From bda73d4de3f91a6171c26d3188b5eb0ee689485e Mon Sep 17 00:00:00 2001 From: James Le Cuirot Date: Fri, 20 Dec 2024 16:21:12 +0000 Subject: [PATCH 01/17] ci-automation: Give the sbsign_image container a name Otherwise it uses the default name, which can clash with other concurrent jobs, especially jobs for the other arches. Signed-off-by: James Le Cuirot --- ci-automation/sbsign_image.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ci-automation/sbsign_image.sh b/ci-automation/sbsign_image.sh index fe3053e7fd6..361401b40e5 100644 --- a/ci-automation/sbsign_image.sh +++ b/ci-automation/sbsign_image.sh @@ -82,7 +82,9 @@ function _sbsign_image_impl() { local sdk_image="$(docker_image_fullname "${sdk_name}" "${docker_sdk_vernum}")" echo "docker image rm -f '${sdk_image}'" >> ./ci-cleanup.sh - ./run_sdk_container -x ./ci-cleanup.sh -v "${FLATCAR_VERSION}" -U -C "${sdk_image}" \ + local docker_vernum="$(vernum_to_docker_image_version "${FLATCAR_VERSION}")" + local sbsign_container="flatcar-sbsign-image-${arch}-${docker_vernum}" + ./run_sdk_container -x ./ci-cleanup.sh -n "${sbsign_container}" -v "${FLATCAR_VERSION}" -U -C "${sdk_image}" \ ./sbsign_image --board="${arch}-usr" \ --group="${channel}" --version="${FLATCAR_VERSION}" \ --output_root="${CONTAINER_IMAGE_ROOT}" \ From aa70fc929f58cc5788058d590402f840b08d3615 Mon Sep 17 00:00:00 2001 From: James Le Cuirot Date: Thu, 19 Dec 2024 18:19:46 +0000 Subject: [PATCH 02/17] Delay generating test update payload in official builds The update payload needs the kernel, which isn't signed during the image job. Secure Boot is not currently enabled for update tests, but we may as well do this properly. The production update upload is generated manually at the end after everything has already been signed. Signed-off-by: James Le Cuirot --- build_image | 2 +- ci-automation/sbsign_image.sh | 3 ++- sbsign_image | 5 ++++- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/build_image b/build_image index a9e6bcdaf82..739bc49b55e 100755 --- a/build_image +++ b/build_image @@ -177,7 +177,7 @@ if [[ "${PROD_IMAGE}" -eq 1 ]]; then if [[ ${FLAGS_extract_update} -eq ${FLAGS_TRUE} ]]; then extract_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}" fi - if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} ]]; then + if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} && ${COREOS_OFFICIAL:-0} -ne 1 ]]; then generate_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}" fi if [[ "${PROD_TAR}" -eq 1 ]]; then diff --git a/ci-automation/sbsign_image.sh b/ci-automation/sbsign_image.sh index 361401b40e5..9f2cb630d95 100644 --- a/ci-automation/sbsign_image.sh +++ b/ci-automation/sbsign_image.sh @@ -91,7 +91,8 @@ function _sbsign_image_impl() { --only_store_compressed # Delete uncompressed generic image before signing and upload - rm "${images_local}/flatcar_production_image.bin" + # Also delete update image because it will be unchanged + rm "${images_local}"/flatcar_production_{image,update}.bin create_digests "${SIGNER}" "${images_local}"/* sign_artifacts "${SIGNER}" "${images_local}"/* copy_to_buildcache "${images_remote}"/ "${images_local}"/* diff --git a/sbsign_image b/sbsign_image index 66aca04472d..7fb3a80d3f3 100755 --- a/sbsign_image +++ b/sbsign_image @@ -61,8 +61,11 @@ switch_to_strict_mode # Create the output directory and temporary mount points. mkdir -p "${BUILD_DIR}" +DISK_LAYOUT="${FLAGS_disk_layout:-base}" + fix_mtab -sbsign_prod_image "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${FLAGS_disk_layout:-base}" +sbsign_prod_image "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}" +generate_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}" echo "Done. ${FLATCAR_PRODUCTION_IMAGE_NAME} and associated files are now signed for Secure Boot in ${BUILD_DIR}." command_completed From 94f95acdc7b6f15f93ea5d17a9951da6c382f284 Mon Sep 17 00:00:00 2001 From: James Le Cuirot Date: Fri, 20 Dec 2024 11:12:36 +0000 Subject: [PATCH 03/17] build_image: Temporarily nobble condition around generate_update Once we have passed the shim review, we will delay this task until the kernel has been signed later in the pipeline. Signed-off-by: James Le Cuirot --- build_image | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/build_image b/build_image index 739bc49b55e..f365c2c1908 100755 --- a/build_image +++ b/build_image @@ -177,7 +177,8 @@ if [[ "${PROD_IMAGE}" -eq 1 ]]; then if [[ ${FLAGS_extract_update} -eq ${FLAGS_TRUE} ]]; then extract_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}" fi - if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} && ${COREOS_OFFICIAL:-0} -ne 1 ]]; then + # TODO: Un-nobble this later when we have passed the shim review. + if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} ]]; then # && ${COREOS_OFFICIAL:-0} -ne 1 ]]; then generate_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}" fi if [[ "${PROD_TAR}" -eq 1 ]]; then From 29a5131380588076b158259878302bd6193528db Mon Sep 17 00:00:00 2001 From: James Le Cuirot Date: Fri, 20 Dec 2024 17:55:11 +0000 Subject: [PATCH 04/17] build_image_util.sh: Don't compress extracted partition unnecessarily I know I recently deduplicated the code between extract_update and generate_update recently, but now that generate_update will sometimes be called at a later time, I've realised that it is compressing and uploading the partition twice. Signed-off-by: James Le Cuirot --- build_library/build_image_util.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh index 2549e4667dc..225e0c864c0 100755 --- a/build_library/build_image_util.sh +++ b/build_library/build_image_util.sh @@ -79,7 +79,9 @@ generate_update() { local devkey="/usr/share/update_engine/update-payload-key.key.pem" # Extract the partition if it isn't extracted already. - [[ -s ${update} ]] || extract_update "${image_name}" "${disk_layout}" + [[ -s ${update} ]] || + "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" \ + extract "${BUILD_DIR}/${image_name}" "USR-A" "${update}" echo "Generating update payload, signed with a dev key" delta_generator \ From a701bbce4b0ad909148fbcef1b287f56e60bd076 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Sat, 28 Dec 2024 07:06:04 +0000 Subject: [PATCH 05/17] sys-kernel/coreos-sources: Update from 6.6.67 to 6.6.68 --- changelog/updates/2024-12-28-linux-6.6.68-update.md | 1 + .../{hv-daemons-6.6.67.ebuild => hv-daemons-6.6.68.ebuild} | 0 ...{coreos-kernel-6.6.67.ebuild => coreos-kernel-6.6.68.ebuild} | 0 ...oreos-modules-6.6.67.ebuild => coreos-modules-6.6.68.ebuild} | 0 .../coreos-overlay/sys-kernel/coreos-sources/Manifest | 2 +- ...oreos-sources-6.6.67.ebuild => coreos-sources-6.6.68.ebuild} | 0 6 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 changelog/updates/2024-12-28-linux-6.6.68-update.md rename sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/{hv-daemons-6.6.67.ebuild => hv-daemons-6.6.68.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-6.6.67.ebuild => coreos-kernel-6.6.68.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-6.6.67.ebuild => coreos-modules-6.6.68.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-6.6.67.ebuild => coreos-sources-6.6.68.ebuild} (100%) diff --git a/changelog/updates/2024-12-28-linux-6.6.68-update.md b/changelog/updates/2024-12-28-linux-6.6.68-update.md new file mode 100644 index 00000000000..fc408d0e6d2 --- /dev/null +++ b/changelog/updates/2024-12-28-linux-6.6.68-update.md @@ -0,0 +1 @@ +- Linux ([6.6.68](https://lwn.net/Articles/1003609)) diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.6.67.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.6.68.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.6.67.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.6.68.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.67.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.68.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.67.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.68.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.6.67.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.6.68.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.6.67.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.6.68.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest index 2a20f710083..e571b3bbbdf 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest @@ -1,2 +1,2 @@ DIST linux-6.6.tar.xz 140064536 BLAKE2B 5f02fd8696d42f7ec8c5fbadec8e7270bdcfcb1f9844a6c4db3e1fd461c93ce1ccda650ca72dceb4890ebcbbf768ba8fba0bce91efc49fbd2c307b04e95665f2 SHA512 458b2c34d46206f9b4ccbac54cc57aeca1eaecaf831bc441e59701bac6eadffc17f6ce24af6eadd0454964e843186539ac0d63295ad2cc32d112b60360c39a35 -DIST patch-6.6.67.xz 3606008 BLAKE2B ae111426d04d1de1f5a0afe387901c8d5025a4061e58cfbbf730198e5f9f4a372d6920d2152c10c26dad82bd36b4f05696e01ce5faa4e43fa30eec4e40a2cb96 SHA512 75e506d6448a23998732bdd3c7c2560f03ebaf4b2489cdb7b6f2abbb636ca51077cb1d095b56e77217312480dcfca8d8d7033eb1d09c53f5d20c7a73c92230e7 +DIST patch-6.6.68.xz 3627932 BLAKE2B f68bcd6b999984dd39aaafeb577816022ec0740b30dbb591eb9b02e9adae96c62ffcaccf22f009573bc1e6180ab3409994e0ce8bb4e935fbb985b4c3534c3824 SHA512 6a190e01adbe9486989d81b0dd06dbe2190798ee7573bcfce9d109a1fe6da5ddb8fd48782d09633a6c8de53930509f0250de6915c1e8406edf8e6e0583a10850 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.6.67.