kubernetes1.24-kubelet-1.24.17-150500.3.24.1<>,kpfp9|8DpxMgu6i[]md}tbG[c,vy LцoVZ{`UK-Êo EdTx|-]8:UǹVcE35Nr i F`%sK:w䟀mK_g1Fזש@ }vՌmL|`{ ֠~h TD5 v&PYu< 7&YXP!- O؂<;UKOq|,.[d0i|:0I>9>Gbd?bTd! / I! 7I`fp|     (7Ft(89D:B^F^6G^PH^\I^hX^lY^xZ^[^\^]^^^b_:c_d`le`qf`tl`vu`v`wa|xayazaaaaaabbbbbPCkubernetes1.24-kubelet1.24.17150500.3.24.1Kubernetes kubelet daemonManage a cluster of Linux containers as a single system to accelerate Dev and simplify Ops. kubelet daemon (current version)fh04-armsrv1SUSE Linux Enterprise 15SUSE LLC Apache-2.0https://www.suse.com/System/Managementhttps://kubernetes.io/linuxaarch64WH,^A큤ffd旿7bb5a768a4a45266334cd6a5042ef6c1a99a9b69fc83118f73441b22ce1ed092cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30rootrootrootrootrootrootkubernetes1.24-1.24.17-150500.3.24.1.src.rpmkubernetes-kubelet1.24kubernetes1.24-kubeletkubernetes1.24-kubelet(aarch-64)@@@@@@@@    cri-runtimekubernetes-kubelet-commonlibc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libdl.so.2()(64bit)libdl.so.2(GLIBC_2.17)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.17)(64bit)libresolv.so.2()(64bit)libresolv.so.2(GLIBC_2.17)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)systemdsystemdsystemdsystemd3.0.4-14.6.0-14.0-15.2-14.14.3f)@ffff@f@e}@e7@eL@e eRd dd@dddJcd7d6@d!@d!@d@d@d @ddb֜b@bbs@priyanka.saggu@suse.compriyanka.saggu@suse.compriyanka.saggu@suse.compriyanka.saggu@suse.compriyanka.saggu@suse.compriyanka.saggu@suse.compriyanka.saggu@suse.comdimstar@opensuse.orgbwiedemann@suse.compriyanka.saggu@suse.compriyanka.saggu@suse.compriyanka.saggu@suse.compriyanka.saggu@suse.compriyanka.saggu@suse.compriyanka.saggu@suse.compriyanka.saggu@suse.compriyanka.saggu@suse.compriyanka.saggu@suse.compriyanka.saggu@suse.comrombert@apache.orgrombert@apache.orgpriyanka.saggu@suse.comrombert@apache.orgrombert@apache.orgpriyanka.saggu@suse.compriyanka.saggu@suse.comjkowalczyk@suse.comjkowalczyk@suse.comjkowalczyk@suse.comjkowalczyk@suse.com- Security fix for bsc#1229869 * New Patches: - prevent-rapid-reset-http2-DOS-on-API-server.patch, - bump-golang-org-grpc-to-v1_56_3.patch, - expose-DisableHTTP2-flag-in-SecureServingOptions.patch * Mitigates http/2 DOS vulnerabilities for CVE-2023-44487 and CVE-2023-39325 for the API server when the client is unauthenticated. The mitigation may be disabled by setting the `UnauthenticatedHTTP2DOSMitigation` feature gate to `false` (it is enabled by default). An API server fronted by an L7 load balancer that already mitigates these http/2 attacks may choose to disable the kube-apiserver mitigation to avoid disrupting load balancer → kube-apiserver connections if http/2 requests from multiple clients share the same backend connection. An API server on a private network may opt to disable the kube-apiserver mitigation to prevent performance regressions for unauthenticated clients. Authenticated requests rely on the fix in golang.org/x/net v0.17.0 alone. https://issue.k8s.io/121197 tracks further mitigation of http/2 attacks by authenticated clients.- Update .spec file to bump go version build requirements (per requested in bsc#1229858) * `BuildRequires: go >= 1.22.5` * `BuildRequires: golang(API) = 1.22` - Follow up changes after go version bump to 1.22: - For ppc64le platform: disabled `export GOLDFLAGS='-linkmode=external'`. * to fix the build failure error: `-linkmode=external requires external (cgo) linking, but cgo is not enabled` - For linux/s390x platform: disabled building kubernetes binaries with `-buildmode=pie` * `-buildmode=pie` with "internal linking" is not yet supported on linux/s390x platform * ref: https://github.com/golang/go/blob/a63907808d14679c723e566cb83acc76fc8cafc2/src/internal/platform/supported.go#L223-L232 * ref: https://github.com/golang/go/issues/64875#issuecomment-1870734528- Security fix for bsc#1229869 * New Patch: bump-x-net-to-v0_23_0.patch - golang.org/x/net is bumped to v0.23.0 to address CVE-2023-45288- Security fix for bsc#1229867 * New Patch: bump-golang-protobuf-to-v1_5_4.patch - [CVE-2024-24786] Bump github.com/golang/protobuf v1.5.4, google.golang.org/protobuf