE.l''wS8`~: o,^Ø'~jcWoIh *6GQjɜWR+(E-ѿTܐ '_"VNi12/.98n,#8x/Wsz%# @*iYl'=WWG }P_sO%yX'=K0e_ַ\K%BbےA.V"[[,|Ar1)LlI7Q0&SC &~pNPeH0/ed`'ԷPneȑpQ_\\Q.JTfEBG|@⸔r"dKI/F jz ֆftkɛQ}PuT`6 +ȈL31mˠLЏTRB]gu` j3=CrVV]EǻE9Cqhzc3ٞ;8dJnVEneIObmHemw02 g_Lb9cTPynW{7VkPlaŽ}~NXBCN^'qq(oxW+3ĥ=)?Տb^.6;2|MXЅ7͜ h|B/->AW}>+ENRڹo'݂i_OҜ{'qrO1_2|xPܷ!T$v]e$|l e.۴qsiR}gxs >)=2]lS#-R,q5~N.#iWX\[?mwTS \yc3=Ӽٍ%hVv}S۶ä-~[PGwF4 6S"/qUڦU~/atqcٳ&m0NtF:a(dSc4kkd[L;jֆزYw-.av5lc!}4R.JC{ip9 qBwE L>¶ #=D9@p,J}S TXV?0pOɿn ÓKǩNUdsg^YᱮثFIxէڝΌg ?:Q&=ZSњ7e؂ͷ `\YRU;5%yE O0;ZhwYjW5A--oh5%d?ͼb%>=:Ї.OcN&.1dqLVR! 5qٲ2VVvIp^_QQ_aF.dQeՎSBuMس ݈-z=d{nx'Z#ymfj$[N(Q7a)ncDlET*6$<3=|~AY]-<;i;9T? ǾaX~ۏ9ҶlzqNIsP,i<L`բPoH_PAܷZ4'cI=ImSffǫ a&7*i0qX6 FYkw![+^`hNDn5u4=NzHqCy}*>=ļ8|]#2I1+wVۣCU>ʬuk5n3Hp8>K8OxՈj"bȩIrrNNX󥶾b.;8_H {XheBv5n ɴM5wR #t(oyRdI6 :64Dc $ubInw+,eHcJ&_92΋cWV&{UQ )hiʜLTp'|?yM]P`nj6,~d'qۀgIQ[,o, h}9yKnMnt*q03^KߵZ૥psG,x4n/?=z5fboLdEZx슯D钍>#I@_dd͜h%P(D!a <`٩+eȓ>E \ =@"S&L4JKLSDlD[3(E&Jm̮N>,m0)E<8pfg4j~_fk}:vl= lZ2v:P9̐.F/|_%\r=All!!+J.P(@-i&OXX2l'@S*)+Ի~D(wJ6j QgR3$FwoQ퓀G5}ΣtƂW2\I4|#(.fUM֙*w M栐F⧎D: ۴fV3,)C3Zy1kwĉqnF.y`mFOnX§Do GcXNA{Rga(1KK^Q7/s%I UaURIK\^셣ƬD|(BejXwT49A"%= ImcO,r/f c%VMI8L\YEhh(ʉJZ_<#-4k aV{4j{qƝ_PK~[oS,b/-s|` CIP( T$^ R'sYT@CP jz6N_DoP]R܍o='9 ތXf|0 v°5H  < \]gguz +][R"Nl5{2LOŽ-P |iE"eq~0P.AL:T^ʀ:f+wbdwko\*D`]opnY4;N[$*]kRV, "kWgĕ3uZ,vJ _ƏV~(E੩A!dI|bst:Z$Bӡcl7:YTfIAr'AG :Jsx kUhUW J[H_iZ32C| nD+ܣ★2z2i H&"UYyfwA[ڔOcЎ-̣֭11\dz,c_i]í'HYLiMfbn\>(h&6\FcVM@Ǚ|.R \DBҸtG幼[L:Έ| wJ Җ߫'y}͍ۈ:@Vvf|Df-WNoScVfqQo ~\`>Mxܷmy| {0Mng@3L6x] OB˱' :6%2]NM750nBA~R!OURɋ$|IZ=S H$Iͪ)Ǵ)mXIdw qQ`,~eTLA9lT Kp%җ>n's=_ Z9m'rEķй(֢L_÷$DըxqϼтWǚC;7>yFUAU%*b1Ĵ3ml3fzR(mtƓqgm_XyygaI6'^9nΏh~i5{uf|"Z>0j)(h'n0 6f `U J.7/ޱ^z1D!g=: ^c͑LTv+1En݃LN@/P*Q2sթ<@qM)w*?M[E,?gmR)IUsLS{0rUkt0"5\127NG0 YNCzyhωK@$d,jMi1h@:U FDh` ?dQR@BFR&j0qn{{MMhT:Y8uewY"}"6:sMBzWWǓVsơF͔yȅ' ̇ ,Rr\53ݗm<$E- .vKtݷ<ڣE ܣ}tX@Hb}fWPm@T6.m9رKfXLolo;XNs;56|)z E+0NE>ILLpֹPb ib|Kn5{ZK.8-!DXIoZc]a_ *Y G뷼-S$F*VdjHuK5+}(  pu19XAlRC;3X;~m>񕔐 (c CwÝLC:`TZꡭK kCJMP- w'?T^X4sRNx7R]W>Z4d&@n gl_4T_JQFOh D=}/^7A 5PC[ T,9$*xXHMo+wgWPuHe!٨7|>i-?&qŧqԫUpoʰGߝ,i p@~\H?!GU_;,)~BMO4TI$q?J!x2U<$$V$Ҭ=ݹRýV%[K$:3Q {^דIZVkB($ +|LK."o;{g ߒu4|MPL^? QSBZ:t E-_q龂&׽_&fsHywV' h nSS^A)4KZr,ج5:}i4:d:HIrjQN֗ʝqT`| ed2ܰfe&`q]@ 0TEUHmiS<MwNT 6*0wkeKnwpC]y*]n[[Kz3$S8qhg|I1!4Lh$}bH+ESo" k|UA`yna6jO-m@;7/2V zpȭ/՜߾AI;(v^7 nW܀VGKdv]g'SKWJkt 2]=LPo%ְ/QGIE5@ "XIFg>;l9rhE{4yb2{D!I0T{}ˠh*M%nhT`wV3q#8zIKߟA^\l9fV[E%uHzϼE($LBKQBrwu$>x>1RFhIKSCYr449 YN'e\ԟr.ԢMT jj>%`4ȽJ10wBx[aƩjy:rdڊA}2%΢=\L^Fw*H o~}w2|NUSPA:)&]Ek%YE+Gi&/2Rxv`O3 CK&_G#ws&x<_gFɠ4s@bO,RzlvRւyF`7&J✄W;!DAtJ]+,$ͽ.h4=Fϩ-X|AFA.h ЉvHʩ8{BGgG2X oh.o"seͮzo"c~Ӏ2鱽~1\`t?YoCW.j,rePQ%p}ʼnyvV7ע( NaU1ͼG78zNk!#?)6!j;x[^xǮAExidW$NG鳥8m[={,oS$'"I#X婿n֥(!}Q:lGv;g~H͔誳|˗|Ik*sg' 3MWLP9uşhoV6 M'~˻Ьke`@O!qg? xޗߊ~/JTv UsEBILF`)o̡wu=k#y~AN͈ff,2u'"0`4\; 2מHcd$h6&v~Pk >iQHJ._„mz.( j!