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.6.68.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.6.67.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.6.68.ebuild From 9d552edfd7880fe9ad98768f7fe5c9757075beb2 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Wed, 1 Jan 2025 07:06:10 +0000 Subject: [PATCH 06/17] portage-stable/metadata: Monthly GLSA metadata updates --- .../portage-stable/metadata/glsa/Manifest | 30 ++-- .../metadata/glsa/Manifest.files.gz | Bin 591718 -> 594915 bytes .../metadata/glsa/glsa-202412-01.xml | 42 ++++++ .../metadata/glsa/glsa-202412-02.xml | 63 +++++++++ .../metadata/glsa/glsa-202412-03.xml | 64 +++++++++ .../metadata/glsa/glsa-202412-04.xml | 129 +++++++++++++++++ .../metadata/glsa/glsa-202412-05.xml | 121 ++++++++++++++++ .../metadata/glsa/glsa-202412-06.xml | 133 ++++++++++++++++++ .../metadata/glsa/glsa-202412-07.xml | 104 ++++++++++++++ .../metadata/glsa/glsa-202412-08.xml | 47 +++++++ .../metadata/glsa/glsa-202412-09.xml | 47 +++++++ .../metadata/glsa/glsa-202412-10.xml | 47 +++++++ .../metadata/glsa/glsa-202412-11.xml | 42 ++++++ .../metadata/glsa/glsa-202412-12.xml | 60 ++++++++ .../metadata/glsa/glsa-202412-13.xml | 88 ++++++++++++ .../metadata/glsa/glsa-202412-14.xml | 51 +++++++ .../metadata/glsa/glsa-202412-15.xml | 46 ++++++ .../metadata/glsa/glsa-202412-16.xml | 46 ++++++ .../metadata/glsa/glsa-202412-17.xml | 42 ++++++ .../metadata/glsa/glsa-202412-18.xml | 42 ++++++ .../metadata/glsa/glsa-202412-19.xml | 42 ++++++ .../metadata/glsa/glsa-202412-20.xml | 51 +++++++ .../metadata/glsa/timestamp.chk | 2 +- .../metadata/glsa/timestamp.commit | 2 +- 24 files changed, 1324 insertions(+), 17 deletions(-) create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-01.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-02.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-03.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-04.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-05.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-06.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-07.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-08.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-09.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-10.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-11.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-12.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-13.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-14.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-15.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-16.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-17.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-18.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-19.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-20.xml diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest b/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest index 4f017eb9f89..6cf0235b2e3 100644 --- a/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest @@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 591718 BLAKE2B cd53ee1575b57b03315f3e2b15f89a06fbc6711259ee7a82e1ca6f8970d8fdd183ea1f95f313b15f9f7f905c2c8641fa9ae9f0d8a12e8fedc6851ee3f7c15bbd SHA512 1cf337d112115a521c08a9fa208a2c60a1ef9651426b5a20b7ff05709eda7e21b384c627f1dedd2abb84476daf5fadea280b479585390abd903daec89814b24f -TIMESTAMP 2024-12-01T06:40:23Z +MANIFEST Manifest.files.gz 594915 BLAKE2B 220d9175cb1796cb5045abb4a1dd895efa478aa604a6eb3dde800553a73ce6b12ecf630b6574e1fc834659bac119417be17231464d8355e60ed5ed18f51b8044 SHA512 db425e75cb49a2ea05358c8e7f4e366d86628930a1e26279cb8287fe250565842ac004358a56986eb2aa4342ed7217cf30c8f78d97a02ed24483cca80fd1b2eb +TIMESTAMP 2025-01-01T06:40:41Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmdMBNdfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmd042lfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klANZw/+KSWqV2sDOVWslomj90wmI4kWrUE4ZC46YZtvjGz4Faf9D8i9RzkuV9nB -Lt6HhwNbrTFYYyFv0wAYLBUbNzQUDKl0KwOXs7SjRD+hV2lNRakA/dM1FbHsN0wF -qUd+S3Slmis3NGaIQ5UstxqdG5wjZ04q6BnjdrA5Yaqxj+S8bS04D3HUr5jhKU8A -vR9e7h6fkiABZW52mXVcBvqkSTmqrZcxGss3LpTiWU1VDcbFoVXcjsNQKYUEj9dt -IgWaVX/LwVj3yPSI2TPF2PO8lenyiroADclFwXPHHyuDm6qxXb0v0nie3h4PuG5O -yFVWmpLPkgdO2oCnJhh1W2sh+vu5iV4xnfoxT5U0BMp24s2wt2oKzPieJUhslk4s -lINvCPAVF8VFwgvop3rdwvwQWE7yZCAZuKxD0Y6m8WORExR/MB33Qmc0gm7b6ksC -yFG7AjN6y0qUd2yL1vpl9lvy4Rv0izZnVmuhd0+Jsq/8lgzY8+oiiZMzTxEc8Y/e -8BcxWkB64/Sta0U+GYEYypxS2nPtPAb7BvPu1f2dyBEqO+vDRN5M+0LuhfucKDTo -fuNw7Ri6zyv4thIvUJI7f54AHcGvAGmxQ+ObXHoHrBHtKacSXG6VF/P48rAwX165 -WblhbkW1T4kqLrUiFl/pt9BHP2zCXFkphVMrw4GJyp6KquSqfFA= -=l52K +klBoyg//VQm7GsyyuffSjKJO3H/YJF558ygX0IxnZPwgQweC9ERRd3NlONm2mlph +TzmZhAC+PnRGN+QTZh3M/kNuxPytaf6bg9vSNs2v221CHcSqErbzbMAiDO8ZRPoj +ToTfCC1jH2AoEAAmCWd120MK7nA1dzKx0DSvWhuTv02ssdS9Plj+SJ0SY6stjE3w +vfyYTvVjsz90UppvVl9zdKPQa5st2ojC9/tJxCFEjTxV1ubGJDI/7TdArgyTTSDg +rx4Bbc5su4ANjXbYHofhar2X0/YYF6l/bglDMhCJIn8OwOyzWqXufgrmhmnCrCgt +V6FLxXqWimOmIiIL1YUwUgc3p0JYNuYAwGt5I6Tf/gX2h/4aHOxUvgDdvRf+hoUl +9USr4sw5qovn+pFdDNwYrZ2+Uat83IYET85Mnlc8sqf3wH8I17lPKOzLtcgtkRND +i062wD9kU6gCen6fM80vuW4k40UphiAkrLhy8nMaWjBBVbRdXpGddGdOuPk0yX+b +g+qjOXnkY/rZPek+u0lpS1MPU661IFJgXQs9wFaV9++VXpcpVCyFoyUNhhaIxEH9 +KEQwa8bz2DkoBCeJMYjH3xigcXMavQ9KTrRqkl2lUk1tLf/dBwY3d7Ao8rpCkirO +AF2w3sJ5hbD7PXm4OEDG3EYt1uQftsnV/UcNB26SVu8UT1tfmR0= +=IQdp -----END PGP SIGNATURE----- diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest.files.gz b/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest.files.gz index 22441536c90f8140ca5a7fc23d323720337daea1..1b987a323dd7f4fa75694754ead77658b71cec7f 100644 GIT binary patch delta 26898 zcmV)eK&HRujwIu!B!GkggaU*Egam{Iga(8MvnfJQ7GBSj~-P|!ZVGn8Bpv&a+XSne>&WiLvJ*~BT1C3WO;QDgNRDgMQ?>$ z;~aZ16jV;VIDQ%O2+xlw|BoD~1i_~V@q|4Gb{18Yv%))+5lYufIFjHtZ`I5wa-%Bt zfP!wb{ccqM(sY3=gbKoJ^u|Z$^JDSeS&%>K$8rRm!=F;>vI6XmUtZ`2-D2LW<%LWQ zS56udF}L3xu!%}=oU)~KNo7&^2@5lVqjzOvEA4tAdtW18q}ZluE#K>K46sTjqGHyh zk`1XZ#LZ7v^(IcIt7`X>l3Je~`lAPtUXtnQgHFA*b6D`$m(8aLAAg6}FOBaRPu8Ox zREr*vLpL5BP?W>i;tyxHA>lO10hUXm?2A(TT~)Jny7Xmlf}O-X+-!6D9&h40fJ5K; zqWbg60lrlQ2UF`-rHIhb+cN)MQc{VmJ;OirVIg`_dMZIUhsHZ=^E_F(Rb{rf(FVoH z4=n$W9C+3LM}&}TbbrZlqb?;>oJ-cX`(lgxc@fp5hp?>P<4mu^gZCvMJf{}b(YPju zF0j)NCs3$WE-%m=K1(2C0G z5V}}6s&!D3W&f2(BXR+NHZgCn4R*LmKqeApmTd<`_fCu7N`I0do`@yAMz2l?72v~A zsRKM!Q~j}8|0F!~m$(~&Ajs^M!mY2mvSL{m9nGDiu78wva&)P>)xX-#M+4M4W>-E` z%8zcjMUG%48{Li9DpuBF+b#_IOxeq+@u>uG=XAQt78N#6etSsIUwSUxfC=ha;jtA*&8}&=~W+$z?5)u4&x1lrru@8mA zv>P7rG^al7|Mg?F&X6=hPT1s8@H8^@tT+SFw2Wwwh+q z8W=0MKw+q!A+hQv{Y&#K#j-cuEkB){q0N&;9Rb|CJb$wy#W4|0jkozmr_*LecDAWs zdUB}WEg6ZjU|0%4}ii5%u8iQ9v3f*rY%u!U!{?O_A;h6wDU}laa<+)90FJdx< zQ1OoP>MEz?s;H<3c%JFUYW>6V^-FpssISs4@KrbwtHs z?Qz=5aeq{o;xZ}!=`HdE)gJz+epc#zgUvNWn*0;cP*$vrVgk7?#H4oC^yAxR6N}B1 z*-oQLg*-X`>J-OtAJnVbLn#F{z4HF9zi>#*R1cEXu}5;v>5#e_+iWnEHb$hI1o5yK6L^fU%c`cw1!Z$nHdM2=r-{yQ;^bY6QIbA2~698DIUWr# z>%(3!q>{eKle(X2k?2)**mdsZM}KRwRarP?nhA78al}XXn9K)`8(Xz$B*vA)Y-<*93TK}@e(c$i zEnpe_t^{{Ac#boKv3t`BZR|m4O(IyePWJ8IqNjad0&Ik6jL!eC&^i=mZ3+;;JS>(HkK|XD8MkP2f|O^P1jP6V=%&WZ6XJ zsCcQj+!wiebrt57xupoBYJcKil(?EY2~lHlJCV1JsTS&9F9SikbVq8(|6Q&8V!K&D ze{!Pgku1kSFuJ@A)>g?T+Iq-$!EQY}t7#T$)vDPCk?Uy!X|jS>fB=8H0pL$1flu~$ zao9K=%0@q6v}$=oStMDqd!^{?<{psv82YdxBCuOW=;P3Eo@$>0DVJZa2p4~Hs^Ld~ z3aa{(8#+)J80eg<)M32@1i<9uqbHs-dJ`gNJ9%Ljf2`K)B!1P2!;3u*+T=M})=urZ z6x)T4hc4v<=dSz>6(%^BYJ;OA$YH*3`GWsD-K28J(D-m9D&LE1h<7!6@UO8Ub_g9 zGNb-OXf|>tZ&-q+V-7XS<~r5Oh{@X^FyA4gm=k5!ss324e1K7)lmmq>)v(-`TVh3|3>c0S5+OILCOs* z66SVl019byvAlF8;U<5=;-*JASWxyo&v{(bK$dFxqajL^`=0FG@M0_@vKjzgW}24g_vN*K^0kM(hsSX|X&u)t^qL|%RsOdU z6RJiMirAb~OzOdDZfgH^rLx6BNPO>{*qqN%uAY3aHvN;Q$`04bW<84Lh*{&1yvv;I z1Y@8uFPBpI>7b~*2m7c{F3Ms*sls`p*#mftkI|FJNlNPd_-nP& zKlzMr`=i52FEI8&CCYbk1jjb9oN&NuS|kB4qnyFv=d3qmdYZu#KQ+Ax(pHrpi1x*b z{^&rnXwz7O`H+eKNi~go+2Y%#&ClIuBOE>NI?-FWCG&sK{`R>gwKF-7(@aX6#s!56 z6{ozZ29gZj;|e5g0w-WEYa&lUMFMW>n#Zg{ggPF(t$SYHS^&LLm%G7|3FMs^BIg__ z{Fet&zF4|nY&Q;o(%m4W=(F>{m*AJc1zs4rcCY4%Yq_Ywl9ct;yh}RlZ4VqItVwdW zQp==ria~#Mty{JAXMiBHxHN9EnN?&iVX1T3 zby_0*&R`6Blt>52fWh2KS^cw7Y#C}H=71_F5+LJRsk3uGo;Ly*k5X03)+8wu6_RR` z!F%05R_jMMQ184L>M?@zhf4WTD+5#U!5 zJF}SSoVsIj8m4ZA`hh$7QdCnUN*?vogBTPo3Ih<@9H6+hLeRXRk}uL&Uf%+t)|f)o zX@GKwx{}{WxwoY0OBVAYoTX$_oFpYY-<32!IKpvjULA)gwX&1fWeHR4=j|E~uw6U{ESxt? zL+1qE+fc>NP6mIj@ShRPwYS|vb=k`r z+NyWst#RxnhCcKNww={Qq*Em5o6-6w)6mGH5s z>DQxdJ_QXguo2nhs1kDc10^`AvjG`Zw}HbCBY#l!sg)QJEiKld0yPiky5+D8gKpc1 z;vfNoWr=nVVdOkg;rwVd(|L)YuglB+U#s4HU4E)hLngZNQgK}O8f%bOllPEpx zXMeEbpUIW&Xfc~_rE|R2wwAUU)R~6V+*p4KDsMgyLZoH7Li{?r$f^o~oXxvzVqy>@ zC?-GNyN5eFSVPpf^wLP)Wo;WZM-w|2BPYhU?9XSl^zxN4M9z?_p`%kK0_Ctl zLw|H20>4ni{83go57OO81<&bNwL;2Hfq!>J)d*g5JEzHEJXTbafCXob+4+;5#`~oX zl+zD>1TUWF*9_Usr`tTay|Yq5ty2kzE-5lglVt;}F2xq*nv3n89VN?Z)pERnucyU? zLuL*kklkbJ+p%4LqU~f!>?9uZ705dv=6Pts0}6WnJBv}?EZtN-2qO6gwe(y?xM^QdhxCY>G_z-Jf5}zo$lo89nPRlwiyRV z(@;u80JKJD+g0S&Rp$(!s+t!zVg%`(nsp~WzVl5TrJyXI@(qcTff9Hf8h_w=8F1(v zJ{39UoltpRvHRQ-8-VadC{5pyGzjl+SB)Hyv8Xuz&Y0#-WdtM!?$-b@v)>ef;=p4iC@s$oqPm7^Nmqaa;qu z2X4>V3&)@{nNB!Oi>OIkA8-M25J#*V0YAS5Q zOw#<{sJNt7R^Ft2JN`@A-Fdh6W#8RE{^zc`Umc1j8f1hv6vU$eA|62@S$N#6P?Jre zNT(i&;EYpQeTQZXczptjoiV2#a-_3s2i?