v1.33.0- add new security patch to escape terminal special characters in kubectl output, bsc#1194400, CVE-2021-25743 * patch file - escape-terminal-special-characters-in-kubectl-112553.patch- add new security patch for bypassing mountable secrets policy imposed by the ServiceAccount admission plugin, bsc#1222539, CVE-2024-3177 * patch file – bypass-mountable-secrets-policy-imposed-by-SA-admission-plugin.patch- add new patch to advance autoscaling v2 as the preferred API version, to fix bsc#1219964, CVE-2024-0793 * autoscaling-advance-v2-as-the-preferred-API-version.patch- Use %patch -P N instead of deprecated %patchN.- Add kubernetes-trimpath.patch for reproducible builds (boo#1062303)- fixes for bsc#1214406 - update `Wants` directive in [Unit] section of `kubelet.service`: * add: `containerd.service` * remove: `docker.service` - updating container runtime prerequisites: (Refer: k8s.io/docs/setup/production-environment/container-runtimes/#install-and-configure-prerequisites) * update `90-kubeadm.conf` to add below iptables rules: - net.bridge.bridge-nf-call-iptables = 1 - net.bridge.bridge-nf-call-ip6tables = 1 * update `kubeadm.conf` to add `overlay` kernel module * update .spec file to: - add post-installation scriptlet for `kubeadm` package to enable iptables rules defined in `90-kubeadm.conf` using sysctl - add conditional checks to load kernel modules (br_netfilter, overlay) in `kubelet-common` package post-installation scriptlet - update `kubelet-common` post scriptlet to correctly update `KUBELET_VER` var in `/etc/sysconfig/kubelet` file based on fillup template - add below to `kubelet` subpackage to recommend installing correct version of package providing `kubernetes-kubelet-common` : * `Recommends: kubernetes-kubelet-common = %{version}` - add below to `kubeadm` subpackage to recommend installing correct version of `kubelet` and `kubelet-common` packages: * `Recommends: kubernetes%{baseversion}-kubelet`- Update .spec file to bump go version build requirements: * `BuildRequires: go >= 1.20.7` - Update to version 1.24.17: * Release commit for Kubernetes v1.24.17 * Use environment varaibles for parameters in Powershell * Use env varaibles for passing path * Fix capture loop vars in parallel or ginkgo tests * Update protoc check for verify-generated-kms * [release-1.24] releng/go: Bump images, versions and deps to use Go 1.20.7 * Update CHANGELOG/CHANGELOG-1.24.md for v1.24.16 * kmsv1: attempt AES-GCM before AES-CBC on reads- Update: `BuildRequires: go >= 1.20.6` - Update: `BuildRequires: golang(API) = 1.20` - Update to version 1.24.16: * [release-1.24] releng/go: Bump images, versions and deps to use Go 1.20.6 * Fix the converts an empty string to nil. * Only declare job as finished after removing all finalizers * Fix deadlock in ready test * deps: Bump to cAdvisor v0.44.2 * Fix the git-repo test error caused by the correct use of loop variables * kubeadm: remove function pointer comparison in phase test * test server side apply patch * don't process unsupported loadbalancers with mixed protocols * make MixedProtocolNotSupported public- remove: kube-apiserver-admission-plugin-policy.patch * patch included upstream in the v1.24.15 patch version release - remove: kubernetes1.24.13.obscpio- v1.24.15 includes Security Patch Fix for CVE-2023-2727 (bsc#1211630) and CVE-2023-2728 (bsc#1211631) - Update: `BuildRequires: go >= 1.19.10` - Update to version 1.24.15: * Release commit for Kubernetes v1.24.15 * update-vendor: update vendored go.sums * [release-1.24] releng/go: Update images, deps and ver to go 1.19.10 * kube-proxy avoid race condition using LocalModeNodeCIDR * Add ephemeralcontainer to imagepolicy securityaccount admission plugin * Switch to assert.ErrorEquals from assert.Equal to check error equality * kubeadm: Make etcd member removal idempotent * kubeadm: Add etcd client unit tests * kubeadm: Use internal etcd client through an interface * update webhook test to go 1.21 * Test APIService safe handling at startup * Fix waiting for CRD sync at server start * kubeadm: fix a bug where