From 98fde783791f231773fec22126d595153f1a5796 Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Wed, 13 May 2026 14:22:20 -0500 Subject: [PATCH] Add dirtyfrag module for CVE-2026-43284 and CVE-2026-43500 Detects Dirty Frag kernel page-cache write vulnerabilities (xfrm-ESP and RxRPC) and optionally applies mitigation via modprobe.d module blacklisting. --- cfbs.json | 41 +++ security/dirtyfrag/README.md | 138 ++++++++ security/dirtyfrag/dirtyfrag.cf | 402 ++++++++++++++++++++++++ security/dirtyfrag/inventory-status.png | Bin 0 -> 50761 bytes security/dirtyfrag/patched-kernels.json | 66 ++++ 5 files changed, 647 insertions(+) create mode 100644 security/dirtyfrag/README.md create mode 100644 security/dirtyfrag/dirtyfrag.cf create mode 100644 security/dirtyfrag/inventory-status.png create mode 100644 security/dirtyfrag/patched-kernels.json diff --git a/cfbs.json b/cfbs.json index 549f89d..7d7c609 100644 --- a/cfbs.json +++ b/cfbs.json 
@@ -142,6 +142,47 @@ "bundles delete_home_dotshosts:main" ] }, + "dirtyfrag": { + "description": "Detect and optionally mitigate CVE-2026-43284 (DirtyFrag) and CVE-2026-43500 in the Linux kernel.", + "tags": ["security", "inventory", "detection", "mitigation"], + "subdirectory": "security/dirtyfrag", + "steps": [ + "copy dirtyfrag.cf services/cfbs/modules/dirtyfrag/dirtyfrag.cf", + "copy patched-kernels.json services/cfbs/modules/dirtyfrag/patched-kernels.json", + "policy_files services/cfbs/modules/dirtyfrag/dirtyfrag.cf", + "bundles dirtyfrag:main", + "input ./input.json def.json" + ], + "input": [ + { + "type": "string", + "variable": "mitigate_esp", + "namespace": "dirtyfrag", + "bundle": "main", + "label": "Mitigate CVE-2026-43284 (ESP/IPComp)", + "question": "Blacklist esp4, esp6, ipcomp4, ipcomp6 kernel modules? (breaks IPsec) [true/false]", + "default": "false" + }, + { + "type": "string", + "variable": "mitigate_rxrpc", + "namespace": "dirtyfrag", + "bundle": "main", + "label": "Mitigate CVE-2026-43500 (RxRPC)", + "question": "Blacklist rxrpc kernel module? (breaks AFS/RxRPC) [true/false]", + "default": "false" + }, + { + "type": "string", + "variable": "mitigate_userns", + "namespace": "dirtyfrag", + "bundle": "main", + "label": "Mitigate CVE-2026-43284 via user namespaces", + "question": "Set user.max_user_namespaces=0? (blocks ESP exploit without disabling IPsec, may break rootless containers) [true/false]", + "default": "false" + } + ] + }, "demo": { "description": "Enables convenient and insecure settings for demoing CFEngine.", "subdirectory": "management/demo", diff --git a/security/dirtyfrag/README.md b/security/dirtyfrag/README.md new file mode 100644 index 0000000..8d4b3d6 --- /dev/null +++ b/security/dirtyfrag/README.md 
@@ -0,0 +1,138 @@ +Dirty Frag is a pair of kernel page-cache write vulnerabilities affecting Linux kernel modules that use nonlinear sk_buff (skb) fragments. An unprivileged local attacker with access to a network namespace can trigger out-of-bounds memory writes, potentially leading to privilege escalation. + +- **CVE-2026-43284** (xfrm-ESP/IPComp): Affects `esp4.ko`, `esp6.ko`, `ipcomp.ko`, and `ipcomp6.ko` modules when unprivileged user namespaces are enabled. Patched in stable kernel trees as of May 2026. +- **CVE-2026-43500** (RxRPC): Affects `rxrpc.ko` module. Patches available for some distros as of May 2026; mitigation via module blacklisting where unpatched. + +## Vulnerability conditions + +- **CVE-2026-43284**: Requires `esp4`, `esp6`, `ipcomp`, or `ipcomp6` kernel modules present AND `/proc/sys/kernel/unprivileged_userns_clone` set to `1` +- **CVE-2026-43500**: Requires `rxrpc` kernel module present (no additional prerequisites) + +## Inventory + +After adding this module you can view Dirty Frag vulnerability status in Mission Portal Inventory Report: + +[![Inventory showing Dirty Frag status](https://raw.githubusercontent.com/cfengine/modules/master/security/dirtyfrag/inventory-status.png)](https://raw.githubusercontent.com/cfengine/modules/master/security/dirtyfrag/inventory-status.png) + +- **Dirty Frag CVE-2026-43284 (xfrm-ESP) status**: + - `VULNERABLE (esp4, esp6 loaded)` -- vulnerable modules currently in memory (names vary by host) + - `VULNERABLE (modules on disk, none loaded)` -- modules present but not loaded; latent risk + - `PATCHED (kernel fix applied)` -- running kernel version includes the fix (auto-detected or admin-declared) + - `MITIGATED (blacklist in place)` -- modprobe blacklist or userns restriction active + - `NOT AFFECTED` -- vulnerable modules not present on this host +- **Dirty Frag CVE-2026-43500 (RxRPC) status**: + - `VULNERABLE (rxrpc loaded)` -- module currently in memory + - `VULNERABLE (module on disk, not loaded)` -- 
module present but not loaded; latent risk + - `PATCHED (kernel fix applied)` -- running kernel version includes the fix (auto-detected or admin-declared) + - `MITIGATED (blacklist in place)` -- modprobe blacklist active + - `NOT AFFECTED` -- rxrpc module not present on this host + +## Mitigation + +Each CVE has an independent toggle and separate conf file: + +**CVE-2026-43284** (ESP/IPComp) -- `/etc/modprobe.d/dirtyfrag-esp.conf`: + +``` +# Dirty Frag CVE-2026-43284 mitigation: block xfrm-ESP and IPComp +install esp4 /bin/false +install esp6 /bin/false +install ipcomp4 /bin/false +install ipcomp6 /bin/false +``` + +**CVE-2026-43500** (RxRPC) -- `/etc/modprobe.d/dirtyfrag-rxrpc.conf`: + +``` +# Dirty Frag CVE-2026-43500 mitigation: block RxRPC +install rxrpc /bin/false +``` + +This prevents the vulnerable modules from loading. When mitigation is first applied, already-loaded modules are unloaded via `rmmod`. + +**CVE-2026-43284 alternative** (user namespaces) -- `/etc/sysctl.d/dirtyfrag-userns.conf`: + +``` +# Dirty Frag CVE-2026-43284 mitigation: disable unprivileged user namespaces +# Blocks ESP/IPComp exploit without disabling IPsec. +# WARNING: May affect rootless containers and sandboxed applications. +user.max_user_namespaces = 0 +``` + +This blocks the ESP/IPComp exploit path without blacklisting the modules, preserving IPsec functionality. Use this instead of `mitigate_esp` on hosts that require IPsec. Note: this does **not** mitigate CVE-2026-43500 (RxRPC) and may break rootless containers (Podman, Docker rootless), Flatpak, and browser sandboxes. Applied via `sysctl --system` on first write. + +All mitigations are **disabled by default** -- the module only reports status unless the corresponding CMDB variable is set to `"true"`. 
+ +## Usage + +Add the policy to your inputs: + +``` +inputs "security/dirtyfrag/dirtyfrag.cf" +``` + +To enable mitigation, set one or both variables in your site's `def.json` (Augments): + +```json +{ + "variables": { + "dirtyfrag:main.mitigate_esp": { "value": "true" }, + "dirtyfrag:main.mitigate_rxrpc": { "value": "true" }, + "dirtyfrag:main.mitigate_userns": { "value": "true" }, + "dirtyfrag:main.esp_patched": { "value": "true" }, + "dirtyfrag:main.rxrpc_patched": { "value": "true" } + } +} +``` + +| Variable | What it does | Trade-off | +|----------|-------------|-----------| +| `mitigate_esp` | Blacklists esp4, esp6, ipcomp4, ipcomp6 | Breaks IPsec | +| `mitigate_rxrpc` | Blacklists rxrpc | Breaks AFS/RxRPC | +| `mitigate_userns` | Sets `user.max_user_namespaces=0` | May break rootless containers/sandboxes | +| `esp_patched` | Declare CVE-2026-43284 as patched | Admin must verify kernel is actually patched | +| `rxrpc_patched` | Declare CVE-2026-43500 as patched | Admin must verify kernel is actually patched | + +Typical combinations: +- **Most hosts**: `mitigate_esp` + `mitigate_rxrpc` (full protection) +- **IPsec hosts**: `mitigate_userns` + `mitigate_rxrpc` (preserves IPsec) +- **Container hosts needing IPsec**: `mitigate_rxrpc` only (partial, accept ESP risk until patched kernel) + +Default behavior (variables unset) is status-only reporting. + +## Detection details + +The module checks for vulnerable modules in three ways: + +1. **On-disk `.ko` files** under `/lib/modules/$(kernel_version)/` +2. **Compressed variants** (`.ko.zst`, `.ko.xz`) on distros that compress modules +3. **Currently loaded modules** via `/sys/module/` entries + +For CVE-2026-43284, the module also checks whether unprivileged user namespaces are enabled (`/proc/sys/kernel/unprivileged_userns_clone`), since the exploit requires namespace access. 
+ +## Kernel patch detection + +The module automatically detects whether the running kernel includes fixes for the Dirty Frag CVEs by comparing the kernel version (`uname -r`) against known-patched versions from distro security advisories. This data is maintained in `patched-kernels.json`, shipped alongside the policy. + +Currently tracked distros: + +| Distro | CVE-2026-43284 | CVE-2026-43500 | +|--------|---------------|---------------| +| RHEL/CentOS/Alma/Rocky 8 | 4.18.0-553.123.2 | 4.18.0-553.123.2 | +| RHEL/CentOS/Alma/Rocky 9 | 5.14.0-611.54.1 | 5.14.0-611.54.3 | +| RHEL/CentOS/Alma/Rocky 10 | 6.12.0-124.55.2 | 6.12.0-124.55.3 | +| Debian 11 (Bullseye) | 5.10.251-4 | 5.10.251-4 | +| Debian 12 (Bookworm) | 6.1.170-3 | 6.1.170-3 | +| Debian 13 (Trixie) | 6.12.86-1 | 6.12.86-1 | +| SLES 15 SP7 | 6.4.0-150700.53.45.1 | 6.4.0-150700.53.45.1 | + +When a patched kernel is detected, the status reports `PATCHED (kernel fix applied)` instead of `VULNERABLE`. The module uses `sort -V` (version sort from coreutils) to compare kernel versions. + +For distros not in the data file, or hosts running custom/backported kernels, set the admin override variables `esp_patched` and/or `rxrpc_patched` to `"true"` via augments. + +To update the patched kernel data, edit `patched-kernels.json` and redeploy. The data file is intentionally separate from the policy so it can be updated independently. + +## Adding exceptions + +To exclude specific hosts from mitigation, use conditional augments to override them to a value other than `"true"`. + diff --git a/security/dirtyfrag/dirtyfrag.cf b/security/dirtyfrag/dirtyfrag.cf new file mode 100644 index 0000000..4795ca9 --- /dev/null +++ b/security/dirtyfrag/dirtyfrag.cf 
@@ -0,0 +1,402 @@ +body file control +{ + namespace => "dirtyfrag"; +} + +bundle agent kernel_patch_check +# @brief Checks whether the running kernel includes fixes for Dirty Frag CVEs +# by comparing the kernel package version against known-patched versions +# from distro security advisories. +# +# Sets classes: +# dirtyfrag:_esp_kernel_patched +# dirtyfrag:_rxrpc_kernel_patched +# dirtyfrag:_patch_data_matched +{ + vars: + "_data_file" + string => "$(this.promise_dirname)/patched-kernels.json"; + + "_data" + data => readjson("${_data_file}"), + if => fileexists("${_data_file}"); + + "_entries_idx" + slist => getindices("_data[entries]"), + if => isvariable("_data[entries]"); + + "_os_id" + string => "$(default:sys.os_release[ID])", + if => isvariable("default:sys.os_release[ID]"); + + "_os_ver" + string => "$(default:sys.os_release[VERSION_ID])", + if => isvariable("default:sys.os_release[VERSION_ID]"); + + # Find matching entry: the entry whose id_match and version_match + # both match this host's os-release ID and VERSION_ID. + "_matched_idx" + string => "${_entries_idx}", + if => and( + regcmp("${_data[entries][${_entries_idx}][id_match]}", "${_os_id}"), + regcmp("${_data[entries][${_entries_idx}][version_match]}", "${_os_ver}") + ); + + "_esp_patched_ver" + string => "${_data[entries][${_matched_idx}][cve_2026_43284]}", + if => isvariable("_data[entries][${_matched_idx}][cve_2026_43284]"); + + "_rxrpc_patched_ver" + string => "${_data[entries][${_matched_idx}][cve_2026_43500]}", + if => isvariable("_data[entries][${_matched_idx}][cve_2026_43500]"); + + classes: + "_patch_data_matched" + expression => isvariable("_matched_idx"); + + # Use sort -V to check: if the patched version sorts <= running version, + # then the running kernel is patched. We test by checking that the + # patched version comes first (or equal) in version-sorted order. + # printf '%s\n' "$patched" "$running" | sort -V | head -1 + # If result == patched, then running >= patched. 
+ "_esp_kernel_patched" + expression => returnszero( + "/usr/bin/test \"$(const.dollar)(/usr/bin/printf '%s\n' '${_esp_patched_ver}' '$(default:sys.release)' | /usr/bin/sort -V | /usr/bin/head -1)\" = '${_esp_patched_ver}'", + "useshell" + ), + if => isvariable("_esp_patched_ver"); + + "_rxrpc_kernel_patched" + expression => returnszero( + "/usr/bin/test \"$(const.dollar)(/usr/bin/printf '%s\n' '${_rxrpc_patched_ver}' '$(default:sys.release)' | /usr/bin/sort -V | /usr/bin/head -1)\" = '${_rxrpc_patched_ver}'", + "useshell" + ), + if => isvariable("_rxrpc_patched_ver"); + + reports: + inform_mode._patch_data_matched:: + "Dirty Frag: matched distro ${_os_id} ${_os_ver} (entry ${_matched_idx})"; + + inform_mode._esp_kernel_patched:: + "Dirty Frag CVE-2026-43284: kernel $(default:sys.release) >= ${_esp_patched_ver} (PATCHED)"; + + inform_mode._rxrpc_kernel_patched:: + "Dirty Frag CVE-2026-43500: kernel $(default:sys.release) >= ${_rxrpc_patched_ver} (PATCHED)"; +} + +bundle agent main +# @brief Detects Dirty Frag (CVE-2026-43284, CVE-2026-43500) vulnerability +# and applies CMDB-toggleable mitigations via module blacklisting. 
+# +# Usage: +# inputs "security/dirtyfrag/dirtyfrag.cf" +# +# CMDB variables (set via def.json augments): +# { +# "variables": { +# "dirtyfrag:main.mitigate_esp": { "value": "true" }, +# "dirtyfrag:main.mitigate_rxrpc": { "value": "true" }, +# "dirtyfrag:main.mitigate_userns": { "value": "true" }, +# "dirtyfrag:main.esp_patched": { "value": "true" }, +# "dirtyfrag:main.rxrpc_patched": { "value": "true" } +# } +# } +# +# Mitigation toggles (each independently controls a mitigation strategy): +# mitigate_esp -> blacklists esp4, esp6, ipcomp4, ipcomp6 +# mitigate_rxrpc -> blacklists rxrpc +# mitigate_userns -> sets user.max_user_namespaces=0 via sysctl +# (blocks CVE-2026-43284 without disabling IPsec, +# but may affect rootless containers/sandboxes; +# does NOT mitigate CVE-2026-43500) +# +# Admin patch overrides (suppress false positives on patched kernels): +# esp_patched -> declare CVE-2026-43284 as patched on this host +# rxrpc_patched -> declare CVE-2026-43500 as patched on this host +# +# Kernel patch detection is automatic for known distro versions +# (see patched-kernels.json). The admin overrides are for distros +# not yet in the data file, or custom/backported kernels. +# +# When disabled (default), the module only reports vulnerability status. 
+{ + methods: + # Run kernel patch check before evaluating status + "kernel_patch_check" usebundle => "dirtyfrag:kernel_patch_check"; + + vars: + # --- Constants --- + "_esp_conf_path" string => "/etc/modprobe.d/dirtyfrag-esp.conf"; + "_rxrpc_conf_path" string => "/etc/modprobe.d/dirtyfrag-rxrpc.conf"; + + "_esp_conf_content" + string => concat( + "# Dirty Frag CVE-2026-43284 mitigation: block xfrm-ESP and IPComp$(const.n)", + "install esp4 /bin/false$(const.n)", + "install esp6 /bin/false$(const.n)", + "install ipcomp4 /bin/false$(const.n)", + "install ipcomp6 /bin/false$(const.n)" + ); + + "_rxrpc_conf_content" + string => concat( + "# Dirty Frag CVE-2026-43500 mitigation: block RxRPC$(const.n)", + "install rxrpc /bin/false$(const.n)" + ); + + "_userns_conf_path" string => "/etc/sysctl.d/dirtyfrag-userns.conf"; + + "_userns_conf_content" + string => concat( + "# Dirty Frag CVE-2026-43284 mitigation: disable unprivileged user namespaces$(const.n)", + "# Blocks ESP/IPComp exploit without disabling IPsec.$(const.n)", + "# WARNING: May affect rootless containers and sandboxed applications.$(const.n)", + "user.max_user_namespaces = 0$(const.n)" + ); + + # --- Read kernel version --- + "_kver" string => "$(default:sys.release)"; + + # --- Module paths --- + "_esp4_path" string => "/lib/modules/$(_kver)/kernel/net/ipv4/esp4.ko"; + "_esp6_path" string => "/lib/modules/$(_kver)/kernel/net/ipv6/esp6.ko"; + "_ipcomp4_path" string => "/lib/modules/$(_kver)/kernel/net/ipv4/ipcomp.ko"; + + "_ipcomp6_path" + string => "/lib/modules/$(_kver)/kernel/net/ipv6/ipcomp6.ko"; + + "_rxrpc_path" string => "/lib/modules/$(_kver)/kernel/net/rxrpc/rxrpc.ko"; + "_ns_proc" string => "/proc/sys/kernel/unprivileged_userns_clone"; + + # --- Read the unprivileged user namespace setting --- + "_ns_val" + string => readfile("${_ns_proc}"), + if => fileexists("${_ns_proc}"); + + # --- Loaded-module detail for inventory --- + "_esp_loaded_csv" + string => format( + "%s%s%s%s", + 
ifelse("_esp4_loaded", "esp4, ", ""), + ifelse("_esp6_loaded", "esp6, ", ""), + ifelse("_ipcomp4_loaded", "ipcomp, ", ""), + ifelse("_ipcomp6_loaded", "ipcomp6, ", "") + ); + + # Trim trailing ", " + "_esp_loaded_names" + string => regex_replace("${_esp_loaded_csv}", ",\s*$", "", ""); + + # --- Status strings --- + "_esp_status" + string => ifelse( + "dirtyfrag_esp_needs_mitigation._esp_any_loaded", + "VULNERABLE (${_esp_loaded_names} loaded)", + "dirtyfrag_esp_needs_mitigation", + "VULNERABLE (modules on disk, none loaded)", + "dirtyfrag:kernel_patch_check._esp_kernel_patched|_esp_admin_patched", + "PATCHED (kernel fix applied)", + "dirtyfrag_esp_present._esp_mitigated", + "MITIGATED (blacklist in place)", + "NOT AFFECTED" + ); + + "_rxrpc_status" + string => ifelse( + "dirtyfrag_rxrpc_needs_mitigation._rxrpc_loaded", + "VULNERABLE (rxrpc loaded)", + "dirtyfrag_rxrpc_needs_mitigation", + "VULNERABLE (module on disk, not loaded)", + "dirtyfrag:kernel_patch_check._rxrpc_kernel_patched|_rxrpc_admin_patched", + "PATCHED (kernel fix applied)", + "dirtyfrag_rxrpc_present._rxrpc_mitigated", + "MITIGATED (blacklist in place)", + "NOT AFFECTED" + ); + + # --- Inventory output for Mission Portal --- + "inventory_dirtyfrag_esp" + string => "CVE-2026-43284 (xfrm-ESP): $(_esp_status)", + meta => { + "inventory", + "attribute_name=Dirty Frag CVE-2026-43284 (xfrm-ESP) status", + }, + comment => "CVE-2026-43284 xfrm-ESP mitigation status"; + + "inventory_dirtyfrag_rxrpc" + string => "CVE-2026-43500 (RxRPC): $(_rxrpc_status)", + meta => { + "inventory", + "attribute_name=Dirty Frag CVE-2026-43500 (RxRPC) status", + }, + comment => "CVE-2026-43500 RxRPC mitigation status"; + + classes: + # --- CMDB toggles --- + "_mitigate_esp" expression => strcmp("true", "$(mitigate_esp)"); + "_mitigate_rxrpc" expression => strcmp("true", "$(mitigate_rxrpc)"); + "_mitigate_userns" expression => strcmp("true", "$(mitigate_userns)"); + + # --- Admin override: manually declare host as patched --- + 
"_esp_admin_patched" expression => strcmp("true", "$(esp_patched)"); + "_rxrpc_admin_patched" expression => strcmp("true", "$(rxrpc_patched)"); + + # --- Unprivileged user namespace enabled? --- + "_ns_proc_file_exists" expression => fileexists("${_ns_proc}"); + "_ns_val_is_1" expression => strcmp("${_ns_val}", "1"); + "_userns_enabled" and => { "_ns_proc_file_exists", "_ns_val_is_1" }; + + # --- xfrm-ESP/IPComp modules present? --- + "_esp4_on_disk" expression => fileexists("${_esp4_path}"); + "_esp6_on_disk" expression => fileexists("${_esp6_path}"); + "_ipcomp4_on_disk" expression => fileexists("${_ipcomp4_path}"); + "_ipcomp6_on_disk" expression => fileexists("${_ipcomp6_path}"); + + # Compressed variants (.ko.zst, .ko.xz) + "_esp4_on_disk_z" expression => fileexists("${_esp4_path}.zst"); + "_esp6_on_disk_z" expression => fileexists("${_esp6_path}.zst"); + "_ipcomp4_on_disk_z" expression => fileexists("${_ipcomp4_path}.zst"); + "_ipcomp6_on_disk_z" expression => fileexists("${_ipcomp6_path}.zst"); + "_esp4_on_disk_xz" expression => fileexists("${_esp4_path}.xz"); + "_esp6_on_disk_xz" expression => fileexists("${_esp6_path}.xz"); + "_ipcomp4_on_disk_xz" expression => fileexists("${_ipcomp4_path}.xz"); + "_ipcomp6_on_disk_xz" expression => fileexists("${_ipcomp6_path}.xz"); + + # Currently loaded + "_esp4_loaded" expression => isdir("/sys/module/esp4"); + "_esp6_loaded" expression => isdir("/sys/module/esp6"); + "_ipcomp4_loaded" expression => isdir("/sys/module/ipcomp"); + "_ipcomp6_loaded" expression => isdir("/sys/module/ipcomp6"); + + "_esp_any_loaded" + or => { + "_esp4_loaded", "_esp6_loaded", "_ipcomp4_loaded", "_ipcomp6_loaded" + }; + + "dirtyfrag_esp_present" + or => { + "_esp4_on_disk", + "_esp6_on_disk", + "_ipcomp4_on_disk", + "_ipcomp6_on_disk", + "_esp4_on_disk_z", + "_esp6_on_disk_z", + "_ipcomp4_on_disk_z", + "_ipcomp6_on_disk_z", + "_esp4_on_disk_xz", + "_esp6_on_disk_xz", + "_ipcomp4_on_disk_xz", + "_ipcomp6_on_disk_xz", + "_esp4_loaded", + 
"_esp6_loaded", + "_ipcomp4_loaded", + "_ipcomp6_loaded", + }; + + # --- RxRPC module present? --- + "_rxrpc_on_disk" expression => fileexists("${_rxrpc_path}"); + "_rxrpc_on_disk_z" expression => fileexists("${_rxrpc_path}.zst"); + "_rxrpc_on_disk_xz" expression => fileexists("${_rxrpc_path}.xz"); + "_rxrpc_loaded" expression => isdir("/sys/module/rxrpc"); + + "dirtyfrag_rxrpc_present" + or => { + "_rxrpc_on_disk", + "_rxrpc_on_disk_z", + "_rxrpc_on_disk_xz", + "_rxrpc_loaded", + }; + + # --- Mitigation conf files in place? --- + "_esp_conf_exists" expression => fileexists("${_esp_conf_path}"); + "_rxrpc_conf_exists" expression => fileexists("${_rxrpc_conf_path}"); + "_userns_conf_exists" expression => fileexists("${_userns_conf_path}"); + + # ESP is mitigated by modprobe blacklist, disabled userns, patched kernel, + # or admin override + "_esp_mitigated" + or => { + "_esp_conf_exists", + "_userns_conf_exists", + "!_userns_enabled", + "dirtyfrag:kernel_patch_check._esp_kernel_patched", + "_esp_admin_patched", + }; + + # RxRPC is mitigated by the modprobe blacklist, patched kernel, + # or admin override + "_rxrpc_mitigated" + or => { + "_rxrpc_conf_exists", + "dirtyfrag:kernel_patch_check._rxrpc_kernel_patched", + "_rxrpc_admin_patched", + }; + + # --- Per-CVE vulnerability checks --- + "dirtyfrag_esp_needs_mitigation" + and => { "dirtyfrag_esp_present", "!_esp_mitigated" }; + + "dirtyfrag_rxrpc_needs_mitigation" + and => { "dirtyfrag_rxrpc_present", "!_rxrpc_mitigated" }; + + files: + # --- CVE-2026-43284: ESP/IPComp mitigation --- + _mitigate_esp:: + "${_esp_conf_path}" + create => "true", + content => "${_esp_conf_content}", + classes => default:results("bundle", "dirtyfrag_esp_conf"); + + # --- CVE-2026-43500: RxRPC mitigation --- + _mitigate_rxrpc:: + "${_rxrpc_conf_path}" + create => "true", + content => "${_rxrpc_conf_content}", + classes => default:results("bundle", "dirtyfrag_rxrpc_conf"); + + # --- CVE-2026-43284 alternative: disable unprivileged user 
namespaces --- + _mitigate_userns:: + "${_userns_conf_path}" + create => "true", + content => "${_userns_conf_content}", + classes => default:results("bundle", "dirtyfrag_userns_conf"); + + commands: + # --- Unload ESP/IPComp modules after conf written --- + _mitigate_esp.dirtyfrag_esp_conf_repaired:: + "/sbin/rmmod" + arglist => { "esp4", "esp6", "ipcomp", "ipcomp6" }, + comment => "Unload ESP/IPComp modules already in memory"; + + # --- Unload RxRPC module after conf written --- + _mitigate_rxrpc.dirtyfrag_rxrpc_conf_repaired:: + "/sbin/rmmod" + arglist => { "rxrpc" }, + comment => "Unload RxRPC module already in memory"; + + # --- Apply sysctl after writing userns conf --- + _mitigate_userns.dirtyfrag_userns_conf_repaired:: + "/sbin/sysctl" + arglist => { "--system" }, + comment => "Apply user.max_user_namespaces=0 without reboot"; + + reports: + inform_mode:: + + "Dirty Frag CVE-2026-43284 (xfrm-ESP/IPComp): $(_esp_status)" + if => "dirtyfrag_esp_present"; + + "Dirty Frag CVE-2026-43500 (RxRPC): $(_rxrpc_status)" + if => "dirtyfrag_rxrpc_present"; +} + +body file control +{ + namespace => "default"; +} + +bundle agent __main__ +{ + methods: + "dirtyfrag:main"; +} 
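Review bot: `_esp_mitigated` lists `!_userns_enabled`, and `_userns_enabled` can only be true when `/proc/sys/kernel/unprivileged_userns_clone` exists and reads `1`; that knob is a Debian/Ubuntu kernel patch, so on the RHEL-family and SLES hosts in the README table the file should be absent, the class stays false, and every host with esp4/esp6/ipcomp on disk is reported `MITIGATED (blacklist in place)` with nothing applied — the status fails open. The kernel-wide control on those hosts, and the one `mitigate_userns` itself writes, is `user.max_user_namespaces`, so derive the class from `/proc/sys/user/max_user_namespaces` reading `0` (rewrite below), and drop `_userns_conf_exists` from the list, since a conf file on disk does not show the sysctl took effect. The blacklist branches have a related gap: `_esp_conf_exists` alone marks the CVE mitigated, so when the one-shot `rmmod` under `dirtyfrag_esp_conf_repaired` fails because the module is in use, esp4 stays loaded while inventory says mitigated; requiring `!_esp_any_loaded` (and `!_rxrpc_loaded`) in those conditions and guarding the `rmmod` promises with `_mitigate_esp._esp_any_loaded` / `_mitigate_rxrpc._rxrpc_loaded` keeps the report honest. In `kernel_patch_check`, `$(default:sys.release)` is `uname -r`, whose Debian form is the ABI name (e.g. `6.1.0-NN-amd64`, NN being the ABI revision) rather than the package version the README table lists (`6.1.170-3`), so the `sort -V` test would likely never report a patched Debian kernel even though the bundle comment says it compares the kernel package version — either query the package version there or document that the data file must hold `uname -r` values.

```cfengine3
    # --- Read the user namespace controls ---
    # unprivileged_userns_clone exists only on Debian/Ubuntu kernels;
    # max_user_namespaces is the kernel-wide limit (and what mitigate_userns sets).
    "_ns_proc"    string => "/proc/sys/kernel/unprivileged_userns_clone";
    "_maxns_proc" string => "/proc/sys/user/max_user_namespaces";

    "_ns_val"
      string => readfile("${_ns_proc}"),
      if => fileexists("${_ns_proc}");

    "_maxns_val"
      string => readfile("${_maxns_proc}"),
      if => fileexists("${_maxns_proc}");

    # … unchanged: loaded-module detail, status strings, inventory vars …

  classes:
    # … unchanged: CMDB toggles, admin overrides, on-disk/loaded classes, conf-file classes …

    # --- Unprivileged user namespaces disabled? ---
    # regcmp tolerates a trailing newline in case readfile keeps it.
    "_ns_proc_file_exists" expression => fileexists("${_ns_proc}");
    "_ns_val_is_0"         expression => regcmp("0\s*", "${_ns_val}");
    "_maxns_is_0"          expression => regcmp("0\s*", "${_maxns_val}");

    "_userns_disabled"
      or => { "_ns_proc_file_exists._ns_val_is_0", "_maxns_is_0" };

    # A blacklist only counts once the module is out of memory; a conf file
    # alone does not prove anything was applied.
    "_esp_mitigated"
      or => {
        "_esp_conf_exists.!_esp_any_loaded",
        "_userns_disabled",
        "dirtyfrag:kernel_patch_check._esp_kernel_patched",
        "_esp_admin_patched",
      };

    "_rxrpc_mitigated"
      or => {
        "_rxrpc_conf_exists.!_rxrpc_loaded",
        "dirtyfrag:kernel_patch_check._rxrpc_kernel_patched",
        "_rxrpc_admin_patched",
      };
```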
diff --git a/security/dirtyfrag/inventory-status.png b/security/dirtyfrag/inventory-status.png new file mode 100644 index 0000000000000000000000000000000000000000..4adcd0b7c3421558ea1dfd480ddd9cdf079912a8 GIT binary patch literal 50761 zcmdRVWpEu!u%2yMk}b5w%*@Qp%*@PSF-sP+WHB={Gcz+CF&r@-G3&%PRe5>$CHa>h z$yV*`RM%9`bl2?e*VFxlE69n%!(hRD`t%82QbI)O(#I#tLV>T}2nqX0ErgIZHve8l z77mn`)qR_rRkUgmXw*s@lC|!R>^=NODUpJ(jk}M&*`Y_4=8tsDUJbX?=jYQ_iApep zK|h4P{YMifB4wRU@GsG~xYSXT(EmK>8zB;F+WEgFBKc$qxc^DfUzHMzCiTMqQ}sW+ z@N^m1e@loInVDsuPzVVLz2BbVdV2*HWdE(@hkkHT5$W>sa%x6~xbzA|kxFCY*Px&v z(96BGjjgR@Hc#7$8DV#s`Aqii{=P{%jYwzVR#=VTX_7=`;pIQ(ZIg#z|JB*8?(6H@ z=?BL1@_MyE#>?r7S{jMPH_iVqOWfAE*&nNGYB~Up#Lmt0d({&&Fes35{o5tiH4@o8 z9#Jbc-VguPHG_WP|ErA&V+jA@;{R?xi51i8za?QJvSi%52%4o*E;uoxMf|AkpO>P%H*1F z4|0&BDz%(d!xx9+9mh#3KAltTyPFh;Y8V}j*@aWefiSk@^*hJLZv_{W-R7r5Vpbe& z@nu((0mMk~_JHjkvNBvLMYn6)FH!uUG$F9Y%+8p$M#nE2WQ3P=yO<2mskP>!U)6_0 zxC_tU-fhVe$3j(4dE&s8xIAMDrLPWXe4lgSmh)H2|R-1rK8esOD%)eR4em-@zg@4vYzWt_l;SY}ndTjvj$$z!?X z@M0<2%)IS{0Y}V2dtox4e0vPc_W`=m?rDVJrgQ>0P=|}0$vvm|r-%!H2JUsSuGvGB zTrX}&=_5<8J-cbKCz2q`{3G%g{tmKr&`09KWh4XWAyzl)bT-qQ6UHc|nqgJiHTUd} zc;i9&YgSfRMIg0@FOU3>?(?iWs?Jr4!FMM-k{LBWX~}RS)k5Dd zagCK))LM@yerGu;-l*aCXEyN7eb~(cl_!svpk{O+>tfUUHnXgMR2wl?-_dg#wXBuauH5U%inmn0pd9 zYTjDA%n7s37KyaU5YL&C`U{3XiP?9LaYK+fYz6JY4taDT9;wL{Dz4seaCQLyl+eM8 zT^_|;ld|5&O;q^hyI#k0aG;Y|msP{9dXJQ5eI$1GqetAHLXd~93~g;C*}Tt)#Qgk% zpJim0gMc!row_IoIi^;R{H~@4v=zZarYXrzDN&zqQe&-8!k^xN&%j(TB!C6BpHRhk z500C_#Sy$KyM6$mRx0rd$LB-Z9zP^y-dPx5aTUQfj?w!T48OBW$dl*l#8jDzXT;0l zhQ^eek#)(hcJtjd@QgFHA3P+}^5B9qrVJh-PN>7K0@Eyo_K+q&@QN%w8v?O}KMy2}P*HBC44rQS!EnwM?mk zGx}WE-Tm;}I@z7!tA92QKru38b%oL8QO_4QJBP@nV%GtP+rXt# z>ks?M46~HGmbFM36I~$GI4^PcLPVyUoLsSKjBawAwRn4fqY%_KIo<|qxwX-|OUw&m zQ1|BH4NQ+-1~m&1L&=Q?54{`Hq^_rwKax3k8=~U)Jj@lX8N_g^4a3;L`I@nRnh9V!BXHmWeb#w+Lcg5b)l_`cV zYCpi83v?7bEZVOJC#S`O4(IXEXs|@8)Fq#6^*kyezI>l8EZUOipJ#DWxtP~7CCES^ z*mW#k`tm|vc@7BKD!C|KxQA{pxd*n~Q)4KA$+ozYnE|}b^Az4Q^tpBkqC9j@5cgcD 
z#HgRJDkB=M{A^zSmmsBfv*;_DFeJYXIn3q+O|er%OYv2e-!OZt ztGJVoSYo_>+S8L%!cy>Gw{+wq#gI9Uvyf)2SdUMPrb4;R0d=lSE^gUI!+Fn*b00&` zfsq)kM?dvC#FQtloo2dwm_L*{^;WVv-?L{gc3i~{UmJl$K~Kv_5w}>4lJN=Sbfj#_ z*ZNW~bbFmQyP#TxMjdZxCiFbtjByT2J%`<1!D1Kg@o8$ zk)1pn4??c6nwzIY3<7*0yA?7KcQ4EP8g-v>V1XZXU`R3c(`l(&rp7D2KbdU48-RwG zAqcJ;fsSZeT4g6ze@Cq?9Xa5zle=Cat#JFc(Q~`CH-nCu#X_2UCWgSAMOqXweqFdJ zT%3XrJZDRM-vphZW(Ru%mD%tVU7ox*B~~R2yRpnb<=joFWO`Dj*^ZwbnoBzEk?NL~ zGv;ax%M1Gkk5i^Cb7<{jaWbslQtjtnxR&I=<9*A|7$7hA2-C?57yZ6|E^A~lJ-Lt?7Lwt7i! z08!K`so+i}bH8V0pQx8wi9x=iEsSh?g{6fVTM7N%<@-k(; zB(GygRGW6$!87I4BqhSrBf*12*)^>4U%TGp)i+Eo+<#{(;t>s^U zHPi(;ii6ZDo4WIAMY7tu_k4TEtJBbzrzJ}3=<1Nt$*Rq19p$Ps#9X8wr-Qvx<7~<< z2Pf(3MU{10yz>%DZ)axm)jClBkZ;HRDrl8OJk8@?{5%2Q7e)93ciYG~MUf6x)2*aqOPI-xH=%bn3MV6$I9$(uwbQsDy*)ca)5J zWgL5_V3$nx(vfT-Q!!k`47IB8RP9Z#fwSNajTK zsug=>-rLslO8(54sJPFuR~4bdDW4%`O1G*#RMQbcRenpAW zm(`K&Fh-J}Zhz{Y8;1pby~NGMnNL*WjrHqL6wrB(p&&d>={rc0U6ZpK!Uo1;ERL+3 zFQttbj!--}QLE@?=;#+oD68GSlU527`9Q{{rVh8yWM#j?-0|?YCAz9o?Vg_tu6ajW za6X&k1@rToy8Fb8*<%0UEr7Pvp;D~8)Agl96dHOsUunaMlgTrt z(TE(_vJDoW*bMU{c;XBdk2Su8=cU69WhxDep2J1vnpedi1gud${qm-@wma+N`7Y@K zdU*t9wt^Y0zGE_b!KD1^qk34U9ek95bn;sIg!SPZILT|)(ALAv7I#n3eXBcj@V!ZL zcQI}(qga_$|1*x()xe4${#2&!*rpF5|1zAH$jV#+yzoO0!408e7kke%whU)%KY$Z` zsOeCmv)We%q;!}_(C|j2M*p~SF7NM?n_dEE(r#`AaD8xwk`s%vzWz(*dl6^ zS!5g(5d(!EpYgLD%+6*um;j3HGSeV(4Hf{})!1TkSsRBvB{YAk_Xjwbj5C`TYL>9V zU)!4P+KJ%D*6;zQYuq1=^}bCUY_)I|(xYFbBtZ+p)P@Obf$bIGh@u!sCo>IGn=CBm z`-dZ5F??4&l>DWB-Meay2o?`92O1D5`C)Xi@AJ6H*uKARazx@;bMp4KcvH16yBlM! 
zAUu-^g-lF6FD73nHs%6K{wCjoDZJ3L&k&XzB*(0gj$b(^*0ztC)nFc@y zKgXtHfoPVxOy->aE3Aa|*d2>z-%4y{oP`VmR<)DSLklPa+uU2IRYZ3dGjh2alJIv%9Xl>bIUm*}z=#4I5 z)uCkUq^6JAF-8n5b6~Wq`e*1r4TRpp(d`OGyb*IA7yK5WleLTrREB@adir6m!ydg} zH?L)!GY%*81q7@3l%+EailaE9a$WXL;OgxsXM`AzW0WgDzG-?vP0NjP zg+&h4gm|hds@=B_l-FrUQh>UGKEX8f_Nv6|^t$Ah50}#!*N{6`Ka(yQlSTjxJmD;u z*G(ShsHMeKrSd!k@_UkUpii9=iiBsVZH2tk#a)>^# z9H0HGjMfJ`**blCrEUmP%`lO&tTTWfLMcxt2|Zu`*dY>f#xmEX@K^z zK6-0X5yZqwbbj0ve6owZq*l@H;Tj{{#v2yoQ+B#o7Mq^V1RzXPdYHNP z4?A^-OFnqFG*V_yn-OHQ$&gOh-7g-9;I(o-=nk5pX@;YfkSegI$#L!u)id6t zv*5I5)P6le^!uuDy?69(!wHT@?Bh}j)iczq89N6l3Vc&HcP;p6-L5TX|4{?!Q(7J~ zSF;;i>Gcwh{Q1S;ZOd=}{WZ4J%Oyvc8NFdaJ5+ispb+?750`u1&5hvzT6WM{$W|#U zOY(i0x(#&#mI#T;*xR;r_e0F{VO`eZqV9Z)G4w!>Hwru9dVDub}pVbNh})t;r4HWV`qHkr}x)_*>9ITjm68i^&u zDK=uBF_o4PyQx(fU}uiSjy1T+%^Af)Cvam}RGH8l zgg`%2!QOfE{psB8@kvihXy*BGbgLMb^@8OXpMS585OTGlD8d&(%Z$W}3w{QVC$et3 z^@ekxv`^a|xSDQ9O8dRbDT80Q>emz~d5AY7fjyGEtU)c``$%4AMiU%R<@3q}^pQ=b zvyh5$CxZ)+m+xiu5oAii9O8_Pv%%K?q77dv;P-Yvv&vQrSxxsWnN-d3Y!z)XR#Yn) zC{I=5ITI+}ZNY5Hrs*puK75W@`^{(EXFywEtN7J(IzV>Mt3aq!M=XNd-v^edb;FnvZM75YX-n1#=bL%-a-shAav~o zMzFtXaqscyTgqxkb>;XZ9ZQ5##|GNDq202aSEzS>kk?RC2-HmyTa>*`-0ZN&Xxjdv zkB#^EBps?+${(`Pgu!G=6e+Gg^f654>8w8_n`yyj&57-`KcsUc(~w5Z(dh&yJ3qpc zJU5gTTf_AmRY>IVy91wAPMxFGhEe1#tJFeaGjhmTC;;xkS>i+`9lR z|9#nvAXGAnX(lt6MvEVhC+y>cHf&Y>sl-9gBgaf4qilnQGk%G`b;v29H2Z7;8dl0lWvcBG+Gjc7OOfD%ma~D^6}yu8et1t z>_u)KI4)RS!aTrJi!oKvE{#<0fMOh2W>9?3fmp9O9fI@8#;f(YlxcY9dHPkCm6CHv zHB$>G39qc{q0wfFQRt4t(>vg;<4n-5unD=G_=oGJ<=@Q1#XD9Ut?^%kYb%u%159gv z=d#aNWf85lchBix4-G|cW_Fx|6taO;80O7KC;S_nxDPS0f)0XoG$jtcz{)20gCvUi zYTf$8K4f%LXt6^S=U{TFJnovxy6hm=UpnH(=`o4|o5cbnMM39aqc zE&F&_+h9DESemKPerrBh-C62|;c$)emeN@x((k@RuV6?O38xg{F&~LtXzRJ9;p$d9 z9%SR;MDuOuGjKXX;b_?#Pch(^yIBf^cXD9>0-~uy94}skg_0n>(CiL;*Fw%U0l`Sg z0!cbSTh#-tL!lUYd4w_FS(^8x=Z&%`nIF~~c;+$;kw>zA&ykiW@Y7c>clYKcq_lYg z>Da6FO^-H!m3qwyhU@AKqrA)6sZVm23EIZCb~}B~$~r#U0XMF@_Yz(5JKitQU_xRgD|B689(X{;j4T!VIC%YNThqAaE1KQ2*Jj#|j|s z1fO0Y3)o)Kmi^cqpT7Vn$!DmaK 
z6Ninoz6?*LL8edoJp=(lpM}4Dd=6Ni%hqo4)DGo_*hg-%ze zU=#FX`1j*5pUDKnxC>l()(D-&&gX`nSL~NEQrcek*lsEr^_YDcW`#5)C zv*w^_?VpM$O7(cgxL1q1alI@|=JY?R&@0Bt6uy#<$|O0M)HUGn7Dsj~WuWx{5YJC@ z>3k+W{pYq~x(a)&g4ckoU5JJfeGRl3dgYwemtU^;g%*6cKgJ8fHjPpJ`2Obh<%Asg z#B$V}{HK&g&3J9BbBybU38GCTU-@?C167+C>n9PaWyhB#{aC$I}PV}lhlw_6`s zWwllv?al=8G*EIM%?CY%Yx%oBzgSeYX)002Ym1l&%@kY^mx6(+jtF{_iBx5?gI?fv z7;yD*a9C9hD0Z*&;b&wAf>E@nGTXaK2#Wv5Q^;4Oa)DqdAU;MwT9L<-!)#p9kO)GG z$H*=0ItF(g?9^0pLz}Q#LHG+`{QGCW%6yj*mnYTp5sllbC~fc$-FoOKYxdAiZBOO- zn-BASh&^oKLG+G--DHjmNthowiJ1L!^N0rnkxP@<6G*`9w(Yq;dkn|I=`pKT)`A3 zc3ks!31P2-mwyh!B!*m6cOn^_$|f4~OeKw-tAjFc^9MRJ48g|kL+|4LsirfL+9t8v z@!oi=4BGc$p)>LGMgaF0xU7*kybH|Tn%ZBZ;u8+YX-e$x;$fBo*6-X?2}AJgp|PtlkA5De2q+qf0!oRbQb zT^3>))e3_$|e$hVPrW*uBGM~h|LqCR6u&~bdO#p`TQ-dAI1_Hv;P(y5 zwh_}u;?{k^lF3>6gsw|)WQJ%oSvJ`SuKQU%MsR$hoP8ST!I6)4A|~$LFHovB0UY@- z;8~3`z(iGJ-?I~T;mlyRK35K*%alnd!v8);My_2XH<`1JFcWm6NOHbpxy=q=R_X8w2ehqt>_#lyUfaO7cXd~Day1t0#?qYy{Jt&F?|d)?K_m9IQa2de{UvkpENOG_FfS=MsT}FM*1o_kaVH$zdZT+K zK^R^rI3ABDoUUMQ$j$t&T_)FbmDV<{d|sC{WAnE%UAFFU3;1T#Qw8cNLAIx5;J$~~ zp$dNQrK3x!@k_sWgH2=3Y7W*eglv_I7*og(#P=2uT^t9Xy ziWtJcYr@nJ3(ibQbv7g29Dpsaa~q@CTH8Tx4q#TJ&7#HqY*A_N` z6>0O+8mM(xzi(reEr}2L@n$_iAfB`1kLppZ5)@orP?`L#+YMpR)1D0QO?d&==!AK= zZ=(q++L7M8|5AA4_`L5WYo@krBjrVoQG0~}Y?RsZtB*JZle;?euuxtYOLPN-MqR+s zbI%ZaYH9+^M%PF>yTx?a>J2QyrDWJ+QiO#{Q?{BHd}wqNi1beh9Z~LC`96QA*Bg@U zQ48}5mC4LyXy-nd<99-6uVT-#|KW3qT}cr~X=?Ho(NF_I+xpTKfzBuXR+)l*McQx2}>~T=xeea_57BePbqHR zGPKZ1dLj0d|JoYKHDu1<>tyVTwsx!e9OefX_v<`HSI9??nTB?1Rzyz3f0*gJB#Y-A z6u}e9`;D7F{bI{F+_GfwSOs&eZLTu4&m*J!lc!m`nLa%#CTnHkZ)MI3`C6?&d4#glSvZyQZ9?n(d(KG<}T7VWRl0;D^9B{ zV?k_|Fy{$WTbM$QgKpoa&ovkVZMjjV)NRZ`CS(m=1rlI{bg?Xq-) zLSvjTy2`LRBFO&4g3--Zj~8oTBG>f`UBT@p%jv_+w3zjU0~<7?J`a_~5|^pA3LuDu z#HSM`6N11)iWGWYVSN?|u3pd{REoZZg!T~Uo5LAEL!s1Awcex3XkxsHgcD65=2Es4 z%Ql}l%44|I=#fE5Y+ZR~Kz6{gXE7rlsLotp>Z0+Qsj$f$$D)Z8W^e2DiH35miT7aT zeQ@F-tJJiFa4Tass*K=EAPN;n*yw@%XO&OBA0k`duE8TY6SpO`Pt8y%m(dgniO061 zR*1z9ir@l 
zXy4J!?7@<_0CDpH&BXkdrzqQvkgP-G^7jsZF8+$)Kn`f@u_pCWS}yS#1Cb`hqvmVk zlB;=L7@yIZBXr71-jkVz)iH%EL#5;om0>Ur7>cA6FjBiF6ZRgbTAtS%d_T^?FS1XF z%Nzv+Ug*(|X0TY{+rA*FjPVABpS3tuiKc)aHIF?yZK*@O7v?Lao;oZ7@axO1(L=x| zeT}w2%S=kE)Z7WZOc+e`dYc(Wyk-j-GTh%p1Oz_|VRxuXJ^<}hRX-lHjQA;tk2=;Q6{JzGZ{W%0(q2m^io z0Evj`qzB}Qw4nZ^hy=%hpUL>gVr6T)(hJYJW(URmbrfsA>x*OUk7*>$^4t%w!@eXq z=?1nLBSfInhe2j@xbXIN|IA2jZR5<)7LjTF>gaKa(wWT_&)bElEhbYWn5U@11_Qbt zx)_y2u3}wa`t$i>~1mR&$P{& zN_nE!4~sHbt{c&&9h^2;$Nskak5;vmnjw2=#(>6$FI{9P{a6BB2Rr4$JWaG>P5p+* zLf7}GACj5!m*>OtS)}(ixynp&jJOeLqzjEn5 zEo5CMDr0_wfe{V<`qShS!vL8J%pITLSIS^Q4iw#HsGL8D1-66iArc&}eyE3+cltdM zYJ_5#QbzLGqlCFoP9>d*^!hx>MeeBhe%b?f8QFK1N#v)1wDmm$^UqpNG?T>KsDL9H zk=6O{S=#gJKf)K(v(6>{42PWRVkb0Q!f>(A%~vSeIkP`7SuasDHDL;GE(+?T&&B5X zwJmfOLu=CLgYIk@%;e+>mp)t6Hp@X>`I=wMZ@QOE2&`f~Kixf2S~4zJF+6o0EoHQH zKKP79du`>kndSeCW?gD$CwIFjYP7@UYRUg`$qkSz}%FjMD>cB8#1SQ6v5&>I-G zD8Wr{{_$01Td*{NPUp83jIIQMCh0e(HnTLdZi8H6h)EWUIfu4Gu=MZ>)k`)3ien{3iV>SuRK0}$Z3UMT*YJY_!ICX6q-bpXbmn6PT z+Xd@TYx=28dN#Ff?qSIN27O+^dR}HYG1{Hc-Jr8>{pmvdvwHHZ*$yM$eyKQX2lx59 z3v{E}K7}UBM>{%g_UW(b^v}}U9Xei>B}QrsWhoR|M_6#DuMz4~x_h=0OCw%5n{}~0 z&O!9XO);D;1jeB^B6P;E7<${gFVwi2^_(NApl805Ha};G+pW|Bp)IGQ6dxOokD$V# zm)cUlZg;YAqj?QY!=gDS<0~$;qG>^{$8wcXGdrabo;1MVL8OZstC^Pb*W0;QTKi7g zZ>^8$vEHa0pDe~yYA{ug;LP+oE`uJbrF|#NadaL20Pu3Z%$iz`2b8IoE_qQ;N$ci& zPbs-`P-N@!^u;8^GEm25QVpfY=|UR_<_#~6b(%0Li-Y~^s|4Qb>);sR?KwJJkR|hV zap#PV^uoC=r(4lo*`yE)I%gOfPYBd{?hSSb&^u>7#tlC;a-q8c*T9|zhPD{Be(WVjofFR*d@X04P3PhpQyyA-{ zUZIkUHqTLd_fAI7Ad=f7Jpzvt#l`7d(Sm4RzfYRHyrWpOq<@ZFwOIIK_NjM-v@VR% z?k@XwurW*5yZMqF0XuH56tL(zgqn5umVY*Tm(sFITM2?-WUUpJr@~EY=xeiZ8DQB){hkvjLmI(}j!EF9r*b zhOkPxe;D+9*5z!+no8_ibTV7c^E`j-@yi?82_bmzMVJ;QHSnsa=sJ;^J}F(bzwRB1 ztGTYQYQja$zSF;k?6>-|Xqxf>rY@6hz;l@I1$Q;0$d|fT>tTXuc+K04hqV46QE}0o zi-byzYm%D~s87x(l-n%q>?<{f%jsp68oF_ZO|bC;)4d7I9U6_#xF^``dBaC?%M$v6 zBue^LZ%-|x)QcGx)>W8XhRDhx=K`zdB|<%`Z;K`0*wO`T99!cb0CXX4nKNFtF!d;v zGkf7xV`UHwCGI8Ji#-e(o5mqdg#z>lYBSRY^UuIVxiQBm3Nj5UZYyp(rZp&2Kk<~zTLYoGsA3QcfmHA>jB1U`(q52%zB>rsh 
zVH@~fS?o=lWsH)=0D*d|F>m!oaj`{iy8FZr?5%!9S9iVdb9t82Fu~h1hlb0^HD#7^ zAR{)ZKarc|OCp&OdWt*$W4#FU)$+V_y@he%?=kXjqj00XTJ-R3=d4WTaHGq@@wJ?I zy3UY=Dke!fw2 zx-p;siJ8;6m`SC#LmvK-CMo*k6fOg%0zS~XngF2+PXcs0@B&n>!JiBRj)#A}R`&K4MMc=5qH@$;LSv$v3e zW{u?F!9@4P@~DQn$@1koELe7E24@hGS~N!A@Hy#;Lf)sc>TKp0G-EC%_RPWX^PyBm zYh>=ns-vJB%(8~|IfMNlFK!fqVg>%mnwO5P+O&I@UbCs1BlRXZS**{rjI^yjd9eYQo!`jF5C9Su>+rx&=JUlR3pb`D8BI|K+J|#TZTRVlX_U)0EE7;Gq!n_3r##t^gpnGxK9IsG zJ_4(SB?1Q@Hm`M}Pmz+We+eYLG{hI3$qC+jEXDLWlhv`35=V;u;Tf;9tGvmPcI}fY z6d5s+XAe&Mx|UX=Rr06_sy{v5u1yBQY@_to19 zIkM#<9UB@NPSAfyZ&aJKi)Yf@vY0Q-;kZxT8Qu52({SL3AcfkXSaU`dbzv(^9!rUW z?gP(Tvl8chHVcv&VbTBQVPBsrNP)%r#jk*H6^bu%!Bz^ZWG{7%)qvza)GH?20r&PR z`hh#7qF)vKK^`d~AYe$`BHy2AtIcwy$qx;a_gH>>p)mTZvk?#5H5e93-e@4SFvWZ) zf?XYCbI(cSh(|Q8Dp}>B$Q-JSrsHqoisV~8V_~tsxa;9mVg}1lUR{h~LN}1iZUVz& zPT--vi4tp_@%5ae=4ghOoAYs6;CM*Y*{+?+DnV4RIO{RL!3l}yh0ee&0uxTZG1DI# zqHg?L@>UZWV~zvaOaMfFhuUqHxdKo({&0nFFt0K{tGuRhx9=q@z-}6*F;fZUArYKu z3L4k+A@NG#Vsw0vBcpYX>G{l}W(T**nWpB)99S1knD{vMWbD>*UaWr$Pw72VRg`0y zB&(Fh8eObxzGfzutTm9S8VX>!#i)UBE*wuxp%Om2HBQ+BSoXSm5)%Fc!jr_xTJ@Mw zJN`Sp5M?5LUFZ!KsXX={jvTq&q1}TR+|}{VTSld8KgvAMTiIiMM~g%6=1!-Qqn-BF zVMk!Bgw6-@{b>a=$VSzi2Wq3JFa6@~R=+Q?0IU4&LM&_2&*|nM5_B|}+rGG&opcg< zILmgv`dTv%^2V>ChTGL?(|lv=h?;wO3!m|;xWrni>zb^a@wfoMk@SAYDHr2#ormvDl5z z9>D|LI{8J7(ttmOyzxJ@8S!?Axw+MgmJAWm-qExsHg<{H@vAFBC=p%NrF5xO;qLc05LVYe+QTICtHD zjoo}JmQ;-j&oDQbv&0j(^Ul>noACRUqVA1?Z}-vf5t;68izyP#vhA7s@&597roq7X zxv!J6F8;F~{q=V_F|OE~C~el?P}^?-QBU@a14S2buI0PV+mGC_9qtB?Ez8Mok0;wY zz+PD|&+7F4+WciOxisiI;fD`YHooRy?@6o!)m$*7aD;(r`-D2VgWllX#qf{t(7&Vv zBk~E2a1q(lf+z0(0}Ixzxb70{)35Yz8g6*z|G%VFtfE9F*{GQY^BI|he-mg4yD7=Z zOGd$L%u-;JVSR$Zo|DxEb0z#C^8`=gZm2SKqPqBY>VMd&IV8h>X{t|KX?&@K6B^(D zMa?Br{NFQW|25bDEA-v}vZxDcIai9iym1!AH|qVCCr7xiPf$Os(rJRiQeYki*hg7Z z|Jet7{1TABGjyYLEOu0>Q9qa8pf=Ob0zcnANNc>o9mWzq5)@DigY?JJce=vw@86!% z)Be6i*M7YM617__*O4zrj8{D_Rd;7Hu0fp!AF&-LbpxR__f8lAU#=gRFE}Z-HoGP^ zPM|GUy~w9R@r=i_k2+aS)`MR<4HoKw&M$`K(XaR>qvPvu*L>x~=x@^*1>7@pZoLSe 
z=iaYN;~-h@!0o*rxh{YNd&io!2tAc1H7C!d@plcb=4dG%cCvnKxg7F zL>i3|fK6Quz~*Lk*TdRo6P4@lO7l7^ zvOszAV)Ehcy`9XsMJny@k^Kh_)jQ%P`tsLG2gxiVBu9Rh{%L8{Lt=WQ9ooJ(3Hb89 zCU$y29gvGSzl_qI;!6(o!vNjUY|AZSs0hiU>vV~3)fxchA-`7K3F}UOVpV<>rl7|^ zzQzyFNNOgg6`ej*a`%Qq^+d7++)obeM-j23Xk4SWSj?SJ8sOl_s^dW0d#WJ8c&zI!goKp0IdddXC}qn z)%yn#F&Ns5<{R*wmiKj+gEu=ko-X5FlqT!RnvZ+TI!fKELb%p$RP^rt0hMf3r#Zf3 zW0`W3mw4!RRX!A(1~?PdK2uE1gDVBjREH7S9;lvQ&C1ANH)q|C-< zCS_v;`*(k)rkT>VWLsLwa6=5+fD^K(PZe6%@d>A%g&er(NFlMCvX0DJCurVZ#8;N+z_#=M%VXTt;0rUH* z|7x?`XyF&c%nfrR_{-{AHKdT>Y`!ai1Ac&C2SowxUH?XZ?)G^M0%=RnYFM76U{BH1p1DsGfq|-fBrWBdO(H0cD7zvm2OO(UaL6vHit1;Ab%;IXZx4% z>)}uNn3^yE4ivmUx1L^&8(?Saj&YGnl&;a6 zescr39hO|itogX0Z(W`ewMQ`T!k6Uw7ifI`v=#pKwu0gnYuZ%Dq49eD{4Y$6#h+)8 zn-5;o?&ZrS`78WwotJ5@RQ@`UX>(3x^-2Cg)G{Z07nE|MViZ{h$oE3|=_%u81)0-8xGXiNaT5=$ zl@VM#9mMp-aZDKHj=NR@=eJ&BQSUjo^;e`&crG*h6_l&3UfGZd`?aJI? zw#45##KO7#X%M`KvkR(YnqJud6GTERu?m%e6aR=s?Rqfzfd$Qa^rwrRg!i{jaw-(` zvh>>|o^KgTx6L2X$a3u`Kl$g#Tju6xoC{)OZ^7 z)}7WXKU2!LBU5^qlKAQ-`>sc#uKPU)zk=ZX6KFCpfM8uG>No9(uUQhoS5L8T)=>5z z8^o~#O=;t_o%x3Yx%5jpYH6qcTKVP#{?`(*>d>6p`fv+Ctq3hfccGfGYB^>xZAPnZed%PcN$8ybR<0gH(-2K=EU!hOxOn0uRrM@0KqTcXGuk?$1|)?)X5ZS~ zjPLLX*~xYEb4=}1f=>YlIT5Lap7uA6`ky1TVUsL&gUqTX6DK#oK?chBFmCVO$g1gs zh%`RPu8tPjlrbmNaP2sP9-b*3DmAr;D;ZN#P<&wbfUfjCQHahi9q8z6k*_}Xw-E`% z#47Sw5KKqJeIqm`|M&l+WT=Y-4P66FjrGyVOO7cN`I`j&5hUGZLZvROE-{nWTN760 z(r`&6K7M}88DvKMgFqIq8bga%L$1xMfYzgpv~9bTk3QX*xzPv9sC%rRwTcdHq6j=U ziV7JDSrC6Ikw@!>&}iZViVm$nzs8niXr63Hy1tpQ>+hh|YzT|%IN)aTPxas2^lj)s4p?-V|gLDcq zK7ZN@|9V@Ym^wO!Mwn{qpppNF{(Diz5Ed5qL+5n=zRpvfD;0#ldc>JETiNz-GDp|9 z#4%5~^aBtDApD2a;UD7%x5fW8`RR|!k2^&pD;Hrm^pZ$OPZgo(XN&UIrGbWN(Dy=Ik zMcD6sg^8uFnE&)2F5v$d`RO+z>VoL+;wo%>cZwHDnJ=oM6cMkUir}bEVoh^*VbpMw zc&W&Ai~Obdt&WE9q&Rb2U?(x!=b#Q1Wq!m95X z5wCbFmNs-3Mh!QMmua^oi6_fD33H3aV$$tg3;&OhaCWjNYF?uYU5sOI|WJU*lXZo-b`L zOx%AJ7t?H&T*!wUO1QN^cv*Uh>hps{Z03vkBtLyu@#=Tcz|KV&SDY#WKdS1OIPuhf zftVinK_m&ec(S;yFfywwdL4~cxkoM@FK8nSEgFdNHxh*qN#eqonnK^oPb_<#SzzYD 
zcWH-2@%-|2@j^xP%AcRH?-ts46W;HiqP+_6CrBZBV=t0rezO*oDvs--5 z>qX@&j~x1j;*(g@!c*wk4Hx^Pg%Al3#f)kmqL5uXG3Dwvl{Qj}$h+IcgoW3{mz19? zKAjZ3J>7(D`+eeVHucSbGDK`{TUHb*(pPL&t&sAw*wCho&@VAg1V#xVVgf~b>(au! z=LwNfgDb>~KIgn7>s zB2EaQ41XX_-~Os1+u}svfJ(x^Yqq$Os1zSJ_7KLI-e2VIfx^VHm6#Qz+CByIm*Vd( z6BVt?h$^%0WtY&yexWIDZX8rBfM?Oh?+~E z|FCkal3CZ~wq*IY5eeTovE?j1h8?8iFBjQ(Ph~YqB=Yq9Z6;0*pzYv;bf0mB&9|b` zj(5epe!=2-$LKiZAe|W3=plfN56}P=5W)&9_jZ zqCF02t40#c$~xes9m}oz5h#=q+;|X!W+?}%nWZoBsax4oyO@OF`=9uvlwoG2hfW@E zCgIaNHZDI&*P#b!KkhWM4}ao|0utXnVeIhzbX)U=Pyr~TIl44}*5hw*>6;+_{adzf zxWM4?0kj)*kgn4&v*liF^3E9%OTdByw4QmF1N$!1f5bsLOgPV)KO%X3<1P~?9maR) z5k~+1mXC4(!OO#^Xg&A>>yH1ym!0vvdVHHqC<*y9h&i*4(thwkx=g#w z#y_I6KSm}Jd3xbClcprMQMc)rS##+t$)Q^X;g6rNaNaTeh8&>dgtN>G{KS`(V`B10 zcjz|o5Hkawvv~Fq+7At2@am^L{QQM|YfsZ{=t2CZTw%}i#Q&pRP!de44rEFzQ{w*E z#g_XidzTbpTv|Ssnx5q`v8jM-lgVtjAC;kuA~Be~6MEoQ%nP&P&G7y89Kk6sF!9_J z94)-*ek2i)^Wx|V`m}06Dd)176t09@v*~PqoO0|i_6QwpTq!kRJ-_v8g<}yfth~B1 z?r7HIq!JScN?B@TTn(3+<5SHUy|hFnpFV`5&@{u^IFAnelRSyJ5Wt}?=J*b5PSIQs z>PXPHccO?+=Ja%w?=EuWfuMZH*0`l@N03pZRcq=M`pB_kk8(Yds9Va13RdYmdqs2z z@4rc~ur@=cj3FXgpl)W0Y1%DnIJIetk2IL$Ctv0oH&KM&WBr67)GS{eYa352U0T!e zw`(cKO%>do)eJ-Hu1s7tjXECQm^n6}>5L0Jy|a@(^=e^h<4wt?^Emo3eXl|6lR!qd zZcLFP<#DRkpUKBRlJ?mkMKJsK{fY4D$k2*~a^2yP_{^UkefFa}U;)coSpPG-Ie+q# zoXA7w=69UO#>Rn`7OEQnb0Tj!BR7r)N!onO;MHY zVF{l;6G|bht+bI8Ku+aI%me23n8fK~!`VKq5}7waO7sd-%u)@M3K9}x`SS2A$NrRK zSEnkjY9Qj`iANJ1t?Zwkzj`Kc?bt=a%1;1R)7zzT3DNWi|!65EB{sEuU{1)ZgllWgwz@}+)YG&DH{(VsQ z=*C<>YhG=b#Dr5RVaBrEt@+o`GBd_NDu{`ROKS_o;{dkb5_q+2LdRCMu}i$gj{R@5 z*r6yDBqk&fpO8RYN5%!qVN3Vf&x)V9yNdm+`^WwmQ{^1@I!xxl!=({5rbVuZxY1CsyvhbeemC zH!9ALh{Xy(gx{>QQIlW-f=OJW=_XbIYgFs#ZOU z+IwPBv<@}<|IQyOVXSktT_GQBnndvNCA6zr6$`tnlxaDGUC%O>I;$-DHzEIT>G?eJ z5TWPrKO0L)zn(NU|BD_*9(rD@usubzK**DbkB#8@xwG8(YC@fQZfF1!qtev$G)$NA z%5Qx57>CTl5(}9Gvx-$ItNo09Td(jcMo!$v+pOPnADMF%YO0+0EReq>zH(^M?*!R* z^p)tWhv5>sSJFXrxAKm+%(Sadl;bn5u; zw}#nWnqg;K7RQ?7Sby&&N2d41%h?Mv=N5F?@Th>H!m>kxrj{lW#Y;{H2Jtx|wKGc4 
zb1IKdVbwmI6%Au!^rcE-W0L16vyRW7w!;6stx#(XPZXr-CD-0d8Q-okc7?qtT&@Qr z_q-rgt%HJ(7uVCXL9#BkbZbq!DMtv35y{tb(bH*qFTedhwR|-vGizj5TphE{E9Oof z<@qOco+6BkOGi=7%^M5n`qUY;gF6{w+Db5}G>G|~Ou4;$9mgY8F8xE~DhvM}f^QE$ z5K^oJ{W>^PQW?tOZTGp7+`7CueU+)Z-xKHPM9+4v)G&@BaN|Xm{t=H*er4b0Ke?-0 zlo3NJGqRNf_R2&O)nwS!D9^Mm_E<}$*w-k}uOq6^)kOml7R?u-fwhHZ#(}P`hmEm> z(9jr?6tR2`2U82ZjK`lO>R4N7LU;^c@^LmuM80RmlAE0TW=sn|Z~9f!3(nKQ%tds0RF8^^YsXVD`A+V`%+;7Z!Oy>f^3H{w+~+E?zrEkvXC-VAPJj`Cp; zGgm+3O*VCjd-{NBYn~Bo;y~Z-WoTVAo>QAIv-UyeMF%BsPG4iH|69VW9O&ZfLVX80 zw=ccpRUE{>c*xY1LEM*F(x$Bk?cCLPbo3gN_k@sU9}5M~UL{iAw*sT<8xeK?0n-;h zA+DSkzw|AQOVVd{Y<5HLYInFT+mRw=g*)>1WDXq)Sp%}ZlKq4G#ge9rGYrZ z@HXSw{yzO>DxO{9Jk=OGX96Q@%DA+6D6M|Its*E>k)bD#MOmsTqxAysT?N2n?O=thk@if)E$MV5*IgqOtkv-9O)-q_t3!J)kr%C!*%Afp2f*-vg zTINh~X&}Q}Hlj#jPb^(q(|+b@UgqU-WkT`x4R4i(I2AL_D0H>#a4Ia}!|M-uI&ob*w|pKI^%V z8qhWkMc#5qd?V;l2vR2}bk8oJO_i#cTbHG16IUcZS(YVVNg__z!^ry^*`-}6evz5zh_ znPUO>kW^_+hoad`6etpjiHIU1B8qPzuQ;)24F|(yI9Dl$tzkJPuk1^i(ESXVaEce# zR?u(JbDRgyWO{Y|bo)G)JPM~)M#zbY_(oXRSHeO+asS|Aemfb5mZuLsg_OL$`dyVQgqp@ic*Y+Ogb;`p3%Yy;j zP}tF?omYXvn-mOvYD}I^U&qgE899qXAp#`QY$q_3u@PzG=JS_uA~SbtKqSTz5fMd1 zL?mBc-(=O?gFF)!RI8dCt^$(y!~ZZrQV-fRu|?anKFu8z+}ahWVy7k}f4+g*c3zm; zcwttw4)tcwtP7wNQewmDSKp&A8$^$af%}$Hnj1ph<>Jr$Y0*#anYV^ z+&%?g{UFv4=tPe*PE6dqhSi3c1y?ZlacL*iBj9~8QrZ@!M;9hRKP;w=I{zNKymJdM0bMsml^?zN#!KE#+ ze6o)rqxO&`w0i;TqI~7gpy7v+H=EAk14~)ZuPo|eF{o>*zHlX9&djAnuK=`rEN0&% z?>s}^SD_YeVJ#z#DswlaB<$b2fz^t<9UxNt$PwV;2dB~qV z<%wJm*CJn8GpHjjMZGX}tV^vv`TTA}zV*Crgp_w|Gh>uRTDZ;+;>E%sU&Du?n(u^uqQtgPW_tNU^z>io_wq-V zxnb0d*{kL-qq!c}m*h0Bn2|io^TTys689Gmp!M|g#Fp>Mtm(aIY!Jl7EEBuhRP<{~ ziHHjvyb_n`+K(sOeS+Ty2}YhJ@vCTx3`>ece__DhNM45uDr^o{BT70Zf3rjJDZ|4v zl36xogUHWK00=_n(>!ja;Jd_K9$PQ=h;~n>^a9%p~SLI z6}ps4-jy#gx2I3%^xQmT;auGq&dbjN43g8NmbNsnWJY1Bz_4;KXZFNXuBJVu3rnD} zBNr~+;`RGzl&MQLGEFt1-1gKn;)=CL7NfH-MzvP{s9TWR| z;Hd>r7(3-Dre1xKVxH3D5ZRjgnTz*-SFzK>U-PbnUo`x0NRnINmF3Y}=m{nE1E^g!~Q*r)kl-$9Q&) zQ|JA~ZA_Uzg4XftxiqZ|xw`_H$w9`bBqzm15v#hIFOj0Dr;AqF&?c-4SchSY?)a9oMp~vXU4IW` 
z@}nobQ&dH3&sO$-v17pDRm>=tZ05Cb2<3d+BguIsB@izceA=~`Wi2`|dUY2}W1g`4 zx5bQV{{_vn%jjbEnl=5#uuY>qyMC>XVSFsnN%6=92zes0@kyv@sb}LT{NyM94B5%t z*Rn!fak{Yuene=;Zl03ZNKL_t(a zhkxJ~+I2SI`rhNb)+o!67KJm8+oV7FwQdc5P5D>dWgwSM_oK87P$Uo?lZa~gSc!%< z`r7HH>tAmNm87V9%;`Lw4G9fdzqTu-HGt@R$SJF&9Lkr#&EJMG@T?7EcMZZvD~{-x z1QO(cGKtvO1muM@QA=qQb@y)UI@*YDZ?3a)`gEH0SLfL3hFCk*rhgY5l%;&AI?@#7 z+iR?zy@nC(zM+3%5iNmiD+JjlXGuy)$kI3D&$<6t;M~_W-6mAM{9-c=if>L&kZ9xB zWDIKul|&6tbM48Rskf;)W+K&3#-l7Zg44s@GJFFs_dHT&Cz9?nt!5RbrQIV%g$ z7q-Ju1`o5=D0ehV;p48x=7&!R6CPMLoyFs(nQux#*M| zq~(TdY-yr89jqkGe<%+A=_wKo3u=y;!{jO{Q!sHi*}nfRYGv9{%P5}cM0@JjE5ef1 zf$Y4~iy39pmyu*enz4LkTbyNpJep@G*73`#(ey61mESvL8rQj!$jQ+Sa2%cTuZ9nc zZm*-KW#(Ec`S9=wVcITuyJU4&)tnkK)UQ0nWlAi%>|@)+a2oY(O=TAujP}ES(*zzo z3`QHykZ4n_dvBV0X@J)dh6e7V>!l|=lY^Z~v&;W1SY1SX z9C1RR5fe$2u*0*(K$>((e&5OFsFJV?3ux(o09ofn?3?7H5}Q6Za`A6;Z?I~`U8MD9 zvVUolWFOPl3(Y#d%wKkZ=S_R#?fnHyO^_Pd_hhL-Q&EAdpe<;e}V@sLrp#ij@ zX^|Mb`u@)H)7@C#P>&j;W+nTl0QHLS?u0K39z5lX(vzgTY}dTnbeJiDtM~EJxG6h! zPo<%O1Za#`{9URqO?_wznPpMF-se9Suuc6lVmClD{MjHYclpRt-DTzqT9d z6r=y%?R2|Vo}PUw;h_N~2i9OshhzNtQ~^%p=%Xf=FL!+>wQb0n3+3o{?h=>oJ|*b! 
zQ|?~b!;}O5tZOxwGb`$0nUYV~?%_D?PRR$5XqZuX*j%R8RPpFDkI$dB!vD0bkP!)m zTMuPsS1;6odNu5buiAqR>rODaZhbDU^yjgDeKzl%MROAg(1t#v6{xAju&Z0{db*ol za{l@5_m0UWQY+=l?6EBICy zZkhazz%~`p__G1yGp*FfoIEINu!dU?-l3@PltJ$NX!7b2e-BA&XOy6$t%ihnlmbLt z44-2pSQIg&Q0gtRLKG`3Lp+G#i^Q4Mok|gL@D;0Kb(sVUBe?T9ngk5fCn`lEA3rC8i7t7cVibgi#i3Nj zvu}O?2hx(2NQEXLkpj%L@M%yKhuaT%p>9EgYQ||RyK!${vEKg)*WSjX(AK4>kpj68 zD6?Iul%S!JvPzpOA=PE5143jcG65tQ+8Sa?C?Vkr$gtQEPsmp#%CE1PIrdF@vOCV)+~c<_^XxyLTkWq<}Jx&tXbrmPXj8?P5@)sGUBtOEG-T5)uKB$k0$D zgQQnimjTM;g@*qV;<$eK0ZCFTN|z`E5g&Q;P4F#n0;L=$rro7Tl2YjH2Na}C{Gy^v zB!-mrc0hLQBf+7W8!?e*`{pxrb|5$2#iL{6jH4_TA(T0`x2~=>5|k*iy`DWuuMg9w z-5hSaj^xnl);Q(1_30=1#>&PVnN*W*i{~+>M2g%g=Zf}=x^y^vf;+#Ip;F%4Ndb@* zw#8N&!L#S#D66UL=7|sH={tdSH5)XEVt3DK^ggb#pj6?U|PfmgW$E)h*YCQX$RC2FEgaf0JeswcPy!8I}YFe zg{o11uyFJoR-JxEn8cW3rHu(!fT1Gu%6u{sO)az}sxn9eZA~Cni2^0>fdXXV*z_VBPU98pZ9(%h-D+oDLoVti2FUjC=!)N^Qva`)&QPztM{` z7lz{XV>Q@Mev&OY$=v*nb18aNyE3P4WOCq=$Kq{i}doDK1#m{sa8rTLIUgR!>M zMEbrS^EM5qa*9qaU&e$FH#@U&{~s)BQ2V=tw{ml}M0)uyXRgN5tVV82y%G#+H>auj zadz%K$(xpT_y>GKujWviXa3-$S}}So8cE}n(4x{pcG#udBEPqs$_>}^TxDmTR@2{j zyP-bX{M~j)A?_(FyANdEhf1v2H-%=_DepKxa>`{(_T^ip&z6l3i2ADJmpT>sCH*q6 zp4uhuFz4!K2BcI}Qpg66GB!}g1COK!I1gFNmPhrNP`W1L=hRI9skaB^jXvVmK9GQG z3AAy~M?ED5*cZ`5dFB-_lfX8u;tF0re?y|04GuP$+C(13*BA*#rUuzMr83*bELhwc zXIVVgmyBWBWe0kU_r*1>OUQ6+-wjsqfZeaKR zXAG=&j6IKKcu#AT?2rP;3^3N0AP@P%7bWQ@Qc&{cQz%NQ5hjK?O>tz85CS1Ur%WGK zj<`mhIkOpDvN>5zLJ0=72C=Sp>10PvBE`}*vqF?$P-i&X2D+jqf6n^BGdZBwn27_t zFideQB2FLRz$Yc~ALiicFh}LLQug@YVnSJ;G}$51GN)7-_cXohUCx?M7n?JE@hjbvX=aI*7Mg%kDL@&* zt2gneIl17Lw&JFRyJs=fw!9(ugA&F2x4ac5bSh)}T^wVPr$3>x*pZL&Wkn4g9d#rk z>j%UY?+R8IS&5D;p8lQ*tLD;fT@*=DU5eH1&5C8+liO4zaB+)2a&-@8_?1ly4OcKS z`ZprtJ+Hq?ad0o0?qjMu;N_x&^5i?-D4=+DT_Q)6ynFo~xrQg6B~yis1Vi`I6qTOl zO>j6$MHDAyPvw_wH+T`Hj-|6BdY=UtDp2ObcFnU*m4erA6HqJePMO@d7E>@;^baC2 z{!i-p9P_ZW#8N6S9lVegUCfews&ekQE1pntFr&+Aw_Q_dRjc0=n) zU3?es;7aF-RMP-Z^7-UUS`9vj`H+?D98@~R=7{3R!WCRHY|rT>ok@-i=8Cs-0uL%I zWajR+9P}=@zod+aBof0E{iI6Xx;uNc(ACMDmnv##X{jM0eQU8qOA}3rB6+?e@iN16 
z@==rT&RgGUn&DZm1)lX%{!e<(#?Gx7a>$>6$#v){f#g0rlui9gqlN^jhAvi4&N!Q9 zK9W1rifo%%u_xix+3a=;8=@5?|iE=lAt@*m%T>%DoDw zEgYy$l1q#&C|md;{?~$eU8w{PY5;;Sf4t^)ybjgf43J4Blr62p!K<&i5Nbnx)8vjU z{}{}v=K{O>mRRJ~SV%B8(?urLp!x9Xw9V`!0w|+7x#tOJUEff7rKuFftFOFDaKK0lK+enHNEB*?ur!jStm^-p5rkh_ z#-!aLXqFj4XHPXGa$Aa;NV)Gbom*?_W!<@?{Fo^L5Ru%y^%{jvdF)K3@LJ_k*ij}9 z^XGHBCES`^5wrMr>>1UCKi;O_^LJ5vJk79nlR0NMko_C{aQPlHT0a56yjo>Eq)Ryx z@SLF~iYFV*B9Yj*BqW-eWH{lU2U6S0)GxJ=**o_0z^`vgd|3r=_wD6Gv=trdmp~mg z>Q3Ik$w4X_P@+v?M;Q>u-Q`1Qw>*O8t2Qvdj%l`&P@2XzI2!}vE5}ys;l55qRx~n4 zs;-asnFUqPm#mQxH#gGVy>xMcVL?6CIs^P}8MQhVL^-@*#(Gs8qWwIsunB z_(u$tE2UVyia27EKto$ITUqf}DBGnY6*kRb+k`pP**%HIX`4?Hd39(r0Y&q`sJo#jW0-yjv)bU^!23qtfwaB>sG>O=P5QG z>rd5YDPaU+?y`B;6ErHcrbcGxQKp5Ch9D$5Ib3SyCX;Ae;aRa9UTRQYw=KIGtYhiI z^K@QTGsQ8E=kBt3YplWjPACe5d{_Y~@>7*%=a0Z0qs9zwSi;t}f}Ds!$LclK|Su3-)=T?%ITQr8n~H{{5^DKgSEL z@(gKilRlo*OH!r0E}Kv6W5eC%O!7*e7*u{a%eq4!z_t#R?PO4pfGvU)r&trWfz$cr zTnEN4+=fgJr8C?pLEYMgTD2~md5&DYC=NDKWWpM2$!TuidW*bb%4vv9 zNF)*vaYV-n$aP{5BnEl-6RPB+e007{`^RS}6;!om_jCQCW>A^3WE z5p8-MMyvZ$c8&H-j(7qflq4j`5lIOosJMnAA%O%TP$tU%lD{O;(ngy&VzM}TdF$>U zg1SczK5FVex#>GW)QxQ{c;v;<&ZX1eow@-QCK@1BM?+nbqJ|}?Ta~0*wF=qfqe{WX z=TBSVf6P`;)hV$Lxe=6vn!OD+>J~WKYoWMui|b$8(K4mqD-}wl`O(wg0};s`)p^C7 z$VYkN&n)|~IxpcOh4q#E@y7!~lupSfJ90wA5fe+=#*}}OJZ+#Kf|@A}YngEIz&)mI zj-{THI-l-6C-8#?6}s7BO*F^X-{yh2EtQ@1(T$BIB2j{&v3ByuoV3)@Mi6}W1*h~3 zFtsa;r-eTCn-}H$ipTuAJdvi}2B?4eNZ^?ew7kmF!ZBIWm#E`HrMoxTwCoz8)vd8o zMsn%Q3tpKxFrm7B4wC{39_%~A>^sH`98-q!-pk$!l~ zflKjNRP~}_A(dzTYY@aeI>oA0FOVq{2zhi7|Gl^QY*v$nOZ<`z0a-cv4fJC7q{%dv zy`)zSOX8nh;cQrCex2P6=M<$Y58BCyNm_I$Ye2|_?fiBy8s`CiDM!dukg6e-3gRQe z2@MTL@%05yKV}ms@h>96t}>zh7`A@(Wb_zk!meH7Bmhz@TzzoMbD8xgxgm3C!?a$9 zXz^QLnum9%OF08VF8i|}P=VKkCb+A`b8%7|+6B0>;^eP1GgAGvAT(eCRfjyF`4)d> zRw_!bN$uF#eid!ne`8SVl4!g-!^+iH&}%xIVdaxo9!;G+FjdV4NRHt;k~TB$V(L4Z z#@f#~bNU$oQoSOS_b!6=`@{4fcnag%l_+hTz|&*?tUi%Iy?LYYHJ1STIF|8DJu#_* z0+~z-NwI`~`AV3f;N_!td{y!nQfUZ@q&HJHu2cJ9usTpBh@j$qrA0h#*mnVzlH=23n#qYtaCBie)5wa 
zL*6nsALCs4j`cm-FfrJJ4sEMYwx~W)cMq~?^Cyb5|AqR72^r-|o^nWndW*q~+SY}s z-MSMyr~@^vWB6nHdbWhv)3<%u^ivFf6Is#rtek(3rbG79vFaUaHK~fHh2X>Oa~wGT z2DQq%)UVh9CmDbS-fbIGeBEjm&3c5wx;1_^vT<0HpeAf929NSK zD(T65mv&Hm;=r&z3_UKR!NjK61mECfFn|QD!lkKP+%RuBrE8FF`2ZZfGRxa|KAK38 zgj?cX))_15TUHJk$k?DFwCK@_y2bU0d3u^vEAOFGaXhV^l-ys`n>s6#sNKFXHQcPx z`ErYmOO6v)q9H;xEE(P zG|O<`txX$>Ve6F z`SVF4h1~41kY?7=+3XaNIpEvYlQ|Ronf_Kmp@zd~nzAz)0ErPzNA{%L`9;ic(}AGY zHE_`hal0pe&QRAnkT1sbqrw0f%8+Nnu^)YOBv ztx`joDG0u}mvzw@C6mmm48HY>sf0U|VdGc?t?1`Gc&ngJiXT^CB>FV!*On43Hqob@ zl)=8GkOc*@cuNTOU8m8)RDzmuOM3hGGiFXd{33hMvbf;c(XE_LB*i9^QM7b1bmUiA z`RgHyceCf~xosQ`$zf(iGY@}4wd(mOUqMiF%d0LKQGPzo;NFMPZ_As;@kB1J|bQDI*R4bvd*#Y^5q3$RH3eV(>!o^5JCqaIBu z(tbDn+G;SOn>Qw5x7o7wC5q&Sq?17wWxVu%&3{SH=beWugC;d$f6qBI>GXlYtxBL3 ze4Z7{ZlPOk3eAd0kw~*IALOm)Ex!ih*Lf_bOsdhdb1mG>6}&#Xi=`*zxQ=K_S#^lM zvyOIMHuB8bkNK68xP9hQa#m6UN>p^AZil*9_Si|UuG)<3lx5o$^8yxFbciHp1>$NZC;LFUV1vq;$i-fKitmH2^w_tHX`(5 zF7t}2@8tL`t-9a4E@z7S6b5Bfru~j<*LO(XpWCU>^+k1#vpy4o8(5SUcO& zQb$VMi$^Rz@(uHvmFQeb18w0!ub{L1cK9Yc9jejB*NvCIKW6dl*QlA9Q@fZ3vXrQ( ze;KJhrL1B&x&H<46Ev`Mb74Z8Vx)#nR7JzSB)<$$XUpN2?B5woqLvQDy__&qPpe&u zFqB|h(}&6G57>I<4ci|jw^8+aHWbkW&7!6GrLQ`h55Hp1?qDcnfJXx#y4EvCM^d1* z>3;}8%pbcL{|889n&?|OQmNZ73?JGWAG6e9C!=`pB^=UP#H1C!Gv;6nnpUN0)YCje z2oSa6K9r3-$?P#fe3liV#_&bV8{vTtsqt--kr>rw#)7*Hm_D1@K49(Ln0oquZ3;O% zlI|X1M^GFJ9>;ji#(* zdLJj$i3f?4>^}zvAVDfky(+<=>L>zsnlWMKE@qGNM{Zn{8hw6a#>m>auZAl_IPQO$ zkMblwZl8|t_Vi0?CHr#W>>wN?1%|qx2wXOoHL=>*x>aW6wt)<;ZIg$Pm*LTW3X`5s zXKCl=EYWqOe!JorNXhbHzx*P#XuwMUXvU6P%jQXw*x^utZgt9FeE&w;Ju+T%2Jfv85T|?0P3TXUDIVH8F_r~?;EMCvX zJ;#zuwQCe+&i14KkG;E&j#_yeIR0I!0Y&N* zD-?>9Qo#zv-QC??io5&8-QC??FYfN{McM*&+nx81+IB0n_riOD-+a#D9GYZjv&qOa znPkGTucfIKZ>kF&3UliAY0UH^%UCr12<`q##poXEc2HxJW5?!fIi8ypvsSS7@Ie+H4aLYhC&gP1XIbwC6xX?u7hB51Ob=U)Ay3z zVx!8eYn0Fh3?Pj=y}P)vY2*$ju5ZeWfZbdQx1?o*qI&N`P?D*7bxMxD%<;{~@Tye+ z0FBoP#&kIWfI^|d#3DN-I!|HBup*=;_M%jDtgXu+e-BF4Ef6&sYy@}KPr-A2+-(d? 
z4ySU(oTSz{XsL^pq=eCEcJ6sW&ptU5tPheSRgvE8TyM&-Nn4mYWEa9R7Zv)>VS=Z7 z6w02El&AHw__Lm0Yg6txfKq*}MC6t_H~ zS9e8xsEh*u03ZNKL_t(bUVkFm_x3MEy~OYS7CmZfT=HsJId3#eK8BLYHV+j?%wlpC zQ}{c2BL%6QJFtGqXR5VYLG$(&>|a-(XPZ{C@o{Uq$GesPd(`CZGKXD;GZ?ve4TE=w zkuGNuIxiZ)usW8J7ol^yA%MN76LPPpa+Rd0g zhp=_8MZ=O=xD=<*$FGZiEq_isAC`=H(IaKs1=clYh)(pN1J*VoXw>6+LN8y05z zl@)ZZK8pRzY#B9YFT*=5Bgn{t-0lsSzqlLC|KScQEQ(U0fMC+D6TENIfJ{mdK7TVP zskXaYF8yTwA0^e^&7jWot^8eT9dp+lVau!&d=6G&W|yBT!xk{KiwEY4==Ldj^vkD= z75=1HL5X$Y0vMiJg6EabsIwNN)54*Qt`s>nc&frZ*}2h_;S)EpWZcQfwzzqBD%q(? zWt4O~{ZFZ~7sT2BFys0>wf7)bRL)E&kv55P^m8ag;xB(l(EIoAv9;A3L6-g_g6DgWGw`ShohNuu z@t1s};^&h2QTiujzL9J}>P{^I13W(U~v&w-fw=jh;OjdBv7)GdfdLUcC5?q@whoQM9+b$e`w9 z*!Da`e*@`167l3R=llxNOm}X2DQU7Ul70yaENc&BT20v6vj@YEeT*~f`Ts0gK7Y-9 zW0WX8w`SwCecHBdTc>T??mlhXwr$(CZQHgr{oZ@OJF~v~duC1jNwRCL+0fcyvPX?+4$gfRPuW|AY}&KxU4$Hf8u6AmG97p2+&`pxv+I zGxSaqjH5bdKlytIg)z~&=F1q#crdlYkp!E8>tMyRJLOqf;+wkBz?p_iM_`@kSTE6G zwC&HE5m{v^uQPhMITTHnm#}Wwk?Skt=-sP(d~IK~$jGx2@ZKgRh?HN>R-Cp~>w=Wyi=`j^fA3o?;dH#7SR{(l+r zzlC!)Qm{^c{=4{JnFoz{f9!u35`8Wm=m!74t2Pi`;DlCk?B~^fME!TzKWcW@H8w`R zcB`AX)}4~ziG3G7UvH0pkQJs(u+B~6-6uY@$GNKfqr;bEU1ahAC?2kYfphc z4b8|1{4RNv-g@2VUJ^exk!K(xReq7P%Khp6EO||82tRJJ*8wW1E@y_sthsoI#m zIOxG>St#O57_%~Pu;vXWAa=ZH8^DIxM6WP)!5RH*Et_e?SYBP8bRO||(Q_gUd|D}# z=+rSSHCY>yuVld1Pu;U8eC&5BKY%f_CaYCwwK)9{4&Q<*^}I@Q*_b zyHwSSLGKQ46aMT(oC-~Sq5d&N6nncRc=0#~h;L^hHYtj8;KWhN5!kNtt|KMR4A;*p zC378nG`{Fk`8E7WmuoXcU$26>afdQASA_&Z;bby%H2lkBRoF9=g?x(lJPf)eMWw?Ibj;dmx@ z#MKPe@kSv1v}S@PG3Siq5IqhUqyVk-(C8Y(aIQ*-N~0NXO@lW7+!4+IPB-`zG>r_$ z=k`wsPz)$k3Tm(90g&l~2G8wk8{q6rUGZk+mIImq*CPFcYMy{rRL^}c8}YMJA+y^x z)_@Q6`}nQ{O>5E1B5;?fs%}uZQd6-CE3H~bYoYjAFc)~FR_%LBb|c0!Tujk9)a=2> zl;XTBU#ZzWh|ZoMW}F zC3dzJ6q%D|Zzet9JSX8XS-_>v9v1P*>yLItiR9R_9a z@b}b|f$w00K-^W7uK`ux5P&V$S5npCLbghzSKr}dPOo59{>tv1;2Dt}+!C>y1CnSw zCZX`B7_QIo^CcsaTSTie%tKk^s2pFXR0&Tg7$fEH%!e`86JPVSb6fx~9Kh z<$dSKn2nFn|5#*XJjBs{jCq_na|Nt1q{Nh5!@ameDy3iWYgN&EevgT|ZKqdcHHREc zHezuv0jv18nEfFyJlyx4RlKN)o*{TV_ofVtRGIY_UIW6>lWqd(4*#i== 
zMf5?Q5=WQtHV)wj8%F~-H4Fdil;_E5$=+;M;>6`l8d&{OeU%uABHutbc0(0=8X^ht z$&5XntE5M(;|tq$pS)gN5%_2FRDn^(mm*rTvXt&nr6$ryl>)lyR$ZF`rdu{^vGlT+ z!!+8+PcS(&*>6Cec4dZ@!IYbKO4GH!^gK9^r(9*kD7)3{ZRXhh>0E>tCvI=YN`pnu z)ut|u_GrxR7yC+Qnu?{186ru$9c_Oju;aN_T}w!Vofh--s$eA7+q3HlAr-cWp61t< zMOQrNBO)fxWbvsrfn`k!uX>geSmrAW6jzW&a}F()9>#U0QW zLb!%-*;@5M`qRC7b_N*Q3{?tivcxraCJP%bJmacKIJ*CM=xz7FHgH;teKu*CnwbPV zM|x6ea)qd8N3?Kta~1XC|Dt4&x9O8jGmhpC9%E7)E%h^OrW_p+yoCU&qAIYCAM7CC zh<3{iGq6T#6*1BZ`|=-)7Y1C5nburwi%Rt5+>JNqv^Y~EIj1Qrm>+>}jpe|63~tD; zK*tks^|nQYQid+pmgS(Cpb-QG3E*1!6D|_Zb`cNQY|eagsvEW)4|Spbjq2!}ZEzF| z(jdokJhnRsz44re>^>wrPQvaEjtB1D638B`UfW^ZR`Nmi(&A2Rp=0hVG?qw#`3MR} ztl|T}#I-@6Y_wcy##TTstN;v&{3K2BqVesIp?!%a9+~y-8o%aS)~GSJz!iXsDqUl7 z_Tx0z)xRVNOm0wy=*hJ{{WgwJAa2leuI0|g-GGN|DL&^cpx)8wvlI?ouWUP3gY?<% zs$2L=kp)QxH8TjK_~_I08pF{pKiSx^4?ORU!u*c)R8Rv|utBeji>ozTDxahN_z$j= zwP~`mI z!Fxjx=ZU=Jx?p=VdwwcC z>s1>=Y}g#4F(Oo~CKIl0C`Dvb%}O@tX%j4t)C%wU*-CfRC#pm7N>@Vy%39`}uaVuW zrP;JMAuB0hV{`gK*uMlbAuC)VT<=4dI1+PuaJ&;6QKijb-#h#;9%Z&7m-k%;CPy_R zQ&P;EJOXUoO~La;%gzNQ-vS16FC**Mk6+8=&LJyZ)n@uCa=k*2W;f`E8d3rIT0||( z<^Dn|B%=FW3I55P_bSOyVoN=yrPVbvd#buG&el7JZxBvfhc-(PDfl>yUlG<_RIu_;e4->zWZjH9Eh zecufyN!wzE<_%(8P|G@{5|mw?E>zmD-tZD!+Jewrxkodj;rt>{^ViG9_R<_BDi^AiydDRbl^rIY3Onn+NYAv+iBsf zeU-iEudvz0pJR`L4+ai^Uz^q!gmR9ZGV@t^mFs5slXA4lB1bCs$PqYP4`69Tic=bJQoctS=; zxofSq;$)Ie3NkL?lly5Ceed4w5xV}y*E4~pP>5(fW;k>bvCyzTAji5;NH8Nt*u#?2 z;LNz5K*(QPH(B;r76T~yYoog;xrpmV&(SiQ{(*V>SEkQt9yfsw9!6 zn;r)bz(O02N8d6>Ck1WIKBu6j{Xm3{+$;wDPZ|huLPHCoLL3H-!z?)3D<8M0G1l23 z?}Ic3hp(|q3=3obY|VK5Jp8sWrq#EwOhAE<8FzgTGgQ5_%1|`V-SR2+ImqsG%z>Iz z)WPGDXbT=JP|C2ltLTRkOrJ!3WT2QGAyAD-5G{mhay>TbFp z1|O_9_+}4oO;&XW?Y}ZF=Tyi9nwpq8f(7Gq{1fVHGKRGjG;0^LKlql&T#>F-Rw24tVs zaq~k^x516~+YELbaBd=ExUd z-x@{J6t z29s_`fvrxx%dq(ejJ9YJZs&R94fdrC$gmAsgn=&fc2l}rl6I$ze2wl+Cd?;RiK@5T zyF00%=nV*qv$^$RP?hlKJv-wXczrw zAF08++5(xI^X>A6g6r?W6s8)5$ApM+K@o8T;Dd^4<7kE*2dA&Om) z9sByEBZs!yz%O9~01>!2TYRP-&*P?Z;g3?e$zzEMj07TDdAiz4na=By(*rZ9<9h 
zSRxojgu5UYvqXcchS*_%ANO>L4!ePjWVPi3M9(T*GNRrMm?+iB=5PY|CewW;o;jVV zk8UvhCEP>0<*B4=Wf3ZlInoT^>sttdLZ4nTx>$p9HKu~a^Ty>X%4h(wtwDvmlx`yKeLsh*%&*iL^|gGygbKG>9K{L#eB^?{D)mrB<5NSLZno`8TG~FX ztF5)};w&dVCsWu!b`64$(s^5E|I%dXZl%Zeh;)i1&D0kJW(_b;C1w6wiNP zHS3F^JUZIgn~~n0ut3z+VG%g9P@zJdpslA1#aw3A*1B7# zczidPD-=n*OvSd@ZwG&*XQi9KtE$weTXikcqR&N*&RY&Co$uwS&eCYFHhpuK)w(Z{ zhlnj^8f+cQ3~%;lju2x#Gqc5FF`99JPjssfciX5lqMTpi#(32|XsZewTNzYMD8#qS z`_HGiUk+N4aW|`q+L zeQy<@+*^Z}tgBWQHAZ1R*$MOXZHIT4Aw+L3-`qHqOMR?JSQ$8%i`1u$uw0P`0(TSX zDA|)Wc6T#yl|vg)sur}0S&ghR8uIpwnYDYAGKS!On;=p_3=JTE}n9&HP zFW_nXtcRgm%Y0i+hor62R9)lXf_u99*;--5txq9Cy^AMYw)g z*bc7M;z*HxOI=K`LC(287^+J^RZZ&*>2;?N74oVNWG_y6lSU@|%%)$YIc+jlqbi2* z2>Ku(-iGECNLxP!Gr|&~biv6O*yN{}JuTl0KgZmwbrqLbRLhZ6QD}wn<4G@6-Lp`A z5q`OAnY=cwmtcv@OCN_$BRwV$pgv8gPkXi>NnY)h*wOX(B!jjct1oV1U+?w%f=IhiQIld8&VF_C`jausA`oTF&`1tOxIpHSNe z_rQxz8GzuXi^tMrrTU;OG2-jHqIy7TupDn&{PDAj|DBGj{;~Jlqw_gShW&n~F%{Ug zaqB|MIsN_(ofKjX4!2cM1cSw?h@S`K8CFOC11H<%UJ$a|nJUFTFkfe~WIYdDOQLvp zvQ{Eu``mxzg74Z*+0AwQrKONYO?; zKzp%rW~+UAU{J;-vnPMGH~N~vX%taA)udRW-H&Mmp|5uFSk;Y{O4}FK)hW6b>dKaQ z!!PYI)9fq@^cs`47@fAqx z4JDPRu5EHfpP9Kr&?n(NT3o>TN%mJ-&Bz)ftm(U#buR9tUfIE0Y7?@cvSQ1nIL*^Y zJ#2-j^n149 z72(!SqZ2k~?gjjb8)XClg&J8TlM4VVjouUE|5b}A%(eHSp)ypFHat+LEaL%(~vV8gCAiXA02&cGdLxKc^lC#^DFgUwo@A3rOK9TApGqCeKf(`PQoLUgc}Q~H!LgF1*KeI!HlN&>aWPCDba`lD_y_JG=^ z+`^(D5=WT zInZ=@t4aB~CWpj+(ioimoEVJ zS5V`9G`wsHv*%dRs|m1fC_-25;W)RGbV>|uw#)Yy;dS1(t0ys=xihfzrT+1|VnVeJ zhJ=FinF1f zSZmO_M<;Fv9_`Uykzln?Qb0Ool9Aw$y;a7dMN`>*4^2)Tt30Vq3e||9zqHe&GD+&$ z;4eg?Zw1k3SE5+moBy7qTA!i>bo1~vgXXg*HiE4$H}o<$PMLcmJg3ZBQIIk)87)p7 zR$#Bg7l%{_pkc;#?@Pi`nes_DViZd=ve(%VBT}Bj))5oz;hSi)(d#cVC_j#bE?;$@ zaD2-VJZ9`Xo>B&=+!~I?%egJ#PKZ~3Jft!vvSVMk&{e}dl5Q@Xj;F|W2vgsAa86#`-yX@uehIZb z&fu<0ofpT>sZwVdHs51hO`1kXE$y{5afeOTfKXZMX7&iT(BV|0_Xj{7F`X&JUx>@H zHyG}x6@@5ik?S7&Dfuc(dT0a{V!F!`olT`6Jtu$A)SN5AS4o}kqBKs2HHbBA9^TEG zZ&AQP(@Ikqag;@C49;rpn^~he#t~lC>A^K*bOv00LWykF5Wf69xrxX`}J zx2e3Ukl2nx)-c&gy=LSLj@Gkf(3vTKc`KTie%(X0w^Ks0T+S46>bkgC56M^!iz`=E 
zICIDtdB}XeSsFJbAi`rPx_RvjK2}j>GNXKMOiG|a#}*w?#n)p{4k4UX<&V^>wZ2$o zj^Icd8~MK07{B_mMmsCcl^KHM6^?tR{N{vYXgMkrwuMq$iDBMh+-!coozvLSE9$oD zOGv#u-M}MNOW@0mFofnEo4B8D(Vo;ai4y27E|+1y&W;k{-Ym(K16^tmK{#zU zhi@^V;tRfi7nniuYV8lx&>2f-<_Y=7!{Z3OhkLeyj`cP_H4B420SO7K$N=Nk+b_KwKnN&z6q67zd~gYm<5A-((G zh_!T_8$7H#5v%xGbIP`a>0m%tv{gM`jbQHGDGTby$=@v_F(EOc>8A4@2sYx-Cf~Bn zF809U21)*J>jj{8KAM^P~?53iq|IBFtdfujG|KSMl_y2^L z^Q@4_9Uzl3k1(M5da?5`L~X;86kTpaG>sL8K$AD@aVYA<9T~BPQLO@W4BB8qSI;&- zHntm@0hocmz!gf7j>wV4h#6ZzYm6o2HjWNe)1Ie}Q4l4uzus~uC_9eOEOE+9G=T}z zAS2sTi#K{titV!I#6WHmR;z)sTDmq_@E7e^Oz3l2S9kK75_#?nN7G@e%d<||Oz+0T z4UweeN{9jP4W_P7RcS^CMr|G~Z0Bf@H|{l1)}AYG2~mcbIBu$^mGMnst()y+(bhwLBP)q z2+@U=$_y{Fk~nIv!{1vKGmgrZ*k6K_zP#q^IysSev3D7Qq``2ZW1UjKwjC_z&O;e6 zD@{CF$f`>M;_2F0ZS|qAY|qIIyF#nKOuvBQA5fafOy}Xm?7;c`LLJsfki`KCaT&V|1`4K;uB9)zIx{IRO>=j=01AY7Vg{>i zFwtJ{St|vW7}6}>$k|O`$M9?V%NzAf?PJ|df6A2C=Cs?4u2Dr~V9+ENN220rJZ0(E z33)a6EiA@37TjK+w)l**OQ=~>${ZTp_`o`6u)}xUg{-z_1~Y%WvA^QTm}Xfb1G~uo zN&VfJqJwy!O$Q5CArhY1OCOFjl&JdYK=K&T^;dTvqGP`0M^}7bUq8P@?wS=B9~e%Z z`Kn?qhGSpY{ga-u6}X7E`I$_$<>Xm>bWealAU>g?>9(K$xiCdVT%JI^MQGo%1!ozl zRB;Kljzjdx_Y=`7Gcr!y-$wc06&Z=mq8Rl1R|Y&5cDB~L#yCZleP@^PB?eUh7;~;U zppCv^C)zFp>jn?z4XOF5ZFQbjoRD7E6gl7|bVA`QR58{3=9-)5^tDc9B?hM{o!e+kz&Q-oM-lcPLJ2swKvV9oK z2NI9%uf|DSvfNSSMKu>jR#u`xg)G$QYizffRUA#6;3EES_5=S}kh)Zr><-(0Rx-}CUE$by z@Xir50TQ_4zD>5m)Np$alP@zo3X$6^iTO;!4*M8 zRd8fIpGqPPdvD4B=73<9$Nb>S>~@pKr(-=|1w+nePO z!$3AXujY7Dx}xCOU8b{MuA>9J)dr{*NMsZKHz+62PQUI)MZ@QYGB!B4MH0mU*K~Q_ zOyyP$duWcTfSB3q3WXh6Vxo0^$u)Ms5(j}oB89Ak&GH4RupA=c*iP>>mBsK!~5K%bSxNplm{IB=2J=zPQU&;(TKg@h)uG2BfKw zQ7?d3gEOIMUN4gqW&swOy(v=fRSEB-m97 zo+p9Lg*+O%LB&kvJv2Q%kY9u8%-z$XJ5vx15>3pAkp>~9%R{CT-r3mxR6w>JK z^yBaQ6|cTzW14qWx3%P+5M;&aW`e8ZWyk(2J5lM3r-94kCf&FMy#5QNRL24WgRRb8 zK^KlX!%3g-HyTO#m07Z8dyl?hFdqVJC$;$;?pwd(-5BB`&*huDQ;WWZ)R8Q)XGZf1tc)6_Dhdf0;|XgYe~JJJdr;VOcJTpR+sV-J9J7bp5S-LnC*NGU^^vR*ND z_jP5`qJictX3TkS?;OF)Hms4BR&^SEue!i_uvbTtz!l2emwJ?rjVePK$VPfvxo>g0 zQ@5m&cBejjywRRk``nMkL?-b3G9mh-B= 
z6w>Ja;q~pih_*aNlEK{79TFX2la?!S$9UW7zU`9y$8k|#fd*H1kRwKU3Lng`5E}{Y$ zS==(?0fUWDLX&cNu+eT|d-qy(wG6QH+0uBsB+NmU&oJxJP)S8}flL;oh{S*f42$Xk zcQm$Ez@uBfB8Kp4tYA&xXSDG2_yW@pG&H)#l?H^wqheAkri}wXUL6N$5J^%U91Vc1 zpi;<}$B-|!LB}|EUIScd1)JM^8Wm3VAH10vhKmBHl}@Ttd$;G7$1o!3GEPsE6=u zEN})A2@=tgD#29SV^`SJi2)5*=;k947o(A!WwbQn>loZ)ddlEnNd^u1LX=X4IV^xv=lvIz1p!vXa= zXv5K2`ij*Tb>y<`8x#6qsU`PHYaYm};~Dwsb}fY#5bB{O?1g)nN!CUzfBnxSoDC~5 z7D43gl@MZ#int`sh9sW#>cBdjM(%#x+@;=tQxu3{u0k9KT2{eq0W#`o0sT}yC1zC{ z#}<_5@R^iig| zfmy!(#@BpwXAZ>u=gd4$8fG5Wq}hfmgRfQp5OK?T)qF_zk;HZUg($Z=LRer?iezS! z!CFGB`zk){@Dbor7+8{D#L6O|C3Y;jt5?72qj!LET8A^5yltya09c?)eEO>w;>5rG z7YfD`xbFaGdeSAeozOMi=joau6PNrUS5ay`wjs0|O(QZP`QWjz{FL=V#2zLw`jWNg zmu$xie%=4}DC-Z&OXM1nsv*i1zf zwS~%s!Q+_Z#e0VDnbeqWQ8(jQ0~^wPj{ZX;9Cq18q*`OUWQH4`UKX%Hob`L0$~KT* zwd#B$6d_J4gXgdi#`cQoAN`w-*a)3z{9uKj|NZ|(~4}MiXyxf!+mPm%wZpKvCKgnY$ia|fI zykh6;&$1Z;#Y8m2QHP{pgcVqgB^He)GGAFMj}i&**2KVBkEM(TIWg^wZjIJQ%$Ud+ z(#AOW7k_%}grWnAJ?Yh7cc6S{4AiFC&+rPU(MBGnff08j@bfgF8{4BF60IjoB)qj+ zpfLQtxw^mEb+awcG91n{0*NoH723VE>L^1ybMJ!X6iTG*xs;`hKSR(Jw|N4@l_@GR z#bpP{{gyd{=dLp$hrJeUnP+bFhiRq))#qJ?3^@jvg4DIGafFv)-d9~J89~ClykEc) zR5?)c^>2hOpAGg5vSb)(5R z-6@C9R|q<$80zG3vw+AdYnvHG?7uLQyO?sd6}RTh8_1MqTlsvg;(Z(3>9cEr-5D6} z?S_(Hwi*<~E5w})7k8sVWO=o>ImcFD4bT`WnP60u!(G!@XW!Soer*o;U)jETv6;6^ z8p`($uP}?@;wBhQ#zOetfMv9!2zCCJbFW&=Q=%A6BV+_UgLb)E?}_mcJ3vH`)P+aG z#PmFF5%UIp#9f{uO$?$~el}oMN)mdaRlDryIp1UFVMiHeZ^Qr1|MC*xCyxBM5WF+q zs>XEDg1YZyzsfL^=rB7hV+sKi$rlj(yKJ5rDK|F&(wBv55BD({X^12RUQ)LsYU_FZ zD!Z?TIF`r!0T&Y5@?N25aNTj+F%Hnl}m$t2#3?(K{XxIZw^2Z7$g=hf`V=& zC3&teoH!HwsPmPIjUIn-6y6~CQNTz0_LEUZ@{+87q1Zf#|~OJ3b$Y(%;CI0qve)YW^~eF z3VX4zAzluJEGO(tFtY1%^+@7cCjSAw^=H z{v09h6<|fjvx8m!V#4x93>N_|)w>Ho9L@&Fk&I8w6Ry+0v!>m2!|Jc_1B)`w<>F~b z9TXKP<#NP}tU%&Zzkq7f$7R*y^A|4+xWV(__3kC@+W{Hctk0~uWYL{-Qerd5V^Y3F9coL5cd)8kC!Z!Zjbbnz;WZ6jFpQ~+|H>#l zmH8A9<7c=hOXnjMJD(i9)SwHqcN7Y3l^{NAG3+ZeCCNOD?b?1K&hJ|E&{fHva=}rS zb9A9*=xm#qRRMsEVC0l1aDKa9Rw$h(Zt(_qvVMEC0@pqgN9tl>L$$-pzk`8tf7ZSE 
ztXQzp$rf*&|NZj97LKw-pmdwdG*Wo@R3WXXi6$Lb#7w5qlcbnkU2FGq=JMVlr!g46 zB<_~ex8cVP*S4fSW*jzZ(_0)oHGYCOXo~to#f%Z#nZ{7ASsvO+ao5|6CexU!FL#;Z zX|Yv$-+caLX*n{U(tOypg7n^gKrA6J%EPf+KKX>HY`8%pg*=aqn}D{q!SsL8Ip{7ySJ#>azG&Cm2CYn z2}WWEeCG}{9&1N7BbBy+in}}nIQ}Aj>c-;ReyXzVt&_N^UZj9^>xZn*d0W0Zbm*F zzs0Y;UKihfs!HWbx_s}vUv^9;e>Rvhrx+X+p3anUO(|n&XKnOt5F)TWmJ8zp|7;3J zkW{MN4djB%iwD?$4y=w8B%F>YaPcOlDfJb7l5jN9=Xy(^RsiADxIQshr=l20M@p8+ zlPhfK$eT<{I}M^-alZupjcfx1igj53WTXTT*7saE=>_5++3!|sJhPJA{N+Odb(ns% z-#g?uq0JhpWI;LC;iPAmZsF>#2N&M#MJ%yTvOu?7&ebhC1PSqys2|t@3@+9b_$^oA zL%?jNKndRM>eGtZ%TrGI$n9mwNnsFp@FoMwDVr+St>o3Q#H&9ZSC7>^Ekgan<)%H{ z312Z`DqOYWY`OW7NL#jmRI(=>Y<`563y4HdC>o}?f-9YUgmwxD|*ISIOrU#5^JPpcvE!eR;=_*A8g$#A9+?q!NH$Owg=BGlx0w(UuZn zm_Ue2*oI!?Hf;}kbq6%>(1J7_o?iHyu#u3k4XwuQ8mh_46S=jjjMIujBlaLZ@SE|M zuSzrB0|l9)NWr9OwCFm*!=t57yOBe!Vr=_7))U&a{(;{k^cr@EoQPsFL#7Q|91;7fk`dRZ1LzAo0+2i`cVmeCZBsld!ogyH!Wo7cSI~eIuX! zXH97tO812`nMD?~-Lk$duBYNEAS zFsqA2pf!+HQRNBA!87~e?SSr~#G)}<%grAS%#cW>Gm&yz%@c8B7}))mjQ~7+f>YdS ztNE4Cdwo3Zd;~l0dhF@#oR#X#@M&>n!kr)~#mvSf#eQ|(Kt-)q->e-Q?@k*TDJky| z6O3_EX2@`U^(>Wc$g;g*E`P6g|1d;@N*%SDpLp+du3k=qfrC_hnA=sS(^-_USMA{N zjO+NN9y@g%u{6&q!OH%10MhA6p{jLnWj=c#f$heuOs;}a+Ib8gXgo1zx!r^eeFuA& zhF*H(Eo{+WojvzPqQ&fH=giD{-h}$Dl(c$@D!%5a28Ck1)O7RL$PuTYl<=)=aeJ$? 
zFg}%Ok4CJihe2mtz;OKQYvBR?a4ohpnV#Tn~ zCXMD>)F!Hxq%|sZAvOXwO!YG@&)7yOx6vO|Izo0Y4}!Rn?-t}TY_m`X18!F2y_jPx ziZTlO(c=w;Sq;7Tg}T=5GcJDZ@pf^n6Cd)9;#F~e_x|y%iA6o$<4@@B`-7t%VdFhk zh4A_@#lW!JGD6uI)`IIEMds7Z(wd`tf<2o=F%;HfTX``M0Sbk~8@wZx!Xd|#hkQKu zJkqUpE!W4eh3xC~AL1&{s*4m;qht#Q+3VNn@#*qc?BVLM2~Xsx=GWFSj+;Qp@Pdqx z(G-K|&bfiy%Nj&C?N!zgvZN{d8(%UvBtJP*X{9`CX^HsI2X%TWO-|jY!6ho*m zIeEFdxVmO@TlFr>$+hzB64^@~ro*9dF-rDo#XPvg{Ta2c84sVo001EMVnY0i{p)6n zQ-mD1nbAX=O$);4Bqp!ZsRbXB zaqbkPBVPb*muT~IB5T*SDoMjYjmL)0g`@=*!?Qm@G`{>ZHrhttRU{JL?0h;l#Yva@ zqNC1wcriy!qLMR+v}jmGReEZ}z1nNSJuP7DWrrc?Ireue0|GYJvOA@0w4G$frMa1n zd&?o+XGOKB=HRXmOqWUJpVJPfjyxvWh5{&RGSw*TkL!roUpop4c4(2CoYLN^EK7OzMM|wwN#8M_;gp?{lqB?>$cf() zENO7=U_8VKIoZoDv@DL2fE&0N)lrA26<-nt?IvA?xy4zNP3lX|WjM)9jzuO{ZYsml z8CZv%{rjmQkE>VXtQ7XGg2C24reFmq+*#cYJzUCgL3#-Whg z8A7FASPzz;d>fdvOO`*AjxZC*ak30q=m4`mqI0X&2epjl3S(Aob!%6}Vm1=8h^JSx zsx^q1xk_i3 z<60o|^Od8s{VR0t@KE>9#4VZ8{NRP`r{xhCMr@nLs6poW2FMs#kos;{o^lDOd7yh; z_IVj9#1AijgTICtYpAVO~Ulp`v?Nxf%e?QOR9*>4;Ah)vejQq{*)L1vPK2Le! zaMSO2zdG$O-^e|60(jkj@s-kt)*q(UvrBWt&pQ@m79in(8vSh1^Obec zDbX-K5f=Ho`K@wvdP`2)0RR?cCT;