_do|gQk0F8fS^A5*oG}{4||Hz5|Si1Rp zDylk4B5O`JoFIvn9Dl@mRYI5JL=S;Sdjzl&C-o71Jt}JcNn!J{3BT-g%KE;-W^n@7 zB46b4!eVO(AIhb(l6-h${YY#VNyR&W`@;ZVHnbl#VA!OI^TcmXQhP4%%k@_q)&t>C z>!`8Qg6`(F${Zk!gaVyiYgO5x>%Fdsr!Hl-((6)Lb2?~wuzxEFw4fc*`Q4u^{cglx zQT`?SQ@?r;+vSOhL-{-BhR9nSa7C-d$rMyhP8VI5^{SqF*ekQihN*c-8ZUoCJJB~i zmBor1b?{?-EvuIr^-!c%N=_h0HS_^7)Y>V0Y;v9Q)Yn}jCUP(-I!iX9B(MxxY;RS^ zIO*qO1z9$FH-Ej{no&8|B0Ge7hR;_VP;V6{#YsQG%S65)P?y!A{LYjX$FbG&mD6#O zZAHm6?NZImtL^1%T6#9c5r5uyK3jH$YJAD1p!8*DYFB4R zm-3seSTxW&1oNEZIMPTe_%_OJf0;5vUaV-(<9#FfF*@}@Ae0jY_~AK+ws(A)EJ)O( ztfwux7T16K^5tWOett=K2JN`iva+EWSF-;>Vj_Y)QSf}Jg{p8e*;(J-cHFja7cl*v zNB>h?zc+GEKwqkoSt-PbgcH20|nSi&&^A5FY{^bVzrZs z5VxY&01U4ddAwhH>n-8=brM;ka;S->I#0IO@_!t>DCf>uA&$)rXaVydQS@Pi_xM# zh;zb3v?lA7S~!ybsEnQZIka|@S#s_XNPmg3l$r)D2m9ngX^NvdK6qatFN7RHo`sTV9OJ9PY?#YXX*P2++^*)KcJAd?` zn$B(Rm)RSfCI)W+-2qQvJm)gCBvBhfCjas_Q(aTt$H{k`foF%#Tk9>p>!e5pscjGT z-kN$PQftz+KSmi&Ht;4t{aUS;glGOTFCZqWzoX~aWn1J@*Qk1v!-iUlq?4$mq$)Z= ziKp08dp5^aGsCRZ?a&v1zx!-8d4F&dAOZNPDn}tAY65)d%=qZzqfu<5-rBOBZyp2% zFL_H%`||?BdCQ}8DIt&gO2QUdd#N2*Y%0`s*?1&k5-dO)P8&K5+H{7yOT2~}1nri$ z=)hFBIpG<6T)swC7S(~iw5yYHKYt*ImxO2gx~m?l6l~Kc4^r}qPeAE?qJMW0q3cGW zyQ8gx$H9T;n%>$e$vX2H1fs{udDdu^0xmn7lr%QjDN^{MSePw*W%QF;uFnG~cYNhz zf0W4^m#P`gJ9+u8sYtMEad;6$9F^Z2iqc}6PQTae}76)l>zMgYqeeyo?mm-lryLFBPy4ZszuB`>}i2f)f!v! zcOL}J2}-pfK7WSWzvNR%e>0X6LjI=49L>K=~lPfcf+)_)YjKVj=ZmQ}`26?wwY*rmyrKLhvskx@0_d-(0_M#%`KRobojo>y{Z!stxns7#K~)#Q3Sf3hMr%E<4-Y#4w=#xa^i2y(w&AH8 zLzOvhkKtpWn3DEU_kT+2W@~;f(<&=VasrjlLrXT zyCSPPeo_o+`V^EtS?s7a1ldXqIL@t3T{S5dL4sMjT;&I%7mau+)$&C*Z(I&0?9HO(fCoc+gYy{xsqco3kYUS+LO;Psq7eXuRZbr{{o$t6l~q}?M@#lCSOi{;0VEvm_c!{OTguz%s~BFP!}v0DGI{CR$IVgukw zD|oWv!w);XvMlOpPU*yi>afkk0m73v)K6Xr)vyNTS2Op4xdsVe@TdYtyc=O{fm`ia z<~?f6CvC?H@Ojn*@dN{_j0gOD-|WZJDHCv7*lw1_9g?(Trp_a(->wkg3=UPlfIDV|wAC?DO zw{Pj;-KaV45v$MB z#M0dh@oq$MxODV!YvRF?{_kqNS-M|pWikk^%^TH=ikC;tK*a_C1gTI$Eu|fkax|wC zqny}NmQYuwgUYcx_j_$EzN+{qU{#!WS0~jY9qiR~m8aqqCepnLu~(5YYJoSITfoV((E`(ls}qwJ;rea)LoOr zMzCpo0&n@l(tQdbl+sg%Vbuqg;*)=quC+tsHU-#5r9tejaq-CNL9HRcLV)s z>rKQx$wPyxN#P>upJYE#mg%kDE+tX&T5%b=RJE-62bTZG(gj_A%_oxV+)i`IRwZE_ z`U+p$REf7l{FfNpblWI^_aIT3LWh!V>D{g1)tJnmXf9hWN~j^3Q= z!~=Kia1m)_ZE!@t6s3P6-?~(OX&nv-o#dMVa#P2c7@_j6UIlfhjI4ZjQwJdFFW;2c z@W$kJ7GKvA8BFu=5=p)l1t)P}G{21XhYowiahO2?7bG_PTCG=K{>$F`*dokncQ+g; zpCIrj>OfR&$4kRXtG0fFGM4V}hv&3Anw$Cmw?s2pK)Gtq!ES#_z*W^TH38ECs}#qg z$w1|FOvr7hQP8>_{h93}Ft31;3df)piHa&?vI0)bkzOWoZ+4!0*}b^@a1Wufo>MkT zCvE$(K=#k0ps00?G;*&FdsSS$=^b0y;hN=5``8rISGPG#K>Od-svpDZFLbIly!OUh zL)z|=^1w=r5Vn6**Ppy-8_!^GjbSfP5dMhdS%B|D08 zH^(#87&ISnoTjFI{6fM7@aP@o`4dIkI4j*bmk<;inQlE1LsWlzvL6cblc z3p9PtQ>IE-+JjX|Y|dA%T8^d3m_FeKQc{$44rMD*9Rz=;Wwx#hnM8VDKUORK*S1Yz z9WMvNRzD}P@x-e5M5(A{+sf}hD=K|!o@o1d0v`b1ib(42?WhHKXMv^JI|@-*Yv$}U z+9}74jd!b)4WgzXdYq*t0~3v(cMqZj2X}8N=1Kl5m4&+5{CZ+@dy4vj4m4C&L7NC0 zd)fSwoS=Wa%a(IKbt^t?BPraU?4Tu;Pzs1y*C=XJ$5@71>h)M&hEm^^JO6j$uD)5i zWctr)o$R2Z@sd-)N@s-IA?oTyi;`{xbY-Ynfgv@tv+vwyQW-U>B*tf}6NTI@K7n9otwj=%9$1>>usG+o;$9r)#D0DmsyeGYcV`RfjC8cE_>DNg- zm%hdbApuO6;Km3fAyruD72u;iIWgg5D(u*`wr zksNY*g7hSEFHaPlu-K}^&Oh2U1&JnqZ@=_XTviz~D#_g)GM69aTubI3?xOw#s|Yr{ zC30#zA@@R!%yISXGawUDKXV_Jr#1mbGoI_HShB_fS_$ZT4 zd714{5*twbP(dn^>Y}|=%G9BMbnn&GmXmI$A<{o0wx%~x1|vbCtb2z`@$vXmI+ zkvV8CIS18wTJLU*`C@Yk|7W219QWQ4t;`>*^_pA>pE^Wnab(fY%Wj;KPQK?*$rV{|?O& z35Lyn*qdXsyHs`^*;gzI|F#L|2;D3WNp9Gr*AyKbU>5V%leQn@$7;Q1$i8kdyiw1sQL5xam*mL^ zFMq83^r%$;-K+PsIse28Er>t>Us}4#KNLp^rEHy=Umnr}Q(`Lt$A=Fv(z1KD)Qh1e zAS`MjQk-|yW?h*_fNiN6_OP-{EOdmbQ;x>t+1< zrPHi@&z;&9vem4P&D0dvQ*0_H&h8GuXkG z?t;$2PzSH4)TW4q^tS`-bw5o%%zq}?Z#g8=0G$$S9WV;iZCOzy+hbJj_i)x=oqGg_ zY;ND~$7;Q_-M-ACs7#MLIUql%N*~_%?OlvM?`I930i)8=?%UygPKutt`2moTnut{f9F-QaB&s5Zt?(OzKy?>h6HF`r; z8Ae`~OCPf+d>*}4IfkCqx;md)3R_k^W0v+&D^TLu1^9a&$$D}xr@lZ2T02O^6!6cy?b{tz&A7W4F)S3(|@= zwSBt?Px)(X^{uzQ8}wv6l7Ab>P8gx_HdUdmMhY`1)EcJIYEaL>qKo&4;|d z5m26ziZ@}p4qi}X$3B|om*tPz1AdX*6m&8?BLx$MVBIE4z()J7rKtU!4u9}c4uUKZ zPa6o{*GQ?l+mF@yr_&t2`ts(Nz zsEQ9oBsGl??F9Bar#?A=U5$|u@mqP=Q{%^>W6p2#wINARZICBYxx_P(uzTM%^sJ zJ{6Y#2XC%T<&J7E<$uR&{bP+#v3)u=y21buik9Qi&Zu{9cEhDKANmY96Y+R`B@d?` zrz{RBHL5ZiEcZWcihg#shLfc2lZb&pOcCPF4`KJ!+11v7X=qTx`u2C_L&6%)Gu(T3 z@H>2XFmKTdus&LrT!dASbXDCmIyobEs|97IlI{TQ9Ml_NX@5tCWK-XI|AbA-ZUnf+ zE6tQbnRt>_ROgMUk^d0=f1Jb@1N{2J@}xwdmW~6eR1FCR>}p#$Y~OozwO)g`b7{jI zs0+JZ4odADnoDIbuX^ihBZSRG2g}&k*@TQ|t|y*{5`u?fZ&z08nZO@P-J_OoEUzBB zonOv{eIs6wBY)9Ezk}5;K=s^Y*J=cFo@UAAvQZ~oinbB9%G_46ayqxg){-{FdwK#$ zvguv09p;Or)35=nyR%#>r-c5iaB#jE;NiP!o^#)unzxzGoG~qqj}!9qORy1>bp4 zXP90o7X4-#_g;WYe(minn`XCNrCtipAFK89T=`PZh|0aI6i~Fh07W~NBlXHV+&v;y zlsObm27h7UkQJHxF8TB;8{=R}mSWSFS7(9cv(9xnotGdGr{(5V2!tG_wjQ5Gm;(;o zADdiOa5>$h4cet%q^=p|1iNYc>g$vJK97DB8vrSQ!1STgj5&e~juA&CB~GuVz17!L zt#V}8*jsqkTlnHrDCDA}p>yDBPJzhzpdYLC&k-!@n*mOaHUUx10Dq4|&6J{-7tjbL ze^nn{!7RC7Eg=>DsIMgD+h5_3lNC5ba#G&C(@^xcCJ~=|T0&{1zJfBPr^?=WYBNwB z?(9LCN0uF&AT{^Yc9QgT@@2#MIEDbkWv`wqX`_1HlDr~t(FTx}WF+z`QeF@16l#F^ zqwJsM)+3qO=15iV9y++J zGz1Wo4CuX^a~z%U;skMO!Fjq&Jz#?11vPzf+4apvFF&5IXHN~){A0C#utwMjhx22J zbX#O&IZmXG1;NpIqyhACjsS#1Thky%D=YQvOL&G9i1NE|ijJszTY# zvP_))nMvZF#ME#BcLpeQcY$R2I;OA4^#~Fq)EupKUYgj%Tr_I^ueRIyW`MUZEU)es z9Kf72Gt}545qEKtx>S085`!G>u9cUY(g-1cIhx(3=-~08Fq)3(I-)B=`MJdyx`oFr z;p;Ms#Cpt z5b|lf9vx3*pVh6f;1H8zB^7*0<)97qK}yzPx!Qy|+X!R(i?CMgxKoP#Xo`_Yv{nG$ z`?e9mfqMC}&^>Ege)C}sPy(c&1WurT=^v~0!tzJ@W`Nr#Z*py9D9m;#LVOtn4!dYs zMt|KVL{r2`;rhl5OBd3l$6 zIuP{ko%X~hc$@Mljp>6r83{J38?jd=;dCL zZ<>Jp&0Y%C?0IQib!kX3q*Re>x_RLP9d8gH7toIw}y3El7rFiwTjk+kDi8nbB8dLj@3HUidU+7b09r9NCJL5 z_P{$;-$(U_U63VsSIP9?+2*i+FCnJ&E-gB#0yZ6h3=VeRJG3iiAc=AE@mW)E&YX^e zAe(rWt<Y*C5l+q>Vcwd}!Ph>|kT zsZBg-_I~ylH9y_=SVra5DRPi5dA!G3dR3pYJf<2IIs#C!{a_@2oi7Hswwj+PFH7{& z6p*k^@j*#Hys=!$|FjCc;*4>GNNef@B<Q0Aay8hqdXBuvE~*U>7P&t-xy(_i z6k)f&IK1SDV^iOMoHEut5m35rZ{^rmx=6I)^h!{BoOi7h!WFh>(DMUty%^wpi4T^a zs?(p+p!t$dwPq*Fofi<4P_uZG-gcGkX+j!zK$0U++Sb~fZBGS*hl=h|1R6(cfQR}Z zQVA-s`B-2I{&QW|Ef>159kO%SUkq?%9j-u{=S>8CK&cjg)i(i76|pdTT4yA3vt2L! zagufkYV_+TO8U74pX@4a|2SahttabckY5hPs&=K`LG`|J5+o`q`|dUsiIhJ&HtE%u z|MD&%#qh9eU$#}!aLrA1lNRFRQEA#=4Spp7si=>vgH{q?mMm%orvosGL| z=S!{m!#k|@YqkFM<@tMGlPi+^v!f`K@?^jxO7E;7C^_y&a8y9C(Z~`yQOpx6@4ZM- zs!g4ax~gQ}Ie8#b0YY7doZ!#oMUw| zEjk54ZP29VskW5hr|64ZoGEcC83X{Mao66tClRD5`m`#~Dxe`CCbvuqj%6+qblT6@DyE-*i-1T0alvT!S6E=Q$`mwS9Z{w{C}&l9kRy zhErkUu%4{8j7kn5bCa!oYaK$#3C(e25{x}DI|BS6%W z97x|;KtQ$KfQs`kR6Hhv^V4Dclph_l$@{hug*y?GGS za-Y5Bcs7+6fKrDW1%$HK%xrPeG&_3f#4Q$*v*ak`Oq**Qk)av-od{A*aTh7RtCa zx7Ij8g2fy>XNSGQG$<`^Di+R+^-2PDhpH4%k=vsvhgdY90S|GA%lohHcI>#7>V|oob|W z;54x2L+799wW6m*^>zTHJvM$LE3i&At&&57QA0-(lI}3K98#qK)*zlmek3YXl}MFU zCpbH!LHEM<%{~W>GRu^z_Q6y%e`j)P$qO4D0nuu>te+fL+bq!!K ziuZ~@rmpZ7rPL&$zgO$6>&LPE0A6jGomgV#!@y0KXUkgN0G9RX$AvME87KUV7>-fHm^w@3%% ze{U6vce~L9WY117ddkxfe_PU-0_;;;1HL9*#A;T6n{tMo{am&o0N;ttownr>Q7Jn7 zSGCz5;{YU9owaVi;ntuHAaS-|`)DLJMahnB+I%@uHON_06BQf#i-V&LPBL`LrC`~_ zIL?Bc+sV3HhJiimJ)BhxHiGlw{j(!m=TK6uQ;b}0Bzf{D-dk_q4O^eJbw+F=-Gk6#n*&6o$0%{RUYFP12tIpPXz5f+g8iWS>ZR&b}ewM7w>_tV@ zRV*Yme#z!>-?(duK`mai5{^1CHjujlzl1UmslnQ^hjYZ9Xdjiuc|@MS?FRZ(zw{Ou zaVj;(h&mvh(nMDVc*bJx%#T$Id71^S@*|FT!wyfMM<9?qOP-ga|62%FKHd|xDYzv& z2M0p|hHQ;8ua|(|2pl*=e9+B8ie;xUS4d_Grj0 zyZy1mBdGmYtrwPWA0EUt*{j5Kw&tqB2^BrI^_fZNp*GQAkd;u(ojj(lq_Y<7cH{+M zr+z8lKyFCr{G65$GgljAS*3U49-*5wujzG^vI%5q;jp2d#;3nU%~!TfQc)YGe?C(H z&Oz7WJ!|8pXMwkGDi{RPGJoc^5rL8VUO(pshzQMeyr9HB|J*Rrg*_&8Mr0D^@s0HY3mMWn{trI?2LdYWR^=0@wz7v zZP#uztSvHPIX306O|P>FrmXkVe}dD$BLm*->s4Dys-#ve4*Ky?S>#CY0ZnBPg61Xr zU*)oyS|3qsySq@rA3)`4{i1*jyVZe~ArVKlWkSR}N$DYUWhkbe1@bm22G3>FVi9ge zw^}315K5KU1|G^Qe15Ff+ZW?=v#&6qLeozAkr}JChf}+3Yi$6!S20AOf1I7MoSgt5 z@0}vN49_fomO&8JOME&Dq1nld z*{Re~`=RQiLuFxGVC5)DOq1EHXG!_BTK};8@uk!3VCu~tDw{1>`E-|Mg#eu zt*~qgY9wyA&M|n(HZ8LH9tFAo`dnQ=YwKO}SFJgG&(+&t)9d$>2lr>pCw1hW# z6FiF#H`~^NdK8V6)(YUbrSzWFt;hE2PUi$?9I`dJ#he5ofAvs_;7arm1~o7uwv#Bj zSM2S}7sIwP@$k8}#}bb|B5UEC8mUEPdtRqRx1B5xwet4-mP36tHWqeLi#>81G@u>c zC08wJG}szeBAmlx_cJL!9ii!&ghp0d`nLbTTk+*_7rs~{hgSzYtTVx&Yy!e1-$kBc zv#och^N?H1BwME<Mf2&`?f->8e5vcoLHpxD+(O4_RZ0c9CgZ`9B2xR)2?2swXC z9*?S?s^w5@kgH`ZR8@J}R5F76*~mZMyJdL_4|SNtlwUdVpL$05(nyL?0}g;xopO|y zBDVIT0t@cY4?yuxWC7gjY=fM5ulINzNv*(^4rju><|a8h*SJYB9O*(_)y^swHq*G3 z*HI5@OzmSqWV#uacc)p>;Gs`Bhwguo&f_2gIaf{vC6HoY2&)~=;J(#j$zK*X7_RNO!-psX4*YtQb>S%gceVcUAe_DWR6c(s zt>XP5k+`c|z^2tCobWPu6&im6tE1`UDB#lJJSTVa+=h40oi%qgc@i}2?oz3;N^M&- z==gnV!t0cE)%c0RF?kbBv7#{j_;dq}z;f7)RNkU4qk^+D_S5c@{oJYhZ`PDZK^6os zbXg|AiQ+URHLTX;_xWi4I+VJR5u{}EpOI6U6WFhjaoPSOZFl6C*HwSVj~>K}2NA%G zpXCZN@WcpKckZ0?T9n1=uk4X;M=CDLjq?yqUh2_O(gE_jZD(?d^G1ryjV;TkGMkP% zj)vTtk8)TZrMsl^d4a}{QS*V#!X6F!ls+S|3Pb6WEKiZGDI2Z!qH4x!MU-ELb`GSD zM6}h_f+#(lJXy-n9sGZm=Jk;3xu?T$O_y=161F}Sc=C3?Y6AqeATcb0rPuGJ{&%qY zdQ0Jj`v0sRKn$anzWD@oft_z?V&uTJd1-gwK!2=Y{~@*Hq?eo4q8#*0#rTq zxIUCcd^Vx}*(&PQ!7p}z6F#x2B*waAf6y!3j}aM(K5(QtsFZ&;Rb02gzHyov^PUx+ z@*oZQI-PKc))Zb?wR7gDmkaWxt}dl}9p~~UdtT>M9Kg!@3d(Ke87N=amX3o)9n2-E z&L6AwlFw-M%eJknmUvW7`zb337cWo0b!9%5wcdudG6r;;_)m!mqXrRHqu&Ww|w z(gW%jQ>XL(v0BGVQtJA$KTul{T#UlkYZ)V|mmW z)F$jei4f&ceXtywk!Wv!1Hy|2*Y+!vd7b1`5YiJJL;#ntC%U&x??RESq*1bSL0*kJ zZtt}#812vocIuLz1e%1Q!>@7vjdi-=h9voWGn;b|M5k?=P5!Yi%V{eebT?Pcr8z!$ z5Ec5<4Um5%=aGKxt@4r{{u;ScMeo!ahHbjXbapew1|NmCdaGWbKZ+po7Pp=wn5uLY z)~K3DNJ?cDhnJrLkW#VR3z&yMep$pgb*}?k+^n$bpmvUqAe5;p#(Qtw4&_}b0l6qf z*Al-aFK50+%wAwP{S~)bFi0M}s%ZJKZX{^vird5lOXH2Ss6Mv>; z#C2YZ0)_4Ql?