From 93ad8b18f2064800fd69a4c26b242344dde295b9 Mon Sep 17 00:00:00 2001 From: Jody Garnett Date: Mon, 27 Jan 2025 11:48:18 -0800 Subject: [PATCH] release-2.26.2-anouncement (#243) * release-2.26.2-anouncement * Update _posts/2025-01-27-geoserver-2-26-2-released.md Co-authored-by: Mark Prins <1165786+mprins@users.noreply.github.com> * review issue types --------- Co-authored-by: Mark Prins <1165786+mprins@users.noreply.github.com> --- .../2025-01-27-geoserver-2-26-2-released.md | 137 ++++++++++++++++++ bin/templates/about226.md | 2 +- img/posts/2.26/filesystem-sandbox.png | Bin 0 -> 13056 bytes 3 files changed, 138 insertions(+), 1 deletion(-) create mode 100644 _posts/2025-01-27-geoserver-2-26-2-released.md create mode 100644 img/posts/2.26/filesystem-sandbox.png diff --git a/_posts/2025-01-27-geoserver-2-26-2-released.md b/_posts/2025-01-27-geoserver-2-26-2-released.md new file mode 100644 index 000000000..2efa68074 --- /dev/null +++ b/_posts/2025-01-27-geoserver-2-26-2-released.md 
@@ -0,0 +1,137 @@ +--- +author: Jody Garnett +date: 2025-01-27 +layout: post +title: GeoServer 2.26.2 Release +categories: +- Announcements +- Vulnerability +tags: +- Release +release: release_226 +version: 2.26.2 +jira_version: 16940 +--- + +GeoServer [2.26.2](/release/2.26.2/) release is now available +with downloads +([bin](https://sourceforge.net/projects/geoserver/files/GeoServer/2.26.2/geoserver-2.26.2-bin.zip/download), +[war](https://sourceforge.net/projects/geoserver/files/GeoServer/2.26.2/geoserver-2.26.2-war.zip/download), +[windows](https://sourceforge.net/projects/geoserver/files/GeoServer/2.26.2/GeoServer-2.26.2-winsetup.exe/download)), along with +[docs](https://sourceforge.net/projects/geoserver/files/GeoServer/2.26.2/geoserver-2.26.2-htmldoc.zip/download) and +[extensions](https://sourceforge.net/projects/geoserver/files/GeoServer/2.26.2/extensions/). + +This is a stable release of GeoServer recommended for production use. +GeoServer 2.26.2 is made in conjunction with GeoTools 32.2, GeoWebCache 1.26.2, and ImageIO-Ext 1.4.14. + +Thanks to Jody Garnett for making this release. + +## Security Considerations + +This release addresses security vulnerabilities and is recommended. + +* CVE-2024-38524 Moderate + + + +See project [security policy](https://github.com/geoserver/geoserver/blob/main/SECURITY.md) for more information on how security vulnerabilities are managed. + +## File System Sandbox Isolation + +A file system sandbox is used to limit access for GeoServer Administrators and Workspace Administrators to specified file folders. + +* A system sandbox is established using ``GEOSERVER_FILESYSTEM_SANDBOX`` application property, and applies to the entire application, limiting GeoServer administrators to the ```` folder, and individual workspace administrators into isolated ``/`` folders. 
+ +* A regular sandbox can be configured from the **Security > Data** screen, and is used to limit individual workspace administrators into ``/`` folders to avoid accessing each others files. + + ![](/img/posts/2.26/filesystem-sandbox.png) + +Thanks to Andrea (GeoSolutions) for this important improvement. + +- [File system sandboxing](https://docs.geoserver.org/2.26.x/en/user/security/sandbox.html) +- [GSIP 229 - File system access isolation](https://github.com/geoserver/geoserver/wiki/GSIP-229) + +## Developer Updates + +### Palantir formatter + +A nice update for GeoServer developers is an updated formatter that is both wider at 120 columns, and plays well with the use of lamda expressions. + +```java +List filtered = children.stream() + .filter(b -> b instanceof DynamicValueBuilder || b instanceof SourceBuilder) + .collect(Collectors.toList()); +``` + +Thanks to Andrea for this improvement, and coordinating the change across all active branches. + +- [GSIP 228 - 120 columns format with Palantir formatter](https://github.com/geoserver/geoserver/wiki/GSIP-228) + +## Release notes + + +New Features: + +* [GEOS-11616](https://osgeo-org.atlassian.net/browse/GEOS-11616) GSIP 229 - File system access isolation +* [GEOS-11644](https://osgeo-org.atlassian.net/browse/GEOS-11644) Introducing the rest/security/acl/catalog/reload rest endpoint + +Improvement: + +* [GEOS-11612](https://osgeo-org.atlassian.net/browse/GEOS-11612) Add system property support for Proxy base URL -> use headers activation +* [GEOS-11615](https://osgeo-org.atlassian.net/browse/GEOS-11615) Update to Imageio-EXT 1.4.14 +* [GEOS-11683](https://osgeo-org.atlassian.net/browse/GEOS-11683) MapML WMS Features Coordinate Precision Should be adjusted based on scale + +Bug: + +* [GEOS-11636](https://osgeo-org.atlassian.net/browse/GEOS-11636) Store panels won't always show feedback in target panels +* [GEOS-11494](https://osgeo-org.atlassian.net/browse/GEOS-11494) WFS GetFeature request with a propertyname 
parameter fails when layer attributes are customized (removed or reordered) +* [GEOS-11606](https://osgeo-org.atlassian.net/browse/GEOS-11606) geofence-server imports obsolete asm dep +* [GEOS-11611](https://osgeo-org.atlassian.net/browse/GEOS-11611) When Extracting the WFS Service Name from the HTTP Request A Slash Before the Question Marks Causes Issues +* [GEOS-11630](https://osgeo-org.atlassian.net/browse/GEOS-11630) REST API throws HTTP 500 When Security Metadata Has Null Attributes +* [GEOS-11643](https://osgeo-org.atlassian.net/browse/GEOS-11643) WCS input read limits can be fooled by geotiff reader +* [GEOS-11647](https://osgeo-org.atlassian.net/browse/GEOS-11647) Restore "quiet on not found" configuration for REST in global settings +* [GEOS-11649](https://osgeo-org.atlassian.net/browse/GEOS-11649) welcome page per-layer is not respecting global service enablement +* [GEOS-11681](https://osgeo-org.atlassian.net/browse/GEOS-11681) MapML raster GetFeatureInfo not working + +Task: + +* [GEOS-11608](https://osgeo-org.atlassian.net/browse/GEOS-11608) Update Bouncy Castle Crypto package from bcprov-jdk15on:1.69 to bcprov-jdk18on:1.79 +* [GEOS-11631](https://osgeo-org.atlassian.net/browse/GEOS-11631) Update MySQL driver to 9.1.0 +* [GEOS-11650](https://osgeo-org.atlassian.net/browse/GEOS-11650) Update dependencies for monitoring-kafka module +* [GEOS-11659](https://osgeo-org.atlassian.net/browse/GEOS-11659) Apply Palantir Java format on GeoServer +* [GEOS-11671](https://osgeo-org.atlassian.net/browse/GEOS-11671) Upgrade H3 dependency to 3.7.3 +* [GEOS-11685](https://osgeo-org.atlassian.net/browse/GEOS-11685) Bump jetty.version from 9.4.56.v20240826 to 9.4.57.v20241219 + +For the complete list see [2.26.2](https://github.com/geoserver/geoserver/releases/tag/2.26.2) release notes. 
+ +## Community Updates + +Community module development: + +* [GEOS-11635](https://osgeo-org.atlassian.net/browse/GEOS-11635) Add support for opaque auth tokens in OpenID connect +* [GEOS-11637](https://osgeo-org.atlassian.net/browse/GEOS-11637) DGGS min/max resolution settings stop working after restart +* [GEOS-11680](https://osgeo-org.atlassian.net/browse/GEOS-11680) Azure COG assembly lacks mandatory libraries, won't work +* [GEOS-11686](https://osgeo-org.atlassian.net/browse/GEOS-11686) Clickhouse DGGS stores cannot properly read dates +* [GEOS-11687](https://osgeo-org.atlassian.net/browse/GEOS-11687) OGC API packages contain gs-web-core +* [GEOS-11691](https://osgeo-org.atlassian.net/browse/GEOS-11691) Smart data loader accepts bigint and bigserial but not int8 postgresql type alias + +Community modules are shared as source code to encourage collaboration. If a topic being explored is of interest to you, please contact the module developer to offer assistance. + +# About GeoServer 2.26 Series + +Additional information on GeoServer 2.26 series: + +* [GeoServer 2.26 User Manual](https://docs.geoserver.org/2.26.x/en/user/) +* [GeoServer 2024 Q3 Developer Update]({% post_url 2024-07-22-developer-update %}) +* [Raster Attribute Table extension](https://github.com/geoserver/geoserver/wiki/GSIP-222) +* [Community module graduation, amending generality rule](https://github.com/geoserver/geoserver/wiki/GSIP-223) +* [Individual contributor clarification](https://github.com/geoserver/geoserver/wiki/GSIP-224) +* [Migrate geoserver-users from SourceForge to discourse](https://github.com/geoserver/geoserver/wiki/GSIP-225) + +Release notes: +( [2.26.2](https://github.com/geoserver/geoserver/releases/tag/2.26.2) +| [2.26.1](https://github.com/geoserver/geoserver/releases/tag/2.26.1) +| [2.26.0](https://github.com/geoserver/geoserver/releases/tag/2.26.0) +| [2.26-M0](https://github.com/geoserver/geoserver/releases/tag/2.26-M0) +) + 
diff --git a/bin/templates/about226.md b/bin/templates/about226.md index e8c9c893c..23ab61743 100644 --- a/bin/templates/about226.md +++ b/bin/templates/about226.md @@ -1,7 +1,7 @@ {% extends 'about.md' %} {% block features %} -* {% raw %}[GeoServer 2024 Q3 Developer Update]({% post_url 2024-07-22-developer-update.md %}){% endraw %} +* {% raw %}[GeoServer 2024 Q3 Developer Update]({% post_url 2024-07-22-developer-update %}){% endraw %} * [Raster Attribute Table extension](https://github.com/geoserver/geoserver/wiki/GSIP-222) * [Community module graduation, amending generality rule](https://github.com/geoserver/geoserver/wiki/GSIP-223) * [Individual contributor clarification](https://github.com/geoserver/geoserver/wiki/GSIP-224) 
diff --git a/img/posts/2.26/filesystem-sandbox.png b/img/posts/2.26/filesystem-sandbox.png new file mode 100644 index 0000000000000000000000000000000000000000..d9d7d95c10d8295d57ea1a16b676d529b5052bb9 GIT binary patch literal 13056
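Review bot: In the new `_posts/2025-01-27-geoserver-2-26-2-released.md`, the Security Considerations section says the release "addresses security vulnerabilities" but lists only `CVE-2024-38524 Moderate`, with no advisory link, no affected component and no pointer to a fixing issue in the release notes below it, so an operator cannot judge exposure or upgrade priority from the post. Link the CVE entry to its published advisory and name the affected component, or say explicitly that details are withheld under the linked security policy. In the File System Sandbox Isolation bullets of the same file, the code spans after "to the" and "into isolated" carry no path text as shown here, which leaves the isolation boundary undescribed; if they were meant to hold placeholder folder names, make sure the placeholders survive rendering. Minor: "lamda" should be "lambda" and "each others files" should be "each other's files".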
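Review bot: The commit message does not mention the `bin/templates/about226.md` change, where the `post_url` argument loses its `.md` suffix; the message only covers the announcement and the review of issue types. Add a line recording that the template was corrected to match the `{% post_url 2024-07-22-developer-update %}` form used in the new post, so the reason for touching the template is on record.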