the static pod changes detection logic is inconsistent with kubelet * Update CHANGELOG/CHANGELOG-1.24.md for v1.24.14 * vclib: Modify x509.UnknownAuthorityError unwrap check * vsphere: Adapt to govmomi version bumps * *: Bump version of vmware/govmomi- Update BuildRequires: `go >= 1.19.9` - Update to version 1.24.14: * Release commit for Kubernetes v1.24.14 * [1.24] vendor: bump runc to 1.1.6 * benchmark test to evaluate the overhead of podMatchesScopeFunc * Fix incorrect calculation for ResourceQuota with PriorityClass as its scope * releng/go: Update images, dependencies and version to Go 1.19.9 * Fix directory mismatch for `volume.SetVolumeOwnership()` * use case-insensitive header keys for http probes * add log includes pod preemption details * fix: the volume is not detached after the pod and PVC objects are deleted * Bump konnectivity-client to 0.0.37 * Do not look at VPC-related resources outside the cluster's network * kubelet: Do not mutate pods in the pod manager * Logging, remove LookPath in detectSafeNotMountedBehavior * Take canSafelySkipMountPointCheck package-private, reduce log visibility for removePath. * Add test for detectSafeNotMountedBehavior. * Add test for CanSafelySkipMountPointCheck * Correct detection of 'not mounted' behavior -- umount will exit with a non-zero code. * Skip mount point checks when possible during mount cleanup. * Return error for localhost seccomp type with no localhost profile definedSecurity Patch Fix for CVE-2023-2727 (bsc#1211630) and CVE-2023-2728 (bsc#1211631) * added patch: kube-apiserver-admission-plugin-policy.patch * this new kube-apiserver component patch prevents ephemeral containers: * * from using an image that is restricted by ImagePolicyWebhook (CVE-2023-2727) * * from bypassing the mountable secrets policy enforced by the ServiceAccount admission plugin (CVE-2023-2728)- Update `Requires` in the "kubernetes1.24-client" pkg to: * Requires: kubernetes%{baseversion}-client-common - Remove following `Obsoletes` from the "kubernetes1.24-client-common" pkg: * Obsoletes: kubernetes%{baseversionminus1}-client-common- Update to version 1.24.13: * Release commit for Kubernetes v1.24.13 * releng/go: Update images, dependencies and version to Go 1.19.8 * wait again on pending state * cacher allow context cancellation if not ready * Drop development dependencies from test targets * apiserver cacher: don't accept requests if stopped * Clear front proxy headers after authentication is complete * Make prerelease tag optional in CI versions * Annotate CI version regexes * Drop unused regex grouping * Delete unused version regex function * kubelet: Fix fs quota monitoring on volumes * fsquota: only generate pod uuid is nil * Change where transformers are called. * Route controller should update routes with NodeIP changed When a node reboots or kubelet restarts, it is possible that its IP is changed. In this case, node route should be updated with the correct IP. In this PR, it checks if the IP in an existing route is the same as the actual one. If not, it marks it as "update" so the old route will be deleted and a new one will be created. There's a new field EnableNodeAddresses, which is a feature gate for specific cloud providers to enable after they update their cloud provider code for CreateRoute(). * client-go/cache: update Replace comment to be more clear * client-go/cache: rewrite Replace to check queue first * client-go/cache: merge ReplaceMakesDeletionsForObjectsInQueue tests * client-go/cache: fix missing delete event on replace without knownObjects * client-go/cache: fix missing delete event on replace * Bump konnectivity-client to v0.0.36 * test: demote service ClientIP affinity timeout tests from conformance- add kubernetes1.18-client-common as conflicts with kubernetes-client-bash-completion- Stronger conflicts for completion packages- Add proper obsoletes for completion packages- Update to version 1.24.12: * Release commit for Kubernetes v1.24.12 * One lock among PodNominator and SchedulingQueue * releng/go: Update images, dependencies and version to Go 