ݞ{[]ד_= !I%KrC)N]"{y1VaJKe@bbӁXڇxp/]WB'"(kXgד,ԳC>)%5$~c)!5dHL@R'SfvXS }p.h@?pgaKq# tOmpXj*yu?mIC7@c*N{tGn{bI'Zƍ85K_GEހ1Y3¨**Y'ìO`Ђ*B#uR \M*߹{G۷ l/Sؖp~Y ؃WHzն6UփR86tUMa*5 ""AjLila'cOy6eUu]XRWLEщ6LG<1}~k_x5mR ݦrȪˋl2)@DWqJ 3vL ㎭9Nnah+J} uxAiO}坙 ȠdU %yqfقaK`fViZ Kr~dє=zON^Cy}HΕ9_>X<*OjNt#tO.gO> s$I''A'5~DM9`dCXZ;L%n,nj~0tQ.tcㅢDN4ncg} _t N%[-ҁ!DR~JIH9^(-Q.2`ؙi`%1]"8QRrl|y1Ak}w`pPy^ƋFghU|Zp!-cA`Zro ­gvVU,BHZm3Db䥘\44b{Bb:]}"*{R)IMտSұUl,3g}1%>fl&~}T2m~3dW},#wSF~^:D r:KD"! TƎobr4 pFv8gjaa.iU %Ke A V\2bբD:*denٔp㭷l"{ORM4NOdW?Tv'̄$R'`m0WؗCwY1e`Kl;4Ƭ: e4߮-o[އ^N/a]W(\ )y|ozS p6qKdʷ-!`: WȔXbEҴʦ*,w-܊ jx$\g 2 ?gqJr߃}ɝ:S'~gΤ/(Tf#A |k^BVs!?n3N-MEɃ`H)X~SUR܆d!Qʋ)5L\G]S,9 UD0һ-uǜ$OǔM5a!3vl_ӛ jiʱO ECkE' R#׽2pN⨻TjsNz &M'ز 37];=y);zF_5mL9seFF/&5P cmWW^ú!_6y׵='?V6ubƛj{1O!*a'`kN.Kct$V-}K=_Tz.p}p/E-h& !/ TLmxEG Қ&ɣ 1?5ECu4륖* ,өr=w-ԦHS,h-nd1fzMoqE  ) Q4 {OPZ ?%}@=qW#0v1܌ IE:>Y,3 2{CR5^Մ)=$w`Eg"j)e֜D7 Dm5'Q:fBq.-D{* b`uxUL`)[VnS46ڰ^O=8ETЧAA`ڋ6vdMD1賦o(h֌Xo|kጁ5 -=9@ UD\CFܑpJdKY@Ci)nC+dNxvmՐ6*Z5 h5hfqWevRiːϟbsXV G 61܌r88n9٦&` y#Ĝngk;jtT5=.Wچm5Rᑣ ௝YH{mPjh"TR+|,YԿuhWqq$KA2ԳR Mlɉ,Xu8<:,xz%P;篃۳RDoRkh%h=L/\^a0Sф:&8t!ƻ22eudoAVٖ.!RgG̟s gw6!\ h#sH ]cu7,(W8tރTk8+Vf ^]s0<8RW7ej鸕.lR:IEC . c}dX!i.r&w->MTj!WнVƆ D ]%DA㉣Ѕy.^EgVUV#7%7K,ۗ bR#(\ ˡy&~F5%dnEǹ;q=a/i#o:؊w? z!Vo兠E&& .W>r҆qocO&9r؋[U_OYl ή &@b7 lIFP7v}ASX8d;vW D6݇#%]-p OFFJ/d2%iVC9>"_7"›˩l}"';$1伸WivB6Xew_hnSnj3j>U J-fc .'>0d\]C7!KʟM)zoJ:ux=@OOA5)&fȀ0qV++sΛ 9tI}4F|&VaLdtv:2 ۟KP$4/7 Ttl=u Bs8ҸQ7HR׿n QPǷ:._Ϥ?*dГ h͔CU:5H*}r-Z G XbtY'a _$,N88B]H5bp7SMڲ+.LҮ^Pǝ,z=ER0{UeqU5ҵ*qdIYy.VpRJY/\L,Xm8?Cr[;>c8<}f v q.]9{ |Ck51S[w:3%jq]^B$Դf!g1)T+k%{mS3LOj)yIWSG]^?i>Sn,%W { Y9/N[!YJ޹}>jNzU6)E6Vm0.\ޒc\au5V`tE)@ 2G.HM~wE ;+u>K,Tb9vBo#&bܺ%y=RPJt4|MkN6L.5Hw>m6^Z#RDT4ws{=h ' W^tn`sꫣou}>` Es W1嗳%~.h_$y tc AxO#g"I3j}1"* 3f^@- 浅ϟ` h(w XPlr`K{>FZn+ZCswlՕ2cqb,, {.}_9-&:2v*Qk_ʺ6EM~qق-b7joV{1*z+?{R~cp[Y/$s Uia/0tLKUF'7E |KrFݡP~S_i82P(zyc C_o|sk4M_B0 tk]6Rbگ]suP9L1\rĕ ៪0\q+N :7أͼK fѣ~Xh/y O4c-QmB1" ."I{$wx榐Yßa$ >c9jrxXpa@njeڟYd0]1p|5 KbT1]LSK\.c3۹}[;11h{O&ߍQ,w NVvg熟.¢xH0disH/ZD2|7>B,5ց}p?`|5E{HJ6-#2䂜Q,>VY{ٷ,B6lGoJ//ӌb;شC"ER뿦.?)JS 5pQHVsƦzS.&t^Y#6ƫGmUE@Cɳg6,98=)_ oW2OD?:%l-Y{*1u.&/y˯G ǮtPyojQe{f94+Y.x@TE"}?ӕ7@;Iog7B}Njn8' s x|aKl5k|)kJ=1O$ X+/́)pUs-(X Fᒤa2~쭉oHן9 \L~Xt {a5Ҵ]a@'Lfځʡ%s4܍Ag/:]Kfd}e.Dd?!pk Q T䠟Xe%,o?Ԯ çepwpfQ%옹`*Я{ (ٲ5μ2mSSazh0s=<_Mm5v^߼X;9G Rt [葅qFƐ\$=0[bɾ9I_~8ÅQoF1<ֽǗ*vrb/w %>6O9 L#ϡXwsIbq@~@*I6G!f` F5Ɣ/kd0ȉlpq&#"p3f bRB4-Ve VVreN|Is#rG *c-i9S,}'|Hq@N ntIa{ݿȨx=X&Eݜ-]yݿ"v/w(c ݆%G=D܌V9Q$Eb8n5~t^Ð( JsfT|_S'w"ctEvـqs̾ɲ\!t7Zjlt/yexcOReIdRq^R8 7S)i0fbub ,KS2'?}DH8@g+.tkR0{ֈ:Y,ݣ~?"t'ON"ŧkDU)^Lႝsj K7Og)EE=$~ S:r6,䙥Z"U(I1͌t;ӻbcm@:lOÙꝽք"p-n}3rPjwJ2ַQ†f'/zD_ Bhz@5>]=Sz) Nԋ{I4E{5ra >e]A$TH凧׸׬?ou`:ӡJK]o:t*,x`&\qo/rDφWE-½@?$jS1eG g`<`" d4_dhL,2Х~;_U`L`.tUfE'c_qqao7]%{4'orˬQdup͖`;|{q"pId@,2+ #ƴ_[S!i`![Ruz}p+ܛCyy(j!J{`T1k^5ѭ%c<VY+wpm}cG2΅9;e]wm|nk\sB~+DYˌeQҺ~sڂʥV!~(*ٗ~~ouvs]z<L> 2@j٢GciYamQz(qr>3g,%(8s@b  =eci]AIBՒ_!R.A7ʕx5yٍۯr/^6x /ŧY&/(C)8JH4}i_O[iW4۠ykR_t[k" sf{sFh(У+:Yx>xH2[ț[fj߽?60 *?̫Q4 jWʥ4?