From 793b7e1d2836728066b5a094d042c11ef3a00852 Mon Sep 17 00:00:00 2001 From: Warren Togami Date: Wed, 2 Oct 2019 22:04:44 -0700 Subject: [PATCH] EPEL committee decision to maintain EPEL7 nginx with Fedora, first step is to replace with master branch files. --- index.html | 116 ---------------- nginx-1.12.1-logs-perm.patch | 13 ++ nginx.conf | 2 +- nginx.logrotate | 2 +- nginx.spec | 248 +++++++++++++++++++++++++++-------- poweredby.png | Bin 2811 -> 0 bytes sources | 3 +- 7 files changed, 209 insertions(+), 175 deletions(-) delete mode 100644 index.html create mode 100644 nginx-1.12.1-logs-perm.patch delete mode 100644 poweredby.png diff --git a/index.html b/index.html deleted file mode 100644 index dea2265..0000000 --- a/index.html +++ /dev/null @@ -1,116 +0,0 @@ - - - - - Test Page for the Nginx HTTP Server on Fedora - - - - - -

Welcome to nginx on Fedora!

- -
-

This page is used to test the proper operation of the - nginx HTTP server after it has been - installed. If you can read this page, it means that the - web server installed at this site is working - properly.

- -
-

Website Administrator

-
-

This is the default index.html page that - is distributed with nginx on - Fedora. It is located in - /usr/share/nginx/html.

- -

You should now put your content in a location of - your choice and edit the root configuration - directive in the nginx - configuration file - /etc/nginx/nginx.conf.

- -
-
- -
- [ Powered by nginx ] - - [ Powered by Fedora ] -
-
- - diff --git a/nginx-1.12.1-logs-perm.patch b/nginx-1.12.1-logs-perm.patch new file mode 100644 index 0000000..4884a84 --- /dev/null +++ b/nginx-1.12.1-logs-perm.patch @@ -0,0 +1,13 @@ +diff --git a/src/core/ngx_cycle.c b/src/core/ngx_cycle.c +index aee7a58..bcceecb 100644 +--- a/src/core/ngx_cycle.c ++++ b/src/core/ngx_cycle.c +@@ -1108,7 +1108,7 @@ ngx_reopen_files(ngx_cycle_t *cycle, ngx_uid_t user) + } + + fd = ngx_open_file(file[i].name.data, NGX_FILE_APPEND, +- NGX_FILE_CREATE_OR_OPEN, NGX_FILE_DEFAULT_ACCESS); ++ NGX_FILE_CREATE_OR_OPEN, NGX_FILE_DEFAULT_ACCESS | 0220); + + ngx_log_debug3(NGX_LOG_DEBUG_EVENT, cycle->log, 0, + "reopen file \"%s\", old:%d new:%d", diff --git a/nginx.conf b/nginx.conf index c23699a..3c5c787 100644 --- a/nginx.conf +++ b/nginx.conf @@ -7,7 +7,7 @@ worker_processes auto; error_log /var/log/nginx/error.log; pid /run/nginx.pid; -# Load dynamic modules. See /usr/share/nginx/README.dynamic. +# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic. include /usr/share/nginx/modules/*.conf; events { diff --git a/nginx.logrotate b/nginx.logrotate index cffa62e..353da6e 100644 --- a/nginx.logrotate +++ b/nginx.logrotate @@ -1,5 +1,5 @@ /var/log/nginx/*log { - create 0644 nginx nginx + create 0664 nginx root daily rotate 10 missingok diff --git a/nginx.spec b/nginx.spec index c6e754c..c6c1f70 100644 --- a/nginx.spec +++ b/nginx.spec @@ -1,38 +1,42 @@ %global _hardened_build 1 %global nginx_user nginx +# Disable strict symbol checks in the link editor. +# See: https://src.fedoraproject.org/rpms/redhat-rpm-config/c/078af19 +%undefine _strict_symbol_defs_build + +%bcond_with geoip + # gperftools exist only on selected arches -%ifnarch s390 s390x +# gperftools *detection* is failing on ppc64*, possibly only configure +# bug, but disable anyway. +%ifnarch s390 s390x ppc64 ppc64le %global with_gperftools 1 %endif %global with_aio 1 -%if 0%{?fedora} > 22 +%if 0%{?fedora} > 22 || 0%{?rhel} >= 8 %global with_mailcap_mimetypes 1 %endif Name: nginx Epoch: 1 -Version: 1.12.2 -Release: 3%{?dist} +Version: 1.16.1 +Release: 1%{?dist} Summary: A high performance web server and reverse proxy server -Group: System Environment/Daemons # BSD License (two clause) # http://www.freebsd.org/copyright/freebsd-license.html License: BSD URL: http://nginx.org/ -Source0: http://nginx.org/download/nginx-%{version}.tar.gz -Source1: http://nginx.org/download/nginx-%{version}.tar.gz.asc +Source0: https://nginx.org/download/nginx-%{version}.tar.gz Source10: nginx.service Source11: nginx.logrotate Source12: nginx.conf Source13: nginx-upgrade Source14: nginx-upgrade.8 -Source100: index.html -Source101: poweredby.png Source102: nginx-logo.png Source103: 404.html Source104: 50x.html @@ -43,6 +47,11 @@ Source210: UPGRADE-NOTES-1.6-to-1.10 # -D_FORTIFY_SOURCE=2 causing warnings to turn into errors. Patch0: nginx-auto-cc-gcc.patch +# downstream patch - changing logs permissions to 664 instead +# previous 644 +Patch2: nginx-1.12.1-logs-perm.patch + +BuildRequires: gcc %if 0%{?with_gperftools} BuildRequires: gperftools-devel %endif @@ -51,8 +60,18 @@ BuildRequires: pcre-devel BuildRequires: zlib-devel Requires: nginx-filesystem = %{epoch}:%{version}-%{release} +%if 0%{?el7} +# centos-logos el7 does not provide 'system-indexhtml' +Requires: system-logos redhat-indexhtml +# need to remove epel7 geoip sub-package, doesn't work anymore +# https://bugzilla.redhat.com/show_bug.cgi?id=1576034 +# https://bugzilla.redhat.com/show_bug.cgi?id=1664957 +Obsoletes: nginx-mod-http-geoip <= 1:1.16 +%else +Requires: system-logos-httpd +%endif -%if 0%{?rhel} || 0%{?fedora} < 24 +%if 0%{?rhel} > 0 && 0%{?rhel} < 8 # Introduced at 1:1.10.0-1 to ease upgrade path. To be removed later. Requires: nginx-all-modules = %{epoch}:%{version}-%{release} %endif @@ -76,11 +95,12 @@ IMAP protocols, with a strong focus on high concurrency, performance and low memory usage. %package all-modules -Group: System Environment/Daemons Summary: A meta package that installs all available Nginx modules BuildArch: noarch +%if %{with geoip} Requires: nginx-mod-http-geoip = %{epoch}:%{version}-%{release} +%endif Requires: nginx-mod-http-image-filter = %{epoch}:%{version}-%{release} Requires: nginx-mod-http-perl = %{epoch}:%{version}-%{release} Requires: nginx-mod-http-xslt-filter = %{epoch}:%{version}-%{release} @@ -88,18 +108,9 @@ Requires: nginx-mod-mail = %{epoch}:%{version}-%{release} Requires: nginx-mod-stream = %{epoch}:%{version}-%{release} %description all-modules -%{summary}. -%if 0%{?rhel} -The main nginx package depends on this to ease the upgrade path. After a grace -period of several months, modules will become optional. -%endif -%if 0%{?fedora} && 0%{?fedora} < 24 -The main nginx package depends on this to ease the upgrade path. Starting from -Fedora 24, modules are optional. -%endif +Meta package that installs all available nginx modules. %package filesystem -Group: System Environment/Daemons Summary: The basic directory layout for the Nginx server BuildArch: noarch Requires(pre): shadow-utils @@ -109,8 +120,8 @@ The nginx-filesystem package contains the basic directory layout for the Nginx server including the correct permissions for the directories. +%if %{with geoip} %package mod-http-geoip -Group: System Environment/Daemons Summary: Nginx HTTP geoip module BuildRequires: GeoIP-devel Requires: nginx @@ -118,9 +129,9 @@ Requires: GeoIP %description mod-http-geoip %{summary}. +%endif %package mod-http-image-filter -Group: System Environment/Daemons Summary: Nginx HTTP image filter module BuildRequires: gd-devel Requires: nginx @@ -130,21 +141,20 @@ Requires: gd %{summary}. %package mod-http-perl -Group: System Environment/Daemons Summary: Nginx HTTP perl module BuildRequires: perl-devel -%if 0%{?fedora} >= 24 +%if 0%{?fedora} >= 24 || 0%{?rhel} >= 7 BuildRequires: perl-generators %endif BuildRequires: perl(ExtUtils::Embed) Requires: nginx Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) +Requires: perl(constant) %description mod-http-perl %{summary}. %package mod-http-xslt-filter -Group: System Environment/Daemons Summary: Nginx XSLT module BuildRequires: libxslt-devel Requires: nginx @@ -153,7 +163,6 @@ Requires: nginx %{summary}. %package mod-mail -Group: System Environment/Daemons Summary: Nginx mail modules Requires: nginx @@ -161,7 +170,6 @@ Requires: nginx %{summary}. %package mod-stream -Group: System Environment/Daemons Summary: Nginx stream modules Requires: nginx @@ -172,13 +180,12 @@ Requires: nginx %prep %setup -q %patch0 -p0 +%patch2 -p1 +cp %{SOURCE200} %{SOURCE210} %{SOURCE10} %{SOURCE12} . -cp %{SOURCE200} . -cp %{SOURCE210} . - -%if 0%{?rhel} < 8 -sed -i -e 's#KillMode=.*#KillMode=process#g' %{SOURCE10} -sed -i -e 's#PROFILE=SYSTEM#HIGH:!aNULL:!MD5#' %{SOURCE12} +%if 0%{?rhel} > 0 && 0%{?rhel} < 8 +sed -i -e 's#KillMode=.