$o&&K#ZU6;asJjcUZy%ef3nYX^3JJM~YmYV(S34>bU(U_ss5fOu;e zpY)OAf4W9y5=RyDi&B6m8-s(`NNyU8_)GP56TyM170*?zp{NMgw5!=NjAZWXl%;#< z(Z;fQ5Dqmz)uh}}m~#BQ9q)5q(K!*q*pJnEk($2%mtv36hq$-zng&jDyZ6XFQ+QJ< zO}rd`;+BQb@=%PtOa~h;@i<3pN<`*hoRxa}&oGFns_W7}YTCc`@{IWml`@&0%s=3S3 z?fOlstgUS?$e!?Mv!JpiZymiWb>E&nRDN9AjZy@EB*x3@Pj|T!pM_JRV?nllSM{Sd z3C{1;BJPE{Wtpe4*}8Q6sc)!trN$-SV@sgcvmL#k*QFILK`BU=VeKhM_!|Zmb#2Cf zI3)jcc3lhX2DL>auSkn@$0xn{d)OmG(=$~E|GQc*DZKWzS|>rOQ6AjOqVvdGE(6$H z?&VdG=HG7AB0XEHotwfP0KW`t)cRLkl|y^k7`*KsuZJ=q+d67eAHiNErgs!=2zvf~Ky{3k!mX#|2qgnqjW#mX&X%4f?&?tPO_dEP z4yW{abr`R+wJijs?i!K5SUKFO{%8ljr0~ku=t?iPk+n&^)FuEaJF9cWc$(KJ6PDvC zEWpMMUAHCTSdjie{!~0RYi}7G|0Vae<_JbtcB*NlAcMz=E581voEa}cS(WO=i5d4j zM0RC=!EO;QWgB{&VTBRds9VvFjk+;N2S)^Nur*ys$e5rDvJnzwe6pAk?yeob1R!wA?Vl({qVqF1B%NVee^4W%} zdgwX0bwyOU3q!qAl|tlaQ9BHIQb#AxU)eT))p4-L;$h2KwW7xfb`Fn>)O!mDcC&9! zVE^{H#%NR9qIjIe33w2H3%}k09Iq<>dqvjX#;@NJ2i*p4dbAalrlR)- zxhhfn56w$LaOjDmPCP(9A(Ra3EF#Nv29aM#OgikM`0rMtR0KXQ-HmPqx!bH=mr^#q z;dtxJCf{>Yb$lG3Ym7xr!cTVH!NClgaZw`Lp1CitwWC8-r}gPg`7fdOF4by(fAQ?8 z+QOw6qZ%#!;4y$}nuc0js7i4g;Ulk9L@~*+2LEVp+ykACAFK7cBKxv!E840ojr1m^ z>l#!Ny3UTVg^1Tm*)}TQmP)!0(y{js8VXloV zZPW?rwN&dqWRgnio}bYb_2<=peBH*&B_S#0BM1~)$^%@mUp9{sIM0u7U zyP}3NJnKo73EC}HuLKGhh2#yKSvEh_mXjrb3)xyy4V*gFd1N~gZsF5^0#YOZ2K6He z+D&G%U5vvs-6mm8V{^RKlxv$SGbgZ|V=S&HS$=V0+Qs{$Iyt zkm~ZXam5jwL1m$$R1@fbaHtF}=RoaRDP+#C1&yD1_YU^*Wu;t`9(4=gz>)T&U06QH z9^7+U5viR5mK6|69u@H>kV5X8DECIE&tCrKt5)7?Mza+qQ#j8dOmFP#;E?yN+X97i zr6Nx34c9ArUH3rqFYi zC8fUL6GZ-XadJ5}-kJ5KKD}N%;I?UGOIv&LBcH)n%ucLbfUIKsloS*ArfdW6?9OIv zJd2VwN0vz6wqxFZv2Q;|+ka*7;v_dQp_GprVehAI)>-$lf^!hiUVOQnLWCy1Q)b{`4c!^ zB9lYlAniNWKQp8v%gE`%plgMS=X__c`G|o>(xu>?6J>ONM_HUiY)%L1bm!-?MSO^g z#8dB=2}{nM$ZzF^3927eSf)mVSq(pMwY7FUyo@>&=qmi=WePbqcaq>KDSVq_Ztsu% zoIh6URaJkw4WyiWhtctHFaU5)IVptI=rtG$TTcj&-P;s|v>u|ouqGUI+p+R@L>n1su?5?PfWR#cb zkglp_MvP3c=EP+5l1v4L63ITgrv&vJ?c{Inte2RZ5AP@_tJpHdKI?uvSEv?vE#w|; zf9H>XocNFKCb9P;na)POd28&^&M|x3B~&&_MuNnqL%8HH{!4PckVjV4q^pRhLx)Pu z1^iBwrzmF!dACf+C2TnNznbb!;G?xAjgrXpRIt$lM};vj>)OxLK(nIj+*DzMlcJXDO|A#HvE$QFl`Cm0rfnxb_c0Y#i{P1S)Kh7H z?SmDGvPjK6TM9w9fU7nIyeTz~ylraLVY-s3Gb?=qLLqX6OCCp5&Z&w-DcXR^QTMHC zP-a7EyT^JuSt=+aPoF)#F8^>wvR0A5BB1*53N2=k9>R&qdmDm8upSp;l}rb~A) zhf0@S`(iQHB;RI`g+^S<(N|)|(tMJC$3743JY6;t*K-hCmSfC8ZK7k56vt<8DIwan zT!0L%b%(evioEIAgLR5FIWb7Zn*Ekbv2H8;to!fPetXm1jxPciFqg`KdK$b;aL{1FE;>p2-cGE4BJ6Fe>>K4#Er{h7@0l-#wwp-UG;oeCJH;IrnE5-I9 zLJS*cS#`o^h~lJ|7h##^Dt#)4aco0^P65R4Ad{S@M0ILb_T zS0;=-3t%k68*5&`_E#m@2O`>k(K;`pulQrN{$cs!>#q9LD})R}*{3>z;hjvPmugTq zIT~WBHd?w3k+V5bRQEDW0d{T5Ri;dl_I=xcCmCp3ad@Q?m7dhmiWq0tAO20? z{ix2`)5j8!FHA-9I6|<;v4G6?pXw{sHYGvd*Iaj48gLFpp=3>7gf3}+Z>k>OtZGw{ z?~01Bs!7#VC_G8y=7&?K5&!y443UZI+?;Hp;56Bf)%tfsR=x!0uQE;DMGXk~t<-w_ zS0__)^X?S9K#d^Psq0$-==bJW{`t)+ljB&5q>xB1V8_R~ zB?Umj+)vNMuK?E8j-~UnQ<(7#&4g^8QNf&cjmQv+ zr=JQJdIaKADB*`DNjm-5X)!sI$N1(d14$qw5?oStz~aB6{CiaR6Socub{%gD3GVI= zlLS4Sa_%|qyWRvYq&RKLBiauEzJR-(`YA4v*Je4`r1O7R=>4#NG3c4Jr#pl_8d6Ze zp7uyUVx?$E(e4}M`o2$eaQM{AEoJGBAQJGHH%U_WW&dfR;$&=9uIx~)o`o$^XVd?_H09blSQTZjKX$uDGd}WDA6`lOA6|ABIYoZ}Sd4)m9Nx9q;fsMx-xcTQtIjEoH==N zGqE-IqIAABe~fzcn6`J{ya~Pjd{4+8ZOh7BMPbc3$L(|&V8?V7CxU@?OXnXX3CEm_RR{*{BLn@uF}GyDdEn zvy^`wY@Hu+Y{>za$BQ;6Eq|=mAC{+l`ZBo#mWt3Umy7ubCx0r4f}MD6pKTI=qKDq^ zJf-O*qZ1o1G;Twx)o;bm-W{8!J;bA+q&mwS$MdL8wYps#6s=NO$YIs8mh!+Dsx0r7 zTF60KuKlIrkUP&agEK74Iq*Vq*>EOCa}-~cU+pxy?zOA)lqy90ceP%!Kl$rs{{g5_ zs3`V*Y#Vv|f`2zfqGE*3A{G@rk_IM&wXx~z4EY%yk|uP69-_ndL!0SB^%E%oqs&lh zBrn$0nMhHU9$W96d7V_%W&kLK50(%2)_jR-o;Mktr~3ArCM+>tk*#r^m!^s2HIL=f z_Z^B*QRTmN@`fWjdP-nb4t9`q^yL6bHqIxXTq4mej3!c9f$IVLkvZ-wh$w!nR(!>+ z_%+VS>*U~r0uQQCO$dU!u$U8AlQ$T z<4<|c<(*?00{#4W%h)x209#nKCnp&IFTiBZcvGuM+b1w~(+X9cEovg&rqYrTos>t? zEdDG}EsHbm+stQ4OziBcJKvNh?FW{BvE7a@NvUAn>DVZ*0Bpy*ypmdw-W5E?ZGWAs zx8HJ#f(WpoZY5-xG8~s+6%<-{RECt0s;^Tf|7VIQt&7GX#Y7)E=MwaV2#F04fD%p$ ze^yIT=DM~GT<|`T5U++CfiMBTIm!HuqMdbCwK$1Ssm`cH&*`AvlNILI-YPppc3BP$ z5SYSpO_lcN8Wh*L>PboYcmv~73-LZkya-k15lbq7`S^*fh9{0JTafR|tV z2w)*pU0UKKIe4Y7A%^mgUc;wHw+}te$ zY_YIVUR_aZM}O{+o#h1fBlL~kf%Ed0i~R^Ue^_-OS7CbGO634{WSyo>CzD?CW3}pw z0{$iY^KiOPm6euq%`(c_KilQmdvpNiHNcJRxhPsKRhOng)F;GwH%K<-5%ywAf^^pS zegN(oY=Q!s_hf_Iq*;kF-{**|q1Id4KBo6-X~zS&Yun724fqsi>uQwX=^NN$fW)HJ ze`nQ>I_rOY%5bQtk6@=MMS+ zLy7>Kc`1}FQEFpVLj;N)?<8t2c_`B*fBBCe$n9eZ7%wSB1Y)vi_9YD}&Lwak{h4afSYDDT~@7jS*tj5k>Y{d-F zh!Q26NSMUPSG|%W3+>OlHeA}sZ+5HBMkd@+&(A>yJOyV5wWK-(nx5)Y<(M!5;8AAj1VV$=(n>PS-nH1(K_yPV;tQJk zU0TUVRB9fxUKB0X1*KBCfXnsL=w2iXTpQU9^ zO1gUtO;?D9M6+=!c&Dx1e>0@uOU&(RTtA`-(gm+WUC3MiC9tUp*RCcH)@-Yt)EJit zg2ivTeir3t!lTw0ho9>4$7;oYbz=Co*5bEubd&%ji8~nrK+RGtq!vH-rG|wvUqBk2 zk_vf_fde3^ap;jPoT#_dI?i@!_5Q!Ug{-*M|O z8ab@S&UFreH$cMZj~5~CY`a}vnw&p_5_mv*DQ<8{wgOB6~Ecvi{qA7Thm7QQO zbH1Imq_(~_d(`%se^X2i#3P+U>7C*%A`eX6`b=3eGFTNU=GC63O1zy-v$?Z9xG2ZR zEQ+u%S8vZUX*90l#H2)Ojsb9H_2QZKg_HVm6jj?lLZR#KL_an35mlkwjzCJF>U`al zoN81Cw>GW(UQHm`>2d;P$pa5lr=ncpf3bXwAKSL$ORlV`f3;t>zXRm}c`yL(s2DB{ z5rzf();RTYixd-f3*Q^kWHhI^jcOwnr8`q`W-{n;9+X@wnaK4x{X#?xW#uhx16C7- z0@IVswl{(pQZUSRiXkXJORC`E=M8kKD)v59%C~)(N1;%~lqjobh+2F)I~G-x)oq*NK@cmQKsXFv7FYP}>5zD!rh4ivGElRL#8>J130 zVJn{88K}B+Lt32zsa{^!vzbHjwopA7b@Vs}nV`V_%4$BIR4AOzzOO4JFgSLtR!<(; z)?T++b3ImhK}py5Nt`MgU0T}}n`idZbfY@}kx>h+mpB6nDt{bZ3KK`znWV9_>|ptR ztk#Q3`PB^sDLy5sTSZL(c4FsWdpPF?IyKT<(ND~7lc##KMOQw6F{C3tdB{es-3FIv&82W%?F zQR1u4tB&daXMaDd_pglYNjOk%hh+vmFKN!MW=R_l1l@gHAI%3A}~J5f9msEVG4PR57x(qY0*+t_YVhx~rNA+g%t8=2{ldl!iX z#VZe|46K%hQnKt1wn3CkE(K=!mP?_P5Yv34GJ;ML-e*^H*1zX9qS~RkG63eksz2OC=4WVCI_Nr zV}oRtlXu6D)he$}^OqUAZcw9+Yi4C$wfKIda_Kjtb%aXnn!3-dG~n9G-N8ZJsSf~9 zlmb&(ax|V~GttQ=KykH+*&!z!4Nl<7~ zsqRuytHhTR1qmc6dg&HM#lnwg>Gv^g(?MRbq7IQ)mi}Yg=4zcUNvSXM0$zIZf}X=s z+?QYl2~Z!!aqh}O(>m6^Z@b_=?QW5&BjJBW5?@Pf)VclJ^QxE61ql~l1j^5+Pu0%m zuPFa-Xup2<<;iM}<|v!7rJi{cDl3>pf__Dhx6p3?;VEm2T>`PMFt5nB<|GrMKU$`LFRPS z1W-dFyVwsJ@eJn}k9Gc7trsJye(tK%pO>2k2^l_BWtww&TUT?qV;1>oh@~3pec1uM zgZ7g|W^Hs&je+l?oga9d;`a)p9nWwVih91}%E*f2+QWqWU~1B}4wv!<2{M1{j+{=5 z^EZQ4)&KUlV*0Yl{WA0!PU#D7fGH1Q`yz#mq^fUplxXo5yBahULD~YxZ0&z|r5CAX z*Kj=9RQ-^f6?9F~{zyH8+9F6qHi|qdjwFud)d8@M3oQQMXdnJoVB=8kP@?OeP3})?55uB)VuW$aqaQU%YT0d(`a2f2MEVuvpk!UZzo|w!k{_4c;yC8v>n#f{F23^ z`F55{28xq@vHl|h?rQzx%O798(+Ez!w*w3*TX}Ks^XuAyKIk)E9i9j>1Hn`(QP%rW z%TDoW&Ye?KiFd?`-&%3CxUcz?yi08iC#i-INnVW^{Ex!IlL|Ltfa4;s7L_2 zlx*s#x&{h9n4BIbx)1Ht^Ol*_a(GIvxWx!sLA4mNL^&mTpKZ-m*kX!+slUy)CB^<-UVjcwpzEXjkFan)oxB2n_l`>Em5#)KDvu>kn_)%KYj<7{Ifa8O~Yhpyx$&Q|~{v)WHdV zMA$1ivbg0hs6tdx10ghrb(A{Ha;21-r=FJ!rx*cYic>|{NqWZ15C|!^ z{k^yDplb}lPdn4-WTIV7MU;W~3dWJ>o6~Cg0RVIf9QuD^-HkE|#1A5|Y6DMoWg6_N zDpAsOB5LaVHLs8L0@gaOsb03d4(mxmBuW2Rt@>|o)vqXD!7u#ZxvB*!n+(WeJasZf z^?<|Hu+ks^3J&;c%~21K!vUg@!lk-k(BPD^h4`{8fal@H3qx1ZKUrK=^1|J8m1V+nWmZ-d%mO4$hRLR%M=-K$UQ9J#W{Ke>=N(WXCiKI~b*%E;&+fMrDyB zD7z|V$^m_Begmj$PtwiUV2kW)X=I~^)2viX$;Xe?`a`F@wfZ%Me(FcT0~7Lp5j(>w$O`r zDaB5aJH|~G<{N@%ZzH7U1}r0`q4zApROg(j_YcYrUfhropS<(r`7XyotrZ;}=3IXR zSel3A&@Rt9xZ98HYBJw3mq+(iVa1z5;HrUqn&b_peF6Y^sI){b;x;{4is|WMq|pAU z56o?$QS^5P@ks(EXz+)#l(#vIsTQR@elW0##w2)onA$r@d}&hg!;h==&X)(_Kkgvz zTWMIw2|Wu z!6$8$;(hMZ3;?oHs8JxOgPao$-qH^1o1SA>CS^l!kGw?esAYOkVKZ0r60PfoL7jlZJDPA@@2dsJ<*wuVzEmK@F8>A*uG00Dc8s{*`(wnVl z%R#j$nif)Zs;Nl=(~ou2L9`JcVo=;cy|=C^$dev~O;go*i<;>UiLrk%vPSJyuB4Px zoA5!8PnA3`^+okW-#x2pm@ZI20Ou;0anx`MD=Ecv!mmsE9&sWWuKNIJ-pfE~-? z&A+i0!O);Mp1n1S3fq6o-jWmdi4v#RLe4SfLt!ONWFFmD57!}J4ogy-R~3X%rzz5%t)#i!iLrM_O4)p5N}bk+Lb^&jcByVahk4hgIM>iqN22vb$&$VOK1s7+-XV90 z7zToC`Y#hSWJ7QZ zmy!K-?UFAYOJWmbRhA2{@TLqE357LlugbyYRHL@OgY~1nlNCm)rT31=@>>-gwZKWh0)(_1#O)I`e`(%5!8aG=QUrI!`^`A~DA zfY73BK?)s7%^b$8dGNJIeSOQ4YCkp|%Zz)mm+jKDM)gLqTxGEV=LAHmpN+~xh0FPv zin^9%sT_Y@$$s*nW0$p}{W7Vi+7+0s0xTSng_IUCl{Cx7=c{RRrLg{s)%v_?ev0zDSl=aM!v7x^0B%Gg-Q@}L z+wB*aIS?wTTTE%wIo+Y`(B2(`I5jPAFL2_AJZyZLE~rWl5W0F>!i{+vi>wqG z4Tpc0+8L0n$e7JCrH34VDr~!{q3-D*z|GI}WC3gHfeK!-FQkjC-1Ve_Wl{*MlSd@) zNWvykJ#+(4=cb~!bEM&BfoV5?k*>Vuqy#+)G#lZIg&AjBp5&sXqC5$SVDD5?Jc>|! zI&7}(w)UvXnoeR02iJO5exIbRk|@rooG*VFFE3W>{ic~`c(T?S^RV6CTpj(T2`dg9%UM9r=T+4%6{3%Gw> zGv^ZMacUEypDmG-ovA$&+f86L^1ZHhFVOu`Wl}}C{`6OSE4}N zXSmeYKb4$3Nq_2=e)bbNg)B19Bb{rsBq82vbgMxEv{cnDDgP~F3)FRnybAkm>X_km zVN|W<)S}8!Wc79PT;Ik(MJQRKBvyN%m;F+N%nwzQCb6Dhe*5+JKmPpXr|)0C&HujF dZ~y+>|N8sI5C8f0?d$h1{{y;%&bu!=5dd%eq(cAz delta 23683 zcmV)ZK&!vwrzGZ%B!GkggaU*Egam{Iga(8Mv{3bjDsGa}dk zLC}u`s0U;)2weyT3DE67GzK&0qbg?|pw8L3bImn_LAske&CNLE5~rGKAa}bBdc&qt zvn}`;^s&HePY@;rRUg1@rBIo4ztpwN%w#;u;j>>`tNP+=kjyyil=nGnQl;uE*wxGK zl$_eve?}o&Vv|7?+&G+G<*#fpjmrK|_}PBO54@FLSU!KOxXPB;(dmQIKPboO=;)yme(l5QL&-{qwo__!IuB(ZXQ;>Eg@cL&O9LF~ zeO?~{2WI%V+}%l=oluUGDj-p~-j?cpW%-*Yf90&Dr}d?rPB+ zjqpekB`aB8-NPWF(sb2Z;nq0E9t;JQQ!kERhCIUaBg+3J2P#4E=|MbU&w-s)RpqSk z4rPSW^%9OGxXoKNGm6}(ians9+ibrZ)xR`dAPb>_FdMz`(fPbA-a8BOhx)M`0q5|i zX_UIG0K4Ot7rH^WnD=UVA#(&L4T+fB?+(~RB{)vmQo5wFDEx$l8Nt!JvaywRy^y`H zkuOqg)3lcFRU896Bok3FYf{OE)EDCBrw{cePN%Dm?jG_lzg&Q47_g2c+o6qXUX^7+d_|>^3BvCMjUKB+9-h#otvmTc=B3 z_9oa#%;IL7)Ax82*8v>*&R5l+PY&>{Dma*0w<<-1hTfL>&m|?5$l5dfLmw8RC#9zn zgmY-Tvo_C@m0O3*_BPs}82N$a|B?f*<3AB0+s-x2?)=rMRhc;$)OAE^x^~xwaVoMdgB*yl$0ph@JQ#R=7?hkcTWN$i`qZ_ zM~SxrN*C@Qw-fiI5k0h`ayo=A7LIBilw{d|CDMpo0H96G+iQazZW54*M44sVLD9X_ z;`bnbNf1xOl3t@9P6$=t!%(RMJawew$7=nR@XTN0ZUllLvsVhYzUs<~WnFYMcaFOL zQQFDTrRrAyYC9hdQ0tgo`A{i8y5&|mf(O~?ZoF2pvKHHRVc2KNUQUfqC4f7p)8$s( zl+K^qSBhxrNp{~c6F?(?R>^qQl-h7fFS`1FRo9jw916h7;vG@@M@@$UA=l}6klwaY zzjSYQ(z+`V!T)v}I@2HfP&iDx;So=B>cjqDKUV8}IVgU0Yz{^69!JlpAJ#pcp``Mh z8iNJ(>IzwpSkZMAi#KnpX%?