_ЀLf|PxwlHyh)EGeVSI'OX~9&#) .;I۫y9%)SQ`/,awJ{Oߌl)Kh)vN6KW@-[TKR+qS~O;8Se <_[NYeDےjQ${*%WtaTl!jh#Qt5lsm+EȢK4aoFOM+Tҵ#Xh&ɦz0޺` lF=e:GԠ˰9\$ @t(χ}ttܩhF=7S%Eyc%rՄ j`Dp: :![y~ٲ+Z %'WXh/Дe"ӯE_7>Ղf1 b:")d{w=Ot}SD- {+> @sH@)]QFJ!,`$?}7P4&J IFgʐiHYt#:`5>s[|ޮ/Ht'ͯ`[k,fʗ-@lеG,b{mUc|J"ayD;{^r< ]v%4  kvR[ ݟ,CcI+ЁAmSnn8O5u~LyE[-; *0sz;o?/PǺ[crY 6("צּ0im30F DDa6WzZ/?Qj+M Pe-* }fs(.X}vZGp Ɨ}#ӠӃ`<<%tux`]ynds1bb|R ;d!䟆'hoA@R^nc dz5~J&?Z+VhپcDSm|g-,;ܲ4|]`4IIdaV0@RIެ ػ.76 ZbaQb[Z"y3'+Z'"S5uGbS<ݾyv ς_!2 m^h}@nttϚcE[9SXj:xI]1Î)?#i8hCw$sYn/'N8=I.= ci!l`.QthiFo35;sR[bBf)>:CflKIgê6ʏ׫riOE΃[>NlS`e DTpbd,*`vx`y/3֩l˒JfVmewLa4 Zvy|$9 k[a]1lL W[ڽdW3"Mw K~x#1yr|T<'ގza2A <fm\DA"U+2%\D&WdЀmmGxrDȄP'N,;mwj+p<OM/w˓06-uy0;C;<ӝ&iDQ!f~^?%̗̀NAP]Ʋ47[z"H2.^QR]jUH<&QczKI$k6,svƝ>H4-Cy Df( ~K0;deֆg_ ^&@{4,櫃炇lIC{m>\x%>ʇJߢxC⦜U`Pny{tz%yLI/~-fd.EGJ$,Y|9]ka+)_q7]_|]*6F;{/ FxD\.K!ـx袞 ecWsĵ9S$һ_@w=.,3-U[=eݭ|Xv!ŽhIH"e}p0zH,  *28&ko=6*l*iȧٍ!ؿfk^\Ad;zk m<䓬pn 4qs)*Ja p/=7r(P.9Øni pO6(ۡդh/H.\g CCoSg dÕo>\2r9->0z,CMlHi_cŌl0RhuJPvZwKv6*7V)#+)ɦ88c0EƱ4:ƆK`DXV[Y6` SrrMu*5hu8fCxT^e$GJDF'Ad;ZMng;$R螞dnѡzMālsa6Kb cA|஭U},'ubJl)պAG0'`B$jXG=@8 zǮCp'4+a:2î-0iUI+Jfء/ OBk~i[nP;z8x: ^x'HۖmH, nqmP8kC'5ԣ8AfeNbfcWXL$F@LS<mY ua2`:?MPQ 5F>c'W$z$m]q q2( /Uf{Zz(b u,9G`t6+rƸ(xwHUXa̒@G|k0>(0?[U qftW1S.aEcBl]+~ 'BLw1#r9&(a!ݴ K;ή/.uUzlz!`*n)*+Ҵe]+%4t+&ʎ# v+˛l9EHN͊6w]=D۵Ĵ6]9o`ze8#}Om+X f"ol"S[G]NWX'i0?f0)AuaJvp̿% Alfx u%wF]sD d8E^.`Ο^ 6k`p4ƐcZC Ru= b^X(^wޔ@ ͶNYk?PKR@i<}&fbEn5Oy7Q!Hl{Z;_cB?.e/C!<]@G*31MA3ߤ) &7Imc^W 3fc?t\hVtߦLӁ|@v6++3߰8·JVCsWAk(- d)H ۣ#J Df^,v07rbUy .ȍT+-8h剏'icl5VuDbk sLeYhmeB)1[.X%NAK(:돺>SItrкF`~fqq9HD8T%ꁵߤȩ B>n*[gU}~Sz&-:Pzo7` hhNg"W: Ɩ} ﳶw'w)pD [ro{|q:BZ_QhD;Fݜ fTDɯڜIw=IϾ^隠YfAL@+  @} 'A2|ˆx\?`݊ςBlp^FМm2;PNm0 s-VV:iˍZ̷/N{δU^*\a@(`3Gd ~zt.C'ꤌB%&!TZP.gOOx-J^WN{J[j95%> &xaU'*]xA e3%ܹdEKq%PP?$HNj+gq%LOy%$fvtitCddpPz$y#0m ͛Tve5ʅˆ NE_GፎCd@XQ >u87p9xu,ׂCa~kA8%`mMݕa:˛&I} q|lGxWb_EOdYj"#diGV܇q{JT6& 1Άp "27gގ2Iy7izyZQ G]i!dzd:a*5a h7BZ5 ~6@.s)Oq(rjK}yV'^j}ӋV<Ȏĺ1ۑƽTZaQ5ɯPqC$;TwF˾ܫM!]6kS䖛؛#E#bR]# gr}$P $G^kϚ^9 CqԂ/ 7V{3-/tK5wtN>Y߆0ZK>Z 5y?B)?P{Td t_ͨmV٠YΐJq.pqi Ú)-У9ޚ9< |FtbNnY/̨zKZ$ޚuW+\efTS4ޡۮﬨ*cG7S顗{`f AB/S} A5,Qq)Ég_7VTשu& FYDڌM~躂,rĮCبq]ˋIuBph@hRIW 'oݵNke<% FʨRö«$aR ajYe -b^-'l[UF-duIxMK H=1ʔf+vW'Sxaݣ/"aJi\$i |sZU7ざ1q JئX)QcZ)~hS/(G\vو=Z@O8ٻ\0޿.VZCCp| ggi?YSDyՋgFڅ<ljj G@aDnHm.v)ڊ='Y舑{p<p~&Zxzv+B'Ÿ0OIy)yK^BHn h۰. XFݖ)rΰz2{;Q+kRKnK"LRQ>5ҝ$&'z{f!u27'Ŋ:O)ϔk[0qdҝ2O1Y, K0'054Yr{i=C=MpHiݱyμYPG2F_ q? }@@0Po.`ἲ\F]ŝYGk$)taVEbK(5rM:OZbALRqK·Vbdۂ4e4W,ɏ LOw}W9(Y.7Kn fZOp` ՟e]:"lЊZqV<Wg^U~oGQ{Dx)*xmbͧuJ *ozi6i8)~qgnοt7i2$HG6RoԻ^—ۇ0iޜ*%msfbKfu΂5H_ =PLVYx:'!}ԏUPq'54C7]|2m8_CƆHx߮_hC 2Ibm; #W$}<6^?< W3Q/M lh2 [=%0#<!O+A9PasF%Gf5 >^rY̋*_mH=8РZ9і-Y`ºԂVp_DdҀY\!1E{f?;Y Z%kȠ<qnj.zsN\J;.VW(rVd=ڏo |dR[pT7J{P۷l =62/A@u>OίE+> =f0 -ؐ3GN(z(hu1u4$LHakS10 3Ru,-N(8欴jPzn{?}xo4=m@*6t#m6l_mLOi-49* {G䭢1׌,Ĉ(UaGc`F7:Y!))VB1`6gtg6.V2gJ3 b l{5ipb.'ҦL-Cu4+b \Mdci#v ^:…s!jTQ Nf~D[j6,eo 74GhP5SO͘O}f4)SDd6ƴߧ}aðՇ'}8 CTJ:sb]+ rOӞ;4>኶7QOw&K+_8RU(gr0<}kvź:J,ae5!r&]RkISG 40F<2wԒ8ɼ|Cfd<}ٮ8~XD0.J!