*#KillMode=process#g' nginx.service +sed -i -e 's#PROFILE=SYSTEM#HIGH:!aNULL:!MD5#' nginx.conf %endif @@ -188,7 +195,9 @@ sed -i -e 's#PROFILE=SYSTEM#HIGH:!aNULL:!MD5#' %{SOURCE12} # to error out. This is is also the reason for the DESTDIR environment # variable. export DESTDIR=%{buildroot} -./configure \ +# So the perl module finds its symbols: +nginx_ldopts="$RPM_LD_FLAGS -Wl,-E" +if ! ./configure \ --prefix=%{_datadir}/nginx \ --sbin-path=%{_sbindir}/nginx \ --modules-path=%{_libdir}/nginx/modules \ @@ -208,14 +217,16 @@ export DESTDIR=%{buildroot} --with-file-aio \ %endif --with-ipv6 \ - --with-http_auth_request_module \ --with-http_ssl_module \ --with-http_v2_module \ --with-http_realip_module \ + --with-stream_ssl_preread_module \ --with-http_addition_module \ --with-http_xslt_module=dynamic \ --with-http_image_filter_module=dynamic \ +%if %{with geoip} --with-http_geoip_module=dynamic \ +%endif --with-http_sub_module \ --with-http_dav_module \ --with-http_flv_module \ @@ -228,6 +239,7 @@ export DESTDIR=%{buildroot} --with-http_slice_module \ --with-http_stub_status_module \ --with-http_perl_module=dynamic \ + --with-http_auth_request_module \ --with-mail=dynamic \ --with-mail_ssl_module \ --with-pcre \ @@ -239,7 +251,11 @@ export DESTDIR=%{buildroot} %endif --with-debug \ --with-cc-opt="%{optflags} $(pcre-config --cflags)" \ - --with-ld-opt="$RPM_LD_FLAGS -Wl,-E" # so the perl module finds its symbols + --with-ld-opt="$nginx_ldopts"; then + : configure failed + cat objs/autoconf.err + exit 1 +fi make %{?_smp_mflags} @@ -252,11 +268,14 @@ find %{buildroot} -type f -name perllocal.pod -exec rm -f '{}' \; find %{buildroot} -type f -empty -exec rm -f '{}' \; find %{buildroot} -type f -iname '*.so' -exec chmod 0755 '{}' \; -install -p -D -m 0644 %{SOURCE10} \ +install -p -D -m 0644 ./nginx.service \ %{buildroot}%{_unitdir}/nginx.service install -p -D -m 0644 %{SOURCE11} \ %{buildroot}%{_sysconfdir}/logrotate.d/nginx +install -p -d -m 0755 %{buildroot}%{_sysconfdir}/systemd/system/nginx.service.d +install -p -d -m 0755 %{buildroot}%{_unitdir}/nginx.service.d + install -p -d -m 0755 %{buildroot}%{_sysconfdir}/nginx/conf.d install -p -d -m 0755 %{buildroot}%{_sysconfdir}/nginx/default.d @@ -268,12 +287,30 @@ install -p -d -m 0755 %{buildroot}%{_datadir}/nginx/html install -p -d -m 0755 %{buildroot}%{_datadir}/nginx/modules install -p -d -m 0755 %{buildroot}%{_libdir}/nginx/modules -install -p -m 0644 %{SOURCE12} \ +install -p -m 0644 ./nginx.conf \ %{buildroot}%{_sysconfdir}/nginx -install -p -m 0644 %{SOURCE100} \ - %{buildroot}%{_datadir}/nginx/html -install -p -m 0644 %{SOURCE101} %{SOURCE102} \ + +rm -f %{buildroot}%{_datadir}/nginx/html/index.html +%if 0%{?el7} +ln -s ../../doc/HTML/index.html \ + %{buildroot}%{_datadir}/nginx/html/index.html +ln -s ../../doc/HTML/img \ + %{buildroot}%{_datadir}/nginx/html/img +ln -s ../../doc/HTML/en-US \ + %{buildroot}%{_datadir}/nginx/html/en-US +%else +ln -s ../../fedora-testpage/index.html \ + %{buildroot}%{_datadir}/nginx/html/index.html +%endif +install -p -m 0644 %{SOURCE102} \ %{buildroot}%{_datadir}/nginx/html +ln -s nginx-logo.png %{buildroot}%{_datadir}/nginx/html/poweredby.png +mkdir -p %{buildroot}%{_datadir}/nginx/html/icons + +# Symlink for the powered-by-$DISTRO image: +ln -s ../../../pixmaps/poweredby.png \ + %{buildroot}%{_datadir}/nginx/html/icons/poweredby.png + install -p -m 0644 %{SOURCE103} %{SOURCE104} \ %{buildroot}%{_datadir}/nginx/html @@ -281,7 +318,7 @@ install -p -m 0644 %{SOURCE103} %{SOURCE104} \ rm -f %{buildroot}%{_sysconfdir}/nginx/mime.types %endif -install -p -D -m 0644 %{_builddir}/nginx-%{version}/man/nginx.8 \ +install -p -D -m 0644 %{_builddir}/nginx-%{version}/objs/nginx.8 \ %{buildroot}%{_mandir}/man8/nginx.8 install -p -D -m 0755 %{SOURCE13} %{buildroot}%{_bindir}/nginx-upgrade @@ -292,8 +329,10 @@ for i in ftdetect ftplugin indent syntax; do %{buildroot}%{_datadir}/vim/vimfiles/${i}/nginx.vim done +%if %{with geoip} echo 'load_module "%{_libdir}/nginx/modules/ngx_http_geoip_module.so";' \ > %{buildroot}%{_datadir}/nginx/modules/mod-http-geoip.conf +%endif echo 'load_module "%{_libdir}/nginx/modules/ngx_http_image_filter_module.so";' \ > %{buildroot}%{_datadir}/nginx/modules/mod-http-image-filter.conf echo 'load_module "%{_libdir}/nginx/modules/ngx_http_perl_module.so";' \ @@ -315,10 +354,12 @@ exit 0 %post %systemd_post nginx.service +%if %{with geoip} %post mod-http-geoip if [ $1 -eq 1 ]; then /usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || : fi +%endif %post mod-http-image-filter if [ $1 -eq 1 ]; then @@ -389,9 +430,9 @@ fi %config(noreplace) %{_sysconfdir}/nginx/uwsgi_params.default %config(noreplace) %{_sysconfdir}/nginx/win-utf %config(noreplace) %{_sysconfdir}/logrotate.d/nginx -%attr(700,%{nginx_user},%{nginx_user}) %dir %{_localstatedir}/lib/nginx -%attr(700,%{nginx_user},%{nginx_user}) %dir %{_localstatedir}/lib/nginx/tmp -%attr(700,%{nginx_user},%{nginx_user}) %dir %{_localstatedir}/log/nginx +%attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx +%attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx/tmp +%attr(770,%{nginx_user},root) %dir %{_localstatedir}/log/nginx %dir %{_libdir}/nginx/modules %files all-modules @@ -402,10 +443,14 @@ fi %dir %{_sysconfdir}/nginx %dir %{_sysconfdir}/nginx/conf.d %dir %{_sysconfdir}/nginx/default.d +%dir %{_sysconfdir}/systemd/system/nginx.service.d +%dir %{_unitdir}/nginx.service.d +%if %{with geoip} %files mod-http-geoip %{_datadir}/nginx/modules/mod-http-geoip.conf %{_libdir}/nginx/modules/ngx_http_geoip_module.so +%endif %files mod-http-image-filter %{_datadir}/nginx/modules/mod-http-image-filter.conf @@ -432,19 +477,112 @@ fi %changelog -* Tue May 07 2019 Jamie Nguyen - 1:1.12.2-3 +* Sun Sep 15 2019 Warren Togami +- add conditionals for EPEL7, see rhbz#1750857 + +* Tue Aug 13 2019 Jamie Nguyen - 1:1.16.1-1 +- Update to upstream release 1.16.1 +- Fixes CVE-2019-9511, CVE-2019-9513, CVE-2019-9516 + +* Thu Jul 25 2019 Fedora Release Engineering - 1:1.16.