-4v4RT}hUys-t8UW2G|yTsd(++W)5#gyJXzEcz`e_V zGb>UY6VcRon{RYFZDwR=oBE|Ehx*-;kthp>rC`{8T-u~KC@i5dctxbp{RYAuMYZgU zPS+351mFQPb0jIxZ9;nylPQF%ca&FGIVB&8ih6+OnSQL+Uo3xoNe>6*jf)^cHIzpQ zpRj#bLk+gB^<9q|(~oeBs5q=WPFp#Dj_OieCgnf9MV_GA;*aWQrQSE#TtlSEKLHJ8 z#mXoqkn2KBYG+M9zHK(K*i4!2G@4Y%lk=}maSV5%Uez8-DX8hqXBB6i2Pf7phmJWM z;5IJy&{XOXv_pE$`kp!N-5fX#)F7Z(Wz@BUr#i`*=yvK9ccl4awO+2mUy|v6Y38H> zpUiTNm7>!o>!5CkS}^zOkOTon)h5D?~%KrZI6FTL*N6uJ7jd6>dM%a=)|ob2qM1*eZK0% zQ(^IW0&mP7DXZMa`5`27E{G%LJhzF^;jjVgNC0bHbsd7#p~0}z1S%nvNZC~63sSjw zVbj@7An%6~GRN%A0b7-)qN1UAY}0+PCbc#?9v;~%Ov6j z=a>D$<~$vg>?(@#H-R+lW`Y<6<)QEuzl~!#wP`DAei0p(-c2?Fto1Km4)rQ|m4N%B z)BKklXxIOXkpxJtBDSUZEnmPXkEC4{0g_|n@Vi2l=c73HEb8bGzHO$dNSfRsL6usk zzzC#Nt>lFmo$CR=ZCZzaDC_|Ot$1sOP_{id(T#HbgXNv!ol2rn4=UjtF3w0`b6Gp^ zJyiSB|NJ4Elk%<>#xUf2>l~Uzmoqe+8|m3yqv-^Uy)?wzB2y*16TKnOr&aE%9*3$C z@aBKy#QetcUmP0~UuknZ8ekp|d%=)O`XW#2ex^mDSJh$HxtAY*t;yEG!YR{CpsR`_ zKElUjK5*RFs!by?R{gYd<2}AKMs@&O@1o#roieC?ytM$wx9V6#EJrcAXxtee3R4OQ zu!B=9TkmCCvw%}L`{ePmXGgYxW%Roe+|}SIX9#2WrWM-QgV35puxg#`+r33k`@RI& z8Yj`@$7!?f&i!~ZztkVQ95DIV9}&?B2vo&~ng~^IgbqPg%}udRt9YXRDB96P2UlrQUL1w$96IG97ISRq(@-|poC7WpLA>ReN_3W&sS*TU3W*6(WXbN8qO+TOK;mQQ!-|N&ZXKaZ z(Quw>p8_eDO|A$Re|oCnM}P{d`jZva;p>crv29tUmm94%|7c3p~XN-EG2sg$to^dDk zR_pIcOf7#IktqmBX+5Ww0Ln5^zbVSUR3i7A?B-3DggZ7ry=)P9ZL^;w5zFS6a@hR4 z+ny80G{mGGe`j(&DC(?ERSl9LDmR|@nTj8fsh-cxev@eNa5O+Hx)=kx9H**e=v^`# zwm#GX2(~FN^-@U(bAn`*);n{h>KuPt3dCVu8VPW1Bo0GU*bI!ig!f9!D^yjE!PdIB zok2c-tk&O=yZTjCM`w_71B-;Yof?2b+FUFzT}il!f3UdeQ4SW=ea~~2iyDX>brMda zq}1!yH?&AVIUlDfS&EYbz+G}c+xtqUFbDMbPoC7N=&F4Nho4-QZcCqr@5*9*OlrP3nB5nb7FHoN4a|Pz1s9o zo+>+BC!4iY%@MQ4A$gZM*$Ku#VO}q#@Yx%ze{t8>!Mf+B^3y?4c@OqcrCgN7eo}?= zM6(C*7$2i2k&~3v`|;OmrN8nS-}XnvNiQ&Vp%Uf0ID%uFSWY-#H7$~Wmr>5(@N?E1 zGCj@UiJzL@1Zk_v4@CQ7ReyA#S+r@a!FA6y=?Jq)8^;yvk{J-cb(`h+>&`{ ze}DVjlG>S^$7v>|P2++>g^E+&R0BzdZn*+Uo4^U!%bLhjP?3O}y5=#f5TTC8ZtI?x zw-!LJ)a7olWCD37hR8W3g@1Vv^^2wZ#dhNWDBTT0iat9Jd zxOz)@uP%+7Y-SaiYgp=BcAb_;zcUzv9wpKNGGH*bQda+LR9l8xh&iANiUi2GR_g5B zkLQg5#-kjnWowcYstQR*lfir4KUV8UH&E}q7>+W6^M^|LQ7Z#f9KvOV=FZm7mtC?5 z4S%kdWJ*aFM<~KQiGPR2Fb+GjnCYClV{#g%ZiV`RJNZ&oQzS~3GFu!WV`o%6?P{gwUs9#9-qOMlzQLLR2KYZQK0()^%=a%)~4hbQ%5C$GyA zrrOWhNl*(&mDBCoD%5UM^6-9AMw2JdYrp07zH(WkIYC7D30{M<1de!qMprZ+$b=l3 zzL}qnO%qvfb-coM@f@&l-Y^ZF6L@b!6+b%}{3)mDmaDHGS(hO@oOj=0;EvNbH-8rp z>Ef6w4iOwZ(dbkmN9FE+tk#RAo4*EqG?t$1c-x86<(2&5XeJvfMP9W^fD|PwG>6@$ znts8N!=p^ES7ue~h$xm!fZ_ z41@FL(|<+zzoWvWm=A(*AV-agaC#AWZy_g2KI>LhxKkvpUk))``bv2l1PsmD3#_`E zDc*?^nu}xD%6e9pP_zgu0Tq{gvg}}M`wOTI;&+zHkc*9?MXSdIZ}}>D^1Rbv@cLDa{(!mI`a6YD?^R zH&S-0?3I?N)$Q&R!IVn)Sk(0EQ8u4~h8Ng~Y;sfyIsAbVoYdKXj6=79;)fA`sQT1O zjEI&NYj6NHi*wy_ScXBjZA4K>z+hRT-9s2TORAh7t!6qe5%hI=+5c;`Ua~)50`pBr zkTLDV>B9_y(eR4}^zv>wNSpOGYsw&X0=0W7Xx-7k^i4IU@pMt-?KM!Pcm};c6o`R8 zTBRw#y)-E2l@Mrer#^|&!+r*TEB={W*^U;o`Bpl|Yi(<3t3jP^*+o`W2;^+uWfK#F7(p@l@!mb$*})p3#-*1=@-A!Js5zRzd8vx1tsgltzGZ(t ztEHE(j3IJ{Tn!zaG7%_;4I28R0}=RzBIXZeh4UcYja2ZQj#Vq9>=bx^S5%GQHMet` z9LBPuk_0R`Ys}7{>@?mlb)cMn@FRHfJilhhZa&@S$?ct$3TmB7Ky*owS(_{yV0Epw zDA!zU_v|QHR;!ld4SYQNK8ttwYfcp`B_AS!dcSSVr)y;GBs?`S{dwdv9%`HD@t6Id-LJT@8%T0i|h*4TUSY2B;vG831ey} z9<$HKZ&>Otsx5Np)j|PuS||?P(r#dCy8tUXaD*x;Rw8wg#HToa1@LjH5Uu(5jv&cf zh#%ef;=p z4iC?>v5tTIJs<5Q)yDRNbi!7XT2+B zu%)gJ?!R*U^~KWl#DBVhj%}2x#i|*V{N%brouMNB+dUB6_?b?%A2%r$A2liJMY%M?7JJt|J{e~S4Gi8gN)FI zf_OAQ#3Lvq3y+%>YO*O5>C__;oN+3v@6c=ouTMa+Gv?Goj&yeIpu3vQ(~{p5pz)7v z-r*RHW;?+0A35ek8Vwq~aaG{b7JF8`_T=Fl^Gq zdEz%GsXdqX<@&1)>w!?zI%@2+pu4%PG6x7Fp+INX<51b4>%Fdsr!Hl-(vPLG=5)}q zuqz3Fw4fc*`Q4u^{cglxQT`?SbA0t6w#yS0hw^vM4UxAv;EGm@lPRd2oUXbq>s3AV zuvcc24RhonX}ta!+KImDsVr99sDmHtYgxS^{$0pY)Pkr4r zVj>5VqO)WpN&?HE#r9TpjFWyoR*-e0chk#%tr?YbEwV$XXZU=@0rggKQk?V?yiDW^ z0(Ds(%I{2RQOZ`!S5C)Cj$bG7eBrGRU%ttey(zjJ)c$k5KoYbK(k}|)dFU(BsmuWR zoRQ^7B}o`~&PuiDEn2#@PkN{dPgyOOUy3SC*$d6A*;bTH(=OG_yxLyRrln_79N~R` z=d)#3sK%FE3QAvgrgn99bSb~did6%xBADkK$B{--!M9O%`^%IW@?u4M9`75;kI|_Q z0->BJzz@$kw7uiYWI>`PWj$@lwYdK6%h!(?`uQc{8MNb4%gTmkT*>|iiHQjIM8Wf= z7OKL@WM_SQTe)rDE@1jSm3&&QIwaYD;=w5+Jr@5CwK%C_j7@r$WT^*TJ7s9=8&9f; z8n~tpld@i_!syMwj<`;1bVa0x_95PSIamsW%kD1OV%Ey1+;5eVS)xQ7IX&sp=veJ3 z2MVy4o|~8AUgp!<#cC%NA#O#l0T^B_@_4`Y)?32!>m;&7wWx`vI#0IO@)TZwlym2- z5Xa^QGy}wlY*E8py>rzsPeFVDj#TBQsXWhXv^f(L^bsnbQ5yI-m5${sbjnX^$(hf$rHQk9D-@k^_WrQGMu*Z;9v@dr1sMm4FNO#!2U7@b~9 zB&;prd3ozVc(Tr4&iEw7?+%S}E~|b;kLuDwY@QtCs``oT6M`ChL`}%jH`l#d`V#zf zPhLE{*2IFY_et#Cp$FA}bZ&FM%--NMF?a*$4tN6NIhUy=iP{)4`Ionu>YD04PQK#| zJUevWT5s`PCq*hqZF{iy*3>JJT9dB*G0JeVfj9Z-*J`~aJoA@%0Wnei9X-b`+ai~` zMu#^!Y^bG3I*Ce3s-hE=c#1u>XLDRNGt5fe4t)XmyU$jW2R8wK5`dqoa#SLsCcs5! z#z!9?jba=1)|T~r^B^dA$y;jLpBEU;TOOrL33=3461K?NOYOjFQ{h;bjYlFT!2-15 zw4uYGO=q~f#%riS&~AB)4or2M6Q04xNqDxeyXv7z!8U#J zASJK(1eD$8+iTtTUfMAX-k&vqq~FaM{_Uq_M$Hk-`tf z!ffFyqo34reI7u$<0~KgqfFkoRLyYS$;)?5MS@+6;zbm3RDN%$N{e~lt;fpU4pM8> zQEDo7EzM1KM%%TnZXD4?6JtH974q)p(0(JIz(msiQ-i913}D}1tM!ub{FuCdD zl^lNRv3kwKOm(=}M}g|RfBN$A<}J^#oBgVLFAHgqX-=9VQJTmH)U+q)+~TOKdpNQ` zHJx2rQ+SJiY4b|yNtKcEEp?0~?m!R!0eQa)_Pta z7CQj9GKOCCO$$r5;i((LA#>aw!^c1|CGDf`mDJ6D*8E(iRaTbd1S+3JPpD+ByAANc zA>ZPO+gqAI!s4AeRW|md`n3LNrr@~Lq?ct$8GR@+qe{?8^r2`Q6m7a?$QApsT5ogC zuQ{K?LMm-OrR22GPm4KrMOJnEq!`llDJXri*imZ;vXvNcoLim9p;jiPO=IWW{5{aI zd@kjG%cBLgEnnq%9>+iRt^tB)DpS%Und4(#u(1&JjIJ(Ixe?yVx;lmVWBjd1M}4(`?en*?+9o z%UbJ;2LU?jhpaV9d^Ya2sw!Z%W2ov98ypmWN=6R))_}g8F?1d|%ELI%Ex4cew{5U7{)pLmEx^m8{I4M`a^1O- z5(1fEv8NM4_k*3py}bKkFOC2#Yn+;!T%rU=+C3sw>>DStT7C@KqMA%N9IovT8_q6& zlAM7btMwPlpXVnhHUOTqf+s6J{IJsxmPI|yDV>;59k!V`KzQlfC_h%~50(d8w{Pj;-KZ(|2v+JX`ZD%qtAgo(KGC|jHBv?cPRb|SQRJUhbQWh4)$ug%2RO) z6X{|SQh4LkE005?l&9~wmA5yW6XSr^M|3y*vJXIt|^SQ=Txnh zNVDUtQT}M!^%%zyPLMQoVfZWtECPt{d zt5?CXQ$|+4yQu?^^p|hSYj|UFJBzPti43M$yhM_3MZrlN7|kzZ{h`BNbsT0;zy*m7 zzgFwjm;bW&E?a~-?e2yH-6@+wsz{(mGndK^aST_~JS3j^<|m|1Hr>7EnI4 z=U{&~CE%*+n3{lTfmN$x(PW@{Iws^c)F^1(j{eN{5tvs%Nrhuji$q10Fu zn1J?QSL^r~R)3*Wwc)il-Wt+&my`!qVuXLNrMmv)Mca4=dut4P0W>X7ThvX#Nq{7o zsVC);l;=+rZR4zT=UhTiY-GAY z$)44Lrl)(;$a8Oe^yoc);!Vn^8`Ksz7>(w z-P=(M@Xi8Dvv(AtvewMmX|z+08yoLdCmTdfLG(CFO9mzyKkpty4G!+!Qp}V5S1Jp2 zv-$PJ=Jr(e1085MSOsk&Z0u$8OLBjL@~&IX`P8lWw2h>2f3ky?R6?mBW?iGGO&wzy zYN;P(c^OK5SMU7q#NF{`>5}O`t97!2s>VxB1uLBqZilE3FItpzBcLlo%?b>up`Cr_ zHj~PzQ6(`xTb)p(UD8Ecx6i4wVDu_^+^Td9brmnL4<)5CLI5vk_g48>J)BB$OGhQu zqRC=ZEJ_Mb$2y73Zs#Ik3$izL&0%|0?bX?Aw=O2P4QxmHw~uAe|4~C}J&*U|YEbBS z5O_~|3CGBWnMz8_KGLs~SeLHG2q6JZm(a!tBq4{e&?~@4dvapJ$5hy{Yi~)6C#U1$ z*7_q-40@BAY)h1v6~_o8e1ut zM&oM}5g(t}xezxCd2KoF=g=F+m7Jlg({=H&><6kNr*)$Y8=bx=jn&oyYv1-hDcFYL zhs>sZVD`SoA)(ffcU28QQXa`6rzc2HBKPt{!3m44O6>fjT~m-~fAaQAFU4h*F{6^) z-63=NQO>nw{^73bPq2z$!&@S!wi9wM)JQ%wUOl|p0-J>z^7ye@$7??ElM?}VR&dG5 zX)6flO2NK`C}^xW z4bYX}-@|pme;;y5UN+i@&hm!G**#6hmIzN*u=}SGs zuKFaN=qltKlA<)!3DLnvnS9F2Y=@HAfZ|03sYt4e_EITRe}~e&S65q3x}BCIq=Zh@ zt(-fEdTNFgQGF5mCi!G3G0Y=#&|Gp3s`Iqo-5B%5<`VwTK=C>5y(3zkKUV8Cxe`8g zqP_*T&m>E#fA!O(KsYhUKj^~_ga--$gEfMk^4#w~{Jwp86=YQD8)lP@cbscgG+mZ` z9X9}8M`VBx8&19#Xq5dsG)E*DHv3_3j?L~;*>z-Ju_*l8CY&R5vp6KVVUu1{bN~gr zkS$-GTDuxW<6y&4StMJ|iLdTJAbC`G1X*0HEWqcfAu3EO$woQ>Rs(`r%v(>|UdE5r zdd-l1-C}s7o?D|-$wimb$p|lht^D+;RRG47P+m4M^J2N-GDJzMI<*4aS(*pxGjKTvt5F*7PZH;oE$=9>m-V(f0Qy)pC&7{yn*z1#a5V7z@Z~$v08o+@ z^YfNh1-nybiZ_rPfyU`w6Ud;zGVlhd%n>B1MBaw8!R+(Xi?b|k9@u{AZ9;8OH8l(@ zeoS-?tcq2+}#Zg=}F6^x3G=y4H#uj;8vYv!b@s zC}oEM)@g_SJnfpd*TrHA6=N@bb4II#Aw>#0Xm#6tR80ejs~(+{(MN%mU~i8Mf`1X~A; z0(Dzf6v_4&mHR!MHCX2!!6BR5xBIbLFKxFkvnVRlawiAm2UY3A8^67a(dYd} zw6yznc%PG^=Wl)hWF&cZioy}Z=j-O!otkUps(q$>MzG@HwWE{N3TgrrGf&v0GpQJ) zf$?W5>Ph!@d!Sx_P3#)Ip$-{FUY1KAvnYHXy;eDfp4DS@KDAc1ta`>Q?W0zp#Ip}Xi9+z$ zCQ86Y`>wUB{hW$Fcqs=#mWZbf1n+C4RNd{zYW>w|j$eIw^Go186U`k7h^x)2FPz;F zLK(?x>a@9kZ?Z|qKo(tZRW4M;ha!@iMu>I-`<+vt9Kf!|NR?2}KRS?i4noVwppW8Q zKv&@p*g;-@pTw!tfFdsK^mGqL6>1;4X6-s03_nz$*KWO@u`5F3xIoyp@P`t9-D{Xz zI|mSt3EdGtau28>2NR=i7Ga+X%m2cgYg4(Squ2U>W3~RWMyS|69UEO?00>pf@n~n% zyEnVxQksiC1I|P|USG+>>E)EgA*DuDMuX-4r%ln%&em{}w0#mW5Qr&4-1#BwzB;?w z8ZZqFYFOX?u6#&X!+C~#?+$*44-e+8dI27fmL(Tq6(oJA?irn&k-OD`GE+%+fOZb* z4Y0I-BSW&OZ@quQCS^AQ+~SpHN})_V$ttSz#?;7vi2grL;)?-(ePMZ0B2Y`m0adDo z1Os-pEgZJ*y}DYjLEO2tVGh)VT`vcvc8caw*~_cmy4na~bJ4*v_H{NP0f1S~?9Iu(~_TrE*H>UxkD7%>WNy*6}=aBdt;9 zjxEl6NAJEbh0no7ycs2093(C+rq9KwX7vaht;0<28axQ z2Y#c{wYMSRnPO2J&lcn+zdOwYF|~s!-u6JdQ>q6U)_au!sv_n*c3+bg4jgLY(Z0IW zFUa?-VtDknNxefI6usa(3w4I+m15Cvrg85Dxa8N~&a!EC+g0kN@cgk_FVB@P^^B<8 zyGj97%L`DnV>wcFK`vVzO$9&OMr^&)l6s3+J><5ypw?DtuEsWt#o0DDj)u;Gt2qTC=YxK%)?c#_sBZ>1 zIobq7H3R%DMa`6|mj}=YC4YxLx`J79zgj{n{83*?%D2D5Atx(vh~%Wad#9o5Z%raT z_q2r4N__=oN>7!&^VDYGaJaJvWgb~}aDvp_Q`)5(_&=i?Xx5SP7ruB46Xc}wz& zz(pHCR+5p(t4R4#tW&4~=8wuJzE~sw$)RTRW{A=b04!c+Wc}p-UVju_)QTLsTh*gm z`PMo4RyUZ{;n54g%`0EtxCu8LdQ(s4)OTL1cP}*56zNk6Zv}7Z1;59EICb5w-=`ZW z<5V5W)s{-rJW~K1De+gFz%9H2%gt+ThBX^(&(~aAA;x*Al6TQDm561NUJu9dFMUEK}_fc}mWnpP7CBrUrJ;eHK}qcNxb%uZul@ zW>s8b-a{rQU$}DQEDs%ARvH2bN(S`a%{h)vcyWR_wctEmrXDas@PeAYxa|67qn97g z*R!XFj{IY_ey~Q^2*vraM7piAu^cB-$AaMKJkkLAI7a}&A#x@=C6^9Hf4rXJu&ftW zacnVD>LRX=ZgUj`uIe7c2Lm0f%FA3 zj@xzIh^UK*oS^fVyf$K)e;JD?bRXIhJXDZ+%~3We8b2f_ScNFc<;)_RpeNq9!v-q+ zlG)>ok|diO3 z?JvSwvExoD_M<6ABGFm_eDB*v1PAKn%R=|8ZTZcIH9!fFf)Y4^f2Mz|)(gv*^vwXb zPu}F($WWN=QiS+22o$?$Sw{b{O^Bw5lgg!19jUGZlv1dS^tIHO`W%Y#p8 z>YAhQ9|Df@vBg0que`j=Jsk*o_fC7_6TD4%l*aU{I9=gTp8`3CH18vI>otn8EJLa7 zRvsICVX4eFYyxUMe|ou>)M-5Bj$*p0XmgHcxd#$Q9;iIP^-`pV# zrDL@Ywc?ek-W*5|4w8T$%N}^A>iekvunV#T??W;@c(yt0e@lpIy-SNus(?)gAcKS5 z_YUof8AxKBe0l`eH!