1.19.7 * Fix for windows kube-proxy: 'externalTrafficPolicy: Local' results in no clusterIP entry in windows node. * Re-enable label selector * Add integration test for diff --prune --selector * Use label selector for filtering out resources when pruning. Matches same behavior as for kubectl apply * scheduler/framework/plugins/volumebinding: fix inaccurate log for when a volume is bound to a claim * Remove check for CSI driver running on node for CSI migration attach operations * Simplify construction of /metrics request * Move CSI json file saving to SetUpAt() * Fix for issue with Loadbalancer policy creation for IPV6 endpoints in Dualstack mode. * Invoke gimme from kube::golang::verify_go_version * Defer builds to test-cmd and test-integration targets * Carefully compute request path for metrics- Split individual completions into separate packages- Use upstream fish completions and obsolete external package- update patch files to reflect upstream registry changes from k8s.gcr.io to registry.k8s.io * kubeadm-opensuse-registry.patch * revert-coredns-image-renaming.patch- Update to version 1.24.11: * Release commit for Kubernetes v1.24.11 * releng: Update images, dependencies and version to Go 1.19.6 * Update golang.org/x/net to v0.7.0 * Pin golang.org/x/net to v0.4.0 in 1.24 * kubelet/client: collapse transport wiring onto standard approach * apiserver: remove 34s from DELETECOLLECTION rest handler * update prev succeeded indexes for indexed jobs unconditionally * use custom dialer for http probes * use custom dialer for tcp probes * add custom dialer optimized for probes * bump honnef.co/go/tools to support go1.20 * Fix issue that Audit Server could not correctly encode DeleteOption * Do not include scheduler name in the preemption event message * Do not leak cross namespace pod metadata in preemption events * pkg/controller/job: re-honor exponential backoff * releng: Update images, dependencies and version to Go 1.19.5 * Explicitly call rand.Seed() method * Improve vendor verification works for each staging repo * Bump Konnectivity to v0.0.35 * Add pod to dsw if termination is not completed during reconstruction #issues/113979 * integration: migrate taint tests * integration: migrate scoring tests * integration: migrate preemption tests * integration: migrate plugings tests * integration: migrate extender tests * integration: scheduler: migrate PDB from v1beta1 to v1 * Fix issues in volumesnapshot test for ephemeral storage * update golangci-lint for go 1.19 * golang: Update to 1.19 * Adjust for os/exec changes in 1.19 * Update golangci-lint to 1.46.2 and fix errors * Windows Kube-Proxy implementation for internal traffic policy. * Fix a regression that scheduler always go through all Filter plugins * Fix SPDY proxy authentication with special chars * Creating Ingress IP loadbalancer alone when all the endpoints are terminating. KEP1669 * change k8s.gcr.io/pause to registry.k8s.io/pause * Update golang.org/x/net 1e63c2f * image pull event include duration with waiting * kubelet: make the image pull time more accurate in event * update structured-merge-diff to 4.2.3 * regression test for exponential recursion bug on CRDs * Fix endpoint reconciler failing to delete masterlease * kubeadm: remove v1.25 etcd "3.5.6-0" for v1.24 * use etcd 3.5.6-0 after promotion * changelog: CVE-2022-3294 and CVE-2022-3162 were fixed in v1.23.14 * upgrade system-validators to v1.8.0 for a bugfix of cgroupv2 io check * Introducing LoadbalancerPortMapping flags for VipExternalIP * egress_selector: prevent goroutines leak on connect() step. * Merge pull request #113133 from sxllwx:automated-cherry-pick-of-#113133-upstream-release-1.25 * Fixed (CVE-2022-27664) Bump golang.org/x/net to v0.1.1-0.20221027164007-c63010009c80 * Add CVE-2022-3162 to CHANGELOG-1.24.md * tls.Dial() validates hostname, no need to do that manually * e2e: use custom timeouts in GetSnapshotContentFromSnapshot() * test/e2e/storage: replace hardcoded value with custom timeout in cleanup routine * StatefulSet: Cleanup the complex defer function updating the status * Be sure to update the status of StatefulSet even if the new replica creation fails * added retries to winkernel proxy rules deletion * added backend hashing to winkernel proxier * kubelet: fix pod log line corruption when using timestamps and long lines * kubeadm: mutate ClusterConfiguration.imageRepository to "registry.k8s.io" * kubeadm: use registry.k8s.io instead of k8s.gcr.io * add GetAllocatableCPUs test in cpumanager * fix GetAllocatableCPUs in cpumanager * e2e: restore volume lifecycle checks for csi-hostpath driver * kubelet: fix volume reconstruction for CSI ephemeral volumes * NodeLifecycleController: Remove race condition * kube-proxy wait for cluster cidr skip delete events * kube-proxy handle node PodCIDR changs * kube-proxy: gate topology correctly * service update event should be triggered when appProtocol in port is changed. * filter out terminated containers in cadvisor_stats_provider * Fix winkernel proxier setting the wrong HNS loadbalancer ID for ingress IP * Bump konnectivity-client to v0.0.33 * Fix list estimator for lists that are executed as gets * kubeadm: allow RSA and ECDSA format keys in preflight check * Limit redirect proxy handling to redirected responses * Make sure auto-mounted subpath mount source is already mounted * Call SetupDevice only if Volume is not globally Mounted * Fixes kubelet log compression on Windows * Add zone field to vsphere test cloudconfig * Reduce default gzip compression level from 4 to 1 in apiserver * exec auth: support TLS config caching * Add an option for aggregator * Update go-runner to v2.3.1-go1.18.6-bullseye.0 * Update kube-cross image to v1.24.0-go1.18.6-bullseye.0 * Fix problem in updating VolumeAttached in node status * Call queueSet::boundNextDispatchLocked enough * Always log APF InitialSeats and FinalSeats values * Marshal MicroTime to json and proto at the same precision * Windows: ensure runAsNonRoot does case-insensitive comparison on user name * Tolerate sub-microsecond eventTime changes on update * Improve kubectl display of invalid errors * fix unmatch reason when updating pod status * fix nestedPendingOperations mount and umount parallel bug * client-go/rest: check if url is nil to prevent nil pointer dereference * Revert "client-go: remove no longer used finalURLTemplate" * Skip "instance not found" error for LB backend address pools * Update cel-go to v0.10.2. * fix a memory leak problem when calling DryRunPreemption * Fix JobTrackingWithFinalizers when a pod succeeds after the job fails * Use CheckAndMarkAsUncertainViaReconstruction for uncertain volumes * Remove volume from found during reconstruction if mounted * Add unit test for verifying if processReconstructedVolumes works as expected * Fix code to process volumes which were skipped during reconstruction * Keep track of each pod that uses a volume during reconstruction * allow namespace admins to use leases to encourage migration off of configmaps * Fix: filter out unsatisfied nodes when calling AddPod in PodTopologySpread * Fix `kubeadm upgrade plan` issue with FQDN nodes names * Add rate limiting when calling STS assume role API * Fix kubelet panic when accessing metrics/resource endpoint * Fixing issue in generatePodSandboxWindowsConfig for hostProcess containers by where pod sandbox won't have HostProcess bit set if pod does not have a security context but containers specify HostProcess. * Add retry logic for Unix Domain sockets on Windows * Execute the Run function of kubelet, no log output after failure * Prune defaults for CRD serving- Update to version 1.24.3: * Do not skip job requeue in conflict error * kubeadm: fix the bug that configurable KubernetesVersion not respected during kubeadm join * endpointslices: node missing on Pod scenario * fix metrics for placeholder slice * fix a bug on endpointslices tests comparing the wrong metrics * kubeadm: fix the bug that configurable KubernetesVersion not respected during kubeadm join * GIT-110239: fix activeDeadlineSeconds enforcement bug * kubeadm: handle dup unix:// prefix in node annotaiton * fix: --chunk-size