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu May 30 2019 Jitka Plesnikova - 1:1.16.0-4 +- Perl 5.30 rebuild + +* Tue May 14 2019 Stephen Gallagher - 1.16.0-3 +- Move to common default index.html +- Resolves: rhbz#1636235 + +* Tue May 07 2019 Jamie Nguyen - 1:1.16.0-2 - Add missing directory for vim plugin -* Tue Mar 6 2018 Tadej Janež - 1:1.12.2-2 -- enable building the ngx_http_auth_request_module module (RHBZ #1471107) +* Fri Apr 26 2019 Jamie Nguyen - 1:1.16.0-1 +- Update to upstream release 1.16.0 -* Wed Oct 18 2017 Luboš Uhliarik - 1:1.12.2-1 -- update to upstream release 1.12.2 -- Resolves: #1468584 - (CVE-2017-7529) CVE-2017-7529 nginx: Integer - overflow in nginx range filter module leading to memory disclosure +* Mon Mar 04 2019 Jamie Nguyen - 1:1.15.9-1 +- Update to upstream release 1.15.9 +- Enable ngx_stream_ssl_preread module +- Remove redundant conditionals -* Mon Sep 18 2017 Luboš Uhliarik - 1:1.10.2-2 -- Resolves: #1478662 - rebuild for ALPN support +* Fri Feb 01 2019 Fedora Release Engineering - 1:1.14.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Jan 14 2019 Björn Esser - 1:1.14.1-4 +- Rebuilt for libcrypt.so.2 (#1666033) + +* Tue Dec 11 2018 Joe Orton - 1:1.14.1-3 +- fix unexpanded paths in nginx(8) + +* Tue Nov 20 2018 Luboš Uhliarik - 1:1.14.1-2 +- new version 1.14.1 +- Resolves: #1584426 - Upstream Nginx 1.14.0 is now available +- Resolves: #1647255 - CVE-2018-16845 nginx: Denial of service and memory + disclosure via mp4 module +- Resolves: #1647259 - CVE-2018-16843 nginx: Excessive memory consumption + via flaw in HTTP/2 implementation +- Resolves: #1647258 - CVE-2018-16844 nginx: Excessive CPU usage via flaw + in HTTP/2 implementation + +* Mon Aug 06 2018 Luboš Uhliarik - 1:1.12.1-14 +- add requires on perl(constant) for mod-http-perl + +* Mon Jul 30 2018 Luboš Uhliarik - 1:1.12.1-13 +- don't build with geoip by default + +* Thu Jul 19 2018 Joe Orton - 1:1.12.1-12 +- add build conditional for geoip support + +* Mon Jul 16 2018 Tadej Janež - 1:1.12.1-11 +- Add gcc to BuildRequires to account for + https://fedoraproject.org/wiki/Changes/Remove_GCC_from_BuildRoot + +* Fri Jul 13 2018 Fedora Release Engineering - 1:1.12.1-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Jun 27 2018 Jitka Plesnikova - 1:1.12.1-9 +- Perl 5.28 rebuild + +* Mon May 14 2018 Luboš Uhliarik - 1:1.12.1-8 +- Related: #1573942 - nginx fails on start + +* Wed May 02 2018 Luboš Uhliarik - 1:1.12.1-7 +- Resolves: #1573942 - nginx fails on start + +* Thu Feb 08 2018 Fedora Release Engineering - 1:1.12.1-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Wed Jan 24 2018 Björn Esser - 1:1.12.1-5 +- Add patch to apply glibc bugfix if really needed only +- Disable strict symbol checks in the link editor + +* Sat Jan 20 2018 Björn Esser - 1:1.12.1-4 +- Rebuilt for switch to libxcrypt + +* Tue Oct 24 2017 Joe Orton - 1:1.12.1-3 +- rebuild + +* Tue Sep 19 2017 Remi Collet - 1:1.12.1-2 +- own system drop-in directories #1493036 + +* Tue Aug 15 2017 Joe Orton - 1:1.12.1-1 +- update to 1.12.1 (#1469924) +- enable http_auth_request_module (Tim Niemueller, #1471106) + +* Thu Aug 03 2017 Fedora Release Engineering - 1:1.12.