}^~IygKKE}RXi@{H3Mhvsk~n|r%xT6&Oxx|h||Gs;wQJmZ!)IDf2G zdQBIEFH>Q{%=wVhrn>H%ex5;tg_qz^f&35~%*4*ee~T-{qIF%a`BZAW??KeI>8nyU%+isf`Vw64TJOh~Jt=j~|sq`(|@05hXd(`z?Sc36jN5RKlxR zutg=FZ|{D)*0P1a5G7@vQ=53w?EUO9YJR%!v5bRPr^rFNh^tP*RPZQF(1Cktp+P2o_ zY$@Sl%$-EyHT+aWuL{lx%R*5L}IdEP|O2b5}2 ze|;0+R22)er*%dmH{12nA17&-phmxbqNJZ&@X4;y_KyR0-g>fL2KnVstZG;49UR_Q zPJ+Zi%D%fzMIz;oj!k;?<-fcONHIL@+LvtyY52%Zb(0q2<56kaUk!dG0ja8wtbZ1*ZcrszeFRwLtO|I*N&{N67*Km!j7QFMq4Lc&NwXo<53_`AeINsZ^MBJcW2j zLGjk!Kpqp1bA$GKhSAOOBDAtpQEu)$P$lPRW-&%)Iazb+)nFM1`%#Hwm$a0jl zCp)R5c@99bTxyD(^YHeE<)M%~bS~B3S8=!K=v-XakNd>G4Dfh;PoZb2fm`;SQxK!o zptLhy0PqsXpj=z@T^yHQ*$5wh-Vs@F0x%!fDI~jPkMgJrX?}EUy7S`6)SoVYvwVV) zGz`x&Qd^I@VO4oeN~q0P9XXJ`wRB#nve2kX75rug_V_4gl$ESxbEbao%2e%zqBedc zMhx&J5s0(c;{8vQzur6uYPrweay*;L3qYyEjRHd1Yi71MX__6qbmA5k$yst#a;D8S zj>ymq{Z0g_COO%@&2g6!+6YYnRhMAe2puyAZ;_|JG{C(w=98w1F1NzV?gkL9X6P&j zz?;2GIMMMhOR_n;t}K*sYi_M^f&_~}xG0yf+6WXP>a^Z6t!pI!aDV4SNA0wolfs(S z$zTHmxq@!*%cymnXYrTj+6W$8`o}R=vChaTAN!mS6^>(h99tlZ|5&Y;g6CJ8qoxAFEaV zbuz6wn1*f6GsI4hTAga7bKo?v=0oQn(Q8FdtLp6lNPBGjMpj^*YFZ_S2BU_KBqZHo zZaJh%0jxnhi~LAbs49^v51rubj0W8c-#7alG|DVfs@exr(SMxDsU<@wj=eb7Kw*#s z6~rCg;lwWmp4Q!6!O|(AWhj+{B)1I%NoGx7Pn(9MbTF6mpwgRyGR6}8K!^9S@ArPJ z)?d7(5#I-$KBBnb#k!>;4|!6-%$ixqDWNs#Ojpo=u= zkh`?ug98oRx^;v-qY}V<<+~}cL43Dm*pC4=2NM#Km8OsaO&PpaI@OKM8h~7#|Lq7U z+m=lUqWrO1fALm}pSVRjApd)-P`%rYCLnuudeKv!hJVJR&MZhyM<3w#O)d#6xGT+i$ovXah)`?bkjUNlj6*vQ3*WN2&%n zYigomV}EgQw82S+PPr5;n;6GgkaIg(cgrxa$8is56@!i7ym*lxJhqFsA`Pi200p-5`W`>I z)N*2Nz+i+N@L2S9YXg_{Q@^CKy7qRh4-kUWm`h0{>ZSSd9ZwYh*dNr-L`D%X7cg-j zn{x$Zlbxw2?Bk{X=!ci4-Uugu6|~4}xvuytZoNG2zBtXYXY4W9bE^t;L`CWeG)}$$ zDXugK4ffmA^#J`WS)195ibGeikkt4ko5y|Qt|bPwc-2Zc>crSU?h5=8$~>e7Ys((a z5qqM2R2FB6Jb&8_^r?R7EimF#YK{?gKsu#~t_<*u)!dmMs}}M!3wp>SJK_yHJbjix zAbFNNFGc^i5UhN>Cu&o0OLh(ph5`)P8g*WmZ{G+UI3hmiW+BD0)0pz9H7^~iv+Y?4 z>vBymJeo;%0qB6^Q@s(>x7se_w0X{1Q{Zx=*D-AoeWp2&YL~;`2qu5(pNU+RXKqo3 zT58^Jd&y=MM%wZEGuiCXkXv^9V~Iyl`>|RtEZ;snh-D6jDOv086mjL*%!!hi}*JLyMeJghyO z+GSg71JJ#SAp(Ep?2P5?1OR#O6ybGnMjShQR2t59Z-I)B#zO=k2O7!Y>UL3(Q>hPG z+eG$CMWV*45|N$P|BhSJs4~cK=O`3A&DVZ7n@xuHevtH-?I{qQqB0pn?u4m$$AW_$men^DZZE(Z0dWAkm&%NmcMbv`1Yc8{@%ewc&L6Aw!t!4l;8V{-$s(1L z5GJTOQxO}y2gtytBvt=Kog4QUegK^wIqlx$e6Ht-j{i^}-x|6FJ%DWd4rj`@kaK(f zNH$)CZvN7vGF=>wOXj0q@ZySVj75-(A+vu*DX}*0HNPW;kgA_+9CakM3k% zCOP4)C^LU=m{ZOYpUy&Pb~0mjDs>#asQTzoS=bg>IZ6`KWH#$rQh%-1Uo2m~bebJZ zz1c%m(@H%&iu}l~#Nuu=kpI~V%ch`4;&$sCgQslMBCGFFko!-cs|#pty=(reHHYu{ z@HSZa7IsAQEj+fH*>3lpp5x#OFeqi|*58|j_ zY`43m!v>`6s5|PTtjTiG65ixZ@T@-EY+DQJQ8ZFoD}dvc(t93mJ+@bOIwv^ekgdrr z<|KazsfS7gSE7e7sDTl&okY>SVsBr*7`By(htIV=mU#3LSqtaXNG&Sc^ExHE?POWh z%G>i>4)qb7kP@!w%(o2BDW=$w@yXK15(`)SleR1Q5QF5hgpU}v8|Dm zv{m~9$}+0nsGnQ8mj&bqIe%*&kE))kM)5Z zzjESV^^E$Zkrbl_8~~|f%28g5*xHK1J5pon}dcMW1pG-G3vU$3X;guAB7xDH`C(v8eN9zyyYeX6Erg&QCvF@?zb`P)%aA_|mccMB~ zo>@I&xTSCOR#_sGB!9FcZT0A(KD^4qN&7$#^g3)c@q{1s4313FgDETK`#4g!MHeD) zU__bCQ#H0sr889?qPQ)JBLQcx+^sOO)a66w)VcL+gL|e9-AH(C)Aluo;o6Qne26mO zz^_MH7mo73tM!)$;q29?^7%v3s@@+GiMz@LY+6mi2`__Jp?@K;I+{+70xliSb8ov+1bgXvnSkD2L@yx=Sjb7ijz#H6Pe4?9rf4=`#|mFqA&Y z@)X&cveAxSRn1tfit_8w&VkgCh_<>~5T%EcCrcT+!hdgRUJt3BdpZo)bQz~AVe3^!mLX{|;7PZz;TR{3k2Zq&fmIm2f$qCM_gJCq|M_Ta?F?XHiH~ zixUOLrd*I!K{;vkCRjR#873{9*?<;S-xmVysK{2ff1m7?F|a z14o*JN`Gl{i0c;EH%>ES-m}6}9;6{(rxOm*n!*dKcFz3tazVb-)unW=axQPO=XFlS z0j#XApxjoTf%1iI={RWA!CaE+{IOau`HXga*|v4n63fA9pVMyp`8e(OfF;x#Ym#>+ z1z!OX>cCx{xuYNhwzHf;M;s?v*o$niN2Rz9B7c7@#HXSnnhRD>l(VAx5^o zm&QbWDp^B)Er+vOYR=Z~%s2@uJ)nLubvo}Kt5sf-QrDOLk&?+SV7{&Is}}F~^y26t zQ-89vY2nN%Hq*Hs>IS zPTMw{{9|2~(^fj@ZmuKO=J;SCD)grtAb&~DBmLT2^(8(0HFBql-l;VV+jNiV>}HG& zJ_>F1R=q%f6hY)IZaqgZRqZOQQ8kf}l*+0OFFykyrDC@iFb{$JvWRg3FC5V0>Rt!7 zxLIL`gW5Sdf>5Wb81KDxJCt{&Nc@((ocS6tdx7EfSKMmBAbIerrY-D_9-UqwoDvqi zyHJ0gth%c`lEJBBkcbrkPqS+DB5cS5cGh2QfK~o@F+E0Ldc28JDb{7N~}H$2rK>sramdq{sTRLE80&YWRc3WlwqPC=_FgjYe;7zZwt zj2}f8Nh6bLgDG9k>DEJ<0{DxcqDWMOhKMo?yPg6CG#45haQlh3lC#^4|}lA8u2{!)G2L~x*L z#dB3_s4BuW?P|6RBboa;W$6|@+E_LZLQ(TmP0AgGDaX&-@jmAjof9F9{aCFRsrd_V zDfSqBhsqbg=Ofk8{MPL}U)ec~EZ`jbMoS zX+t5)CzaedNz)eJp}x|gTRN}oNgq+lxNpl(IRF~r%B4MrOhG4901`pN&Zb6rzIP#G z`Q-%2sjh<#F7~c!Y)uV?AV(-^PNtb?18@LzSJFp|WY+DSR*78zXG$cEeSUwe)~hie zzwD3tzVH&GYA!Rz9s;|w-7AMhyMB`@YirvJvL`&+EI8Pbw~pQib>E&nRDN9AjZy@E zNQ{@)pYC!eJ}ak0$AWDAuIk6pBsjlUi?|n#Ez3NW&DN#kkNSpMS881HJ+=huakkR? zd0kr35|n~;8P=YHguh{6QP+QFj3W7`v+G)5H>fQdc|}^JJ3i^n-@_gmnx3gT`0r}H zr109;YMlhBMtN{Ai_Vg_Tn4bY-pi{X&A;8KReH8oJ2!QWAL_n zydKJcZ0o2=eFVGJTm3i1r^b@KX4WOps^&K9XDkX_acR**eSOYr291BdDC941*!Vg` z@v5(Bpxh8k@pX2~76egl*Q_VUKg*+RhD0>`%~5(8QI8j;y#S^8X&%*$zUX~W{RrM1 z-}1+5y-CgCYZyZZL_#+IO#s*WhDhxQJjZBwE#4i+RiB1*u2l+)TO2K(8iMHsrOi)$ z_!B~b^M6W>It{^rY7~D-MRpuPp8w{DIgLP&sL)H3IRB<3we8U*!8$niBv_+de5Q0> zt0IXK>fbs@yG@ix(?vg+=@nYkXd_eYZ0T9zt`6niRN0W?a7v$7hw(aF+d@F}vNoxg+5{kFXLYU^PxBgO!g4%?1=xSMq3gCp91GGP$e)VG zX6-G5*o*@hlxSYbpq z>Q=O4qizh+!4bh5Y)zOZ=lMxWMoeKr(62ywiYAGMUqWF*aJ4lf*(QRVkFJJ?O&xM= zzEn9-p11TLh2nop3hzoEymch9Otl$)d$FznrDY7*N%?F;)lu{u+`1yF+=ZdusY)U8 zv#1@0JgL&j^H;V_RSJ777F*7$6+KR{b9iK=-di}Zn|*r%`?t?EMjO+)OMYTceo78j z?r5%EYf`e#y;oE7{^_}uE~HWe5trPqLb+y`u?iRjU&Hdy@ys*#G0hd~}zC`LOQr2;H6~r`KAdRu(4^UK{ z*A|r3Fe|B{G%1Elw~be|rC)N}d~NIW3U7<9>#I$!cJ%bLa_pR&nMo$^)p~4pD<09c zXmJ-tA?JUvp#@646?L%A;uWzEZ}vaolX~nTC!J12>h9}BC1;{1%hGM#-5#NK@t zD2m5foqz|i@arAG@v8FQE3)=Be*Km>=r(ZEqphek6}>meRf*bvXkHS6Lr)ZS;sNpr zp=4NR5m}})i2OogQn8ETzgvk?5%{=tH@X$%Zu5WWx|Fi<4aZw&Hu;{Ls^g=4t}zxh z2|w9&2M04~#zl!}d*;5p){YKUoz|x}<-dg9yB=2ii)T-VEnJE*s?pjDj{#iMG}Pik zRf^jPA9(H+o*h7 zD(QbdNXOnkXefLL8xNAuERPgi$IaPvdSr-Zt|`@1)`E?AX`@a^uccadkx444dwxb& z)Sp-LjgRBCbuG>`dUf{jIBHj<(>M_bk=qSbHQe@G>_XBGnOw>SV9q(u?Sv-M)oV`8 z(d{Fuk#stiT2sktlqk>gV^`ErhG#vgGC{lb&?|ug zMj?3vXO_)RwdG_9;6k>RR0F3@bspJHgj@Kuf)ojWLH$UAc9WTG7o&Kl+a#=MjKsqO zDn6Egeeq;Yf@Lz87beHG{YxY%KLkRaK5M7y;OU{zN%960lmI4hB=Xj%QetI1E`5KC ztFne#04w%e2%DvI)vzNd5s+ISe(QHM@6wX|82-6$;IymHg>$X7Qd{7Z5cJeLdTSHM2zi+YQ3vXi;L0q_7m=&HegsPHZo_TRgu6AqK?=6|mCr+KZOs zlI^{8uX+fx8Z#f4fAI()f5+nFa%{Xa>q~uly?DTF)5w;#_T)!CgRhvKSi1mO)%GbV zCh$$!2Hx47&DeNWC2LBSNZ+<&UfH*wBl1#aV&4s3mqVIent9nSP5o5Tg*|;9b$6y5 z0?`DPNJ+(1A9<}mR_pv1on92>E2yZW>qqmPIr&#=y)La);-i>1e`&JXXHsz>Y$dZt zSC!y`HZXqz$4g{#2ppt+$K#I~Qk7-obYal7LdA2wv)6pYz>;(+c;`eJ-BA`N5u4LN zI^FrXZV?}%BJtGwWx|qkC-Pf)VS?&M6_%+HVOGNrTy3o#i zN#WZZb9;a6=lro+f3K?gOFm<$fOLChxMWK!W^zpv$-RmAz1y3}%9Stma~{W%scZ5a z3Tc#6bzrJSo?y%1X29l%ck&N;(e;v|Qwakc-Db}2rj9!wdz)&OENB5MVo}-=o&7JiUbMxUH1!Wamrr2lQ zZ|4ft0zWFbN88`|BPaf)yGiW*NT#!qZ{8Yvv~$cJcL|k^l93>>=@2eCjQ^3GFXWL` zHR&qi>CmB4a|OQ>2~eO|9fa%5cRq?^nvXzLObw;Xm#7u9qLLGmWLzll1U0>hkj!= zO35*HYuM~W+^E+9#XfPGl95IIv087s+t&>l@wW}#9Ki^;96tktIvo6w{aNM9!BUiW zot&?0e@6o_sYf#a6oi*Y(P-X)&=P1?b)B0kY;aQ4QoYIb05^7g8me+7ZN;?hQ)sAU>5E zKY%O(wnWpVJD5YI%dUO37;BPmGsr?CuI1<}F=J^y$zz{IJ5QI5#Pt+n%W{l4s7+KB zNpXDkmJ*_E%LT~LT6c)+qR5+$Jy@q`lM{nftl4k56zjIqzcnGMbG!bO-jAhTa$-sR zf7KKyoFo3;;nmKiGn$u4q#}0zNje%bK8bbzUhTIx-K~5PxPZA-4%E}&WrBkS6L!%_ z()V^^tv9>tQPOr<%P!K|B6JnWxpAF<{gTuMcCL;$)h(cTPRD}|2LRi#v)#Hj3HMG) zxJiUOvQlgxBE+z9mQ^QwhA2*Yc@>svf3DJ}au{VB5_Ae6eg~Q4JS7)AdM9dPM{*=B zhw9}Q8^=**!n-nI>{$R~9o|^;0=B;@$vzO#O6$CczT%J7`iteu*Io6gR|pw|vQKpa z!#kNoFV&!Kax}yo+Gy!EM9$_!QQgZh1=zJISD7+J+V^b(o@AhDMe#}{Dm|&Ae-$;3 zmw_Qu&OZE`!2401wWp6IAYYh@Bq~rI(D$y#Kss$*H^+%WSKQP~vIWA}Nsq6f55qy1UHAwde~zBc=RIDq zlqplKpUq^qtP{J529j}AS&1aVuJM2nUivq+z*6hqBEC2obuZo_dx_J)!7Q3vMT)E{ z#Xhv`3^fl~B&^(0^&DvF;U>sfL*eFMwy}1NM5X~Gm)YyJ+|IC^E#=j%>YmeA1oj4t@#qwJZ~~OPxb9LO;}>QB3t7+ zFHIB4YaYv|?>iKsqRM~k zQ)$VFPRb)`7Jt^Lmc<$OZRWEiCU$n!oo`B$_5;hm*ly)ZQYu(?IyTBH0Ne2{ucQ{F zcLk4eTYu;3?YEqwAOdWtTL~Ga4#y=}1%(zKl_4dh>g$xr|Cu66>!MMlnCL_2T!Ow3 zA+Z4hP{K*!&uS^ke5`E)7raj-#H-;(AWXn-PBMR^YG<8QEl%Q7sxxZQb2_N^WQF;) zx5^HYU6w-w1g5ZDQ>Fd62E}zg^rWPGyn%5_!wUii93T3Dw_a?wwq4Sy& z@St(IxqQ8)&7+WZYEi_A(HVqD2XwqI^L^_Ms_5%imoEGW9sz-uP5cO8HXORN#7T1S zN?$_^~BQD^;+PZ{1*?RstKauBpH3yeep%qW?l+)OO)DJ)ewPV$2*B5*F2Qzf0F#i59Ic-1dNxIB7!lQw-AzUZ}@Et z4^es1Wtl=)#2}}%G?G7n@3{(*melba-Y6KGbTt6LN?KRZ?RF4XsdKBMu9x0HUFJ+q zxX3sJoZIIAkJWm~{(KE6rpF3e^-zVi;*Qh=*0rs*icTiC4wT?O0*z`Qyy+BM-A>^A ze_5?9|7lIChQ&XemKEBc&!mJ+bRz1}YTesytpf-;ZAfoTx^RA(MU6|Hz1iPhNI zi>;Ue8d0KT6A6?u}#}U>xC)a5XR9DS6cPeI{*!Ou}Wyb!Z^AlyLFB z!C@P#w4%y}qCh`Z>+k3aRm+E^8z~Tce_ocXQSuXngT4qV=xFtxrJ$&*M2vyln6)bmrwfT!TBP)n*qpy{bTRgMW003KzQP9QW`Ev+;Fe;beT zkYKr|@C z(PwFylalTpL(>(aA<=A{3f^gJfA<-QXkn0ZTrto@feQ zWMwDV%bag#Evc<<%^tOVf94cZ1Mx`bP~AE>RWA?Fgg< zs?OI<$*D$VaBI`b@6`m7oh~O(mOSt`#Vq$kOu?c zj*8*Z5MfxbZ;ewgw@5KzxA46oO-6Hy+o(2TRk|}(XC{Ll=RwJ}nu%PG(=SBCP*>j4 zHefYTC@?+AY) z5A_BF9bqe;+!?64bVFL50_nKCu4glc>TRKVFzV=W3^GB1{gu^xJgHDPoqbJb>L+G5%61N5+L?d|ysuLq8cv19 z;yj|4kOK)9e^GAszqU~0IzGHp1*%RZcydtvg50GqTGgxvY%0c4;_H~#F{b~Y{jA=< zGPWn-K)oH78T7oQIfpaufrCf2WczkgKXy3{PL3y8Vd`7y4aW-vAN^RZ@{;2(Urfqd z1JyfGJQAp?o`+7xhx5{5!cN=RZc#;kKi`m8ZSRfDe^lh&MPfnq%EKuGtEHioEc=6P z5G50NiQvIeph^M32b{2|o_H*;B)^Qv>Seo3rkod|=S8UuBDocnu2xQ$2<%n=j@k~otC(Xz2YGRw)k@?*8?tJC~t zhOQgbTR6rwvofz*d_PjT^qbK-LM3)h-Dg%BaBb!8;2`eQ2LLEafvGGxPqLZlWD}sc z+QjUTlao5E*gFXml*W!_7XVEvD7-D@B|nTL`|pPXU!X})Xi}-}Qc*rtQLVnrPyuPpsz+vaMWFG;B{^8#La@`9ejQQenK1qo1pMLBn6p=lj! z-?v?GpLVy%)RFK%BZ;piHtO8|?RgzMkFI@P1vU~G^}h8@*Oo;xl48ZwoT~=P&!<5i_hI5Q%oj+FV#Yj3nch%{Sp+c}A%h_x4Qy;wu6k6<-rZ2)h_LZ>a zNQcTa=km7h$l;DzR2lNiwPZF86(LFT=zN>bA;BkuID~wj2;Vu;Qe94uO z700!Q3Hia)q-zyU|4;yz;|2*XLXRCeofhYB2CJ(1-~PA%^?(0A{?GsAfBGN){Xd@n m?|=0F_<#TB`~UjCfBfP9^B@25-~Y#d`~LwC + + + R: Arbitrary Code Execution + A vulnerability has been discovered in R, which can lead to arbitrary code execution. + R + 2024-12-07 + 2024-12-07 + 930936 + local + + + 4.4.1 + 4.4.1 + + + +