( v4/@  'BC"C wTD(dیIW ˠ 7A-Q4 O8?aile#n&9"7)Ѹ^6A)b5_zٮNN*~ԕI>w5鬐,ڟw mih|(Q9 iqf 1}`6"m(wsny{ GD q<5hL-`Tt;ڋ^7HhxhN槑^)PSIUQL yDEE>7}S;'C蟐pe}94VQd"i]~0:LH96'os5u5OHh7xidPީ 1B#^ F6!F2A t>WODqh.p&fiuWp;M =ZJ;w}u=p8Q80T@%"_08oګJC33usD5;'oBp[UqA~[`=LFTi&*ޞz޽7V~BW2|.fU6=ÍCtZlR1JŶ Nғԇj=_4 ܍PH fX}3fU} iҋ?=W4 %+Z^$\ CYgu_&5#hwV\ f>7@)&^6k2 j=6pG#Ahz[,Btrۥ7bf1toG먵"'[lu-}l9H9]k^B5ua+ްw=uVb"}8YB}]_lmtzEJD#!ȹ6yA*husdQ<4 J}E{;>ky":)HlrDxu3 lq5MIQdEuR ,@ήA٥!>m}/ڢ?KH^'GuX/ieiMظc/|ǹw4hwYyf]_Mq\+>7#)k&𾌬nAXF=`ƑUt6[EA1tR-G ȝli"bT"_ Q2c<5CĨ)ҌO<(gLʼn 9^Lq}g~@6bƌ;=`&J((M( ]Y*`נ5i+٢UhE4:4jGdnJWVc4޴ w5J hryق M9>`pqdOl;qRke[r&ʽVq;)k~/aF䢩$|9ic[D^^t#1\+E6XȣRH( e3T4qe_!/ƥ/O[^!} 4{2@&;E2ۢl$Z g RQ!b)Y$I,*]x,*ozBm YkDe[$o\buX; M fٷFJWl?)R*8T [ł[Bng4! _}cָú&ݳFdBW ?N yXu/픆6Uٙrei>me\;a曟܌Hi¦ Q@NT:⚚W%v #\ףJmvBbkv1O>,aW;fZW9R5e[?7i73'Uyd[_+ɸuuGQip_d$ 1n/O?Q3wOzgV"?ct(OA7k{фp׭CKrf8[9>b%ӳPdtǧ(-U LA]N{276pk\ށGWN||ubVSIF|XPُuCi3Фhj RKeP[f2Z-㬗w OE lj*{EgDZ73~'Zu={ȅHd%՘k2쳨űQ"O*^EWJ5p,EDp>^_l`ʦxkq<|9~Xbܜ#9~㕝;B0^Ն||>F/&F!2ܔwg 4H. YR·},5aO.'eZIiK%XԂiWk̛ۉѼʄnc>QaTr~нߦYs+ {݃sz)5 0w@Qb =>L*u¸@6Om}՟0{P>0{^e}Qbl`tF}b6_z:s( 9n-sf1nag,*Mr&85X ?NfUx1cS\#x_!<|dž89fٯ]\II$eNB` K7<SDAhǜA\*osjЭ 09bV[ScZ;o/k&Lԃ3ٙVu^]*n1 Iʐq4]in*moeT`/ w]GE\*ݫ$ks\ e?杌S#7yW~jܗ%JWWρ4veTb/m)=$]8o'hWfFqs+!xvGdD_m'$?ˆxD [rp[Y-x^. Cb/<`A;5a C鑭%>v|H^w"-z/sϟB<с0LԨKmRwUeC"d ]1i/z2}2O10l&8yY/ԋU ?RV;ܢQ)j`Z% (pgH {xHC-X1F߯xn_q"`CL_T>[Yy^Rn'ȏn7I&٫uk+j,z:NE$^P|ZȟR t_n/b l')[㼣y\T=+SQ)#Zt|0B#  t5JC:Іo8{$K5yT.M1+e%06lFf`V H-By,\%@+'alj 0ߝ!Cm teP2%T#m'UGʼnk\MH3YY4BsjDSN1] wE+`Rp^9OOX`c״}?Xer( wi #(Oz}t?CYSծistUkyz6%[pNXJ>^LM~vo 4}G74 fzre|1wJ%dVr "&o HŽ&퀼$F<_iwp-y:[;Y 1i. z2N ƫ*+m?3`N g:r'\kNz(ڇ!TWZAbP+&ɸjY86sT3m2!eTk"r ??pC:^ L"vuV^Qvgq֔xݴ^XXvV 6㧈 BקM H_ʳ;66Q(q16pL#QbcXǟ5c_9d:}I3ݛњTmX@)3o15HtxѥM[ HɀbYv~-{Cځˎc_s[bO8*"TbP.Y[4)mph*gf,bqWhrjT8l Iㆎ`<,Wa%8ۗ2ހnHmhMG<B?7սlQi>HYDfiǁ.`Zg)td_~%h*9^}3'#^--On j0ڭ~P;KH1 L=$c39dFkiՠrxa`525UtZvYo=86Xx_(Z],¢shSՈjC4(r4M}Q ,֡ Ă ب!74^XHy פmTF)D+\)!}oCTw'>76k' '~yΗ! {l2u)ţ%݄-,xol.UJg>z._ϵz#?`c﵁Zgi(z *%mğtQ0nQX6iLnDcqq7JE<3=-  hI-x#!+ЪEقu2Y `_O92*I{(b-m Ew/F;X}Prf\\{s0ڼL<6cdFt\UsxI⌙1ϼkdǓYJ⼻;ppk*CDV,Al튅EabN78?`(q<7֖B!BOGeJɒfnMw nZyZ5ClYW<4E|^nYɞi cU"W ;v?U^|ʸU]]\ѵHbhZkgF|}jTunbSG8)>H7‹tPrWݿpr<$n^!ߊ|i#A҇S""70f >4it>%+9arJ]`C^^{Yw !\SjxhILBcO8/A@ F{2x = ]쏗»ݨI6%$B3>[뗖OxSUSSE@ױE@zon\mC1GOׂ&"ء1H:7E,B"lz版,Nen,76ʁฮ)Y4!lj$l#f=xp{Gb)WcnN_d3Wњ:C2Tip<ʔ~7bAm)Kc[Ԕz#lA"ҋ1[Woܦ]!{&T!%Gb驺8%.%!z,QU&UpWfm/JY|P8t!UŊr)@"Eal 8D3djxlW}jO}omp5Ƞԋﱉ$Cl\Hbj q(::!|r\VuzqXSܑ!Jp8 %zzvkwpl=Ϡ&[nC =} 5@%01KT+:f ~nj\’/ܶG2ԵM!{yY;֛FZvO4}%vd -_VJs>+&Kn-غ5c7̴b"&y-fri{.mΠ+ab+I=dQ 8|e-kiN!<<-2%3IFjӈ>Ί6X^0&;eIn>rxa/ōA޽$r.٘_0OZց[͙aR3o:Jc,!*ΉBmF QD WZ"ܟ!$}]ISU sCZ<37Cqϥq56GìZة\m#[VNPD?s0WFîӣ"U!@llk l'$C1"*哜4kbAÃ8eZX#@!ơx 1i_ϥΊ*YȒv,u;uU-QnNN^Zq/i݅Ű해9(!Kfr>fm$N^ ,2;(ed_&7;Ux򻽯W*8m(f@$%׋$~ro@ļ{b+|>jGphSсy\r&&ej8rsiH,x=`/ DO5㐜y^Ufa$Ekq.MSX*yCVƒۭڦdSc iiMma-.';kŃ0۷wOk)Od{;k@aDq܅6i㊛+8VDiH{k(ځ; 2Mi3l%\#0&z:VV/Ŷ PRuNtbd9aEalQ= C+(%KuyIVS|^Gm?E-mU-Ľ$d[8•6R2ҘYq\Z#FS,rJ; DD%_ EwIB-3lؑFE/?w5s2_M#æ->w²?ml|zoC 5y'̥D%orr\dN@d򱺏v+ ~+ԁ CwGkƾ:| Twc1@xePt@gͯOV5R .