From e208fc2a0e104141100b001613a8932c52e4cee7 Mon Sep 17 00:00:00 2001
From: Ryan Northey
Date: Tue, 10 Oct 2023 15:04:32 +0000
Subject: [PATCH] repo: Release v1.25.10

Summary of changes:

- Resolve CVE-2023-44487 (https://github.com/envoyproxy/envoy/security/advisories/GHSA-jhv4-f7mr-xx76)
- Update Docker images to resolve glibc vulnerabilities

**Full Changelog**: https://github.com/envoyproxy/envoy/compare/v1.25.9...v1.25.10
Docker images: https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.25.10
Docs: https://www.envoyproxy.io/docs/envoy/v1.25.10/
Release notes: https://www.envoyproxy.io/docs/envoy/v1.25.10/version_history/v1.25/v1.25.10

Signed-off-by: Ryan Northey
---
 VERSION.txt | 2 +-
 changelogs/1.24.11.yaml | 19 +++++++++++++++++++
 changelogs/current.yaml | 24 +++++++++++-------------
 docs/inventories/v1.24/objects.inv | Bin 141751 -> 141778 bytes
 docs/inventories/v1.25/objects.inv | Bin 149714 -> 149776 bytes
 docs/versions.yaml | 4 ++--
 6 files changed, 33 insertions(+), 16 deletions(-)
 create mode 100644 changelogs/1.24.11.yaml

diff --git a/VERSION.txt b/VERSION.txt index 0ff952508c01..ba7b1297a554 100644 --- a/VERSION.txt +++ b/VERSION.txt @@ -1 +1 @@ -1.25.10-dev +1.25.10 diff --git a/changelogs/1.24.11.yaml b/changelogs/1.24.11.yaml new file mode 100644 index 000000000000..c5c5e55329bb --- /dev/null +++ b/changelogs/1.24.11.yaml 
@@ -0,0 +1,19 @@ +date: October 10, 2023 + +behavior_changes: +- area: http + change: | + Close HTTP/2 and HTTP/3 connections that prematurely reset streams. The runtime key + ``overload.premature_reset_min_stream_lifetime_seconds`` determines the interval where received stream + reset is considered premature (with 1 second default). The runtime key ``overload.premature_reset_total_stream_count``, + with the default value of 500, determines the number of requests received from a connection before the check for premature + resets is applied. The connection is disconnected if more than 50% of resets are premature. + Setting the runtime key ``envoy.restart_features.send_goaway_for_premature_rst_streams`` to ``false`` completely disables + this check. +- area: http + change: | + Add runtime flag ``http.max_requests_per_io_cycle`` for setting the limit on the number of HTTP requests processed + from a single connection in a single I/O cycle. Requests over this limit are processed in subsequent I/O cycles. This + mitigates CPU starvation by connections that simultaneously send high number of requests by allowing requests from other + connections to make progress. This runtime value can be set to 1 in the presence of abusive HTTP/2 or HTTP/3 connections. + By default this limit is disabled. diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 49dcb27ddd6a..087ad323021d 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -1,7 +1,6 @@ -date: Pending +date: October 10, 2023 behavior_changes: -# *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required* - area: http change: | Close HTTP/2 and HTTP/3 connections that prematurely reset streams. The runtime key 
@@ -18,19 +17,18 @@ behavior_changes: mitigates CPU starvation by connections that simultaneously send high number of requests by allowing requests from other connections to make progress. This runtime value can be set to 1 in the presence of abusive HTTP/2 or HTTP/3 connections. By default this limit is disabled. - -minor_behavior_changes: -# *Changes that may cause incompatibilities for some users, but should not for most* +- area: http + change: | + Add runtime flag ``http.max_requests_per_io_cycle`` for setting the limit on the number of HTTP requests processed + from a single connection in a single I/O cycle. Requests over this limit are processed in subsequent I/O cycles. This + mitigates CPU starvation by connections that simultaneously send high number of requests by allowing requests from other + connections to make progress. This runtime value can be set to 1 in the presence of abusive HTTP/2 or HTTP/3 connections. + By default this limit is disabled. bug_fixes: -# *Changes expected to improve the state of the world and are unlikely to have negative effects* - area: tls change: | fixed a bug where handshake may fail when both private key provider and cert validation are set. - -removed_config_or_runtime: -# *Normally occurs at the end of the* :ref:`deprecation period ` - -new_features: - -deprecated: +- area: docker/publishing + change: | + Update base images to resolve various glibc vulnerabilities. 
diff --git a/docs/inventories/v1.24/objects.inv b/docs/inventories/v1.24/objects.inv index 986bfcc604afd3819b4c175b4f0a1c79f516b25e..4a3daae93885ef97995b0e00002d10f73ee3d9fd 100644 GIT binary patch
diff --git a/docs/inventories/v1.25/objects.inv b/docs/inventories/v1.25/objects.inv index 4b6cff80793638673ba8088edda0ea9c3149c112..dd24b33b0039320969c1992e3871c50be0772a06 100644 GIT binary patch
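Review bot: The two `behavior_changes` entries in the new `changelogs/1.24.11.yaml` never name CVE-2023-44487 or the GHSA-jhv4-f7mr-xx76 advisory, although the commit message gives that CVE as the reason for the release. An operator reading only the release notes cannot tell that `overload.premature_reset_total_stream_count`, `overload.premature_reset_min_stream_lifetime_seconds` and `http.max_requests_per_io_cycle` are the mitigation knobs for it, or that the per-I/O-cycle limit is off unless they set it. Suggest adding the CVE reference to both entries, and stating in the first one whether changing `envoy.restart_features.send_goaway_for_premature_rst_streams` takes effect at runtime or only after a restart, since the key name suggests the latter and the text does not say.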
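Review bot: The `- area: http` block added in the `@@ -18,19 +17,18 @@` hunk of `changelogs/current.yaml` duplicates an entry that is already in the file. The unchanged context lines at the top of the same hunk end with the identical "mitigates CPU starvation ... By default this limit is disabled." paragraph, so after this change `behavior_changes` would list `http.max_requests_per_io_cycle` twice in the v1.25.10 notes. Suggest dropping the added block and keeping the rest of the hunk (removal of the empty section headers and the new `docker/publishing` bug-fix entry).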
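Review bot: `docs/inventories/v1.24/objects.inv` and `docs/inventories/v1.25/objects.inv` change only as binary deltas, and the commit message does not mention them or the added 1.24.11 changelog. Because the content cannot be read in review, please note in the message how the inventories were regenerated (for example, from which published docs version) so the result can be reproduced and compared against the index hashes shown in the diff headers.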