with selector returns missing result * Fix unnecessary recreation of placeholder EndpointSlice * kubeadm: fix error adding extra prefix unix:// * e2e: add storage capability for offline volume expansion * add missing error handling steps * Update CHANGELOG/CHANGELOG-1.24.md for v1.24.2 * apiserver: printers should use int64 * fix image pulling failure when IMDS is unavailalbe in kubelet startup * e2e: ensure single image for populator containers * fix: exclude non-ready nodes and deleted nodes from azure load balancers - Require only BuildRequires: golang(API) = 1.18 pinned Go major version. Remove potentially conflicting BuildRequires: go >= x.y.z. The plan for future updates is BuildRequires: golang(API) >= 1.18 minimum Go major version.- Update to version 1.24.2: * move the ignore logic higher up to the reconciler * Ignore EndpointSlices that are already marked for deletion * test: update graceful node shutdown e2e with watch * kubelet: Mark ready condition as false explicitly for terminal pods * agnhost: bump version 2.39 * Update Go to 1.18.3 * add service e2e tests * kubelet: add e2e test to verify probe readiness * kubelet: only shutdown probes for pods that are terminated * kubelet: Pod probes should be handled by pod worker * cpu manager policy set to none, no one remove container id from container map, lead memory leak * fix audit union loop variables in closures * Updating e2e test to check EndpointSlices and Endpoints as well * e2e: services with evicted pods doesn't have endpoints * e2e test for evicted pods * endpoints controller: don't consider terminal endpoints * endpointslices: terminal pods doesn't receive enpoints * add pod util to verify pod is terminal * Update CHANGELOG/CHANGELOG-1.24.md for v1.24.1 * Add test for checking ephemeral volume expansion * Fix resizing of ephemeral volumes * Winkernel proxier cache HNS data to improve syncProxyRules performance * GCE Windows: Copy the CNI binaries from the right folder- Update to version 1.24.1: * kubeadm: remove checking legacy taint for kubeadm-kinder-latest-on-1-24 * Fix requests scope classification * Update Go to 1.18.2 * Integration test for openapi scale & status * Remove warning log for merging meta and scale type * authn: fix cache mutation by AuthenticatedGroupAdder * GCE: skip updating and deleting external loadbalancers if service is managed outside of service controller * Wait for cache to sync in job's TestWatchOrphanPods * Fix ServiceIPStaticSubrange assigns duplicate IP addresses * Fix OpenAPI loading error caused by empty APIService * kubeadm: only taint CP nodes when the legacy "master" taint is present * Test Foreground deletion in job integration * Fix removing finalizer from finished jobs * Don't mark job as failed until expectations are satisfied * Integration test for backoff limit and finalizers * Update CHANGELOG/CHANGELOG-1.24.md for v1.24.0 * Do not wrap lines if we can't read term size- Initial packagekubernetes-kubelet1.24h04-armsrv1 17271799181.24.171.24.17-150500.3.24.11.24.17-150500.3.24.11.24.17kubelet1.24kubernetes1.24-kubeletLICENSE/usr/bin//usr/share/licenses//usr/share/licenses/kubernetes1.24-kubelet/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:35821/SUSE_SLE-15-SP5_Update/e6890fc7caa5f01661704902edf53b00-kubernetes1.24.SUSE_SLE-15-SP5_Updatedrpmxz5aarch64-suse-linuxELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=ecea3a600e4fa74ce1fcb23cbbecd7fb6b097e92, for GNU/Linux 3.7.0, strippeddirectoryASCII textR RRRRRRR"!&0%_fkubernetes-kubelet-common1.24.17systemd-sysvcompatutf-8f100fa70a973e4cb7fdb31be27a225da51bb2e870ba2d8b83414471384db111c?7zXZ !t/2]"k%9[]{~iDOb63m|M/1xLU+c"Re$|o@W"Z{D'ʆĦc>W;w 5||tF5=][M$ߟaj 1DSmb[w`]nBI5fB,I]5*xXA#[9-Sw}cqo/J[AXnR T\{jr %:G*Pj~-=T֭4;a,B^Nk\nx.?f(>uRӘѝTZnHГSl@GP8Ogz8LH>HmO3&;ZHgVkW2@t|br`G.ULUIe,$CfV '#k#3r]RZ2m|!10i~CUXGǚ:uxYw Xynܬp\*lQgYp]S6 ib9 Y{**LiQTgd2Lbl <~N&{ @UPy~R byK&QC^DHp"j#00hkt[ qY\"B#/TkliEh83{q>K3NQkSʊH@xϣ^HX,Sd wr27%Mb`[l3˝݈ .nm 筚93B:8 䥔8?J<|CkpawS}q ɫ4dL(feY+T_iOUQo!(:+Ht r=Y+Tɀo-7&!ܡf`d?_IԴx1rtMGrSu\6= m^&lerC&g*Xp1RISwOhas6} )tQF %%  YZ