&7tq%7wF 5f'MnujI* 9NwB{;Zyӊ=%dLRjt.q9bJ`; 6حJt\WÍ eŘ4rj٩0Z]xܪ*j$^0{DPZmK`C/-)>'D Į>K8|p(1*p#lx) љMS8[mux&{JUkI76>i~G?SQ=_;a󧂒[Q*]?eSzU=zB4J @x+#dM'6gn q?H#wؐk[s4$ y5DH,+o I6\d٢{f3Rm|}U fXX R8 5C]p˻eQuk qUoP{f;Y$Ei9b"!lD&_AG̢*Zt=IC&OˢR*?SV8#.q2P̻,.t :t n:2WÆq=%mv|bMBj/5o(= +gh)8V<~H}}%Ȇ|EvCn grV.^%φ&.G/u.>ɔp;A4i0jr7y>o 9Jql)lY/o#l'D)l& {oJ ˥ 3lլHH^-XR)t\F,y#jd0b;4e Mp|ve~»P,a|Vpe/(9F}Sw(;&]XI.V.!L>y_Ҧ "#W,CȡE;pı>wT lo 9Vn$]v[?J$T SyG3LysQ{*W;5n_/E2%Z'/ѩk&TDV5GxT4ewRRxIQ0}rc=g;`/y#@ض4RUk0V-CлYo0'~C@=*Ca w ۩ c,}ܙMy ήP,H^o_g6I=Nu޻ս`ORS^ q?ݕs0Ӫ#~d1Q +Z}-];+X2$ЛmVANj{CU܇@}~1+`}vϋ0FAg@s7a)+?}:"+4< { vsi4"PVIdrbYaּV&b`ScYBA\t0xiY YiT@Q_p\8|":V/++4a|79gà Vg$@NgaeSpPb|n|8#_1GMD6 UH^4-81#0$(lР=&~EI/L#S<a`O EF#ORBsq^i>JjʑFd2#ȅpSUR8?Jq!U‚6AO~ ʔ`{GvWk~fbZՑRoC!-xi丒(gvy{>CPB;6l:VnTCC;. 55+ J Y(&Ye-\:!w(> N`1tc/5mz\ c<“=h}z$RG25Xgr5g7?_T -SR`|f?8y! abuɕܝ%Y/Zpӵ|C)A {p]ݍo3hPͶ̭ȄC 8a>ѧ]9Q2 ö%׺FILT.+0e5"Cl foP܊Ŷ 'aQ[EX:ܾwP˃Ӈ(z,"Q+Г=B~$c.Mk$C[x}aӠ$Y57Ħ,Hz sSx:>hU*b/bq,hK`vS*9-R3q??-+{vNį[c!>qbDpLX'llUf P/+aT$ 2}sT$_ͦ?'*5|c}XGTa޼iuGmX#-|r8އ7 J?w$=T~4 O|v/2Mϰ9tAlyK-)gp<^]/ԣc=@hp, 3wP'aweʕH:6/Feҽɤ(>PD+X6cYV_{;Nw& zr[؁*V6(N=`tΫbd-L}bzﳼo#猦mS$f ҥO(4ʯZeqIj"jyÄ(8>Zw9[5o8ol a?n΂ϻw7B([=ϗi^xݞBM*vRYmdz698>a 䵼`RaI =B~u>->p_w,&g@1CȂaOƷ N)+t!M휳a[kf|2t;Zg,W[eЗ3S[4_ )bEV^Beof{w~CYr̵\T3Ξٴr vD OT',qRlF$jnsIMu6sP؁!"X5-wIXS iቆrK_Jw־#vzשUwvq3['ou%Sw.*^4j}՜.~e*XȘsT*a"H9EJ(ˆG'?/dv𲒶n~;PVޓRJMy !!126&$j_$ +ceeA(kAv.+,s:~q~՘#TQUOȈrauȦ IQp.bq+ڸ]>s[J! %1 J Z5D9 [+9`L&t :p= <fi Ppe|ndg7f$MgZZ`!u"ȁUjScqL~LJ et3#"_= JM~ϲWJ~+ 0! =I?sBZUiCL4J.y{&Љ+1Hb3!i;$dufv:Dt $gxe HV I,jͅwƌ-'UM;M`o_2MRezRaZT (ߏ@!ɯ>QǼ8Fbcdt:?s5a-L/=Q'Cr+oG4Ey[w: )ϸ7v$6smfCۼƛ s![3.R8BmoDmR!\^l<;[YDc)!~Fܐ4ɸj'Q](!Μw1I~J."Ob+˷x Y Ԥp;>H)0DB;AtV$lHRB2L pwq&;2c\Rcj?"^B̀p3*~$yOW3nPߤb]v$ivi[A{G E~ Wv͎0RYlArWؿ"T&r29WHk"ۭdžDzӴTE1Rd8f%M,quFV19nmgvt3Z*wkOj6ec;uqBC?Z-bj< 3̋)/tdpr9t>0 G'2jcf+<Axo1 )49<5uaL8Cc gЈpr`BC(oHt;q#rMuwNwʭ(3'φԅ*Pv¬[6l jQO¿#ݼwXG P1Dލ<^ +asMl)EэuNPw0y*)ATS{BgZy?`cO&0ے~peLig*v$Ὴyss)֬tS&i_Ec+.Rui`aQ}rsy]0-_"݊l= Эh_ӳoˍ\uZ9MO^~qoc y4nk).4 wuQmo*?OP'2G2EZ.>R] HtF[zS05Ŋ}R-^iڏMt،^vQlA59ɂi㡹$6*ACc4M}yJ0pN e*J6x$pGoc M0@@1t A~AbfuS}$0ꂾ6~p(2aR1Q`tsB\]\8;1d)+YJp+cb$B(1RGhKt @ Rns\̪Fmآj()Xhbǚ,{EހCi-#*B 6EYĕč>Wȭ,.<)4-^H|vIGuo-\4o0!.~̼dHZk2τoIxSV5 B/TK!ꭻ5E*I3}XYG$4nFwZ=új~g&5M)7i@D!r}ѺId_gI|'v|d>mM1<.b[Y' B?(] %AWI)ޭ1]O ET'@yO2eZ#>?6TX5.V{ˈkKe5#Y$t.§Z&>tY,2_8 R^} [5ikGD[q9!Y'eQVZB\pO+PxB,eyܡ7uVG׹E'+L\4gEvb V^L ~C:6QQ;Mc}uz 2?]K^^K-lQIj1gZLyf_G'WOZv 9Gp5| 8 lS +|xg_ؔ0LK4ۿʟxAXJ="B ;2+ 9+X 1ǡP]HSMʊi|ܐ0&z>W}.4~gڱv]Y=2CrX.L#͑ {5P32YJ]IΰZdIUr&5`J\hE;r+ylURHfneO@dؾ1&ր`8-ܺΙsRnr5[,ؓz'tߔbXYij64Κchۣ=!`ոc&t)ꈁڟ#;c;FKS;N5u7`G%OiͬYYB,X7_Nak8q'X음T2Of؋ !m!u|Et[ DݑIDܺ96N96/XL?3)\.Q7-p%{#u~juFCfȞI_[3xZזѓ})>sqrYuIb1< Nz.I4#P]ySs>Oh~#FC % 6p^kHuQ){\ނ.Y.k?. LN$rPRD52Ă4L,ԶI"ڙO й Fn TH"2jL.np.DZ*WyRoۍbnMJ.Qpo\;.zƿo^:;NCfu_HoԪm;x~eңUmۀC`j~V>% BjgL,<  ۻ(nD^%#" &|Fu O v%43/hLB.$z"hw |3Õb֘7 L: *_eCm[zky's:^338Ӝ@yuSFd>~xC@$1 2/'aӺ[NHμ0KdȻyD}C>lYfjӲ [ߗm #A2+HO `ItzK?]