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 1:1.12.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sun Jun 04 2017 Jitka Plesnikova - 1:1.12.0-2 +- Perl 5.26 rebuild + +* Tue May 30 2017 Luboš Uhliarik - 1:1.12.0-1 +- new version 1.12.0 + +* Wed Feb 8 2017 Joe Orton - 1:1.10.3-1 +- update to upstream release 1.10.3 * Mon Oct 31 2016 Jamie Nguyen - 1:1.10.2-1 - update to upstream release 1.10.2 diff --git a/poweredby.png b/poweredby.png deleted file mode 100644 index b4aea88b9f33b00727d91327089a33d620ac3c32..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2811 zcmVvV z|BYDZhB`fUW6d+C1H&(naQ?!%cMU*DrN$usb(j4Hj&ve^RXZY1Xk0r;(+s~S?u5Ai zhVFM`A$Vi@L-*=Krp0@rg>if;W&%P?N6?RvwEuDRiSDSoFxL0zCd>{(dpQlprGVQW zz4-C-*WR4|2wF4trm1tku*SVQLU$i#0Wr%B*WFLu1no&&N5q<}^@5H<^`;+xcIWPl z@_PBk-%Z261q%euJvl;)Tzh-P8gwk~<%Y+#Ok778{(D+QM+97e^-VB|&V zv5TgWi>CFzl9uoP$DJ={bA)hU^k6idScAIn(Vplg=)NKP7Y!NdM!x#@*M>m>kr4vJ zq#)@&It_10-=s{KP^DaZQCw8BE5L2M(wJKRN0Hdik8?5 zp~Z^sw-qenT4?i-LRL@EnhyoI{8l&AW?^czxJWHbdCd}2la$ve-k4EtVwX%3| zlP?60Ml&S)f>?ODFTkQQH3I=so(x~u;0pwZh6TgnVrvu5?>&kHiAo`oCCisEizaI3 zG;PE;7=V~KbwSH-^yrD$z6eLg2xDO{h`{mG;a|}AaCZoU1Z5nINGlVpk=Me-6Gv_n zu|U2sBVS~(7)i^TPb_${C{JOgK!6mpWMM;qc(~kbd6CXHNR}FXyR;+8TBrvxxOpF4 zbNllzCr+IoJ$kZm!OB_lg*IiVL~IIyfy?zEUc2xXT@&nnXqGyH z_0O6zRD-A>H1Wa}J($cqYy$l@YH z3CTF}12$e+$Q{6;uxR4ekYmIgSw|QS#-cQZrwm?Gi$uRP{?4t4VzGBZN1>o+XQRK{ z>8V4;F$RI7VJYbu7$Ftbt~5%Yj73dgu)F_JD6nj^76hdaC4(&V)bw=qJ<`>;9kLaK zZ23VZcaV~3bxW^*=~^kT1uR;_-|zhHmX`2p#=GB7m=Fm!BQ_GSelvR82 zebi9(9zFEC59p^q`t&m$1w_Q$vSs1!)t4r(HU)c<9py3zZ*VP=g09S9L<9)xh;G8z z_{#zZQ7EWgG5Pkib`IW-jh|LP$Q~*1E*~2|75PJVkW+2>A+DgmV;zle8UE4r8-Etl zSc{Qe-?4Jz$DjO7d-yff6I8br0--K?XNHu0=x$RYVG#)<2AR8Qio-pm}J=C`{3%0df7t z2Ll^+yDP$ytEH-W1-!!@^u^9S2Xf1T74@CZJ%5sB!X~V;QWE9Cq7qS6M$#fkLI0jv z6)#7Wbci);>If5hE$X-k1O*O`JYM9QQdqk}1Qdl2y~S0CBPFLUsqqic3PA+vqpME_ z@$p}7d8#^j8|s%_t-BsSOyfKE9x`XMFfsE|^2%@Cpz&2}wx-CPc!j(-VewMVkMojQ z8^$ezj|f2q5TF>NJ*keLENQ_ssAw8TF%A&uK1Je)EU~In@HWu3S@_6av{=cnEOAVn zIwz`Z*Q)JwzI)%ZqMBG-ZI`e7ff5R0gtuD_Jbl*r?(d`d`=1%(J2a@0m)J^@K*QeR zBXngXRN|~^R+63G_#kHDy{MX~Z76|I3N6+wK=cgkkV9bPfG9NS#q6jSmx4vztA^7T2C{v;4KCugE(-E6<4aS8S@oYDO(lZn98K8Q~6BRq&dCj?ArJsD9&MN zQ9HGwc<~0;(7%HFAJK6Xw~G!9Z-ZT`aYVUIXSpMM_QI4XE-0%i2oIGK=8MTI*J#{b z8Md%4qlr54z8^fQg5dkKRHhmxe$O?U&(`ncu$&A5=Ck%ByG{n-DCvN3G8F|vlnlz9 z+T@BwDv6_=B86AnErNvz83F-`Y2LsZo=VV|sesO&p8^OZQ5i(vu-tudU+jM3SsH)x z&^T@3S;v*vbos4!We^9S=dBm-HQ3_}4H5a=n@W#4uzu$P-lWw@IrZ4@s*WHKp>sHb`v*{`$3L4-5^g-$n7FfcPmr&JYjp07V?x!yYDP0SU?>1pJv$Zj&(x zU1ur&`&l|JzE8PgI7g%sl1QJr*U*jw>BWeYFmTWa)mLN7si z-@LR_5IIU1Sy6O2_i5x&+SjHRF7f&Yv0A9czgphf7cR1U77`AB$A+`#E{kj7h_?2% zub#Vv^Zs=^u}?Fz#L>h-fJoz4cmH{O;tYFcpVPp_*Plbr#IUJrW_$l!pGiwWw|H^X zo`8tF{umP=OdzLd2X$|OgUXGvkqLA06W)e6P))=xmYD+9U@Yux3(t1({-x`z?tuKT zi|x~}XGP+`!hHNuXfw{a?di5R^4&d8vGgf_%W@5WIAqfOum5wk3#Vu)@EBQ=F7Id; z^In5u1lC~gP|9kMv+z@+K{)thVV^~QuHjR-_=MO;E`D^kD38e6{tI!-b7%-1qd5Qo N002ovPDHLkV1nUENR