R is a language and environment for statistical computing and graphics.

+ + +

Deserialization of untrusted data can occur in the R statistical programming language, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with.

+ + +

Arbitrary code may be run when deserializing untrusted data.

+ + +

There is no known workaround at this time.

+ + +

All R users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/R-4.4.1" + + + + CVE-2024-27322 + + graaff + graaff + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-02.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-02.xml new file mode 100644 index 00000000000..406294fbcda --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-02.xml @@ -0,0 +1,63 @@ + + + + Cacti: Multiple Vulnerabilities + Multiple vulnerabilities have been discovered in Cacti, the worst of which can lead to privilege escalation. + cacti + 2024-12-07 + 2024-12-07 + 823788 + 834597 + 884799 + remote + + + 1.2.26 + 1.2.26 + + + +

Cacti is a web-based network graphing and reporting tool.

+ + +

Multiple vulnerabilities have been discovered in Cacti. Please review the CVE identifiers referenced below for details.

+ + +

Please review the referenced CVE identifiers for details.

+ + +

There is no known workaround at this time.

+ + +

All Cacti users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/cacti-1.2.26" + + + + CVE-2020-14424 + CVE-2022-0730 + CVE-2022-46169 + CVE-2022-48547 + CVE-2023-30534 + CVE-2023-31132 + CVE-2023-39357 + CVE-2023-39358 + CVE-2023-39359 + CVE-2023-39360 + CVE-2023-39361 + CVE-2023-39362 + CVE-2023-39365 + CVE-2023-39510 + CVE-2023-39511 + CVE-2023-39512 + CVE-2023-39513 + CVE-2023-39514 + CVE-2023-39515 + CVE-2023-39516 + + graaff + graaff + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-03.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-03.xml new file mode 100644 index 00000000000..cf4f8ff726a --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-03.xml @@ -0,0 +1,64 @@ + + + + Asterisk: Multiple Vulnerabilities + Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation. + asterisk + 2024-12-07 + 2024-12-07 + 771318 + 803440 + 838391 + 884797 + 920026 + 937844 + 939159 + remote + + + 18.24.3 + 18.24.3 + + + +

Asterisk is an open source telephony engine and toolkit.

+ + +

Multiple vulnerabilities have been discovered in Asterisk. Please review the CVE identifiers referenced below for details.

+ + +

Please review the referenced CVE identifiers for details.

+ + +

There is no known workaround at this time.

+ + +

All Asterisk users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/asterisk-18.24.3" + + + + CVE-2020-35776 + CVE-2021-26712 + CVE-2021-26713 + CVE-2021-26714 + CVE-2021-26717 + CVE-2021-26906 + CVE-2021-31878 + CVE-2021-32558 + CVE-2022-26498 + CVE-2022-26499 + CVE-2022-26651 + CVE-2022-37325 + CVE-2022-42705 + CVE-2022-42706 + CVE-2023-37457 + CVE-2023-49294 + CVE-2023-49786 + + graaff + graaff + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-04.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-04.xml new file mode 100644 index 00000000000..65ac03ed874 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-04.xml @@ -0,0 +1,129 @@ + + + + Mozilla Firefox: Multiple Vulnerabilities + Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which arbitrary code execution. + firefox,firefox-bin + 2024-12-07 + 2024-12-07 + 936215 + 937467 + 941169 + 941174 + 941224 + remote + + + 131.0.2 + 123.3.1 + 131.0.2 + 128.3.1 + + + 131.0.2 + 128.3.1 + 131.0.2 + 128.3.1 + + + +

Mozilla Firefox is a popular open-source web browser from the Mozilla project.

+ + +

Multiple vulnerabilities have been discovered in Mozilla Firefox. Please review the CVE identifiers referenced below for details.

+ + +

Please review the referenced CVE identifiers for details.

+ + +

There is no known workaround at this time.

+ + +

All Mozilla Firefox users should upgrade to the latest version in their release channel:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-131.0.2:rapid" + # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-128.3.1:esr" + + +

All Mozilla Firefox users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-131.0.2:rapid" + # emerge --ask --oneshot --verbose ">=www-client/firefox-128.3.1:esr" + + + + CVE-2024-6601 + CVE-2024-6602 + CVE-2024-6603 + CVE-2024-6604 + CVE-2024-6606 + CVE-2024-6607 + CVE-2024-6608 + CVE-2024-6609 + CVE-2024-6610 + CVE-2024-6611 + CVE-2024-6612 + CVE-2024-6613 + CVE-2024-6614 + CVE-2024-6615 + CVE-2024-7518 + CVE-2024-7519 + CVE-2024-7520 + CVE-2024-7521 + CVE-2024-7522 + CVE-2024-7523 + CVE-2024-7524 + CVE-2024-7525 + CVE-2024-7526 + CVE-2024-7527 + CVE-2024-7528 + CVE-2024-7529 + CVE-2024-7530 + CVE-2024-7531 + CVE-2024-8381 + CVE-2024-8382 + CVE-2024-8383 + CVE-2024-8384 + CVE-2024-8385 + CVE-2024-8386 + CVE-2024-8387 + CVE-2024-8389 + CVE-2024-8394 + CVE-2024-8900 + CVE-2024-9391 + CVE-2024-9392 + CVE-2024-9395 + CVE-2024-9396 + CVE-2024-9397 + CVE-2024-9399 + CVE-2024-9400 + CVE-2024-9401 + CVE-2024-9402 + CVE-2024-9403 + CVE-2024-9680 + MFSA2024-29 + MFSA2024-30 + MFSA2024-31 + MFSA2024-33 + MFSA2024-34 + MFSA2024-35 + MFSA2024-38 + MFSA2024-39 + MFSA2024-40 + MFSA2024-41 + MFSA2024-43 + MFSA2024-44 + MFSA2024-46 + MFSA2024-47 + MFSA2024-48 + MFSA2024-49 + MFSA2024-50 + MFSA2024-51 + + graaff + graaff + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-05.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-05.xml new file mode 100644 index 00000000000..f68005802f5 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-05.xml @@ -0,0 +1,121 @@ + + + + Chromium, Google Chrome, Microsoft Edge. Opera: Multiple Vulnerabilities + Multiple vulnerabilities have been discovered in Chromium and its derivatives, the worst of which can lead to remote code execution. + chromium,google-chrome,microsoft-edge,microsoft-edge,opera + 2024-12-07 + 2024-12-07 + 924450 + 925161 + 925666 + 926230 + 926869 + 927312 + 927928 + 928462 + 929112 + 930124 + 930647 + 930994 + 931548 + remote + + + 124.0.2478.97 + + + 124.0.6367.155 + 124.0.6367.155 + + + 124.0.6367.155 + 124.0.6367.155 + + + 124.0.2478.97 + + + 110.0.5130.35 + 110.0.5130.35 + + + +

Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web. Google Chrome is one fast, simple, and secure browser for all your devices. Microsoft Edge is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier. Opera is a fast and secure web browser.

+ + +

Multiple vulnerabilities have been discovered in Chromium and its derivatives. Please review the CVE identifiers referenced below for details.

+ + +

Please review the referenced CVE identifiers for details.

+ + +

There is no known workaround at this time.

+ + +

All Google Chrome users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/google-chrome-124.0.6367.155" + + +

All Chromium users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/chromium-124.0.6367.155 " + + +

All Microsoft Edge users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/microsoft-edge-124.0.2478.97" + + +

All Oprea users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/opera-110.0.5130.35" + + + + CVE-2024-1669 + CVE-2024-1670 + CVE-2024-1671 + CVE-2024-1672 + CVE-2024-1673 + CVE-2024-1674 + CVE-2024-1675 + CVE-2024-1676 + CVE-2024-2173 + CVE-2024-2174 + CVE-2024-2176 + CVE-2024-2400 + CVE-2024-2625 + CVE-2024-2626 + CVE-2024-2627 + CVE-2024-2628 + CVE-2024-2883 + CVE-2024-2885 + CVE-2024-2886 + CVE-2024-2887 + CVE-2024-3156 + CVE-2024-3158 + CVE-2024-3159 + CVE-2024-3832 + CVE-2024-3833 + CVE-2024-3834 + CVE-2024-4058 + CVE-2024-4059 + CVE-2024-4060 + CVE-2024-4331 + CVE-2024-4368 + CVE-2024-4558 + CVE-2024-4559 + + graaff + graaff + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-06.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-06.xml new file mode 100644 index 00000000000..a7fb73b9eba --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-06.xml @@ -0,0 +1,133 @@ + + + + Mozilla Thunderbird: Multiple Vulnerabilities + Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. + thunderbird,thunderbird-bin + 2024-12-07 + 2024-12-07 + 935551 + 936216 + 937468 + 941170 + 941175 + 942470 + remote + + + 128.4.0 + 128.4.0 + + + 128.4.0 + 128.4.0 + + + +

Mozilla Thunderbird is a popular open-source email client from the Mozilla project.

+ + +

Multiple vulnerabilities have been discovered in Mozilla Thunderbird. Please review the CVE identifiers referenced below for details.

+ + +

Please review the referenced CVE identifiers for details.

+ + +

There is no known workaround at this time.

+ + +

All Mozilla Thunderbird users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-128.4.0" + + +

All Mozilla Thunderbird users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-128.4.0" + + + + CVE-2024-5693 + CVE-2024-5696 + CVE-2024-5700 + CVE-2024-6601 + CVE-2024-6602 + CVE-2024-6603 + CVE-2024-6604 + CVE-2024-7518 + CVE-2024-7519 + CVE-2024-7520 + CVE-2024-7521 + CVE-2024-7522 + CVE-2024-7523 + CVE-2024-7524 + CVE-2024-7525 + CVE-2024-7526 + CVE-2024-7527 + CVE-2024-7528 + CVE-2024-7529 + CVE-2024-7531 + CVE-2024-8381 + CVE-2024-8382 + CVE-2024-8383 + CVE-2024-8384 + CVE-2024-8385 + CVE-2024-8386 + CVE-2024-8387 + CVE-2024-8389 + CVE-2024-8394 + CVE-2024-8900 + CVE-2024-9391 + CVE-2024-9392 + CVE-2024-9395 + CVE-2024-9396 + CVE-2024-9397 + CVE-2024-9399 + CVE-2024-9400 + CVE-2024-9401 + CVE-2024-9402 + CVE-2024-9403 + CVE-2024-10458 + CVE-2024-10459 + CVE-2024-10460 + CVE-2024-10461 + CVE-2024-10462 + CVE-2024-10463 + CVE-2024-10464 + CVE-2024-10465 + CVE-2024-10466 + CVE-2024-10467 + CVE-2024-10468 + MFSA-2024-25 + MFSA-2024-26 + MFSA-2024-28 + MFSA2024-29 + MFSA2024-30 + MFSA2024-31 + MFSA2024-33 + MFSA2024-34 + MFSA2024-35 + MFSA2024-38 + MFSA2024-39 + MFSA2024-40 + MFSA2024-41 + MFSA2024-43 + MFSA2024-44 + MFSA2024-46 + MFSA2024-47 + MFSA2024-48 + MFSA2024-49 + MFSA2024-50 + MFSA2024-55 + MFSA2024-56 + MFSA2024-57 + MFSA2024-58 + MFSA2024-59 + + graaff + graaff + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-07.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-07.xml new file mode 100644 index 00000000000..f2ac638e2f8 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-07.xml @@ -0,0 +1,104 @@ + + + + OpenJDK: Multiple Vulnerabilities + Multiple vulnerabilities have been discovered in OpenJDK, the worst of which could lead to remote code execution. + openjdk,openjdk-bin,openjdk-jre-bin + 2024-12-07 + 2024-12-07 + 912719 + 916211 + 925020 + 941689 + local and remote + + + 8.422_p05 + 11.0.24_p8 + 17.0.12_p7 + 8.422_p05 + 11.0.24_p8 + 17.0.12_p7 + + + 8.422_p05 + 11.0.24_p8 + 17.0.12_p7 + 8.422_p05 + 11.0.24_p8 + 17.0.12_p7 + + + 8.422_p05 + 11.0.24_p8 + 17.0.12_p7 + 8.422_p05 + 11.0.24_p8 + 17.0.12_p7 + + + +

OpenJDK is an open source implementation of the Java programming language.

+ + +

Multiple vulnerabilities have been discovered in OpenJDK. Please review the CVE identifiers referenced below for details.

+ + +

Please review the referenced CVE identifiers for details.

+ + +

There is no known workaround at this time.

+ + +

All OpenJDK users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/openjdk-8.422_p05:8" + # emerge --ask --oneshot --verbose ">=dev-java/openjdk-11.0.24_p8:11" + # emerge --ask --oneshot --verbose ">=dev-java/openjdk-17.0.12_p7:17" + + +

All OpenJDK users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/openjdk-jre-bin-8.442_p05:8" + # emerge --ask --oneshot --verbose ">=dev-java/openjdk-jre-bin-11.0.24_p8:11" + # emerge --ask --oneshot --verbose ">=dev-java/openjdk-jre-bin-17.0.12_p7:17" + + +

All OpenJDK users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/openjdk-bin-8.442_p05:8" + # emerge --ask --oneshot --verbose ">=dev-java/openjdk-bin-11.0.24_p8:11" + # emerge --ask --oneshot --verbose ">=dev-java/openjdk-bin-17.0.12_p7:17" + + + + CVE-2023-22006 + CVE-2023-22025 + CVE-2023-22036 + CVE-2023-22041 + CVE-2023-22044 + CVE-2023-22045 + CVE-2023-22049 + CVE-2023-22067 + CVE-2023-22081 + CVE-2024-20918 + CVE-2024-20919 + CVE-2024-20921 + CVE-2024-20926 + CVE-2024-20932 + CVE-2024-20945 + CVE-2024-20952 + CVE-2024-21208 + CVE-2024-21210 + CVE-2024-21217 + CVE-2024-21235 + + graaff + graaff + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-08.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-08.xml new file mode 100644 index 00000000000..e886a101b87 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-08.xml @@ -0,0 +1,47 @@ + + + + icinga2: Multiple Vulnerabilities + Multiple vulnerabilities have been discovered in Icinga2, the worst of which could lead to arbitrary code execution. + icinga2 + 2024-12-07 + 2024-12-07 + 760660 + 943329 + remote + + + 2.14.3 + 2.14.3 + + + +

Icinga2 is a distributed, general purpose, network monitoring engine.

+ + +

Multiple vulnerabilities have been discovered in Icinga2. Please review the CVE identifiers referenced below for details.

+ + +

Please review the referenced CVE identifiers for details.

+ + +

There is no known workaround at this time.

+ + +

All Icinga2 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/icinga2-2.14.3" + + + + CVE-2020-29663 + CVE-2021-32739 + CVE-2021-32743 + CVE-2021-37698 + CVE-2024-49369 + + graaff + graaff + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-09.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-09.xml new file mode 100644 index 00000000000..a4213f22a46 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-09.xml @@ -0,0 +1,47 @@ + + + + Salt: Multiple Vulnerabilities + Multiple vulnerabilities have been discovered in Salt, the worst of which can lead to arbitrary code execution. + salt + 2024-12-07 + 2024-12-07 + 916512 + 925021 + remote + + + 3006.6 + 3006.6 + + + +

Salt is a fast, intelligent and scalable automation engine.

+ + +

Multiple vulnerabilities have been discovered in Salt. Please review the CVE identifiers referenced below for details.

+ + +

Please review the referenced CVE identifiers for details.

+ + +

There is no known workaround at this time.

+ + +

All Salt users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/salt-3006.6" + + + + CVE-2023-20897 + CVE-2023-20898 + CVE-2023-34049 + CVE-2024-22231 + CVE-2024-22232 + + graaff + graaff + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-10.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-10.xml new file mode 100644 index 00000000000..264249f3268 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-10.xml @@ -0,0 +1,47 @@ + + + + Dnsmasq: Multiple Vulnerabilities + Multiple vulnerabilities have been discovered in Dnsmasq, the worst of which could lead to a denial of service. + dnsmasq + 2024-12-07 + 2024-12-07 + 867322 + 905321 + 924448 + remote + + + 2.90 + 2.90 + + + +

Dnsmasq is a lightweight and easily-configurable DNS forwarder and DHCP server.

+ + +

Multiple vulnerabilities have been discovered in Dnsmasq. Please review the CVE identifiers referenced below for details.

+ + +

Please review the referenced CVE identifiers for details.

+ + +

There is no known workaround at this time.

+ + +

All Dnsmasq users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/dnsmasq-2.90" + + + + CVE-2022-0934 + CVE-2023-28450 + CVE-2023-50387 + CVE-2023-50868 + + graaff + graaff + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-11.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-11.xml new file mode 100644 index 00000000000..8596c449aad --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-11.xml @@ -0,0 +1,42 @@ + + + + OATH Toolkit: Privilege Escalation + A vulnerability has been discovered in OATH Toolkit, which could lead to local root privilege escalation. + oath-toolkit + 2024-12-07 + 2024-12-07 + 940778 + local + + + 2.6.12 + 2.6.12 + + + +

OATH Toolkit provide components to build one-time password authentication systems. It contains shared C libraries, command line tools and a PAM module. Supported technologies include the event-based HOTP algorithm (RFC 4226), the time-based TOTP algorithm (RFC 6238), and Portable Symmetric Key Container (PSKC, RFC 6030) to manage secret key data. OATH stands for Open AuTHentication, which is the organization that specify the algorithms.

+ + +

A vulnerability has been discovered in OATH Toolkit. Please review the CVE identifier referenced below for details.

+ + +

Please review the referenced CVE identifier for details.

+ + +

There is no known workaround at this time.

+ + +

All OATH Toolkit users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-auth/oath-toolkit-2.6.12" + + + + CVE-2024-47191 + + graaff + graaff + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-12.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-12.xml new file mode 100644 index 00000000000..c9363090995 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-12.xml @@ -0,0 +1,60 @@ + + + + PostgreSQL: Multiple Vulnerabilities + Multiple vulnerabilities have been discovered in PostgreSQL, the worst of which could lead to arbitrary code execution. + postgresql + 2024-12-08 + 2024-12-08 + 943512 + remote + + + 12.21 + 13.17 + 14.14 + 15.9 + 16.5 + 17.1 + 12.21 + 13.17 + 14.14 + 15.9 + 16.5 + 17.1 + + + +

PostgreSQL is an open source object-relational database management system.