ߘmAǤB9{@1AM-on!ڊ؏=Ԙ;>Py&onjZD>}Nbi*62NX!}`Z~x~ H=bX DG,rZڳZfξeFOF" DbPl?f+ԍm:wj"m1.1fT>y׽G> f\qH.ǵj@cZ9KlK&%'@>bCAFQOZ|@˲*qWg3K ['-FtoS2UBjdްpc֩׺n!U*k`I-YN#GgbvO¤edG,x88aIƊO4rg'%?j5,ĩ6䖭I-<1u2lm;aJ z)u- \Ú %և6qƆ##ՇztTMƒN^D޼5d6ug Grxu"f͡QOΈ>VqMSރl4;nEAXJ=XLvvoxL?}[3ޚ#Wցo`l[ |llX Ě`.K?ݹvz\cQf C~t%uq6>-^"55X u]qFkM>[ڟ]H74[0mTǑ|!Q/ Is2/ P⽧SS Iujf q$JPnb J1j.']yTZ9Zkܭ'7TcnFܷcbdߎKt?^ZO$6F#]u1bV-y!(t.;_%G,nr ~{+Jt}1r$GMFW˒V\BrmM8Mi.Nzb1%Rwhb6hjty^jJ]oeBSv*yS67T./O2jq$qt񇞯3m5iiZ8Z&v:|z(ыs&|2(]~X;j  !#m{a4e[]W Z^Δ7me[;&쥨RtIb搭bYT.H@8Zw*t>Ꝗ)kk$XѬA wvkE{,B.#"oxcjw+SQY?#k-PZKu :87x&Y2nBɉDwAJ|>̈s׼^킔K ꂒZ%Jp!hHA )?o&4ƥ꿪TR]eQQ:i)ίWM[vh f#IV훫eST('rJEgh6/\ ھLJMp640AD%o2k$dz8>:y:%7kʙYvA.^~x?xԨ|(\g%4AoY9vJ'[p{7A PB;7 Qwv?ɧњYAxc(*^hLJrH.*xrXיHV#&uMLjkUrŒ><ܕ ќD 62vlA/庪H^jRc3bkl5m~w:Ĩ+C%4f/ iE@3jq0ӓȣl4F$üBlȄ3k#|>e2cAǂΉc`޶E {}"¹89y:-΁P~Fۓi|tsOΩ̄YIiԇKAyer=P~~D|LIObtޮa 8Ғ +Z]K˰|JP29%=T$<1[px|tnALą+A0 UƞvU<@>AR[2)4F8y6z"+vYYR7oRΓzpEy46WM5kHheQ+@,*Nfy_?UT]cM۳V, }T{1Lj `Z8=d! gBaޱt#[#b CUd~" yެ,k\Iɦ5L<`f{M[;+c4'|wV!2[HM\)IXs-B->rɌw| .23oM7P8&iHQD*8Y\Ԋja ~Խڊ[RDʏ/`oW/Qk*c順4\\R2&'0YzF@dut7x9Զ[t,%0] 1&Qj(:/6 5)̞ScruoXKw кR1ۮ"܎T 9;<J9]$[x`]U)ɏx|&go48JRDLR$Kpoqܔ<++Q͂ZIy(c I(`(E^S.nI5L=+dFtkL16杬Ƕ" "U%_f7w}a&50Sk7'zRיdۚۢ_]N?raP-gZ+ٱ(I##tNI `ZK3}7Şq^c6 hfC6j^Gmbzd>$*mC]בL㛥X(5_brAs s k}wh&D}X(wz?xT#\ٗ?K,ca"ѥbL7d6#rǒ $C+:yI fagVE2a+xKwvޠeVmuXIv'XeB߲Dfhx:i{}]͵nTRH)OKuAZHoE2biqpdfT56nMϤ~bo"d]e&F k >ϡ㴌 D ,.i!jL0@9va3E۾ZÏC"2Ӫq0L6u)8z)MXPdVHTўJ#5JD,iϙs<[7cxׁB)* 7mF۞C7ȊIc7x,J#֑pxkElHCO<(p7:Ġ)l+3J/jMo?~ѹȕ2quVP3|+s>Ý ``ݻfr9ss%}dFmg57WG;dl!AvZT0[Y&ZKiU7l(tK7 W3֩z$=h8nvٝ ㈌4:`N1^|2 L& &kaSXSrJՈ"h/=AKT+r$ ̮a{ \`m*ɮ:/Xw<}eE|t&>~Uk&G ؝.p*!)GDcBx.KJ݀K<^9'^&ɖkhYo|9ԢidnR&IN n3^ ܁j˫m~aY^5>6xvHI4D+llTߝ?IYm? ^j2X{GdWH Ѻ<|!LWC`վuT•%#!Lc 0gYX'lĝpy}͚OId)7.H*$sRumz}@yuH]vNLfEf}OS4[;fA%g@-4۟m^,:Nnn?98(vޅsNGw+ 'j2ouf,OL0l\ Uw[gf1mUEJ0/v{?x̟a% H0}6 >N-7:p;$b˃8x~"'7r8-8'?ȕlTQ=dO]3KxcZ9,DDyJmQ:K 8½-hjTIyR7+2bAdeu|_(Vz>X!;[dP.H{ xcΐ;htP$/ieҐN~XθtDdN'&7<`k03G} =mo &-ǝ1^ȮV+€0í!ƾ + }ݯThfȈQ+cFn'iGusgnn 讕BaVq""MU2 C&FV$ pףDTl}lrwLW, Nm6~zЩ*gf vM6nר79:-Vy_dS,&rF9! T)6ʕ#xrD-sD{]~α}ٟWl`2%B":rghyzW7:z xDF1!9J-u- \Li^̚~16ڢ)U GZIk0]PyoDYѸusj Ńm \}2si(IQE3қ FšPEynw@r70РCk;A∨j]ԇMj/bّ7]?Ry~o^rMO| nngG8یCy;,&Kp|,Mk3Ve9 q(uȏ d +yHʡ)Ӧ j'N,pg8(?]/ (/Ew.=Np " yc%S^ Jx<]ev!(~?afg E_GY(o}PI J~50eJvX_ iz/V.+>/;k6$aYFF d4{?8zmIS;ͳB6DY\]?˵p S{ә`ZF8e#t'hj[vk;s"b;pR|p\sD+Y,5KcRU$L-iT$ _\AQƝ܄A⽣1 }+'6yi-,aѤ׮Y:޲sʲr&syFa2Cl !!e&Q GbCrXyϯyG,4\a.«xơ_>4ZZУk.I" ,^on#|;ȁP?H|&ڝnE?^Kg@bFm ǸDvc`*q˜[ڜ͒#%F.\>_?uf;B=:ݗg5 xݴo9 M..>p`!<`_`Ɲ5lnq+{(/R|μDVrX&xPZ2Ȑy8G]ܾNk":uMjqt"-kaXQA`*[y<R?c8 7q:(·߱1K_D&Pg\*p5Eׁ|"-. 0bю!mb-kjP-&0oX2 GW6O'@Y~ǹA:fS>d=+ :9^\u<|Fv ;nWw&ǥa@;'4b%¾|,k@`Pupsvq*վ'rHW aDG9idjϋ&UuKKT̛ұt [7&.3X?co֒4|-4W4'PE'S DI"&q(g ſуJn?.agpXL2J *x7(XL?we h2qVժSНSS-望G4CG{-j_ˡQl~AG]"יw2چ^P&T70TWstv}F RRWT/$3*Py=P4:Ttm/Ŵ<{GejC"Lg+*Y7z_gjh Xs U%K*} y rtgȐJzPImpHwUyc#돈A4V:"eHfjJ^)Vms9ʬk]to;PGdV 1Ɠފ5Β=z-SHq⢖6b iGtbͮu#s|iֿ)_68N݃؄Qff0( {'=7&"}:aes仯Xdu0bBhf#4F?_͒xϧހAC ރ ]Yppx#7?qvǑNh#6/E}T$D[~,]O7.51ijw#淡Jc}C̼0 ͽTZ{& 'bj '`J~Ul!HNUkW'K009L筄'4ђ ߚMY|եv 5yˑ0IIaՈ-+IK7`yt?Ew6x7ٵ[ Jv/-g)Bwc. lRqFe }mƌCbpmM@ATj+oIΑUUVs ;el \E_kS*Ю nٶS#&æWMm a<{\Fbt]8гBw>v @e-H\<"7XKN%wPjl!4T4HdgDmG\5'+[$’O[$V4G26iRjN->rba[y'jMtt|P6@nъ[[ӹw[T:}-C.=ߠLG,hRL-̽M$kFΞaA#Oz6# /,zAdƻYr,'!ze<62>Bڣ虞m)jZĉ[Y{Tz,g{MV#3M2|v7W԰Ĥ7\_>Wdw|}!{KuSY8um O7叙]˫ce7t,T18ի#|9M=*Uo'M,&oy%th܀j-tWv tO"꽙VȩGgjK(<߂݅q}oP/^ceod `}"D\ǁf;IA, Ǜ^FZa3r8'+/]5sʇ%M $dT"!pf[&̠w7ΣNp57d'D1 nq*TˢI:Ң"zc7`l_TŌq3dS*Q9chmb?r%ݬ Da!Y1mRĎ~%A5`*8P7LfQ6wc^F^2W=GSy>+XbOTE:n:hWkO?b-C \"͆<>}^i)}f ?]RYOja?T-p3.% 2w?x""5*֜S>ׄ 8õ&* 7LH̓Ŀ{5R%D;"OqpppV !ԡrc&9(diw lUIb-!*ˇerwx_mP)x*lSsH}!@ggg&W+d%C9*?U,-307vC~ \GFϩAп,8|9~Å3hɟ1X| _֋1QiU^>7)y~̋=xNV01q i e )Rk͓Zr#ڃuioQ́rmBpo{ ZM蚾=ͣ[\x+R]R@JF o1zrt8e;\+w7*krFW&d>VUPs.% :UDR8'05i'آP9s$)3az )ل73fC蝒X2$8xssa7> dZÚA}Fp+zZG6=u֫9YS S/ LkW: fjڟGkKZ߽W>PYA2=6mȳ|>Jq f2]"x#-0TyERgKznڧ IKeė_l u_ 23 S3hŒ (dt;үS{yxoq)cʐ@`4Wvuf[nDŽ>OU "*+Z$J~9Nn>e$"e?9u:ÑEZ㛲f?lUMsZ>8@-CwG3ÊinsA(p_2AПLGS#[f;+Y>51RH4OPs$;mxvOa -q6ŷ߾rr#@ c [zM´QV>umC1Ҩ}y#`&gsPH2[1zB-4>8lfőtX3b AKbMf&o%eT3R'mr. *cE;YU,+ UߞmnJ gwG(-F˰Z,Ҋzվu;_?kJD}+)\0)C(D.li[3TQ.zOd%y2U`-tqxʜ15w)I1UՋ^X/$6g.Px-J9~_Xh9A8U(bqWV9.֪}; V;USne@Ը ' #]IUDfИ_~VxeB˧= iJ ȷs!Ģ`M uidzwiI֏Ȼ?rP2kٲ S;9lG IKm\+O q:sf}Π4,D%} AB98EW 7꩎#Ӝ}dK8Sצ139t$~l{H5-}lvbAdP3пI[$CuѤ҈Ϯ _nf2ǮTbm \T–{:h+`m[@*Z=^fq3$056g5I|iTc4* >??`eMH{@ TԬcbє  < ѫQf} $Vorb JbZ %]5D6D}P$Zj=<q{RAw&*(˷\;VG4|&{9t)( zTMx ,'15e;W0C/ 2{|[AsȈ${,jo0Ю8oHĔkG4VŹYk3=cM*bo?(ai%e烖v :@sXe \E(ؕ^,-#a|͋-' t4&$1&6%'ࠜkfuJiuY\YessY#q<%vf%ՌCSJZX^ad-}G0'gXۂjq.z_I_wXYx0(B-ܝP wka5LߖrЌo+泼@S@L(+a|z>xu{ыp/򗳬=B{`?4A_FK|O'h=o0rR2 s2XV)l5rdg&*~=XyI˗h7x4ܰ +ØoҢQL ZJ_t "sL,O5}XK--K ahYޜ&OqrŌ^7#F E'P4=)5}(`Iwa9Di'4Q "<(d_:NQM%~X܀~ti!)5jM)O{ԊhӺ#T,$:On(/`x1nY ¦ !ī: VձyclKf\n:o<<Fz@~Y#QzF&I3YD#2F2'jwMthԎebmtѾ|s:yGZʒnSJ(!%!/uwgN}md_41,Zo&9q/l.$1byWk䱡47G{=ƥ~e^Kh_k#R#6e:a}H8I0Jz:[|#;Ƃ(6Ox"SEE#ȼF9(]8ꈲ$t{d䋓ׅw,Ta1ic0lB)!gн`oǑ>P nh ~яJXWO0>$AT5 3.!}v/Rw=22'H&mG)`0-}u7<{plk6( im\िi\aau5'QD_I4DA)Yc{<->q Tae6.qK3Bj Z {H8ҕG>ܘK܊ 9CO* Sȭ.E=fl>sKH"/e0 ݲ*ݏmK~2NDzP8D͔YM pkޕ0# {(z,SclR.E:bz~wMe)Ycr2_I xj Fs4+Q+K3ٞL@rI}'U :Tdr/wzuD Hښ9xA,Kru`$u; lΧ&{EKP.<ͭ0\J1ޅsx%l=%CJnGԑwhHujS/T*\kubnu\z %?u f^ -5$鯘8B 0MI{ t í&6jGQqjDtvԑ[_d -xl4dЖD"Wi/jiا6ldY2Զ1o%\G B}Pl`(IFDs1t?]cm'8;)fͅIpRBb`.&n\Hrx4 bOӵnJ VNOf V;vkčFpLQIpDJ`%clE9&*+"-@s)PA,E b-n_<.zSʢB~\mݼ<| S!見oGэL*E֡w8F=ִO}MB,.c:V3Ēj2KSOU&3b!;ۅm,w\x_naÔ+jj12 jE=ZZ`y9ϋ y1-!({ 1t}%V򴌚ۥc;Ͻ\sxt1ƱI *J ~vyN:>T{VyҚ˄40 hQ] =X,nPqM9#X3jOeH0#6R ԉMv , (a4Av(̺xw~mT ZJ6~ "Ѐ1纑8medGs+C(U,=Zϩ *\pUgqi$k<ˍ4zB"٣$FS!3Dk mpc~%L @9C#rO2 -ÓD=TXB-GJKEe2tV) Z`F +3?hO63@ʻ2f!$d[SXdʝHO$#O?+bn ^y:SBEQcF:6#$4{H%uΎ 7ή  Sbiٔh?eW>-Hwt~|Bktװ:#~F9:/r,cfY :ס1^/_YR<ȔEO>zۤTd%^DQx6IS]S|S6崢>Z1U~?GЖ|'"q-7o3f JcA'`31RxPןl/vm֔6тaL oQthny,G#5H ` cBV~;txXDqhnj~3%˙{P\*=p4mm۬ad`:RܐBޖiq!l=XFa>4uי$o#}}HnrT:lp] D.=$Ბ˴1@j-pwv{M,VO^?.