+ + +

Multiple vulnerabilities have been discovered in PostgreSQL. Please review the CVE identifiers referenced below for details.

+ + +

Please review the referenced CVE identifiers for details.

+ + +

There is no known workaround at this time.

+ + +

All PostgreSQL users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-12.21:12" + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-13.17:13" + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-14.14:14" + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-15.9:15" + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-16.5:16" + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-17.1:17" + + + + CVE-2024-10976 + CVE-2024-10977 + CVE-2024-10978 + CVE-2024-10979 + + graaff + graaff + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-13.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-13.xml new file mode 100644 index 00000000000..77a0f6a0270 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-13.xml @@ -0,0 +1,88 @@ + + + + Spidermonkey: Multiple Vulnerabilities + Multiple vulnerabilities have been discovered in Spidermonkey, the worst of which could lead to arbitrary code execution. + spidermonkey + 2024-12-08 + 2024-12-08 + 935552 + 936217 + 937469 + 941176 + local and remote + + + 115.15.0 + 115.15.0 + + + +

SpiderMonkey is Mozilla’s JavaScript and WebAssembly Engine, used in Firefox, Servo and various other projects. It is written in C++, Rust and JavaScript. You can embed it into C++ and Rust projects, and it can be run as a stand-alone shell.

+ + +

Multiple vulnerabilities have been discovered in Spidermonkey. Please review the CVE identifiers referenced below for details.

+ + +

Please review the referenced CVE identifiers for details.

+ + +

There is no known workaround at this time.

+ + +

All Spidermonkey users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/spidermonkey-115.15.0:115" + + + + CVE-2024-5693 + CVE-2024-5696 + CVE-2024-5700 + CVE-2024-6601 + CVE-2024-6602 + CVE-2024-6603 + CVE-2024-6604 + CVE-2024-7518 + CVE-2024-7519 + CVE-2024-7520 + CVE-2024-7521 + CVE-2024-7522 + CVE-2024-7523 + CVE-2024-7524 + CVE-2024-7525 + CVE-2024-7526 + CVE-2024-7527 + CVE-2024-7528 + CVE-2024-7529 + CVE-2024-7531 + CVE-2024-8381 + CVE-2024-8382 + CVE-2024-8383 + CVE-2024-8384 + CVE-2024-8385 + CVE-2024-8386 + CVE-2024-8387 + CVE-2024-8389 + CVE-2024-8394 + MFSA-2024-25 + MFSA-2024-26 + MFSA-2024-28 + MFSA2024-29 + MFSA2024-30 + MFSA2024-31 + MFSA2024-33 + MFSA2024-34 + MFSA2024-35 + MFSA2024-38 + MFSA2024-39 + MFSA2024-40 + MFSA2024-41 + MFSA2024-43 + MFSA2024-44 + + graaff + graaff + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-14.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-14.xml new file mode 100644 index 00000000000..f351fb59fd2 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-14.xml @@ -0,0 +1,51 @@ + + + + HashiCorp Consul: Multiple Vulnerabilities + Multiple vulnerabilities have been discovered in HashiCorp Consul, the worst of which could result in denial of service. + consul + 2024-12-08 + 2024-12-08 + 907925 + 917614 + 925030 + remote + + + 1.15.10 + 1.15.10 + + + +

HashiCorp Consul is a tool for service discovery, monitoring and configuration.

+ + +

Multiple vulnerabilities have been discovered in HashiCorp Consul. Please review the CVE identifiers referenced below for details.

+ + +

Please review the referenced CVE identifiers for details.

+ + +

There is no known workaround at this time.

+ + +

All HashiCorp Consul users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/consul-1.15.10" + + + + CVE-2023-1297 + CVE-2023-2816 + CVE-2023-44487 + CVE-2024-23322 + CVE-2024-23323 + CVE-2024-23324 + CVE-2024-23325 + CVE-2024-23327 + + graaff + graaff + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-15.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-15.xml new file mode 100644 index 00000000000..762abfb6f9c --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-15.xml @@ -0,0 +1,46 @@ + + + + OpenSC: Multiple Vulnerabilities + Multiple vulnerabilities have been discovered in OpenSC, the worst of which could lead to arbitrary code execution. + opensc + 2024-12-11 + 2024-12-11 + 907930 + 917651 + local + + + 0.24.0 + 0.24.0 + + + +

OpenSC contains tools and libraries for smart cards.

+ + +

Multiple vulnerabilities have been discovered in OpenSC. Please review the CVE identifiers referenced below for details.

+ + +

Please review the referenced CVE identifiers for details.

+ + +

There is no known workaround at this time.

+ + +

All OpenSC users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/opensc-0.24.0" + + + + CVE-2023-2977 + CVE-2023-4535 + CVE-2023-40660 + CVE-2023-40661 + + graaff + graaff + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-16.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-16.xml new file mode 100644 index 00000000000..af826ff2839 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-16.xml @@ -0,0 +1,46 @@ + + + + libvirt: Multiple Vulnerabilities + Multiple vulnerabilities have been discovered in libvirt, the worst of which could lead to a denial of service. + libvirt + 2024-12-11 + 2024-12-11 + 908042 + 916497 + 929966 + remote + + + 10.2.0 + 10.2.0 + + + +

libvirt is a C toolkit for manipulating virtual machines.

+ + +

Multiple vulnerabilities have been discovered in libvirt. Please review the CVE identifiers referenced below for details.

+ + +

Please review the referenced CVE identifiers for details.

+ + +

There is no known workaround at this time.

+ + +

All libvirt users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/libvirt-10.2.0" + + + + CVE-2023-2700 + CVE-2023-3750 + CVE-2024-2494 + + graaff + graaff + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-17.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-17.xml new file mode 100644 index 00000000000..e30b8e8c0bf --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-17.xml @@ -0,0 +1,42 @@ + + + + idna: Denial of Service + A vulnerability has been discovered in idna, which can lead to a denial of service. + idna + 2024-12-11 + 2024-12-11 + 929208 + local + + + 3.7 + 3.7 + + + +

Internationalized Domain Names for Python (IDNA 2008 and UTS #46)

+ + +

A vulnerability has been discovered in idna. Please review the CVE identifier referenced below for details.

+ + +

Please review the referenced CVE identifier for details.

+ + +

There is no known workaround at this time.

+ + +

All idna users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-python/idna-3.7" + + + + CVE-2024-3651 + + graaff + graaff + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-18.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-18.xml new file mode 100644 index 00000000000..6d486fe4884 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-18.xml @@ -0,0 +1,42 @@ + + + + Distrobox: Arbitrary Code Execution + A vulnerability has been discovered in Distrobox, which can lead to arbitrary code execution. + distrobox + 2024-12-11 + 2024-12-11 + 927742 + local + + + 1.7.0.1 + 1.7.0.1 + + + +

Use any Linux distribution inside your terminal. Enable both backward and forward compatibility with software and freedom to use whatever distribution you’re more comfortable with. Distrobox uses podman, docker or lilipod to create containers using the Linux distribution of your choice. The created container will be tightly integrated with the host, allowing sharing of the HOME directory of the user, external storage, external USB devices and graphical apps (X11/Wayland), and audio.

+ + +

A vulnerability has been discovered in Distrobox. Please review the CVE identifier referenced below for details.

+ + +

Please review the referenced CVE identifier for details.

+ + +

There is no known workaround at this time.

+ + +

All Distrobox users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-containers/distrobox-1.7.0.1" + + + + CVE-2024-29864 + + graaff + graaff + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-19.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-19.xml new file mode 100644 index 00000000000..e00b2b93e21 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-19.xml @@ -0,0 +1,42 @@ + + + + eza: Arbitrary Code Execution + A vulnerability has been discovered in eza, which can lead to arbitrary code execution. + eza + 2024-12-11 + 2024-12-11 + 926532 + local + + + 0.18.6 + 0.18.6 + + + +

eza is a modern, maintained replacement for ls, written in rust.

+ + +

A vulnerability has been discovered in eza. Please review the CVE identifier referenced below for details.

+ + +

A buffer overflow vulnerability in eza allows local attackers to execute arbitrary code via the .git/HEAD, .git/refs, and .git/objects components.

+ + +

There is no known workaround at this time.

+ + +

All eza users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/eza-0.18.6" + + + + CVE-2024-25817 + + graaff + graaff + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-20.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-20.xml new file mode 100644 index 00000000000..0156abad3cb --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202412-20.xml @@ -0,0 +1,51 @@ + + + + NVIDIA Drivers: Privilege Escalation + Multiple vulnerabilities have been discovered in NVIDIA Drivers, the worst of which could result in privilege escalation. + nvidia-drivers + 2024-12-14 + 2024-12-14 + 942031 + local + + + 535.216.01 + 550.127.05 + 535.216.01 + 550.127.05 + + + +

NVIDIA Drivers are NVIDIA's accelerated graphics driver.

+ + +

A vulnerability has been discovered in NVIDIA Drivers. Please review the CVE identifiers referenced below for details.

+ + +

Please review the referenced CVE identifier for details.

+ + +

There is no known workaround at this time.

+ + +

All NVIDIA Drivers 535 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-drivers/nvidia-drivers-535.216.01:0/535" + + +

All NVIDIA Drivers 550 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-drivers/nvidia-drivers-550.127.05:0/550" + + + + CVE-2024-0126 + + graaff + graaff + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk index 264273a75fd..9828bb002c9 100644 --- a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Sun, 01 Dec 2024 06:40:21 +0000 +Wed, 01 Jan 2025 06:40:39 +0000 diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit index 0858bad8cc1..9f09f9ad7dc 100644 --- a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit @@ -1 +1 @@ -06b1665a387d4d7cb73b9b91b99b6ed644d013ed 1731837118 2024-11-17T09:51:58Z +75999cf3645e45cf60bdeaf1621c235c071cf08b 1734174153 2024-12-14T11:02:33Z From 7ab16c2e03d3b3ea62692060de2e57e53299a848 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Thu, 2 Jan 2025 12:57:35 +0000 Subject: [PATCH 07/17] Update mantle container image to latest HEAD --- sdk_container/.repo/manifests/mantle-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container index dd8b0ecd889..8bd913dc736 100644 --- a/sdk_container/.repo/manifests/mantle-container +++ b/sdk_container/.repo/manifests/mantle-container @@ -1 +1 @@ -ghcr.io/flatcar/mantle:git-af7d6c16f4c5b22f309daefbed1eae968e9d2f67 +ghcr.io/flatcar/mantle:git-08b9b0ea99d42185e08ed881cdf6479d6f423b0f From d3690b80e32f5de7c5491e0336061f76b68930a2 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Thu, 2 Jan 2025 21:00:25 +0000 Subject: [PATCH 08/17] New version: main-4203.0.0-nightly-20250102-2100 --- sdk_container/.repo/manifests/version.txt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 636ce95f1d0..eef7080a73d 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4200.0.0+nightly-20251230-2100 -FLATCAR_VERSION_ID=4200.0.0 -FLATCAR_BUILD_ID="nightly-20251230-2100" -FLATCAR_SDK_VERSION=4200.0.0+nightly-20251230-2100 +FLATCAR_VERSION=4203.0.0+nightly-20250102-2100 +FLATCAR_VERSION_ID=4203.0.0 +FLATCAR_BUILD_ID="nightly-20250102-2100" +FLATCAR_SDK_VERSION=4203.0.0+nightly-20250102-2100 From 623abcef546dd17078c20102e8073325315cebd4 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Fri, 3 Jan 2025 07:05:44 +0000 Subject: [PATCH 09/17] sys-kernel/coreos-sources: Update from 6.6.68 to 6.6.69 --- changelog/updates/2025-01-03-linux-6.6.69-update.md | 1 + .../{hv-daemons-6.6.68.ebuild => hv-daemons-6.6.69.ebuild} | 0 ...{coreos-kernel-6.6.68.ebuild => coreos-kernel-6.6.69.ebuild} | 0 ...oreos-modules-6.6.68.ebuild => coreos-modules-6.6.69.ebuild} | 0 .../coreos-overlay/sys-kernel/coreos-sources/Manifest | 2 +- ...oreos-sources-6.6.68.ebuild => coreos-sources-6.6.69.ebuild} | 0 6 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 changelog/updates/2025-01-03-linux-6.6.69-update.md rename sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/{hv-daemons-6.6.68.ebuild => hv-daemons-6.6.69.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-6.6.68.ebuild => coreos-kernel-6.6.69.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-6.6.68.ebuild => coreos-modules-6.6.69.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-6.6.68.ebuild => coreos-sources-6.6.69.ebuild} (100%) diff --git a/changelog/updates/2025-01-03-linux-6.6.69-update.md b/changelog/updates/2025-01-03-linux-6.6.69-update.md new file mode 100644 index 00000000000..6a75d9782fb --- /dev/null +++ b/changelog/updates/2025-01-03-linux-6.6.69-update.md @@ -0,0 +1 @@ +- Linux ([6.6.69](https://lwn.net/Articles/1003986)) diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.6.68.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.6.69.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.6.68.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/hv-daemons/hv-daemons-6.6.69.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.68.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.69.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.68.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.69.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.6.68.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.6.69.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.6.68.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.6.69.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest index e571b3bbbdf..33dda6cf160 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest @@ -1,2 +1,2 @@ DIST linux-6.6.tar.xz 140064536 BLAKE2B 5f02fd8696d42f7ec8c5fbadec8e7270bdcfcb1f9844a6c4db3e1fd461c93ce1ccda650ca72dceb4890ebcbbf768ba8fba0bce91efc49fbd2c307b04e95665f2 SHA512 458b2c34d46206f9b4ccbac54cc57aeca1eaecaf831bc441e59701bac6eadffc17f6ce24af6eadd0454964e843186539ac0d63295ad2cc32d112b60360c39a35 -DIST patch-6.6.68.xz 3627932 BLAKE2B f68bcd6b999984dd39aaafeb577816022ec0740b30dbb591eb9b02e9adae96c62ffcaccf22f009573bc1e6180ab3409994e0ce8bb4e935fbb985b4c3534c3824 SHA512 6a190e01adbe9486989d81b0dd06dbe2190798ee7573bcfce9d109a1fe6da5ddb8fd48782d09633a6c8de53930509f0250de6915c1e8406edf8e6e0583a10850 +DIST patch-6.6.69.xz 3648052 BLAKE2B 97849245e0c3e40ddc9ab93c5078aecd6cc9ccb6361554f5b1de953898d0839b28c5a4ed7357d34e5801ee54d2fe97318a66bb66212e7defc7875a4508f80e6f SHA512 91e4f596c21243285ab9f8a07995fe7bdf8056699db68cf4a7ca29c135d4c9efd029d58e69770e7c3d3216d5f26e81eab7fe2f4bd6939d20af955c4d41003624 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.6.68.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.6.69.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.6.68.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-6.6.69.ebuild From 228ae59e0cf647738c170e920b9e8024cc56b6f6 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Fri, 3 Jan 2025 21:00:27 +0000 Subject: [PATCH 10/17] New version: main-4204.0.0-nightly-20250103-2100-INTERMEDIATE --- sdk_container/.repo/manifests/version.txt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index eef7080a73d..bf0aee61c81 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4203.0.0+nightly-20250102-2100 -FLATCAR_VERSION_ID=4203.0.0 -FLATCAR_BUILD_ID="nightly-20250102-2100" -FLATCAR_SDK_VERSION=4203.0.0+nightly-20250102-2100 +FLATCAR_VERSION=4204.0.0+nightly-20250103-2100-INTERMEDIATE +FLATCAR_VERSION_ID=4204.0.0 +FLATCAR_BUILD_ID="nightly-20250103-2100-INTERMEDIATE" +FLATCAR_SDK_VERSION=4204.0.0+nightly-20250103-2100-INTERMEDIATE From b72e50007c49950bd6170bbcf3d03db73afeb7f6 Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Sat, 4 Jan 2025 02:25:08 +0000 Subject: [PATCH 11/17] New version: main-4204.0.0-nightly-20250103-2100 --- sdk_container/.repo/manifests/version.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index bf0aee61c81..16377e0ca94 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4204.0.0+nightly-20250103-2100-INTERMEDIATE +FLATCAR_VERSION=4204.0.0+nightly-20250103-2100 FLATCAR_VERSION_ID=4204.0.0 -FLATCAR_BUILD_ID="nightly-20250103-2100-INTERMEDIATE" -FLATCAR_SDK_VERSION=4204.0.0+nightly-20250103-2100-INTERMEDIATE +FLATCAR_BUILD_ID="nightly-20250103-2100" +FLATCAR_SDK_VERSION=4204.0.0+nightly-20250103-2100 From 8357e5cabf4b2fc1ee6f03e0c202112a26c826ad Mon Sep 17 00:00:00 2001 From: flatcar-ci Date: Mon, 6 Jan 2025 21:00:27 +0000 Subject: [PATCH 12/17] New version: main-4207.0.0-nightly-20250106-2100 --- sdk_container/.repo/manifests/version.txt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt index 16377e0ca94..4ceebf01e22 100644 --- a/sdk_container/.repo/manifests/version.txt +++ b/sdk_container/.repo/manifests/version.txt @@ -1,4 +1,4 @@ -FLATCAR_VERSION=4204.0.0+nightly-20250103-2100 -FLATCAR_VERSION_ID=4204.0.0 -FLATCAR_BUILD_ID="nightly-20250103-2100" -FLATCAR_SDK_VERSION=4204.0.0+nightly-20250103-2100 +FLATCAR_VERSION=4207.0.0+nightly-20250106-2100 +FLATCAR_VERSION_ID=4207.0.0 +FLATCAR_BUILD_ID="nightly-20250106-2100" +FLATCAR_SDK_VERSION=4207.0.0+nightly-20250106-2100 From c526b417295c12b21f7c7eb909abab9f2b5661fc Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Thu, 9 Jan 2025 15:01:33 +0100 Subject: [PATCH 13/17] run_sdk_container: Bail out on unknown flags The script would pass unknown flags further as a container command. This normally is not desired, but in case it actually is, the user can use the newly added `--` parameter to stop parameter handling and pass the following parameters as the container command. I was tripped by using -u instead of -U and I got a rather confusing error message suggesting something going wrong inside the container. --- run_sdk_container | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/run_sdk_container b/run_sdk_container index 6cb9213a217..36ad60a19bf 100755 --- a/run_sdk_container +++ b/run_sdk_container @@ -22,7 +22,7 @@ mounts=() usage() { echo " Usage:" - echo " $0 [-t] [-v ] [-V ] [-a ] [-n ] [-x