|,L)8N%pdՉsSՀyIeN'*؄o(3 ׎ʈ(- 0-R^MH/S"&s}Џi7&)u2D+q|Xo'M=$ ar9{!E3@[FN慛jI_O q&cvS /WhF9t>ݒU &A{(m;`3peN"lst.j3ۮd9PBIcQ˚h f1_B;:k溆K-sIm: ϛ S;@M:!Hy&"wıWn;VxbxZk;p cDY[o?0;׻g(Q0PDq ;^` Q1&_Цޗ&{L/IzPj僴 p ? s$9↜[&D MBd}l#R'j?tZ `3$̌yݾ"GŨɲ,Ml-/XϕG>$45$MX3(79{:EE{2ܤ(Q ௶Jfb*҈`df'T%0f6\?dcIStJ&\+&q e1T+O b%<5*hY0שּׁTCɶ/}ڽwYI*60mLm.;mgf3x҆D|YQ'B}$+rX(SdROV墂%P)#UeXhd|8<ة>%KO(.1ٽVӃEep  5Y~.$[JUsN0MhOj+Ab`@DY9P!g(?67ѝ%a8c ,ܕ7oJ|"Wbұgfu|αnM1)Tm3oJ"Œҹ8Bb]fhwnܭX~RFEDARM yL %08DnDEa6)+%$2o%Jj^I Sv( RhTct-†&+J#2eQ_PHHA;ED1}@H\F?R ."t8p-[$kJ挹/ GLcYLIiP2=϶LM^9ڨ⑃s߾ 3+mLƗZ}~U'"#aRe鼵٤ /Uq;F. ㊞% v7~H}lϐ 6ߍsr,J/r0:l≠tU5뷤G4Vɑϛ|̞+#]hZ +:e%8͓nĩr^}|M\a%}/7J\hztO};YvۤO`t܂&ϳJkd*;s-d=ŁViskGR؊cÓF=yd?L{`XaoVo nL 2B/?cKVH>퓮C-&guX3$3de}O>Ro}.{mS2d'nRNz=d%EBAGLDUBy]8m ]uw7Iрqa:H J}^#ͷ#j +]@Zi$@u Zcb&/FFna;=;AvR[=m@ BYjޒ "8$~(B6̛P!eGDҁ bUgsp*⍸űbܸ)gEܮSgwm+nnT6xظRp14a7i4fMfj0|1 qB.Z s.FK!RT"U"!_-prkDIlTܶ~Jr#=TwZ?>%0Jj?@xk\-'lVLU|G'^ 2呔(&uaЗϘ(4ƪKbP]iV'/ݱޞ>f}J72w rѵ¬}"KII(eSQK\.dr#q;4 ) p-qęC,Ҍ0ڻVݛ!)v<w ?e&& m6v:+]A4ďp-z"`( 8s-gMoX|nLrr$al~#N l2foΞ\V+RɌsDX( M”>m5p iq(08wWKЊ)Iw^X@w;@jFCUQwPޘ7eTqQEO-Fga1Ru۽ش8ZLQ:Ƹ6UP ' s&ůp*:dp` i(%֞-7ǙNy6v&IuFaR!fPbȳq2f gSvѦTz$E(,8Rk"-WVV:`R.Of+xCx-b?%sxOi5D!T `W,ۜd(Ꙡ%V\&z=U/.Er PyrEzuJj0vūqcճX>"uiSu+#`-H2֬NU e`~ ]88&TF'K[6HVKuf߰دW"|+Sm+ X^<_䲾|wV/H.7i"Hw r k);ܼoH72U4\ ^nJb,/Ex@jp#T!)qK& jXC6 *ZQUɄ-'|j9? rB{Z_ т[y`U%=UuV>aW.BȮW?$. cNE/g~J_qZ 1I1v7IAX֘u@B;J)^RF9cj+j*,b Fyy)q0;%NqA / MSENCӸz31# Q;:{j,vJ>{:C9Σ|Xܛ(2)pb]_7\ F'sC A#:ƷxAѯR/0h@XB➇h}"9Pb)5;1B` 4̧EHx Iǭcƥ,QlT'˲>65DT[}߲zgq{wIl F<"]STja\T+I%`G%:l36g*7_/͜*L? (*}fo.G>#!Ap?l8*\r, Z,eC(unp*&剣 ]^q`mt6dD}hM4K:ƞ*}'W{ KrPN8Jي ,<@@YB{'>81RڗQdT hLH+,tl_Zvks}mdmFJMM̀?mhpcMIIws@.,] c"+Wwl@(L%ÐX/D./>m3}+WM,^ KՉHfLѭ/كҙtvcnpu I1 ]+Tcd҂|P%< Cڷs n@Zbuk=\XN|+ ?ZP"&8(!8BZyF ٱB;RØ7N<>fnsgòrdh3>i*F;/eZf}ok7J؀,Y&6 04I&. Pi<رް6bP9moN@o1ױkћIriSJG%}OQ4Zoo.aSgA' mѐ:V&DEo4 \yA|C$s_VEY%磲/6`L߄3yY`ϰ< w{ QGMaMhՀ ʹ[9[ )K 2PR~48L䭻/ 4s@:>Cc4=3vmBEŒ (7 Q>rIc^U >0c\uiGlG8@61BT=9$%!ǼOv?rv\\ăp׺Uw ĵLNu_tJ̆q0?]+d,ҼDsSdo= 3>q]CMF;rx#tkixCO1JNZ)bMi dTÓd%e mܙAC\0u#8LuɃItg3PH yב FPVGͲɐ}܃زQ/ ~bTWEg6B:%a2\-#zyq1V!$,JV!d{\j:J;" &5ͪJh$ Dp񋔏}-D1PwTN` H,Z_wa>V-~W1+7w*栜U彍ғZo|M TȃDdKHh'a{!4`y-G1a{)jQ-{xdLI"ijq#4`E~G{ n=<,#͈va=.bf_,qEv҈45}*rl }' i?Q=Q#)j,nI[69sTw]۝ G9`]&Kϝ*c71[a67[sW4 "LKBדѢ L8tup2Mo9C4)1%13/*D,C ,"oKh-ta7Oщ!f!uDc󴝍ΥH=;\^.kl oj:fFNõ"D %cVP$ m;jD~0U.e^ &Zzoޡ4|<LftKufr>A%0l^7G St;grF3W`7l m[].RC mŜ^?%Gh'/xoGtM>YYI][x5 xpi`XMozJ^%3͗qɮli uXx SX h#m[9捄PKfKݢ*, D$eW @v$sJg.YL΅$+0*1!)N_t C~s"T(P_mO-3 |#B z)8] ~^k;ŕ3';y{THpH+1k#/y6x5p?7 =8c3#dP};mLX-̗ li,q*Nw7Z`|*  ;b$Ud\%T)m2^'dli+qsڗI=РmلD^xyN_+eE! dq% otHb0{#xY$$:Fo\0V'4/YhS,w ?M#B%[| _@킹+g@FUAOxIhUeQ!X&9y3M~c>!@?B y^߯t0?f@fsKoo :EsrIq}(8p:|iYc".~IP% ^ɞ#r!_%!#4`6W fUoǐDqGmҥMǏhOW7i ҹq8Xr5R$-qSP"ֈO9/=1,IP$k)ˈ]G{4n7 *Ad-Nn%K4Z6!>ձ}AzfQ|!)SזQJj4Lޛ![=^):m~JosB8=a,| Fx`Xof>8j7d3ðk2+EV11H#b0nvz95ju=n9wulO=\mdhl b``~rC8bYx,|zns+sɇϞm>KJZ/R9zj4Bc=/Z$==s\7E;r]H*r^f^QѣPm]OOvXJ.#Xx!9ŒS L"7ic4r>wô;r[r/#Jw?YJWɤܺt | aP!vҍ8װy֬_F~3$N q6](#y"Ο?H!M06 IMT\( @WR1&T+Te_ n$0>:"j"Qָ(~ l,9ey*//4$+Tk>kZ/6t_{cOۦ>^'c[