From 4056bb403c2ea0dd9cb5cd70237c304e61dabbca Mon Sep 17 00:00:00 2001 
From: Spyros
Date: Mon, 28 Feb 2022 19:21:02 +0000
Subject: [PATCH 01/26] Zapalerts (#163)
* zap alerts to cre, init
* convert alerts to yml
* new db
* ZAP DATA!
* parser init
* linting
* rename parsers to spreadsheet parsers
---
application/cmd/cre_main.py | 19 +- application/database/db.py | 35 +- ...rs_test.py => spreadsheet_parsers_test.py} | 4 +- .../external_project_parsers/__init__.py | 0 .../zap_alerts_parser.py | 80 ++ application/utils/git.py | 12 +- .../{parsers.py => spreadsheet_parsers.py} | 0 cre.py | 11 +- ...idation_sanitization_and_whitelisting.yaml | 62 ++ cres/>>Authentication.yaml | 50 +- cres/>>Authorization.yaml | 2 +- cres/>>Authorized_access.yaml | 173 ++++ cres/>>Business_logic.yaml | 84 ++ cres/>>Dependency_strength.yaml | 51 ++ cres/>>Development_&_operations.yaml | 205 +++++ cres/>>Documentation_and_requirements.yaml | 18 + cres/>>Input_and_output_verification.yaml | 96 +++ cres/>>Logging_and_error_handling.yaml | 103 +++ cres/>>Network_security.yaml | 8 + cres/>>Personnel_Security.yaml | 58 ++ cres/>>Program_Management.yaml | 197 +++++ cres/>>Risk_Assessment.yaml | 70 ++ cres/>>SUGGEST-WITHDRAW.yaml | 80 +- cres/>>Secure_communication.yaml | 73 ++ cres/>>Secure_data_storage.yaml | 40 + cres/>>Secure_user_management.yaml | 54 ++ cres/>>Session_management.yaml | 62 ++ cres/>>TBD.yaml | 2 +- cres/>>Tags.yaml | 24 +- cres/API-web_services.yaml | 53 ++ .../Accompany OAuth with Referesh tokens.yaml | 20 +- ...ection for cookie based REST services.yaml | 42 +- cres/Add integrity check to SOAP payload.yaml | 27 +- ...ection_for_cookie_based_REST_services.yaml | 66 ++ cres/Add_integrity_check_to_SOAP_payload.yaml | 41 + cres/Allow long passwords.yaml | 35 +- ...rity checks on all resources and code.yaml | 14 +- cres/Allow_long_passwords.yaml | 56 ++ ...rity_checks_on_all_resources_and_code.yaml | 28 + ...elpers,_including_paste_functionality.yaml | 50 ++ cres/Allow_unicode_in_passwords.yaml | 50 ++ ...Allow_user_revocation_of_Oauth_tokens.yaml | 
42 + ...tomation_protection_for_REST_services.yaml | 39 + cres/Architecture.yaml | 30 +- ...dded_by_a_trusted_proxy_or_SSO_device.yaml | 23 + ...Authenticate_all_external_connections.yaml | 28 + ...itiated_action_on_multi_factor_device.yaml | 46 + cres/Authenticate_consistently.yaml | 21 + cres/Authenticate_encrypted_data.yaml | 50 ++ cres/Authentication_mechanism.yaml | 82 ++ ...d_and_deployment,_especially_with_SDI.yaml | 15 + cres/Avoid_deserialization_logic.yaml | 34 + ..._with_exception_of_consecutive_spaces.yaml | 56 ++ ...d_unauthorized_client_data_collection.yaml | 28 + ..._for_authentication_of_access_control.yaml | 23 + cres/Backups.yaml | 8 +- cres/Binary_integrity.yaml | 17 + ...henticators_only_as_secondary_factors.yaml | 28 + ...f_file_metadata_from_untrusted_origin.yaml | 42 + ...ck_execution-output_of_uploaded_files.yaml | 27 + ...ion_of_content_from_untrusted_clients.yaml | 28 + cres/Boundary_Protection.yaml | 15 + cres/CSRF.yaml | 8 +- cres/Centralize_security_controls.yaml | 52 ++ ...with_presence_of_old_and_new_password.yaml | 50 ++ ...ck_binary_integrity_before_deployment.yaml | 21 + ...s_against_integer_overflow_weaknesses.yaml | 33 + ..._passwords_against_breached_passwords.yaml | 56 ++ ...ty_libraries_to_not_contain_backdoors.yaml | 21 + ...ce_code_to_not_contain_malicious_code.yaml | 21 + ..._source_code_to_not_contain_timebombs.yaml | 21 + ..._decompression_attacks_(eg_zip_bombs).yaml | 34 + ..._that_old_or_outdated_data_is_deleted.yaml | 34 + ...y_sensitive_data_in_protection_levels.yaml | 34 + ...thentication_data_from_client_storage.yaml | 27 + ...ear_policy_compliant_I-O_requirements.yaml | 40 + ..._or_tokens_independently_and_securely.yaml | 35 + cres/Communication_authentication.yaml | 26 + cres/Communication_encryption.yaml | 30 + cres/Configuration.yaml | 32 +- .../Configure_CSP_configuration_properly.yaml | 78 ++ ...Configure_HSTS_configuration_properly.yaml | 33 + cres/Configure_Referrer-Policy_properly.yaml | 27 + 
...igure_X-Content-Type-Options_properly.yaml | 35 + ...stently_apply_authentication_strength.yaml | 21 + ...tional_features_based_on_user_stories.yaml | 41 + cres/Cookie-config.yaml | 4 +- ...cally_secure_random_number_generators.yaml | 29 + cres/Credential_recovery.yaml | 40 + cres/Credentials_directives.yaml | 49 ++ cres/Cryptoghraphy.yaml | 2 +- cres/Cryptographic_directives.yaml | 23 + cres/Cryptography.yaml | 50 +- cres/DOS.yaml | 28 +- cres/Data_access_control.yaml | 21 + ...ta_security_requirement_documentation.yaml | 25 + ...e_and_perform_security_analysis_on_it.yaml | 54 ++ ...ne_security_steps_in_every_SDLC_stage.yaml | 39 + ...etime_of_time-based_one-time_password.yaml | 33 + cres/Deny_new_users_by_default.yaml | 50 ++ cres/Dependency_integrity.yaml | 44 + cres/Dependency_management.yaml | 24 + cres/Deployed_topology.yaml | 116 +++ cres/Deployment.yaml | 34 +- cres/Deployment_process.yaml | 53 ++ cres/Deserialization_Prevention.yaml | 26 + cres/Developer_Configuration_Management.yaml | 25 + cres/Developer_Testing_and_Evaluation.yaml | 15 + cres/Development_verification.yaml | 26 + cres/Disable_debug_mode_in_production.yaml | 29 + cres/Disable_insecure_SSL-TLS_versions.yaml | 63 ++ cres/Disallow_default_credentials.yaml | 26 + ...allow_shared_high_privileged_accounts.yaml | 51 ++ ...d-deprecated_client-side_technologies.yaml | 21 + ...nformation_in_HTTP_header_or_response.yaml | 196 +++++ ...echnical_information_in_error_message.yaml | 60 ++ ...otation_rules_or_history_requirements.yaml | 50 ++ cres/Do_not_expose_data_through_API_URLs.yaml | 46 + .../Do_not_expose_data_through_HTTP_verb.yaml | 34 + cres/Do_not_expose_session_token_in_URL.yaml | 27 + ...all_back_to_insecure_protocols_in_TCP.yaml | 53 ++ ...racter_types_for_password_composition.yaml | 56 ++ ...ot_log_credentials_or_payment_details.yaml | 33 + ...clear_text)_authenticators_by_default.yaml | 34 + ...ent_password_during_password_recovery.yaml | 44 + 
...nized_state_on_high-value_logic_flows.yaml | 29 + cres/Do_not_store_secrets_in_the_code.yaml | 23 + ...tive_data_on_client_(browser)_storage.yaml | 27 + ...l_or_dynamic_code_execution_functions.yaml | 54 ++ ...se_password_hints_or_secret_questions.yaml | 44 + cres/Do_not_use_static_secrets.yaml | 26 + ...boundaries_and_significant_data_flows.yaml | 48 ++ ...cument_explicit_key-secret_management.yaml | 42 + ...irements_for_(data)_protection_levels.yaml | 34 + cres/Documentation_and_requirements.yaml | 66 ++ ...ponents_business_or_security_function.yaml | 29 + cres/Enable_certification_revocation.yaml | 21 + ...gurable_alert_against_usage_anomalies.yaml | 41 + ...on_to_log_out_from_all_active_session.yaml | 43 + cres/Encode_output_context-specifically.yaml | 176 ++++ ...output_near_the_consuming_interpreter.yaml | 42 + ...hile_preserving_user_input_formatting.yaml | 126 +++ cres/Encode_user_input_before_logging.yaml | 66 ++ cres/Encrypt_all_communications.yaml | 23 + cres/Encrypt_data_at_rest.yaml | 39 + cres/Encrypt_financial_data_at_rest.yaml | 64 ++ cres/Encrypt_health_data_at_rest.yaml | 64 ++ cres/Encrypt_personal_data_at_rest.yaml | 71 ++ ...de_both_confidentiality_and_integrity.yaml | 30 + cres/Encryption_algorithms.yaml | 58 ++ ...Enforce_JSON_schema_before_processing.yaml | 80 ++ ...s_control_on_trusted_parts-serverside.yaml | 27 + ...cess_control_on_trusted_service_layer.yaml | 46 + ...thorization_and_segregation_of_duties.yaml | 27 + ...h_an_authentication_third_party_(CSP).yaml | 33 + cres/Enforce_high_entropy_session_tokens.yaml | 51 ++ ...validation_on_a_trusted_service_layer.yaml | 49 ++ ...for_externally_hosted_assets_(eg_SRI).yaml | 47 ++ cres/Enforce_least_privilege.yaml | 45 + ...zation_both_at_URI_and_final_resource.yaml | 38 + ...ence_of_business_flows_to_avoid_abuse.yaml | 35 + ...Enforce_schema_on_XML_structure-field.yaml | 71 ++ ...a_on_type-contents_of_structured_data.yaml | 86 ++ ..._safety-resistance_to_race_conditions.yaml | 29 + 
..._elements_can_be_upgraded_or_replaced.yaml | 50 ++ ..._integrity_of_DNS_entries_and_domains.yaml | 39 + ...re_keys_and_passwords_are_replaceable.yaml | 35 + ...re_proper_generation_of_secure_random.yaml | 36 + cres/Ensure_repeatability_of_deployment.yaml | 21 + ...orithms_for_generating_session_tokens.yaml | 51 ++ cres/Ensure_session_timeout_(soft-hard).yaml | 49 ++ ...e_revoked_fully_immediately_when_lost.yaml | 29 + ...l-safe_is_in_place_for_access_control.yaml | 50 ++ ...thentication_request,_code,_or_tokens.yaml | 34 + ...usted_origin_of_third_party_resources.yaml | 48 ++ ...users_can_remove_or_export_their_data.yaml | 30 + cres/Error_handling.yaml | 24 + cres/Escape_output_against_XSS.yaml | 163 ++++ cres/Fail_securely.yaml | 25 + cres/File_download.yaml | 14 + cres/File_execution.yaml | 43 + cres/File_handling.yaml | 46 + cres/File_storage.yaml | 19 + cres/File_upload.yaml | 44 + cres/Force_format_strings_as_constants.yaml | 32 + ...ing_for_specific_interpreters_context.yaml | 126 +++ ...to_check_outdated-insecure_components.yaml | 26 + ...ncoders_and_parsers_throughout_system.yaml | 40 + ...ew_session_token_after_authentication.yaml | 56 ++ ..._allow_to_reuse_the_initial_password..yaml | 34 + ...ookup_secrets_with_sufficient_entropy.yaml | 28 + cres/Guidelines.yaml | 16 +- cres/HTTP_security_headers.yaml | 48 ++ ...n_by_excluding_unwanted_functionality.yaml | 28 + cres/Http_headers.yaml | 8 + ...itive_data_and_subject_it_to_a_policy.yaml | 194 +++++ ...d_origin_(local_file_context,_eg_LFI).yaml | 28 + ..._origin_(remote_file_context,_eg_RFI).yaml | 42 + ...s_from_untrusted_origin_(against_RFD).yaml | 21 + ...xecution_logic_from_untrusted_sources.yaml | 30 + ...its_against_identified_business_risks.yaml | 35 + ...and_use_it_only_after_opt-in_consent..yaml | 31 + ...form_users_for_authentication_renewal.yaml | 26 + cres/Injection.yaml | 32 +- cres/Input_validation.yaml | 68 ++ ...plication_request_minimal_permissions.yaml | 28 + 
...t_cryptographic_modules_fail_securely.yaml | 46 + ...thorize_users_access_to_functionality.yaml | 40 + cres/Limit_REST_HTTP_methods.yaml | 45 + ...ess_to_admin-management_functionality.yaml | 44 + ..._specifically_authorized_actors-users.yaml | 39 + ...act_GraphQL-data_layer_expression_DoS.yaml | 31 + ...mit_size_and_number_of_uploaded_files.yaml | 34 + ...erization)_to_avoid_injection_attacks.yaml | 182 ++++ cres/Log_TLS_connection_failures.yaml | 34 + cres/Log_access_control_decisions.yaml | 27 + cres/Log_access_protection.yaml | 8 + cres/Log_access_to_sensitive_data.yaml | 26 + cres/Log_all_security_relevant_events.yaml | 32 + ..._OTP_tokens_and_notify_device_holder..yaml | 28 + ...sions_without_exposing_sensitive_data.yaml | 27 + cres/Log_discretely.yaml | 29 + ..._sufficiently_to_recreate_their_order.yaml | 39 + ...og_in_consistent_format_across_system.yaml | 40 + cres/Log_injection_protection.yaml | 17 + cres/Log_integrity.yaml | 39 + cres/Log_only_non-sensitive_data.yaml | 39 + cres/Log_relevant.yaml | 53 ++ cres/Log_time_synchronization.yaml | 8 + cres/Login_functionality.yaml | 19 + cres/MFA-OTP.yaml | 50 +- ...inventory_of_third_party_repositories.yaml | 38 + ...cure_coding_resources_for_programmers.yaml | 41 + cres/Manage_temporary_storage.yaml | 45 + ...ate_using_multi_factor_authentication.yaml | 46 + cres/Memory,_String,_and_Unmanaged_Code.yaml | 33 + cres/Minimize_communication.yaml | 28 + ...the_number_of_parameters_in_a_request.yaml | 21 + ...e_intensity_(e.g._number_of_requests).yaml | 36 + ...istic_human_time_business_logic_flows.yaml | 42 + cres/Monitor_suspected_automation_abuse.yaml | 47 ++ .../Monitor_unusual_activities_on_system.yaml | 47 ++ ...ation_and_credential_service_provider.yaml | 51 ++ ...ation_components._Minimize_privileges.yaml | 39 + ...y_authenticate_application_components.yaml | 33 + cres/Network_Access_Control.yaml | 8 + cres/Network_protection.yaml | 10 + cres/Notify_user_about_credential_change.yaml | 49 ++ 
...out_anomalies_in_their_usage_patterns.yaml | 39 + ...Offer_password_changing_functionality.yaml | 50 ++ ...nly_store_hashed_authentication_codes.yaml | 34 + ...put_encoding_and_injection_prevention.yaml | 79 ++ cres/Parse_JSON_safely.yaml | 40 + ...tographic_operations_in_constant_time.yaml | 35 + ...f_important_data_and_test_restoration.yaml | 21 + cres/Personal_data_handling.yaml | 115 +++ cres/Physical_security.yaml | 17 + ...acking_through_X-Frame-Options_or_CSP.yaml | 33 + ...f_sensitive_data_in_server_components.yaml | 21 + cres/Prevent_security_disclosure.yaml | 31 + ...n_for_all_applications_and_frameworks.yaml | 41 + ...authorized_access-modification_(IDOR).yaml | 45 + ..._against_JS_or_JSON_injection_attacks.yaml | 126 +++ cres/Protect_against_LDAP_injection.yaml | 133 +++ cres/Protect_against_LFI_-_RFI.yaml | 129 +++ ...t_against_OS_command_injection_attack.yaml | 141 ++++ cres/Protect_against_XML-XPath_injection.yaml | 134 +++ ..._directory_browsing-discovery_attacks.yaml | 49 ++ ...inst_mass_parameter_assignment_attack.yaml | 42 + ...otect_and_clear_cached_sensitive_data.yaml | 21 + ...cation_between_application_components.yaml | 48 ++ cres/Protect_logs_against_log_injection.yaml | 66 ++ ...tect_logs_against_unauthorized_access.yaml | 200 +++++ ...nctionalities_against_race_conditions.yaml | 29 + cres/Protect_session_ID.yaml | 30 + cres/Provide_a_password_strength_meter.yaml | 50 ++ ...tire_password_or_last_typed_character.yaml | 50 ++ ...system_flexibility_for_access_control.yaml | 49 ++ cres/RESTful.yaml | 8 +- ...nticate_before_sensitive_transactions.yaml | 39 + ...tication_from_federation_or_assertion.yaml | 26 + .../Reject_non-whitelisted_content_types.yaml | 33 + ...res,_documentation,_configuration_etc.yaml | 46 + ...enrollment_when_recovering_OTP_or_MFA.yaml | 39 + cres/Resist_stolen_credentials.yaml | 51 ++ cres/Restrict_XML_parsing_(against_XXE).yaml | 67 ++ cres/Restrict_excessive_authentication.yaml | 65 ++ cres/SOAP.yaml | 6 +- 
cres/SSRF.yaml | 8 +- ...ate_applications_at_the_network_level.yaml | 41 + cres/Sandbox_third_party_libraries.yaml | 39 + cres/Sanitization_and_sandboxing.yaml | 75 ++ ...dbox_untrusted_SVG_scriptable_content.yaml | 48 ++ ...riptable_or_template_language_content.yaml | 79 ++ ..._where_template-injection_is_a_threat.yaml | 79 ++ ...sted_origin_if_processing_is_required.yaml | 34 + cres/Sanitize_unstructured_data.yaml | 54 ++ cres/Sanitize_untrusted_HTML_input.yaml | 60 ++ ...to_mail_systems_(SMTP-IMAP_injection).yaml | 54 ++ cres/Scan_untrusted_files_for_malware.yaml | 27 + cres/Secret_storage.yaml | 88 ++ cres/Secure_Development.yaml | 13 + cres/Secure_auto-updates_over_full_stack.yaml | 35 + ...ecure_name-address_resolution_service.yaml | 28 + cres/Secure_random_values.yaml | 33 + ...lized_objects_(e.g._integrity_checks).yaml | 45 + ...mate_build_and_deployment_in_pipeline.yaml | 21 + ...ely_store_files_with_untrusted_origin.yaml | 27 + cres/Securely_store_regulated_data.yaml | 28 + cres/Securely_transfer_logs_(remotely).yaml | 27 + ...ty_and_Privacy_Engineering_Principles.yaml | 15 + ..._components_of_differing_trust_levels.yaml | 28 + ...Send_authentication_secrets_encrypted.yaml | 62 ++ ...)_authorization_logic_from_data_layer.yaml | 28 + ...parate_storage_of_user_uploaded_files.yaml | 21 + cres/Server_protection.yaml | 10 + cres/Session_integrity.yaml | 19 + cres/Session_lifecycle.yaml | 47 ++ cres/Session_token_generation.yaml | 28 + ...refix_for_cookie-based_session_tokens.yaml | 51 ++ ..._of_security_deployment_configuration.yaml | 23 + cres/Set_content_HTTP_response_type.yaml | 27 + ...ibute_for_cookie-based_session_tokens.yaml | 64 ++ ...content-Disposition_for_API_responses.yaml | 27 + ...session_tokens_as_precise_as_possible.yaml | 57 ++ cres/Set_proper_(C)_compiler_flags.yaml | 36 + ...ibute_for_cookie-based_session_tokens.yaml | 65 ++ ...ibute_for_cookie-based_session_tokens.yaml | 59 ++ cres/Set_sufficient_anti-caching_headers.yaml | 40 + 
...t_feasible_iteration_count_for_PBKDF2.yaml | 40 + ...ghest_feasible_work_factor_for_bcrypt.yaml | 40 + ...xceptions_or_unanticipated_exceptions.yaml | 39 + ...annot_execute-damage_server_or_client.yaml | 37 + cres/Store_backups_securely.yaml | 21 + cres/Store_credentials_securely.yaml | 28 + cres/Store_cryptographic_keys_securely.yaml | 40 + cres/Store_passwords_salted_and_hashed.yaml | 40 + ...riber-provided_authentication_devices.yaml | 28 + cres/Synchronize_time_zones_for_logs.yaml | 27 + cres/System_time_synchronization.yaml | 17 + cres/TLS.yaml | 20 +- cres/Techniques.yaml | 18 +- ...all_sessions_when_password_is_changed.yaml | 33 + cres/Terminate_session_after_logout.yaml | 49 ++ ...t_model_every_design_change_or_sprint.yaml | 46 + cres/Treat_client-secrets_as_insecure.yaml | 23 + ...rty_components_build-_or_compile_time.yaml | 44 + ..._even_when_using_RBAC_for_permissions.yaml | 33 + ...ols_for_unauthenticated_functionality.yaml | 67 ++ cres/Use_SAST_for_malicious_content.yaml | 27 + ..._centralized_access_control_mechanism.yaml | 56 ++ ...dedicated_secrets_management_solution.yaml | 35 + ...rt_error_handler_for_unhandled_errors.yaml | 39 + ...ue_challenge_nonce_of_sufficient_size.yaml | 45 + ...y_module_for_cryptographic_operations.yaml | 35 + ...Use_approved_cryptographic_algorithms.yaml | 47 ++ ..._generation,_seeding_and_verification.yaml | 45 + ...ion,_seeding_and_verification_of_OTPs.yaml | 43 + ..._centralized_authentication_mechanism.yaml | 33 + ...cally_secure_random_number_generators.yaml | 29 + ...al_secrets_rather_than_static_secrets.yaml | 44 + cres/Use_exception_handling_uniformly.yaml | 39 + cres/Use_key_vaults.yaml | 35 + ...e_OS_accounts_for_system_(components).yaml | 34 + cres/Use_least_privilege_for_resources.yaml | 27 + cres/Use_lookup_secrets_only_once.yaml | 28 + ...Use_memory-safe_functions_exclusively.yaml | 38 + ...tication_on_administrative_interfaces.yaml | 29 + ..._and_initialization_vectors_only_once.yaml | 50 ++ 
...n_requests,_codes_or_tokens_only_once.yaml | 34 + ...Use_proper_source_code_control_system.yaml | 55 ++ ...generate_initial_authentication_codes.yaml | 41 + ...ry_mechanisms_for_forgotten_passwords.yaml | 50 ++ ...e_one-time_password_verification_keys.yaml | 47 ++ ...eparately_stored_secret_salt_(pepper).yaml | 34 + ...f_the_art_cryptographic_configuration.yaml | 50 ++ ...nticators_only_for_less_secure_access.yaml | 47 ++ cres/Use_time-based_OTP_only_once.yaml | 33 + ...ufficient_entropy_for_each_credential.yaml | 40 + cres/Use_unpredictable_lookup_secrets.yaml | 28 + ...ypto_only_for_backwards_compatibility.yaml | 50 ++ ...ords_are_of_sufficient_minimum_length.yaml | 56 ++ cres/Validate_HTTP_request_headers.yaml | 38 + ...e_type_of_data_from_untrusted_sources.yaml | 33 + cres/Validate_max_input-file_sizes.yaml | 49 ++ ...nst_HTTP_parameter_pollution_attacks).yaml | 42 + ...rify_TLS_certificates_and_trust_chain.yaml | 30 + ...Verify_content-type_for_REST_services.yaml | 48 ++ ...rify_strong_TLS_algorithms_by_testing.yaml | 56 ++ ...henticity_of_both_headers_and_payload.yaml | 57 ++ cres/Was:_TBD.yaml | 783 ++++++++++++++++++ ...s_in_browser,_use_secure_methods_only.yaml | 38 + ...n_event_to_other_parties_in_the_chain.yaml | 27 + ...ptographically_secure_characteristics.yaml | 48 ++ cres/White-list_HTTP_methods.yaml | 29 + cres/Whitelist_CORS_resources.yaml | 29 + cres/Whitelist_all_external_(HTTP)_input.yaml | 86 ++ cres/Whitelist_data_sources_and_sinks.yaml | 53 ++ ...st_file_extensions_served_by_web_tier.yaml | 27 + cres/Whitelist_redirected-forwarded_URLs.yaml | 49 ++ cres/Wireless_link_protection.yaml | 15 + cres/XML_Parser_hardening.yaml | 11 + cres/XSS.yaml | 24 +- ...itive_information_in_memory_after_use.yaml | 21 + cres/db.sqlite | Bin 327680 -> 606208 bytes cres/zap-alerts/0.yml | 13 + cres/zap-alerts/10003.yml | 5 + cres/zap-alerts/10009.yml | 5 + cres/zap-alerts/10010.yml | 13 + cres/zap-alerts/10011.yml | 13 + cres/zap-alerts/10015.yml | 13 + 
cres/zap-alerts/10017.yml | 13 + cres/zap-alerts/10019.yml | 13 + cres/zap-alerts/10020-1.yml | 13 + cres/zap-alerts/10020-2.yml | 13 + cres/zap-alerts/10020-3.yml | 13 + cres/zap-alerts/10020-4.yml | 13 + cres/zap-alerts/10020.yml | 5 + cres/zap-alerts/10021.yml | 13 + cres/zap-alerts/10023.yml | 13 + cres/zap-alerts/10024.yml | 13 + cres/zap-alerts/10025.yml | 13 + cres/zap-alerts/10026.yml | 5 + cres/zap-alerts/10027.yml | 13 + cres/zap-alerts/10028.yml | 5 + cres/zap-alerts/10029.yml | 5 + cres/zap-alerts/10030.yml | 5 + cres/zap-alerts/10031.yml | 5 + cres/zap-alerts/10032-1.yml | 13 + cres/zap-alerts/10032-2.yml | 13 + cres/zap-alerts/10032-3.yml | 13 + cres/zap-alerts/10032-4.yml | 13 + cres/zap-alerts/10032-5.yml | 13 + cres/zap-alerts/10032-6.yml | 13 + cres/zap-alerts/10032.yml | 5 + cres/zap-alerts/10033.yml | 5 + cres/zap-alerts/10034.yml | 5 + cres/zap-alerts/10035.yml | 5 + cres/zap-alerts/10036.yml | 5 + cres/zap-alerts/10037.yml | 13 + cres/zap-alerts/10038.yml | 5 + cres/zap-alerts/10039.yml | 5 + cres/zap-alerts/10040.yml | 13 + cres/zap-alerts/10041.yml | 5 + cres/zap-alerts/10042.yml | 5 + cres/zap-alerts/10043.yml | 5 + cres/zap-alerts/10044.yml | 5 + cres/zap-alerts/10045.yml | 13 + cres/zap-alerts/10047.yml | 13 + cres/zap-alerts/10048.yml | 13 + cres/zap-alerts/10049.yml | 5 + cres/zap-alerts/10050.yml | 5 + cres/zap-alerts/10051.yml | 13 + cres/zap-alerts/10052.yml | 5 + cres/zap-alerts/10054.yml | 13 + cres/zap-alerts/10055.yml | 13 + cres/zap-alerts/10056.yml | 13 + cres/zap-alerts/10057.yml | 13 + cres/zap-alerts/10058.yml | 13 + cres/zap-alerts/10061.yml | 13 + cres/zap-alerts/10062.yml | 5 + cres/zap-alerts/10063.yml | 5 + cres/zap-alerts/10070.yml | 5 + cres/zap-alerts/10094.yml | 5 + cres/zap-alerts/10095.yml | 13 + cres/zap-alerts/10096.yml | 13 + cres/zap-alerts/10097.yml | 5 + cres/zap-alerts/10098.yml | 13 + cres/zap-alerts/10099.yml | 5 + cres/zap-alerts/10103.yml | 13 + cres/zap-alerts/10104.yml | 5 + cres/zap-alerts/10105.yml 
| 13 + cres/zap-alerts/10106.yml | 13 + cres/zap-alerts/10107.yml | 13 + cres/zap-alerts/10108.yml | 5 + cres/zap-alerts/10109.yml | 5 + cres/zap-alerts/10110.yml | 5 + cres/zap-alerts/10202.yml | 13 + cres/zap-alerts/110001.yml | 13 + cres/zap-alerts/110002.yml | 5 + cres/zap-alerts/110003.yml | 13 + cres/zap-alerts/110004.yml | 13 + cres/zap-alerts/110005.yml | 13 + cres/zap-alerts/110006.yml | 5 + cres/zap-alerts/110007.yml | 13 + cres/zap-alerts/110008.yml | 13 + cres/zap-alerts/2.yml | 13 + cres/zap-alerts/20012.yml | 13 + cres/zap-alerts/20014.yml | 13 + cres/zap-alerts/20015.yml | 13 + cres/zap-alerts/20016.yml | 13 + cres/zap-alerts/20017.yml | 13 + cres/zap-alerts/20018.yml | 13 + cres/zap-alerts/20019.yml | 13 + cres/zap-alerts/3.yml | 13 + cres/zap-alerts/30001.yml | 13 + cres/zap-alerts/30002.yml | 13 + cres/zap-alerts/30003.yml | 13 + cres/zap-alerts/40003.yml | 13 + cres/zap-alerts/40008.yml | 13 + cres/zap-alerts/40009.yml | 13 + cres/zap-alerts/40012.yml | 13 + cres/zap-alerts/40013.yml | 13 + cres/zap-alerts/40014.yml | 13 + cres/zap-alerts/40015.yml | 13 + cres/zap-alerts/40016.yml | 13 + cres/zap-alerts/40017.yml | 13 + cres/zap-alerts/40018.yml | 13 + cres/zap-alerts/40019.yml | 13 + cres/zap-alerts/40020.yml | 13 + cres/zap-alerts/40021.yml | 13 + cres/zap-alerts/40022.yml | 13 + cres/zap-alerts/40023.yml | 13 + cres/zap-alerts/40024.yml | 13 + cres/zap-alerts/40025.yml | 13 + cres/zap-alerts/40026.yml | 13 + cres/zap-alerts/40027.yml | 13 + cres/zap-alerts/40028.yml | 13 + cres/zap-alerts/40029.yml | 13 + cres/zap-alerts/40032.yml | 13 + cres/zap-alerts/40033.yml | 13 + cres/zap-alerts/40034.yml | 13 + cres/zap-alerts/40035.yml | 13 + cres/zap-alerts/40036.yml | 5 + cres/zap-alerts/40038.yml | 5 + cres/zap-alerts/40039.yml | 5 + cres/zap-alerts/40040-1.yml | 13 + cres/zap-alerts/40040-2.yml | 13 + cres/zap-alerts/40040-3.yml | 13 + cres/zap-alerts/40040.yml | 5 + cres/zap-alerts/40041.yml | 5 + cres/zap-alerts/40042.yml | 13 + 
cres/zap-alerts/40043-1.yml | 13 + cres/zap-alerts/40043-2.yml | 13 + cres/zap-alerts/40043.yml | 5 + cres/zap-alerts/41.yml | 13 + cres/zap-alerts/42.yml | 13 + cres/zap-alerts/43.yml | 13 + cres/zap-alerts/6.yml | 13 + cres/zap-alerts/7.yml | 13 + cres/zap-alerts/90001.yml | 13 + cres/zap-alerts/90002.yml | 5 + cres/zap-alerts/90003.yml | 5 + cres/zap-alerts/90004-1.yml | 13 + cres/zap-alerts/90004-2.yml | 13 + cres/zap-alerts/90004-3.yml | 13 + cres/zap-alerts/90004.yml | 5 + cres/zap-alerts/90011.yml | 13 + cres/zap-alerts/90017.yml | 13 + cres/zap-alerts/90018.yml | 13 + cres/zap-alerts/90019.yml | 13 + cres/zap-alerts/90020.yml | 13 + cres/zap-alerts/90021.yml | 13 + cres/zap-alerts/90022.yml | 13 + cres/zap-alerts/90023.yml | 13 + cres/zap-alerts/90024.yml | 13 + cres/zap-alerts/90025.yml | 13 + cres/zap-alerts/90026.yml | 5 + cres/zap-alerts/90027.yml | 13 + cres/zap-alerts/90028.yml | 13 + cres/zap-alerts/90029.yml | 5 + cres/zap-alerts/90030.yml | 5 + cres/zap-alerts/90033.yml | 13 + cres/zap-alerts/90034.yml | 5 + 564 files changed, 19452 insertions(+), 420 deletions(-) rename application/tests/{parsers_test.py => spreadsheet_parsers_test.py} (99%) create mode 100644 application/utils/external_project_parsers/__init__.py create mode 100644 application/utils/external_project_parsers/zap_alerts_parser.py rename application/utils/{parsers.py => spreadsheet_parsers.py} (100%) create mode 100644 cres/(SSRF)_When_depending_on_internal_server_input,_use_validation_sanitization_and_whitelisting.yaml create mode 100644 cres/>>Authorized_access.yaml create mode 100644 cres/>>Business_logic.yaml create mode 100644 cres/>>Dependency_strength.yaml create mode 100644 cres/>>Development_&_operations.yaml create mode 100644 cres/>>Documentation_and_requirements.yaml create mode 100644 cres/>>Input_and_output_verification.yaml create mode 100644 cres/>>Logging_and_error_handling.yaml create mode 100644 cres/>>Network_security.yaml create mode 100644 
cres/>>Personnel_Security.yaml create mode 100644 cres/>>Program_Management.yaml create mode 100644 cres/>>Risk_Assessment.yaml create mode 100644 cres/>>Secure_communication.yaml create mode 100644 cres/>>Secure_data_storage.yaml create mode 100644 cres/>>Secure_user_management.yaml create mode 100644 cres/>>Session_management.yaml create mode 100644 cres/API-web_services.yaml create mode 100644 cres/Add_CSRF_protection_for_cookie_based_REST_services.yaml create mode 100644 cres/Add_integrity_check_to_SOAP_payload.yaml create mode 100644 cres/Allow_long_passwords.yaml create mode 100644 cres/Allow_only_trusted_sources_both_build_time_and_runtime;_therefore_perform_integrity_checks_on_all_resources_and_code.yaml create mode 100644 cres/Allow_password_helpers,_including_paste_functionality.yaml create mode 100644 cres/Allow_unicode_in_passwords.yaml create mode 100644 cres/Allow_user_revocation_of_Oauth_tokens.yaml create mode 100644 cres/Anti-Automation_protection_for_REST_services.yaml create mode 100644 cres/Authenticate_HTTP_headers_added_by_a_trusted_proxy_or_SSO_device.yaml create mode 100644 cres/Authenticate_all_external_connections.yaml create mode 100644 cres/Authenticate_by_OTP_token_entry_or_user-initiated_action_on_multi_factor_device.yaml create mode 100644 cres/Authenticate_consistently.yaml create mode 100644 cres/Authenticate_encrypted_data.yaml create mode 100644 cres/Authentication_mechanism.yaml create mode 100644 cres/Automate_secure_build_and_deployment,_especially_with_SDI.yaml create mode 100644 cres/Avoid_deserialization_logic.yaml create mode 100644 cres/Avoid_password_truncation,_with_exception_of_consecutive_spaces.yaml create mode 100644 cres/Avoid_unauthorized_client_data_collection.yaml create mode 100644 cres/Avoid_using_of_Origin_header_for_authentication_of_access_control.yaml create mode 100644 cres/Binary_integrity.yaml create mode 100644 cres/Biometric_authenticators_only_as_secondary_factors.yaml create mode 100644 
cres/Block_direct_execution_of_file_metadata_from_untrusted_origin.yaml create mode 100644 cres/Block_execution-output_of_uploaded_files.yaml create mode 100644 cres/Block_serialization_of_content_from_untrusted_clients.yaml create mode 100644 cres/Boundary_Protection.yaml create mode 100644 cres/Centralize_security_controls.yaml create mode 100644 cres/Change_password_with_presence_of_old_and_new_password.yaml create mode 100644 cres/Check_binary_integrity_before_deployment.yaml create mode 100644 cres/Check_boundaries_against_integer_overflow_weaknesses.yaml create mode 100644 cres/Check_new_passwords_against_breached_passwords.yaml create mode 100644 cres/Check_source_code_and_third_party_libraries_to_not_contain_backdoors.yaml create mode 100644 cres/Check_source_code_to_not_contain_malicious_code.yaml create mode 100644 cres/Check_source_code_to_not_contain_timebombs.yaml create mode 100644 cres/Check_uploaded_archives_for_decompression_attacks_(eg_zip_bombs).yaml create mode 100644 cres/Classify_personal_data_regarding_retention_so_that_old_or_outdated_data_is_deleted.yaml create mode 100644 cres/Classify_sensitive_data_in_protection_levels.yaml create mode 100644 cres/Clear_authentication_data_from_client_storage.yaml create mode 100644 cres/Clear_policy_compliant_I-O_requirements.yaml create mode 100644 cres/Communicate_out_of_band_authentication_requests,_codes_or_tokens_independently_and_securely.yaml create mode 100644 cres/Communication_authentication.yaml create mode 100644 cres/Communication_encryption.yaml create mode 100644 cres/Configure_CSP_configuration_properly.yaml create mode 100644 cres/Configure_HSTS_configuration_properly.yaml create mode 100644 cres/Configure_Referrer-Policy_properly.yaml create mode 100644 cres/Configure_X-Content-Type-Options_properly.yaml create mode 100644 cres/Consistently_apply_authentication_strength.yaml create mode 100644 cres/Constrain_functional_features_based_on_user_stories.yaml create mode 100644 
cres/Create_random_GUIDs_with_cryptographically_secure_random_number_generators.yaml create mode 100644 cres/Credential_recovery.yaml create mode 100644 cres/Credentials_directives.yaml create mode 100644 cres/Cryptographic_directives.yaml create mode 100644 cres/Data_access_control.yaml create mode 100644 cres/Data_security_requirement_documentation.yaml create mode 100644 cres/Define_High-level_architecture_and_perform_security_analysis_on_it.yaml create mode 100644 cres/Define_security_steps_in_every_SDLC_stage.yaml create mode 100644 cres/Defined_lifetime_of_time-based_one-time_password.yaml create mode 100644 cres/Deny_new_users_by_default.yaml create mode 100644 cres/Dependency_integrity.yaml create mode 100644 cres/Dependency_management.yaml create mode 100644 cres/Deployed_topology.yaml create mode 100644 cres/Deployment_process.yaml create mode 100644 cres/Deserialization_Prevention.yaml create mode 100644 cres/Developer_Configuration_Management.yaml create mode 100644 cres/Developer_Testing_and_Evaluation.yaml create mode 100644 cres/Development_verification.yaml create mode 100644 cres/Disable_debug_mode_in_production.yaml create mode 100644 cres/Disable_insecure_SSL-TLS_versions.yaml create mode 100644 cres/Disallow_default_credentials.yaml create mode 100644 cres/Disallow_shared_high_privileged_accounts.yaml create mode 100644 cres/Disallow_unsupported-deprecated_client-side_technologies.yaml create mode 100644 cres/Do_not_disclose_technical_information_in_HTTP_header_or_response.yaml create mode 100644 cres/Do_not_disclose_technical_information_in_error_message.yaml create mode 100644 cres/Do_not_enforce_password_rotation_rules_or_history_requirements.yaml create mode 100644 cres/Do_not_expose_data_through_API_URLs.yaml create mode 100644 cres/Do_not_expose_data_through_HTTP_verb.yaml create mode 100644 cres/Do_not_expose_session_token_in_URL.yaml create mode 100644 cres/Do_not_fall_back_to_insecure_protocols_in_TCP.yaml create mode 100644 
cres/Do_not_limit_character_types_for_password_composition.yaml create mode 100644 cres/Do_not_log_credentials_or_payment_details.yaml create mode 100644 cres/Do_not_offer_weak_(clear_text)_authenticators_by_default.yaml create mode 100644 cres/Do_not_reveal_the_current_password_during_password_recovery.yaml create mode 100644 cres/Do_not_share_unsynchronized_state_on_high-value_logic_flows.yaml create mode 100644 cres/Do_not_store_secrets_in_the_code.yaml create mode 100644 cres/Do_not_store_sensitive_data_on_client_(browser)_storage.yaml create mode 100644 cres/Do_not_use_eval_or_dynamic_code_execution_functions.yaml create mode 100644 cres/Do_not_use_password_hints_or_secret_questions.yaml create mode 100644 cres/Do_not_use_static_secrets.yaml create mode 100644 cres/Document_all_trust_boundaries_and_significant_data_flows.yaml create mode 100644 cres/Document_explicit_key-secret_management.yaml create mode 100644 cres/Document_requirements_for_(data)_protection_levels.yaml create mode 100644 cres/Documentation_and_requirements.yaml create mode 100644 cres/Documentation_of_all_components_business_or_security_function.yaml create mode 100644 cres/Enable_certification_revocation.yaml create mode 100644 cres/Enable_configurable_alert_against_usage_anomalies.yaml create mode 100644 cres/Enable_option_to_log_out_from_all_active_session.yaml create mode 100644 cres/Encode_output_context-specifically.yaml create mode 100644 cres/Encode_output_near_the_consuming_interpreter.yaml create mode 100644 cres/Encode_output_while_preserving_user_input_formatting.yaml create mode 100644 cres/Encode_user_input_before_logging.yaml create mode 100644 cres/Encrypt_all_communications.yaml create mode 100644 cres/Encrypt_data_at_rest.yaml create mode 100644 cres/Encrypt_financial_data_at_rest.yaml create mode 100644 cres/Encrypt_health_data_at_rest.yaml create mode 100644 cres/Encrypt_personal_data_at_rest.yaml create mode 100644 
cres/Encrypt_sensitive_data_with_algorithms_that_provide_both_confidentiality_and_integrity.yaml create mode 100644 cres/Encryption_algorithms.yaml create mode 100644 cres/Enforce_JSON_schema_before_processing.yaml create mode 100644 cres/Enforce_access_control_on_trusted_parts-serverside.yaml create mode 100644 cres/Enforce_access_control_on_trusted_service_layer.yaml create mode 100644 cres/Enforce_additional_authorization_and_segregation_of_duties.yaml create mode 100644 cres/Enforce_authentication_timeout_when_dealing_with_an_authentication_third_party_(CSP).yaml create mode 100644 cres/Enforce_high_entropy_session_tokens.yaml create mode 100644 cres/Enforce_input_validation_on_a_trusted_service_layer.yaml create mode 100644 cres/Enforce_integrity_check_for_externally_hosted_assets_(eg_SRI).yaml create mode 100644 cres/Enforce_least_privilege.yaml create mode 100644 cres/Enforce_model-based_authorization_both_at_URI_and_final_resource.yaml create mode 100644 cres/Enforce_natural_sequence_of_business_flows_to_avoid_abuse.yaml create mode 100644 cres/Enforce_schema_on_XML_structure-field.yaml create mode 100644 cres/Enforce_schema_on_type-contents_of_structured_data.yaml create mode 100644 cres/Ensure_business_flows_thread_safety-resistance_to_race_conditions.yaml create mode 100644 cres/Ensure_cryptographic_elements_can_be_upgraded_or_replaced.yaml create mode 100644 cres/Ensure_integrity_of_DNS_entries_and_domains.yaml create mode 100644 cres/Ensure_keys_and_passwords_are_replaceable.yaml create mode 100644 cres/Ensure_proper_generation_of_secure_random.yaml create mode 100644 cres/Ensure_repeatability_of_deployment.yaml create mode 100644 cres/Ensure_secure_algorithms_for_generating_session_tokens.yaml create mode 100644 cres/Ensure_session_timeout_(soft-hard).yaml create mode 100644 cres/Ensure_that_physical_single_factor_OTP_generator_can_be_revoked_fully_immediately_when_lost.yaml create mode 100644 
cres/Ensure_that_secure_fail-safe_is_in_place_for_access_control.yaml create mode 100644 cres/Ensure_timely_expiration_of_out_of_band_authentication_request,_code,_or_tokens.yaml create mode 100644 cres/Ensure_trusted_origin_of_third_party_resources.yaml create mode 100644 cres/Ensure_users_can_remove_or_export_their_data.yaml create mode 100644 cres/Error_handling.yaml create mode 100644 cres/Escape_output_against_XSS.yaml create mode 100644 cres/Fail_securely.yaml create mode 100644 cres/File_download.yaml create mode 100644 cres/File_execution.yaml create mode 100644 cres/File_handling.yaml create mode 100644 cres/File_storage.yaml create mode 100644 cres/File_upload.yaml create mode 100644 cres/Force_format_strings_as_constants.yaml create mode 100644 cres/Force_output_encoding_for_specific_interpreters_context.yaml create mode 100644 cres/Force_pipeline_to_check_outdated-insecure_components.yaml create mode 100644 cres/Force_uniform_encoders_and_parsers_throughout_system.yaml create mode 100644 cres/Generate_a_new_session_token_after_authentication.yaml create mode 100644 cres/Generate_initial_passwords_with_sufficient_secure_random,_short_expiration_time_and_do_not_allow_to_reuse_the_initial_password..yaml create mode 100644 cres/Generate_lookup_secrets_with_sufficient_entropy.yaml create mode 100644 cres/HTTP_security_headers.yaml create mode 100644 cres/Harden_application_by_excluding_unwanted_functionality.yaml create mode 100644 cres/Http_headers.yaml create mode 100644 cres/Identify_sensitive_data_and_subject_it_to_a_policy.yaml create mode 100644 cres/Ignore-at_least_validate__filename_metadata_from_untrusted_origin_(local_file_context,_eg_LFI).yaml create mode 100644 cres/Ignore-at_least_validate__filename_metadata_from_untrusted_origin_(remote_file_context,_eg_RFI).yaml create mode 100644 cres/Ignore-at_least_validate_filenames_from_untrusted_origin_(against_RFD).yaml create mode 100644 cres/Ignore-block_execution_logic_from_untrusted_sources.yaml 
create mode 100644 cres/Implement_business_logic_limits_against_identified_business_risks.yaml create mode 100644 cres/Inform_users_clearly_about_the_collection_and_use_of_personal_data,__and_use_it_only_after_opt-in_consent..yaml create mode 100644 cres/Inform_users_for_authentication_renewal.yaml create mode 100644 cres/Input_validation.yaml create mode 100644 cres/Let_application_request_minimal_permissions.yaml create mode 100644 cres/Let_cryptographic_modules_fail_securely.yaml create mode 100644 cres/Limit-authorize_users_access_to_functionality.yaml create mode 100644 cres/Limit_REST_HTTP_methods.yaml create mode 100644 cres/Limit_access_to_admin-management_functionality.yaml create mode 100644 cres/Limit_modification_of_access_controls_to_specifically_authorized_actors-users.yaml create mode 100644 cres/Limit_query_impact_GraphQL-data_layer_expression_DoS.yaml create mode 100644 cres/Limit_size_and_number_of_uploaded_files.yaml create mode 100644 cres/Lock-precompile_queries_(parameterization)_to_avoid_injection_attacks.yaml create mode 100644 cres/Log_TLS_connection_failures.yaml create mode 100644 cres/Log_access_control_decisions.yaml create mode 100644 cres/Log_access_protection.yaml create mode 100644 cres/Log_access_to_sensitive_data.yaml create mode 100644 cres/Log_all_security_relevant_events.yaml create mode 100644 cres/Log_and_reject_re-use_of_valid_time-based_OTP_tokens_and_notify_device_holder..yaml create mode 100644 cres/Log_authentication_decisions_without_exposing_sensitive_data.yaml create mode 100644 cres/Log_discretely.yaml create mode 100644 cres/Log_events_sufficiently_to_recreate_their_order.yaml create mode 100644 cres/Log_in_consistent_format_across_system.yaml create mode 100644 cres/Log_injection_protection.yaml create mode 100644 cres/Log_integrity.yaml create mode 100644 cres/Log_only_non-sensitive_data.yaml create mode 100644 cres/Log_relevant.yaml create mode 100644 cres/Log_time_synchronization.yaml create mode 100644 
cres/Login_functionality.yaml create mode 100644 cres/Maintain-manage_inventory_of_third_party_repositories.yaml create mode 100644 cres/Make_(centrally)_available_secure_coding_resources_for_programmers.yaml create mode 100644 cres/Manage_temporary_storage.yaml create mode 100644 cres/Mandate_using_multi_factor_authentication.yaml create mode 100644 cres/Memory,_String,_and_Unmanaged_Code.yaml create mode 100644 cres/Minimize_communication.yaml create mode 100644 cres/Minimize_the_number_of_parameters_in_a_request.yaml create mode 100644 cres/Monitor_expectation_of_usage_intensity_(e.g._number_of_requests).yaml create mode 100644 cres/Monitor_for_realistic_human_time_business_logic_flows.yaml create mode 100644 cres/Monitor_suspected_automation_abuse.yaml create mode 100644 cres/Monitor_unusual_activities_on_system.yaml create mode 100644 cres/Mutually_authenticate_application_and_credential_service_provider.yaml create mode 100644 cres/Mutually_authenticate_application_components._Minimize_privileges.yaml create mode 100644 cres/Mutually_authenticate_application_components.yaml create mode 100644 cres/Network_Access_Control.yaml create mode 100644 cres/Network_protection.yaml create mode 100644 cres/Notify_user_about_credential_change.yaml create mode 100644 cres/Notify_users_about_anomalies_in_their_usage_patterns.yaml create mode 100644 cres/Offer_password_changing_functionality.yaml create mode 100644 cres/Only_store_hashed_authentication_codes.yaml create mode 100644 cres/Output_encoding_and_injection_prevention.yaml create mode 100644 cres/Parse_JSON_safely.yaml create mode 100644 cres/Perform_cryptographic_operations_in_constant_time.yaml create mode 100644 cres/Perform_regular_backups_of_important_data_and_test_restoration.yaml create mode 100644 cres/Personal_data_handling.yaml create mode 100644 cres/Physical_security.yaml create mode 100644 cres/Prevent_Click_jacking_through_X-Frame-Options_or_CSP.yaml create mode 100644 
cres/Prevent_caching_of_sensitive_data_in_server_components.yaml create mode 100644 cres/Prevent_security_disclosure.yaml create mode 100644 cres/Proper_Configuration_for_all_applications_and_frameworks.yaml create mode 100644 cres/Protect_API_against_unauthorized_access-modification_(IDOR).yaml create mode 100644 cres/Protect_against_JS_or_JSON_injection_attacks.yaml create mode 100644 cres/Protect_against_LDAP_injection.yaml create mode 100644 cres/Protect_against_LFI_-_RFI.yaml create mode 100644 cres/Protect_against_OS_command_injection_attack.yaml create mode 100644 cres/Protect_against_XML-XPath_injection.yaml create mode 100644 cres/Protect_against_directory_browsing-discovery_attacks.yaml create mode 100644 cres/Protect_against_mass_parameter_assignment_attack.yaml create mode 100644 cres/Protect_and_clear_cached_sensitive_data.yaml create mode 100644 cres/Protect_communication_between_application_components.yaml create mode 100644 cres/Protect_logs_against_log_injection.yaml create mode 100644 cres/Protect_logs_against_unauthorized_access.yaml create mode 100644 cres/Protect_sensitive_functionalities_against_race_conditions.yaml create mode 100644 cres/Protect_session_ID.yaml create mode 100644 cres/Provide_a_password_strength_meter.yaml create mode 100644 cres/Provide_options_to_view_entire_password_or_last_typed_character.yaml create mode 100644 cres/Provide_system_flexibility_for_access_control.yaml create mode 100644 cres/Re-authenticate_before_sensitive_transactions.yaml create mode 100644 cres/Re-authentication_from_federation_or_assertion.yaml create mode 100644 cres/Reject_non-whitelisted_content_types.yaml create mode 100644 cres/Remove_unnecessary_features,_documentation,_configuration_etc.yaml create mode 100644 cres/Require_proof_of_identity_of_the_same_level_as_during_enrollment_when_recovering_OTP_or_MFA.yaml create mode 100644 cres/Resist_stolen_credentials.yaml create mode 100644 cres/Restrict_XML_parsing_(against_XXE).yaml create mode 
100644 cres/Restrict_excessive_authentication.yaml create mode 100644 cres/Sandbox,_containerize_and-or_isolate_applications_at_the_network_level.yaml create mode 100644 cres/Sandbox_third_party_libraries.yaml create mode 100644 cres/Sanitization_and_sandboxing.yaml create mode 100644 cres/Sanitize,_disable,_or_sandbox_untrusted_SVG_scriptable_content.yaml create mode 100644 cres/Sanitize,_disable,_or_sandbox_untrusted_scriptable_or_template_language_content.yaml create mode 100644 cres/Sanitize-sandbox_user_input_where_template-injection_is_a_threat.yaml create mode 100644 cres/Sanitize_filename_metadata_from_untrusted_origin_if_processing_is_required.yaml create mode 100644 cres/Sanitize_unstructured_data.yaml create mode 100644 cres/Sanitize_untrusted_HTML_input.yaml create mode 100644 cres/Sanitize_user_input_before_passing_content_to_mail_systems_(SMTP-IMAP_injection).yaml create mode 100644 cres/Scan_untrusted_files_for_malware.yaml create mode 100644 cres/Secret_storage.yaml create mode 100644 cres/Secure_Development.yaml create mode 100644 cres/Secure_auto-updates_over_full_stack.yaml create mode 100644 cres/Secure_name-address_resolution_service.yaml create mode 100644 cres/Secure_random_values.yaml create mode 100644 cres/Secure_serialized_objects_(e.g._integrity_checks).yaml create mode 100644 cres/Securely_automate_build_and_deployment_in_pipeline.yaml create mode 100644 cres/Securely_store_files_with_untrusted_origin.yaml create mode 100644 cres/Securely_store_regulated_data.yaml create mode 100644 cres/Securely_transfer_logs_(remotely).yaml create mode 100644 cres/Security_and_Privacy_Engineering_Principles.yaml create mode 100644 cres/Segregate_components_of_differing_trust_levels.yaml create mode 100644 cres/Send_authentication_secrets_encrypted.yaml create mode 100644 cres/Separate_GraphQL_(or_similar)_authorization_logic_from_data_layer.yaml create mode 100644 cres/Separate_storage_of_user_uploaded_files.yaml create mode 100644 
cres/Server_protection.yaml create mode 100644 cres/Session_integrity.yaml create mode 100644 cres/Session_lifecycle.yaml create mode 100644 cres/Session_token_generation.yaml create mode 100644 cres/Set__Host__prefix_for_cookie-based_session_tokens.yaml create mode 100644 cres/Set_and_confirm_integrity_of_security_deployment_configuration.yaml create mode 100644 cres/Set_content_HTTP_response_type.yaml create mode 100644 cres/Set_httponly_attribute_for_cookie-based_session_tokens.yaml create mode 100644 cres/Set_metadata-content-Disposition_for_API_responses.yaml create mode 100644 cres/Set_path_attribute_in_cookie-based_session_tokens_as_precise_as_possible.yaml create mode 100644 cres/Set_proper_(C)_compiler_flags.yaml create mode 100644 cres/Set_samesite_attribute_for_cookie-based_session_tokens.yaml create mode 100644 cres/Set_secure_attribute_for_cookie-based_session_tokens.yaml create mode 100644 cres/Set_sufficient_anti-caching_headers.yaml create mode 100644 cres/Set_the_highest_feasible_iteration_count_for_PBKDF2.yaml create mode 100644 cres/Set_the_highest_feasible_work_factor_for_bcrypt.yaml create mode 100644 cres/Show_generic_message_for_security_exceptions_or_unanticipated_exceptions.yaml create mode 100644 cres/Store_and_serve_user-uploaded_files_such_that_they_cannot_execute-damage_server_or_client.yaml create mode 100644 cres/Store_backups_securely.yaml create mode 100644 cres/Store_credentials_securely.yaml create mode 100644 cres/Store_cryptographic_keys_securely.yaml create mode 100644 cres/Store_passwords_salted_and_hashed.yaml create mode 100644 cres/Support_subscriber-provided_authentication_devices.yaml create mode 100644 cres/Synchronize_time_zones_for_logs.yaml create mode 100644 cres/System_time_synchronization.yaml create mode 100644 cres/Terminate_all_sessions_when_password_is_changed.yaml create mode 100644 cres/Terminate_session_after_logout.yaml create mode 100644 cres/Threat_model_every_design_change_or_sprint.yaml create mode 
100644 cres/Treat_client-secrets_as_insecure.yaml create mode 100644 cres/Update_third_party_components_build-_or_compile_time.yaml create mode 100644 cres/Use_ABAC-FBAC_on_data-feature_level,_even_when_using_RBAC_for_permissions.yaml create mode 100644 cres/Use_CSRF_protection_against_authenticated_functionality,_add_anti-automation_controls_for_unauthenticated_functionality.yaml create mode 100644 cres/Use_SAST_for_malicious_content.yaml create mode 100644 cres/Use_a_centralized_access_control_mechanism.yaml create mode 100644 cres/Use_a_dedicated_secrets_management_solution.yaml create mode 100644 cres/Use_a_standard_last-resort_error_handler_for_unhandled_errors.yaml create mode 100644 cres/Use_a_unique_challenge_nonce_of_sufficient_size.yaml create mode 100644 cres/Use_an_isolated_security_module_for_cryptographic_operations.yaml create mode 100644 cres/Use_approved_cryptographic_algorithms.yaml create mode 100644 cres/Use_approved_cryptographic_algorithms_for_generation,_seeding_and_verification.yaml create mode 100644 cres/Use_approved_cryptographic_algorithms_in_generation,_seeding_and_verification_of_OTPs.yaml create mode 100644 cres/Use_centralized_authentication_mechanism.yaml create mode 100644 cres/Use_cryptographically_secure_random_number_generators.yaml create mode 100644 cres/Use_ephemeral_secrets_rather_than_static_secrets.yaml create mode 100644 cres/Use_exception_handling_uniformly.yaml create mode 100644 cres/Use_key_vaults.yaml create mode 100644 cres/Use_least_privilege_OS_accounts_for_system_(components).yaml create mode 100644 cres/Use_least_privilege_for_resources.yaml create mode 100644 cres/Use_lookup_secrets_only_once.yaml create mode 100644 cres/Use_memory-safe_functions_exclusively.yaml create mode 100644 cres/Use_multifactor_authentication_on_administrative_interfaces.yaml create mode 100644 cres/Use_nonces_and_initialization_vectors_only_once.yaml create mode 100644 
cres/Use_out_of_band_authentication_requests,_codes_or_tokens_only_once.yaml create mode 100644 cres/Use_proper_source_code_control_system.yaml create mode 100644 cres/Use_secure_random_to_generate_initial_authentication_codes.yaml create mode 100644 cres/Use_secure_recovery_mechanisms_for_forgotten_passwords.yaml create mode 100644 cres/Use_security_module_to_store_one-time_password_verification_keys.yaml create mode 100644 cres/Use_separately_stored_secret_salt_(pepper).yaml create mode 100644 cres/Use_state_of_the_art_cryptographic_configuration.yaml create mode 100644 cres/Use_strong_authenticators_with_priority_and_weak_authenticators_only_for_less_secure_access.yaml create mode 100644 cres/Use_time-based_OTP_only_once.yaml create mode 100644 cres/Use_unique_random_salt_with_sufficient_entropy_for_each_credential.yaml create mode 100644 cres/Use_unpredictable_lookup_secrets.yaml create mode 100644 cres/Use_weak_crypto_only_for_backwards_compatibility.yaml create mode 100644 cres/User_passwords_are_of_sufficient_minimum_length.yaml create mode 100644 cres/Validate_HTTP_request_headers.yaml create mode 100644 cres/Validate_file_type_of_data_from_untrusted_sources.yaml create mode 100644 cres/Validate_max_input-file_sizes.yaml create mode 100644 cres/Validatie-enforce_HTTP_inputs_(against_HTTP_parameter_pollution_attacks).yaml create mode 100644 cres/Verify_TLS_certificates_and_trust_chain.yaml create mode 100644 cres/Verify_content-type_for_REST_services.yaml create mode 100644 cres/Verify_strong_TLS_algorithms_by_testing.yaml create mode 100644 cres/Verify_the_authenticity_of_both_headers_and_payload.yaml create mode 100644 cres/Was:_TBD.yaml create mode 100644 cres/When_storing_session_tokens_in_browser,_use_secure_methods_only.yaml create mode 100644 cres/When_using_an_authentication_third_party_(CSP),_relay_last_authentication_event_to_other_parties_in_the_chain.yaml create mode 100644 
cres/When_using_stateless_tokens,_ensure_cryptographically_secure_characteristics.yaml create mode 100644 cres/White-list_HTTP_methods.yaml create mode 100644 cres/Whitelist_CORS_resources.yaml create mode 100644 cres/Whitelist_all_external_(HTTP)_input.yaml create mode 100644 cres/Whitelist_data_sources_and_sinks.yaml create mode 100644 cres/Whitelist_file_extensions_served_by_web_tier.yaml create mode 100644 cres/Whitelist_redirected-forwarded_URLs.yaml create mode 100644 cres/Wireless_link_protection.yaml create mode 100644 cres/XML_Parser_hardening.yaml create mode 100644 cres/Zeroize_sensitive_information_in_memory_after_use.yaml create mode 100644 cres/zap-alerts/0.yml create mode 100644 cres/zap-alerts/10003.yml create mode 100644 cres/zap-alerts/10009.yml create mode 100644 cres/zap-alerts/10010.yml create mode 100644 cres/zap-alerts/10011.yml create mode 100644 cres/zap-alerts/10015.yml create mode 100644 cres/zap-alerts/10017.yml create mode 100644 cres/zap-alerts/10019.yml create mode 100644 cres/zap-alerts/10020-1.yml create mode 100644 cres/zap-alerts/10020-2.yml create mode 100644 cres/zap-alerts/10020-3.yml create mode 100644 cres/zap-alerts/10020-4.yml create mode 100644 cres/zap-alerts/10020.yml create mode 100644 cres/zap-alerts/10021.yml create mode 100644 cres/zap-alerts/10023.yml create mode 100644 cres/zap-alerts/10024.yml create mode 100644 cres/zap-alerts/10025.yml create mode 100644 cres/zap-alerts/10026.yml create mode 100644 cres/zap-alerts/10027.yml create mode 100644 cres/zap-alerts/10028.yml create mode 100644 cres/zap-alerts/10029.yml create mode 100644 cres/zap-alerts/10030.yml create mode 100644 cres/zap-alerts/10031.yml create mode 100644 cres/zap-alerts/10032-1.yml create mode 100644 cres/zap-alerts/10032-2.yml create mode 100644 cres/zap-alerts/10032-3.yml create mode 100644 cres/zap-alerts/10032-4.yml create mode 100644 cres/zap-alerts/10032-5.yml create mode 100644 cres/zap-alerts/10032-6.yml create mode 100644 
cres/zap-alerts/10032.yml create mode 100644 cres/zap-alerts/10033.yml create mode 100644 cres/zap-alerts/10034.yml create mode 100644 cres/zap-alerts/10035.yml create mode 100644 cres/zap-alerts/10036.yml create mode 100644 cres/zap-alerts/10037.yml create mode 100644 cres/zap-alerts/10038.yml create mode 100644 cres/zap-alerts/10039.yml create mode 100644 cres/zap-alerts/10040.yml create mode 100644 cres/zap-alerts/10041.yml create mode 100644 cres/zap-alerts/10042.yml create mode 100644 cres/zap-alerts/10043.yml create mode 100644 cres/zap-alerts/10044.yml create mode 100644 cres/zap-alerts/10045.yml create mode 100644 cres/zap-alerts/10047.yml create mode 100644 cres/zap-alerts/10048.yml create mode 100644 cres/zap-alerts/10049.yml create mode 100644 cres/zap-alerts/10050.yml create mode 100644 cres/zap-alerts/10051.yml create mode 100644 cres/zap-alerts/10052.yml create mode 100644 cres/zap-alerts/10054.yml create mode 100644 cres/zap-alerts/10055.yml create mode 100644 cres/zap-alerts/10056.yml create mode 100644 cres/zap-alerts/10057.yml create mode 100644 cres/zap-alerts/10058.yml create mode 100644 cres/zap-alerts/10061.yml create mode 100644 cres/zap-alerts/10062.yml create mode 100644 cres/zap-alerts/10063.yml create mode 100644 cres/zap-alerts/10070.yml create mode 100644 cres/zap-alerts/10094.yml create mode 100644 cres/zap-alerts/10095.yml create mode 100644 cres/zap-alerts/10096.yml create mode 100644 cres/zap-alerts/10097.yml create mode 100644 cres/zap-alerts/10098.yml create mode 100644 cres/zap-alerts/10099.yml create mode 100644 cres/zap-alerts/10103.yml create mode 100644 cres/zap-alerts/10104.yml create mode 100644 cres/zap-alerts/10105.yml create mode 100644 cres/zap-alerts/10106.yml create mode 100644 cres/zap-alerts/10107.yml create mode 100644 cres/zap-alerts/10108.yml create mode 100644 cres/zap-alerts/10109.yml create mode 100644 cres/zap-alerts/10110.yml create mode 100644 cres/zap-alerts/10202.yml create mode 100644 
cres/zap-alerts/110001.yml create mode 100644 cres/zap-alerts/110002.yml create mode 100644 cres/zap-alerts/110003.yml create mode 100644 cres/zap-alerts/110004.yml create mode 100644 cres/zap-alerts/110005.yml create mode 100644 cres/zap-alerts/110006.yml create mode 100644 cres/zap-alerts/110007.yml create mode 100644 cres/zap-alerts/110008.yml create mode 100644 cres/zap-alerts/2.yml create mode 100644 cres/zap-alerts/20012.yml create mode 100644 cres/zap-alerts/20014.yml create mode 100644 cres/zap-alerts/20015.yml create mode 100644 cres/zap-alerts/20016.yml create mode 100644 cres/zap-alerts/20017.yml create mode 100644 cres/zap-alerts/20018.yml create mode 100644 cres/zap-alerts/20019.yml create mode 100644 cres/zap-alerts/3.yml create mode 100644 cres/zap-alerts/30001.yml create mode 100644 cres/zap-alerts/30002.yml create mode 100644 cres/zap-alerts/30003.yml create mode 100644 cres/zap-alerts/40003.yml create mode 100644 cres/zap-alerts/40008.yml create mode 100644 cres/zap-alerts/40009.yml create mode 100644 cres/zap-alerts/40012.yml create mode 100644 cres/zap-alerts/40013.yml create mode 100644 cres/zap-alerts/40014.yml create mode 100644 cres/zap-alerts/40015.yml create mode 100644 cres/zap-alerts/40016.yml create mode 100644 cres/zap-alerts/40017.yml create mode 100644 cres/zap-alerts/40018.yml create mode 100644 cres/zap-alerts/40019.yml create mode 100644 cres/zap-alerts/40020.yml create mode 100644 cres/zap-alerts/40021.yml create mode 100644 cres/zap-alerts/40022.yml create mode 100644 cres/zap-alerts/40023.yml create mode 100644 cres/zap-alerts/40024.yml create mode 100644 cres/zap-alerts/40025.yml create mode 100644 cres/zap-alerts/40026.yml create mode 100644 cres/zap-alerts/40027.yml create mode 100644 cres/zap-alerts/40028.yml create mode 100644 cres/zap-alerts/40029.yml create mode 100644 cres/zap-alerts/40032.yml create mode 100644 cres/zap-alerts/40033.yml create mode 100644 cres/zap-alerts/40034.yml create mode 100644 
cres/zap-alerts/40035.yml create mode 100644 cres/zap-alerts/40036.yml create mode 100644 cres/zap-alerts/40038.yml create mode 100644 cres/zap-alerts/40039.yml create mode 100644 cres/zap-alerts/40040-1.yml create mode 100644 cres/zap-alerts/40040-2.yml create mode 100644 cres/zap-alerts/40040-3.yml create mode 100644 cres/zap-alerts/40040.yml create mode 100644 cres/zap-alerts/40041.yml create mode 100644 cres/zap-alerts/40042.yml create mode 100644 cres/zap-alerts/40043-1.yml create mode 100644 cres/zap-alerts/40043-2.yml create mode 100644 cres/zap-alerts/40043.yml create mode 100644 cres/zap-alerts/41.yml create mode 100644 cres/zap-alerts/42.yml create mode 100644 cres/zap-alerts/43.yml create mode 100644 cres/zap-alerts/6.yml create mode 100644 cres/zap-alerts/7.yml create mode 100644 cres/zap-alerts/90001.yml create mode 100644 cres/zap-alerts/90002.yml create mode 100644 cres/zap-alerts/90003.yml create mode 100644 cres/zap-alerts/90004-1.yml create mode 100644 cres/zap-alerts/90004-2.yml create mode 100644 cres/zap-alerts/90004-3.yml create mode 100644 cres/zap-alerts/90004.yml create mode 100644 cres/zap-alerts/90011.yml create mode 100644 cres/zap-alerts/90017.yml create mode 100644 cres/zap-alerts/90018.yml create mode 100644 cres/zap-alerts/90019.yml create mode 100644 cres/zap-alerts/90020.yml create mode 100644 cres/zap-alerts/90021.yml create mode 100644 cres/zap-alerts/90022.yml create mode 100644 cres/zap-alerts/90023.yml create mode 100644 cres/zap-alerts/90024.yml create mode 100644 cres/zap-alerts/90025.yml create mode 100644 cres/zap-alerts/90026.yml create mode 100644 cres/zap-alerts/90027.yml create mode 100644 cres/zap-alerts/90028.yml create mode 100644 cres/zap-alerts/90029.yml create mode 100644 cres/zap-alerts/90030.yml create mode 100644 cres/zap-alerts/90033.yml create mode 100644 cres/zap-alerts/90034.yml diff --git a/application/cmd/cre_main.py b/application/cmd/cre_main.py index cb6f8622a..f91d11f7c 100644 
--- a/application/cmd/cre_main.py +++ b/application/cmd/cre_main.py @@ -12,7 +12,8 @@ from application.database import db from application.defs import cre_defs as defs from application.defs import osib_defs as odefs -from application.utils import parsers +from application.utils import spreadsheet_parsers +from application.utils.external_project_parsers import zap_alerts_parser from application.utils import spreadsheet as sheet_utils from dacite import from_dict from dacite.config import Config @@ -108,8 +109,8 @@ def parse_file( for contents in yamldocs: links = [] - document: defs.Document - register_callback: Callable[[Any, Any], Any] + document: Optional[defs.Document] = None + register_callback: Optional[Callable[[Any, Any], Any]] = None if not isinstance( contents, dict @@ -185,13 +186,13 @@ def parse_standards_from_spreadsheeet( hi_lvl_CREs = {} cres = {} if "CRE Group 1" in cre_file[0].keys(): - hi_lvl_CREs, cres = parsers.parse_v1_standards(cre_file) + hi_lvl_CREs, cres = spreadsheet_parsers.parse_v1_standards(cre_file) elif "CRE:name" in cre_file[0].keys(): - cres = parsers.parse_export_format(cre_file) + cres = spreadsheet_parsers.parse_export_format(cre_file) elif any(key.startswith("CRE hierarchy") for key in cre_file[0].keys()): - cres = parsers.parse_hierarchical_export_format(cre_file) + cres = spreadsheet_parsers.parse_hierarchical_export_format(cre_file) else: - cres = parsers.parse_v0_standards(cre_file) + cres = spreadsheet_parsers.parse_v0_standards(cre_file) # register groupless cres first for _, cre in cres.items(): @@ -358,6 +359,10 @@ def run(args: argparse.Namespace) -> None: elif args.osib_out: export_to_osib(file_loc=args.osib_out, cache=args.cache_file) + + elif args.zap_in: + zap_alerts_parser.parse_zap_alerts(db_connect(args.cache_file)) + elif args.owasp_proj_meta: owasp_metadata_to_cre(args.owasp_proj_meta) diff --git a/application/database/db.py b/application/database/db.py index 715870429..457464254 100644 
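Review bot: The new `elif args.zap_in:` branch in `run` gives no hint that it reaches out to the network. The call it makes, `zap_alerts_parser.parse_zap_alerts(...)`, clones `https://github.com/zaproxy/zaproxy-website.git` and, as far as the parser file later in this patch shows, does so without a pinned revision, so what lands in the cache db depends on the upstream state at run time. A comment on the branch would make that visible, e.g. `# clones zaproxy-website over the network and writes its alerts into the cache db`, and the parser would be easier to audit if it accepted a commit or tag to check out. `run` begins and ends outside this hunk, and the definition of the `zap_in` argument is not part of it.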
--- a/application/database/db.py +++ b/application/database/db.py @@ -1,5 +1,4 @@ from typing import cast -from pprint import pprint import logging import re @@ -140,15 +139,10 @@ def __get_internal_links(self) -> List[Tuple[CRE, CRE, str]]: internal_links.append((group, cre, il.type)) return internal_links - def __get_unlinked_nodes( - self, ntype: str = cre_defs.Standard.__name__ - ) -> List[Node]: + def __get_unlinked_nodes(self) -> List[Node]: linked_nodes = ( - self.session.query(Node.id) - .join(Links) - .filter(Node.id == Links.node) - .filter(Node.ntype == ntype) + self.session.query(Node.id).join(Links).filter(Node.id == Links.node) ) nodes: List[Node] = ( @@ -411,9 +405,11 @@ def get_nodes( nodes.append(node) return nodes else: - logger.warning(f"Node {name} of type {ntype} does not exist in the db") + logger.warning( + f"Node {name} of type {ntype} and section {section} does not exist in the db" + ) - return None + return [] def __get_nodes_query__( self, @@ -623,9 +619,16 @@ def export(self, dir: str, dry_run: bool = False) -> List[cre_defs.Document]: docs[ "%s-%s:%s:%s" % (unode.name, unode.doctype, unode.id, unode.description) ] = unode + logger.info(f"{unode.name} is unlinked?") for _, doc in docs.items(): - title = doc.name.replace("/", "-") + ".yaml" + title = ( + doc.name.replace("/", "-") + .replace(" ", "_") + .replace('"', "") + .replace("'", "") + + ".yaml" + ) if not dry_run: file.writeToDisk( file_title=title, @@ -1072,3 +1075,13 @@ def CREfromDB(dbcre: CRE) -> cre_defs.CRE: return cre_defs.CRE( name=dbcre.name, description=dbcre.description, id=dbcre.external_id, tags=tags ) + + +def dbCREfromCRE(cre: cre_defs.CRE) -> CRE: + tags = cre.tags if cre.tags else [] + return CRE( + name=cre.name, + description=cre.description, + external_id=cre.id, + tags=",".join(tags), + ) 
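Review bot: `__get_unlinked_nodes` no longer filters on `Node.ntype`, so it now returns every node without a link rather than only standards, and nothing in the method records that change. A docstring such as `"""Return all nodes, of any ntype, that have no entry in Links."""` would state the new contract. The `ntype` parameter is removed as well, so any caller still passing it would fail with `TypeError`. The rest of the method body lies outside the hunk, so the second query could not be checked.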
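Review bot: The `title` built in `export` cleans `doc.name` with a denylist (`/`, space and the two quote characters), which leaves backslashes, `:`, `>` and control characters in the file name and lets distinct names, for example ones differing only in spaces versus underscores, collapse onto the same file. Since this patch starts storing names parsed from an external repository, an allowlist is the safer form: `title = re.sub(r"[^A-Za-z0-9._-]+", "_", doc.name) + ".yaml"` (`re` is already imported at the top of db.py), ideally with a check that the same title was not already written in this run. The added `logger.info(f"{unode.name} is unlinked?")` reads like leftover debugging and could be lowered to `debug` or dropped. `export` starts and ends outside the hunk.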
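Review bot: `dbCREfromCRE` stores tags as `",".join(tags)`, so a tag that itself contains a comma would come back as two tags if `CREfromDB` splits the column on commas (its body is outside this hunk, so that is an assumption). Either reject such tags here, `if any("," in t for t in tags): raise ValueError("tags must not contain commas")`, or state the restriction in a docstring, e.g. `"""Convert a cre_defs.CRE into its database row; tags are stored comma-joined."""`.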
diff --git a/application/tests/parsers_test.py b/application/tests/spreadsheet_parsers_test.py similarity index 99% rename from application/tests/parsers_test.py rename to application/tests/spreadsheet_parsers_test.py index f1cfe2259..6a773cfe5 100644 --- a/application/tests/parsers_test.py +++ b/application/tests/spreadsheet_parsers_test.py @@ -3,12 +3,12 @@ from pprint import pprint from application.defs import cre_defs as defs -from application.utils.parsers import parse_export_format -from application.utils.parsers import ( +from application.utils.spreadsheet_parsers import ( parse_hierarchical_export_format, parse_uknown_key_val_standards_spreadsheet, parse_v0_standards, parse_v1_standards, + parse_export_format, ) diff --git a/application/utils/external_project_parsers/__init__.py b/application/utils/external_project_parsers/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/application/utils/external_project_parsers/zap_alerts_parser.py b/application/utils/external_project_parsers/zap_alerts_parser.py new file mode 100644 index 000000000..e2b08b774 --- /dev/null +++ b/application/utils/external_project_parsers/zap_alerts_parser.py 
@@ -0,0 +1,80 @@
+# script to parse zaproxy website md files describing alerts find the CWE ids
+# and add the alerts to CRE
+from typing import List
+from application.database import db
+from application.utils import git
+from application.defs import cre_defs as defs
+import os
+import re
+
+
+def zap_alert(
+ name: str, id: str, description: str, tags: List[str], code: str
+) -> defs.Tool:
+ return defs.Tool(
+ tooltype=defs.ToolTypes.Offensive,
+ name=f"ZAP Alert: {name}",
+ id=id,
+ description=description,
+ tags=tags,
+ hyperlink=code,
+ )
+
+
+def parse_zap_alerts(cache: db.Node_collection):
+ zaproxy_website = "https://github.com/zaproxy/zaproxy-website.git"
+ alerts_path = "site/content/docs/alerts/"
+ zap_md_cwe_regexp = r"cwe: ?(?P\d+)"
+ zap_md_title_regexp = r"title: ?(?P\".+\")"
+ zap_md_alert_id_regexp = r"alertid: ?(?P<id>\d+)"
+ zap_md_alert_type_regexp = r"alerttype: ?(?P<type>\".+\")"
+ zap_md_solution_regexp = r"solution: ?(?P<solution>\".+\")"
+ zap_md_code_regexp = r"code: ?(?P<code>\".+\")"
+
+ repo = git.clone(zaproxy_website)
+ for mdfile in os.listdir(os.path.join(repo.working_dir, alerts_path)):
+ pth = os.path.join(repo.working_dir, alerts_path, mdfile)
+ name = None
+ externalId = None
+ tag = None
+ description = None
+ code = None
+ with open(pth) as mdf:
+ mdtext = mdf.read()
+ title = re.search(zap_md_title_regexp, mdtext)
+ if title:
+ name = title.group("title")
+
+ id = re.search(zap_md_alert_id_regexp, mdtext)
+ if id:
+ externalId = id.group("id")
+
+ type_tag = re.search(zap_md_alert_type_regexp, mdtext)
+ if type_tag:
+ tag = type_tag.group("type")
+
+ desc = re.search(zap_md_solution_regexp, mdtext)
+ if desc:
+ description = desc.group("solution")
+ cd = re.search(zap_md_code_regexp, mdtext)
+ if cd:
+ code = desc.group("code")
+
+ cwe = re.search(zap_md_cwe_regexp, mdtext)
+ if cwe:
+ cweId = cwe.group("cweId")
+ cwe_nodes = cache.get_nodes(name="CWE", section=cweId)
+ for node in cwe_nodes:
+ for link in node.links:
+ if
link.document.doctype == defs.Credoctypes.CRE: + alert = zap_alert( + name=name, + id=externalId, + description=description, + tags=[tag], + code=code, + ) + dbnode = cache.add_node(alert) + cache.add_link( + cre=db.dbCREfromCRE(link.document), node=dbnode + ) diff --git a/application/utils/git.py b/application/utils/git.py index 10a305598..4cf5a6a7f 100644 --- a/application/utils/git.py +++ b/application/utils/git.py @@ -1,10 +1,12 @@ +from typing import Optional import logging import os from datetime import datetime +import tempfile import git - +from git.repo.base import Repo from github import Github logger = logging.getLogger(__name__) @@ -67,3 +69,11 @@ def createPullRequest( pr = github.get_repo(repo).create_pull( title=title, body=body, head=srcBranch, base="master" ) + + +def clone(source: str, dest: Optional[str] = None): + if not dest: + dest = tempfile.mkdtemp() + with git.Git().custom_environment(): + repo = Repo.clone_from(url=source, to_path=dest) + return repo diff --git a/application/utils/parsers.py b/application/utils/spreadsheet_parsers.py similarity index 100% rename from application/utils/parsers.py rename to application/utils/spreadsheet_parsers.py diff --git a/cre.py b/cre.py index 87e8c794b..0f2df5088 100644 --- a/cre.py +++ b/cre.py @@ -100,9 +100,8 @@ def main() -> None: parser.add_argument( "--owasp_proj_meta", - default=os.path.join( - os.path.dirname(os.path.realpath(__file__)), "./cres/owasp/projects.yaml" - ), + default=None, + # default=os.path.join(os.path.dirname(os.path.realpath(__file__)), "./cres/owasp/projects.yaml"), help="define location of owasp project metadata", ) parser.add_argument( @@ -115,6 +114,12 @@ def main() -> None: default=None, help="define location of local directory to export database in OSIB format to", ) + + parser.add_argument( + "--zap_in", + action="store_true", + help="import zap alerts by cloning zap's website and parsing the alert .md files", + ) args = parser.parse_args() cre_main.run(args) 
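Review bot: `code = desc.group("code")` in `parse_zap_alerts` reads the wrong match object: `desc` is the solution match and has no `code` group, so an alert file with a `code:` line raises IndexError, or AttributeError when the file has no solution line; it should be `code = cd.group("code")`. The title, type, solution and code captures also keep their surrounding double quotes because the quotes sit inside the named group, and `name`, `externalId` or `tag` can still be None when `zap_alert` is called, which yields a node named `ZAP Alert: None` with `tags=[None]`. These values come from a freshly cloned third-party repository and `code` is stored as the tool's `hyperlink`, so I would skip files that lack a title or alert id and accept `code` only when it starts with `https://` before calling `cache.add_node`. `os.listdir` also returns entries that are not alert pages, so a `mdfile.endswith(".md")` check and an explicit `encoding="utf-8"` on `open` would make the loop more predictable.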
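Review bot: `clone` creates its destination with `tempfile.mkdtemp()` and nothing visible in this commit removes it, so every `--zap_in` run leaves a full checkout on disk; the caller should delete `repo.working_dir` when done, or own a `tempfile.TemporaryDirectory()` and pass it as `dest`. The clone pulls the whole history of whatever the default branch currently points at: `Repo.clone_from(url=source, to_path=dest, depth=1)` is enough for reading files, and checking out a pinned commit would make the import reproducible and reviewable. `git.Git().custom_environment()` with no arguments sets nothing and can be dropped, and the function would read better with a `-> Repo` return annotation and a one-line docstring. The only caller passes a hard-coded https URL; if `source` ever becomes caller-supplied it should be limited to `https://` URLs, since git accepts other transports.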
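Review bot: The previous default for `--owasp_proj_meta` is left in `cre.py` as a commented-out line under `default=None`; delete it rather than keep dead code, since the history already preserves it. With the default gone the option is None unless passed, so the code that reads `args.owasp_proj_meta` (outside this hunk) needs to handle None explicitly. The help text of the new `--zap_in` flag in the next hunk could also say that it performs a network clone, for example `help="import zap alerts by cloning zap's website (network access) and parsing the alert .md files"`.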
diff --git a/cres/(SSRF)_When_depending_on_internal_server_input,_use_validation_sanitization_and_whitelisting.yaml b/cres/(SSRF)_When_depending_on_internal_server_input,_use_validation_sanitization_and_whitelisting.yaml new file mode 100644 index 000000000..4e41eb096 --- /dev/null +++ b/cres/(SSRF)_When_depending_on_internal_server_input,_use_validation_sanitization_and_whitelisting.yaml 
@@ -0,0 +1,62 @@ +doctype: CRE +id: 657-084 +links: +- document: + doctype: CRE + id: 764-765 + name: Sanitization and sandboxing + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: CRE + id: 028-727 + name: SSRF + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.2.6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/918.html + name: CWE + section: '918' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11-Testing_for_Code_Injection.html + name: WSTG + section: WSTG-INPV-11 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Server Side Request Forgery Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Cross Site Scripting Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: DOM based XSS Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html + name: Cheat_sheets + section: Unvalidated Redirects and Forwards Cheat Sheet + ltype: Linked To +name: (SSRF) When depending on internal server input, use validation sanitization + and whitelisting +tags: +- SSRF 
diff --git a/cres/>>Authentication.yaml b/cres/>>Authentication.yaml index 912a3bd2e..10425ca9b 100644 --- a/cres/>>Authentication.yaml +++ b/cres/>>Authentication.yaml 
@@ -5,103 +5,81 @@ links: doctype: CRE id: 270-568 name: Authentication mechanism - type: Contains + ltype: Contains - document: doctype: CRE id: 455-885 name: Credentials directives - type: Contains + ltype: Contains - document: doctype: CRE id: 065-782 name: Ensure session timeout (soft/hard) - type: Related + ltype: Related - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-7 name: NIST 800-53 v5 section: AC-7 UNSUCCESSFUL LOGON ATTEMPTS - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-8 name: NIST 800-53 v5 section: AC-8 SYSTEM USE NOTIFICATION - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-9 name: NIST 800-53 v5 section: AC-9 PREVIOUS LOGON NOTIFICATION - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-1 name: NIST 800-53 v5 section: IA-1 Policy and Procedures - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-10 name: NIST 800-53 v5 section: IA-10 Adaptive Authentication - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-12 name: NIST 800-53 v5 section: IA-12 Identity Proofing - subsection: '' - version: '' - type: 
Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-2 name: NIST 800-53 v5 section: IA-2 Identification and Authentication (organizational Users) - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-3 name: NIST 800-53 v5 section: IA-3 Device Identification and Authentication - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-4 name: NIST 800-53 v5 section: IA-4 Identifier Management - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-5 name: NIST 800-53 v5 section: IA-5 AUTHENTICATOR MANAGEMENT - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-8 name: NIST 800-53 v5 section: IA-8 Identification and Authentication (non-organizational Users) - subsection: '' - version: '' - type: Linked To + ltype: Linked To name: '>>Authentication' diff --git a/cres/>>Authorization.yaml b/cres/>>Authorization.yaml index 7dc721497..2033bb6e5 100644 --- a/cres/>>Authorization.yaml +++ b/cres/>>Authorization.yaml @@ -4,5 +4,5 @@ links: doctype: CRE id: 551-400 name: Allow user revocation of Oauth tokens - type: Related + ltype: Related name: '>>Authorization' diff --git a/cres/>>Authorized_access.yaml b/cres/>>Authorized_access.yaml new file mode 100644 index 000000000..188cfe146 
--- /dev/null +++ b/cres/>>Authorized_access.yaml 
@@ -0,0 +1,173 @@ +doctype: CRE +id: 724-770 +links: +- document: + doctype: CRE + id: 540-566 + name: Let application request minimal permissions + tags: + - Personal data handling + ltype: Contains +- document: + doctype: CRE + id: 166-151 + name: Ensure that secure fail-safe is in place for access control + ltype: Contains +- document: + doctype: CRE + id: 650-560 + name: Enforce access control on trusted service layer + tags: + - Architecture + ltype: Contains +- document: + doctype: CRE + id: 284-521 + name: Enforce additional authorization and segregation of duties + ltype: Contains +- document: + doctype: CRE + id: 152-725 + name: Limit access to admin/management functionality + ltype: Contains +- document: + doctype: CRE + id: 060-472 + name: Use CSRF protection against authenticated functionality, add anti-automation + controls for unauthenticated functionality + tags: + - CSRF + ltype: Contains +- document: + doctype: CRE + id: 817-808 + name: Deny new users by default + ltype: Contains +- document: + doctype: CRE + id: 412-561 + name: Provide system flexibility for access control + ltype: Contains +- document: + doctype: CRE + id: 524-603 + name: Limit modification of access controls to specifically authorized actors/users + ltype: Contains +- document: + doctype: CRE + id: 368-633 + name: Enforce least privilege + ltype: Contains +- document: + doctype: CRE + id: 368-633 + name: Use least privilege for resources + ltype: Contains +- document: + doctype: CRE + id: 330-281 + name: Use least privilege OS accounts for system (components) + ltype: Contains +- document: + doctype: CRE + id: 664-080 + name: Enforce model-based authorization both at URI and final resource + ltype: Contains +- document: + doctype: CRE + id: 615-744 + name: Protect against directory browsing/discovery attacks + tags: + - Configuration + ltype: Contains +- document: + doctype: CRE + id: 304-667 + name: Protect API against unauthorized access/modification (IDOR) + ltype: Contains 
+- document: + doctype: CRE + id: 801-310 + name: Use ABAC/FBAC on data/feature level, even when using RBAC for permissions + ltype: Contains +- document: + doctype: CRE + id: 640-364 + name: Enforce access control on trusted parts/serverside + ltype: Contains +- document: + doctype: CRE + id: 651-530 + name: 'Was: TBD' + ltype: Contains +- document: + doctype: CRE + id: 278-413 + name: Mutually authenticate application components. Minimize privileges + tags: + - Architecture + ltype: Related +- document: + doctype: CRE + id: 746-705 + name: Limit/authorize user's access to functionality + ltype: Related +- document: + doctype: CRE + id: 273-600 + name: Segregate components of differing trust levels + ltype: Related +- document: + doctype: CRE + id: 538-770 + name: Data access control + ltype: Related +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-1 + name: NIST 800-53 v5 + section: AC-1 POLICY AND PROCEDURES + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-14 + name: NIST 800-53 v5 + section: AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-2 + name: NIST 800-53 v5 + section: AC-2 ACCOUNT MANAGEMENT + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-24 + name: NIST 800-53 v5 + section: AC-24 Access Control Decisions + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-3 + name: NIST 800-53 v5 + 
section: AC-3 ACCESS ENFORCEMENT + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-5 + name: NIST 800-53 v5 + section: AC-5 SEPARATION OF DUTIES + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-6 + name: NIST 800-53 v5 + section: AC-6 LEAST PRIVILEGE + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-2 + name: NIST 800-53 v5 + section: SC-2 Separation of System and User Functionality + ltype: Linked To +name: '>>Authorized access' diff --git a/cres/>>Business_logic.yaml b/cres/>>Business_logic.yaml new file mode 100644 index 000000000..20e097885 --- /dev/null +++ b/cres/>>Business_logic.yaml 
@@ -0,0 +1,84 @@ +doctype: CRE +id: 854-643 +links: +- document: + doctype: CRE + id: 623-550 + name: DOS + ltype: Related +- document: + doctype: CRE + id: 630-573 + name: Monitor suspected automation abuse + tags: + - DOS + ltype: Contains +- document: + doctype: CRE + id: 725-682 + name: Enable configurable alert against usage anomalies + tags: + - DOS + ltype: Contains +- document: + doctype: CRE + id: 534-605 + name: Enforce natural sequence of business flows to avoid abuse + ltype: Contains +- document: + doctype: CRE + id: 418-853 + name: Monitor unusual activities on system + tags: + - DOS + ltype: Contains +- document: + doctype: CRE + id: 670-660 + name: Do not share unsynchronized state on high-value logic flows + ltype: Contains +- document: + doctype: CRE + id: 660-867 + name: Implement business logic limits against identified business risks + ltype: Contains +- document: + doctype: CRE + id: 134-412 + name: Protect sensitive functionalities against race conditions + ltype: Contains +- document: + doctype: CRE + id: 456-535 + name: Monitor for realistic "human time" business logic flows + tags: + - DOS + ltype: Contains +- document: + doctype: CRE + id: 380-540 + name: Ensure business flows' thread safety/resistance to race conditions + ltype: Contains +- document: + doctype: CRE + id: 746-705 + name: Limit/authorize user's access to functionality + ltype: Contains +- document: + doctype: CRE + id: 082-327 + name: Inform users clearly about the collection and use of personal data, and + use it only after opt-in consent. + tags: + - Personal data handling + ltype: Contains +- document: + doctype: CRE + id: 762-451 + name: Ensure users can remove or export their data + tags: + - Personal data handling + ltype: Contains +name: '>>Business logic' +tags: +- DOS diff --git a/cres/>>Dependency_strength.yaml b/cres/>>Dependency_strength.yaml new file mode 100644 index 000000000..5014a4d70 --- /dev/null +++ b/cres/>>Dependency_strength.yaml 
@@ -0,0 +1,51 @@ +doctype: CRE +id: 613-285 +links: +- document: + doctype: CRE + id: 462-245 + name: Remove unnecessary features, documentation, configuration etc + tags: + - Configuration + ltype: Contains +- document: + doctype: CRE + id: 673-475 + name: Disallow unsupported/deprecated client-side technologies + ltype: Contains +- document: + doctype: CRE + id: 154-031 + name: Harden application by excluding unwanted functionality + tags: + - Configuration + ltype: Contains +- document: + doctype: CRE + id: 613-286 + name: Dependency management + ltype: Contains +- document: + doctype: CRE + id: 613-287 + name: Dependency integrity + ltype: Contains +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-22 + name: NIST 800-53 v5 + section: SA-22 Unsupported System Components + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-23 + name: NIST 800-53 v5 + section: SA-23 Specialization + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-4 + name: NIST 800-53 v5 + section: SA-4 Acquisition Process + ltype: Linked To +name: '>>Dependency strength' diff --git a/cres/>>Development_&_operations.yaml b/cres/>>Development_&_operations.yaml new file mode 100644 index 000000000..4168a0fda --- /dev/null +++ b/cres/>>Development_&_operations.yaml 
@@ -0,0 +1,205 @@ +doctype: CRE +id: 153-513 +links: +- document: + doctype: CRE + id: 616-305 + name: Define security steps in every SDLC stage + ltype: Contains +- document: + doctype: CRE + id: 783-355 + name: Deployment + tags: + - Configuration + ltype: Contains +- document: + doctype: CRE + id: 601-155 + name: Developer Configuration Management + ltype: Contains +- document: + doctype: CRE + id: 817-658 + name: Developer Testing and Evaluation + ltype: Contains +- document: + doctype: CRE + id: 433-442 + name: Development verification + ltype: Contains +- document: + doctype: CRE + id: 344-611 + name: Centralize security controls + tags: + - Architecture + ltype: Contains +- document: + doctype: CRE + id: 625-323 + name: Documentation and requirements + tags: + - Architecture + ltype: Contains +- document: + doctype: CRE + id: 863-521 + name: Maintain/manage inventory of third party repositories + ltype: Related +- document: + doctype: CRE + id: 577-260 + name: Enforce integrity check for externally hosted assets (eg SRI) + ltype: Related +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PL-7 + name: NIST 800-53 v5 + section: PL-7 CONCEPT OF OPERATIONS + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PL-8 + name: NIST 800-53 v5 + section: PL-8 SECURITY AND PRIVACY ARCHITECTURES + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PL-9 + name: NIST 800-53 v5 + section: PL-9 Central Management + ltype: Linked To +- document: + doctype: Standard + hyperlink: '#N/A' + name: NIST 800-53 v5 + section: 'PL: Planning' + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-15 + name: NIST 800-53 v5 + section: SA-15 Development Process, Standards, and Tools + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-16 + name: NIST 800-53 v5 + section: SA-16 Developer-provided Training + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-17 + name: NIST 800-53 v5 + section: SA-17 Developer Security and Privacy Architecture and Design + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-2 + name: NIST 800-53 v5 + section: SA-2 Allocation of Resources + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-20 + name: NIST 800-53 v5 + section: SA-20 Customized Development of Critical Components + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-21 + name: NIST 800-53 v5 + section: SA-21 Developer Screening + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-3 + name: NIST 800-53 v5 + section: SA-3 System Development Life Cycle + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-38 + name: NIST 800-53 v5 + section: SC-38 Operations Security + ltype: Linked To +- document: + doctype: 
Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PL-2 + name: NIST 800-53 v5 + section: PL-2 System Security and Privacy Plans + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-1 + name: NIST 800-53 v5 + section: CM-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-10 + name: NIST 800-53 v5 + section: CM-10 Software Usage Restrictions + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-11 + name: NIST 800-53 v5 + section: CM-11 User-installed Software + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-12 + name: NIST 800-53 v5 + section: CM-12 Information Location + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-13 + name: NIST 800-53 v5 + section: CM-13 Data Action Mapping + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-14 + name: NIST 800-53 v5 + section: CM-14 Signed Components + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-3 + name: NIST 800-53 v5 + section: CM-3 Configuration Change Control + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-4 + name: NIST 800-53 v5 + section: CM-4 Impact Analyses + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-5 + name: NIST 800-53 v5 + section: CM-5 Access Restrictions for Change + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-7 + name: NIST 800-53 v5 + section: CM-7 Least Functionality + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-8 + name: NIST 800-53 v5 + section: CM-8 System Component Inventory + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-9 + name: NIST 800-53 v5 + section: CM-9 Configuration Management Plan + ltype: Linked To +name: '>>Development & operations' diff --git a/cres/>>Documentation_and_requirements.yaml b/cres/>>Documentation_and_requirements.yaml new file mode 100644 index 000000000..4d6778ebc --- /dev/null +++ b/cres/>>Documentation_and_requirements.yaml @@ -0,0 +1,18 @@ +doctype: CRE +links: +- document: + doctype: CRE + id: 227-045 + name: Identify sensitive data and subject it to a policy + tags: + - Personal data handling + ltype: Contains +- document: + doctype: CRE + id: 268-272 + name: Classify personal data regarding retention so that old or outdated data + is deleted + tags: + - Personal data handling + ltype: Contains +name: '>>Documentation and requirements' diff --git a/cres/>>Input_and_output_verification.yaml b/cres/>>Input_and_output_verification.yaml new file mode 100644 index 000000000..6fcba5120 --- /dev/null 
+++ b/cres/>>Input_and_output_verification.yaml @@ -0,0 +1,96 @@ +doctype: CRE +id: 503-455 +links: +- document: + doctype: CRE + id: 118-110 + name: API/web services + ltype: Contains +- document: + doctype: CRE + id: 836-068 + name: Deserialization Prevention + ltype: Contains +- document: + doctype: CRE + id: 130-550 + name: File handling + ltype: Contains +- document: + doctype: CRE + id: 010-308 + name: Input validation + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: CRE + id: 866-553 + name: Memory, String, and Unmanaged Code + tags: + - Injection + ltype: Contains +- document: + doctype: CRE + id: 161-451 + name: Output encoding and injection prevention + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: CRE + id: 308-515 + name: Prevent security disclosure + tags: + - Configuration + ltype: Contains +- document: + doctype: CRE + id: 764-765 + name: Sanitization and sandboxing + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: CRE + id: 541-441 + name: Validate HTTP request headers + tags: + - Injection + ltype: Contains +- document: + doctype: CRE + id: 630-573 + name: Monitor suspected automation abuse + tags: + - DOS + ltype: Related +- document: + doctype: CRE + id: 782-234 + name: Clear policy compliant I/O requirements + ltype: Related +- document: + doctype: CRE + id: 821-540 + name: Protect logs against log injection + tags: + - Injection + ltype: Related +- document: + doctype: CRE + id: 048-612 + name: Encode user input before logging + tags: + - Injection + ltype: Related +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-10 + name: NIST 800-53 v5 + section: SI-10 INFORMATION INPUT VALIDATION + ltype: Linked To +name: '>>Input and output verification' 
diff --git a/cres/>>Logging_and_error_handling.yaml b/cres/>>Logging_and_error_handling.yaml new file mode 100644 index 000000000..9e3f08e2b --- /dev/null +++ b/cres/>>Logging_and_error_handling.yaml 
@@ -0,0 +1,103 @@ +doctype: CRE +id: 842-876 +links: +- document: + doctype: CRE + id: 148-420 + name: Log integrity + ltype: Contains +- document: + doctype: CRE + id: 843-841 + name: Log discretely + ltype: Contains +- document: + doctype: CRE + id: 402-706 + name: Log relevant + ltype: Contains +- document: + doctype: CRE + id: 513-183 + name: Error handling + ltype: Contains +- document: + doctype: CRE + id: 141-555 + name: Fail securely + ltype: Contains +- document: + doctype: CRE + id: 725-682 + name: Enable configurable alert against usage anomalies + tags: + - DOS + ltype: Related +- document: + doctype: CRE + id: 418-853 + name: Monitor unusual activities on system + tags: + - DOS + ltype: Related +- document: + doctype: CRE + id: 176-154 + name: Monitor expectation of usage intensity (e.g. number of requests) + tags: + - DOS + ltype: Related +- document: + doctype: CRE + id: 668-364 + name: Log TLS connection failures + ltype: Related +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-1 + name: NIST 800-53 v5 + section: AU-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-11 + name: NIST 800-53 v5 + section: AU-11 Audit Record Retention + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-12 + name: NIST 800-53 v5 + section: AU-12 Audit Record Generation + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-16 + name: NIST 800-53 v5 + section: AU-16 Cross-organizational Audit Logging + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-4 + name: NIST 800-53 v5 + section: AU-4 Audit Log Storage Capacity + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-5 + name: NIST 800-53 v5 + section: AU-5 Response to Audit Logging Process Failures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-6 + name: NIST 800-53 v5 + section: AU-6 Audit Record Review, Analysis, and Reporting + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-7 + name: NIST 800-53 v5 + section: AU-7 Audit Record Reduction and Report Generation + ltype: Linked To +name: '>>Logging and error handling' diff --git a/cres/>>Network_security.yaml b/cres/>>Network_security.yaml new file mode 100644 index 000000000..a6f78a94f --- /dev/null +++ b/cres/>>Network_security.yaml @@ -0,0 +1,8 @@ +doctype: CRE +links: +- document: + doctype: CRE + id: 651-530 + name: 'Was: TBD' + ltype: Contains +name: '>>Network security' diff --git a/cres/>>Personnel_Security.yaml b/cres/>>Personnel_Security.yaml new file mode 100644 index 000000000..b3f57b845 --- /dev/null +++ b/cres/>>Personnel_Security.yaml 
@@ -0,0 +1,58 @@ +doctype: CRE +id: 568-138 +links: +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-1 + name: NIST 800-53 v5 + section: PS-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-2 + name: NIST 800-53 v5 + section: PS-2 Position Risk Designation + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-3 + name: NIST 800-53 v5 + section: PS-3 Personnel Screening + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-4 + name: NIST 800-53 v5 + section: PS-4 Personnel Termination + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-5 + name: NIST 800-53 v5 + section: PS-5 Personnel Transfer + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-6 + name: NIST 800-53 v5 + section: PS-6 Access Agreements + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-7 + name: NIST 800-53 v5 + section: PS-7 External Personnel Security + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-8 + name: NIST 800-53 v5 + section: PS-8 Personnel Sanctions + ltype: Linked To +- document: + doctype: 
Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-9 + name: NIST 800-53 v5 + section: PS-9 Position Descriptions + ltype: Linked To +name: '>>Personnel Security' diff --git a/cres/>>Program_Management.yaml b/cres/>>Program_Management.yaml new file mode 100644 index 000000000..89edf735c --- /dev/null +++ b/cres/>>Program_Management.yaml 
@@ -0,0 +1,197 @@ +doctype: CRE +id: 223-615 +links: +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-1 + name: NIST 800-53 v5 + section: PM-1 Information Security Program Plan + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-10 + name: NIST 800-53 v5 + section: PM-10 Authorization Process + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-11 + name: NIST 800-53 v5 + section: PM-11 Mission and Business Process Definition + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-12 + name: NIST 800-53 v5 + section: PM-12 Insider Threat Program + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-13 + name: NIST 800-53 v5 + section: PM-13 Security and Privacy Workforce + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-14 + name: NIST 800-53 v5 + section: PM-14 Testing, Training, and Monitoring + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-15 + name: NIST 800-53 v5 + section: PM-15 Security and Privacy Groups and Associations + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-16 + name: NIST 
800-53 v5 + section: PM-16 Threat Awareness Program + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-17 + name: NIST 800-53 v5 + section: PM-17 Protecting Controlled Unclassified Information on External Systems + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-18 + name: NIST 800-53 v5 + section: PM-18 Privacy Program Plan + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-19 + name: NIST 800-53 v5 + section: PM-19 Privacy Program Leadership Role + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-2 + name: NIST 800-53 v5 + section: PM-2 Information Security Program Leadership Role + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-20 + name: NIST 800-53 v5 + section: PM-20 Dissemination of Privacy Program Information + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-21 + name: NIST 800-53 v5 + section: PM-21 Accounting of Disclosures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-22 + name: NIST 800-53 v5 + section: PM-22 Personally Identifiable Information Quality Management + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-23 + name: NIST 800-53 v5 + section: PM-23 Data Governance Body + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-24 + name: NIST 800-53 v5 + section: PM-24 Data Integrity Board + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-25 + name: NIST 800-53 v5 + section: PM-25 Minimization of Personally Identifiable Information Used in Testing, + Training, and Research + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-26 + name: NIST 800-53 v5 + section: PM-26 Complaint Management + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-27 + name: NIST 800-53 v5 + section: PM-27 Privacy Reporting + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-28 + name: NIST 800-53 v5 + section: PM-28 Risk Framing + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-29 + name: NIST 800-53 v5 + section: PM-29 Risk Management Program Leadership Roles + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-3 + name: NIST 800-53 v5 + section: PM-3 Information Security and Privacy Resources + ltype: Linked To +- document: + 
doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-30 + name: NIST 800-53 v5 + section: PM-30 Supply Chain Risk Management Strategy + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-31 + name: NIST 800-53 v5 + section: PM-31 Continuous Monitoring Strategy + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-32 + name: NIST 800-53 v5 + section: PM-32 Purposing + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-4 + name: NIST 800-53 v5 + section: PM-4 Plan of Action and Milestones Process + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-5 + name: NIST 800-53 v5 + section: PM-5 System Inventory + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-6 + name: NIST 800-53 v5 + section: PM-6 Measures of Performance + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-7 + name: NIST 800-53 v5 + section: PM-7 Enterprise Architecture + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-8 + name: NIST 800-53 v5 + section: PM-8 Critical Infrastructure Plan + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PM-9 + name: NIST 800-53 v5 + section: PM-9 Risk Management Strategy + ltype: Linked To +name: '>>Program Management' diff --git a/cres/>>Risk_Assessment.yaml b/cres/>>Risk_Assessment.yaml new file mode 100644 index 000000000..d70a67a5a --- /dev/null +++ b/cres/>>Risk_Assessment.yaml 
@@ -0,0 +1,70 @@ +doctype: CRE +id: 328-113 +links: +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=RA-1 + name: NIST 800-53 v5 + section: RA-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=RA-10 + name: NIST 800-53 v5 + section: RA-10 Threat Hunting + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=RA-2 + name: NIST 800-53 v5 + section: RA-2 Security Categorization + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=RA-3 + name: NIST 800-53 v5 + section: RA-3 Risk Assessment + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=RA-5 + name: NIST 800-53 v5 + section: RA-5 Vulnerability Monitoring and Scanning + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=RA-6 + name: NIST 800-53 v5 + section: RA-6 Technical Surveillance Countermeasures Survey + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=RA-7 + name: NIST 800-53 v5 + section: RA-7 Risk Response + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=RA-8 + name: NIST 800-53 v5 + section: RA-8 Privacy Impact Assessments + ltype: Linked To 
+- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=RA-9 + name: NIST 800-53 v5 + section: RA-9 Criticality Analysis + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-1 + name: NIST 800-53 v5 + section: SA-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-9 + name: NIST 800-53 v5 + section: SA-9 External System Services + ltype: Linked To +name: '>>Risk Assessment' diff --git a/cres/>>SUGGEST-WITHDRAW.yaml b/cres/>>SUGGEST-WITHDRAW.yaml index c97142dd5..b9d6ca4e9 100644 --- a/cres/>>SUGGEST-WITHDRAW.yaml +++ b/cres/>>SUGGEST-WITHDRAW.yaml 
@@ -6,159 +6,119 @@ links: hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-13 name: NIST 800-53 v5 section: "AC-13 Supervision and Review \u2014 Access Control" - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-15 name: NIST 800-53 v5 section: AC-15 Automated Marking - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-15 name: NIST 800-53 v5 section: AU-15 Alternate Audit Logging Capability - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-4 name: NIST 800-53 v5 section: CA-4 Security Certification - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PL-3 name: NIST 800-53 v5 section: PL-3 System Security Plan Update - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PL-5 name: NIST 800-53 v5 section: PL-5 Privacy Impact Assessment - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PL-6 name: NIST 800-53 v5 section: PL-6 Security-related Activity Planning - subsection: '' - version: '' - type: Linked 
To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=RA-4 name: NIST 800-53 v5 section: RA-4 Risk Assessment Update - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-12 name: NIST 800-53 v5 section: SA-12 Supply Chain Protection - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-13 name: NIST 800-53 v5 section: SA-13 Trustworthiness - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-14 name: NIST 800-53 v5 section: SA-14 Criticality Analysis - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-18 name: NIST 800-53 v5 section: SA-18 Tamper Resistance and Detection - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-19 name: NIST 800-53 v5 section: SA-19 Component Authenticity - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-6 name: NIST 800-53 v5 section: SA-6 Software Usage Restrictions - subsection: '' - version: '' - type: Linked To + ltype: 
Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-7 name: NIST 800-53 v5 section: SA-7 User-installed Software - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-14 name: NIST 800-53 v5 section: SC-14 Public Access Protections - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-19 name: NIST 800-53 v5 section: SC-19 Voice Over Internet Protocol - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-33 name: NIST 800-53 v5 section: SC-33 Transmission Preparation Integrity - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-9 name: NIST 800-53 v5 section: SC-9 Transmission Confidentiality - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-9 name: NIST 800-53 v5 section: SI-9 Information Input Restrictions - subsection: '' - version: '' - type: Linked To + ltype: Linked To name: '>>SUGGEST-WITHDRAW' diff --git a/cres/>>Secure_communication.yaml b/cres/>>Secure_communication.yaml new file mode 100644 index 000000000..b3df401db --- /dev/null +++ b/cres/>>Secure_communication.yaml 
@@ -0,0 +1,73 @@ +doctype: CRE +id: 278-646 +links: +- document: + doctype: CRE + id: 634-733 + name: Communication authentication + ltype: Contains +- document: + doctype: CRE + id: 435-702 + name: Communication encryption + tags: + - Cryptography + ltype: Contains +- document: + doctype: CRE + id: 341-076 + name: Minimize communication + ltype: Contains +- document: + doctype: CRE + id: 228-551 + name: TLS + tags: + - Cryptoghraphy + ltype: Contains +- document: + doctype: CRE + id: 683-036 + name: Wireless link protection + ltype: Contains +- document: + doctype: CRE + id: 270-634 + name: Send authentication secrets encrypted + ltype: Related +- document: + doctype: CRE + id: 456-636 + name: Add integrity check to SOAP payload + ltype: Related +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-9 + name: NIST 800-53 v5 + section: IA-9 Service Identification and Authentication + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-16 + name: NIST 800-53 v5 + section: SC-16 Transmission of Security and Privacy Attributes + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-8 + name: NIST 800-53 v5 + section: SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-3 + name: NIST 800-53 v5 + section: CA-3 Information Exchange + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-9 + name: NIST 800-53 v5 + section: CA-9 Internal System 
Connections + ltype: Linked To +name: '>>Secure communication' diff --git a/cres/>>Secure_data_storage.yaml b/cres/>>Secure_data_storage.yaml new file mode 100644 index 000000000..170a2ad98 --- /dev/null +++ b/cres/>>Secure_data_storage.yaml @@ -0,0 +1,40 @@ +doctype: CRE +id: 126-668 +links: +- document: + doctype: CRE + id: 163-776 + name: Backups + ltype: Contains +- document: + doctype: CRE + id: 538-770 + name: Data access control + ltype: Contains +- document: + doctype: CRE + id: 400-007 + name: Encrypt data at rest + tags: + - Cryptography + ltype: Contains +- document: + doctype: CRE + id: 208-830 + name: Manage temporary storage + ltype: Contains +- document: + doctype: CRE + id: 223-780 + name: Secret storage + tags: + - Cryptography + ltype: Contains +- document: + doctype: CRE + id: 542-270 + name: Secure random values + tags: + - Cryptography + ltype: Contains +name: '>>Secure data storage' diff --git a/cres/>>Secure_user_management.yaml b/cres/>>Secure_user_management.yaml new file mode 100644 index 000000000..703e5347f --- /dev/null +++ b/cres/>>Secure_user_management.yaml 
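Review bot: The `TLS` link in `>>Secure_communication.yaml` is tagged `Cryptoghraphy`, while `Communication encryption` in the same file and the entries in `>>Secure_data_storage.yaml` use `Cryptography`. If tags are compared as exact strings (the matching code is not visible here), TLS drops out of every Cryptography tag lookup, which is the control a reader would most expect to find there. The tag line should read `- Cryptography`.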
@@ -0,0 +1,54 @@ +doctype: CRE +id: 586-842 +links: +- document: + doctype: CRE + id: 235-658 + name: Notify user about credential change + ltype: Contains +- document: + doctype: CRE + id: 623-347 + name: Disallow shared high privileged accounts + ltype: Contains +- document: + doctype: CRE + id: 065-183 + name: Disallow default credentials + ltype: Contains +- document: + doctype: CRE + id: 813-610 + name: Do not use static secrets + ltype: Contains +- document: + doctype: CRE + id: 138-448 + name: Inform users for authentication renewal + ltype: Contains +- document: + doctype: CRE + id: 808-425 + name: Notify users about anomalies in their usage patterns + ltype: Contains +- document: + doctype: CRE + id: 751-176 + name: Offer password changing functionality + ltype: Contains +- document: + doctype: CRE + id: 327-505 + name: Change password with presence of old and new password + ltype: Contains +- document: + doctype: CRE + id: 817-808 + name: Deny new users by default + ltype: Related +- document: + doctype: CRE + id: 673-736 + name: Enable option to log out from all active session + ltype: Related +name: '>>Secure user management' diff --git a/cres/>>Session_management.yaml b/cres/>>Session_management.yaml new file mode 100644 index 000000000..ef7cb99fd --- /dev/null +++ b/cres/>>Session_management.yaml 
@@ -0,0 +1,62 @@ +doctype: CRE +id: 177-260 +links: +- document: + doctype: CRE + id: 402-133 + name: Do not expose session token in URL + ltype: Contains +- document: + doctype: CRE + id: 582-541 + name: Re-authenticate before sensitive transactions + ltype: Contains +- document: + doctype: CRE + id: 270-568 + name: Authentication mechanism + ltype: Related +- document: + doctype: CRE + id: 110-531 + name: Cookie-config + ltype: Contains +- document: + doctype: CRE + id: 258-115 + name: Re-authentication from federation or assertion + ltype: Contains +- document: + doctype: CRE + id: 470-731 + name: Session lifecycle + ltype: Contains +- document: + doctype: CRE + id: 470-731 + name: Session token generation + ltype: Contains +- document: + doctype: CRE + id: 114-277 + name: Session integrity + ltype: Contains +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-10 + name: NIST 800-53 v5 + section: AC-10 CONCURRENT SESSION CONTROL + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-11 + name: NIST 800-53 v5 + section: IA-11 RE-AUTHENTICATION + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-23 + name: NIST 800-53 v5 + section: SC-23 SESSION AUTHENTICITY + ltype: Linked To +name: '>>Session management' diff --git a/cres/>>TBD.yaml b/cres/>>TBD.yaml index 3fa9605f7..b047f8beb 100644 --- a/cres/>>TBD.yaml +++ b/cres/>>TBD.yaml @@ -4,5 +4,5 @@ links: doctype: CRE id: 651-530 name: 'Was: TBD' - type: Contains + ltype: Contains name: '>>TBD' diff --git a/cres/>>Tags.yaml b/cres/>>Tags.yaml index 75bd41fe1..52df5178a 100644 --- a/cres/>>Tags.yaml +++ b/cres/>>Tags.yaml 
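Review bot: `id: 470-731` is assigned to two different links in `>>Session_management.yaml`, `Session lifecycle` and `Session token generation`. If the importer keys CREs by id (not visible in this hunk), one record will overwrite or merge into the other, and standards mapped to one control will surface under the other. One of the two needs its own id. The unchanged lines of the `>>Tags.yaml` hunk show the same pattern, with `028-727` on both `SSRF` and `CSRF`.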
@@ -5,62 +5,62 @@ links: doctype: CRE id: 817-133 name: Boundary Protection - type: Contains + ltype: Contains - document: doctype: CRE id: 486-813 name: Configuration - type: Contains + ltype: Contains - document: doctype: CRE id: 170-772 name: Cryptography - type: Contains + ltype: Contains - document: doctype: CRE id: 623-550 name: DOS - type: Contains + ltype: Contains - document: doctype: CRE id: 760-764 name: Injection tags: - XSS - type: Contains + ltype: Contains - document: doctype: CRE id: 760-765 name: XSS - type: Contains + ltype: Contains - document: doctype: CRE id: 058-527 name: Secure name/address resolution service - type: Contains + ltype: Contains - document: doctype: CRE id: 180-070 name: Security and Privacy Engineering Principles - type: Contains + ltype: Contains - document: doctype: CRE id: 155-155 name: Architecture - type: Contains + ltype: Contains - document: doctype: CRE id: 028-727 name: SSRF - type: Contains + ltype: Contains - document: doctype: CRE id: 028-727 name: CSRF - type: Contains + ltype: Contains - document: doctype: CRE id: 028-728 name: Personal data handling - type: Contains + ltype: Contains name: '>>Tags' diff --git a/cres/API-web_services.yaml b/cres/API-web_services.yaml new file mode 100644 index 000000000..5cd561340 --- /dev/null +++ b/cres/API-web_services.yaml 
@@ -0,0 +1,53 @@ +doctype: CRE +id: 118-110 +links: +- document: + doctype: CRE + id: 532-878 + name: Limit REST HTTP methods + ltype: Contains +- document: + doctype: CRE + id: 377-680 + name: Reject non-whitelisted content types + ltype: Contains +- document: + doctype: CRE + id: 061-186 + name: Force uniform encoders and parsers throughout system + tags: + - SSRF + ltype: Contains +- document: + doctype: CRE + id: 612-252 + name: Separate GraphQL (or similar) authorization logic from data layer + tags: + - Architecture + ltype: Contains +- document: + doctype: CRE + id: 071-288 + name: RESTful + ltype: Contains +- document: + doctype: CRE + id: 080-373 + name: SOAP + ltype: Contains +- document: + doctype: CRE + id: 152-725 + name: Limit access to admin/management functionality + ltype: Related +- document: + doctype: CRE + id: 664-080 + name: Enforce model-based authorization both at URI and final resource + ltype: Related +- document: + doctype: CRE + id: 503-455 + name: '>>Input and output verification' + ltype: Contains +name: API/web services diff --git a/cres/Accompany OAuth with Referesh tokens.yaml b/cres/Accompany OAuth with Referesh tokens.yaml index 48508de52..969e4725b 100644 --- a/cres/Accompany OAuth with Referesh tokens.yaml +++ b/cres/Accompany OAuth with Referesh tokens.yaml 
@@ -5,37 +5,27 @@ links: doctype: CRE id: 258-115 name: Re-authentication from federation or assertion - type: Contains + ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md name: ASVS section: V3.5.1 - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://cwe.mitre.org/data/definitions/290.html name: CWE section: '290' - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard - hyperlink: '' name: Cheat_sheets section: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard - hyperlink: '' name: Cheat_sheets section: https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html - subsection: '' - version: '' - type: Linked To + ltype: Linked To name: Accompany OAuth with Referesh tokens diff --git a/cres/Add CSRF protection for cookie based REST services.yaml b/cres/Add CSRF protection for cookie based REST services.yaml index 421308897..45de484cc 100644 --- a/cres/Add CSRF protection for cookie based REST services.yaml +++ b/cres/Add CSRF protection for cookie based REST services.yaml 
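Review bot: The two `Cheat_sheets` entries lose their empty `hyperlink` key but still carry the URL in `section`, so after this change they have no link target at all and a URL where the section title belongs. The `Cheat_sheets` entries in the next file of this patch use the intended shape, for example `hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html` with `section: REST Security Cheat Sheet`. Moving the URL into `hyperlink` here keeps the two files consistent and stops consumers from rendering a raw URL as a section name.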
@@ -5,60 +5,62 @@ links: doctype: CRE id: 071-288 name: RESTful - type: Contains + ltype: Contains - document: doctype: CRE id: 028-727 name: CSRF - type: Related + ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x21-V13-API.md name: ASVS section: V13.2.3 - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://cwe.mitre.org/data/definitions/352.html name: CWE section: '352' - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.html name: WSTG section: WSTG-SESS-05 - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html name: Cheat_sheets section: REST Assessment Cheat Sheet - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html name: Cheat_sheets section: REST Security Cheat Sheet - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html name: Cheat_sheets section: Cross-Site Request Forgery Prevention Cheat Sheet - subsection: '' - version: '' - type: Linked To + ltype: Linked To +- document: + doctype: Tool + name: 'ZAP Alert: "Anti-CSRF Tokens Check"' + tags: + - '"Active"' + tooltype: Unknown + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "Absence of Anti-CSRF Tokens"' + tags: + - '"Passive"' + tooltype: Unknown + ltype: SAME name: Add CSRF protection for cookie based REST services tags: - CSRF 
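Review bot: The added Tool entries store their tags with the quote characters inside the value (`'"Active"'`, `'"Passive"'`), and the alert title in `name` is wrapped the same way. This looks like the ZAP alert metadata being copied without unquoting (the parser is not part of this hunk), so a lookup for the tag `Active` will not match these records. The stored values should be plain, e.g. `- Active`. The same quoted values appear in the `Add integrity check to SOAP payload.yaml` hunk and in both underscore-named files added after it.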
diff --git a/cres/Add integrity check to SOAP payload.yaml b/cres/Add integrity check to SOAP payload.yaml index df3eb70f4..c6e404c95 100644 --- a/cres/Add integrity check to SOAP payload.yaml +++ b/cres/Add integrity check to SOAP payload.yaml @@ -5,34 +5,39 @@ links: doctype: CRE id: 080-373 name: SOAP - type: Contains + ltype: Contains - document: doctype: CRE id: 278-646 name: '>>Secure communication' - type: Related + ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x21-V13-API.md name: ASVS section: V13.3.2 - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://cwe.mitre.org/data/definitions/345.html name: CWE section: '345' - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html name: Cheat_sheets section: XML Security Cheat Sheet - subsection: '' - version: '' - type: Linked To + ltype: Linked To +- document: + description: '"Ensure each page is setting the specific and appropriate content-type + value for the content being delivered."' + doctype: Tool + hyperlink: '"Ensure each page is setting the specific and appropriate content-type + value for the content being delivered."' + name: 'ZAP Alert: "Content-Type Header Missing"' + tags: + - '"Passive"' + tooltype: Unknown + ltype: SAME name: Add integrity check to SOAP payload diff --git a/cres/Add_CSRF_protection_for_cookie_based_REST_services.yaml b/cres/Add_CSRF_protection_for_cookie_based_REST_services.yaml new file mode 100644 index 000000000..919593b86 --- /dev/null +++ b/cres/Add_CSRF_protection_for_cookie_based_REST_services.yaml 
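Review bot: In the added `ZAP Alert: "Content-Type Header Missing"` entry, `hyperlink` holds a copy of the description sentence rather than a URL. Any consumer that renders `hyperlink` as a link target gets an invalid href, and it shows that externally sourced alert text reaches this field without a check that it is an `http(s)` URL. The underscore-named copy of this record later in the patch omits the key; do the same here, or populate it with the alert's reference URL, and have the importer reject values that do not parse as a URL. Separately, `ltype: SAME` between a missing Content-Type header alert and a SOAP payload integrity control looks like a loose mapping and is worth confirming.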
@@ -0,0 +1,66 @@
+doctype: CRE
+id: 464-084
+links:
+- document:
+ doctype: CRE
+ id: 071-288
+ name: RESTful
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 028-727
+ name: CSRF
+ ltype: Related
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x21-V13-API.md
+ name: ASVS
+ section: V13.2.3
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/352.html
+ name: CWE
+ section: '352'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.html
+ name: WSTG
+ section: WSTG-SESS-05
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: REST Assessment Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: REST Security Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Cross-Site Request Forgery Prevention Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Tool
+ name: 'ZAP Alert: "Anti-CSRF Tokens Check"'
+ tags:
+ - '"Active"'
+ tooltype: Offensive
+ ltype: SAME
+- document:
+ doctype: Tool
+ name: 'ZAP Alert: "Absence of Anti-CSRF Tokens"'
+ tags:
+ - '"Passive"'
+ tooltype: Offensive
+ ltype: SAME
+name: Add CSRF protection for cookie based REST services
+tags:
+- CSRF
diff --git a/cres/Add_integrity_check_to_SOAP_payload.yaml b/cres/Add_integrity_check_to_SOAP_payload.yaml
new file mode 100644
index 000000000..f037e16dc
--- /dev/null
+++ b/cres/Add_integrity_check_to_SOAP_payload.yaml
@@ -0,0 +1,41 @@
+doctype: CRE
+id: 456-636
+links:
+- document:
+ doctype: CRE
+ id: 080-373
+ name: SOAP
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 278-646
+ name: '>>Secure communication'
+ ltype: Related
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x21-V13-API.md
+ name: ASVS
+ section: V13.3.2
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/345.html
+ name: CWE
+ section: '345'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: XML Security Cheat Sheet
+ ltype: Linked To
+- document:
+ description: '"Ensure each page is setting the specific and appropriate content-type
+ value for the content being delivered."'
+ doctype: Tool
+ name: 'ZAP Alert: "Content-Type Header Missing"'
+ tags:
+ - '"Passive"'
+ tooltype: Offensive
+ ltype: SAME
+name: Add integrity check to SOAP payload
diff --git a/cres/Allow long passwords.yaml b/cres/Allow long passwords.yaml
index 408cf435a..77fca9de0 100644
--- a/cres/Allow long passwords.yaml
+++ b/cres/Allow long passwords.yaml
@@ -5,69 +5,52 @@ links: doctype: CRE id: 455-885 name: Credentials directives - type: Contains + ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md name: ASVS section: V2.1.2 - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html name: OPC section: C6 - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://cwe.mitre.org/data/definitions/521.html name: CWE section: '521' - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html name: WSTG section: WSTG-ATHN-07 - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html name: Cheat_sheets section: Choosing and Using Security Questions Cheat Sheet - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html name: Cheat_sheets section: Forgot Password Cheat Sheet - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html name: Cheat_sheets section: Credential Stuffing Prevention Cheat Sheet - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard - hyperlink: '' name: NIST 800-63 section: 5.1.1.2 - subsection: '' - version: '' - type: Linked To + ltype: 
Linked To name: Allow long passwords diff --git a/cres/Allow only trusted sources both build time and runtime; therefore perform integrity checks on all resources and code.yaml b/cres/Allow only trusted sources both build time and runtime; therefore perform integrity checks on all resources and code.yaml index 8fc466ffa..b552b32ce 100644 --- a/cres/Allow only trusted sources both build time and runtime; therefore perform integrity checks on all resources and code.yaml +++ b/cres/Allow only trusted sources both build time and runtime; therefore perform integrity checks on all resources and code.yaml @@ -5,30 +5,24 @@ links: doctype: CRE id: 615-188 name: Deployment process - type: Contains + ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x18-V10-Malicious.md name: ASVS section: V10.3.2 - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://cwe.mitre.org/data/definitions/353.html name: CWE section: '353' - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html name: Cheat_sheets section: Docker Security Cheat Sheet - subsection: '' - version: '' - type: Linked To + ltype: Linked To name: Allow only trusted sources both build time and runtime; therefore perform integrity checks on all resources and code diff --git a/cres/Allow_long_passwords.yaml b/cres/Allow_long_passwords.yaml new file mode 100644 index 000000000..77fca9de0 --- /dev/null +++ b/cres/Allow_long_passwords.yaml 
@@ -0,0 +1,56 @@ +doctype: CRE +id: 158-874 +links: +- document: + doctype: CRE + id: 455-885 + name: Credentials directives + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.1.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html + name: OPC + section: C6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/521.html + name: CWE + section: '521' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html + name: WSTG + section: WSTG-ATHN-07 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html + name: Cheat_sheets + section: Choosing and Using Security Questions Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html + name: Cheat_sheets + section: Forgot Password Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Credential Stuffing Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.1.2 + ltype: Linked To +name: Allow long passwords 
diff --git a/cres/Allow_only_trusted_sources_both_build_time_and_runtime;_therefore_perform_integrity_checks_on_all_resources_and_code.yaml b/cres/Allow_only_trusted_sources_both_build_time_and_runtime;_therefore_perform_integrity_checks_on_all_resources_and_code.yaml new file mode 100644 index 000000000..b552b32ce --- /dev/null +++ b/cres/Allow_only_trusted_sources_both_build_time_and_runtime;_therefore_perform_integrity_checks_on_all_resources_and_code.yaml @@ -0,0 +1,28 @@ +doctype: CRE +id: 307-507 +links: +- document: + doctype: CRE + id: 615-188 + name: Deployment process + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x18-V10-Malicious.md + name: ASVS + section: V10.3.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/353.html + name: CWE + section: '353' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html + name: Cheat_sheets + section: Docker Security Cheat Sheet + ltype: Linked To +name: Allow only trusted sources both build time and runtime; therefore perform integrity + checks on all resources and code diff --git a/cres/Allow_password_helpers,_including_paste_functionality.yaml b/cres/Allow_password_helpers,_including_paste_functionality.yaml new file mode 100644 index 000000000..88b97c7d5 --- /dev/null +++ b/cres/Allow_password_helpers,_including_paste_functionality.yaml 
@@ -0,0 +1,50 @@ +doctype: CRE +id: 630-577 +links: +- document: + doctype: CRE + id: 789-320 + name: Login functionality + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.1.11 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/521.html + name: CWE + section: '521' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html + name: WSTG + section: WSTG-ATHN-07 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html + name: Cheat_sheets + section: Choosing and Using Security Questions Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html + name: Cheat_sheets + section: Forgot Password Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Credential Stuffing Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.1.2 + ltype: Linked To +name: Allow password helpers, including paste functionality diff --git a/cres/Allow_unicode_in_passwords.yaml b/cres/Allow_unicode_in_passwords.yaml new file mode 100644 index 000000000..e9d44efa9 --- /dev/null +++ b/cres/Allow_unicode_in_passwords.yaml 
@@ -0,0 +1,50 @@ +doctype: CRE +id: 103-707 +links: +- document: + doctype: CRE + id: 455-885 + name: Credentials directives + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.1.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/521.html + name: CWE + section: '521' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html + name: WSTG + section: WSTG-ATHN-07 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html + name: Cheat_sheets + section: Choosing and Using Security Questions Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html + name: Cheat_sheets + section: Forgot Password Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Credential Stuffing Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.1.2 + ltype: Linked To +name: Allow unicode in passwords diff --git a/cres/Allow_user_revocation_of_Oauth_tokens.yaml b/cres/Allow_user_revocation_of_Oauth_tokens.yaml new file mode 100644 index 000000000..958ddef9d --- /dev/null +++ b/cres/Allow_user_revocation_of_Oauth_tokens.yaml 
@@ -0,0 +1,42 @@
+doctype: CRE
+id: 551-400
+links:
+- document:
+ doctype: CRE
+ id: 258-115
+ name: Re-authentication from federation or assertion
+ ltype: Contains
+- document:
+ doctype: CRE
+ name: '>>Authorization'
+ ltype: Related
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md
+ name: ASVS
+ section: V3.5.1
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/290.html
+ name: CWE
+ section: '290'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: JSON Web Token for Java Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: REST Security Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST 800-63
+ section: 7.1.2
+ ltype: Linked To
+name: Allow user revocation of Oauth tokens
diff --git a/cres/Anti-Automation_protection_for_REST_services.yaml b/cres/Anti-Automation_protection_for_REST_services.yaml
new file mode 100644
index 000000000..2a406cf18
--- /dev/null
+++ b/cres/Anti-Automation_protection_for_REST_services.yaml
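Review bot: In `cres/Allow_user_revocation_of_Oauth_tokens.yaml` the second link, to `'>>Authorization'`, has no `id`, while every other `doctype: CRE` link visible in this patch carries one. A loader that resolves links by id cannot resolve this one, and falling back to name matching on a string that starts with `>>` is fragile. I would add `id: <CRE id of '>>Authorization'>` under `doctype: CRE`; the real id is not visible in this part of the patch, so that value is a placeholder.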
@@ -0,0 +1,39 @@ +doctype: CRE +id: 001-746 +links: +- document: + doctype: CRE + id: 071-288 + name: RESTful + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x21-V13-API.md + name: ASVS + section: V13.2.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/770.html + name: CWE + section: '770' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html + name: Cheat_sheets + section: REST Assessment Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html + name: Cheat_sheets + section: REST Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Cross-Site Request Forgery Prevention Cheat Sheet + ltype: Linked To +name: Anti-Automation protection for REST services diff --git a/cres/Architecture.yaml b/cres/Architecture.yaml index 8c9825abf..055e0386c 100644 --- a/cres/Architecture.yaml +++ b/cres/Architecture.yaml 
@@ -7,101 +7,101 @@ links: name: Use centralized authentication mechanism tags: - Architecture - type: Related + ltype: Related - document: doctype: CRE id: 278-413 name: Mutually authenticate application components. Minimize privileges tags: - Architecture - type: Related + ltype: Related - document: doctype: CRE id: 650-560 name: Enforce access control on trusted service layer tags: - Architecture - type: Related + ltype: Related - document: doctype: CRE id: 726-868 name: Deployed topology tags: - Architecture - type: Related + ltype: Related - document: doctype: CRE id: 515-021 name: Sandbox, containerize and/or isolate applications at the network level tags: - Architecture - type: Related + ltype: Related - document: doctype: CRE id: 340-754 name: Threat model every design change or sprint tags: - Architecture - type: Related + ltype: Related - document: doctype: CRE id: 625-323 name: Documentation and requirements tags: - Architecture - type: Related + ltype: Related - document: doctype: CRE id: 344-611 name: Centralize security controls tags: - Architecture - type: Related + ltype: Related - document: doctype: CRE id: 004-130 name: Define High-level architecture and perform security analysis on it tags: - Architecture - type: Related + ltype: Related - document: doctype: CRE id: 820-877 name: Document all trust boundaries and significant data flows tags: - Architecture - type: Related + ltype: Related - document: doctype: CRE id: 612-252 name: Separate GraphQL (or similar) authorization logic from data layer tags: - Architecture - type: Related + ltype: Related - document: doctype: CRE id: 848-711 name: Enforce input validation on a trusted service layer tags: - Architecture - type: Related + ltype: Related - document: doctype: CRE id: 260-200 name: Log in consistent format across system tags: - Architecture - type: Related + ltype: Related - document: doctype: CRE id: 117-371 name: Use a centralized access control mechanism tags: - Architecture - type: 
Related + ltype: Related - document: doctype: CRE id: 546-564 name: '>>Tags' - type: Contains + ltype: Contains name: Architecture diff --git a/cres/Authenticate_HTTP_headers_added_by_a_trusted_proxy_or_SSO_device.yaml b/cres/Authenticate_HTTP_headers_added_by_a_trusted_proxy_or_SSO_device.yaml new file mode 100644 index 000000000..522c3bad7 --- /dev/null +++ b/cres/Authenticate_HTTP_headers_added_by_a_trusted_proxy_or_SSO_device.yaml @@ -0,0 +1,23 @@ +doctype: CRE +id: 820-421 +links: +- document: + doctype: CRE + id: 541-441 + name: Validate HTTP request headers + tags: + - Injection + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md + name: ASVS + section: V14.5.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/306.html + name: CWE + section: '306' + ltype: Linked To +name: Authenticate HTTP headers added by a trusted proxy or SSO device diff --git a/cres/Authenticate_all_external_connections.yaml b/cres/Authenticate_all_external_connections.yaml new file mode 100644 index 000000000..8b0d88632 --- /dev/null +++ b/cres/Authenticate_all_external_connections.yaml @@ -0,0 +1,28 @@ +doctype: CRE +id: 605-735 +links: +- document: + doctype: CRE + id: 634-733 + name: Communication authentication + ltype: Contains +- document: + doctype: CRE + id: 170-772 + name: Cryptography + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x17-V9-Communications.md + name: ASVS + section: V9.2.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/287.html + name: CWE + section: '287' + ltype: Linked To +name: Authenticate all external connections +tags: +- Cryptography 
diff --git a/cres/Authenticate_by_OTP_token_entry_or_user-initiated_action_on_multi_factor_device.yaml b/cres/Authenticate_by_OTP_token_entry_or_user-initiated_action_on_multi_factor_device.yaml new file mode 100644 index 000000000..5430ac1c9 --- /dev/null +++ b/cres/Authenticate_by_OTP_token_entry_or_user-initiated_action_on_multi_factor_device.yaml @@ -0,0 +1,46 @@ +doctype: CRE +id: 525-361 +links: +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.2.7 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/308.html + name: CWE + section: '308' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html + name: Cheat_sheets + section: Authentication Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html + name: Cheat_sheets + section: Transport Layer Protection Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html + name: Cheat_sheets + section: TLS Cipher String Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.2.9 + ltype: Linked To +name: Authenticate by OTP token entry or user-initiated action on multi factor device diff --git a/cres/Authenticate_consistently.yaml b/cres/Authenticate_consistently.yaml new file mode 100644 index 000000000..e1f243f7c --- /dev/null +++ b/cres/Authenticate_consistently.yaml 
@@ -0,0 +1,21 @@
+doctype: CRE
+id: 146-556
+links:
+- document:
+ doctype: CRE
+ id: 270-568
+ name: Authentication mechanism
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 278-413
+ name: Mutually authenticate application components. Minimize privileges
+ tags:
+ - Architecture
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 576-042
+ name: Consistently apply authentication strength
+ ltype: Contains
+name: Authenticate consistently
diff --git a/cres/Authenticate_encrypted_data.yaml b/cres/Authenticate_encrypted_data.yaml
new file mode 100644
index 000000000..d72e5a89e
--- /dev/null
+++ b/cres/Authenticate_encrypted_data.yaml
@@ -0,0 +1,50 @@
+doctype: CRE
+id: 786-224
+links:
+- document:
+ doctype: CRE
+ id: 742-432
+ name: Encryption algorithms
+ tags:
+ - Cryptography
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x14-V6-Cryptography.md
+ name: ASVS
+ section: V6.2.7
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/326.html
+ name: CWE
+ section: '326'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html
+ name: WSTG
+ section: WSTG-CRYP-04
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Cryptographic Storage Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Key Management Cheat Sheet
+ ltype: Linked To
+- document:
+ description: '"Protect the connection using HTTPS or use a stronger authentication
+ mechanism"'
+ doctype: Tool
+ name: 'ZAP Alert: "Weak Authentication Method"'
+ tags:
+ - '"Passive"'
+ tooltype: Offensive
+ ltype: SAME
+name: Authenticate encrypted data
diff --git a/cres/Authentication_mechanism.yaml b/cres/Authentication_mechanism.yaml
new file mode 100644
index 000000000..7f555a919
--- /dev/null
+++ b/cres/Authentication_mechanism.yaml
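Review bot: In `cres/Authenticate_encrypted_data.yaml` the `ZAP Alert: "Weak Authentication Method"` entry is linked with `ltype: SAME` to a CRE whose other references (ASVS V6.2.7, the cryptographic storage and key management cheat sheets) concern authenticated encryption, whereas the alert's own description is about protecting a login connection with HTTPS. The match was presumably made through the shared CWE-326 reference; that is an inference from the data, not something the hunk states. `SAME` suggests to a reader that a clean scan covers the requirement, so I would use a weaker link type such as `ltype: Related`, or leave the link out until it has been checked by hand. The Shell Shock alert in `cres/Block_direct_execution_of_file_metadata_from_untrusted_origin.yaml` and the Content-Type alert in `cres/Add_integrity_check_to_SOAP_payload.yaml` look like the same kind of over-broad match.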
@@ -0,0 +1,82 @@ +doctype: CRE +id: 270-568 +links: +- document: + doctype: CRE + id: 633-428 + name: '>>Authentication' + ltype: Contains +- document: + doctype: CRE + id: 558-807 + name: Mutually authenticate application and credential service provider + ltype: Contains +- document: + doctype: CRE + id: 333-858 + name: Resist stolen credentials + tags: + - Cryptography + ltype: Contains +- document: + doctype: CRE + id: 113-133 + name: Use centralized authentication mechanism + tags: + - Architecture + ltype: Contains +- document: + doctype: CRE + id: 146-556 + name: Authenticate consistently + ltype: Contains +- document: + doctype: CRE + id: 520-617 + name: Credential recovery + ltype: Contains +- document: + doctype: CRE + id: 585-408 + name: Cryptographic directives + ltype: Contains +- document: + doctype: CRE + id: 789-320 + name: Login functionality + ltype: Contains +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Contains +- document: + doctype: CRE + id: 802-056 + name: Restrict excessive authentication + ltype: Contains +- document: + doctype: CRE + id: 177-260 + name: '>>Session management' + ltype: Related +- document: + doctype: CRE + id: 551-054 + name: Use ephemeral secrets rather than static secrets + ltype: Related +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-6 + name: NIST 800-53 v5 + section: IA-6 Authentication Feedback + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-7 + name: NIST 800-53 v5 + section: IA-7 Cryptographic Module Authentication + ltype: Linked To +name: Authentication mechanism 
diff --git a/cres/Automate_secure_build_and_deployment,_especially_with_SDI.yaml b/cres/Automate_secure_build_and_deployment,_especially_with_SDI.yaml new file mode 100644 index 000000000..c370ee77c --- /dev/null +++ b/cres/Automate_secure_build_and_deployment,_especially_with_SDI.yaml @@ -0,0 +1,15 @@ +doctype: CRE +id: 263-184 +links: +- document: + doctype: CRE + id: 615-188 + name: Deployment process + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.14.4 + ltype: Linked To +name: Automate secure build and deployment, especially with SDI diff --git a/cres/Avoid_deserialization_logic.yaml b/cres/Avoid_deserialization_logic.yaml new file mode 100644 index 000000000..85a43d968 --- /dev/null +++ b/cres/Avoid_deserialization_logic.yaml @@ -0,0 +1,34 @@ +doctype: CRE +id: 831-563 +links: +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.5.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/502.html + name: CWE + section: '502' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html + name: Cheat_sheets + section: Deserialization Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: XML External Entity Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html + name: Cheat_sheets + section: XML Security Cheat Sheet + ltype: Linked To +name: Avoid deserialization logic 
diff --git a/cres/Avoid_password_truncation,_with_exception_of_consecutive_spaces.yaml b/cres/Avoid_password_truncation,_with_exception_of_consecutive_spaces.yaml new file mode 100644 index 000000000..70e4d194c --- /dev/null +++ b/cres/Avoid_password_truncation,_with_exception_of_consecutive_spaces.yaml 
@@ -0,0 +1,56 @@ +doctype: CRE +id: 715-681 +links: +- document: + doctype: CRE + id: 455-885 + name: Credentials directives + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.1.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html + name: OPC + section: C6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/521.html + name: CWE + section: '521' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html + name: WSTG + section: WSTG-ATHN-07 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html + name: Cheat_sheets + section: Choosing and Using Security Questions Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html + name: Cheat_sheets + section: Forgot Password Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Credential Stuffing Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.1.2 + ltype: Linked To +name: Avoid password truncation, with exception of consecutive spaces diff --git a/cres/Avoid_unauthorized_client_data_collection.yaml b/cres/Avoid_unauthorized_client_data_collection.yaml new file mode 100644 index 000000000..1b8e872da --- /dev/null 
+++ b/cres/Avoid_unauthorized_client_data_collection.yaml @@ -0,0 +1,28 @@ +doctype: CRE +id: 834-645 +links: +- document: + doctype: CRE + id: 613-287 + name: Dependency integrity + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x18-V10-Malicious.md + name: ASVS + section: V10.2.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/359.html + name: CWE + section: '359' + ltype: Linked To +- document: + doctype: Tool + name: 'ZAP Alert: "Personally Identifiable Information via WebSocket"' + tags: + - '"WebSocket Passive"' + tooltype: Offensive + ltype: SAME +name: Avoid unauthorized client data collection diff --git a/cres/Avoid_using_of_Origin_header_for_authentication_of_access_control.yaml b/cres/Avoid_using_of_Origin_header_for_authentication_of_access_control.yaml new file mode 100644 index 000000000..3a4eaee60 --- /dev/null +++ b/cres/Avoid_using_of_Origin_header_for_authentication_of_access_control.yaml @@ -0,0 +1,23 @@ +doctype: CRE +id: 405-411 +links: +- document: + doctype: CRE + id: 541-441 + name: Validate HTTP request headers + tags: + - Injection + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md + name: ASVS + section: V14.5.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/346.html + name: CWE + section: '346' + ltype: Linked To +name: Avoid using of Origin header for authentication of access control diff --git a/cres/Backups.yaml b/cres/Backups.yaml index a8f676713..0c789c9e4 100644 --- a/cres/Backups.yaml +++ b/cres/Backups.yaml 
@@ -5,22 +5,22 @@ links: doctype: CRE id: 126-668 name: '>>Secure data storage' - type: Contains + ltype: Contains - document: doctype: CRE id: 783-355 name: Deployment tags: - Configuration - type: Related + ltype: Related - document: doctype: CRE id: 257-117 name: Perform regular backups of important data and test restoration - type: Contains + ltype: Contains - document: doctype: CRE id: 614-353 name: Store backups securely - type: Contains + ltype: Contains name: Backups diff --git a/cres/Binary_integrity.yaml b/cres/Binary_integrity.yaml new file mode 100644 index 000000000..733af6c93 --- /dev/null +++ b/cres/Binary_integrity.yaml @@ -0,0 +1,17 @@ +doctype: CRE +id: 381-501 +links: +- document: + doctype: CRE + id: 783-355 + name: Deployment + tags: + - Configuration + ltype: Contains +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-34 + name: NIST 800-53 v5 + section: SC-34 Non-modifiable Executable Programs + ltype: Linked To +name: Binary integrity diff --git a/cres/Biometric_authenticators_only_as_secondary_factors.yaml b/cres/Biometric_authenticators_only_as_secondary_factors.yaml new file mode 100644 index 000000000..438b16e4a --- /dev/null +++ b/cres/Biometric_authenticators_only_as_secondary_factors.yaml @@ -0,0 +1,28 @@ +doctype: CRE +id: 076-470 +links: +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.8.7 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/308.html + name: CWE + section: '308' + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.2.3 + ltype: Linked To +name: Biometric authenticators only as secondary factors 
diff --git a/cres/Block_direct_execution_of_file_metadata_from_untrusted_origin.yaml b/cres/Block_direct_execution_of_file_metadata_from_untrusted_origin.yaml new file mode 100644 index 000000000..54a19b597 --- /dev/null +++ b/cres/Block_direct_execution_of_file_metadata_from_untrusted_origin.yaml @@ -0,0 +1,42 @@ +doctype: CRE +id: 683-722 +links: +- document: + doctype: CRE + id: 451-082 + name: File execution + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x20-V12-Files-Resources.md + name: ASVS + section: V12.3.5 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/78.html + name: CWE + section: '78' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection.html + name: WSTG + section: WSTG-INPV-12 + ltype: Linked To +- document: + doctype: Tool + name: 'ZAP Alert: "Remote OS Command Injection"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Update Bash on the server to the latest version"' + doctype: Tool + name: 'ZAP Alert: "Remote Code Execution - Shell Shock"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Block direct execution of file metadata from untrusted origin diff --git a/cres/Block_execution-output_of_uploaded_files.yaml b/cres/Block_execution-output_of_uploaded_files.yaml new file mode 100644 index 000000000..7d8ae231a --- /dev/null +++ b/cres/Block_execution-output_of_uploaded_files.yaml 
@@ -0,0 +1,27 @@ +doctype: CRE +id: 545-243 +links: +- document: + doctype: CRE + id: 130-550 + name: File handling + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x20-V12-Files-Resources.md + name: ASVS + section: V12.5.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/434.html + name: CWE + section: '434' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.html + name: WSTG + section: WSTG-BUSL-09 + ltype: Linked To +name: Block execution/output of uploaded files diff --git a/cres/Block_serialization_of_content_from_untrusted_clients.yaml b/cres/Block_serialization_of_content_from_untrusted_clients.yaml new file mode 100644 index 000000000..f044f1869 --- /dev/null +++ b/cres/Block_serialization_of_content_from_untrusted_clients.yaml @@ -0,0 +1,28 @@ +doctype: CRE +id: 736-554 +links: +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.5.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/502.html + name: CWE + section: '502' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html + name: Cheat_sheets + section: Abuse Case Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html + name: Cheat_sheets + section: Deserialization Cheat Sheet + ltype: Linked To +name: Block serialization of content from untrusted clients diff --git a/cres/Boundary_Protection.yaml b/cres/Boundary_Protection.yaml new file mode 100644 index 000000000..68590688a --- /dev/null 
+++ b/cres/Boundary_Protection.yaml @@ -0,0 +1,15 @@ +doctype: CRE +id: 817-133 +links: +- document: + doctype: CRE + id: 546-564 + name: '>>Tags' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-7 + name: NIST 800-53 v5 + section: SC-7 Boundary Protection + ltype: Linked To +name: Boundary Protection diff --git a/cres/CSRF.yaml b/cres/CSRF.yaml index e316e5cd8..ea4b05d29 100644 --- a/cres/CSRF.yaml +++ b/cres/CSRF.yaml @@ -8,24 +8,24 @@ links: controls for unauthenticated functionality tags: - CSRF - type: Related + ltype: Related - document: doctype: CRE id: 464-084 name: Add CSRF protection for cookie based REST services tags: - CSRF - type: Related + ltype: Related - document: doctype: CRE id: 342-055 name: Set "samesite" attribute for cookie-based session tokens tags: - CSRF - type: Related + ltype: Related - document: doctype: CRE id: 546-564 name: '>>Tags' - type: Contains + ltype: Contains name: CSRF diff --git a/cres/Centralize_security_controls.yaml b/cres/Centralize_security_controls.yaml new file mode 100644 index 000000000..54179a9b5 --- /dev/null +++ b/cres/Centralize_security_controls.yaml 
@@ -0,0 +1,52 @@ +doctype: CRE +id: 344-611 +links: +- document: + doctype: CRE + id: 153-513 + name: '>>Development & operations' + ltype: Contains +- document: + doctype: CRE + id: 155-155 + name: Architecture + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.1.6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c10-handle-errors-exceptions.html + name: OPC + section: C10 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/637.html + name: CWE + section: '637' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html + name: Cheat_sheets + section: Threat Modeling Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html + name: Cheat_sheets + section: Abuse Case Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html + name: Cheat_sheets + section: Attack Surface Analysis Cheat Sheet + ltype: Linked To +name: Centralize security controls +tags: +- Architecture diff --git a/cres/Change_password_with_presence_of_old_and_new_password.yaml b/cres/Change_password_with_presence_of_old_and_new_password.yaml new file mode 100644 index 000000000..a1c4c0c5e --- /dev/null +++ b/cres/Change_password_with_presence_of_old_and_new_password.yaml 
@@ -0,0 +1,50 @@ +doctype: CRE +id: 327-505 +links: +- document: + doctype: CRE + id: 586-842 + name: '>>Secure user management' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.1.6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/620.html + name: CWE + section: '620' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html + name: WSTG + section: WSTG-ATHN-07 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html + name: Cheat_sheets + section: Choosing and Using Security Questions Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html + name: Cheat_sheets + section: Forgot Password Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Credential Stuffing Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.1.2 + ltype: Linked To +name: Change password with presence of old and new password diff --git a/cres/Check_binary_integrity_before_deployment.yaml b/cres/Check_binary_integrity_before_deployment.yaml new file mode 100644 index 000000000..c3bdf6bf4 --- /dev/null +++ b/cres/Check_binary_integrity_before_deployment.yaml 
@@ -0,0 +1,21 @@ +doctype: CRE +id: 171-222 +links: +- document: + doctype: CRE + id: 615-188 + name: Deployment process + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.14.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/494.html + name: CWE + section: '494' + ltype: Linked To +name: Check binary integrity before deployment diff --git a/cres/Check_boundaries_against_integer_overflow_weaknesses.yaml b/cres/Check_boundaries_against_integer_overflow_weaknesses.yaml new file mode 100644 index 000000000..4a6463113 --- /dev/null +++ b/cres/Check_boundaries_against_integer_overflow_weaknesses.yaml @@ -0,0 +1,33 @@ +doctype: CRE +id: 482-771 +links: +- document: + doctype: CRE + id: 866-553 + name: Memory, String, and Unmanaged Code + tags: + - Injection + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.4.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/190.html + name: CWE + section: '190' + ltype: Linked To +- document: + description: '"Rewrite the background program using proper checking of the size + of integer being input to prevent overflows and divide by 0 errors. This will + require a recompile of the background executable."' + doctype: Tool + name: 'ZAP Alert: "Integer Overflow Error"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Check boundaries against integer overflow weaknesses diff --git a/cres/Check_new_passwords_against_breached_passwords.yaml b/cres/Check_new_passwords_against_breached_passwords.yaml new file mode 100644 index 000000000..8c0f92984 --- /dev/null +++ b/cres/Check_new_passwords_against_breached_passwords.yaml 
@@ -0,0 +1,56 @@ +doctype: CRE +id: 576-651 +links: +- document: + doctype: CRE + id: 455-885 + name: Credentials directives + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.1.7 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html + name: OPC + section: C6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/521.html + name: CWE + section: '521' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html + name: WSTG + section: WSTG-ATHN-07 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html + name: Cheat_sheets + section: Choosing and Using Security Questions Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html + name: Cheat_sheets + section: Forgot Password Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Credential Stuffing Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.1.2 + ltype: Linked To +name: Check new passwords against breached passwords diff --git a/cres/Check_source_code_and_third_party_libraries_to_not_contain_backdoors.yaml b/cres/Check_source_code_and_third_party_libraries_to_not_contain_backdoors.yaml new file mode 100644 index 000000000..afcaa9015 --- /dev/null 
+++ b/cres/Check_source_code_and_third_party_libraries_to_not_contain_backdoors.yaml @@ -0,0 +1,21 @@ +doctype: CRE +id: 838-636 +links: +- document: + doctype: CRE + id: 613-287 + name: Dependency integrity + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x18-V10-Malicious.md + name: ASVS + section: V10.2.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/507.html + name: CWE + section: '507' + ltype: Linked To +name: Check source code and third party libraries to not contain backdoors diff --git a/cres/Check_source_code_to_not_contain_malicious_code.yaml b/cres/Check_source_code_to_not_contain_malicious_code.yaml new file mode 100644 index 000000000..2ae0f0466 --- /dev/null +++ b/cres/Check_source_code_to_not_contain_malicious_code.yaml @@ -0,0 +1,21 @@ +doctype: CRE +id: 265-800 +links: +- document: + doctype: CRE + id: 613-287 + name: Dependency integrity + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x18-V10-Malicious.md + name: ASVS + section: V10.2.5 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/511.html + name: CWE + section: '511' + ltype: Linked To +name: Check source code to not contain malicious code diff --git a/cres/Check_source_code_to_not_contain_timebombs.yaml b/cres/Check_source_code_to_not_contain_timebombs.yaml new file mode 100644 index 000000000..de95f58b4 --- /dev/null +++ b/cres/Check_source_code_to_not_contain_timebombs.yaml 
@@ -0,0 +1,21 @@ +doctype: CRE +id: 418-525 +links: +- document: + doctype: CRE + id: 613-287 + name: Dependency integrity + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x18-V10-Malicious.md + name: ASVS + section: V10.2.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/511.html + name: CWE + section: '511' + ltype: Linked To +name: Check source code to not contain timebombs diff --git a/cres/Check_uploaded_archives_for_decompression_attacks_(eg_zip_bombs).yaml b/cres/Check_uploaded_archives_for_decompression_attacks_(eg_zip_bombs).yaml new file mode 100644 index 000000000..680da35c3 --- /dev/null +++ b/cres/Check_uploaded_archives_for_decompression_attacks_(eg_zip_bombs).yaml @@ -0,0 +1,34 @@ +doctype: CRE +id: 163-518 +links: +- document: + doctype: CRE + id: 621-287 + name: File upload + ltype: Contains +- document: + doctype: CRE + id: 623-550 + name: DOS + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x20-V12-Files-Resources.md + name: ASVS + section: V12.1.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/409.html + name: CWE + section: '409' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html + name: Cheat_sheets + section: File Upload Cheat Sheet + ltype: Linked To +name: Check uploaded archives for decompression attacks (eg zip bombs) +tags: +- DOS diff --git a/cres/Classify_personal_data_regarding_retention_so_that_old_or_outdated_data_is_deleted.yaml b/cres/Classify_personal_data_regarding_retention_so_that_old_or_outdated_data_is_deleted.yaml new file mode 100644 index 000000000..6191f0f60 --- /dev/null +++ b/cres/Classify_personal_data_regarding_retention_so_that_old_or_outdated_data_is_deleted.yaml 
@@ -0,0 +1,34 @@ +doctype: CRE +id: 268-272 +links: +- document: + doctype: CRE + name: '>>Documentation and requirements' + ltype: Contains +- document: + doctype: CRE + id: 028-728 + name: Personal data handling + ltype: Related +- document: + doctype: CRE + id: 783-355 + name: Deployment + tags: + - Configuration + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x16-V8-Data-Protection.md + name: ASVS + section: V8.3.8 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/285.html + name: CWE + section: '285' + ltype: Linked To +name: Classify personal data regarding retention so that old or outdated data is deleted +tags: +- Personal data handling diff --git a/cres/Classify_sensitive_data_in_protection_levels.yaml b/cres/Classify_sensitive_data_in_protection_levels.yaml new file mode 100644 index 000000000..f4439b4c1 --- /dev/null +++ b/cres/Classify_sensitive_data_in_protection_levels.yaml @@ -0,0 +1,34 @@ +doctype: CRE +id: 765-788 +links: +- document: + doctype: CRE + id: 625-323 + name: Data security requirement documentation + ltype: Contains +- document: + doctype: CRE + id: 028-728 + name: Personal data handling + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.8.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html + name: Cheat_sheets + section: Abuse Case Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html + name: Cheat_sheets + section: User Privacy Protection Cheat Sheet + ltype: Linked To +name: Classify sensitive data in protection levels +tags: +- Personal data handling 
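Review bot: The first link in cres/Classify_personal_data_regarding_retention_so_that_old_or_outdated_data_is_deleted.yaml points at the CRE `'>>Documentation and requirements'` with no `id:` line, while the other CRE links visible in this patch all carry one. A link that can only be resolved by name breaks as soon as the target is renamed, so the `id:` should be added under `doctype: CRE`. Relatedly, the second hunk on this line (Classify_sensitive_data_in_protection_levels.yaml) gives `id: 625-323` the name `Data security requirement documentation`, while Clear_policy_compliant_I-O_requirements.yaml gives the same id the name `Documentation and requirements`. One id should map to one name, so one of the two needs correcting.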
diff --git a/cres/Clear_authentication_data_from_client_storage.yaml b/cres/Clear_authentication_data_from_client_storage.yaml new file mode 100644 index 000000000..3016eb103 --- /dev/null +++ b/cres/Clear_authentication_data_from_client_storage.yaml @@ -0,0 +1,27 @@ +doctype: CRE +id: 046-257 +links: +- document: + doctype: CRE + id: 208-830 + name: Manage temporary storage + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x16-V8-Data-Protection.md + name: ASVS + section: V8.2.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/922.html + name: CWE + section: '922' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/12-Testing_Browser_Storage.html + name: WSTG + section: WSTG-CLNT-12 + ltype: Linked To +name: Clear authentication data from client storage diff --git a/cres/Clear_policy_compliant_I-O_requirements.yaml b/cres/Clear_policy_compliant_I-O_requirements.yaml new file mode 100644 index 000000000..6f1c75e03 --- /dev/null +++ b/cres/Clear_policy_compliant_I-O_requirements.yaml 
@@ -0,0 +1,40 @@ +doctype: CRE +id: 782-234 +links: +- document: + doctype: CRE + id: 625-323 + name: Documentation and requirements + tags: + - Architecture + ltype: Contains +- document: + doctype: CRE + id: 503-455 + name: '>>Input and output verification' + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.5.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/1029.html + name: CWE + section: '1029' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html + name: Cheat_sheets + section: Abuse Case Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html + name: Cheat_sheets + section: Deserialization Cheat Sheet + ltype: Linked To +name: Clear policy compliant I/O requirements diff --git a/cres/Communicate_out_of_band_authentication_requests,_codes_or_tokens_independently_and_securely.yaml b/cres/Communicate_out_of_band_authentication_requests,_codes_or_tokens_independently_and_securely.yaml new file mode 100644 index 000000000..be97be97a --- /dev/null +++ b/cres/Communicate_out_of_band_authentication_requests,_codes_or_tokens_independently_and_securely.yaml 
@@ -0,0 +1,35 @@ +doctype: CRE +id: 102-811 +links: +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.7.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/523.html + name: CWE + section: '523' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html + name: Cheat_sheets + section: Forgot Password Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.3.2 + ltype: Linked To +name: Communicate out of band authentication requests, codes or tokens independently + and securely diff --git a/cres/Communication_authentication.yaml b/cres/Communication_authentication.yaml new file mode 100644 index 000000000..aee411444 --- /dev/null +++ b/cres/Communication_authentication.yaml @@ -0,0 +1,26 @@ +doctype: CRE +id: 634-733 +links: +- document: + doctype: CRE + id: 278-646 + name: '>>Secure communication' + ltype: Contains +- document: + doctype: CRE + id: 605-735 + name: Authenticate all external connections + tags: + - Cryptography + ltype: Contains +- document: + doctype: CRE + id: 537-367 + name: Enable certification revocation + ltype: Contains +- document: + doctype: CRE + id: 530-671 + name: Mutually authenticate application components + ltype: Contains +name: Communication authentication diff --git a/cres/Communication_encryption.yaml b/cres/Communication_encryption.yaml new file mode 100644 index 000000000..50cd0f669 --- /dev/null +++ b/cres/Communication_encryption.yaml 
@@ -0,0 +1,30 @@ +doctype: CRE +id: 435-702 +links: +- document: + doctype: CRE + id: 278-646 + name: '>>Secure communication' + ltype: Contains +- document: + doctype: CRE + id: 170-772 + name: Cryptography + ltype: Related +- document: + doctype: CRE + id: 527-034 + name: Protect communication between application components + tags: + - Cryptography + ltype: Contains +- document: + doctype: CRE + id: 426-842 + name: Verify the authenticity of both headers and payload + tags: + - Cryptography + ltype: Contains +name: Communication encryption +tags: +- Cryptography diff --git a/cres/Configuration.yaml b/cres/Configuration.yaml index 02012f64c..27e566353 100644 --- a/cres/Configuration.yaml +++ b/cres/Configuration.yaml 
@@ -7,90 +7,86 @@ links: name: Protect against directory browsing/discovery attacks tags: - Configuration - type: Related + ltype: Related - document: doctype: CRE id: 462-245 name: Remove unnecessary features, documentation, configuration etc tags: - Configuration - type: Related + ltype: Related - document: doctype: CRE id: 154-031 name: Harden application by excluding unwanted functionality tags: - Configuration - type: Related + ltype: Related - document: doctype: CRE id: 783-355 name: Deployment tags: - Configuration - type: Related + ltype: Related - document: doctype: CRE id: 180-488 name: Proper Configuration for all applications and frameworks tags: - Configuration - type: Related + ltype: Related - document: doctype: CRE id: 308-515 name: Prevent security disclosure tags: - Configuration - type: Related + ltype: Related - document: doctype: CRE id: 764-507 name: Restrict XML parsing (against XXE) tags: - - Configuration - Injection - type: Related + - Configuration + ltype: Related - document: doctype: CRE id: 333-888 name: Do not expose data through API URLs tags: - Configuration - type: Related + ltype: Related - document: doctype: CRE id: 186-540 name: Do not expose data through HTTP verb tags: - Configuration - type: Related + ltype: Related - document: doctype: CRE id: 430-636 name: Verify TLS certificates and trust chain tags: - Configuration - type: Related + ltype: Related - document: doctype: CRE id: 546-564 name: '>>Tags' - type: Contains + ltype: Contains - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-2 name: NIST 800-53 v5 section: CM-2 BASELINE CONFIGURATION - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-6 name: NIST 800-53 v5 section: CM-6 Configuration Settings - 
subsection: '' - version: '' - type: Linked To + ltype: Linked To name: Configuration diff --git a/cres/Configure_CSP_configuration_properly.yaml b/cres/Configure_CSP_configuration_properly.yaml new file mode 100644 index 000000000..7f16cf4cc --- /dev/null +++ b/cres/Configure_CSP_configuration_properly.yaml 
@@ -0,0 +1,78 @@ +doctype: CRE +id: 257-668 +links: +- document: + doctype: CRE + id: 636-347 + name: HTTP security headers + ltype: Contains +- document: + doctype: CRE + id: 760-765 + name: XSS + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md + name: ASVS + section: V14.4.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/1021.html + name: CWE + section: '1021' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.html; + https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting.html; + https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting.html + name: WSTG + section: WSTG-INPV-01; WSTG-INPV-02; WSTG-CLNT-01 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html + name: Cheat_sheets + section: Content Security Policy Cheat Sheet + ltype: Linked To +- document: + description: '"Ensure a valid setting is used on all web pages returned by your + site (if you expect the page to be framed only by pages on your server (e.g. + it''s part of a FRAMESET) then you''ll want to use SAMEORIGIN, otherwise if + you never expect the page to be framed, you should use DENY. 
Alternatively + consider implementing Content Security Policy''s ''frame-ancestors'' directive."' + doctype: Tool + name: 'ZAP Alert: "X-Frame-Options Setting Malformed"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Ensure only a single X-Frame-Options header is present in the response."' + doctype: Tool + name: 'ZAP Alert: "Multiple X-Frame-Options Header Entries"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Ensure X-Frame-Options is set via a response header field. Alternatively + consider implementing Content Security Policy''s ''frame-ancestors'' directive."' + doctype: Tool + name: 'ZAP Alert: "X-Frame-Options Defined via META (Non-compliant with Spec)"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "Missing Anti-clickjacking Header"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +name: Configure CSP configuration properly +tags: +- XSS diff --git a/cres/Configure_HSTS_configuration_properly.yaml b/cres/Configure_HSTS_configuration_properly.yaml new file mode 100644 index 000000000..9c3e8db64 --- /dev/null +++ b/cres/Configure_HSTS_configuration_properly.yaml 
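Review bot: The four ZAP alerts attached to `Configure CSP configuration properly` are all X-Frame-Options or anti-clickjacking findings, yet they are linked with `ltype: SAME` to a CRE that is tagged `XSS` and related to the XSS CRE `760-765`. They were presumably joined through the shared CWE 1021 entry. The risk is that a reader takes a clean ZAP result as evidence that CSP is configured against XSS, which these alerts do not check. If the schema allows it for Tool documents, a weaker link such as `ltype: Related` would be more accurate. Failing that, a short `description` on `Missing Anti-clickjacking Header`, which has none, could state that it covers framing only.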
@@ -0,0 +1,33 @@ +doctype: CRE +id: 036-147 +links: +- document: + doctype: CRE + id: 636-347 + name: HTTP security headers + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md + name: ASVS + section: V14.4.5 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/523.html + name: CWE + section: '523' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/07-Test_HTTP_Strict_Transport_Security.html + name: WSTG + section: WSTG-CONF-07 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html + name: Cheat_sheets + section: Content Security Policy Cheat Sheet + ltype: Linked To +name: Configure HSTS configuration properly diff --git a/cres/Configure_Referrer-Policy_properly.yaml b/cres/Configure_Referrer-Policy_properly.yaml new file mode 100644 index 000000000..7850978a0 --- /dev/null +++ b/cres/Configure_Referrer-Policy_properly.yaml @@ -0,0 +1,27 @@ +doctype: CRE +id: 268-100 +links: +- document: + doctype: CRE + id: 636-347 + name: HTTP security headers + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md + name: ASVS + section: V14.4.6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/116.html + name: CWE + section: '116' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html + name: Cheat_sheets + section: Content Security Policy Cheat Sheet + ltype: Linked To +name: Configure Referrer-Policy properly 
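Review bot: The `Cheat_sheets` link in this HSTS CRE (036-147) points at `Content_Security_Policy_Cheat_Sheet.html` with `section: Content Security Policy Cheat Sheet`, which is not the guidance for Strict-Transport-Security. The same link is repeated in the Referrer-Policy hunk (268-100) on this line and in the X-Content-Type-Options hunk (065-388) that follows. It looks inherited from a shared mapping for the HTTP security headers group rather than chosen per header (inferred). For HSTS the entry should read `hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html` with `section: HTTP Strict Transport Security Cheat Sheet`. For the other two, either link a header-specific guide or drop the entry, so that a reader following the mapping lands on guidance for the control the CRE names.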
diff --git a/cres/Configure_X-Content-Type-Options_properly.yaml b/cres/Configure_X-Content-Type-Options_properly.yaml new file mode 100644 index 000000000..79ad0797a --- /dev/null +++ b/cres/Configure_X-Content-Type-Options_properly.yaml @@ -0,0 +1,35 @@ +doctype: CRE +id: 065-388 +links: +- document: + doctype: CRE + id: 636-347 + name: HTTP security headers + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md + name: ASVS + section: V14.4.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/116.html + name: CWE + section: '116' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.html; + https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting.html; + https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting.html + name: WSTG + section: WSTG-INPV-01; WSTG-INPV-02; WSTG-CLNT-01 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html + name: Cheat_sheets + section: Content Security Policy Cheat Sheet + ltype: Linked To +name: Configure X-Content-Type-Options properly diff --git a/cres/Consistently_apply_authentication_strength.yaml b/cres/Consistently_apply_authentication_strength.yaml new file mode 100644 index 000000000..3a455d43f --- /dev/null +++ b/cres/Consistently_apply_authentication_strength.yaml 
@@ -0,0 +1,21 @@ +doctype: CRE +id: 576-042 +links: +- document: + doctype: CRE + id: 146-556 + name: Authenticate consistently + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.2.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/306.html + name: CWE + section: '306' + ltype: Linked To +name: Consistently apply authentication strength diff --git a/cres/Constrain_functional_features_based_on_user_stories.yaml b/cres/Constrain_functional_features_based_on_user_stories.yaml new file mode 100644 index 000000000..546a8d7fd --- /dev/null +++ b/cres/Constrain_functional_features_based_on_user_stories.yaml @@ -0,0 +1,41 @@ +doctype: CRE +id: 822-100 +links: +- document: + doctype: CRE + id: 625-323 + name: Documentation and requirements + tags: + - Architecture + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.1.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/1110.html + name: CWE + section: '1110' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html + name: Cheat_sheets + section: Threat Modeling Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html + name: Cheat_sheets + section: Abuse Case Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html + name: Cheat_sheets + section: Attack Surface Analysis Cheat Sheet + ltype: Linked To +name: Constrain functional features based on user stories 
diff --git a/cres/Cookie-config.yaml b/cres/Cookie-config.yaml index 74c2f45f5..26a8e0b3f 100644 --- a/cres/Cookie-config.yaml +++ b/cres/Cookie-config.yaml @@ -5,12 +5,12 @@ links: doctype: CRE id: 177-260 name: '>>Session management' - type: Contains + ltype: Contains - document: doctype: CRE id: 342-055 name: Set "samesite" attribute for cookie-based session tokens tags: - CSRF - type: Contains + ltype: Contains name: Cookie-config diff --git a/cres/Create_random_GUIDs_with_cryptographically_secure_random_number_generators.yaml b/cres/Create_random_GUIDs_with_cryptographically_secure_random_number_generators.yaml new file mode 100644 index 000000000..e487be1c9 --- /dev/null +++ b/cres/Create_random_GUIDs_with_cryptographically_secure_random_number_generators.yaml @@ -0,0 +1,29 @@ +doctype: CRE +id: 027-210 +links: +- document: + doctype: CRE + id: 542-270 + name: Secure random values + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x14-V6-Cryptography.md + name: ASVS + section: V6.3.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/338.html + name: CWE + section: '338' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html + name: WSTG + section: WSTG-CRYP-04 + ltype: Linked To +name: Create random GUIDs with cryptographically secure random number generators diff --git a/cres/Credential_recovery.yaml b/cres/Credential_recovery.yaml new file mode 100644 index 000000000..0dbc4315b --- /dev/null +++ b/cres/Credential_recovery.yaml 
@@ -0,0 +1,40 @@ +doctype: CRE +id: 520-617 +links: +- document: + doctype: CRE + id: 270-568 + name: Authentication mechanism + ltype: Contains +- document: + doctype: CRE + id: 270-634 + name: Send authentication secrets encrypted + ltype: Contains +- document: + doctype: CRE + id: 581-525 + name: Use secure recovery mechanisms for forgotten passwords + ltype: Contains +- document: + doctype: CRE + id: 358-860 + name: Require proof of identity of the same level as during enrollment when recovering + OTP or MFA + ltype: Contains +- document: + doctype: CRE + id: 772-358 + name: Do not use password hints or secret questions + ltype: Contains +- document: + doctype: CRE + id: 543-621 + name: Do not reveal the current password during password recovery + ltype: Contains +- document: + doctype: CRE + id: 235-658 + name: Notify user about credential change + ltype: Related +name: Credential recovery diff --git a/cres/Credentials_directives.yaml b/cres/Credentials_directives.yaml new file mode 100644 index 000000000..0ad8244ff --- /dev/null +++ b/cres/Credentials_directives.yaml 
@@ -0,0 +1,49 @@ +doctype: CRE +id: 455-885 +links: +- document: + doctype: CRE + id: 633-428 + name: '>>Authentication' + ltype: Contains +- document: + doctype: CRE + id: 576-651 + name: Check new passwords against breached passwords + ltype: Contains +- document: + doctype: CRE + id: 158-874 + name: Allow long passwords + ltype: Contains +- document: + doctype: CRE + id: 338-370 + name: Do not enforce password rotation rules or history requirements + ltype: Contains +- document: + doctype: CRE + id: 807-565 + name: Do not limit character types for password composition + ltype: Contains +- document: + doctype: CRE + id: 715-681 + name: Avoid password truncation, with exception of consecutive spaces + ltype: Contains +- document: + doctype: CRE + id: 103-707 + name: Allow unicode in passwords + ltype: Contains +- document: + doctype: CRE + id: 604-025 + name: Provide a password strength meter + ltype: Contains +- document: + doctype: CRE + id: 027-555 + name: User passwords are of sufficient minimum length + ltype: Contains +name: Credentials directives diff --git a/cres/Cryptoghraphy.yaml b/cres/Cryptoghraphy.yaml index 3d9f05ae9..a8a4e78a9 100644 --- a/cres/Cryptoghraphy.yaml +++ b/cres/Cryptoghraphy.yaml @@ -6,5 +6,5 @@ links: name: TLS tags: - Cryptoghraphy - type: Related + ltype: Related name: Cryptoghraphy diff --git a/cres/Cryptographic_directives.yaml b/cres/Cryptographic_directives.yaml new file mode 100644 index 000000000..ab7600138 --- /dev/null +++ b/cres/Cryptographic_directives.yaml 
@@ -0,0 +1,23 @@ +doctype: CRE +id: 585-408 +links: +- document: + doctype: CRE + id: 270-568 + name: Authentication mechanism + ltype: Contains +- document: + doctype: CRE + id: 002-801 + name: Use approved cryptographic algorithms for generation, seeding and verification + tags: + - Cryptography + ltype: Contains +- document: + doctype: CRE + id: 287-251 + name: Use a unique challenge nonce of sufficient size + tags: + - Cryptography + ltype: Contains +name: Cryptographic directives diff --git a/cres/Cryptography.yaml b/cres/Cryptography.yaml index 5ef816c0b..6ca7846ab 100644 --- a/cres/Cryptography.yaml +++ b/cres/Cryptography.yaml 
@@ -7,153 +7,147 @@ links: name: Resist stolen credentials tags: - Cryptography - type: Related + ltype: Related - document: doctype: CRE id: 062-850 name: MFA/OTP tags: - Cryptography - type: Related + ltype: Related - document: doctype: CRE id: 002-801 name: Use approved cryptographic algorithms for generation, seeding and verification tags: - Cryptography - type: Related + ltype: Related - document: doctype: CRE id: 287-251 name: Use a unique challenge nonce of sufficient size tags: - Cryptography - type: Related + ltype: Related - document: doctype: CRE id: 206-254 name: Use secure random to generate initial authentication codes tags: - Cryptography - type: Related + ltype: Related - document: doctype: CRE id: 223-780 name: Secret storage tags: - Cryptography - type: Related + ltype: Related - document: doctype: CRE id: 543-428 name: Use security module to store one-time password verification keys tags: - Cryptography - type: Related + ltype: Related - document: doctype: CRE id: 605-735 name: Authenticate all external connections tags: - Cryptography - type: Related + ltype: Related - document: doctype: CRE id: 435-702 name: Communication encryption tags: - Cryptography - type: Related + ltype: Related - document: doctype: CRE id: 527-034 name: Protect communication between application components tags: - Cryptography - type: Related + ltype: Related - document: doctype: CRE id: 426-842 name: Verify the authenticity of both headers and payload tags: - Cryptography - type: Related + ltype: Related - document: doctype: CRE id: 248-646 name: Disable insecure SSL/TLS versions tags: - Cryptography - type: Related + ltype: Related - document: doctype: CRE id: 400-007 name: Encrypt data at rest tags: - Cryptography - type: Related + ltype: Related - document: doctype: CRE id: 742-432 name: Encryption algorithms tags: - Cryptography - type: Related + ltype: Related - document: doctype: CRE id: 542-270 name: Secure random values tags: - Cryptography - type: Related + 
ltype: Related - document: doctype: CRE id: 664-571 name: Ensure proper generation of secure random tags: - Cryptography - type: Related + ltype: Related - document: doctype: CRE id: 704-530 name: Enforce high entropy session tokens tags: - Cryptography - type: Related + ltype: Related - document: doctype: CRE id: 727-043 name: Ensure secure algorithms for generating session tokens tags: - Cryptography - type: Related + ltype: Related - document: doctype: CRE id: 546-564 name: '>>Tags' - type: Contains + ltype: Contains - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-17 name: NIST 800-53 v5 section: SC-17 Public Key Infrastructure Certificates - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-12 name: NIST 800-53 v5 section: SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-13 name: NIST 800-53 v5 section: SC-13 Cryptographic Protection - subsection: '' - version: '' - type: Linked To + ltype: Linked To name: Cryptography diff --git a/cres/DOS.yaml b/cres/DOS.yaml index 79b30103b..26728276a 100644 --- a/cres/DOS.yaml +++ b/cres/DOS.yaml 
@@ -7,88 +7,86 @@ links: name: '>>Business logic' tags: - DOS - type: Related + ltype: Related - document: doctype: CRE id: 630-573 name: Monitor suspected automation abuse tags: - DOS - type: Related + ltype: Related - document: doctype: CRE id: 725-682 name: Enable configurable alert against usage anomalies tags: - DOS - type: Related + ltype: Related - document: doctype: CRE id: 418-853 name: Monitor unusual activities on system tags: - DOS - type: Related + ltype: Related - document: doctype: CRE id: 456-535 name: Monitor for realistic "human time" business logic flows tags: - DOS - type: Related + ltype: Related - document: doctype: CRE id: 268-088 name: Limit query impact GraphQL/data layer expression DoS tags: - DOS - type: Related + ltype: Related - document: doctype: CRE id: 814-322 name: Whitelist data sources and sinks tags: - DOS - type: Related + ltype: Related - document: doctype: CRE id: 163-518 name: Check uploaded archives for decompression attacks (eg zip bombs) tags: - DOS - type: Related + ltype: Related - document: doctype: CRE id: 660-052 name: Validate max input/file sizes tags: - DOS - type: Related + ltype: Related - document: doctype: CRE id: 463-820 name: Limit size and number of uploaded files tags: - DOS - type: Related + ltype: Related - document: doctype: CRE id: 176-154 name: Monitor expectation of usage intensity (e.g. number of requests) tags: - DOS - type: Related + ltype: Related - document: doctype: CRE id: 546-564 name: '>>Tags' - type: Contains + ltype: Contains - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-5 name: NIST 800-53 v5 section: SC-5 DENIAL-OF-SERVICE PROTECTION - subsection: '' - version: '' - type: Linked To + ltype: Linked To name: DOS diff --git a/cres/Data_access_control.yaml b/cres/Data_access_control.yaml new file mode 100644 index 000000000..db7ad8633 --- /dev/null +++ b/cres/Data_access_control.yaml 
@@ -0,0 +1,21 @@ +doctype: CRE +id: 538-770 +links: +- document: + doctype: CRE + id: 126-668 + name: '>>Secure data storage' + ltype: Contains +- document: + doctype: CRE + id: 724-770 + name: '>>Authorized access' + ltype: Related +- document: + doctype: CRE + id: 117-371 + name: Use a centralized access control mechanism + tags: + - Architecture + ltype: Contains +name: Data access control diff --git a/cres/Data_security_requirement_documentation.yaml b/cres/Data_security_requirement_documentation.yaml new file mode 100644 index 000000000..d9fa7de78 --- /dev/null +++ b/cres/Data_security_requirement_documentation.yaml @@ -0,0 +1,25 @@ +doctype: CRE +id: 625-323 +links: +- document: + doctype: CRE + id: 625-323 + name: Documentation and requirements + tags: + - Architecture + ltype: Contains +- document: + doctype: CRE + id: 765-788 + name: Classify sensitive data in protection levels + tags: + - Personal data handling + ltype: Contains +- document: + doctype: CRE + id: 731-120 + name: Document requirements for (data) protection levels + tags: + - Personal data handling + ltype: Contains +name: Data security requirement documentation diff --git a/cres/Define_High-level_architecture_and_perform_security_analysis_on_it.yaml b/cres/Define_High-level_architecture_and_perform_security_analysis_on_it.yaml new file mode 100644 index 000000000..991324ed9 --- /dev/null +++ b/cres/Define_High-level_architecture_and_perform_security_analysis_on_it.yaml 
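Review bot: `cres/Data_security_requirement_documentation.yaml` declares `id: 625-323`, and its first link is a `Contains` link to a document with the same `id: 625-323` but the name `Documentation and requirements`. Other hunks in this patch (`Constrain_functional_features_based_on_user_stories.yaml`, `Define_High-level_architecture_and_perform_security_analysis_on_it.yaml`) also use 625-323 for `Documentation and requirements`, so two differently named CREs share one identifier and this one appears to link to itself. Anything keyed on `id` would presumably merge the two or drop one, which silently changes what the standards mappings attach to. The new CRE needs its own identifier, e.g. `id: <UNIQUE-CRE-ID>`, and an import-time check that rejects duplicate ids and self-referencing links would catch this class of error.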
@@ -0,0 +1,54 @@ +doctype: CRE +id: 004-130 +links: +- document: + doctype: CRE + id: 625-323 + name: Documentation and requirements + tags: + - Architecture + ltype: Contains +- document: + doctype: CRE + id: 155-155 + name: Architecture + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.1.5 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c1-security-requirements.html + name: OPC + section: C1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/1059.html + name: CWE + section: '1059' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html + name: Cheat_sheets + section: Threat Modeling Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html + name: Cheat_sheets + section: Abuse Case Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html + name: Cheat_sheets + section: Attack Surface Analysis Cheat Sheet + ltype: Linked To +name: Define High-level architecture and perform security analysis on it +tags: +- Architecture diff --git a/cres/Define_security_steps_in_every_SDLC_stage.yaml b/cres/Define_security_steps_in_every_SDLC_stage.yaml new file mode 100644 index 000000000..2e8739c5f --- /dev/null +++ b/cres/Define_security_steps_in_every_SDLC_stage.yaml 
@@ -0,0 +1,39 @@ +doctype: CRE +id: 616-305 +links: +- document: + doctype: CRE + id: 153-513 + name: '>>Development & operations' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.1.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c1-security-requirements.html + name: OPC + section: C1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html + name: Cheat_sheets + section: Threat Modeling Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html + name: Cheat_sheets + section: Abuse Case Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html + name: Cheat_sheets + section: Attack Surface Analysis Cheat Sheet + ltype: Linked To +name: Define security steps in every SDLC stage diff --git a/cres/Defined_lifetime_of_time-based_one-time_password.yaml b/cres/Defined_lifetime_of_time-based_one-time_password.yaml new file mode 100644 index 000000000..d8df5f92d --- /dev/null +++ b/cres/Defined_lifetime_of_time-based_one-time_password.yaml 
@@ -0,0 +1,33 @@ +doctype: CRE +id: 681-823 +links: +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.8.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/613.html + name: CWE + section: '613' + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.4.2 + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.5.2 + ltype: Linked To +name: Defined lifetime of time-based one-time password diff --git a/cres/Deny_new_users_by_default.yaml b/cres/Deny_new_users_by_default.yaml new file mode 100644 index 000000000..806b0293b --- /dev/null +++ b/cres/Deny_new_users_by_default.yaml 
@@ -0,0 +1,50 @@ +doctype: CRE +id: 817-808 +links: +- document: + doctype: CRE + id: 724-770 + name: '>>Authorized access' + ltype: Contains +- document: + doctype: CRE + id: 586-842 + name: '>>Secure user management' + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V4-Access-Control.md + name: ASVS + section: V4.1.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c7-enforce-access-controls.html + name: OPC + section: C7 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/276.html + name: CWE + section: '276' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/01-Test_Role_Definitions.html + name: WSTG + section: WSTG-IDNT-01 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html + name: Cheat_sheets + section: Access Control Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Testing_Automation_Cheat_Sheet.html + name: Cheat_sheets + section: Authorization Testing Automation Cheat Sheet + ltype: Linked To +name: Deny new users by default diff --git a/cres/Dependency_integrity.yaml b/cres/Dependency_integrity.yaml new file mode 100644 index 000000000..4f732a6d9 --- /dev/null +++ b/cres/Dependency_integrity.yaml 
@@ -0,0 +1,44 @@ +doctype: CRE +id: 613-287 +links: +- document: + doctype: CRE + id: 613-285 + name: '>>Dependency strength' + ltype: Contains +- document: + doctype: CRE + id: 577-260 + name: Enforce integrity check for externally hosted assets (eg SRI) + ltype: Contains +- document: + doctype: CRE + id: 838-636 + name: Check source code and third party libraries to not contain backdoors + ltype: Contains +- document: + doctype: CRE + id: 265-800 + name: Check source code to not contain malicious code + ltype: Contains +- document: + doctype: CRE + id: 418-525 + name: Check source code to not contain timebombs + ltype: Contains +- document: + doctype: CRE + id: 834-645 + name: Avoid unauthorized client data collection + ltype: Contains +- document: + doctype: CRE + id: 860-084 + name: Sandbox third party libraries + ltype: Contains +- document: + doctype: CRE + id: 715-223 + name: Ensure trusted origin of third party resources + ltype: Contains +name: Dependency integrity diff --git a/cres/Dependency_management.yaml b/cres/Dependency_management.yaml new file mode 100644 index 000000000..9e6c5b53b --- /dev/null +++ b/cres/Dependency_management.yaml @@ -0,0 +1,24 @@ +doctype: CRE +id: 613-286 +links: +- document: + doctype: CRE + id: 613-285 + name: '>>Dependency strength' + ltype: Contains +- document: + doctype: CRE + id: 053-751 + name: Force pipeline to check outdated/insecure components + ltype: Contains +- document: + doctype: CRE + id: 715-334 + name: Update third party components build- or compile time + ltype: Contains +- document: + doctype: CRE + id: 863-521 + name: Maintain/manage inventory of third party repositories + ltype: Contains +name: Dependency management diff --git a/cres/Deployed_topology.yaml b/cres/Deployed_topology.yaml new file mode 100644 index 000000000..2945ec380 --- /dev/null +++ b/cres/Deployed_topology.yaml 
@@ -0,0 +1,116 @@ +doctype: CRE +id: 726-868 +links: +- document: + doctype: CRE + id: 228-551 + name: TLS + tags: + - Cryptoghraphy + ltype: Related +- document: + doctype: CRE + id: 155-155 + name: Architecture + ltype: Related +- document: + doctype: CRE + id: 515-021 + name: Sandbox, containerize and/or isolate applications at the network level + tags: + - Architecture + ltype: Contains +- document: + doctype: CRE + id: 330-281 + name: Use least privilege OS accounts for system (components) + ltype: Related +- document: + doctype: CRE + id: 783-355 + name: Deployment + tags: + - Configuration + ltype: Contains +- document: + doctype: CRE + id: 814-322 + name: Whitelist data sources and sinks + tags: + - DOS + ltype: Related +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-49 + name: NIST 800-53 v5 + section: SC-49 Hardware-enforced Separation and Policy Enforcement + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-50 + name: NIST 800-53 v5 + section: SC-50 Software-enforced Separation and Policy Enforcement + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-47 + name: NIST 800-53 v5 + section: SC-47 Alternate Communications Paths + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-36 + name: NIST 800-53 v5 + section: SC-36 Distributed Processing and Storage + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-30 + name: NIST 800-53 v5 + section: SC-30 
Concealment and Misdirection + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-46 + name: NIST 800-53 v5 + section: SC-46 Cross Domain Policy Enforcement + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-26 + name: NIST 800-53 v5 + section: SC-26 Decoys + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-35 + name: NIST 800-53 v5 + section: SC-35 External Malicious Code Identification + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-37 + name: NIST 800-53 v5 + section: SC-37 Out-of-band Channels + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-48 + name: NIST 800-53 v5 + section: SC-48 Sensor Relocation + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-25 + name: NIST 800-53 v5 + section: SC-25 Thin Nodes + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-11 + name: NIST 800-53 v5 + section: SC-11 Trusted Path + ltype: Linked To +name: Deployed topology +tags: +- Architecture diff --git a/cres/Deployment.yaml b/cres/Deployment.yaml index 720688f4b..084c66b60 100644 --- a/cres/Deployment.yaml +++ b/cres/Deployment.yaml 
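Review bot: The TLS link at the top of `cres/Deployed_topology.yaml` carries `tags: - Cryptoghraphy`, a misspelling of the `Cryptography` tag used on the other cryptography-tagged links in this patch. The commit also keeps `cres/Cryptoghraphy.yaml` as a separate CRE alongside `cres/Cryptography.yaml`, so TLS ends up outside the Cryptography tag group and is missed by anyone browsing by that tag. Change the tag to `- Cryptography` here. The misspelled CRE file presumably needs merging at the data source rather than in the exported YAML.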
@@ -5,59 +5,59 @@ links: doctype: CRE id: 153-513 name: '>>Development & operations' - type: Contains + ltype: Contains - document: doctype: CRE id: 486-813 name: Configuration - type: Related + ltype: Related - document: doctype: CRE id: 347-352 name: Set and confirm integrity of security deployment configuration - type: Contains + ltype: Contains - document: doctype: CRE id: 381-501 name: Binary integrity - type: Contains + ltype: Contains - document: doctype: CRE id: 726-868 name: Deployed topology tags: - Architecture - type: Contains + ltype: Contains - document: doctype: CRE id: 615-188 name: Deployment process - type: Contains + ltype: Contains - document: doctype: CRE id: 840-757 name: Guidelines - type: Contains + ltype: Contains - document: doctype: CRE id: 636-347 name: HTTP security headers - type: Contains + ltype: Contains - document: doctype: CRE id: 266-527 name: Physical security - type: Contains + ltype: Contains - document: doctype: CRE id: 612-364 name: System time synchronization - type: Contains + ltype: Contains - document: doctype: CRE id: 273-600 name: Segregate components of differing trust levels - type: Contains + ltype: Contains - document: doctype: CRE id: 268-272 
@@ -65,28 +65,24 @@ links: is deleted tags: - Personal data handling - type: Related + ltype: Related - document: doctype: CRE id: 163-776 name: Backups - type: Related + ltype: Related - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-29 name: NIST 800-53 v5 section: SC-29 Heterogeneity - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-27 name: NIST 800-53 v5 section: SC-27 Platform-independent Applications - subsection: '' - version: '' - type: Linked To + ltype: Linked To name: Deployment tags: - Configuration diff --git a/cres/Deployment_process.yaml b/cres/Deployment_process.yaml new file mode 100644 index 000000000..c3f5038af --- /dev/null +++ b/cres/Deployment_process.yaml 
@@ -0,0 +1,53 @@ +doctype: CRE +id: 615-188 +links: +- document: + doctype: CRE + id: 783-355 + name: Deployment + tags: + - Configuration + ltype: Contains +- document: + doctype: CRE + id: 263-184 + name: Automate secure build and deployment, especially with SDI + ltype: Contains +- document: + doctype: CRE + id: 307-507 + name: Allow only trusted sources both build time and runtime; therefore perform + integrity checks on all resources and code + ltype: Contains +- document: + doctype: CRE + id: 171-222 + name: Check binary integrity before deployment + ltype: Contains +- document: + doctype: CRE + id: 314-131 + name: Set proper (C) compiler flags + ltype: Contains +- document: + doctype: CRE + id: 208-355 + name: Ensure repeatability of deployment + ltype: Contains +- document: + doctype: CRE + id: 253-452 + name: Securely automate build and deployment in pipeline + ltype: Contains +- document: + doctype: CRE + id: 028-254 + name: Secure auto-updates over full stack + ltype: Contains +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-51 + name: NIST 800-53 v5 + section: SC-51 Hardware-based Protection + ltype: Linked To +name: Deployment process diff --git a/cres/Deserialization_Prevention.yaml b/cres/Deserialization_Prevention.yaml new file mode 100644 index 000000000..f3905a7e7 --- /dev/null +++ b/cres/Deserialization_Prevention.yaml 
@@ -0,0 +1,26 @@ +doctype: CRE +id: 836-068 +links: +- document: + doctype: CRE + id: 503-455 + name: '>>Input and output verification' + ltype: Contains +- document: + doctype: CRE + id: 762-616 + name: Secure serialized objects (e.g. integrity checks) + ltype: Contains +- document: + doctype: CRE + id: 515-021 + name: Sandbox, containerize and/or isolate applications at the network level + tags: + - Architecture + ltype: Related +- document: + doctype: CRE + id: 184-284 + name: Log all security relevant events + ltype: Related +name: Deserialization Prevention diff --git a/cres/Developer_Configuration_Management.yaml b/cres/Developer_Configuration_Management.yaml new file mode 100644 index 000000000..ed4925827 --- /dev/null +++ b/cres/Developer_Configuration_Management.yaml @@ -0,0 +1,25 @@ +doctype: CRE +id: 601-155 +links: +- document: + doctype: CRE + id: 757-271 + name: Use proper source code control system + ltype: Contains +- document: + doctype: CRE + id: 715-334 + name: Update third party components build- or compile time + ltype: Related +- document: + doctype: CRE + id: 153-513 + name: '>>Development & operations' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-10 + name: NIST 800-53 v5 + section: SA-10 Developer Configuration Management + ltype: Linked To +name: Developer Configuration Management diff --git a/cres/Developer_Testing_and_Evaluation.yaml b/cres/Developer_Testing_and_Evaluation.yaml new file mode 100644 index 000000000..71191474d --- /dev/null +++ b/cres/Developer_Testing_and_Evaluation.yaml 
@@ -0,0 +1,15 @@ +doctype: CRE +id: 817-658 +links: +- document: + doctype: CRE + id: 153-513 + name: '>>Development & operations' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-11 + name: NIST 800-53 v5 + section: SA-11 Developer Testing and Evaluation + ltype: Linked To +name: Developer Testing and Evaluation diff --git a/cres/Development_verification.yaml b/cres/Development_verification.yaml new file mode 100644 index 000000000..992e97330 --- /dev/null +++ b/cres/Development_verification.yaml @@ -0,0 +1,26 @@ +doctype: CRE +id: 433-442 +links: +- document: + doctype: CRE + id: 340-754 + name: Threat model every design change or sprint + tags: + - Architecture + ltype: Contains +- document: + doctype: CRE + id: 611-158 + name: Use SAST for malicious content + ltype: Contains +- document: + doctype: CRE + id: 053-751 + name: Force pipeline to check outdated/insecure components + ltype: Related +- document: + doctype: CRE + id: 153-513 + name: '>>Development & operations' + ltype: Contains +name: Development verification diff --git a/cres/Disable_debug_mode_in_production.yaml b/cres/Disable_debug_mode_in_production.yaml new file mode 100644 index 000000000..049974e36 --- /dev/null +++ b/cres/Disable_debug_mode_in_production.yaml 
@@ -0,0 +1,29 @@ +doctype: CRE +id: 208-805 +links: +- document: + doctype: CRE + id: 308-515 + name: Prevent security disclosure + tags: + - Configuration + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md + name: ASVS + section: V14.3.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/497.html + name: CWE + section: '497' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html + name: Cheat_sheets + section: Error Handling Cheat Sheet + ltype: Linked To +name: Disable debug mode in production diff --git a/cres/Disable_insecure_SSL-TLS_versions.yaml b/cres/Disable_insecure_SSL-TLS_versions.yaml new file mode 100644 index 000000000..027e222a4 --- /dev/null +++ b/cres/Disable_insecure_SSL-TLS_versions.yaml 
@@ -0,0 +1,63 @@ +doctype: CRE +id: 248-646 +links: +- document: + doctype: CRE + id: 228-551 + name: TLS + tags: + - Cryptoghraphy + ltype: Contains +- document: + doctype: CRE + id: 170-772 + name: Cryptography + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x17-V9-Communications.md + name: ASVS + section: V9.1.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/326.html + name: CWE + section: '326' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_SSL_TLS_Ciphers_Insufficient_Transport_Layer_Protection.html + name: WSTG + section: WSTG-CRYP-01 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html + name: Cheat_sheets + section: HTTP Strict Transport Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html + name: Cheat_sheets + section: Transport Layer Protection Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html + name: Cheat_sheets + section: TLS Cipher String Cheat Sheet + ltype: Linked To +- document: + description: '"Protect the connection using HTTPS or use a stronger authentication + mechanism"' + doctype: Tool + name: 'ZAP Alert: "Weak Authentication Method"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +name: Disable insecure SSL/TLS versions +tags: +- Cryptography diff --git a/cres/Disallow_default_credentials.yaml b/cres/Disallow_default_credentials.yaml new file mode 100644 index 000000000..1be4fabba --- /dev/null 
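Review bot: The `ZAP Alert: "Weak Authentication Method"` entry at the end of this file is linked with `ltype: SAME`, but its own description is about protecting the connection with HTTPS or using a stronger authentication mechanism, which is not the same requirement as disabling insecure SSL/TLS versions. The same pattern shows in cres/Disallow_shared_high_privileged_accounts.yaml, where `ZAP Alert: "GET for POST"` is `SAME` as a control on shared privileged accounts, and in cres/Do_not_disclose_technical_information_in_HTTP_header_or_response.yaml, where alerts such as "Insecure HTTP Method" and "Session ID in URL Rewrite" are `SAME` as a header-disclosure control. These look like matches made through the CWE entry each CRE already links (326, 16, 200), which is too coarse to assert equivalence; someone triaging a scanner finding through these links would land on the wrong control. I would emit `ltype: Related` for CWE-derived alert links unless the mapping has been reviewed by hand.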
+++ b/cres/Disallow_default_credentials.yaml @@ -0,0 +1,26 @@ +doctype: CRE +id: 065-183 +links: +- document: + doctype: CRE + id: 586-842 + name: '>>Secure user management' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.10.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/255.html + name: CWE + section: '255' + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.1.1 + ltype: Linked To +name: Disallow default credentials diff --git a/cres/Disallow_shared_high_privileged_accounts.yaml b/cres/Disallow_shared_high_privileged_accounts.yaml new file mode 100644 index 000000000..d8b6dcb36 --- /dev/null +++ b/cres/Disallow_shared_high_privileged_accounts.yaml 
@@ -0,0 +1,51 @@ +doctype: CRE +id: 623-347 +links: +- document: + doctype: CRE + id: 586-842 + name: '>>Secure user management' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.5.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/16.html + name: CWE + section: '16' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html + name: Cheat_sheets + section: Choosing and Using Security Questions Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html + name: Cheat_sheets + section: Forgot Password Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.1.2 + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: A.3 + ltype: Linked To +- document: + description: '"Ensure that only POST is accepted where POST is expected."' + doctype: Tool + name: 'ZAP Alert: "GET for POST"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Disallow shared high privileged accounts diff --git a/cres/Disallow_unsupported-deprecated_client-side_technologies.yaml b/cres/Disallow_unsupported-deprecated_client-side_technologies.yaml new file mode 100644 index 000000000..44d6ae017 --- /dev/null +++ b/cres/Disallow_unsupported-deprecated_client-side_technologies.yaml 
@@ -0,0 +1,21 @@ +doctype: CRE +id: 673-475 +links: +- document: + doctype: CRE + id: 613-285 + name: '>>Dependency strength' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.14.6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/477.html + name: CWE + section: '477' + ltype: Linked To +name: Disallow unsupported/deprecated client-side technologies diff --git a/cres/Do_not_disclose_technical_information_in_HTTP_header_or_response.yaml b/cres/Do_not_disclose_technical_information_in_HTTP_header_or_response.yaml new file mode 100644 index 000000000..851487386 --- /dev/null +++ b/cres/Do_not_disclose_technical_information_in_HTTP_header_or_response.yaml 
@@ -0,0 +1,196 @@ +doctype: CRE +id: 403-005 +links: +- document: + doctype: CRE + id: 308-515 + name: Prevent security disclosure + tags: + - Configuration + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md + name: ASVS + section: V14.3.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/200.html + name: CWE + section: '200' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/01-Information_Gathering/README.html + name: WSTG + section: WSTG-INFO-## + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html + name: Cheat_sheets + section: Error Handling Cheat Sheet + ltype: Linked To +- document: + description: '"Review the source code of this page. Implement custom error pages. + Consider implementing a mechanism to provide a unique error reference/identifier + to the client (browser) while logging the details on the server side and not + exposing them to the user."' + doctype: Tool + name: 'ZAP Alert: "Application Error Disclosure"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Do not divulge details of whether a username is valid or invalid. 
+ In particular, for unsuccessful login attempts, do not differentiate between + an invalid user and an invalid password in the error message, page title, page + contents, HTTP headers, or redirection logic."' + doctype: Tool + name: 'ZAP Alert: "Possible Username Enumeration"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Limit access to Symfony''s Profiler, either via authentication/authorization + or limiting inclusion of the header to specific clients (by IP, etc.)."' + doctype: Tool + name: 'ZAP Alert: "X-Debug-Token Information Leak"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Remove all comments that return information that may help an attacker + and fix any underlying problems they refer to."' + doctype: Tool + name: 'ZAP Alert: "Information Disclosure - Suspicious Comments in XML via WebSocket"' + tags: + - '"WebSocket Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Remove all comments that return information that may help an attacker + and fix any underlying problems they refer to."' + doctype: Tool + name: 'ZAP Alert: "Information Disclosure - Suspicious Comments"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Do not pass sensitive information in URIs."' + doctype: Tool + name: 'ZAP Alert: "Information Disclosure - Sensitive Information in HTTP Referrer + Header"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Disable debugging messages before pushing to production."' + doctype: Tool + name: 'ZAP Alert: "Information Disclosure - Debug Error Messages via WebSocket"' + tags: + - '"WebSocket Passive"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "Proxy Disclosure"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "Cookie Slack Detector"' + tags: + - 
'"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Disable debugging messages before pushing to production."' + doctype: Tool + name: 'ZAP Alert: "Information Disclosure - Debug Error Messages"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Before allowing images to be stored on the server and/or transmitted + to the browser, strip out the embedded location information from image. This + could mean removing all Exif data or just the GPS component. Other data, like + serial numbers, should also be removed."' + doctype: Tool + name: 'ZAP Alert: "Image Exposes Location or Privacy Data"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Do not pass sensitive information in URIs."' + doctype: Tool + name: 'ZAP Alert: "Information Disclosure - Sensitive Information in URL"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"TBA"' + doctype: Tool + name: 'ZAP Alert: "Insecure HTTP Method"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Remove emails that are not public."' + doctype: Tool + name: 'ZAP Alert: "Email address found in WebSocket message"' + tags: + - '"WebSocket Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"For secure content, put session ID in a cookie. To be even more + secure consider using a combination of cookie and URL rewrite."' + doctype: Tool + name: 'ZAP Alert: "Session ID in URL Rewrite"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Remove the private IP address from the HTTP response body. 
For + comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can + be seen by client browsers."' + doctype: Tool + name: 'ZAP Alert: "Private IP Disclosure"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Ensure that your web server, application server, load balancer, + etc. is configured to suppress ''X-Powered-By'' headers."' + doctype: Tool + name: 'ZAP Alert: "Server Leaks Information via ''X-Powered-By'' HTTP Response + Header Field(s)"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Manually confirm that the timestamp data is not sensitive, and + that the data cannot be aggregated to disclose exploitable patterns."' + doctype: Tool + name: 'ZAP Alert: "Timestamp Disclosure"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +name: Do not disclose technical information in HTTP header or response diff --git a/cres/Do_not_disclose_technical_information_in_error_message.yaml b/cres/Do_not_disclose_technical_information_in_error_message.yaml new file mode 100644 index 000000000..7916fd33a --- /dev/null +++ b/cres/Do_not_disclose_technical_information_in_error_message.yaml 
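Review bot: The tool entries in this file carry literal double quotes inside their YAML strings, e.g. `- '"Passive"'` and `description: '"TBA"'`, so the stored tag is `"Passive"` rather than `Passive` and will presumably not match a tag lookup that uses the bare word. `"TBA"` is a placeholder standing in for the remediation of "Insecure HTTP Method", and "Proxy Disclosure" and "Cookie Slack Detector" have no description at all, so a reader following those links gets no guidance. I would strip the surrounding quotes at import time, writing `- Passive`, and omit the `description` key when the source text is empty or a placeholder. The same quoting appears in the other ZAP entries of this patch (cres/Disable_insecure_SSL-TLS_versions.yaml, cres/Disallow_shared_high_privileged_accounts.yaml, cres/Do_not_disclose_technical_information_in_error_message.yaml).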
@@ -0,0 +1,60 @@ +doctype: CRE +id: 743-110 +links: +- document: + doctype: CRE + id: 308-515 + name: Prevent security disclosure + tags: + - Configuration + ltype: Contains +- document: + doctype: CRE + id: 843-841 + name: Log discretely + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md + name: ASVS + section: V14.3.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/209.html + name: CWE + section: '209' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/01-Testing_for_Error_Code.html + name: WSTG + section: WSTG-ERRH-01 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html + name: Cheat_sheets + section: Error Handling Cheat Sheet + ltype: Linked To +- document: + description: '"Update the affected server software, or modify the scripts so that + they properly validate encrypted data before attempting decryption."' + doctype: Tool + name: 'ZAP Alert: "Generic Padding Oracle"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Review the error payloads which are piped directly to WebSockets. + Handle the related exceptions. Consider implementing a mechanism to provide + a unique error reference/identifier to the client (browser) while logging the + details on the server side and not exposing them to the user."' + doctype: Tool + name: 'ZAP Alert: "Application Error Disclosure via WebSockets"' + tags: + - '"WebSocket Passive"' + tooltype: Offensive + ltype: SAME +name: Do not disclose technical information in error message 
diff --git a/cres/Do_not_enforce_password_rotation_rules_or_history_requirements.yaml b/cres/Do_not_enforce_password_rotation_rules_or_history_requirements.yaml new file mode 100644 index 000000000..cc8cb9a6d --- /dev/null +++ b/cres/Do_not_enforce_password_rotation_rules_or_history_requirements.yaml @@ -0,0 +1,50 @@ +doctype: CRE +id: 338-370 +links: +- document: + doctype: CRE + id: 455-885 + name: Credentials directives + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.1.10 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/263.html + name: CWE + section: '263' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html + name: WSTG + section: WSTG-ATHN-07 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html + name: Cheat_sheets + section: Choosing and Using Security Questions Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html + name: Cheat_sheets + section: Forgot Password Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Credential Stuffing Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.1.2 + ltype: Linked To +name: Do not enforce password rotation rules or history requirements 
diff --git a/cres/Do_not_expose_data_through_API_URLs.yaml b/cres/Do_not_expose_data_through_API_URLs.yaml new file mode 100644 index 000000000..61587b0a8 --- /dev/null +++ b/cres/Do_not_expose_data_through_API_URLs.yaml @@ -0,0 +1,46 @@ +doctype: CRE +id: 333-888 +links: +- document: + doctype: CRE + id: 341-076 + name: Minimize communication + ltype: Contains +- document: + doctype: CRE + id: 486-813 + name: Configuration + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x21-V13-API.md + name: ASVS + section: V13.1.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/598.html + name: CWE + section: '598' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/04-Testing_for_Exposed_Session_Variables.html + name: WSTG + section: WSTG-SESS-04 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet.html + name: Cheat_sheets + section: Web Service Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Server Side Request Forgery Prevention Cheat Sheet + ltype: Linked To +name: Do not expose data through API URLs +tags: +- Configuration diff --git a/cres/Do_not_expose_data_through_HTTP_verb.yaml b/cres/Do_not_expose_data_through_HTTP_verb.yaml new file mode 100644 index 000000000..963a37e25 --- /dev/null +++ b/cres/Do_not_expose_data_through_HTTP_verb.yaml 
@@ -0,0 +1,34 @@ +doctype: CRE +id: 186-540 +links: +- document: + doctype: CRE + id: 341-076 + name: Minimize communication + ltype: Contains +- document: + doctype: CRE + id: 486-813 + name: Configuration + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x16-V8-Data-Protection.md + name: ASVS + section: V8.3.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/319.html + name: CWE + section: '319' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/03-Testing_for_Sensitive_Information_Sent_via_Unencrypted_Channels.html + name: WSTG + section: WSTG-CRYP-03 + ltype: Linked To +name: Do not expose data through HTTP verb +tags: +- Configuration diff --git a/cres/Do_not_expose_session_token_in_URL.yaml b/cres/Do_not_expose_session_token_in_URL.yaml new file mode 100644 index 000000000..477c0da40 --- /dev/null +++ b/cres/Do_not_expose_session_token_in_URL.yaml @@ -0,0 +1,27 @@ +doctype: CRE +id: 402-133 +links: +- document: + doctype: CRE + id: 177-260 + name: '>>Session management' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md + name: ASVS + section: V3.1.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/598.html + name: CWE + section: '598' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/04-Testing_for_Exposed_Session_Variables.html + name: WSTG + section: WSTG-SESS-04 + ltype: Linked To +name: Do not expose session token in URL 
diff --git a/cres/Do_not_fall_back_to_insecure_protocols_in_TCP.yaml b/cres/Do_not_fall_back_to_insecure_protocols_in_TCP.yaml new file mode 100644 index 000000000..cb9f0d3ba --- /dev/null +++ b/cres/Do_not_fall_back_to_insecure_protocols_in_TCP.yaml @@ -0,0 +1,53 @@ +doctype: CRE +id: 745-045 +links: +- document: + doctype: CRE + id: 228-551 + name: TLS + tags: + - Cryptoghraphy + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x17-V9-Communications.md + name: ASVS + section: V9.1.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c8-protect-data-everywhere.html + name: OPC + section: C8 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/319.html + name: CWE + section: '319' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_SSL_TLS_Ciphers_Insufficient_Transport_Layer_Protection.html + name: WSTG + section: WSTG-CRYP-01 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html + name: Cheat_sheets + section: HTTP Strict Transport Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html + name: Cheat_sheets + section: Transport Layer Protection Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html + name: Cheat_sheets + section: TLS Cipher String Cheat Sheet + ltype: Linked To +name: Do not fall back to insecure protocols in TCP 
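Review bot: The tag on the TLS parent link is spelled `Cryptoghraphy`, while other entries in this patch use `Cryptography` (for example the top-level tag of cres/Disable_insecure_SSL-TLS_versions.yaml, whose own TLS link carries the same misspelling). A tag-based query for `Cryptography` will not reach CRE 228-551 through this link. The fix is `- Cryptography` here and in that file, and, if these files are exported from another source, in that source as well so the misspelling does not come back.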
diff --git a/cres/Do_not_limit_character_types_for_password_composition.yaml b/cres/Do_not_limit_character_types_for_password_composition.yaml new file mode 100644 index 000000000..fd9dcb655 --- /dev/null +++ b/cres/Do_not_limit_character_types_for_password_composition.yaml 
@@ -0,0 +1,56 @@ +doctype: CRE +id: 807-565 +links: +- document: + doctype: CRE + id: 455-885 + name: Credentials directives + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.1.9 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html + name: OPC + section: C6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/521.html + name: CWE + section: '521' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html + name: WSTG + section: WSTG-ATHN-07 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html + name: Cheat_sheets + section: Choosing and Using Security Questions Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html + name: Cheat_sheets + section: Forgot Password Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Credential Stuffing Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.1.2 + ltype: Linked To +name: Do not limit character types for password composition diff --git a/cres/Do_not_log_credentials_or_payment_details.yaml b/cres/Do_not_log_credentials_or_payment_details.yaml new file mode 100644 index 000000000..b4457404a --- /dev/null +++ b/cres/Do_not_log_credentials_or_payment_details.yaml 
@@ -0,0 +1,33 @@ +doctype: CRE +id: 067-050 +links: +- document: + doctype: CRE + id: 843-841 + name: Log discretely + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x15-V7-Error-Logging.md + name: ASVS + section: V7.1.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/532.html + name: CWE + section: '532' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/02-Test_Application_Platform_Configuration.html#log-review + name: WSTG + section: WSTG-CONF-02 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html + name: Cheat_sheets + section: Logging Cheat Sheet + ltype: Linked To +name: Do not log credentials or payment details diff --git a/cres/Do_not_offer_weak_(clear_text)_authenticators_by_default.yaml b/cres/Do_not_offer_weak_(clear_text)_authenticators_by_default.yaml new file mode 100644 index 000000000..ff3225b3a --- /dev/null +++ b/cres/Do_not_offer_weak_(clear_text)_authenticators_by_default.yaml 
@@ -0,0 +1,34 @@ +doctype: CRE +id: 354-752 +links: +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.7.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/287.html + name: CWE + section: '287' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html + name: Cheat_sheets + section: Forgot Password Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.3.2 + ltype: Linked To +name: Do not offer weak (clear text) authenticators by default diff --git a/cres/Do_not_reveal_the_current_password_during_password_recovery.yaml b/cres/Do_not_reveal_the_current_password_during_password_recovery.yaml new file mode 100644 index 000000000..c3d47c985 --- /dev/null +++ b/cres/Do_not_reveal_the_current_password_during_password_recovery.yaml 
@@ -0,0 +1,44 @@ +doctype: CRE +id: 543-621 +links: +- document: + doctype: CRE + id: 520-617 + name: Credential recovery + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.5.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html + name: OPC + section: C6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/640.html + name: CWE + section: '640' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html + name: Cheat_sheets + section: Choosing and Using Security Questions Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html + name: Cheat_sheets + section: Forgot Password Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.1.2 + ltype: Linked To +name: Do not reveal the current password during password recovery diff --git a/cres/Do_not_share_unsynchronized_state_on_high-value_logic_flows.yaml b/cres/Do_not_share_unsynchronized_state_on_high-value_logic_flows.yaml new file mode 100644 index 000000000..13a32c42b --- /dev/null +++ b/cres/Do_not_share_unsynchronized_state_on_high-value_logic_flows.yaml 
@@ -0,0 +1,29 @@ +doctype: CRE +id: 670-660 +links: +- document: + doctype: CRE + id: 854-643 + name: '>>Business logic' + tags: + - DOS + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.11.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/362.html + name: CWE + section: '362' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html + name: Cheat_sheets + section: Abuse Case Cheat Sheet + ltype: Linked To +name: Do not share unsynchronized state on high-value logic flows diff --git a/cres/Do_not_store_secrets_in_the_code.yaml b/cres/Do_not_store_secrets_in_the_code.yaml new file mode 100644 index 000000000..2fc7f81ca --- /dev/null +++ b/cres/Do_not_store_secrets_in_the_code.yaml @@ -0,0 +1,23 @@ +doctype: CRE +id: 774-888 +links: +- document: + doctype: CRE + id: 223-780 + name: Secret storage + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.10.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/798.html + name: CWE + section: '798' + ltype: Linked To +name: Do not store secrets in the code diff --git a/cres/Do_not_store_sensitive_data_on_client_(browser)_storage.yaml b/cres/Do_not_store_sensitive_data_on_client_(browser)_storage.yaml new file mode 100644 index 000000000..da2056b11 --- /dev/null +++ b/cres/Do_not_store_sensitive_data_on_client_(browser)_storage.yaml 
@@ -0,0 +1,27 @@ +doctype: CRE +id: 617-524 +links: +- document: + doctype: CRE + id: 208-830 + name: Manage temporary storage + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x16-V8-Data-Protection.md + name: ASVS + section: V8.2.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/922.html + name: CWE + section: '922' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/12-Testing_Browser_Storage.html + name: WSTG + section: WSTG-CLNT-12 + ltype: Linked To +name: Do not store sensitive data on client (browser) storage diff --git a/cres/Do_not_use_eval_or_dynamic_code_execution_functions.yaml b/cres/Do_not_use_eval_or_dynamic_code_execution_functions.yaml new file mode 100644 index 000000000..bf97892fe --- /dev/null +++ b/cres/Do_not_use_eval_or_dynamic_code_execution_functions.yaml 
@@ -0,0 +1,54 @@ +doctype: CRE +id: 317-743 +links: +- document: + doctype: CRE + id: 764-765 + name: Sanitization and sandboxing + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.2.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/95.html + name: CWE + section: '95' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/02-Testing_for_JavaScript_Execution.html + name: WSTG + section: WSTG-CLNT-02 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Server Side Request Forgery Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Cross Site Scripting Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: DOM based XSS Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html + name: Cheat_sheets + section: Unvalidated Redirects and Forwards Cheat Sheet + ltype: Linked To +name: Do not use eval or dynamic code execution functions diff --git a/cres/Do_not_use_password_hints_or_secret_questions.yaml b/cres/Do_not_use_password_hints_or_secret_questions.yaml new file mode 100644 index 000000000..3d9ebaf5f --- /dev/null 
+++ b/cres/Do_not_use_password_hints_or_secret_questions.yaml @@ -0,0 +1,44 @@ +doctype: CRE +id: 772-358 +links: +- document: + doctype: CRE + id: 520-617 + name: Credential recovery + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.5.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/640.html + name: CWE + section: '640' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/08-Testing_for_Weak_Security_Question_Answer.html + name: WSTG + section: WSTG-ATHN-08 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html + name: Cheat_sheets + section: Choosing and Using Security Questions Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html + name: Cheat_sheets + section: Forgot Password Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.1.2 + ltype: Linked To +name: Do not use password hints or secret questions diff --git a/cres/Do_not_use_static_secrets.yaml b/cres/Do_not_use_static_secrets.yaml new file mode 100644 index 000000000..0edcdf1a9 --- /dev/null +++ b/cres/Do_not_use_static_secrets.yaml 
@@ -0,0 +1,26 @@ +doctype: CRE +id: 813-610 +links: +- document: + doctype: CRE + id: 586-842 + name: '>>Secure user management' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.10.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/287.html + name: CWE + section: '287' + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.1.1 + ltype: Linked To +name: Do not use static secrets diff --git a/cres/Document_all_trust_boundaries_and_significant_data_flows.yaml b/cres/Document_all_trust_boundaries_and_significant_data_flows.yaml new file mode 100644 index 000000000..10ce4c076 --- /dev/null +++ b/cres/Document_all_trust_boundaries_and_significant_data_flows.yaml 
@@ -0,0 +1,48 @@ +doctype: CRE +id: 820-877 +links: +- document: + doctype: CRE + id: 625-323 + name: Documentation and requirements + tags: + - Architecture + ltype: Contains +- document: + doctype: CRE + id: 155-155 + name: Architecture + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.1.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/1059.html + name: CWE + section: '1059' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html + name: Cheat_sheets + section: Threat Modeling Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html + name: Cheat_sheets + section: Abuse Case Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html + name: Cheat_sheets + section: Attack Surface Analysis Cheat Sheet + ltype: Linked To +name: Document all trust boundaries and significant data flows +tags: +- Architecture diff --git a/cres/Document_explicit_key-secret_management.yaml b/cres/Document_explicit_key-secret_management.yaml new file mode 100644 index 000000000..a79c72e50 --- /dev/null +++ b/cres/Document_explicit_key-secret_management.yaml 
@@ -0,0 +1,42 @@ +doctype: CRE +id: 287-305 +links: +- document: + doctype: CRE + id: 625-323 + name: Documentation and requirements + tags: + - Architecture + ltype: Contains +- document: + doctype: CRE + id: 223-780 + name: Secret storage + tags: + - Cryptography + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.6.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/320.html + name: CWE + section: '320' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html + name: Cheat_sheets + section: Cryptographic Storage Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Key Management Cheat Sheet + ltype: Linked To +name: Document explicit key/secret management diff --git a/cres/Document_requirements_for_(data)_protection_levels.yaml b/cres/Document_requirements_for_(data)_protection_levels.yaml new file mode 100644 index 000000000..d32210b12 --- /dev/null +++ b/cres/Document_requirements_for_(data)_protection_levels.yaml 
@@ -0,0 +1,34 @@ +doctype: CRE +id: 731-120 +links: +- document: + doctype: CRE + id: 625-323 + name: Data security requirement documentation + ltype: Contains +- document: + doctype: CRE + id: 028-728 + name: Personal data handling + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.8.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html + name: Cheat_sheets + section: Abuse Case Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html + name: Cheat_sheets + section: User Privacy Protection Cheat Sheet + ltype: Linked To +name: Document requirements for (data) protection levels +tags: +- Personal data handling diff --git a/cres/Documentation_and_requirements.yaml b/cres/Documentation_and_requirements.yaml new file mode 100644 index 000000000..1b5692878 --- /dev/null +++ b/cres/Documentation_and_requirements.yaml 
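Review bot: The parent link in this new file pairs `id: 625-323` with `name: Data security requirement documentation`, but the same id belongs to `Documentation and requirements` in the hunks for Document_all_trust_boundaries_and_significant_data_flows.yaml, Document_explicit_key-secret_management.yaml and Documentation_and_requirements.yaml. In Documentation_and_requirements.yaml the CRE with `id: 625-323` then lists a child carrying that same id, so the record links to itself. An importer keyed on id would presumably merge or overwrite one of the two names. The correct id for `Data security requirement documentation` is not visible in this patch, so it should be taken from the source data and both files regenerated.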
@@ -0,0 +1,66 @@ +doctype: CRE +id: 625-323 +links: +- document: + doctype: CRE + id: 153-513 + name: '>>Development & operations' + ltype: Contains +- document: + doctype: CRE + id: 036-275 + name: Make (centrally) available secure coding resources for programmers + ltype: Contains +- document: + doctype: CRE + id: 004-130 + name: Define High-level architecture and perform security analysis on it + tags: + - Architecture + ltype: Contains +- document: + doctype: CRE + id: 820-877 + name: Document all trust boundaries and significant data flows + tags: + - Architecture + ltype: Contains +- document: + doctype: CRE + id: 782-234 + name: Clear policy compliant I/O requirements + ltype: Contains +- document: + doctype: CRE + id: 822-100 + name: Constrain functional features based on user stories + ltype: Contains +- document: + doctype: CRE + id: 162-655 + name: Documentation of all components' business or security function + ltype: Contains +- document: + doctype: CRE + id: 287-305 + name: Document explicit key/secret management + ltype: Contains +- document: + doctype: CRE + id: 625-323 + name: Data security requirement documentation + ltype: Contains +- document: + doctype: CRE + id: 155-155 + name: Architecture + ltype: Related +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-5 + name: NIST 800-53 v5 + section: SA-5 System Documentation + ltype: Linked To +name: Documentation and requirements +tags: +- Architecture diff --git a/cres/Documentation_of_all_components_business_or_security_function.yaml b/cres/Documentation_of_all_components_business_or_security_function.yaml new file mode 100644 index 000000000..9d4f057ae --- /dev/null +++ b/cres/Documentation_of_all_components_business_or_security_function.yaml 
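Review bot: `ltype: Contains` is written in both directions, so the hierarchy cannot be recovered from the link type. This hunk lists `287-305` under `625-323` with `ltype: Contains`, and the Document_explicit_key-secret_management.yaml hunk lists `625-323` under `287-305` with the same `ltype: Contains`. If the importer reads every `Contains` as parent-to-child (its code is not in this hunk), each such pair becomes a two-node cycle. I would emit the link from the parent side only, or use a distinct link type for the child-to-parent direction, and state the convention in a comment in the exporter.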
@@ -0,0 +1,29 @@ +doctype: CRE +id: 162-655 +links: +- document: + doctype: CRE + id: 625-323 + name: Documentation and requirements + tags: + - Architecture + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.11.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/1059.html + name: CWE + section: '1059' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html + name: Cheat_sheets + section: Abuse Case Cheat Sheet + ltype: Linked To +name: Documentation of all components' business or security function diff --git a/cres/Enable_certification_revocation.yaml b/cres/Enable_certification_revocation.yaml new file mode 100644 index 000000000..29ed8e45e --- /dev/null +++ b/cres/Enable_certification_revocation.yaml @@ -0,0 +1,21 @@ +doctype: CRE +id: 537-367 +links: +- document: + doctype: CRE + id: 634-733 + name: Communication authentication + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x17-V9-Communications.md + name: ASVS + section: V9.2.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/299.html + name: CWE + section: '299' + ltype: Linked To +name: Enable certification revocation diff --git a/cres/Enable_configurable_alert_against_usage_anomalies.yaml b/cres/Enable_configurable_alert_against_usage_anomalies.yaml new file mode 100644 index 000000000..dd747922c --- /dev/null +++ b/cres/Enable_configurable_alert_against_usage_anomalies.yaml 
@@ -0,0 +1,41 @@ +doctype: CRE +id: 725-682 +links: +- document: + doctype: CRE + id: 854-643 + name: '>>Business logic' + tags: + - DOS + ltype: Contains +- document: + doctype: CRE + id: 623-550 + name: DOS + ltype: Related +- document: + doctype: CRE + id: 842-876 + name: '>>Logging and error handling' + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x19-V11-BusLogic.md + name: ASVS + section: V11.1.8 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/390.html + name: CWE + section: '390' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html + name: Cheat_sheets + section: Abuse Case Cheat Sheet + ltype: Linked To +name: Enable configurable alert against usage anomalies +tags: +- DOS diff --git a/cres/Enable_option_to_log_out_from_all_active_session.yaml b/cres/Enable_option_to_log_out_from_all_active_session.yaml new file mode 100644 index 000000000..7e69a3b44 --- /dev/null +++ b/cres/Enable_option_to_log_out_from_all_active_session.yaml 
@@ -0,0 +1,43 @@ +doctype: CRE +id: 673-736 +links: +- document: + doctype: CRE + id: 470-731 + name: Session lifecycle + ltype: Contains +- document: + doctype: CRE + id: 586-842 + name: '>>Secure user management' + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md + name: ASVS + section: V3.3.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/613.html + name: CWE + section: '613' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/06-Testing_for_Logout_Functionality.html#testing-for-server-side-session-termination + name: WSTG + section: WSTG-SESS-06 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Session Management Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: '7.1' + ltype: Linked To +name: Enable option to log out from all active session diff --git a/cres/Encode_output_context-specifically.yaml b/cres/Encode_output_context-specifically.yaml new file mode 100644 index 000000000..2c1e76389 --- /dev/null +++ b/cres/Encode_output_context-specifically.yaml 
@@ -0,0 +1,176 @@ +doctype: CRE +id: 064-808 +links: +- document: + doctype: CRE + id: 161-451 + name: Output encoding and injection prevention + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.3.5 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/89.html + name: CWE + section: '89' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection.html + name: WSTG + section: WSTG-INPV-05 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Cross Site Scripting Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: DOM based XSS Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html + name: Cheat_sheets + section: HTML5 Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.html + name: Cheat_sheets + section: Injection Prevention in Java Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html + name: Cheat_sheets + section: Input Validation Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: LDAP Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html + name: Cheat_sheets + section: OS Command Injection Defense Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html + name: Cheat_sheets + section: File Upload Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html + name: Cheat_sheets + section: Query Parameterization Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: SQL Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html + name: Cheat_sheets + section: Unvalidated Redirects and Forwards Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Bean_Validation_Cheat_Sheet.html + name: Cheat_sheets + section: Bean Validation Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: XML External Entity Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html + name: Cheat_sheets + section: XML Security Cheat Sheet + ltype: Linked To +- document: + doctype: Tool + name: 'ZAP Alert: "SQL Injection - Oracle"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "Advanced SQL Injection"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "SQL Injection - Hypersonic SQL"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "SQL Injection - MsSQL"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "SQL Injection - MySQL"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "SQL Injection - PostgreSQL"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "SQL Injection"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "SQL Injection - SQLite"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Encode output context-specifically diff --git a/cres/Encode_output_near_the_consuming_interpreter.yaml b/cres/Encode_output_near_the_consuming_interpreter.yaml new file mode 100644 index 000000000..627478c6f --- /dev/null +++ b/cres/Encode_output_near_the_consuming_interpreter.yaml 
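Review bot: The ZAP entries at the end of Encode_output_context-specifically.yaml keep the literal double quotes of their source values, as in `name: 'ZAP Alert: "SQL Injection - Oracle"'` and the tag value `'"Active"'`. A tag stored with the quote characters will not match a lookup for `Active`, and the names will render with stray quotes. The same shape appears in the ZAP entries of Encode_user_input_before_logging.yaml and Encrypt_financial_data_at_rest.yaml, including their `description` values. This looks like the alert parser not unquoting what it reads, so I would strip the surrounding quotes there and regenerate, giving `- Active` and `name: 'ZAP Alert: SQL Injection - Oracle'`.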
@@ -0,0 +1,42 @@ +doctype: CRE +id: 806-367 +links: +- document: + doctype: CRE + id: 161-451 + name: Output encoding and injection prevention + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.5.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c4-encode-escape-data.html + name: OPC + section: C4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/116.html + name: CWE + section: '116' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html + name: Cheat_sheets + section: Abuse Case Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html + name: Cheat_sheets + section: Deserialization Cheat Sheet + ltype: Linked To +name: Encode output near the consuming interpreter diff --git a/cres/Encode_output_while_preserving_user_input_formatting.yaml b/cres/Encode_output_while_preserving_user_input_formatting.yaml new file mode 100644 index 000000000..26b86510d --- /dev/null +++ b/cres/Encode_output_while_preserving_user_input_formatting.yaml 
@@ -0,0 +1,126 @@ +doctype: CRE +id: 533-516 +links: +- document: + doctype: CRE + id: 161-451 + name: Output encoding and injection prevention + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.3.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c4-encode-escape-data.html + name: OPC + section: C4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/176.html + name: CWE + section: '176' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/6-Appendix/D-Encoded_Injection.html + name: WSTG + section: WSTG-APPE-D + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Cross Site Scripting Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: DOM based XSS Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html + name: Cheat_sheets + section: HTML5 Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.html + name: Cheat_sheets + section: Injection Prevention in Java Cheat Sheet 
+ ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html + name: Cheat_sheets + section: Input Validation Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: LDAP Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html + name: Cheat_sheets + section: OS Command Injection Defense Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html + name: Cheat_sheets + section: File Upload Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html + name: Cheat_sheets + section: Query Parameterization Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: SQL Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html + name: Cheat_sheets + section: Unvalidated Redirects and Forwards Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Bean_Validation_Cheat_Sheet.html + name: Cheat_sheets + section: Bean Validation Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: XML External Entity Prevention Cheat Sheet + ltype: 
Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html + name: Cheat_sheets + section: XML Security Cheat Sheet + ltype: Linked To +name: Encode output while preserving user input formatting diff --git a/cres/Encode_user_input_before_logging.yaml b/cres/Encode_user_input_before_logging.yaml new file mode 100644 index 000000000..0d7b28b97 --- /dev/null +++ b/cres/Encode_user_input_before_logging.yaml 
@@ -0,0 +1,66 @@ +doctype: CRE +id: 048-612 +links: +- document: + doctype: CRE + name: Log injection protection + ltype: Contains +- document: + doctype: CRE + id: 503-455 + name: '>>Input and output verification' + ltype: Related +- document: + doctype: CRE + id: 760-764 + name: Injection + tags: + - XSS + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x15-V7-Error-Logging.md + name: ASVS + section: V7.3.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c9-implement-security-logging-monitoring.html + name: OPC + section: C9 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/117.html + name: CWE + section: '117' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/03-Test_Integrity_Checks.html + name: WSTG + section: WSTG-BUSL-03 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html + name: Cheat_sheets + section: Logging Cheat Sheet + ltype: Linked To +- document: + description: '"Upgrade Log4j2 to version 2.15.0 or newer. In previous releases + (>2.10) this behavior can be mitigated by setting system property ''log4j2.formatMsgNoLookups'' + to ''true'' or by removing the JndiLookup class from the classpath (example: + zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). 
+ Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) + protects against remote code execution by defaulting ''com.sun.jndi.rmi.object.trustURLCodebase'' + and ''com.sun.jndi.cosnaming.object.trustURLCodebase'' to ''false''."' + doctype: Tool + name: 'ZAP Alert: "Log4Shell (CVE-2021-44228)"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Encode user input before logging +tags: +- Injection diff --git a/cres/Encrypt_all_communications.yaml b/cres/Encrypt_all_communications.yaml new file mode 100644 index 000000000..b8664c29e --- /dev/null +++ b/cres/Encrypt_all_communications.yaml @@ -0,0 +1,23 @@ +doctype: CRE +id: 636-854 +links: +- document: + doctype: CRE + id: 228-551 + name: TLS + tags: + - Cryptoghraphy + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x17-V9-Communications.md + name: ASVS + section: V9.2.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/319.html + name: CWE + section: '319' + ltype: Linked To +name: Encrypt all communications diff --git a/cres/Encrypt_data_at_rest.yaml b/cres/Encrypt_data_at_rest.yaml new file mode 100644 index 000000000..2bf9803b9 --- /dev/null +++ b/cres/Encrypt_data_at_rest.yaml 
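Review bot: The `description` copied into the `ZAP Alert: "Log4Shell (CVE-2021-44228)"` entry of Encode_user_input_before_logging.yaml freezes remediation advice that was later superseded. Apache subsequently reported the 2.15.0 fix as incomplete and no longer treats `log4j2.formatMsgNoLookups` as a sufficient mitigation, so a reader following this text may remain exposed. I would drop the copied remediation text in favour of a link to the upstream alert and the vendor advisory, or append a line such as `Check the current Apache Log4j security page for the fixed release`. Separately, the first link in this file, `name: Log injection protection`, has `doctype: CRE` but no `id`, unlike the other CRE links in the visible hunks, and needs one before the record can be resolved on import.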
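Review bot: The tag on the `TLS` parent link in Encrypt_all_communications.yaml is spelled `Cryptoghraphy`, while other hunks in this patch (Do_not_store_secrets_in_the_code.yaml, Encrypt_data_at_rest.yaml) use `Cryptography`. If tags are matched as plain strings, this control drops out of any Cryptography-tagged view. The line should read `- Cryptography`. The misspelling probably comes from the TLS record itself, which is not in this hunk, so it should be corrected at the source and the files regenerated.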
@@ -0,0 +1,39 @@ +doctype: CRE +id: 400-007 +links: +- document: + doctype: CRE + id: 126-668 + name: '>>Secure data storage' + ltype: Contains +- document: + doctype: CRE + id: 742-432 + name: Encryption algorithms + tags: + - Cryptography + ltype: Contains +- document: + doctype: CRE + id: 170-772 + name: Cryptography + ltype: Related +- document: + doctype: CRE + id: 504-340 + name: Encrypt sensitive data with algorithms that provide both confidentiality + and integrity + ltype: Contains +- document: + doctype: CRE + id: 275-483 + name: Securely store regulated data + ltype: Contains +- document: + doctype: CRE + id: 232-325 + name: Treat client-secrets as insecure + ltype: Contains +name: Encrypt data at rest +tags: +- Cryptography diff --git a/cres/Encrypt_financial_data_at_rest.yaml b/cres/Encrypt_financial_data_at_rest.yaml new file mode 100644 index 000000000..e91686ac9 --- /dev/null +++ b/cres/Encrypt_financial_data_at_rest.yaml 
@@ -0,0 +1,64 @@ +doctype: CRE +id: 267-468 +links: +- document: + doctype: CRE + id: 275-483 + name: Securely store regulated data + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x14-V6-Cryptography.md + name: ASVS + section: V6.1.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/311.html + name: CWE + section: '311' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html + name: WSTG + section: WSTG-CRYP-04 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html + name: Cheat_sheets + section: Abuse Case Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html + name: Cheat_sheets + section: User Privacy Protection Cheat Sheet + ltype: Linked To +- document: + doctype: Tool + name: 'ZAP Alert: "Secure Pages Include Mixed Content"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Configure your web or application server to use SSL (https)."' + doctype: Tool + name: 'ZAP Alert: "HTTP Only Site"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Ensure that your web server, application server, load balancer, + etc. is configured to only serve such content via HTTPS. Consider implementing + HTTP Strict Transport Security."' + doctype: Tool + name: 'ZAP Alert: "HTTPS Content Available via HTTP"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Encrypt financial data at rest 
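Review bot: The three ZAP alerts at the end of cres/Encrypt_financial_data_at_rest.yaml (`Secure Pages Include Mixed Content`, `HTTP Only Site`, `HTTPS Content Available via HTTP`) are transport findings, yet they are attached with `ltype: SAME` to a control about encryption at rest. The join looks like it was made through the shared CWE (311 here), which is too coarse to claim equivalence: a reader following the link would conclude that a storage requirement is verified by an HTTPS scan rule. The same pattern appears in Encrypt_health_data_at_rest.yaml and Encrypt_personal_data_at_rest.yaml, and through CWE-20 in the three schema-enforcement files, where `Remote Code Execution - CVE-2012-1823` and `Httpoxy - Proxy Header Misuse` are marked SAME as schema validation. I would either restrict tool links to hand-reviewed pairs or emit the CWE-derived ones with a weaker type such as `ltype: Linked To`, which the standards links in this file already use.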
diff --git a/cres/Encrypt_health_data_at_rest.yaml b/cres/Encrypt_health_data_at_rest.yaml new file mode 100644 index 000000000..2eb1ee2c4 --- /dev/null +++ b/cres/Encrypt_health_data_at_rest.yaml 
@@ -0,0 +1,64 @@ +doctype: CRE +id: 224-321 +links: +- document: + doctype: CRE + id: 275-483 + name: Securely store regulated data + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x14-V6-Cryptography.md + name: ASVS + section: V6.1.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/311.html + name: CWE + section: '311' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html + name: WSTG + section: WSTG-CRYP-04 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html + name: Cheat_sheets + section: Abuse Case Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html + name: Cheat_sheets + section: User Privacy Protection Cheat Sheet + ltype: Linked To +- document: + doctype: Tool + name: 'ZAP Alert: "Secure Pages Include Mixed Content"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Configure your web or application server to use SSL (https)."' + doctype: Tool + name: 'ZAP Alert: "HTTP Only Site"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Ensure that your web server, application server, load balancer, + etc. is configured to only serve such content via HTTPS. Consider implementing + HTTP Strict Transport Security."' + doctype: Tool + name: 'ZAP Alert: "HTTPS Content Available via HTTP"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Encrypt health data at rest 
diff --git a/cres/Encrypt_personal_data_at_rest.yaml b/cres/Encrypt_personal_data_at_rest.yaml new file mode 100644 index 000000000..9dabd5677 --- /dev/null +++ b/cres/Encrypt_personal_data_at_rest.yaml 
@@ -0,0 +1,71 @@ +doctype: CRE +id: 482-866 +links: +- document: + doctype: CRE + id: 275-483 + name: Securely store regulated data + ltype: Contains +- document: + doctype: CRE + id: 028-728 + name: Personal data handling + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x14-V6-Cryptography.md + name: ASVS + section: V6.1.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/311.html + name: CWE + section: '311' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html + name: WSTG + section: WSTG-CRYP-04 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html + name: Cheat_sheets + section: Abuse Case Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html + name: Cheat_sheets + section: User Privacy Protection Cheat Sheet + ltype: Linked To +- document: + doctype: Tool + name: 'ZAP Alert: "Secure Pages Include Mixed Content"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Configure your web or application server to use SSL (https)."' + doctype: Tool + name: 'ZAP Alert: "HTTP Only Site"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Ensure that your web server, application server, load balancer, + etc. is configured to only serve such content via HTTPS. Consider implementing + HTTP Strict Transport Security."' + doctype: Tool + name: 'ZAP Alert: "HTTPS Content Available via HTTP"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Encrypt personal data at rest +tags: +- Personal data handling 
diff --git a/cres/Encrypt_sensitive_data_with_algorithms_that_provide_both_confidentiality_and_integrity.yaml b/cres/Encrypt_sensitive_data_with_algorithms_that_provide_both_confidentiality_and_integrity.yaml new file mode 100644 index 000000000..6a34fc8ac --- /dev/null +++ b/cres/Encrypt_sensitive_data_with_algorithms_that_provide_both_confidentiality_and_integrity.yaml @@ -0,0 +1,30 @@ +doctype: CRE +id: 504-340 +links: +- document: + doctype: CRE + id: 400-007 + name: Encrypt data at rest + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x16-V8-Data-Protection.md + name: ASVS + section: V8.3.7 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c8-protect-data-everywhere.html + name: OPC + section: C8 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/327.html + name: CWE + section: '327' + ltype: Linked To +name: Encrypt sensitive data with algorithms that provide both confidentiality and + integrity diff --git a/cres/Encryption_algorithms.yaml b/cres/Encryption_algorithms.yaml new file mode 100644 index 000000000..2c1a843aa --- /dev/null +++ b/cres/Encryption_algorithms.yaml 
@@ -0,0 +1,58 @@ +doctype: CRE +id: 742-432 +links: +- document: + doctype: CRE + id: 400-007 + name: Encrypt data at rest + tags: + - Cryptography + ltype: Contains +- document: + doctype: CRE + id: 170-772 + name: Cryptography + ltype: Related +- document: + doctype: CRE + id: 742-431 + name: Use approved cryptographic algorithms + ltype: Contains +- document: + doctype: CRE + id: 786-224 + name: Authenticate encrypted data + ltype: Contains +- document: + doctype: CRE + id: 122-287 + name: Ensure cryptographic elements can be upgraded or replaced + ltype: Contains +- document: + doctype: CRE + id: 674-425 + name: Use state of the art cryptographic configuration + ltype: Contains +- document: + doctype: CRE + id: 036-810 + name: Let cryptographic modules fail securely + ltype: Contains +- document: + doctype: CRE + id: 878-880 + name: Perform cryptographic operations in constant time + ltype: Contains +- document: + doctype: CRE + id: 433-122 + name: Use nonces and initialization vectors only once + ltype: Contains +- document: + doctype: CRE + id: 441-132 + name: Use weak crypto only for backwards compatibility + ltype: Contains +name: Encryption algorithms +tags: +- Cryptography diff --git a/cres/Enforce_JSON_schema_before_processing.yaml b/cres/Enforce_JSON_schema_before_processing.yaml new file mode 100644 index 000000000..f37fec4cf --- /dev/null +++ b/cres/Enforce_JSON_schema_before_processing.yaml 
@@ -0,0 +1,80 @@ +doctype: CRE +id: 146-706 +links: +- document: + doctype: CRE + id: 010-308 + name: Input validation + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x21-V13-API.md + name: ASVS + section: V13.2.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/20.html + name: CWE + section: '20' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html + name: Cheat_sheets + section: REST Assessment Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html + name: Cheat_sheets + section: REST Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Cross-Site Request Forgery Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Tool + name: 'ZAP Alert: "Remote Code Execution - CVE-2012-1823"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "Relative Path Confusion"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "Source Code Disclosure - CVE-2012-1823"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"The best immediate mitigation is to block Proxy request headers + as early as possible, and before they hit your application."' + doctype: Tool + name: 'ZAP Alert: "Httpoxy - Proxy Header Misuse"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Properly sanitize the user input for parameter delimiters"' + doctype: Tool + name: 'ZAP Alert: "HTTP Parameter Pollution"' + 
tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Enforce JSON schema before processing diff --git a/cres/Enforce_access_control_on_trusted_parts-serverside.yaml b/cres/Enforce_access_control_on_trusted_parts-serverside.yaml new file mode 100644 index 000000000..24ea9d61a --- /dev/null +++ b/cres/Enforce_access_control_on_trusted_parts-serverside.yaml @@ -0,0 +1,27 @@ +doctype: CRE +id: 640-364 +links: +- document: + doctype: CRE + id: 724-770 + name: '>>Authorized access' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.4.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/602.html + name: CWE + section: '602' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html + name: Cheat_sheets + section: Docker Security Cheat Sheet + ltype: Linked To +name: Enforce access control on trusted parts/serverside diff --git a/cres/Enforce_access_control_on_trusted_service_layer.yaml b/cres/Enforce_access_control_on_trusted_service_layer.yaml new file mode 100644 index 000000000..adde57a61 --- /dev/null +++ b/cres/Enforce_access_control_on_trusted_service_layer.yaml 
@@ -0,0 +1,46 @@ +doctype: CRE +id: 650-560 +links: +- document: + doctype: CRE + id: 724-770 + name: '>>Authorized access' + ltype: Contains +- document: + doctype: CRE + id: 155-155 + name: Architecture + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V4-Access-Control.md + name: ASVS + section: V4.1.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/602.html + name: CWE + section: '602' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.html + name: WSTG + section: WSTG-ATHZ-02 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html + name: Cheat_sheets + section: Access Control Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Testing_Automation_Cheat_Sheet.html + name: Cheat_sheets + section: Authorization Testing Automation Cheat Sheet + ltype: Linked To +name: Enforce access control on trusted service layer +tags: +- Architecture diff --git a/cres/Enforce_additional_authorization_and_segregation_of_duties.yaml b/cres/Enforce_additional_authorization_and_segregation_of_duties.yaml new file mode 100644 index 000000000..e30412536 --- /dev/null +++ b/cres/Enforce_additional_authorization_and_segregation_of_duties.yaml 
@@ -0,0 +1,27 @@ +doctype: CRE +id: 284-521 +links: +- document: + doctype: CRE + id: 724-770 + name: '>>Authorized access' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V4-Access-Control.md + name: ASVS + section: V4.3.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/732.html + name: CWE + section: '732' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html + name: Cheat_sheets + section: REST Assessment Cheat Sheet + ltype: Linked To +name: Enforce additional authorization and segregation of duties diff --git a/cres/Enforce_authentication_timeout_when_dealing_with_an_authentication_third_party_(CSP).yaml b/cres/Enforce_authentication_timeout_when_dealing_with_an_authentication_third_party_(CSP).yaml new file mode 100644 index 000000000..8886b1e50 --- /dev/null +++ b/cres/Enforce_authentication_timeout_when_dealing_with_an_authentication_third_party_(CSP).yaml 
@@ -0,0 +1,33 @@ +doctype: CRE +id: 618-403 +links: +- document: + doctype: CRE + id: 258-115 + name: Re-authentication from federation or assertion + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md + name: ASVS + section: V3.6.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/613.html + name: CWE + section: '613' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.html#session-id-predictability-and-randomness + name: WSTG + section: WSTG-SESS-01 + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 7.2.1 + ltype: Linked To +name: Enforce authentication timeout when dealing with an authentication third party + (CSP) diff --git a/cres/Enforce_high_entropy_session_tokens.yaml b/cres/Enforce_high_entropy_session_tokens.yaml new file mode 100644 index 000000000..f27869573 --- /dev/null +++ b/cres/Enforce_high_entropy_session_tokens.yaml 
@@ -0,0 +1,51 @@ +doctype: CRE +id: 704-530 +links: +- document: + doctype: CRE + id: 470-731 + name: Session token generation + ltype: Contains +- document: + doctype: CRE + id: 170-772 + name: Cryptography + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md + name: ASVS + section: V3.2.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html + name: OPC + section: C6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/331.html + name: CWE + section: '331' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.html#session-id-predictability-and-randomness + name: WSTG + section: WSTG-SESS-01 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Session Management Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: '7.1' + ltype: Linked To +name: Enforce high entropy session tokens +tags: +- Cryptography diff --git a/cres/Enforce_input_validation_on_a_trusted_service_layer.yaml b/cres/Enforce_input_validation_on_a_trusted_service_layer.yaml new file mode 100644 index 000000000..c80fc5b39 --- /dev/null +++ b/cres/Enforce_input_validation_on_a_trusted_service_layer.yaml 
@@ -0,0 +1,49 @@ +doctype: CRE +id: 848-711 +links: +- document: + doctype: CRE + id: 010-308 + name: Input validation + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: CRE + id: 155-155 + name: Architecture + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.5.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c5-validate-all-inputs.html + name: OPC + section: C5 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/602.html + name: CWE + section: '602' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html + name: Cheat_sheets + section: Abuse Case Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html + name: Cheat_sheets + section: Deserialization Cheat Sheet + ltype: Linked To +name: Enforce input validation on a trusted service layer +tags: +- Architecture diff --git a/cres/Enforce_integrity_check_for_externally_hosted_assets_(eg_SRI).yaml b/cres/Enforce_integrity_check_for_externally_hosted_assets_(eg_SRI).yaml new file mode 100644 index 000000000..8d1fc93fe --- /dev/null +++ b/cres/Enforce_integrity_check_for_externally_hosted_assets_(eg_SRI).yaml 
@@ -0,0 +1,47 @@ +doctype: CRE +id: 577-260 +links: +- document: + doctype: CRE + id: 613-287 + name: Dependency integrity + ltype: Contains +- document: + doctype: CRE + id: 153-513 + name: '>>Development & operations' + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md + name: ASVS + section: V14.2.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/829.html + name: CWE + section: '829' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html + name: Cheat_sheets + section: Docker Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Vulnerable Dependency Management Cheat Sheet + ltype: Linked To +- document: + description: '"Ensure JavaScript source files are loaded from only trusted sources, + and the sources can''t be controlled by end users of the application."' + doctype: Tool + name: 'ZAP Alert: "Cross-Domain JavaScript Source File Inclusion"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +name: Enforce integrity check for externally hosted assets (eg SRI) diff --git a/cres/Enforce_least_privilege.yaml b/cres/Enforce_least_privilege.yaml new file mode 100644 index 000000000..ed2264c62 --- /dev/null +++ b/cres/Enforce_least_privilege.yaml 
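Review bot: The tool entry in cres/Enforce_integrity_check_for_externally_hosted_assets_(eg_SRI).yaml stores its values with the double quotes still inside the strings: `- '"Passive"'` and a `description:` that opens with `'"Ensure JavaScript source files`. Those quote characters are part of the value, so a consumer filtering on the tag `Passive` or rendering the description gets the text wrapped in literal quotes; it suggests the alert parser copies the quoted token without stripping it. The tag should read `- Passive`, and the description should carry its text without the surrounding `"`. Every ZAP tool entry in this patch has the same shape (the Encrypt_*_at_rest files, the schema-enforcement files and Ensure_cryptographic_elements_can_be_upgraded_or_replaced.yaml), so the fix belongs in the parser rather than in each file.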
@@ -0,0 +1,45 @@ +doctype: CRE +id: 368-633 +links: +- document: + doctype: CRE + id: 724-770 + name: '>>Authorized access' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V4-Access-Control.md + name: ASVS + section: V4.1.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c7-enforce-access-controls.html + name: OPC + section: C7 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/285.html + name: CWE + section: '285' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/01-Test_Role_Definitions.html + name: WSTG + section: WSTG-IDNT-01 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html + name: Cheat_sheets + section: Access Control Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Testing_Automation_Cheat_Sheet.html + name: Cheat_sheets + section: Authorization Testing Automation Cheat Sheet + ltype: Linked To +name: Enforce least privilege diff --git a/cres/Enforce_model-based_authorization_both_at_URI_and_final_resource.yaml b/cres/Enforce_model-based_authorization_both_at_URI_and_final_resource.yaml new file mode 100644 index 000000000..184481879 --- /dev/null +++ b/cres/Enforce_model-based_authorization_both_at_URI_and_final_resource.yaml 
@@ -0,0 +1,38 @@ +doctype: CRE +id: 664-080 +links: +- document: + doctype: CRE + id: 724-770 + name: '>>Authorized access' + ltype: Contains +- document: + doctype: CRE + id: 118-110 + name: API/web services + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x21-V13-API.md + name: ASVS + section: V13.1.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/285.html + name: CWE + section: '285' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet.html + name: Cheat_sheets + section: Web Service Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Server Side Request Forgery Prevention Cheat Sheet + ltype: Linked To +name: Enforce model-based authorization both at URI and final resource diff --git a/cres/Enforce_natural_sequence_of_business_flows_to_avoid_abuse.yaml b/cres/Enforce_natural_sequence_of_business_flows_to_avoid_abuse.yaml new file mode 100644 index 000000000..14dee7450 --- /dev/null +++ b/cres/Enforce_natural_sequence_of_business_flows_to_avoid_abuse.yaml 
@@ -0,0 +1,35 @@ +doctype: CRE +id: 534-605 +links: +- document: + doctype: CRE + id: 854-643 + name: '>>Business logic' + tags: + - DOS + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x19-V11-BusLogic.md + name: ASVS + section: V11.1.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/841.html + name: CWE + section: '841' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html + name: WSTG + section: WSTG-BUSL-$$ + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html + name: Cheat_sheets + section: Abuse Case Cheat Sheet + ltype: Linked To +name: Enforce natural sequence of business flows to avoid abuse diff --git a/cres/Enforce_schema_on_XML_structure-field.yaml b/cres/Enforce_schema_on_XML_structure-field.yaml new file mode 100644 index 000000000..e6a9eddb7 --- /dev/null +++ b/cres/Enforce_schema_on_XML_structure-field.yaml 
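Review bot: `section: WSTG-BUSL-$$` in cres/Enforce_natural_sequence_of_business_flows_to_avoid_abuse.yaml looks like an unresolved placeholder rather than a WSTG identifier. The hyperlink points at the Business Logic Testing chapter README, and cres/Enforce_schema_on_type-contents_of_structured_data.yaml in this same patch labels a chapter-level link `WSTG-INPV-00`. For consistency I would write `section: WSTG-BUSL-00` here, or the specific test ID if one was intended. Otherwise the `$$` value will surface verbatim to anyone searching by section.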
@@ -0,0 +1,71 @@ +doctype: CRE +id: 611-051 +links: +- document: + doctype: CRE + id: 080-373 + name: SOAP + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x21-V13-API.md + name: ASVS + section: V13.3.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/20.html + name: CWE + section: '20' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.html + name: WSTG + section: WSTG-INPV-07 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html + name: Cheat_sheets + section: XML Security Cheat Sheet + ltype: Linked To +- document: + doctype: Tool + name: 'ZAP Alert: "Remote Code Execution - CVE-2012-1823"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "Relative Path Confusion"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "Source Code Disclosure - CVE-2012-1823"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"The best immediate mitigation is to block Proxy request headers + as early as possible, and before they hit your application."' + doctype: Tool + name: 'ZAP Alert: "Httpoxy - Proxy Header Misuse"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Properly sanitize the user input for parameter delimiters"' + doctype: Tool + name: 'ZAP Alert: "HTTP Parameter Pollution"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Enforce schema on XML structure/field 
diff --git a/cres/Enforce_schema_on_type-contents_of_structured_data.yaml b/cres/Enforce_schema_on_type-contents_of_structured_data.yaml new file mode 100644 index 000000000..e5bb7af36 --- /dev/null +++ b/cres/Enforce_schema_on_type-contents_of_structured_data.yaml 
@@ -0,0 +1,86 @@ +doctype: CRE +id: 653-242 +links: +- document: + doctype: CRE + id: 010-308 + name: Input validation + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.1.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c5-validate-all-inputs.html + name: OPC + section: C5 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/20.html + name: CWE + section: '20' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/ + name: WSTG + section: WSTG-INPV-00 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html + name: Cheat_sheets + section: Mass Assignment Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html + name: Cheat_sheets + section: Input Validation Cheat Sheet + ltype: Linked To +- document: + doctype: Tool + name: 'ZAP Alert: "Remote Code Execution - CVE-2012-1823"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "Relative Path Confusion"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "Source Code Disclosure - CVE-2012-1823"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"The best immediate mitigation is to block Proxy request headers + as early as possible, and before they hit your application."' + doctype: Tool + name: 'ZAP Alert: "Httpoxy - Proxy Header Misuse"' + tags: + - 
'"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Properly sanitize the user input for parameter delimiters"' + doctype: Tool + name: 'ZAP Alert: "HTTP Parameter Pollution"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Enforce schema on type/contents of structured data diff --git a/cres/Ensure_business_flows_thread_safety-resistance_to_race_conditions.yaml b/cres/Ensure_business_flows_thread_safety-resistance_to_race_conditions.yaml new file mode 100644 index 000000000..44d4c263b --- /dev/null +++ b/cres/Ensure_business_flows_thread_safety-resistance_to_race_conditions.yaml @@ -0,0 +1,29 @@ +doctype: CRE +id: 380-540 +links: +- document: + doctype: CRE + id: 854-643 + name: '>>Business logic' + tags: + - DOS + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.11.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/367.html + name: CWE + section: '367' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html + name: Cheat_sheets + section: Abuse Case Cheat Sheet + ltype: Linked To +name: Ensure business flows' thread safety/resistance to race conditions diff --git a/cres/Ensure_cryptographic_elements_can_be_upgraded_or_replaced.yaml b/cres/Ensure_cryptographic_elements_can_be_upgraded_or_replaced.yaml new file mode 100644 index 000000000..fc3051f4b --- /dev/null +++ b/cres/Ensure_cryptographic_elements_can_be_upgraded_or_replaced.yaml 
@@ -0,0 +1,50 @@ +doctype: CRE +id: 122-287 +links: +- document: + doctype: CRE + id: 742-432 + name: Encryption algorithms + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x14-V6-Cryptography.md + name: ASVS + section: V6.2.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c8-protect-data-everywhere.html + name: OPC + section: C8 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/326.html + name: CWE + section: '326' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html + name: Cheat_sheets + section: Cryptographic Storage Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Key Management Cheat Sheet + ltype: Linked To +- document: + description: '"Protect the connection using HTTPS or use a stronger authentication + mechanism"' + doctype: Tool + name: 'ZAP Alert: "Weak Authentication Method"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +name: Ensure cryptographic elements can be upgraded or replaced diff --git a/cres/Ensure_integrity_of_DNS_entries_and_domains.yaml b/cres/Ensure_integrity_of_DNS_entries_and_domains.yaml new file mode 100644 index 000000000..22cdbd66b --- /dev/null +++ b/cres/Ensure_integrity_of_DNS_entries_and_domains.yaml 
@@ -0,0 +1,39 @@ +doctype: CRE +id: 336-512 +links: +- document: + doctype: CRE + name: Network protection + ltype: Contains +- document: + doctype: CRE + id: 058-527 + name: Secure name/address resolution service + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x18-V10-Malicious.md + name: ASVS + section: V10.3.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/350.html + name: CWE + section: '350' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/10-Test_for_Subdomain_Takeover.html + name: WSTG + section: WSTG-CONF-10 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html + name: Cheat_sheets + section: Docker Security Cheat Sheet + ltype: Linked To +name: Ensure integrity of DNS entries and domains +tags: +- Secure name/address resolution service diff --git a/cres/Ensure_keys_and_passwords_are_replaceable.yaml b/cres/Ensure_keys_and_passwords_are_replaceable.yaml new file mode 100644 index 000000000..8ab535d0d --- /dev/null +++ b/cres/Ensure_keys_and_passwords_are_replaceable.yaml 
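Review bot: The first link in this file, `doctype: CRE` / `name: Network protection`, has no `id`, while the other CRE links in the files of this commit carry one (for example `id: 058-527` on the next entry). A link that can only be resolved by name breaks if the target is renamed, and may not resolve at all if the importer looks targets up by id. I would add `id: <CRE id of Network protection>` here, or have the exporter fail when a linked CRE has no id.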
@@ -0,0 +1,35 @@ +doctype: CRE +id: 821-832 +links: +- document: + doctype: CRE + id: 223-780 + name: Secret storage + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.6.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/320.html + name: CWE + section: '320' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html + name: Cheat_sheets + section: Cryptographic Storage Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Key Management Cheat Sheet + ltype: Linked To +name: Ensure keys and passwords are replaceable diff --git a/cres/Ensure_proper_generation_of_secure_random.yaml b/cres/Ensure_proper_generation_of_secure_random.yaml new file mode 100644 index 000000000..1a4043d16 --- /dev/null +++ b/cres/Ensure_proper_generation_of_secure_random.yaml 
@@ -0,0 +1,36 @@ +doctype: CRE +id: 664-571 +links: +- document: + doctype: CRE + id: 542-270 + name: Secure random values + tags: + - Cryptography + ltype: Contains +- document: + doctype: CRE + id: 170-772 + name: Cryptography + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x14-V6-Cryptography.md + name: ASVS + section: V6.3.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/338.html + name: CWE + section: '338' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html + name: WSTG + section: WSTG-CRYP-04 + ltype: Linked To +name: Ensure proper generation of secure random +tags: +- Cryptography diff --git a/cres/Ensure_repeatability_of_deployment.yaml b/cres/Ensure_repeatability_of_deployment.yaml new file mode 100644 index 000000000..1782ea994 --- /dev/null +++ b/cres/Ensure_repeatability_of_deployment.yaml @@ -0,0 +1,21 @@ +doctype: CRE +id: 208-355 +links: +- document: + doctype: CRE + id: 615-188 + name: Deployment process + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md + name: ASVS + section: V14.1.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html + name: Cheat_sheets + section: Docker Security Cheat Sheet + ltype: Linked To +name: Ensure repeatability of deployment diff --git a/cres/Ensure_secure_algorithms_for_generating_session_tokens.yaml b/cres/Ensure_secure_algorithms_for_generating_session_tokens.yaml new file mode 100644 index 000000000..4e6e79013 --- /dev/null +++ b/cres/Ensure_secure_algorithms_for_generating_session_tokens.yaml 
@@ -0,0 +1,51 @@ +doctype: CRE +id: 727-043 +links: +- document: + doctype: CRE + id: 470-731 + name: Session token generation + ltype: Contains +- document: + doctype: CRE + id: 170-772 + name: Cryptography + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md + name: ASVS + section: V3.2.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html + name: OPC + section: C6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/331.html + name: CWE + section: '331' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.html#session-id-predictability-and-randomness + name: WSTG + section: WSTG-SESS-01 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Session Management Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: '7.1' + ltype: Linked To +name: Ensure secure algorithms for generating session tokens +tags: +- Cryptography diff --git a/cres/Ensure_session_timeout_(soft-hard).yaml b/cres/Ensure_session_timeout_(soft-hard).yaml new file mode 100644 index 000000000..65b72ae91 --- /dev/null +++ b/cres/Ensure_session_timeout_(soft-hard).yaml 
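Review bot: `id: 470-731` is paired here with `name: Session token generation`, but the next file, Ensure_session_timeout_(soft-hard).yaml, uses the same `id: 470-731` for `name: Session lifecycle`. Generate_a_new_session_token_after_authentication.yaml repeats the first pairing. Two different CRE names cannot both own one id, so at least one of these link targets is wrong, and an importer that keys on id would presumably merge or overwrite one of them. Please check which parent each requirement belongs to and correct the `id`/`name` pair, ideally backed by an import-time check that rejects an id seen with two names.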
@@ -0,0 +1,49 @@ +doctype: CRE +id: 065-782 +links: +- document: + doctype: CRE + id: 470-731 + name: Session lifecycle + ltype: Contains +- document: + doctype: CRE + id: 633-428 + name: '>>Authentication' + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md + name: ASVS + section: V3.3.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html + name: OPC + section: C6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/613.html + name: CWE + section: '613' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/07-Testing_Session_Timeout.html + name: WSTG + section: WSTG-SESS-07 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Session Management Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: '7.2' + ltype: Linked To +name: Ensure session timeout (soft/hard) diff --git a/cres/Ensure_that_physical_single_factor_OTP_generator_can_be_revoked_fully_immediately_when_lost.yaml b/cres/Ensure_that_physical_single_factor_OTP_generator_can_be_revoked_fully_immediately_when_lost.yaml new file mode 100644 index 000000000..d96ed556d --- /dev/null +++ b/cres/Ensure_that_physical_single_factor_OTP_generator_can_be_revoked_fully_immediately_when_lost.yaml 
@@ -0,0 +1,29 @@ +doctype: CRE +id: 440-361 +links: +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.8.6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/613.html + name: CWE + section: '613' + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.2.1 + ltype: Linked To +name: Ensure that physical single factor OTP generator can be revoked fully immediately + when lost diff --git a/cres/Ensure_that_secure_fail-safe_is_in_place_for_access_control.yaml b/cres/Ensure_that_secure_fail-safe_is_in_place_for_access_control.yaml new file mode 100644 index 000000000..2193bee56 --- /dev/null +++ b/cres/Ensure_that_secure_fail-safe_is_in_place_for_access_control.yaml 
@@ -0,0 +1,50 @@ +doctype: CRE +id: 166-151 +links: +- document: + doctype: CRE + id: 724-770 + name: '>>Authorized access' + ltype: Contains +- document: + doctype: CRE + id: 141-555 + name: Fail securely + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V4-Access-Control.md + name: ASVS + section: V4.1.5 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c10-handle-errors-exceptions.html + name: OPC + section: C10 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/285.html + name: CWE + section: '285' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/01-Testing_for_Error_Code.html + name: WSTG + section: WSTG-ERRH-01 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html + name: Cheat_sheets + section: Access Control Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Testing_Automation_Cheat_Sheet.html + name: Cheat_sheets + section: Authorization Testing Automation Cheat Sheet + ltype: Linked To +name: Ensure that secure fail-safe is in place for access control diff --git a/cres/Ensure_timely_expiration_of_out_of_band_authentication_request,_code,_or_tokens.yaml b/cres/Ensure_timely_expiration_of_out_of_band_authentication_request,_code,_or_tokens.yaml new file mode 100644 index 000000000..ccb03095e --- /dev/null +++ b/cres/Ensure_timely_expiration_of_out_of_band_authentication_request,_code,_or_tokens.yaml 
@@ -0,0 +1,34 @@ +doctype: CRE +id: 816-631 +links: +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.7.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/287.html + name: CWE + section: '287' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html + name: Cheat_sheets + section: Forgot Password Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.3.2 + ltype: Linked To +name: Ensure timely expiration of out of band authentication request, code, or tokens diff --git a/cres/Ensure_trusted_origin_of_third_party_resources.yaml b/cres/Ensure_trusted_origin_of_third_party_resources.yaml new file mode 100644 index 000000000..3d9f81ec1 --- /dev/null +++ b/cres/Ensure_trusted_origin_of_third_party_resources.yaml 
@@ -0,0 +1,48 @@ +doctype: CRE +id: 715-223 +links: +- document: + doctype: CRE + id: 613-287 + name: Dependency integrity + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md + name: ASVS + section: V14.2.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c2-leverage-security-frameworks-libraries.html + name: OPC + section: C2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/829.html + name: CWE + section: '829' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html + name: Cheat_sheets + section: Docker Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Vulnerable Dependency Management Cheat Sheet + ltype: Linked To +- document: + description: '"Ensure JavaScript source files are loaded from only trusted sources, + and the sources can''t be controlled by end users of the application."' + doctype: Tool + name: 'ZAP Alert: "Cross-Domain JavaScript Source File Inclusion"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +name: Ensure trusted origin of third party resources diff --git a/cres/Ensure_users_can_remove_or_export_their_data.yaml b/cres/Ensure_users_can_remove_or_export_their_data.yaml new file mode 100644 index 000000000..fea84cb4e --- /dev/null +++ b/cres/Ensure_users_can_remove_or_export_their_data.yaml 
@@ -0,0 +1,30 @@ +doctype: CRE +id: 762-451 +links: +- document: + doctype: CRE + id: 854-643 + name: '>>Business logic' + tags: + - DOS + ltype: Contains +- document: + doctype: CRE + id: 028-728 + name: Personal data handling + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x16-V8-Data-Protection.md + name: ASVS + section: V8.3.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/212.html + name: CWE + section: '212' + ltype: Linked To +name: Ensure users can remove or export their data +tags: +- Personal data handling diff --git a/cres/Error_handling.yaml b/cres/Error_handling.yaml new file mode 100644 index 000000000..d0ce449dd --- /dev/null +++ b/cres/Error_handling.yaml @@ -0,0 +1,24 @@ +doctype: CRE +id: 513-183 +links: +- document: + doctype: CRE + id: 842-876 + name: '>>Logging and error handling' + ltype: Contains +- document: + doctype: CRE + id: 612-435 + name: Show generic message for security exceptions or unanticipated exceptions + ltype: Contains +- document: + doctype: CRE + id: 863-636 + name: Use exception handling uniformly + ltype: Contains +- document: + doctype: CRE + id: 118-602 + name: Use a standard last-resort error handler for unhandled errors + ltype: Contains +name: Error handling diff --git a/cres/Escape_output_against_XSS.yaml b/cres/Escape_output_against_XSS.yaml new file mode 100644 index 000000000..d461150eb --- /dev/null +++ b/cres/Escape_output_against_XSS.yaml 
@@ -0,0 +1,163 @@ +doctype: CRE +id: 366-835 +links: +- document: + doctype: CRE + id: 161-451 + name: Output encoding and injection prevention + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.3.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c4-encode-escape-data.html + name: OPC + section: C4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/79.html + name: CWE + section: '79' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.html + name: WSTG + section: WSTG-INPV-01 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Cross Site Scripting Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: DOM based XSS Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html + name: Cheat_sheets + section: HTML5 Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.html + name: Cheat_sheets + section: Injection Prevention in Java Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html + name: Cheat_sheets + section: Input Validation Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: LDAP Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html + name: Cheat_sheets + section: OS Command Injection Defense Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html + name: Cheat_sheets + section: File Upload Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html + name: Cheat_sheets + section: Query Parameterization Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: SQL Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html + name: Cheat_sheets + section: Unvalidated Redirects and Forwards Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Bean_Validation_Cheat_Sheet.html + name: Cheat_sheets + section: Bean Validation Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: XML External Entity Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html + name: Cheat_sheets + section: XML Security Cheat Sheet + ltype: Linked To +- document: + doctype: Tool + name: 'ZAP Alert: "Cross Site Scripting (Reflected)"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "Cross Site Scripting (Persistent)"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"N/A"' + doctype: Tool + name: 'ZAP Alert: "Cross Site Scripting (Persistent) - Prime"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"N/A"' + doctype: Tool + name: 'ZAP Alert: "Cross Site Scripting (Persistent) - Spider"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "Cross Site Scripting (DOM Based)"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Escape output against XSS diff --git a/cres/Fail_securely.yaml b/cres/Fail_securely.yaml new file mode 100644 index 000000000..d1d76741a --- /dev/null +++ b/cres/Fail_securely.yaml 
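Review bot: Two of the ZAP entries store a placeholder as real data, `description: '"N/A"'` on the "Cross Site Scripting (Persistent) - Prime" and "- Spider" alerts. The Reflected, Persistent and DOM Based entries in the same file omit `description` altogether. I would drop the key when the source has no remediation text, so that consumers never render "N/A" as guidance and the field is either meaningful or absent. It is also worth confirming against the alert source that the three main XSS alerts really have no solution text, since those are the entries where a reader most needs one.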
@@ -0,0 +1,25 @@ +doctype: CRE +id: 141-555 +links: +- document: + doctype: CRE + id: 166-151 + name: Ensure that secure fail-safe is in place for access control + ltype: Related +- document: + doctype: CRE + id: 842-876 + name: '>>Logging and error handling' + ltype: Contains +- document: + doctype: CRE + id: 036-810 + name: Let cryptographic modules fail securely + ltype: Related +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-24 + name: NIST 800-53 v5 + section: SC-24 Fail in Known State + ltype: Linked To +name: Fail securely diff --git a/cres/File_download.yaml b/cres/File_download.yaml new file mode 100644 index 000000000..a179cfc14 --- /dev/null +++ b/cres/File_download.yaml @@ -0,0 +1,14 @@ +doctype: CRE +id: 040-843 +links: +- document: + doctype: CRE + id: 130-550 + name: File handling + ltype: Contains +- document: + doctype: CRE + id: 314-701 + name: Whitelist file extensions served by web tier + ltype: Contains +name: File download diff --git a/cres/File_execution.yaml b/cres/File_execution.yaml new file mode 100644 index 000000000..2d776f8f5 --- /dev/null +++ b/cres/File_execution.yaml 
@@ -0,0 +1,43 @@ +doctype: CRE +id: 451-082 +links: +- document: + doctype: CRE + id: 130-550 + name: File handling + ltype: Contains +- document: + doctype: CRE + id: 675-168 + name: Sanitize filename metadata from untrusted origin if processing is required + ltype: Contains +- document: + doctype: CRE + id: 777-470 + name: Ignore/block execution logic from untrusted sources + ltype: Contains +- document: + doctype: CRE + id: 683-722 + name: Block direct execution of file metadata from untrusted origin + ltype: Contains +- document: + doctype: CRE + id: 421-513 + name: Ignore/at least validate filenames from untrusted origin (against RFD) + ltype: Contains +- document: + doctype: CRE + id: 737-086 + name: Ignore/at least validate filename metadata from untrusted origin (local + file context, eg LFI) + ltype: Contains +- document: + doctype: CRE + id: 742-056 + name: Ignore/at least validate filename metadata from untrusted origin (remote + file context, eg RFI) + tags: + - SSRF + ltype: Contains +name: File execution diff --git a/cres/File_handling.yaml b/cres/File_handling.yaml new file mode 100644 index 000000000..59fe54bda --- /dev/null +++ b/cres/File_handling.yaml 
@@ -0,0 +1,46 @@ +doctype: CRE +id: 130-550 +links: +- document: + doctype: CRE + id: 503-455 + name: '>>Input and output verification' + ltype: Contains +- document: + doctype: CRE + id: 175-235 + name: Validate file type of data from untrusted sources + ltype: Contains +- document: + doctype: CRE + id: 814-322 + name: Whitelist data sources and sinks + tags: + - DOS + ltype: Contains +- document: + doctype: CRE + id: 040-843 + name: File download + ltype: Contains +- document: + doctype: CRE + id: 545-243 + name: Block execution/output of uploaded files + ltype: Contains +- document: + doctype: CRE + id: 451-082 + name: File execution + ltype: Contains +- document: + doctype: CRE + id: 758-262 + name: File storage + ltype: Contains +- document: + doctype: CRE + id: 621-287 + name: File upload + ltype: Contains +name: File handling diff --git a/cres/File_storage.yaml b/cres/File_storage.yaml new file mode 100644 index 000000000..253e2b548 --- /dev/null +++ b/cres/File_storage.yaml @@ -0,0 +1,19 @@ +doctype: CRE +id: 758-262 +links: +- document: + doctype: CRE + id: 130-550 + name: File handling + ltype: Contains +- document: + doctype: CRE + id: 112-273 + name: Scan untrusted files for malware + ltype: Contains +- document: + doctype: CRE + id: 307-111 + name: Securely store files with untrusted origin + ltype: Contains +name: File storage diff --git a/cres/File_upload.yaml b/cres/File_upload.yaml new file mode 100644 index 000000000..0c4178235 --- /dev/null +++ b/cres/File_upload.yaml 
@@ -0,0 +1,44 @@ +doctype: CRE +id: 621-287 +links: +- document: + doctype: CRE + id: 130-550 + name: File handling + ltype: Contains +- document: + doctype: CRE + id: 163-518 + name: Check uploaded archives for decompression attacks (eg zip bombs) + tags: + - DOS + ltype: Contains +- document: + doctype: CRE + id: 660-052 + name: Validate max input/file sizes + tags: + - DOS + ltype: Contains +- document: + doctype: CRE + id: 384-344 + name: Store and serve user-uploaded files such that they cannot execute/damage + server or client + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: CRE + id: 463-820 + name: Limit size and number of uploaded files + tags: + - DOS + ltype: Contains +- document: + doctype: CRE + id: 634-883 + name: Separate storage of user uploaded files + ltype: Contains +name: File upload diff --git a/cres/Force_format_strings_as_constants.yaml b/cres/Force_format_strings_as_constants.yaml new file mode 100644 index 000000000..20c54d635 --- /dev/null +++ b/cres/Force_format_strings_as_constants.yaml @@ -0,0 +1,32 @@ +doctype: CRE +id: 824-732 +links: +- document: + doctype: CRE + id: 866-553 + name: Memory, String, and Unmanaged Code + tags: + - Injection + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.4.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/134.html + name: CWE + section: '134' + ltype: Linked To +- document: + description: '"Rewrite the background program using proper deletion of bad character + strings. This will require a recompile of the background executable."' + doctype: Tool + name: 'ZAP Alert: "Format String Error"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Force format strings as constants 
diff --git a/cres/Force_output_encoding_for_specific_interpreters_context.yaml b/cres/Force_output_encoding_for_specific_interpreters_context.yaml new file mode 100644 index 000000000..604593b2c --- /dev/null +++ b/cres/Force_output_encoding_for_specific_interpreters_context.yaml 
@@ -0,0 +1,126 @@ +doctype: CRE +id: 620-101 +links: +- document: + doctype: CRE + id: 161-451 + name: Output encoding and injection prevention + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.3.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c4-encode-escape-data.html + name: OPC + section: C4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/116.html + name: CWE + section: '116' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/6-Appendix/D-Encoded_Injection.html + name: WSTG + section: WSTG-APPE-D + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Cross Site Scripting Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: DOM based XSS Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html + name: Cheat_sheets + section: HTML5 Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.html + name: Cheat_sheets + section: Injection Prevention in Java Cheat Sheet 
+ ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html + name: Cheat_sheets + section: Input Validation Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: LDAP Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html + name: Cheat_sheets + section: OS Command Injection Defense Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html + name: Cheat_sheets + section: File Upload Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html + name: Cheat_sheets + section: Query Parameterization Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: SQL Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html + name: Cheat_sheets + section: Unvalidated Redirects and Forwards Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Bean_Validation_Cheat_Sheet.html + name: Cheat_sheets + section: Bean Validation Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: XML External Entity Prevention Cheat Sheet + ltype: 
Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html + name: Cheat_sheets + section: XML Security Cheat Sheet + ltype: Linked To +name: Force output encoding for specific interpreter's context diff --git a/cres/Force_pipeline_to_check_outdated-insecure_components.yaml b/cres/Force_pipeline_to_check_outdated-insecure_components.yaml new file mode 100644 index 000000000..21fcbea62 --- /dev/null +++ b/cres/Force_pipeline_to_check_outdated-insecure_components.yaml @@ -0,0 +1,26 @@ +doctype: CRE +id: 053-751 +links: +- document: + doctype: CRE + id: 613-286 + name: Dependency management + ltype: Contains +- document: + doctype: CRE + id: 433-442 + name: Development verification + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.14.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/1104.html + name: CWE + section: '1104' + ltype: Linked To +name: Force pipeline to check outdated/insecure components diff --git a/cres/Force_uniform_encoders_and_parsers_throughout_system.yaml b/cres/Force_uniform_encoders_and_parsers_throughout_system.yaml new file mode 100644 index 000000000..3af813a00 --- /dev/null +++ b/cres/Force_uniform_encoders_and_parsers_throughout_system.yaml 
@@ -0,0 +1,40 @@ +doctype: CRE +id: 061-186 +links: +- document: + doctype: CRE + id: 118-110 + name: API/web services + ltype: Contains +- document: + doctype: CRE + id: 028-727 + name: SSRF + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x21-V13-API.md + name: ASVS + section: V13.1.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/116.html + name: CWE + section: '116' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet.html + name: Cheat_sheets + section: Web Service Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Server Side Request Forgery Prevention Cheat Sheet + ltype: Linked To +name: Force uniform encoders and parsers throughout system +tags: +- SSRF diff --git a/cres/Generate_a_new_session_token_after_authentication.yaml b/cres/Generate_a_new_session_token_after_authentication.yaml new file mode 100644 index 000000000..7e8fa84d1 --- /dev/null +++ b/cres/Generate_a_new_session_token_after_authentication.yaml 
@@ -0,0 +1,56 @@
+doctype: CRE
+id: 002-630
+links:
+- document:
+ doctype: CRE
+ id: 470-731
+ name: Session token generation
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md
+ name: ASVS
+ section: V3.2.1
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html
+ name: OPC
+ section: C6
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/384.html
+ name: CWE
+ section: '384'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST 800-53 v5
+ section: SC-23(3)
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/03-Testing_for_Session_Fixation.html
+ name: WSTG
+ section: WSTG-SESS-03
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Session Management Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST 800-63
+ section: '7.1'
+ ltype: Linked To
+- document:
+ doctype: Tool
+ name: 'ZAP Alert: "Session Fixation"'
+ tags:
+ - '"Active"'
+ tooltype: Offensive
+ ltype: SAME
+name: Generate a new session token after authentication
diff --git a/cres/Generate_initial_passwords_with_sufficient_secure_random,_short_expiration_time_and_do_not_allow_to_reuse_the_initial_password..yaml b/cres/Generate_initial_passwords_with_sufficient_secure_random,_short_expiration_time_and_do_not_allow_to_reuse_the_initial_password..yaml
new file mode 100644
index 000000000..9b2786623
--- /dev/null
+++ b/cres/Generate_initial_passwords_with_sufficient_secure_random,_short_expiration_time_and_do_not_allow_to_reuse_the_initial_password..yaml
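Review bot: The ZAP entry at the end of Generate_a_new_session_token_after_authentication.yaml stores its tag as `- '"Active"'`, so the value carries literal double quotes and a lookup for the tag `Active` will presumably not match it; `- Active` is the likely intent. The same quoting is on every ZAP `Tool` entry added in Identify_sensitive_data_and_subject_it_to_a_policy.yaml, the remote-file-context (RFI) file and Ignore-block_execution_logic_from_untrusted_sources.yaml, which suggests the quotes come from the alert import rather than from hand edits (the parser is not visible in this part of the patch). This entry also has no `description` or `hyperlink`, so a reader going from the CRE to the scanner finding gets no remediation text or reference.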
@@ -0,0 +1,34 @@ +doctype: CRE +id: 622-835 +links: +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.3.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/330.html + name: CWE + section: '330' + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.1.2 + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: A.3 + ltype: Linked To +name: Generate initial passwords with sufficient secure random, short expiration time + and do not allow to reuse the initial password. diff --git a/cres/Generate_lookup_secrets_with_sufficient_entropy.yaml b/cres/Generate_lookup_secrets_with_sufficient_entropy.yaml new file mode 100644 index 000000000..e0b16e39f --- /dev/null +++ b/cres/Generate_lookup_secrets_with_sufficient_entropy.yaml @@ -0,0 +1,28 @@ +doctype: CRE +id: 346-640 +links: +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.6.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/330.html + name: CWE + section: '330' + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.2.2 + ltype: Linked To +name: Generate lookup secrets with sufficient entropy diff --git a/cres/Guidelines.yaml b/cres/Guidelines.yaml index 87c537e94..b4aed95ca 100644 --- a/cres/Guidelines.yaml +++ b/cres/Guidelines.yaml 
@@ -7,33 +7,27 @@ links: name: Deployment tags: - Configuration - type: Contains + ltype: Contains - document: doctype: CRE name: Secure Development - type: Contains + ltype: Contains - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-42 name: NIST 800-53 v5 section: SC-42 Sensor Capability and Data - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-43 name: NIST 800-53 v5 section: SC-43 Usage Restrictions - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-18 name: NIST 800-53 v5 section: SC-18 Mobile Code - subsection: '' - version: '' - type: Linked To + ltype: Linked To name: Guidelines diff --git a/cres/HTTP_security_headers.yaml b/cres/HTTP_security_headers.yaml new file mode 100644 index 000000000..e4a361c7d --- /dev/null +++ b/cres/HTTP_security_headers.yaml 
@@ -0,0 +1,48 @@ +doctype: CRE +id: 636-347 +links: +- document: + doctype: CRE + id: 783-355 + name: Deployment + tags: + - Configuration + ltype: Contains +- document: + doctype: CRE + id: 736-237 + name: Set metadata/content-Disposition for API responses + ltype: Contains +- document: + doctype: CRE + id: 257-668 + name: Configure CSP configuration properly + tags: + - XSS + ltype: Contains +- document: + doctype: CRE + id: 036-147 + name: Configure HSTS configuration properly + ltype: Contains +- document: + doctype: CRE + id: 268-100 + name: Configure Referrer-Policy properly + ltype: Contains +- document: + doctype: CRE + id: 065-388 + name: Configure X-Content-Type-Options properly + ltype: Contains +- document: + doctype: CRE + id: 480-071 + name: Prevent Click jacking through X-Frame-Options or CSP + ltype: Contains +- document: + doctype: CRE + id: 036-725 + name: Set content HTTP response type + ltype: Contains +name: HTTP security headers diff --git a/cres/Harden_application_by_excluding_unwanted_functionality.yaml b/cres/Harden_application_by_excluding_unwanted_functionality.yaml new file mode 100644 index 000000000..8b26e7156 --- /dev/null +++ b/cres/Harden_application_by_excluding_unwanted_functionality.yaml @@ -0,0 +1,28 @@ +doctype: CRE +id: 154-031 +links: +- document: + doctype: CRE + id: 613-285 + name: '>>Dependency strength' + ltype: Contains +- document: + doctype: CRE + id: 486-813 + name: Configuration + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x18-V10-Malicious.md + name: ASVS + section: V10.2.6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/507.html + name: CWE + section: '507' + ltype: Linked To +name: Harden application by excluding unwanted functionality +tags: +- Configuration diff --git a/cres/Http_headers.yaml b/cres/Http_headers.yaml new file mode 100644 index 000000000..1a1b1195e --- /dev/null 
+++ b/cres/Http_headers.yaml
@@ -0,0 +1,8 @@
+doctype: CRE
+links:
+- document:
+ doctype: CRE
+ id: 473-758
+ name: Set sufficient anti-caching headers
+ ltype: Related
+name: Http headers
diff --git a/cres/Identify_sensitive_data_and_subject_it_to_a_policy.yaml b/cres/Identify_sensitive_data_and_subject_it_to_a_policy.yaml
new file mode 100644
index 000000000..e64a1db27
--- /dev/null
+++ b/cres/Identify_sensitive_data_and_subject_it_to_a_policy.yaml
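Review bot: Http_headers.yaml is added without an `id:` line, unlike the other new CRE files in this part of the patch, so other documents cannot reference it the way this file references `id: 473-758`. Its name is also very close to `HTTP security headers` (`id: 636-347`), added a few hunks earlier, whose link list does not include the anti-caching CRE. This may be a leftover node that should either get its own id or be merged into 636-347 with the `Set sufficient anti-caching headers` link moved there.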
@@ -0,0 +1,194 @@ +doctype: CRE +id: 227-045 +links: +- document: + doctype: CRE + name: '>>Documentation and requirements' + ltype: Contains +- document: + doctype: CRE + id: 028-728 + name: Personal data handling + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x16-V8-Data-Protection.md + name: ASVS + section: V8.3.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c8-protect-data-everywhere.html + name: OPC + section: C8 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/200.html + name: CWE + section: '200' + ltype: Linked To +- document: + description: '"Review the source code of this page. Implement custom error pages. + Consider implementing a mechanism to provide a unique error reference/identifier + to the client (browser) while logging the details on the server side and not + exposing them to the user."' + doctype: Tool + name: 'ZAP Alert: "Application Error Disclosure"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Do not divulge details of whether a username is valid or invalid. 
+ In particular, for unsuccessful login attempts, do not differentiate between + an invalid user and an invalid password in the error message, page title, page + contents, HTTP headers, or redirection logic."' + doctype: Tool + name: 'ZAP Alert: "Possible Username Enumeration"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Limit access to Symfony''s Profiler, either via authentication/authorization + or limiting inclusion of the header to specific clients (by IP, etc.)."' + doctype: Tool + name: 'ZAP Alert: "X-Debug-Token Information Leak"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Remove all comments that return information that may help an attacker + and fix any underlying problems they refer to."' + doctype: Tool + name: 'ZAP Alert: "Information Disclosure - Suspicious Comments in XML via WebSocket"' + tags: + - '"WebSocket Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Remove all comments that return information that may help an attacker + and fix any underlying problems they refer to."' + doctype: Tool + name: 'ZAP Alert: "Information Disclosure - Suspicious Comments"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Do not pass sensitive information in URIs."' + doctype: Tool + name: 'ZAP Alert: "Information Disclosure - Sensitive Information in HTTP Referrer + Header"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Disable debugging messages before pushing to production."' + doctype: Tool + name: 'ZAP Alert: "Information Disclosure - Debug Error Messages via WebSocket"' + tags: + - '"WebSocket Passive"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "Proxy Disclosure"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "Cookie Slack Detector"' + tags: + - 
'"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Disable debugging messages before pushing to production."' + doctype: Tool + name: 'ZAP Alert: "Information Disclosure - Debug Error Messages"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Before allowing images to be stored on the server and/or transmitted + to the browser, strip out the embedded location information from image. This + could mean removing all Exif data or just the GPS component. Other data, like + serial numbers, should also be removed."' + doctype: Tool + name: 'ZAP Alert: "Image Exposes Location or Privacy Data"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Do not pass sensitive information in URIs."' + doctype: Tool + name: 'ZAP Alert: "Information Disclosure - Sensitive Information in URL"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"TBA"' + doctype: Tool + name: 'ZAP Alert: "Insecure HTTP Method"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Remove emails that are not public."' + doctype: Tool + name: 'ZAP Alert: "Email address found in WebSocket message"' + tags: + - '"WebSocket Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"For secure content, put session ID in a cookie. To be even more + secure consider using a combination of cookie and URL rewrite."' + doctype: Tool + name: 'ZAP Alert: "Session ID in URL Rewrite"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Remove the private IP address from the HTTP response body. 
For + comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can + be seen by client browsers."' + doctype: Tool + name: 'ZAP Alert: "Private IP Disclosure"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Ensure that your web server, application server, load balancer, + etc. is configured to suppress ''X-Powered-By'' headers."' + doctype: Tool + name: 'ZAP Alert: "Server Leaks Information via ''X-Powered-By'' HTTP Response + Header Field(s)"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Manually confirm that the timestamp data is not sensitive, and + that the data cannot be aggregated to disclose exploitable patterns."' + doctype: Tool + name: 'ZAP Alert: "Timestamp Disclosure"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +name: Identify sensitive data and subject it to a policy +tags: +- Personal data handling diff --git a/cres/Ignore-at_least_validate__filename_metadata_from_untrusted_origin_(local_file_context,_eg_LFI).yaml b/cres/Ignore-at_least_validate__filename_metadata_from_untrusted_origin_(local_file_context,_eg_LFI).yaml new file mode 100644 index 000000000..88201fc8a --- /dev/null +++ b/cres/Ignore-at_least_validate__filename_metadata_from_untrusted_origin_(local_file_context,_eg_LFI).yaml 
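Review bot: All eighteen ZAP alerts in Identify_sensitive_data_and_subject_it_to_a_policy.yaml are attached with `ltype: SAME`, which reads as equivalence with the CRE, yet entries such as `Insecure HTTP Method`, `Session ID in URL Rewrite` and `Cookie Slack Detector` describe findings quite different from identifying sensitive data and applying a policy. This looks like a grouping through the shared CWE `'200'` link; if so, `ltype: Related` (already used elsewhere in this patch) would state the relationship more accurately, assuming the schema accepts it for `Tool` documents. Separately, `description: '"TBA"'` on `Insecure HTTP Method` is a placeholder, `Proxy Disclosure` and `Cookie Slack Detector` have no description at all, and the first link (`'>>Documentation and requirements'`) has no `id`.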
@@ -0,0 +1,28 @@ +doctype: CRE +id: 737-086 +links: +- document: + doctype: CRE + id: 451-082 + name: File execution + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x20-V12-Files-Resources.md + name: ASVS + section: V12.3.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/73.html + name: CWE + section: '73' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.html + name: WSTG + section: WSTG-ATHZ-01 + ltype: Linked To +name: Ignore/at least validate filename metadata from untrusted origin (local file + context, eg LFI) diff --git a/cres/Ignore-at_least_validate__filename_metadata_from_untrusted_origin_(remote_file_context,_eg_RFI).yaml b/cres/Ignore-at_least_validate__filename_metadata_from_untrusted_origin_(remote_file_context,_eg_RFI).yaml new file mode 100644 index 000000000..f5d940c32 --- /dev/null +++ b/cres/Ignore-at_least_validate__filename_metadata_from_untrusted_origin_(remote_file_context,_eg_RFI).yaml 
@@ -0,0 +1,42 @@ +doctype: CRE +id: 742-056 +links: +- document: + doctype: CRE + id: 451-082 + name: File execution + ltype: Contains +- document: + doctype: CRE + id: 028-727 + name: SSRF + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x20-V12-Files-Resources.md + name: ASVS + section: V12.3.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/98.html + name: CWE + section: '98' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.html + name: WSTG + section: WSTG-ATHZ-01 + ltype: Linked To +- document: + doctype: Tool + name: 'ZAP Alert: "Remote File Inclusion"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Ignore/at least validate filename metadata from untrusted origin (remote file + context, eg RFI) +tags: +- SSRF diff --git a/cres/Ignore-at_least_validate_filenames_from_untrusted_origin_(against_RFD).yaml b/cres/Ignore-at_least_validate_filenames_from_untrusted_origin_(against_RFD).yaml new file mode 100644 index 000000000..9c2c4d4ef --- /dev/null +++ b/cres/Ignore-at_least_validate_filenames_from_untrusted_origin_(against_RFD).yaml @@ -0,0 +1,21 @@ +doctype: CRE +id: 421-513 +links: +- document: + doctype: CRE + id: 451-082 + name: File execution + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x20-V12-Files-Resources.md + name: ASVS + section: V12.3.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/641.html + name: CWE + section: '641' + ltype: Linked To +name: Ignore/at least validate filenames from untrusted origin (against RFD) 
diff --git a/cres/Ignore-block_execution_logic_from_untrusted_sources.yaml b/cres/Ignore-block_execution_logic_from_untrusted_sources.yaml new file mode 100644 index 000000000..0a178cdcc --- /dev/null +++ b/cres/Ignore-block_execution_logic_from_untrusted_sources.yaml @@ -0,0 +1,30 @@ +doctype: CRE +id: 777-470 +links: +- document: + doctype: CRE + id: 451-082 + name: File execution + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x20-V12-Files-Resources.md + name: ASVS + section: V12.3.6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/829.html + name: CWE + section: '829' + ltype: Linked To +- document: + description: '"Ensure JavaScript source files are loaded from only trusted sources, + and the sources can''t be controlled by end users of the application."' + doctype: Tool + name: 'ZAP Alert: "Cross-Domain JavaScript Source File Inclusion"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +name: Ignore/block execution logic from untrusted sources diff --git a/cres/Implement_business_logic_limits_against_identified_business_risks.yaml b/cres/Implement_business_logic_limits_against_identified_business_risks.yaml new file mode 100644 index 000000000..9cc54fbbd --- /dev/null +++ b/cres/Implement_business_logic_limits_against_identified_business_risks.yaml 
@@ -0,0 +1,35 @@
+doctype: CRE
+id: 660-867
+links:
+- document:
+ doctype: CRE
+ id: 854-643
+ name: '>>Business logic'
+ tags:
+ - DOS
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x19-V11-BusLogic.md
+ name: ASVS
+ section: V11.1.5
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/841.html
+ name: CWE
+ section: '841'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html
+ name: WSTG
+ section: WSTG-BUSL-$$
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Abuse Case Cheat Sheet
+ ltype: Linked To
+name: Implement business logic limits against identified business risks
diff --git a/cres/Inform_users_clearly_about_the_collection_and_use_of_personal_data,__and_use_it_only_after_opt-in_consent..yaml b/cres/Inform_users_clearly_about_the_collection_and_use_of_personal_data,__and_use_it_only_after_opt-in_consent..yaml
new file mode 100644
index 000000000..7d78811f2
--- /dev/null
+++ b/cres/Inform_users_clearly_about_the_collection_and_use_of_personal_data,__and_use_it_only_after_opt-in_consent..yaml
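Review bot: `section: WSTG-BUSL-$$` in the WSTG link of Implement_business_logic_limits_against_identified_business_risks.yaml looks like an unexpanded placeholder rather than a test id. The hyperlink points at the chapter README, so the section should name the chapter, e.g. `section: WSTG-BUSL`, or the specific test that covers ASVS V11.1.5. The same value is added in Limit-authorize_users_access_to_functionality.yaml. As written, anyone matching test results to CREs by WSTG id will not find these two controls.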
@@ -0,0 +1,31 @@ +doctype: CRE +id: 082-327 +links: +- document: + doctype: CRE + id: 854-643 + name: '>>Business logic' + tags: + - DOS + ltype: Contains +- document: + doctype: CRE + id: 028-728 + name: Personal data handling + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x16-V8-Data-Protection.md + name: ASVS + section: V8.3.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/285.html + name: CWE + section: '285' + ltype: Linked To +name: Inform users clearly about the collection and use of personal data, and use + it only after opt-in consent. +tags: +- Personal data handling diff --git a/cres/Inform_users_for_authentication_renewal.yaml b/cres/Inform_users_for_authentication_renewal.yaml new file mode 100644 index 000000000..5cb87200d --- /dev/null +++ b/cres/Inform_users_for_authentication_renewal.yaml @@ -0,0 +1,26 @@ +doctype: CRE +id: 138-448 +links: +- document: + doctype: CRE + id: 586-842 + name: '>>Secure user management' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.3.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/287.html + name: CWE + section: '287' + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 6.1.4 + ltype: Linked To +name: Inform users for authentication renewal diff --git a/cres/Injection.yaml b/cres/Injection.yaml index 69482e0b0..c58c269df 100644 --- a/cres/Injection.yaml +++ b/cres/Injection.yaml 
@@ -6,80 +6,80 @@ links: id: 764-765 name: Sanitization and sandboxing tags: - - XSS - Injection - type: Related + - XSS + ltype: Related - document: doctype: CRE id: 010-308 name: Input validation tags: - - XSS - Injection - type: Related + - XSS + ltype: Related - document: doctype: CRE id: 760-765 name: XSS - type: Related + ltype: Related - document: doctype: CRE id: 384-344 name: Store and serve user-uploaded files such that they cannot execute/damage server or client tags: - - XSS - Injection - type: Related + - XSS + ltype: Related - document: doctype: CRE id: 866-553 name: Memory, String, and Unmanaged Code tags: - Injection - type: Related + ltype: Related - document: doctype: CRE id: 161-451 name: Output encoding and injection prevention tags: - - XSS - Injection - type: Related + - XSS + ltype: Related - document: doctype: CRE id: 541-441 name: Validate HTTP request headers tags: - Injection - type: Related + ltype: Related - document: doctype: CRE id: 764-507 name: Restrict XML parsing (against XXE) tags: - - Configuration - Injection - type: Related + - Configuration + ltype: Related - document: doctype: CRE id: 821-540 name: Protect logs against log injection tags: - Injection - type: Related + ltype: Related - document: doctype: CRE id: 048-612 name: Encode user input before logging tags: - Injection - type: Related + ltype: Related - document: doctype: CRE id: 546-564 name: '>>Tags' - type: Contains + ltype: Contains name: Injection tags: - XSS diff --git a/cres/Input_validation.yaml b/cres/Input_validation.yaml new file mode 100644 index 000000000..821140f25 --- /dev/null +++ b/cres/Input_validation.yaml 
@@ -0,0 +1,68 @@ +doctype: CRE +id: 010-308 +links: +- document: + doctype: CRE + id: 503-455 + name: '>>Input and output verification' + ltype: Contains +- document: + doctype: CRE + id: 146-706 + name: Enforce JSON schema before processing + ltype: Contains +- document: + doctype: CRE + id: 760-765 + name: XSS + ltype: Related +- document: + doctype: CRE + id: 760-764 + name: Injection + tags: + - XSS + ltype: Related +- document: + doctype: CRE + id: 176-154 + name: Monitor expectation of usage intensity (e.g. number of requests) + tags: + - DOS + ltype: Contains +- document: + doctype: CRE + id: 031-447 + name: Whitelist all external (HTTP) input + ltype: Contains +- document: + doctype: CRE + id: 743-237 + name: Validatie/enforce HTTP inputs (against HTTP parameter pollution attacks) + ltype: Contains +- document: + doctype: CRE + id: 848-711 + name: Enforce input validation on a trusted service layer + tags: + - Architecture + ltype: Contains +- document: + doctype: CRE + id: 042-550 + name: Protect against mass parameter assignment attack + ltype: Contains +- document: + doctype: CRE + id: 653-242 + name: Enforce schema on type/contents of structured data + ltype: Contains +- document: + doctype: CRE + id: 232-217 + name: Whitelist redirected/forwarded URLs + ltype: Contains +name: Input validation +tags: +- Injection +- XSS diff --git a/cres/Let_application_request_minimal_permissions.yaml b/cres/Let_application_request_minimal_permissions.yaml new file mode 100644 index 000000000..a0a4f53c2 --- /dev/null +++ b/cres/Let_application_request_minimal_permissions.yaml 
@@ -0,0 +1,28 @@ +doctype: CRE +id: 540-566 +links: +- document: + doctype: CRE + id: 724-770 + name: '>>Authorized access' + ltype: Contains +- document: + doctype: CRE + id: 028-728 + name: Personal data handling + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x18-V10-Malicious.md + name: ASVS + section: V10.2.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/272.html + name: CWE + section: '272' + ltype: Linked To +name: Let application request minimal permissions +tags: +- Personal data handling diff --git a/cres/Let_cryptographic_modules_fail_securely.yaml b/cres/Let_cryptographic_modules_fail_securely.yaml new file mode 100644 index 000000000..ae463f5dd --- /dev/null +++ b/cres/Let_cryptographic_modules_fail_securely.yaml 
@@ -0,0 +1,46 @@ +doctype: CRE +id: 036-810 +links: +- document: + doctype: CRE + id: 742-432 + name: Encryption algorithms + tags: + - Cryptography + ltype: Contains +- document: + doctype: CRE + id: 141-555 + name: Fail securely + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x14-V6-Cryptography.md + name: ASVS + section: V6.2.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/310.html + name: CWE + section: '310' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/02-Testing_for_Padding_Oracle.html + name: WSTG + section: WSTG-CRYP-02 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html + name: Cheat_sheets + section: Cryptographic Storage Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Key Management Cheat Sheet + ltype: Linked To +name: Let cryptographic modules fail securely diff --git a/cres/Limit-authorize_users_access_to_functionality.yaml b/cres/Limit-authorize_users_access_to_functionality.yaml new file mode 100644 index 000000000..4ce109b15 --- /dev/null +++ b/cres/Limit-authorize_users_access_to_functionality.yaml 
@@ -0,0 +1,40 @@ +doctype: CRE +id: 746-705 +links: +- document: + doctype: CRE + id: 854-643 + name: '>>Business logic' + tags: + - DOS + ltype: Contains +- document: + doctype: CRE + id: 724-770 + name: '>>Authorized access' + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x19-V11-BusLogic.md + name: ASVS + section: V11.1.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/770.html + name: CWE + section: '770' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html + name: WSTG + section: WSTG-BUSL-$$ + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html + name: Cheat_sheets + section: Abuse Case Cheat Sheet + ltype: Linked To +name: Limit/authorize user's access to functionality diff --git a/cres/Limit_REST_HTTP_methods.yaml b/cres/Limit_REST_HTTP_methods.yaml new file mode 100644 index 000000000..0d76ff80a --- /dev/null +++ b/cres/Limit_REST_HTTP_methods.yaml 
@@ -0,0 +1,45 @@ +doctype: CRE +id: 532-878 +links: +- document: + doctype: CRE + id: 118-110 + name: API/web services + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x21-V13-API.md + name: ASVS + section: V13.2.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/650.html + name: CWE + section: '650' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/03-Testing_for_HTTP_Verb_Tampering.html + name: WSTG + section: WSTG-INPV-03 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html + name: Cheat_sheets + section: REST Assessment Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html + name: Cheat_sheets + section: REST Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Cross-Site Request Forgery Prevention Cheat Sheet + ltype: Linked To +name: Limit REST HTTP methods diff --git a/cres/Limit_access_to_admin-management_functionality.yaml b/cres/Limit_access_to_admin-management_functionality.yaml new file mode 100644 index 000000000..b881498c1 --- /dev/null +++ b/cres/Limit_access_to_admin-management_functionality.yaml 
@@ -0,0 +1,44 @@ +doctype: CRE +id: 152-725 +links: +- document: + doctype: CRE + id: 724-770 + name: '>>Authorized access' + ltype: Contains +- document: + doctype: CRE + id: 118-110 + name: API/web services + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x21-V13-API.md + name: ASVS + section: V13.1.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/419.html + name: CWE + section: '419' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.html + name: WSTG + section: WSTG-ATHZ-02 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet.html + name: Cheat_sheets + section: Web Service Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Server Side Request Forgery Prevention Cheat Sheet + ltype: Linked To +name: Limit access to admin/management functionality diff --git a/cres/Limit_modification_of_access_controls_to_specifically_authorized_actors-users.yaml b/cres/Limit_modification_of_access_controls_to_specifically_authorized_actors-users.yaml new file mode 100644 index 000000000..cc1363643 --- /dev/null +++ b/cres/Limit_modification_of_access_controls_to_specifically_authorized_actors-users.yaml 
@@ -0,0 +1,39 @@ +doctype: CRE +id: 524-603 +links: +- document: + doctype: CRE + id: 724-770 + name: '>>Authorized access' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V4-Access-Control.md + name: ASVS + section: V4.1.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/639.html + name: CWE + section: '639' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.html + name: WSTG + section: WSTG-ATHZ-02 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html + name: Cheat_sheets + section: Access Control Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Testing_Automation_Cheat_Sheet.html + name: Cheat_sheets + section: Authorization Testing Automation Cheat Sheet + ltype: Linked To +name: Limit modification of access controls to specifically authorized actors/users diff --git a/cres/Limit_query_impact_GraphQL-data_layer_expression_DoS.yaml b/cres/Limit_query_impact_GraphQL-data_layer_expression_DoS.yaml new file mode 100644 index 000000000..140d6852a --- /dev/null +++ b/cres/Limit_query_impact_GraphQL-data_layer_expression_DoS.yaml 
@@ -0,0 +1,31 @@ +doctype: CRE +id: 268-088 +links: +- document: + doctype: CRE + id: 764-765 + name: Sanitization and sandboxing + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: CRE + id: 623-550 + name: DOS + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x21-V13-API.md + name: ASVS + section: V13.4.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/770.html + name: CWE + section: '770' + ltype: Linked To +name: Limit query impact GraphQL/data layer expression DoS +tags: +- DOS diff --git a/cres/Limit_size_and_number_of_uploaded_files.yaml b/cres/Limit_size_and_number_of_uploaded_files.yaml new file mode 100644 index 000000000..5d77972fc --- /dev/null +++ b/cres/Limit_size_and_number_of_uploaded_files.yaml @@ -0,0 +1,34 @@ +doctype: CRE +id: 463-820 +links: +- document: + doctype: CRE + id: 621-287 + name: File upload + ltype: Contains +- document: + doctype: CRE + id: 623-550 + name: DOS + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x20-V12-Files-Resources.md + name: ASVS + section: V12.1.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/770.html + name: CWE + section: '770' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html + name: Cheat_sheets + section: File Upload Cheat Sheet + ltype: Linked To +name: Limit size and number of uploaded files +tags: +- DOS diff --git a/cres/Lock-precompile_queries_(parameterization)_to_avoid_injection_attacks.yaml b/cres/Lock-precompile_queries_(parameterization)_to_avoid_injection_attacks.yaml new file mode 100644 index 000000000..e49bae057 --- /dev/null +++ b/cres/Lock-precompile_queries_(parameterization)_to_avoid_injection_attacks.yaml 
@@ -0,0 +1,182 @@ +doctype: CRE +id: 732-873 +links: +- document: + doctype: CRE + id: 161-451 + name: Output encoding and injection prevention + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.3.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c3-secure-database-access.html + name: OPC + section: C3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/89.html + name: CWE + section: '89' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection.html + name: WSTG + section: WSTG-INPV-05 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Cross Site Scripting Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: DOM based XSS Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html + name: Cheat_sheets + section: HTML5 Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.html + name: 
Cheat_sheets + section: Injection Prevention in Java Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html + name: Cheat_sheets + section: Input Validation Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: LDAP Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html + name: Cheat_sheets + section: OS Command Injection Defense Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html + name: Cheat_sheets + section: File Upload Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html + name: Cheat_sheets + section: Query Parameterization Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: SQL Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html + name: Cheat_sheets + section: Unvalidated Redirects and Forwards Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Bean_Validation_Cheat_Sheet.html + name: Cheat_sheets + section: Bean Validation Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html + name: Cheat_sheets + 
section: XML External Entity Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html + name: Cheat_sheets + section: XML Security Cheat Sheet + ltype: Linked To +- document: + doctype: Tool + name: 'ZAP Alert: "SQL Injection - Oracle"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "Advanced SQL Injection"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "SQL Injection - Hypersonic SQL"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "SQL Injection - MsSQL"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "SQL Injection - MySQL"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "SQL Injection - PostgreSQL"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "SQL Injection"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "SQL Injection - SQLite"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Lock/precompile queries (parameterization) to avoid injection attacks diff --git a/cres/Log_TLS_connection_failures.yaml b/cres/Log_TLS_connection_failures.yaml new file mode 100644 index 000000000..4323cb059 --- /dev/null +++ b/cres/Log_TLS_connection_failures.yaml 
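Review bot: In cres/Lock-precompile_queries_(parameterization)_to_avoid_injection_attacks.yaml the eight ZAP `Tool` entries carry the tag `- '"Active"'`, so the stored tag value includes the literal double quotes, and the alert names embed quotes the same way (`'ZAP Alert: "SQL Injection - Oracle"'`). This looks like the alert parser keeping the quoting of its input verbatim (inferred; the parser is not part of this hunk), and a consumer filtering on the tag `Active` would not match these entries. Stripping the surrounding quotes before export would give `- Active`. The same entries have no `hyperlink`, unlike the `Standard` links above them, so a reader cannot get from the CRE to the alert's description and remediation text.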
@@ -0,0 +1,34 @@ +doctype: CRE +id: 668-364 +links: +- document: + doctype: CRE + id: 228-551 + name: TLS + tags: + - Cryptoghraphy + ltype: Contains +- document: + doctype: CRE + id: 842-876 + name: '>>Logging and error handling' + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x17-V9-Communications.md + name: ASVS + section: V9.2.5 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/544.html + name: CWE + section: '544' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-28 + name: NIST 800-53 v5 + section: SC-28 PROTECTION OF INFORMATION AT REST + ltype: Linked To +name: Log TLS connection failures diff --git a/cres/Log_access_control_decisions.yaml b/cres/Log_access_control_decisions.yaml new file mode 100644 index 000000000..5a4aca5b7 --- /dev/null +++ b/cres/Log_access_control_decisions.yaml @@ -0,0 +1,27 @@ +doctype: CRE +id: 443-447 +links: +- document: + doctype: CRE + id: 402-706 + name: Log relevant + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x15-V7-Error-Logging.md + name: ASVS + section: V7.2.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/285.html + name: CWE + section: '285' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html + name: Cheat_sheets + section: Logging Cheat Sheet + ltype: Linked To +name: Log access control decisions diff --git a/cres/Log_access_protection.yaml b/cres/Log_access_protection.yaml new file mode 100644 index 000000000..df8806974 --- /dev/null +++ b/cres/Log_access_protection.yaml 
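Review bot: The `TLS` link in cres/Log_TLS_connection_failures.yaml is tagged `Cryptoghraphy`, while other files in this patch spell the tag `Cryptography` (for example the `MFA/OTP` link); a tag lookup on the correct spelling will miss this entry, so the line should read `- Cryptography`. The same file links this logging requirement to NIST 800-53 `SC-28 PROTECTION OF INFORMATION AT REST`, which does not obviously relate to logging TLS connection failures and is worth checking against the source mapping before it is published.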
@@ -0,0 +1,8 @@ +doctype: CRE +links: +- document: + doctype: CRE + id: 713-683 + name: Protect logs against unauthorized access + ltype: Contains +name: Log access protection diff --git a/cres/Log_access_to_sensitive_data.yaml b/cres/Log_access_to_sensitive_data.yaml new file mode 100644 index 000000000..8fa375290 --- /dev/null +++ b/cres/Log_access_to_sensitive_data.yaml @@ -0,0 +1,26 @@ +doctype: CRE +id: 015-063 +links: +- document: + doctype: CRE + id: 402-706 + name: Log relevant + ltype: Contains +- document: + doctype: CRE + id: 843-841 + name: Log discretely + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x16-V8-Data-Protection.md + name: ASVS + section: V8.3.5 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/532.html + name: CWE + section: '532' + ltype: Linked To +name: Log access to sensitive data diff --git a/cres/Log_all_security_relevant_events.yaml b/cres/Log_all_security_relevant_events.yaml new file mode 100644 index 000000000..9e1f91f28 --- /dev/null +++ b/cres/Log_all_security_relevant_events.yaml @@ -0,0 +1,32 @@ +doctype: CRE +id: 184-284 +links: +- document: + doctype: CRE + id: 402-706 + name: Log relevant + ltype: Contains +- document: + doctype: CRE + id: 836-068 + name: Deserialization Prevention + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x15-V7-Error-Logging.md + name: ASVS + section: V7.1.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/778.html + name: CWE + section: '778' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html + name: Cheat_sheets + section: Logging Cheat Sheet + ltype: Linked To +name: Log all security relevant events 
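Review bot: cres/Log_access_protection.yaml has no `id:` key, while the other CRE documents in this patch carry one (for example `id: 015-063` in cres/Log_access_to_sensitive_data.yaml); cres/Log_injection_protection.yaml and cres/Log_time_synchronization.yaml are in the same state. If links are resolved by id, as the `id` field inside the `document:` entries suggests, these three CREs cannot be referenced from other files. Either assign ids at export time or have the import step reject CRE documents without an id, so the gap shows up as an error instead of a silently unlinkable node.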
diff --git a/cres/Log_and_reject_re-use_of_valid_time-based_OTP_tokens_and_notify_device_holder..yaml b/cres/Log_and_reject_re-use_of_valid_time-based_OTP_tokens_and_notify_device_holder..yaml new file mode 100644 index 000000000..aa77528f6 --- /dev/null +++ b/cres/Log_and_reject_re-use_of_valid_time-based_OTP_tokens_and_notify_device_holder..yaml @@ -0,0 +1,28 @@ +doctype: CRE +id: 646-227 +links: +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.8.5 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/287.html + name: CWE + section: '287' + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.5.2 + ltype: Linked To +name: Log and reject re-use of valid time-based OTP tokens and notify device holder. diff --git a/cres/Log_authentication_decisions_without_exposing_sensitive_data.yaml b/cres/Log_authentication_decisions_without_exposing_sensitive_data.yaml new file mode 100644 index 000000000..7415666a7 --- /dev/null +++ b/cres/Log_authentication_decisions_without_exposing_sensitive_data.yaml @@ -0,0 +1,27 @@ +doctype: CRE +id: 841-710 +links: +- document: + doctype: CRE + id: 402-706 + name: Log relevant + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x15-V7-Error-Logging.md + name: ASVS + section: V7.2.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/778.html + name: CWE + section: '778' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html + name: Cheat_sheets + section: Logging Cheat Sheet + ltype: Linked To +name: Log authentication decisions without exposing sensitive data 
diff --git a/cres/Log_discretely.yaml b/cres/Log_discretely.yaml new file mode 100644 index 000000000..0171c3e6e --- /dev/null +++ b/cres/Log_discretely.yaml @@ -0,0 +1,29 @@ +doctype: CRE +id: 843-841 +links: +- document: + doctype: CRE + id: 842-876 + name: '>>Logging and error handling' + ltype: Contains +- document: + doctype: CRE + id: 240-274 + name: Log only non-sensitive data + ltype: Contains +- document: + doctype: CRE + id: 067-050 + name: Do not log credentials or payment details + ltype: Contains +- document: + doctype: CRE + id: 743-110 + name: Do not disclose technical information in error message + ltype: Related +- document: + doctype: CRE + id: 015-063 + name: Log access to sensitive data + ltype: Related +name: Log discretely diff --git a/cres/Log_events_sufficiently_to_recreate_their_order.yaml b/cres/Log_events_sufficiently_to_recreate_their_order.yaml new file mode 100644 index 000000000..7a2cb73ab --- /dev/null +++ b/cres/Log_events_sufficiently_to_recreate_their_order.yaml 
@@ -0,0 +1,39 @@ +doctype: CRE +id: 555-048 +links: +- document: + doctype: CRE + id: 402-706 + name: Log relevant + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x15-V7-Error-Logging.md + name: ASVS + section: V7.1.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c9-implement-security-logging-monitoring.html + name: OPC + section: C9 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/778.html + name: CWE + section: '778' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/02-Test_Application_Platform_Configuration.html#log-review + name: WSTG + section: WSTG-CONF-02 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html + name: Cheat_sheets + section: Logging Cheat Sheet + ltype: Linked To +name: Log events sufficiently to recreate their order diff --git a/cres/Log_in_consistent_format_across_system.yaml b/cres/Log_in_consistent_format_across_system.yaml new file mode 100644 index 000000000..f5239a2fe --- /dev/null +++ b/cres/Log_in_consistent_format_across_system.yaml 
@@ -0,0 +1,40 @@ +doctype: CRE +id: 260-200 +links: +- document: + doctype: CRE + id: 148-420 + name: Log integrity + ltype: Contains +- document: + doctype: CRE + id: 155-155 + name: Architecture + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.7.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c9-implement-security-logging-monitoring.html + name: OPC + section: C9 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/1009.html + name: CWE + section: '1009' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html + name: Cheat_sheets + section: Logging Cheat Sheet + ltype: Linked To +name: Log in consistent format across system +tags: +- Architecture diff --git a/cres/Log_injection_protection.yaml b/cres/Log_injection_protection.yaml new file mode 100644 index 000000000..6942d5cff --- /dev/null +++ b/cres/Log_injection_protection.yaml @@ -0,0 +1,17 @@ +doctype: CRE +links: +- document: + doctype: CRE + id: 821-540 + name: Protect logs against log injection + tags: + - Injection + ltype: Contains +- document: + doctype: CRE + id: 048-612 + name: Encode user input before logging + tags: + - Injection + ltype: Contains +name: Log injection protection diff --git a/cres/Log_integrity.yaml b/cres/Log_integrity.yaml new file mode 100644 index 000000000..35a361ab1 --- /dev/null +++ b/cres/Log_integrity.yaml 
@@ -0,0 +1,39 @@ +doctype: CRE +id: 148-420 +links: +- document: + doctype: CRE + id: 842-876 + name: '>>Logging and error handling' + ltype: Contains +- document: + doctype: CRE + id: 260-200 + name: Log in consistent format across system + tags: + - Architecture + ltype: Contains +- document: + doctype: CRE + id: 026-280 + name: Securely transfer logs (remotely) + ltype: Contains +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-10 + name: NIST 800-53 v5 + section: AU-10 Non-repudiation + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-8 + name: NIST 800-53 v5 + section: AU-8 Time Stamps + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-9 + name: NIST 800-53 v5 + section: AU-9 Protection of Audit Information + ltype: Linked To +name: Log integrity diff --git a/cres/Log_only_non-sensitive_data.yaml b/cres/Log_only_non-sensitive_data.yaml new file mode 100644 index 000000000..7768014bc --- /dev/null +++ b/cres/Log_only_non-sensitive_data.yaml 
@@ -0,0 +1,39 @@ +doctype: CRE +id: 240-274 +links: +- document: + doctype: CRE + id: 843-841 + name: Log discretely + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x15-V7-Error-Logging.md + name: ASVS + section: V7.1.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c9-implement-security-logging-monitoring.html + name: OPC + section: C9 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/532.html + name: CWE + section: '532' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/02-Test_Application_Platform_Configuration.html#log-review + name: WSTG + section: WSTG-CONF-02 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html + name: Cheat_sheets + section: Logging Cheat Sheet + ltype: Linked To +name: Log only non-sensitive data diff --git a/cres/Log_relevant.yaml b/cres/Log_relevant.yaml new file mode 100644 index 000000000..253feb06e --- /dev/null +++ b/cres/Log_relevant.yaml 
@@ -0,0 +1,53 @@ +doctype: CRE +id: 402-706 +links: +- document: + doctype: CRE + id: 443-447 + name: Log access control decisions + ltype: Contains +- document: + doctype: CRE + id: 841-710 + name: Log authentication decisions without exposing sensitive data + ltype: Contains +- document: + doctype: CRE + id: 184-284 + name: Log all security relevant events + ltype: Contains +- document: + doctype: CRE + id: 555-048 + name: Log events sufficiently to recreate their order + ltype: Contains +- document: + doctype: CRE + id: 015-063 + name: Log access to sensitive data + ltype: Contains +- document: + doctype: CRE + id: 113-133 + name: Use centralized authentication mechanism + tags: + - Architecture + ltype: Related +- document: + doctype: CRE + id: 842-876 + name: '>>Logging and error handling' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-2 + name: NIST 800-53 v5 + section: AU-2 Event Logging + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-3 + name: NIST 800-53 v5 + section: AU-3 Content of Audit Records + ltype: Linked To +name: Log relevant diff --git a/cres/Log_time_synchronization.yaml b/cres/Log_time_synchronization.yaml new file mode 100644 index 000000000..c22719eeb --- /dev/null +++ b/cres/Log_time_synchronization.yaml @@ -0,0 +1,8 @@ +doctype: CRE +links: +- document: + doctype: CRE + id: 770-361 + name: Synchronize time zones for logs + ltype: Contains +name: Log time synchronization diff --git a/cres/Login_functionality.yaml b/cres/Login_functionality.yaml new file mode 100644 index 000000000..370f9492a --- /dev/null +++ b/cres/Login_functionality.yaml 
@@ -0,0 +1,19 @@ +doctype: CRE +id: 789-320 +links: +- document: + doctype: CRE + id: 270-568 + name: Authentication mechanism + ltype: Contains +- document: + doctype: CRE + id: 630-577 + name: Allow password helpers, including paste functionality + ltype: Contains +- document: + doctype: CRE + id: 487-305 + name: Provide options to view entire password or last typed character + ltype: Contains +name: Login functionality diff --git a/cres/MFA-OTP.yaml b/cres/MFA-OTP.yaml index 680e9a446..8ee632d20 100644 --- a/cres/MFA-OTP.yaml +++ b/cres/MFA-OTP.yaml 
@@ -5,138 +5,138 @@ links: doctype: CRE id: 270-568 name: Authentication mechanism - type: Contains + ltype: Contains - document: doctype: CRE id: 170-772 name: Cryptography - type: Related + ltype: Related - document: doctype: CRE id: 076-470 name: Biometric authenticators only as secondary factors - type: Contains + ltype: Contains - document: doctype: CRE id: 201-246 name: Use multifactor authentication on administrative interfaces - type: Contains + ltype: Contains - document: doctype: CRE id: 841-757 name: Use approved cryptographic algorithms in generation, seeding and verification of OTPs - type: Contains + ltype: Contains - document: doctype: CRE id: 525-361 name: Authenticate by OTP token entry or user-initiated action on multi factor device - type: Contains + ltype: Contains - document: doctype: CRE id: 646-227 name: Log and reject re-use of valid time-based OTP tokens and notify device holder. - type: Contains + ltype: Contains - document: doctype: CRE id: 206-254 name: Use secure random to generate initial authentication codes tags: - Cryptography - type: Contains + ltype: Contains - document: doctype: CRE id: 543-428 name: Use security module to store one-time password verification keys tags: - Cryptography - type: Contains + ltype: Contains - document: doctype: CRE id: 513-845 name: Use unpredictable lookup secrets - type: Contains + ltype: Contains - document: doctype: CRE id: 101-217 name: Use lookup secrets only once - type: Contains + ltype: Contains - document: doctype: CRE id: 346-640 name: Generate lookup secrets with sufficient entropy - type: Contains + ltype: Contains - document: doctype: CRE id: 524-446 name: Mandate using multi factor authentication - type: Contains + ltype: Contains - document: doctype: CRE id: 622-835 name: Generate initial passwords with sufficient secure random, short expiration time and do not allow to reuse the initial password. 
- type: Contains + ltype: Contains - document: doctype: CRE id: 342-764 name: Only store hashed authentication codes - type: Contains + ltype: Contains - document: doctype: CRE id: 102-811 name: Communicate out of band authentication requests, codes or tokens independently and securely - type: Contains + ltype: Contains - document: doctype: CRE id: 816-631 name: Ensure timely expiration of out of band authentication request, code, or tokens - type: Contains + ltype: Contains - document: doctype: CRE id: 168-186 name: Use out of band authentication requests, codes or tokens only once - type: Contains + ltype: Contains - document: doctype: CRE id: 440-361 name: Ensure that physical single factor OTP generator can be revoked fully immediately when lost - type: Contains + ltype: Contains - document: doctype: CRE id: 354-752 name: Use strong authenticators with priority and weak authenticators only for less secure access - type: Contains + ltype: Contains - document: doctype: CRE id: 553-413 name: Support subscriber-provided authentication devices - type: Contains + ltype: Contains - document: doctype: CRE id: 681-823 name: Defined lifetime of time-based one-time password - type: Contains + ltype: Contains - document: doctype: CRE id: 404-126 name: Use time-based OTP only once - type: Contains + ltype: Contains - document: doctype: CRE id: 354-752 name: Do not offer weak (clear text) authenticators by default - type: Contains + ltype: Contains - document: doctype: CRE id: 270-634 name: Send authentication secrets encrypted - type: Related + ltype: Related name: MFA/OTP tags: - Cryptography diff --git a/cres/Maintain-manage_inventory_of_third_party_repositories.yaml b/cres/Maintain-manage_inventory_of_third_party_repositories.yaml new file mode 100644 index 000000000..157ecc47f --- /dev/null +++ b/cres/Maintain-manage_inventory_of_third_party_repositories.yaml 
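Review bot: Two different children in cres/MFA-OTP.yaml share `id: 354-752`: `Use strong authenticators with priority and weak authenticators only for less secure access` and `Do not offer weak (clear text) authenticators by default`. The hunk only renames `type` to `ltype`, so the duplicate predates this change, but it is still present on the new side and one entry will presumably shadow the other wherever documents are keyed by id. One of the two needs its own id, and a uniqueness check on `id` during import would catch this class of error.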
@@ -0,0 +1,38 @@ +doctype: CRE +id: 863-521 +links: +- document: + doctype: CRE + id: 613-286 + name: Dependency management + ltype: Contains +- document: + doctype: CRE + id: 153-513 + name: '>>Development & operations' + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md + name: ASVS + section: V14.2.5 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c2-leverage-security-frameworks-libraries.html + name: OPC + section: C2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html + name: Cheat_sheets + section: Docker Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Vulnerable Dependency Management Cheat Sheet + ltype: Linked To +name: Maintain/manage inventory of third party repositories diff --git a/cres/Make_(centrally)_available_secure_coding_resources_for_programmers.yaml b/cres/Make_(centrally)_available_secure_coding_resources_for_programmers.yaml new file mode 100644 index 000000000..b6dd07aaa --- /dev/null +++ b/cres/Make_(centrally)_available_secure_coding_resources_for_programmers.yaml 
@@ -0,0 +1,41 @@ +doctype: CRE +id: 036-275 +links: +- document: + doctype: CRE + id: 625-323 + name: Documentation and requirements + tags: + - Architecture + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.1.7 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/637.html + name: CWE + section: '637' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html + name: Cheat_sheets + section: Threat Modeling Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html + name: Cheat_sheets + section: Abuse Case Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html + name: Cheat_sheets + section: Attack Surface Analysis Cheat Sheet + ltype: Linked To +name: Make (centrally) available secure coding resources for programmers diff --git a/cres/Manage_temporary_storage.yaml b/cres/Manage_temporary_storage.yaml new file mode 100644 index 000000000..c0c2391cb --- /dev/null +++ b/cres/Manage_temporary_storage.yaml 
@@ -0,0 +1,45 @@ +doctype: CRE +id: 208-830 +links: +- document: + doctype: CRE + id: 126-668 + name: '>>Secure data storage' + ltype: Contains +- document: + doctype: CRE + id: 157-430 + name: Protect and clear cached sensitive data + ltype: Contains +- document: + doctype: CRE + id: 473-758 + name: Set sufficient anti-caching headers + ltype: Contains +- document: + doctype: CRE + id: 046-257 + name: Clear authentication data from client storage + ltype: Contains +- document: + doctype: CRE + id: 715-304 + name: Zeroize sensitive information in memory after use + ltype: Contains +- document: + doctype: CRE + id: 846-302 + name: Prevent caching of sensitive data in server components + ltype: Contains +- document: + doctype: CRE + id: 617-524 + name: Do not store sensitive data on client (browser) storage + ltype: Contains +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-4 + name: NIST 800-53 v5 + section: SC-4 Information in Shared System Resources + ltype: Linked To +name: Manage temporary storage diff --git a/cres/Mandate_using_multi_factor_authentication.yaml b/cres/Mandate_using_multi_factor_authentication.yaml new file mode 100644 index 000000000..a7cca32fc --- /dev/null +++ b/cres/Mandate_using_multi_factor_authentication.yaml 
@@ -0,0 +1,46 @@ +doctype: CRE +id: 524-446 +links: +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.2.6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/308.html + name: CWE + section: '308' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html + name: Cheat_sheets + section: Authentication Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html + name: Cheat_sheets + section: Transport Layer Protection Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html + name: Cheat_sheets + section: TLS Cipher String Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.2.8 + ltype: Linked To +name: Mandate using multi factor authentication diff --git a/cres/Memory,_String,_and_Unmanaged_Code.yaml b/cres/Memory,_String,_and_Unmanaged_Code.yaml new file mode 100644 index 000000000..336cf6c6e --- /dev/null +++ b/cres/Memory,_String,_and_Unmanaged_Code.yaml 
@@ -0,0 +1,33 @@ +doctype: CRE +id: 866-553 +links: +- document: + doctype: CRE + id: 503-455 + name: '>>Input and output verification' + ltype: Contains +- document: + doctype: CRE + id: 760-764 + name: Injection + tags: + - XSS + ltype: Related +- document: + doctype: CRE + id: 824-732 + name: Force format strings as constants + ltype: Contains +- document: + doctype: CRE + id: 482-771 + name: Check boundaries against integer overflow weaknesses + ltype: Contains +- document: + doctype: CRE + id: 831-570 + name: Use memory-safe functions exclusively + ltype: Contains +name: Memory, String, and Unmanaged Code +tags: +- Injection diff --git a/cres/Minimize_communication.yaml b/cres/Minimize_communication.yaml new file mode 100644 index 000000000..6f964e2fa --- /dev/null +++ b/cres/Minimize_communication.yaml @@ -0,0 +1,28 @@ +doctype: CRE +id: 341-076 +links: +- document: + doctype: CRE + id: 278-646 + name: '>>Secure communication' + ltype: Contains +- document: + doctype: CRE + id: 333-888 + name: Do not expose data through API URLs + tags: + - Configuration + ltype: Contains +- document: + doctype: CRE + id: 217-112 + name: Minimize the number of parameters in a request + ltype: Contains +- document: + doctype: CRE + id: 186-540 + name: Do not expose data through HTTP verb + tags: + - Configuration + ltype: Contains +name: Minimize communication diff --git a/cres/Minimize_the_number_of_parameters_in_a_request.yaml b/cres/Minimize_the_number_of_parameters_in_a_request.yaml new file mode 100644 index 000000000..bac91466e --- /dev/null +++ b/cres/Minimize_the_number_of_parameters_in_a_request.yaml 
@@ -0,0 +1,21 @@ +doctype: CRE +id: 217-112 +links: +- document: + doctype: CRE + id: 341-076 + name: Minimize communication + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x16-V8-Data-Protection.md + name: ASVS + section: V8.1.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/233.html + name: CWE + section: '233' + ltype: Linked To +name: Minimize the number of parameters in a request diff --git a/cres/Monitor_expectation_of_usage_intensity_(e.g._number_of_requests).yaml b/cres/Monitor_expectation_of_usage_intensity_(e.g._number_of_requests).yaml new file mode 100644 index 000000000..4ced95a2a --- /dev/null +++ b/cres/Monitor_expectation_of_usage_intensity_(e.g._number_of_requests).yaml @@ -0,0 +1,36 @@ +doctype: CRE +id: 176-154 +links: +- document: + doctype: CRE + id: 010-308 + name: Input validation + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: CRE + id: 623-550 + name: DOS + ltype: Related +- document: + doctype: CRE + id: 842-876 + name: '>>Logging and error handling' + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x16-V8-Data-Protection.md + name: ASVS + section: V8.1.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/770.html + name: CWE + section: '770' + ltype: Linked To +name: Monitor expectation of usage intensity (e.g. number of requests) +tags: +- DOS diff --git a/cres/Monitor_for_realistic_human_time_business_logic_flows.yaml b/cres/Monitor_for_realistic_human_time_business_logic_flows.yaml new file mode 100644 index 000000000..568c8c954 --- /dev/null +++ b/cres/Monitor_for_realistic_human_time_business_logic_flows.yaml 
@@ -0,0 +1,42 @@
+doctype: CRE
+id: 456-535
+links:
+- document:
+ doctype: CRE
+ id: 854-643
+ name: '>>Business logic'
+ tags:
+ - DOS
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 623-550
+ name: DOS
+ ltype: Related
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x19-V11-BusLogic.md
+ name: ASVS
+ section: V11.1.2
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/799.html
+ name: CWE
+ section: '799'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html
+ name: WSTG
+ section: WSTG-BUSL-$$
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Abuse Case Cheat Sheet
+ ltype: Linked To
+name: Monitor for realistic "human time" business logic flows
+tags:
+- DOS
diff --git a/cres/Monitor_suspected_automation_abuse.yaml b/cres/Monitor_suspected_automation_abuse.yaml
new file mode 100644
index 000000000..d26bd157e
--- /dev/null
+++ b/cres/Monitor_suspected_automation_abuse.yaml
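Review bot: The WSTG link's `section: WSTG-BUSL-$$` is an unresolved placeholder rather than a test identifier, and its hyperlink points at the Business Logic Testing README instead of a specific test page. Anyone resolving this CRE to a concrete WSTG test gets no usable reference, and a consumer that matches on section strings will treat `$$` as a literal. The same value appears in the Monitor_suspected_automation_abuse.yaml hunk. Either replace it with the intended WSTG-BUSL identifier or drop the `section` key until the mapping is known, with a comment such as `# TODO: WSTG test id not yet mapped`.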
@@ -0,0 +1,47 @@
+doctype: CRE
+id: 630-573
+links:
+- document:
+ doctype: CRE
+ id: 854-643
+ name: '>>Business logic'
+ tags:
+ - DOS
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 503-455
+ name: '>>Input and output verification'
+ ltype: Related
+- document:
+ doctype: CRE
+ id: 623-550
+ name: DOS
+ ltype: Related
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x19-V11-BusLogic.md
+ name: ASVS
+ section: V11.1.4
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/770.html
+ name: CWE
+ section: '770'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html
+ name: WSTG
+ section: WSTG-BUSL-$$
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Abuse Case Cheat Sheet
+ ltype: Linked To
+name: Monitor suspected automation abuse
+tags:
+- DOS
diff --git a/cres/Monitor_unusual_activities_on_system.yaml b/cres/Monitor_unusual_activities_on_system.yaml
new file mode 100644
index 000000000..877989247
--- /dev/null
+++ b/cres/Monitor_unusual_activities_on_system.yaml
@@ -0,0 +1,47 @@ +doctype: CRE +id: 418-853 +links: +- document: + doctype: CRE + id: 854-643 + name: '>>Business logic' + tags: + - DOS + ltype: Contains +- document: + doctype: CRE + id: 623-550 + name: DOS + ltype: Related +- document: + doctype: CRE + id: 842-876 + name: '>>Logging and error handling' + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x19-V11-BusLogic.md + name: ASVS + section: V11.1.7 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c9-implement-security-logging-monitoring.html + name: OPC + section: C9 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/754.html + name: CWE + section: '754' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html + name: Cheat_sheets + section: Abuse Case Cheat Sheet + ltype: Linked To +name: Monitor unusual activities on system +tags: +- DOS diff --git a/cres/Mutually_authenticate_application_and_credential_service_provider.yaml b/cres/Mutually_authenticate_application_and_credential_service_provider.yaml new file mode 100644 index 000000000..9b83c81c8 --- /dev/null +++ b/cres/Mutually_authenticate_application_and_credential_service_provider.yaml 
@@ -0,0 +1,51 @@
+doctype: CRE
+id: 558-807
+links:
+- document:
+ doctype: CRE
+ id: 270-568
+ name: Authentication mechanism
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 228-551
+ name: TLS
+ tags:
+ - Cryptoghraphy
+ ltype: Related
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md
+ name: ASVS
+ section: V2.2.5
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/319.html
+ name: CWE
+ section: '319'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Authentication Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Transport Layer Protection Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: TLS Cipher String Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST 800-63
+ section: 5.2.6
+ ltype: Linked To
+name: Mutually authenticate application and credential service provider
diff --git a/cres/Mutually_authenticate_application_components._Minimize_privileges.yaml b/cres/Mutually_authenticate_application_components._Minimize_privileges.yaml
new file mode 100644
index 000000000..b16b34997
--- /dev/null
+++ b/cres/Mutually_authenticate_application_components._Minimize_privileges.yaml
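Review bot: The tag on the TLS link is spelled `Cryptoghraphy`, while other files in this patch tag the same topic `Cryptography` (for example on the MFA/OTP and Encryption algorithms links). A tag-based lookup for cryptography-related CREs would miss this relation; change the line to `- Cryptography`. If the spelling comes from the upstream mapping data, it presumably needs fixing there too so the next export does not reintroduce it.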
@@ -0,0 +1,39 @@ +doctype: CRE +id: 278-413 +links: +- document: + doctype: CRE + id: 146-556 + name: Authenticate consistently + ltype: Contains +- document: + doctype: CRE + id: 155-155 + name: Architecture + ltype: Related +- document: + doctype: CRE + id: 724-770 + name: '>>Authorized access' + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.2.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c3-secure-database-access.html + name: OPC + section: C3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/306.html + name: CWE + section: '306' + ltype: Linked To +name: Mutually authenticate application components. Minimize privileges +tags: +- Architecture diff --git a/cres/Mutually_authenticate_application_components.yaml b/cres/Mutually_authenticate_application_components.yaml new file mode 100644 index 000000000..ba8ba2368 --- /dev/null +++ b/cres/Mutually_authenticate_application_components.yaml 
@@ -0,0 +1,33 @@
+doctype: CRE
+id: 530-671
+links:
+- document:
+ doctype: CRE
+ id: 634-733
+ name: Communication authentication
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md
+ name: ASVS
+ section: V1.9.2
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/295.html
+ name: CWE
+ section: '295'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Transport Layer Protection Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: TLS Cipher String Cheat Sheet
+ ltype: Linked To
+name: Mutually authenticate application components
diff --git a/cres/Network_Access_Control.yaml b/cres/Network_Access_Control.yaml
new file mode 100644
index 000000000..4fb62214a
--- /dev/null
+++ b/cres/Network_Access_Control.yaml
@@ -0,0 +1,8 @@
+doctype: CRE
+links:
+- document:
+ doctype: CRE
+ id: 651-530
+ name: 'Was: TBD'
+ ltype: Contains
+name: Network Access Control
diff --git a/cres/Network_protection.yaml b/cres/Network_protection.yaml
new file mode 100644
index 000000000..35c72e32a
--- /dev/null
+++ b/cres/Network_protection.yaml
@@ -0,0 +1,10 @@
+doctype: CRE
+links:
+- document:
+ doctype: CRE
+ id: 336-512
+ name: Ensure integrity of DNS entries and domains
+ tags:
+ - Secure name/address resolution service
+ ltype: Contains
+name: Network protection
diff --git a/cres/Notify_user_about_credential_change.yaml b/cres/Notify_user_about_credential_change.yaml
new file mode 100644
index 000000000..6e81d111a
--- /dev/null
+++ b/cres/Notify_user_about_credential_change.yaml
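Review bot: Network_Access_Control.yaml has no `id:` key, unlike the other CRE documents in this patch, and its only link is to a CRE named `'Was: TBD'`; Network_protection.yaml is also missing `id:`. Other files reference CREs by id (for example `id: 651-530`), so a CRE without one cannot be linked unambiguously and can only be matched by name. Assign ids before these are merged, or mark both as drafts with a comment like `# TODO: id not yet assigned`.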
@@ -0,0 +1,49 @@ +doctype: CRE +id: 235-658 +links: +- document: + doctype: CRE + id: 586-842 + name: '>>Secure user management' + ltype: Contains +- document: + doctype: CRE + id: 520-617 + name: Credential recovery + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.5.5 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/304.html + name: CWE + section: '304' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/02-Testing_for_Default_Credentials.html + name: WSTG + section: WSTG-ATHN-02 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html + name: Cheat_sheets + section: Choosing and Using Security Questions Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html + name: Cheat_sheets + section: Forgot Password Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 6.1.2.3 + ltype: Linked To +name: Notify user about credential change diff --git a/cres/Notify_users_about_anomalies_in_their_usage_patterns.yaml b/cres/Notify_users_about_anomalies_in_their_usage_patterns.yaml new file mode 100644 index 000000000..0b4484a9f --- /dev/null +++ b/cres/Notify_users_about_anomalies_in_their_usage_patterns.yaml 
@@ -0,0 +1,39 @@ +doctype: CRE +id: 808-425 +links: +- document: + doctype: CRE + id: 586-842 + name: '>>Secure user management' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.2.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/620.html + name: CWE + section: '620' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html + name: Cheat_sheets + section: Authentication Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html + name: Cheat_sheets + section: Transport Layer Protection Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html + name: Cheat_sheets + section: TLS Cipher String Cheat Sheet + ltype: Linked To +name: Notify users about anomalies in their usage patterns diff --git a/cres/Offer_password_changing_functionality.yaml b/cres/Offer_password_changing_functionality.yaml new file mode 100644 index 000000000..a0a4c9634 --- /dev/null +++ b/cres/Offer_password_changing_functionality.yaml 
@@ -0,0 +1,50 @@ +doctype: CRE +id: 751-176 +links: +- document: + doctype: CRE + id: 586-842 + name: '>>Secure user management' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.1.5 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/620.html + name: CWE + section: '620' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html + name: WSTG + section: WSTG-ATHN-07 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html + name: Cheat_sheets + section: Choosing and Using Security Questions Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html + name: Cheat_sheets + section: Forgot Password Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Credential Stuffing Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.1.2 + ltype: Linked To +name: Offer password changing functionality diff --git a/cres/Only_store_hashed_authentication_codes.yaml b/cres/Only_store_hashed_authentication_codes.yaml new file mode 100644 index 000000000..cd55da5f7 --- /dev/null +++ b/cres/Only_store_hashed_authentication_codes.yaml 
@@ -0,0 +1,34 @@ +doctype: CRE +id: 342-764 +links: +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.7.5 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/256.html + name: CWE + section: '256' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html + name: Cheat_sheets + section: Forgot Password Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.3.2 + ltype: Linked To +name: Only store hashed authentication codes diff --git a/cres/Output_encoding_and_injection_prevention.yaml b/cres/Output_encoding_and_injection_prevention.yaml new file mode 100644 index 000000000..48a6c040d --- /dev/null +++ b/cres/Output_encoding_and_injection_prevention.yaml 
@@ -0,0 +1,79 @@ +doctype: CRE +id: 161-451 +links: +- document: + doctype: CRE + id: 503-455 + name: '>>Input and output verification' + ltype: Contains +- document: + doctype: CRE + id: 760-765 + name: XSS + ltype: Related +- document: + doctype: CRE + id: 760-764 + name: Injection + tags: + - XSS + ltype: Related +- document: + doctype: CRE + id: 620-101 + name: Force output encoding for specific interpreter's context + ltype: Contains +- document: + doctype: CRE + id: 533-516 + name: Encode output while preserving user input formatting + ltype: Contains +- document: + doctype: CRE + id: 366-835 + name: Escape output against XSS + ltype: Contains +- document: + doctype: CRE + id: 806-367 + name: Encode output near the consuming interpreter + ltype: Contains +- document: + doctype: CRE + id: 064-808 + name: Encode output context-specifically + ltype: Contains +- document: + doctype: CRE + id: 607-671 + name: Protect against JS or JSON injection attacks + ltype: Contains +- document: + doctype: CRE + id: 531-558 + name: Protect against LDAP injection + ltype: Contains +- document: + doctype: CRE + id: 547-283 + name: Protect against LFI / RFI + ltype: Contains +- document: + doctype: CRE + id: 857-718 + name: Protect against OS command injection attack + ltype: Contains +- document: + doctype: CRE + id: 732-873 + name: Lock/precompile queries (parameterization) to avoid injection attacks + ltype: Contains +- document: + doctype: CRE + id: 134-207 + name: Protect against XML/XPath injection + ltype: Contains +name: Output encoding and injection prevention +tags: +- Injection +- XSS diff --git a/cres/Parse_JSON_safely.yaml b/cres/Parse_JSON_safely.yaml new file mode 100644 index 000000000..a13a8f36c --- /dev/null +++ b/cres/Parse_JSON_safely.yaml 
@@ -0,0 +1,40 @@ +doctype: CRE +id: 387-848 +links: +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.5.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/95.html + name: CWE + section: '95' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/02-Testing_for_JavaScript_Execution.html + name: WSTG + section: WSTG-CLNT-02 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html + name: Cheat_sheets + section: Deserialization Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: XML External Entity Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html + name: Cheat_sheets + section: XML Security Cheat Sheet + ltype: Linked To +name: Parse JSON safely diff --git a/cres/Perform_cryptographic_operations_in_constant_time.yaml b/cres/Perform_cryptographic_operations_in_constant_time.yaml new file mode 100644 index 000000000..81031dcc3 --- /dev/null +++ b/cres/Perform_cryptographic_operations_in_constant_time.yaml 
@@ -0,0 +1,35 @@ +doctype: CRE +id: 878-880 +links: +- document: + doctype: CRE + id: 742-432 + name: Encryption algorithms + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x14-V6-Cryptography.md + name: ASVS + section: V6.2.8 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/385.html + name: CWE + section: '385' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html + name: Cheat_sheets + section: Cryptographic Storage Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Key Management Cheat Sheet + ltype: Linked To +name: Perform cryptographic operations in constant time diff --git a/cres/Perform_regular_backups_of_important_data_and_test_restoration.yaml b/cres/Perform_regular_backups_of_important_data_and_test_restoration.yaml new file mode 100644 index 000000000..f5b583c0f --- /dev/null +++ b/cres/Perform_regular_backups_of_important_data_and_test_restoration.yaml @@ -0,0 +1,21 @@ +doctype: CRE +id: 257-117 +links: +- document: + doctype: CRE + id: 163-776 + name: Backups + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x16-V8-Data-Protection.md + name: ASVS + section: V8.1.5 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/19.html + name: CWE + section: '19' + ltype: Linked To +name: Perform regular backups of important data and test restoration diff --git a/cres/Personal_data_handling.yaml b/cres/Personal_data_handling.yaml new file mode 100644 index 000000000..b74ee030b --- /dev/null +++ b/cres/Personal_data_handling.yaml 
@@ -0,0 +1,115 @@ +doctype: CRE +id: 028-728 +links: +- document: + doctype: CRE + id: 540-566 + name: Let application request minimal permissions + tags: + - Personal data handling + ltype: Related +- document: + doctype: CRE + id: 765-788 + name: Classify sensitive data in protection levels + tags: + - Personal data handling + ltype: Related +- document: + doctype: CRE + id: 731-120 + name: Document requirements for (data) protection levels + tags: + - Personal data handling + ltype: Related +- document: + doctype: CRE + id: 227-045 + name: Identify sensitive data and subject it to a policy + tags: + - Personal data handling + ltype: Related +- document: + doctype: CRE + id: 082-327 + name: Inform users clearly about the collection and use of personal data, and + use it only after opt-in consent. + tags: + - Personal data handling + ltype: Related +- document: + doctype: CRE + id: 762-451 + name: Ensure users can remove or export their data + tags: + - Personal data handling + ltype: Related +- document: + doctype: CRE + id: 268-272 + name: Classify personal data regarding retention so that old or outdated data + is deleted + tags: + - Personal data handling + ltype: Related +- document: + doctype: CRE + id: 482-866 + name: Encrypt personal data at rest + tags: + - Personal data handling + ltype: Related +- document: + doctype: CRE + id: 546-564 + name: '>>Tags' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PT-1 + name: NIST 800-53 v5 + section: PT-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PT-2 + name: NIST 800-53 v5 + section: PT-2 Authority to Process Personally Identifiable Information + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PT-3 + name: NIST 800-53 v5 + section: PT-3 Personally Identifiable Information Processing Purposes + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PT-4 + name: NIST 800-53 v5 + section: PT-4 Consent + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PT-5 + name: NIST 800-53 v5 + section: PT-5 Privacy Notice + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PT-6 + name: NIST 800-53 v5 + section: PT-6 System of Records Notice + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PT-7 + name: NIST 800-53 v5 + section: PT-7 Specific Categories of Personally Identifiable Information + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PT-8 + name: NIST 800-53 v5 + section: PT-8 Computer Matching Requirements + ltype: Linked To +name: Personal data handling diff --git a/cres/Physical_security.yaml b/cres/Physical_security.yaml new file mode 100644 index 000000000..82183818b --- /dev/null +++ b/cres/Physical_security.yaml 
@@ -0,0 +1,17 @@
+doctype: CRE
+id: 266-527
+links:
+- document:
+ doctype: CRE
+ id: 783-355
+ name: Deployment
+ tags:
+ - Configuration
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-41
+ name: NIST 800-53 v5
+ section: SC-41 Port and I/O Device Access
+ ltype: Linked To
+name: Physical security
diff --git a/cres/Prevent_Click_jacking_through_X-Frame-Options_or_CSP.yaml b/cres/Prevent_Click_jacking_through_X-Frame-Options_or_CSP.yaml
new file mode 100644
index 000000000..30c9d5c56
--- /dev/null
+++ b/cres/Prevent_Click_jacking_through_X-Frame-Options_or_CSP.yaml
@@ -0,0 +1,33 @@
+doctype: CRE
+id: 480-071
+links:
+- document:
+ doctype: CRE
+ id: 636-347
+ name: HTTP security headers
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md
+ name: ASVS
+ section: V14.4.7
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/346.html
+ name: CWE
+ section: '346'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/09-Testing_for_Clickjacking.html
+ name: WSTG
+ section: WSTG-CLNT-09
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Content Security Policy Cheat Sheet
+ ltype: Linked To
+name: Prevent Click jacking through X-Frame-Options or CSP
diff --git a/cres/Prevent_caching_of_sensitive_data_in_server_components.yaml b/cres/Prevent_caching_of_sensitive_data_in_server_components.yaml
new file mode 100644
index 000000000..817fafb35
--- /dev/null
+++ b/cres/Prevent_caching_of_sensitive_data_in_server_components.yaml
@@ -0,0 +1,21 @@
+doctype: CRE
+id: 846-302
+links:
+- document:
+ doctype: CRE
+ id: 208-830
+ name: Manage temporary storage
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x16-V8-Data-Protection.md
+ name: ASVS
+ section: V8.1.1
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/524.html
+ name: CWE
+ section: '524'
+ ltype: Linked To
+name: Prevent caching of sensitive data in server components
diff --git a/cres/Prevent_security_disclosure.yaml b/cres/Prevent_security_disclosure.yaml
new file mode 100644
index 000000000..1a6a31f08
--- /dev/null
+++ b/cres/Prevent_security_disclosure.yaml
@@ -0,0 +1,31 @@
+doctype: CRE
+id: 308-515
+links:
+- document:
+ doctype: CRE
+ id: 503-455
+ name: '>>Input and output verification'
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 486-813
+ name: Configuration
+ ltype: Related
+- document:
+ doctype: CRE
+ id: 208-805
+ name: Disable debug mode in production
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 743-110
+ name: Do not disclose technical information in error message
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 403-005
+ name: Do not disclose technical information in HTTP header or response
+ ltype: Contains
+name: Prevent security disclosure
+tags:
+- Configuration
diff --git a/cres/Proper_Configuration_for_all_applications_and_frameworks.yaml b/cres/Proper_Configuration_for_all_applications_and_frameworks.yaml
new file mode 100644
index 000000000..cd70d284d
--- /dev/null
+++ b/cres/Proper_Configuration_for_all_applications_and_frameworks.yaml
@@ -0,0 +1,41 @@
+doctype: CRE
+id: 180-488
+links:
+- document:
+ doctype: CRE
+ name: Server protection
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 486-813
+ name: Configuration
+ ltype: Related
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md
+ name: ASVS
+ section: V14.1.3
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/16.html
+ name: CWE
+ section: '16'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Docker Security Cheat Sheet
+ ltype: Linked To
+- document:
+ description: '"Ensure that only POST is accepted where POST is expected."'
+ doctype: Tool
+ name: 'ZAP Alert: "GET for POST"'
+ tags:
+ - '"Active"'
+ tooltype: Offensive
+ ltype: SAME
+name: Proper Configuration for all applications and frameworks
+tags:
+- Configuration
diff --git a/cres/Protect_API_against_unauthorized_access-modification_(IDOR).yaml b/cres/Protect_API_against_unauthorized_access-modification_(IDOR).yaml
new file mode 100644
index 000000000..b959e3459
--- /dev/null
+++ b/cres/Protect_API_against_unauthorized_access-modification_(IDOR).yaml
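Review bot: The ZAP alert entry is linked with `ltype: SAME`, but the alert ("GET for POST") checks one narrow condition while this CRE covers configuration of all applications and frameworks; the standards in this file use `ltype: Linked To`, which looks like the safer claim here. The alert's `name`, `description` and tag also carry literal double quotes (`- '"Active"'`), which suggests the alert parser does not strip quotes from its input, so a filter on the tag `Active` would not match; the intended value is presumably `- Active`. Separately, the first link (`name: Server protection`) has no `id:`, unlike every other CRE link in this hunk.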
@@ -0,0 +1,45 @@ +doctype: CRE +id: 304-667 +links: +- document: + doctype: CRE + id: 724-770 + name: '>>Authorized access' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V4-Access-Control.md + name: ASVS + section: V4.2.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/639.html + name: CWE + section: '639' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html + name: WSTG + section: WSTG-ATHZ-04 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Insecure Direct Object Reference Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Cross-Site Request Forgery Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Testing_Automation_Cheat_Sheet.html + name: Cheat_sheets + section: Authorization Testing Automation Cheat Sheet + ltype: Linked To +name: Protect API against unauthorized access/modification (IDOR) diff --git a/cres/Protect_against_JS_or_JSON_injection_attacks.yaml b/cres/Protect_against_JS_or_JSON_injection_attacks.yaml new file mode 100644 index 000000000..d9e157c08 --- /dev/null +++ b/cres/Protect_against_JS_or_JSON_injection_attacks.yaml 
@@ -0,0 +1,126 @@ +doctype: CRE +id: 607-671 +links: +- document: + doctype: CRE + id: 161-451 + name: Output encoding and injection prevention + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.3.6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c4-encode-escape-data.html + name: OPC + section: C4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/830.html + name: CWE + section: '830' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting.html + name: WSTG + section: WSTG-CLNT-01 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Cross Site Scripting Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: DOM based XSS Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html + name: Cheat_sheets + section: HTML5 Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.html 
+ name: Cheat_sheets + section: Injection Prevention in Java Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html + name: Cheat_sheets + section: Input Validation Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: LDAP Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html + name: Cheat_sheets + section: OS Command Injection Defense Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html + name: Cheat_sheets + section: File Upload Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html + name: Cheat_sheets + section: Query Parameterization Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: SQL Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html + name: Cheat_sheets + section: Unvalidated Redirects and Forwards Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Bean_Validation_Cheat_Sheet.html + name: Cheat_sheets + section: Bean Validation Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html + name: 
Cheat_sheets + section: XML External Entity Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html + name: Cheat_sheets + section: XML Security Cheat Sheet + ltype: Linked To +name: Protect against JS or JSON injection attacks diff --git a/cres/Protect_against_LDAP_injection.yaml b/cres/Protect_against_LDAP_injection.yaml new file mode 100644 index 000000000..f9f760233 --- /dev/null +++ b/cres/Protect_against_LDAP_injection.yaml 
@@ -0,0 +1,133 @@ +doctype: CRE +id: 531-558 +links: +- document: + doctype: CRE + id: 161-451 + name: Output encoding and injection prevention + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.3.7 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c4-encode-escape-data.html + name: OPC + section: C4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/90.html + name: CWE + section: '90' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/06-Testing_for_LDAP_Injection.html + name: WSTG + section: WSTG-INPV-06 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Cross Site Scripting Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: DOM based XSS Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html + name: Cheat_sheets + section: HTML5 Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.html + name: 
Cheat_sheets + section: Injection Prevention in Java Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html + name: Cheat_sheets + section: Input Validation Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: LDAP Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html + name: Cheat_sheets + section: OS Command Injection Defense Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html + name: Cheat_sheets + section: File Upload Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html + name: Cheat_sheets + section: Query Parameterization Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: SQL Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html + name: Cheat_sheets + section: Unvalidated Redirects and Forwards Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Bean_Validation_Cheat_Sheet.html + name: Cheat_sheets + section: Bean Validation Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html + name: Cheat_sheets + 
section: XML External Entity Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html + name: Cheat_sheets + section: XML Security Cheat Sheet + ltype: Linked To +- document: + doctype: Tool + name: 'ZAP Alert: "LDAP Injection"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Protect against LDAP injection diff --git a/cres/Protect_against_LFI_-_RFI.yaml b/cres/Protect_against_LFI_-_RFI.yaml new file mode 100644 index 000000000..fb3cd7702 --- /dev/null +++ b/cres/Protect_against_LFI_-_RFI.yaml 
@@ -0,0 +1,129 @@ +doctype: CRE +id: 547-283 +links: +- document: + doctype: CRE + id: 161-451 + name: Output encoding and injection prevention + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.3.9 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/829.html + name: CWE + section: '829' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11-Testing_for_Code_Injection.html + name: WSTG + section: WSTG-INPV-11 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Cross Site Scripting Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: DOM based XSS Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html + name: Cheat_sheets + section: HTML5 Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.html + name: Cheat_sheets + section: Injection Prevention in Java Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html + name: Cheat_sheets + section: Input Validation Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: LDAP Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html + name: Cheat_sheets + section: OS Command Injection Defense Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html + name: Cheat_sheets + section: File Upload Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html + name: Cheat_sheets + section: Query Parameterization Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: SQL Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html + name: Cheat_sheets + section: Unvalidated Redirects and Forwards Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Bean_Validation_Cheat_Sheet.html + name: Cheat_sheets + section: Bean Validation Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: XML External Entity Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html + name: Cheat_sheets + section: XML Security Cheat Sheet + ltype: Linked To +- document: + description: '"Ensure JavaScript source files are loaded from only trusted sources, + and the sources can''t be controlled by end users of the application."' + doctype: Tool + name: 'ZAP Alert: "Cross-Domain JavaScript Source File Inclusion"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +name: Protect against LFI / RFI diff --git a/cres/Protect_against_OS_command_injection_attack.yaml b/cres/Protect_against_OS_command_injection_attack.yaml new file mode 100644 index 000000000..d662c44df --- /dev/null +++ b/cres/Protect_against_OS_command_injection_attack.yaml 
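Review bot: The `ltype: SAME` link at the end of this hunk equates the passive alert "Cross-Domain JavaScript Source File Inclusion" with the CRE "Protect against LFI / RFI", although the two cover different things. The alert's own description is about which origins a page loads script from, while the CRE's ASVS and WSTG references concern file and code inclusion on the server. The pairing was presumably derived from the shared CWE 829, which is broad enough to cover both. Anyone treating SAME as an equivalence will read a clean passive scan as evidence for the LFI/RFI requirement; `ltype: Related` would describe the relationship more accurately.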
@@ -0,0 +1,141 @@ +doctype: CRE +id: 857-718 +links: +- document: + doctype: CRE + id: 161-451 + name: Output encoding and injection prevention + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.3.8 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c4-encode-escape-data.html + name: OPC + section: C4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/78.html + name: CWE + section: '78' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection.html + name: WSTG + section: WSTG-INPV-12 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Cross Site Scripting Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: DOM based XSS Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html + name: Cheat_sheets + section: HTML5 Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.html + name: 
Cheat_sheets + section: Injection Prevention in Java Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html + name: Cheat_sheets + section: Input Validation Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: LDAP Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html + name: Cheat_sheets + section: OS Command Injection Defense Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html + name: Cheat_sheets + section: File Upload Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html + name: Cheat_sheets + section: Query Parameterization Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: SQL Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html + name: Cheat_sheets + section: Unvalidated Redirects and Forwards Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Bean_Validation_Cheat_Sheet.html + name: Cheat_sheets + section: Bean Validation Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html + name: Cheat_sheets + 
section: XML External Entity Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html + name: Cheat_sheets + section: XML Security Cheat Sheet + ltype: Linked To +- document: + doctype: Tool + name: 'ZAP Alert: "Remote OS Command Injection"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Update Bash on the server to the latest version"' + doctype: Tool + name: 'ZAP Alert: "Remote Code Execution - Shell Shock"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Protect against OS command injection attack diff --git a/cres/Protect_against_XML-XPath_injection.yaml b/cres/Protect_against_XML-XPath_injection.yaml new file mode 100644 index 000000000..3c22e43a1 --- /dev/null +++ b/cres/Protect_against_XML-XPath_injection.yaml 
@@ -0,0 +1,134 @@ +doctype: CRE +id: 134-207 +links: +- document: + doctype: CRE + id: 161-451 + name: Output encoding and injection prevention + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.3.10 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c4-encode-escape-data.html + name: OPC + section: C4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/643.html + name: CWE + section: '643' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.html; + https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection.html + name: WSTG + section: WSTG-INPV-07; WSTG-INPV-09 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Cross Site Scripting Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: DOM based XSS Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html + name: Cheat_sheets + section: HTML5 Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Injection Prevention 
Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.html + name: Cheat_sheets + section: Injection Prevention in Java Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html + name: Cheat_sheets + section: Input Validation Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: LDAP Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html + name: Cheat_sheets + section: OS Command Injection Defense Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html + name: Cheat_sheets + section: File Upload Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html + name: Cheat_sheets + section: Query Parameterization Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: SQL Injection Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html + name: Cheat_sheets + section: Unvalidated Redirects and Forwards Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Bean_Validation_Cheat_Sheet.html + name: Cheat_sheets + section: Bean Validation Cheat Sheet + 
ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: XML External Entity Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html + name: Cheat_sheets + section: XML Security Cheat Sheet + ltype: Linked To +- document: + doctype: Tool + name: 'ZAP Alert: "XPath Injection"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Protect against XML/XPath injection diff --git a/cres/Protect_against_directory_browsing-discovery_attacks.yaml b/cres/Protect_against_directory_browsing-discovery_attacks.yaml new file mode 100644 index 000000000..e33d44fb8 --- /dev/null +++ b/cres/Protect_against_directory_browsing-discovery_attacks.yaml 
@@ -0,0 +1,49 @@ +doctype: CRE +id: 615-744 +links: +- document: + doctype: CRE + id: 724-770 + name: '>>Authorized access' + ltype: Contains +- document: + doctype: CRE + id: 486-813 + name: Configuration + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V4-Access-Control.md + name: ASVS + section: V4.3.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/548.html + name: CWE + section: '548' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/03-Test_File_Extensions_Handling_for_Sensitive_Information.html + name: WSTG + section: WSTG-CONF-03 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html + name: Cheat_sheets + section: REST Assessment Cheat Sheet + ltype: Linked To +- document: + description: '"Disable directory browsing. If this is required, make sure the + listed files does not induce risks."' + doctype: Tool + name: 'ZAP Alert: "Directory Browsing"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Protect against directory browsing/discovery attacks +tags: +- Configuration diff --git a/cres/Protect_against_mass_parameter_assignment_attack.yaml b/cres/Protect_against_mass_parameter_assignment_attack.yaml new file mode 100644 index 000000000..5bb3d2110 --- /dev/null +++ b/cres/Protect_against_mass_parameter_assignment_attack.yaml 
@@ -0,0 +1,42 @@ +doctype: CRE +id: 042-550 +links: +- document: + doctype: CRE + id: 010-308 + name: Input validation + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.1.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c5-validate-all-inputs.html + name: OPC + section: C5 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/915.html + name: CWE + section: '915' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html + name: Cheat_sheets + section: Mass Assignment Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html + name: Cheat_sheets + section: Input Validation Cheat Sheet + ltype: Linked To +name: Protect against mass parameter assignment attack diff --git a/cres/Protect_and_clear_cached_sensitive_data.yaml b/cres/Protect_and_clear_cached_sensitive_data.yaml new file mode 100644 index 000000000..3e7da3b45 --- /dev/null +++ b/cres/Protect_and_clear_cached_sensitive_data.yaml @@ -0,0 +1,21 @@ +doctype: CRE +id: 157-430 +links: +- document: + doctype: CRE + id: 208-830 + name: Manage temporary storage + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x16-V8-Data-Protection.md + name: ASVS + section: V8.1.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/524.html + name: CWE + section: '524' + ltype: Linked To +name: Protect and clear cached sensitive data 
diff --git a/cres/Protect_communication_between_application_components.yaml b/cres/Protect_communication_between_application_components.yaml new file mode 100644 index 000000000..5fbf3fe51 --- /dev/null +++ b/cres/Protect_communication_between_application_components.yaml @@ -0,0 +1,48 @@ +doctype: CRE +id: 527-034 +links: +- document: + doctype: CRE + id: 435-702 + name: Communication encryption + tags: + - Cryptography + ltype: Contains +- document: + doctype: CRE + id: 170-772 + name: Cryptography + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.9.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c3-secure-database-access.html + name: OPC + section: C3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/319.html + name: CWE + section: '319' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html + name: Cheat_sheets + section: Transport Layer Protection Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html + name: Cheat_sheets + section: TLS Cipher String Cheat Sheet + ltype: Linked To +name: Protect communication between application components +tags: +- Cryptography diff --git a/cres/Protect_logs_against_log_injection.yaml b/cres/Protect_logs_against_log_injection.yaml new file mode 100644 index 000000000..65920fb28 --- /dev/null +++ b/cres/Protect_logs_against_log_injection.yaml 
@@ -0,0 +1,66 @@ +doctype: CRE +id: 821-540 +links: +- document: + doctype: CRE + name: Log injection protection + ltype: Contains +- document: + doctype: CRE + id: 503-455 + name: '>>Input and output verification' + ltype: Related +- document: + doctype: CRE + id: 760-764 + name: Injection + tags: + - XSS + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x15-V7-Error-Logging.md + name: ASVS + section: V7.3.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c9-implement-security-logging-monitoring.html + name: OPC + section: C9 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/117.html + name: CWE + section: '117' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/03-Test_Integrity_Checks.html + name: WSTG + section: WSTG-BUSL-03 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html + name: Cheat_sheets + section: Logging Cheat Sheet + ltype: Linked To +- document: + description: '"Upgrade Log4j2 to version 2.15.0 or newer. In previous releases + (>2.10) this behavior can be mitigated by setting system property ''log4j2.formatMsgNoLookups'' + to ''true'' or by removing the JndiLookup class from the classpath (example: + zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). 
+ Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) + protects against remote code execution by defaulting ''com.sun.jndi.rmi.object.trustURLCodebase'' + and ''com.sun.jndi.cosnaming.object.trustURLCodebase'' to ''false''."' + doctype: Tool + name: 'ZAP Alert: "Log4Shell (CVE-2021-44228)"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Protect logs against log injection +tags: +- Injection diff --git a/cres/Protect_logs_against_unauthorized_access.yaml b/cres/Protect_logs_against_unauthorized_access.yaml new file mode 100644 index 000000000..f5a0a34bd --- /dev/null +++ b/cres/Protect_logs_against_unauthorized_access.yaml 
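Review bot: The `description` of the Log4Shell (CVE-2021-44228) Tool entry pins remediation to "version 2.15.0 or newer" and the `log4j2.formatMsgNoLookups` property, guidance the Log4j project itself later superseded. The catalogue will keep recommending an outdated fix until this copy is regenerated. The range `(>2.10)` also excludes 2.10 itself, which is presumably meant to be included. If the Tool document type accepts a `hyperlink` field like the Standard entries in this file, prefer a short description plus a link to the maintained alert or vendor advisory. Separately, `ltype: SAME` equates a JNDI lookup flaw leading to remote code execution with the CRE "Protect logs against log injection"; `ltype: Related` fits better.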
@@ -0,0 +1,200 @@ +doctype: CRE +id: 713-683 +links: +- document: + doctype: CRE + name: Log access protection + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x15-V7-Error-Logging.md + name: ASVS + section: V7.3.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c9-implement-security-logging-monitoring.html + name: OPC + section: C9 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/200.html + name: CWE + section: '200' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/03-Testing_for_Privilege_Escalation.html + name: WSTG + section: WSTG-ATHZ-03 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.htmlhttps://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html + name: Cheat_sheets + section: Logging Cheat Sheet.htmlhttps://cheatsheetseries.owasp.org/cheatsheets/Logging + Cheat Sheet + ltype: Linked To +- document: + description: '"Review the source code of this page. Implement custom error pages. + Consider implementing a mechanism to provide a unique error reference/identifier + to the client (browser) while logging the details on the server side and not + exposing them to the user."' + doctype: Tool + name: 'ZAP Alert: "Application Error Disclosure"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Do not divulge details of whether a username is valid or invalid. 
+ In particular, for unsuccessful login attempts, do not differentiate between + an invalid user and an invalid password in the error message, page title, page + contents, HTTP headers, or redirection logic."' + doctype: Tool + name: 'ZAP Alert: "Possible Username Enumeration"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Limit access to Symfony''s Profiler, either via authentication/authorization + or limiting inclusion of the header to specific clients (by IP, etc.)."' + doctype: Tool + name: 'ZAP Alert: "X-Debug-Token Information Leak"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Remove all comments that return information that may help an attacker + and fix any underlying problems they refer to."' + doctype: Tool + name: 'ZAP Alert: "Information Disclosure - Suspicious Comments in XML via WebSocket"' + tags: + - '"WebSocket Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Remove all comments that return information that may help an attacker + and fix any underlying problems they refer to."' + doctype: Tool + name: 'ZAP Alert: "Information Disclosure - Suspicious Comments"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Do not pass sensitive information in URIs."' + doctype: Tool + name: 'ZAP Alert: "Information Disclosure - Sensitive Information in HTTP Referrer + Header"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Disable debugging messages before pushing to production."' + doctype: Tool + name: 'ZAP Alert: "Information Disclosure - Debug Error Messages via WebSocket"' + tags: + - '"WebSocket Passive"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "Proxy Disclosure"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "Cookie Slack Detector"' + tags: + - 
'"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Disable debugging messages before pushing to production."' + doctype: Tool + name: 'ZAP Alert: "Information Disclosure - Debug Error Messages"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Before allowing images to be stored on the server and/or transmitted + to the browser, strip out the embedded location information from image. This + could mean removing all Exif data or just the GPS component. Other data, like + serial numbers, should also be removed."' + doctype: Tool + name: 'ZAP Alert: "Image Exposes Location or Privacy Data"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Do not pass sensitive information in URIs."' + doctype: Tool + name: 'ZAP Alert: "Information Disclosure - Sensitive Information in URL"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"TBA"' + doctype: Tool + name: 'ZAP Alert: "Insecure HTTP Method"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Remove emails that are not public."' + doctype: Tool + name: 'ZAP Alert: "Email address found in WebSocket message"' + tags: + - '"WebSocket Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"For secure content, put session ID in a cookie. To be even more + secure consider using a combination of cookie and URL rewrite."' + doctype: Tool + name: 'ZAP Alert: "Session ID in URL Rewrite"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Remove the private IP address from the HTTP response body. 
For + comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can + be seen by client browsers."' + doctype: Tool + name: 'ZAP Alert: "Private IP Disclosure"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Ensure that your web server, application server, load balancer, + etc. is configured to suppress ''X-Powered-By'' headers."' + doctype: Tool + name: 'ZAP Alert: "Server Leaks Information via ''X-Powered-By'' HTTP Response + Header Field(s)"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Manually confirm that the timestamp data is not sensitive, and + that the data cannot be aggregated to disclose exploitable patterns."' + doctype: Tool + name: 'ZAP Alert: "Timestamp Disclosure"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +name: Protect logs against unauthorized access diff --git a/cres/Protect_sensitive_functionalities_against_race_conditions.yaml b/cres/Protect_sensitive_functionalities_against_race_conditions.yaml new file mode 100644 index 000000000..54aa9e7d6 --- /dev/null +++ b/cres/Protect_sensitive_functionalities_against_race_conditions.yaml @@ -0,0 +1,29 @@ +doctype: CRE +id: 134-412 +links: +- document: + doctype: CRE + id: 854-643 + name: '>>Business logic' + tags: + - DOS + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x19-V11-BusLogic.md + name: ASVS + section: V11.1.6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/367.html + name: CWE + section: '367' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html + name: Cheat_sheets + section: Abuse Case Cheat Sheet + ltype: Linked To +name: Protect sensitive functionalities against race conditions 
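Review bot: In cres/Protect_logs_against_unauthorized_access.yaml the `Cheat_sheets` link has its URL doubled, `hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.htmlhttps://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html`, and its `section` value carries the same concatenation, so the link does not resolve. The log-injection file earlier in this patch shows the intended form: `hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html` with `section: Logging Cheat Sheet`. This looks like two source values joined without a separator during import, so the importer probably needs a split or de-duplication step rather than a hand edit here. Separately, alerts such as `Possible Username Enumeration`, `Timestamp Disclosure` and `Image Exposes Location or Privacy Data` are linked with `ltype: SAME` to a log-access requirement. They appear to have been grouped by CWE 200, and if the schema allows it for tools, a weaker link type such as `Related` would describe that relationship more accurately.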
diff --git a/cres/Protect_session_ID.yaml b/cres/Protect_session_ID.yaml new file mode 100644 index 000000000..22cf73fdd --- /dev/null +++ b/cres/Protect_session_ID.yaml @@ -0,0 +1,30 @@ +doctype: CRE +links: +- document: + doctype: CRE + id: 232-034 + name: Set '_Host' prefix for cookie-based session tokens + ltype: Contains +- document: + doctype: CRE + id: 804-220 + name: Set httponly attribute for cookie-based session tokens + tags: + - XSS + ltype: Contains +- document: + doctype: CRE + id: 688-081 + name: Set "secure" attribute for cookie-based session tokens + ltype: Contains +- document: + doctype: CRE + id: 705-182 + name: Set path attribute in cookie-based session tokens as precise as possible + ltype: Contains +- document: + doctype: CRE + id: 455-358 + name: When storing session tokens in browser, use secure methods only + ltype: Contains +name: Protect session ID diff --git a/cres/Provide_a_password_strength_meter.yaml b/cres/Provide_a_password_strength_meter.yaml new file mode 100644 index 000000000..78e170ed7 --- /dev/null +++ b/cres/Provide_a_password_strength_meter.yaml 
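Review bot: cres/Protect_session_ID.yaml goes straight from `doctype: CRE` to `links:` with no `id:` line, while the other new CRE files visible in this patch all carry one (for example `id: 713-683`). If anything downstream keys CREs on the id rather than the name, this node may be unaddressable or may collide with another id-less entry; the same gap shows on linked documents such as `name: Log access protection`. I would add `id: <CRE id to be assigned>` here, or have the exporter fail loudly when a CRE has none. The first link's name also reads `Set '_Host' prefix`, whereas the cookie prefix it refers to is written `__Host-`; that is worth correcting at the source of the names.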
@@ -0,0 +1,50 @@ +doctype: CRE +id: 604-025 +links: +- document: + doctype: CRE + id: 455-885 + name: Credentials directives + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.1.8 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/521.html + name: CWE + section: '521' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html + name: WSTG + section: WSTG-ATHN-07 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html + name: Cheat_sheets + section: Choosing and Using Security Questions Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html + name: Cheat_sheets + section: Forgot Password Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Credential Stuffing Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.1.2 + ltype: Linked To +name: Provide a password strength meter diff --git a/cres/Provide_options_to_view_entire_password_or_last_typed_character.yaml b/cres/Provide_options_to_view_entire_password_or_last_typed_character.yaml new file mode 100644 index 000000000..7bda23dea --- /dev/null +++ b/cres/Provide_options_to_view_entire_password_or_last_typed_character.yaml 
@@ -0,0 +1,50 @@ +doctype: CRE +id: 487-305 +links: +- document: + doctype: CRE + id: 789-320 + name: Login functionality + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.1.12 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/521.html + name: CWE + section: '521' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html + name: WSTG + section: WSTG-ATHN-07 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html + name: Cheat_sheets + section: Choosing and Using Security Questions Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html + name: Cheat_sheets + section: Forgot Password Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Credential Stuffing Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.1.2 + ltype: Linked To +name: Provide options to view entire password or last typed character diff --git a/cres/Provide_system_flexibility_for_access_control.yaml b/cres/Provide_system_flexibility_for_access_control.yaml new file mode 100644 index 000000000..c97d26ceb --- /dev/null +++ b/cres/Provide_system_flexibility_for_access_control.yaml 
@@ -0,0 +1,49 @@ +doctype: CRE +id: 412-561 +links: +- document: + doctype: CRE + id: 724-770 + name: '>>Authorized access' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.4.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/284.html + name: CWE + section: '284' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html + name: Cheat_sheets + section: Docker Security Cheat Sheet + ltype: Linked To +- document: + description: '"Use per user or session indirect object references (create a temporary + mapping at time of use). Or, ensure that each use of a direct object reference + is tied to an authorization check to ensure the user is authorized for the requested + object. "' + doctype: Tool + name: 'ZAP Alert: "Username Hash Found"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Use per user or session indirect object references (create a temporary + mapping at time of use). Or, ensure that each use of a direct object reference + is tied to an authorization check to ensure the user is authorized for the requested + object."' + doctype: Tool + name: 'ZAP Alert: "Username Hash Found in WebSocket message"' + tags: + - '"WebSocket Passive"' + tooltype: Offensive + ltype: SAME +name: Provide system flexibility for access control diff --git a/cres/RESTful.yaml b/cres/RESTful.yaml index 133bd7f4b..efb819122 100644 --- a/cres/RESTful.yaml +++ b/cres/RESTful.yaml 
@@ -5,22 +5,22 @@ links: doctype: CRE id: 118-110 name: API/web services - type: Contains + ltype: Contains - document: doctype: CRE id: 001-746 name: Anti-Automation protection for REST services - type: Contains + ltype: Contains - document: doctype: CRE id: 543-512 name: Verify content-type for REST services - type: Contains + ltype: Contains - document: doctype: CRE id: 464-084 name: Add CSRF protection for cookie based REST services tags: - CSRF - type: Contains + ltype: Contains name: RESTful diff --git a/cres/Re-authenticate_before_sensitive_transactions.yaml b/cres/Re-authenticate_before_sensitive_transactions.yaml new file mode 100644 index 000000000..fc2f0feb3 --- /dev/null +++ b/cres/Re-authenticate_before_sensitive_transactions.yaml 
@@ -0,0 +1,39 @@ +doctype: CRE +id: 582-541 +links: +- document: + doctype: CRE + id: 177-260 + name: '>>Session management' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md + name: ASVS + section: V3.7.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/306.html + name: CWE + section: '306' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.html#session-id-predictability-and-randomness + name: WSTG + section: WSTG-SESS-01 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Session Management Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Transaction_Authorization_Cheat_Sheet.html + name: Cheat_sheets + section: Transaction Authorization Cheat Sheet + ltype: Linked To +name: Re-authenticate before sensitive transactions diff --git a/cres/Re-authentication_from_federation_or_assertion.yaml b/cres/Re-authentication_from_federation_or_assertion.yaml new file mode 100644 index 000000000..874175fb0 --- /dev/null +++ b/cres/Re-authentication_from_federation_or_assertion.yaml 
@@ -0,0 +1,26 @@ +doctype: CRE +id: 258-115 +links: +- document: + doctype: CRE + id: 177-260 + name: '>>Session management' + ltype: Contains +- document: + doctype: CRE + id: 052-821 + name: When using an authentication third party (CSP), relay last authentication + event to other parties in the chain + ltype: Contains +- document: + doctype: CRE + id: 618-403 + name: Enforce authentication timeout when dealing with an authentication third + party (CSP) + ltype: Contains +- document: + doctype: CRE + id: 551-400 + name: Allow user revocation of Oauth tokens + ltype: Contains +name: Re-authentication from federation or assertion diff --git a/cres/Reject_non-whitelisted_content_types.yaml b/cres/Reject_non-whitelisted_content_types.yaml new file mode 100644 index 000000000..c35d0d236 --- /dev/null +++ b/cres/Reject_non-whitelisted_content_types.yaml @@ -0,0 +1,33 @@ +doctype: CRE +id: 377-680 +links: +- document: + doctype: CRE + id: 118-110 + name: API/web services + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x21-V13-API.md + name: ASVS + section: V13.1.5 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/434.html + name: CWE + section: '434' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet.html + name: Cheat_sheets + section: Web Service Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Server Side Request Forgery Prevention Cheat Sheet + ltype: Linked To +name: Reject non-whitelisted content types 
diff --git a/cres/Remove_unnecessary_features,_documentation,_configuration_etc.yaml b/cres/Remove_unnecessary_features,_documentation,_configuration_etc.yaml new file mode 100644 index 000000000..01c280c8c --- /dev/null +++ b/cres/Remove_unnecessary_features,_documentation,_configuration_etc.yaml @@ -0,0 +1,46 @@ +doctype: CRE +id: 462-245 +links: +- document: + doctype: CRE + id: 613-285 + name: '>>Dependency strength' + ltype: Contains +- document: + doctype: CRE + id: 486-813 + name: Configuration + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md + name: ASVS + section: V14.2.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/1002.html + name: CWE + section: '1002' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html + name: WSTG + section: WSTG-CONF-04 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html + name: Cheat_sheets + section: Docker Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Vulnerable Dependency Management Cheat Sheet + ltype: Linked To +name: Remove unnecessary features, documentation, configuration etc +tags: +- Configuration diff --git a/cres/Require_proof_of_identity_of_the_same_level_as_during_enrollment_when_recovering_OTP_or_MFA.yaml b/cres/Require_proof_of_identity_of_the_same_level_as_during_enrollment_when_recovering_OTP_or_MFA.yaml new file mode 100644 index 000000000..19585a7c8 --- /dev/null 
+++ b/cres/Require_proof_of_identity_of_the_same_level_as_during_enrollment_when_recovering_OTP_or_MFA.yaml @@ -0,0 +1,39 @@ +doctype: CRE +id: 358-860 +links: +- document: + doctype: CRE + id: 520-617 + name: Credential recovery + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.5.7 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/308.html + name: CWE + section: '308' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html + name: Cheat_sheets + section: Choosing and Using Security Questions Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html + name: Cheat_sheets + section: Forgot Password Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 6.1.2.3 + ltype: Linked To +name: Require proof of identity of the same level as during enrollment when recovering + OTP or MFA diff --git a/cres/Resist_stolen_credentials.yaml b/cres/Resist_stolen_credentials.yaml new file mode 100644 index 000000000..07b8dd8d2 --- /dev/null +++ b/cres/Resist_stolen_credentials.yaml 
@@ -0,0 +1,51 @@ +doctype: CRE +id: 333-858 +links: +- document: + doctype: CRE + id: 270-568 + name: Authentication mechanism + ltype: Contains +- document: + doctype: CRE + id: 170-772 + name: Cryptography + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.2.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/308.html + name: CWE + section: '308' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html + name: Cheat_sheets + section: Authentication Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html + name: Cheat_sheets + section: Transport Layer Protection Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html + name: Cheat_sheets + section: TLS Cipher String Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.2.5 + ltype: Linked To +name: Resist stolen credentials +tags: +- Cryptography diff --git a/cres/Restrict_XML_parsing_(against_XXE).yaml b/cres/Restrict_XML_parsing_(against_XXE).yaml new file mode 100644 index 000000000..2614602e2 --- /dev/null +++ b/cres/Restrict_XML_parsing_(against_XXE).yaml 
@@ -0,0 +1,67 @@ +doctype: CRE +id: 764-507 +links: +- document: + doctype: CRE + name: XML Parser hardening + ltype: Contains +- document: + doctype: CRE + id: 486-813 + name: Configuration + ltype: Related +- document: + doctype: CRE + id: 760-764 + name: Injection + tags: + - XSS + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.5.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/611.html + name: CWE + section: '611' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.html + name: WSTG + section: WSTG-INPV-07 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html + name: Cheat_sheets + section: Deserialization Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: XML External Entity Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html + name: Cheat_sheets + section: XML Security Cheat Sheet + ltype: Linked To +- document: + description: '"TBA"' + doctype: Tool + name: 'ZAP Alert: "XML External Entity Attack"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Restrict XML parsing (against XXE) +tags: +- Injection +- Configuration diff --git a/cres/Restrict_excessive_authentication.yaml b/cres/Restrict_excessive_authentication.yaml new file mode 100644 index 000000000..e29f96232 --- /dev/null +++ b/cres/Restrict_excessive_authentication.yaml 
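Review bot: The `ZAP Alert: "XML External Entity Attack"` entry ships `description: '"TBA"'`, a placeholder rather than remediation advice; `ZAP Alert: "Insecure HTTP Method"` in cres/Protect_logs_against_unauthorized_access.yaml has the same value. Entries with no advice, such as `ZAP Alert: "Proxy Disclosure"`, already omit the key, so I would drop `description` whenever the source text is a placeholder, letting consumers tell "no advice yet" from real guidance. Related to this, the ZAP-derived scalars across these hunks keep their source quotes inside the YAML string (`'"TBA"'`, `- '"Active"'`, `- '"WebSocket Passive"'`), so a tag compares as `"Active"` with the quote characters included. Stripping them at import would give `- Active`.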
@@ -0,0 +1,65 @@ +doctype: CRE +id: 802-056 +links: +- document: + doctype: CRE + id: 270-568 + name: Authentication mechanism + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.2.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/307.html + name: CWE + section: '307' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/03-Testing_for_Weak_Lock_Out_Mechanism.html + name: WSTG + section: WSTG-ATHN-03 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html + name: Cheat_sheets + section: Authentication Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html + name: Cheat_sheets + section: Transport Layer Protection Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html + name: Cheat_sheets + section: TLS Cipher String Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.2.2 + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.1.2 + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.4.2 + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.5.2 + ltype: Linked To +name: Restrict excessive authentication diff --git a/cres/SOAP.yaml b/cres/SOAP.yaml index b1cecaa6f..61c948260 100644 --- a/cres/SOAP.yaml +++ b/cres/SOAP.yaml 
@@ -5,15 +5,15 @@ links: doctype: CRE id: 118-110 name: API/web services - type: Contains + ltype: Contains - document: doctype: CRE id: 611-051 name: Enforce schema on XML structure/field - type: Contains + ltype: Contains - document: doctype: CRE id: 456-636 name: Add integrity check to SOAP payload - type: Contains + ltype: Contains name: SOAP diff --git a/cres/SSRF.yaml b/cres/SSRF.yaml index 6c6919376..ef610b847 100644 --- a/cres/SSRF.yaml +++ b/cres/SSRF.yaml @@ -7,7 +7,7 @@ links: name: Force uniform encoders and parsers throughout system tags: - SSRF - type: Related + ltype: Related - document: doctype: CRE id: 742-056 @@ -15,7 +15,7 @@ links: file context, eg RFI) tags: - SSRF - type: Related + ltype: Related - document: doctype: CRE id: 657-084 @@ -23,10 +23,10 @@ links: and whitelisting tags: - SSRF - type: Related + ltype: Related - document: doctype: CRE id: 546-564 name: '>>Tags' - type: Contains + ltype: Contains name: SSRF diff --git a/cres/Sandbox,_containerize_and-or_isolate_applications_at_the_network_level.yaml b/cres/Sandbox,_containerize_and-or_isolate_applications_at_the_network_level.yaml new file mode 100644 index 000000000..40ff96acf --- /dev/null +++ b/cres/Sandbox,_containerize_and-or_isolate_applications_at_the_network_level.yaml 
@@ -0,0 +1,41 @@ +doctype: CRE +id: 515-021 +links: +- document: + doctype: CRE + id: 726-868 + name: Deployed topology + tags: + - Architecture + ltype: Contains +- document: + doctype: CRE + id: 836-068 + name: Deserialization Prevention + ltype: Related +- document: + doctype: CRE + id: 155-155 + name: Architecture + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.14.5 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c5-validate-all-inputs.html + name: OPC + section: C5 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/265.html + name: CWE + section: '265' + ltype: Linked To +name: Sandbox, containerize and/or isolate applications at the network level +tags: +- Architecture diff --git a/cres/Sandbox_third_party_libraries.yaml b/cres/Sandbox_third_party_libraries.yaml new file mode 100644 index 000000000..390c681c0 --- /dev/null +++ b/cres/Sandbox_third_party_libraries.yaml 
@@ -0,0 +1,39 @@ +doctype: CRE +id: 860-084 +links: +- document: + doctype: CRE + id: 613-287 + name: Dependency integrity + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md + name: ASVS + section: V14.2.6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c2-leverage-security-frameworks-libraries.html + name: OPC + section: C2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/265.html + name: CWE + section: '265' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html + name: Cheat_sheets + section: Docker Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Vulnerable Dependency Management Cheat Sheet + ltype: Linked To +name: Sandbox third party libraries diff --git a/cres/Sanitization_and_sandboxing.yaml b/cres/Sanitization_and_sandboxing.yaml new file mode 100644 index 000000000..ddba920d6 --- /dev/null +++ b/cres/Sanitization_and_sandboxing.yaml 
@@ -0,0 +1,75 @@ +doctype: CRE +id: 764-765 +links: +- document: + doctype: CRE + id: 503-455 + name: '>>Input and output verification' + ltype: Contains +- document: + doctype: CRE + id: 268-088 + name: Limit query impact GraphQL/data layer expression DoS + tags: + - DOS + ltype: Contains +- document: + doctype: CRE + id: 760-765 + name: XSS + ltype: Related +- document: + doctype: CRE + id: 760-764 + name: Injection + tags: + - XSS + ltype: Related +- document: + doctype: CRE + id: 317-743 + name: Do not use eval or dynamic code execution functions + ltype: Contains +- document: + doctype: CRE + id: 422-005 + name: Sanitize/sandbox user input where template-injection is a threat + ltype: Contains +- document: + doctype: CRE + id: 646-462 + name: Sanitize, disable, or sandbox untrusted scriptable or template language + content + ltype: Contains +- document: + doctype: CRE + id: 145-310 + name: Sanitize, disable, or sandbox untrusted SVG scriptable content + ltype: Contains +- document: + doctype: CRE + id: 881-434 + name: Sanitize user input before passing content to mail systems (SMTP/IMAP injection) + ltype: Contains +- document: + doctype: CRE + id: 657-084 + name: (SSRF) When depending on internal server input, use validation sanitization + and whitelisting + tags: + - SSRF + ltype: Contains +- document: + doctype: CRE + id: 538-446 + name: Sanitize unstructured data + ltype: Contains +- document: + doctype: CRE + id: 542-445 + name: Sanitize untrusted HTML input + ltype: Contains +name: Sanitization and sandboxing +tags: +- Injection +- XSS diff --git a/cres/Sanitize,_disable,_or_sandbox_untrusted_SVG_scriptable_content.yaml b/cres/Sanitize,_disable,_or_sandbox_untrusted_SVG_scriptable_content.yaml new file mode 100644 index 000000000..34aa30b43 --- /dev/null +++ b/cres/Sanitize,_disable,_or_sandbox_untrusted_SVG_scriptable_content.yaml 
@@ -0,0 +1,48 @@ +doctype: CRE +id: 145-310 +links: +- document: + doctype: CRE + id: 764-765 + name: Sanitization and sandboxing + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.2.7 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/159.html + name: CWE + section: '159' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Server Side Request Forgery Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Cross Site Scripting Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: DOM based XSS Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html + name: Cheat_sheets + section: Unvalidated Redirects and Forwards Cheat Sheet + ltype: Linked To +name: Sanitize, disable, or sandbox untrusted SVG scriptable content diff --git a/cres/Sanitize,_disable,_or_sandbox_untrusted_scriptable_or_template_language_content.yaml b/cres/Sanitize,_disable,_or_sandbox_untrusted_scriptable_or_template_language_content.yaml new file mode 100644 index 000000000..d6c4cc2ed --- /dev/null +++ b/cres/Sanitize,_disable,_or_sandbox_untrusted_scriptable_or_template_language_content.yaml 
@@ -0,0 +1,79 @@ +doctype: CRE +id: 646-462 +links: +- document: + doctype: CRE + id: 764-765 + name: Sanitization and sandboxing + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.2.8 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/94.html + name: CWE + section: '94' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/05-Testing_for_CSS_Injection.html + name: WSTG + section: WSTG-CLNT-05 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Server Side Request Forgery Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Cross Site Scripting Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: DOM based XSS Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html + name: Cheat_sheets + section: Unvalidated Redirects and Forwards Cheat Sheet + ltype: Linked To +- document: + description: '"Ensure the .htaccess file is not accessible."' + doctype: Tool + name: 'ZAP Alert: ".htaccess Information Leak"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "Server Side Code Injection"' + 
tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Consider whether or not ELMAH is actually required in production, + if it isn''t then disable it. If it is then ensure access to it requires authentication + and authorization. See also: https://elmah.github.io/a/securing-error-log-pages/"' + doctype: Tool + name: 'ZAP Alert: "ELMAH Information Leak"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Sanitize, disable, or sandbox untrusted scriptable or template language content diff --git a/cres/Sanitize-sandbox_user_input_where_template-injection_is_a_threat.yaml b/cres/Sanitize-sandbox_user_input_where_template-injection_is_a_threat.yaml new file mode 100644 index 000000000..f40959c3a --- /dev/null +++ b/cres/Sanitize-sandbox_user_input_where_template-injection_is_a_threat.yaml 
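Review bot: In `cres/Sanitize,_disable,_or_sandbox_untrusted_scriptable_or_template_language_content.yaml` the Tool entries `ZAP Alert: ".htaccess Information Leak"` and `ZAP Alert: "ELMAH Information Leak"` are linked with `ltype: SAME` to a CRE about sanitizing scriptable or template content, although their own descriptions are about restricting access to a file and to an error-log page. The alerts look like they were attached through the shared CWE-94 link rather than by topic; this is an inference, since the parser is not part of this hunk. The identical three entries repeat under CRE 422-005 in `Sanitize-sandbox_user_input_where_template-injection_is_a_threat.yaml`, and `ZAP Alert: "GET for POST"` lands on `Secure auto-updates over full stack` in the same way. I would keep `ltype: SAME` only for `Server Side Code Injection` here, and drop the other two or downgrade them to `ltype: Related` until the mapping has been reviewed by hand.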
@@ -0,0 +1,79 @@ +doctype: CRE +id: 422-005 +links: +- document: + doctype: CRE + id: 764-765 + name: Sanitization and sandboxing + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.2.5 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/94.html + name: CWE + section: '94' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection.html + name: WSTG + section: WSTG-INPV-18 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Server Side Request Forgery Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Cross Site Scripting Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: DOM based XSS Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html + name: Cheat_sheets + section: Unvalidated Redirects and Forwards Cheat Sheet + ltype: Linked To +- document: + description: '"Ensure the .htaccess file is not accessible."' + doctype: Tool + name: 'ZAP Alert: ".htaccess Information Leak"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + name: 'ZAP Alert: "Server 
Side Code Injection"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Consider whether or not ELMAH is actually required in production, + if it isn''t then disable it. If it is then ensure access to it requires authentication + and authorization. See also: https://elmah.github.io/a/securing-error-log-pages/"' + doctype: Tool + name: 'ZAP Alert: "ELMAH Information Leak"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Sanitize/sandbox user input where template-injection is a threat diff --git a/cres/Sanitize_filename_metadata_from_untrusted_origin_if_processing_is_required.yaml b/cres/Sanitize_filename_metadata_from_untrusted_origin_if_processing_is_required.yaml new file mode 100644 index 000000000..965722d2c --- /dev/null +++ b/cres/Sanitize_filename_metadata_from_untrusted_origin_if_processing_is_required.yaml @@ -0,0 +1,34 @@ +doctype: CRE +id: 675-168 +links: +- document: + doctype: CRE + id: 451-082 + name: File execution + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x20-V12-Files-Resources.md + name: ASVS + section: V12.3.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/22.html + name: CWE + section: '22' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.html + name: WSTG + section: WSTG-ATHZ-01 + ltype: Linked To +- document: + doctype: Tool + name: 'ZAP Alert: "Path Traversal"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Sanitize filename metadata from untrusted origin if processing is required diff --git a/cres/Sanitize_unstructured_data.yaml b/cres/Sanitize_unstructured_data.yaml new file mode 100644 index 000000000..30a86d017 --- /dev/null 
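Review bot: The tag on the `ZAP Alert: "Path Traversal"` entry in `cres/Sanitize_filename_metadata_from_untrusted_origin_if_processing_is_required.yaml` is written as `- '"Active"'`, so the stored value includes the double quotes and will not equal `Active` for a consumer that filters on the tag. CRE tags elsewhere in this patch are unquoted (`- Injection`, `- XSS`), so I would emit `- Active` here. The same wrapping appears on every ZAP Tool entry in the neighbouring hunks, including `description` values such as `'"Ensure the .htaccess file is not accessible."'`. That suggests the quotes are carried over unstripped from the alert source, in a step that is outside this hunk.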
+++ b/cres/Sanitize_unstructured_data.yaml @@ -0,0 +1,54 @@ +doctype: CRE +id: 538-446 +links: +- document: + doctype: CRE + id: 764-765 + name: Sanitization and sandboxing + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.2.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/138.html + name: CWE + section: '138' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/ + name: WSTG + section: WSTG-INPV-00 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Server Side Request Forgery Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Cross Site Scripting Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: DOM based XSS Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html + name: Cheat_sheets + section: Unvalidated Redirects and Forwards Cheat Sheet + ltype: Linked To +name: Sanitize unstructured data diff --git a/cres/Sanitize_untrusted_HTML_input.yaml b/cres/Sanitize_untrusted_HTML_input.yaml new file mode 100644 index 000000000..09125930d --- /dev/null +++ b/cres/Sanitize_untrusted_HTML_input.yaml 
@@ -0,0 +1,60 @@ +doctype: CRE +id: 542-445 +links: +- document: + doctype: CRE + id: 764-765 + name: Sanitization and sandboxing + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.2.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c5-validate-all-inputs.html + name: OPC + section: C5 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/116.html + name: CWE + section: '116' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/03-Testing_for_HTML_Injection.html + name: WSTG + section: WSTG-CLNT-03 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Server Side Request Forgery Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Cross Site Scripting Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: DOM based XSS Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html + name: Cheat_sheets + section: Unvalidated Redirects and Forwards Cheat Sheet + ltype: Linked To +name: Sanitize untrusted HTML input 
diff --git a/cres/Sanitize_user_input_before_passing_content_to_mail_systems_(SMTP-IMAP_injection).yaml b/cres/Sanitize_user_input_before_passing_content_to_mail_systems_(SMTP-IMAP_injection).yaml new file mode 100644 index 000000000..997a68168 --- /dev/null +++ b/cres/Sanitize_user_input_before_passing_content_to_mail_systems_(SMTP-IMAP_injection).yaml 
@@ -0,0 +1,54 @@ +doctype: CRE +id: 881-434 +links: +- document: + doctype: CRE + id: 764-765 + name: Sanitization and sandboxing + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.2.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/147.html + name: CWE + section: '147' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/10-Testing_for_IMAP_SMTP_Injection.html + name: WSTG + section: WSTG-INPV-10 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Server Side Request Forgery Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Cross Site Scripting Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: DOM based XSS Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html + name: Cheat_sheets + section: Unvalidated Redirects and Forwards Cheat Sheet + ltype: Linked To +name: Sanitize user input before passing content to mail systems (SMTP/IMAP injection) diff --git a/cres/Scan_untrusted_files_for_malware.yaml b/cres/Scan_untrusted_files_for_malware.yaml new file mode 100644 index 000000000..6a53dd61e --- /dev/null 
+++ b/cres/Scan_untrusted_files_for_malware.yaml @@ -0,0 +1,27 @@ +doctype: CRE +id: 112-273 +links: +- document: + doctype: CRE + id: 758-262 + name: File storage + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x20-V12-Files-Resources.md + name: ASVS + section: V12.4.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/509.html + name: CWE + section: '509' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.html + name: WSTG + section: WSTG-BUSL-09 + ltype: Linked To +name: Scan untrusted files for malware diff --git a/cres/Secret_storage.yaml b/cres/Secret_storage.yaml new file mode 100644 index 000000000..feb70c8ed --- /dev/null +++ b/cres/Secret_storage.yaml 
@@ -0,0 +1,88 @@ +doctype: CRE +id: 223-780 +links: +- document: + doctype: CRE + id: 170-772 + name: Cryptography + ltype: Related +- document: + doctype: CRE + id: 881-321 + name: Store credentials securely + ltype: Contains +- document: + doctype: CRE + id: 783-255 + name: Store cryptographic keys securely + ltype: Contains +- document: + doctype: CRE + id: 774-888 + name: Do not store secrets in the code + ltype: Contains +- document: + doctype: CRE + id: 077-781 + name: Use separately stored secret salt (pepper) + ltype: Contains +- document: + doctype: CRE + id: 340-375 + name: Use a dedicated secrets management solution + ltype: Contains +- document: + doctype: CRE + id: 078-427 + name: Set the highest feasible work factor for bcrypt + ltype: Contains +- document: + doctype: CRE + id: 767-435 + name: Set the highest feasible iteration count for PBKDF2 + ltype: Contains +- document: + doctype: CRE + id: 032-213 + name: Use an isolated security module for cryptographic operations + ltype: Contains +- document: + doctype: CRE + id: 082-530 + name: Use unique random salt with sufficient entropy for each credential + ltype: Contains +- document: + doctype: CRE + id: 622-203 + name: Store passwords salted and hashed + ltype: Contains +- document: + doctype: CRE + id: 508-702 + name: Use key vaults + ltype: Contains +- document: + doctype: CRE + id: 821-832 + name: Ensure keys and passwords are replaceable + ltype: Contains +- document: + doctype: CRE + id: 543-428 + name: Use security module to store one-time password verification keys + tags: + - Cryptography + ltype: Related +- document: + doctype: CRE + id: 287-305 + name: Document explicit key/secret management + ltype: Related +- document: + doctype: CRE + id: 126-668 + name: '>>Secure data storage' + ltype: Contains +name: Secret storage +tags: +- Cryptography diff --git a/cres/Secure_Development.yaml b/cres/Secure_Development.yaml new file mode 100644 index 000000000..80e5622b6 --- /dev/null 
+++ b/cres/Secure_Development.yaml @@ -0,0 +1,13 @@ +doctype: CRE +links: +- document: + doctype: CRE + id: 840-757 + name: Guidelines + ltype: Contains +- document: + doctype: CRE + id: 255-443 + name: Techniques + ltype: Contains +name: Secure Development diff --git a/cres/Secure_auto-updates_over_full_stack.yaml b/cres/Secure_auto-updates_over_full_stack.yaml new file mode 100644 index 000000000..445b23223 --- /dev/null +++ b/cres/Secure_auto-updates_over_full_stack.yaml @@ -0,0 +1,35 @@ +doctype: CRE +id: 028-254 +links: +- document: + doctype: CRE + id: 615-188 + name: Deployment process + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x18-V10-Malicious.md + name: ASVS + section: V10.3.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/16.html + name: CWE + section: '16' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html + name: Cheat_sheets + section: Docker Security Cheat Sheet + ltype: Linked To +- document: + description: '"Ensure that only POST is accepted where POST is expected."' + doctype: Tool + name: 'ZAP Alert: "GET for POST"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Secure auto-updates over full stack diff --git a/cres/Secure_name-address_resolution_service.yaml b/cres/Secure_name-address_resolution_service.yaml new file mode 100644 index 000000000..dfe4780ab --- /dev/null +++ b/cres/Secure_name-address_resolution_service.yaml 
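Review bot: `cres/Secure_Development.yaml` has no `id:` key; it goes from `doctype: CRE` straight to `links:`, while the other CRE files in this patch carry one and the CRE links visible here all refer to their target by `id`. Without it no other document can point at `Secure Development` the way the rest of the graph is linked. `cres/Server_protection.yaml` further down has the same gap. If these grouping nodes are meant to be addressable, add an `id: <CRE-ID-PLACEHOLDER>` line after `doctype: CRE`; if the omission is deliberate, a loader check that reports id-less CREs would make that explicit.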
@@ -0,0 +1,28 @@ +doctype: CRE +id: 058-527 +links: +- document: + doctype: CRE + id: 336-512 + name: Ensure integrity of DNS entries and domains + tags: + - Secure name/address resolution service + ltype: Related +- document: + doctype: CRE + id: 546-564 + name: '>>Tags' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-20 + name: NIST 800-53 v5 + section: SC-20 Secure Name/address Resolution Service (authoritative Source) + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-21 + name: NIST 800-53 v5 + section: SC-21 Secure Name/address Resolution Service (recursive or Caching Resolver) + ltype: Linked To +name: Secure name/address resolution service diff --git a/cres/Secure_random_values.yaml b/cres/Secure_random_values.yaml new file mode 100644 index 000000000..e515ba1b5 --- /dev/null +++ b/cres/Secure_random_values.yaml @@ -0,0 +1,33 @@ +doctype: CRE +id: 542-270 +links: +- document: + doctype: CRE + id: 126-668 + name: '>>Secure data storage' + ltype: Contains +- document: + doctype: CRE + id: 170-772 + name: Cryptography + ltype: Related +- document: + doctype: CRE + id: 542-488 + name: Use cryptographically secure random number generators + ltype: Contains +- document: + doctype: CRE + id: 664-571 + name: Ensure proper generation of secure random + tags: + - Cryptography + ltype: Contains +- document: + doctype: CRE + id: 027-210 + name: Create random GUIDs with cryptographically secure random number generators + ltype: Contains +name: Secure random values +tags: +- Cryptography diff --git a/cres/Secure_serialized_objects_(e.g._integrity_checks).yaml b/cres/Secure_serialized_objects_(e.g._integrity_checks).yaml new file mode 100644 index 000000000..fa67b3434 --- /dev/null 
+++ b/cres/Secure_serialized_objects_(e.g._integrity_checks).yaml @@ -0,0 +1,45 @@ +doctype: CRE +id: 762-616 +links: +- document: + doctype: CRE + id: 836-068 + name: Deserialization Prevention + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.5.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c5-validate-all-inputs.html + name: OPC + section: C5 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/502.html + name: CWE + section: '502' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html + name: Cheat_sheets + section: Deserialization Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: XML External Entity Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html + name: Cheat_sheets + section: XML Security Cheat Sheet + ltype: Linked To +name: Secure serialized objects (e.g. integrity checks) diff --git a/cres/Securely_automate_build_and_deployment_in_pipeline.yaml b/cres/Securely_automate_build_and_deployment_in_pipeline.yaml new file mode 100644 index 000000000..1cdb1f591 --- /dev/null +++ b/cres/Securely_automate_build_and_deployment_in_pipeline.yaml 
@@ -0,0 +1,21 @@ +doctype: CRE +id: 253-452 +links: +- document: + doctype: CRE + id: 615-188 + name: Deployment process + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md + name: ASVS + section: V14.1.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html + name: Cheat_sheets + section: Docker Security Cheat Sheet + ltype: Linked To +name: Securely automate build and deployment in pipeline diff --git a/cres/Securely_store_files_with_untrusted_origin.yaml b/cres/Securely_store_files_with_untrusted_origin.yaml new file mode 100644 index 000000000..c5cc0e465 --- /dev/null +++ b/cres/Securely_store_files_with_untrusted_origin.yaml @@ -0,0 +1,27 @@ +doctype: CRE +id: 307-111 +links: +- document: + doctype: CRE + id: 758-262 + name: File storage + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x20-V12-Files-Resources.md + name: ASVS + section: V12.4.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/922.html + name: CWE + section: '922' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.html + name: WSTG + section: WSTG-BUSL-09 + ltype: Linked To +name: Securely store files with untrusted origin diff --git a/cres/Securely_store_regulated_data.yaml b/cres/Securely_store_regulated_data.yaml new file mode 100644 index 000000000..e2c9948e3 --- /dev/null +++ b/cres/Securely_store_regulated_data.yaml 
@@ -0,0 +1,28 @@ +doctype: CRE +id: 275-483 +links: +- document: + doctype: CRE + id: 400-007 + name: Encrypt data at rest + tags: + - Cryptography + ltype: Contains +- document: + doctype: CRE + id: 267-468 + name: Encrypt financial data at rest + ltype: Contains +- document: + doctype: CRE + id: 224-321 + name: Encrypt health data at rest + ltype: Contains +- document: + doctype: CRE + id: 482-866 + name: Encrypt personal data at rest + tags: + - Personal data handling + ltype: Contains +name: Securely store regulated data diff --git a/cres/Securely_transfer_logs_(remotely).yaml b/cres/Securely_transfer_logs_(remotely).yaml new file mode 100644 index 000000000..d189d1f82 --- /dev/null +++ b/cres/Securely_transfer_logs_(remotely).yaml @@ -0,0 +1,27 @@ +doctype: CRE +id: 026-280 +links: +- document: + doctype: CRE + id: 148-420 + name: Log integrity + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.7.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c9-implement-security-logging-monitoring.html + name: OPC + section: C9 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html + name: Cheat_sheets + section: Logging Cheat Sheet + ltype: Linked To +name: Securely transfer logs (remotely) diff --git a/cres/Security_and_Privacy_Engineering_Principles.yaml b/cres/Security_and_Privacy_Engineering_Principles.yaml new file mode 100644 index 000000000..bc7bddfcc --- /dev/null +++ b/cres/Security_and_Privacy_Engineering_Principles.yaml 
@@ -0,0 +1,15 @@ +doctype: CRE +id: 180-070 +links: +- document: + doctype: CRE + id: 546-564 + name: '>>Tags' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-8 + name: NIST 800-53 v5 + section: SA-8 Security and Privacy Engineering Principles + ltype: Linked To +name: Security and Privacy Engineering Principles diff --git a/cres/Segregate_components_of_differing_trust_levels.yaml b/cres/Segregate_components_of_differing_trust_levels.yaml new file mode 100644 index 000000000..34d291eab --- /dev/null +++ b/cres/Segregate_components_of_differing_trust_levels.yaml @@ -0,0 +1,28 @@ +doctype: CRE +id: 273-600 +links: +- document: + doctype: CRE + id: 783-355 + name: Deployment + tags: + - Configuration + ltype: Contains +- document: + doctype: CRE + id: 724-770 + name: '>>Authorized access' + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.14.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/923.html + name: CWE + section: '923' + ltype: Linked To +name: Segregate components of differing trust levels diff --git a/cres/Send_authentication_secrets_encrypted.yaml b/cres/Send_authentication_secrets_encrypted.yaml new file mode 100644 index 000000000..1e5d73c2c --- /dev/null +++ b/cres/Send_authentication_secrets_encrypted.yaml 
@@ -0,0 +1,62 @@ +doctype: CRE +id: 270-634 +links: +- document: + doctype: CRE + id: 520-617 + name: Credential recovery + ltype: Contains +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Related +- document: + doctype: CRE + id: 278-646 + name: '>>Secure communication' + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.5.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html + name: OPC + section: C6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/640.html + name: CWE + section: '640' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/01-Testing_for_Credentials_Transported_over_an_Encrypted_Channel.html + name: WSTG + section: WSTG-ATHN-01 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html + name: Cheat_sheets + section: Choosing and Using Security Questions Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html + name: Cheat_sheets + section: Forgot Password Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.1.2 + ltype: Linked To +name: Send authentication secrets encrypted diff --git a/cres/Separate_GraphQL_(or_similar)_authorization_logic_from_data_layer.yaml b/cres/Separate_GraphQL_(or_similar)_authorization_logic_from_data_layer.yaml new file mode 100644 index 000000000..4b22bf527 --- /dev/null 
+++ b/cres/Separate_GraphQL_(or_similar)_authorization_logic_from_data_layer.yaml @@ -0,0 +1,28 @@ +doctype: CRE +id: 612-252 +links: +- document: + doctype: CRE + id: 118-110 + name: API/web services + ltype: Contains +- document: + doctype: CRE + id: 155-155 + name: Architecture + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x21-V13-API.md + name: ASVS + section: V13.4.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/285.html + name: CWE + section: '285' + ltype: Linked To +name: Separate GraphQL (or similar) authorization logic from data layer +tags: +- Architecture diff --git a/cres/Separate_storage_of_user_uploaded_files.yaml b/cres/Separate_storage_of_user_uploaded_files.yaml new file mode 100644 index 000000000..ab20968db --- /dev/null +++ b/cres/Separate_storage_of_user_uploaded_files.yaml @@ -0,0 +1,21 @@ +doctype: CRE +id: 634-883 +links: +- document: + doctype: CRE + id: 621-287 + name: File upload + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.12.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/552.html + name: CWE + section: '552' + ltype: Linked To +name: Separate storage of user uploaded files diff --git a/cres/Server_protection.yaml b/cres/Server_protection.yaml new file mode 100644 index 000000000..7e111e980 --- /dev/null +++ b/cres/Server_protection.yaml @@ -0,0 +1,10 @@ +doctype: CRE +links: +- document: + doctype: CRE + id: 180-488 + name: Proper Configuration for all applications and frameworks + tags: + - Configuration + ltype: Contains +name: Server protection diff --git a/cres/Session_integrity.yaml b/cres/Session_integrity.yaml new file mode 100644 index 000000000..269d0417e --- /dev/null +++ b/cres/Session_integrity.yaml 
@@ -0,0 +1,19 @@
+doctype: CRE
+id: 114-277
+links:
+- document:
+ doctype: CRE
+ id: 177-260
+ name: '>>Session management'
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 551-054
+ name: Use ephemeral secrets rather than static secrets
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 483-883
+ name: When using stateless tokens, ensure cryptographically secure characteristics
+ ltype: Contains
+name: Session integrity
diff --git a/cres/Session_lifecycle.yaml b/cres/Session_lifecycle.yaml
new file mode 100644
index 000000000..022fbbc7c
--- /dev/null
+++ b/cres/Session_lifecycle.yaml
@@ -0,0 +1,47 @@
+doctype: CRE
+id: 470-731
+links:
+- document:
+ doctype: CRE
+ id: 177-260
+ name: '>>Session management'
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 673-736
+ name: Enable option to log out from all active session
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 238-346
+ name: Terminate all sessions when password is changed
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 457-165
+ name: Terminate session after logout
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 065-782
+ name: Ensure session timeout (soft/hard)
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-10
+ name: NIST 800-53 v5
+ section: SC-10 NETWORK DISCONNECT
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-11
+ name: NIST 800-53 v5
+ section: AC-11 DEVICE LOCK
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-12
+ name: NIST 800-53 v5
+ section: AC-12 SESSION TERMINATION
+ ltype: Linked To
+name: Session lifecycle
diff --git a/cres/Session_token_generation.yaml b/cres/Session_token_generation.yaml
new file mode 100644
index 000000000..f55576a2c
--- /dev/null
+++ b/cres/Session_token_generation.yaml
@@ -0,0 +1,28 @@
+doctype: CRE
+id: 470-731
+links:
+- document:
+ doctype: CRE
+ id: 177-260
+ name: '>>Session management'
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 704-530
+ name: Enforce high entropy session tokens
+ tags:
+ - Cryptography
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 727-043
+ name: Ensure secure algorithms for generating session tokens
+ tags:
+ - Cryptography
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 002-630
+ name: Generate a new session token after authentication
+ ltype: Contains
+name: Session token generation
diff --git a/cres/Set__Host__prefix_for_cookie-based_session_tokens.yaml b/cres/Set__Host__prefix_for_cookie-based_session_tokens.yaml
new file mode 100644
index 000000000..b881592b6
--- /dev/null
+++ b/cres/Set__Host__prefix_for_cookie-based_session_tokens.yaml
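Review bot: `id: 470-731` in cres/Session_token_generation.yaml is the id that cres/Session_lifecycle.yaml already declares earlier in this patch, so two different CREs share one identifier. The links elsewhere in the patch that point at 470-731 carry the name Session lifecycle (the two Terminate_* files), which suggests the value in this file is a copy error. Depending on how the importer keys records, one entry may overwrite or merge with the other, and the token-generation controls (entropy, secure algorithms, renewal after authentication) would then hang off the wrong parent. Give this file its own identifier, `id: <unused CRE id>`, and consider making the import fail on a repeated top-level `id`.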
@@ -0,0 +1,51 @@
+doctype: CRE
+id: 232-034
+links:
+- document:
+ doctype: CRE
+ name: Protect session ID
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md
+ name: ASVS
+ section: V3.4.4
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/16.html
+ name: CWE
+ section: '16'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html#domain-attribute
+ name: WSTG
+ section: WSTG-SESS-02
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Session Management Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Cross-Site Request Forgery Prevention Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST 800-63
+ section: 7.1.1
+ ltype: Linked To
+- document:
+ description: '"Ensure that only POST is accepted where POST is expected."'
+ doctype: Tool
+ name: 'ZAP Alert: "GET for POST"'
+ tags:
+ - '"Active"'
+ tooltype: Offensive
+ ltype: SAME
+name: Set '_Host' prefix for cookie-based session tokens
diff --git a/cres/Set_and_confirm_integrity_of_security_deployment_configuration.yaml b/cres/Set_and_confirm_integrity_of_security_deployment_configuration.yaml
new file mode 100644
index 000000000..1f6572172
--- /dev/null
+++ b/cres/Set_and_confirm_integrity_of_security_deployment_configuration.yaml
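Review bot: The Tool link at the end of cres/Set__Host__prefix_for_cookie-based_session_tokens.yaml marks the ZAP alert "GET for POST" as `ltype: SAME`, but that alert's own description ("Ensure that only POST is accepted where POST is expected.") concerns HTTP method handling, not the cookie name prefix. The identical entry appears in the Set_path_attribute_... and Set_samesite_... files, and all three map to CWE 16, so the link was presumably derived from the shared CWE rather than from the control itself; the "Buffer Overflow" alert under Set_proper_(C)_compiler_flags.yaml looks like the same kind of match. Anyone using these files to decide which scanner finding evidences which control would be misled. Either drop these entries or downgrade them, e.g. `ltype: Related`, until each alert is matched to a requirement it actually tests.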
@@ -0,0 +1,23 @@
+doctype: CRE
+id: 347-352
+links:
+- document:
+ doctype: CRE
+ id: 783-355
+ name: Deployment
+ tags:
+ - Configuration
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md
+ name: ASVS
+ section: V14.1.5
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Docker Security Cheat Sheet
+ ltype: Linked To
+name: Set and confirm integrity of security deployment configuration
diff --git a/cres/Set_content_HTTP_response_type.yaml b/cres/Set_content_HTTP_response_type.yaml
new file mode 100644
index 000000000..b2acffad1
--- /dev/null
+++ b/cres/Set_content_HTTP_response_type.yaml
@@ -0,0 +1,27 @@
+doctype: CRE
+id: 036-725
+links:
+- document:
+ doctype: CRE
+ id: 636-347
+ name: HTTP security headers
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md
+ name: ASVS
+ section: V14.4.1
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/173.html
+ name: CWE
+ section: '173'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Content Security Policy Cheat Sheet
+ ltype: Linked To
+name: Set content HTTP response type
diff --git a/cres/Set_httponly_attribute_for_cookie-based_session_tokens.yaml b/cres/Set_httponly_attribute_for_cookie-based_session_tokens.yaml
new file mode 100644
index 000000000..c20225cc6
--- /dev/null
+++ b/cres/Set_httponly_attribute_for_cookie-based_session_tokens.yaml
@@ -0,0 +1,64 @@
+doctype: CRE
+id: 804-220
+links:
+- document:
+ doctype: CRE
+ name: Protect session ID
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 760-765
+ name: XSS
+ ltype: Related
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md
+ name: ASVS
+ section: V3.4.2
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html
+ name: OPC
+ section: C6
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/1004.html
+ name: CWE
+ section: '1004'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html#domain-attribute
+ name: WSTG
+ section: WSTG-SESS-02
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Session Management Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Cross-Site Request Forgery Prevention Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST 800-63
+ section: 7.1.1
+ ltype: Linked To
+- document:
+ description: '"Ensure that the HttpOnly flag is set for all cookies."'
+ doctype: Tool
+ name: 'ZAP Alert: "Cookie No HttpOnly Flag"'
+ tags:
+ - '"Passive"'
+ tooltype: Offensive
+ ltype: SAME
+name: Set httponly attribute for cookie-based session tokens
+tags:
+- XSS
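Review bot: The tag on the ZAP entry in cres/Set_httponly_attribute_for_cookie-based_session_tokens.yaml is written `- '"Passive"'`, so the stored value includes the double quotes and will not match a plain `Passive` tag; the `description` and the alert title inside `name` carry the same embedded quotes. This looks like quoting left over from the alert source rather than intent, and it repeats in every ZAP Alert entry visible in this patch (`'"Active"'` in the Set__Host, path, samesite and compiler-flags files, `'"Passive"'` in the secure-attribute and anti-caching files). I would store `- Passive` and `description: Ensure that the HttpOnly flag is set for all cookies.` and strip the quotes where the alert data is parsed.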
diff --git a/cres/Set_metadata-content-Disposition_for_API_responses.yaml b/cres/Set_metadata-content-Disposition_for_API_responses.yaml
new file mode 100644
index 000000000..820fc9299
--- /dev/null
+++ b/cres/Set_metadata-content-Disposition_for_API_responses.yaml
@@ -0,0 +1,27 @@
+doctype: CRE
+id: 736-237
+links:
+- document:
+ doctype: CRE
+ id: 636-347
+ name: HTTP security headers
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md
+ name: ASVS
+ section: V14.4.2
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/116.html
+ name: CWE
+ section: '116'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Content Security Policy Cheat Sheet
+ ltype: Linked To
+name: Set metadata/content-Disposition for API responses
diff --git a/cres/Set_path_attribute_in_cookie-based_session_tokens_as_precise_as_possible.yaml b/cres/Set_path_attribute_in_cookie-based_session_tokens_as_precise_as_possible.yaml
new file mode 100644
index 000000000..4aece5ac7
--- /dev/null
+++ b/cres/Set_path_attribute_in_cookie-based_session_tokens_as_precise_as_possible.yaml
@@ -0,0 +1,57 @@
+doctype: CRE
+id: 705-182
+links:
+- document:
+ doctype: CRE
+ name: Protect session ID
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md
+ name: ASVS
+ section: V3.4.5
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html
+ name: OPC
+ section: C6
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/16.html
+ name: CWE
+ section: '16'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html#domain-attribute
+ name: WSTG
+ section: WSTG-SESS-02
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Session Management Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Cross-Site Request Forgery Prevention Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST 800-63
+ section: 7.1.1
+ ltype: Linked To
+- document:
+ description: '"Ensure that only POST is accepted where POST is expected."'
+ doctype: Tool
+ name: 'ZAP Alert: "GET for POST"'
+ tags:
+ - '"Active"'
+ tooltype: Offensive
+ ltype: SAME
+name: Set path attribute in cookie-based session tokens as precise as possible
diff --git a/cres/Set_proper_(C)_compiler_flags.yaml b/cres/Set_proper_(C)_compiler_flags.yaml
new file mode 100644
index 000000000..9008a0bc0
--- /dev/null
+++ b/cres/Set_proper_(C)_compiler_flags.yaml
@@ -0,0 +1,36 @@
+doctype: CRE
+id: 314-131
+links:
+- document:
+ doctype: CRE
+ id: 615-188
+ name: Deployment process
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md
+ name: ASVS
+ section: V14.1.2
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/120.html
+ name: CWE
+ section: '120'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Docker Security Cheat Sheet
+ ltype: Linked To
+- document:
+ description: '"Rewrite the background program using proper return length checking. This
+ will require a recompile of the background executable."'
+ doctype: Tool
+ name: 'ZAP Alert: "Buffer Overflow"'
+ tags:
+ - '"Active"'
+ tooltype: Offensive
+ ltype: SAME
+name: Set proper (C) compiler flags
diff --git a/cres/Set_samesite_attribute_for_cookie-based_session_tokens.yaml b/cres/Set_samesite_attribute_for_cookie-based_session_tokens.yaml
new file mode 100644
index 000000000..878dda828
--- /dev/null
+++ b/cres/Set_samesite_attribute_for_cookie-based_session_tokens.yaml
@@ -0,0 +1,65 @@
+doctype: CRE
+id: 342-055
+links:
+- document:
+ doctype: CRE
+ id: 110-531
+ name: Cookie-config
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 028-727
+ name: CSRF
+ ltype: Related
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md
+ name: ASVS
+ section: V3.4.3
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html
+ name: OPC
+ section: C6
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/16.html
+ name: CWE
+ section: '16'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html#domain-attribute
+ name: WSTG
+ section: WSTG-SESS-02
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Session Management Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Cross-Site Request Forgery Prevention Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST 800-63
+ section: are g
+ ltype: Linked To
+- document:
+ description: '"Ensure that only POST is accepted where POST is expected."'
+ doctype: Tool
+ name: 'ZAP Alert: "GET for POST"'
+ tags:
+ - '"Active"'
+ tooltype: Offensive
+ ltype: SAME
+name: Set "samesite" attribute for cookie-based session tokens
+tags:
+- CSRF
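Review bot: The NIST 800-63 link in cres/Set_samesite_attribute_for_cookie-based_session_tokens.yaml has `section: are g`, which is not a section reference and looks like a fragment of a sentence picked up from the source data. The sibling cookie-attribute files in this patch (_Host prefix, httponly, path, secure) all cite `section: 7.1.1` for the same standard. If that is also what applies here, use `section: 7.1.1`; otherwise remove the link rather than keep a pointer that cannot be resolved.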
diff --git a/cres/Set_secure_attribute_for_cookie-based_session_tokens.yaml b/cres/Set_secure_attribute_for_cookie-based_session_tokens.yaml
new file mode 100644
index 000000000..7e2947f48
--- /dev/null
+++ b/cres/Set_secure_attribute_for_cookie-based_session_tokens.yaml
@@ -0,0 +1,59 @@
+doctype: CRE
+id: 688-081
+links:
+- document:
+ doctype: CRE
+ name: Protect session ID
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md
+ name: ASVS
+ section: V3.4.1
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html
+ name: OPC
+ section: C6
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/614.html
+ name: CWE
+ section: '614'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html#domain-attribute
+ name: WSTG
+ section: WSTG-SESS-02
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Session Management Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Cross-Site Request Forgery Prevention Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST 800-63
+ section: 7.1.1
+ ltype: Linked To
+- document:
+ description: '"Whenever a cookie contains sensitive information or is a session
+ token, then it should always be passed using an encrypted channel. Ensure that
+ the secure flag is set for cookies containing such sensitive information."'
+ doctype: Tool
+ name: 'ZAP Alert: "Cookie Without Secure Flag"'
+ tags:
+ - '"Passive"'
+ tooltype: Offensive
+ ltype: SAME
+name: Set "secure" attribute for cookie-based session tokens
diff --git a/cres/Set_sufficient_anti-caching_headers.yaml b/cres/Set_sufficient_anti-caching_headers.yaml
new file mode 100644
index 000000000..db67ca994
--- /dev/null
+++ b/cres/Set_sufficient_anti-caching_headers.yaml
@@ -0,0 +1,40 @@
+doctype: CRE
+id: 473-758
+links:
+- document:
+ doctype: CRE
+ id: 208-830
+ name: Manage temporary storage
+ ltype: Contains
+- document:
+ doctype: CRE
+ name: Http headers
+ ltype: Related
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x16-V8-Data-Protection.md
+ name: ASVS
+ section: V8.2.1
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/525.html
+ name: CWE
+ section: '525'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/06-Testing_for_Browser_Cache_Weaknesses.html
+ name: WSTG
+ section: WSTG-ATHN-06
+ ltype: Linked To
+- document:
+ description: '"Whenever possible ensure the cache-control HTTP header is set with
+ no-cache, no-store, must-revalidate."'
+ doctype: Tool
+ name: 'ZAP Alert: "Incomplete or No Cache-control Header Set"'
+ tags:
+ - '"Passive"'
+ tooltype: Offensive
+ ltype: SAME
+name: Set sufficient anti-caching headers
diff --git a/cres/Set_the_highest_feasible_iteration_count_for_PBKDF2.yaml b/cres/Set_the_highest_feasible_iteration_count_for_PBKDF2.yaml
new file mode 100644
index 000000000..738e02fb9
--- /dev/null
+++ b/cres/Set_the_highest_feasible_iteration_count_for_PBKDF2.yaml
@@ -0,0 +1,40 @@
+doctype: CRE
+id: 767-435
+links:
+- document:
+ doctype: CRE
+ id: 223-780
+ name: Secret storage
+ tags:
+ - Cryptography
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md
+ name: ASVS
+ section: V2.4.3
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html
+ name: OPC
+ section: C6
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/916.html
+ name: CWE
+ section: '916'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Password Storage Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST 800-63
+ section: 5.1.1.2
+ ltype: Linked To
+name: Set the highest feasible iteration count for PBKDF2
diff --git a/cres/Set_the_highest_feasible_work_factor_for_bcrypt.yaml b/cres/Set_the_highest_feasible_work_factor_for_bcrypt.yaml
new file mode 100644
index 000000000..249881900
--- /dev/null
+++ b/cres/Set_the_highest_feasible_work_factor_for_bcrypt.yaml
@@ -0,0 +1,40 @@
+doctype: CRE
+id: 078-427
+links:
+- document:
+ doctype: CRE
+ id: 223-780
+ name: Secret storage
+ tags:
+ - Cryptography
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md
+ name: ASVS
+ section: V2.4.4
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html
+ name: OPC
+ section: C6
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/916.html
+ name: CWE
+ section: '916'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Password Storage Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST 800-63
+ section: 5.1.1.2
+ ltype: Linked To
+name: Set the highest feasible work factor for bcrypt
diff --git a/cres/Show_generic_message_for_security_exceptions_or_unanticipated_exceptions.yaml b/cres/Show_generic_message_for_security_exceptions_or_unanticipated_exceptions.yaml
new file mode 100644
index 000000000..9f0cff463
--- /dev/null
+++ b/cres/Show_generic_message_for_security_exceptions_or_unanticipated_exceptions.yaml
@@ -0,0 +1,39 @@
+doctype: CRE
+id: 612-435
+links:
+- document:
+ doctype: CRE
+ id: 513-183
+ name: Error handling
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x15-V7-Error-Logging.md
+ name: ASVS
+ section: V7.4.1
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c10-handle-errors-exceptions.html
+ name: OPC
+ section: C10
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/210.html
+ name: CWE
+ section: '210'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/02-Testing_for_Stack_Traces.html
+ name: WSTG
+ section: WSTG-ERRH-02
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Error Handling Cheat Sheet
+ ltype: Linked To
+name: Show generic message for security exceptions or unanticipated exceptions
diff --git a/cres/Store_and_serve_user-uploaded_files_such_that_they_cannot_execute-damage_server_or_client.yaml b/cres/Store_and_serve_user-uploaded_files_such_that_they_cannot_execute-damage_server_or_client.yaml
new file mode 100644
index 000000000..357a549a2
--- /dev/null
+++ b/cres/Store_and_serve_user-uploaded_files_such_that_they_cannot_execute-damage_server_or_client.yaml
@@ -0,0 +1,37 @@
+doctype: CRE
+id: 384-344
+links:
+- document:
+ doctype: CRE
+ id: 621-287
+ name: File upload
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 760-765
+ name: XSS
+ ltype: Related
+- document:
+ doctype: CRE
+ id: 760-764
+ name: Injection
+ tags:
+ - XSS
+ ltype: Related
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md
+ name: ASVS
+ section: V1.12.2
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/646.html
+ name: CWE
+ section: '646'
+ ltype: Linked To
+name: Store and serve user-uploaded files such that they cannot execute/damage server
+ or client
+tags:
+- Injection
+- XSS
diff --git a/cres/Store_backups_securely.yaml b/cres/Store_backups_securely.yaml
new file mode 100644
index 000000000..d2e7834be
--- /dev/null
+++ b/cres/Store_backups_securely.yaml
@@ -0,0 +1,21 @@
+doctype: CRE
+id: 614-353
+links:
+- document:
+ doctype: CRE
+ id: 163-776
+ name: Backups
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x16-V8-Data-Protection.md
+ name: ASVS
+ section: V8.1.6
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/19.html
+ name: CWE
+ section: '19'
+ ltype: Linked To
+name: Store backups securely
diff --git a/cres/Store_credentials_securely.yaml b/cres/Store_credentials_securely.yaml
new file mode 100644
index 000000000..24504ca59
--- /dev/null
+++ b/cres/Store_credentials_securely.yaml
@@ -0,0 +1,28 @@
+doctype: CRE
+id: 881-321
+links:
+- document:
+ doctype: CRE
+ id: 223-780
+ name: Secret storage
+ tags:
+ - Cryptography
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md
+ name: ASVS
+ section: V2.10.3
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/522.html
+ name: CWE
+ section: '522'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST 800-63
+ section: 5.1.1.1
+ ltype: Linked To
+name: Store credentials securely
diff --git a/cres/Store_cryptographic_keys_securely.yaml b/cres/Store_cryptographic_keys_securely.yaml
new file mode 100644
index 000000000..99ae2bb8d
--- /dev/null
+++ b/cres/Store_cryptographic_keys_securely.yaml
@@ -0,0 +1,40 @@
+doctype: CRE
+id: 783-255
+links:
+- document:
+ doctype: CRE
+ id: 223-780
+ name: Secret storage
+ tags:
+ - Cryptography
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md
+ name: ASVS
+ section: V2.9.1
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/320.html
+ name: CWE
+ section: '320'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Cryptographic Storage Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Key Management Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST 800-63
+ section: 5.1.7.2
+ ltype: Linked To
+name: Store cryptographic keys securely
diff --git a/cres/Store_passwords_salted_and_hashed.yaml b/cres/Store_passwords_salted_and_hashed.yaml
new file mode 100644
index 000000000..39d7d7401
--- /dev/null
+++ b/cres/Store_passwords_salted_and_hashed.yaml
@@ -0,0 +1,40 @@
+doctype: CRE
+id: 622-203
+links:
+- document:
+ doctype: CRE
+ id: 223-780
+ name: Secret storage
+ tags:
+ - Cryptography
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md
+ name: ASVS
+ section: V2.4.1
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html
+ name: OPC
+ section: C6
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/916.html
+ name: CWE
+ section: '916'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Password Storage Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST 800-63
+ section: 5.1.1.2
+ ltype: Linked To
+name: Store passwords salted and hashed
diff --git a/cres/Support_subscriber-provided_authentication_devices.yaml b/cres/Support_subscriber-provided_authentication_devices.yaml
new file mode 100644
index 000000000..079e4b09a
--- /dev/null
+++ b/cres/Support_subscriber-provided_authentication_devices.yaml
@@ -0,0 +1,28 @@
+doctype: CRE
+id: 553-413
+links:
+- document:
+ doctype: CRE
+ id: 062-850
+ name: MFA/OTP
+ tags:
+ - Cryptography
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md
+ name: ASVS
+ section: V2.3.2
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/308.html
+ name: CWE
+ section: '308'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST 800-63
+ section: 6.1.3
+ ltype: Linked To
+name: Support subscriber-provided authentication devices
diff --git a/cres/Synchronize_time_zones_for_logs.yaml b/cres/Synchronize_time_zones_for_logs.yaml
new file mode 100644
index 000000000..7540f03bf
--- /dev/null
+++ b/cres/Synchronize_time_zones_for_logs.yaml
@@ -0,0 +1,27 @@
+doctype: CRE
+id: 770-361
+links:
+- document:
+ doctype: CRE
+ name: Log time synchronization
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x15-V7-Error-Logging.md
+ name: ASVS
+ section: V7.3.4
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c9-implement-security-logging-monitoring.html
+ name: OPC
+ section: C9
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.htmlhttps://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Logging Cheat Sheet.htmlhttps://cheatsheetseries.owasp.org/cheatsheets/Logging
+ Cheat Sheet
+ ltype: Linked To
+name: Synchronize time zones for logs
diff --git a/cres/System_time_synchronization.yaml b/cres/System_time_synchronization.yaml
new file mode 100644
index 000000000..d511fc819
--- /dev/null
+++ b/cres/System_time_synchronization.yaml
@@ -0,0 +1,17 @@
+doctype: CRE
+id: 612-364
+links:
+- document:
+ doctype: CRE
+ id: 783-355
+ name: Deployment
+ tags:
+ - Configuration
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-45
+ name: NIST 800-53 v5
+ section: SC-45 System Time Synchronization
+ ltype: Linked To
+name: System time synchronization
diff --git a/cres/TLS.yaml b/cres/TLS.yaml
index 6a4524b42..b048710c8 100644
--- a/cres/TLS.yaml
+++ b/cres/TLS.yaml
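Review bot: The Cheat_sheets link in cres/Synchronize_time_zones_for_logs.yaml has its URL concatenated with itself (`...Logging_Cheat_Sheet.htmlhttps://cheatsheetseries...`), and the `section` value was evidently derived from that doubled string, so the reference does not resolve. The intended values appear to be `hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html` and `section: Logging Cheat Sheet`. A check at import time that each `hyperlink` parses as a single URL would catch this class of error.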
@@ -4,58 +4,58 @@ links: - document: doctype: CRE name: Cryptoghraphy - type: Related + ltype: Related - document: doctype: CRE id: 726-868 name: Deployed topology tags: - Architecture - type: Related + ltype: Related - document: doctype: CRE id: 745-045 name: Do not fall back to insecure protocols in TCP - type: Contains + ltype: Contains - document: doctype: CRE id: 636-854 name: Encrypt all communications - type: Contains + ltype: Contains - document: doctype: CRE id: 430-636 name: Verify TLS certificates and trust chain tags: - Configuration - type: Contains + ltype: Contains - document: doctype: CRE id: 668-364 name: Log TLS connection failures - type: Contains + ltype: Contains - document: doctype: CRE id: 767-701 name: Verify strong TLS algorithms by testing - type: Contains + ltype: Contains - document: doctype: CRE id: 248-646 name: Disable insecure SSL/TLS versions tags: - Cryptography - type: Contains + ltype: Contains - document: doctype: CRE id: 558-807 name: Mutually authenticate application and credential service provider - type: Related + ltype: Related - document: doctype: CRE id: 278-646 name: '>>Secure communication' - type: Contains + ltype: Contains name: TLS tags: - Cryptoghraphy diff --git a/cres/Techniques.yaml b/cres/Techniques.yaml index 43a0c28de..c01735d4b 100644 --- a/cres/Techniques.yaml +++ b/cres/Techniques.yaml 
@@ -4,37 +4,29 @@ links: - document: doctype: CRE name: Secure Development - type: Contains + ltype: Contains - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-44 name: NIST 800-53 v5 section: SC-44 Detonation Chambers - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-39 name: NIST 800-53 v5 section: SC-39 Process Isolation - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-3 name: NIST 800-53 v5 section: SC-3 Security Function Isolation - subsection: '' - version: '' - type: Linked To + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-32 name: NIST 800-53 v5 section: SC-32 System Partitioning - subsection: '' - version: '' - type: Linked To + ltype: Linked To name: Techniques diff --git a/cres/Terminate_all_sessions_when_password_is_changed.yaml b/cres/Terminate_all_sessions_when_password_is_changed.yaml new file mode 100644 index 000000000..ae71bbf38 --- /dev/null +++ b/cres/Terminate_all_sessions_when_password_is_changed.yaml 
@@ -0,0 +1,33 @@
+doctype: CRE
+id: 238-346
+links:
+- document:
+ doctype: CRE
+ id: 470-731
+ name: Session lifecycle
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md
+ name: ASVS
+ section: V3.3.3
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/613.html
+ name: CWE
+ section: '613'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/06-Testing_for_Logout_Functionality.html#testing-for-server-side-session-termination
+ name: WSTG
+ section: WSTG-SESS-06
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Session Management Cheat Sheet
+ ltype: Linked To
+name: Terminate all sessions when password is changed
diff --git a/cres/Terminate_session_after_logout.yaml b/cres/Terminate_session_after_logout.yaml
new file mode 100644
index 000000000..0418b76de
--- /dev/null
+++ b/cres/Terminate_session_after_logout.yaml
@@ -0,0 +1,49 @@
+doctype: CRE
+id: 457-165
+links:
+- document:
+ doctype: CRE
+ id: 470-731
+ name: Session lifecycle
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md
+ name: ASVS
+ section: V3.3.1
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html
+ name: OPC
+ section: C6
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/613.html
+ name: CWE
+ section: '613'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST 800-53 v5
+ section: SC-23(1)
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/06-Testing_for_Logout_Functionality.html#testing-for-server-side-session-termination
+ name: WSTG
+ section: WSTG-SESS-06
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Session Management Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST 800-63
+ section: '7.1'
+ ltype: Linked To
+name: Terminate session after logout
diff --git a/cres/Threat_model_every_design_change_or_sprint.yaml b/cres/Threat_model_every_design_change_or_sprint.yaml
new file mode 100644
index 000000000..64800ac8b
--- /dev/null
+++ b/cres/Threat_model_every_design_change_or_sprint.yaml
@@ -0,0 +1,46 @@
+doctype: CRE
+id: 340-754
+links:
+- document:
+ doctype: CRE
+ id: 433-442
+ name: Development verification
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 155-155
+ name: Architecture
+ ltype: Related
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md
+ name: ASVS
+ section: V1.1.2
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/1053.html
+ name: CWE
+ section: '1053'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Threat Modeling Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Abuse Case Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Attack Surface Analysis Cheat Sheet
+ ltype: Linked To
+name: Threat model every design change or sprint
+tags:
+- Architecture
diff --git a/cres/Treat_client-secrets_as_insecure.yaml b/cres/Treat_client-secrets_as_insecure.yaml
new file mode 100644
index 000000000..9c08cf006
--- /dev/null
+++ b/cres/Treat_client-secrets_as_insecure.yaml
@@ -0,0 +1,23 @@
+doctype: CRE
+id: 232-325
+links:
+- document:
+ doctype: CRE
+ id: 400-007
+ name: Encrypt data at rest
+ tags:
+ - Cryptography
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md
+ name: ASVS
+ section: V1.6.4
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/320.html
+ name: CWE
+ section: '320'
+ ltype: Linked To
+name: Treat client-secrets as insecure
diff --git a/cres/Update_third_party_components_build-_or_compile_time.yaml b/cres/Update_third_party_components_build-_or_compile_time.yaml
new file mode 100644
index 000000000..9bac9bf23
--- /dev/null
+++ b/cres/Update_third_party_components_build-_or_compile_time.yaml
@@ -0,0 +1,44 @@
+doctype: CRE
+id: 715-334
+links:
+- document:
+ doctype: CRE
+ id: 613-286
+ name: Dependency management
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 601-155
+ name: Developer Configuration Management
+ ltype: Related
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md
+ name: ASVS
+ section: V14.2.1
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c2-leverage-security-frameworks-libraries.html
+ name: OPC
+ section: C2
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/1026.html
+ name: CWE
+ section: '1026'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Docker Security Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Vulnerable Dependency Management Cheat Sheet
+ ltype: Linked To
+name: Update third party components build- or compile time
diff --git a/cres/Use_ABAC-FBAC_on_data-feature_level,_even_when_using_RBAC_for_permissions.yaml b/cres/Use_ABAC-FBAC_on_data-feature_level,_even_when_using_RBAC_for_permissions.yaml
new file mode 100644
index 000000000..8609a289e
--- /dev/null
+++ b/cres/Use_ABAC-FBAC_on_data-feature_level,_even_when_using_RBAC_for_permissions.yaml
@@ -0,0 +1,33 @@
+doctype: CRE
+id: 801-310
+links:
+- document:
+ doctype: CRE
+ id: 724-770
+ name: '>>Authorized access'
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md
+ name: ASVS
+ section: V1.4.5
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c7-enforce-access-controls.html
+ name: OPC
+ section: C7
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/275.html
+ name: CWE
+ section: '275'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Docker Security Cheat Sheet
+ ltype: Linked To
+name: Use ABAC/FBAC on data/feature level, even when using RBAC for permissions
diff --git a/cres/Use_CSRF_protection_against_authenticated_functionality,_add_anti-automation_controls_for_unauthenticated_functionality.yaml b/cres/Use_CSRF_protection_against_authenticated_functionality,_add_anti-automation_controls_for_unauthenticated_functionality.yaml
new file mode 100644
index 000000000..9dcdfa345
--- /dev/null
+++ b/cres/Use_CSRF_protection_against_authenticated_functionality,_add_anti-automation_controls_for_unauthenticated_functionality.yaml
@@ -0,0 +1,67 @@
+doctype: CRE
+id: 060-472
+links:
+- document:
+ doctype: CRE
+ id: 724-770
+ name: '>>Authorized access'
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 028-727
+ name: CSRF
+ ltype: Related
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V4-Access-Control.md
+ name: ASVS
+ section: V4.2.2
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/352.html
+ name: CWE
+ section: '352'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.html
+ name: WSTG
+ section: WSTG-SESS-05
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Insecure Direct Object Reference Prevention Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Cross-Site Request Forgery Prevention Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Testing_Automation_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Authorization Testing Automation Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Tool
+ name: 'ZAP Alert: "Anti-CSRF Tokens Check"'
+ tags:
+ - '"Active"'
+ tooltype: Offensive
+ ltype: SAME
+- document:
+ doctype: Tool
+ name: 'ZAP Alert: "Absence of Anti-CSRF Tokens"'
+ tags:
+ - '"Passive"'
+ tooltype: Offensive
+ ltype: SAME
+name: Use CSRF protection against authenticated functionality, add anti-automation
+ controls for unauthenticated functionality
+tags:
+- CSRF
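Review bot: The tag values on the two ZAP tool entries are stored with literal double quotes (`- '"Active"'`, `- '"Passive"'`), so a consumer filtering on the tag `Active` or `Passive` will not match these records. This looks like CSV quoting that the importer did not strip, presumably in application/utils/external_project_parsers/zap_alerts_parser.py, which is outside this hunk. I would strip the surrounding quotes before export so the entries read `- Active` and `- Passive`, and decide deliberately whether the quotes inside `name` should stay. The same quoting appears in the ZAP entries added to Use_a_centralized_access_control_mechanism.yaml, Use_approved_cryptographic_algorithms_in_generation,_seeding_and_verification_of_OTPs.yaml and Use_memory-safe_functions_exclusively.yaml, where the `description` values are wrapped the same way.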
diff --git a/cres/Use_SAST_for_malicious_content.yaml b/cres/Use_SAST_for_malicious_content.yaml
new file mode 100644
index 000000000..288629a91
--- /dev/null
+++ b/cres/Use_SAST_for_malicious_content.yaml
@@ -0,0 +1,27 @@
+doctype: CRE
+id: 611-158
+links:
+- document:
+ doctype: CRE
+ id: 433-442
+ name: Development verification
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x18-V10-Malicious.md
+ name: ASVS
+ section: V10.1.1
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/749.html
+ name: CWE
+ section: '749'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Third Party Javascript Management Cheat Sheet
+ ltype: Linked To
+name: Use SAST for malicious content
diff --git a/cres/Use_a_centralized_access_control_mechanism.yaml b/cres/Use_a_centralized_access_control_mechanism.yaml
new file mode 100644
index 000000000..ba02d926c
--- /dev/null
+++ b/cres/Use_a_centralized_access_control_mechanism.yaml
@@ -0,0 +1,56 @@
+doctype: CRE
+id: 117-371
+links:
+- document:
+ doctype: CRE
+ id: 538-770
+ name: Data access control
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 155-155
+ name: Architecture
+ ltype: Related
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md
+ name: ASVS
+ section: V1.4.4
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c7-enforce-access-controls.html
+ name: OPC
+ section: C7
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/284.html
+ name: CWE
+ section: '284'
+ ltype: Linked To
+- document:
+ description: '"Use per user or session indirect object references (create a temporary
+ mapping at time of use). Or, ensure that each use of a direct object reference
+ is tied to an authorization check to ensure the user is authorized for the requested
+ object. "'
+ doctype: Tool
+ name: 'ZAP Alert: "Username Hash Found"'
+ tags:
+ - '"Passive"'
+ tooltype: Offensive
+ ltype: SAME
+- document:
+ description: '"Use per user or session indirect object references (create a temporary
+ mapping at time of use). Or, ensure that each use of a direct object reference
+ is tied to an authorization check to ensure the user is authorized for the requested
+ object."'
+ doctype: Tool
+ name: 'ZAP Alert: "Username Hash Found in WebSocket message"'
+ tags:
+ - '"WebSocket Passive"'
+ tooltype: Offensive
+ ltype: SAME
+name: Use a centralized access control mechanism
+tags:
+- Architecture
diff --git a/cres/Use_a_dedicated_secrets_management_solution.yaml b/cres/Use_a_dedicated_secrets_management_solution.yaml
new file mode 100644
index 000000000..3e481f220
--- /dev/null
+++ b/cres/Use_a_dedicated_secrets_management_solution.yaml
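Review bot: The `ltype: SAME` links on the two ZAP entries in Use_a_centralized_access_control_mechanism.yaml claim equivalence between a scanner alert and this control, yet the attached `description` is about indirect object references and per-object authorization checks, which is narrower than a centralized access control mechanism. The same pattern is in Use_approved_cryptographic_algorithms_in_generation,_seeding_and_verification_of_OTPs.yaml, where "Weak Authentication Method" (remediation: HTTPS or a stronger authentication mechanism) is linked as SAME to an OTP-algorithm requirement. Both look like joins on a shared CWE number rather than reviewed mappings (an inference; the importer is outside this hunk), and they would send someone triaging the finding to the wrong requirement. I would weaken these to `ltype: Related` until they are reviewed, or re-home the weak-authentication alert under `Encrypt all communications` or `Authentication mechanism`. The two descriptions here also differ only by a trailing space inside the quotes and should be normalised.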
@@ -0,0 +1,35 @@
+doctype: CRE
+id: 340-375
+links:
+- document:
+ doctype: CRE
+ id: 223-780
+ name: Secret storage
+ tags:
+ - Cryptography
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x14-V6-Cryptography.md
+ name: ASVS
+ section: V6.4.1
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c8-protect-data-everywhere.html
+ name: OPC
+ section: C8
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/798.html
+ name: CWE
+ section: '798'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Key Management Cheat Sheet
+ ltype: Linked To
+name: Use a dedicated secrets management solution
diff --git a/cres/Use_a_standard_last-resort_error_handler_for_unhandled_errors.yaml b/cres/Use_a_standard_last-resort_error_handler_for_unhandled_errors.yaml
new file mode 100644
index 000000000..f91641f9e
--- /dev/null
+++ b/cres/Use_a_standard_last-resort_error_handler_for_unhandled_errors.yaml
@@ -0,0 +1,39 @@
+doctype: CRE
+id: 118-602
+links:
+- document:
+ doctype: CRE
+ id: 513-183
+ name: Error handling
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x15-V7-Error-Logging.md
+ name: ASVS
+ section: V7.4.3
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c10-handle-errors-exceptions.html
+ name: OPC
+ section: C10
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/431.html
+ name: CWE
+ section: '431'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/02-Testing_for_Stack_Traces.html
+ name: WSTG
+ section: WSTG-ERRH-02
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Error Handling Cheat Sheet
+ ltype: Linked To
+name: Use a standard last-resort error handler for unhandled errors
diff --git a/cres/Use_a_unique_challenge_nonce_of_sufficient_size.yaml b/cres/Use_a_unique_challenge_nonce_of_sufficient_size.yaml
new file mode 100644
index 000000000..0c689e6e0
--- /dev/null
+++ b/cres/Use_a_unique_challenge_nonce_of_sufficient_size.yaml
@@ -0,0 +1,45 @@
+doctype: CRE
+id: 287-251
+links:
+- document:
+ doctype: CRE
+ id: 585-408
+ name: Cryptographic directives
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 170-772
+ name: Cryptography
+ ltype: Related
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md
+ name: ASVS
+ section: V2.9.2
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/330.html
+ name: CWE
+ section: '330'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Cryptographic Storage Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Key Management Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST 800-63
+ section: 5.1.7.2
+ ltype: Linked To
+name: Use a unique challenge nonce of sufficient size
+tags:
+- Cryptography
diff --git a/cres/Use_an_isolated_security_module_for_cryptographic_operations.yaml b/cres/Use_an_isolated_security_module_for_cryptographic_operations.yaml
new file mode 100644
index 000000000..1fb70b14e
--- /dev/null
+++ b/cres/Use_an_isolated_security_module_for_cryptographic_operations.yaml
@@ -0,0 +1,35 @@
+doctype: CRE
+id: 032-213
+links:
+- document:
+ doctype: CRE
+ id: 223-780
+ name: Secret storage
+ tags:
+ - Cryptography
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x14-V6-Cryptography.md
+ name: ASVS
+ section: V6.4.2
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c8-protect-data-everywhere.html
+ name: OPC
+ section: C8
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/320.html
+ name: CWE
+ section: '320'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Key Management Cheat Sheet
+ ltype: Linked To
+name: Use an isolated security module for cryptographic operations
diff --git a/cres/Use_approved_cryptographic_algorithms.yaml b/cres/Use_approved_cryptographic_algorithms.yaml
new file mode 100644
index 000000000..d989eed08
--- /dev/null
+++ b/cres/Use_approved_cryptographic_algorithms.yaml
@@ -0,0 +1,47 @@
+doctype: CRE
+id: 742-431
+links:
+- document:
+ doctype: CRE
+ id: 742-432
+ name: Encryption algorithms
+ tags:
+ - Cryptography
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x14-V6-Cryptography.md
+ name: ASVS
+ section: V6.2.2
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c8-protect-data-everywhere.html
+ name: OPC
+ section: C8
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/327.html
+ name: CWE
+ section: '327'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html
+ name: WSTG
+ section: WSTG-CRYP-04
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Cryptographic Storage Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Key Management Cheat Sheet
+ ltype: Linked To
+name: Use approved cryptographic algorithms
diff --git a/cres/Use_approved_cryptographic_algorithms_for_generation,_seeding_and_verification.yaml b/cres/Use_approved_cryptographic_algorithms_for_generation,_seeding_and_verification.yaml
new file mode 100644
index 000000000..115504357
--- /dev/null
+++ b/cres/Use_approved_cryptographic_algorithms_for_generation,_seeding_and_verification.yaml
@@ -0,0 +1,45 @@
+doctype: CRE
+id: 002-801
+links:
+- document:
+ doctype: CRE
+ id: 585-408
+ name: Cryptographic directives
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 170-772
+ name: Cryptography
+ ltype: Related
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md
+ name: ASVS
+ section: V2.9.3
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/327.html
+ name: CWE
+ section: '327'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Cryptographic Storage Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Key Management Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST 800-63
+ section: 5.1.7.2
+ ltype: Linked To
+name: Use approved cryptographic algorithms for generation, seeding and verification
+tags:
+- Cryptography
diff --git a/cres/Use_approved_cryptographic_algorithms_in_generation,_seeding_and_verification_of_OTPs.yaml b/cres/Use_approved_cryptographic_algorithms_in_generation,_seeding_and_verification_of_OTPs.yaml
new file mode 100644
index 000000000..760024697
--- /dev/null
+++ b/cres/Use_approved_cryptographic_algorithms_in_generation,_seeding_and_verification_of_OTPs.yaml
@@ -0,0 +1,43 @@
+doctype: CRE
+id: 841-757
+links:
+- document:
+ doctype: CRE
+ id: 062-850
+ name: MFA/OTP
+ tags:
+ - Cryptography
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md
+ name: ASVS
+ section: V2.8.3
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/326.html
+ name: CWE
+ section: '326'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST 800-63
+ section: 5.1.4.2
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST 800-63
+ section: 5.1.5.2
+ ltype: Linked To
+- document:
+ description: '"Protect the connection using HTTPS or use a stronger authentication
+ mechanism"'
+ doctype: Tool
+ name: 'ZAP Alert: "Weak Authentication Method"'
+ tags:
+ - '"Passive"'
+ tooltype: Offensive
+ ltype: SAME
+name: Use approved cryptographic algorithms in generation, seeding and verification
+ of OTPs
diff --git a/cres/Use_centralized_authentication_mechanism.yaml b/cres/Use_centralized_authentication_mechanism.yaml
new file mode 100644
index 000000000..3b0bd7745
--- /dev/null
+++ b/cres/Use_centralized_authentication_mechanism.yaml
@@ -0,0 +1,33 @@
+doctype: CRE
+id: 113-133
+links:
+- document:
+ doctype: CRE
+ id: 270-568
+ name: Authentication mechanism
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 155-155
+ name: Architecture
+ ltype: Related
+- document:
+ doctype: CRE
+ id: 402-706
+ name: Log relevant
+ ltype: Related
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md
+ name: ASVS
+ section: V1.2.3
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/306.html
+ name: CWE
+ section: '306'
+ ltype: Linked To
+name: Use centralized authentication mechanism
+tags:
+- Architecture
diff --git a/cres/Use_cryptographically_secure_random_number_generators.yaml b/cres/Use_cryptographically_secure_random_number_generators.yaml
new file mode 100644
index 000000000..621885c54
--- /dev/null
+++ b/cres/Use_cryptographically_secure_random_number_generators.yaml
@@ -0,0 +1,29 @@
+doctype: CRE
+id: 542-488
+links:
+- document:
+ doctype: CRE
+ id: 542-270
+ name: Secure random values
+ tags:
+ - Cryptography
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x14-V6-Cryptography.md
+ name: ASVS
+ section: V6.3.1
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/338.html
+ name: CWE
+ section: '338'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html
+ name: WSTG
+ section: WSTG-CRYP-04
+ ltype: Linked To
+name: Use cryptographically secure random number generators
diff --git a/cres/Use_ephemeral_secrets_rather_than_static_secrets.yaml b/cres/Use_ephemeral_secrets_rather_than_static_secrets.yaml
new file mode 100644
index 000000000..985d04ee6
--- /dev/null
+++ b/cres/Use_ephemeral_secrets_rather_than_static_secrets.yaml
@@ -0,0 +1,44 @@
+doctype: CRE
+id: 551-054
+links:
+- document:
+ doctype: CRE
+ id: 114-277
+ name: Session integrity
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 270-568
+ name: Authentication mechanism
+ ltype: Related
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md
+ name: ASVS
+ section: V3.5.2
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/798.html
+ name: CWE
+ section: '798'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.html#session-id-predictability-and-randomness
+ name: WSTG
+ section: WSTG-SESS-01
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: JSON Web Token for Java Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: REST Security Cheat Sheet
+ ltype: Linked To
+name: Use ephemeral secrets rather than static secrets
diff --git a/cres/Use_exception_handling_uniformly.yaml b/cres/Use_exception_handling_uniformly.yaml
new file mode 100644
index 000000000..4885a3bf5
--- /dev/null
+++ b/cres/Use_exception_handling_uniformly.yaml
@@ -0,0 +1,39 @@
+doctype: CRE
+id: 863-636
+links:
+- document:
+ doctype: CRE
+ id: 513-183
+ name: Error handling
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x15-V7-Error-Logging.md
+ name: ASVS
+ section: V7.4.2
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c10-handle-errors-exceptions.html
+ name: OPC
+ section: C10
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/544.html
+ name: CWE
+ section: '544'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/02-Testing_for_Stack_Traces.html
+ name: WSTG
+ section: WSTG-ERRH-02
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Error Handling Cheat Sheet
+ ltype: Linked To
+name: Use exception handling uniformly
diff --git a/cres/Use_key_vaults.yaml b/cres/Use_key_vaults.yaml
new file mode 100644
index 000000000..4c146523a
--- /dev/null
+++ b/cres/Use_key_vaults.yaml
@@ -0,0 +1,35 @@
+doctype: CRE
+id: 508-702
+links:
+- document:
+ doctype: CRE
+ id: 223-780
+ name: Secret storage
+ tags:
+ - Cryptography
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md
+ name: ASVS
+ section: V1.6.2
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/320.html
+ name: CWE
+ section: '320'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Cryptographic Storage Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Key Management Cheat Sheet
+ ltype: Linked To
+name: Use key vaults
diff --git a/cres/Use_least_privilege_OS_accounts_for_system_(components).yaml b/cres/Use_least_privilege_OS_accounts_for_system_(components).yaml
new file mode 100644
index 000000000..ef4ee586a
--- /dev/null
+++ b/cres/Use_least_privilege_OS_accounts_for_system_(components).yaml
@@ -0,0 +1,34 @@
+doctype: CRE
+id: 330-281
+links:
+- document:
+ doctype: CRE
+ id: 724-770
+ name: '>>Authorized access'
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 726-868
+ name: Deployed topology
+ tags:
+ - Architecture
+ ltype: Related
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md
+ name: ASVS
+ section: V1.2.1
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c3-secure-database-access.html
+ name: OPC
+ section: C3
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/250.html
+ name: CWE
+ section: '250'
+ ltype: Linked To
+name: Use least privilege OS accounts for system (components)
diff --git a/cres/Use_least_privilege_for_resources.yaml b/cres/Use_least_privilege_for_resources.yaml
new file mode 100644
index 000000000..d7a9b1006
--- /dev/null
+++ b/cres/Use_least_privilege_for_resources.yaml
@@ -0,0 +1,27 @@
+doctype: CRE
+id: 368-633
+links:
+- document:
+ doctype: CRE
+ id: 724-770
+ name: '>>Authorized access'
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md
+ name: ASVS
+ section: V1.4.3
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/272.html
+ name: CWE
+ section: '272'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Docker Security Cheat Sheet
+ ltype: Linked To
+name: Use least privilege for resources
diff --git a/cres/Use_lookup_secrets_only_once.yaml b/cres/Use_lookup_secrets_only_once.yaml
new file mode 100644
index 000000000..6e3aee46c
--- /dev/null
+++ b/cres/Use_lookup_secrets_only_once.yaml
@@ -0,0 +1,28 @@ +doctype: CRE +id: 101-217 +links: +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.6.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/308.html + name: CWE + section: '308' + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.2.2 + ltype: Linked To +name: Use lookup secrets only once diff --git a/cres/Use_memory-safe_functions_exclusively.yaml b/cres/Use_memory-safe_functions_exclusively.yaml new file mode 100644 index 000000000..447e71fd9 --- /dev/null +++ b/cres/Use_memory-safe_functions_exclusively.yaml @@ -0,0 +1,38 @@ +doctype: CRE +id: 831-570 +links: +- document: + doctype: CRE + id: 866-553 + name: Memory, String, and Unmanaged Code + tags: + - Injection + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.4.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/120.html + name: CWE + section: '120' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/13-Testing_for_Buffer_Overflow.html + name: WSTG + section: WSTG-INPV-13 + ltype: Linked To +- document: + description: '"Rewrite the background program using proper return length checking. This + will require a recompile of the background executable."' + doctype: Tool + name: 'ZAP Alert: "Buffer Overflow"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Use memory-safe functions exclusively 
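Review bot: The `description` and `tags` values of the ZAP alert entry in cres/Use_memory-safe_functions_exclusively.yaml carry literal double quotes inside the YAML single quotes, so the stored tag is `"Active"` with the quotes included rather than `Active`. Any consumer that filters or groups on the tag, or renders the description, will see the extra quotes; this looks like quoting from the alert source that was never stripped, though the parser that writes these files is outside this hunk. I would emit `- Active` and an unquoted description, and trim the trailing space that some descriptions keep before the closing quote. The same pattern appears in the other ZAP alert entries visible in this patch, for example the hunks for CRE 433-122, 757-271, 660-052 and 543-512.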
diff --git a/cres/Use_multifactor_authentication_on_administrative_interfaces.yaml b/cres/Use_multifactor_authentication_on_administrative_interfaces.yaml new file mode 100644 index 000000000..3d7566b26 --- /dev/null +++ b/cres/Use_multifactor_authentication_on_administrative_interfaces.yaml @@ -0,0 +1,29 @@ +doctype: CRE +id: 201-246 +links: +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V4-Access-Control.md + name: ASVS + section: V4.3.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/419.html + name: CWE + section: '419' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html + name: Cheat_sheets + section: REST Assessment Cheat Sheet + ltype: Linked To +name: Use multifactor authentication on administrative interfaces diff --git a/cres/Use_nonces_and_initialization_vectors_only_once.yaml b/cres/Use_nonces_and_initialization_vectors_only_once.yaml new file mode 100644 index 000000000..d4d6824ec --- /dev/null +++ b/cres/Use_nonces_and_initialization_vectors_only_once.yaml 
@@ -0,0 +1,50 @@ +doctype: CRE +id: 433-122 +links: +- document: + doctype: CRE + id: 742-432 + name: Encryption algorithms + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x14-V6-Cryptography.md + name: ASVS + section: V6.2.6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/326.html + name: CWE + section: '326' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html + name: WSTG + section: WSTG-CRYP-04 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html + name: Cheat_sheets + section: Cryptographic Storage Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Key Management Cheat Sheet + ltype: Linked To +- document: + description: '"Protect the connection using HTTPS or use a stronger authentication + mechanism"' + doctype: Tool + name: 'ZAP Alert: "Weak Authentication Method"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +name: Use nonces and initialization vectors only once diff --git a/cres/Use_out_of_band_authentication_requests,_codes_or_tokens_only_once.yaml b/cres/Use_out_of_band_authentication_requests,_codes_or_tokens_only_once.yaml new file mode 100644 index 000000000..feb3f6d34 --- /dev/null +++ b/cres/Use_out_of_band_authentication_requests,_codes_or_tokens_only_once.yaml 
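Review bot: `ltype: SAME` on the `ZAP Alert: "Weak Authentication Method"` entry overstates the relationship, because this CRE is "Use nonces and initialization vectors only once" while the alert's own description is about protecting the connection with HTTPS or a stronger authentication mechanism. The link appears to be derived from the shared CWE 326 entry above it (inferred, the matching code is not in this hunk), which makes it a transitive association rather than an equivalence; someone using these files to judge scanner coverage would read a clean passive scan as evidence about nonce handling. I would record CWE-derived matches with the weaker type already used for external documents, `ltype: Linked To`, or leave them out until a reviewer confirms them. The same alert is attached as SAME in the hunks for CRE 674-425, 441-132 and 767-701, and the hunks for 757-271 ("Username Hash Found" under source code control) and 426-842 ("Content-Type Header Missing" under header and payload authenticity) show the same kind of mismatch.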
@@ -0,0 +1,34 @@ +doctype: CRE +id: 168-186 +links: +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.7.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/287.html + name: CWE + section: '287' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html + name: Cheat_sheets + section: Forgot Password Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.3.2 + ltype: Linked To +name: Use out of band authentication requests, codes or tokens only once diff --git a/cres/Use_proper_source_code_control_system.yaml b/cres/Use_proper_source_code_control_system.yaml new file mode 100644 index 000000000..4f5ad5a41 --- /dev/null +++ b/cres/Use_proper_source_code_control_system.yaml 
@@ -0,0 +1,55 @@ +doctype: CRE +id: 757-271 +links: +- document: + doctype: CRE + id: 601-155 + name: Developer Configuration Management + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.10.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/284.html + name: CWE + section: '284' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Third Party Javascript Management Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Virtual_Patching_Cheat_Sheet.html + name: Cheat_sheets + section: Virtual Patching Cheat Sheet + ltype: Linked To +- document: + description: '"Use per user or session indirect object references (create a temporary + mapping at time of use). Or, ensure that each use of a direct object reference + is tied to an authorization check to ensure the user is authorized for the requested + object. "' + doctype: Tool + name: 'ZAP Alert: "Username Hash Found"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Use per user or session indirect object references (create a temporary + mapping at time of use). Or, ensure that each use of a direct object reference + is tied to an authorization check to ensure the user is authorized for the requested + object."' + doctype: Tool + name: 'ZAP Alert: "Username Hash Found in WebSocket message"' + tags: + - '"WebSocket Passive"' + tooltype: Offensive + ltype: SAME +name: Use proper source code control system diff --git a/cres/Use_secure_random_to_generate_initial_authentication_codes.yaml b/cres/Use_secure_random_to_generate_initial_authentication_codes.yaml new file mode 100644 index 000000000..3d4245ed9 
--- /dev/null +++ b/cres/Use_secure_random_to_generate_initial_authentication_codes.yaml @@ -0,0 +1,41 @@ +doctype: CRE +id: 206-254 +links: +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Contains +- document: + doctype: CRE + id: 170-772 + name: Cryptography + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.7.6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/310.html + name: CWE + section: '310' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html + name: Cheat_sheets + section: Forgot Password Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.3.2 + ltype: Linked To +name: Use secure random to generate initial authentication codes +tags: +- Cryptography diff --git a/cres/Use_secure_recovery_mechanisms_for_forgotten_passwords.yaml b/cres/Use_secure_recovery_mechanisms_for_forgotten_passwords.yaml new file mode 100644 index 000000000..1ac71c0ad --- /dev/null +++ b/cres/Use_secure_recovery_mechanisms_for_forgotten_passwords.yaml 
@@ -0,0 +1,50 @@ +doctype: CRE +id: 581-525 +links: +- document: + doctype: CRE + id: 520-617 + name: Credential recovery + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.5.6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html + name: OPC + section: C6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/640.html + name: CWE + section: '640' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities.html + name: WSTG + section: WSTG-ATHN-09 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html + name: Cheat_sheets + section: Choosing and Using Security Questions Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html + name: Cheat_sheets + section: Forgot Password Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.1.2 + ltype: Linked To +name: Use secure recovery mechanisms for forgotten passwords diff --git a/cres/Use_security_module_to_store_one-time_password_verification_keys.yaml b/cres/Use_security_module_to_store_one-time_password_verification_keys.yaml new file mode 100644 index 000000000..94cf7534e --- /dev/null +++ b/cres/Use_security_module_to_store_one-time_password_verification_keys.yaml 
@@ -0,0 +1,47 @@ +doctype: CRE +id: 543-428 +links: +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Contains +- document: + doctype: CRE + id: 223-780 + name: Secret storage + tags: + - Cryptography + ltype: Related +- document: + doctype: CRE + id: 170-772 + name: Cryptography + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.8.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/320.html + name: CWE + section: '320' + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.4.2 + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.5.2 + ltype: Linked To +name: Use security module to store one-time password verification keys +tags: +- Cryptography diff --git a/cres/Use_separately_stored_secret_salt_(pepper).yaml b/cres/Use_separately_stored_secret_salt_(pepper).yaml new file mode 100644 index 000000000..53b567a48 --- /dev/null +++ b/cres/Use_separately_stored_secret_salt_(pepper).yaml @@ -0,0 +1,34 @@ +doctype: CRE +id: 077-781 +links: +- document: + doctype: CRE + id: 223-780 + name: Secret storage + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.4.5 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/916.html + name: CWE + section: '916' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html + name: Cheat_sheets + section: Password Storage Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.1.2 + ltype: Linked To +name: Use separately stored secret salt (pepper) 
diff --git a/cres/Use_state_of_the_art_cryptographic_configuration.yaml b/cres/Use_state_of_the_art_cryptographic_configuration.yaml new file mode 100644 index 000000000..f60be6549 --- /dev/null +++ b/cres/Use_state_of_the_art_cryptographic_configuration.yaml @@ -0,0 +1,50 @@ +doctype: CRE +id: 674-425 +links: +- document: + doctype: CRE + id: 742-432 + name: Encryption algorithms + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x14-V6-Cryptography.md + name: ASVS + section: V6.2.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/326.html + name: CWE + section: '326' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html + name: WSTG + section: WSTG-CRYP-04 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html + name: Cheat_sheets + section: Cryptographic Storage Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Key Management Cheat Sheet + ltype: Linked To +- document: + description: '"Protect the connection using HTTPS or use a stronger authentication + mechanism"' + doctype: Tool + name: 'ZAP Alert: "Weak Authentication Method"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +name: Use state of the art cryptographic configuration diff --git a/cres/Use_strong_authenticators_with_priority_and_weak_authenticators_only_for_less_secure_access.yaml b/cres/Use_strong_authenticators_with_priority_and_weak_authenticators_only_for_less_secure_access.yaml new file mode 100644 index 000000000..257fd6d05 --- /dev/null 
+++ b/cres/Use_strong_authenticators_with_priority_and_weak_authenticators_only_for_less_secure_access.yaml @@ -0,0 +1,47 @@ +doctype: CRE +id: 354-752 +links: +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.2.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/304.html + name: CWE + section: '304' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html + name: Cheat_sheets + section: Authentication Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html + name: Cheat_sheets + section: Transport Layer Protection Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html + name: Cheat_sheets + section: TLS Cipher String Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.2.10 + ltype: Linked To +name: Use strong authenticators with priority and weak authenticators only for less + secure access diff --git a/cres/Use_time-based_OTP_only_once.yaml b/cres/Use_time-based_OTP_only_once.yaml new file mode 100644 index 000000000..f77b4d4e2 --- /dev/null +++ b/cres/Use_time-based_OTP_only_once.yaml 
@@ -0,0 +1,33 @@ +doctype: CRE +id: 404-126 +links: +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.8.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/287.html + name: CWE + section: '287' + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.4.2 + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.5.2 + ltype: Linked To +name: Use time-based OTP only once diff --git a/cres/Use_unique_random_salt_with_sufficient_entropy_for_each_credential.yaml b/cres/Use_unique_random_salt_with_sufficient_entropy_for_each_credential.yaml new file mode 100644 index 000000000..d43580b2d --- /dev/null +++ b/cres/Use_unique_random_salt_with_sufficient_entropy_for_each_credential.yaml 
@@ -0,0 +1,40 @@ +doctype: CRE +id: 082-530 +links: +- document: + doctype: CRE + id: 223-780 + name: Secret storage + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.4.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html + name: OPC + section: C6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/916.html + name: CWE + section: '916' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html + name: Cheat_sheets + section: Password Storage Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.1.2 + ltype: Linked To +name: Use unique random salt with sufficient entropy for each credential diff --git a/cres/Use_unpredictable_lookup_secrets.yaml b/cres/Use_unpredictable_lookup_secrets.yaml new file mode 100644 index 000000000..8f7d75eb6 --- /dev/null +++ b/cres/Use_unpredictable_lookup_secrets.yaml @@ -0,0 +1,28 @@ +doctype: CRE +id: 513-845 +links: +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.6.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/310.html + name: CWE + section: '310' + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.2.2 + ltype: Linked To +name: Use unpredictable lookup secrets 
diff --git a/cres/Use_weak_crypto_only_for_backwards_compatibility.yaml b/cres/Use_weak_crypto_only_for_backwards_compatibility.yaml new file mode 100644 index 000000000..74ee6175a --- /dev/null +++ b/cres/Use_weak_crypto_only_for_backwards_compatibility.yaml @@ -0,0 +1,50 @@ +doctype: CRE +id: 441-132 +links: +- document: + doctype: CRE + id: 742-432 + name: Encryption algorithms + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x14-V6-Cryptography.md + name: ASVS + section: V6.2.5 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/326.html + name: CWE + section: '326' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html + name: WSTG + section: WSTG-CRYP-04 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html + name: Cheat_sheets + section: Cryptographic Storage Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Key Management Cheat Sheet + ltype: Linked To +- document: + description: '"Protect the connection using HTTPS or use a stronger authentication + mechanism"' + doctype: Tool + name: 'ZAP Alert: "Weak Authentication Method"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +name: Use weak crypto only for backwards compatibility diff --git a/cres/User_passwords_are_of_sufficient_minimum_length.yaml b/cres/User_passwords_are_of_sufficient_minimum_length.yaml new file mode 100644 index 000000000..137dc6665 --- /dev/null +++ b/cres/User_passwords_are_of_sufficient_minimum_length.yaml 
@@ -0,0 +1,56 @@ +doctype: CRE +id: 027-555 +links: +- document: + doctype: CRE + id: 455-885 + name: Credentials directives + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.1.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html + name: OPC + section: C6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/521.html + name: CWE + section: '521' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html + name: WSTG + section: WSTG-ATHN-07 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html + name: Cheat_sheets + section: Choosing and Using Security Questions Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html + name: Cheat_sheets + section: Forgot Password Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Credential Stuffing Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.1.2 + ltype: Linked To +name: User passwords are of sufficient minimum length diff --git a/cres/Validate_HTTP_request_headers.yaml b/cres/Validate_HTTP_request_headers.yaml new file mode 100644 index 000000000..fa5b18567 --- /dev/null +++ b/cres/Validate_HTTP_request_headers.yaml 
@@ -0,0 +1,38 @@ +doctype: CRE +id: 541-441 +links: +- document: + doctype: CRE + id: 503-455 + name: '>>Input and output verification' + ltype: Contains +- document: + doctype: CRE + id: 760-764 + name: Injection + tags: + - XSS + ltype: Related +- document: + doctype: CRE + id: 405-411 + name: Avoid using of Origin header for authentication of access control + ltype: Contains +- document: + doctype: CRE + id: 316-272 + name: Whitelist CORS resources + ltype: Contains +- document: + doctype: CRE + id: 820-421 + name: Authenticate HTTP headers added by a trusted proxy or SSO device + ltype: Contains +- document: + doctype: CRE + id: 483-715 + name: White-list HTTP methods + ltype: Contains +name: Validate HTTP request headers +tags: +- Injection diff --git a/cres/Validate_file_type_of_data_from_untrusted_sources.yaml b/cres/Validate_file_type_of_data_from_untrusted_sources.yaml new file mode 100644 index 000000000..99b48270d --- /dev/null +++ b/cres/Validate_file_type_of_data_from_untrusted_sources.yaml @@ -0,0 +1,33 @@ +doctype: CRE +id: 175-235 +links: +- document: + doctype: CRE + id: 130-550 + name: File handling + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x20-V12-Files-Resources.md + name: ASVS + section: V12.2.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/434.html + name: CWE + section: '434' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html + name: Cheat_sheets + section: File Upload Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Third Party Javascript Management Cheat Sheet + ltype: Linked To +name: Validate file type of data from untrusted sources 
diff --git a/cres/Validate_max_input-file_sizes.yaml b/cres/Validate_max_input-file_sizes.yaml new file mode 100644 index 000000000..bf87c170d --- /dev/null +++ b/cres/Validate_max_input-file_sizes.yaml @@ -0,0 +1,49 @@ +doctype: CRE +id: 660-052 +links: +- document: + doctype: CRE + id: 621-287 + name: File upload + ltype: Contains +- document: + doctype: CRE + id: 623-550 + name: DOS + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x20-V12-Files-Resources.md + name: ASVS + section: V12.1.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/400.html + name: CWE + section: '400' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.html + name: WSTG + section: WSTG-BUSL-09 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html + name: Cheat_sheets + section: File Upload Cheat Sheet + ltype: Linked To +- document: + description: '"Upgrade your Apache server to a currently stable version. Alternative + solutions or workarounds are outlined in the references. "' + doctype: Tool + name: 'ZAP Alert: "Apache Range Header DoS (CVE-2011-3192)"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Validate max input/file sizes +tags: +- DOS diff --git a/cres/Validatie-enforce_HTTP_inputs_(against_HTTP_parameter_pollution_attacks).yaml b/cres/Validatie-enforce_HTTP_inputs_(against_HTTP_parameter_pollution_attacks).yaml new file mode 100644 index 000000000..f1feb8636 --- /dev/null +++ b/cres/Validatie-enforce_HTTP_inputs_(against_HTTP_parameter_pollution_attacks).yaml 
@@ -0,0 +1,42 @@ +doctype: CRE +id: 743-237 +links: +- document: + doctype: CRE + id: 010-308 + name: Input validation + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.1.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/235.html + name: CWE + section: '235' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution.html + name: WSTG + section: WSTG-INPV-04 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html + name: Cheat_sheets + section: Mass Assignment Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html + name: Cheat_sheets + section: Input Validation Cheat Sheet + ltype: Linked To +name: Validatie/enforce HTTP inputs (against HTTP parameter pollution attacks) diff --git a/cres/Verify_TLS_certificates_and_trust_chain.yaml b/cres/Verify_TLS_certificates_and_trust_chain.yaml new file mode 100644 index 000000000..ec9df4609 --- /dev/null +++ b/cres/Verify_TLS_certificates_and_trust_chain.yaml 
@@ -0,0 +1,30 @@ +doctype: CRE +id: 430-636 +links: +- document: + doctype: CRE + id: 228-551 + name: TLS + tags: + - Cryptoghraphy + ltype: Contains +- document: + doctype: CRE + id: 486-813 + name: Configuration + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x17-V9-Communications.md + name: ASVS + section: V9.2.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/295.html + name: CWE + section: '295' + ltype: Linked To +name: Verify TLS certificates and trust chain +tags: +- Configuration diff --git a/cres/Verify_content-type_for_REST_services.yaml b/cres/Verify_content-type_for_REST_services.yaml new file mode 100644 index 000000000..1ddd490f2 --- /dev/null +++ b/cres/Verify_content-type_for_REST_services.yaml 
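Review bot: The tag on the linked TLS document (CRE 228-551) is spelled `Cryptoghraphy`, while the other entries visible in this patch use `Cryptography`, so a tag-based lookup for cryptography-related CREs will not return TLS. The line should read `- Cryptography`; since the tag belongs to the TLS CRE itself, the source this file is exported from presumably needs the same correction. The hunk for cres/Verify_strong_TLS_algorithms_by_testing.yaml repeats the misspelling.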
@@ -0,0 +1,48 @@ +doctype: CRE +id: 543-512 +links: +- document: + doctype: CRE + id: 071-288 + name: RESTful + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x21-V13-API.md + name: ASVS + section: V13.2.5 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/436.html + name: CWE + section: '436' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html + name: Cheat_sheets + section: REST Assessment Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html + name: Cheat_sheets + section: REST Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Cross-Site Request Forgery Prevention Cheat Sheet + ltype: Linked To +- document: + description: '"Force UTF-8 for all text content in both the HTTP header and meta + tags in HTML or encoding declarations in XML."' + doctype: Tool + name: 'ZAP Alert: "Charset Mismatch"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +name: Verify content-type for REST services diff --git a/cres/Verify_strong_TLS_algorithms_by_testing.yaml b/cres/Verify_strong_TLS_algorithms_by_testing.yaml new file mode 100644 index 000000000..212322756 --- /dev/null +++ b/cres/Verify_strong_TLS_algorithms_by_testing.yaml 
@@ -0,0 +1,56 @@ +doctype: CRE +id: 767-701 +links: +- document: + doctype: CRE + id: 228-551 + name: TLS + tags: + - Cryptoghraphy + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x17-V9-Communications.md + name: ASVS + section: V9.1.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/326.html + name: CWE + section: '326' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_SSL_TLS_Ciphers_Insufficient_Transport_Layer_Protection.html + name: WSTG + section: WSTG-CRYP-01 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html + name: Cheat_sheets + section: HTTP Strict Transport Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html + name: Cheat_sheets + section: Transport Layer Protection Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html + name: Cheat_sheets + section: TLS Cipher String Cheat Sheet + ltype: Linked To +- document: + description: '"Protect the connection using HTTPS or use a stronger authentication + mechanism"' + doctype: Tool + name: 'ZAP Alert: "Weak Authentication Method"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +name: Verify strong TLS algorithms by testing diff --git a/cres/Verify_the_authenticity_of_both_headers_and_payload.yaml b/cres/Verify_the_authenticity_of_both_headers_and_payload.yaml new file mode 100644 index 000000000..f6678c785 --- /dev/null +++ b/cres/Verify_the_authenticity_of_both_headers_and_payload.yaml 
@@ -0,0 +1,57 @@
+doctype: CRE
+id: 426-842
+links:
+- document:
+ doctype: CRE
+ id: 435-702
+ name: Communication encryption
+ tags:
+ - Cryptography
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 170-772
+ name: Cryptography
+ ltype: Related
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x21-V13-API.md
+ name: ASVS
+ section: V13.2.6
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/345.html
+ name: CWE
+ section: '345'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: REST Assessment Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: REST Security Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Cross-Site Request Forgery Prevention Cheat Sheet
+ ltype: Linked To
+- document:
+ description: '"Ensure each page is setting the specific and appropriate content-type
+ value for the content being delivered."'
+ doctype: Tool
+ name: 'ZAP Alert: "Content-Type Header Missing"'
+ tags:
+ - '"Passive"'
+ tooltype: Offensive
+ ltype: SAME
+name: Verify the authenticity of both headers and payload
+tags:
+- Cryptography
diff --git a/cres/Was:_TBD.yaml b/cres/Was:_TBD.yaml
new file mode 100644
index 000000000..91422ec01
--- /dev/null
+++ b/cres/Was:_TBD.yaml
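Review bot: The last link in `Verify_the_authenticity_of_both_headers_and_payload.yaml` marks the ZAP alert `Content-Type Header Missing` as `ltype: SAME` for this CRE, but the alert's own description is about setting a content-type value, while the CRE and its ASVS V13.2.6 / CWE-345 links are about verifying the authenticity of headers and payload. The identical entry is attached, again as `SAME`, in `When_using_stateless_tokens,_ensure_cryptographically_secure_characteristics.yaml`, which shares the CWE-345 link with this file, so the match was presumably made through the common CWE rather than on the requirement itself. A reader who relies on `SAME` will take a clean passive scan as coverage for a requirement the alert does not test. I would drop the link or give it a weaker type; this file already uses `ltype: Related` for a CRE link, though whether that type is accepted for a Tool document is not visible here.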
@@ -0,0 +1,783 @@ +doctype: CRE +id: 651-530 +links: +- document: + doctype: CRE + id: 724-770 + name: '>>Authorized access' + ltype: Contains +- document: + doctype: CRE + name: '>>Network security' + ltype: Contains +- document: + doctype: CRE + name: Network Access Control + ltype: Contains +- document: + doctype: CRE + name: '>>TBD' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-16 + name: NIST 800-53 v5 + section: AC-16 Security and Privacy Attributes + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-17 + name: NIST 800-53 v5 + section: AC-17 Remote Access + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-18 + name: NIST 800-53 v5 + section: AC-18 Wireless Access + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-19 + name: NIST 800-53 v5 + section: AC-19 Access Control for Mobile Devices + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-20 + name: NIST 800-53 v5 + section: AC-20 Use of External Systems + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-21 + name: NIST 800-53 v5 + section: AC-21 Information Sharing + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-22 + name: NIST 800-53 
v5 + section: AC-22 Publicly Accessible Content + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-23 + name: NIST 800-53 v5 + section: AC-23 Data Mining Protection + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-25 + name: NIST 800-53 v5 + section: AC-25 Reference Monitor + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-4 + name: NIST 800-53 v5 + section: AC-4 Information Flow Enforcement + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AT-1 + name: NIST 800-53 v5 + section: AT-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AT-2 + name: NIST 800-53 v5 + section: AT-2 Literacy Training and Awareness + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AT-3 + name: NIST 800-53 v5 + section: AT-3 Role-based Training + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AT-4 + name: NIST 800-53 v5 + section: AT-4 Training Records + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AT-5 + name: NIST 800-53 v5 + section: AT-5 Contacts with Security Groups and 
Associations + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AT-6 + name: NIST 800-53 v5 + section: AT-6 Training Feedback + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-13 + name: NIST 800-53 v5 + section: AU-13 Monitoring for Information Disclosure + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-14 + name: NIST 800-53 v5 + section: AU-14 Session Audit + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-1 + name: NIST 800-53 v5 + section: CP-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-10 + name: NIST 800-53 v5 + section: CP-10 System Recovery and Reconstitution + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-11 + name: NIST 800-53 v5 + section: CP-11 Alternate Communications Protocols + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-12 + name: NIST 800-53 v5 + section: CP-12 Safe Mode + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-13 + name: NIST 800-53 v5 + section: CP-13 Alternative Security Mechanisms + ltype: Linked To +- 
document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-2 + name: NIST 800-53 v5 + section: CP-2 Contingency Plan + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-3 + name: NIST 800-53 v5 + section: CP-3 Contingency Training + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-4 + name: NIST 800-53 v5 + section: CP-4 Contingency Plan Testing + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-5 + name: NIST 800-53 v5 + section: CP-5 Contingency Plan Update + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-6 + name: NIST 800-53 v5 + section: CP-6 Alternate Storage Site + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-7 + name: NIST 800-53 v5 + section: CP-7 Alternate Processing Site + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-8 + name: NIST 800-53 v5 + section: CP-8 Telecommunications Services + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-9 + name: NIST 800-53 v5 + section: CP-9 System Backup + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-1 + name: NIST 800-53 v5 + section: IR-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-10 + name: NIST 800-53 v5 + section: IR-10 Integrated Information Security Analysis Team + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-2 + name: NIST 800-53 v5 + section: IR-2 Incident Response Training + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-3 + name: NIST 800-53 v5 + section: IR-3 Incident Response Testing + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-4 + name: NIST 800-53 v5 + section: IR-4 Incident Handling + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-5 + name: NIST 800-53 v5 + section: IR-5 Incident Monitoring + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-6 + name: NIST 800-53 v5 + section: IR-6 Incident Reporting + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-7 + name: NIST 800-53 v5 + section: IR-7 Incident Response Assistance + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-8 + name: NIST 800-53 v5 + section: IR-8 Incident Response Plan + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-9 + name: NIST 800-53 v5 + section: IR-9 Information Spillage Response + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MA-1 + name: NIST 800-53 v5 + section: MA-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MA-2 + name: NIST 800-53 v5 + section: MA-2 Controlled Maintenance + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MA-3 + name: NIST 800-53 v5 + section: MA-3 Maintenance Tools + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MA-4 + name: NIST 800-53 v5 + section: MA-4 Nonlocal Maintenance + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MA-5 + name: NIST 800-53 v5 + section: MA-5 Maintenance Personnel + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MA-6 + name: NIST 800-53 v5 + section: MA-6 Timely Maintenance + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MA-7 + name: NIST 800-53 v5 + section: MA-7 Field Maintenance + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MP-1 + name: NIST 800-53 v5 + section: MP-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MP-2 + name: NIST 800-53 v5 + section: MP-2 Media Access + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MP-3 + name: NIST 800-53 v5 + section: MP-3 Media Marking + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MP-4 + name: NIST 800-53 v5 + section: MP-4 Media Storage + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MP-5 + name: NIST 800-53 v5 + section: MP-5 Media Transport + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MP-6 + name: NIST 800-53 v5 + section: MP-6 Media Sanitization + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MP-7 + name: NIST 800-53 v5 + section: MP-7 Media Use + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MP-8 + name: NIST 
800-53 v5 + section: MP-8 Media Downgrading + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-1 + name: NIST 800-53 v5 + section: PE-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-10 + name: NIST 800-53 v5 + section: PE-10 Emergency Shutoff + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-11 + name: NIST 800-53 v5 + section: PE-11 Emergency Power + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-12 + name: NIST 800-53 v5 + section: PE-12 Emergency Lighting + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-13 + name: NIST 800-53 v5 + section: PE-13 Fire Protection + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-14 + name: NIST 800-53 v5 + section: PE-14 Environmental Controls + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-15 + name: NIST 800-53 v5 + section: PE-15 Water Damage Protection + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-16 + name: NIST 800-53 v5 + section: PE-16 Delivery and Removal + ltype: Linked To +- document: + 
doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-17 + name: NIST 800-53 v5 + section: PE-17 Alternate Work Site + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-18 + name: NIST 800-53 v5 + section: PE-18 Location of System Components + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-19 + name: NIST 800-53 v5 + section: PE-19 Information Leakage + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-2 + name: NIST 800-53 v5 + section: PE-2 Physical Access Authorizations + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-20 + name: NIST 800-53 v5 + section: PE-20 Asset Monitoring and Tracking + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-21 + name: NIST 800-53 v5 + section: PE-21 Electromagnetic Pulse Protection + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-22 + name: NIST 800-53 v5 + section: PE-22 Component Marking + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-23 + name: NIST 800-53 v5 + section: PE-23 Facility Location + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-3 + name: NIST 800-53 v5 + section: PE-3 Physical Access Control + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-4 + name: NIST 800-53 v5 + section: PE-4 Access Control for Transmission + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-5 + name: NIST 800-53 v5 + section: PE-5 Access Control for Output Devices + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-6 + name: NIST 800-53 v5 + section: PE-6 Monitoring Physical Access + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-7 + name: NIST 800-53 v5 + section: PE-7 Visitor Control + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-8 + name: NIST 800-53 v5 + section: PE-8 Visitor Access Records + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-9 + name: NIST 800-53 v5 + section: PE-9 Power Equipment and Cabling + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PL-4 + name: NIST 800-53 v5 + section: PL-4 Rules of Behavior + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-15 + name: NIST 800-53 v5 + section: SC-15 Collaborative Computing Devices and Applications + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SR-1 + name: NIST 800-53 v5 + section: SR-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SR-10 + name: NIST 800-53 v5 + section: SR-10 Inspection of Systems or Components + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SR-11 + name: NIST 800-53 v5 + section: SR-11 Component Authenticity + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SR-12 + name: NIST 800-53 v5 + section: SR-12 Component Disposal + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SR-2 + name: NIST 800-53 v5 + section: SR-2 Supply Chain Risk Management Plan + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SR-3 + name: NIST 800-53 v5 + section: SR-3 Supply Chain Controls and Processes + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SR-4 + name: NIST 800-53 v5 + section: SR-4 Provenance + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SR-5 + name: NIST 800-53 v5 + section: SR-5 Acquisition Strategies, Tools, and Methods + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SR-6 + name: NIST 800-53 v5 + section: SR-6 Supplier Assessments and Reviews + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SR-7 + name: NIST 800-53 v5 + section: SR-7 Supply Chain Operations Security + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SR-8 + name: NIST 800-53 v5 + section: SR-8 Notification Agreements + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SR-9 + name: NIST 800-53 v5 + section: SR-9 Tamper Resistance and Detection + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-22 + name: NIST 800-53 v5 + section: SC-22 Architecture and Provisioning for Name/address Resolution Service + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-1 + name: NIST 800-53 v5 + section: CA-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-2 + name: NIST 800-53 v5 + section: CA-2 Control Assessments + ltype: Linked To +- document: + doctype: 
Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-5 + name: NIST 800-53 v5 + section: CA-5 Plan of Action and Milestones + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-6 + name: NIST 800-53 v5 + section: CA-6 Authorization + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-7 + name: NIST 800-53 v5 + section: CA-7 Continuous Monitoring + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-8 + name: NIST 800-53 v5 + section: CA-8 Penetration Testing + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PL-1 + name: NIST 800-53 v5 + section: PL-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PL-10 + name: NIST 800-53 v5 + section: PL-10 Baseline Selection + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PL-11 + name: NIST 800-53 v5 + section: PL-11 Baseline Tailoring + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-1 + name: NIST 800-53 v5 + section: SC-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-31 + name: NIST 800-53 v5 + section: SC-31 Covert Channel Analysis + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-6 + name: NIST 800-53 v5 + section: SC-6 Resource Availability + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-1 + name: NIST 800-53 v5 + section: SI-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-11 + name: NIST 800-53 v5 + section: SI-11 Error Handling + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-12 + name: NIST 800-53 v5 + section: SI-12 Information Management and Retention + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-13 + name: NIST 800-53 v5 + section: SI-13 Predictable Failure Prevention + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-14 + name: NIST 800-53 v5 + section: SI-14 Non-persistence + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-15 + name: NIST 800-53 v5 + section: SI-15 Information Output Filtering + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-16 + name: NIST 800-53 v5 + section: SI-16 Memory Protection + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-17 + name: NIST 800-53 v5 + section: SI-17 Fail-safe Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-18 + name: NIST 800-53 v5 + section: SI-18 Personally Identifiable Information Quality Operations + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-19 + name: NIST 800-53 v5 + section: SI-19 De-identification + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-2 + name: NIST 800-53 v5 + section: SI-2 Flaw Remediation + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-20 + name: NIST 800-53 v5 + section: SI-20 Tainting + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-21 + name: NIST 800-53 v5 + section: SI-21 Information Refresh + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-22 + name: NIST 800-53 v5 + section: SI-22 Information Diversity + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-23 + name: NIST 800-53 v5 + section: SI-23 Information Fragmentation + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-3 + name: NIST 800-53 v5 + section: SI-3 Malicious Code Protection + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-4 + name: NIST 800-53 v5 + section: SI-4 System Monitoring + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-5 + name: NIST 800-53 v5 + section: SI-5 Security Alerts, Advisories, and Directives + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-6 + name: NIST 800-53 v5 + section: SI-6 Security and Privacy Function Verification + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-7 + name: NIST 800-53 v5 + section: SI-7 Software, Firmware, and Information Integrity + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-8 + name: NIST 800-53 v5 + section: SI-8 Spam Protection + ltype: Linked To +name: 'Was: TBD' diff --git a/cres/When_storing_session_tokens_in_browser,_use_secure_methods_only.yaml b/cres/When_storing_session_tokens_in_browser,_use_secure_methods_only.yaml new file mode 100644 index 000000000..2af645395 --- /dev/null 
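Review bot: The path `cres/Was:_TBD.yaml` contains a colon, which is not a legal filename character on Windows, so this file cannot be created in a checkout there; the name appears to be derived from `name: 'Was: TBD'` with only the space replaced. A name such as `cres/Was_TBD.yaml` avoids this, and the same applies to any other CRE name that carries `:` (how the file name is produced is outside this hunk). Inside the file, three of the four CRE links (`>>Network security`, `Network Access Control`, `>>TBD`) carry no `id`, unlike `>>Authorized access` with `id: 724-770`, so they can only be resolved by name.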
+++ b/cres/When_storing_session_tokens_in_browser,_use_secure_methods_only.yaml
@@ -0,0 +1,38 @@
+doctype: CRE
+id: 455-358
+links:
+- document:
+ doctype: CRE
+ name: Protect session ID
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md
+ name: ASVS
+ section: V3.2.3
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/539.html
+ name: CWE
+ section: '539'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html;
+ https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/12-Testing_Browser_Storage.html
+ name: WSTG
+ section: WSTG-SESS-02; WSTG-CLNT-12
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Session Management Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST 800-63
+ section: '7.1'
+ ltype: Linked To
+name: When storing session tokens in browser, use secure methods only
diff --git a/cres/When_using_an_authentication_third_party_(CSP),_relay_last_authentication_event_to_other_parties_in_the_chain.yaml b/cres/When_using_an_authentication_third_party_(CSP),_relay_last_authentication_event_to_other_parties_in_the_chain.yaml
new file mode 100644
index 000000000..8d75b709e
--- /dev/null
+++ b/cres/When_using_an_authentication_third_party_(CSP),_relay_last_authentication_event_to_other_parties_in_the_chain.yaml
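Review bot: The WSTG link in `When_storing_session_tokens_in_browser,_use_secure_methods_only.yaml` stores two URLs in one `hyperlink` value, joined with `; ` and folded onto a second line, and does the same in `section: WSTG-SESS-02; WSTG-CLNT-12`. Anything that treats `hyperlink` as a single URL gets a string that resolves to neither page. One `document` entry per WSTG section keeps each reference usable on its own, as every other link in this file already does; the indentation below is the conventional nesting, since the hunk as shown has lost its own.

```yaml
- document:
    doctype: Standard
    hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html
    name: WSTG
    section: WSTG-SESS-02
  ltype: Linked To
- document:
    doctype: Standard
    hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/12-Testing_Browser_Storage.html
    name: WSTG
    section: WSTG-CLNT-12
  ltype: Linked To
# … unchanged: Cheat_sheets and NIST 800-63 links …
```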
@@ -0,0 +1,27 @@
+doctype: CRE
+id: 052-821
+links:
+- document:
+ doctype: CRE
+ id: 258-115
+ name: Re-authentication from federation or assertion
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md
+ name: ASVS
+ section: V3.6.2
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/613.html
+ name: CWE
+ section: '613'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST 800-63
+ section: 7.2.1
+ ltype: Linked To
+name: When using an authentication third party (CSP), relay last authentication event
+ to other parties in the chain
diff --git a/cres/When_using_stateless_tokens,_ensure_cryptographically_secure_characteristics.yaml b/cres/When_using_stateless_tokens,_ensure_cryptographically_secure_characteristics.yaml
new file mode 100644
index 000000000..d536fe036
--- /dev/null
+++ b/cres/When_using_stateless_tokens,_ensure_cryptographically_secure_characteristics.yaml
@@ -0,0 +1,48 @@
+doctype: CRE
+id: 483-883
+links:
+- document:
+ doctype: CRE
+ id: 114-277
+ name: Session integrity
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md
+ name: ASVS
+ section: V3.5.3
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/345.html
+ name: CWE
+ section: '345'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html
+ name: WSTG
+ section: WSTG-CRYP-04
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: JSON Web Token for Java Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: REST Security Cheat Sheet
+ ltype: Linked To
+- document:
+ description: '"Ensure each page is setting the specific and appropriate content-type
+ value for the content being delivered."'
+ doctype: Tool
+ name: 'ZAP Alert: "Content-Type Header Missing"'
+ tags:
+ - '"Passive"'
+ tooltype: Offensive
+ ltype: SAME
+name: When using stateless tokens, ensure cryptographically secure characteristics
diff --git a/cres/White-list_HTTP_methods.yaml b/cres/White-list_HTTP_methods.yaml
new file mode 100644
index 000000000..a3e313e14
--- /dev/null
+++ b/cres/White-list_HTTP_methods.yaml
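Review bot: The ZAP entry at the end of the stateless-tokens file ties the alert "Content-Type Header Missing" to a CRE about cryptographic properties of tokens with `ltype: SAME`, which looks like a mis-mapping (possibly carried over through the shared CWE-345 link) and is a stronger claim than the `Linked To` used for the standards above it. The tag and description values also keep literal double quotes inside the YAML string (`- '"Passive"'`), so a consumer filtering on `Passive` or `Active` would presumably not match; the parser should strip them so the export reads `- Passive`. The same quoting appears in the ZAP entries of cres/Whitelist_all_external_(HTTP)_input.yaml and cres/Whitelist_redirected-forwarded_URLs.yaml. Links derived automatically from a CWE match would be safer as `Linked To` until someone has reviewed them.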
@@ -0,0 +1,29 @@
+doctype: CRE
+id: 483-715
+links:
+- document:
+ doctype: CRE
+ id: 541-441
+ name: Validate HTTP request headers
+ tags:
+ - Injection
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md
+ name: ASVS
+ section: V14.5.1
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/749.html
+ name: CWE
+ section: '749'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods.html
+ name: WSTG
+ section: WSTG-CONF-06
+ ltype: Linked To
+name: White-list HTTP methods
diff --git a/cres/Whitelist_CORS_resources.yaml b/cres/Whitelist_CORS_resources.yaml
new file mode 100644
index 000000000..3c44584eb
--- /dev/null
+++ b/cres/Whitelist_CORS_resources.yaml
@@ -0,0 +1,29 @@
+doctype: CRE
+id: 316-272
+links:
+- document:
+ doctype: CRE
+ id: 541-441
+ name: Validate HTTP request headers
+ tags:
+ - Injection
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md
+ name: ASVS
+ section: V14.5.3
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/346.html
+ name: CWE
+ section: '346'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/07-Testing_Cross_Origin_Resource_Sharing.html
+ name: WSTG
+ section: WSTG-CLNT-07
+ ltype: Linked To
+name: Whitelist CORS resources
diff --git a/cres/Whitelist_all_external_(HTTP)_input.yaml b/cres/Whitelist_all_external_(HTTP)_input.yaml
new file mode 100644
index 000000000..070c13979
--- /dev/null
+++ b/cres/Whitelist_all_external_(HTTP)_input.yaml
@@ -0,0 +1,86 @@
+doctype: CRE
+id: 031-447
+links:
+- document:
+ doctype: CRE
+ id: 010-308
+ name: Input validation
+ tags:
+ - Injection
+ - XSS
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md
+ name: ASVS
+ section: V5.1.3
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c5-validate-all-inputs.html
+ name: OPC
+ section: C5
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/20.html
+ name: CWE
+ section: '20'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/
+ name: WSTG
+ section: WSTG-INPV-00
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Mass Assignment Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Input Validation Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Tool
+ name: 'ZAP Alert: "Remote Code Execution - CVE-2012-1823"'
+ tags:
+ - '"Active"'
+ tooltype: Offensive
+ ltype: SAME
+- document:
+ doctype: Tool
+ name: 'ZAP Alert: "Relative Path Confusion"'
+ tags:
+ - '"Active"'
+ tooltype: Offensive
+ ltype: SAME
+- document:
+ doctype: Tool
+ name: 'ZAP Alert: "Source Code Disclosure - CVE-2012-1823"'
+ tags:
+ - '"Active"'
+ tooltype: Offensive
+ ltype: SAME
+- document:
+ description: '"The best immediate mitigation is to block Proxy request headers
+ as early as possible, and before they hit your application."'
+ doctype: Tool
+ name: 'ZAP Alert: "Httpoxy - Proxy Header Misuse"'
+ tags:
+ -
'"Active"'
+ tooltype: Offensive
+ ltype: SAME
+- document:
+ description: '"Properly sanitize the user input for parameter delimiters"'
+ doctype: Tool
+ name: 'ZAP Alert: "HTTP Parameter Pollution"'
+ tags:
+ - '"Active"'
+ tooltype: Offensive
+ ltype: SAME
+name: Whitelist all external (HTTP) input
diff --git a/cres/Whitelist_data_sources_and_sinks.yaml b/cres/Whitelist_data_sources_and_sinks.yaml
new file mode 100644
index 000000000..344c7cee3
--- /dev/null
+++ b/cres/Whitelist_data_sources_and_sinks.yaml
@@ -0,0 +1,53 @@
+doctype: CRE
+id: 814-322
+links:
+- document:
+ doctype: CRE
+ id: 130-550
+ name: File handling
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 623-550
+ name: DOS
+ ltype: Related
+- document:
+ doctype: CRE
+ id: 726-868
+ name: Deployed topology
+ tags:
+ - Architecture
+ ltype: Related
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x20-V12-Files-Resources.md
+ name: ASVS
+ section: V12.6.1
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/918.html
+ name: CWE
+ section: '918'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.html
+ name: WSTG
+ section: WSTG-BUSL-09
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Server Side Request Forgery Prevention Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Unvalidated Redirects and Forwards Cheat Sheet
+ ltype: Linked To
+name: Whitelist data sources and sinks
+tags:
+- DOS
diff --git a/cres/Whitelist_file_extensions_served_by_web_tier.yaml b/cres/Whitelist_file_extensions_served_by_web_tier.yaml
new file mode 100644
index 000000000..057288ba5
--- /dev/null
+++ b/cres/Whitelist_file_extensions_served_by_web_tier.yaml
@@ -0,0 +1,27 @@
+doctype: CRE
+id: 314-701
+links:
+- document:
+ doctype: CRE
+ id: 040-843
+ name: File download
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x20-V12-Files-Resources.md
+ name: ASVS
+ section: V12.5.1
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/552.html
+ name: CWE
+ section: '552'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/08-Test_Upload_of_Unexpected_File_Types.html
+ name: WSTG
+ section: WSTG-BUSL-08
+ ltype: Linked To
+name: Whitelist file extensions served by web tier
diff --git a/cres/Whitelist_redirected-forwarded_URLs.yaml b/cres/Whitelist_redirected-forwarded_URLs.yaml
new file mode 100644
index 000000000..4e8917668
--- /dev/null
+++ b/cres/Whitelist_redirected-forwarded_URLs.yaml
@@ -0,0 +1,49 @@
+doctype: CRE
+id: 232-217
+links:
+- document:
+ doctype: CRE
+ id: 010-308
+ name: Input validation
+ tags:
+ - Injection
+ - XSS
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md
+ name: ASVS
+ section: V5.1.5
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/601.html
+ name: CWE
+ section: '601'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/04-Testing_for_Client_Side_URL_Redirect.html
+ name: WSTG
+ section: WSTG-CLNT-04
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Mass Assignment Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+ name: Cheat_sheets
+ section: Input Validation Cheat Sheet
+ ltype: Linked To
+- document:
+ doctype: Tool
+ name: 'ZAP Alert: "External Redirect"'
+ tags:
+ - '"Active"'
+ tooltype: Offensive
+ ltype: SAME
+name: Whitelist redirected/forwarded URLs
diff --git a/cres/Wireless_link_protection.yaml b/cres/Wireless_link_protection.yaml
new file mode 100644
index 000000000..8a8023383
--- /dev/null
+++ b/cres/Wireless_link_protection.yaml
@@ -0,0 +1,15 @@
+doctype: CRE
+id: 683-036
+links:
+- document:
+ doctype: CRE
+ id: 278-646
+ name: '>>Secure communication'
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-40
+ name: NIST 800-53 v5
+ section: SC-40 Wireless Link Protection
+ ltype: Linked To
+name: Wireless link protection
diff --git a/cres/XML_Parser_hardening.yaml b/cres/XML_Parser_hardening.yaml new file mode 100644 index 000000000..226e6c473 --- /dev/null +++ b/cres/XML_Parser_hardening.yaml @@ -0,0 +1,11 @@ +doctype: CRE +links: +- document: + doctype: CRE + id: 764-507 + name: Restrict XML parsing (against XXE) + tags: + - Injection + - Configuration + ltype: Contains +name: XML Parser hardening diff --git a/cres/XSS.yaml b/cres/XSS.yaml index fd4a9fad1..c9ae386aa 100644 --- a/cres/XSS.yaml +++ b/cres/XSS.yaml @@ -7,57 +7,57 @@ links: name: Configure CSP configuration properly tags: - XSS - type: Related + ltype: Related - document: doctype: CRE id: 764-765 name: Sanitization and sandboxing tags: - - XSS - Injection - type: Related + - XSS + ltype: Related - document: doctype: CRE id: 010-308 name: Input validation tags: - - XSS - Injection - type: Related + - XSS + ltype: Related - document: doctype: CRE id: 760-764 name: Injection tags: - XSS - type: Related + ltype: Related - document: doctype: CRE id: 384-344 name: Store and serve user-uploaded files such that they cannot execute/damage server or client tags: - - XSS - Injection - type: Related + - XSS + ltype: Related - document: doctype: CRE id: 161-451 name: Output encoding and injection prevention tags: - - XSS - Injection - type: Related + - XSS + ltype: Related - document: doctype: CRE id: 804-220 name: Set httponly attribute for cookie-based session tokens tags: - XSS - type: Related + ltype: Related - document: doctype: CRE id: 546-564 name: '>>Tags' - type: Contains + ltype: Contains name: XSS diff --git a/cres/Zeroize_sensitive_information_in_memory_after_use.yaml b/cres/Zeroize_sensitive_information_in_memory_after_use.yaml new file mode 100644 index 000000000..9fbc75ebf --- /dev/null +++ b/cres/Zeroize_sensitive_information_in_memory_after_use.yaml 
@@ -0,0 +1,21 @@
+doctype: CRE
+id: 715-304
+links:
+- document:
+ doctype: CRE
+ id: 208-830
+ name: Manage temporary storage
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x16-V8-Data-Protection.md
+ name: ASVS
+ section: V8.3.6
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://cwe.mitre.org/data/definitions/226.html
+ name: CWE
+ section: '226'
+ ltype: Linked To
+name: Zeroize sensitive information in memory after use
diff --git a/cres/db.sqlite b/cres/db.sqlite index 3472af6b7e6108b1ef34b8f417163808e5a14246..3c1fd76b0f8e5632cf424e988af1ba7abc517e6c 100644 GIT binary patch delta 96566 zcmcG12YeLA_3+N_-tLvXJ1_{*wTL1KP_KY72qA>1LK4*!AJQQXB%M&98kQ9p*^VU} zE6%wjE^&!VVuQiPy~Mr5-Eo{a2`-5p#|6hNPHg9UGrK#pdv|i2{PWqr6EpYTyqS6P z=FOWoZ|3&zAG&}4#EV9r7Pyz=xF5o20({EglX`e+K@NPIvvjZD^*QH7MO@&EzzJox zGD5seY~$bMZ$?GFKUx3t>-qKlg9l9)J$ullkk~S#yJLi$nwG|&Q`i~W*c@(X4{vCW zv~KO739hfAwz9mwQmrqav#3%{r-1bS*L?F+E0!*)tFJAuUQ(~NZQTGsQd;d#Q^uy* zV4D~WBjFF=_%i!1^ZSO`flckvt~LW4Rx<l9@dqb%ZQIZminOcCmsBrXUa4lL6P)y^ zDiF!?X3ZEbr7q3t|D%7nhAFp38_h0k$am)J4@jwUYE~9Hr;7HKVLNf_9G!N;)J(6Z zb5~nfT~S_JF~7Was_OLshFabKf_I39DXPGZ%Bsp*b;;6tb;<HYi!h3f8wRIrO;u}Z zs~4Bou2vUTu2wUF*i;qM$%-pyFv?br@^aqN+REyxCF;WdOkWyi>dZu3(pS<vie0%n zlhmWuR?e%etz1%3Sw|}FzsNr{J)ZBZS>CLSVN&Xh6wLHOLN*`&t?gc&BB!RLpmS0P zgYkFxv&_Lv_@+NMFuH$`KdryaKeK;hV0en1os?<)+x$a^IJt(Ysr{D)RB0RGLjQ4p z`UKz=E<aUm41?H4+BzfA)~V|DaC-+NKtMRob?VsQK_9r}f{{{cWg6dq(w{mSk13H= zLrh4LyKrJaN}V=@3KNzf*TGJ|oH}F(I&Y~ZHt?<J=o5UQW~%?~e_pF#q>)LEMn%Vh ze!qVyvGC5$aC>X0c>_?TlKTB<U@Q&)p~P&g{cnglXtjn~Y;y;LlKn^OPX-|0(S~(~ znmYd57Mav3Er+blB1*_HFC&dGA^**Plvw{S0;PlO$lk1(O8>pVnci;MC#O!Cf(}&n zrv~Q~+Ht-+&1jz)OwahfxLUA`7W8J_KIpTcQrJ*ZoL^8{R+=9wxn2D%INbh)3zijE z@NM|Z4LYXe{WdscdiNs8<aWE^?<Bn%{tiC&)vR>^G^>B*5*>}~e|^aU6zrd{^bO4q zK$WZKf{TOhz_CDw|DXON{!RWArB?Cze&O5f{go%;{#yP*zE)l>9g#M;u5|^)@xn6x zS^fZ@jjl(NxHq}0fq?D5>Yf}gw~pfqIWC1;Q(mK%H;3Chr>p7Z8#}_S4PiC9NiA>f zjAU2TX|?mz`smhhYe)LhO`G7K$oBBm^qNoyPNdgIqs?dZWP3U2LOu}l+lf`0(?zWf zH%8jS4V`uh<qe${fjK=>z1*@S1Zu-AQLQtq&Wkj|0?^vf+=cbe094NInd0S^<38<i zHlrdM-5Lq2OQP!h&d#=_t<AgCdCj3FI~l7x>6NV=U7&b6H-|dmPZ&yQW|2)$M2&Q) z9pO%OQ?y+TH8-mbgmOm?VS_IAO!jg+IIfCY?qq6ZODNK;h8i2&!yO$^xU02MjkKyO z!yD_O4O@X;3w$4H3fo&mftpGihuN_`tcEeU4x^1BXl!e=Q*G<o*c@pv8dBGj<>fjI zb~*;PF51-&V_ShW{@h4MLvxgLHe0P&QJGzkmtT;bUsh0PZv_mJW{uLko=h*d6q8ML zcCWg%Biw+wHov~UMqM24+#GF;BZ6t9*Uu?87=?N=yj%;W6m?R<9faW~4XoS=L}A_0 zTGec|ZgUveUAGz7m5lQ8w#E>Yn-l8TtVUbOz;%S%VYyN}qa@c1;Eqmf0W(^$q-T<k 
zTZ~)Lo#7OidC~S382`G?_DE}!rdGDMN86KCTN~cd9)WtXpll2^Y{f<t3~gI`w5dJR zqJprtHsM?wG^8=y9LB3Co>?11jcUW@P<yBWmJ_vuRMU~8s`Z;ezIH^Qr|scwT`*(R zklL<=8=@_3cmhDlxSGO*N7%?TMR0S^M1|84o&??FoxH7Rk9Krq&y9lcw5kh2+e39^ zVOLF|7;uV}(YbC-4qM?4L!vf8^Ey;4i_OtcW4KY>)E;f=AN+NSHdPG)M{u(Z)DE>F z)SA($ZVbcZY3*!}Ha7$M#$9R{(7IsII;?Jn+S)*(Lzrh~=LYpm@NxQJ+_|u`Z`G|Z zBVouee;tB-dL33+SkZv`U^u{m<+Y3KLrUk^+^8|1K)=O~9^gl6%WJEx30~GS-e+h{ zJ>qOY1@tA{+L>LCZP@u?;6b~(I07oN^*hx}IMlFNZG)L_Dwa+xFoaoc;fBbjNP`;E zfG@xb5Tf=7mT}BAToW<xwuhR#!bBV4LM8}!i^+h%LATq(jRyCY^rU;aCPU*pl(gAQ zL)|w3%eQU;QN|QVKQxErTWrE=U!T}B&c`jp6G&g_oIrDlwvV>&Qs=Zscf@nS)col% zQdo3VV{O3L8%=DO3)NWIVLE8=F=s>LRJA3v6(q^f&>(D)j!rCWMEV+|Ac9yGMp_%Y zK+Cm9I<}evSJk6>xifJ?<5s)6Ws5*Aw!q4SB_~_0iFR~0wTIzrDjOOscDALerYFtI zZ8g~F)UAdJtbxJoFqSG%vWp`-p?#)sP?B-WXE)z77AEZ|GHGWz8M!K3n+K{SoV}Eo z;2rAR@TN#B(A*vgsf#P?%hk*!(bjCNA(|th)=tnKotxD<ke;k$)mbxmRko9=xvXKL zpmD+-ZBbC^>Sip*IqksTaC0LJNqIA|e(`LAB^0EsBZB2T0(FO5Kqj%w#2#40r=F3~ zp=N9%?GAx4(a{-g@5nHR844Q$xus_e%w`W>F5}FG*wJsr2^ww;T?Fl&p<mL45ldtD zSv{kDc-1T94#sJ|>J~i1DtER;J78=UMGd8*!Wv%F9@!ph*rm=5b%yL!fS7B<yh)!E z2CV^lxVbsH1NSe2X~EhX#TpEE493E_;()%(1=5}Eq1KL;NGBFha}gra9d4gWG=7^J z?J`V^aLdMUBUYNtR?8xwsx(WVVO45WYpoCs(XQr3uo*(FFjim@;C5kaq;h9ulL`xA z2zPBu7p!+!D^%6g!C1AxkirlFiKXx*EJuJg6($g#PGQh2&1!2Gw4=QPTDKX~*MMXP z=_RSdQX_h5&nRn!(UDUL+BK|03(pO2>}oQWQ7{jPsgu;0WEvs7QR`}I!W}bBqYmIV z8Hu*8j?MUc;3+6YnCWbRnA0<onvssVX&Qia&7jy|26e)GPr9IEIXbgvgqPdJaT+#r z9Ey@GplTgn@QtMtHzTtK?}<STwRUD<1=1dAahP$Iu3M68*gkW6h7%(-K^4`8!A8OB zR80tGa0Qq>o4(7~)o1mj`nXDBy$p5^!<;TK)7#ahp!_$1)Y|3RYR&gBTr_IAw1+#p z+FRA;aBCB^tYLGQtPYki#+xhufwi)vXPB3Z7-~6z(^|)Ou{ueo@ZeSTqzs_w4QsFt z6qaFKQmsD#rTJ++L&**)$v_bsHTIC7AF2&dx~pf1kDEnSM!`8aRh9K*y{=hWSD&P? 
zrJ%|FBZ_w_7!g|sp@xQV8&)PeVETfTkgtJB;hmuD;d?`=&g?nOixp}@t83b$J3-G; zqd!UAn1QuDgT36gB;}J?=B=vs-CG9`XJTs4=^2!KV#cq(i+9<VUgyfI=k^3a^Nhg@ zhNXElYuoxCsUEU;(pALH3Hl{nTI?z*Q6r`O8<i9*-;bsoQ`=q(e)pe#b<pQOdPo$H zi7$K|{OPGdcb*i)LC3_CUk8s3Zu|4UDQuD+G!0#c2HkKq8uTBOnT@nka0`GQ;b0}^ z#={5aOW=b&6DjZkhI47~nF^mG_!Ps(2cMzv84I7&;gbm;5IJrxeCERkj6$vgK3@1> z_r+=O83Lc-@EHN0aqyV}p90XcoD2yCKB@4*P7&CWaSPxx4?c6?a|V27!e<(MuzwzW z7F-^DCc`HKKI!mL;WHXO6XBBspBeB0j|4XiKA0x%U^#qX`--Or`Cfv5Iqul7wl{&n zgGL7N0GtpnLUyLZz*O9@pO0rLeBFG*L+00z8EKTQ;q7I=d&uq3K|eqSfs+FefGRGz z^CFOmoD@#y0@nrB`wuGbDVHf{`nG$2>HgZiT5gobN-wzn>AK(5!heL`MpuH{M~CBx zrJ6pjCjgcfu<iTrn+DuAku8307#5gzSYwQxj(rAM8-#SakKz+IQe8cMQ%%QhqjENP zVm${=68nT+6b>cb^;2I>SY-wAW&rC;yb~~JMU3sS2I_52kMcbgQOCfFs9Wyw`M5eP z@dt)DO@wOLn>E?iUc2jn7?gA`k^ViFV7dZZYp%65?uhIr-hhZ%ow4DIw6<Z365B=L z?O>0n;42~)04yG`iPRb++wt-Td+j_Gh7WA=|G^r5a8HldXY8%c?Qkx2i=s_MhTkR= z`<JwWyn_7fqN0L=GRNM;vPqV=fzt%qhl_0~!2N*cV|Slgkdt4WlZTDk*6@ySdkzQ( z>0>0?h4+Td;Sjd#GtU6LyewnaxG}srv^@ePz}tW=buh%WNE7UziLU`%cx1EEu?q~h z7Slu1xl7GxCUxf+j)KJ<O-rJSz{A(o2D=w%Pex~ZS2zQ=19(U+Z){^PXl;xbm})~a zcn*mFgIM1r+lEa#Ei=3`gtto5)!mUcHG7+yjZJ>&ENtJ}!`YK_wuIV&cvEhu4cr3Z zT!3K<82?+eB^TpB61OIoRhL8PXXOxwj#}20Uy!e6c7$Q?2A<B2>AAT(cI?QBf}^Q9 ztmVKiAa@HmesaM8-rO1mx{+`P`KBYBOUh;gH(}z0J77MwG-qMXU}G5ss3{a_g$)Jn zHE}|~KpD;_JV3yX#_*<4S2N*i2Go<&(bbx>1-O#a-V(`)ZiFqi)|mtR>*xf>3-<4A zgh9(7g6YI>h<3nX2K3t~m8=jRicPRP31=8a&*B~racy9uC&7-SW~4@rv9QSw>I+U~ zK^Bt9A+~~M^tiov{YoH6Z1ei|5SGkPvt94mTm<^E9@z)$8mL=+7n>3qcCXvj8Z*YQ zgR`rnEz&?Fx+2<wchkvtNZ1a8O@iTkHt;~sz*%Wp=@FZki+tY_+65c=<~CJ>nGos( z{kjzt6jlhEB0J&VT`IUN!|lzx@NNdi8<b@W_AQ68h~s@kXVl>G!XC-XH6$?&<Bhoa z-~(&#h_-_F%C1D?94Qq&F0Y|P<9ssZjoY!)pb-~_nQl5~2IBR$9ubVfEMgSen4N^z z8gq9iVK(;1uUfq5KQayfv$4=%kmz9iAICyZ>k)ih7ZI^Er_3+Lvk<h58t>!LOt)ku zcwJ%M+Zjq1ZF5B>8;_8R{dP$R5w{SyeLAobhSMVKaU;6UavT}*a$rsm@59@>LhhVx z&_>O6$`s$WI#VGp4mD%l8+IHY#J4V_g4+`gU@a{U4FSh7al_zgu_L^ZxK#1dfH$s& z%HI{$y1><rH}9F?CD|42GIvg-<-`RGY6Vsb;<m!XVDANb4MV^s-HJ;<d1D)y8O~|S 
zQ6rt;=4uPI!$P}B4XN{L%NJMHRo3GbC`|A(aBHwr4k&kZXy7&gjHR{JRn<$Ts!{BQ z*%1LZo7tRJShU-}vr$t?vkmtQ?y@?!a>;5~!@rMTt|A(HXc3>HeIL)9p4WqX*h~fm z7IjKj1)N&o12AwJgS)+9b5bdq7saPc%j@T5m(i25PB=OTH<U)4*H~aS0s{!|iA8D3 z6jn<uVQ^rPBWS>yUk`H<7F;-!j5cBo)fk2qubp`MJIpz2h?^ejfo%!sCph^iW?C03 zf>qhX0hJA>m>P_XT?faTmQ>ajMZjb*4M;qGb-P+NMO$|P`(P)HZA@_Eg~8VfLq@!& zU3kzt&GU-f5M-n6k=@3L1hl^ylY{na&}Q=#(=z7Fu0tIimeU`+@OS}GGeH2WYoMae zhMX*;n==k+$(N=@b76k{J9W88JG9TVyyKi(SohK6T2K)YFo(*?YGEH@%T}W&dBYFw zCDtEE$`mKlSAx;5mOI!2zCSJgY>+Y>*osXJA`;+QZiO^9EsQfXEF*PT4zSdNVuEv{ zR%~ZuJ~Ot1=)kF3D~P6Xz_;Si*+fag0bkG*W6e6|CMK3z8v-)cdClBtok}cKI0?<q zF3g`+kjy?vx9n7+5XucY?65JU!bxa5v<cKl2Z?R5%-9?}Pc<AqLfm{E(Pn(Q*$T>~ zUEL9F-x?x^hsG%yxP~Ek1~eDdtgsT}b9pe?N#80C?HOS8G!E_QnY~(p{dIH<;}+rW zRfl%_xDZ~{4`w*W4~{}Q@XkqH4xJ<6C6(YI4jWUC(qk?fYr_Y-jIL&2Y9mZzd`b<v z5j<98qJ-2g%_0U$+tA|B`$#KE8g@PC(?~-X%<-v2cXYvdJlPR$>T1T;GB5;;m~cy5 zCwQtGjkCJO2zGd4Ilu>G8^fJD!Z6KYi8TphsWD6*I8CEpwt<}ve5X7nTO!NdJk>ar zgK5wVK~Q9QFi+Q@TARj#9CQE<0my+D7FgUy^Bf*~K8B!=x!{4oiNGp<qmtzv^@3OQ zJnAl&Kaswc?w9tv_K9B!j|=<x<LG0Er+OG^dU;Q|4?Cb?N^Ni|UkHG}=RDxQ#+5=i zLj~R^!0v&ZqgrANYpH#B=mc8{GleWMa13IMEF6tmCut29B@G|R+Iwi8Od1DEt<h|P zi9_kK$>|3i$$?D|`vx+Ez<*O4&+nP-<G|Yj+Bhy+pdLKrFf&@(l6oUG7Fv?NIMmt& zD>^x9+7xMT0o`CmWpq*+<haA!?t?92ob_6V&L%d&fsG(`3BU>;YJwv^V=o9wx6yEk z;_XaZb2OqEa~5`N_^iu3Kdk7Pm3+22OjK;eFIxl_hMoPkeL;6_&l#5ApusuWDi<v- zpHCJhdh8RwGFhs(!a8=dW)+A6?wCOWI1y^-G`MD+nqnmahP`=IG8Nk!u(U-w@G(4A zpO^*Y95w>SLt3>7H9)3_m`)jB7nC&VLQPKXix+Rl!k44g!A=w(BTc9K(QtE1Xmd^z ztejmNb0X2)P%eobfu%8<Oh7FgCQvr9x^fLIj(TSLxRqE%>2bbvG7oFO8UT|4CU_0R z5)hS|g#YQVyuhvmD`i+9I<fx*x^5^2!*2q1CpP9ZlNdfdhb0>}GDa)*^_=d*$LFw? 
zv^dAkSesy2@EMR=z8$n4;U+c<Ff3VXOgo#%Gg(Kl(MlE(4fLKZ^1-w?;iL}YDj;s8 z8E=iS=>Zl2o|!QBH$|FY7L!9pVzd%6a7GT11z0oSMp;d%%fV;SNltAECvmt-L+nuz zjx~%)JiTXz7kf?dHrR2V<`DZN{lk0c(|e|Sjq|CvP5COaiT+MY1-t6>Z9UUqX9rGS zP=tHq>Nm`AJVl(ILfp}eRoOLBa1(_av*+x}FjQHsb);?Xf#%^8?aU6x`c4&PWvj+w zz?`G=e;J&PE{Nj5uFbdx8up*5X%_dCfhz-i2MMl+<fo5wmoCOpPXoI$y0xBCAGa6p zj}KNjmy>c9U}K)mS{?}v4wx`2>2Zi-w@ANbha|P(?UC>fGNp`Vv@Ns?ODse)ZH|B- z;>e)3NE=A0u~5Q11YJT2fmJgfv<Da)cv7~9H5{(h2pSn5d0`uAAh``OlMfRFEk|6O zU}&^Pwn1c!(HP>#z}8bP_&>o)fOrNP7-pE-U}@vXlW=<$Zg4Yf)j$i8<7eC;YRWhw z%kVTJeiW>IVeyEPXfMErb;<}j!)AvulV<jm&|^7=hpG+)0$UC9B0I@m!I(@=S23PV z`uv_^(@^V{os$8_G~%;8eE5w2HANhDXi$HW$(ddcUD}AF;UeHaY9uxj-kiXSh+6_m zrBj2QFa#rPH7R0+kMT`ORYP#<7{a;~5|%MxEV<?xJum^BPOwyv*<({@1~<Bw_Z0bz zK*<AL&dwOdrUt>x^KmTSy#Fjzk_jZxQE}8A9s+DEfrFUv8DfKorKS>>Bwoub!<t+X z!1g0-J~gl}!D$KsNiEQLyzRu61lSzdngx>JZ(WL&uw_31ltgj?$nXUWPzhmf#L(5) z1LW8x5+^?voiNou)&gZLwRl4bW${9VrP3S~_{Qjq$=lMNLK4+j$Q{^`jJFQf+QozF zzvb9f@!vD=f51Bkc?72lb{gA8==(B{+O%Zsu|Z_A`MY>$?5gy(o&p~PB5T-ejSDd( zp+X=Y)ip`&R-4&sx&`qVLCoHEEK^X3M*re)9t<OEuH`ZVcSz$daOHsO1bayg$L>@t zYwCi!n%r{u)Xc8|5P^V22L~5m5P&#h4@s^qBGW=K6t8*w0Ve{)OK)mBQ`wno&f1=Q zFSiFTIhIer+9fAnb87Ih42^iHYXd##h!M0bRV(BLbXT5_TTS)?ey2!U>aTh(Hd5ha z03yX9q!vQHlS(G$ju~ofnl`XEgEKE{b{k}13r@nab0BOT+xz%1Ol`qYT&%2N0~yW* zjNh^`g7@X1|A3_pV1M9%act1yHnkgJzQzRG-IMDx&IWXkvomBsmtwymjuEnVz~TrP zUxu}2C`N4bL62<u5n70&mWN|CfXBYBZjqWvj&cn5&v(ZYz$x*y_#9bl^K@~+Pl9g+ zUk*MRyd!u+@Y3LU!QH{F!L@LQ;EZ5yPz??a@_|nS?*v{AJPw=F8v~aG&JXMfGzZoN zmIP)6@&e-mrv(K6XZ}C=f9-$5f4Bc;{}uiV{CoYa{tf;bf4RTFKi)so?^3={-c^31 zJf+;D+@kzg=~ebAQ6+qqvP_wy6e<&xVT$bgyYDZ)-};{M-3ONyuJm2#+wa@vYw*?k zDt)ECOy3Bf*ZWWJ2j1U%pYuNGJ>tE_d$IR`x6>Q;uJBfQ%e-0MkzSwYYtM(CKX{(^ zJmfj*`KhPhbI{WT+vQ%jru3DFDLjuot7xt8u+mpdvn9eqN?#Gp=HhH2&8j$CK(nKT z2bI2jnoY&oJS)rnNq9i%%ca?Oa5e{LHC!?GnQ*_-mrcQ^aCR!qeu1-7X!awVoor>% z8sR>rFN<bZ<7_6)uEN<2njJ0NtMpBx*;GM;{6v}`Biy6(O`zEl;clgGJk93fY&y-V zI6IDJQ-r&eK9y$EgcC|%8qMw#?o|55T3P7u9ZKIA$ZCZ1+$o$NO~GH_>?oT32xmuH 
zS+r6(uJnztvfNF=abMqXF$ED)nHZRA0Ri`z(l^Y?0`4(iUkbxL2ID`}f}#@PcBO9! z&F13lX*8?i>|mNr5soT-gJ`xyIHL3gX*L&U12n7Rte<Ar2)8MH3eJ-8N2_t(N5QLb z)@x<C4~1KOeIBdPlZ0E9J~st^F8o62ldUXr3qM!-B${m#Zc+MNG+QFvtn`UAn=9N5 z{TFCn#bDmb!XVwG^dXu(g|i&ZegWBDjb=Z>*?m?PSb3w;yO(BjarSJQRdIF?&Kmt6 zCHze3-A%zRoZUsUgM=HD-kmf%Qn+5}-9fV=&ThA|+?_bvMYBh6w$sW&v#wKmJ7_jn z&>-JV^C|{!quKq!wMuUr&CbHvsFmfu#MxGweNy<TueZe-r5xcJrMKAvqS3<DO7B*h zO~u(QIBWEOjc}FH8=>IUIJ=o<SK(}vmF1oku2gzA(d=>ICrWSF%0dr8i#F11F3vX4 ztctT6X|_bru26bIG@mO#_AHuJadrdEmI#+Cz3XW<7iZVetctU1X*NZ;OzAz-%7QFi zs`Rd**;6>X8nWj6{{rV%QSe7NyVA;{(}bAPyTZzHkKpWbD~nQuA1S@{Ru)w4B}#7{ z&Ax-PwN@655`L)kE~8nOhVwNv-!Akky-R7f1!tGgY*gs?^)9xCcqaxfvVh#nIJ=N$ zAII4RRu+ckVx_m5W^-|NK4ga*E02ovRTdbyb@;nu@L;8WSM%~0f~|Rk<6HTK!IQ!J zgVzTy2zCb71uKKu!C`@K1Ah)Y7x+1>%T0mGKze}l|G|Hs|1$q}f1N+i?^oVeo=~n+ zbY;CVLmBS--1n02Hs1xlh;N<`E~&tBdXF~-%jhz14lJMVc^-phQ}e9#jB)?N{hIr@ z`><PUb<cE<l)sc;k&nuK@>Y4ioGN`Ly(rx({Xp6*fg8y6lIv>mx7-ooTK+Q}D%ZWy z1CE50gB2WazvVZuA0g3=fcLTx`h>j&+W*X5@ZWh0wEvmA;J@=0Xn0=<8-X}?fpDV4 zy^cg)I+>hsFOwee5C^4jYr1=Us(%c}@k^>9Vz?|XFT13$GzVg$>N>%Y4YfD&kErhP zLnz8{hC?x4;W#uD468v%>n`?ez=JJ+|G_2=F-MmSu6a8Qj&8}mnB3>Vu3b3kvF?n( zaT%N=w3wb6;`b%a9&mvq+%5V4<n2j1d|KSCj_>R35q9Wv!TRP>x`XkI!$&Ot{=|{Y zkmYTf5e)ZV9Wwq8&KL#l?0h$bI6?rhQw)<IFXBcEdy<z(9?nBboYUZjTUjX)XB{M# zQ%fENO1MM4=ievpQ|L{1r%WVLzp}2r3V*WeD(mX9^Gd1MznqAo88{^r=U0h121>Do z!d)>CN|A-aZx{%rkfQt{&z(~47hopGW}gt#Gzxfapt1!N<?ew{m=d@n5v6)b%?h~r zYf(Y(+EFxvWd;syCA!OwV@IKlL5BxIp^ZVm9tb6mHpcT2;Rj~N1$W!nfqpkYSvIby zYakRltmu`2Q0TCt=j<qRY<<n6<BD#v<JeIc$C}P?r>w(r7@K^Lm`#Tj6%ACBvFYi7 zP#BwTNQN?RY4-T>l#_4UQLJH|yQDrlkJiLpW5+T2QCV9%KRb^OEAJWzg;D8CM5(A< zU6aii#%rAe;ZTn84FjRD#_Sphg*Ju{CqY@dM4OkL&$u@yDb75bjzA>?p)gtcY9JIU zC)}Sb6pg3a2%gA*nrOGV`z)Mz6xMAe3CbcE$$W-#{s1U>(}+N5U=W}g1L08Bh`tyI zh0Tw@41_|vjc!js(XuOWgITxHrwKSF3hfip2122ujb2PdnX|lZQMTD_-0O2NisoDq z3>>Bc&l`vg9VULr04NhCSTl}$JQ1b5e*PLf4<OEf7-if81L3fmf&-yY&T#z$p)k($ zjx*Omge6ZS3n8>-iH$WS4ip;(Wz6(}FsQ^-CT$7SLgxv8E)dbkl1!RntB3YEiRL!i 
zO1sQoKTuO>m-7K*ymOq(YicU9=fVKNwR$WI_oljs3??W`Ybq*?sR7?}uR6Y`-RH+R zzNek$t{P_2L6{EhYOVvFO_{V*&0a5?DEBz%P<CWE=ujST9}jmAF)VsqEmLUR1&#ug zBPi9{C200-0zRH?vZR)OAkEw+Alpu&Jcl+W<b}Q9T<&8|RD`F6gTgF9=6?}<AlMk3 z5co^rNFWqQ^S|T2#^3B8r@W!upfo5`e5ZUD`_}j-ct7{v>(#svO|#YWlxL?W)BURZ zYWG_AIQcdCaycZAgze`w(lW{CddzjMtHL!_{D=5!@piFK+#=57f530%=kXJG9-TxF zpdX{1Xay=nr$I}e<!(Xy&?dA5m7+8x!#BU;ZXvrM*wCzmTTrt>btKy!<=eJL_c*pk zbazCV$Ack|NTVbtKZlMVf6F)%#m+m7qEYrm$GgXm!Xg)sQovYTmW)g>Z04wh)((V0 zWp#rCLo@q>iBRzz;y|%sP)Qvz5C-i|^*|U@O1A^sMpVc57&n9oY|B7YDEGIlc4rZ# z9Xnht&OgnPR_>-!ch(F{9DhF~_9^^fz}x4#vz9ZUx<FJJ@Rmw<)=CC^pbw2>z+21R zSxXskemOse0#W5Och)Qhd=~sf%$^G+8{c9O0oaUNt)4v)4sgZ7sTl~Th~X@yIGSy) z;>rpc(n^XHhf~0C&Kw9QpWzfuFa_7HI&fWh5)HPT42LPp#~&99DbIwu)7@E>glFrH zi&NP5wR99NJT4Xuv3f5ov%cqJ7rr1CGC<8zch*)+h>y*FQJl#rEzNajO(8WbxI-Mv zzF#umon;u_(L2Oa_Wj~{?yS`W{}*?N#jJuwW$vt*Mg?ELEKXv8g;p2%*fp<+lNqH2 z)$Xhfgi`gLVi_w?J>8vEPAL88*J397etv~JtInul{e@ya1@NC0xwDE5z%^fp>8ysX zT6fkqQp2g+#d2Ce=w!_J*Ozu?bkw-BT1bJt$HZBzKzoThYnoBR_OHYVtcGo8xU<M4 zjeUGf%x2%W&2ncgB!mthh52>HQE?OlMrXLQDj0D8KgCoAY-O|LsF=yVZ^?0IWwAof zeJy$!u({ZsRmy;oZ^Xe2xRuWJ!E@{bvt^wpOLvh{02mUx?OU;om5NxS5Ia0a%wpef zrqmt=YV7-_Iqs}wjM$zx?ZUK)wvW^_`7L|<!c_K`RoG>}ae+H4#3)`_VXv;i8uJ*T zcx#n7h_z*-vn>}LKuoZ?M`*`L$wBkQVXS0`DzNPNVjdL${?jGq^g;dpC)n(n!i4^w zK3ntn&uJykRESxWj&PPG7kuo2Av_Zpq*6ug14T^>a5q~G;$ztdQ7%=O+%K^`QOwWe zg7*aX24@F82;3fM4NUWY;lJO1z&{5LnU5>mg>#jeir06iZ>O)!J<9twIJd*zbk9qk z7Wcn|N8FFPuW+}^Z^}pH1M&>%Q|UozpEN^QAR*UXuBa<rd|kX!Y!s*R-|`Rg`}mo> zh&)fDbI}~`8}2bM52|^z6WpGi$UWPgwb&3pyqaV!6h~8*qNz?`%^cnatf2FUtV1W? 
z5Ju9He9J<2Rs$pZ)Iu?X0T0Y{XH^m4!;7HKz+7<z1qvG|`w!0p;4^;~hf$Ua>o<ek z6I&wo<`RIm&lM|J(RwD|nC^#-JX;yjMmjl3rM+LE6k3w|npR4Hn-<vwi#tlyDFOay zkxh$mKVRg|3R``d!6+Va7FwLbGu4B}P+<9Dn}X*5=4|5?4LoZjYNRuRG^6c8`^@+S z9Vr6*YO#G78w%Z7g`|yyX@gSvAZ;ibS>?_;lK~h0K^RYg{1zv0?J%AJ(Wt5JEV8K~ zV==M>9-3*0?&`1>H14)McUHDVIgJwKj?rF{=H#T?N8<by?yOy;5E=ee^TYyLQmD#w zXN|Ea4jERMS(s(j#{WJZmd{`>(%~gFp0m^@Q~d2MAXBU#vDUdfo5W~VBS6WH!;rWa z=Gqn)bOx+OWYIzW(WlQCY&B*g9V*g^)=HZ~<v+=HXXVl!s%7fp=tg{nAKwwS2%sF8 zKSZoh|LEh>DdC~@?yMc8>_02Tx%BJFmTHPYeL0k0{3)1d#uE4VJlhgCtj?X)g{h$a zwa4aADk%l-tbEq6e6=3mUWOnt9KUR}j5}`WO<dQI*xo8}D68-(Yi9QsMyIl`m(#WR z8f0T1{{^!zf(<tNg8!I`^9WwdWrRMWqO+8@t+1$uHfkR)W>9^>y=4sq9~<{2Vv7Rz zPiqb0V<mSWW_NIJT9!)e0Z}YqlulYT^Ref@L`<1+{{Uuo5Ux#fiF0UExv#9g#iA~o z`N#d8et(Vqd;UYq{ENZ&Lt<mY;<#ZJ)A<ivuwsl0&V;{QdB0Lq<_#_nE)7-(D}pmY zjsGp6Nj>-#kl8%}_}hC3ZqslV916qV^AF({K+Zb^VddPphw#fGhYsPlN6tBCJN!Lx z&ROuc`y5Po|2gm=8>bz_-|suP9RBV-I1B!seQ+}T-F*;K-gO`fe|H{O27k97z>lMJ z9T)_EJDa*&;h*+y{0_>tZiwaPqHrF>ajiNg*P_F925zg4A1T?QtME6X3-EW-TKE&j zWEw~E{`)w;ZzQC-9|YS1i-UE6uHX>=UjwiB*90H&7b^RG-}**EXQLj`f1hwAqz)qO zpuXOVL*`TTz0Nb0y8l_kyz>MGB42G0@){0a`#;=Y__rbQ!rj0ReXmC!41Ekcy9n1h zE0R9~IpAX^_zg(XANp8{^Q{u$I;d`mp6!9>V^X>YJL`*oW{VK|PhR!-j(4^2qlf?H z!&*WN+PpNGr=k=#Y6Wx-Jqc(%)NW>5y5d50dvWZDOB7?LzCvXIs{r?9AcM>8A3P|> zvx6EIYsUzaD26aG(8^5$jEM!CN4rx-U@gFx*R7~qfom?b2=OBVkC8WjpaE?Q-4mM# zUQCYi(<WLts5*EthbN5fzddx-LIP-n>|2CksTMvz9S}RL%?KY0Z4t8;Q{X!QY^I*F zij|cm?8E~d1z^({cM371jOJp;gsr_70!BV`E6>C9DzWh{T*42{v}!@wSSfjePs3lX zD)^7!XTgtx??DXa8^K=(UkE-86ZE#=tc|_+Rin@kutwT&K5q58bI*pqYkTlZM{5pw z;P2{#OX2T|190}rE!XRK_{SAIf#9EpW6IUH2IrmW6?vZLKIDGFp9|lfMY3oq-yyyR z+4V+tBzjah2w85Gfqg0WJc4s+Zlx?Dgr+Tu-kFDxDoXdFP|WoZS~p1c2O0uv0?Ptb zfti6qS%|ehgl--QF(DsAK*<PS(C30U%}>1VLTJg$(x0T?#U?+D3V7+O6KfwvXQ2~M z{}O#BAoXzh=y@Iy@jL|b$-~XmF*${#Aofl6kQBsMNgtAwBJ7o}ASoZDE;sS^NIyC; z?g{j^JFr67&ISJ-JO#WwDeONn=mqpO;)U%o<t2FTii<t_2h<Zg{be+LC@Bd+J<_j8 zYC2H6?8NymqurxVz>hY36BJ#qqNy?05q_B{T`pZ1TXBS6HCZ|WUHY^4citDgk3q!D 
zZQkpo7rmEx`yd2$r?<ts(Yw;S$Xo6$k*<%ubc8R;l-}U4=5OKegtxUH=0D`$lHL4k z!USQ25D*0Z@4_0nNY0WTm+p<FALUDU>6_T9qkQK`c$(>N(!s!ofwuy$1)dE&9Jn)Z zi#$YnSK1Z(?NNS>Tb>15oST#@Pn>l-zeC`;>p<GBj`gh(Bn=`@<ve2qA?j4lHIfiB zDUYy{$K+u~5@P41FN`F_%}JjdNeFC{KC+TmO79v;2s@MhY$PEbOZv5ugy1Xb6(b3O zSJKPgMMTmdHcEQd_!{D(q-QMTUg=&7xmUW!NIoeXkZ!b+-O|sD<OhN--Ed;T3I0y^ zb;6)K^8{hg3^WxExr3hv-}jUX*FXT&tHGy(4+f8WeBv_UZQ%z(b?~O(mBIetxv(p2 z4>kqYx<40Z2)`1#gu>XQtHsHA?)Sw!;g`Y|Av3Tgupv+%s1BSV{5((?$PA1LoaW)g zdBSgm{lXam+5ffw6EPUue6=`dqi3A5M`;s9C9JGbmWu7dN6K7fnv$c8SB5Koh4+0a zobY|%d(-!8h*^HfcZct0-&MXJ`p)z1^L6+(d#3u<`D%StzSDjAzDd4OzCk{h@Rj!; z-j6-Qyzh8l_dX}CjRneu`I`HW?pNGTxgT&JbKmIxiTh%AkNa%*Huom?neG~QrF*(N z*FC{K!X0o6^54ZKaiZ`eVT1gk{1&*vpOqh$@04$mua+;7&zCj1Q;x{%<vNJankg5^ z8S-d(uq;Xclup4s{H^r7^r$#es29dacSG#fwbG?huhcEA+aWbeA!&uQP?{|jOOvHE zX{h9Jee3$v^`7hZ5Zd*G>ps^}*A1>KTo<{{aqWg}a-(atYYBMW%Us#6bXTfNaUt;w z@vq`Z@m29@@j>ypcoS@+`^9s`y&$0XYh-8<gi6c##wbG^w47rkAqHB`Hj)tkEKfC( z5c@1oAxS89uRO^}Lg=wP&Om^`VtK5QgqUJ^jFE(RVtKTYgjiyE6iFftLU`rD#@7&I zD|?M3MAXV|0|TOIW!d-^f?;LeNJ1d2jEp1%!OEPGgaBCSUnGejepUL1k%ZV)=_?}% zfvVD%1}=n-N*{YS;<*9+xLW$FfdMg-(i;W_#7j!QGm;Q1DgD++LYSoVx{-tsN$EEv ziNhnM*Nh~@LQ1b1Ntf_L>BZRUMZz_rph-WCeY!{}ihWWkG@qEbSn!}c;Uejm24<>o zfpnLZJS5#}CC`z5ZY8%%7o5mgB8W&7&XbPECM*?xuaVXdMUM+Z2^J1ol%6n>ry%*b zk^BOZj~U62Ao(asqQSxsq!UI`5YCm38A(MrTe{T1{ZQB=#f)!<qQ`^@R`O9H-Ata? 
zaFckAbi)y05WEe^p+f!*L8(y6lx*Sk*mJXmNuqM4@LcTV)#9W<u9scIUA%a+SSt<^ z-268&Wt=!^wlKtV#B;spa?gcu8(^2G)%7!BmZ!n9%Cp!r$MvM^$F8tzuK1;RmAFr= zQu>v4Wts2~;Su4df-amT6!CwHttb}?c-NlTx#dEM2Jhw_cCB$u6F(4tD0YaaE9WXr z;w0f?;VvO2Y!{XbS^T@wC(;XWZU4{G@5E=Md!);x+obEH$Ha%E1JX{ZPg*IpNE=<Z zyAHXQx^l!f#q-3?V!pChSu2hb-VuHwTp(-}76@bcH^g<~9pbNDe%E+co3uzOmrA7I z6iJm*B(LjVuFqV5as46o<D>k-<)%&x6a^*+(gH&RUI+sH!vBH)P5*2DXZ;WR@ATgy zy8KuBFY%x6*ZiISh=0Am-e2uM!(Zsn^pEkM=9iUkl)u3hjo<DNia7;AJM(I!9<V z=Pq24kc*80f$I@+k&%R}5ptoCgliFUft9>h&M=a2&p@7NB;k&MY>qD6FObI@-@@Gj z*&JxNNFb{g?(MQ6Y)FIPe0hk4e7k&_g>gh4WF#R1Uk+LbN92HoaI@^P5N?)53*ly2 zun=yPzO@i;l)kYLZj`<@k`Svd{nKkmKZK%7f49nACw*p>yH5JlDtDdqHzNtr<I*W3 z3DMxv2SyUYwWU89NeI=J-m$*DSbEy}_G0NNBMCvm(vwDVv<B1n5hGp7^@<@QSt490 zJ!~X%A^DJzR3Z7Gh0rHGU?KEL_ge^k(tSp9H0Xl6jbtf5PBcx!0^xk=PUG8rNZ#QU zHLSYI_;hij@pXyNBi(K!b0K-uNUD%LVkAckhosw#WEnqRY_PsPNBV{J?F6yWNR|i( zrCW?-E+lU@k}4!`vJkZW()AX`e(5?3W50B*ku2jUieV#}DeRN3F_I<1Zs`&unG4Au z8c7wB{YElP*eM;haCb--S-3l-3oYCoQXeGU(EZWEcBwa3lPhW`*3A<>aX~1eu@)c* zvzOks$Xp@4Ws$i;deb6vg>=$FxLo?9g>bp_2MghH>GwtwLe{01PJA^*Tq)d;CxV#` z)%*(Ga6)bqCnC+|7QYhT7k?){E8Z{O3fk%-Q3w6gC@vSP#A)IbakS_cz6CvWQg{(; zonyjv!X?5XVTZ6;SPj}_h5$yC5a9pCpW@%-U*aF(kMq~_KjM4%oqU8}!!P7d=d<~- ze30kRC+IEoGI|u<fo^~%a7ynyIJPvdPQeA9!%A-@4PXbYuk_BPS<w7SZ-tcw#$BZJ z&Y{^<oGqtW5MrfwHqC+{E4{O57KB;pJ%eVo5}{A&ok{b#ID0zHsyI8t%EH}%UZr<B z&Ax-P)2u8s>jI^>jAmh3RC-Hk7M3ifm)#YEDWUWhiyGYFAa}=LUMRinvRI06p3=)M zi@_qN^s>uhFk6&fc3BK&jM7Uli-Gh&mR=TvW*t&`$z?H8Q7X>TyJ8xE&ry2mWic=( zAWJWc!M%fnO7CRa37AewFS{%TQ%dQjm&M>_$pNL8UKWFFx6(^5i*aCrE4}QlSc$M- z>776?0HIu*XP3oPoMo5AMhKeH%Pxz-oK$+*Ww8~)UZppUwsJYn(#v9~7H9EgF@w{~ zaMrpjrd6UEVXv<jE{hrWzhFD)>xH{wMh>=wzFxR0X5?T?r}V;2F_RFO8%i&|DhAiA z_V{|?s+fU0N!X+G!c8#~7c_^`%WjH+_E389O)=yC3Je+K*;TP^!Y-wkT@?eZqV(FY zitSK(?N`MhYriT6S$0(nlnmU8r0qx*wh!v{iD`&m1iuIvZagueOMC-g(fEk_7&i01 zw|%esp7%ZGyT^AM|Df-B-xa>YzC*q}{BgK5*<|cI_?u$ysp9B*{z~sHa9c9wy}+yU z{od`~t=_YOJ;AfR%e@OA!luZZ75roH#^5IJSnm+8+w+a*Z^2iBKM9`cdDruX=S9!s 
zo_m8&1uqWPFe@rp89RNPSTj5Lxm$EkbO+sea6jZL{#^MT`7Zep`8oL)@<;OP!DI3w zS(T^AC31?qLN4c@mO1Ga>2v9i()-d=vN!mC?3d%j&f&pr!nb0YI8^kAlZ7XQ_k`aI zFA1LpABZhT7pLa#m98?>BS?pIrI7^5kbYt$K`5jj8%Y=p>EhU{>0%VSSxpTMS9zr8 z3^)j%bhVKL!TZn1o&d5VJR-*lE5ScgCzxgtTqKoC43cm?Q=V)j;cBLwWhCKRrkrUc z;bx?qW+dTaqdd||9+OjzBwQAh{YDb*3CfC*ggb(=&q%^0KUp%88eCbEJ~7g8sZ4s` zNWz6O=`ThSE|W>`8A-V8B)woH;i8lDJYHBv!fV&Tg@McA-foF<0JgA#x7>5F`=r|= zuad5i3c$A901HjF=n<;;z33_M+@x}!k|(k;bFs_G_)niO(#OI12js@YAlhn3f9uhp z+j4gGUvqEEobu(_1?li(2@n&7vHXtcl7bu>LsSL7cmPpq7-uUu-wN|+h*JNH&u2|6 zBX7+%!LJ#B%Mc^!<A~D`qElF4RqT_YXn~^V4}(Tk8;yGLd^9xn`aE$YZB^{eKa1P^ zg?d#AV0AI9{?=o8aYzOFtf7Duwjt#l&vYW?m!=OHuy-_uO81}U<0e)SLj4~cpF(N$ z=iiyzKktt5{<Oh>u$my~<*^_8_yQ-+t9MLMba@aUl^aw%ce0iMl_evqf=&+R(=agL zVCJO!X$A}7mG49r(qSMh4CvGS(C>9dYoh&Iqa~~{*WBCYFV%AtK&UiY^4k+r9pFJF zdc9BKvh<)yAhvw4u+)L#FVl13MQAwD#$(yP<nC-IxLBX+0kGNCFYcb~1Q+SE+yHJe zN?&o$Ob2*Sp<W~7`iT`aMvumx{3*ZCj?(U%EJ67hM)}eAW!Qmjf&2nJ&&68z;C;^4 z1@iOssUmCM=KJHCm#-JV!>bS?Ksx7tfXNk}5`)SsvZv`e@a(C@z`GuBFpyxB=>_n- zrbT1JgH9U#Uq9$B83{iz6kHN`H*lr@WB+ia*>{&u@visW;XdU)&+U`1lirkuxoXAh zz%D!lj>mh@t7r^&I94-=9|cznhZRgH0>K?c8tI&tI9Q9G0q7ohDr91X$?9KbF;-#G z{q&dPe8un_#>A+BFy@h26e0HJB0jJGf=5awZp;Uvn@BJY_;4hzEt)sqQWvqoJt)+F z#-r;;R^>S)xul53;DaP*jE6iCWu1dZ79cQ}sDpKmklI-5P`;|a;IVOOO*x734&i9D zQbT1FWK&+pKKTnA9OT`^k6|4-`hnQypQcZl3Rts9eFUq2_v6FjkP7wkDS))q;D+xB z8#lJ4@NFRX^Cts*he3pBr@%ZB?nIf9afWs((Pw7?R>Yuk=*crE90aIMofghyof<>* zAPgAOgZ-f+^GBYY!I-lgGl!n77|i+0Q)AM?@Y{BlGGKJ*&;y-n-<*lik`|*SEl<y; zEs5d&1Pk;@@N;Vrjz$I{8vEc@KAoai(q5uZf!n4g=lY*`#wJ7Nd??nl(gDMqkXxU1 zOvsl0e?9B+<&OgdL#y}uf0g5?WC%>Df+9Ujr8HpD??e2=L@d2N4XXyf(co>d!ybN# z18XqQ$}iHVjs;q#{+aZ=V}iGg#VA!{970;iLf1h^bJN1`J5!0QrDH%?n>z~XFjOE} zJ!4aE;n_lkxwjUU&qCbPOzuH07=t5$#eod}1ImZWL1h$N=A902VVv(B=lPAN)icq( zPCh1AODCoKq&jdC?Q^BTe(?rzznCg~Dx5Er^S|LQg#8|ePCy7W5Cr#ZQ(Dtn)=q0l zg-~QFk9dAmPB?QwO<@ZUZCaCz6zwuuT1Hl_cCxL&KDRR`6&O>yX;mVrGNzLVso4`& z4%jMNU~AP1XN4@B7%z*l>|sbwYg(RIT`7xzHd|irAXHFB1N&nyPDYuN%1Vs|wl0xY 
z8MAW;t%~&80c{4lYBw!QBvg>YD#atSX+q6_Jg`LxPgpu2mMu=WYKfzRg$2}nAqGT2 ziP68siOniw2ce{Y0o}8RE*kojnCj<kGaA;7*qg(VI<jh^qrxI)vBU<CK)Gp63*xIP zf{<k<o7dEfr7?)d8&Z*8Js>}+{58#wr&f?t7ROI@a}^*NYa+EUVL7BK(d=HvJm_A? z&>_{ak0qWNNMzNEy+0D=POPj1V#c!9y)16oW8-Kpdn04FjY1hCtL8d*Qe42gd-NqC zD;6A$Bz1E|(pEB5EE^-M<~T?d7SgE}doe0z#cl;sX-)8stfi-{`9CdgrWH+?J)r#9 z;?;F|7I4MTnR-_2qX0jNX;wVw7mh)yF9n`Aow$^+E_T-#luJ<z#-)x$6Gv9fbhf;J za?6lJbEd&#n~6=Q<4uMtt!YLgQgNKPPSTf52P|`>8sbKZZbU2tWn}DyG?bUtG%Xor zr=(O)fR`GR*jV_ohwUau6TH3{-;?4v(VV2OFQJV*AjCD2Y7N%N3$lekEc#o))&Ks( z*=bGiGGJmAbcPdV!K2|2ID>|9!MB5t!@24O!Dz5HSR70Zd=>az;Qqi>0Ub{ND+3t; zkN>a!U%?Md|IokFzt%s?pAPZ2?<vnHw<?E~PGzMsT^XZbKgHv|o8Y;LD4c~B`%=AM z!4dlX-mAR2x4~QK&G33WfA##zbDQU|r^B<{Q|i%1xc}+?z57A;HSPoMup8ni!HoS- zejc8l=$E_XmGU%sl=Ka_5FUmD%yXnBsal#M`CT8oUUVIEUE<mSCzCT=W5j>KvC1Rj z^<s}05f{QPHYj`|ye!-SM>M;HGliK#nt=GX`N#O5!Cj$Nei>iH4~KApljso*-GI(V zt*90ip<xIjzR*L!5cn@i<OdyR{%1*`bSCmQjWUB=khx#YXV-J~#KAO>3My^;;(!37 zvtWlaat1<C*kZ-smI$QVJO0*0s`OscUM&$wXVck<Fv^0RP$P+qVSQv8vnmOYvZulU z)K=i0umyToVx6?4=Hz;QQBE;4fYFypptLLK^CVE*8S}c|XGy@cUi9|_Xb~G2G%X2~ zPBK)Q1WLyS6({zo$kwN_B!yX@3X(wS0HNF@P}Zf>O{iu@VgWM?nTkYjCKR@rSLlr- zP)7QX2~gY3GBm^q)u3XVO9*+LU;?Gmic*q589#hUpp+ln+ex7L?7Hno3E+HY!J*Mf zpsZP$NuaD*bCW=6votg*379c6D-K$iW3%2+a}p>k+mZma58@62)o3hUK8!yzv`}Y4 zVcRJ3Ym-2kR7aCQ8Mj*PP_1qSRBT%pQHLFDLMgk@wj@y2<8T7hK8TSdP>r^WJCOuT zN0DEb1WKF5{U`~PHEU}e6gX*dT7$dB2NJ+GJ06{%1j<PFBtY%*acL4LD|<OWHCuRN zJ`4j}R8U_+;X>PtxG)Kn@)BK~1WI{{Y}|tJhcU(#Q)Z$cCMnEX{euK3tRU9j73m33 zTZAe4X#!NUxxLVj6Tq-EQPNk&L9xq>F5TP<NuYG`=3YqxC2NF+Z<}+!O#-IViF-W> zl(L$8GzpZlnu}M)xY3l;+#6#wM}TWS2GbsMFU66D;8)ukF*^yAl1AxCpp-J2Y(X_6 zvKHcMZR&;liv_kpDL+sk36$~!4N3x~{6PLVsD>-1t>(^+17j#__22}kjaz7m(+C5j zj}hiqCjtpwGXDIT@lc!N1D%x!WKCKh543I0cs>!xO8$!gZTcUS66GSV#}_SOBhO!z z2&63JuS^88O4r2$HM<G-Ogz-KYePRz1ky^;u0$ZKbY(mc3`c8LYutm0P{xLBi9jk# z+>MDq+9K|!i9p&S?qO=>YKgAgObVnhTIc9Q7_D+re2q5I<?e_R-5jv2umUpdU+&!` zV9FyjHVKsS2#reur48o(ngmLlj3&g}zqnnLPiS63VcTRyS0{n8veza+Z7Tuy2NO!| 
z-yG0=v|Ze5NeVO4@zxK%7QmqM<Hy0ai$lxefO!AMHVbuePyn(~s80m4L0FLpq+@{A zBm%9jYK>@7B9wJzm{<6g+X<nl=#cQ1@Hjt0xLN2E+JzOubYZNx*j4JPN2j4&6bZf) zd@}fR@I5~gya*nvTopVW9+MUW??G7mk-!fFI|FM2vjY<XZirHR!G9cG=fBi{wwNbr z{pgp{YH7Q;RXmTcLw|JjL5Supu0Qc5QX2Z2Z<9_Jhe$lUEj`CS(eGCNsywG0RW4C> zDrYKZDB~2-_pa}0cs}|f2*F<Ao8}ws{g?MGh}i!bxX4?)HQqw+Fwa*I*6<*_a(Rwt zvuB|v$1~Xd8Q;s_%s&C|UEZTX1onRZ9Rax;-1A%`A*A^mw8*s$+z^U<hkU8L2jZ*C z<q5J3F$}*V4LVX6$7?u+vFXOko!rDgI!gRyP9P{;7=KF@@s~QGxF{Wc{t~A|!racY z5$=yKI?YD+V!;W;_BI=T{x|VZ*kjN(JsS_SnWp?7oj{;!V?><3#v2#bn}@BE=K7EK z9#mfW=PjtQ{DawP1D<pOv0II?usacG^|X=Sp9n0Zx6S!|@le~gl;4{Oq_dV!@RQh# z*;c2*#)d9!?O6cR$ZaUgiDL8hFN-f|vyav%!YFG4i7+~vsfjR+vS(`|khZi#I${d} zF&t#@yXua+T(EVZQq{=+G9G9jrDF_8?0?J^Hu^Uw5VrA*e?ek}@!kPT4($W~k`o9+ zXp`j|5`o2R{I7FD!QQday*3fZ8XULO<C2tf{MF8qcv3UqPez0NZMzSLp{z4Mb`}L~ zVFO;_1mfw%=*HPJ7|5D?zr7^zA46HC_u8Qbkjf8#S3D3d@KIH9JRWE}bLSt62bw$J z5P5+1(Rip`k-VA+WG(t_B9OJ{ci_%l3-Md4kmf{l-gxvT0vQdz69_WSHhui=L?GSs z@m)5c29k=4vW9QBK}{eVqBv(SF3CoyBe5iFF80gX1ghAa0H&KWPK{wGtrYD^EJ`ay z|40PVN>Q9*g*j&<dj~FQysAg+Sqx=#ZK?pzW(;I>PsCSR$Q<b?PAs4&Y+%r9aV0f? z(vd-NS^^iP+8o6#J{U-qD~ekVF^~=^id#rA(BdwbSx?3_380J(k2_a)T$K65(d&st z8I$gg2igP_y=MX~GZ$8G8z0_JEXw%saUziM;ZKP`#)o$jf$Wtt^g$w&@!?b=koEL$ z@j$zEd?XRbT6A07{3j1#S&9o?pIDT&=og7V)}ou7K!*>V`=Jep=Rby0y4*d^<rV`e z-37Liq@Zp3b8$8#OeR*4bLe(lrO6`0&GdtKy0#bUxVU{gE^0|{Blok!lB_Fn{KF+_ zSGdEZpV-Y{89CD!-P4^+fM@I&hsxt&wuAfmi7+a-n-gKh)XiU)2&7W7EfGc;us9J$ z`@bp?M!Vl;!Zg}@Ta3x__=2TO(`-zH(S|lA!e~RA5@EQZhW_7_2&64-kB8YDK5G(T zwD;>0VU*@t3Nzds*c_u;xRe6TQ_^Clgo_hlw1+biVYD&R5@AMT)_|8a2L~Wza5q9w zRWK*$4O|n@0>j`)yU{;Nxm~IDo%F?E7wPpr?ENw98-t!3JTu{<?pAj?oI)2$PfH=! zm#$k~mEs$44aX~7!+*k$K?}GWA*8C-uaDJn_@@z05Ys23Au+#C^sqpOWe0@T!S&fi z`cj?8!Ducc8iHWv`NU}nm=Msa!+Eq7(Q44VBm+%%Vh*a$F3_jy@C)Z=<eGuFJ`<%n z5!2xj;3h3GAiy?P&FG1J$&jd{+eCt2_l^%OuqhK0>Fi`kbRbQnJ;{(*Y=aTjvfB|H zQc%K(Kpa-Cx_K86Netm(!7rFfTGP&CRZ-zF+p{AX5|vtlv><)^fU!rEoIbw`D478! 
zE8}7}So>)x(DPH#<dIdKj*b?xH_IUkCTpS@1k;h&MB5@@_M<%!$!4vaNZS&T%9urC zBDEz$qLZ8;RisCgas=<rX<wUK6A9UtL_%oR_!b~!#QQrVl(EOdTC%H}<Jd%XBVkjK z5w*58u{zsAN~${}eM{1IV>^lVuqxuHtt6lJ2x`m7fV@%P=EVBSm`*d9*_4P>%2;F~ zZAykjC5s@9tO`3?Ra`(@6*Hp7PQ#&IjmaocZkd!C9Fz)*=~`+;ITo8yfE$z1qBbF+ zRj$G#!0=llIDp1Je70ADo6brkW3zn-nTqrc0}cz-L`~}x3E7+^giu=3x<n+KpMoIG zA<cy!A`Gq!T<3qzp8_#WjlSc)1>VQKXM67U<hWs%E<YoEC0!_0y54au7B3bvg+B;B zeje&Y<GE|O)rZSdM^)*nlaHlNKBku%eB7(2u`unGI82*q7aYSLE82m^s!cjXBRf?r zHmumtkx0n4bJ0+xSRVuNbw)IP?EW3d7J!b!@nchWq7tQChv?*qdyHkLc_*r5%fr!~ zsCm*-9U_x0brq)SD(<H&NT^wCX}vf$cGoVH4SgQz=yPE)l~NqG7aO}9$<UP%iCwYJ zMAns3eK@poo6*XPb|V&hj&IGx{<RyGDMNI)5;W1cX%Q>mgKTl(80X48XyUl_I$Q{{ zRs_Fsjsil)tjpNoF?><1t$|md4=Ij5los0ikdX;_V}9#!GbnyU*cPubM!PX-i9Uoe z(-B+<Z@g3L1~bptE{urfE#w2S4SUgeXw7Mk)|4=OtZgzOZ?*<*55>2}zL?Y2C{uKN zhbU|?HG7}UgaD=%#xCE7vi-WO2LZ{5<cz(z4>@ic<;Aizls0LWj&Bl~OIjtB5#xs- zsJb+|7273@jlHd*G0-Ewqelg0OlROI>R9eLB#+TK9qt#I*TM8NozIq&>kF|9#~~Gj z$(O9(j3n##R2|<pGB0lo?t@!l_zguS_xLu$n1Z4z-Q#RuDH|cuzK_z8Jg!lP>qnME zjW8t2adr&h{YA0a<Ixb9k22I-XYiX?cx~g6%IY<3!7{y8m#~HBvtg<e(CJQ0u<%Ot zT%BD`GAz8mPC)G5Kn#-v#1eg?j&CWE`vYSz;&>;q^7?FYZ(|g93m2RTKl1ql|F;m) zxj;Fo?DXB}{f&2wXTAG+`7iQ3=>R+hGeO)dydpFU>F}u0Ahdz|oVx|g-4+;9_yKs^ z)xF{(s+IBLlbKOuUf$DjkgenPo?{oxri_xULu@U)8H`ts*tpNZfDZhOAI@5Tcnseb zDABX^vN*KY6VTEN*6TRB)-(uh)1PTi`}BvO;I{RppqQE&WckY|Htr{cbz3+syE#L} z9>#xxPlw;Hwk}7)O&@kIhFtOq<m=;gxLO6zeUffsnH*ZI)^CR2xLpFzT6S3Wjd{_g zSf8xJMJw};ObiGPiK!Q$p^Pi!LQYW`um!GLSv!EE7a(?d1(VtqDAi}_@LRjqy+*(o z8f)&gO>zURSWna8f|a$8f%c7#tE-?yFVo?E6+Dnmx<J}=f1kalMw?3XVjbVGT4vyp z8u44K4tm=HdHM_;U$HVS9>xe7emOP{twb-?@g=L}wp!B`h~pe+ZNZ{aeUXkYTWL1D zG1a0iRG+l2I1ljfbt^mG{p~0YFTH45SWj~A3S`(CDH!$npp)R@RlJzn3|~Xc@vQ}z zIg=dHR#Hf}I)-{LH1BNca0e@qB-2b(%>_I<T*oqR>%ql~Yh3XcFD7;&6)GO@sJNhv zO$MUn_I1Hh9oFGamQ}4K<TigTzQY8|0Nl$;Tn4J0KN(~!1EK9`2K=DmW!!#L$cfA4 z_vB~fTjj&>a@9(Cx;zGMh`$ZbqTM8206*9eL06&I(S3Y1Ka~#(6~ZLJ!+*d(&)+VN z7bW2@!n49{!o?7${uHkTZwp=$+!G81tKcUQhd`|Q$-onVTLYH_&W3391%ZOV2zU|a 
zJ^%Cm6aFjx+Bxu(6LtO>;twEb-J_fm&VpYien|Nl{8Vd~vKAf}nyj3LzVLko9)Kr( zM|_vU4-sz`f9<RBmHAYk+j|OLBG~19&HI4&dbm>G;avmozGd>8z(eqb=l7mRJwJz^ z9p3E;dFFd^J;U7JxZiO<<G$T}x!CURh8xw_xg#1n1TTA)y2rX*(#_IgcoS%YR3+t# ztKqKZH(*ab1EK6!xVpvJu86A!PSn#}viNb_Ay^q0FLaILTkVe)78X(+#K(Dxaj6pO z{Nmf}#fq8a@xOMu_aOR+?SA+}i9jm;{CSB$Dx-X#QJ)6SJ;MF&f@xH-@{h+Cv)NJn z*hC<snU)A--QQ^MV4)@9>F^VWZ;WscNg)qPLQC@VY(F@4pE#QvakxAs&P5Cd=r$fS zCe}(<JbqjvkXrP7dm@l-3wXOj7Q2YyQk89#M<o`ebCw@%?`lCYlZ_kgfWku7%xj$F zz}3oj6a31!lSm9@qZ}9UfPrj8niA=<5!oCMw5dhD*$#x0NX&CacPmT+_U-_zHsn8h z5#s?-#*>lut``?DQWx0)1?-X=e*ptjuB<FBU~KGR5DZ|IoMQ(R=CiJXn4_P-Y2#(_ zr;T_P(()+ooEZZdqt9}74+B{*4kiLw?Y%Z27Nt`AAsp|vK}{f|8+W3POES7~u_NHC zV140J;>jA**zh*<fkY^)bZ{b&RXQ{tXqUHPi9l8|6_1W_+6WW9cp4M`_4aWqX8Tlh zt^>d<S?*pZfDR!qI{<9E$ot^emEaL{ED5-F=8_2;0PB0&-nkA+Oqfv60kHi@*=0@u zRW#iD44^^XY}<%-Gsw!yqG_}U`n?lCJBTJa0Hw49_nre#NHrO9EG=45A)~d$S%h|- z_t<%2y9m0_QNY&qpEv<@H9=R|0fp1@Xix|Dq65M<p8OsMpoI1CcTNBmSnf9tKruDj z&}mKpOlHma2{$y}31PG@cLG>X${m0r#^32q0M%1yr=5%DeNS@QH^%{B*C}T@zo%6! 
zaehzRwA%4KyRRE`eoygNq`Eac2@F}cJ?b*tQGj{2JDuOt2H~Gnv(cdv<#@5VU>Y3= zewD=|%`i78llV1uQnp*%^;QW|fQbj!>jcocxoaH&=HcV6wgI%tf>K&J_mB+&044?J zIRGWJ1RCmSE<5bl?f9O#X&W4bif!_Lrvp;Rs<_z+U@K4v>M(xz4x4PWvB<Vk!uRa1 zAFnzn5g)y&|3wGHHjz&{0aSF*TaL=v_wDuq`OJ<)ciIb3+0+{OsG|fMC-j69Ks%1` zyr3P=r&5TfI11S2{a+n`BC0~rhnfSzOfd9`6F|iZ9d`iO0|_X@0m!G7@D8n$Z)<Pf z2$+A&)Xit7Cg@Cu5uDGAVD1A4B+u5%<#7<ku*FVD0iB3QTNMYQ+~iKhLFjUT3Y`!p zE<6_pp+d>UMVer{6pMJ3@w4XSEtS#SZZ0SXe&T=9f0loka;xu4-x=WN>hrwiIm>-S z{svypIN$ZEYmitibPJ>5rNm}F9o>hrxwpC9;Om+`Zj-(ecDtr8$=VXzgT=860Jhi8 zHz!Jq>EPmheeCMHk!O@ohes!@*K0bki<9!q@NlAg(A04a@RSm*FxBuh!d`@(oW~B| zi7KJSI>&~-tcdb5wrw<@nOT%i9K{WKZBlX!+a$NlK@OHt>f^wk{Pp*O6SP6ENlJ@a zS)^%xy+U6K&K2`S0zVQK`{TWKKRrBiG8mpYDFwtOafm;@F9~9aUarF%6y_T{#=|MA z??=ujlrY6&Jzs}sDBy?5V6#BpCu5Hd;Kx-kP7%1A76Ojxatb{NzOaWLK+NTY5o3dN zB!a&&PlpF7tOr{F)$uHpiB$mZ*=oS5G%6(oull*od1(=pl&LzrNMZTu2xI>FbDo{l zTZm#n)8SQ$iPH#0eO&A>y#0-x{5$hvBf8P3Ntrr4N@00oQmI3p{AexvxmoOqIV*Og z8%+eEsdS8TX{mjbGh+S&$PJ@BH|Z!-i8e>MScf+$EC-+ZjyN=ie};^?<n%Aawjey5 zRjAJaJoEjBDF>15=_Blo8&@3GZ7)(-Q_QvrF=rUONMZNWvL)8=)0P$!c@OLGBt@bN zi!Ob{g|$qFCn+q(MJVH}AK|rLX2OT_F>*k2)*(~`e!iKE^f)pz9pP8Zojs{b$1hbF zM<oaHX$5gV>5NC_rFnRe)3_(O;GMym!25x#1JnJd{5|j^sZGB7d;#yx@W9s^_bu)@ z^54O6RweyGx)>h5j*5R2`{6nKN&GH2hTP9R3CgP5uNUdt8LvZ)FeZ2Z1KFOnTJ|M^ zF)7jK=n$P?%_o9)izKo)>S7o#kPm)R2uQHp!GW*Qs1cS@7{4U9T+h-W6v1*&mwk=c zi!ZSk-xJ#c)AVUN#38^BXOZdnyRT6x6Az3rs0@NvAPB*n67Yo6xM2c2dLmTDlve9) zF!U*eNDJ}buq}M-lNb5S33=vAHM*ilnTqYgDweJmhKhakTa-O6q~lNoQ>PCxRIGC( z;e24OGDB~HrdfIdGjq$oY<hw)X>5L8wT{CPY|XQ+tfYBa@CA|0O*)QAh+j+M+{rLW zAt=En>BY=eCZ{Wzc}5&aqaI<@Y)4XbwFOZpM^dK&$;}RuMQl%p-`&Z~EHy}O(s6u3 zVgv0YtKmQq0u-zR#pSm<4-|7_58RIOGrBoF45Z8%Kwf{tvmo1;0Zf&^4ESN}>SL&S zbhX~-WMdxN!y0UaF9;h$dIM{vZTQ$w!|+x5bO>00AM7NechPbCVF!`!B0WP70R}k` z8xw;`FeFxW2O7*IluVX_LcK(Xm<8)VkKnx^iuMCNm@MN93L5kctXZ~&o0?2SZ-POA z0~g|XZ1Vz{>TaE5#7fylhZqzsCy1tA%ShR3WQ;J^c6iLoCQyZJzYDZ7GfRxYZ_x2; zUS`8=)ac+F?QhUmCq<(gmY{*it%|FZwhC8TUSf<T9-a|gEf<^`*bT4CaLRn&rQSEZ 
zQ$3yThulGVgLKsO4_A#C1OI;!e>ObZavW_z0{3IC_Hg;|QB~c}7ch&N3x!OT*j1x= zIJ@n}=hkM&Y!ijHm`)Tx^(RH8V@Oe<ZpG2TGG+l|11xu3s2d+uo7LLHl+waM2o-?l zO^QZahtcLLMcp0{Li0F{9FTV0z^5@`Jv@eQSMs~zl-ja>2$DLMx1HeuQd^)*pWKa4 zsLiQC&`#dK+fK#_TB%;#Eit(#Xwfv@CieubSfA9552wv(M9{80WuHa_tw=BI#z)hp z89>m^_{4555VS&Q8;+!$VNBcKd}3cyFh&qR)Yr`eig~bq_TLbDTrh@F2Im**+1&_G z%!jGA#g^a5+g25W4!ro;jpHWG*Z7|L)Mnh7bn;<6g_udR(fYR7T{rT~pd?7xz?rJ= zqm|*aYuo87=~O<PnL@xM{HQR|MNfQgKWHQiC63{QXi2M2<QNqH^d=i#a*SIB?SXhn zOA6AyMC{2}yc)HGfw`NJA*$-+m&o>FrJ>UD^?5pkOu`THkp>aGGMC6693@NJ;DS6o zM~9$E)3Sxtxy>coI%g1rK-C?#kX9fzl>9;%Ydgl%@=NhkQw#X(IQftA<8TOgiF~%) zATNL)t{DNxfbUArNq0&=kq$~*rCMp4G!A}~=9KF-*8{HWT^G1IU2Ea@XC}J_i+=~Z z=LzvPF(z&dJ`p@8xH!lMo(${?l){6k*ZY^l7Vl-{GG&7@34U7s1pG8lvG@N~_vZ0& zm(~9Ge3oQpl9^2ReVL|9lD65Gt`yQXZPTW0+O(9i6sE}}oi@p&S=t7LFsl{WD|`?U zr~(QI*bB0WN)<1%yNloz7ev%6f_h!p{Jqcf`8>;K60hE`fBo+3`@NUubLKqf+0JvG zbKd7Xf5z)gg9YVtynpq-jx^9d-=BSt`-Xfg&3ULj{RN{3x4u{P+x2twIoiwG4O%mv ziGL2p)B;_53EuqgY5tWyl<_5h)`>SCEE~@apb4ve3++cEn@nB4TdhCT>H~lY<knz7 zKXU>n_uRPFw{SQ6`(pvUTKrvma+z<T{bu+d0=j%{SUa%XhoCO;nH$tgMYAnu`4;YA zf8H9@D<zw+*ZFW=Ao4eKeZKU7KBc-fq&r-*Tz?n3M!VGYcX3W@ud9xT71Fb<ZFGOI zmHY_s*4igsU#i6=QA@i&i1S6i!Tmu>b)QQrac9xKtNwktxJ_##&#Ro2tFh<1t`D+4 zp7t%*2dT@ofcil>hCMF#`7$}S`p2h^D88g+Qmm&{ahJ&famA;W$q)K8SKIQk=J|%} zgLF1{e!xDkvJSA6m(|I}x4V8KqZXd)T~dkDNxNSCL4$<FXq~PPikJE%|G+%34Rw;& z%lr#@S{tORLOX%Rg_l<;`&;Gufs9pq?sR_;9x-jF@?oT@K|0a&dzCLu4b@^%>rc2E zm$=@T`v<~RqP^?-AnjAnb&bA-ZM6OLbqAu6LF*MmUp$fTef=q@kS6xkDw(A`_^w+U zd<)qV^t$z5f79#acK+H5zWaZV-7h$4pB?ruOt7cpt+_>dm-vA`uG+V-mhFH1JuH5p zYwLUq_t;He{En)3PDAh5jDA<7%ZFOe-0cHOlsaPd9@EwdMxL8x9}0e`%V*oQ&+$H3 z-wx@;*25w7Iq4_X_yE-;wS<q#W8h!i<U=t{`un}6zD#zb6I#!f>bIsYU#Qi-!nL7x z;!|If($?1d7Ot|T-D2tUg|u3d^U<wkOAJM={zMGyZFx#BJhzL#zo`CQ+bh)e2YGt6 zY~ai2*mi1JvmTqR$)4e<V?c4)_<i-LCf`x_e5%>E(0=Os{(N1&La#l(k&nci`T8=U z=Qr>LWi9dQ@<m>)dYi*vJ2Cg`X9)5dA^x3Sb-jFJvkw<FCQjw0+HxVk=Ndl!+KIx4 z<oJx^&Fa=IQ`PfjIv-H$F<md|=1bdiHJK2_p530%CqgwS_mGD7;s?Rrz*~WKl!BZE 
z-^DxrRle`|&c>s4%kWHAHh(sGFY*?er_BqDKO6Vyf6+H-w`r?Ae*hEyKZ)r{0NSvl z@Q2yf7g}`1X9P_19vI*5g5in>oZS^mt8K7#Bndp*C>vZsG}*@Wf+S(uD(&W|MEB$| z-<!5ke9IF{k_2sY>}LjnyK0+iKid$vT9~|qZF8W?jIMNxsd!_EZdP4QQ*sGz5_VPd z82LBEiOBj=Vt1t@31l1Zinzrn(0Oq+!Ic8wHcl#T9txm^-#iH1mU}@_zzU2EV_o99 z=u}J9YLB&3!8wv#G$uRSB!ET0*)4Rjt6L!yGV?`P+b7`8)|mvVjmyS;f>aKWuRQyf zoOGkwYU^vock)`lNvt}O1ZvB@{wbL!a^O0X1Z{Ijl~#p>AZ-rRB*U0i$H&a3^~H(m zEsLggc7645QUUsJCts8>Xvh~8K_3a@Ke{zR##&pI1iYVnq1eq}>ttPes|mT;j~NHN zpR-bCT(Gj&`N||v{@fkMAkp+zy|mQX!mU|`E8PsxIWS^IH*TsP%B5R@Z3<{V-=;TD zRkkUh<yF@EQ}vQy!k;8izXR>9n5N6?8Uyubr|IFDA4&q$&qE_^4E@a~()QbZFioEo zjwT7#@8F5W^hmS{tqBap<S~Xq0Xy+!ILWmPYh(bH{K;h{wmUhJBq)FG9#Qj5#^Vx? zJ>rJ#*UAtYbFtLhu+EMoq4sl^qJp-QOR*yf)czQx>Qc15d#g!p%|IGT=;lx>UiSM; z;a3XJ#kJ?Uf=&L*{fm4*_5ojy%T;&Y)#gj)pz*lT24v-J+V8cCJfFc$rz@CPk)()- zb3bJ_xJ$jJf?j4fz3S>jVG`jGm@-T)U)HP3%OIP|ANA_Rf$}7RA$Yx+(d5PTRbtsN zns{8V!OBM*gm+F%q*6tRW)g$C(KSWNwS#<MW%#%4R!veEWb{4~b{pGAb;&05(eXd9 zUAwVSSHcyv_UG5tN0LhPL)l3}vDiDQHc7z`Rkd$ltG*vW+{)^z6MK^ge(*@cusaYS zL$eeJIALA2PDcVrveDJ)T4{LOE6IkVcO=h}eO68bAtql*6N48e&!qdg?TWS7Zth*L zZxYkO(B|W6suO#XYlv{7J#~!mTkB0ForpR$yQXSm(p{{(dYNd|J`k4K^Abr?5F~f+ zD1jX|l#5m-SIHq-C5NbG+pcmM2DYPE<2LHcFhnceLnN;tG(^^A8=>_hNhB1E(YUxU zFf{-&BovH6Cbk(TQ!)y~s<3OQv1qg1l}J)4*zK2H*}iQ<x#GoVPVWuP`eHOsSp}nq z$fdW}h0;w)WEM=eLlMWPTT31@W$@FQ_mckMhetN+mus_{leHKcB^FVoRFkJrNg4iN zJJFL!Ef}L^IhCZ?P#^qN&uY(2p1e}?HS;#J%^Yw1!1!3`bm&;95pnhZL~XBgiwc5w z1rG<81pX2@9T*O*MOm(A3Xd0VDGU~Tzu=aF^9$zte~;J12K{xuzk$^+@T}T0!-E%) zkNdXxf_RzmGVhb9wAJhl<Ug1H;rzvVh4#Mo2#S0^q<KdG3IBw4_O*?ZeCvI{|I?M> zSNH0*Q~2><;K4?Zx!ebHjJ`d3uU;a*8QR$%v))&>jD5T6UVVXlmEO$T?<s@&Tj<A+ znFmHY5&KVhw^+*C)2+8YWYkRL4Qd}$`H;cEZ0g%SY|N1#-rwOv(3^dD;Y*t0`+2d} zhr^V_J9Upf(VCSsL*mL~U<}Iaivj!ic+!+I7~Te7neEn@ey_ez{wTlA2k#wmY`Rxp zD?~8zq`klAKQwvG@Vw5iZ`L0Q^fJLn+sqAqtGH0Fl7GLj#kVlV8rWN?uabYy;y$^T z{r!`LdabyBjOW)(D`4t!tn`QZy+pUFrs*YO^tEX?9(G~$TYX~ccAr%4p~l%OeemB> z55IJqUM73ETMqKa9#;qXh3!5BH0cMo-L0<?5__IM(+69P{{G9m^$Pj-=T`gR`=!6n 
zxJO?q{ywwXhYTM4SvzsTsj%qaj7>h+U_{Mki2wuQC!S~3kIHTK7iaJ$*pIqDuTPgh zdIs$?r-03o5Cih#(_+!GUv9g^7%x6*?}?#dAK&}DK1F==d{ca!cb_uR2GT-tTu}#h z+^1aZj8%>l+KI=$vRJUu*ErPv6Opf0jN@w`>$slr`0aiAd_lZGZlI^1m5X<NqYuX| zTGXw5A2BQC6ne0z*{xkW(es>K)Wyr3KkHWEadV-d*Z+=TWUf~2MCf@rQ}g%$>el_o zO~u{vfo%AkkDAg+s=vR&+3D6yO}QoO@9}xkt<PU>D$d+@xun)5n!ZRZhA`eKIFF6P zcpdxsaZMQv{T(rN?BlE}OgVM>--IT>$6_&p`d^!TNU5UPVL#e;r8!T2{0ko#`{Rp; z%!zVvetwak-ZrA2UgOud3mNB%?Z7x5*HtI=&%{8mkL`QR$+Ed;u>&flEdF!Mp!|sE zpqypIe);MIbC#6l3t-FktahUGMd>1%)8Jdkw6kt)yIGg}Mmr+BKxY*wULftm!fSMC zfnI(NUws~nER*@3>pY<wLoG$WEczs>Nv4A<@rL!mz?{N|3bz&N1w#cv|7rg@coFTm z_qX0u{&({i0xa=WbDufM*o-{Ji}Wel7qwk@-0(W6pY`+hB^4}y$Q8`FF4(EUpamd+ zpP7O-$Dk3k-DA?$@ZONcAZQg_fZ&^RU$<#t{J7Bp3f9`17eUx@Us8buD9l_Y1!EQr z<RuTlR(B$4ry{wTW8VGx+(jFbgbA>%$7GwZX_~jSo?Tv5D|$mli1n5IdI==#beU(0 z>zK@TYj(TtgOmgha10+IrE(Jz!xIcFO?JT6=2BAb;wRg4+%1QTY7#X`zyi2QUf!WA z;Vc-ghl2<$5+Y!gZQin*^zS<Ki7q?%Ffc1ilLQNJnqwD*YofXmLnAA=xUMdm1S%l+ zGO84AW|xlXNnir_1v$~_z98dGq)xpQw^{-O<lJhJ`oV{m?m{5CU^I~^Bj4XaM7UNd zcmQ#&Qq~bs!A2xFfMO#m7*S@wTl)^^KD0=1fE=;hFootKe-dB-nSA)IQOSpkVtN=Y z5*9#du}a2Q>=rMJu@(txnbV?DMbH_DvquvtJ}ak-yK@?p_i?+yOAoRJ32K?sppt0k zG}ty4k?_$G5!O7O_fjAh4YlH)L2JGg|7KQqG`V9eW|A2GrJ^NCz$~2wh@fk$ZYsbk zx{A-L-<ZVvUP^mPpoi_TFLz^)btJc;F=vm7JED6z*e(Rj(AL}mlUtka4c7TRY`}o7 z96ew{r_os4(5IUt#h!CLp<6?{i~dyf`Jyes-vk#0ZVjv{{1cuAT8pw8GyS*v_xP?w zS&h$m=QG#D9p)d*jJe9_H8lO>dW-g9E#&z$n7IC@DK!pKN=K=TlpPox>>F5FS=oLx zTG105Jn_>Pr<E?Vlh6;QLUI%q+F&oLI4bqwyc2rMyn`tPB%+XsdA5kGB+-&0govXK zFBIy~h7O87OSe@AI(XS;y}<hHb^5{?O({Z*Nbx1S-um`jvuqJtAqP_mYDAGkvUbE( zP$Pm&sm|+&+nfSygp0dZh|3_N^1)sEat(;+46Ezo`qG&jQ$E-7Qu3v22wJ_3-Z_{8 zkc6)=MGCjD!9-;WND|y9Fq^Zj#_M%i<AC{uK7YMlw`g4oFcL25)*MMi7*mn-$PM}; zNNTzyT_NMlv=PeiZ)aEmD;XuJqCnYr1ru5d*b>B)n54~?`ko|J7x|Q>&%#mxxMUPB z_3WZ43J<3MFX5Y|i7h;;xGBfx<PY=<7OhPJVZyt;MRa=|^L~hpCA=TgtUWu;BCGln z`t%u1$xB`9X@ywQ)b)}Twg+=K3GB&eF{Fco#3(9B0)Hakw`(j=-nV0O)P0j)86Hjo zelnVuR28Rg($9x7bl2-rlF{t)5Dtznngj@ibK}RAvV<MYddxM!wRLJQ0du!|xi5JX 
zymIXc#mTSO6GjpsSy-fOj$3ZdeY5W5&H9{0XC(oU<<lbJi?-Dx)HQRxSoh7;Le{%W zjR~-72FH{_&beyz0X#cOVkPZXNF2aS_q%3ViNLVr{e8FS`Dh$S+A$a^i-=pCm?DDI z+MYgoe7jEO@{tu;=ER)#B>|@$gQb`PDPt=Q=K{}BPiT43vv@UbQt&yHZJ!#rJ8)6q zAMqyK>ViKMWC~XKzvDmdpNRzdji>}ril@f|dDrA^FpuKNwi8CP{yZLM^J-^!PJ52R zI)^Qps&mO%Ei()09LI`G)j~q&2<Mwj2@_dtlWj<mvul(MYi}~S6QHy&vfyHzW|e$b zUxLP~U5z(XiFvdS^(xzyHk?9jja(TNGs2=>0ZAzonIoxUxG*ZTS>bAPMYR}fcCg>~ zJsiWsDa0Q~vyv0d8jPk8edJVfdx_18?bW<!OKJ&-oRPUes2_Ws%aLK${oEh0qhYa2 zz#5rVX5;W{9kr99804t#iV<WJ6DUj}1jz#mz8@+91q)@Vs;%}P>T^R0f2ssjb_59} zF5VjTw&-g=)aNalo1*xm)0MoOt_aK!+p-wJg=0x4#>Sqq11SnZI(?YWG`K678zWd} zwO(mVo!6O~4@yV<@Uh0bMxwi<%W!Zgkw|e|DmFDcgs=wYxrVsG<=-wT!@t>?)|o;a za*RgBI<OUJYOaf0U6mXQhW)OxBMJvoN;FatPIQ3_=Y9pbPIb`(N^afz3cT+JQ%XEi zVJ1Z5%x1b|TOmy%w%WJ<7-sCj6oQewn}U~m>!#xtqc+{et6mX|iV~Gp*)h0-DTE`( zVCNPM#@bY{lg66Fcd@;{f}0f-k#y!=$fi`YVEqI$sxc;+$$$xC=EO@5rY4Qa%q<x@ zI?>fp1x`iWusm$FbTBnxOm@nyW)|)G6a^)neY4%YZ)BpU75Te<iS^@G^#!Qsvc|It zE)?xu?VG58w=47nfSBt-c}33@T~l;U(X8OhfMQ013j_Zh_<SH1s3`np;mw8Jg^LQ_ zDtM^i7|wvd`=9WS_*?uFeBa0W8=XF%_e<V{cfHq_|3v=2{Bg*~OXM}?>E^Sjw0EvK z&G@nL31gp8tp8R&r618}uhHr}fA>7)xsm$|w>7uz3NNp!g46a+92<|2N8fQcZU40? z(JjWg!a4f2ld4mBZ;j*h)vZtb#tcv3S8wB-wLYM2$+<TBq+TuD*Tx<kcFWOJ9nhh+ z%S*SyFPPHjWh@Xbwnt|h62WE6=N^6CI`pC`onb~XJh3+5bJ83`dNYlAvV|+IRa*!P z*@osA5}IVp<&1Rer`MU%*Kf?>eo^Zua}4S0H)ad};^eu;qKTsOv*a-T@Z;(*&g6Zt z`sNzafosfw*Vx9y-aOZkm?&eqaKV3Tt|49U#xxPdxO=>@R*w2q-ev2L;|<04KV_@0 zj0GjM6UV=~TF{q8-~tV?S=u$;XdTZxPzX0I^Vy#`7?)o8p!9hE_+jbs4)Ab*cB1uB z=>jg0F3rC_DyP@q;w$T-7J)~5Oom5%7eEp(ljNyS>n%b;3gb8)?>Udl0n6tDuUlmk zRFC&5Da`4|r7(F?n1f%I!kBXPzI3CydM68K?Yo~*eg2cgJXPPWm&*yCC|AyNH>oQJ zU}q;*al`HU68VGi(s4fXX2o%Cj1#N>-P;wIoe>hw@x^y2o?xR$_`j>~qzKt9ivQaP zR{F}8ut8-XU%16A6eDW{MC^rqJb0_RrwZL4^Y2vKED);<zf`t~U+k;Mohszd&sVW- zh32SWMj66-;Z7B_=#|5H&2dexW6z`Od`Kt4>Oo{=uG&O?ofBZutt;QsWPCu&6I=J1 z&#GZMlQ&^K^;rdR>Ul)2te4-`WGqE9_{8YerGL<5utw9xXzco&q8c?#PVuvU)Z|*! 
zJVK<0Kc|S~`MY5BCK!o{@_ZlyP;>6mE4T1XYS+T^^m{_-(8{8(1pgZRa8L_;sPKit z%7WYB%kT7k!#4+h{MYjL<h_!2ZQf+_dE>9fHO3_UIo+pSp{@1wLl0MxV}@L7&M_t( zGq#N{jTmO*Ke0t`#yQ&RI!BjFG&swkE~&K*qv6zcFwU`Ll_w+YE5=zVa<)0m=Uy0v z4R2o<pZk+O4>ke0+@wt);p?pRMYgpvoKie)O^y>mbzV89KJYtSL~ed6Z{ILee@6=7 z9WJ3vdbLe`IY7+R2b!P;5;nUelt^}FoW1{N-3vpSkUXOX$8AVssNG1OYFUxNcE{fT z7siWlJfnEk@TI~Ay2zgbjz?YwKI_emT3r5DeO}Sb6kt3^xS%_J;tcCc0VN#3{25dJ zrY|m<ngWUk`4o(5g|#iH=Twuu>u-8#V15c19^kZz%6jE*if6<c|Bik^V0Nkz-<^tx z$KKIvMM#0Q^zu9U67T?Chw})%tMXtMox=B^_CETqKD}sS>P%4D$f88OHU3?Fp7qm! zUMQH_HzWLDekkEhtpTx<=Tv6>x0&nAxcWUkjKMeqRAMmxo|iiqGv3Ewl%)XI0Y;e( z#un=ffFsK`Sta3z-`6V_CG-^Gb>`c2(oxsg+S*jUUd)yDfqv1<W2u!A*0+^lebV@3 zwT>VCK%b5^L{Obk^DdX9?I=qTQped~(ox2iuY~TCnR+WY5?m*Tqk3bo{ZuJ;=})Dy z2wRmUE4Tt6kj^M>?lr!i#$yhA*3e_Ci;f204K@TGgUkDL;n4!qf1Ceolm+ba&GtU( zjpsj^zbWszyfo67YK=ktuljv@jrN9yA48MvgYe{Z$!ShS96Bxyid#CvkrS3vfMv{T ze`J9{o>G)nS6n{TvSf+f+d4Z$F`S~n<*4S}y#=>JZf;6|<>W$x95V;UVk2E=tQV_N z6s&Z5afY~i*h*V!P3f3H+3Aq=`XXaI8bIuFw45TV##YNaQcCnPN9jpdv3<EQN{wnL zJ&ImRwJg!er1VNw*qPkJDGFbX8YC&P<MKh^ax|6P18fXRQixmfF_<jIpn2Pd?d9|5 ziw(sh3g0U;01-^>ca43Ga-(PNz^cUt0B|XUG5OV0K-Sc&sf}DsU6jL2`r3&Zzcxow zh-8kzPVQ2$TOaVI5X|Itr0bU`$^1+gUa`cO3;Er-%}Px&I~#q4y%HlSC7h}BKpqIx zgJ3eAIuD{bwX0i~8cK>PJIuI$_5rkfuB)?3ijs46wvme$rx4cUot3Aqvag)^JqKht zt3WA`#~pu4SW_~~S*VREifcMMp;=i42(v3$&1^rvT4~I~`rkcP<8t=c;%ZD$h;wYV zRZ47&qW8akTQA1?r@AuA`WN0Jd;N2jxO1$=<?g2Ou`633kms0o9|UiLQalv!7JjDS zTLrrc3Q%nN5$^}y8@!v5{n?3Ps1KNLvMAtpjN`^!{rlR_v}0NbO7ZD%XPUxu&QQ-~ zb`aGflv=6!n9&R>3eM$FDFIK5s7exj>3|rNREZdCyEcKcx~Mk6)WgP#nH$rEu60u{ z)937nhEpTHGfh#sQSD2X)IPYmD~{L63a-rgzR339bf$fynJL90SZBb@>lUp}su#N! zw^Mr}jSyU}XsV;!9-79q5`~k?(5~?=`@xhEYP_F;_T2%v8fB9(WfZ*F@M2;p{FXB? 
z>VeFrFPcX1jZ<+mR(a8y{Fz0=X++<U>&DEKnO3++$%1D(X6}&TweBA>#?NX_doVUC z?m+PgvZ(eYA2NV+NKpvR5l%KMG#gpZfriwj2+G?wlwE=7$-8t}fSQ%=x%$IKUZ6OI zcpESA&1(F7aF-qwmJ|_E8KUKh(iB2&fTl9Dl2r{Nn4gP~l_8o{wK4S}*Bm!Ug+QCK z6#r%p;o;Q9vLjs6C;>J5NZg*Hu$!Y2<Wmp!>X#}3Q~YtOZp4^|ljInF;5a#j9#$in zq=!MKgy0l1xgP0+ShO*P=o@c-x7>Uz;3*Y|Jo5h#HkN`p#p6cHAQgZkgA#yKWKdQv z$*?*_u{UQ3&diZPVJYH4UByh}_TyL1I^n~s`1pAQ=df$Cs$~H<va`w-*`DL!RNq+4 zq@bihM+(eGJ*zyYJo&}urDlsc-FV$NWegjejftUegsu$j3C%&y-91G;MK!oMKN!3i z`t=WidpvLGujsevd-Vz0ceGDw5iOkeE4*Db6zB-d_nazx4er=T;q-!^6+DPnlB@l{ zz*|=l|8(Df`aS{!_2=H3p^yKP|8V|Z)A(=mQK;WapK$n{o}xPZHgGqC_0BXU%hEVQ zIG!$?YADFhCho4#t%qMSrANeAFC8EIeq>6=hp~=3U97jJ8Wj_{HDs*a;6uI&bD`Yz zvMDoXjYbaJwj$Gv+6m$ZX9*Y9C#M<GjbWTAy6`-@ARAc2yNuM_r&OO(MTM`djCrGq zW*M{P56U?s-J1TiDV==AQr<V~!dZsQQ8kuGx83>AsBXK({DXCBmLYMVMwtL+{%Dq= zIH^my$K{6EMw#?cmq4*Rj@eV);TQf&_2XW^9lX~6j5B1mt#LkQs9Sfvp}L&U<AY*V z%{HW0$yh{w&pb9Lnt?hxvrSWC&-E2z4(a2GpZ3la)1oim=_|9#C9ofEzE|-N>&rOS z+hQO6_bE<gy+ODPBNL5@mT#gmRC+z{fyF)^yWf~1W=gM%LE70&T72Cjg{c*OQTD4R z6UGeru|`PBKE{)(q}2iu%sy_LWJq|lUL}_#N&2x#%H-*lVqLOdeq)j$Vc>cN9Nx^$ zY<FXI#*hv*y_|0*`{T;V##AZoQocXzkGEuvVmSaymikcCi*26Jd)f@~!Sg4%hF89) zxD7pj<o&~Lcu%Vr?Rfqm20A=N5zg~A|AEyy#b^-p`me+gUpYmc&DVv-_}vsmW9Yx+ z{m`wa|3|BnqP{Oby!&6K{9vq>&ei*VVk&WwRr15WS4~-h!&u3EqLwxj^Yg}ZL!zOL z75rEB$L`bST+th2x%-!`Gt^%$6GOw;j?6G5Oy6kWZdIG@{WA=i8er6mHNk#4@kvvz z38PN9(D6};AJvM@%zkv{Ok<K1v_}2WM5||}l22e%^I5lLxe<dPe_7@3Me|eUl+8k^ zvW)3jp5GGaV`=c~!QsG{0y_(TjTaQA7Cc|j;eXeEjenu<4&O@ei{6ZPM*hLPhw^;p zImSKu-}Pqglb+u~J>3&bEKM(lCFES-PJaw@u>B*3EQ@HJyxgE-a*NY|6!5fbM%EB8 zl^QvWY<Z$44NL*Y0W-2s95<A#Yeu##QJMy*0LeAX{9<G`1xy7E%*YxNWoe)aIB1xW z{pzEJ@&pSbt49|AC~$S*^2>9&&>vWw2A;sxfvS%gxgDrYRHXqXKp>4vCVi6jNT6C! 
z8bAV9YnNV;(^}uW>I3O{(!}8K1?8D!*tIr%0Y-ez+ht1Jml^T5T?r%pKzi<2{A&1e z5d1(%SOUjVk}cPcqMUh2dbacsve(e$y_k6jPhVxs0Y8EhjN&IOOSR>hV^IpnjHK*L z6Rg1D$#0Y@9*12?I@8m~q7psfm#}Frn@_3X!VGl$+eU1pr;g^PT98hg1S-gpOeulS z+QgM=@@Oj6`QY#(OhFDWrD%Y2BVL)F2r|bYmN}R<OjLH38RZNnst+1?+AHnOdajlQ zifxx-we861OcTOjln`R!Fd@bzed%!l50y8eg`X^=t6itO4iWrPT<xskA!E~`_34n5 zS|S&0EUrsxhQ&RrhB!|qX!81^>+sUwOkmSKUGSrV1^)HE6W$+s$K`L#yB3eO1dQ|a z{n{zinL8H>sx+8bn1)ZDKkRh+9%GXARoyHSveElneW4l@R!hSjFO&t*wS3M{bc#*4 zEK#0@LtgA(qI>IehLU1HbmQ>W(olLeW#l?Z%dFuW?=mjPZ5U52rQwrzF?`%Ga~Otd z>OcpFyo;{<p3x2C@!9kWrKT4eZpm#E`4(w7<arqcl8r38T(as!QyRW_*m$-!qrQ@n z=cc1lW9!llpo=p)px*DFU?`c#G$2UvSe}L_p1(bXCMR0niH4e|o-!zdqdZ*)GJc*A z+0pw|^$2c<L(3EAr)#N`vxR6Atv4?-l$Q~S4sT~wr-2?6`k2^#Jz=<edKk5Wo6^-F zlO3IC^(GCaTpZ(8pIDg&T9DUZV13v+$x!M!fNUVJEDf+A_ck!1%O@Gq+dvEMa8Yfd zGF<_(CZz*UPBNyu#+EW;&PoF>2t$%j!9;6S#*n%DHn-|TMH+xX{stRsbj4&td4r8L zT7^jfWRMpNxIAk#xZ7i!Y>KDb6IxYtB=}(9Z-KVL69sP+H2BlL=Y2E02lKz0AIxhv zKV!UN)asXNFKTnGvo6z?UfWs}LWkhgbV~9i;wS3jxix8#o|A@0lTYrm-*okZRjo}d zNw<N*N#HsBv>^*lSSO!lmPB<L?n}OOK{3%Pdj>C^@Z-rQTb@{uMo3v~`)AaZ#uzP2 ztWQ&_hBN1k(E~nHnRAf!2Ue#MKrV~e!_SDSo->q`4#o?06w`<x^E!%*tlMu&e~>Ly zEoNye$ecN6WZCD{IcMBz5+!K_jyboPFQ_YwC|KRXG@{0QBpIg{Ur@IR<5Z0~LEM;^ zN!<UUA!}eWy@&l)n{Eb$qotm?%}}cKV9ijK--<NC#E#I|+(kvMI)b#hmw{%Zpt0tD z+E6mwi3@gENg4rS?lF7n)5bzMW2~L}#OgGH!_H8nolg}ZGhECn<5HI>P9ro7K#AN9 zZx)#WH(98*Cb2Ay;IL~CK7V`89_$O%Rwve^5gtYgx8!%}9ZKAT4bu49szhTNVPdD| zGGx0XWS-$}6dSrRjW97VPMp^y>wBTxp&F@KLEq<5(WM(uH}&U57Z+8bzI|6PKk#_r zZwg0H^za$~EB?d2Vebpxj{JA>ufbc62h0yp<Nhbc4aO4v>-ss`TiQa;mz9!B9#1q) zjydO)w%wq3Dpx-D!*gt`kG^D_6^^FKAvcOzI`9%N8JkKH8`I>Fa|{c`+qZLXYq@-Y zz)qLB@3b+`O1^9qgE{%<MlqKL12KnHsQBZgl_^A!wq7)SIF}zRJ=rx-5<A5s$Jx;X zYEC(D!EQ!V8qZxTF%t3eL<ci_9O%Y@G(~8gPDp;EP0=7um>x{KWAU?;!&iT-o-lUG zVO3XJ3C-FC$mz{2Vd*dl7r$yu33sIr$+jh>7(hW8#Ce23EkBP~(T^=ZF>-1G71u29 zN>ilP=?&*-zqh~&U<i(ATM5icO4XfSXE{<*aCQ{W(Nc!6^*iD9w{>Wu*}BhE5ERVo zubnok77eB;ENic}RHgLmvehO85UZ^ZvMLc;E~^qS61^%(97@YDZEAK7Z!rae_dIL% 
z*NqKWRQqKY`65v4Z`J@o$YD(5?QA7JUsEfYvOC!OUuSo)i$?RyT>`|fB(W_`5nE^L z$ybQ&C!NLB$rhMB>5Qa@A}jO_V-955=aNNvNXyRua^TPV(ifl!$15+gcolJEe#pFi zX(gH~XjNPTJot8!Gxk44bY1(ux&ljG*^0=yOuK`*H8TIn&O~q$prUCC=8j^ft}<fg zE?2EQEX0^utxsX}yV6Q1moFDZMT+GD%Clvol2S}5qx{XQ#*A$XJw24qURBhIw|E~6 zwgg@ad^k{p3M%^x-YHn&f5D%IYyL%_?zQq?&W|IT{jt35sKs)VIbiyYTZ~=$Z}i*r z@!DP5nV#=^daiAp8IER@J1|$|YN(HC&#sJe|FtDVPoy%j-kzjw4tHgg`>&*u%ZE`# zGt*>mWs73IENU^BD9qsc%d<Te&QcCGwuLX9WzL(qF*C)r^j64fc<d^Tf3vG}S4O%1 zO2LG7W#WUIyULeRrj@vr;opqgfehV$orTP~RaeOqf{(@o*-uWUtV>3<c0p!5p0Br= z1vxgoya9<Z&@6HhZ_H3OtIWYtUM!?dR#sx?SRTmGC3m!FVkz089mpsFa;|6;r-4v3 z;R6{ZNX{u0xdbIf&t2kNc{-6YRx81(P>u&@r9dMEtCGZu428xWZL~tFPYU}f-X<RQ zn`&L~ZDTGP@Q-dl$&phUXwFc$+-X2&y22T-tz1Dmpn=GVHBZj4e)Bf8UFtjJ#>nJ^ z(B(UjG!fKIC3eocskm)~6kwH?GpBN=(3~!^gYgG4=ICxIZ#@cz!NeIE1IM#tUH<O7 zsMo@kAgkLouP&My6*Na$t6XMm??ERZYM!eE8|3;%izqUX@#GQ_E1@YFE2v6Tg;Lh7 z@(3pORB4G5jE<%eFn6~|%;d6VS}2-Ev^<weF)JMD(+HK1rV^$Z7t9?duaz&lF~OGG znQ76q5+&!#s-{Bv9Z9f~#D=sICYJ!ab<CEKLqhAxVwUUXmk=Y4rYTnLI&8>@c56aV z9UY6xJvM8oVERlvb>Pbj?KK|?l@?9be-?b!_<r!J;7+|D@a4SYd13RTT1#MW;it@S z{%5^YjoAg;JU9CvL#3_T;knv3lBn<x!{wE@(4(K**cxu^j`k0(3>P=|w#R$=x}$^9 zaJ(OHkB8Sq+7Cp_+vB~1{qgSbrf8%i+8=I<4i@i<$GeO79EkQtkKiwT@qvNZ{_bcv z+B-1R9}N#4h=$wUKi##fHH;F-^!wPrNO&MR7(N;sJP_`Umov(x^j`ym@&4%2aL>@d zV0nM^NTfT~5gCkD6dR`#tNmLcaI(ZL@P>GQPh>FMHrOBQ?Fu*b_s9Ef(RN0U_Q%i- zl4O6R{ZLnbe5ki0+}9uP>W}n{gog&`2l!_n1nP*Q%dvQGINk~3j&S>dNPnb#5MKru z<AI7Wy~aKOiMzYQ{n5iiF?2G5|DxfFq2KsnPD{~a(e|Oi2nGe>-<jB5kkCl}`Aq(U zV#L?=W9Z7)$9p1p?0s|ONTjX3Kh}pH#fSRaqu~w29JA65dE>oy*P84xR)_~|;!Y3` zgd-5GJC1?w2zU0!drpjhZ}P~}FrJ=d656B#n4R8|!SH@elRdZHAm2ZX`Rl;YMEeJL zk0O12-LduvjSl*8$0}bJc}m@r!1@qwqv5utr=cxfzkO?XZDb(YQC2)ctHpRE(cq8J z7<k=3--H?s@ngf`@^EWE{a<I5ZH)~;61&U0XcnUbgW*_DPqZV3H4#QNhgcVr3+pL7 z7!U97j<+9jSkM#^xxL`9+#&<vXr#Y;nErz=R(nwPM?10RXl#bV2V#TaVT@(i-Rm!I z_I(I)Pj!nucCTA8cCmrMXzySdI@Hz|!-BW_UyPTLij7kT{OiCg;de9JMB8I~F9f7v zv^%{n-rE`LqV2?FIvU+in^F-Co2Z|5A3Beb3b(bjgiG0FybM!y|59HwpQ;hL!<&v_ 
zS@%Y|!#gpKSikm8Htvo2P-S`Yhul)Fi^mVeqNE3Cj+l5Gx+7h#WjJ^M`;XSXAn61N z%?WLBjBPm5J<^S3Myv)P*gajoqiAZkyQwB@fbMXlqoY4MFo2)YX2p)!6W!m2X$7Yq z{5{g;49(7HPy7h94gCm{Pa@E=?~M<J`-b*o!J?hJle7J8Xeib08F4AOrk1UZo3N=M z8*~S4`<7_rkQnm;nzHcG15tFUpGKUx+P^`kpcaNA-Iymw3ot36MmmPtiPh3@tTT*N z6dR!J1rEL84yZd)1Nd`AxY_w?e{!^Cq`jRwjcLR$9lmI3h<-lkY(BPu=}+<g*v0mC zgdT<x>K=%%46|8BnUiRDPvk&F7xe1T{)$+<GEzAJE!01P4Ot!~<yhVw?<()ZI1W@6 z8()e0k*_#8VYsJ)t;JSoz#g0f{o&SlclQwW%^o4_QK(D|z(AxITkv9A#gfjzeDw|4 zQ{E?j4b>X!8Nr(FA1F4yoapwG{z&$WZm}(l^-lXH+;{}D%0}!+ED|PZMlU$ABkV1J ztt|DFvn`e~EeL(y9ogO69_?Qmjt;h0(87euvo{u0VmutDUB}pj2Zq`YFoj5B@W$IJ zNHTj>#OQGBp;>{3vmP_`IU`tUk0)mPH_|}H-Q8M;V}v#VG#M6J`vJQfII^JFckkLz zzTDX!-QmILu|d%=mi_)XPDZw=lw*@rIHn{L9*lGi(B{~*Yir90t<Wfr?G6&DBii1L zp{Lnm6z6PhfqaQXkv~xj0i$mD)Ge?+HqhQ3XNNb`78WMv7CTHOVJ$*U?TmI}En&V% zQBQ<=W46HhxV`-%0|VBnls;o*_s(Y8?pGyD`{={@=h}uUYgg;*qx*-Pvpl@j-t_}c z8?gblE;@*!i#qIRg#nxnOpW&q4IH4q55`C6aCdek#Q0=lLO}w^mdXE?7;I4po%Fv7 zHG(}hS}M0tS0}gn2Ov}0whDw%(A<L^8g4p<lL|~);`aGVGu_%BI}&Lh4zG_4M(pO- z+8u{ZiXWw($LP0ECL=fzqp)9axOHHSv(;p87E&dZ;5FDE=^el^ItT*n16pqT`{PGJ zw3OLBec?E^GyOT*vp?EF1_h2-=g3vGCs`SGv)oK-j}LW^&|;1BLZ3lZlVFe#U4nXq zNf)8M9E6p}*l%oY!{YDhi}zw@fyZ{V38M^T*u$|y=tZ<Yh9j$Y2y*lfK)M5Hpo8f? 
z>LhC-+JRZVIkA%I{N(H$oxc%=YJaRf+=>&1gxL=JuG=|GcK4By$s~z%cH&4xN1c%x zh<6Si#mTai<n6&8>l|iu1I$Rn5l6#jpMS%SF$rbD?A8(DiH+Gm+(!&qr=3L_!I1a# zF&%;pO9a@jkp5V^|4dq;Ir?~G(=MhcTDQ0Dvgh2f09n&aebFb<Y;=;a=8hg1iQ+)y ze~%vPWBo!SClV9=Td0*i?(MjqSp)I@;qY2o1Q?{8<t@ImMS|~`DI8~mWEbQA@$(SY zdxWNJgx>?Y$sB?$%8b*FIMyZ|sIgw`O-x;E;1Fqvlm7?968fi`^`?wTXnb_FFNO}~ z7^Nfs)IPI+eM7U4ZbJVL#vS%zkF$iBY4?fbc>j4|m0Cw5yI$H{jv2KF$1?4xHae1F z+6zlcT%#h`2F&8Z2{nid0n?;YN3iy2Zm}qF%c89uKNN+ffnCx|7K7LgM<c_ea>9Mk z!5DG-ii0gES0OGoy}i-yim<wZXooX1AsWs#-IzENFlCNFv~}o^Bn>}>j=te4-;U8^ z?{v7W8yBzedRP(dP($``-;`MBzW~2T#N5jdM=Txw<-3OaU`pEeM4X#)9Xb+6ajQfJ zp&nx+%*15dh;;!=Jl2UlPUj@d0oW<f8rXy+JFy-l*4Udv=qIT^bldraL8G3Ltpa<R zX_C)SD6QDD-43NaS#*BzPr<u`YXdI_`U*dXr=q`G@X@UWbNmnbuLh9q72jc>*V~%^ z>Abh|QpiM}VSGe?T|cJXtR2<-h^B1^uR|F?JGcX&j3uf7l%u#kPVO?d&1%l9h7ZM+ znIIiSl$lUk<-8esC<A22XnxWGLHt^ZGbo8Ze=3U`sxHT6swXIMPG$voIWDrJ!UtzZ z1SCi1(qIt*)EZl89olD(4<E_^>@ivlDKv=@O3cmx?BS%sCeE~iW^TpHtrwb0ib5Gc zJ@9%OhHG}B+S*_$b$^&A_`fbR=a(doW`Oo^#7))bh$}rRQrydqX!$4hJ?XRb9p*-e z3=~MN$QTgeKO>PrRXdtWb)OMcFj1Z%42T0MVNtTob`@Yl5xNlG3SFEb5XdUlHLGNT zQn?X{ABehFCu%c<|8QOocy@yF>K>(rENom?UR~9d0sMoD&i%|vD3W`lf&LgxHOd8E z?sC^DFJm!>I{xiA)PerU<)*k=S({D88N5|9#zG_4o>&ZB8Q?i{S*gid6f~H3AOkq( z7>;c@K|}_ZYN<>9ntItmmY`T~yY&uafae^8om|&WKm&NrT-lUVdDhL6#QF^IoP4Xe zpk?qTOP0c$T(t$><kqR?G(=1Q@*LfO6xxZH%$HQ$38|K=v%RAk;5<1mN#*tvVualF zqH2|llW)h(GV3eT%=~aP6CR6~9BrpX1><SAh;=8`m*Xc^;GL343=1Rb%FLGS@inZb zd^yvhAUh?MV8y0m8*Qigo+F;nE1{my{Gu-wZ7eEAtZYNzJv{ZevhZUCzbL5nf5Z2j z?=Ige@AKYId+YN1^0(%_ns>dqz<9{$)<4j%(KqNbwVj^VJVyxAhkdUEQn{Y4mmRen z?LaY9$DJ#wq<BPCl4#281DT^(cjRa)Ia^XwA)lzoO7@zQ1Em=x!<IQ1w3EH&RFUz! zF>}6a;nyw~8_afR+p&a086{TAMN~b`PDjoi-4P{n$-0Y`wAbCFl9`B=REbeLXDl}E z@dzb*G88AZwPhyHYJAvK9$Jy3faB%MX!C4WoAvUsKNf4YwzipGGz?%^?nJ2CiF&y? 
zoY@8KWQWw;$DoifaaIQCFg{nZP=|d83hamoi?2r00E^`|t!`Cn8uPfrHII`QSC{dV z=1>MGvC$ml)^nx^FtO28a``x2-1ZN;DA*;2GJuHjgHygfZ+B4!P1r=l&o&REivWv_ zZd$B2wmN{*&k$hD0oHBbV@hBh9bJ>?=&DI9$Piqt(mvb|TlX7kekRB!5LtC%Nro_E zP7zK(UM5+WY%~>I{m))E57$=}XEu#_+>l)(r*wJ-$T6qNc4C$F14DVGm)R2!>@`cV z&^EXhTFnZP+U(#3?1S)71{kv3!BDduo!J74ESCzWAfIzKWH>I@{R8=x9eOAO0NH3( zqJLZ!0X~*XRi~6OCb7`Tvs|5Qkk4JxX>WaSp6SDM1I|2}m0R|n;tV2CV;uFkCx^Ru zHw!$!z}r)gd5qij*Yx|fN3^R7F3o>2zcKU!e{s=O=EX((iz<U}dbj3}3qBmYB-jGX z^{>5O*3S1l=KW(}Y2o?4YX3d{KF=?pll#j{eT}0p8ErdS;GQ~&y9M`68ehuW>lwx` zhDLxi{3pL4@BEGy?rb-{TIM6ae9k4ZWj%spIgN}YhHSs`ME4D*8Mlls_${{M3Ng|N zZ_K|Qj&et%5OHfiME4OVs5C%MR{VF&X~4d$*v?k?ZTb)>!}TT%hj>3Vi<@FEoG%@* zBXDF>Os6W$T)+Qz5bI-gK3rsSZ_3TR&fSr@jkm&U9`A4h9=p~e;PJV{8vh7>mKe?* zF6n=Fx&PXR2Kr*{vG~vc{H_T1^bR`SKga1$ek6E{*azGD(jOfh>c>@B`lLqe4?PjY zbfVpT7?CiXF1U?ie&~AG89RpmI~+!ofqdCC*tjpkN#8R-_d@dS!^eq>Hm<lIN$e^} zl>Og&FfytO<gbM{b}R?t|Dj+1YPUxIg?^<I7x?M!p3LzIGZ!PS&CRW0IWO$;UhGIp zH)q_fkI>~BR3d0Yen9%RY1atc#0ccTqldWE{&>eQd`0kki+Nkh0#=*bS}Pmz|64b; z@-G-Bc#9B%#d;_AcBK;KbS534nHah0F{k9<jKT?mMc&>WqfOvAF#Y6H`VViR=V54r z2S&zpQc!2mfiWVi#^)0O{}9diT=$yYI@CQFLj)jvPWc83kCbm`uDb#5uxLV<96>I7 zupEa4{Bt7+JBG=VF~%?L2qpP<u#X3*3s@*Lh<y0ak<^&ZF~>U+ZbUSq9Nlj}bPx-i zma^?WvHdNd_EmeV#*^lmBXM63x|9>5a0X#r9IB#;MXbre1l5Rb(~bX)*qhxO$4QES z?tvU{vg11L#%h2+7fOgls*TUq`^Xt46l%;y7`U`Hg?!@!gI)bm{MnZGwljQ()So%O zvR!7a%(czJ;gEN0>=?XUj^oJw^{qHE-o}*wZpv0aLaa*jHXrNM2j+rl6xne*@r_TR zVq?(*<Hr?fBk36P;vFAw&wWe0tIi&k(sgGymDk|CwDP*TnwsUd7qWPFAAkjris%m3 zkVD-WiZD*}`id&@AooU(M*9&2>}5)usknYX4-h0D2$!w_T~%3lggI3AM-N1f#AwIZ z%iM`}qrX_|h$%6z*T69LN)Kr+MC1mC!zBprq3sG=v2Gpc+7@qtKXIsUpoHWp8SEd5 zmXI9a(a+uTwAMEFcEoJTaQjF%yoU@qz?LE6Ndp6Y5rm^kqsJl?{#qHnIMx>~KO8Qn zcmNs%JfuHbzPRFGgu<m=m61L|epKQcg=pyi)*Y-Q8vG|oQz@IPVC>5(81f;!e5ksn zdL&$mJuM=dM~@z@h%;w>1@?dCK_Db5;ZHo!8wX$PHTIW*XeIkCFeBY?E+fo*V6dmV zj7Elhk2n##BBWSYubD>>6J-N5Xt`rJI-;Es+T6WeBjFM>R538rTX7J>QqkWNtBCI> zGou3IH!!$+XAA9?{g|{8c9yuw+v5Yhksk2*$3LQ}=tSH$T7tcOd9I~0!hkrr+eC?1 
z7)QobXSu)FIxP0oHUHWV2G|eIBdEp|D}3#vcTa8;o8VCGABgwD=PKIDHu%WBE4ID8 z?;JH_JrUF=jo4fD<7fE}|3ku2`pDjL)iveS%WG<F2G`d3c8|pXiijeYt+ZyL96BX( z#<+2bZ=+{qlyt2Oc9L`08P_E@Ft|!O2XX|BWn-OoBS?g~hT=qEDr!evnP|mMEEFc# zP&Yi)9SGVIP61~cU<KIVWQEWPX#X6#pGAylXU2Njf7&`C(vRr>5CXbOnZtSrxF3cT z=p5>%ori<Mi6kK;)?tTV5ut+Nf@6evzV}B5kJ9-F9pW%Xs|XCSb*uc50tQFp{S3=M z`heMsJhr;jcDE142D=dlW3G3{ZH{J{(Py7w_!l|=?>P$;(Y_)X35jvB%eLOZ!DeiR zcJ)U{Pe!`!Nj*;2!zrH49@PB2BKUl8R-m)+KMMY*V7>nu-)p{F?@`pqE6O|Hywmud zQK2728J%&S&DS<g2`1KNkfl=A!>*UsdsmugNjxMyjZ=gq%nUM9_|5W>tISeKL0(#9 z8r5fzl!6MZ<bSqKzlMSp@vBXxYFOegCgq#gW{`!#)0$c@GL^KZ#6@O*U{wbBC$5*7 zcWpJ5Og^+mNqY4eB%h#)G;59BbbFgre+b=l(OOLg=_foVEwW$DB4ZSFiHb}d6iqgx zV7vMRD0O|@GVnmkiQ`*FiqQ<+tdN~&!_$zc%uue0!v$~ss%ci>5~^O2Se`+i2~V?R z&jHVgnrikTqgxKA_#x0aPH{%}R=(;Krxruib&1jprI_$aM;+!QE9_M>+iW@{zGskQ z!ZXbnzb#%<O=o2MYS1n+On9OqOI%y!H<d(1N?aRP2gotfOPtIWjK+>BM!g)3Z@*#o zjcY)Y$SZL&Z$NX^6gBOP(bQv9kyRo`_01`2`YO?2lFKtlB;g{x{c9|#=v}%Z(y9Lj zSzTgP21z7*$*`JFGY%<BhTJHu=2KBUmN7C%cqHLVhuo2b9&3BInIBl2iGb#iy&^8` zR^I9*PAkaMQcEAFc+!;fd{gkvU{&D5h0hgEDv0<W@V)12@m`0@x-0Vf%qLCVI7k1S z_G@jiCk@l8HIyjM2Eg4;luI18uDwHj;P~3vdhhsFa`>#u7Ro-IeXE*r$BC*z1o$`a z_`R2nMO2kong!aMucyPG#2^kOOr;J4u^Wdr6N|FIdh_?m*)Y<Zs$z2GFxDm3WN|&< z_-RH;FRZ#rTT>Xz(kwvUq8>yVjW4-Zc^!^;j&Iymjy&IN9ta2QK|f7|d+t>Wsyc-A ziIOZ(-hA1EP^K$#W_5|hS%P;vZZO8|*?X0@?Koj=q9F^Ix5!4MR{wTyPW>?w549n( zKzj2*WE`K)Duc*5A`q1Y+MBDl^FN}fH=AZ%ImFA1fW`@D`H$xe9J%sp>Y-79^yV7n z-s6f!Ax4a-Hc^)W(3`h*_D6GCBi~^SWX}NS&0jt{Y|YZt+P<7uH8$;sK(^7Ifx9m^ zWkxDB$aqyHR%QV6=DYu}b+@L=-OuHMt}D#|=FKO`cSX)5F=yrS#G(vP-F&^>eT6yS zwSE}UGH6YJy1CZed?nr;=1wwdZiF^tLxKLNr&fEx<1Na+Jb!!s)V$a7t}pm`!3_mF z3g-ELfHJY|c(DC7-<`fgzNOwjdLQv#=5029YR)syHEuP|(tjTME?!lOggix$<B6S? 
zqEPT<{gU9-!PP;3;OW5Cfn9;Z!YB1Jb-(sP;b38n*EC<xe=vW0-p}&xEc861KT7ND zkDg|1?<UiDSu;N~ew^kL1zt|(VO5a^pTGsze=F+7u#cp+<;UNM8aC`B>FSB%m%rxK ziFE5!mnq9q>2DY>JMS*bqET}S%`M`mp5#7JMgMT2*&;tAxTw0dwNxve&KvVwW?t{f z_jq^>A>BHDT&>PjDoW!l2$-_Ym0l+Kt@(&i8sz-+#Z=gT{J8gh+nfgntkcNWl|4U8 zROn)bsi+u){3t7mv5!;%LVjGso1~IfWs^jUXC!oVnmw0m7rUZ55AtWL)t}+TSrm7W zA6JR0T*m|ID*`3Fu8(g0;G;^}Hhq!c_OpOe=3ieZ#%X*|d4*bEAc{7f88qd40s4H- zN4I*eP#(F^i}}jXt&SHB`Cx#K=cb_pfX~yd=Wa8Ur+J%2$)jMAsr+CQ|GRF@`?MjS zYtT1}m3g>GDbJ>F*z808H(Ic6E;3ihL243@2xuWJ^WPUKj|k}NMTIVWlttt8b>eMq z_M?$I3|TQ>Un^eNWgo8&DGwm%jl82)B;S;8ZFv4He#G|7J^9LyJpaRMT3PJlrCy~H zp0-82Wxzfj{JZ)B_3!vh*uQ-Bn@X)IeHX7%b^U3x_y(_;FLspP#!Iv5*0g8TdR#lj z3Lo|<Z!zdQL>07?KC@9WYURVOTXUZ?l;UsOMfJOL{idvbr*D%JJM_Hr-if}I|3J59 zzhD&08Eg@K{Hb4EwOd4mu5krsjo4D2kI>7=g-)5X1=?1@$&=;F)4H|5Tq-)@$?(^i zbt|<{la=>8X<jhRdbhxwxrXmrPs%o~?jhsq6L{rvSs+vRy~1$8LI2nAxXmW-iTqdd zYx6SZOXfVIPk#gt7VPodV>SNNJO*<Ep?z*{#9lNPiPOT;zG?POXe@_OnVkokb?lsj zaXNX9TFQc`#x=47AAx;-;9q{Nl2yq#fu=f9mql2g-$AOb!;2xj4>+58t#4gtnt}2x zqWau~{mFHvEWJTA6Lz9xX>ArUediE|K(EeG>YF%3%MxW-g!CPo0Yp>qM2xGoaXVo| zEzTlGmD@ev|G08VbNJLJO0!5%bw&t$4$oC;SU5y=iK;B}Q>Fd>skw^%?hw@`s<YET zw1to3xA8blu0%D74cVz6a?H9u%UtIo8NU;-9N1P<K;v9^s%}(<n%Y9gsuK&c$V=rl zLzoTw>l+o*)N*WC-1oARK<MCr7-8`CTmu`%?s9Yyxv9K303%#?yRMX<aX6x?P!`## zd;%Haf8C^BiyXp+L`8Ny2%Re+2$d_KLj$8OI}S9Cjm4NPz1f^0#)S8yF0mww{8Szk zW`w~z)aQ~Nj<qm{k)g^hEk?Nd4t>HXj;QjJMS?0fq<pt1h7@acC2j!hRx{Pp?g{NE zItj?$rofGbZx=Qfob><2zu9-E_Z^fly*cl#yhihS<LB@oT%tX%P4u+mOfN?mI|~>b zm-yQM#C4QP{z*Zqzs4@)4Ou|mxR-#DQSrYVvgP0g$eW8Bl>u~-4Pb8p@x~Vp<3;5F zT|`tus45G@8y|E=Muh=$$Y^eWY~%CC$f!hM4jHc9SwP$PfHShkpH#2ite>@*K!Ub8 zR}e-<wF7gw)qooz+nh^0Bcm#UIb_w?*aUBLZVVukS1pURN1F)XHa-^hPbr&-Q3TNv zaBW;QzVcL#YV0oxXUp-ujBn@AEVXnG)FQcf%CbwP7*n5C#UKjY{1;`HfTEsrxoDPJ z-iL9i$7TkQjc?|2pD~qEQ;ebx6acYtiocGc7+0H^pDhK2gNKM)FV8ZRHN<40J6j28 zY`p?ir{TpgIk1eT8lwW>npB6?vlVs7j|}QJaBEWeUVt*KE>6AHxEG-7mu3M{<8v_Q z1$7S49GyP(SQmh(@yl4;dTh2@vxumcHI~=W@J;dT@q{)OT^amVusASS__ab`L5tt= 
z{m!@An?=onVBQ7hr;OhitMn1=v^LAL2fJ{7FwvL=+=crt)_hy>U08|lV}|Mz^RnAO z;rJio)|M}tN)<;&Q<qqo1=PjyD`4dMzGy1ts2EKx^a;={PQfbB-1kMZPL2uDphVV^ z>=w{Co8X=AD(4YNLq)VIvxIALl;*A9Q<WxBjH^zp&Jv{MLVHCWwl+UxDi5fDW&p#! z2^7xx@xk}iVJ9BJM00i{2!<I8i}?!A*`OTO7V`ws(YOI*D{Qi^AF4Zq`K;=2x&Xu? zeO4Etc(Uv>HX`{q%d>#6@blt}FDVB;ZA5aVF3PS0g}q0t^M9mxsu%@4j@4OUSLD(9 z_EhC)wYfB4{DEBI1;al3vN}Vooq9Mo&H{x~Tz&5=>iiG|e0ddFKvta5#~j`~O|ARI zxBz>bT>~0N^_=>#y61_4!E>`fXDcL=tl)IDK%Y%llUR{m4Z6Md0D~3iexmMvo30vy z1D(y!2uAnBPjb!(v|E*^&#sho=f7&oCxX}@&99+c@1VER6M80eOVO{2?(kLy4+WYE zzf$m~|9xMJZ@l;Q2gZ*JdPfrVegbDCbMhE=Aw^+e5OKRvvHY!(UOSNy&iu|;KSl1H zM9x9+8<w<!@B}4nAU191gxP7cf|}8^k07rAL<q=7x)9DqVlG0J2y}JWX=M~`>+6ok zSUxmj2uOhG@1+?16N`OKqk}l-u+Tsb?&h(TETEjzLBdoZrxigBN@_&_K88SOBg1;w zu^0wIxinSjryP;YVRukBH;&)tL{_&(x+#bn?XY<`q5Oywr{VEej0}P}EW2uiP$`t5 z%W^9b1tCO=9j#@liWs_RxD?4x_!o@@!ig-r%EBoaCk$LCAqt2YGKdh7v>73aV*lRG z^ev56bRmUtumo@cM29G%6bWzG*|>G2sjX>O8L?zPC?RPg026>UL=3kzZf)AWvw36l zHUw!X{&X~kzdGXBDg6JNP)nKEPM!(zTi>*8FCZO_-7J|H@wORJNR5>=R+{8jTJ)(S zkhp~PusnifOiD{bP}&I<9ibHYWFlUWm`O|cjQ@R()<-*IG_(}O-`cdRF<iPW-isJC zV$(6|GOH@kh7ooG^KA0Y8;#k(>``(iv7t<U2dv`YF*;+>?haQE|LqRmlGx^_plY%{ zw|^|*v3wV0^#B_nVNo(Ixg`bw0L$*O^Mu=mdphI2!x&V=E-ACBA1VG(<QE~f$2#Q7 z9j<ic4O5g3Il0L11XLu(OAF9aqR^kyf2^AUo=;;#Yk*L|s%&nx(`YHf{IWzILrNr; zphF`{6^T7arw%u|L_i`Z1BS6wQOHbTdDb4*OfUYM!i9Fe5=9i-NJd&`fX$%rL@&YW za?+uDfB`@P@<30qaY=H4e=9-EQb*k*yPHQ?HxX)O1Lc(4`xzg?2whVXEW?{8Rv{^k z1uw&Pz#prE1yiwJ!=>&0QNlYR`xd!-KqMeht_N90G>D`(N1!xm48am`hVA_rCSD2y zpIO!tKG_@gA2dQBpurecHU=NTS@)zdP#}E~Y@@dL_z_VeNenPSAloo<G>?>yhiyg* z#Re~gi;V}8%l(vkpBnn7<3uPV0g>U6;Qwv#MkvJm4?6bGNAKSsypexv^#0l46&nvW z`Y2O32iM?K=>S||1WHj&p&kRUa2L+#y`%tw?%{89()ya$)2IVq5_XE0*yFtcGwMJr zowz%q@JJ)%i`M?x2+tj?2=8LY34ub9vI<PD{IRW_oxDJT-0hF`+WEX#xlZaK!6QkA ze!GAQ_W2hGH8HyDj?^1s$B4y<T^_)AC<pe%@ms7=MH?Yf8MY(mY`>liswtjJJ)x$e z%Y!ck=LF6yyc+M2l=&0BZ~NwZ2N3q3oEJ4unVPXfzf=1qf{~ZvC-Q$z%o%qE-4H1v z>)b`dufaT9{B!kYO96ZeJTJ>qRMxR88QpU~&kgj4s%sNxWGO5gvCTb3cgs4}sJ8i` 
zsA`sCvW`6rIwja|lT_m>M<H3q#0R!ODYHu?xF#&kUL+`B%09PFy=+|jO8^V1vKNBF z@x7e70@(PX^=cfPfCY>ZvQFf!v2wl22sefPz>@3*pm1(A7yL^7j(Y;}Sdu+oP$0(p z=W&MOh$NaKy09a|gm>w)Z>U`Y1<KlIkz2xBVX^Ovey!H!XR&W`l<bvkK&FfgqgaN^ zG_p(hWtuU%`!}lZjFC0KnThNY?#yIll_!-X1B;O%fSx@&N35=sN@&$4qq{dUOL*@X zx94xum7p`Y^#{+(?xIrBGwl_^^8fnRD=tD-i)%b0m<?HEmpCg9le^$S_4bB4Uf;MC zxXU1+MBZigJ*W-^qgjrXy8|?PSbN}e&4cQdfoS04Se8Xv3HOs-`7PB?MikWz^y^95 zRJxphBKSsd5<oUzDx6Z#>3`7ofp4?-mi(9UC+2N2Pnzc$A^l8kDlX=~>PRlgA|eV* zXRRl-ZgNm98|CEtj+NlN9e5;Ig-4=Gi(7#*!haOYvQb=Tk>&XRi+pD?UlJ`@1bvZS zQ0+<1c8|k9s4}38K_g5Z8iN0qngb*MyyyT~C^FmoU#K}i9ZGJ>B0zm1O>EkWD)@>e z*QiugX&RvdGRi4etn^FF?at_tSoA0}L7b{o?Sw66)+J08y43*O#>=RL+kvPAYTO2# zu`5pnf%e9@Mnu9R!sa782-r@R-~b?9Zw$7M!$X*Cl{jl~8-yVbgUGIK;b6o|9guh# zA;|&B2273B5+SomK=oV&Gf13p1fY6$6UI#`&Z>vu2e>xdyvdZTU<dZP?2!U{dEm@c z2QwEw>0mmQQFK-ZTV;!~gjTbUlti4WMOsh2W(KX7{v-E5gFj|{mVj$cxp4+u(;rZQ zVmM*?1C3dNtvR3|Ml|lPE^if~+ZqyUvxHuAfOL%P>IW1gg+-?oU`VA|La#ZlCPwy= zzp2lpFfxk65PHq2V9dzM-Z7OR1tY74TZ$lTb|l7n;+-7XnTw_(OBgmg=tU%xtjpe2 z@GDHN5Mf2Kgky7((HLFnd+Mn}Erx2U;YB1co9!*O`MvO-Ss<NZHeD6Yb^^0GHU;(I z#20#%=mhIP4GtB8vN=8`W+@bWkUJdX04r(D#*_yX7~%aNsHi8_Y&9@+S;De8_5!0j z_IDLSXVWc1!vtni8~))>a~lp-H^9@>2|5RD$oPHeXDZr|_)Vy;&%@E6hyFx{)yG5c zg#Prv_`cUe(>&Lv!uZQIiF0)PA1(AY{<r5u=xz2ja9x3^>$>MU&+oPAcZT)wL#>7x Me%O4=crWz-0k>`3)c^nh delta 46990 zcmZ@>2YejG)!#mQU9v38mL*xTElaX3>H0~w<t}%*cU!jQ-a8#5_U=Rp)fiZMj|t7R z1P4L@hfZh?fk5bx5PGi$o9{m}dv|*)KIfN1``*sXo0&H=ug%-jPp>}x^qv=%_V5{k zAk4)7Gyl}RL&N<6ZJ4^(7x+<dyU!5<zQFx{xBmn0Bfi%>H+U~_pW`{<-ogTpyT;hy zA|)jyVk)$|W98;Gn>TFTw2S??$IWgXGq<&J?wGODS}XU}$)ORuc6V%D-LZ3Z<>cve zTPL>8uADw&ZsqiO)20orbh~EGp4>KO_M*zEt&1vaSM6Lgv@-L09YybZQLc?om@&I` z^2F)%o!Tt6a(3&4*4eGo$F<JM7OAY=u)5A&SLfDBT1xiaCG{T5Xj&d(|M3_b2`MQr z7gIHiXtc)Qng8l}q-UV}wuzJWJug;JO7_i_YIS#Aqpp>VD@Xl(Tdn#tFT0YxRNh1< zYa&B!=D%8A6B+2fzbV69*-_c|i_%g+>#dwWX7;#AV`j5)I8W_Yka>Ukt~IN6Z`ihV z-@R&o7y8?%S@iTS&%P4M{6&mKGASu45>tKlP4QOjdrax$S##p<H9NO<Y+k-$^}c#_ zpxm)#%|5qUw(mT(a^GqGA?RYYqLnlkp^IgK5IUzCbs{MlGDJ+eE((m5FfYdi`qTeB 
z6llWREs|C;YX}|ieJ}f~bZ`{?zi>~%w*haWBa~=vYVPO=t%=-I`E8)L9iZYZHSj)t zdDOk$;J*V!jmc?v7?h+Hlp2%q8@TtUQSE+l*uDkR4Y6?FYtyHQ1^Wihc*9Ezmj#yK zSD1N;S8W1kmIgX!oUsmo>1R;ZZabqHzf;br!tdlW-1wc?wF|!!x)$PhY*!S&BfC8K zZAq`i@9;EjusI#UZ&SJtej};l@f%Fd!*4?>f#1QY0{qq_H{-WDIT648lY{YFnPl{| z7!=WmQQq4aioc5tAAWmmz>klT<1Lf?M+M@)1b++D0v`un4crju@IMw9?7swEko}7P zQDM^FF};*PtFUD6;RRm2j(@F#)w+bw9Quhe&?9dGARJZeruxi>_mc)qY675s@8O}^ zn6O$m(Py6ai!#(JQL=}OQ0v-#qIpYPi+d<3RUx&m)hC(T7wdzENyh*w@u@{cK55*7 z)_5!^(vj#@s22C}Nn_^BpEEzw5N`-ef1}-#0^j0S7#%ng`1YU}lKvMc8JMaBWPq_y z!hgiTSNIhYfv+g`gFtQEtw@q2TqJxU_MsK%ffwlulV}Bj&jTL@-V3}DcqQ;6I({(F zJpP=MfE@9=Vfc-nbt-;CXO6{h?HMlo_Dj#eZ*i&^zdemPv^_O&P{e=69rOm(1A)$= zytU7StEIC5j<H8EA)Kdl;BhK{>?uAW_r#-6!QZ}2ctJc4kL5%WMX`C>HabRS!ZaZ; z&ws!#`<8kC<n7^^?B478)HPl|fxJk{wTHA$O;Fb>?<r3y1@cU3zcf+O#oEusS;8$S zY5TXN%q3tXeLka{4Q8kz+z>Gj^&penMs;78fVuMd%*8XbdUMBMeXDO?eZ(j&1w2II z3xisJ2Ctu2AMV{p7Y397?3+G$&fLnTV6Z+OiJ`t&OK)Ak1p0iNFols|lNkzWjm7OH znWn2)(_y?CHD|@Osjiw{XkjvK;oTdxp5{j(t<)^suWk2+B1TIwaK~kFSBJHrg$o<8 zp1`fi;?_m9T866)C3+YAKh(tyxra-rru{S;%{#u<>dfoCBxqh0)%v@N3xQfhD||Yt zML8lC(+0ct6aX=XA~wa)$h&*BM)R4N)~}!?VDD?FnfA4|EY#eve)pEm?f&jvj`1!B zeIUJ^R(Nw<Yci{vwe7xyG0+QWD<y54S-6f2W^ixZnBs8@bw+@`-m6KQ#lW5>quPzv z*^GVKgc(C6J6-)<fH6w1Y1ViJo~RMi0bNJSw++);c(oB@0-@Cs3N9F~wK1?SY*cD^ zc{rtFhq-M%sWuBoXuDj4)J$U+j6h?6?eGPS{)*KcDDJy~VEh4h8?`dPZM5RAS}<YY zrR|<(W1s{m?H+{|ndjG$J{;9#)QYwOMdrp)S~)|RzmC$>k>$c#A#f;A=AYra!zX(? zJb(36xL3I~*F~<Fek%D35w&*p9(9iLx^k6#NG_5tl8%>3#L>dL!sEi)y@v-Dw>LYd z0<21>VoIpA39Ql=RM{Ch-oTbdd!l=>1e?LWbK^i&qf|;>FlX*W`v3Ydb0<x&4>p^| zYg&gHEYnNPx>Djd10NC9+_+q;FK&-@uP@HXs40#91{pDs0YW+>V83x_%NSxl^0QXM z8Sv<6t;#hd4AeHD%(^k!D2fQ0*NxHQeHVr@^m!cgg>3Ydk0oyN^s(Bof|j6-ljG5# zdG|S5ZAmo9IQjTSmrztl322`&bKJPNxkD!t%{Ak+s^a#B?p+FTCa<l}OzO|$K-RnC zHOd85LjfH{DZXnwRv(}{U5O!pZKAMct>^_^{NV4Ag8@B(LfO7>?1&Pw)_&ZG*8#VI z;y#<8jbyCbt9eOnhL+s+7G>L8!OogY59ZMxM0gK2PtwYZmkjD&Dr{|vP1R^-3vK3? 
zN!n;mSlB2V2xyE#4^7qvavqKwRRaKJ9b@dhXNuN~qhdzC{y@<s#W{b-RBUr>QACWI zDxlcrSG7d%X}&rYn;%7a!%?GOWnQtRLkTbD4I5MX(Y1>jedes?DA(MkjiBXrV72$J zKryxlFhcy(wGxIZXeqbNaU>Y0yH%YQXH$H`iv>4{1vk7?u>V4_pp%|DLE&T}(Cq)W z{}lfS-vM8vugLpH?{VH@&nuqZ?i1a;UH7}Lb&Yn3`ssQVd5=6nZY5JmNc)GjPm8MG zsjsOgtHYHylt+{fMUron&z1+vJ*0c3-BPjmig<$9Teu$$bo<w`0W^9t$45LAp^S** zV|`|lGRH?#17A7C?dzPV1P(R2wu{@>c1Q7LU(m9~HWsmPgpNgxx%50uFK%Dmy%amD zrWCZSvXu(QFoMtFJP4exk>d81-Al3EeoB3>4y<k3CHodLrXkY4!dWEJz}C)`#@@^S zp98F^eVMaRI6D&UP84J%Yb2I-NAadYrAz*wod-vB`{M4!_}CV-EV2znBpfsk&!Y3R z&{?3#B4KFhg8!$TNJF?~zP++g&^kx??$bWcS!crPaY4&mTe)ykg3U)+Q-YtrbDZUx z8u*Mf_MZL!3~zJ$EN7u`1KaYaRF}^De>#A(q;!UbGw+_O6&18hx6u^|$LZkInSptl zR@~m^Y@o?vS5N1(+&=%+H<^9@<9S+TLCaKIg;6SKgh@`&n37**w87$|sCmtmTCc|5 zlmDOIM%pLkmkc*FS-tJGY$8zfTr@H(4rdYLrm3#-2_UqCZaxn$fcSz_Cu9Z}Y7Kpd zx1ta|6_c|Zr%u9l>Kt3B)fBXhxAiC%4zUGTfj`*XEgSb6t#gJgXc=oO8HrfT60w+N zjI&4076aClj{bk<FVPU*GYUPTd!|ume({qwh##?imuQt9&q$zVP*lR~cNDS@>+XRi z+Q5RA7CR;31e@l*7Wa+lPDo~38tz2JI15beJAN2YYyej|2C&ICfakYs!I^ZA9w>Y- z1U?9y8JHBP_doCdqko?7d!OlR^8Vy)@>X~r_N?#-?nCaCZrOE{t5yF%A5D(e?$C<W z<CW(WQJyV*C;dqZh<A!{;ro4s1^WwI44<t_;ieeh;U2z1BR!5cAfGbH-dI8pQ7ls? 
z2MoSatL)Woc=9_Hh2+9k8)L!}cYlM5tL%I{bR`x8J>-kR(H6sHZ!i(24c3*185b-z zAh>cS?86n7Ak>Di`ISZ{c#I(iL5*`L8{T~l1j<*o>Xqi+N66N|-1;VClA+Nf(vwAh zaW#%eiuTW~PZ-rkR-i@U`V1m&^fjnV8_5>Cf16&A!N!c91{H1T1o1XM+oroRZAOh& zL!xb}S@hABdUFO1f!h$X5;voGWKtWJsXJ`+Hw4tp4sM3Mf0bUsu)XKjhuS;yhc`?` zLu+q8tvjm8Lhb2};zwC=`>EYg8U8$_JF1ygSkQ8^eYWB_Ht7NQWtT>JEjtONoEt{a zqT|HwHD*qx6S|}Lh8ypF{Qt9Wg^iKNp%hyu3moetVp}JlM<9M{XK7^xExT=WM}jyg zAo^rh>Mkb*7+j0)olaCDi`wBtHF1R&V#oIGC|+S>?`^-)C8}*i+P69j;ap@?4C%84 zg{azYmmjFE9SXK=&g)l{_bbZJzfH~>>Dr-!QEBguzd;78@xIZjSlKCmB|IcvEx;)9 zM&Oyip9A{?7YCAoZGokM$$@xaK%l^X)c>*nU;fAZcl)pLp9>LjqkoZqqCe&z;4k$3 z>if+1y6<V<LErDCzLLwg&u93y`PzL`ea*faUr(Rt{oMPy_bHe%V8->H>fPX-?;Yn2 zddt0T&kvsecn)`Z9`fAgxy;k$+38vCndWKs4Du9VC;QC(Z}*e#Kf14XpYJ}!z1}^~ zJ=WdmE_1tF-@D#-z3BR@>sFWPO1pNrmbs?7nq1Yc9{R8Pr}}I96Z*aSb^3Yw$@)5d zu0BR@(EI8-`3`dH3*<p^8@ZgENsc3{$s96PPRX4+NQhLDfPBCFtoDock@l+gq<o2X zpZ0t0VlAcZ)H>vw#h1kYia%iMJfzLkMrjT5+fuz&u6fm;)sG?kKBXR1_p6tvX?2&n zQk|uaRvXm{)u;TTe5|~tJS8s|ua;&>tE5rVnbL96<<f1kD%Z&+@^I-J>93vAyK<ZK zf^wg7lX8)Ay0TSSs!UOul^Ug3kuf)U_As!4^tufKyGlb;y4(SYNtZYvA?a!dBrILU zA)S_q27-iih3%yfjBgR?S_dR7U1Nj50@M(bZn8nZ#~|q64oFyf)d7h}FI$jKZs|io z=^uG7L9UTrbU-4~3l2zBdNvONHClQ+4}ujZJ(dRn^Gk1MAf3$67)3u0Wk41rBt7ha zM5MnuAYth*4oFn`a~=f8z4T5V1e>{ZZx(|7)BQaz-I)b(NK87A2Z8xcx;+mP0p!*m zDmG$nFQuCV>b}JZ3QITVm5X7D_Cuoh7uCr26&JkFSwM}hqQwc#4UrKJKzK}E1<h#X zqP$liN=|YB;_DrN*c=BSy2Ao69-#7Qq|Nb4c%cIj+MWl1b}-KYh^=%0qN^Q%$T|n0 zGrZOT3GK`SU@0ti0K)AKKxk<mAl8sbH~{gO0}vU`0hu)j#%y-H5^Bf;V3}-n075JB z08n9OIRNox4nWMG59n-&mgGYk!kZj`&@LxiMWuaCP(->QuUM#|`4k7B=`;r*aY8|- zo&7=$(LIh=BBwe4;S<4+eX|@(wUvoZNNAiB5<JOKO{kN1fRBF&n?OTU{K3{K28xK^ zIYD9ZTPG+a{+JJnHYCJmCnzo^oS>K(v&i6LFLrcL(d2wBB8Huyu-NDXg~Sp0AnXz1 zyG~G8d?OFkNtH<P?K~JZ^0-*!1jR(R6BHGTouG*5ae~6a`%X|u_}l`q^^dWJ79p19 zzXom)Yn`BoINk{gi-Vk?kXUC2MKG>makCQ?61VgK|7G^j5C#mdosj<;9iH9!APkSR z)Cr1-+nk`NxYY@Yi1xLF7CRxVi94LHg~T=aAUZr7oS>+1&<To2?M_fwxYP*>iJLMY zdIpBjA@nkpfpHLaB=L7nP)Iy8A4CWCGAAe`UXc%iJ5M~{35tmq^iVr<!;e!AGk%ft 
zwTPHUKYc4KUhI4;B%YHG!igvv`5=hj;tdW^Cn~$j0Yk}a>>%th4Nby}PEbPlrxO$x z{_O<Cgx8#)sPI@81pW`v`XfT#8l<4GkhfGRC?xzNTM`9>7>kHF+6fAa{hgqYI5;1K zDHlEhs58s`ROgO~e&=gZvA_w6h(0GMES%*8g~Y;q5Xcv&+k^?65O8`(iyWYkv?LD# z%c8i#0SSrA@*ptnNRk5*5`WEu#3A|^4oFDsY|jJHQ{e9oNJO;DURa4B=p@HGA#p(- z1m}rh7a_5iq4^z-cOt?cIvt>}aDxL95)RqUF6yv~);a)@G6x_$D6bN%1>sNj$!Nfi z8yEfuP;UMyEGAYsUyF)WPEbVn#0d(E1D&9dI3XWIce?AGpw5tZV?K<og}0obu<$P@ zC?w|X!At-aC*}1!gmZY70}>bK*dd)*RWWg{9Rx^JobP}{#KjIsSe)j7gv4HMWu)+w z^n$DmRZ10I{$Bo%{15pN`G9;ils*+o-@DQadFpm&GO#_cEHEuFEKn0D4#@tm{BQf8 z^Z&(vi{JEj`FHs{{4@M5{vrN8e&YMi_rCA2?_sz{uk@YmJHfZcH^(;yE}L?n2d2RP zd0+NE>b={0t@k|dDbThTcw4;@Z<ROTIqLbu^P1;L&!0RudiHucJzG3WJd-^MPqnA0 z(<8dSaKGvPyZe6k&F)LwDfbTda(A11q`VC}ccr_~ExEpN{m1pP>j~GNp?6>9I^T7= zYo}|qYk_OBYq+byRp}~nsrnE4NBZmf^ZFzDJ^D@hrSiG@+4`yaR(*v&TOY5-^;*5J zJV*DDU&+_xzvNZ&ck&Rqi`+;$FC}M_Q^__tK{}w8w~_>@BYlZa`&Ii&uG8MvUe=z} z?$>VDuF)>klG<)<t+r5`qK(iRv`Vc=Q`H}#hrgjdFSn|Xz&U)AdZ~IATvD6W<#LC7 z8Z`28YFw>VOI5FOO!-QAUwK)1Qn_EbO}R$dtE80U+LU$5B4w&FG9+Cm{=j31Y|{$q zA6v_f4oF0@FH$JN*o99K1o=T2SN~~W(bTgW5r1zhP9b6O4hJM8-eQAL!+u1#*Z~O( z4`f4TB27{0joectB)yh>>WoF2rB||#;pU+9MD{5jib{|8)uLh+c@qi-qtb&pWH>0@ zk$nosV$vU=CEB(Y=5d&kM;8{gU^hZUsYDYJ?8-6|?u2vlieZTfc5?!KCnDH&RSF3U z_MxMYkg(TQPox2MI_Zxf@_DMy@_+mK7Ch3K?L|Bq7q7QHMZ|yGo<ib2FAYNyX&6#8 z7|fv}&BA`$Q$n1bdodK*kVAz+;?KFKU|6^aPn}j|Q!pgnokhl)o1|sAr&w4#EB6#_ z68>U)ib^E+6bVb7+*3FvooRcDN?lpX;NV=tP@OccDi#h)7us;4@wsB4I*@w`Hj9_r zo)W^xwx_Uoa`q|OoDko%Jw?Up+*2YUd}uv&E@+KL;^OukG7=Rx+MYs^D@z&tTvKx> z&~mlyDJWi>eTp;(g~Pe0rkHd}?kS!SUe7*tM&e=N)$C&=)-3k0Jw?O;wx_Ugh3zRQ zj>$cNd4}1ZV&aLpr%01@eYOwqPmRqzggX;0wx{@X+e2_s?jh8in}kRxBz4+Q!TGs| zU{i0~Lt?k>Azp5Kh;FvX!}y1ro27+WYQxPjX>s;VxKQWjP)#x6Jlj)LxH0#Xhzr-* zo?^lywx_UgcJ3)26MJSG=nTgrCug7FL0^@7F%}f=%RNP6;;pu)h}4mL3df~$QAr`& ztHNRN+#D(tmMU#eK}pFyfrC2Vu{{RG_j0ua#hqDHs5vO!mqmq|rENJ>A}&5@dy0s3 zLOCU&xHu$-0&9Jedx|E+&+ufe|4^h!{3?gU8u(-GDI64Qa!;Xzl;hA4nh550=};&r zF0nlZqr#`T#~>(}XMc={ZJoB~aI?73{umd&v_FQ#i0v`hED83<u<#$-ehYaW#?lQA 
zNK~@RzVw|)r(~C(C@3tga}*0n>+>Ku0Hn<hNLbqBfP|#gHVDjy4NX#&1Co$BcRE0E z$$tLOVlk<&<DIBf=72<`3I`-C^>aW%(#kvtwbh<&mjR%^p!erHUJ6NP<Uyzzc)J4< zleRh_QPFO3Z=#2$WY>)-BrK&1nN^KjhAAi{ooA~k0bL{_=?+L((j1VGB<De(olC_I zNJR2GAYrMn5L$gEkQYHZXufCOOLRQ!!M@Pm@J>nII}i}0QU@d=^>IMLlG_0ZNj^Y2 zGtEQkLt|IkUZRkYbXgt*;#QtS_uEn*B*eT@uv$weJ0J<^I11^s%<>4#!MvX8cqu0B zaX_Nd@eW8tI>7-6OS>G9kVI{vxvo-fIE_I%`P{SkM(K3NOCc#~gHY);D%uIM<XOi% zVeyCq5)$n-qZWv|f8y_Ot11PB#hkxm&U^|9i3js4iZnEf8IKTk2tk-`XcGVBcqbv+ zT}1SqxM+6>QAkXD)+)uUiWC$TUv*Rz5ub8E!r~J)-IA8Ve*2o^rI2`k9t4vwe&~QC z#E&hA)jlR){KD~4O#H6{5*6)xEUXI{$4?#agvBo%kdXLw9)zl~cV!?m**H=?_D&i< z(ofhW1Sa~Q^!NAu&6o5(;9cx3^*ri{ySv=guK&8q^bT?lnXSE{U8TOScB!q(qsl5} zfc&VuM!HsfO{^7m?LA!YF+v6n>SXcEi0vpcPrF4!*zkUB2ZERD4I11zkA_5qevi1v zk+*7<W?_Qt@FtA01`YA-q&Qyg3nk71LwvCykTk}VAz8tvZ_{F|U`g{5qg$jWc#Oqt zA`k_ko;=8%2QE?VfCV=2XeflZ46^ym<B?_->S~^M2Vxl74Fr5T3p1ZNFYN9#5c|nu zaZS$w8oo+H!8aYyDpBnKTeaaPxZ-JO#PbJG?Ggh4puE~lWGWT_qqp3M83+O8u?(%* zScb{tr_ZeqTA{j+->D5p{gw9m6D;<yu7pQ#?lSsi;#(Kc(3}L1%u)Ah73dS<L7jbK zK_EOb$2-I*N1tdAv9Z8hb`$~P=+#<G4{i%opF+W_%$g(GIP>n4NXR^Vkv6=n)xd25 zPV<^9&2w7k%&8Azjy@%w=H2_WdeB^Iqd5`_o7Zcku8arwv>Sb#bYcIe@d;MMP`%L` z1ni*PaqY#3zGY+G>k_TW?J{tipt_A>7GI(@aLmJ(Xw@Zi4O}LG<rqZ!xa$Oq7PT5- zG8*I*+sH{o5Nm{>&kFp(<0TASD99fu?Eg7}%ElW-nO^5bXDzM|q6HfCJ@a|3k9mcu zh0s<HTU&9wKm)2x|7DEJaM2*YAsofIhTK&Ky>PIG_V3)w5F*5Se)KXe<lSQgfUyGA zUi>u^sCLEWT4h<xpcf8UP)v@IT4&Fmlx3vjFCi7?@+-9Rv2^j53!8<&EdRBB&DZAL z@0C1j+)p5=qSkfTHCRvS1IYW@x7x+()9NO52*SlG<sEXd^s*EY{~{I(oA(|b>_HUO zWUSFvN~rrOZ72;h-Wr%!9||Fu3895NnCY)i;U)sb;66#{I0JEo)y=fT=BE)n&ARsF z(^^?sg@LF-PJT(2r^e2kGp&B$K=bZCq{FPAK>C#7M&J0hRyJWRMyqX%6A2axSYy8U zjHZ_?GRC7e#t0>x5irCE(An{})=ERi5MNj~i&AmuX}!o?_IIrx-FUVZPOc9HjXGm2 z&@AR}oB8AyN+a8pN@7clY;<969f#OD#)KohFnjMMoM4f2jad4KEOajYn6>mL8i+0A zUEYxGGHwxop`uxaYQqX{$<&eA(jXV*_@!)<L4ytH%%?)xddAI|KA}Fy!l5oU|Mr45 z5+n|{kr<1zt2s61XV+;u+Mtn#>~2t|4H&p`ZMX**xI<A#Zy}gt-p3x_dA-(~M(=O+ zx7Eju0Y+0EHh6=DEp4k0&o$^h3g@Ck5BZ{u+lUIsFp1bV%VRv8bBU3?GLac^+I4zm 
z$%9b6C>jk>l5j(yKR-FZdwmRCn5e6#a2zW=&1-Jbyc`*h8I=aEOz>cQ94j^aC~86n zaAAV;D?5t*{H;<#%j|N;j36*<F*3}E?-UljxWgMWiVfV1;NgJ0r5_aCYAJ3s7`Piz zw}6tt4zO$ASE_h(aWEjg9Kjioo|yB#R~Q5C5QF<?N(K9`6APx%H9A1pA_V69uSZzt zaPMiJL!LFBYWLIbv)%QsKe*PrT>8`c7QK)hM(|Qhdqq20eMYTQx|AXEN75J46!8=B zHgUS>7w$A?eo4yr&QyAgGHAqDF^Jj%OAr)D7BW^-N&jMtYN<iP#@J+KMjZBkez<~z z5IB})@)(b!tLcY7SlPw6iEEX$#cRe{ye7)7x0Q`15QB#p=86O_y3|;gDQasrZq0O+ zfk=M7A^!Q*%!XL^nieWIjyKkzAme>@3y1Q5J?DM4hTcS%SKGTB#9mDI{Yn@)`NqG% zSe0qJDC2LZN713P$v6)f29f=BEp!_DzK$*Y&_vwMh#KWa2f*wW$l(dtLf&{?D`Yrd zIARPn5Zcc}QyKECV@f4M_6dg<8Ot-R*>)z}NWsojvea0XL1u@6iZ7JmF@o*35ll3* z>t;3m@CO_HMaI%hSzE<nRx!#V%s)GGkvL+N-$tA*AN)lIjq`VImbm6aNm^tq`VC|( zQ|-dMYQwbJMs#CAri`r{T;c&K_Gte^jB{Wq{$SlOL<0f;{JPODD$F!<Vdla^+E5TP zH&d~#j}Ui2DJq_0Bc>_JW6JyC4{Lm8|3=wRrtB<RSr`;4kJMH)^KEF6G4nTyHnE}} zquH2&*=Dz}E_hTM!_GSYJOmjx8`Cq0`H$rgaU)^i768BTRQ@<_Jkis!U|xO9s4;K{ z02gT?zicyK9z^&>OjH(ykUbSBCS;pWAnHDI*2axN1}*^bn}GA5L@YDKxNz2n-P&Ko z#iqJKZFl=u`4{_VAw;vq+*si1XI`*EJ+FsnfTxcq;8EQ_yT5Y(56+&K%y@?yKDe<% zT_O5O4e3WpNPrOdTz)wC%u4lJS;Td^l?SWVsqgFFx$^IXz>k41adGyYgFUvZzldhR zPB>cBs8%AF&z`29X^z;X4l_6IQF|Wz-7fXyvUnfibRjSmuB=V|I$z5BqPO0wcqX~8 zK<s9%zMlMz^whSh530SC_3}e<iL^s}POKD8-+LI*-epM|u+7#RJAbzS7wgSBf1*ZR zl16RQ6Puq-r5|V&8EnL;Owy?B;S_6pgacvMR#L>UfwuY(E=(mQpjl`-L!bUXtvHL0 z7z2_b&@3*Sp@SddW*2RlmJS<(k~D04Vz%<iZMfG+(dPD#G}S%WK;$;345dTag19_s zAaI-4%X)O}Hd4aS1*jLN2V%GD=xtPR!j{`f)EqOFUJFApL~dsT>7i_WtMsC0&JKT* zG1x%pHak{O=+~o4kndIz6goLmh;2xfpP>(QC-a3v#s~wU+jYBW4;b>r&v0FjA_L)| zG0;HlcIH;<<X@G+Rxw1gpO6i9N3ovf^e@1bC`L8A!N&0@#pZ+I+BWIs92Ym53<Pg; z=4ZGIHt9n+E;h(OoHjd8i_O2@N=gd{Om7@x^fM5l&99_xGe5o+S5nzfG#iZu;<M|P zP{JcGX$cN)LT3@1%?I|&mmqu6w~G>^jO|$A*^@7bTRHR?=o`XceB+UfZJCYdIJ)s* z>!kM_$G)u9mn<-7d^X!6ZD#}|5q3s|j4f!9txeXYL7Vk~tV^9ix4v6gD7-DW_PDmW zI$U#Ht*(S?u&dk^z}2~L^#AJr(x1`)DsPsT$us4#a#XI7OJ$$*zVs)(MK8bw@9RlB z8H5<*TeUS>Nc{;X{FUk!b*$P``9S$Y;Mu^1ffa#b`9=SS{yY6=`TO`j#$~<Je3N{o z-p{;$8s^=mjP{Q59P_-O5YMHaxt?-FQQzS{$vxa1aJ{4Kly8wwmbSZor(Y<=B(M0c 
zc$0Xd*edoC-rjq-1|Cw(p?TpD64a%m4Jx=!GGAY!*AVF!ezV^@lnf=(&qGv9k2z&1 z2(82o|0P&wLrI)SM|he5JQSIMWe`-PpK4WHuAt~5^DoQv0Fizirb0;KkO}pqiby|< zSHT_}vSfxngh=n!t5AB(7k<@hbm4+J6$*r8Zhczo-zhwqHNQ7EiDvF0CZ3jih>9O% zE$YqTh&a*q6c(?{J%yUYwCyP_U21!Zi3j)?WUsu(%yWkl-8`;=6cg$1gVef4i|jia zh>u9m#MSCKzDs}9f<$_<Nv%dVKOIQIL^>E!t0()+|9!2YbN9tmT$bkDeYb&>5$UcL z71yiGmY=l*k=F9QpMi_NM0^Mj<8bZjXRTI?3|6Z#>OcOh4J2Zczt!*yMo4_Cfxab~ zz5^&D+{B*D>wnQ|b#YNbt)2(e$Wus=h<}Z!xY}e^9EI0><aiZE0JHt5Hj)Tek5sEy z`OG_xYE8QM;0Q{NXdYUi#kC2nPv)p&=#&^5$I2MTw2@kvH}m2#+RWplRETSmdH!Xn zK)7%yoj%dr64M501-ydue$|4SNYh%B?H$uw9m+U}vBe$J^`cHG=bC{t=B4aZHZ_aS zWv2uuyYN!(DH0T4%ss)q;mtllMiO%VN#p>LF3wh&XcnK&Jv50IqSONJr%fc9q~5to z5<%hd+*2$n<h<#LXtOvYhl_*-WC5}KLWziY$vll-*A>m0Hf_4r4{QW>4m2X9p<;+y z-GY%iFpXdukLNRgdLv2b;;EROHlUVXq7Bsr(;CtTUZq3&L8Dqt^JZ)-B(+4G!pF4F zKrB>o`53i&15jcs8K#S8fbSNe;lD?<uvW<DC|FGk^&YKOuLIvzsKbaj8TC!{nYVwf z4JJKWRhV5Q^ZJV^D_q7n#ysvDEu@Q&VJ7J&@M4%$6LCG~#xK7CH%^PG)w6I7{adY3 z7az5#tNa=bN#=01y4`2)`B97M;@>RZymdYSr{26(t2Qtczy7GLBT~U2wHliP9x90> z@&$A2Pg<CWhZqN$pZ}!QXrrd6FiV+(j%eeFa20FGJoSiHN5ntyhK?P9GWgmNt%!(^ zupu-7sh=x8Of{-%VH34_+~JpebG=8r*LhcXWzT-kT93<pyL+>{hwC4%6J4eHetjU> zt9_-l!0_3iyr8tpcU#xx=1aZA2gOsx{=!qjroChOlq^odiph_Ltkwgo6VrN179?TC zbetR1*h9|^AgLWQ|4^Yu3W_XjNn)?dO6(!ru%*XUKm5T?s|CqHzfqPeEht-UD;sTw z-Q#RhS8i!|N!T!Xt6AYZV~#{gyBRYQi%^qYBl<`!n2b_eAH%$lOOw=s$&j`R`OSNe zQJbv9*+@lNZsdK0kTRwt7sW!`l3Bau40_^1tI$bD$<ib>Svo7^Rufp8ldxCXtj$YY zG)V;npx)61N!ToT!R#pw`?qyU2a~W`a&dua>z!^gz|z)X>`ayd$?p9zWQ&Ic7%~uU zHUdf5DzTMA7#nV$|0`_1%x*Q@OKRPnNouBKhLP=F!t#mCDBO{Rg_7$qb7;q)Wl&LK zwvUwcT9TwTN@i-w4wq%q07n#e>i|uZVsS)I+pLD;*5%ASeq@qbkfgTBd{%;&Ayd$9 zj6~1_v%{8iwQ+HhS|jtPmfBe8B}>dZERo%iQHBJs*wdfHLYBUTKNyEDPEvcMv*K8$ zV&88dBbkc5wvIN1xuR>{{w@rA3zD8p!R!>nF~T|uBrchD8->jL4^Fx;#mwl!1n#Te zgVoPcA)1YvBrcnBJ_Qyt%xzmu&>rYLQ)U2Q#a#cf)B{+)62_3E1}tR_u6dlYg;cV# za$9|D|Cf5DWow15^tV8<f4lD=z7ugl_xIkZUYF|`*LM99eK>g+*Uu&*aY8fXyIN(s z{FQvS^p+G7|0UK5&j`QUdl<@pa-wZaAjFtECc}IZj<B&_nxw{4=ZeV~$_6J}K_ipK 
znI-DYB2vyQQN3del36=xb~u^AfyuRXNopr;qn%>~FaKJ>+J*C`B4o@+!br-EmnY>L z9dR)j*6@Ai<X&U|=pJLEI|BP2^#Pc7^&%R$YjlQc+pfZyz-!D;j-m<%HSKUa-l!5X zi7iP#l$N&SNQy1WV$c3b;i*H4!oilL{bqJ3VWoGd=tC$2QDbTTN`a4vF;KY?Ob*ZV zYIv?!)2KHFj-o!qM2CjiI}~MVL~TWsD-jElFq3wxJ&|EgSV_Af`RWE;Su1IFCJ>Bk z(X}9%O*rGq(Zx)>>}vhR=1FB_Fe;(;QfKG*0`R4WCt)xxrfSMreau0xDKOYa$R0D3 z1x7J%-Ax7@{IQ%Y6nl(HM$k>0y2MvEtY+2~{RK%FQoA+97orb4ChV!19dq<CzGDV2 z`8%n>0NQiSAf&}Q*g}~RgiW<uy%}p<X_6XM8|kdGtT3k^QG9$44>cK8NorMPE0wY9 z1_>Ecn6EJc3jy^}w$XwNw=l!Xh2i1JA?Ru$P#dUCl+$B=ArrFy9f>DHsTNiWf$RN8 z{Kvsjy4u&@`?$Bu^NuI!8SDO!`waJZ*9We%Tod%i^tF&19w+OFOFLfct?pEwSNhAR z%GJ_;rE2kJai&;+v?nVehUER5o7|k~a@K2w6M6ma-P?B!GtUf@VI^~uS+i{R6)Hz? z8+y`imW@VWQ48bHo}0{?V{K((tc?4V<a$gHGkQE9CRR?Np%K!rY($cpV(GF=&dIXc z<mof#Q*Qzo=0?omTH6vpnl|R#s<3SKbCc8}%Xl!`EIm*_>KJ$b<Z4U<YnEBl-;NS) zy?|w-HVHc{pQ2M^NXkXebl6{$)c!i0P8=&S;ajDr*%2qZP!~19vbxxm*8E2)rqjI> zN9+oakaxt=JS5bLN?8*I*bHly4kV3csEI5<8ESfUl;JxlaP3YULMT{$5LU8g*X(i5 zBs?^RRYc9M*;NE9dxqI@M}sB_Tau)v*SuCU_FhO9u)K1~A~_6uCX+ed8%8QoEj7Dl zs|{KwWIrrUeyA@=QUh#WwFod~1fw(aoj4|Ra(d_GRSZ!f#H3CHlUejq18iQ!Ou#~6 zR6M6Uj+^koGDx|Sm1g6S1owyTX(4crCuemphb@!MR#g(FS2oEoX`OpisiAh2?LA^G zNu*rKRtWWr5o*3U5?lP@B<!x71GDD}of0b2VC>rRyJ#H_7mOk<kOKRwvwNIzJVs-Z zT3{DZPGnY|w>Rnix#22gh)LLBp^*W%r4Xsx*jzndNcy`6Bqsy2j$(c(B*ST1xsbWN z2ML06;3MT^W;q9!by>$R9Zi&j%7yAtBo#be`Zd7QeTb3}xFs;#|1<6Zto9G`z2H01 z`;d1mqWEv~w0V5)D_uvh4^7d}*UQNLWE2bBcw3DtFDd)v7v(LoTY6T~#2dxYqJ)U_ zdkTi93NRL#oiD*1f)$A-Hq|Rqfed-o+${n*3&J$kan#(ti1aR5k;+PVwm0JZjmqWl z){ae4F^}yf%d>k4_i$Rl4a{YZ6Q~iyP^m9NOqgW?sWs0Z3qfH;Dl7Ea8e&^YmXxgI zmwf{fGd5C2r6B!rQWj-NVg6<0D9remOU;7uWJqC4O1Cjr41o)D6_|U*gSl3uAP(|b zv$bT=LOboQPC+Du3XU27bvzkCx0j%~tCd8`no}@ha~j$lG%)Fc`M5`+dBxUza|p(M z$a?0T6CmiXNWqrvXrAsx*;#R)kb*fImLW7BoCwv3vEsQCNg2w*lI<vK?aX`_du>Yz zc!MqPRyOA}<_kvanWVj}DG5t9Cw^*{_;E}$LUcnPa-tcWOlk^-Cr`6YV>48`$)usz zwj|8i&WfX~VsCj87HyVK$e3&zjU>)VHm8tAl!HavSuR4$EybQ<&qfln{CYTsxLa>Y z5@zlEwM;pJyV8;;+D14Mg(^keJ<%BB{JF^!P%{4nquy|O*t$<j!n6&O4TksjX~fDD 
z<Z2@oW$`2o+kAj>u1J1x!b3$REo46Oo3FN!9yptK|3(vR8b<>OgSVr7s^if1F}^!( z<4er~G|uSr=~yOnlQ4XDE63@^Xi@t&m6vH^PDJ5TA)&6E3te-QFnxC`$wdWJyY)Aa z+<y-wOy7=@RGg-?cDjWRkb(3*A@E$_y1?#0OCaF?z<-b5@K5uX`QG#W5to%l`+9o+ z<GtT|rgyHl$n&x1cF$JNL{G8%9ru;)xo)59f37=(`^1^9PS<qgjQdjjt9XH{5AGD* zqj%~v^h)v#yhi8XicqcggZ4Dib1c<{s-LTOspqIO)v9XcdxWg*RaPiNapmfH`C9CO zqvf8`A*oZEDOHG{A+xR4NR4rldCgz++Cq7rc$z?S^WtBPir514#ST)X%L@}K6i3Ny zdO#2A@`8F5Ql?~n`G7vCw>%&37P1nVABHxUcEG|VFSe?G=g)dAkrxGNx?8hg9T`Hr zNPRmImbuTHU<GzFlb~o`*R0hN*BBM)Iz@BFFl{)|XTx+zAmpwm(=@^@?OWHAK?EIz zSR|Qu_tL9%>29mGy(6?Cn#v7~r5j*iR9HVG^YBS}r7jmUW3yzQbTV?F$UP$}k`GE| z<0<-3A{T);7?;ULGMLCcSYlpt+(u9;7jkR==^J6~mkXE?+<a&wY<qHmTljz62<xTn z=cfFIO(a?``v$6YLwr)sRvxK5J~nP9TxOMXI@YeKY}>YajqGiq`G6&}d6ph0vWGpH zpKZcrFWJoo&WvwHA7mFBe{;uXBxVs^JlF6aH<Jck)UCPr@qKNOE)v!S_y(?rJy5v6 zNrh%^ZrDP?x~SEua34zM^8af6b&<O^B-8Z)wO1-uv3@tuVt?kw=oMQDYLr=TQRDxp zWnHpnv*JT)<rdknNahP4Vg^NldrPKngJoU#l~aG-Hd3bx$3So!=JV({*xBp(DEI59 z4kprnK>aA6d1e*(cWASUI7#!7DiYDfW7R4mSS0hw%SeST9-W}Vzbu)1AJs<b!VA{Z z!pG>-^UPZ!nf)HuT8Qu*ADe#;!q^DUT0F6I26&<`+!NsESv7F6lv=}n`4d{42!H3p z{%j3~U3#B8XwK?S`s=bjTCH1!b_?g~&ALpi?k;>%gTnL-V-U&oBD{+TPjf!Fu$Bze z#b2yZdiW_Yv+xvnw%KPQpsbq6+9Va8Msw5vGM30HFH~DanMdKP=95agYGgJRFhMWS z!$jtzZi;o36+||e=7>7dsL2>hET>cJz@!p*xy|P?7a<uBF7{!r%^&K>05Xsbv1o3d z0%ynoHb;`_S)@1WvcOi8XqHaZs<r-n*54eAS(koAS0`h}o|vi))vDa;%VHl>y-uBF zF1}7(I1t|Q58SW2Uvxk2e!zXF`zH70NJx}IQp_z#wYI=L%{|5)H{ZBUjh0E*Nw-P& zLFzgreI~sp{YxGw_mTawEd3}iHk+<j<L373)!pW?uhhP#=LWTHC~|Dx;=P89CNV6+ zexxT9$z$3#+K1Yk$gKIK_MmpRwqLsvS01~xlMk-AK|Mj1#N&{#dWUG9U+U5h&b(Q@ zOW*&9R4|_!yK968g}_)`9K9AfJdfdWXgf^a58wi5iRX`=-JU}CVfRjV*!6;IyDOky ztt%v{9o5d!rmAPa40WG!yrRe#!R&pJR4KkAZWS8@dXaH0qy%cJ$deN2md_96ls%pc zH)*)&bZRHjQI1+C9OW{Hc`9l<o<dZIg~(NbKiHAHEfwirG|UB)5h-eka44)?Fo|-( z<c(QOs0-Ozh$Fg|hGdopxwUdzD(Gy0DmJuFpqrW`^5~`-lht1=wCu6k9AffLZFz`G z65CR+NH|L}vX}N+l7dBo<1*quV$7L*Qf`b%4FQt%sXZ%faajV!d@4)yoyYn#*w%VD z5;HsIQK>0am#I1<#!>wT1h;#|6r2uBQ!(nzJx3rru(;k+=aYW!&QuL>%$EI!`5BE< 
zUqGtLic{3x!01sO^dJpjgq(^ttGl<!C%4zK6m>bU0UW@@N_zRkib3vtA0Ka6ni_x? zn8cMC3nZVgH0%|rtn;Bdqli!?IV<u)U`C?<>?Gi7CpSn~Ho2v#%HOCwBMGMZ*^1(- zCksn6Pg~4n?W`Zd*04?1M#J`;x>48&Sx{S$E6XcVS$Bl3yrq;-4GQJ^+FEah(!;H~ zT!LMZf=_~vO18WuTXA_E<&lRy+wmA}pQ`Kl!&2eko9I@7jQ}WJC8!{ybTvZ*Y$pv+ z6sU`WO-Ht28Vj8rag?L6)R}S_1FLTt8?~OlQP|cfs78MFEY)!YYSEQgVZ~{!NcH%Q z@=V-}noO%4mZB~T#*8!anGqREDKna{FDKReFO&<$(_OGacuNS3_y5D+;rqZh&U?Vy z;JMzTxVIqcXq0{{#IpOy@kG&{K<c)u5$gPz5<wPmL;8y}S@MW8g}1QhT><u<hc@%} z09;UEOR6l9qDB!$&*Xf1kYt%J)(c1##*D_NWyTCUBh%_myMSn@eRlWS6TJ4ZDQX^J zwdZtbzP(}KsNU7DA3?-<YNl;an|NN-nhN}3ZJ;x{w*XCxYIgAywU@9KoQey!GrHN_ zzLQjferh?%(BEWPTztD=!r7L}+D%$5y^)#<*zUO`1+$5BpX1)aa${l&b`#!oE(DtI zbMTpUw@!lyWV6i@k+6vHAIFHG_7ukyWseuT`y@oKPq5=9!S$bQDe6CQ6y^K0w=)Ir z3ELErfBo>WOkUo{jwe;_!W7&m2&jNE_|@?Q1?YW{#V3%#ZeI$n6L`ddx$p$&{|xiP z38dEBCk4j|9O7^$wwkB?i0cjvciD-g!CRCX100PRHb$AZ{e*b2uO33-mXpX}l!Lb< zQ|{LzS{3tg)7`t>>q?CRu8o$9nZOOD;PGbLLao5PCp8i{o>%l_m=WGRnalv;EdVmY zN1T!&{P(AznSLqwM-cphs-~I;jv}lI<VDSyr;;IkPfSto$N-AV*)PV-oY`7G-n{-) zvZ8QnYFNha*+%`IIIF1NbJZTw2RuSuBaSi7*cMXMGr~A9XIo%wfDGVlMPGRu8L<B@ zwE#LLzMdicO%SI;f%{ziec<l_Gq4G|Wr6=S{~!F@{iFQ>q{H~5FYR048{+-h`%mxf z-ZXAD)q7o@H$8WFPWR07)VP0fKjSvt>)cJQU$GCE$QapQ|4x5Ozf@let@0Cch+Ie( zixt9`!rw>*<gW*jM|7&zSFL+Xy<5FNoul?w-d65Vb}4cBbNK;zi9AI5Qo2Q=-}Yet z#J}zxQ>t>AcF*q-ODVVWhx^#WQm!9-@q1F|l9$YfiWh*m*}F-bp?SE7eD)eLR+mdG zQM&3RWXh0xja8BLUNpa$fJ7H{6V<vMFfr{XV{|ED=>+|rB%_EF=ZaX>Er_!E@kts} z731wO$kCfgFI|c*L!;$BlYyH5K*kd(!qh<yX?=#25-H5vVDB7xhBOc<#N)dFL3~$` zt1JwC>Mcl_DK&DnkwHd0M|u;f0W>4bgh9S|4ida%X+R7z?N)@CN<)XMu&eTS&bpQK zC(@8A6>)&(gSR5*hwv>I%|E&oTCebpMZj$!K=_(>Yr}1*SNMu!ZURP^{%5JSho(Zc zl|JA)$o<z*9b^IzxEgXhX(ZBrdDEM3hr}%$<(S&*3ABS&ODUXsnO>*M<1O{^m&^42 zL>|Z0tbbpRA(6-ODoSra74jH9Bpo+Ei<3uNI?~}Qb*R*%csJg^0o{;C@`o?4gSsKN zuo@)u?W^^uE{|Ypt7KkvjUFQMaIVCTyaRz_@-VJ@C-0!TcQeO4$S_R|bLjyBHc41a zb8eC{P25u3VALF<%Q1_juTqqxDA&NgJOH&#jxYw5%$Z#}2n=)7@;fOi#Hf|b+s@E2 zfI&X$&)rG&u|__$eQzYyL*#}5YF(XE>2I4^pQvnGvwA~E<-A>M<a*w7<3>6RL)oyJ 
z_uohc=<*QDRB_kuumt77?8&UUi5g()puINwq)X4$`w_X8w|~Y>wEY_1{^0#|Y6tPU ze<)Wms@2vo+;u)3hJltMzv2QN3g!S-N-`hV4u_rGpX=m<S5eDH6|a5mDq4FbH#}Uw ziiC8zpT!ZKyL6x`;w(C{ay5dk<Z^3({<oVBP#It9SFEP%zAq>6rPZWbmrE_S{QP)o zap}X^X!07;Fiq}FWtA$ST?n-LUxKXix$l6tm6`U3Ku_E2PPl$>&DZ~<@6@AY1FT(R z)fd$Z)e7Y;r9!@49wr@;&JzED=*<eDeeal}a-$^$LnYr+=Vhf5E;qpYLgfbc)nsVN zf)uq{GFdO{cV>DBi%?2s&6GAIL}wt&jc|(EDcP<)%FzP8+dx~m`WjM&jejRz%iH*= zY)^#)NG&^TQVa4TSnA@nOkLdGy_}^yZA(#urK3(uoEed#_DV*U!+}XtmQ(TYkU{;> zDdbhoN}-`BO9~B*Gs-VTY)et6tfPgjG_lEE)bf&<UnUvV8@rdYM7dCkdSn@8Esg<; z@c}DJlS&L2e6!A`k!PREY7<jg@2o>$qHY4(x!GML3^9qiXfv`J4FH1&p)8|IQwOc1 zXIWJj{#hrE+v&^7Q}EAn>Wj0~Po6$uM*V;R{JPq-Gik&}YNc&(!c?Pzg}NeW#jT~_ zv~{o>RV{dgQ))$CQAl^xxV_>m8sU_J+qPRlsEA-i@17K#x0!p9jlX2>MJCQB{XmcX z+6*$)&|tVm)VK6E>SL@u-n}NZ1V|<`75)wZJxmhKTJOzQen+lHy^C$c#-r?0CD3Ac zM9%gUoVT3ZoJ0)%qg;;(UI=8~4B$$72A6f+<_cPqpGZ;HE#n`DqJiKmHu<leNBZCQ zh$<JT!YArSg8BSc>Qri38aAe%Hci8qfnW)&)QUB?`m6e_`Vq2myS&G|-*`XtzUlpk z_et-A$P>2Td!_e6Z<qIE?>6sh?;`JXWan=3)|&-is)Nj7^k>pxb%goKmulE_f2GDd z5hwW~@??LYy{<i=U9R1!-K0H^JlQ8|=W7eJE!s*XI6Hy}h%cmn`;yWN(qqyA>Hfec zf$yZG?@8Zb2ypiWZV$X1cqi}(vW%Yyaqir}^?~Vu@qvYbm4PjR(m+9=F)$Dxqxr!9 zhX3b)>i^RJAlwLt{ZAm`{WO2*YX3$4oBebBQ~VqJ%lx~f%cS$98~qjjB7dEKlt1eG zpYILd*S@2E-FKPqJl~DJ1LoGR)vfnd7Wiay`pfF>gYDm|U#TAcNw!k)F*$AS`KNll zS@*J9fAF!FRU(?wztp3q`&IRogJOY8uADM}ev@i{V46RLgy)BSjoy8p_mQuB9Cqqm z?w+oH!bkA{vW@p8uOo@s2w^Skcc-b3C=V&im45Oj*(=>4O&7mF`tX^Eel9oGroGn0 zrfRZFi{D~{;{2L+v3b=+q`BA9be|00^kZrk(p+KfushQ;9w5bqE$QAio<#UE-%bO6 z!N#;SUE(ZEx8ZDIyg;>n#+8}cvp2G7?RcTs`2uBIdks|e&#Qq(!e(DUd{w##Z!iwd z#aD4JEITro2ei~||0^j&XY65%p-^Un4p~<Q)6@#!Xw15@O3C#br=<(r0*x<5C`;X? 
zKWS^JHZ{>4_>&el-+71>mK(#;febl0O9J;#vzxOW<|7Z2(damJbUT`|jXPeTe(t;% zsKG7UarDJwo0wSU?m7No+WFEnbzeKm+xmj?_U~jwBZ$U=_pXfFE|;ctXK8w6)80C< zw;tujRddh9j4j};&TpDV17{1D8;Nw*Yn|J5_{DO@oE;`EmbZXJyVp8QLtW@iUMtXL zX`1@2^Lj{4S=nZKElI;|&0olv0FnQNnM1wX(r{cOG#q+oU(91aHjh0<r3LgV7X@Qk zzs&PY8p)BO-fGrft~zc|^ch1_ry-JqYQG37IaCGxm)@DfHM?e`cM6VbetG!u%jnL} zujVxw6{%B!NYFAn%)PY;9j2&a+_MX|q)xF7Zyb9u>{)f@^edQU=j03>neCi<q1jp9 znmP$Mwit406!@w~5CvWJ=Uj;}iv_6@@tRXY<0l`GSzonHLgO)oBdA1KD!hQuwZLe2 z0XAR<yxF(Tr+HU+?(_6;Z+1QHs?kp&|H5~>I@N!v<;rg4_6SHb#or4r!0NTnYs^kZ zXqaU=x^0G@K{y@N6wRuqSpJThGz{<XlW<%E2gi-!=@7s>vPG!k$Z@z!oram6$6&MS zqPJimS#?pPJ`FRwl`4cbMKwx}ix}1E2H;w=byD4u<HANf4I?}Mz9FlVYMC4tG6tq$ zWarn`8IJ0k92Ybi(y+1fc%E4=AnJgU;W7HB2LsBE{vYo`BoF&!%p7n=Wg13x9$ol{ zyJ1J6h=Muz)J$y}7IhZ425$OjmEMpklQ1gMFsQ@(g%R@Ji(mn(vbfPN4SPC|YWwrO z2*0x`i=la#(OL79HP`9ccA_8vR&+)HP`|9xv(-h6L21~}`Aj_eCych$4sHvkVLRu& zIpIF5H+|;RhnA(QGHjW#$RoQBUyjrwkJX%)Zv=)_zMA=dwJhDQdvR;ipv8MFOH<Q1 zTYkCvtu2Ywzbjpyu@teCB@kYzr3hh56)0TRy|B$)fEW69f5H0N5Nm#Enp)2DcAKoj zfu0Tby(23H!Cu0{LST{qX55(@;_XBhRKI(j>qPyqUQf=~UPAol3gu3vNN$%NlzNJr zg@>^u&hZ#^>B$&U7EKMdDKd|(*DL6NZ}&EV-C%;`Y`XU~GL(byWzY1)444(!vqA5} zadD$O4bvmrS4@U`V1wR+<6=fQ4bx*?2W20I`*MTMScP6d@12I}5gvBn4!w!hGGe3d zVdZ?0FqRUmk9;XH<mQe1+eq7ek&qEh!vG1tE-yLUDip*%591@hn8{lEWutEOAOakW zkNk^^SVu+XoojGu6P@1SZ8rL*VSMCy7#Qx@8a+U9yWEv&m>xNoGt7WPAe5C#7z5I< zKyuDxxD9Lh=Z<#x;>M=*2)gU=h;`cB{<ZotUNDA&Fhbf2p7JP`wDK0gUDha&FhJUn zLmvZ@w&=t6m(tC&R+V;~HTl+KgngcA2Ms<=!ve{}{~7M^eq2*wq=vAe!QYwP(2C4; zPatTN;etkUIu6{n>=Xr`<jW5`Nkba$PAdTf-Os2cj&3r$+yl~4VAvjm#(J96BFDBL zv1$K1YJqiS-~u7A03X;X@U6$ka(Z~?y6<y)Tx*d@w}c!d3rGpl-<|}E<YTxFTCc2u zul6x{m2?`cqCw$;y@%WImEZJQ9GjGV5Lh+xXGlG;{f5kGACiW$jcKX`(z7Skn3FhX zFPfRn7W4TrklX(wGNV^}I;#}&<RJLi2hQ%jACakL9qEixm@0SFV@Xh~p7h6L0+#K{ z%&N?73YH9DZ94c=Vpb&&M<UdnSy#q2s%7aF&eB=omzFL!#;2)@$j;MTf*zihC`!{3 z-G*IlnXLgNUgh%fu}=}$H#gmm((IVc#w}ZJMucRgv)W=7N$=OtFeivER9noGH84U} zq*>aoB_iD>-$$Fde|SlnYKe}L8P8;z2Ki<Jwve{dD#=}Y?dhzVn3)rLQ3!J~1@lGK 
zL{@7K7h&_|txm&_#jdO45b69yVOOuWV-@#L!->Uta_C{46!a#y$EZrr0hGm9&zgcX z7hfEvoZ75y3CtdYGqENOzZG9K41LW%uxcpUY<!8R?$R_|SA1un=s==!_J&=XDrc|R zwSC*xU2C!xB_N2?FkdD!u!??u2}_JsbnQP;Q8*3nm9-I4GH%&|jgX<2zYKI)8V)R; z9DtSn7D-XEl}E7swgJtA2ZpYH1y}Slod{!@z<I?>Kl=(9$S?)y9x?&-Ps4Y`2Zfcq zaw|5eOvw<Wk|{t>%r5>%*5jkU*ci6YX{MrAwXj}5;M-{bJN}`*XMLN!hj81lKeD*2 z@<{HR@X4w!h+j|ZoA3duHe|NGQ=6rJqu#5|Q+`k`m*0~Od5rW9vQNJ$o+>;otVgU` zuVr1H%*^Ii5c?2n)Z}ZRv5RUFYz;K$)+3G5#1St3KrTfcE@vGyxR6QWypB;_RG(mV z<U(bk72)f~OfI#)Zrt|*d|vIIA4z#(OIMzL5oY0(HTaq%=kjG;TK5+7)_s?1WA#|r z3jV+!OgmcEr8vveq+VHyJw~Jp+66z-CLBSKHNEuFYe|<wqo8RIt!7{Rh4jP=P%H9R zAF@EQbqk!3k7GF#d7HE_wvtX8&B)SAw-Ts3TqRqQhK6CUnijVPnYW#Wo{|3oa;WC& z$EE^(!})?W)fNGEts{bOHFosZ>&h}4OIGdR>JQC0X~}oAbh$AiomD<^R?>0o0I;+= zY}{i(230<6I~1)bZxGW|0dc&L-_zr}zhFso)=*Fjw4(<04Zx_$X>CbUGc;pJn<<;o z%98wanCy^w{$0`^1XH85qc)3KSaZwLS#xx54Oz`m{znZv@@s(Tm|=@$>8wpUQy3Xq zbF5e}JdIEMWeu<Vlkhd=)+gbYrKx3_(UvQ1lUqI5P`7}Qxk^RTCI0(srIc}VNw7Vg zHArW6b;?rKj=w2WaSj(|JH9)Z-iRuf&`pZnZ1w-3@N2KV!%gjJYLI3GWy(=5wCY^n z9mh_6dcsgEw4)qrZ_1@#66Hqa%YuVS(Dh4zxogLXR|ybL{wd!i50!p_1@Pv;gMkwQ zasMy)hM?)+>>mcj^sw(5-&Wr+pV#|__fBuh+ve@(`2wFX-Gt9gfA4<IeT92G#Glt) zcOw*do@*c+Ay?_U^-;)?@ea9xtR)em<2!x(5CH5_pI5I^H>y?2*UGs2l?#*w(n-=3 zi16=;SBYneE5usieb*D}hpq#zOVt<k!TMMPOD@({kb4kUH_3IHCb-tRrfWf0+;SPc zb(mBsNaMd73c#P#Ru!KFHy`{(fur?%?(Xy*Rfg!&7glU-`2-z~($Bf8?wq3vB1LCf zuC?;lHMlU}<DRWg*Wk<9lI0cbw^m2o;YiD6^~fRk@uZd$;G#u-hKtwg+jVJ#h1>Wj zy;MJ(d#T>3Q0rXMFd8GQB2e?W$H){SHFKxcv7<_e2tRWV+n8g@03y80U50olGS5Dy z^drJMoJ<CJ?wC?cgd^Pl%pl}frI83f@m?~>l3$hHMEH?I3RmJRzKlYo&$!E(Lni7~ zy7Vb0%48s#9EJ!#aF-c_(3CJl_@3wbU=W%Jh6vyBjxoqb9eOV!eZoDFfD9zk$IP3_ zD_y)&??a@IxcikApjUE;IF$#qG6+q@LWIw3m5zo8qf2vhbBlB)bGRe!@Mb!5v-$KC zZlS%HHIaJRCG+E#5R@s+9Hl}EG0iP{Gm&O+uVL3pcv7Vg`7pn?MIWF`(=8`!*(+qQ zF11;%<L6(Yp6zLzl(V<OhbT?u^YPeL9hQ_cX_5#J+Is71t&Iq0@Sbki22Y{Tg@{(9 zM!0z!`X{8hbNuyf_==^FvWEGSl{#dV<Q&vNP)B`Io2m;2YfQQ{g>YrzbpBu-xr;K_ zV2dShy&Ha5sg8TTKU}55Ctk}vmb2E;!15Z)v-!ZiaIi{)IQ5ULqtsV(H|Njm;8B$Z 
zTAt0v|3rrB(g3TilkTI;+Mjpjz<TP7N3sf<Rp!(6I?|#{=8V*^fu?zx#2+@XhlzaF z|FD71`UF1iZ*8FC-pV4&&AN?x1(C*cfBT}1dW1;hSiG`%%|?9~k;Zb?`go&0l1O95 z(Z~t&>NR@HQfV|5&gz6a1UMX)`;Ymr_P6^-``+<&`bK%*#%EGWJr8=8B0}UE_ej@U z_^L^NT<lE4C;k*!k2E|})Q{9#)Je*RNQ${dsh6LVw@8mjW#VySp>W6E!*hCdbV0l0 zn`0fb(zDM|@H66qTD=r6M4T^V1rz#$#~9E>Eo)3cWPA48Kk_6`&~cH@s*Bp!hSLrG z&R&p%3r8T+Zpf(XqNcSrCX6meJ|>z=hT151;OOXrWzD`_;|S-c7Pj&(Sk|04b|y`M zTvu<CapJga!m^lF^wE(kw+oiF{Bo8UIVIG)3jyK-N<fPJleJU?inezRb{4a;tWGIe z)&&b2*TDE`1TyJ`I0$-_7O-$m9g1;9sv?#VF=1%yR+Jt4w2OnBZ6e_`t#(@9E|}Z6 zWRd3pfT(LpLBTS8G-`n9Ex)t48N~>LqzKy^$7MvVZ0bxd-*mwS=X}8?A)#yb@YM)+ zg4dd#m1CHfbX9gQoF{*EWleDzLpRctXN1_S6)uP4>Lt1a16+QWEQ359u&e<tGZB_g zU<wGz+TJqV&H4*iciX$Nwzphi)?He0)`6A7v6-M1_s$TMtJv04k0ExIz@EYMxQef# zqO!QT&aX)oMzEKSIht{YoBF%Utt;j2U0J_XuGK7y+mmV_GZ3=~AgLn11i7q>`m2~x zAX5}9X;IwX)gwc321)gP%B~HiU4>Wzw4i+n(69X9e=S|~-epF$$M;yc8RCs^VTM@N zMO{+P7OnAH*5%K%m=PeeE;=T=F6+uVqB1XJw-)*WM#`RBBTTcP!Aldca-bo&PE1HI z=lsT%op<_f@?GvbAK`Q-<15aqeT#iFeG_~md?9?xxy)AxXTs0kFTMZu{@eS4_c2`L zI^ey@d%5>~NN^{5w|H0LvO$}7tT%!1yZ+wZUOy84{p9%^&eGRBFL)mJJm9(0^Lx*g z`1;fto>M$KJnKB|p4qqn*5ZkH>O2*mBD1Md>!G`E!$+S@_qpbF>VDpOSS>bhsnlBI zx`HDrfIC^G<R|hU@@MiWd7j)sJ}0k{X$VIff*7%4GM|hgg7#1CJMC@lW9@0;HXEw6 z-92T<KT1!<r3{vzls}Z;#0R;)F(0VXhVDJQ{NT&|wLUJ(BRoUerTpvQEx)J>Wb>`> z)Xq?oRIRMx-r^={pt3si=Ky6@=Fk4hO8#d;s!~?mr17}L(UMnI>c|?>g4D`~v~#u5 z>i6oO)brK(YN2v4aJ8}s?(P|ZP(XsC`vLzR#4?un-u2xge~-Z*0Z09V-qYZY@8|j2 zbGK&?hN;l~KE8*&2j9WgAsU|x!C2D|%TMSx>dO(={3CgUTq>U-Pm`-8*GI5opDQ&> z-g^rR(qiWF*m2Kd0OgIA3~}Wr%2Xn6;Ai}gpD2iXTW=lze|Vk-Hm&25<)%*|S;}kq z34P#G1rcIv*g1@wTzAtOJFEG5UH6&NOypI(zOOz<*X0#l6nOVrNT6%JQTh;hIY(dk zje=0fW$ln(@aaKw#)JAimppe79+8X7EbL8Y=^}EJLG~8SW0R1Xs+!RvnZJy~{7YZ) z05S7U5!YtK1_%OckT?8@GF<C9S*<(4XMS=-8BYdJRqIYdb!C_8<B2?xOMRn%Rv`6# z3Br(*?ew3OdaV~k;NyJeLq99y8jG1U=(xu=XB?7TSI*se+^*egR#(pK*u7r(qa{yW zF+?BamY${(2D^l``!fZhZ7VHe+y1TvbpiRYaJWn6ihJp$zz!}D)qJj?AKySw*@P~x zXvKA|Ay%FJ#!%(pJ4UW#-bqM35i6&w$c}Gr{z92Vgj;zPPkezYgugM2WFEXtn@EIP 
zct~8}eFb^%@3CfS=&i`ACEUhk_H*A?aQEf_t3opWUWBknv6ZU@J^!O1Q&<O=^Iqtu zA_ZMNmlRvShGrlR<qv1DhjBc7^vSQ4dR^LLT^*Zrgg|6VaU$5PPsG#{aV2knK{~&s zdI!HXW-`eANNP!hySW?>NP-Br<5DE1l%ZR`16cyn<l*ulhb(o`^l9Zb$c%ARaQxcV z%sWwR2I6YY!mOV8-zybFxPy0sK`xAuGF@E7q;1I@;z8`8Sjyr`CG*|?l9(=Sw4S!O z5$-AW<)ZjGKPV8z@3b!MoqLmpYVYMufAoV=J4pClxms85>&`{tNNuD}dXr<#J8N{P zCWkq9T-r;obxHTE#0sbeuhf^2#hv0PD!L9tMoD2|-~`wePxamEy8zy+j}Wi3(W`l$ z@T_zn!=}*b?u!j!lB-@ni+oJRYwsYy<yCdJTA+NPoFgBW|18gydy036lTjV}XKd+$ zw}MGRsaV!<$c^VAo{6Nf(VW~<e-`5F!ptF*k#Dny5EEaMtGcLhn)^2f!t=yF34px# zesg9I7*LN6)Gxz9WKRQ(Z_}|eumXQDn_ov4?9^O5$u(jLO|+4CudcZ`VCflZKVT6u zV8pv%v*t2g?m7eSNrIE|OdAe?${M{V`ZC+uOjdZK&A2PNkQf+K2Vwg_jb4HRFjVK$ zl?`#B1@Hn))y^0437`I(golhxU9eO0Dahq<=Y-?C81%CWFu4XyqfQ@>W?-~-He*@U z*d!SJyQuA&o9?MTK(ka*ePEZnw2PXpSrVOD6hpIBGED(mL{%5{ZnEp`EWyt0L+}DJ zv1}h43ij@r^c!M5jX??<fiAc>Gg(!{A9=!`M)RLTajUweYl2PO!G{N#%wdkIhkV=7 z1s7+2KWN4QX4|#KbG-8fC=$6Bplpo$O{$<gbacVfnO`}~m$|ZN9WKxO7x1yu+zTLm zw2gFpC6R@8Sb>xsU2uFlOXrg|@;6B9*tw>1T}Kz(pU$#2Ht8{{YXn-hMYnLH_@#xq z3uMCu>MU&QS5xmUB&q7AfYF%>8PmI(QJ5K1PjD>saQ;fIMMLn4IvcWana?QdN?_it z8!Mj;gnJPQPJ-sLB7Lw|?SgL<iB92v44EGywWM_mrbr(!o9<(Mg;uJ9FZKWE|Fi%9 z+Pc!{D5@;nRbAa(-RZ7QBoMX`zyKj3knZYq5)cGLj{#W+K@>$4^neJ6xG)Z<EoSN| zxDh}L54Zp#j*95Gu(+QQ7Z?~g4kM077-t5MO+|D#dc>LU-dEjen);J-a=&`7w)bB3 z{l5F|bz=Kt^JB%)@kK8qANBa~bNa9Ph|n{^pMzHgUeW%iP4GYOSJes12H*E+<}O;j zZIHdJ#Y4@i`o^u)05vON&jUc4Y-HA;QJ3g$NgC6tvBB@kJa9b3jbRY*X^6)XO;(i+ zf>$b941P3B@5Ep{k+Lf7IRME4!Rd^%ZZc%#JFc=p>`LFe(`CAwb~$bJu!+rOhXom9 z`p9H4O;%qUOs*7$Ig!jt@MVNS7`DOVO23~GBEV#;l-0#19+v`;oKu(MZb+buBJ{%s zg)22EZbGD(#FC&9K;g>h7syvNtX!2q*-BacY!J9i3gb@JzYwaYEXngCJ#8q)l74=7 z1Oizob+S>9+k;q~jd1DnA{1^0kQ>{c=AHoEbgc*=Nzt(2Tm#w4ZOFp>{1Gj+s~4hc zC|ZhYgP;V14H;PS7rgvX!dJQc)LV`ARA9HzO)^ILe;F$?r`p#Sjzx-7&tEA>{$)}+ z`^lhCtK0$Q)&Tpu?9d-uF!W71^gn+Wn%3@8U3ZM`dMw$+M(i-J{;eOGdP-z~AAtPn z9%xU_TOUw<l|-0+m^V2^ID08M)x=%Zt}eV*l5ca@iiKxVe#aE>2YJcabfF#!(cD=U zDBBz=4)#D9t>WYU&1G$aM<Zzh%6w}%!D;Li*sP~e;<q{SRQRXx2z_nn*U;GD3)tm2 
zQG3IG#($;ygmPAy=vxa`dlu4aiirEhoR%?q>0`5?gi;Q~I8ru12o+(V{6+uj9=xv0 zXCbbF;9|g5X92;GlV{>>FYb=Gf$ZB(St$_$#?dD6@%jKpocG4-fk+ntSx^Q??H!M3 zrfw6F;2hy&A^`L4Gz4I7<1D=r6N<5Vt6XTncn&buzgy@6i6J~nkOs(Ku2T~bH-#qi zB7FojKp6<b4PNU?F&K0r#6}6of9_<X6V1Ac#9hKbrU@S~4nR3I5Cu9qPr@33o1(~@ zu670(^Kad*!PoJ-YDB0I7DIiJ9yWwOIprC=sRn^+5;U!98={}=6(B;kxe>0!hSn!P z)!gXhH9CK)IX!z%`yPNSGBa4w2kNzKS!dPR(D|ge!}DcD9~qcPaXDRVD12^Y5q;(< z12;9i4S`CXZOD2u-6^-DT-*|C!18n#Fj~@S4q^u=ni$C2ZbQd|`^Agj+rMaoXqBO$ zr>-{iJNe+thv31}Qi?UP#)fDoGh^-?qGNuczD`qfEi2<?zWr1PU{maDY;tsS)F`?s z@@}MUc!s_cUgmT}krxMMYdf@FNKXDKGUsJ{`!Pt@f)^Ft(B~y|Y0ATRWf$E@VSp5l zFmgyOy-|>5@{KZl_l*?o=fVlAT7W8(3;*_cI#z}Sxc(+|3YJWEy6|=^H)KXK{oVou zS@zq~Z5rYc`1l5^LVz8U@Bh$z@UMJ)8siVdST;Ow)igx=@$vOm7Xd;{j`P8HVw|%% zW%U%`!sJ?e;!do!Y&NZ40yLQX06l$|E>CJCt&2n%%rq-7#g<GD4WZ+2i_*+&2Y_d0 z#R9#W%=0201sE?Gc)`>4rWyF%NYm9AgQ$%vQ3`Y<Jw-;B{1(~yU9=I`1<Ffa7o&sk z!57d)5w<13dC7+bv?dFrtx8b>fWLLz?8=#L9R!>b(?S#j<w4Bo#D$2Ia63&|-2^x< zIsO^lGZRrJE^1=ZgY=T)n9;~BnDj21wE7A#UhZhkV6+lIYnExX7f~QJbemYwWU5y} zl344Cfbg#aTI-w<W09|)8dd{N&<@il!b5%WALGZcDPdoHNBrIRYe>BIWPEx2{`kW9 zy!g%W$<ClXf$H|gOk)am9yA++4AZDG%8d(*Q0$l3DQD%Lz|f8;w>~#I9eYnlM~6k5 zqJ5(mf&z=7)Ycj2*FAxbYSFc=`zh9y6ziLZeja!yn29I{eRnE7eW<kcpmL4U(|-)* zFz)u7>T&h`;H%hKF)VmN;6H)qpmAOr@M+t%CE8V57ky!TQ~WVp-n96LcrxAzHRDeh z`;2$6HDal;z_{LM)<=dO(F38kkuGVUkqVtOdZBuJ)bPblV`Kb3V!LAR#a@lAj%93p zdTh473HxUU$9l&~P(uEz=qK11@_5uj`S`K8lWy2cdkPfZ`?^!~N04_5il(A)e4?m> z{t@cNAH^<+tsv|cqh|c1NDpLj`Z4@vczbwb_&yXtm>9k|+za_e>Y@J)z_!0L`oYlp z&|UHu9sO<jqAKW89kEXki|L;ug|_>SY1O)aHoMiTbH@(UA@JYI8xEbb$F%aGe^&5> z?_XFb4rFuvy!-)e*1UryJm<@=wILz@e5nf69n}Vf{I^Rj_uiw>a{cq9>b3W%2BPaW z$z|xrz-9R7x~xg<+r(}CMygax4{6AZG)__|yAElokbkWFr_EvdXN)}2q{G@E-9NgL zlOZ`ZEqb}`AH_5UvZ%M{Y2824-Te9RGHmSgUm>}c8AmkiQXJvxh(9f-&6>jp1$s}3 zIR}qujk+HR+cD`?XV#;%x$$z=5uyJM(Gx-Shxo_7hL*i%d07Cz^VPy%I_iNQ0XXMQ z#b;VYM*Xa90A6$}GlATUsEqnI&!!FPryfTq)ZLy(r`26$0XQM&_6=uI{WxdOjPKf5 zS69m?Mfue~=YXu8oh9|1^X%-)sM|bGoK&}Z+7s&Qh5eu)IGm!C`a(ei8SRu**LMhj 
z#LvG2m%>+D3R>{aN|c{oQeb!Erqufj>@w6QlT;TJ0Mg;F_pS1@r_?D0cDYTyQ90si zH<c}(_N2l$kjNVzvZI9Zch3fO$~SV@T)H2_M)|_)pt=U-4o`bpDI8ET$3wkRICP{v zr4+spX*ZRd%>XhOJ3T(vYBNg8^JEESho`+xdG<UzZ(daXU1*o(H+^dg?Cz!)HNf^v z>&$Y?EczZUXdqv5N}ca%H`N<G?Fn^yp`9{4C+d`;`Swh%(piI&&IfY#wDOauJ>@&( zX*YdudD@d|w9t--!VGd^D+4@$T8xALdfMxiqn`GZ@+VKbshsw-CzVVYib>}$Zf-^t zWp6<Pxw)(f+Tpp2p_}?sS?p;y)iz%C%1YmdIeUiL#ac{oD%j}58g<SENxP}WJ?%-~ za!-3gd8i%rqvTd?xqvjK&ogHzAhWUmd3G{4T<U2y@9;Dy5-?www-m^n9?F}th6!cz zX!7lA{ijha$3K~pm`YHC@2MiHb)wKe>3*$;)hiXP|D=>{tw))?T7jhRTUj`TnkVXf z54J)HrL2^`PD(C|VA>qg*PPmpJ}XKl&&uJIbK28loqsTy5tYy=8{{1iVxVu+I8Srq z6i;)yO`$nsQZMx#3hit*n?23RJMjhTaLzSSCyBaSJr7UJJnxq1`-3m^;P!z`!Oaqa z&c=8)fkr>t69C;k(Gvite~l-AN1DRVv_@y>4WZPsJzA>0Z-Xy>ow3zu6Pp{|9jz*Q z07a%ohc|_z`aD#ystyYLTD@3%!vBMRxVjFc!${u-{7jpJ%~k?jr2OG;t%g6hVk3U| zueldYSRVoAQF@Pz?B0mYU_i)u?JmGM=CwL$fhA*%{1b4F(jDS<Pb`8{&ln2j2}m5$ z31Mv1@8N_nMh*&scBK2l*!Gv;zAy&nO_;!#bztoEKVXXvV<udeBrs+j7;D@FmYuOA z+EJiRYrA5RZI^(zNYOe>B5=F61pE+cXOK(R4;Z<0VAXbS!d^21V(1T{I_yZo-g%uH zs$Pry8jV&vQ46d$x5<rjrmD_Ozu~&WNXY>|77;x15+*Ko<LOIqbQ*k44Ul?y0o&Gv zy60NeTO9=gc%*Cj(h?-VmhSZ!aEcuT!gnMx;ekBFv^t0?AS^ii`T)32YC~rtj~#J4 z*;~Eu8Qf~NzXWa<VLQ@qmd^gO;8_TEzIzDtQH4P0j=X%paytOg0BLku>2@kvf~7a) z(EzBoEfBCHhY$C=^M>r62DGNPjc}d3)9##$fk~(B57?9x+ajXa)*wa4@aVHBt~M&N zI(#ZTR(~E8+vMQmh~gipt?+;AAE+)yiXzjusAcaJF{@TUI$}>1udnp5CMl8Pak%0J z0nvzQPe4~6)&??LVvK|5TqZ^VVlTFL3%ppOQ2?Z@IsvsvI<dQ3^u{b;!Xt(>B=<Ew zxJ>7Y>a%f{ByOA(AsVaT5N00HdUBiiIC6=52-1YueLu4tR5hKZ1W3Y43Q~lo$X5S6 zqCrCgMy+V1UJi`OhnbIpd~h!=VO=aB2SI8lieVk%nEO5kz6I#qI0)b_;xd3u?(ljV z<Cy8>6o?6kLA^&xpf{51(7=}z4MZTxIyA2Y>%eBPSmF|xX`DJguY?OvW}^WV3S=Lq zQ1CRrSc58>44@>hfZW4R20*8^$YahO)mweUU;wls*lD{;2M@anBub@#ydxjUUsvIg z@UaNL6N6yR&fH#X=CC{gMJH!3b^L2ET&YbgnY8+eivUid6JWZRIv>7>NhQGq&JH;z zx7L+9FFlF(Odu6ttP%ZP5Z8S1MiN+nG$iFf+~SLmHa5i0pd`ibiuM;(M;=5eilO@I z(3#M<;EO>uFd2C~+xo9VzJVfTvTqBP-9@OWAc+0vTj2WFTX*A<_^qP;HL4Q}QUN%3 z8N&-t$m+zi<ACY)ks83u8pH3M&@RZe#x`C-ngBmbhKIj`8K3Rkv`j(Dz*Kq?3=cSo 
zoc>uDn{fn*1N=%E7ALim9E`f+g7g6%aM!(>9dNiR08j@cV7w*)B9nUxXaaJ{=jsvD zPE$NRRm-F%Py@ILo@~o$&1Ej3fr@JZ@S48&4Lq5p>#;{q*^F-wVUzQ)Dl(%Ig#g_z zPk!%aoScrOrwoo?c2kG!&qOd0UD{nt${u`R3l1hT25m=i70d}d7hKKWsrcIQ@oBJ@ z69MqsNN>X|Vlz|}F(KRgH`}tk(}D`!TwcoRH{IT232UqvPkSFb@nff=*auH*m(YXY z(b-2pF_*8b=4}jrdL39Xnn3D79_J}QkLVBtFBfXWYaR=TSYklC54o#ZuW_{vG%}6g z3ffxxNbES4$W362rbb>z`2GxiW9a)(D!Ag+lH$2RRCN_Z9rN3M=>tq)?!6hGv;Km} zW7-df-Vc1O4Q9wG{!rH<4T40!Tj*B0eyDTNpV`IDSVbEJiGH`rMiv+zZe%oL740HO z^P?rldEp~)u<nV7g(ba@HOe_o_!w&95QH`+RwGjTMo=3J#Zsr@6DbAGc3%Dj-=9iB znjdq~fNQuNCI}{bcR{irEAQO!z8#?Rsat{*SkX!TqffQ$xA?dgVHnltG2zPvX@E4n zaO<_l<z@}Kq9ooqNr0{MR{X`Cw@&dcJy3L+n33Dy%9Cf~ajhwPV${dEP>>wRlZWBR N30dTPwuTwh@P8b@)=>Ze diff --git a/cres/zap-alerts/0.yml b/cres/zap-alerts/0.yml new file mode 100644 index 000000000..4351d5d32 --- /dev/null +++ b/cres/zap-alerts/0.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 548 + - linkType: Linked To + document: + name: WASC + section: 48 +toolType: Offensive +docType: Tool +id: 0 +name: 'Zaproxy-Alert: Directory Browsing' diff --git a/cres/zap-alerts/10003.yml b/cres/zap-alerts/10003.yml new file mode 100644 index 000000000..91756ccdb --- /dev/null +++ b/cres/zap-alerts/10003.yml @@ -0,0 +1,5 @@ +links: [] +toolType: Offensive +docType: Tool +id: 10003 +name: 'Zaproxy-Alert: Vulnerable JS Library' diff --git a/cres/zap-alerts/10009.yml b/cres/zap-alerts/10009.yml new file mode 100644 index 000000000..a2ef841a0 --- /dev/null +++ b/cres/zap-alerts/10009.yml @@ -0,0 +1,5 @@ +links: [] +toolType: Offensive +docType: Tool +id: 10009 +name: 'Zaproxy-Alert: In Page Banner Information Leak' diff --git a/cres/zap-alerts/10010.yml b/cres/zap-alerts/10010.yml new file mode 100644 index 000000000..5523940cb --- /dev/null +++ b/cres/zap-alerts/10010.yml 
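Review bot: `links: []` in cres/zap-alerts/10003.yml (and 10009.yml next to it) records the alert with no CWE or WASC reference, and nothing in the file says whether that is intentional. The same empty list recurs through the patch, including on 10028 'Open Redirect', 10043 'User Controllable JavaScript Event (XSS)' and 10034 'Heartbleed OpenSSL Vulnerability (Indicative)', while sibling entries for the same weakness do carry a mapping (20015.yml has CWE 119 / WASC 20; 2.yml has CWE 200 / WASC 13 where 110006.yml has none). A consumer that joins scanner findings to requirements through these links will presumably drop those alerts without any signal. I would mark the deliberate cases in the file, e.g. `# no CWE/WASC reference published for this alert`, so an empty list left by a parsing miss can be told apart; if these files are written by the zap_alerts_parser.py added in this commit, that is where the comment or a warning belongs.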
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 1004
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 13
+toolType: Offensive
+docType: Tool
+id: 10010
+name: 'Zaproxy-Alert: Cookie No HttpOnly Flag'
diff --git a/cres/zap-alerts/10011.yml b/cres/zap-alerts/10011.yml
new file mode 100644
index 000000000..170b8fa0f
--- /dev/null
+++ b/cres/zap-alerts/10011.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 614
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 13
+toolType: Offensive
+docType: Tool
+id: 10011
+name: 'Zaproxy-Alert: Cookie Without Secure Flag'
diff --git a/cres/zap-alerts/10015.yml b/cres/zap-alerts/10015.yml
new file mode 100644
index 000000000..fc49ab327
--- /dev/null
+++ b/cres/zap-alerts/10015.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 525
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 13
+toolType: Offensive
+docType: Tool
+id: 10015
+name: 'Zaproxy-Alert: Re-examine Cache-control Directives'
diff --git a/cres/zap-alerts/10017.yml b/cres/zap-alerts/10017.yml
new file mode 100644
index 000000000..2cb4d7cba
--- /dev/null
+++ b/cres/zap-alerts/10017.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 829
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 15
+toolType: Offensive
+docType: Tool
+id: 10017
+name: 'Zaproxy-Alert: Cross-Domain JavaScript Source File Inclusion'
diff --git a/cres/zap-alerts/10019.yml b/cres/zap-alerts/10019.yml
new file mode 100644
index 000000000..da5a92192
--- /dev/null
+++ b/cres/zap-alerts/10019.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 345
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 12
+toolType: Offensive
+docType: Tool
+id: 10019
+name: 'Zaproxy-Alert: Content-Type Header Missing'
diff --git a/cres/zap-alerts/10020-1.yml b/cres/zap-alerts/10020-1.yml
new file mode 100644
index 000000000..7867222f2
--- /dev/null
+++ b/cres/zap-alerts/10020-1.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 1021
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 15
+toolType: Offensive
+docType: Tool
+id: 10020-1
+name: 'Zaproxy-Alert: Missing Anti-clickjacking Header'
diff --git a/cres/zap-alerts/10020-2.yml b/cres/zap-alerts/10020-2.yml
new file mode 100644
index 000000000..f3e8fadbc
--- /dev/null
+++ b/cres/zap-alerts/10020-2.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 1021
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 15
+toolType: Offensive
+docType: Tool
+id: 10020-2
+name: 'Zaproxy-Alert: Multiple X-Frame-Options Header Entries'
diff --git a/cres/zap-alerts/10020-3.yml b/cres/zap-alerts/10020-3.yml
new file mode 100644
index 000000000..41d26d2bd
--- /dev/null
+++ b/cres/zap-alerts/10020-3.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 1021
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 15
+toolType: Offensive
+docType: Tool
+id: 10020-3
+name: 'Zaproxy-Alert: X-Frame-Options Defined via META (Non-compliant with Spec)'
diff --git a/cres/zap-alerts/10020-4.yml b/cres/zap-alerts/10020-4.yml
new file mode 100644
index 000000000..882a4fd7a
--- /dev/null
+++ b/cres/zap-alerts/10020-4.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 1021
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 15
+toolType: Offensive
+docType: Tool
+id: 10020-4
+name: 'Zaproxy-Alert: X-Frame-Options Setting Malformed'
diff --git a/cres/zap-alerts/10020.yml b/cres/zap-alerts/10020.yml
new file mode 100644
index 000000000..aebf3e85c
--- /dev/null
+++ b/cres/zap-alerts/10020.yml
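Review bot: `id: 10020-1` in cres/zap-alerts/10020-1.yml is an unquoted plain scalar, so a YAML loader resolves it as a string, whereas `id: 10020` and `id: 0` in the neighbouring files resolve as integers. The `id` field therefore has two types across the directory (also 10020-2 to 10020-4 and 10032-1 to 10032-6), and an equality check or dictionary lookup on ids read back from these files can miss depending on which form the caller holds; the code that reads them is not visible here. Quoting every id keeps the field a string throughout: `id: '10020-1'`, `id: '10020'`.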
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10020
+name: 'Zaproxy-Alert: Missing Anti-clickjacking Header'
diff --git a/cres/zap-alerts/10021.yml b/cres/zap-alerts/10021.yml
new file mode 100644
index 000000000..a00c45aa3
--- /dev/null
+++ b/cres/zap-alerts/10021.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 693
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 15
+toolType: Offensive
+docType: Tool
+id: 10021
+name: 'Zaproxy-Alert: X-Content-Type-Options Header Missing'
diff --git a/cres/zap-alerts/10023.yml b/cres/zap-alerts/10023.yml
new file mode 100644
index 000000000..d4469b06a
--- /dev/null
+++ b/cres/zap-alerts/10023.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 200
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 13
+toolType: Offensive
+docType: Tool
+id: 10023
+name: 'Zaproxy-Alert: Information Disclosure - Debug Error Messages'
diff --git a/cres/zap-alerts/10024.yml b/cres/zap-alerts/10024.yml
new file mode 100644
index 000000000..1ca8bef33
--- /dev/null
+++ b/cres/zap-alerts/10024.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 200
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 13
+toolType: Offensive
+docType: Tool
+id: 10024
+name: 'Zaproxy-Alert: Information Disclosure - Sensitive Information in URL'
diff --git a/cres/zap-alerts/10025.yml b/cres/zap-alerts/10025.yml
new file mode 100644
index 000000000..1e2762ba2
--- /dev/null
+++ b/cres/zap-alerts/10025.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 200
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 13
+toolType: Offensive
+docType: Tool
+id: 10025
+name: 'Zaproxy-Alert: Information Disclosure - Sensitive Information in HTTP Referrer Header'
diff --git a/cres/zap-alerts/10026.yml b/cres/zap-alerts/10026.yml
new file mode 100644
index 000000000..0b5efab67
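Review bot: cres/zap-alerts/10020.yml repeats the name of 10020-1.yml, 'Missing Anti-clickjacking Header', but with `links: []`, so the parent alert loses the CWE 1021 / WASC 15 mapping that all four of its variants carry. 10032.yml does the same with the name of 10032-1.yml, and 10033.yml reuses 'Directory Browsing' from 0.yml without its CWE 548 / WASC 48 links. Two documents with one name and different links make a lookup by name ambiguous, and a finding reported under the parent id ends up unmapped. If the parent stands for the plugin as a whole, it could take the links its variants share, as below; otherwise give it a distinct name.

```yaml
links:
  - linkType: Linked To
    document:
      name: CWE
      section: 1021
  - linkType: Linked To
    document:
      name: WASC
      section: 15
# … unchanged: toolType, docType, id, name …
```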
--- /dev/null
+++ b/cres/zap-alerts/10026.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10026
+name: 'Zaproxy-Alert: HTTP Parameter Override'
diff --git a/cres/zap-alerts/10027.yml b/cres/zap-alerts/10027.yml
new file mode 100644
index 000000000..4ba710b7e
--- /dev/null
+++ b/cres/zap-alerts/10027.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 200
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 13
+toolType: Offensive
+docType: Tool
+id: 10027
+name: 'Zaproxy-Alert: Information Disclosure - Suspicious Comments'
diff --git a/cres/zap-alerts/10028.yml b/cres/zap-alerts/10028.yml
new file mode 100644
index 000000000..eb80f7339
--- /dev/null
+++ b/cres/zap-alerts/10028.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10028
+name: 'Zaproxy-Alert: Open Redirect'
diff --git a/cres/zap-alerts/10029.yml b/cres/zap-alerts/10029.yml
new file mode 100644
index 000000000..cb6b5debd
--- /dev/null
+++ b/cres/zap-alerts/10029.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10029
+name: 'Zaproxy-Alert: Cookie Poisoning'
diff --git a/cres/zap-alerts/10030.yml b/cres/zap-alerts/10030.yml
new file mode 100644
index 000000000..1816e8777
--- /dev/null
+++ b/cres/zap-alerts/10030.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10030
+name: 'Zaproxy-Alert: User Controllable Charset'
diff --git a/cres/zap-alerts/10031.yml b/cres/zap-alerts/10031.yml
new file mode 100644
index 000000000..5d12d4f92
--- /dev/null
+++ b/cres/zap-alerts/10031.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10031
+name: 'Zaproxy-Alert: User Controllable HTML Element Attribute (Potential XSS)'
diff --git a/cres/zap-alerts/10032-1.yml b/cres/zap-alerts/10032-1.yml
new file mode 100644
index 000000000..a55af4e99
--- /dev/null
+++ b/cres/zap-alerts/10032-1.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 642
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 14
+toolType: Offensive
+docType: Tool
+id: 10032-1
+name: 'Zaproxy-Alert: Potential IP Addresses Found in the Viewstate'
diff --git a/cres/zap-alerts/10032-2.yml b/cres/zap-alerts/10032-2.yml
new file mode 100644
index 000000000..5dd1be71a
--- /dev/null
+++ b/cres/zap-alerts/10032-2.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 642
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 14
+toolType: Offensive
+docType: Tool
+id: 10032-2
+name: 'Zaproxy-Alert: Emails Found in the Viewstate'
diff --git a/cres/zap-alerts/10032-3.yml b/cres/zap-alerts/10032-3.yml
new file mode 100644
index 000000000..1b2e264f2
--- /dev/null
+++ b/cres/zap-alerts/10032-3.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 642
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 14
+toolType: Offensive
+docType: Tool
+id: 10032-3
+name: 'Zaproxy-Alert: Old Asp.Net Version in Use'
diff --git a/cres/zap-alerts/10032-4.yml b/cres/zap-alerts/10032-4.yml
new file mode 100644
index 000000000..dd1d4c0af
--- /dev/null
+++ b/cres/zap-alerts/10032-4.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 642
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 14
+toolType: Offensive
+docType: Tool
+id: 10032-4
+name: 'Zaproxy-Alert: Viewstate without MAC Signature (Unsure)'
diff --git a/cres/zap-alerts/10032-5.yml b/cres/zap-alerts/10032-5.yml
new file mode 100644
index 000000000..a23e1771b
--- /dev/null
+++ b/cres/zap-alerts/10032-5.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 642
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 14
+toolType: Offensive
+docType: Tool
+id: 10032-5
+name: 'Zaproxy-Alert: Viewstate without MAC Signature (Sure)'
diff --git a/cres/zap-alerts/10032-6.yml b/cres/zap-alerts/10032-6.yml
new file mode 100644
index 000000000..b37e896b0
--- /dev/null
+++ b/cres/zap-alerts/10032-6.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 642
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 14
+toolType: Offensive
+docType: Tool
+id: 10032-6
+name: 'Zaproxy-Alert: Split Viewstate in Use'
diff --git a/cres/zap-alerts/10032.yml b/cres/zap-alerts/10032.yml
new file mode 100644
index 000000000..5bf6f7088
--- /dev/null
+++ b/cres/zap-alerts/10032.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10032
+name: 'Zaproxy-Alert: Potential IP Addresses Found in the Viewstate'
diff --git a/cres/zap-alerts/10033.yml b/cres/zap-alerts/10033.yml
new file mode 100644
index 000000000..109927f80
--- /dev/null
+++ b/cres/zap-alerts/10033.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10033
+name: 'Zaproxy-Alert: Directory Browsing'
diff --git a/cres/zap-alerts/10034.yml b/cres/zap-alerts/10034.yml
new file mode 100644
index 000000000..4c48a97ee
--- /dev/null
+++ b/cres/zap-alerts/10034.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10034
+name: 'Zaproxy-Alert: Heartbleed OpenSSL Vulnerability (Indicative)'
diff --git a/cres/zap-alerts/10035.yml b/cres/zap-alerts/10035.yml
new file mode 100644
index 000000000..ab408c669
--- /dev/null
+++ b/cres/zap-alerts/10035.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10035
+name: 'Zaproxy-Alert: Strict-Transport-Security Header'
diff --git a/cres/zap-alerts/10036.yml b/cres/zap-alerts/10036.yml
new file mode 100644
index 000000000..4e710a0f9
--- /dev/null
+++ b/cres/zap-alerts/10036.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10036
+name: 'Zaproxy-Alert: HTTP Server Response Header'
diff --git a/cres/zap-alerts/10037.yml b/cres/zap-alerts/10037.yml
new file mode 100644
index 000000000..7123c29a1
--- /dev/null
+++ b/cres/zap-alerts/10037.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 200
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 13
+toolType: Offensive
+docType: Tool
+id: 10037
+name: 'Zaproxy-Alert: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)'
diff --git a/cres/zap-alerts/10038.yml b/cres/zap-alerts/10038.yml
new file mode 100644
index 000000000..810d04089
--- /dev/null
+++ b/cres/zap-alerts/10038.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10038
+name: 'Zaproxy-Alert: Content Security Policy (CSP) Header Not Set'
diff --git a/cres/zap-alerts/10039.yml b/cres/zap-alerts/10039.yml
new file mode 100644
index 000000000..32568fc64
--- /dev/null
+++ b/cres/zap-alerts/10039.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10039
+name: 'Zaproxy-Alert: X-Backend-Server Header Information Leak'
diff --git a/cres/zap-alerts/10040.yml b/cres/zap-alerts/10040.yml
new file mode 100644
index 000000000..fff4da7ce
--- /dev/null
+++ b/cres/zap-alerts/10040.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 311
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 4
+toolType: Offensive
+docType: Tool
+id: 10040
+name: 'Zaproxy-Alert: Secure Pages Include Mixed Content'
diff --git a/cres/zap-alerts/10041.yml b/cres/zap-alerts/10041.yml
new file mode 100644
index 000000000..53b1fa599
--- /dev/null
+++ b/cres/zap-alerts/10041.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10041
+name: 'Zaproxy-Alert: HTTP to HTTPS Insecure Transition in Form Post'
diff --git a/cres/zap-alerts/10042.yml b/cres/zap-alerts/10042.yml
new file mode 100644
index 000000000..b78a79546
--- /dev/null
+++ b/cres/zap-alerts/10042.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10042
+name: 'Zaproxy-Alert: HTTPS to HTTP Insecure Transition in Form Post'
diff --git a/cres/zap-alerts/10043.yml b/cres/zap-alerts/10043.yml
new file mode 100644
index 000000000..c84a57f53
--- /dev/null
+++ b/cres/zap-alerts/10043.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10043
+name: 'Zaproxy-Alert: User Controllable JavaScript Event (XSS)'
diff --git a/cres/zap-alerts/10044.yml b/cres/zap-alerts/10044.yml
new file mode 100644
index 000000000..8d87b3d6e
--- /dev/null
+++ b/cres/zap-alerts/10044.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10044
+name: 'Zaproxy-Alert: Big Redirect Detected (Potential Sensitive Information Leak)'
diff --git a/cres/zap-alerts/10045.yml b/cres/zap-alerts/10045.yml
new file mode 100644
index 000000000..312f006f6
--- /dev/null
+++ b/cres/zap-alerts/10045.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 541
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 34
+toolType: Offensive
+docType: Tool
+id: 10045
+name: 'Zaproxy-Alert: Source Code Disclosure - /WEB-INF folder'
diff --git a/cres/zap-alerts/10047.yml b/cres/zap-alerts/10047.yml
new file mode 100644
index 000000000..5f35f634f
--- /dev/null
+++ b/cres/zap-alerts/10047.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 311
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 4
+toolType: Offensive
+docType: Tool
+id: 10047
+name: 'Zaproxy-Alert: HTTPS Content Available via HTTP'
diff --git a/cres/zap-alerts/10048.yml b/cres/zap-alerts/10048.yml
new file mode 100644
index 000000000..225efeb70
--- /dev/null
+++ b/cres/zap-alerts/10048.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 78
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 31
+toolType: Offensive
+docType: Tool
+id: 10048
+name: 'Zaproxy-Alert: Remote Code Execution - Shell Shock'
diff --git a/cres/zap-alerts/10049.yml b/cres/zap-alerts/10049.yml
new file mode 100644
index 000000000..dcb0423f9
--- /dev/null
+++ b/cres/zap-alerts/10049.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10049
+name: 'Zaproxy-Alert: Content Cacheability'
diff --git a/cres/zap-alerts/10050.yml b/cres/zap-alerts/10050.yml
new file mode 100644
index 000000000..477a05e59
--- /dev/null
+++ b/cres/zap-alerts/10050.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10050
+name: 'Zaproxy-Alert: Retrieved from Cache'
diff --git a/cres/zap-alerts/10051.yml b/cres/zap-alerts/10051.yml
new file mode 100644
index 000000000..a52a4b312
--- /dev/null
+++ b/cres/zap-alerts/10051.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 20
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 20
+toolType: Offensive
+docType: Tool
+id: 10051
+name: 'Zaproxy-Alert: Relative Path Confusion'
diff --git a/cres/zap-alerts/10052.yml b/cres/zap-alerts/10052.yml
new file mode 100644
index 000000000..5a5280116
--- /dev/null
+++ b/cres/zap-alerts/10052.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10052
+name: 'Zaproxy-Alert: X-ChromeLogger-Data (XCOLD) Header Information Leak'
diff --git a/cres/zap-alerts/10054.yml b/cres/zap-alerts/10054.yml
new file mode 100644
index 000000000..7b9ca1f69
--- /dev/null
+++ b/cres/zap-alerts/10054.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 1275
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 13
+toolType: Offensive
+docType: Tool
+id: 10054
+name: 'Zaproxy-Alert: Cookie without SameSite Attribute'
diff --git a/cres/zap-alerts/10055.yml b/cres/zap-alerts/10055.yml
new file mode 100644
index 000000000..25a421b28
--- /dev/null
+++ b/cres/zap-alerts/10055.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 693
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 15
+toolType: Offensive
+docType: Tool
+id: 10055
+name: 'Zaproxy-Alert: CSP'
diff --git a/cres/zap-alerts/10056.yml b/cres/zap-alerts/10056.yml
new file mode 100644
index 000000000..40610d021
--- /dev/null
+++ b/cres/zap-alerts/10056.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 200
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 13
+toolType: Offensive
+docType: Tool
+id: 10056
+name: 'Zaproxy-Alert: X-Debug-Token Information Leak'
diff --git a/cres/zap-alerts/10057.yml b/cres/zap-alerts/10057.yml
new file mode 100644
index 000000000..08a3a7b5f
--- /dev/null
+++ b/cres/zap-alerts/10057.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 284
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 2
+toolType: Offensive
+docType: Tool
+id: 10057
+name: 'Zaproxy-Alert: Username Hash Found'
diff --git a/cres/zap-alerts/10058.yml b/cres/zap-alerts/10058.yml
new file mode 100644
index 000000000..520ae635c
--- /dev/null
+++ b/cres/zap-alerts/10058.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 16
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 20
+toolType: Offensive
+docType: Tool
+id: 10058
+name: 'Zaproxy-Alert: GET for POST'
diff --git a/cres/zap-alerts/10061.yml b/cres/zap-alerts/10061.yml
new file mode 100644
index 000000000..d772af28d
--- /dev/null
+++ b/cres/zap-alerts/10061.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 933
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 14
+toolType: Offensive
+docType: Tool
+id: 10061
+name: 'Zaproxy-Alert: X-AspNet-Version Response Header'
diff --git a/cres/zap-alerts/10062.yml b/cres/zap-alerts/10062.yml
new file mode 100644
index 000000000..d408ca47e
--- /dev/null
+++ b/cres/zap-alerts/10062.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10062
+name: 'Zaproxy-Alert: PII Disclosure'
diff --git a/cres/zap-alerts/10063.yml b/cres/zap-alerts/10063.yml
new file mode 100644
index 000000000..cc3671081
--- /dev/null
+++ b/cres/zap-alerts/10063.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10063
+name: 'Zaproxy-Alert: Permissions Policy Header Not Set'
diff --git a/cres/zap-alerts/10070.yml b/cres/zap-alerts/10070.yml
new file mode 100644
index 000000000..7164f9883
--- /dev/null
+++ b/cres/zap-alerts/10070.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10070
+name: 'Zaproxy-Alert: Use of SAML'
diff --git a/cres/zap-alerts/10094.yml b/cres/zap-alerts/10094.yml
new file mode 100644
index 000000000..4c6b8e24b
--- /dev/null
+++ b/cres/zap-alerts/10094.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10094
+name: 'Zaproxy-Alert: Base64 Disclosure'
diff --git a/cres/zap-alerts/10095.yml b/cres/zap-alerts/10095.yml
new file mode 100644
index 000000000..420248b93
--- /dev/null
+++ b/cres/zap-alerts/10095.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 530
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 34
+toolType: Offensive
+docType: Tool
+id: 10095
+name: 'Zaproxy-Alert: Backup File Disclosure'
diff --git a/cres/zap-alerts/10096.yml b/cres/zap-alerts/10096.yml
new file mode 100644
index 000000000..18cd89d18
--- /dev/null
+++ b/cres/zap-alerts/10096.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 200
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 13
+toolType: Offensive
+docType: Tool
+id: 10096
+name: 'Zaproxy-Alert: Timestamp Disclosure'
diff --git a/cres/zap-alerts/10097.yml b/cres/zap-alerts/10097.yml
new file mode 100644
index 000000000..398bddb83
--- /dev/null
+++ b/cres/zap-alerts/10097.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10097
+name: 'Zaproxy-Alert: Hash Disclosure'
diff --git a/cres/zap-alerts/10098.yml b/cres/zap-alerts/10098.yml
new file mode 100644
index 000000000..6c5ef032a
--- /dev/null
+++ b/cres/zap-alerts/10098.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 264
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 14
+toolType: Offensive
+docType: Tool
+id: 10098
+name: 'Zaproxy-Alert: Cross-Domain Misconfiguration'
diff --git a/cres/zap-alerts/10099.yml b/cres/zap-alerts/10099.yml
new file mode 100644
index 000000000..7b793c596
--- /dev/null
+++ b/cres/zap-alerts/10099.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10099
+name: 'Zaproxy-Alert: Source Code Disclosure'
diff --git a/cres/zap-alerts/10103.yml b/cres/zap-alerts/10103.yml
new file mode 100644
index 000000000..20f9ee516
--- /dev/null
+++ b/cres/zap-alerts/10103.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 200
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 13
+toolType: Offensive
+docType: Tool
+id: 10103
+name: 'Zaproxy-Alert: Image Exposes Location or Privacy Data'
diff --git a/cres/zap-alerts/10104.yml b/cres/zap-alerts/10104.yml
new file mode 100644
index 000000000..2362bf3f1
--- /dev/null
+++ b/cres/zap-alerts/10104.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10104
+name: 'Zaproxy-Alert: User Agent Fuzzer'
diff --git a/cres/zap-alerts/10105.yml b/cres/zap-alerts/10105.yml
new file mode 100644
index 000000000..26a770b39
--- /dev/null
+++ b/cres/zap-alerts/10105.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 326
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 4
+toolType: Offensive
+docType: Tool
+id: 10105
+name: 'Zaproxy-Alert: Weak Authentication Method'
diff --git a/cres/zap-alerts/10106.yml b/cres/zap-alerts/10106.yml
new file mode 100644
index 000000000..fd03b2516
--- /dev/null
+++ b/cres/zap-alerts/10106.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 311
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 4
+toolType: Offensive
+docType: Tool
+id: 10106
+name: 'Zaproxy-Alert: HTTP Only Site'
diff --git a/cres/zap-alerts/10107.yml b/cres/zap-alerts/10107.yml
new file mode 100644
index 000000000..eb6c91d2d
--- /dev/null
+++ b/cres/zap-alerts/10107.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 20
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 20
+toolType: Offensive
+docType: Tool
+id: 10107
+name: 'Zaproxy-Alert: Httpoxy - Proxy Header Misuse'
diff --git a/cres/zap-alerts/10108.yml b/cres/zap-alerts/10108.yml
new file mode 100644
index 000000000..7b94679b4
--- /dev/null
+++ b/cres/zap-alerts/10108.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10108
+name: 'Zaproxy-Alert: Reverse Tabnabbing'
diff --git a/cres/zap-alerts/10109.yml b/cres/zap-alerts/10109.yml
new file mode 100644
index 000000000..00ee6f7f9
--- /dev/null
+++ b/cres/zap-alerts/10109.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10109
+name: 'Zaproxy-Alert: Modern Web Application'
diff --git a/cres/zap-alerts/10110.yml b/cres/zap-alerts/10110.yml
new file mode 100644
index 000000000..3ba45d5d3
--- /dev/null
+++ b/cres/zap-alerts/10110.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 10110
+name: 'Zaproxy-Alert: Dangerous JS Functions'
diff --git a/cres/zap-alerts/10202.yml b/cres/zap-alerts/10202.yml
new file mode 100644
index 000000000..0c874bdd7
--- /dev/null
+++ b/cres/zap-alerts/10202.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 352
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 9
+toolType: Offensive
+docType: Tool
+id: 10202
+name: 'Zaproxy-Alert: Absence of Anti-CSRF Tokens'
diff --git a/cres/zap-alerts/110001.yml b/cres/zap-alerts/110001.yml
new file mode 100644
index 000000000..aa4af20b7
--- /dev/null
+++ b/cres/zap-alerts/110001.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 209
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 13
+toolType: Offensive
+docType: Tool
+id: 110001
+name: 'Zaproxy-Alert: Application Error Disclosure via WebSockets'
diff --git a/cres/zap-alerts/110002.yml b/cres/zap-alerts/110002.yml
new file mode 100644
index 000000000..4e0934281
--- /dev/null
+++ b/cres/zap-alerts/110002.yml
@@ -0,0 +1,5 @@
+links: []
+toolType: Offensive
+docType: Tool
+id: 110002
+name: 'Zaproxy-Alert: Base64 Disclosure in WebSocket message'
diff --git a/cres/zap-alerts/110003.yml b/cres/zap-alerts/110003.yml
new file mode 100644
index 000000000..599d61bb4
--- /dev/null
+++ b/cres/zap-alerts/110003.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 200
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 13
+toolType: Offensive
+docType: Tool
+id: 110003
+name: 'Zaproxy-Alert: Information Disclosure - Debug Error Messages via WebSocket'
diff --git a/cres/zap-alerts/110004.yml b/cres/zap-alerts/110004.yml
new file mode 100644
index 000000000..577d647b2
--- /dev/null
+++ b/cres/zap-alerts/110004.yml
@@ -0,0 +1,13 @@
+links:
+ - linkType: Linked To
+ document:
+ name: CWE
+ section: 200
+ - linkType: Linked To
+ document:
+ name: WASC
+ section: 13
+toolType: Offensive
+docType: Tool
+id: 110004
+name: 'Zaproxy-Alert: Email address found in WebSocket message'
diff --git a/cres/zap-alerts/110005.yml b/cres/zap-alerts/110005.yml
new file mode 100644
index 000000000..d54530d57
--- /dev/null
+++ b/cres/zap-alerts/110005.yml
@@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 359 + - linkType: Linked To + document: + name: WASC + section: 13 +toolType: Offensive +docType: Tool +id: 110005 +name: 'Zaproxy-Alert: Personally Identifiable Information via WebSocket' diff --git a/cres/zap-alerts/110006.yml b/cres/zap-alerts/110006.yml new file mode 100644 index 000000000..36670a9ca --- /dev/null +++ b/cres/zap-alerts/110006.yml @@ -0,0 +1,5 @@ +links: [] +toolType: Offensive +docType: Tool +id: 110006 +name: 'Zaproxy-Alert: Private IP Disclosure via WebSocket' diff --git a/cres/zap-alerts/110007.yml b/cres/zap-alerts/110007.yml new file mode 100644 index 000000000..524d8a7e7 --- /dev/null +++ b/cres/zap-alerts/110007.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 284 + - linkType: Linked To + document: + name: WASC + section: 2 +toolType: Offensive +docType: Tool +id: 110007 +name: 'Zaproxy-Alert: Username Hash Found in WebSocket message' diff --git a/cres/zap-alerts/110008.yml b/cres/zap-alerts/110008.yml new file mode 100644 index 000000000..0cd792992 --- /dev/null +++ b/cres/zap-alerts/110008.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 200 + - linkType: Linked To + document: + name: WASC + section: 13 +toolType: Offensive +docType: Tool +id: 110008 +name: 'Zaproxy-Alert: Information Disclosure - Suspicious Comments in XML via WebSocket' diff --git a/cres/zap-alerts/2.yml b/cres/zap-alerts/2.yml new file mode 100644 index 000000000..34adbc399 --- /dev/null +++ b/cres/zap-alerts/2.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 200 + - linkType: Linked To + document: + name: WASC + section: 13 +toolType: Offensive +docType: Tool +id: 2 +name: 'Zaproxy-Alert: Private IP Disclosure' diff --git a/cres/zap-alerts/20012.yml b/cres/zap-alerts/20012.yml new file mode 100644 index 000000000..dc1e08acb --- /dev/null 
+++ b/cres/zap-alerts/20012.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 352 + - linkType: Linked To + document: + name: WASC + section: 9 +toolType: Offensive +docType: Tool +id: 20012 +name: 'Zaproxy-Alert: Anti-CSRF Tokens Check' diff --git a/cres/zap-alerts/20014.yml b/cres/zap-alerts/20014.yml new file mode 100644 index 000000000..6f3430767 --- /dev/null +++ b/cres/zap-alerts/20014.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 20 + - linkType: Linked To + document: + name: WASC + section: 20 +toolType: Offensive +docType: Tool +id: 20014 +name: 'Zaproxy-Alert: HTTP Parameter Pollution' diff --git a/cres/zap-alerts/20015.yml b/cres/zap-alerts/20015.yml new file mode 100644 index 000000000..b2999b7a0 --- /dev/null +++ b/cres/zap-alerts/20015.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 119 + - linkType: Linked To + document: + name: WASC + section: 20 +toolType: Offensive +docType: Tool +id: 20015 +name: 'Zaproxy-Alert: Heartbleed OpenSSL Vulnerability' diff --git a/cres/zap-alerts/20016.yml b/cres/zap-alerts/20016.yml new file mode 100644 index 000000000..4afee84b1 --- /dev/null +++ b/cres/zap-alerts/20016.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 264 + - linkType: Linked To + document: + name: WASC + section: 14 +toolType: Offensive +docType: Tool +id: 20016 +name: 'Zaproxy-Alert: Cross-Domain Misconfiguration' diff --git a/cres/zap-alerts/20017.yml b/cres/zap-alerts/20017.yml new file mode 100644 index 000000000..e500c8714 --- /dev/null +++ b/cres/zap-alerts/20017.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 20 + - linkType: Linked To + document: + name: WASC + section: 20 +toolType: Offensive +docType: Tool +id: 20017 +name: 'Zaproxy-Alert: Source Code Disclosure - CVE-2012-1823' 
diff --git a/cres/zap-alerts/20018.yml b/cres/zap-alerts/20018.yml new file mode 100644 index 000000000..141b69130 --- /dev/null +++ b/cres/zap-alerts/20018.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 20 + - linkType: Linked To + document: + name: WASC + section: 20 +toolType: Offensive +docType: Tool +id: 20018 +name: 'Zaproxy-Alert: Remote Code Execution - CVE-2012-1823' diff --git a/cres/zap-alerts/20019.yml b/cres/zap-alerts/20019.yml new file mode 100644 index 000000000..e402d224c --- /dev/null +++ b/cres/zap-alerts/20019.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 601 + - linkType: Linked To + document: + name: WASC + section: 38 +toolType: Offensive +docType: Tool +id: 20019 +name: 'Zaproxy-Alert: External Redirect' diff --git a/cres/zap-alerts/3.yml b/cres/zap-alerts/3.yml new file mode 100644 index 000000000..8e80359e7 --- /dev/null +++ b/cres/zap-alerts/3.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 200 + - linkType: Linked To + document: + name: WASC + section: 13 +toolType: Offensive +docType: Tool +id: 3 +name: 'Zaproxy-Alert: Session ID in URL Rewrite' diff --git a/cres/zap-alerts/30001.yml b/cres/zap-alerts/30001.yml new file mode 100644 index 000000000..b1a11fe54 --- /dev/null +++ b/cres/zap-alerts/30001.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 120 + - linkType: Linked To + document: + name: WASC + section: 7 +toolType: Offensive +docType: Tool +id: 30001 +name: 'Zaproxy-Alert: Buffer Overflow' diff --git a/cres/zap-alerts/30002.yml b/cres/zap-alerts/30002.yml new file mode 100644 index 000000000..1f9d3691f --- /dev/null +++ b/cres/zap-alerts/30002.yml 
@@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 134 + - linkType: Linked To + document: + name: WASC + section: 6 +toolType: Offensive +docType: Tool +id: 30002 +name: 'Zaproxy-Alert: Format String Error' diff --git a/cres/zap-alerts/30003.yml b/cres/zap-alerts/30003.yml new file mode 100644 index 000000000..5cc4fd222 --- /dev/null +++ b/cres/zap-alerts/30003.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 190 + - linkType: Linked To + document: + name: WASC + section: 3 +toolType: Offensive +docType: Tool +id: 30003 +name: 'Zaproxy-Alert: Integer Overflow Error' diff --git a/cres/zap-alerts/40003.yml b/cres/zap-alerts/40003.yml new file mode 100644 index 000000000..9b64196fd --- /dev/null +++ b/cres/zap-alerts/40003.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 113 + - linkType: Linked To + document: + name: WASC + section: 25 +toolType: Offensive +docType: Tool +id: 40003 +name: 'Zaproxy-Alert: CRLF Injection' diff --git a/cres/zap-alerts/40008.yml b/cres/zap-alerts/40008.yml new file mode 100644 index 000000000..1397330c7 --- /dev/null +++ b/cres/zap-alerts/40008.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 472 + - linkType: Linked To + document: + name: WASC + section: 20 +toolType: Offensive +docType: Tool +id: 40008 +name: 'Zaproxy-Alert: Parameter Tampering' diff --git a/cres/zap-alerts/40009.yml b/cres/zap-alerts/40009.yml new file mode 100644 index 000000000..02fa6c9fc --- /dev/null +++ b/cres/zap-alerts/40009.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 97 + - linkType: Linked To + document: + name: WASC + section: 31 +toolType: Offensive +docType: Tool +id: 40009 +name: 'Zaproxy-Alert: Server Side Include' diff --git a/cres/zap-alerts/40012.yml b/cres/zap-alerts/40012.yml new file mode 100644 index 000000000..5c1b007e6 --- /dev/null 
+++ b/cres/zap-alerts/40012.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 79 + - linkType: Linked To + document: + name: WASC + section: 8 +toolType: Offensive +docType: Tool +id: 40012 +name: 'Zaproxy-Alert: Cross Site Scripting (Reflected)' diff --git a/cres/zap-alerts/40013.yml b/cres/zap-alerts/40013.yml new file mode 100644 index 000000000..881803d0f --- /dev/null +++ b/cres/zap-alerts/40013.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 384 + - linkType: Linked To + document: + name: WASC + section: 37 +toolType: Offensive +docType: Tool +id: 40013 +name: 'Zaproxy-Alert: Session Fixation' diff --git a/cres/zap-alerts/40014.yml b/cres/zap-alerts/40014.yml new file mode 100644 index 000000000..594a1c1fa --- /dev/null +++ b/cres/zap-alerts/40014.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 79 + - linkType: Linked To + document: + name: WASC + section: 8 +toolType: Offensive +docType: Tool +id: 40014 +name: 'Zaproxy-Alert: Cross Site Scripting (Persistent)' diff --git a/cres/zap-alerts/40015.yml b/cres/zap-alerts/40015.yml new file mode 100644 index 000000000..4300e0904 --- /dev/null +++ b/cres/zap-alerts/40015.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 90 + - linkType: Linked To + document: + name: WASC + section: 29 +toolType: Offensive +docType: Tool +id: 40015 +name: 'Zaproxy-Alert: LDAP Injection' diff --git a/cres/zap-alerts/40016.yml b/cres/zap-alerts/40016.yml new file mode 100644 index 000000000..6cd382423 --- /dev/null +++ b/cres/zap-alerts/40016.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 79 + - linkType: Linked To + document: + name: WASC + section: 8 +toolType: Offensive +docType: Tool +id: 40016 +name: 'Zaproxy-Alert: Cross Site Scripting (Persistent) - Prime' 
diff --git a/cres/zap-alerts/40017.yml b/cres/zap-alerts/40017.yml new file mode 100644 index 000000000..50c3d2153 --- /dev/null +++ b/cres/zap-alerts/40017.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 79 + - linkType: Linked To + document: + name: WASC + section: 8 +toolType: Offensive +docType: Tool +id: 40017 +name: 'Zaproxy-Alert: Cross Site Scripting (Persistent) - Spider' diff --git a/cres/zap-alerts/40018.yml b/cres/zap-alerts/40018.yml new file mode 100644 index 000000000..28907d467 --- /dev/null +++ b/cres/zap-alerts/40018.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 89 + - linkType: Linked To + document: + name: WASC + section: 19 +toolType: Offensive +docType: Tool +id: 40018 +name: 'Zaproxy-Alert: SQL Injection' diff --git a/cres/zap-alerts/40019.yml b/cres/zap-alerts/40019.yml new file mode 100644 index 000000000..da7e3eb10 --- /dev/null +++ b/cres/zap-alerts/40019.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 89 + - linkType: Linked To + document: + name: WASC + section: 19 +toolType: Offensive +docType: Tool +id: 40019 +name: 'Zaproxy-Alert: SQL Injection - MySQL' diff --git a/cres/zap-alerts/40020.yml b/cres/zap-alerts/40020.yml new file mode 100644 index 000000000..42d6e0d13 --- /dev/null +++ b/cres/zap-alerts/40020.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 89 + - linkType: Linked To + document: + name: WASC + section: 19 +toolType: Offensive +docType: Tool +id: 40020 +name: 'Zaproxy-Alert: SQL Injection - Hypersonic SQL' diff --git a/cres/zap-alerts/40021.yml b/cres/zap-alerts/40021.yml new file mode 100644 index 000000000..3773bfab1 --- /dev/null +++ b/cres/zap-alerts/40021.yml 
@@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 89 + - linkType: Linked To + document: + name: WASC + section: 19 +toolType: Offensive +docType: Tool +id: 40021 +name: 'Zaproxy-Alert: SQL Injection - Oracle' diff --git a/cres/zap-alerts/40022.yml b/cres/zap-alerts/40022.yml new file mode 100644 index 000000000..99847de66 --- /dev/null +++ b/cres/zap-alerts/40022.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 89 + - linkType: Linked To + document: + name: WASC + section: 19 +toolType: Offensive +docType: Tool +id: 40022 +name: 'Zaproxy-Alert: SQL Injection - PostgreSQL' diff --git a/cres/zap-alerts/40023.yml b/cres/zap-alerts/40023.yml new file mode 100644 index 000000000..65dc4f48f --- /dev/null +++ b/cres/zap-alerts/40023.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 200 + - linkType: Linked To + document: + name: WASC + section: 13 +toolType: Offensive +docType: Tool +id: 40023 +name: 'Zaproxy-Alert: Possible Username Enumeration' diff --git a/cres/zap-alerts/40024.yml b/cres/zap-alerts/40024.yml new file mode 100644 index 000000000..f6faa568b --- /dev/null +++ b/cres/zap-alerts/40024.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 89 + - linkType: Linked To + document: + name: WASC + section: 19 +toolType: Offensive +docType: Tool +id: 40024 +name: 'Zaproxy-Alert: SQL Injection - SQLite' diff --git a/cres/zap-alerts/40025.yml b/cres/zap-alerts/40025.yml new file mode 100644 index 000000000..acc7f3433 --- /dev/null +++ b/cres/zap-alerts/40025.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 200 + - linkType: Linked To + document: + name: WASC + section: 45 +toolType: Offensive +docType: Tool +id: 40025 +name: 'Zaproxy-Alert: Proxy Disclosure' diff --git a/cres/zap-alerts/40026.yml b/cres/zap-alerts/40026.yml new file mode 100644 index 000000000..8511b87e6 --- /dev/null 
+++ b/cres/zap-alerts/40026.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 79 + - linkType: Linked To + document: + name: WASC + section: 8 +toolType: Offensive +docType: Tool +id: 40026 +name: 'Zaproxy-Alert: Cross Site Scripting (DOM Based)' diff --git a/cres/zap-alerts/40027.yml b/cres/zap-alerts/40027.yml new file mode 100644 index 000000000..1601482ad --- /dev/null +++ b/cres/zap-alerts/40027.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 89 + - linkType: Linked To + document: + name: WASC + section: 19 +toolType: Offensive +docType: Tool +id: 40027 +name: 'Zaproxy-Alert: SQL Injection - MsSQL' diff --git a/cres/zap-alerts/40028.yml b/cres/zap-alerts/40028.yml new file mode 100644 index 000000000..130265ec4 --- /dev/null +++ b/cres/zap-alerts/40028.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 94 + - linkType: Linked To + document: + name: WASC + section: 14 +toolType: Offensive +docType: Tool +id: 40028 +name: 'Zaproxy-Alert: ELMAH Information Leak' diff --git a/cres/zap-alerts/40029.yml b/cres/zap-alerts/40029.yml new file mode 100644 index 000000000..5ac9c41d0 --- /dev/null +++ b/cres/zap-alerts/40029.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 215 + - linkType: Linked To + document: + name: WASC + section: 13 +toolType: Offensive +docType: Tool +id: 40029 +name: 'Zaproxy-Alert: Trace.axd Information Leak' diff --git a/cres/zap-alerts/40032.yml b/cres/zap-alerts/40032.yml new file mode 100644 index 000000000..bd0e7f553 --- /dev/null +++ b/cres/zap-alerts/40032.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 94 + - linkType: Linked To + document: + name: WASC + section: 14 +toolType: Offensive +docType: Tool +id: 40032 +name: 'Zaproxy-Alert: .htaccess Information Leak' 
diff --git a/cres/zap-alerts/40033.yml b/cres/zap-alerts/40033.yml new file mode 100644 index 000000000..399b3176d --- /dev/null +++ b/cres/zap-alerts/40033.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 943 + - linkType: Linked To + document: + name: WASC + section: 19 +toolType: Offensive +docType: Tool +id: 40033 +name: 'Zaproxy-Alert: NoSQL Injection - MongoDB' diff --git a/cres/zap-alerts/40034.yml b/cres/zap-alerts/40034.yml new file mode 100644 index 000000000..43e945221 --- /dev/null +++ b/cres/zap-alerts/40034.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 215 + - linkType: Linked To + document: + name: WASC + section: 13 +toolType: Offensive +docType: Tool +id: 40034 +name: 'Zaproxy-Alert: .env Information Leak' diff --git a/cres/zap-alerts/40035.yml b/cres/zap-alerts/40035.yml new file mode 100644 index 000000000..9fb01498e --- /dev/null +++ b/cres/zap-alerts/40035.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 538 + - linkType: Linked To + document: + name: WASC + section: 13 +toolType: Offensive +docType: Tool +id: 40035 +name: 'Zaproxy-Alert: Hidden File Finder' diff --git a/cres/zap-alerts/40036.yml b/cres/zap-alerts/40036.yml new file mode 100644 index 000000000..c6ed8f2f8 --- /dev/null +++ b/cres/zap-alerts/40036.yml @@ -0,0 +1,5 @@ +links: [] +toolType: Offensive +docType: Tool +id: 40036 +name: 'Zaproxy-Alert: JWT Scan Rule' diff --git a/cres/zap-alerts/40038.yml b/cres/zap-alerts/40038.yml new file mode 100644 index 000000000..d375bb831 --- /dev/null +++ b/cres/zap-alerts/40038.yml @@ -0,0 +1,5 @@ +links: [] +toolType: Offensive +docType: Tool +id: 40038 +name: 'Zaproxy-Alert: Bypassing 403' diff --git a/cres/zap-alerts/40039.yml b/cres/zap-alerts/40039.yml new file mode 100644 index 000000000..607e58a26 --- /dev/null +++ b/cres/zap-alerts/40039.yml 
@@ -0,0 +1,5 @@ +links: [] +toolType: Offensive +docType: Tool +id: 40039 +name: 'Zaproxy-Alert: Web Cache Deception' diff --git a/cres/zap-alerts/40040-1.yml b/cres/zap-alerts/40040-1.yml new file mode 100644 index 000000000..7ef74d647 --- /dev/null +++ b/cres/zap-alerts/40040-1.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 942 + - linkType: Linked To + document: + name: WASC + section: 14 +toolType: Offensive +docType: Tool +id: 40040-1 +name: 'Zaproxy-Alert: CORS Header' diff --git a/cres/zap-alerts/40040-2.yml b/cres/zap-alerts/40040-2.yml new file mode 100644 index 000000000..b26b3d5d0 --- /dev/null +++ b/cres/zap-alerts/40040-2.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 942 + - linkType: Linked To + document: + name: WASC + section: 14 +toolType: Offensive +docType: Tool +id: 40040-2 +name: 'Zaproxy-Alert: CORS Misconfiguration' diff --git a/cres/zap-alerts/40040-3.yml b/cres/zap-alerts/40040-3.yml new file mode 100644 index 000000000..16d5b5e6e --- /dev/null +++ b/cres/zap-alerts/40040-3.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 942 + - linkType: Linked To + document: + name: WASC + section: 14 +toolType: Offensive +docType: Tool +id: 40040-3 +name: 'Zaproxy-Alert: CORS Misconfiguration' diff --git a/cres/zap-alerts/40040.yml b/cres/zap-alerts/40040.yml new file mode 100644 index 000000000..f0864a6a1 --- /dev/null +++ b/cres/zap-alerts/40040.yml @@ -0,0 +1,5 @@ +links: [] +toolType: Offensive +docType: Tool +id: 40040 +name: 'Zaproxy-Alert: CORS Header' diff --git a/cres/zap-alerts/40041.yml b/cres/zap-alerts/40041.yml new file mode 100644 index 000000000..99a9a96af --- /dev/null +++ b/cres/zap-alerts/40041.yml @@ -0,0 +1,5 @@ +links: [] +toolType: Offensive +docType: Tool +id: 40041 +name: 'Zaproxy-Alert: ' diff --git a/cres/zap-alerts/40042.yml b/cres/zap-alerts/40042.yml new file mode 100644 index 000000000..99d458407 
--- /dev/null +++ b/cres/zap-alerts/40042.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 215 + - linkType: Linked To + document: + name: WASC + section: 13 +toolType: Offensive +docType: Tool +id: 40042 +name: 'Zaproxy-Alert: Spring Actuator Information Leak' diff --git a/cres/zap-alerts/40043-1.yml b/cres/zap-alerts/40043-1.yml new file mode 100644 index 000000000..5d91adbee --- /dev/null +++ b/cres/zap-alerts/40043-1.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 117 + - linkType: Linked To + document: + name: WASC + section: 20 +toolType: Offensive +docType: Tool +id: 40043-1 +name: 'Zaproxy-Alert: Log4Shell (CVE-2021-44228)' diff --git a/cres/zap-alerts/40043-2.yml b/cres/zap-alerts/40043-2.yml new file mode 100644 index 000000000..e6249769f --- /dev/null +++ b/cres/zap-alerts/40043-2.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 117 + - linkType: Linked To + document: + name: WASC + section: 20 +toolType: Offensive +docType: Tool +id: 40043-2 +name: 'Zaproxy-Alert: Log4Shell (CVE-2021-45046)' diff --git a/cres/zap-alerts/40043.yml b/cres/zap-alerts/40043.yml new file mode 100644 index 000000000..f44140834 --- /dev/null +++ b/cres/zap-alerts/40043.yml @@ -0,0 +1,5 @@ +links: [] +toolType: Offensive +docType: Tool +id: 40043 +name: 'Zaproxy-Alert: Log4Shell (CVE-2021-44228)' diff --git a/cres/zap-alerts/41.yml b/cres/zap-alerts/41.yml new file mode 100644 index 000000000..d010f6766 --- /dev/null +++ b/cres/zap-alerts/41.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 541 + - linkType: Linked To + document: + name: WASC + section: 34 +toolType: Offensive +docType: Tool +id: 41 +name: 'Zaproxy-Alert: Source Code Disclosure - Git ' diff --git a/cres/zap-alerts/42.yml b/cres/zap-alerts/42.yml new file mode 100644 index 000000000..bffafd9c6 --- /dev/null +++ b/cres/zap-alerts/42.yml 
@@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 541 + - linkType: Linked To + document: + name: WASC + section: 34 +toolType: Offensive +docType: Tool +id: 42 +name: 'Zaproxy-Alert: Source Code Disclosure - SVN' diff --git a/cres/zap-alerts/43.yml b/cres/zap-alerts/43.yml new file mode 100644 index 000000000..d18de341f --- /dev/null +++ b/cres/zap-alerts/43.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 541 + - linkType: Linked To + document: + name: WASC + section: 33 +toolType: Offensive +docType: Tool +id: 43 +name: 'Zaproxy-Alert: Source Code Disclosure - File Inclusion' diff --git a/cres/zap-alerts/6.yml b/cres/zap-alerts/6.yml new file mode 100644 index 000000000..9cd297f28 --- /dev/null +++ b/cres/zap-alerts/6.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 22 + - linkType: Linked To + document: + name: WASC + section: 33 +toolType: Offensive +docType: Tool +id: 6 +name: 'Zaproxy-Alert: Path Traversal' diff --git a/cres/zap-alerts/7.yml b/cres/zap-alerts/7.yml new file mode 100644 index 000000000..fca340c9a --- /dev/null +++ b/cres/zap-alerts/7.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 98 + - linkType: Linked To + document: + name: WASC + section: 5 +toolType: Offensive +docType: Tool +id: 7 +name: 'Zaproxy-Alert: Remote File Inclusion' diff --git a/cres/zap-alerts/90001.yml b/cres/zap-alerts/90001.yml new file mode 100644 index 000000000..58b01a9f0 --- /dev/null +++ b/cres/zap-alerts/90001.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 642 + - linkType: Linked To + document: + name: WASC + section: 14 +toolType: Offensive +docType: Tool +id: 90001 +name: 'Zaproxy-Alert: Insecure JSF ViewState' diff --git a/cres/zap-alerts/90002.yml b/cres/zap-alerts/90002.yml new file mode 100644 index 000000000..a3143d9e4 --- /dev/null +++ b/cres/zap-alerts/90002.yml 
@@ -0,0 +1,5 @@ +links: [] +toolType: Offensive +docType: Tool +id: 90002 +name: 'Zaproxy-Alert: Java Serialization Object' diff --git a/cres/zap-alerts/90003.yml b/cres/zap-alerts/90003.yml new file mode 100644 index 000000000..023b142e0 --- /dev/null +++ b/cres/zap-alerts/90003.yml @@ -0,0 +1,5 @@ +links: [] +toolType: Offensive +docType: Tool +id: 90003 +name: 'Zaproxy-Alert: Sub Resource Integrity Attribute Missing' diff --git a/cres/zap-alerts/90004-1.yml b/cres/zap-alerts/90004-1.yml new file mode 100644 index 000000000..38e3109d8 --- /dev/null +++ b/cres/zap-alerts/90004-1.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 693 + - linkType: Linked To + document: + name: WASC + section: 14 +toolType: Offensive +docType: Tool +id: 90004-1 +name: 'Zaproxy-Alert: Insufficient Site Isolation Against Spectre Vulnerability' diff --git a/cres/zap-alerts/90004-2.yml b/cres/zap-alerts/90004-2.yml new file mode 100644 index 000000000..52d2ef56d --- /dev/null +++ b/cres/zap-alerts/90004-2.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 693 + - linkType: Linked To + document: + name: WASC + section: 14 +toolType: Offensive +docType: Tool +id: 90004-2 +name: 'Zaproxy-Alert: Insufficient Site Isolation Against Spectre Vulnerability' diff --git a/cres/zap-alerts/90004-3.yml b/cres/zap-alerts/90004-3.yml new file mode 100644 index 000000000..214525d56 --- /dev/null +++ b/cres/zap-alerts/90004-3.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 693 + - linkType: Linked To + document: + name: WASC + section: 14 +toolType: Offensive +docType: Tool +id: 90004-3 +name: 'Zaproxy-Alert: Insufficient Site Isolation Against Spectre Vulnerability' diff --git a/cres/zap-alerts/90004.yml b/cres/zap-alerts/90004.yml new file mode 100644 index 000000000..440321317 --- /dev/null +++ b/cres/zap-alerts/90004.yml 
@@ -0,0 +1,5 @@ +links: [] +toolType: Offensive +docType: Tool +id: 90004 +name: 'Zaproxy-Alert: Insufficient Site Isolation Against Spectre Vulnerability' diff --git a/cres/zap-alerts/90011.yml b/cres/zap-alerts/90011.yml new file mode 100644 index 000000000..069f81370 --- /dev/null +++ b/cres/zap-alerts/90011.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 436 + - linkType: Linked To + document: + name: WASC + section: 15 +toolType: Offensive +docType: Tool +id: 90011 +name: 'Zaproxy-Alert: Charset Mismatch' diff --git a/cres/zap-alerts/90017.yml b/cres/zap-alerts/90017.yml new file mode 100644 index 000000000..9d9d7ee76 --- /dev/null +++ b/cres/zap-alerts/90017.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 91 + - linkType: Linked To + document: + name: WASC + section: 23 +toolType: Offensive +docType: Tool +id: 90017 +name: 'Zaproxy-Alert: XSLT Injection' diff --git a/cres/zap-alerts/90018.yml b/cres/zap-alerts/90018.yml new file mode 100644 index 000000000..276b41721 --- /dev/null +++ b/cres/zap-alerts/90018.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 89 + - linkType: Linked To + document: + name: WASC + section: 19 +toolType: Offensive +docType: Tool +id: 90018 +name: 'Zaproxy-Alert: Advanced SQL Injection' diff --git a/cres/zap-alerts/90019.yml b/cres/zap-alerts/90019.yml new file mode 100644 index 000000000..aa5794778 --- /dev/null +++ b/cres/zap-alerts/90019.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 94 + - linkType: Linked To + document: + name: WASC + section: 20 +toolType: Offensive +docType: Tool +id: 90019 +name: 'Zaproxy-Alert: Server Side Code Injection' diff --git a/cres/zap-alerts/90020.yml b/cres/zap-alerts/90020.yml new file mode 100644 index 000000000..bfefcd455 --- /dev/null +++ b/cres/zap-alerts/90020.yml 
@@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 78 + - linkType: Linked To + document: + name: WASC + section: 31 +toolType: Offensive +docType: Tool +id: 90020 +name: 'Zaproxy-Alert: Remote OS Command Injection' diff --git a/cres/zap-alerts/90021.yml b/cres/zap-alerts/90021.yml new file mode 100644 index 000000000..98a77fea7 --- /dev/null +++ b/cres/zap-alerts/90021.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 643 + - linkType: Linked To + document: + name: WASC + section: 39 +toolType: Offensive +docType: Tool +id: 90021 +name: 'Zaproxy-Alert: XPath Injection' diff --git a/cres/zap-alerts/90022.yml b/cres/zap-alerts/90022.yml new file mode 100644 index 000000000..e4b63b1de --- /dev/null +++ b/cres/zap-alerts/90022.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 200 + - linkType: Linked To + document: + name: WASC + section: 13 +toolType: Offensive +docType: Tool +id: 90022 +name: 'Zaproxy-Alert: Application Error Disclosure' diff --git a/cres/zap-alerts/90023.yml b/cres/zap-alerts/90023.yml new file mode 100644 index 000000000..d816b1ead --- /dev/null +++ b/cres/zap-alerts/90023.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 611 + - linkType: Linked To + document: + name: WASC + section: 43 +toolType: Offensive +docType: Tool +id: 90023 +name: 'Zaproxy-Alert: XML External Entity Attack' diff --git a/cres/zap-alerts/90024.yml b/cres/zap-alerts/90024.yml new file mode 100644 index 000000000..07691e8af --- /dev/null +++ b/cres/zap-alerts/90024.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 209 + - linkType: Linked To + document: + name: WASC + section: 20 +toolType: Offensive +docType: Tool +id: 90024 +name: 'Zaproxy-Alert: Generic Padding Oracle' diff --git a/cres/zap-alerts/90025.yml b/cres/zap-alerts/90025.yml new file mode 100644 index 000000000..016d28345 
--- /dev/null +++ b/cres/zap-alerts/90025.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 917 + - linkType: Linked To + document: + name: WASC + section: 20 +toolType: Offensive +docType: Tool +id: 90025 +name: 'Zaproxy-Alert: Expression Language Injection' diff --git a/cres/zap-alerts/90026.yml b/cres/zap-alerts/90026.yml new file mode 100644 index 000000000..f33756dac --- /dev/null +++ b/cres/zap-alerts/90026.yml @@ -0,0 +1,5 @@ +links: [] +toolType: Offensive +docType: Tool +id: 90026 +name: 'Zaproxy-Alert: SOAP Action Spoofing' diff --git a/cres/zap-alerts/90027.yml b/cres/zap-alerts/90027.yml new file mode 100644 index 000000000..e252fc670 --- /dev/null +++ b/cres/zap-alerts/90027.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 200 + - linkType: Linked To + document: + name: WASC + section: 45 +toolType: Offensive +docType: Tool +id: 90027 +name: 'Zaproxy-Alert: Cookie Slack Detector' diff --git a/cres/zap-alerts/90028.yml b/cres/zap-alerts/90028.yml new file mode 100644 index 000000000..d86b620c6 --- /dev/null +++ b/cres/zap-alerts/90028.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 200 + - linkType: Linked To + document: + name: WASC + section: 45 +toolType: Offensive +docType: Tool +id: 90028 +name: 'Zaproxy-Alert: Insecure HTTP Method' diff --git a/cres/zap-alerts/90029.yml b/cres/zap-alerts/90029.yml new file mode 100644 index 000000000..5bec3c047 --- /dev/null +++ b/cres/zap-alerts/90029.yml @@ -0,0 +1,5 @@ +links: [] +toolType: Offensive +docType: Tool +id: 90029 +name: 'Zaproxy-Alert: SOAP XML Injection' diff --git a/cres/zap-alerts/90030.yml b/cres/zap-alerts/90030.yml new file mode 100644 index 000000000..1aa3bac96 --- /dev/null +++ b/cres/zap-alerts/90030.yml @@ -0,0 +1,5 @@ +links: [] +toolType: Offensive +docType: Tool +id: 90030 +name: 'Zaproxy-Alert: WSDL File Detection' 
diff --git a/cres/zap-alerts/90033.yml b/cres/zap-alerts/90033.yml new file mode 100644 index 000000000..972162c9e --- /dev/null +++ b/cres/zap-alerts/90033.yml @@ -0,0 +1,13 @@ +links: + - linkType: Linked To + document: + name: CWE + section: 565 + - linkType: Linked To + document: + name: WASC + section: 15 +toolType: Offensive +docType: Tool +id: 90033 +name: 'Zaproxy-Alert: Loosely Scoped Cookie' diff --git a/cres/zap-alerts/90034.yml b/cres/zap-alerts/90034.yml new file mode 100644 index 000000000..56f04503e --- /dev/null +++ b/cres/zap-alerts/90034.yml @@ -0,0 +1,5 @@ +links: [] +toolType: Offensive +docType: Tool +id: 90034 +name: 'Zaproxy-Alert: Cloud Metadata Potentially Exposed' From ae07c94bae0ec5dc6a869e8fed49b26582b7f684 Mon Sep 17 00:00:00 2001 From: Spyros <northdpole@users.noreply.github.com> Date: Mon, 28 Feb 2022 20:03:37 +0000 Subject: [PATCH 02/26] Cheatsheet parser (#164) * cs parser init * fix comment * linting --- application/cmd/cre_main.py | 11 ++-- .../cheatsheets_parser.py | 50 +++++++++++++++++++ 2 files changed, 57 insertions(+), 4 deletions(-) create mode 100644 application/utils/external_project_parsers/cheatsheets_parser.py diff --git a/application/cmd/cre_main.py b/application/cmd/cre_main.py index f91d11f7c..5a6056841 100644 --- a/application/cmd/cre_main.py +++ b/application/cmd/cre_main.py @@ -12,9 +12,12 @@ from application.database import db from application.defs import cre_defs as defs from application.defs import osib_defs as odefs -from application.utils import spreadsheet_parsers -from application.utils.external_project_parsers import zap_alerts_parser from application.utils import spreadsheet as sheet_utils +from application.utils import spreadsheet_parsers +from application.utils.external_project_parsers import ( + cheatsheets_parser, + zap_alerts_parser, +) from dacite import from_dict from dacite.config import Config 
@@ -359,10 +362,10 @@ def run(args: argparse.Namespace) -> None: elif args.osib_out: export_to_osib(file_loc=args.osib_out, cache=args.cache_file) - elif args.zap_in: zap_alerts_parser.parse_zap_alerts(db_connect(args.cache_file)) - + elif args.cheatsheets_in: + cheatsheets_parser.parse_cheatsheets(db_connect(args.cache_file)) elif args.owasp_proj_meta: owasp_metadata_to_cre(args.owasp_proj_meta) diff --git a/application/utils/external_project_parsers/cheatsheets_parser.py b/application/utils/external_project_parsers/cheatsheets_parser.py new file mode 100644 index 000000000..a7b18ffb3 --- /dev/null +++ b/application/utils/external_project_parsers/cheatsheets_parser.py 
@@ -0,0 +1,50 @@
+# script to parse cheatsheet md files find the links to opencre.org and add the cheatsheets to CRE
+from typing import List
+from application.database import db
+from application.utils import git
+from application.defs import cre_defs as defs
+import os
+import re
+
+
+def cheatsheet(section: str, hyperlink: str, tags: List[str]) -> defs.Standard:
+ return defs.Standard(
+ name=f"Cheat_sheets",
+ section=section,
+ tags=tags,
+ hyperlink=hyperlink,
+ )
+
+
+def parse_cheatsheets(cache: db.Node_collection):
+ c_repo = "https://github.com/OWASP/CheatSheetSeries.git"
+ cheasheets_path = "cheatsheets/"
+ title_regexp = r"# (?P<title>.+)"
+ cre_link = r"(https://www\.)?opencre.org/cre/(?P<cre>\d+-\d+)"
+ repo = git.clone(c_repo)
+ files = os.listdir(os.path.join(repo.working_dir, cheasheets_path))
+ for mdfile in files:
+ pth = os.path.join(repo.working_dir, cheasheets_path, mdfile)
+ name = None
+ tag = None
+ section = None
+
+ with open(pth) as mdf:
+ mdtext = mdf.read()
+ if "opencre.org" not in mdtext:
+ continue
+ title = re.search(title_regexp, mdtext)
+ cre = re.search(cre_link, mdtext)
+ if cre and title:
+ name = title.group("title")
+ cre_id = cre.group("cre")
+ cres = cache.get_CREs(external_id=cre_id)
+ hyperlink = f"{c_repo.replace('.git','')}/{cheasheets_path}{mdfile}"
+ for dbcre in cres:
+ cs = cheatsheet(
+ section=name,
+ hyperlink=hyperlink,
+ tags=[],
+ )
+ dbnode = cache.add_node(cs)
+ cache.add_link(cre=db.dbCREfromCRE(dbcre), node=dbnode)
From e9edc79a38d07aad98480b4675f2c8d743ba7a2d Mon Sep 17 00:00:00 2001
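Review bot: In `parse_cheatsheets`, `cre_link` leaves the dots in `opencre.org` unescaped and makes the whole `https://www.` prefix optional, and `re.search` keeps only the first hit, so a look-alike host string is accepted and a cheatsheet that references several CREs is linked to just one of them. This text comes from a cloned third-party repository and ends up as links in the CRE database, so the match is worth tightening, for example `cre_link = r"(https://(www\.)?)?opencre\.org/cre/(?P<cre>\d+-\d+)"` combined with `for cre in re.finditer(cre_link, mdtext):`. `title_regexp` is also unanchored, so it can pick up any `# ` sequence (a sub-heading or a comment inside a code sample) if the file does not open with its title. Separately, `os.listdir` returns every entry under `cheatsheets/`, so skipping names that do not end in `.md` and passing an explicit `encoding="utf-8"` to `open` would avoid failures on directories or on hosts with a non-UTF-8 default locale.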
From: Spyros <northdpole@users.noreply.github.com> Date: Tue, 1 Mar 2022 16:04:37 +0000 Subject: [PATCH 03/26] Cheatsheet parser (#165) * cs parser init * fix comment * linting * fix cherry-pick * lint * new db * temp silence create spreadsheet until we automate gspread --- application/cmd/cre_main.py | 2 +- application/tests/cre_main_test.py | 18 +++++++++--------- .../cheatsheets_parser.py | 6 +++++- application/utils/git.py | 6 +++++- cre.py | 5 +++++ cres/db.sqlite | Bin 606208 -> 606208 bytes 6 files changed, 25 insertions(+), 12 deletions(-) diff --git a/application/cmd/cre_main.py b/application/cmd/cre_main.py index 5a6056841..4cb3d615c 100644 --- a/application/cmd/cre_main.py +++ b/application/cmd/cre_main.py @@ -287,7 +287,7 @@ def review_from_spreadsheet(cache: str, spreadsheet_url: str, share_with: str) - "Stored temporary files and database in %s if you want to use them next time, set cache to the location of the database in that dir" % loc ) - logger.info("A spreadsheet view is at %s" % sheet_url) + # logger.info("A spreadsheet view is at %s" % sheet_url) def review_from_disk(cache: str, cre_file_loc: str, share_with: str) -> None: diff --git a/application/tests/cre_main_test.py b/application/tests/cre_main_test.py index cabfd166b..a2ac238cd 100644 --- a/application/tests/cre_main_test.py +++ b/application/tests/cre_main_test.py 
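Review bot: The `logger.info("A spreadsheet view is at %s" % sheet_url)` call in `review_from_spreadsheet` is commented out rather than removed, and the same commit comments out the `mocked_create_spreadsheet.assert_called_with(...)` block in cre_main_test.py, so the test no longer checks that the export is shared only with the expected `share_with` list. The body of `review_from_spreadsheet` starts outside this hunk, so whether the spreadsheet export is still invoked is not visible here; if it is, that assertion is worth keeping. Otherwise I would delete the dead lines and leave a marker such as `# TODO: restore create_spreadsheet assertion once gspread export is automated` so the gap stays tracked.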
@@ -420,15 +420,15 @@ def test_review_from_spreadsheet( mocked_parse_standards_from_spreadsheeet.assert_called_with( [{"cre": "cre"}], self.collection ) - mocked_create_spreadsheet.assert_called_with( - collection=self.collection, - exported_documents=[ - defs.CRE(name="c0"), - defs.Standard(name="s0", section="s1"), - ], - title="cre_review", - share_with=["foo@example.com"], - ) + # mocked_create_spreadsheet.assert_called_with( + # collection=self.collection, + # exported_documents=[ + # defs.CRE(name="c0"), + # defs.Standard(name="s0", section="s1"), + # ], + # title="cre_review", + # share_with=["foo@example.com"], + # ) mocked_export.assert_called_with(loc) @patch("application.cmd.cre_main.prepare_for_review") diff --git a/application/utils/external_project_parsers/cheatsheets_parser.py b/application/utils/external_project_parsers/cheatsheets_parser.py index a7b18ffb3..f7c24c220 100644 --- a/application/utils/external_project_parsers/cheatsheets_parser.py +++ b/application/utils/external_project_parsers/cheatsheets_parser.py @@ -47,4 +47,8 @@ def parse_cheatsheets(cache: db.Node_collection): tags=[], ) dbnode = cache.add_node(cs) - cache.add_link(cre=db.dbCREfromCRE(dbcre), node=dbnode) + cache.add_link( + cre=db.dbCREfromCRE(dbcre), + node=dbnode, + type=defs.LinkTypes.LinkedTo, + ) diff --git a/application/utils/git.py b/application/utils/git.py index 4cf5a6a7f..09aebf7f5 100644 --- a/application/utils/git.py +++ b/application/utils/git.py @@ -72,8 +72,12 @@ def createPullRequest( def clone(source: str, dest: Optional[str] = None): + class Progress(git.remote.RemoteProgress): + def update(self, op_code, cur_count, max_count=None, message=""): + print(f"update({op_code}, {cur_count}, {max_count}, {message})") + if not dest: dest = tempfile.mkdtemp() with git.Git().custom_environment(): - repo = Repo.clone_from(url=source, to_path=dest) + repo = Repo.clone_from(url=source, to_path=dest, progress=Progress()) return repo 
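Review bot: In application/utils/git.py, `clone()` passes `source` to `Repo.clone_from` without any check on the URL, and the new `Progress.update` writes every progress tick to stdout with `print`. The caller visible in this series passes a constant GitHub URL, so nothing user-controlled reaches it here, but a guard such as `if not source.startswith("https://"): raise ValueError(source)` would keep it that way if a CLI flag ever feeds this function (assuming no caller relies on ssh or local paths). For the progress output, a debug-level log call in place of `print` keeps imports quiet by default and puts the messages under the application's logging configuration. The directory created by `tempfile.mkdtemp()` is never removed in this function, so callers have to clean up `repo.working_dir` themselves.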
diff --git a/cre.py b/cre.py index 0f2df5088..5086bd0aa 100644 --- a/cre.py +++ b/cre.py @@ -120,6 +120,11 @@ def main() -> None: action="store_true", help="import zap alerts by cloning zap's website and parsing the alert .md files", ) + parser.add_argument( + "--cheatsheets_in", + action="store_true", + help="import cheatsheets by cloning the repo website and parsing the .md files", + ) args = parser.parse_args() cre_main.run(args) 
diff --git a/cres/db.sqlite b/cres/db.sqlite index 3c1fd76b0f8e5632cf424e988af1ba7abc517e6c..5c933986a4caa9b4effa4d26b88bb7222f9e5ebe 100644 GIT binary patch delta 40158 zcmbSU2YeL8+rFKhncdrRyGseF5IUiy5K4d~gkA$7w9o?t2%QjmIg$Y83P_Byh=O22 z#fpVfY@i5sK}E3xDs}}cVEf*^-Aiuok6*y}+w<YscgoJr&OFoCuWz}2eao$}F1ga- zaNG!27q~L3+H~m%OvjY&GS|%^a4uHdBMlQ?<TPh5;a0AM|HJi=^19?V|D(UqUmn%e z)<h9+XL7*3@dvO=)rk(6>&7&Jn{kX&@HtvGpp7!>S3iv6ovG7HiioqDqkGkfF4bS6 zc1+_(>$8)X>V2qZ(<YMN!5f~G7c}G=HEhUiY*<=2ZC=rWg)@Se{OEq%m#JQa+lWe8 zL4B@K{rXHrO!Z)?arF@#BNnYFEh<@1IB!bvjOq@g1zR}3s9GTL)tgCT^*UEONk}S7 z(zr(L+A-zM8<gHia8@r>ni>ClR_VqINtyL%qr7$y%joKpuBO=GK+WL^njoP(E{1E= zqzSWuRA(`bm^Rg8nW@!pFiF)ulz`hOf(N5e`|9It3-Ba0mNx3w#CX(dPEwh+kEmiI z6Zfc;@`2JSseC9roU7b;##Uv6;J0fTfnVAixehsqD<7~!cvR{&*u_ZIV{^+GzWV*# z!Hv0S+%k^oQ?hbV>B3nhg^OmdOzoP|p=;N)D6ki+bB1qWoYlvNr$361|Jh{kRwi-p zdZg|>1lMU+m5dOYC`M?GSvN@}3!Vun?%A8>12J#YSomGE$#{FqH?@P`)tef?Z`sCm z@VjB-Z1^3y(TMeojqTxg=0*;Fi#N=K-#HtG!0+4*M$VbPArXETR;-2J#T8TGx1^#E z{4T9%4Zq7Oj5w?;p8>zC$_;*P=kg@@-@0<cJ9pV)_$@CR4!;#;o#A(5SseU&%HYT0 zHDc&bg&#F$?`fnqL-GQLD1D89Nl-Q`bLDqj56U}SF>*^K(Y4U^uJkoL;e%2qFdGdv z4hI0^3Bv#4yYi`><OF!d!^h_2k4Wq@yQr`<F<)PQi8g~5?}*h4@8$Yo`FBVAsuS&) zhWg?5T(rKs4cFMXTVLP0nkG=!HrHH7v#JwKb!8?uoOiwAFm6WcO~1m?`uV$P(=^9^ zAR08{>(@8JV)~5j*D0-Qere%?8HFV?GL=sq65J2{#q{Ho#_Ide;s*N1U*L{LCTY~4 zPb$#M{=tp(Pv`RO4e#se7pBw39RX>>_~ALhXJ|7vf7F1a#IZ%w67!3uFD)r9U70wl zXh~`Df?0_JmKM(_(z~|cn^E*0xN2IJlW@av%*Hs*=v)d-tY3il<2d$rwlkW`1ejcg zIL=gS>fNYWjIMcULp?E_;(#laCbF^h>xquk0W$cKP?l^@xW|5?ZS_StG+DnToi>kc zsexsIX_;fUe7FVI$+S%GOxwrGDp=;2mPvNYN&nE+LCe4^ooN@rEkM9s&_suFSSeR} zE3E4U*9KQV7nP67o8<m7m5xfAr2Y~WkBXbb{vs8Q3Y&!f0(BmBZgTc_QvN8viSN%- z?kKm3>(5boly0K^DJA>J9MTqlgZJS%IG+88y_KEF#-oqWt!N^OXFg(XbyP8KCTbef zk7>h*jvpK+95+E+;Emqu=v8$h3o$;(a@R5LY<_slt9v8H8|#qYFF(ISN?IsGpeO&6 z`_vlub05D(4+iCq7}FuOTgU_E%d2;<Kl>hzYI_a#XTW~W)!PRX$c$gj12XSky?Z^i zjBC)I`QaKqlEJ5Ni~khEl$vjvS$YjI+;!^OQt&X?UuzZ%reI2X%^SY&>f=}Y22wiJ zxNkRW0zZ7x)#Y)$?fW?GzeTwAmA~?zBAiki;k{Syf&S3@*Y-w6JVYC`ckH=_5SW{| 
z25v;I-bL^&^cy*HV26~NL~(4nM)!S27L4dnlM6b`K&4mjfj;?zYfF?eu)o%~Zbq=? z0a4M_$1j*beTL`u?~oey)_Y&Q2l|OPuE9K}%hkK64Kk%mO-8$P_3rhQ5C20F8IM@| zB|4tI`tZWyTU*(<rEB$IXzr*EskI(>|BL&Sj8KBLXL?+{2l}UwV%J(W_c0=z(m50$ z^Yt}^HzLodJs!CR7uqf(7yW$oF3h(QjAKorUW<g#w|sPMALjmRv@h!eWfkMO#wY4M zI)7+bK1KEai~ANWthY9QhU4fpdXO_};P~3YZieI8t9P$Y{rK8HOf$TiSLmp|`tX8T zz;s_z_A&0wS(c1s>J;`N4{|%yepp@plk*x8*uD5axv!Bx{jUD;_2f?=x&KpeHHzdK z1XoyM)x0fq*MAGY=5?h)^qXIu9x}rpF`{3GzBOgiQ-Yfr<Cw?9I#?0^f*-@BI2|`) zFS8%BhuAyVO>8kcgz3h_Drc1=%3h^XnWGF<Ix4E`C)Y{WldhevGS>{(09RX=ET5O( zmJi4`%WLE*a&Nh%%uC-&Z%F&48>Qvac&Vq<SaOJG#UtWgu~M8P4i!6!s_>KWj$1e& zY!_Au6NM}xQ9#bmp}BOA)9ak)%yp(X>+!$v@A6OZJNPyHWWE>QjK|zL?j>#?=jRr1 zBe*oK0sW1hq6g`%bRC^ad(#%sp!$luLhdJ9$RaY5q_frRGPZ!tWSg=CeT7~{520$b z92KA*D1rHhY4{m)jM>L*VM>@WY)P<L1wXo4NE_&1FQ6Tv(aSsz&8z)P+iS>K474`% zMhofJ*Q!L!Hd#$>MsHtzpuzWRy04K1XzuI($%C3&%W=!qyVpN?7oHmW2kHl!&7e<0 zi<x=LF`H?@IEOkrI#vEB{vG}Rznx#jPvo=sM0k~7a<6a?a8=w=u7K;wHQ`wLC4H4X zK(D8ZX+G^r<H+CSEIA4-<Son^Wgm36EK>57E=r8+PuFSJ5!XE~pKF0@q^pZ7R{mQ) z3oY?|@)o&79wT>`8_RAaos(XX9+Ym7mPrLtrqoozq$^p>JWfVIthOshmCwX4#aF}! 
z#I52ICWpl0znID57%@YP7yc2>3NH%x2tHwfFjD9&L_7a*e&RgrywiD|a}GX(kKntp z7thBda3>taUV>)(bL{QxMs_wkgzd;`=oj=}J#-N5MC;LX)E^}wiTROvt172~F0G(0 zePt<C^d`$_cgCT2Uqa(`PbqDu&ss(m$Z%{s$Z)M$({f!2P0$7SQ95-@>sa&QqYw3E z%V@G#Ta=vA$1I_X^cchb=n~pZ-?W%EZk@n4j0=_zIr(Gq$AAYZ9cv0NbbZZT{Y)%h zKaf^PpF@EMR?{~b9WA3B^ya1DS%1UFUzftqQ%h-2efLrtr}rwQvc6_5?UoSFH;f4n zAR{b}Hv}GAOD{6|3-EACTF1^EYg&S6uYSLqj?#-4gSW|x;n@=x)28~&r8GwGx0E)~ zCm8`WHc}?P1S0a|Vk!rFU@8!CD4)TryI1im3zd;dXQh$rvg>2lA=e$QO|D|sP*<|6 zp8TtPN`6Y-C6~!F<N<P9S(eUAZ%YTHo250<6sfn=QsTvL#W%$L;*H{RalDu*CW@?Z zPIy_kU$|Z<5k?E$ggEEl&NI#<&by&Fn(rLpba!$_@t63I_~-cB`HlQ+ehA-@*SKG} z_qc=HPHsIn9lCYebM@#&`UyQk_tC9%8J!4aQW90k@8lEmB9uziWHp&a29Z<}O&s`3 z{04p;--<Wjxp*Ybz=@b+e`McdpJnf2{p=EUJe$KNu`2o<eS(gv=s~m%twS@>Fw_|( zAOam_zw3!l(Sb41Rv#ZS`uI|7Gl^TD{S@72yPcL%(@sH0^?Fa!@AL(a(nk89Pt$DO z_ZW={^mvBuMEaITsHngE9PO&#@F;yyf8-JPQ68aV^{4mK?)q)};iatHPvwaB->qY6 z$C|<eEeQAz(3MPtO;@m~%?Po2USpDA<n_UNnUS@|8(BhJ3c2AYBlop8vc#wrG)t^4 z)z;{rmq1_N4J#nOpDcmga?tp>tpp;ER?;mfm{aC3^&HAq%A3joWv8-1nG1O(LrGLP z*AGy4Jq@|V>sst8aP@MvcDW$Gd?ddBrAL*#0_v{;az{Bz`b+v;dR2M^^2~Z^mXs@X zmf|HAa?M-flj3giI&mQs6`5iSQ51d_J`fH=VR5~%OqdLPehWGX4WPU@>wMX{-+8lh zy>k}SW}Th!PRxG?h2RdpfN#xx4|%31hv~D_OGi<OoFqD#MB?x#csHJnQz0K5V9VJ) zEQgLEKN^5s%qeCAGYp;z<qk6Xj&ld)k4o&8lH$;r-=K^3>j}Ke==^P@zy1<!h8!>H z`*(AV^hV9OQnUZKTT`yFUic*#Tu$Vg8C}ec^oPds?GcND?gDBOmr4WrFSL-gWtlFu zZGUFJPM)A8Eo$0P=-u$V*SS+|c_iw0K1S10!@Hk5r`41_MK)(?wa&H%c056EVWe)g zS>z+V%|ZH-ElQm_)hI@^M<1~t^2qsvG}<k&g^o<e4u|rBvJqZ4ffv2RmE*$l5xG=u zCLNb<lg2wv;%B6$;uq{ItnS!>n~8UUAZa6fBRnK56*2|J`5b)k{hb1Tg0JFp`T9^v zm2r8TNKevR=p>p*J|}lED%+9FB^~i^@NM3VhN61RN#<sT&BGI_a-#J&3i(F*4^QyT z5L;lrllz}C{xMol+ykk8-73BfVjBbw&E!62a2lVKs#g_q4fNA1`54MJ#IgehvC?X8 zMCoS>xhXIVa92yNoxY%uYobq{$xSog<=+SSM8uBK7k2=UpNry~=x@*FRt63gbG@iu zXoS|W327N{H{}>c@7Ros)r*hNE`e38xN1gU-;7(Y7cPXz&OAn2>Vw*F*}-q88`Il? 
z@{t21(=9le{hHO;z9b8u#&_X4+?(8u+(a&kegGLai(DcvlXc1~P&bcIT(0A;n_OdD z2~ZdBlb6V8(k1CxsX}T2ed0HZMPh5{6E7DA2=$yNox7bgoH5WRUd`t-M;RXkX#Q14 zt1sv$&cPT)^LhMUJd#gZtS{aNk8$}Gu8ZF2UT(0Sa1Zx_KI<sgRUddacTz9B4+ck8 zzQ8p_sE7HF^NmS!eR2Yc);~PL_0=EW%k|cqevcakzAxtcF*uh`DmMI#3OrQAPhs?& zBJlq7JpQtoUN=tTTk8Ao;2H%k%;yzkdUSajf7<lix!(w>t=@D7pP`?g&gU54S+t(; zD3=geH;W%<mOkldoI`mY>Zm-0aXsfMbj8V^$a~~ra((GdX@@jcYAk*(-XYEu8w&3U zw+hpR6z50IUCzl)j(>!o$)|G{xIJ7?`UWkcZ7D-ekzHgy>4h)ihw&QRgT2TeWY@D@ z(GO@38V5r5Gv+>K3X|yg)UnG^)jO6O!6(g!QH{X*DCZN5nVf6xrOAQBUvV5`zVY+F zV5}GYjGOCwzQ@sl{NM0P4BLiJ(wp7`S<!P5FC(*^No8@ym{62H^=W=6Vn+r3xrj3m z9>XWC)N}rXqNL+CzB^(E1k*4u{14okG4eYMRv8`}IV-UFPrQUR5^=KL<OjGjcrL%n zv^iJE>%r`njt)9NOLc~fwhx*dZP1TU!EaEqT$fyjU9(&*<yU2&JVI_Hy#zxnL!jz@ z8yXRPL|J%6xIq}}yac+;=bY$l#-HQ&^0W99?o;l1t|vMOHSsfa3GG7uA_pM(GV%BL zZkD36=nx3A)zAj$ikdZKer8TE4?qr_%?top$T&_ro^kB7a-+k61rTE~D3~GiXOHml zh+S%YdC~f(O-NJodmi-@{>}UVgNZue7d#f%45tN}pTldBnURg*wZQjZ;rd+QfwTB# z2A=-7qnG1)hvQp#(lS?Xmngp_?~upI@zVR!E@_(7PP`x<5Z8$VL<uUHyM<CATi~3h zoO_%zogMj$phZ0VP~OG8&E3q6=Hlpkw3-g34ai62HZq>n$8Y0Zc$(vS<weMf`7qM< z0n>`Th0SN9(Q&jLsdG^a<|}3gGs${h<9Twh($EoCmD9*9#*$YWC0CS@%e(5mjKRQ^ zdpWH4e4R@SoVk~K1qGm#d4$o=?Bk-h?cow}aMW<m9xh5hzmsnlIDbE<vcbA2(Dn}Q zdL{_<jJ;f<nPjvvBxA7NdUgxnEb!1Yt`%zxHD*<v=&m1V37@9_E^gcH=T*1B-31c` z4mgw^uHRfITo1TBt|BPh6XZ+sd-7xQ4e}y6S8gv0(pS<E>2}F2O_q8{(c<soJK|$v z6*#=Wq%bctE6|;2IO1?L`x0Bic0iwV3G`#Si%z4>p=iH}j36w29?#?^!S}nu*^0l+ zzs~RGmpH24>KfIZPt6FbUHe$!(wAxTXveWE9>x-ls@Z<`y?<y@)Brv;{|fg$61kLU zCT0YmT6BfGH*KdG(T=T|mcNYMUl^fm6L)2QXBQQfE~!2|uF*}`aSfuG)KPruLc{+E zA3T54?5J!$wa*p8p1+K16V1FhkWU?bg}eP$bE(nHGky8g;aBi?_ypRqQPyZH(1_$H z`iu688_uUr|6gx|(bgBca6|pgzi49AFg~^L3f}+o7wr}`flpoizdq<4FVp^sz4+9A z|9da!`=AAjmX_*g{-%kI?itFbnuAI9bbanJ?HUD7Htc`B(BWRJp7;lC7?*3s&Hi-e z6HKJIvHndmBt4q>FPUP?ACM{FUNGq+Udu7#UJpLC$NxrP+n=<R;p|HJ>`W!sI-2?9 zU*6}!KWW>4d)L11#=9=Ka$eH;i!{w>mVO5%;a9Bw<7t>9aN<*(Y@jH;XGdPt=e-5R zJ^V9TAD%$O0H9|Xeaq)iuT1_N&tjqm@u_3~_hIx8S8!>G%;78N?_g36DO#x~*5jHC 
z$~MN|6ZvKi<&d&ONppScx*yv9E%|2h8&Ek6mM%(9NDDw|oDe<YK;d`c5vWsJLDldo z)T$-Ue$Hr+-p}zj@I~+tA8^fj^QnX61X;eq+k;6ACGhnGgLSjZ+Vh!OSky<9EG(Q} zTD+_%vCqN<r6mjJE$LGuh8-vCHm=pJ33VHHb%(m@9JjTz;$h{LE5xIwfs|ag&ozxS zrpf<j>^7gUMvF5C>yAc^#&7-q`D}Vzqx&5{cHlFE^Hi)iVm{wQTSC_ku{r#8`(4uv zW*YV6Q!~TfVQ9WhUNYA@>dN1-o;sN88qKWvmtx>VGM60nFNOBuQ%0eE?#gA5ey%y! z?%yhdrY*R%sF8eX@fG6A_v3m*Gn?Q;DlqOwlo&9rCH>z%vOnwbY0)U~FU7)2$@ui6 z^Z3+RR|wV9nDmT-CmC>sFk#Y7yD0NJ`kyNA$De42s4;x%;w$*s{%4vK^)J=R+Mj8s zC@2oHui);`&$P|Im6#WQh7z+spPF|Ccd5V7RO1=0P$TGrFVc2#SFQ$v#ZUF|Ne%Q} z7ir^vD>?U%;o3B2?lxwa@yc;SMNLpHE59f|K-a@r<s;=?<v0{L0VQLyZw1^O<?Rl? zqbt|IZ^3m&n`itcC;U#?U`#(tu4o9qiDl68ayW<*VBmi(15yfkP|0d8V1$t4d&f>x z33Q9#KbdZ*8J-INY;FFt0dtf!CeS&WnbzAKZ!$~apG^Z7vk9*ffj-5I*U3~eNpMYf zjd$fi=Y6I=M|C#Qub)ab*AttIF`^<8;Sb@0@TKsv@V4Hikfa6X6q2coi)#&iw2e50 z<LE#1cm0)VB;H-_#0)}d>=-)7LS5)!3w5T0ER;?MTBs8pV4*bH-$JRhpM_FrUkfGE zJ{Iaodt0aj&9P8>+RH?4wjIs3$hI`gLP<2!LTzYI3$>;_EYym2w@^!(VWAeZn}wRw zt`=%WyI80x?QEe$nr@*cv=bn=@$8LhnnfniR13w^6br@CWDCX8juwic9V`@0+gqp+ zZD*k<+SWo1X_AE+&^8vTPg`549&P2ephjC-NTn?-q|oLTa?xfMl4(;5Ni@+yqiL~) zM$y?8%BQm|G?LD=P#!I^&<HxiLhj*ox&?FTGz$%*g%%o0r&?$TonoQEbh3p8(Mc8> zNGDoo0G(i={&c*B`q2Ul^`+x1)Q65WkQ<V}HyvY<IdrszdeKo9%BJ}i%AzAJlu7d} z)RT^|P!BrXLfvVug)-<c3w5JIE!33`vCw>4=5(96e;!?Lk#lM2mCT{*EUuWYwa{$3 z#zM2`Y75Pzt1MJRS6XNWU16c=bh(A5(Pb7Yq)RO{bt)~j;1s&VLX&BUg(lI(7Me&G zS!e=XXrb|RfrSd_d<%`E^DH!$&V_<wX4Q#lq0e+F^;q{xX{Cjh(CaKzLN{4xG2LjP zMRbFO7Sf8qtXU+9aW}CTfi|{~lO|Y*r_e<jEKWEYXCX>sEktOHg)oh_5K9|b2+=4D zF|?tD9JGOn&_A@ki3X#;X+4Yli)t47ld2Z_gDMufOkEbbL}d$Iq>_bxr(&R>nB=i; zGs`6)5u4dC9>roaQ^libY-YK5Bw;ff#v=xsSu-B`A<b+Uhhngq(c-{`nfc<t&diXp zz?oSt7B#|V*%}LX%?ue6jiRtwq{aYg7Pv8v&3K@mGoSq7J`#+tgl6Jn7AnF=dCV|K z%Ed35pdNnN1R8!RXe6S!_*o0h#D^_ZgbxMH#9aKG3F_e&OrYWCgGK_HgP*ZbF@DO4 z-S9RAXlp+mB%NqBe$qnY@xdVC(JUMY`ob&ti6F&6Y#*~w5q{J{Gw{O}O2GSr4!C;w zfC)7GxCs>eNYIEn9%GCo)w?ewuSlcW^$z8tavtjB(|Wx{<Q>GW51d;>+Az9WLhgi2 z<j`MRN3PR*E+O6ZIctd^1brFHE~8%EyM#<@Hp#3|x1c6?q6s&n#(2C1A-yLAT&3h4 
z#%+Gg>(B#abudcn`V+Sa`jIszNGIz}(21-wK^iejh_&cJVt&SJ!GqG^&9(i>3KR4r zOHGhYR+^v_S#E+fVipc-+~Cgqz}KMr$%5eBHT6h|2{f|U1S&DhgVpFhVt)Ip(LORa zcyskAVip3c(7n(FXnc^XP!*XIyt!%=F>8yJ=pJI$3@g#y#H<-sqAE8rD~=UtFELB} z6-+xaHRyIlA(>%<bTZupoyas3q!F{uSdQ)@W(}|$-AM|9H<!;N<4w?wOg2F$GRXvK z#H=|=n0d%}q`;KrB$jm#4c?tzK!%whn+!KW7BRoCX=oQ27^J2ZkU=KMCPPe+Ma<8v z5bY$U3@Jo9G0VY1w2kx&niZy#0VYT$eS^s~72Qg*4CF>r!9k8iZX>;dc2m<yZxbYw z?BKmA=oZr5LJ6ct@aB{P($fUlBr|w#GTK2pTSzC}EVPYu4Vq0(CmAM4CS8K}CL#CD zB*lU{>13g8BrRw+DV?O7Aep2F?@dJ8NqY<3NIF_5fpiF(P0S|AL23d#lc`K5Kq4er z+)boS&}>3FF$K(cbmKVEI(T<HswS<1r~utSng;C(3J6T&fC8wX7inpNY|_F6S;Ukq z;~>A8@?;#^O3W%_9J-z~)^pd8mzh@r(QC<9hzR5)6Qh&eBu^i|n~ZA#qV=5cp>P~V z?hnFf&Yi-|!WN-ISRu?8rU_$(p+b((MgM3wNsmXn(S7IudJP>$-$Q@!du$6fhIO$l zy2y^#yX_%e^hJ9}ss8r`5~qu|lVR<p$E16uU0g4&GuIYWa0AXs|E53Fub}7fEqaVT zP50BiFg&!CZltRMQ*S5BS;Q;_<-ZuZL1LXWFye0VFwYx(7~hgFk^aU7GQ{vW!%aui z!8Dtu!zgiMTA%XJSN#+D61pbp$(;13bOGitd<f%KFG>fchon1UFmekFsH~9YL*MXN zX{eMVb&=XhiBdyJ5dRT>5x*8cf!^_##An1u#Jj~?#VS~guv%OMgD(@r5n?~FyO<0^ zmNB9WhPy8c-wW=uF#hlwj9wlP?h|$kHwj*tw^1q-!#HNXFc5~r(uCGRyr984hCiI= zonJUVaJ~s+;!ipsbl&0I?%eDwcP@v?I)%<L&LJ=^w1m5j^Kk390o){RBsUudJ$pHu zINLfK@c%fS{MRs@=Mxy;c!s}~zng!Xe~I7ZhB3C){33olKb$Y(Gx%t}FN~@;=Mi^? 
z`;M2n-?>*|w$J0-yWAlzm1_kfrg0phpK~g`On-#okq77t^a=Vt)#>dp+U}=iFbild zi&+=CB=3RYk<ZZU=oE~fZbN(IbMkrRwDKw};P^)QRXM5XFlgnzU)cjA#M6}mWxlc; zR(2#SEtS47beQY<!*xMXl~@==JmEU#I_LTj<~vop9&z0r98@eu<*v1^N)$l%qvu_j zt~A#`*JM{dtOxnSrMco=t>u7xzx=#>T>enr20c{k<)!i*c@&H;50bOwPI4Rcx}&Yb zQT29<SU|>7s)#>%54#I8P*YaVJxSc|u29EJ305~uSJV_wHena$EH1DhtOgqwg7J8) z3DZGk^tT{ti2Io^4WvTf5Uh{;gkU|~+k)UMC&V_uy@Yh5^~t1yyKIwAMfGu32-d@y z76f-aL#!51e<xW)H2)pT9AP);Yu_Pz^rVxdB{XpZ$4(NcqS1TgFI_lA-i6gzOlS11 zqvq>~cfTkflpm7sgdvfw@<w?T^zhG=C(0vXgg#SFlUvL2vIZ+}{(#vXUq~Oo$l8(r z`Anuu<D_9yAE}$vQEDN@N{WQVOX82>7vhKFaq&g*DVPIdekj+8YsDqvY;ls9FAfs3 z#dI+#N^BxF6a|<K^sDf#a7K7ncojaCfZpo_>ErI|Z13#t6rD|BTF5v2uTBU5G7Rp2 z%0J6L%HIP$jo0xz`4X78HVfuE<<XIJ0PV>=$dz+<aGSa9+!Ne#K9=vnw}dr8DZIj6 z=HB4m=RW5^QE@+V)3`2N4mXr*$Iau$a#8df7=HehbI?z@MACx9kbb1Qn<Ud$=sWZ| zm}znwy^%gfXHyT%f?EP()UByTQ)xWRg}XpLB<IK<Fp27Eatql@wvyvyKg>Z{OeT<x zWF`!DVEhCA44)z{d<nmRAHcU`9Y29z$K`ko9)kUNIi80LaRb~Lx5Z6xFPIwmH~TaD z6(&yhE%umxuqka*t*I;B=3Cx?exrg3E6}ghX~Ht}3*|%bXUc`(Pn3q>1xiBjJjEgS zBV|MI2Z}=Qd&-31chq4*cNzMY{1c+TA%BP9*W|Ad{EGY;f?tw9Lhu~99D-kvOCk6< zxfp_<k>5k`Ecq=2&yZhDxSp9!ei7Wk4`e+$Mt-(vR7!pdS*#!zLhNaB-h^&&_oD^D z*$*N3IQc#VZzSJ^;HTtU6RtyVkZ(fp0QuU2ZuANHDnx%wz6`;S$T=rQ3}V(LlP^N# zhvah;t_9CN3&8{AYzRJ1&V=Cm<h1F*+GO%+i2Q(jV!}1x!N&%4BW4XcKt2l5kCP8W z@O|=u>BE|2@_vXsMNXM;3Hb0{2p%BshTwbTWC*@X-U-2z<ZTnKM(>cfLht}NVdcNo z=xuV`3~hBWdDBA4<c*N&TjX^Uu7Yr13&8{A)ewB0yb^*Z$jhb&tBMJ<jEq!Vl}wI> zZXYK{O}G*s-2Gw*zfPdhW!SDPCNG4@H_7uRTmiuz4#5NDPzb(Go-<voC??N_$k)g- zCY*y_B~ORoE99vVe3=|H;W9URi9Bgx$XHKU5HeOE1doyfA^0MB+=NTf3*@m7e4IdI z%ZT~XV)96cJVN%HuoO%mHt&}flZQg&^W;GT!uu~l2gw5_UE<hD?zbQ$&V3>HB-v*{ zXcgRRdRCH5?g`yLOzt+}V(@FP1;MYoLhJ!@X9zw??g+s{<aW2|+2UlfC&WHScAIcM zdY0T~LGWx>h&@1dhTxOrRtrMJZZZ9upG<ay?mt6rHsK<O*metoUwVjjA0XR8_(^h8 z2tG}2G(B6COsYfVQ{)B{E(Fi2EC`-$4Y3Ev^&$8q*<wM6*ya%X1o4}2777rb0U`Zo zK}vf=^y9>120SZ)REEgM$aN;1iKdWEAvl?A48cdq1``&cM@U5o?kD9T_%JCmA*|ve z<3ex`8EbuiGteDmj7d)ii_sythl~or+ey9&r-8x95ZpuZLU1=3VZy1%OA;)|+(P0* 
z>=qJd!YODoi7}yj3ff3wO*|R-NpuMMNFx(Y0^g!S&_fzn5Ik;Z!ilJo)DOYyNWBo; zL^KmlfFRTm+&~l)jz{IhX_f!uksCS>f>ptIcskL7%oHM9&~c1NCM-bfiB+W)fHOA4 zmJ+M_D*$I!{a66bh-m;5jIdR?jYI43Ul!{|rT8BUgFD88;LfTb$D+mfO_Lq#xC5UE z!Q1e06OKV^@x>4<#h1<OGbR^bvQReu(?VI;sy#=eHTdVC8#gl=V(_bJFgh3iVxesO zyM?mwZ>H~~&}w`>1Xtl7&HJOW@lO`Y!WYcj`Di8nE(BNLZ_NAoWAL{Y%Emuf$eo41 zH!Vk^<@k#bEX7}%1|xH^RS}NN#$Q`p7PhL)JhTj-Hr?cbjy_}F&&$PUEtHKvw@?=T z%rqQ<mSU@p8-YsQ_+!&xL@xfwLfQCJ3uR%ez8nsTbjox;94)~oLoflqYnl$v##U`P zJPW^XahcevA#+g~;Y>2Ofbgd4p{NAEWqp4`A@*;Z217HkRc#JNi}35F?O?PJTXo?e zfUlYCAhZBm72p6=L0l%=8%@VnG2a_a!w;C=_EvDPz(-6DD#Z7jra8zx6<eizFEj;P z1$r+u8CwN<FEj~T1$r;Xc5GDxy&O8e*YqMAO~h8woz1Mkw_7YT8(SrQwqqy0%Zx+z zP;8a`S!e>j)gYn#%W92xn)kEn;oTO}@NE`SuvPG9qVd=&%`;H}-frH{tcR^~KU2e2 zx!)6w!&V936OF}I0pA0S!B(l>V-&WEdUtm;8e1iNcQguHC46_3kE_f_>5fL?ts$6) ztrEUF8iB16zB?L@trEUF%EkVW?JyiH;Stjv4aHUg-yIFX9@8KL4aSvL`ICVLVXKJG zKm)N=#Al!Z*ec>PP=9O{@foNewu<-+)E8Std<N=+ts*`H^~UQ%VdP*dhh?B%cwLCi z#%nF;Mp<}Gh|a{TL$D`a6@oqR$`I_1SA<{&ULJzo@Ujr>ikF697hD>Go$-<oOvfc5 z*a<HdFpR_@CIhA6MIkyBFATvHydVUV@%#|%i06f12Rt_f+v7PQ*bWz)up4TNXNO=C zo)v;^@XQcQZjFmVxD}oef-Uj%5Nv^`g<x}BxOW6nTN(X9JDt59&>is&bWNOud9=?d zkHOl8T}m~qwpy!{D6^D_de(8$Hrh4EHN`c`HOQ6a>f~zUN^sS4aq^$?1%3N*(mPgK zEiICYV5QY?sjrj)ZQbTlv?NPN{9XV1IEh8#B)$82(n=qAg7myYQ~5ye_sO%cE&(Ed zlwXXlhpooAbpV?9Un<UV6^X#KD;u|WE33MU(P&1w0Kbk7$_2yZoWisZ{Q4s=s(V#u z;@!Zgu&YM^k05`-sC6p(r*S|{Mdz*GM-$aHth*;TzX7gnxW>RW6|P=zZH8+ET*me@ zFcH#WZ0ph)E@Pt>W3b#9DmRACr@^%aE@Lm2bhr%v`oc93u4=eS;aUKfF_p0jt~9ue zjb-}51skxq9oGRchR*Zg+632nxQgKN!L<agLbxWvH61Qv*OwdNGIlyifvXc--QdcA zs|Q?}aAm>O8?OFv4S>to<7O~i!{Ew=%NWr&9@vQ7^$@;eD*z*AhR4Q}jE2idi2}IB z!({|+#C{4~Mr4d9&WEcQt~qcS19J1>GM;iFT#Ml{maG|1ZjACTgUd*%m2j<s%SgGk za2cEFxQ+dD*27f}R|Q-f;WAReND&WQUby^l8LuM``kh9&;Eg_xnLn=&f0b8{;iYeN zf){-g9d|gOhi$0qtgD^8R(egEES?um3E9wl*p^S_C2kitl70@|7<rT<H<NaR;_bLC zdm5JPMWbToFrzu{s5&u$ox5?Ue!Ml`An;KVzX8QH**E~UZpoJ+x(Q`H>=XE4!di;C zb;~>L`SxsJxXR};$xAn8hz{5x#c)x+yw1g~frm7{8xz-jV^;`gtQk(WJsg-><Bw~& 
zu?rXsG7VDg1~3h#ow?i0@AdiSDdi0|cCLv+Md!Ms(4hf;5r;l6_E~0|&aEeDZW(60 zej%TbpMhESx?BOhVw2>-a#y*ztU#CXSJFGuA?bc;yR-qygo)BXDIJ!+$>L>L>~>Oo zUVKR0Df+|}F!wxP>?L*(V?|E*1(v(LDLgIggT<H|g(bpNVVKZEND`u8N#+mG=X=!o z2+X7NI+r=8IfuKQJ)Etb4WPs8d;SBM!v83L8}H{=LjP?ZEbMCseYhB=uYU~dCIZme zwUt}L6?0>_-dsoMyX9fqt~2y?Sh0CG%v4@a=g|V#1Sbvpz6J6dEcSbYK)a9JK-R&g zIAcj4l1$<VhkwSO;#Z-3xdUI1S7W{F8PdSLo88Q=VrQ|VVU0{G+k}<SC3FtG4RgC6 zM7N+yv=kQJjX+tb9g0R2CV8J>-e8_$?q#;Y`;Yijz1?vW1`RD<Ft=z%;;4l%ETecc zfMRN>$?2-MTey*X;bf$%-mc*sP}>x57rVn`)!RA3XouoWw;4?W-#giiCK;ZmMNr^* zYRH{C7}H7MdrE}W&5AcUWEC`;n5}v{+KeWm8&z+I2r5DKwvV8;E8ccCuO>i5p&Jm= z${k897!^{zNj8TtJfwQtL{K-W-qtn>#)(vKs|c!E@wNo2HsK3;Dc%-#CR_0~$8MWZ zmf~$@H!4uQO>KU|2$bqgv{5k3q<Wh~P+L`R;|S_{&6|LmpxO+=Ohs<5=8caanOih( zTm*-<Xx>;m2Q5|28xzTG*1XYn4w|u=w^1bL)4Wl@xx-=uEnCgo&~7-%h)jbB4tX?h zeLDw@Ud>xClDkgxYLVO~&8yaOZum|ZXb@{&rIs|g4Vu?w=b%xcd1X5{o|&R~r3lV( zO!JBn94gg7^xBdin%OfouQQS?SG_!NwV8*>EzrE2-3*#gu(Oz*gO;}DB@vtv7p#|k zLF&8Nh+D|5c~K;{Uh^_`Zk*w*BZ32OJ?;n&9?`Qdl5=aGwI=7b$|VLG{HkXSkYSHF zCR_Eaj-awM&nmljV^FE;Ss7uLt9e#Lnypnm%k5^Pv)!s^Sp)|mEVVm@=D+GGjWB}{ zmPDGZQ9UJgvr+H}iz6rqU{T1WS=KSoZ=iV=hR9&i2HYyuv%u~)AH16%L4kMk>@J~i zLG{dyFdL(J=0uvUP~DzlyWL0#VRi%sA<VKn9ciS<%m_0`k)lYm<*H|f-7F6Rm|jD< zjY^5h%ThhlYB-Yu-wN%%LHC8`nHtG0Q$17cPDelplOrg2gh_Un(6OO<CK^RXSdJS3 zp-#~Ed<7rIc>A5<;Auew1)h$xdkTFZs%LD3S*GS06KMudGCGo5qIyQvIBgtEg`wa! z-);xpAev{Sp7%AWpP6UB1)X1-XGA1-o8}oF!J);PCs*GCUbu(ZZ$W>G<{4_|pf^SH z42k3xsGh;L%48&(uXqLlRhyntJ;gK7&S<J<K$tW4sD&_tOZD^*;|!`u@$|Dh%vC*o zBaG%Lo<24s5yI<jXCS;Bn={b}u2+aMzdz9kFWc@A!pjO-1wTlbI;MIuZ4^ujQ$0N+ zC{FeCh@gs9k6ng2(RkHk$gr@w4yKSP9z%%LrXR1U9=i;KIc18+F2gu@XhVk8I^*D> z4HZ^fkHWk&)zc}0f@e;H;yT<RglEXGaEA%1$1cM-G(+=%3=0<x(4VGyK!}BZOT87% z147JhHcj(@607Ch3yr=u%>!DjmNdAjng`TaI0t=eng`UFozpcB$T1s-rf43}V|H$` z<^e%w=O#gQ1(GbBgq}Ff1ES2vF|$=qbKq)In8_Zhc|exg%~oh05N0+GO;kOg%)*^! 
z)l)r9LX=hhXTci-X=XEncVS4gut2j~Yn}*U2Azbe#}H;=W|<Ixq07Q4P4h&^GUzJQ zJkjv}!{ZB`hMFfrmqAaV<}q|xZLVOT%TV<gvMel&9-}l*gersXM9pIqv0+Z3Gg0%@ zs50yMp<7Y&M94DeU(`HdvdpL`prcXqM5wavC{Oc5s50n!)I1TY4Ei87PlPJ#?nY4J zN6517XqW~akP)$l7apO?prcar7^*Dn>7d6_^F+up=(*H95wZ-rFf|XzGPm9F0L_CV zJ?yV}B19T=Z)%<hkp}&onkPb}L5HX2i4bYf^Ql$VzV(z~HIspIw8{vT2A!c=rKQqB zA}s@DA2>ubrs*!?BP&P|>_U`H+QXy`3hmg_Ftg$y>>YC>F2nQnw8Lah!z``R&~LW% z$<+5BhN`QlR%vK9+pQj2WrS$UK;5-UL$ulKGIZv7@S>Ym86ng%P*<(e5NbB_E?VW1 zNUpP<XLymWRT}EdX5LAwtdVD?5`(^1tujKLWuR1j4|w5D(JBo^X7eIhtBjCj8K|RH zX-G1gT?ef)LX%~n_FAPO$!vD*v`Ryhg>lert5q7J%w;2!^qd#qvD#>r5lXBZYOPfo zO3Y^7N~<)an2l?xSAiGq7FuP5{OX39Yn2i53l`~Ul~e3qz;rIH($HUF-om^tt<o;Q z99vMLRyomT2V4`aasqH+^&<4!fro}1tM$+UQ<SwzLyy&R49pnQDkB707f?%;h9C>K zL-A@QD6+6>4(7P4l_1D!D9|MdC{C>eK~}?!S_o6z)k@G~HcC<}M@CT5Y9&asa4W}2 zwGxzBIE7->N)TpY6wHiQD|3TXO&<izn^!AAq}j}3)Jo83VHC`oS1UoH*(h*mS7<QH zUad3~T5V#$%zCxbkZ56)W3yW64i{;o7RI0`tr9d^crwELJFOB#nvFvZwMvj_;T+7! z(<(uy*}3{!B`7sJS5K=1trq0c%<d{C%?Je4n%%I0R+(+*VEUe(cNDTd_zM~>+&mS5 zzaY|VoZ&5~G#iJsz@DQpwcG6GhhAQW33e1a|5Oe<OsE>5TghdGGrB`>fDJgHzp|Bk zqpJkQE{3`?T&-O7T@Lws`2+bFtk~ZJyLGLWXUn5u$GBve%jcASlRksVuFpvOBprG$ z7sCqvAuw~VrBn|lw|*zS5BrEb3VZKt7FUV0#8F}n>>?K@@-R8i?7h5K*ap*m7YUPu z!9rJ|g`mL>PTx9Dxt%XU_vLL)zjGz*nvf4uQad<fVWW*-_%r+){8KPl?<T&SUkKCm z2Ju~B?y1WC#eD<2IvwHmL+7-QTfr5<WY%oh+bIUN?f#jbw)!t`gxRJG=ma{DcBaj! 
zLjELQlXnSBk|8^Zmn<hUNFGdoY)6=A=uiKSb*nJA7oLY;d4akas>`r!mBubrH$!b{ zqe|7yP+8ijCF*9VD{WMXx*4iU8?{*73>9UFGJ0&%*hT7Qs3=2RkXop2hI-OQEl@W@ zHEE;ftDB*gv{Ca^KU9)7YOd;sD$+*HQT<Ru!ld|`&eSxvSoN=oFq^IVp&GQgoTd6# zMNl(UKh%get0L786{3xrq57ddv{BPlw|`j#H%;|J-Doo_RQ*sj+Ni0jA8JM$HAVG9 z7lw_Rtoosnv{92(Kh%*m6qJ@}>_pWMbz}`^P!m)?bYR%1@v0xHOB+?7`k}V8QR7rU zRF*bstm=ol(ngI@{ZLf`Ra07~v7=Q#RFyWfQK}zmN*k50`e#N^BUL}tnKr9D)elvs zjT)i)p~kdP!y&6oi{NrqKh&N!vtg<qDo-0VRP{sMX`_ayeyBQa)L_*QHK&alr23)a ztfkzL)&o^PRGhUOPy<vyRGT)czv_ot(?<1E{ZMJzsJ^Nn>P#EeNA=sQOjw<$`mHK6 z)QgwK=BR#qm6^u&QvLQSGmXtw{q`y|jm=X1_9`=t%~bvNDl?7ksrv0zW*XZ=_2))@ zs@+w;y~<2uGgQC5%1mRsseXHvnZ|Zi{q`y|jqRfP?Nw$P+gbJ7t4wzqo38rpRc0F7 zN%cdOX-ma4)ekkMjY?JhP+{7r6x9#)rHx8f{ZL)nsE(>1YRe$yHfzf?wu9=2%F<@m zUiCv=X`|Yy{;UY9t?Gwr(`J>V`k~geQEgN|RGK!bwd(I~j9Ap_hcvd8>d%NUYpMFX zMNlnNf7b}Ax$5r{K{ZqTog=8Gsz2RMx!FY3-^tFgO;mqc1l3ser$$f-sy`)yidX%~ z5mcP&hu#g_L&mE94k5~H#ip?_s=s}R3pO3n*l5+?E`n;L`rAfOQK~;Ff@-Mx+eA<e zRDbITs=n%P1+7S1%<8HBmJw!}>TeN2sj9zu1f{6{W)YN2^*4>6WYwP-LAfQ>-z0() zRe$3MN>Kd?5tLK)$45}S>W_<{IMojw8n%a|sz0WN3icwWu|)Mp*KkI|HjTxqzflCm zs{W`53aS2v5fr2P8$?hJ)nDIEp?_3=J)pu`D{1I&)vraE{iXWV2<lJOuS8IPsD9|i z2!Bd+S@p{i)Fss~MNk*rs$Y!Ye%D}<l}+Em`UTAonk-!N!a@ek527rbgB1;$A5@v0 z`&sjYEVFYzX@1aUz}3{hOc}bM`9Yc44bN+SP-b@SN6in?%+CFw`9Yi6x$iYUh%-C) zo#ulgzm|huL|7xC`9Po5k_PvU<^zFd=f2i_AkggGSDFtLnw|Sn^MORObLTW4Xf!+b z1uXYrQ_)|ILoEjPv&?pf^1bq*@-oa0xl^f9)+zH~71jVHU1_Q)u*2^+u2Zg~u18&a zT-U=&t76w^*z2o<E5=3S3-ZVE%dp$@ov>f0Tb?gZkO#`0VfKS2{Ud!3>wu0)k4bx^ z>tV0gVpt^CS4xH5rzM#G@KtdB!^7e((J#7J!BU^mVs9};Yz%v=T^7C)-VqML_OIK8 z4bX&`C=7yKf13(2Y$5c8^Mvym=e^FGoMp}h&hfA}WSX-v><{@H{~7-#v>)z<O$^=q zTz(v^T}$EPc^>wJJ<Yw&J;~h#n;Wl%*$<<Gvmat%<BXr_r?ACwfZpMTU5;1NS+LJ> zHf=|vDJJJ()3%q$<75xnOjg3uoP6juYDXHuZe%~=kMPSd8D|gPj920!oQE@U5^jhQ z`vdy{dz5{I-NpLY<?M8JINO75%{E{i=sQ^Ub_6{PrwCP|Qdo{U6m>%_kjnfC`@Oxx z9Aen}neDJ0v0L+jc(%W*&ov*YXFK<q<^%O?=gw+Akk5ARjOGLV9L~Y=7|pjNf<wnN zA1G*;wqDaHVAjJZs1G!>-SG;|2O`?Wq0^cVM07X@YiTqesAwB!1OhVJ&ONUAKu6bb 
zAj+X&x>56ilCB|x+^3okq;xn3D{nL(XlXllK=Xl?wsW6oJ`mG(?qkgdYTC|yq~`fR zPltC9uS?c^pr`G2A8I}j)ZrW~+|hg>sO=oYrBKgdX?>WD8*%G>)i(vWu&(H}5E95} zyAK~|KG4zO9IWusd?2Ll9E1cy+Rj1Jf|3q$meztLK@cuz>F{vZK)9f#?QTzLJ`mI4 z9IOk{e4wW79E1yU+RnYF`9MzFI5&D%^W{g7=%nTYMICMktB5ooNNPI=fq<sAb8o9Y z5Y^$&vAS6G<wj8OXrQSPQfssIYV?-o8>*kd@K!)chx@t;K}aB_?cD2{545zMJE8hO zOoxZQ3PJ}hZKEJ`(9(97$2A{_X_K?Y5n#EJ<^wq$ZnzS?uKGYvhx@m(So49Nwwt}F z`9M&IbFiXG^MRnYa}We5YCD$=VSuI%4`T&{0h-!w_nPJdQ60{~`X|lTLr<l&erET` zTQ6%qP}1S%%g{@j52Un>Gm40=dYRz`=x5t4bX4<!fVOilYCcfV;T$ZM(tMrt6X1m# zRCD-qEQRL))oiyuqWM5JhjXxoO7($m4tH7#PC+-@&7RkMAe_TFSY4(0KscM6^(tYV zmF5HKY&V3o2kmU<p45CGo^2e{PW6F$4v$L-WFb(`HZycs^MQO0=N2P3L<aP;jWpr{ z0@}tISq&7lorAc5gtl{sR3B*Q@VG37xPXSXn?0xbKttO;Fj(EC`5Nnsd3Y<JoWt$s z8^MEgwsR0XXlEN|Bn61)@Zje|@F1RTX6PBs2jV%LgY{sV57cvz3l)2djHCelY&V3s zfPl7h5EoF;cJ67_2NF6wE{h;8AffGMPia1o(Ba%dw-Ff-(KgbE3#e!tXQT_rXgddS z0Ud4Qn0A^EgtU!APiQ_6(%~GeLeqSpq}_HB0*R2)v(V$J&ydn#_0X&Y%@?7hXQ9V5 zUxbo|C2N|`RMMfThs;bgS@VSn>ENWandni?7ontKIh*E-P|`(czvhcj(naWD#Rp0{ zY`A}2y5a>L9nSPuyda{(nNErqBs3h;SX1t=OH;g{pu>&&sb0{}VNDm<B}Vmve6~>! 
zDPB;|VeZyK1VE#OGY|n#XyFV*0Q8wVoPr2|JPT(a0wB)9LW5mqR4-^V8}*>#1!)%M zZcRPK3%V?v(G)MJvT#OKy$kJK9BT~EL6e1f4tvt5UXWyA6zo8wctMec`L%kK>IFGw zGuo$mL5+n`uqBP+1u+)pZq+Ea>IE%kv$|LHf)op*V3Qiv3rfsJ-J^OzhuNsR6))(p zFz;6sDqc`w;S9VP&|tNUd*KRr5ryH@!WC(%7t~mo->@T&>IE?tPNBVu7sObtR|}VS zQ@kL>!Wr-zgjhHOeuE6F@d(r`Y@nlfL577}%~QRg!D_4wqdPTkga(5Jotig7gUvvD zG;f3kgB6~dH$sEKQcukb8qD_nPd6M#Xt3$%cFh~1!C)Dv=8e!`(+sx}8f+Tct$0C$ zg+1AHm<kLMtcHQ-pAJ)jL4ws#z`#`Cp|;1Lj&4)DpvA(Brh!kO#KIZy2y|FD10I12 z3rk1XMM&|23JVz-<xe3@kp>kOW(AuEsa_CaHVWo)g9HmXG~B^dZV+HLqn(Nu1X!5S zRPY?+SC|oOG^Bb#eFdo^vx{@8F%2EmSGYs)9i*4d;jM}nq*s{H6i5URUf~Qpau1uc zDJWs@dZLD}@_{D3hF}mdx20pILy2<T2TK!X!Vc#9rT(zVMirc{;DC)~hQMJex)Z_a z7b$QA?qpa8;HAxAw*N@N!-*H&*f-GEFreLld4-wc_!YKAp9!r~cGkxBddl^*L7-<0 zKOZF*ZfsezexiJM-RmcwisSp?!2I*vT}+&|u@S7(=x46e=wM%`0o#Bk1xEbD`Ec@> zjY4e@8FdHo{cl_plRR@HU+b!%PFH%vi`>D`x{m%$nRth?O=<6X9uBJ5A*aAvE)}-$ znFQmSUZI(@JO36x2R6jnK_8_<;4FZfNh<UPxZ#|xhu8sV6N-cV>t{0YunEUofj2L5 z+ez~D4J&J7lV5ji;LOYhfz5w&OBl9j!!n)u8x8=NcbYqxJYz#?tw*El^eE8n47ZJL zJI~=Lr*oGB_R!fbe=c{EO2h|*FN7XWV?Ub>&NgK+o0bKa%*e8wP?lkP6~SFs!**b9 ztv@`FYMFhE6SDJ-oB2g0#YIb!ryInQpmnlkK4n<pg2Guv^NSXgPN}u;IDbZ9&k_Db zl5V{DD92L{Wt{6C`7&%7eG3dJ_Y^8&H~lvJTJC9%p`*#Iup3GyTa2E9u9CTqryx<U z!)5I^&DT$q@iBplSNOFgu<l|0K4+HUT^uYNQ%1Y)fb}>T(qi#tv4K$Jd>k_QcD^I* z<+6rLgDqN$VN<7P@tb%Cj%6Q0cc2WWg=0z8iOx;SI&7E;=}>59$wB{{4*JB<KH}yg zqQPHr$tmU9hN7C6QjuKuOYwij4QEoy`3=)+oh8)m?1!(pznJ8?8>ZB_DxY4rtG~YG zSd7b(H;mTvhQp~WoBzZu^@mpR^8;}wxZyO-c-DrF#~eymSDE|(tX3K#juiGde|8S$ zH*$wyPpv*=C;k|xvFp(rs1Y;6@ff^<a(D$BhUkSi@iF@L1$;9-rGm~6M4f_B`oQ=@ z+yQF6+hq>rCf66PRJj5Uduk=F5{?K_&YAo^?jn~?%U};29%r*&w2!&OWIC2ro#-7< zk8$UD!}qp9-vj)94i2?4b4t2H8RFUl2itX*wupyCO~`ZZ;(z2jaZBlODv}ZSCiXKn z2@Pg;IKFeFm!)qStFJ#xV*>*Y@=p@JEN9bj(UCM)&$$dIArzm(T>|%Q<@Y$p8J;(D z!090UU7xsaaH;Y=a<=rVRA1aDPKABT9}xOFFT+k*>-k2IdtRn)awqA5-@?V%0S5vN zL!YCSa1_uAMt0l|o`n4cHU_vvCaJ96h6K?8Tb9GEgtD<_rn<sr;obC{!*qB6Iw>D# zlgDnTU;CDO)cuy<c$%Bcq?8qIP->mkT^t+dTQ<<AJjd<Pl`8J7p5^iesm6Up>pFuC 
zo^TgDYd0lLPxW%e`t@(pPJvr*;PO%O<PD_8ukt~4`W1kqkY8uw+#BFT_0&#gV#V3M zKz;osnrMD^iO+G-fx$YrfC-h^JriK%rE;q>5>AnF!O0VYrE%g%P|a-+x;vkBmhzk7 zV6dCGA@ohy%xw#4i+i)5u&a<4-rNx;TJN=p>%=vySPS{1gPwPUMh8x9=Pofl=2e81 z+eLLgLs)ursZ9^vcMEqWc}4{kv7yC|S5b1WyOk?rk_#%9)Vj*9GXeoPb@oSwU0JbE zKMd#3>QAocW+qRsSWxRn-IY%OPD<~KlE+mP*SgBAJLKysxFn{>f{IzSu8Qk)6-+Se z)OjPpHUvg)gi0^DZ$)j<Sl+NsZvyXa;`%dIne&80$#*^EVF4$OXu&@iJ9ChV4 z!H#wDbRKyWcGc?1Zb7F}N2b*A1Qcc)0z-H3j}fC*$uMe_1pTH5xCH&ad+B_A>joYN z>Xq?d@I!-H5*98i6I?IB)F~uylCz|taA?qMF%cHezTjL5Yc5spC3=p|A(ceJTXB8% zWvE<EGCs#;$2MclbLdY`sN^1slPe}eUe7V}dXg=#2jJ+4=1fY3R51b4(=^%WtTQ2W zIJ3T){?TMwsBbOd;`P7B!O@1NhH>=*?|QjH_$DjH)V`jp_$CK!=8_q3HR_sNdAD%O zn2fUGio9B9Q|gSn`SHN{$NKpkI#-|45)Q#q7ju`ACspLu`ZJ(TfAqtrKs+UvaIY}Q z3n~WJI;}f92E<Zs7>ZLW`oVkYW4@Pmw)djLAuKE6npX4$gVClzrriKG%uh87sqxFX zq+W(iyyG^9GS~H^>n{08IZrw%`6NZG76%E_oadakIuqeU)$!bN`Um8jW26CI2t`v4 zx{>*w>E*bs>co`zvV@905MG`co?V{lu$g|c8Q$;9xi*PO6}`c9l4;t{7B$=c`SGTk z?JKyBam_1oz|ECcRKtNF{<x%yUjOE)asEnYeZ(p_)$7-lTufX{MK+iYGsEv}3%};5 zmimVMXvqFqV0y*uuft(1t<4y!tGPr-@Jukha)QIbH{QhLik@IF-3)e!E!f~=*BoKf z*zh$)AG(H1Np4cn19C@m)6uZHGuD<h+>)d+xuSb*bw11t>I&6)daydzr?2I<B~Pj7 zR+|ln)EQ7fT*v*&=*vfN$Dr^|t95!6g*O~j-iA${UD2-A)ug%u^p4^xn3h^a8%V?} zHpqgBSaVWO6Mgp$kjvMM;hNZIoepdU?L=jO>jT$Tc`qpN*Q5=iF18h(5tcf)I-B$F z^Yi!?un2u2hhURXqwRDf84T*OI=H{U5>`OBq2|nV$8n=rjxSRxT0?}c{2{_Q4=a*; zR<x>pPEz-C_880k%_SFBXtl1cLM5Gf&rnHIxIKaKy`WT1F0PPk-Pc{P1+LHGPD6{d z!ddI8?iOhPj$1Eb;yPDQNP=QBkLKAjwhkwd>>O;|X$pE*xeeMq3*=Abb#gk0?Gi~7 z9~Oth$q{!76Je*=9sHAgd)T_QjEkXf(tL6|X@x&w|6tv0J#-z4WsW<(gEYTArEF?N zm~6X>j{;7SZxDE`A2*JP<0=ruwTBtk=C-)PDM>AY-*dn}fTK*0Ddq0k#Hjm=sHqz| zfY7X31ZO0s4C20v>rlQ10xUEGv^UoRa9qqn6z42A8n&6HMN3<hbU19LrCG)}hjERQ zCzUU)jZ)p!Odw+zcMP$U%NOW{>0HCWz7#GR#fjy!A-rreyw>*c;JB1lW_ay8aZQq^ zmxoEEtN5}fb>gNm+eUD>TO-){B-m#DL{5^HLL)a$Sl|peDWA*jqTkaTasxgKXZLx~ z`zVd^I?fs!rIfYW)K0&!9olOz-ND5NQoQ_e61Z;>|C}?Vp!+rrDrnc|uGP?BdkN-l ztP!6R$HHl<cM9X3_c{B(QM*-q5^N)}l#}UU+7X&>tB8j0#W^tBp$pms$DuYelyuv` 
zbLm_MHm*rIv{bLWAxMDf#w~@4w!8o=uK0Zi-~_Ct&}hpj9|EGhK)-M|jnY4w%XiR! zP`M>>S~*ngS1zjbWg53Cu2cCSFqmb&h~f4Z0cYrRH#6gcdfXh;(=dvKjbD_Tl|0uD z`CGY<^r>`{_>;Ir><y<2ui%!!8Nv_3uFwwB5+BCP*;~;QC=YRr>=;v(6U&!%Du?<x zX_yho82wTMPVcd-9ID}v+Fw~`!BpFDNKL6}IHUyzMRC2MEm&?;Q`R;qSJ4*S8N)S0 z$?M9y)VQjsTR8?!#Bp7j<Z0#U;L4N_l`(b3I}n?|okLB_nv|#h+p9KJ2ONC&_;uX7 z>^7CdDN(RC1{!L&KuV`d72+vT5vDu$@W1l|xJqbXHz%|3(^zK5qkEX&nLduqRVNAp zb5`-&AUibM1P#<A$jNz-ldqf0)z{~|&CL(A%;S63WMrs>wirDH)vjbXr?O0rl^%s@ zM@YOy%!B>4?*Og-9%SZ+VK3|H^e*^X%1I2qjy(Y<g)^{ubS}coZf1<*C&w0}KVlN* zF0n~vuJR_emA;jou2AWBHrwz|@SI}g|CoPE6dg_(tc2_z4F*@t{yLljwY+tiS`J;L zp{|2`GZ+7FumMKq{y~9}r>V|bji5IiN*~uY*K~O&?8B^yQ-qsf(o_fNR6ERRw1C`& zf5Cm(ZRk_fnOWm_14{lKxU6kC2ggWrF#*{8=dy^)(#w|Vhw8)mv~WOZn}F*CJ&A&i zpkVUuP)5Lfu-&fiu$T5wSR-<?)Jc3@tPm4~w}m+ZhTfywV9S}!Tn-%1JC`8Xz&H<% z(%!|6MAayn@iJM#<b^g@+2UYF&$f5y=~hk47S=xQ(tmy23-8dU*tpa(qpz;W{K73A z7VKqA%!eib-I1J7R#f{1)Lo$KDIY>LKlBV&X!c?>{D6K-*qLQx^)v6%`uf&GbXTjy zveC5>T=K6G%sx!}pisFA*?pD+c3avl|0s8o*2D4k(IEWqg&nFpajWQSuqE_hyqo<6 zO3-rVEhg46tLj9jK;d})HWC=zi@)r&il^zuo=u}&cgjD@9_XJ+5}y-Z7mDCa^hfzW z`94r8S3}Qc4yl6Us@t-2(E;WH)7CM)>O^Z?)~9T^KI{mb+&-`woY<TD6?E10J3`|~ zd>JV-_H4>9)3B+%l!PNR7bN#9>tB<G<&Ekt4}N`_zQZOjC<A35DzUDj+4bS;v^{i) z)++-MZ#k<-turt^_Dy;&aNllvI8=l$bts)(%UqJYOl}`+n(u&}ly(aF&aa(i(2;nC zYei>~2k}pMIO|6rq7KX^$H$JPRVOk6^X{P4LYz|8;$J^VIIXdbS$ofYkiMNfv8-uL zT+92_9oG>L(TDYdt#mN-2bP7ECI8+Z*wt)6kSgkl>rn<>h;U#iR8%!xh@rd=r*~!< z5lhjv8)%of0cG)Ey4p0IZhxh46lY&Uy3Y;vmB%~E9PkYva}_{Ad`KP%tGjZ=)8aOP zckXbG;Lq}<d|U1x(2MucOtKtCI0Uu;-NF3Gr0FT=S=f}Y!^YWq;xH(P;eh7m`h7#8 zPx-=NULpFjME>LCX&a$;Ba{j9>P{gBRCZuxQ~o}bQXy;{3vR7$kE_u2U0cAR$2}%( z%&!fx?hig#>E`##&+m}ZRsX-nt}Y~sD2&dX8NZoz|B|q1r^HRmpKy0mP$AS!BMj6e zSas1tqNQv%MDQU9l93f3Gt>q(upTO~qUdF!7oUQZh>Gf=mq4P8B(QogsHihLuB)+w z`#LaxcfOx<&zXDAfL9*X7F(rUy|6^SX9VL&>-xpA3C0hl@~0tV)D`SQ2k9sby8)M@ z+dcv_2O~|RHYT5w3#59wpYszG<Pk9>EDJY<Ack}a^s$etS7WNOe$U}7=|=MfO!r9L zKTc<uQl}byWxx!9@a7PJ*I$Df#ycjdR@tQ*8eHb-IxH0{^sz}g579y0Ku2dGIyf{M 
zWT?>FaPiC)8b-R)ic<w$ZNUJ*qj!w~n4Y3S<eMu!G+E@^^C|jOmahUWz{E0{Hr-a` zx(S#oNxhfP&^u993seCZW1ptJ2IO4sm$z%z-vVPCRp~BEtE?;!0&7PZiY#m^+8}bw zyE?FrGVbhktb*c+Ig0F0>;qT}Ih$K;`)XUT_1bpI-(e0Nk$y|#QaKRxMQr{b!{5Zy zVn9d;mxX*dS2VHrtQ`ILrT%T0&WgUshDk~1mPw@djglto^X)Xpu8on{zMqS8?nc)` zu;N~45xf{CU|?N`AFHF#G2>Wp`2w57?Uo)%eH71mgDu_|X5)k60bxoA@Clf)%<z@q z$ZxS8?gux=#jm~!@Wq|lg&=_L;z!Z0UpYZ5yvN;w@0c0LzzEW;oBEd!Eiz998cOCV zn+6x*8ncr5yU6c54Hho@`l0uCQ6s<C*<ck>Ng%rBUfZTA-BjpN3<B!786Gv8@<fMW z@+|X3LG`2_A&ap8+e43;@6ra~Eo}YCo}HpvrbUBP;&E454kH|h*V@mYAbCB9zzSLP z16W8W`#~fHK&s$<%DKa^NeMbvoz0L%pF%r}V8-Z@k4Z~X8zrbXCk*v0Ayo1U{6Y4a z)4Vt22Yz)3us+q0?OVS};xO%DCHej|MmlMkbk%0gMVjcgSgPiM=t<$+kmWg5<~gxu anvk@X0Nwd79d$8)RnO^zE5_o6JpLbOyI%+Z delta 64629 zcmcG12YejG+5YWpyRvt;>t6BM*x1HavD~}mZg7`7ZfEIipDpQR6?c0r+gQ5OohTw4 zCDZ_+B*9?7v`_+sP!k9Q5|Tg&2_&JI1V{)3{?F{}u6EaQKE8bU!*Ath-kq79nVs^? z`@XYx=+K};hX!5TD-wCg=kr~LYap(1mkb$G2ub0h17Yz~UyvK+i+mP2sZ3LP3Rem> z<Xv(*H!Ac8>wmJItZ%zSnIHuAaaRCrJNs~5Pq}-)e&oWD_3=%WiSpXShRS61_BtE* zTH9WVY;5~V)+FObtZhVeXj`jaYFpr+qZ*<OTWV7cH5-s5*0wJ?ylrkU(zY(ztL=0D z6mD5ttvrk?J8`YNj%)jNa0s`wZCao^x8%gCz)Vi?`NUHvwAlNiT+&PGKC2&TdnG!| z@4IMFMCv}ia~l`v6CHtU#iR9MxqIi%TzXO4PlIPokNv0r1+9c_9|gPWR^XfcYo|@@ zu20lf$167^D`G23m(G}5x^(zA%fgOj<R#Ex+gpMExFFT>s>FX<0<$PaL5zl|k8i2_ zZ)8R@p0Q|Q*|Mdj^A;|P)oeHV#p0#&7L+bs9Xo&4>e!HE#ZXs+^)(CQ`p0hWwymMD zs`FNG=wzjBkuo`WSPseEhYjP7%xb$MG<~Eq&cDa)d4CidF!-Cs?W~Nm69$Lgt%hQp zdO|7wRrH(*hv#D~79IBE?>UY0@K<XT@i#J^L>}{rkuqT4&=bnE^CH~Twv`JTxn6C* zTzKAD(H_E}-rS7ZJvH^IEw%BQt$Rj{EiM>4wxk>47qpcwYUO&j{cO=FJ?2~Hi!O-z zBPSwt;V;6+!<)lhm8D83^!?D*;0uAI|4aEZ`8)Dz>A18({EiqE&gPep=gARLz}?K9 z<NKZOdSu}EZ(dVj(6`R#8|m|P^{pvg94oC%)Yeak4Jh4Im#8jJ#8R7MrPcMxf*EB? 
zXUCT5sqKmCx&ezeZ^l2#or&QC7RT!-7_cmrs+`hP5cHwaBam6xnb|CJpv0CYDw4H{ z@_J_urRDWj2Gg5{2YpLA$Y5!rDpj9|&DN8ZiP*gA^2&y~WUBfMx$JKm7W6Hrb=v1H z#*9>IdomGQn2OD<udi8DUAZSVyE4ATnT=JQ0kf*>8ZeF3Z;jXEPr^*0BgtkYi6!e| zb&2}e=2UGgURfC{H*&5kG@7ANXgW9O+vW4k@hx{Z>a41GvN9I0sHjcU)gf_1bww;$ z9b1{$RF*2=j{K@1k8ephOVoZ7Wz&te9zdI8XCjuM+10T!#!=YnRDG<bVN+$YoE4<3 zX=u<_$C}gia?4T;wRpEPQWc5V%w%18Wy+{*L2Sl~Sp_A<BT5QJj4K)GEQR@!bo!cS zHw_8;7SU|GyQ?>^x-L;pTW#*LWs74A67^eC6&++UVA=Fi)=*s2;GnOH=9F^hWWH~s zfU|ZZ(|Ww_SV2rL+nPXgmu*FJb(Hh+nu<93$@F;L))*4d7gv|4-I=J3)u)V5C2rT% z#~?8}5Uoz*!lrXVz6G=thX=bm%<NQc72bbYeQmOOOKetct)8mw=&?%^yK0koE`8pn zc=>j^4C2++)Y8FR6+>r5a)fG7kcvcQ!l(^K)~0wxtbA*{HeQZ}BvxlUrmip+TecPb zYgZCAtxfD`z=(;(fyz@=dJP=_Na=Y}!e}G9Zkt_jYttab*T~U9aQJL@+s>#>)zuZu zOri5s$IgrIjF*+yCTmbj)+uJ6afqS+jbi=J92}0sbu95_B(96mzF3)xS0pN8n`={5 zZCYhleRwR67BOCk5w$K>9<Lr;AKR3`;Hj>!O;uJR`ldax1fn(IrPW#0jMvnlN5^TK znUzzU28Mi%8m(NyUAKAF7?F5ow70lA_M|d8VbO^O(?@$8w7~ME^PR8Mo&aX1*m%PH z)^=B0FMavadDi$I*K~G>O`45K_w#3<Dv9d)f@OPZFbWcAg4)=EBxcC!e>=-0;^kXo zH5mBjyi!m5i_um!iSp#;WO*#Eqgl`r=tH$h+Qn(3(I?f@C+&<^HYAM6h$b>`p=oJ0 z=x?ZXZK8rT-omB<LEjcO;k)K&vzTnQFGq`S--ez{b1>?myE?wrO2+sZ)YL!ZJD-l9 z#+B~zGt-#tQ?+|y(`!?^ysco)DFg7LXwQwYrGduYWX8r&m`D3MMuU#a91Io1V^#6( z7};!sMqf+T)ziLabiRrddLW$%lhqXsnB;1cb=%DsH>W8U^j$y;>RIf{mdr=D*oK9P zO*4yAb@f|n6A;^7L&sX@Sg95_^$Ys8vu1Qpt!xHdjF(x*Rw~S~3zEB0KC^S!S$bB_ z!=&jfjM?7Cn4Roy$W;aUY|JEyf<-m7h;^}<iOtDs<he5$k1d$BtTZ-cVXC?SGX%y; zyt*EfNB!1V8G6sqjvi;NZmSC1xtgmQ&6G|!bv1ZYBDR(GW4#vbo2ab7D=DosXfGX1 zSPs$K>XNjdC-Lk=75XIYGiF_5Wwbex^?PEAQ|MBA2G_*~Z#F6t2f3)LPu129Hs3pP zV?A_RQ(uhk09`&EG(w=HB>&Pi(m<US&t4Us)w6{$Xa79Bv8hjpE`uX|M?F*Fyec~8 zX6>#?)!}W;PqA4hhDCjGZE|P4d{1m<ygu%H1Tr?);OPlWBbb;gD^t5@jgvGlEXFB1 zrO}$<?YNg9On^nmy1q7EU00Q?r(M=um5lzLs2y%B0X4By1LGWts!fRsI*V3XB}-!N z(ya-O&aLdR){;@4YN)ILiHKL@?SUfDa#4CRYj<*U3@c-tR&84Y7C<^r%voH9w^xOi zjF*Ni7D0&h3DJgQNYMe7z+6)qt8PF!YU@zCtu%ifS=Je~G@fBiEREfpdRt3QBj=tL zol~xBTArEM)L<;EDAxkUeL7^9?Q=w8lisjp3$2*RmFm#m#+#^VsM|{AXj4p+82jxj 
z#`LCMHm`JzR+AByRbr~cn5xGN(BTSC=eY}-dIo)ad_JA>9@o@qtf;Xv$^h6}N{caM zG36MTn5yfCg1MkWRk?VbHTx|rVq|D$QxAi+o;EoxO@Oq}g==vfV|qqPuipIc*l*+1 zrtTr%EQ8Ky?$<EA0ld97wg}6?X7pNTzqU&A4Va8>Q<>UCeM4<^tTIu(1tlxrnlRQ2 zt21`QU%nxIS=iJq=u5JR`m~nT>;7F+cTg$%^5!&kJ;T(`=wTVAFvf@Nb>Iv+&F$CJ z#n>`+@S==ON<Oa1UGy`gZfNQp@=Z0?O5Xi)=FD1Vtl*0ml`ZQau{C8I8<G^=y3mM} zFT~5s6E$=)*@fYYUSf#RNQvE;{vl_x>g1+QK{}(JR_evIsoj|8>|H<y&!!Eyv`Gv4 zc65-wW2&zI&wB})>+~kI<ALd2kr(W7F2?S)xUr}yikYV`T`{bgN4NH||EsCTSWfL# z#Mu(I&|X@cQ_|@(5`C2kY{t$wC7t9>5ozN|^%VJM^wLwp31RV<{cgFQQ*YVGUwmUt zto=3@)5l`Njsfk%n&>+l7Y&cWMYRlFaiQkEez=C?8ii{#t`M#+xX!{g3D*!@c=x`U zxaQ&lU-Qkt6~q<B)d^Q;Ts?60#MK|yFkB^=@O(0Wf~z|&s^Gw8$#)*E*|?_Tnu2RG zuJO3W;es~7SB&diT!V29z!k&Q2iG86g}5f-g08?vH5@cgTES9W*jUnjYRD!0>+_wI zPLVIpLL;3N7LzZd-$l#CZoF8f{}$hPz45PVG~v&_jJCJiKc^Zg4w)&Y-FRFrp%v}w zYxG5KimVSGRo+vsR4xeZ4F1UfrGK?tA)h7vO#DLpp;$#e<bKax3w=o=RHKXZ#{Nwa zP!iPYn{PPIxZg1L#!C~Jh-)zyvps^dr&-ixfV}}Br|m!*n!@I6=GlJ~Zmp-&0h9~Q zem_4E?{K$l>o^jz_Jov0(`kiLXqH!!Z7X$Syei*tyw;t0ydIXDLLpxn?T<$~yI0bA z*wk!sEKzjNZ7s+K@3KiabRge+&uuMD)|Rp^x!2f5C(XyPol>&8h7vDI9}+vUY{#Hu zF&0Y9vDkg-70I1+mB1dgIEJ?e?)qO?>W=Pf3WnIGq`A($BFs;18O8J+L#SRxFDWh= zQ7~#$Ny#`DskfHy<uy<?pnNphwh~$oQ_B%6DI77nu$Xec>cp-@Z6P{`QO9Jefo`fQ z6LCs^hfG1d;-PH2wJEVRzB7pw*riiK3%;r+w_xLG?9rk6GFX1y9`KtgQ?mh*Ke*C( zb|KqfFR0tHFf|{Vv4$G3e3WN!eQiTxFf9k#&?cyqik??pkz_Gr<(1fR8+rqSq#D5* z%6#-8iQRF!$Cwb?o2-cy?1&XmW{k>W-&30?IJa<HycU^nDT>!%Kb<JTJxUbmzoWJl z(Kvv#G)3)?D>U*ST4*RjV&fV{l#GZCsY_tf0}Wx_grcHdyLJ_(prENt=!GE5Mcbe- zDFRR2TAf0^$wZwYsY?_YX$#Pr7&wVKjHjx~p|oWvr$h(Z5>Hlxchg!MyLY@OrnI3u zPBceFVspHq(rDGecurwmLv`Ucv`S%ZRkAR(342q$z7XwKR}X~+)r)PyOB-x-On3b9 zR2|F#s5eX1Q6l;(HiN_`1~YE3pebPJ1SmH+jc(a&OQ%{QgV|#Cf`JHqp`(6Cm-UHF z{vcglPRr1su*+)Wv}eXEoztFUZ{4`0Ne*Gv!ED>Or+rB1bO-31*4jA>_;p!BT}`sw z=+QG$RdgHL@kWBu6>w>$v}N(o&!FTp$!yZ09Wvxq@jci9SJuRIjD&bS=GX0*py-6K zIk_AE?ukLwm#D4WLz@Qg8<S-f)yXDk7pHW)KE+!3{3a>rEAN0odAZJ9sB~)UQq@rV zI44n$24Y5&7-W;EN10Jtv6F7DD`;YjbW^KwrncVEB!D{&HMo<bu{&sMy<JV*L1R-r 
z_NoQ*|5ps^fA=nQyd?W&{2$*%W4|Uo<ZCdxSU-24UqDA8W|^2*Iij2TyjjpzV%$3$ z)LygA71iM9@fcNjb&!#vPl3Lqj!wd`vQSl(G1pld7uH{nOm89~x(gcVyKo1}s5`7P z-m;aM6Y_$1C7pW{F15S2baARLgvrvH#ZeF_Tn%jn9TvM1n+#nfT^i{Aj!pS{QhEba z)O3$K1j>XxsRna{VU*m^U1D0nN@1vXXlB@=U|yqlpvtYLDUhD+wuU4Mw-m;b^-u@Z z#A~t8ZjQxcvzL}Gm{m4w8C`)AM*P9FG*p{~oEz$N?5+`G(b9Qy<}Dl^OHpmbt|atR zW^t;qXxIMRLJc>H&9oS_%CVWV7Out`{>>Cxx}k9WPc&MM#Z6p@l3Gk?DR*z10qs9E zBtiQMwRQQ{4tv$?6t&jq%a_eA7-#Ge>1(Qo_1RYSq62M0gBb6^Aed$!qtjGX0(u|A zsEb&0mo1o27hu@-QWbQ@sz_i3tTi;|b><jm-LEm;giQqID_9Ul(^*(=Hx8~UFcdch z%cwc<-%?Gx@6AtwLYRb-zR$8fRhv`QR3V5BDCL~cekGu^#49w^j}5dF)SG($qBw%E zy(ITC)jldvN%Nx>NLtoFi`<!2$200I?K#xhbU}y>L5G~T7!Rs1FC5CMIq{g@@lrK^ zCdQj{`qXWkr(>;}f9#;i#63D8Iv3hzPfQt92U=>Z9?n;6aW~r{*5lX#gAJmm3~OKd z=xn@F2aAuDy4s}!8=KwWXjV!+j4lBkZ8b2Z8q5|&`$!q>2Xqu*qJsUUn(}Vi&h5>P zt^?~-HM%A>*XfmwD~|0qW=&YiqV9fNYEZ7&(m1lQ3?DO7Wif-f!lF2$VC0DLB^~jF z0TypHCI~a1cB5T91_g30%2cWEK{*XWfyrwNodY*km#Q?ZgqUn<W4ltd+vA22j#;Ci zQH6sFW-@!G#mY?W+o14<DRRcKeP>urZR0m=pVasrn?dzl9lS(Jd=9TVwm0O9(?$O1 zVE6ljO`(qNq+-iaIm2ON78I)qHuO5k&f5QB*U?akMy=2>j;Xm9lO;4g#z=|N_s25B zB+h1a)IM2lK*sYizb4BYFvf=)Q%3{r+QtrXb3-L%&u9>knnYDiJrukZ%;r^*q<TWy z52&SSQ=)!X0>hm0A2Vm;u?7cn$ZEjb(e8E|8(SnxOFNvIw=fJU6DCHdq{>k|)-hut zgbF}+Zdi_JhoxmS?AgVsO1gjV%zfmG9*LZctO{2sLxVpH3V|p6rSiwpm(mZVL*hZ< zbN<KtA#xA*(TPix$2q;Rw5c>i^|lyN8{C~1js(<T0<|xFDBJ>O(0v1T6NWv~>c&`G zov+6pU@I|Fj3o!w1NLUoJ1mn_xs{VnO`FadnkGJGp{Y(47%_)qyIo)y4Pe^>$HzXx zc!g+xb2gsaG%e(VZUnQj$LhWeie(Ips+ta!czU~w#()L!>IN(whRtSkvbG9ygX!H+ zZ|7lH3C!(3xCyhFTE<&5wh;##L#iUciXYzsTN&FMV$!W(nnb$2si{mQbv9(NgQG?x z(-1eKX==x#%|%%$t6wr7jKkUdj=A@6QPUJlk5KL&Y_sMsD4lC8Ot!V;OiB<~s+j%C z8dT^Cv|=m^v_!nTp0%1~ex#EKh`woI7*6>ImbPRaHD}Z5lQw}dPbFbh(dU_W*)6k+ zm`WNn7gCz};z{n=moDB^WUqULARlz=QkR-w?@tqzRq?HbTd;CAY${BqisD6v4+d7o z0%HK`1sFgD1`8{)oGvDZd@Jb`)#y<{8{=>>*Z?R476X{<*p%8q`wzhKf?W#wQXLkE zda6%B)!Dqj^eEt=l-%iNX4DLg6&o8HR*Hj7lS0%Ejisc@{qES>gx5l6hgj)OOnPkA zhuM$b>!>udtdWNvYOEua#2Sl;j(N}FL0~da7`Wh{0RM|hx>cgo1B`%<OpN`_$t@Vg 
zhHcIuu|_s9Hp4_uX9ij*%214A7E(iJ2j)+sC8^s;dH%tBxh^^z#1on(2C0sdZi`)J zC|9@dpnh~|nbb5PNR_0g?WtE8n`$RhIgO}L)m`I`rt#S6K}Cy+@POy}jF!_O;?^9} ziVj{?us8*^QKF(?`kujTDqCvVhRr?EY-$=FQs-LV?TK<$wchSa<$gQ=mzPu50Cxzg z>hu(l@jr8>S<o~NstxE8PHVP~jdn8^Euh{*XI5<-)|<wLd<W=$`REMya#GsvsKWG? z_Jpj%7T~g4yLOKq*cO&1b|w?Mj3LFA(VF-k+GF7rv^9y2NIh(7k~Qe1Y@x(B#9U%$ z1XeQ_vj@lq9h9{Row_|$U`D2vBI-YIrhXf5r+hR+%yNdx6Fj3jxdSdHtT2XNgR-Y0 z=tIF0;22;#STU*%rcGTq6178Vfh)0f!z^T2ZE1ljEGFaf(4xc0;1qQB#p01NyrvKz z>lAa|qGX4Sq{&TVY-^TFV^xL@L0QA><ZffDzy_0BbxcQ7<J_jvCQ&;qy9WdH4WuS9 zYO|&Pnq3?_G(5k9!8u?Vs<erEl_jB1sxUYc-J4)Vq$R<mQm<oY3>*G-Ge<h%)A(jj zjm2TCi_^Ijz#<cD$u&*eXap#suv8eM$1$C;);PSpX;g?g93E+KSB8;I9qz$%sZZSO z|Gmp0^Y}tOG3vcWUjZdcP#7ES3@00dsl^NxC0)xbVjUX-e{ISivH8@&FQG(*XHOLh zPj_vUNq}=uGK(yse_cc;VaF_PxJ2O=(+!;AAx7gS*<1}K>RK$BJ(_l%ggyUQ3lv*w z>AH%vbfKcX(tInBu)3ISJGN=0;T<^AcVt&bZR=`UXZNt@zvWbQ@t-%|f1&Mkx)Jog zp>NuFHm5b-JtagYC;4}6$97eXHBBWUIP~h2wt8Ik3=bQ0k9mvjX|mQeyzKTf)r9mN z!TD_`?Ndl(d(l!a7<$iGb1fAb)FBmnpxS}z1go~r6urY~UyGerwz#Mi*W$U0am%;^ zMh8O%2m!hy)sPf9JR7YjY~nS|A+Qh_T6=T0GbcN9%~{(tBIw&kmmEtcpqozB9j`fy zU5+AUHJAro&UTiP!15Hq+*KU%tv2=oVRx6broVYJDM^K;03O#clj&{_ZMQ6K9n)pk zq&C=_!3JiHZk7$U;D&p1VQiV9;iJZ}SQWKzx2I(sh$$Cn{HjgKYExIUIaUt-K^?Ct zp`~T2Wu`ke!1gv3g_y0NG2pI@@j@3-JtB3jaSko3ML@n7TWcqMsF7oSL<y<)Z%;Z6 z(05-}Ha|ARFzuM?A8JHi3`4PA6KL>7KaRc~{dx4s=)KWfqE|%I(Y?{_(Y0{5pAs#K z#-du3ME(|eC-Q3K$Jl<}8o4r(iR_D1M%G0ZMy5uJBmE<tB7FFh@E^jz2tOTuAbflH z>TouEAY2{Z5MCTE4VQ$^4tEKQ%4f>E%InHA%7e-s%D0uAa!^SriH*t<Wx6s_8K`tq z<j_Ate+vC7^jzp+`1M~Kx+rugv?Ej=S{9lW8XFoC>KO_KzX-k`{7vx1;G@Cg!5e~? z29E^mgNfjZ;GE#N;Lu>NU?}iq;Df+#13wKs7Pu>LW1uZ?G|+$(HaWkpw2l$F5<-=! 
z+*<x|rFFC&9K%1Rw2rcaMKn0l4#sG(#18i1A5~gM*um~JSZoD-f8ZZcT8r%9J2Y5G zgF1b%?-TxqN^60A`xFfhw}YS2;4nM*Aq}2u1-Ui+!%FK=JGhz#huFbYG&tA}_Te8= zTF<eA-FY41L3X$=|De)3&<>8_A5dD)wu419IKU3ZXt2K>?8@J-w8rdUKmMfB+RqLi z<nL2j&$5E3@V!cFUj%id<$b4UxQ~7NGaBq|2S232URID>$={>2_Oyb&+xUAztv!UU zoRQTKdb7KA6LC){t=+63;+_b#c5RP)0`I?zb(b5%->tNEwu419*vSsYXi&3*UHQ9| zR@DxU;g2h=Q9D>fgAqFzqrtEpT*Kd~v??@cynk*r4TtR8t7tH21$`gzKM1u3tU{l| z|3GQ=+c!Vuzpu2)R*>`a-&0y8J6OZtp|py2a14LD(kj@&BK~&NpSQy?dYf25yrkQd zR?ZHdqCuY>{0zaIZU;Z4!Gl&1O?j)5J75QkXmGzBjM3me8f5kF&3{+P?X_=<G`PnO zs{AcVZnqum#ow&tcG*FJ26tLP-+eULU<Z%WV7(PYv2Idwb#}0b*AcF@!!de$haEh` ze@DsH*ukkZn6iStztdo~9sCJ@V<=Z;y`@6_1|?T%-Q@c4*DJa0cCb4QZlgg~|26z| zN-k;NUQL5r?cgdJ++qcNKjE)ca+~eoJ^VFFE@1^xL(HNTcCd&B%k5x{1~=KkF}!}Y zl8f8nA|Anwb}&YR8|>g1{wgK6-VPSg;5s`PqrtUyuq%J1lDohPqAy*c<kr~1Q#805 zL38|nM#HP@+aJ>4N-M~9;`2&wg%$KYL4(V!AlH?@T*)o7f|zQ*rR2)&;5#(9)CzLF z`OB2t5<4jBG`!dj*Ya&jZjl|VqQQlBFvYipato|iyqn&fZ{76$oCeRggFmLh^Q<6V z%cV+go*gWr!MO<bU@K3IhUZwf(OQ?#wRoc*Bo~1(9`})Ia(?u!=ntbeN3+rT=(^~v zXhF1F<g3UZBQHk2hoyH*WL9KA#25Z;_~G!C;ho{KaB(=S{8@Qgxk+hM)+-a09-&V| zFNf|7Wkbo(>=4duV8when8!-FBv^<Q^1Z-QSQ+)e+CX3bKmD)y@9|&a*Q@=L{k`PB z%dg0H$*uBsd9K`D`b2t3`hnCUZIuMlMSNMjUig*oIR72;33X39yeR;6K-Z%)e8hR? 
z?abPM)0F{qM+%1~y64ybYn%T6Y|pR%*EaqC*`9w9-5r9?dp7<2$ua(QRBh&I<PJ|M zvO|irQTZR_FL{XTl7H_Zt{7*Gxh}8?sGNRybYKI0WwIx?Gb(VfGjY5l;}w}Fo?u2b z_Nc}o6{=>1)x|mp0n-(9`c<aZ#L&SSiWjIOPCGF1|4H-G;Y-jx2NS-j=7rzYI1@D4 z*Y$AJ+i=v}@jqMtj5b_eqccaf|H<I@|I6OT>-$Ie;eL2pXR=LwE=!-$kM?z(qGMMZ zBgKW~ejGLGnsm36;b*zBV-HQEb!<)cH}T2ja|8Tc2Zj4$RIDspHYb0>B!8DE`MFzo zZ5OUv*e&|)>7ui`a@~quv1pD3WwXl43W`UT)no4#udN`zE%tXUwIA5_&_@G3S;u>b zU3BumnQ|Io=XCGsQRXdNyaFdrtti~PXNqE%hr7R{DEX)7$>HVPB^}+PPp}KY{o+hf zitR#t=&Er(N#p@K_r@906_2&kHJmBR7(2=<XNoe~j`CthQKq62#iQ&vcXSkoMrm)R zEmQnm*V(TvuUsh?N4Zh1bopZGw0=@^y6E`nqEn}fisjSuI$d=9bkV8PMaBNp^EzF0 z{B+T&(?!LB)AKrAbo_MDsnbQ=6bXYZ<8H*7;Asyye!A$?>7wG$X$fmi7ac!cbn0|b zv2uD|r;CoCE;@C(s5pFjUZ;zWpDsE@Mg7g`i8H3B;t1E(BT7M}yJ8vBPU*6_3k%u@ z(=1mbJ7U;li8P-n6MGPJFd*4u^b%_*k(<wyi#=tGK#a5Pk;IC!c=4=)nN}X$L*4zI zH6zBN#WQA%x8%N8U2=PtBYkz(4SNRhUDwUbh@%<VRV{KwZ=Wjqx#aEB!-KAD?B*D3 zN1sNsx7)z?Q4fFT&UX1n*fXIoYp0+I>=xm=Q;szQZdCMi$wxjx;h*J?@>6-4d_Vd~ zv?4k%@~6o0NIcRn{7(3WaAml^@@wT5rCb>nIu*J!v?eq#_-XK=pdN%zK;W6c?!XZL ztN!c#YyJJ@*W|0@xZDfu`vz%=6cV2jo5dO8S;9YsUkG;#t->~8HfbSS$!s!^6cg?( z?h)?W+-`0KH<Igwl05IbgFDD=<`!~exqh4s$qT+aaA;~A&ZclHakOKa!46L@dYHSN z6IT0&>iHcFT(^^rt(?x~OCRBS<o|SqKXkIsBivdpKjk8XPuwF7C;Sp4aPrZk+yRom zK8Y4swN2_n_=d|jaotarHE~^Jqd7*C$-d}=(F4(Gk@q8aN2(*^!=HtJ7(No74mIFC z%1*vnnXCju_l0(c#`${(e~-OMA~+!Ma-hopHUEVFN&nUUTKRYKaruZmQTm(osB}=8 z$e$;1;{9Su93cEsxK^kThLf+zqvRl&Oa$&(u9=(e`<L%2U)!b1T*B=J->v8J>Jk+3 z&=F3^KXk1;Fu&yp_hSBM)sWr1R~kh44f!QH>b7Q|)L-V;Zw(A>>`fb@d%p5+>3qU3 z%Rk=A^~x_g%B?aYwzYhCcD`{XYMQF$&gb$U@50>|2l)q|9AD2}#|bO^L-!aBneV@c zo1Eu%a((l$asFWb>jrM~$rpEW<4OLKRmffs`Uija+j}^U6{cTW8g#PrK5ikei0DiG zqm$|Os<cgcY>E(_5uFU}<zFMZ)I?7YO>2taZ|)fUdVJYq3H;3*qbG;b$6(<0H6NoV zj*cCpXO=F!a3}sAxo{)?9=?!fdFVo%vG(alsr=y4<@kHx=v4gOfAn1Z-FuYgyyr*? 
ze|H~Qg1<YD&_h)XM^yZ+-*UJb|I{9)=cjfYhE>^@0vq=EsvBu`RgG}0@NI9Thnu!F z#_%`U$m8$kwfK{u*;Mo*;fH<UP%mI#OSC4kAX*k_h;|PDCGtvmP4tQINaaxIt57dg zHWd)U5A)aJ6&~gEqmAo>)Og>u@qn9Ami^ak_ip~__N36M8vXy^N%21#>-h)J9*qYA zjT-8ha90sd|1&!Ntiu^kS<$aL81=DFQMnFL@i*aV3mXdpaH!~dSaUzldra2I=YMnD z=--@+od)~ae|RvK&!fzX*nW2S!(0^mSzl8=evn%)L<akc+Dhd@Zdd;CGzQkUuIBm+ zk!s&L5DwzD<|j|&`u2`IWt`(fs+#ltgSHqmJbW4B^&9H)kr%j0ouilfXis+hw~vnZ z?)hn3FmpUs!Nuq!>+;+hOcwvTfE(B!!Ag6zn6Yx!nBw+T;V#_VlHYL-cNR@G0wpQt z7Uy50<KCEwlxyWaF|L4)^g#4k{PoR={xkYX^uy?Tu)_R0`itn#qR(O!+!>v^DMt?) z##`uM-;kMrzw4U!<L}xgdiZe7F?ud?^-((fR~*5n&bPd=jNl&;rvdR#`AOw1?g!B+ z7X$@Di0=d6HKZBhjYg1LMCyds5M0lKy|^d&qX_y|vDjDme#&9T>sxv9A0Kgk^_I7Y zDh8#8xcIk3vQCx5k@Coz$dbsM$mGaKng3QbxxE+kMIS-g)H4(fi7?ZA9DEmQr=LrI zklx6j%aIZyeSUH+M>cZ#X9?+}9}Nf`Atn3@snSGar1>TqEuC+oQPO!P8Y#^)QHeCy zL?fg*CMuR@o2W>dWuii9riluq873MoO=n2whe@TT@LXw{iH1s3O*BNBVxqy)WD}hu zO)}9SX`+b+N)t?Uwlv;E1Eg^#>MxBoQA`?RqJGk7Af49zENPS}>?@5lQ6H(qM7^aE zCh8>>o2aK$WTGBYp^3Un1t#hy4L4C&X_$$+NavcUvozF1ounbU2{mc3iB#zv6Gf## zCW=S{O%#^SHjyF?Fwt^pyNQ-b+e}m@B~7$c+G?UD(iRgfmNuJ6UnC_=xKOGv(E_R5 zMDwLhCOTh=o9H}gqlxB88%#7;T5qB`(mE5(me!hRmUMxMW=d;JG(%cVk&fn{F0C?! zrP4|hO_NrbXsWc_L{p??CYmgjnP`%<)I<}dB_^66EjH13X_1M>NefLhR$5@9D(Of- zXT85tI&2EJON}PlCLJ<SQnFstR_UNA+aet>(PnACi4xL26IDoiO;j%JG0`Szw~6A? zE)#9sDD5=i2C2bB>!o@Vt&{3Zv{tG$(FM{D6RnYIOtf0UT5SyDRZ_KyR!UWvH)5BR z_F;vGl}_$q+#AB5kh>ZPhAlZ@AQ(@i4-BO62c)YF6au=+jJHp^+(0FKgVbW8dMRU~ zIw@_UTB+GYJESHPg=?f^CQL~ep4=jnp`6~|lmw-ii2_nT6ZxgHOe9NvO(aQuOe9LZ zO(aOYOvFn)O++MC$r7HEx|=ee)QutXwZtl3avu3g>S7B2C3QB@mr^GaeIaQk`lqCt z=yNG*qJKyc6a8HZpIjXvOL(32+`c3vu-@E<^b%O#>_d78tmpP2iokkv9|E3g<k83X zs=#`4Z_-m>{k1nzus+-y@mRm^1sUtPy-0U~P0_t@m-XwOJxDiUo{?cs2-&>d)0Y#@ z%a?}97y6HlTMF4MJY%AS@DsnlaYR`tJk3BS;W-90;aMY6h-?=gGtp+@2@@rR9~sd? 
z3x&rS=p;PFfF?X?L<*8^!lNci3O@`8Iyz^N$igFrFhI5n51D9<@UVgWWQ*{Ck&8bn zJZOkyl=eOoC4_rTR3Y4LqQ1fjBZ1sWxSs({ILSa%xW|Yj`R?Ipqva<=$+M9a{7zr= zAJJ1-;oss9<yDoua`KNV8Nv~MXFk%2+{F3v&!0t_@{>A~39NU(;v~IbWHkY!;mUlb zGubp?16!M0Nk4%t+rAt*OIXXKIW+pZlaVgu6;5Xp!$I<W@qkgTgR{j(24;x|85kuV zW?-avh=CH34cG(Z2V#Tq=mW@Lr*ZSZY;i9Gv&3Btj1u=TFjCyZK#9mEn*BP`vB_dT z`JPx~+}+<vtY<(I>ljc)Hn;2}cZh5r*+*^{tBjlbmWgaa*-LH{+2XR7Tq0H)H}@_R z*~+tr+$yqFW)JzU$X1y><Pu#>8s*<jZV}n)v6~wvZZgvDj*FWa7$qhc7%5gTP$IJR zXBW9yWUI+8a+7$0adTItxR!x&;zkBWiW?Xx5!otK%T*FOHJ;qio%G`Mg~r|T)#4%s zrix1#m?E-4wuxLTo@a<QtrpK`V5+!)fhi&zYjJXo$S6&m<V8k(;^cC1ju9<BN}R_) zkvQ9^^hWY+aT-NB*@y%)OyT9?bR*uzQQ}Mnio{am-Uf2DILSnP#mUCa4Xec|3``ZL z8u!+dtHiM;%8L_Bbh$X*h_-%|IFW%Oah!2)9nr58OH7y-N1Nz!ag-5n-6(Mk14ZIU z<K9|wg;;2!%fw<6^%aYZXltj6BMi|6s1sv37oZV_nX+$*=Ni#27$p`MqBZ2QRpL++ zwuwUww3=Kho^8Ziy;>Z|z%+3%15?Fw7?>h5`m+lCjZvLd<YJMn8>`4gVl2O~4|#@r z{$!87<UMlBTcUc)#Uj|T_$oI%FUH6cLApx1D8C{`R-G#y2M_*Z@C_W-c?u@jJA*e# zF9oj*w!&>`cd#nBDY!B?KUf+ZBi)>TIYveek$z3CCwGwh@afXW$p_?Z*-u{M2l74n z2+xy$@N48z@=)o=(nI+H{mB?2{VTt!KdJA94|x1lIvV*P@^<94$n%lMBlkt_kULB7 zN_+CZ>QC1A<*87*+@@T6a^nE9izmLDpaQx+-})etba*St#cTqBr;=R6ApC6Po)$bI zcViI#7Sd-7!q-CjltDN{NFQ48TIpQ|;i@40kwMt-rC%@zgT3?$gD}=hKM&3~wkEKr zOV2YgZ0XW-R^*)YkQF&6J;>ls_#@J-7CbC{m%;b>M(LK5=M5(J`R_X<O6o~zni%5x zUn8c)onpDTSez`LD|QzJ;bY;q!gIp?!p*{^f-Y3%OG?FUT_<VH`-Fak%*S`1;oP|_ z1x?Mw{9UDD=gAYa<~`n9<F)49UfDRUd6!o<HqT8*7Gt#L2JfxWT64WuHcD%*^U6l% zm(VOqwB{Y&TO+jQ8n3KaYfgD(Mfn?$g<hyNS9xz0Xw8*g*>J6SyH_?$Yu@ITjU(r3 z%}K9psMfsID;uIUZ-Ff0XxwpRaK3Z~s&$UmobbjUq%~J~WdpV5a<A;{{3XajAD}hI z-M7a2a$567kBs!!nm4#)zE%>`n%8?}{j}zFZW-29t$D3SM$XcjFMv#URBH_Pw${AH z6_Fc5`fAOqy|O-P^D3bq*Pa&aO>JK35%pG^SGYvrZff&#mq-V*Q=6B$WT1U&bD3M@ zdsS^->K2h+YV#782%JxCUhEMeuSFhFPqlfWDbm?^0UuPG7r3H<Hmc3@J)-Vv^Z70j zIHTHpo?GP0sm=4;BGOH3p6hPKQAE|6=ja}x?^UgNwns*~YR$9UvJ%2+%`?5S&RX*f zudI{SJl!Ls&nPuzCFXolLb_<p)7%k9(1%R*$~xzl%tqHozLPz-Xugv?GNNhC6Wy{R zqMp2AwzwfM1%?N1IN#S7{WSXLz*znUcn!T8eKz`N^qxRSSi=9FZ{g=fZ;M_VZHqQT 
z7hfCQ5?$;6RG7%Wz&G$C^XF_N=N9|_EEMxU;<xcbBHJPxBFiH4B2)P9MMg%3MEXWL z1$@G6{&oHkKP4iEzYKpYMDtrWlIfcQ{gr)6jUXrqWsR~(sO3LYW-8;ALgj3whZ0su z=<oc=(EFj^g?<5F-p4}shHejC7rHEz4jl~Dg|-HUht`FbhUSDOg+_$V3H1)CA(8() z_|M=+fo{Qfg1-#DD6Gx@b0e9n```4x;(x~fi2sEDR{u5rOZ`p${r(;P&HfAgi~Y0w z6Z}Q~f&QNUh@Y4LA#4!_@t5-(<PYSxVL*9aeq6p!zC*rV{+67Pb-7+n%IoDaxHV0d zOXR_FA6b(n=?m!;6jZ;GekwgF^x~KCeWeHB@bn$&3MnTYme%c(Dy6uzLONfXCXJTP zmHJ6tq=5L9_&4!A@i*{?dRlx~yi2@Ayjr|iyinW=<3xqHT3iTQ%{Z|@9Do%^5jo*A z;V;5l!mGlw!lS}H!fh~Kv<c0^0W88l)Q#nfgA1`df~{om50(oVgm181z##mB<>3s% zCs-b4KqPxeK8HcL<jVb71UTHvXE6w0Te&ZT@UxZsFbE%8xwip19j>ji#>DVFm4ghz z(^U4e81OQcWhRA_s7x4ygQ(0g2<K4Q#~>U-rLPUh!LL*LCxh_mls;z=4xG~8SzNeO zN*@Jvy8fdc*Gqq4G2lxm{hGyqAEERHgYY4ge#Ic%2c=&!2-iXBbpukjLFqLH;Ug%$ z%Am+!2D)WDq8IlBf5d`6;u}qv*C&yq0<TLq=D(aohUecMP4s;6Wb#!pf3fr<7O6X* zmF~CTG3f^uyiod{1$Ro>lY^(g4khqu>7M++spL1TW?i@+^IeQs)X`6Rn!!_mKW6YV zz^54e5b#L@avI+von(;bo23&BD*S%w3KsVRexH<Q(k|Rn{6Gsn$qz8$$qh+zgCx_F z<BxD{d3l;RM*l<jC0OBZ3x6woIGhS!5S|+z9Uc&lDqp}c{}tsi<$KB%%2B08S*y%d zMkz5x34M;=&3HNVD7^8n3N?iq;ETUFG$k}F)B`HszXsn7J`Ym+-QZ=x!@-*1y5RZn z!5<Xt9OMEY27VRzap3O2wSi1vXJAucVPHaFupa2_|Jwh)|8@UU{=5Cx`dj?F{1yHs z@H-sp?}j0KO8&L{jC`+rqkNIPPu?molcCy|dtsRVO?pdu9z*kH=~79Two9v|nbHX9 zEGZ~{CcZ7cC_acWc&T_$+$OFNr;9~mZ&4QhCcFuzcT)I{aFMVNlS7%1pEyEP$6tqO zaW|jfm%>t8!1v|@<nQDi@)CIjy!#4rjMQP<w17+`Lr6EmbEml9a?f!OaJQfhn?{KJ z^z|gKX2!dgr}gCWXl5KloJ}Ct7pa-Co=8_kGh<wl){Rm#qg|2K(acAAM96%kold9p zbRBXp@x;0^ni*loqLJ24RWrq|NNdSuYNp5|>Z@i7J)$e3nF3c<7oecSStQ+L$k>Ld znPIMk*pI21b3LMOshOcJ5jJLOW{5}B7R?NXsJ;DGPm5;GaZ9E~GlPVFx--(0Xl9^0 z(rPtxwkvOJ`P9q+mk9ehHPhcCx>(J`Jfe%VOh5P1yOCscEpwJf$X%^v`g&xfRm=2o z%Qlb;wM=iXET?69xn=7~R?GDC%38Ec4=U5`F2=1R87<S@9dR8kOgE2=q_s>}w`?tG z)-qkZvL-Fl*(*DyWjZ-z_!tOx0j-JV5E`<hT1Iut=8z*=ChC^0;WlWQh)3poTFZnz zGE%Q)6t7IzCTBuk;bAosgsi>ua0^#!&=9*ebPGwNmhtBsM}vFG?pv$r<0X%bK3??7 z@bZQHOEe4KeQOo174gVuwwy;sv-RcskHOBxLtR&qgKGL9qC4ubVyc=x;1NyH()-<+ zt|0Yln(kknDHm$#z20aC)HL18vS`Lc!Y#)W=w8;5bUB{j*~%`bPuS^+h9`KowadwV 
zHBGm*j@*{v0d!aE6yX82LcV0I*h%;7YL}6{YMSn99ns5>1Krd*MaZEVqV^3GS4Q@z zX}ZC6Mq8n!J^R}-vRh5l{Vj{e8eu7(u+5ek`~RhQf@gcXlr{q0-a4MJ6pcW4w~m4= zCA-x0W_PqDcmUn#I#Mo~qNXbZ-7Q0Io_+2T>>tyc+)r3ScB*N*>2+kc7*C*kUZ)6E z*x*jNm{x&qd97%4G%v<e-CJI6F=<fKbjxeSL$pPB0^RXCMR<Z|zq^P&f$n#m(I#tY zY<HcFw1`#<``x%(Sf{43<8`K;kF?nFI-|{}X|dyV%WAbWw!BW+O5b<1^wRtd<1t*Z z&vo4*JG3-5x=z`7B&DUX({;;gwDiLK$H+p*?$&v09;sH-?(OYTQWZ_p?QMJAl}^$0 zd2WfOrrn!c*hbVeHn$FSfI<?{^c+_@U0JB6v9oo>s*I+wv2{Ezgy&&f>y+Sm*wi|b zh3NCJr*(<&JZx#5>F_x0XYEMnDX_|@Y3yfh*|HSuEoyp-M<lChY;9e!l4=?|TZbq> z)~IQ0Y+a(Q(ewm}+MCZGRnsQbvUmr~HPN)2YssiI<y!6OWK^0`t@dFFla88pb1j)R zGUZy1ba)=6TF!KR)ikAA4n>blDzr4Xma{udC*^7yY|Ghqr$@Ck*p@rmCM^xR<&>3@ zxRwUra?3VqX)vyKnV#aN`L58?pj_=jD$8qWa4wgOY|zpmU2fTWEe+P?maWs$pj}Sc zRNpmP8pO*b<F=}49o)-VxvBHDG`N>L-fk@o_T`e1wQ3sl%b9daCp8WF<r3kAfquC} zco&p@nQup@TG=UswX}zQO(7SkY0AFZ-y$~|51{1BDblpGhkH#XYqYe7drc;*wX}zO zO(LtbbPvyJJ&CMT)0BHTo-uKmmiADui3CfKhk8vQ%eAzJdQBim>!Dr~NST(lsh7_5 z(i6y1E$yLR6UY)R?V(;1$YL$+p<WZnA}#HqUK0pre-HJVKo)3e5A~XW{;#Dy)N2Ac zUrST!)jnRJI6qHId$`wlGEYnUz47L1X%7(_Pv&T84-p$rW@~8>G2Q);Sz21~W;jzz zduZ8sGDAyyXxVr&T}yjt*?3Z_rG4J~rfJRXZ+)9-7MQ9vQ<CPY@f59@vNV@$GF8rv zB){gB8Ok`Nfd8d3K<Tb13K#k;^q0_Ep;trCVq1Mr=r$a4Zwobt4uon$TS9A<Yxx)R zZ*3&!sN&DX9wHHL7nTYt?<fDtE2ZQdo$nkt9=JJhRp25VYu^*77Qf3+4U`8~1r`LR zi$4*+Ehfa7!rz7KgoDByrA?_-mhk`NpWtug8~Kg=DDqdiMcyV~E+3K`<SE!+&yzO< zh6lz5x&`_NLjKPJKL1<(zrYLmHXI3T!w&sf|D&+-9`HB&YyDfWQ`cw1J-OH)^-uH< z!ePPB<=5rk`vv(!`A6~%^7rHy<dgCcxvxA@?j+0jp8O@^8gabvzHpgPCrnbBl`X<K z{73x#e4gLQFXxAnccqV|pW*v;f0W)3o|7Jwu9WVSZjzo79+QqpyQNkMt|ZbX@ow>$ zxJWD%ekWjg*eZ-r4k&Ad-uyfK_xUWpoj;F1i~L$xC)_LiLJW&%i#5`GsZ<&x4U=M0 zS7->n7C#aHB>p!4?f&F^-PCYKMn%qz^ow+f1aXe?v+(=j--TZbKOcTPd|&tuK@49H z4M`@fhwH=1@cQtw@VxMp@W}9xaNlsJu&n$``787#zfoRRexf`=4Qu%1!7jLW$HOba z=R>11EqrdcANhgtO9arq_yFm*{^@_z!`AvQe3;LVxL6uvssQl?0(msk-Qep3@+b!J z<pFslgZS!zTw=k8<iQN$7{5G-K^)<iO+^rn@5^U1DUR;TrcMaw^yQcp_imZ#r8pgD z-{sC$<h$igR*d7a${-H7%TX)BaXDf|xLp>l2)E0E72$T7w<6psePu<sRr;3|;a2HO 
z25}Tz`odHJ;-t6q4=deG(kE8Bo20*4>28w#${-GBOQ#sbVQcAq25}l%`U8VF2`#;2 zNiUV2wWOCy&oGEHxYAD;?4v`|_XNW*9SLy;$M6?Pk26>V_!xsRz(=hJt<ob_gjVT? zR)kjRVFvp^ZTJ9#V@ZF(bh|9!GtzxbIs)+Cpn#c;aO21TVG|RN;hUtp87u<4i@_M+ zaR&SF$D}(M97oO;$}Q=I()TUtK%s)cG5k^K4hD+=Z)Y$Dc$*bLKP263#W*D0WW_in zeTTtuWRQ?xa0q`;x`Dwl{9fr>3>E=i#$XJvjlq8WZs`&$?k?$KEAB4oA}j7LsTC0Q z$C>$^QjUqolVYL9f<;2gf`vl01q*~K3l0}5EjUcr&LC`)!Zr&I6_OSlB5bwbU}1{| z&(Vd=48wjWFke|}wiDKvQqo6Q%^*xp!dw%=d1{U&?JCS>5N0J|mIXTtGcDLjm|;RB zn{G+F2&EKGA{;D5!ZaoxK{^XlE!atzVnU>wY)Lg?5`)wd)N?GEBH}Y|J|@DUf9dxO zj^VGC-Zmow{?3YUwe*%1;VS7(E5cRMZ><PdNxxwb2k51j8N`N7cs(Exj$k7w{MtlQ zgf|SNbBiVmOexPn(IN)e{e`Q=AWJ@<)C#Xyu&?kcyFY)j!2ANZ^GJ>GQ+6NwFyUtm z&I5eWg4Mzc3_`0Ustkg43v_(YE;OBN67FRAPLB%5Sp;xv;RhDnD46488rdM2BVig@ zFPI}?8d)dY%Ho1)3#M)#1Y0l%&{VQkFvrAHZnt2Ll&RcSLBEBi1A7*}%gQiyzF>|j zFjV1MCY&-@xXwhKgd0ty2{)K1DqPR<0W}q_w%}?3zL2!xCwCIAF_9*Go81OE6|OX= zP;gR#nFl!VP62+CG}Xjqf@vrK@f6G<3%)6sLl!hsFo!J2rEn?B7o1WsM=z+PaIqy_ zB$%TY#8IH57cD=5U~_Da-U(#BkhR3;3oQ(S6bcy&&J)rWoGUb2aE{Pq!P&ww3(gWQ zwBStPs0C*TM=Us9I1EVNKRBGwXo;r@hb%Z%Fc;YIWQuUml1>&5Sa6cC-+~i`eHNS` z?6u%{VUGpJ3A-&gR@i01F}kqR!lQ)-3yu=%EjUuBvtWr(Yrzr14r-oxlxy<A`~QvT zPonolZ;D<L)uWZs)zLZ8QPBa>XynVtpW)T>6n^;lhDd8<Kg_hNA~W&Tr9KfqzPa=k zXv_V2_@?kB;478kHL&T7!RMA#<tycV<yT-R_bN9k7b*LdZOTg6XiJoShE?ZX5YQ(= z$3xeIT0(n3JeP-Ngo;CbL!sd3aNB=1_yk;)t`0T@>w+6#)fpQc7*z3HrS}4_;HygC z3tR#6S%a@f%nOVLaSZ$Q&;5V!zXUVw?f%RChyB(5HU8QDk^X-E5WXkzd-<pGL-MWi zWni6^@+x_zTnvgBkUo{(mR<zuy9G9#gVHuwS*J^dQZGq@b@fg0Iq@WZ#`$7#zqnOg zCYFkYVlPn={tEA%XJOO1Nw`?p4=%V&m?jJtusIX>Q~YoEXZU;h8~7Z*hu;kI&J_M! 
zz8g=-N8}CiG&w=8!;!gNq?{~*ac3~;%ze%Mg?o*Ag1eKu8gD>rp}J8Ahi@dm*IKA< z)FpdcYw;*Y8_Dl<t%Yhw9T5+4TeTLCdh`%^T5F-|QD;0Tgj=Y7)G6b3Yb~`N8F@=< z@hD4m`V6Wpbs7b9`Vguvb!4cMd$ksizEmfdX)RP=>WcTK*5Xl^9waYnEmUFZh<A|O zr?pUpsU@Ro#DnCwT8l?zdXW4^YoRJrE20ta*J=yZnL2jP2aB{8sxoy&dqZoXI#Y-2 z04+;}SBA1o@@P#D&<cCBrU%F`)fSJ|^Z=f_F@M9)p&{Jh&UQb26xEbE9>1Sf+oLJn zPoK0l|1q-AJ=)Rz$lRkH-A`WETBvr^k!u}&l1DvSN1p`ss5{<kS_{>Vy3+naYq8X$ z`3qhV1Ny64i$^!QkG!I_cyy!t=mVCzGuuaguC`D`spG}$OR6nYPwEt*S{^m&KJv2G zve3v)w>{|g(t3H6rhDmQp)_^YVJ~?>Yk}6(Eqh6Af!@^l+`T9Y6sIl`iUP%{Gv$=M z<Y!t7RHshi9{O15PTjH>)D|dDo%!ua=5KfvFY>2a3sk1g*t=<Epfh#LkSmm?ZW(fg z+SHlr?xfZ-)f?@3tp#dRXVPutIjseHQ`czTMxI6Q_C|b0Yk}(2nRqApiPi$$sY^zu z2WU@SGCDgzd+L_`SZjg))RwKnDBVe((psQGwS|y1kSDYj=uq9Vd({>wQJocTK!u@2 zbw_(rYbnW(cnz&fHK&gLRFBwHaq8&S_2frdi$`->OCHo(Jet#5C@Wh$n$uePu3ehb z6jw_g&{{0Tsp+xC)pEns7OFXQl%*CO%A+`~C68+@9>wVnS{9GubO$YqM{&A?mWAp~ z9d+A*Z-i(q9?j_v@|fB}HK&fU>_Azl;?$XzJgT)&&8b6HMIO;wsOr=yqh;ymk<qeH z-RVYWL|PWAJax)wyLhyxRVa%`ds;<)sI_>sr!}-)dglB85^uSOJJ%Zec&aaTJgJ60 z-J>wAArGr9RAK69i5fiJqc5!?4{0qPeQAn5-O`uNHvRHav?)CL(iAO=M_-zvW%1}s zQ{1rpOSCTcYb_oX=@xQQYw@T^x6o`o8qzHU!-Hx_9o5;=S8MSoNVkxCv=)zobThR0 zErx>BVe;Qh)@v;u4e4fbLTiDB)Y-HNa<|svQIICcU0RDrL7E`Pqb*R7I&2^ZM@3tp z9(73cgR`S8(2hDp2S-LT(2Y7JCD9BNqfW^zH3PM%!<d5eC~9WEM|5X2v(J_8z^G_u zuT!F@4$O{bz|I_*A3y=X&72Yx0L;uOK><L^90kC67BvG_<`VrNngJ<uq}$&qngJ!V zC15xEwP*&6%oahSsu}PxM^5``=AdIP(f8C0$e2Tfvo6sLxR@iWeaqAgn3yZl?P>-@ zjER`)AE#fU84xi?!o5fc8s<od!!l|HB+MbgaTqlN4(1Zws%AjJT%zwrGoWCO+;_*L z84xgzYwv%%@oK=ooRRPzK)#%k5;X(r<;WXnZ`2H!ms3P;iDovs((M`-&47eCa@vKw zLBa4z3ft#p7cvI}bL51hI?>Epce+Y711{!@bd#3xaIp&Nis9j6732mj<KbczB=H?B z;~`_^G_i+_mD9u)88fG!a&n`V@$j)tG_8k^Z6Y`1OMi>0=K5#`6wJ{G<#2lf19M8? 
z^#lUul)&o=^vhA<a&lcX1M=mFv<Vr3dO0P?2*k@N(UB8)mm?<}QHo~3yBx9N@CF0z zazw(xBsBxl<r2Yd4V=rF4qj_uT&_shL^CrTkucOYB6qMaM=YFTQZpc5E)jAE_j2UE z5xIkTxgvc#ngR22MB0Ex0Pk{2P-CzzGucRL<=H^s69>}e$O=cKq8V^5N5b`^=-&MW z?v}h<EDq6kMAk>nkBo~9igXHp4THij!#@t6fFU6l-W%Qm6GCaYFx)%rS3XtVR(`5H zjMF%mD@WjJxlTDx8H<k}YxwrXUqY{ko(kO!SLrM^<(orgp=qIlP_K|2{3Q50eDe6A z;H|-L!PPPqTpOGh91}bnoAQ4J{v3EM@T87!9bX%0!AE2gfu(_|FzWOSNdCXUob!VJ zLH~FCm-!p9Ex*7&*FV}nz#o;rl>a3ELVf~YSh)t?(Yx>)z)N5d8YcIUMI0r1({Q%D zMQW1{!2+{Jnj?*p`b!b~M(}&$tKyHuJ7H*YAFR>+!so)Dg*Sxfg&zt(fc@!Wp%F%( z3Sqf0M;I>*6Z!~Y{wo-N-r`?^yZH(JCjMLeF@6`nm0t}D&O{!5?0kfLO-_;Dk(bF6 z<Q{S}xtuhS-6ToYkn^D>Eg)x+DDiP0b8mA$=bq&5<!-?X@F}_3_?D*qZQ)Cl+${Us znsBaFax?899Bh@`3@Zqw^TkSTx*hCJgQa#51^^{D%?`o{pya07K^Ov*+!Q-FM(10V z++;gkM1zy;V2lPQT0wlaG^gYy*ui&baJ&^nv9d~ToE?Psv635W2jLm4<k~-D4ReB$ z!)L5@^Rw2lDJZ%2?^t)`(@L)WJJ#?eR&wp%v4*8V$+dsS8rB9SXMe|<gT+C~+2657 zv5qM@<2%;I_p`gxp#2$ZPVd8CsO0SLSi_?mLHj$__$2C4CD;BPYnURGT>E#dVUAF8 z_IIrD(c2?R&i;-yf`^ry{T*u`PI@W1_Rm<4;SVXffr5_j>l)=MqT%-MSjT9v{X5n@ zd0ol1f5#g33?&z{+ja$iK*{y9gUe~q{*E=blm_W{tl5K>(4hSpYn@xn9|+~}9c%V! 
zY8++{<?tD67Q%t{P!3<QW+5EtRdV=<wV4sTx|LjaD~K;Z?+fMd6>Apv9DbjY!$+*m zxUjk?x%Q7(!}6l!jE`8eZwtfxqU74YV!eakqvYDZVhxLol5>8=dY6)Oe#II==U1!| zZ2yWi3^e#)yIqd%{7y9ou4_+`n7DC5UxgO9T}DOqY7Si2jz&dwY7SJ_C8||(V7e~R z4mAg!>k`$dInZ2}D5d7Wav`$y4kdiGngh#qMXOSCl;pPWJxcgWHAh*lQ?y;pQI_iz zZBw(9<~l`5HA{J}Q?wPa+)THG-=b#SOt*yJtY#_Gb*4<HSxR-Cq6#%jsjgF0u4XCM zb&58rSxR<ok&cFqt64YQE#Wt+SvTD+;WwyRN_Xv)NVs0jQoidHty8m<?>a?m)vTNF zmhcy-S(ETu?pY=L8a3-?ye0f<HA@+<GqY7{)=ha!_?2qbro4u;3%(7bW+~%!CS0y& z-ITY4U#4c0-nUeyX5E~(gkP#=-JG|CU!rCy=XK`4Sj|$>>l7_gvy}8YMGMs|Wxeep zy@X$&X5GBEgrBcw-MqJiKVQvK-rJtCgg;NsQsV0r%~P|K`8q{&)vTNOmhf}bEM>kl zmZ{Y!;b*H^H}@^!XQ^3mUsq-`)hwv5OEg2xg88~c)730^uS-;_W<h&hqG@V&IUHGC zvZ-notk)%)qGmyQU82cq7CK0mXp)+x{MT9WiE5S-V5ew;nxzcbA=3HrYSztxOZahW zmU3W6G=8j_r6kxX8lz?@3wDY|t64V-F5yS1S;~T)u|}#{n+CHzS_xmGX5Bovgdd@1 zDGzq0ELO8_B3!~3saZ;dov{klteXgz@C9ntO@vGM;c6B{Sa+oyre@t#xP(7f%~C4t z%zvnwrCiu48lq;~$uQ-@CH!DD>*m5G{5fita$#peeUO@+;E@efv*SIYv(@Z4k7$6J z9qSSGSF>Y0qL`W;?Gg1;v!iU0;mC~-Dyi9#wv3g(ubM6Ki2A765gt)*HCyZv^-{A% z9#Ky<Tj&w>P_qRPIov}_`0i?UxF=dSH9O2B>Z)eX^@zHt*`Xd$XEi&-BkH7P2YW=C zu4d2i$W%2u$RmoX*?}HWM9rS<5rx(40FOvfv;94ykeZFPi>P~M2_ICm{n}-QD4=G~ z@`(Iuwy#GdtJyvtk)&pOdqkp|?d1^(YPKg8wd*KKcwWu+@I)hOw!25fso8EGkx$Kb zb&JT?YPO3<^p%?J>=FG-)w7*EvM<%F<`I3NW>t^qpK3Ph5q+*^BOcK|)NI%z`n#4@ z96CR0fjde*)3P9CPDS7m@~H-Uyi3+dKGCvZWzKkw<ZoIQw9GC0tCj^XbIU%~vLI$| z*(puWf||L7A8A=|Gq>zREemeumVKaQLC)N=_q8n8nOpW3Eem?)mi<|4!O9Pr&HuPY z@+YkY49y+!J*@={%`JOZYXL=b%l@dffTOu(f6!V$(%iClf}sz6AK`m?q2Gso8Tx5R ze=77~=uYxz=;qMXp-V!?Li@-)`01i8?4UEbEi^eaGBh-FR;Y6*5d0eZ`9I<C<g3Bw zf{z97CD#V;z)u<FgV|ssX$$TQZVzsZHbwUbmj}<ow_!&GheqFw-WuH;JPSuF{n+vU zHTp{Qn&<_AcLTo;yo6(x4@IBRqnAb(x4VW$XHn-+(=l{xU^=Yy-2%h?p9Vs3@q7iR zs{f1=)sNt0H9J*J&r~<TvvV_CJZJkSN|SK7@*MdJnCo-U4IIXS%y{%uzW|@lD7-)6 z_eq-NcjWt_KX_68KD<AF8P!k7^W_*62xH`~@(Q_>JS+R8S776RQ~I;?j2w*qS&WE0 zPG$}idrJ36k4U#kmq}^Z{jZglN_F^siFHsiXyO-AZ`l7&iErSGw?7mAARfoL&I{oM zuoovhuZC~y1>!86v0f}r5Iz)M7hVv4B>Y48z3_b@UnpduaJUh!0hMqG7%l7+;=&5y 
z{OAt;E1{pzMF<Gz@=x>c!AIa_{%_Go^5;z_Lv->MdG&yF9dpOP_D;H%L2T`$YZ%0? zPBL9>u$z)h?--0UNnsH%z@!j^7*~?%?}Xtb1uW@bCBFqfmShW_!a-IGe<X<({7@1s z_<_X3iP-Y&!Vi*2rZW`wsgmg_ggxqiTmjQB=KoNGZ%_flL#UCwFA=L+e~~x_^+xh% z$!CfGBz|qd_r$L(_^$Xb3;t33(t>{wzp&stqIt?3?i%9fmh^4W^d*IJhWK|Tg-eF` znF-0$;-{w9)FDzYeqzPgEt=k@hsayvUzrqc7UIVyM7mQJyjT3lf|rROTJTNr0|wzZ zA--?H`^3Lk@VDZhO{kOKh<~!gzZTzP{#pl%#CI*>8{!`sgy)0!2MgXOzGK0AMbp_2 z-VNg0EQ13@qUq~*fc#2)i$#S$gZQQe?-LDQKb>%JUl2`azx~L;^y}MSB)(zAeO+Yd z?m74=h^C7l+!MstS%f<Bn)sRpe<7Oge0Ahi@l_^;_kn17{=w-${JAClx%e`^Hbx!P z_9exaOjIQP%)0-wX!--fk3cm0J=_Px7gz*%4T#TM@Fnp%mcibn_^gSF#AmGAKNEk# zAp8Ktr!Dw`NWV=-3$Q0CK4nRNDn7{|EdJsX7Q9dVkp*86A7`m{C&kAs;q&6748n*n zK4QUV#UEPm8S!BTVW<}$G9m3)4_e}<#Rn|-WAT0qJ|&)H5Vm*mJ`3I}-pk6+kQDE+ zginem7_3KBe5sDstUf7H_eglh!K5ylK9R7bi+55f-ajnp;tyC17|zA-Tkrw#dnUwp z)9zrI)fS1jTlXIqZ(|UqaPd|XBCqdS()+|)Eck$Uvjra$Z(@1vC=$P8j=vq`QSn9= z0k&-M1`{GPbBe1%!LG9+JRq8LbQKC_dP7zfiRKgyqqKN6iwaw`c$Eo}*Oiv^KJf|* z>JNx{3qLHH?vgb{qUj?E8?$&ByARW{*k(dxX08ITBa5bwB+SR6=_3iNv3QY{?0&J8 zK^Tn1oCWU_vlOEJVILM@45sgDOJ6Z#MYu;yGYBKF*lfY|Vv_|=h{qU&p;x@nf_I6g zizLjtqUj<DGncrAMSyinTy4Sch^uslVapO%TJQ#Og#~XEmoo^1mAK4;H;82xyk1<& zAdbb0{Y=PREuLjbTgAQ%;^@2B$AUSrH-q?;LRRd>@OsiB_GA#p+Ql9gOpD!2h>W{4 zh_mZrR|__YT`YJ^?93p}r;D8|cvRFFTtg0v=1RSW=%Qlwzcr{`*o?t#5ThpaJuOBU zTuly%=9;`3=|oFfFPh8WY9upPcpN1cWfox-;+l&aj&=)QThe;bT>e(+NXMIEq%#-D zm1KwT5|iQttMGFRUMIZF;0kg;_@@Qyg)dq6S+P*~!bDSruS_&WFjr5U%oaXnX>gWX z_`7jm=aw%NK4VdrPZd5l(G=kyEaoz@Pxz|^_X;1g`^%;ZpO|Qh@HciFhp&YXEx22F zpWQE8A$(w>slq7}O%Xm~5tkBum+-EI>xDnD2ul|V=0do1s_++6HbpSkOdNd{-ezfV zGFtdOyT4?i@Q#V53V$@w6yXmnA`UYP<{F3d&%&GR{^Etgz~7p1s_;7#O%crX66cul zQ)fPYB|gMm#+xGrzZoizVVUBWIOTI0#IJD5Lm9*`aLPj%#E)Rg=9s{5SjuKM$4^ws zW-rF?Lds^p!%srWij~8ive`-TdycZ%!)D;u38jx&4E%neWVQx=J5c(QmF_y}JqGc+ zc9OY_;y3N2pHeerFW>w&`BZGk23Y3`gaAK>9N?beHges4fAh_!9Mkz<<G^0|*0|g= zziK^x-{7K0{X0(l?$kuSOSn_WH)sycu5V+}4D$o(8(-kgZQJ<C(k}fp++EG?mYR3l zp8uq^i>%^CDZ4S$O7`Ym+~EA7ZvNsE&wV;NIEj^UyDz#h@^0kX@JHbuN@eK&kP=)U 
zxYvKmpN1pxP15hAZsJnmCKwTq;bVvoa<6iIeV6#Q;{)qOWZ)?LR)fE1Y($~`dmfDe z{C@SI8SKHstOq}Lt$%ly(fD!ZK`C};rFCcBb^h=4Zrn5?<ijsZ(Mlc((O)^Se{?0U z^%g7hts|vg`EXc{<nO-Ae@OG;H+=D<Cq|pBqrVQ4UoutdcCz|z|64+*{e#<YE~hs~ z=5KghT6FTMlm5%(RW#8M-=n^09-nJm5E&ePMEL+;-|3C-?M%RL+h&6O1FvHbH^{$E zJ|WM;2XG#i%5a?Rpx6~g)?0)_LU;aee1<P2uak>lB=vD8@p~W05TBL$f7N|?Togyz ze^>WRch3!jpr~kzA`rO*Z@f@IF(4=)ni$P63@|#(keLC*9FyU2a~cV&t%*rAhsm4l zYjkr=?wH+d?(5wnn|H5VZtnBlB%5QC{e7!?2AIM3efQn{>zB_iLU(m_)l<*$eU7eb zi)`8}-%0pcO^hm$oA$}y@e>Ty<LME(cUYdmPspysEr&LZsu)2&-7g=QTv0JXkG>7@ z^tfA<qV(9kMY2ZfRQWcX|FHr+C9byZklZ~Xbvf?TYVTMWeMjV`L-I`|dHs^nmpJK5 zBA)Bz2T1a^1tZt{1$te@NjekMD|yMGEyS~7F-8622KfLxbtFvEINRH{r?BVQRW_e( zqiw!zqV*f=@2!toZ?cB5V||4++iI|UXnE0c!t!IwF3VQS3haNRH@|0o-hAAQ6GKoV zzr>tjre6J1_%!n>lMnlp%{NU%Rs8Rbj~Z_>hK){Rg)!S`Fnnlu(Qvn6$Ph3z;seT1 zy8NB|NBMF2sN65R<TcpQ$b^l^UdCC9!}!*+Nm?vT5x<8w`~)@^8x-5bDtw=4(SNG{ z5B)v*{rVp48dj>$(ES}BIsP1bQ~pTj)}0MWwF#dKzd}*Fijwwog=NBYf$(qhzu<32 zDZ7{7z|Z3+k-y>im!D6<21Qp8FWE@uku-wiKgcPt7yhFM5u`+Jo=u+Nhkc(;i_A+U zFBsLy$z-W|b_#hvWE6hjc47N0vPXDJc#2OK?iBV4eqocaM3|<l(J$0D5IZR(Zrf>m zp70a!-Op|Na4O|y+fp11t+T#|?M6>ne{9`l-D+KForO;lKC--GxtH8(IcT{^S0oOT zpNU(<Zrx7Z<$OJPUB4F}sotgkGrvHbPX5MsilL>t6p_a{(W@+3sE+v1{F3>kdB1s= z`CRjI^9-}j^e(=W{ddzoY#X=9wAeHiv6Hv3lj`jdj}Bv<vBa2W_y$ps$8ntHprPGx zwxPg~EPugY&ELsCje{*8!lrST@}~tNJLO9KWbDHBJ*n1TfYmW$pQ(e=g%hwRT$waW zk`ShNk&Wm?{U&umAt_Yn6q0oHaU39_8ViYy(a|(=xDY?AZpkAVL{KltA{iM|<<xX` zu0&b=rut1K1tkTeEniS4XQ7hNJR6+^=8$~#)k5@X$s$wK#%1_z(K0eaoxTizUbU1= zH;o*3#9yS|SxBa;7tO$ry;-DFoidv&(upUyRQ01-c&2p@$*{~V7&&=@zel|qT~Fu6 zk7l&ZE24UE28MH}0K@SX;J0r|(bpSvo|Bhi#+MY5>8i63!?~GW`*IHcd~^=j<>ooK zR)u$}8)lHR#!b1nVB~}){x@nv7ARPiMNBvYgKWh~E}Mz^{VZZt+e^{a{H6GD*HY3M z@h>BL`Qg_-&WP;DB`*_oMjlxd>CPix6ZMV)(y)oDi)`)=C`ns^&4@2xLe?~hZ;NG$ z`KRV8d`GQ<GmOS3jEBJsHp4N)GK9Bw%9)V367f0Fq5rG?xV}R72h^e%g`@oEd<I#^ z-2oN3Q4UWF3nnf%YdHDq)X1-E<UC#%&I@zu$_vGG^*Rs9RO=oVJ0h=!<%fmjwOu2c zsIQ4>sK*CoRX(s!)-BJ#k@U7E>#dfTEU8c<E%>T?o$)E-MTQ3r1#(DEm7W*B5w8&| 
z^r!VT*mX8X_>*AbE6LSlCU*<BWvFbTnwKxHvtJyZK58zSm@PS}N@*%=$rAOGeEIU! z`QZ$x&_ug+**#>r`bvS^npzf~iu)I8D%KfO;~NU)yHmoo;VGjtaIqP9SIS)^bzyiC z9%3INWrVlH9{Qn7K9-sio`_pDT7UCnD*N$OvP$gh!zrWvF`cdAEVK#gIZI@Ry0jYT z!F?T!<ctdWwbVIb3ISYNKQ*ye>^(^qGYFtwTq(~@mBKbOO0*o$R?6M>6=Cb>yDFF+ z=#=oTsZ;b0^}Fk3tNPRnVv<VM%I(Qq*bFMBXzw}~RE%7+R?g8crx&JhcX765IL7`; z%MZ~1>&$PMcbV=mzGloYY?E(8MO3BOk4+tC=`I$2EqH`XY{8sFwsT){cY$F#A}ccF zC-_L0A`crCLwFWOn*c7_U9MoD+~?fs@~d^5rD}Ee9Qjum{fxxX<KVyv>b^YrFb@4a z#9c~CI9;Rkp7gwQTpGegl}*wTd?Ce&Z)2zDe-p35p<ZqrFZG|~5x$Dg<88ufVK#QH z`-p#;|EX@KP88l3UJ&jUu7&A)mJiwPw(YlFXmjBEv3y$!%-<W<r>)1W`|;(N)4I-D zY)!`}@9$Y&wnQv9T0(>PW~|;)s=E?)&|v;dIN$sl_5r*dCzf|%7r@o#v&?q#6?Or9 z!}JWk7CUIV)YPtf6?*_KGASn6_!+8RdX2v|K4!cP!RvtW9BgHs!?!{ZzcT#M@Fczz z8#e4VI1FnIg@!cwd-=5dJU0HjPUn~V07P$<-Sf#FY~;C6o+j(XJH;V<^uHZ(;6mLN zK)vrFFVDj|Ua#-dt<<{_^<Ai+j(z<;<<u({LkqoJ3vJbb-_pmP#52ES<ls5}Rkdz0 z^zH1$<SaF*glh9eq-o*U)+LKZ_4FUo<&;$IaG<7&xkaPrO!ANDR&wb>WvQA5o4$w~ zQKfk#%TiJ@dYIi&)wz%y*I{%_J5N^&N}*s2YVg*b^YG(zH7QnWib*<Eh&MnX9?}$I z<i5pZCsEf|6TkYO)x<OjXU(xg=m?G#nqNGkQ(ciYHTX_V{cb&ZxM*yfl9G{w>Q=>F zFCIBiZ<(quCTrE!VsfXNTS7ik3+9n!k%4*S23{>)NOD$E;h4(p=4_Jn2Fo*+^DSxS z<EFowmP0i58s0LTFQ1UU2L!zW#eYe<Dxpu9iW)r+pGh7e`P|#wZivScp*7s3Zups$ zqJHy{bYqGs+&HSu0#utV*1)gz6Y0N*F1$Kis}>~7Q`HZ)k_GDCo1kfDC(BdxsiE*1 zNY-LafM>*%#d&G6*PaswOpSu`zKKi^;NZpy5$i<xlwjWw2EdHnb+fxgR3jZKmv^gI zPLXd+33r8;jx_0?%bMWG%L!`7RQZ>c^o`TGXE=O>S%*(9k64#jKC}D?hxWCZ9x+*s zcfuDrN4`s5C4CJcT_gTUycSz@_^`?3Fm~FV&G$m3U&=iLQuOJ<^TOTgG$N;~C*G2D z>hCTgS?Z~uNFC}Me~@&M!+(@ocy;d^()Y>cuy2$~T~u40d{cT@fW~Y+gT}Nx4~=>1 z&yvH=g<Yc)VJ=Ff?j31ZTtX+2&TZsudDh(kxtw{e>7els#ymq%K83Q+?cz!OxB5Dr z3Y{^JzX<5@Ub2G-++l9xP}!u2`vplAA}_rnO*At=y^g<?lU|pef?nD$T_icBb=W#L z9h&J~e7SkQc!M~Ay*M|Di%}eEK-T8B`p5LQ>95iU^;@w6?pgX|WM^L2J*~T2r|Oz* zPum7<H8$S*jJ4Og5H8+rmPYW|ugr(c+s(6aB4Pxa1J5^pg%3}I#%a==uMO`2)OE^V z$&big@)F$)WN%Ig9bmoJ`CIwT{50}Aa)4Cfbi)_m0nXydYY?hmlcXgwd{i6^Ok%79 z4|Pt`QaP(C?%=PZFOvMEIvIu!ZTVPRn7tKt?%*mpt1<3+=}V*}X`!68BJS#U=Sj2e 
zq<xVLLooJ@@Tqc=t5?cd8{(P+-^@*#Cxf@gz7m{0ljoj}{CX{M2uWpfR(;&<Eh+jU zJO4ChRS|c6+F~)+&a0JjmUg^tYzAACrTKR9v&GRdjm+$$l~PU-xxLqr71oY1jy}L_ zR<*CKjUGSFt||5O8qRC(@Tfz{QlVP(k~qcAC(V_!O5%nv=Ot0G^JKN0)f9Jq@8e`1 zB^G<n$TGkO%uZg>C<C92oj%Y>xt%*aZho)bi&YypyAyUgyHm?$ppvn@;QD0s()&ni z(pnjQ?ATk^Tq-WK^Q~B<xOuDJ-bZqi#w{Jf13Aeh^X074xK4K6PiE7`@m-`5DLaGw zDUsF*Fd)Ou-I~}$UAITdv6C(1812dl(p)=v6cena0~nzm{N#e<<+U=<-`L3k`>jl> zlCzv~SBp}mMRxMYnkXqoI)OvKFu8IZi&+m#MRqcGeYEqD<_L%^Pc9xe^oM>*&PrM* z1J8{e3D8{W_(eyUCuclQ=RQMUm_Cl40DIXX?i#AYGPy?1cF0x?2Xg?5_*IM7{F&Ja zr+g~Z@VACi`Iqu0Z0)@e+Xw9tGpHigXX&2MohN)H9LIjXYsnF^l>0Aq68kTl-iOEz zgbNok!lh%mf3?pWba{hHz029<k0^(wH-yOEQ_?p=N^jp7NM1{g*nG{1{rySFCZwkK zrH}7Y#q2IiHS|$boq!M3mtG(_2$mJ8v!0cvr(D<vcpVEK)zjYRYP~=FtaO||a75BA znhX!YcGy;jU59QlJ!U!w>hW6RTI{JjTmFMgqzouwkNz5@!h^yiLOnp?5%MWHpSuNC zs7-zRO6jpwQ{Oraq(Yl^eoRYjd!FP{OH!nMew8#MHNUS4joP$EwXsGx8*vF8ZA86V za>F?)>07N9PSdBWfql~T_APy@Mods&uVzbS*wX9P$`(}_6dTmSx5eVf=^<&AU|-T# zI@-9DHO7I_ERu7+T4azWsfgrQBcJY<E+ckF-<YtEfi=d7))OKRsnSehujreHuFhj) zy)2#Hjo?)8cX$}A*SV$Kb(}s&cUpG@+dU@>uL@V%p0Mq*l>yj1g($^2RwH)5zQ8ia z{8#f6=3etE1Q?#f=38f*EGWjf5ua7eG<=FGilAYh{0+K#8%6L71rC)Gm&s?#7JQU& zsq`earmm9A_(I|$@hrZ8d`})g80UT>g@DixkxfHo6LjTrZlk)PjHIcKRb-BiOy#g` zEIj}+YZb}VkxiU#_{NVXsh^eMj7WVmmrGBpjLg_d2+@_uxh3l7D?yu#?Kr^l=pj7S zQbvN~B@Sqylv=xZyMUFQGhX6udY%*~Rm)lKIGKI-d9o}C>U#^l8WVfOY)g`p$0_xJ z7ogO~=>jnHS@e|41~6QmT7MG;Yd9$?ys$|-K=Y$IGE04BE14WwdL9DK+Htpa+i|Mq zk?rJs5MhDVj$O(xBZ~H?d|b+m{9+ZciAf9OtYvY7Uiuu#9<SveYm^q+$wlJ~1Dw_T zI!>kBGLyqGp9gK#)<0XXN0e&7vIIML?J!TnDa7kdys^t@F+5?|jA-*^(uY#N_$x6B z=<addHr)ha9X!GF`80ALX+XgIT1>V)a^hU6h)>n`wL@}NXp)m1lN<nppuMuMZItKh z8Kd5~O=<@A&FgDX!>>sh>h%GV5jk<G^eGQrvK<{Is3#TcRs<0&jHC}pX*{&b7BouG zDiPR{F8w)l2$|eDob4uCqxB2xPpoHKKCsL--(+5H`T~K>RftGTG2CQml7|qHxI>!B zRL5=DQDYDXLU<8Z{4rlmE+RJWW^@wwU!-dt6};+x%jkTzYhp?9HTA+H@c4HUdsV+- zw8<9Mq>}>l4{D@sB(<<##OU1`tv1AH1tu(|Q&eB9l}b{=tNZn%UDU8Hif9)_8>G!7 zmGtxIqEzc*W~>WX=UI$OUu~2`Vqeu48tvk2)&-7_pAcEmAhnRx?7oZ8MMA7Q0{-#w 
zsX|{j?k&^0&x&;qj>}>rJiJ+&W?$JiCKRMW@Ao%LPxA-Pmvq&$xE{{7$of2@%@eRO z%XZ5|^PT4NO@Bcwc`5eGA2gQYjO)t`Q{V-!fxDk0UN4$a-c+gUL8y0FsN!ElP*)<$ zxF@(CD1~hGaJuxgy|N$qikN4^I7uzSgjDx_X;)<06zMQ;Kf8a<Xp{5koFngNNc|+$ z)SrVXCF*~mt6cTObg3>aZ0JXpB9W(5z{Oqm>HV`uJJoB;Nh23b#qTppzR1i~l2@{q z_apZc8(%GJcdAOd55bM)Tq#6`d`F%^xU0c-3NFBEo8J1IbssjdnQHkRoB)R<3p>^P z#OyW~;H-heCXZ>h@iXK7I3BCi@OSJs6EajA?AVg<22`iX*hnUf4P<2Tl(<byf;$?< z)-XJ_`M*|oj&73h2jP&g4RM<f`ICG%pRt_G<NnS)%^j3;H8{7viXDPZPeDHhA$~y9 zSc@AF>tpBr{^AlblNYwAMZ2NMj@OfBvIx!QsUPmc-+ym`Qu_3IGFyl?_DY#V7@qn` zEzX$B4cmrie3CYt`*kHTMK)|8e<a$8#Fj>KQ0uRv9&ub8NM5E}F6UOMj!h&j@^~Ye zEi(5zgY$E?0oxMmW0tQi7g>n;Leop8LgTH_O0769VHz~jX|V}~aYM-eyeNDv>=P#7 zkT98CMOLXR-w;b6pBqM3Au6AGu>C8t)Jg0s``3@&)!5c&l>S8Q8~OndVv84bo3Y4| zeP(GfG)_PAKjXLq5Rl@SLbcQe^f0Br9BmpksaY128n{ezS)1S5q};Ud#QxQ2v_WgM zIMxU*Q6X!To-F00&g=)IfIkE6lM$|nwSh--ZE8k;8E!Rcw^qb%!P6*akMFQcbMW}e zGdvF0;M&xb{uQ{D5Xn?yUPB5Mg}Lg(DblP|sh_5)62p++rbykG=Q7+%oF@?b6{)%X z2rK}Fvyq=28y;}@K|9}1q0db1mZs4Dnkog7cl9Ib6+?eDK!55`n)I%HRsW*V<zUJy za{EN-OHxidm<HtxCRu9jv3zG)V15X?{RvZ#QD-<}*o4qpo17s%DEY)E#kKku^aJp_ zON1c*HGiBhChrkE3})V@Cch_M43**?eT`<E9(_+N=k2Ba?$H~|m?A0qP|T%#GRB-S zK8alRktp!??0)Cy6RAx4Pf!MW=@YS-?5~#Y22Hn(r)dP<(@c`m=j%Tgk81=UWN0tq z<|Re2m-TNN?YD}J<N>`@NN}Se@kW{?brUUu0}B?FqaQ5Sfk->elIa#4zt><iBFg)K z^aHj(U5D^RD*}x7pp2B7zh4TM3Df!CkT=OLVgr$$RVO|p{xT)pIe=htR5tpv+0;Hm zyeN|YtoSZ(FB=$Rs@MS4A{v%vA#fU&jvy?(j->Vu5KO;B<A5nq=7_+1{tc1Cnf(_d z36Vd1^oO*_zBk10h`qMIcjTpgEK(1IOzHWS*hTDX`eCAC;@YTDn<8m|<0z8;;k5Xr zeQAGSwAl*QtaHR<9Dhf264W$2$dz&@IWZHP#a8Rmg?EILNHeYzQf$AlU2SW!O@s4w zm$k!M42^UzK4V^heNXS=-otKMH}YF}JNYHKfjEewe-|m1E^~`{CU??w8XDYTO2_BQ z_aZ?z*YGw{G7dw!{1oboGjJ}`VbK1sVnp1c6F$;CNK^M3#9cN7?8lC9pK}1|D5%Ma zYSW`)4lh*DW7j9DmdC`Ik;6a60!4s{j}eMGABpMkf2W;HQnz1^ToulRpQIh!{_+jt zN_DA=tUAyP0J_ad%mn9x=7uv=#}Ima;byT~6`bT;b^ER2LUltkS*HPacK6-e@Nyob zyO>NIUiq;uvTKNZ!0RgI+%4)1FJ0v?#Qez60g@yz^f#6JkXrsc%g-&n=7-H2P46RC zKGFE1vBmJ6VIQ*ix5-P84jz;yi#zo9>t)?$;VyjcTt%)&igp#hd-#aC7|3woEG_@^ 
z8=8Nb`Us+;_B+K-^pVY{M1|Nd9zX&prZcn@(VI2V6j9`}C&c^UX$_3Y%V?g~3E(G+ z6&$K>B0`eQPl>P0>yrnP%p8pcQI*vftIPPuqCw4CTxj=8;-r*t`2g}ZF^1HPf9FWp z^|PnN>|*+gREkW?t=A$)HU)s_W*qW0%TO*4<Djl2agBZm=>W5EF5gT}A{u!P_##Ia z&Kg*uzNuiuN!N+G$j(FJei3owfdw>foUR^slEsl1j)>RE>_hxC&coSCt=*P;&EJ^o zO~c0bj0+3{`1*aav_pIxsdlIC7UB0o34aM}&UDTL)>)(r7Y;P4+pFdD$n?umUP9@A zwnqPLJ3xPy|2uz3{6Jz#e+G?796)6CE$eP;5#r=+7Sa5O=>t;;am(inzc*YU_o5)a zMf_IWhcr^V?gzxm|AZsS=HPqw%{WOYi+glTL;|__9h=4fu&)^ijuJ2`(NH6iOSa$y zvb1pa01X8v;8hh-t^FzC;J}zLaG@sU)CXsYvDdeVGt>{l;)5ySodcsPx<5nHV^mWi zH11GoyNJ7AY(r9S08U73Eww_7zYmCl?!ft?ZhaQlLH(y9Yb&y6_gbpWr?IPGG5qId zoZPn9@Dla}OqXAlc}c~2YCd>R59w>+iC>4*t3kL?Xy8A<(Wc4d-^dE?H(bY1*_6n( zh2m{MsDm`in1E0th;QDjvo9Vrjt*!s9e9K+7t`Qr49cT7G*6>)h4@fp>IU(k-d;H{ zMukQJGo=gD%#1F*P2%VD{5<3Y4|B5KwncZpEytS5ziD}1_>E<+Wg~AiKdQe>ujno( z)#fdx8+3|zyEIYAFs|ng8y-S@fS#ecEfg*=^n$y?+d2N6vO1;A<MIcWD4A7Wr>~>a z;|jVIpI=$;Q&u~i?XG+$B29juM_KD~w7C2TI0Z8sd_GTRQ@hLS>c*8$Um)Oa_P7+6 zH_+vGDZzG^;*5W^p`lJe?G=6A9SA7_S5WD32ip~|FQ2u{qrU}$KEEqZ>F5ds^Zl-F zhsWLG2)YU~g(t#G4K)~WUv~U}D}DYB2SQ*$KaB%d`29Y=Hnfed9={vYpd)E^ICr-B zeO=xbrPJ?g^E*01N>_kBfImAipcWUV?DlyTUn?57D9(0=-{B16PJneBC{UD!c6R_H z_IMP(>w+#fCh5R$lw5Ai8xJPD$+Zh%xu63?!SIiT8;xN?$3K&ef5!;LSNlP_{BmE1 z!|hepIl3M7PQSYoGxBx$oi3%4c8*o?V7xxBHnj?k#$y@>w8pJy98eq>n#Tu1w<xWC zU&nB=CpDC(I52rSLak{4tK-cMD$Q6XZEZbh-rS4zYXNCo{y=O-j?PYx+v%Xx!8~p& zmD{LNj9&yc2c@2pTN^zkZBBV@jk3xSaJA%S;wvwoM|dE-z~G=Xkm4U-8w_^(cJ(Ux zN}Zqn8|AVZcK{>NrrbbR(G>_P?v4&uiyJ(lbhv}=Ha0HslM?hP%^qa1qg~J?qRlmi z1G_l_ip$~m^wM8q%&HNk+0_c3qqON&+TB5=7qnF3XMNu~`9h3)V*IerJnK5p&K;m} z*<4JhzS9kc*XEzOzOXD)IN5GkjlRN$_|Dc+@u>A;fRv2dq!Hh3b+=J*Vq@xYHB+G+ zGc*X1pGqGl4@xQZ_0>vFJBS&`#Zuj!Cs)OmDl{tL6}!OJUWZ572s(m)HAxo!-7O>L zoO)sWs8;)YJKZj-2k08H;Z=GZZE<WEY=`_&&KhabiY9bTsEC8Mio+A~fX!%E0SxS} zHn|6{YK(tX1q8sOI9gi#u0Q~fQDKEdG`X7VX<<T8>A-bITa+{#T^+t|XdC(v7M~7* zvc1<AR64tw!LWGGoqZXGdc3IL$%W#STt#(F*;)t{#s=L%#lG6**f~P;09`Vrr`?4~ z`6<O|ui7)16x2eO!-I8-Y5_J%sF9W~C+#XvaknbqB6om_7kcn2El_t<4d8NtQWd?c 
z-HK{Uhto+Xjb+4>(SGr!F8X*dDtt_U=_Q}vy;~DU=wT=!Pr$cCVXMBRu+Zh{aI_b+ zL9cc-7r1?ej=}&<4&W=pwtN>=j`<#6TYe|#7%0pX9`hNRK%lS?zZ8rY>!1NUU<dq4 zozLUxqI1(I1Q~_O1OWmLFGO&+redkiz<PCdX-nQY@-$SdyCVdi_6IVBN5dWi)gOHw z<KI}X#PS(s-B?vdv2M3Rp`#hka3d0-i2y`-R8K|4B9Cc7=yQ*w(d%^i^AuOmSwI;R zDo+zEs6?OQqf*DZQ374gcBT+%S|#@K`T{yKjVs*LICjugfre90+()K`z-f<!GYo4e zA${@FS`9Nog#elijOJ|DrU8=$#opLZnZGD19v&s=+7%pmG1$J@2g}HWYK+;WDjZAV zP=b!O02Pk44K>vv%Aqcp?G`$u7MIfl($m#qEjHIwV|?MT)etVh0A2Cp8!H0k?ts(d zW5ye53yg`ig@lc5!rllqwb9iIUc!1)MV$im#;`!SPZK{!ATWG#cyg$5V-=P5y<weZ z`C$Iyq;PD{aW5}-HFrf#xl*GEeIWV@cYv`)3vIy?zfq+SfN@}2yt6CNPU#Tzg{W<h z3MGbdeb{acBU_OAFAan7#E44z9|skJh>agr{GhJst1$#HrU4BUj9`MQ4hX1Hu?vO@ zomBfY^Gg@H&hPGaID3_HN6?|Yew8+Hs3czxow=Jn3tbX|L4>uZc&Y^~&X`G)6{<-J z(O1y#@CIN-gJ=LTpxoB%_w}Gr9)mrdiVxCEFS|OLT`d$(z`{l??il4sL5B9)7)o;b zx;)s}pu^?xLY+ZV(}7`xm=d%j5S@e0Wd}eW>wZmLJ$S#P)8~a?p^sX;6POImAj0mQ zn1##lhQ;!BVI2MdM%RuPv@q32C&^ynYQZWW4liLUzb_*}<*xxw^}C%)9SjT|OfBG@ zCu&O?J1NFwBXP90!Xjd#QA!1Tt-&4`mOMJ%4v1K5FKZWI7!4MVl1(#zy-_R)UBX~% zi1rD&^!Iks4%wumOzHs1J35&PfxOZN5Lb+Tm(#F<a%h4&UQ^M)^h8~4eS@~<Q2@wZ z&9oQ2MHL%0B<yuP?I9QJVeGnVS0|enUNRg`F`P}`(iAU_<qQn?{JqL5$^;-%0(+0# zXH0_oSSeVuAce*FU(6f=ygTTUg<@`ihoT`sQHD)heBe!LPu*U~CYH_}*h#g-(f<Rk zg!=KY+2pbj3YRaH-I!1UCJp_s@JxI9K$T1#p??C~K^8lrEX0uAp}u6px#+5YHKlC% zDCCNws3urtDp4$54`e?Aq(;0b2gHB@E*PjF`~j*+Cx*a!bZNnp@Uf^Q`*ym3Gaw{h ziWf$Np~ulnHIC8=4Ge;74h|%6lnLS1c)c!9fijkXsDLw&;8GHS8yk%sD;6COl^kj! 
zF|0Id_j-%u4dW>voo>AcUYAl12;qbh(ujRsILmMzo(Q|+nGg1rBIf*t-cI01%}IpO z9Oc63fL(AYF+V6rcZlIjCPZuoU~qRUB%B&aU;%&>=nRM;9XjngNV|q)c43-S`C-=4 zTc8=87zHW-(@c-tLPI~9T&)&1dD6NS2Nv9ES%q^6I!$+=yzp1X%ZrTD4EN$Rt1S8V z*n~im>cpG%pX>XP<d`h{h<}IQMGli5VnF1i7Jcm;T&5nKsGkt|E=|9X*f$R@9*qL@ zu<(Fml710M%@|yWm_lN@;NEooRjIZ?R2QHa483K9=f*<yC<mLvG70xh*3V1{_YBS- z>9~JB>ln3(U+aXn!Mx$R&nHAKE)qL<d--72NV7f``--HOh!r|o7QSvK*UjNjhYs6J z>wVTW)=b1qD$RdGvD*^UmBzP?C5B(fFW{i9Qk<G~voufa6l-wo!G7H=;eNrx|G@9# zEBPs8BX^qXrr|Jk*#h~G_KHD7(qjP{_Bl?ZYN7l%pVHSc*n~ULFgnZC4L|&8W&{zB zNxXgKVEyQ0TJq=UQn`vpMdV=3$en0K<m46dJCR$G^w%RPJ-7z6N=QmaP?C0~u-1se z&&k|FoNy~n&%T>HK=v9h5nmR|Y_A$Jt$TI5t<Ba#%O_Hen1o8>i!IfN`@JtcO15$j zNq;ftnYPMv4R;wjxwjEU@#p8rW#a{)enT~I(+==`3^WT5>$h;dc%mybSEfEmg0hNx zg1U_xs$*WD@OZ9F9ma$ws>>0zNq9*p+@(1@De=-(1qo<_MXd#UhgyLX{_!|Te3%5G zAm>ghE7532fTDl=?vB1d6C}+G0HWwb1P7w0z*F<n*FuST0Sj8(-SDtzu%Sp{KFPlv zUAc0e3?WO@;Z@$KT4Vl94cs|jOVkr@SOrh~j_`5=4j@Vm_a>5S)G>?$ruAKcPPfzT z>k7ajKpeswjN;O$H%bu>a16Vl;R3%a*yV?o9z{zb?M8<K!3LM76BJPZ2cRjjK2&wJ zx_9B<UIp$ib+Rb2q08Vsc2GALAqqbQ->?Btzds5$7{j^$w;6=SO@TTRa1+i1ZT}DR z`bVb~`UmDU5I)a9?Mh#QyTZUPRC-mNGP*9zuw+I@O0_!lem7P8Xf+Z|pa_-TTiXzV z|AGhuuqFZ~&Aygipcpu0BkPvOA}Q<Y>k7;8|GKqxu{$6Wa13ID;CJeG6^;qNMHd}0 z12^>_v8EJyyI`Ne<W7&93PBWF8z|cOsbu0J&<6K}&S*gCWH5m<g#Lt|gw2L7y5iI0 zdA6p@6LiBhRW|2WQolXFmVwGZ%$Qanev9afMy#kY1#%1_9;Q$$dxj^q&>4jukmCTI z0vLr7F-AU2r2mYtEo!-yGPue4n7(u84lp=nWzDo}Sm0)PE~l0`_!S|a+<_@2_|8!x ztoA`wRIpGg#XeAt5E~DEA}FNICJNsXX>3pMbD~a-2iyQp14@X6P=(v)%M_-KC{(u= z`cBlrb-qBb&F{ixZM;X8$vekB7JZ6_R{*q`)5YSn7;lYx7XVlk)M!uN1e5VOmi*(i z8Utc~V_vWIqyEPY;;czD<Ph&(3OAtU!+Ot<*+@bIZiX)}3&gKIilFCdRLNPrsUp9) zsCaJvym`gNi!^+k+1QDQH%3L<?I@<MUX&C{alzdA1x3`i@w$3kenh9dOldO}=SNH& z(c6HMvmEV;a+MH+`pvF(N4J|wjK=2CFf8T^UPrKlA+kU(WTk^@E`*ALy-GHsPIz~L zrdVqNZR>s2K)PL>fowXS?4ZBPl}*QiKKwC<k@DI)Z;M-NsW?L(09zK)W^9N+M<CGY zK%6AUwaY={GE0=*?oK8D0wte%s(2yt7JgU$Sp_>BG>+F+=;)*=i9+0?!2|m5yd8zK z4SuDgDI9%W0qZ`ufQ96hMO|}?=Z2IV$n;34t*57_z{lLk0?2>i4utLtfpy!xKJ*J& 
zV^;#MLiQ|@86LPjh=0=Z^ju0Aii=?p+Z<G}uvs&-iiOfL2bA4Gjuuy|g9^8|Eu>`Q zMFoK_Z@~_brNH0eF7P!|m{9=w1%izmtEsd!W6`piEs1aL^aZ?*4)pWiKSY<J6#+$8 zHe~yXM5Gd88KOin8RJO{-Dgy1iBHt@j>y!$f9!z(d*ED}L%3?O>>MvWiLY1-u<sA} zyzmD`-nD0eOkIx=vDf4-s%BJ2vNR#2iRzD6$`|~%4aeytP2}bl=g(bKT%vU_R4g~1 zsRJk?8d9sHJPYN}I-1fE4$hI+aG`Odt7G|)1Y;*$+gHi*C<6((Fla0-3D=151=bph z6Co3q77k=X%Zvu;0KvLE@S<7}O{4*I*fhkuA>b5+Pz$I%4&BdU8B{XeUiPb|BOHE& zrMnPm%wx_}7ZOq|gx%WZp^^tf5sh&mSkt1#1ra*|aDf?NURkp%*hB3jbV#&gycHn} z#<ycGQeU>m=Vw87st*`mjHLqdG*>X_4tfxwVQyj6rNe6(=+kT%{=x*{*|87?l`A?% znj+X8hpjinvY>2*8vG8bCmkMbQ7@y8R~omDL#f+U_>y<3xz+Sj<Cn&A!#;c-SR(bH zddaHasyilpEEMoP<S~-Ots5#!lf$b9QTdYFq0YTWOjGkOBnu<wit=rSNVrITL?5jI z7@$Q4*I7QX6qzqFy<nPPbQtcD|0Y*U*P?oEvA$FHq>dLh^LLQ<$ywY0>`0w1oVmxW z9^EgdM^+w_P8m=WFnEdj={NWW_{(w>FF&?b>`+fVEbAiaME)3O3GxqeCFCVevWi!T zwc<qmY3vvDmhpgb1NLip6@^$%)aIX-kKrTaJn1jkBkxkFN_ayzLx+7kgq8eTwqKz@ z*J0zVkDx}h+G?}>j=$J)jb$mmzI+zv^fj1GrYHFoyn(!A3Yv-~o$eiMmshKQQ-6$m zj(>2O2=e`ftHQ`Dbi(h5?v^1l(aICeRyk9>B1F2idYK!G<e4J>p71-Zx?C%Z`O{AF zhN#=miKsnbB{o$Z_%xDLrYCj8iXc&XGE0E9#5=y%t(SA%>W~kW?6(~hOCs5AB#&t2 zk1N|y#qBvPPUHDfR>Kpyq65c9MJ{oXtweqN5^}9pEVJQaJpB5V(j1<gt%jRWc(cVp zZdZqBIsA@x@@?dZo6P2;>xb`i%dLk{xV+FjX!^BDG43$@4Aq}&@oC%ZVu^kbUpmYX zI{61s_t?bUrIvjr?ux8xl^!!hu0A3i&@Z6OHIZ|2whh*!h&8M=A2fY#sxlrm{ME2d zJ|=yO>Z8N@&-7)w{n+iG0Gpt^NK!Z_{Of$we(YIHtFqH0mwzSpfDdNxnWH8@h)R=9 z*P(DT-63^G-aKDAKgMcJoNbNuYHW6pX%3oxhL2&Z4XXUHyj0qQ@&}9lJlze#2SO<y zB2S?FzX`9HsSB6wsZ~$z6emY=?-zfIS1j67rXIfo8;Z=?kMC3;UN3ti7kn;$r^}?3 z2^Oi4vpr|K5j KXzCnk!6?89y<6FIUUS(mU9f#v+Bn^9|Hv>q`i`H6WrE2*Q|; z1Nb!#ua<U$gtxl=6wXJ}j=_;<Sd0}qi^dlLShWmBEb|?0&DuCah=ZXKP`aZH7!PS= z;1^iG7A*-vO>n2j=VsY^C>F$P{ay;(Pn{)KjMwa&nZ8JH#vfY3P-emesiTDqEHoWW z!2*@LfsV?U1E?uz=9ym7Uud8q&A|)ekzOLWuaCm58i$7>D_4uwM-<;XqRKl4%0L-t zc9skXQCF4blUXJZs*$>>8iZqsHIUAw<RDg$zbGw$F&O4zIu>*S;aaJiK|4dh8!$!d z2&z?kUdv18xC+{ka0_O`hk(hTX2zjZZY-+_Rn%8B<kBwL1KD&m4tN;o8beg*fe5u5 ztJYMlhvue6smG10(cx$XC;!u+^4PGWaZ%b|dByrI@bk(%EcFc|9CBgQ;G{Do^<bDs 
zKdPdugY>7{*^4P;vnl60kV~X#6+qXhLFuLy9(`e-F+7Fx^s@hX(aK$|?hqw51^YD> z4P{EsdY>0i6%f`<iNLC2>Ou1;evd9^;^JdDX>O7BLJLu%E^X9nYjwLkEpbzhn{g;E zkNM9|`Nr^igOkp9e&UQ-3NOEb2CCsxjD}NUdG?Sev)T>Mfh8=o%y)fnN2||E=?u_A zlLf#QE=0_M3D^|llHrAMiEwJ&kz_`~5-z4YRx3lfjY5VfMZj8tSd1911og?`+JJMb z>a@f#t(mwKM?h2GFgz!IMop*>P|D(lfYc-lD6!lphD_l+dmq@!i{B~C&_eJOiPY0E zQdWe!jY_JJm&W4~68s%-9*|NGbYuz__swF}PW?Uc<7kW_v$fRQt)xW~n#kjZ0?12W z!AcflxdNnF80b+nM*)1oKv)PYtmHWTE*dC7J{jpKxH8E7bRcw2sYtaY^eUwxx`Z24 zOP3>7+l9L<5|3M&OrP;3Nbi70gKn@oh!0RVx@aLv9TrWbw?_JPY2(LJv8H$y+{5Tf z6HE|1s&h1_N68fK>04x=wIuyr|0|tn^kT%d4#gnkKSjNNop>Rd$M~nI_pcK#6a=&1 zTPD-wbAm$@tvh3W&Zy&oz{?pNoqvNF-$E6DC7%5C(M(lUIi))MQj`p^YCMhHmA()P z>$JcLq=l+mz;|TEVqB{|7t4kfU_W+hacD3ZNmxW%MxWIbcr?{TLv_t=ua=<(=SGuh zG^|R;;Mc~0nV$$zcWeCAqr<Lr?_zzh(F*q`go|QvA69u)Pb1lkRte^RzveDn!r3aU zS6E)NOf#=AU4!cKTtgTKPEVXE1>i5F>Rq~%IwEY~kC8tE*k1zZx=s$~>_K&G?n3nf zyFN|Lx{^$dT+=OH0N6EePm?<LKY{c%oDd(<7tvQtz*cy`bBC}q$^>{M51Z1At%iH$ zALMn?jpA!!ivDcfQQf(MjbDLs@FDZNEq$~0pvDwRu7vAfooX3d{25K$oheUQ3+D~i zvfGuHSqGO4zhsUUf5sMyTGam!(w0<XhpYGOGI7Yn%;owr;;Hc8lnRWYKpC_<CBQ#Z zI1u{ZD+j1f9?jYQ1BC;0LVauZ^q9EqbXf-^6s?b`=`9;m8C4OYMPOsm^_Y2$tn5Zt zx7*djv~IMr)Jemz%%DO!Q>=$LK&%u>aU%GH0K4X!Gay(%;~QrHR}LjKV&$mjM;MId zf)I1?x}n~qeMGI4(^UxZ0!9X!p(zi|ylUa}oM=2fmj>Mty@p563WBJ`ABk$jRlU&R zC=TQwn12BL=wlVYcmU3X);G1D1x)H!@98#b>;Ww?mY9i=rfB$U3>Bl?!MJSp9(;3| zJD&<_M%YKc;!~9eWn*OX4)G2>_1rqB=Qdegayd~V-*k#w^+|fP<!xW!C--C9x3(`L z<Q4v1+r*)M1y}ZkH}m+1*gnTkZrJvDB)OA+$40J=e0dXZN;=l5PdavjSB`xqC;dMe C_uV`I From b2163dbd3929d30e01f5f2b38a181a5428256d36 Mon Sep 17 00:00:00 2001 From: Spyros <northdpole@users.noreply.github.com> Date: Fri, 4 Mar 2022 17:22:54 +0000 Subject: [PATCH 04/26] fix deeplink (#167) --- .../frontend/src/pages/Deeplink/Deeplink.tsx | 11 ++++++---- application/frontend/src/routes.tsx | 22 +++++++++++++++++-- 2 files changed, 27 insertions(+), 6 deletions(-) 
diff --git a/application/frontend/src/pages/Deeplink/Deeplink.tsx b/application/frontend/src/pages/Deeplink/Deeplink.tsx index ce5faf0f4..e6123c4c1 100644 --- a/application/frontend/src/pages/Deeplink/Deeplink.tsx +++ b/application/frontend/src/pages/Deeplink/Deeplink.tsx @@ -6,17 +6,19 @@ import { useEnvironment } from '../../hooks'; import { LoadingAndErrorIndicator } from '../../components/LoadingAndErrorIndicator'; import { Document } from '../../types'; export const Deeplink = () => { - let { type, nodeName } = useParams(); + let { type, nodeName, section,subsection,tooltype } = useParams(); const { apiUrl } = useEnvironment(); const [loading, setLoading] = useState<boolean>(false); const search = useLocation().search; - const section = new URLSearchParams(search).get('section') - const subsection = new URLSearchParams(search).get('subsection') + section = section?section:new URLSearchParams(search).get('section') + subsection = subsection?subsection:new URLSearchParams(search).get('subsection') + tooltype = tooltype?tooltype:new URLSearchParams(search).get('tooltype') if (!type) { // Backwards compatible fix, the url used to be /deeplink/:nodename, new url is /deeplink/:type/:nodename type = "Standard" } - var url = `${apiUrl}/${type}/${nodeName}` + (section != null ? `?section=${section}&` : "") + (subsection != null ? `subsection=${subsection}&` : "") + var url = `${apiUrl}/${type}/${nodeName}` + (section != null ? `?section=${section}&` : "") + (subsection != null ? `subsection=${subsection}&` : "") + (tooltype !=null? `tooltype=${tooltype}&`:"") + const { error, data, refetch } = useQuery<{ standards: Document[]; }, string>('deeplink', () => fetch(url).then((res) => res.json()), { retry: false, enabled: false, 
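Review bot: The `section`, `subsection` and `tooltype` values are interpolated into the API URL unencoded on the `var url = ...` line, so a value containing `&`, `#` or `?` changes the query the backend receives. The `?` is also emitted only by the `section` branch, so a deeplink carrying just `subsection` or `tooltype` appends `subsection=...&` directly to the path. Building the query with `URLSearchParams` and encoding the two path segments fixes both problems and drops the trailing `&`. The body of `Deeplink` continues outside this hunk.
```typescript
// … unchanged: useParams() destructuring and the query-string fallbacks for section/subsection/tooltype …
const query = new URLSearchParams();
if (section) query.set('section', section);
if (subsection) query.set('subsection', subsection);
if (tooltype) query.set('tooltype', tooltype);
const qs = query.toString();
const url = `${apiUrl}/${encodeURIComponent(type)}/${encodeURIComponent(nodeName)}` + (qs ? `?${qs}` : '');
```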
@@ -40,6 +42,7 @@ export const Deeplink = () => { {!error && !loading && documents.map((standard, i) => ( + // console.log( (standard && standard.hyperlink && standard.hyperlink.length > 0) ? standard.hyperlink : window.location.href) window.location.href = (standard && standard.hyperlink && standard.hyperlink.length > 0) ? standard.hyperlink : window.location.href ))} diff --git a/application/frontend/src/routes.tsx b/application/frontend/src/routes.tsx index 3cbf6f2bc..692c62db9 100644 --- a/application/frontend/src/routes.tsx +++ b/application/frontend/src/routes.tsx @@ -54,16 +54,34 @@ export const ROUTES: IRoute[] = [ showFilter: true, }, { - path: `${DEEPLINK}/node/:type/:nodeName`, + path: `${DEEPLINK}/node/:type/:nodeName/section/:section`, component: Deeplink, showHeader: true, showFilter: false, }, { + path: `${DEEPLINK}/node/:type/:nodeName/section/:section/subsection/:subsection`, + component: Deeplink, + showHeader: true, + showFilter: false, + }, + { + path: `${DEEPLINK}/node/:type/:nodeName/tooltype/:tooltype`, + component: Deeplink, + showHeader: true, + showFilter: false, + }, + { + path: `${DEEPLINK}/node/:type/:nodeName`, + component: Deeplink, + showHeader: true, + showFilter: false, + }, + { path: `${DEEPLINK}/:nodeName`, component: Deeplink, showHeader: true, showFilter: false, }, - + ]; From f87ebbcc79b73ee7cd2788d0b3e4336bc7612b24 Mon Sep 17 00:00:00 2001 From: Spyros <northdpole@users.noreply.github.com> Date: Sun, 6 Mar 2022 10:57:54 +0000 Subject: [PATCH 05/26] make the links in the index page point to the same domain the app is in (#171) --- .../frontend/src/pages/Search/components/BodyText.tsx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/application/frontend/src/pages/Search/components/BodyText.tsx b/application/frontend/src/pages/Search/components/BodyText.tsx index bcc01d2eb..bacb3fc6b 100644 --- a/application/frontend/src/pages/Search/components/BodyText.tsx 
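Review bot: The redirect directly under the added comment assigns the API-supplied `standard.hyperlink` to `window.location.href` with no check on its scheme, so whatever string is stored for a document becomes the navigation target. Restricting it to web URLs would be safer: `const ok = standard && standard.hyperlink && /^https?:\/\//i.test(standard.hyperlink)` followed by `window.location.href = ok ? standard.hyperlink : window.location.href`. The commented-out `console.log` added here should be deleted rather than committed. The surrounding `documents.map` starts outside the hunk.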
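Review bot: The new `.../section/:section` route is listed before the longer `.../section/:section/subsection/:subsection` route, so the order in which `ROUTES` is matched matters. How the array is rendered is not visible here; if the routes are matched first-wins without `exact`, the shorter pattern would capture a subsection URL and `subsection` would never reach `Deeplink`. Moving the `subsection` entry above the `section` entry removes the dependency on that detail, and a one-line comment such as `// most specific deeplink patterns first` would record why. The hunk also leaves a whitespace-only line before the closing `];`.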
+++ b/application/frontend/src/pages/Search/components/BodyText.tsx @@ -32,8 +32,8 @@ export const SearchBody = () => { </p> <p> Moreover, standards can use the CRE project to maintain permanent links to other standards. - For example <a href="https://www.opencre.org/deeplink/ASVS">ASVS Deeplink</a> could be maintained by ASVS and always redirect to an ASVS entry on github - while the following will redirect to the specific section <a href="https://www.opencre.org/deeplink/ASVS?section=v9.2.5">ASVS v9.2.5</a> + For example <a href="/deeplink/ASVS">ASVS Deeplink</a> could be maintained by ASVS and always redirect to an ASVS entry on github + while the following will redirect to the specific section <a href="/deeplink/ASVS?section=v9.2.5">ASVS v9.2.5</a> </p> <h2> @@ -64,10 +64,10 @@ export const SearchBody = () => { </h2> <p> See the CRE search bar (beta version). Try searching for - <a href="/standard/OWASP%20Top%2010%202021"> Top10 2021 </a> + <a href="node/standard/Top10 2017"> Top10 2017 </a> as standard and click around, or <a href="/cre/482-866"> 482-866 </a> - as CRE-ID, to get an idea, or <a href="https://www.opencre.org/search/session">search for "Session"</a>, or an overview of <a href="https://www.opencre.org/search/%3E%3E">all top-level topics</a>. + as CRE-ID, to get an idea, or <a href="/search/session">search for "Session"</a>, or an overview of <a href="/root_cres">all top-level topics</a>. </p> </div> ); From a74afd07753b3616dde2b20c01bc01b64503cd48 Mon Sep 17 00:00:00 2001 From: northdpole <morfeas3000@gmail.com> Date: Sun, 6 Mar 2022 14:06:29 +0000 Subject: [PATCH 06/26] revert root_cre link change --- application/frontend/src/pages/Search/components/BodyText.tsx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/application/frontend/src/pages/Search/components/BodyText.tsx b/application/frontend/src/pages/Search/components/BodyText.tsx index bacb3fc6b..02dcd34e7 100644 
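Review bot: The new `href="node/standard/Top10 2017"` in the second hunk has no leading slash and contains a raw space, unlike every other link this commit rewrites. A relative href resolves against the current page path, so it only reaches the intended page when the body is rendered at the site root. It should read `<a href="/node/standard/Top10%202017"> Top10 2017 </a>`.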
--- a/application/frontend/src/pages/Search/components/BodyText.tsx +++ b/application/frontend/src/pages/Search/components/BodyText.tsx @@ -67,7 +67,7 @@ export const SearchBody = () => { <a href="node/standard/Top10 2017"> Top10 2017 </a> as standard and click around, or <a href="/cre/482-866"> 482-866 </a> - as CRE-ID, to get an idea, or <a href="/search/session">search for "Session"</a>, or an overview of <a href="/root_cres">all top-level topics</a>. + as CRE-ID, to get an idea, or <a href="/search/session">search for "Session"</a>, or an overview of <a href="/search/>>">all top-level topics</a>. </p> </div> ); From 460d5bf5f077b079f29642e1bdfc7b9bd01168ae Mon Sep 17 00:00:00 2001 From: Spyros <northdpole@users.noreply.github.com> Date: Sun, 6 Mar 2022 14:21:33 +0000 Subject: [PATCH 07/26] quicken browsing for root CREs by providing a shortcut dedicated method for it (#170) --- application/database/db.py | 98 +++++++++++++++---- application/frontend/src/const.ts | 3 +- .../pages/BrowseRootCres/browseRootCres.scss | 37 +++++++ .../pages/BrowseRootCres/browseRootCres.tsx | 62 ++++++++++++ application/frontend/src/routes.tsx | 11 ++- application/tests/db_test.py | 74 ++++++++++++++ application/web/web_main.py | 26 +++-- 7 files changed, 284 insertions(+), 27 deletions(-) create mode 100644 application/frontend/src/pages/BrowseRootCres/browseRootCres.scss create mode 100644 application/frontend/src/pages/BrowseRootCres/browseRootCres.tsx diff --git a/application/database/db.py b/application/database/db.py index 457464254..ac9acf09f 100644 --- a/application/database/db.py +++ b/application/database/db.py 
@@ -1,19 +1,16 @@ -from typing import cast - import logging import re from collections import Counter from itertools import permutations -from typing import Any, Dict, List, Optional, Sequence, Tuple +from typing import Any, Dict, List, Optional, Sequence, Tuple, cast import networkx as nx -from sqlalchemy.sql.expression import desc # type: ignore import yaml -from flask_sqlalchemy.model import DefaultMeta -from sqlalchemy import func - from application.defs import cre_defs from application.utils import file +from flask_sqlalchemy.model import DefaultMeta +from sqlalchemy import func +from sqlalchemy.sql.expression import desc # type: ignore from .. import sqla # type: ignore 
@@ -106,17 +103,53 @@ def __init__(self) -> None: self.session = sqla.session self.cre_graph = self.__load_cre_graph() + def __add_cre_graph_node(self, dbcre: CRE, graph: nx.DiGraph) -> nx.DiGraph: + if dbcre: + graph.add_node( + f"CRE: {dbcre.id}", internal_id=dbcre.id, external_id=dbcre.external_id + ) + else: + logger.error("Called with dbcre being none") + return graph + + def __add_node_graph_node(self, dbnode: Node, graph: nx.DiGraph) -> nx.DiGraph: + if dbnode: + graph.add_node( + "Node: " + str(dbnode.id), + internal_id=dbnode.id, + name=dbnode.name, + section=dbnode.section, + ) + else: + logger.error("Called with dbnode being none") + return graph + def __load_cre_graph(self) -> nx.Graph: graph = nx.DiGraph() for il in self.session.query(InternalLinks).all(): - graph.add_node(f"CRE: {il.group}") - graph.add_node(f"CRE: {il.cre}") - graph.add_edge(f"CRE: {il.group}", f"CRE: {il.cre}") + group = self.session.query(CRE).filter(CRE.id == il.group).first() + if not group: + logger.error(f"CRE {il.group} does not exist?") + graph = self.__add_cre_graph_node(dbcre=group, graph=graph) + + cre = self.session.query(CRE).filter(CRE.id == il.cre).first() + if not cre: + logger.error(f"CRE {il.cre} does not exist?") + graph = self.__add_cre_graph_node(dbcre=cre, graph=graph) + + graph.add_edge(f"CRE: {il.group}", f"CRE: {il.cre}", ltype=il.type) for lnk in self.session.query(Links).all(): - graph.add_node(f"Node: {str(lnk.node)}") - graph.add_edge(f"CRE: {lnk.cre}", f"Node: {str(lnk.node)}") + node = self.session.query(Node).filter(Node.id == lnk.node).first() + if not node: + logger.error(f"Node {lnk.node} does not exist?") + graph = self.__add_node_graph_node(dbnode=node, graph=graph) + + cre = self.session.query(CRE).filter(CRE.id == lnk.cre).first() + graph = self.__add_cre_graph_node(dbcre=cre, graph=graph) + + graph.add_edge(f"CRE: {lnk.cre}", f"Node: {str(lnk.node)}", ltype=il.type) return graph def __get_external_links(self) -> List[Tuple[CRE, Node, str]]: 
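Review bot: In the `Links` loop of `__load_cre_graph` the edge is added with `ltype=il.type`, but `il` is the leftover variable from the preceding `InternalLinks` loop. Every CRE-to-node edge therefore gets the type of the last internal link, and the call raises `NameError` when there are no internal links at all. The line should be `graph.add_edge(f"CRE: {lnk.cre}", f"Node: {str(lnk.node)}", ltype=lnk.type)`. Separately, when a lookup returns `None` the helper only logs, yet `add_edge` still creates the endpoint implicitly, leaving a node without `internal_id`; a `continue` after each "does not exist" log would avoid that.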
@@ -479,11 +512,14 @@ def get_CREs( description: Optional[str] = None, partial: Optional[bool] = False, include_only: Optional[List[str]] = None, + internal_id: Optional[str] = None, ) -> List[cre_defs.CRE]: cres: List[cre_defs.CRE] = [] query = CRE.query - if not external_id and not name and not description: - logger.error("You need to search by external_id name or description") + if not external_id and not name and not description and not internal_id: + logger.error( + "You need to search by external_id, internal_id name or description" + ) return [] if external_id: @@ -503,6 +539,9 @@ def get_CREs( query = query.filter( func.lower(CRE.description).like(description.lower()) ) + if internal_id: + query = CRE.query.filter(CRE.id == internal_id) + dbcres = query.all() if not dbcres: logger.warning( @@ -674,7 +713,9 @@ def add_cre(self, cre: cre_defs.CRE) -> CRE: ) self.session.add(entry) self.session.commit() - self.cre_graph.add_node(f"CRE: {entry.id}") + self.cre_graph = self.__add_cre_graph_node( + dbcre=entry, graph=self.cre_graph + ) return entry def add_node(self, node: cre_defs.Node) -> Optional[Node]: @@ -698,7 +739,10 @@ def add_node(self, node: cre_defs.Node) -> Optional[Node]: logger.debug(f"did not know of {dbnode.name}:{dbnode.section} ,adding") self.session.add(dbnode) self.session.commit() - self.cre_graph.add_node("Node: " + str(dbnode.id)) + + self.cre_graph = self.__add_node_graph_node( + dbnode=dbnode, graph=self.cre_graph + ) return dbnode def add_internal_link( @@ -789,7 +833,9 @@ def add_internal_link( InternalLinks(type=type.value, cre=cre.id, group=group.id) ) self.session.commit() - self.cre_graph.add_edge(f"CRE: {group.id}", f"CRE: {cre.id}") + self.cre_graph.add_edge( + f"CRE: {group.id}", f"CRE: {cre.id}", ltype=type.value + ) else: logger.warning( f"A link between CREs {group.external_id} and" 
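Review bot: In the `@@ -503` hunk, `query = CRE.query.filter(CRE.id == internal_id)` starts again from `CRE.query` instead of narrowing the query built so far. Any `external_id`, `name` or `description` filter applied above is silently dropped when `internal_id` is also passed. It should be `query = query.filter(CRE.id == internal_id)`, matching the other branches. The annotation `internal_id: Optional[str]` is also worth checking against the type of `CRE.id`, which is not visible here, and the new log message is missing a comma after `internal_id`. `get_CREs` continues outside these hunks.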
@@ -836,7 +882,9 @@ def add_link( " ,adding" ) self.session.add(Links(type=type.value, cre=cre.id, node=node.id)) - self.cre_graph.add_edge(f"CRE: {cre.id}", f"Node: {str(node.id)}") + self.cre_graph.add_edge( + f"CRE: {cre.id}", f"Node: {str(node.id)}", ltype=type.value + ) else: logger.warning( f"A link between CRE {cre.external_id}" @@ -971,6 +1019,20 @@ def text_search(self, text: str) -> List[Optional[cre_defs.Document]]: results.extend(cres) return list(set(results)) + def get_root_cres(self): + """Returns CRES that only have "Contains" links""" + nodes = [ + node + for node in self.cre_graph.nodes + if self.cre_graph.in_degree(node) == 0 and node.startswith("CRE") + ] + result = [] + for nodeid in nodes: + result.extend( + self.get_CREs(internal_id=self.cre_graph.nodes[nodeid]["internal_id"]) + ) + return result + def dbNodeFromNode(doc: cre_defs.Node) -> Optional[Node]: if doc.doctype == cre_defs.Credoctypes.Standard: diff --git a/application/frontend/src/const.ts b/application/frontend/src/const.ts index 0406eba36..cd2ae72ba 100644 --- a/application/frontend/src/const.ts +++ b/application/frontend/src/const.ts @@ -24,4 +24,5 @@ export const SUBSECTION = '/subsection'; export const SEARCH = '/search'; export const CRE = '/cre'; export const GRAPH = '/graph'; -export const DEEPLINK = '/deeplink' \ No newline at end of file +export const DEEPLINK = '/deeplink' +export const BROWSEROOT = '/root_cres' \ No newline at end of file diff --git a/application/frontend/src/pages/BrowseRootCres/browseRootCres.scss b/application/frontend/src/pages/BrowseRootCres/browseRootCres.scss new file mode 100644 index 000000000..5e513064b --- /dev/null +++ b/application/frontend/src/pages/BrowseRootCres/browseRootCres.scss 
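Review bot: `get_root_cres` in the `@@ -971` hunk indexes `self.cre_graph.nodes[nodeid]["internal_id"]` unconditionally, but nodes created implicitly by `add_edge` carry no attributes, which happens in `__load_cre_graph` when a linked CRE row is missing. One dangling link would then turn every call into a `KeyError`. Reading the attribute defensively avoids that: `internal_id = self.cre_graph.nodes[nodeid].get("internal_id")` then `if internal_id is None: continue`. The docstring says "only have Contains links" while the code selects CRE nodes with in-degree 0; `"""Return the CREs that no other graph node links to (in-degree 0)."""` describes what is implemented, and a `-> List[cre_defs.CRE]` annotation would match the neighbouring methods.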
@@ -0,0 +1,37 @@ +.cre-page { + padding-left: 20px; + padding-right: 20px; + padding-bottom: 20px; + + &__links-container { + margin-top: 10px; + } +} + +.cre-page .cre-page { + &__heading { + font-size: 2rem; + margin-bottom: 0px; + } + &__sub-heading { + color: #999; + margin-top: 0px; + font-size: 1.2rem; + } + + &__description { + width: 50%; + } + + &__links-header { + margin-bottom: 10px; + } + + &__links { + padding-top: 10px; + } + + &__links:not(:first-child) { + padding-top: 20px; + } +} diff --git a/application/frontend/src/pages/BrowseRootCres/browseRootCres.tsx b/application/frontend/src/pages/BrowseRootCres/browseRootCres.tsx new file mode 100644 index 000000000..935bd74fa --- /dev/null +++ b/application/frontend/src/pages/BrowseRootCres/browseRootCres.tsx 
@@ -0,0 +1,62 @@ +import './browseRootCres.scss'; + +import React, { useEffect, useMemo, useState, useContext } from 'react'; +import { useQuery } from 'react-query'; +import { useParams } from 'react-router-dom'; + +import { DocumentNode } from '../../components/DocumentNode'; +import { LoadingAndErrorIndicator } from '../../components/LoadingAndErrorIndicator'; +import { DOCUMENT_TYPE_NAMES } from '../../const'; +import { useEnvironment } from '../../hooks'; +import { Document } from '../../types'; +import { groupLinksByType } from '../../utils'; +import { applyFilters, filterContext } from '../../hooks/applyFilters'; +import { ClearFilterButton, FilterButton } from '../../components/FilterButton/FilterButton'; +import { SearchResults } from '../Search/components/SearchResults'; + +export const BrowseRootCres = () => { + const { id } = useParams(); + const { apiUrl } = useEnvironment(); + const [loading, setLoading] = useState<boolean>(false); + const globalState = useContext(filterContext) + + const { error, data, refetch } = useQuery<{ data: Document; }, string>( + 'cre', + () => fetch(`${apiUrl}/root_cres`).then((res) => res.json()), + { + retry: false, + enabled: false, + onSettled: () => { + setLoading(false); + }, + } + ); + + useEffect(() => { + window.scrollTo(0, 0); + setLoading(true); + refetch(); + }, [id]); + + // TODO: the rest should really be shared between this and CommonRequirementEnumeration instead of ugly copy pastes + + const cre = data?.data; + let display = cre + console.log(display) + return ( + <div className="cre-page"> + <h1 className="standard-page__heading"> + Root Cres: + </h1> + <LoadingAndErrorIndicator loading={loading} error={error} /> + {!loading && !error && + <div className="ui grid"> + <div className="wide column"> + <h1 className="standard-page__heading">Related CRE's</h1> + {display && <SearchResults results={display}/>} + </div> + </div> + } + </div> + ); +}; 
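Review bot: `console.log(display)` runs on every render of `BrowseRootCres` and dumps the whole API response to the browser console; it should be removed before merge. The query is typed `useQuery<{ data: Document; }, string>` although the backend route added in this commit returns a list under `data` and the value is passed to `SearchResults` as `results`, so `{ data: Document[] }` is the accurate type. The query key `'cre'` looks copied from the CRE page (the TODO says as much); if that page uses the same key the two would share one cache entry, so a distinct key such as `'root_cres'` is safer. `useParams`' `id`, and most of the imports, are unused on a route that has no `:id`.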
diff --git a/application/frontend/src/routes.tsx b/application/frontend/src/routes.tsx index 692c62db9..7b619af54 100644 --- a/application/frontend/src/routes.tsx +++ b/application/frontend/src/routes.tsx @@ -13,8 +13,9 @@ export interface IRoute { } import { - INDEX, STANDARD, SECTION, CRE, GRAPH, SEARCH, DEEPLINK + INDEX, STANDARD, SECTION, CRE, GRAPH, SEARCH, DEEPLINK, BROWSEROOT } from './const'; +import { BrowseRootCres } from './pages/BrowseRootCres/browseRootCres'; export const ROUTES: IRoute[] = [ { @@ -83,5 +84,11 @@ export const ROUTES: IRoute[] = [ showHeader: true, showFilter: false, }, - + { + path: `${BROWSEROOT}`, + component: BrowseRootCres, + showHeader: true, + showFilter: false, + }, + ]; diff --git a/application/tests/db_test.py b/application/tests/db_test.py index b38d57436..25b183540 100644 --- a/application/tests/db_test.py +++ b/application/tests/db_test.py @@ -4,6 +4,7 @@ import uuid from copy import copy, deepcopy from pprint import pprint +from pydoc import doc from typing import Any, Dict, List, Union import yaml @@ -436,6 +437,7 @@ def test_get_CREs(self) -> None: dbc1 = db.CRE(external_id="123", description="gcCD1", name="gcC1") dbc2 = db.CRE(description="gcCD2", name="gcC2") dbc3 = db.CRE(description="gcCD3", name="gcC3") + db_id_only = db.CRE(description="c_get_by_internal_id_only", name="cgbiio") dbs1 = db.Node( ntype=defs.Standard.__name__, name="gcS2", @@ -459,6 +461,7 @@ def test_get_CREs(self) -> None: collection.session.add(dbc3) collection.session.add(dbs1) collection.session.add(dbs2) + collection.session.add(db_id_only) collection.session.commit() collection.session.add( @@ -474,6 +477,8 @@ def test_get_CREs(self) -> None: cd1 = defs.CRE(id="123", description="gcCD1", name="gcC1", links=[]) cd2 = defs.CRE(description="gcCD2", name="gcC2") cd3 = defs.CRE(description="gcCD3", name="gcC3") + c_id_only = defs.CRE(description="c_get_by_internal_id_only", name="cgbiio") + expected = [ copy(cd1) .add_link( 
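Review bot: The `@@ -4,6 +4,7` hunk of db_test.py adds `from pydoc import doc`, which nothing in the hunks shown uses and which looks like an editor auto-import. It also binds a module-level `doc` that shadows any later local of that name. The line should be dropped.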
@@ -567,6 +572,8 @@ def test_get_CREs(self) -> None: res = collection.get_CREs(name="gcC1", include_only=["gcS0"]) self.assertEqual(no_standards, res) + self.assertEqual([c_id_only], collection.get_CREs(internal_id=db_id_only.id)) + def test_get_standards(self) -> None: """Given: a Standard 'S1' that links to cres return the Standard in Document format""" 
@@ -1119,6 +1126,73 @@ def test_object_select(self) -> None: self.assertEqual(collection.object_select(None), []) + def test_get_root_cres(self): + """Given: + 5 CRES: + * C0 <-- Root + * C1 <-- Root + * C2 Part Of C0 + * C3 Part Of C1 + * C4 Part Of C2 + 3 Nodes: + * N0 Unlinked + * N1 Linked To C1 + * N2 Linked to C2 + * N3 Linked to C3 + * N4 Linked to C4 + Get_root_cres should return C0, C1 + """ + cres = [] + nodes = [] + dbcres = [] + dbnodes = [] + sqla.session.remove() + sqla.drop_all() + sqla.create_all(app=self.app) + self.collection = db.Node_collection() + collection = self.collection + collection = db.Node_collection() + for i in range(0, 5): + if i == 0 or i == 1: + cres.append(defs.CRE(name=f">> C{i}", id=f"{i}")) + else: + cres.append(defs.CRE(name=f"C{i}", id=f"{i}")) + + dbcres.append(collection.add_cre(cres[i])) + nodes.append(defs.Standard(section=f"S{i}", name=f"N{i}")) + dbnodes.append(collection.add_node(nodes[i])) + cres[i].add_link( + defs.Link(document=copy(nodes[i]), ltype=defs.LinkTypes.LinkedTo) + ) + collection.add_link( + cre=dbcres[i], node=dbnodes[i], type=defs.LinkTypes.LinkedTo + ) + + cres[0].add_link( + defs.Link(document=cres[2].shallow_copy(), ltype=defs.LinkTypes.Contains) + ) + cres[1].add_link( + defs.Link(document=cres[3].shallow_copy(), ltype=defs.LinkTypes.Contains) + ) + cres[2].add_link( + defs.Link(document=cres[4].shallow_copy(), ltype=defs.LinkTypes.Contains) + ) + + collection.add_internal_link( + group=dbcres[0], cre=dbcres[2], type=defs.LinkTypes.Contains + ) + collection.add_internal_link( + group=dbcres[1], cre=dbcres[3], type=defs.LinkTypes.Contains + ) + collection.add_internal_link( + group=dbcres[2], cre=dbcres[4], type=defs.LinkTypes.Contains + ) + collection.session.commit() + + root_cres = collection.get_root_cres() + self.maxDiff = None + self.assertEqual(root_cres, [cres[0], cres[1]]) + if __name__ == "__main__": unittest.main() 
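Review bot: The docstring of `test_get_root_cres` does not match the fixture: it announces "3 Nodes" but lists five, and says N0 is unlinked while the loop links every `N{i}` to `C{i}`. Something like `5 Nodes: N0..N4, each linked to the CRE with the same index` would be accurate. `collection = self.collection` is immediately overwritten by a second `db.Node_collection()`, so the graph is loaded twice and the test does not use the instance it stored on `self`; drop the second constructor call. The final `assertEqual(root_cres, [cres[0], cres[1]])` also depends on graph node order, which `assertCountEqual` would avoid if order is not part of the contract.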
diff --git a/application/web/web_main.py b/application/web/web_main.py index 3ef436f66..2551602fa 100644 --- a/application/web/web_main.py +++ b/application/web/web_main.py @@ -1,10 +1,14 @@ # type: ignore # silence mypy for the routes file +import logging import os import urllib.parse from typing import Any -import logging +from application import cache +from application.database import db +from application.defs import cre_defs as defs +from application.defs import osib_defs as odefs from flask import ( Blueprint, abort, @@ -15,11 +19,6 @@ send_from_directory, ) -from application import cache -from application.database import db -from application.defs import cre_defs as defs -from application.defs import osib_defs as odefs - ITEMS_PER_PAGE = 20 app = Blueprint("web", __name__, static_folder="../frontend/www") @@ -165,6 +164,21 @@ def text_search() -> Any: abort(404) +@app.route("/rest/v1/root_cres", methods=["GET"]) +def find_root_cres() -> Any: + """Useful for fast browsing the graph from the top""" + database = db.Node_collection() + opt_osib = request.args.get("osib") + documents = database.get_root_cres() + if documents: + res = [doc.todict() for doc in documents] + result = {"data": res} + if opt_osib: + result["osib"] = odefs.cre2osib(documents).todict() + return jsonify(result) + abort(404) + + @app.errorhandler(404) def page_not_found(e) -> Any: return "Resource Not found", 404 From e7f767b2bb69c27218f3efb44df282b08d23e75c Mon Sep 17 00:00:00 2001 From: Spyros <northdpole@users.noreply.github.com> Date: Sun, 6 Mar 2022 21:12:37 +0000 Subject: [PATCH 08/26] 166 show tooling (#168) * fix search * minor fix zap parser * lint * zap alerts with links --- .../frontend/src/pages/Search/SearchName.tsx | 14 +++++++++++--- .../zap_alerts_parser.py | 16 +++++++++++++--- cres/db.sqlite | Bin 606208 -> 466944 bytes 3 files changed, 24 insertions(+), 6 deletions(-) 
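Review bot: `find_root_cres` constructs `db.Node_collection()` on every request, and the constructor shown in db.py rebuilds the whole graph, which after this commit issues two extra `.first()` queries per link row. That makes `/rest/v1/root_cres` an expensive call that any client can repeat, and no caching is applied in this hunk even though the module imports `cache`. Loading the rows once in `__load_cre_graph`, for example `cres_by_id = {c.id: c for c in self.session.query(CRE).all()}` and looking links up in that dict, removes the per-link queries; caching the response is worth considering as well. The route also answers 404 when the database simply has no root CREs, where an empty `{"data": []}` may be easier for the new page to handle.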
diff --git a/application/frontend/src/pages/Search/SearchName.tsx b/application/frontend/src/pages/Search/SearchName.tsx index b47a6f444..0866b78a6 100644 --- a/application/frontend/src/pages/Search/SearchName.tsx +++ b/application/frontend/src/pages/Search/SearchName.tsx @@ -10,7 +10,7 @@ import { Document } from '../../types'; import { SearchResults } from './components/SearchResults'; const CRE = "CRE"; -const STANDARD = "Standard"; +const NODES = ["Standard", "Tool", "Code"] export const SearchName = () => { const { searchTerm } = useParams(); @@ -36,6 +36,14 @@ export const SearchName = () => { }, [searchTerm]); const groupedByType = groupBy(documents, doc => doc.doctype); + const cres = groupedByType[CRE] + + let nodes + for (var NODE of NODES){ + if(groupedByType[NODE]){ + nodes = nodes?nodes.concat(groupedByType[NODE]):groupedByType[NODE] + } + } return ( <div className="cre-page"> @@ -47,11 +55,11 @@ export const SearchName = () => { <div className="ui grid"> <div className="eight wide column"> <h1 className="standard-page__heading">Related CRE's</h1> - {groupedByType[CRE] && <SearchResults results={groupedByType[CRE]}/>} + {cres && <SearchResults results={cres}/>} </div> <div className="eight wide column"> <h1 className="standard-page__heading">Related Documents</h1> - {groupedByType[STANDARD] && <SearchResults results={groupedByType[STANDARD]}/>} + {nodes && <SearchResults results={nodes}/>} </div> </div> } diff --git a/application/utils/external_project_parsers/zap_alerts_parser.py b/application/utils/external_project_parsers/zap_alerts_parser.py index e2b08b774..58d969cf6 100644 --- a/application/utils/external_project_parsers/zap_alerts_parser.py +++ b/application/utils/external_project_parsers/zap_alerts_parser.py @@ -6,6 +6,11 @@ from application.defs import cre_defs as defs import os import re +import logging + +logging.basicConfig() +logger = logging.getLogger(__name__) +logger.setLevel(logging.INFO) def zap_alert( 
@@ -29,7 +34,7 @@ def parse_zap_alerts(cache: db.Node_collection): zap_md_alert_id_regexp = r"alertid: ?(?P<id>\d+)" zap_md_alert_type_regexp = r"alerttype: ?(?P<type>\".+\")" zap_md_solution_regexp = r"solution: ?(?P<solution>\".+\")" - zap_md_code_regexp = r"code: ?(?P<code>\".+\")" + zap_md_code_regexp = r"code: ?(?P<code>.+)" repo = git.clone(zaproxy_website) for mdfile in os.listdir(os.path.join(repo.working_dir, alerts_path)): @@ -56,10 +61,15 @@ def parse_zap_alerts(cache: db.Node_collection): desc = re.search(zap_md_solution_regexp, mdtext) if desc: description = desc.group("solution") + cd = re.search(zap_md_code_regexp, mdtext) if cd: - code = desc.group("code") - + code = cd.group("code") + else: + logger.error( + f"Alert id: {externalId} titled {name} could not be parsed, missing link to code" + ) + continue cwe = re.search(zap_md_cwe_regexp, mdtext) if cwe: cweId = cwe.group("cweId") 
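Review bot: The relaxed `zap_md_code_regexp = r"code: ?(?P<code>.+)"` is no longer tied to the front-matter key. `re.search` over the whole `mdtext` matches the first `code:` substring anywhere in the file, including inside a longer word or in body text, and captures the rest of that line with any quotes or trailing whitespace. Assuming the key sits at the start of a line, anchoring it as `zap_md_code_regexp = r"(?m)^code: ?(?P<code>\S+)"` keeps the match on that key. Because the markdown comes from a cloned external repository and the new log message treats the value as a link, the third hunk should check that `code` starts with `https://` before it is stored; what happens to `code` afterwards is outside the hunk. The added `logger.error(f"...")` would also read better with lazy arguments, e.g. `logger.warning("Alert id %s titled %s has no link to code, skipping", externalId, name)`.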
diff --git a/cres/db.sqlite b/cres/db.sqlite index 5c933986a4caa9b4effa4d26b88bb7222f9e5ebe..db5b4873ff20390e3aae1c6ca9986a59773aae6b 100644 GIT binary patch literal 466944 zcmeFa2Vh&*bvOPV2oL~)2UwOBS(ar%vS^8xKw<;hq9{tDEs7LDSzfXNkst+&Bq)HC zOgoPApxDk%n$hgE8EvK$XEe?DH>=sRiPMZ`I<swNlQyGi@_oN^?tKG;6e&A#zWyP{ zjKw?Nz31M0?is&xZuZEb!c0CiRxC~CW<qi05=B*&J)w}Icz>%XN(ukw@vk5M2Jx>G z{~CW(<3HyAfArBgaJS}lDQ%vWN>B^F+p{w8P3=hF0pEGe?|sO3aQ?Q<k|qV36lhYQ zNr5H>niTjGQ$RnhxmPY<uAbjHlRG()A1TrQoIOLm-NU`1;qJYMdPDd{Xj7ZFFdFJR zJluPrcPMmtU^sO6=%GVfLT%ps9W(jTRBqw~%5Uf%>N(gwM86)*mq$v4>6t=t%Kq!A z++^PV_nF*y+5Y#Qfy3G1p>BLAG=2I6eR*)GufKcfrqK1hH-$D8Mmwl;Tdmot!kO7T z)jTm)$WM%xLq`wy9XZ+?+C-n)60!}iqpibtm-5*^F@gVxpR1IXyH~DVtKJ(o*6zea zVd^vppBMkJt!f?Do4;RA>p3$wU9}YJ$4kZ8>Gcg4nHHka;@cKNEEj*jdd+0NTWBBE zuHG20F*iEFpXVjtKQPqWci=EB`6k)ABQ(^zzjvtja8GYmY{>epVDF5kN`tm{Mc-dU zH?wC>Oy>$Eb01ZWzpW#BS?kK)wW?B>8qMEPJ~IKK`b2JarpSNieJG|Ar6KTtZrA!0 z4{d|<t;^giJ37>R518vURUDPIsJivHNY%<!mo-{E)M&Us)MLYfx|Oqiyn6l6^_CFz z(|GZ0?RfSyl8d0aSUh`YObi~sy*nO=eHFPzBgRm(jMg;TI<{Zhx^kdnp*7@>+ZNLL zdo=JRv6_{eg6@?oR;c%`;MJrW^zWrrD@VUsfO*!k!*YJ4mSdJ@Pd4~%E#EwwFO_Rp z?R*^Ae(tL{IZbzdUd%JO5Hmi*3uqo4!Gh)Rw}h;zU_;R`wuEeh+!B(L0H5A?N$bk( zE9P4u8p??%{ahY&iN$CSw65H`e7*))`xA5?UBTao>UxLIy>jzrwc_Qq%T44bPZmZ_ z$N|*+)ls#gHHEaeve}8L*-3+bo8qyKD&pGCTTKrqrcaMlpEz58pv6vq>&hdW=bKt> zXVIEpw1Dq0^U?4hYVhX@{@47|q(GAbO$szA(4;_<0!<1uDbS=qlLAc&G%3)eK$8Oh zODGUf9qsXvR5BV%XVTGJstxmM>i_>s7PmQ#CIy-lXi}g_fhGl-6lhYQNr5H>niObK zph<xy1tbN6E$v>r{_n!?-N7#tmjAlo?}EPyek1s^;J*dG8~k#UWK9Y*DbS=qlLAc& zG%3)eK$8MZ3N$Iuq(GAbO$szA@aIo~OU_?{LHhM;@N-{f5I>hy*5GGAAH`3_JB=T$ z+Z=&!D6QJV^qXLCL*SQz(}A}JKP!Ggzij?#QlLqJCIy-lXi}g_fhGl-6lhYQNr5H> zniTkdhXR`Jbm@1kR*#nRp`Pr}{?K%(I3rUE<i>M_sq#z+xhhWOr)CNxxtaWEXl!<h zGY;gC$6{_vC^tG9%Aqh!87+_}j#3JY6sKlN#fdVdjtk9BEzmxaii8vC*sUN~Teov| zwPSy=G?EWZ7pC*bEszh*6hkAY@*}51#o3ur`g|8glpmQz#)y&P<aBWg<0?mz@o+jB zRbGx>4sUe!tX2;d$3w%1koKcEH6<rAmMcu4Svi%;gyX41TkyHc;~FlLXN&Xt)sEgN z%54)G$(LpdV>EM`S1EtCDE>1UPotN#nn4%tf=lmRt@acrCy`o)h(x0e6~{s+b5kIW 
zMLp36lFyW9%1Ca4Yy{;HC^S<%ou4X)`Y0dBbRIvZW+vu9)X|Wb>cm_$5({UdQTp1B zhJ#+*FMVO>z-n~}pDz_gW{~J+BwsEU&gN^zn8DW~$<zu>`M9!8d4>{vIQX963xa2Z z*9DV--v<6E@XWwSAgnw?`?~fzEwAm=R{Ou^f4BdI{&D{yf7IXVdyntwzJA|&pS$f1 zZD-nUY}?@dmUqUR@%+T|dC$0`*ZqC>U%HRE{jG0l9d!M|^)lBU*QL%MI$!TR)ADf3 zn_Bib9(FuieYZNNZc~F8!pCWH+x)G{YHgrBmdJ!tiPXMAnb*hM4cY9WE?RM!2%+3l znwy>}j+b)Nr{+8z>fMVYP_x#fPJx4)XyHz`$1>?~EEy#}lLJqn6ihhUxrvGV)Oa4r zVy1BHab(J~V>oUF9Dz`|aA)4WjDy?U=t*CuMRA0qnG|((Q3tI!h2upZJie8C+^l7y zsc<SD?VTzUXPGHX=20Vm$8@124n78U;V+33y~R4ww`aKfUQHg~KPHEWr-{rrY4JoX zoK7VMXo}^TB4%?cS3U){UBiZ$`RH1TMp*G_sTdecJb55LmB*Cxp~6&QrjVNmP3Owx zbHx&JWSuL_oT^$K!G%j;Q^iRnYB^Ob5l1meMnq&DHd@5$;u4vdD4rvJUdqp6;c%nW zeWWv$q)D96lCeZMkx2EUZyL;OxiB>znw*`ODTKyyBbZgqY<47gk74py#ze%N#YC}q zdUl$)XemEaKLu>EQgM2&BTlVpm7?KTG)>#8rlGlEw#2CF^;$9-4`&idsyaJe%8!DZ zGCQhncXO22Uu#b$;^9OrL)Dq1<KhfW7Ds1s!GIuQnQ)bbnPvvbiIrJb&*}VJ6;B(E zaNlZsERw>xN|=4;Lt;s&=keO*Y_tjNN9@)v?zKY$iw(zOX}U-09xCN;$2E%o3(sN> zI1OiU`;YQL37^cBvAqU{2aS7-8eqi>V{^#WbGCqUeX2MynlE)8@8sS$V||mjJ)_;$ z&6p3JoU{4}(aPY6LU<_WOJT7YN%p|v(;bTcRqY1xnOnl#{YEX5h(aFVh0IMuo;iz_ zBi4OT7{O*7FP5;OC(GD`2AR+^_HiDoiQPt%urEO07Vf-7i_tDgF!SLtG~AFh!rbU2 z29B#1ECg3<VG2p_P&r@TxtTW6q!vl1Ap1o27K)R3x{$@DW-+T+f?z;LI9H|}Q^Yx# zlUu*se=U#1rzOBq<B{YbCRjkqs3K?1E7Q84E#%J;4GTE_=5_)#CvuSHD2o#4aVl2= zHS?vt9W<JAS}Gn1C)4R}KBi`)Q~8N$<cZpX;g3wrGG$PPGg&1C;?mf4@fXLbjXa@_ z_6SKi5phLaaNS6>l>2+Zg|lz(E3Ro(G%cxRO$ky;Z0Mn{T`n*k)>JIIPp~bBe0lIe zVpotlOLQ-p#2K9}(N;14jzoyqYo)nu8;GRiS~?vI$CDY^6P+Bh>M3jomi+{83b9Ox zQIrc;^DufeGz@1_k)iyVSzg9ckuIUJ5SAJX3kHJ!rcsqCJ>mpLIYFC64k<qc@q1#D zMtcsTI}R?7j7Ccb6{PFm-`%sGhB>DtGtn?kq@9DviG(Ke*eBS;I44AJ{5xKpnL&rf zM9Q&s)X6a|mX6>CO=Kay)-Y$2{pP3m5avf$hG-eOG&=t{hIjJ8CQ&rKmO9I6Nt}#G zBGyCnz-ANT@bomD2a9EZT40@6k@1;Rw_L?k3$`P2HJpgX`)6lnap6?e$8Cfz3{l?F z9y&w)IH!{s26Ugo*}_DAJYViEjhsT7zL6Qo1FP21sM@t?G8x9d_M(m}si;?rM3do2 zD$eY3gl58g9YQ^BQJj6;V!0iwsp@GhiC!X!3{}OV(Jrt=9t@Z-NL*KR?_qh7R1mi> zc;FS(x?hWC65&`T!5^BKux^u59$NrvnC$bqRZI_;V1>~L*RLksXnv$X`QOB~NYV{1 
z?;_u{<*I>qTrTFApi3+vt^_ehspf&p%dS?fq^j*&0tY!ANzqr0fvtL+D2igA;9S^G zW#<Yi8qlQLaY6MYbQ#rO-5yDST_hve$z9mg_8vpasYYB&XSRmpF`7NNd=<yqbt%;- zV(%xziAcuQ*x<uL-{nnK9Gf|p11qIFL0mQE&@%CbWDMIrn(l!NK*tiC!e9c|TtYQ= zYf;>!$z-bPt^?uBjolrjddJ(N5GkVZIGw@~bXCFy%Lk)+)yxBF--WRNf2utmhg6cx zfPgqPBvwGSrp%XeXjSsVfF@21_9OUABz@r%L$kL!!`3VD-A?x_cv30hqe0xFrBi9F zee?zrUPuHj6~S~!Gqc^fxa()2gn}JyYNJ*?n$*f^$IPR*cYC@2jS1XSsd!5E&y`Ib z9qKfVa;7wk`Ga#6rockR3gfdvjNj;?F1m5mr9h`dui!@{nUXQVx(dqM+*A<^JV9qQ zDH-?}RXmx4F#?CwR6NOEQXC;;2lm)-&*1V_Vs0BXxus6A270ZFI_zps$MEG;W?z1K zqBsY(H&dK0P87%I?5nxPNp+WRjKwn8I8n^7s;jG8sCcWE03XR@lGe@x^T$O20qJbM z-0q-CJDDpdQyJUlqYZ6tqBSa23xgmmpYGaKU9nB=QT8kESD^dPIo=+;DY!j&dEn=c zUj+U!@M6bH0yBZ3KqRnC`w#6i+8eZcwGnMl+o7%Xf6M=7|1*{M``dgU_r20L<xBWh zxBas1HLwI+=KZPT6W&jF-{w8--Rt=;&-*-6o|`<|-M@3c&s}owX#H*LS6V;X`m)xW zTQ|7A<9e-Y*mb4zTh7-yZ*2KZ%llf+x2$S8tbRj%gL)?h_C<H6tE{YdrdK<5?UENd z@mUt9bL07FOn10+Sd@fB!_pLQ43NECoQ0LC96DKqPIGd$Fd;-)A?nWJ98c!A6Zb9U zapU1yfZ&EV5Lkp8huAnLY*Hkm@#cY5Np{F*1ZJIhBppsh(&~$lK;hWMOGeF>^HAV& zXH>(oAI{G}IX!J&gX&vXI5$%P?PHQGSbJCBvI#aphiz}?Asmm8LV&$MdnTPBZ6~3= z_8MnDHQ!epnI+*#DF3vmB_W2<FU#uRCY-mdcJxf-bEOc@Z(#%*0>;RR0$sp;T?19M z)0tQ}7Eh=zpRW<RoUf7c&)b~i#+P!{Hv#YUu~Km|G%_K~B{Rhm_I-pjw`5wqX{$3& zO`*UuBd)sBiB}QhlD1J6AIs@fGMvt2lz%zl(xb3v8cj(7C?Z`qlL~Vi&y`pafKH9E ziyIQB1y6)P%_G?o!URSqX&WklF+n=P-(#@b#L}^e!!BLJ(Acg!3r?6DMco`pTwq-+ zXhNa@L2<4)Lv3zm23)rs+LRv;-C3B%v7J0w?ue%1;Ur9=|C4s+jNZgKWXmcsX|g+z zkb;YVbyaSdh=Q-ilFF-hI8QI4-6SsJkwS5{%)Q1yqf8{CylQbDrQ2e(2yHGChuJco zQeHXa(pNP4D&JeD3Z+qq)+KP5iNeWJu2cX$YUWYfrTW5c&H`48sW}C`&lJr=hW-8| z#7S7uscUJ?ApskCUJkR#T{JyeoQ0OjUo_g0$~vCMdP1ogBkRq%eD3rV7A0R!U{|Np zQME1UJZ?<qWML`?t({vjmpm!hCyd&-?da%4)6kt`G39}7=Q$d3j!b{XpoE2q79EF^ zjSRG%h%WY7#bd--lTYk$_TszfQwT~X3*hx8-$Oi+fMga`zOc+m1cz%Qf(tbrORLWc zIpeDxd&PX`LeQV(ImkrQB!a1T@5S&Odnbyx>LKPps*{|AbS~OYbY%JH;jSQA1Edv) zu$+cykxV9(e`C6cF7kIk-K2BUg@Z9IJOk#oAA`P8PD0LzCF062uXpKg<ICbUhg2?G z)5obcuJ4(gb^5I#fZ;*TO=aK=0gZpP!#TNHU8-?G+9WpbcAmjFsx1>jB5q)sz@iH) 
zNLe;l?_1*xQ~T--5hq165>?)NnR7KtaW-bB%XEy>>6E%>z@-PlrOy^&SP~XLOn89j z6grg$k6`_?Rs%$xT$MJGh(Mx`M%4`|=Lxerc0oy1Q?g5@AmlbYU_fh=iDSDYlFDli zxpd!ZRSd)2npov2;rQ7iwkf$z#7hNYOF)gs5<}H1Pm_r!4Sg_`i4KX2ho=NzPt{g} z*jE_I#6gi%T>1C?&U^TVA`hB062c_Lk_nvv>j>d_g7P%<E!J+?CY#;Y7XuBU87gml zoU=<)jmwXisvyk<=T1zi`u;G5K+@bHBRblhyQ?Ze53#8!QjNLfR+qlHrrIO7+(~<2 zXUuu5=AI^z+jx(G#v{FX<rG#q9Z#xhahKTUmJb~qhKWP$80Z6|bh%)NIiVI17c3R; zVB=yoJ0SJB4Ai(pEUI3!(b>%-po@(?d5r~y{>z>1pn}avAdLfS_}1-4>oCS-_(N@1 zEtye<db7iZ{#1^@o|sOgly8d3v-u6Cq7p7z!`VnDe;|kD!(Bk0LTCk0S|jT8H5jcb z<XiGQLh$5^-Qe=k2#!`Hon>w-s+l`_afUr<6ztGdmtF>8cyt#KrA@;>&dj4GNh@y( zIg`d*CrG6<W>Sul0-H_@M4VZS5Z-9(0>Y&yw6*L&_aIu#k*twOlCLMFe3y9~HK_G_ z(;AJybx^<&WaD<#f+bRka0G|#;VZ%8)b7E)u5<a5=5oSG8;(XJQ_G#JNHH14V<kzl z0HhM?6E1bG<lpVxhr2hNj7QXa)?rqtmX(suWNr!~oVY6CE=xt!9G_iN!{MD_)k;Ee z%_L%H7gB>T+f+u~eYJC|O;f7Ucgbi5gTL~<wazHlIeOp#wrKcR-|)eGL*2(RU@x&` zM7`@OXBU+Z70RbW-6RH-X{d4BtFT_EDLENjsPMZ^hTy)DlZnM(QjI3nq)~$<$|;yE zS#g6#1qOtxH=`!xbO)<sP6!I4fCG%jVev^OBd7TC-?a<Y0$g~)R-Z4Guxds{&;)xT zrTiuP@^|g(o1%M{IH|mXA<>w=l_ZV{v}xs;eE1>#lQFe8O;Zb91G74L#Bf7kqmjTF zSKcP64K1FX^$`CJJ7fw*oLDBQyo~R^UAy+uMFuj#p+ww1Nq0<KsjP(nqFP#t$*9xt zd!^Hn8&+dyd26+CsifadU<1ddECia4&@nRZ;&Q+^h!D_6Y4g+DI=mslMG7?YE#yZL zJ{zIZlws7JF@zc-%Q>=kPQYx0Zc@oKZE$s6o7$oDDsNSsPj}{=+nu47pSHZW<>@WM zEmtbPP~IB+e()K=iC|wa75Giy3xRhBUKh9@76DcJr1nf$^Ex!Q|9k$A!WQr>|Cm4J z_xQf!dx!5n-*MkYSOXqtyUlTZ+ZEo=dS4D(z;>_ddB5i=o*wt_-S2SU?%vt@o7TT? 
zy}R{T>oUhnTwim&)Kzr#I6mk6FGr6fr2a&Gvw8+YQ-t<!TZTPOFsU9a6{Nx{i(hCA z2310T$O8>R@kt`r8)WPZyq{4>^<PRsl~AdJ#hIO@oq8>_{Ppu_s?A?B1;jNi4QZo= z^2kIHI}&pDDMHLlV4ISKMQl#2ob3uHg%S$~s82bcz)6inlIp8imo~I?GF+36HWPxA zv`acvEFMX~1Gvf5zk+1vUF|ShiEokkD9nEnOSBPEmprrhFo|`n${5DuC^%3mnN(jP z^gn4`%!h6a?+44vhX<q+j;@fNEbbgQnDeEHxkM%sj-;c?$5<-G4r8k%wZngtJ`o;< zTh455G>bspj6)^=XqWQ{?`+v@C_e^<2e-hWFh3aeNyDa%{1Fx=tj`?G4l@|avW1!> zi$G(ECeq4>qt2uDPtfQ`?ABAW1*{8nr6~V+g>$3Tg6Wx{`v@%ZN$rq0aT0AtRm0>0 zPMU~Ac#Fi89|$F`suqbkQusnmc$6UK#g*>^Vg(b9)!{`VKQ4%{QlHvS@;~nqR#_j> zHc`I3+1XdS<%r$d%}FV8hR5RS3l>o~jvFL{oBCZWyBJ%!synuyY$ENZgI27@!~=aJ z8jC1jWA)T*zwiN?ktay`O0V;7Yc_mvSp9`T#<Cq?cICqO6yL76K!u_T;{lj#1b1>; z`64SCHm7Kr>}(@+)(EA6?E_gMa_3f9zEoQ+L*5I`>pGS0)(w0M*jmCdHbGoubPkUT z;X^DZTWYm&w99d*|LH_ry>g%PE}ABrj|4cQ+9O8ytkfbmoh)H$`BH~rc7`(u)}@4c z>lSCfIew!Po*;M~J8o$h=`_|eliAnj(p#)g!Zi<E$y9l6YUC8$C+r6zB4N`{Vfy2z z!k7`@Q!G@3$TCw-k^40jQSLuTJsEVn80WQgf49rEW+D{Fz;4+36WTPwX3rTYWgT{1 zoXi5yvPSb`IpB0?pQe*B^%?uHV~o)(y%%<_W%e-7l<R>x+q_WhLWf+>vf3!@B87=^ z1P-VOq}A1|_886J;ANMP06j1WLYNxOeMJ^W_&?bgK<4{Y@`!y8F3$TSJw|Tk*Yex! 
zS0$xhSTk9NqfKyh=ny$d$>Ma9nQwJ{J~=bk0JGz##Dxf<^(1g_;bbDB?qYRkffi6q z=nG|b3T86u4%n8w=33<Gz9pco)D=VE6oS>2fJ$Pro`MWiglWgltKu+Y#?z6(9_O67 zT`zo_3)y@U^M^iw6GjS>dikRv5{#H4!78y|0SgrxG?0AL(}1J_F%0<_ela#ki&Gme z6JCae5Awc208FK!0;H45-^5|rR|#Coy_D%Bj`EQMFC}b10R~GLRlx6N$|-0y@kII# z!As|F0~;z^V(g97XK#W5)B2J;H}<VfcYib!pJUAK1@W#D7wZp$?Kq6uqxqAw0L~e9 zff68RZ0w3f$mg3>SMoJ&*LUoCQG&dJiJ0>DqEDd}fe#D|*Db44y~K%l<B;(*mCPvb z6kFe{Z3rP^cUd}N3U&_|O_aZ5t!rP6b!?DW7t9A_m;)9B(#Eq`Ifbw<ZOL@G5z+#B zCCHRf-mucS4l_5))3Afa(f>QvKxtLQ@39Vs$5nb_U98KY)X?NCxl!nHDfPLmwA!ke z_61QRtv*lOX!)r*HdT{mVP}R!nM@>ed?yUD7~mK*!co}w$MS3`fdoqb9~PE|IuszR zh~W&RgQv4OcPXul=Srip^)A6d`O}t63%m6+d#yogob&9yLp`{~a70r;!$M+K-ahEk zml;D29i)p#0*!2jFWv@_aY=r+`iAO1F$XP*RnnPABmp)TQ63U<J9}vj$=b$VLZf!S zo0N-`ud=y*A2q7B^d`ZKpe?K2mpGSWlml5hkT4G@I$P&#n2tG#I(eKBORJ!OmeX8f zLDVPhbQYlnR@JH&OW{DShlI%HmtN}Js2Qz=_rG;LY%lng3B<5@>ZKdMg-rrh6>wdF zC6fS?WjDHXY;RN`F+d_b4;<~=CsD2J%@lBV(x(6<V%5d0igyN2;^<1i94_k!{3tQ7 z;m1oMo~&JAA@74b!#EXHM>Tb;l2RTZ{Xf+5?Uq-zoNeg}emVH&;1h!b!N&!@9(YCI z*1#p&`?P0iXSA*U|M7p-|8)NW-*0@M^Zk`C=iBXTZF?`g{u{mjt~}uVkoP`shquM^ zkms46UGAT{U+uom?QQ*z`YXpP9R2DOT~n?BSBLXgEiY*qZQ0tg%<(nHiyWiS_TQ(z zQhk<s8bew5kM6yd5iNJEkTE4kp<vcp_6*OKZ8>ok4G9o_o<|<hLZ5U!4R(`9`seHf z&nLQ7x=kN_e{5qT+tC7nLe6Xj{FlHleT*I=C{MKqnba7(&dIo7h*t1Y=A<*cakm4f zsoVV4G&JZ$(tz3vUOAE@h~gytj3lR%yaX({K);a`)VM=Ea61zyw>1K1B>aMXY(rqf z4xF_lrV;=Ux(W9MvET6ZFw4T1$*vC0WjVLEgv=sLNdR!iU{51#El|j$4}%Ibos9?7 zyN70Yw+6%+G#CT+xn!xgV>flv3lJTcW{iQxwhMycn@0S?&RtY>Qj=_cskg(fozxs4 zI2bkon#>A`iB`2dQUJRM<BBD07o?Xetz0@y%7q=g0EAU#ai30{1bo>VkY>P+Do9YU zw!yc}21mG(?cJJgMY5bg0%hDY1!D-FU)U}`l}JPgI^HWIH3)Tp2%j<=kqEp9|ENS{ z6QxXk7osh866_F8mD7CWiANSDCxP|`N5y|LP8L?Fndmf8<){`<L!ik3fXiDP0V-kB zNQw@y71#|-XzKEYA~o5rCF5jv&KzQ8gPjI!$b!T6RB^PtW{PTsHR&R#^&DI=NyQrh z7=&*incNRuMl$h<IT#pke5CxO*}k3v?Wc(5J2mN8*tM(i$=*Fq)y`;$Ey3mka8M{u z)#3<=ItChmFdSu=B1@30NZB|x#@lzT26%fo9*xjR>E7Gj)3qNzs3EbrE@`9|Xl^)q zApwhRDcs>hRF{qic-CZrmC15no;z;Q;@}pkRC-WYd_tuC8JC?1z?9x^G3GAl1g8HZ 
zw5f03z);8GQJUoJMiQvgiG<OU(Tk9iNFijC2aZ}7X?_fN4@rbhm8{=C!b3xB5j)Hx z2GvL%nULZxu?ZTOP!1T5hXZ|d2!qG<0!bN`8yJ5HUAONf4eu^34*X{<!$AUI@xXbS zpzY8AK&DbRV>*@RAmUEKWMM{%c68>bmjT2(fn!CPxz_eV6qet_$$mW5-;NDJ_?@^h zhnhCGoZzW$)F^N%6^RQ5P(@=hG*{si1Vo%%`4nDiVAai4g6duF;@ffCZ8U^&EfIzD zD;34MaJYw@+}K3^j>1VOrr@hI^6HOVbDY}lMtmEqAp7Q1QMTVg^$LKv1J)Buit)>? z=w_!-mM%**s+O1z-psRCH2~9L`vPy4$76JqttnW;>UCz(AwNz?GScwq8Xg6DB40ju z6Aj~Zdn!qg1llpA<JHW`e$MEGQGn4zZZ2Q4yW{(Al;<Lvf_d8%HyEWRC1VN*4wrLd z@R_p~G(7?2MgtnAkI|rV8mulDRO(P3jzn7^0qHMLh(i?Y1FV=loS0TQbOSX63SD^h z8u<Hm9Oe0HB#eXQgDc>08{T^$;#fkl!UM!N@M1W{OwOF@9H!RT%Q*Uxm>CBIG0ZUP z7;Z^|4CPB3vsAwuac&F?=$3|(dfY(&kUY5(#_|ZkFnf>Cch7<Mu~qG&EOLhic}QLy zf3`pwhOdh=W33yY5hbzR89E>+QH?6teweBhI1~lm`lZ3^QvKBUgqDdxd5_1WutFhx z%-4+d!QZgNC73L*^C*6B^&x84p(SCTfrEr@2{eM^7ADnl=k-)btP6nBNIVM;VcG8> zF6AZ&hel^hM0^fj$0S>(k$4QS0re*1Zl(T6P3q!0A>UF^Bp(EV4cbgn*Y$CaE-eB% zCl=*c1&CFJa&dyKYo@mhoR4A~i62!drZ#8#o`W=-GKUMmAC$$Zg22zFHabnX3d;ow zz=vB}xZfdh!RW?)4(`2v-~QN+1JuK5gwY}7CzhVK2Sx}>nUF?wl82PpPpwA~GKwob z&B0GO$hC;%G^WBKqc)z0Su%<*-AgTV_%7T9;vy>Nap4Owl1=>_xR3U{D4|W$`Dt9) z9pQb{uwOHb{?!hKI^RHN4^<yP5DTF%l48B9$;mrPu(OG|jeDtnx0Zp$C?1O%^(~`= zS+ScccC-^JBb|w4+3#ZbFM2Gq$6TB84kf9)SaImigz|xw{|@%4`-1C(O5lruHwK;* zSgrj=`-pa*)~Bidm;1M=CH2+n_Z*RyFSR_iWt-!djt_YL)^odOmHP|s7rRHCKXAvL zCFeU^KiR4S-T$wyx453?ns5!d(#p@37pv{6Klu6J)7!q$_O~tnt-PbH(ssc6WA7Wi zXT94zKXA-BGLBaDA@$|z6V=_2;@D=fpRkYy-~-krHvK#s<$goXV@o8WJjnhjaUU$U z-!T(r44u4qBalyEpHnYc?d(7T3hLJM4nb1|79ytn>~iPTvP?iX5g`aMB(40%Dj>l` zBU*YgaD%DDQZeP{jwdKCg>9#D40N3fKn7G1Y(@6q5P}8qV9*$2YLt!o#{Eg29*%^i z<5=ZAD5t^l2|sj}eO*Qa#(LOc9=KaA*jv?InZXy+KuNj;;?(K^h+iwhK`?<k1fm2w z(kZA%#A5*cLEIX_v9m*c9f%rbsM24~+t+D=VbR$$pnMnVOZh9;8W3+63~^>A4#O8s zTp>4sm>)~PCBFhVAK-R?!j~byKyiyHPi7~$F|{(lV3Ro#9&YSEL~1Hb;m|L;#tQj~ zQ2>SEGm0wTVH~E>WQs5&xYEmX#Y;@Gi4I`58=E~C-kC!|K1m=_7*6jMz73<Fi<Eft zQgBwEEHJ5$ushk?$kop6t5u_~8bMZyxsPWQWA(|IqG$(V(PRXfg|st{t&E)k-wJ+a z5QR?pP=ajamdR5@L^9Ecymn-VVbC;$U5Io7Eh~It<bDBiT0O&lC3#&6c7>%jL$zrK 
z86m&;e9e(yb5&eDCr>?RaxkmF!cO1cM26cgcy&fQ$i0Ht40VQW<MNv@cz{!z9}%*t z9Ei9yiHb=8-%ogcpj=@vn(F_zxYKCy+!R3$Be-NT0Dk>+6%Z3@m1Zxs{mE;9zIF7L zM{?69uQD{R8?)Isq*$b9Py@`OdaJN*l#2j<BIU&y1bkp&dE&%sU<6y(t|m=!r?(@3 z0LM(^zL0o!C?XUz3DJDU7L{P?MI;&G{!m^g@W4i6kQqlC2E0d>I76o6*eaaaM(1Sf zk!!J7*<DKiH=ZK+h(Q}x0v=_fku*zfw{JcOcCgmxq;f_|j_I5t2OK%4-jW1J-5A$} z<wGe?_Gg?U=7O2tC|aw1hqECP;J^i05=3eaO5qfzsDx-t`LtwjywcU81R`|Ei7xgG z3}v&^z;Kf34`)tFsH0JmJTqzau<#4Xb*biv8?j&Dq<{nj&1z<@3p)mW<Q#EN@Bw(= znSlt!up9>}3Tl<|^z8`60U4I0?nx!_CWgWo{LJF=WSHxcRyw$$kXgoH`6A{k1*2yy z5mViY(lT6qfSZ47QlLqJM?!&<E*-db<51e10c7qWZw6h)Y;hk&b`6px*h7Hps<y7} z^4SDPVh0>6h<%8wZys^!2>o5)6X8evjp6~9t}<U@tPDa)mT1qC2C<tt($E}gl^Jke zYnEhhYGoHfv4}T{G0fYz*5oX0)#Ft{@O9aN!y(Bdr3wO(hhP*~0}Am$)&}L<jER8s zN2(w#m?eUxfvZo%W9s#zE*;?nvJP%#d!`GymX_QmE?jB1WFs&5@)*qG0C=#^mG3I^ zB1=NKfm*H}yw-WZ`Ud1O%TWh|GudcoC=4-^N~t$+pp`Kk#QsbmScU;qvLd2;Nhwy3 zGRV@XNCxI9ilwTq3jkRHArr$4{4na;dqeOIaL8$OF9+ZlHAt?7so9oCKqeaSaF`{k z*%VRulAy<Mv?ENIH~==~5K9dxG(qu`fZ!yfDOF>1(|+Cp*wz%xkf-jbAxXuCI%^ln zH{vcQC)FJ@DL5pN+)DL#BK@DtuqeJkmm>Oru)vk+q6Pw!?3Gw#ZyQ*^b;{=y`261y ze0uP<pd;`uVEj)9x>Q%dtNj$(|C^xyk7+|%(EmRFi~J}3F@M1K1>bq!E?=PS>ut|$ z%eFa{&v}33eXsXU??LYh&$m1u@aUd|<I|oM>OJnyyI<!%scv<zYW-I0+gqQ}nr&V0 zdf4@9U;(x`|Ht`J=RL}gokyI`mQS|4v*oUq-7Nvf&mB*4tW^I){oqA#rz@RXHHQ&0 z-YpJN4=99aQT1&cQEvD=47H(epZdnQ^QP5~L(pHO|5ro?5Y@3p&|^wP@>Q~@0r5Jp z%th4K@M@tm(k1W(8|s=Ci}fGNf-EGpF@leisj3`>P?P{*?`6DeBoHdp1BCnO(Cvts zq%}8Sfwi!6^bRH|!RG2qSQ;I|IpK7Vr1yeL&`}R<GL?%PdpnRXj<XeXFpdfJF-Nio z)ua!R=|uuUm>v=l@dU$yaE1Sg^9(lx{+sl~i%(1>Qy*O|><L2x7%)q*e_&J;Vr)cn zY^g>JQ35_YvGX${37`#PiKO}*4u2Y~;vt6ZNW=wa)Ms+gj{F?%C35nP=4B7cD<Z(h ztBdglOULmvt5rjJN{niQv<n@03}!iL*Q6Z*g9`GD7N=sc9Yql+mFKws>b3|*6GkJ8 z+ak<msw{G%m6K%UO+?j^<p{1-$@x4sJAse`NbH#z2C`y9F5Yt_y-l|X(}U4eX!J|Y zF(xyWUCU5Lqpx}W6w;qD%*qOC6NKG%#n{n0tmnuqwKcj$6t);lLU}5~GmUOwh`@Q1 zEgCpR(}X_H#MMqdIt^QqEu%0+pa3iwX=DV)jmX0)23vItVA*EQ<>AV;dyOoYWRmO_ z$PclNv2n&1$&4?M)*~Wx-&%CKh@uF=Kq4IV7@J$nMsi-0*iUrQ!BJqEq1^>QK0~C1 
zpBAaL$XKej?m@;~wYK$Q9KF&<JQ|^x%i0dWXS!}2%;5$$$wZ40!-e@c)?8~Fz;8<w zqdA)`q)R!2iKe3&^)j}P)HXb{zc17k8rt8NOuz(*Wn0eIdtJ4Ci2gKt2DA;c�HO zk*l`uby?DQSxz!r81C&999SvXewGQlgwgaOeC^U(pI_*rAS)*fWf#0Cl+Uv8V_Xz$ zAt7%tdFO#=fsHc`YeO=cRG!D?HKQVJEV>FvHLjN5aMO{o7+c5MrieNLCN!qr!ZDzO zCgeuKIAbtSVJ9o^6G2vBv~)p2MjM}<fZdRiRv^}&uL+>+OC)DVnG1_fxu95_gZ*4^ zLF8eGrqy1y{~CQ&+big9<;v{41>a}cg>?%ca1c}xQICkB;>OF11tpWj#9SQlU@(6x zKVrr(P$NxMZ$ijt5{4X2A?6wu;^)R752yo+O0Oz&v8JO4YgY$2hQe_DQFf{+4qmmh zvpHn34oB0eyZK-q7CAJ9DNo?oOdB`0GhMPs4>!xk?`fQD#C?|G$AB{|`GhVUOx4zb z#KFPIB&BXKfP4(0SU_!`WAVq3jiv?91$$FI1xt2twR+*~VAf7)m`_jU<-3Z{+){dj zmxIsT*2NBlIj1#E!|Q=Lahfuj?o8u=i+%*xz-a@w=xiDJ0)<r?Ivxc;;0&-(N9kfR z$+&VK-v~yF@+^tm><qEO{MiQ}LgwSjd5$77>XY0DvlvI%j)c~qngzGx&AQ%-H^jw) z=p^<lP>gyqo>ZPD90^7*Fs$OECTKz|J?TxPe$Bxl(>dN5l2Bh9YY9z2svM+yi6#@O zgGG{lBi$iMX;y9X!r&8?Gg>1fE)HW%-N_P^*_If#$aaox5(i`rsXvq-3K~IRD<Ly{ zmUW9QtlS-)5}s59+e4;;$_5r3SN?*{pZ!=eI8U*Yi5*oXcC8kjWLn@PqqxzEygmT< zfS-_1DBW)y+kmUFM;IylbEoq_0FhA?>~sz>OJ{-m;AFkhmMqmMsFMUU!qU@PVY^Ta z`y>QL3XqJYlgj5gD@;G^sgzGhqG50ji9rx7ip5?lfe(zP6ioy>I^v5dRZ%Re{58vF zGGU=iUw9cKzoB5@L|5|yk-Ts@&lcspU9c&QpfKJBz`w)q5>sOgd8b-N!bO>baV1|4 zRKRdnf-zQe`xtx^v2;Scg54HW(Nx5va1tgEE%;J%2-cNo@dzOTMb$1g;!+39GZ&ZF zQf9+k&3+APOScwzlqTljFae*ADlcIngUX1@Us(N8UWjNqmv{r9djG%xzsQ`IoIyAm zS#^s`?~py=o_ch$Aj{OsT^t}t)1qtMytR$xlSGvHKCj?tA+9X+R@l<3mr-UQy^?J= zwu;s|3DGv8hHLu*SxE=Bs3S9dUamPSN~-0Y!@1r49e3V6;NIb0(fZxi2U;tfq3>bW z1FnM0?fiG=m!0o$KhW}Pyb$n-z^?+Y3Ea~1fc8P{yf&;|t7-mk2SWaWKkEB!%Q@d) zBQBuJw+tBozSQ>Cw#l}B@Bi_>$NMC2x7Y3Ytmi(@?v~HByrty@Ez>OnEgKv^aQuy9 z#IZ&FwfYhD8S0R_L0zVNP5Hp$b$|Cgi?7?P*`&aq1qI?dC&WFl7V10#@S-<BY~Tx$ z!Q=+sP$oF)Gc?fyI;T>-Yq^vi44GkxlE=P*Y`4xCNQ=uQkivKh#jveh5P*R`de0EX zXcn<J5NI>0{cO2}ynxY63ezR|r%6^LixmC0G-;91UI<>4;l%f8CAPFR3F(~rG`w6U zTdB>#g0WqqbK2A8K+<u%7=CqyuF!ZlBBwehFz7MnO6tht?_t>6s&?p509r<~81~8H z9c*nPQ2?oAkUJW`?1JDR!EiNtn*g^>$#j(*L}y2<?tLPC{Tw1kfRKzNFDfx!>~8Ag zm?l+-MX4LzPvBJoGLy9io4$ax;lP;-DjbQssEb=PB=5mq%~ZwU(AKNDfsw8|e=aw1 
z&7IVWaLF9(FVURPbRfk+t}&AVbj(pb<kuFluoTzIsMQAHvWYvyKx9;|S#{wU-pDy> zmDQvkWTU`*8dLjOYOxcUqp?#GvH3DHEt{okD*(PEd|{jtP+c}dzgi98ARFbRiEdw+ zemlFIqP!v*89M^J5hTjOB$CO^gbq*&;UkB-*aN{xXF^y&UghMN`-)j?U`2`PoEZ4X za;bnA=YM`p1<h_L@zxHu1APXNVJs_wjK()Zo3MmsgtI`27vcUET7N>QE0lrM8kv1p z@6)fLsoe#bEda{#=t014YRq8B7=TQA@?nA5sdF$30CFJ2;91H!3bm$JZ>MhV)?|>j zxw6QRu%sAoeFOCaR4$>k5=oh9@WQD9)B4raFb4!aXATuuV4*FriI|WLQ;kxM?$Fm$ z%hQ@n8+yT()yYQF`a1DpnLYG^&CT4Pdv&DPXUw(GJT6LWxn5t(yTc6-G$Z^BC#0z$ zghm#R>|3K>MMDZ}(x6^zXYbZI&Hk(=U-J@I#?l@FTd#9I{<J3Za8WKVGqM|A5QfcP zp>rmF3bbPNhJ<BvMyqvBwBMmg?Sl#}m1MQPisk@-w!mCf1F^bv&Xj)yaDHfv46LO9 zHa5~z{tPIHI5WUaQm7+oI2}85PMDu<m!2c~+69yx`vL3FIjMdx2FvNr7Rrd`f3p%^ z^i7)7ImLd@M)C|HEii68SVd%%4qe*FA4XRo^mTyKwwN+VQs>0`JsYLP(J(cd+6|FX z*d(iN*u6TZ<3GMpTG<wBl&ku9;IgI43fJnKqd&Ycf{14fS!9VrMgtPJaPe1le}&G8 z`mt>U)VK<Myiw;A`~Y8zYz6bDGuWbQw1x15kjOfBf!uW4bw5=vXh;zW=e&r_>7q-O zBZb&&3`egOs#9e`7}R}yf|qF$Y1J!0evbgM72Ip#t1~*kf^cN5wCD6+(C}mKl>IuV z^S=kwWH-&=#kzS0bdR{g5M~CDWh&i=MBEHzt2L}mP*kSn{1NU-pns7a)X4Z%LSn;m zpYG-!TX5mP_Lz!D>4XJ|C8p&GzF$c!`qasa`*nUS;2uPiGMd=nx=ThQqd)TC<4;0w zrCoG%xin@PvcW=jPe=!C%D*f7l}{<bp9Q}Wd>j1#NyPlWBk<I~wc0ndd$fq=@c+>N zSz!Oq`v?4C-%ow-^F7hGAKCtY-1hdib8WreUwJ?1eZBH2@6)^|y*oU=^1RJ+#<Riw z8|3(#aVON?)^D`F4bcDttwGmAt|z!IbN<}<3Fk|llg_S|pS66b<;932IMb47@i_j; z@fycjM?(Fj`Z5gZV*aozAS*>CliNq5a7(4r>KoAIEf>@6BHG;G($}nZP;?4x^ry&` zR4SaDg}IaQ1e|t3r2a5K2l6#YATl81!CnQ`0{;n=0mZ|B1wfyQsc%BJYsIUbk4hY= zj7uHkc!HzTtZv$Yzm|C)rv>jNgvm=rzXXbf@LYrkj>i+q>)8*w#17c9DSJ?#&k+;D zl;}bx*@D4R1jm35#<LqSL?FduN%cB*_zhE9+;BA+g}s@)p2jMl;+%cM1W!e{9?Z~4 zEzFrukeV3|Qt1()iIovkioB+<jHZ#x`*Y$O6m*L-XeDyWacTfu>Cjmd@KZ)pNwv&S zuVJ&Uu<fy=jwpD_)@gcx5Ov5-AmqiTn6^YpEpZB)VNQxjL4}C=fld`yz7a%%6BQ4E z$R|OZY}3t(=vJbBtyP$$dBiCz@8|TVS<_?;VT5Ymi7Ye1%uVu$Fd;|PI0I>`k^o?* zUN{SY%pRaVjnk%7wO>N>os10-K}!aS8U(e;;J52-wX6MtRUuI_bgGA8TB2{u1BTwo zc}bRL5izxwJshH%;jlESq`)cS$+)_I+@%AkFDkJlM2=FvhQrl4-H}EC!E+3KgP#R2 zMC7JOM-Y)kc_?#}<i3!8Rys`libEVBw8&hq{6VsfQ^>l{ArH`rWdbb$_%hPxn2E^Y 
zvf{UPfvFoQfYsn$v&v{gAj(d?mTmM)43(1sb_aGNyQ(^G+xY|a=tUrW{2;sBsJ$(s z6$)P=jAI~N(bA@spl}d)=x=1pf5R4y8@!GYgVX?KZ#alUn|eA7E`{vz6G+A!$3jNq zQRU5x<jb^6grdDDzC0-o5k?@h^qUy;F!WaT2tlyqB_!AYlz2{T%I^lm;%VhWwe52T zhJ8`()fcmipD1u@W(Hj&8pFDA$Q~o|TG#MOF|`bEm$6txy`A|T^+BEiFi??w&KN7_ z&LgK7%!A6ug}<LF(`i71u|m~LIgBolNmQ-)2T{>@mkCMKaJXX1d-(RDzBZmXh)}bQ zA-V#`3U@HQ78p6*285w0n6qCm4(|HJ&pwqQ`%6@vU`z%LVm%?);KIu<p%-%bN01-( zG`q|UfrII5iz>pak3d*P)p5>!X4Dcl3DZ$Rq>XxGRpJY!4jY*RI>;z~{Ys?$hls(D z4a?!9e1;)KrcI{|XC(0)ED3{6tN9hBTFn4LqX<X4*-BcUmTU=<7Nrt{AF_*i7EnGR zxQ?CFS(zVz!bOaCzG>u0TLE2~9L1b#L*&XR$G|aC$b0(%#usG`=15y|5PAD@NYUL( zaErWXir)eD3q66smJ#F-dm=+)xgjnDOJ}DG(x$LW&0hT*$!Ns=!LDZt<R-8SF<!EV z!DS2>XI$-Lsl)7<76Fmb5SwIHoZ9z0=;^2^-Yxl^<OK2)Q27wc1L>pDqYxxZ8kUk6 zCG){ydXRnb;=9&->TM8mO3I5EY$NOATH;qvFqa~yc%o=e0vDK~Gh`P8b(Vo0MMC6g zO8FpzrDby&U(Q)dk^Ua0MUZ$OBWYy~WMa*C0Z>m?OyYtvwwmulBy@-X2T5?EPp)z% zHQYHw1lkA|<lq{4H*g6N2iGr2t+)mWxCHDYoT~I}5TQHqKCbdshPcSCY$*?wuU~<% zU-||IY>P7@L!-M{7R^!^owZD2?TDAcT1W2!0v&+~#+CmTU=3+3$#+R3i8yQ`HWv~g zS%iRDpp6o?-02Vo5vj|fX#!DJl;nENae8XQVRQ$qE3Ds80r-Jwvv0U=#RD{On-`|V zE5sO@@d;$cm>Qp@Q!jZrd7oi{Q?HVYTUd6`>B7BdZ#aOs0rLy8vnbxJK{gw8?QJd{ z@4Xm9wa?gyG9VBl4y|#cz+#HXG%OJdvDjVN{^7x{zJ5DUuY=^W1lW2=oHjXB+fp1H z2BeuOOPeeKobT0wqgqvA^%H@<;#5-3K)fuit{3_A%n{R~(w;P~?Og5qJ~AG%fQ(^g zzyu`@A$J^}-5X8exZ_=N<v)dNKEJ_Cn$(o%XI=U#>^osedxXv;>6yC6AQTzru$?S4 zius%ro|MHkmr!2I&mxhJ&3G2+uP?zvNh&!iq|ahjYw;_)92q6}5MBTr3Pu7y44j1S z|9kCI+EcX~v@QN$`akV|iT`&0UjJpjZ~30%oA%w{i~25U`+nPN+s4{9cz@!37qb5K zdzX8@@A-n~WkCLiJgs=^?+*8Mt-o%4f9vC0{jPs@J=e9@)#iN2sXIHIftLSlc^6*# zJB*0`FGK5p;vzKcW|coP3iRllW$DZc`Bci%-&mm}idXBLkZP+YpC>UrZB_R`L?0p3 zR#ubGy3n_3E-7-)(6)x^%@4rD^pn)&7`y}=^=}y1tk}^883I7!y^oB{F`aWs9fRM2 z<E)I&E*O&)(@%)8Qd(|=@ZNxn8MzoG8x2#CD+|X}FVt++Ib~E{lWz-klakeK;S?<q zvA*p}ol{1w)1>jivPN94-%2l=Mvd3AZFlHVo%2VX*$SbS^2?iv<t29%k;Qan&X<@T zAYWT_ml2sUpx;chr=*b-te-JcU{+(FSo|?Dt5PIv++#xL6jQgr_s?1P_d!yF&;coe z0F<`jR!5d3^&4p*$2FM>-<%*Eu?svsG1IRfV_ULMi;9OMsNo}cS749MIi<?TEW|IC 
z^bqcOX>Xk*bWS>jhk6k(f`=)4kOHFS8B0?6YM-$@q7M@V?rxW9{7njwg-eLyi+TmX z?!UTK&kFYhUVi5U!6Jd>Bgr&u?>?yy(U5!F<x_w?nAd!-1=`yU>PN(|kmm@Fyma!B zV@NmagEW*rW;w_@bre?JY<G5;&!64t%ldYY&iScw7&u!X7jLq(Por1o6jpa@GN5d* zaXi`u!wgpH{o=XyItBAK{SeJ+<R+P4Kzf%f_6u!eo{R)i4!?jJaJi10SHyDak?C>$ zI{Nlaa2K<xu(%E{(fg>?a=2*eEyxr+e4BO7MAgTO4U@*gc8|2qS*L&n5D&WG0Lmv> zYD4je+u2`$N$H$%>I7q1@TQBsCH{N<H(<JSPB?W0AOe2e#cDY3D=<1|nmWc)!rLxZ ziv`|+N$8w!>gaO$yo=Rn{+D1tzTNs>qUafoUcQ6{i^#V$)7LJY^HCL%3XD}rxsr=l zLAUFBXb1%e3Ty>fn(1JZ&iQun1i3JpFJM-`O5a5v>cUEJv`bwS%zAw%RRI0~#DG<c z0ej}{BCVS%^&M1c9lZ8*y3+?{;fh2Ie7?L!-%cfAcxw@&6p7ZppLs~%#*7JB@Px&T zh<)*9x0t?_K1Yx-z&p~MQWK&9*-h=>mJtaL7OL82JwuK9IOi{df{c4W1SQa5Y?o-c zT~AZ(otk`0z$P<<pr)HCNW*%H>h*J?O2nhcdKgLL#|FCeB-KBH+=u*%fK}hvwqiUY zNPxtT4SIrFtlKEx1pqKaJ|s}pBBjTv+6n9iig!xN8_8V5d2{A()ML~T*%ieraq~YT z7ty0sGs`>(mI=Av7qVgO)+5y941_W^?uaI2+g+?xs7vpn9>7FI<{8PV7f4Zat=>s3 z4rtP1PJ2!6j(V$lQV&z*<C=WoS0I%x{2;Kd>RWhAmyy7hu#f3(#`m$|+O%xQxD3u5 zz~(RZV)0&sSq2`hNA_6zetk0y{vI4_enwSF%H*73>rx|&8?y7(Kf}6Kzm__RV)O8u z6xJRyj0Su34yu8)hr(aFL`NylRo_Hi01<*NV5gERX%I`=DRA@J)qk?Ead6AE`bKJf zK$CU=X@01xY}yLi9P5?c$`_Tu=K?Qu9z+g+JG2it-mZ;mUgw+rUu-?%dZF6of46_u zb*cY=|EiWlzJGRPeE0f>d~IzXYnyA^>zMU^)%&3L@y;iC6Ri(<e&g!)e8&A6_p;!+ zmIpmA_IN#cwX7a@{2|ci`e)^f>hIJq1%Bsjb)R+bXt~GzUG*KFVaLYS=Py<3Qjaf$ zbh_E4BVXS!^2CaGBLbWv`4P;J!V7|x6(E@^zapeu%E2e>kjNhfTqf8To=Y6TQ`m@8 zfuZ+7HWrd(XZqdD^n|ckG4vU}M(i=%4(jF=PQU_=<;vSa!`6GC_p%2>DtQ#1g##{P z$4NcGqVgG#7YVa|<55#U&VT|_x3d|R^w&YgRbvDMx`gRX1o>ywO&gH^4FrH+BTV6F z!nuPhn^Kh1T(GayjT~-ktJE_vlw~_D@1i)EBOY>B+Z{hZmOg%d1EN40rX?t9>Py)N zPJ}?T5d~DyNkz;VC;N~fva^U|D+2Y+2c2rs1%doh>JUdXQ)6BjnlsY@>Hew~gj8TF zuR;p%Xd&!T9pG#y)EaTKi1>s3y1G?uDwC*s$eC6yZ?wn6LvXxP$Y@X2%Nkc8tnQQx z8>*{#U{mf7NlTs^J@0{Z2I{Oiut^3<iNwPOSgR~huw^_TjU7Vq$*`CE*uu?g!0QAf zBMglcbJzvh5{75W&P6Xgk@pKxdaCEBOUJv~GF+gL@5;-hF)W6#nG}XrBlw+vX~z7~ z(+!;6)QENNpm&-e&#BIuVUWIOq;U*wqFy?L2^I)nm{!wji)V+jtcsv%q$^W-Q5KhB zRpw;fZyu=GDfj`AnpK#$C-5}y>@=N5SnSIL#mvC+`xKE7Xi;lV1_L9JU~y^-x<c<* 
zU)rd4v4nOXo)IW>I9M{R-p^hl`b16MMAqX>CM&Zjs^`Um9A(S*qsC|MG*3u=8YwLi z1`RX1M93f{8Xg9m7<eq`gBFsW-i(eQ1a$5$mp)#_02h&TX$y`%fah=~fM1v_Nr+e+ z>_;ZHB7Yh?isNTNVLG>P?H8sZ$SRH~L3N5FD2aSkhtkelrRS*bxf-_bBPq&l?4`On zUn)|}g=Ge+c|TMfvXDUN%$5Z_DUwicHfeW`-k%V|5KM^lH9~#R!J=e1z~0Zu#OjE_ z0cIekX4$+h&lg+;xjV$pM-EZs@+o6PWdb2$y2|f4(Ahe?T!W4cA{b$_!N}pP<#);H z@n}%2L}FGt5><Y|yWVO^zC<aH3r>pNbQ-TDQa+=Y@)M?qIVAoJ8wIg*xg}@Zw47H` z42Z&8fshB~$Lyv)2EM{KAheLvB&txx4Ga^BFv2i_DF4dLYf+|0X{J=Z6=-YBRgKF+ zD&Wc|_{BBZH*8t-v^S7WwwzP+tRQ6w;5!W2AR<wpy$w|!q3kJ?&6oUtbclsPiZ>t9 zWYC4{tzJ9kex#{T>H&G5%5W>?1q_nGHeE_Gb|Z!RX6N;S*Ues#WyJ>Qc`as)k1Q{@ zOz?dj2X@l&A~{h)JgVM{kx$C(78!h~rlh#-Ow+CWh@Web55nx=_mufNi^`BKQ)>6( z>eU2c_(~<&N2U}9pAjDPx`)!L88^YeXfG!4RK#99R>)MA_p|Y|7VH!Rz$=s|1sDz- zV7!Pl3Km8WNp)}+$CB$sA~-P-mH{Q7!f@n0LU>M=aBBG@<q#^zkRBJRUc{6FE~sZq zom_dhwMi&6jzmD(;I;)LJdxbVkVE)$1O=0DB~!qHbCM$Qwu#&&G!>4tmx<A9`lF<8 z^yUNPL&~xNgc}+4N~lb8LHJT4wZ+_R)%UR_(jny-$t7{d>d^-myfo#D9JwAmzRIgr zTYC|&d&svzPO?XzzKCrgv**i{`iBzE<Dz?+5`Z69t(m>KFYu~87=Jtnr2%<+slyA3 zm5UWEq(~7K5$22Qny#qDh%FJkDhfdFMiB?keP3jjewpaM58@o<UBB2rix#E9b1x`L zKfr(*o)s9sVbaHus7{S&TSTDCkhSLk!`i6b{FZm}2*NzC{FAsBNl9YayRrK7YJnlV zXn}hkiTjnt{R2pdycocz@Oar2U>vMc5gV|9C`s}l$5bpC-6V3R3F<%sL}rZ=9-D;R z7AEl&T9kN<l|5{@;Al(DPKmz(FiMG~%k(}~3aNg!Xjtz(%G;FS`-4vk?g?HR_@UYp zcrfsUz;5ji+Ph$mI;vfw{K5Zs{=e{_@UQo~d>`|@+&Akx;B&UUS9x38Y}=LIS9mjc z^Y0%$PxjmZ<o_4lFL3v`9jzZ~y}k8dYYe#mFS_3EdZBB-^LNfqI_I1@=h~Kc1NFZK zum8Q&k#&R}tJH_p`xd|L`YQa&+}$fA4v&mh7X#xX|MT7oyIxPU%aq^J&>}gvbq;wk zgk?b73O%+b6!uiuVRvAw%v5RQiiDBX=I@kADjT~jZ#;hqo5<W7t0U(wE+Jl(wKI91 zW15b0Bs6TwfT&`h0dia)G+XtE?XvS6?u6)8cB7=(U4LF9%hFc)yG-NB^q%K<COncS zo{W>RHA{XZZ|8X*eeI&2zC)J9(cR}cTK<gI=<T~j!QKn!y}T?vcuxoHHX7|Q;c1+~ zed$;A{EyRz&wFUL{Tz1)WtWckLOSutc@e^thL0giJ_hCo7qW;f_UfXUkygC>JVzCs zK|nJwW$DP?LJ_79q?)u#C#I1H!5fgjio}qRz!CN{l&m<<p-yWwys$&>Ss3Q9!{?n$ zTkTPLJ1pOMo`a(YjCZ_<9<}lXu|iXYKX~3j6t_P`b%Ff5q|r5eit6xrPB$>Jbx99M zv6|TU47H!<WCaw04v1+aW8*iVz4e~$rImYV4l51n?%D-QW2VBn21eK`4CHIpz&?;v 
zxiD5XRN)i@ady%`EZU0)d3ZGkO^tDRg)<7Q!ed$Rkfjp%Brx}DE1V=C3ZpYUWfK9C z=jee0$WR$R);D}`-%$6lqm?^(!B@kt%GT6J$!4;%!U+T>am?BLLF>L0tI4hkXB8*{ zNdw<xJaPc(3m_0f4&;}ftL%Z&+E6V^4pcb7z+8J;JWnAn5vhq-)=0jHjXR~z(r8=Z zxgC|Ww5r*5`38&uBU<3K7<=>n$}Cgb2f!4YCLf`Jv#T;g!#TokZ9q!Q3Cf@eXriRI z*dE^4T;YrdeHZ}8Oj*HF20874RXZvrK8TtOlCo-(AyT%OKeTFRg%gqBo}ieLcxtIH zlf)|1^!a1FfsppOTRfUZwgGxd6cz_kzlb5yx=W>Nq*7!WQye<rrV;bm!0Npr)O4Z_ zV8M6-a*3JH@2X7kSH=N>VEdZQsqx3R>D^G7<gc&MWJn_W2N#NPTx29oPi2BAK8Htb zIUqxba4cUfAr51I<#z66xeRKdUX~sa1E<EG3O|Qj#{L5=JD#A9mKdF~xpIoe(x=Hl z#Nh>_727NP*eG1)B1j}_4?nW0e;X@f)N6Nbz4|DU?Ug*$1U^D!7p_h#O#7FOg!7~% zzM{e~OvJs5XTf`5eK(&9-&SGt<v6Y)&OTh-^#w8(cU2gNc?2&V1I!kW8*lpI`Dd_c zgBgg}8JLsd>R4A{U@0E%6A38@5-RwN743Or<?*~R*Fg}4N)(OsP`s!45c(r|GktG` zah2zAy8&&UVHDShCG5**JPj)oE>xsOsk3CSsxZK^9qUF>Zd(r`PRp=B?yCS|Nf}d8 zNV<q@heqT%WF@<?n+>~IHW4xy+QbjC;(<9fjREW5Q(-vf9Hc)^+Bzt*m?8vmDH&gP zRTz8;Tn_oFBZ(y&-M3X3YYF~@VE|PmkcKrp&@xiX*~loRXoV4%M<tmubna{_Z{xVZ z$}u7zk`du%f!$ZiC2SF1Aer)}3L_$WH2Fw?p`*bpT>Ff`<_e=A`v4W-Hv){RjUN)& zS;^9PCN=3mAn9W%euo_u1~8sx^bDM%)P4yr)m@b%^!cJD6XHUegp4~`?R>F4$w=}) z1az_*AYT<OZq4~-WvlvC#TRS)L)%x{9&9_^wx?~a_nUZ^?^)hy@342P=f6Gg_l$bh zxgT;r!L9l3X`O71yT0Xmi!0;&gY#p)UpjAgZbU}EC$;Qx{K4@l$4eYHIM%6O4gP<@ z=LL@i+XMd=cyHjjfnxzx`>gf~?MBV*|GNLx{>S@+)fzvBfIpg7y}tVQ&A(kF1$rw| z3zsiL?7zr|C1MrU!jB>C3Hz*RgI>_T-CbeTdlsTT9ve=}r&aCXVVTC9aikEmD4>h7 z;_}%6Ob$0gXNA*;3;+ksZ&ip1(C&sQ1vYE=ir@$$H=fwe<w%7!=qz93FiKngwRzp@ zyDM%wK4+jl@k>#LplyW-T<D3ZofTG)C&2(Y;kwC>7MZ90P=(dwa=U!3(HMb<B|B^8 zse#FTzIPt&fZ(GQp;ZH*D17@DZMdvP3PdWbTm#T15C9f!Nkngm6*y9H@FlG+m#K-3 zj3gJE;dtLbw)N%8s)pwwQDJ=<n12!CYKFGTtA@n)S(50h17g!UtIxMAPe5x0>RmjF zO}19PP^`qs)y*)H8U2YoyWJaQIDeKeaMG~JO7JMA3o!HPY=Nj6)>%J4uv|K!O|Nhx zM>U3dM1O*@2$*3qnh~fyb2_;a#D%l)sN!5va#*;;VISe7bK)HV3JM($-C39hENSv& zxdVNsbyoFr4Cg}_E1MT6qE>kA$Ui+#+-q3poPhn1GXZBo#=HweUHWcQrW-EzAL*A9 z`W;NIJ|La(VnZg?H$DZitP2cBSd!#<%!fF-cQL_)n<k(@PH=VNRP<C2&}ZWzJZsP~ zte@l0t<n<o#6&bc@8^i7^fjy#<>Iq^{SpdjB7TPU@9Vf;Kg->^p<Y4!jK%h145y{h 
z2xk>~mZ8xymOw(e=Lv`0qt6nH1e_7_IP?`c#*^Hq)frS07^Z4QR~CT88}%6;&^l=7 z96|Z$g=A)QHZ&Yxo<x{xED;w|HHXy&&6^%lqSFs7Fh6$4`xD!Eht5`q{BnuPuvi*X zWkDbZnqRK7)!}N`)hX3udOzVq#79=?Y*1(i=$fAi<|4_6R_jF~X9p}JuvTSaTxO2< z3Vn)7H{v$o*F?G0d|_0dq{9B?5*T6)xG{bNgWRRFqFsbC#b6MVU5wFa7Xc!<N@r(F z7vSprq5>lh?Jq5C(pd@b5#m8AE;25{9WJBGh4F-U$6lS)>~kDOkW41TT2)uXLh&hq zbXv2Qgz5maIV;*bd2a)_G9RwxYMoW=t$@*k&goRYkq{p&&WbRP>a1YzY)9@ApiW|z zeV<fjJijHMN3&bkI&@aGd-<wK$K%y)s#PEGsdWqTsx$f=AC2o*(6eii<fFlHMC!qM zmV-A`Iw%-;RfUb!YnKZ!XTrQ-aK9X`tl{x!U`ZHH#7GNx(UI<ZDpv~j5r?`9nMA6) zxQmgP35=1hojI^JFb{$?*w~W^oJ>_#Qx_Cf1E!oba<ySkLCrDVy5Q6}0Lt<cIHP&w z?42lYs&Jx5D1A6h$bWwbEf^~S1*;}Q{^80hW8TQwhk46!B4VDB8B#p|$f+sP{-Hq$ z8I*Piv?)dz33L%n2Dc|tvW!4Kznlg=$8s3VDvRz<_-<t$pm2qgNA@$MKZ8+;^Z>Z2 zPtM{Q1tJ)R0C(jm0^l*ANab<#)vP8T<EfQK8$8>St*qdguf(y0i7_2Ngv+7}QUJ*U z#3d+CExnep$pn(hERh|A2+Z-z*jADQDK%s&m(f5*H2Jts?LZcI4(OW7a%#F878uxe zGV$7`=7T_+E0<EmJ|xk@?U~HfRjhgvXlrE|)y^ZFgkSint-a8rKwXtfs4W@5`5Aeb z1c>zVa*@}1)qC?>E9`a6BkeNGGpTfSi-q6WzNW&S*WGYr0q`A9&ii6?cZJ=tvmgM; zb})R~hjngIuMfI{>y)blzb7VD3jQwmtKc(({}KFg@CQLX`0e1o1iu(820t78c<@8e z=ieE8F!+YxYl0ht_XqC^&ISv?k>GLY_(y`_;OgLtU@+(nwgi4(|IdOPuvyroK$8MZ z3N$Iuq(GAbO$szA(4;_<0!<1uDbS?ApMU~qo<at?;!`fe&&j8_@$>Zkcj4#l_fO*I z$o(gSad?*KPshD0@$;7Zhl0;luHxU!_v6_8l#~DHeG~Y3<i5lBId~sEadqfEikZE- zf*;DkduQ;o_uc{gyjJhP&+xrb{M>vqeq4%wtN&bceiXmxI^T_-Th7zxH=TFk=f(;- zNY+(`@pDauKGI*g1V7j61^m29r;i`d6ZqM#(-b#60YCQU@#FG6_;K0g4$qttaCbWJ zm+9b0U{m0ozVB)GYyaZCQ;Yll!TWX3GSBPXoo)Ase^9IWr%8b(1)3CSQlLqJ$DRV- zN%cK{+EEnr<K82RvZ9h#95*B3X!isH)3=4zb6f>5sC|PWcxmJdSnG$2#fkOu88ph3 zFin}tMJ*#UHv2iLOvbB=*8%{y7@g}3g@Ag3V+@Z}PtC{-B-dpJySnl3;K4zo1Wq6% zt;!*h_ZWKVKh$*{Uck<BDrd6_+yQv2f&dpM31<p0I%4i69#eu#%bn|;Ye3D>5icS^ zSLiL(Gd$2Mav2T|WQWDXdPNo;egK0VYg9xTlPOMfnzEz=^$u98@oRzn$&YrfZ}}hZ zq!L-;%8lu}ym;()g+5n3F!3Oz@HAVr4~0Wnyx@+PGK#ZhJV`ESShXUAT{4JE2{mTm zzMGjXkzdd9@$v5`ks0GueqtK1AelV{SRw-Z(8~q6sX0J0M)ReKIm$3HT`D4lHv-PF zsFZJ%-i4bfV$MJJ#}$gVH2<tT?(NWB+8RxB9PR_<GLZ;Eq(Wzt+3s*O9kMc>HH_e~ 
z<Gy$-c##Zm++<}$s6sCu-K4Ma9w3qxt4Y>_oIz#4ZTk@!pPLyuCCGx!Hj)n=9o`?# zFd&HNLx>d+iIW$SvyrnCncG!5K8X?pBMHqQ6o_hZ)^2QFxX_E7b_LiXyf4XX#1-I) z1V!kfr-@3&dk#Z9KU+OS01ZowusN73pTao+g{kLb`IA|AC^2^FBNam@SmHF{yU>dK zum-do0e75HN9MQ}%YjjmLlfR(5$9t)Fh7alZ_W}U(6JIW*3lUnK+tmDw%zl<S<}a; zM$W+2h&=k%H|QuJ?+0>Kz)^~gBcF5=JC&2`Q;FHF0FCkaF&=-z2E$~C+%o(hor$mD ztgZ$1u3Ya~(at;QSa$dT{TuEXx@j;Ri5mN$g*1fK*Lm9WTnzxQ+{}scsXX%P+%P*q zu}<{Zuk8^<E1_P9D~GaF+33#k&A=)ZJ^ugt&lLlnj?<0KZ4XY)@KE>RY=2)i+c$7H z)H85+f8V~|!^3^uhx&$Z3Uwde7wS7a+<RaMe=}&R`a#X>4|_Ta4f^cs4sQ)*W#nNW z5`D=uD1<+tbJuO8594iRc1bGe&^Av;cY`hm`;i$Yw2!jR93bTFR1OCsv==vy+5GN6 zpHc(Se%zIw6|1<n?(7ZO8`7PL&X`$$Fz}E<8uOp*&#KEk%a`+LdXDwt2`^(Lj;{po zRi5)F8^+>3v|_a+oyw$(bw)e48UrQ^fTEDi;j#FmwR}oh?(iwW>jN**zOSYH=Y3!D zwX}76pX>Ry$LoGt>sMQ^biEyK^=)vJ96swGb&K*5<yQQoD9#&|&p#GJ|D$~q6Z-WZ zt@A(Mj`NrM6dZ8;S);GveH!hIb;gZ-N}+Y-ZCzdCg_%>cCp#fGbqyRNL6oX?0S|hz z>ujPk(i!W*PvoWRirj%{vKyjdyPVQFIjVQ9^eG(&#CM9-a!>csa2%qV5H@hLcF&F$ zW<o>2A|YW{?LbD#rIAibU(-2WJlh34&+SNQRqmn(KEqb5SXX&kh*e<{VoJpc)IcVz zTsaR27{Q;fUdPXGp=38$Awi#aCOf0o2<-Px8j-%?aTsxQz7fYly=TFdLx7jz`JwU0 zYM3!>+YJ}mUE`NoYrIbKqFATNJTGRAqv0E3^zwknVab;eR#{QhKh|rT7n<Y$_VV#y zqcu#{?z^R&)5dG4Zwp}GA8)wtA(f;<Hdrk1oBco`LXxcB3bmv9lN?$aoZhKn@V)a5 zK2<Z$(0=5Hq}+gy)qqoX`+dr~onpLehKtkDNC;`T(%rEWdrK5ed}3k37SH9%)163f z)^+aOxiEB4;)daw;&d3<&bp|lE_6lzA8y#6KJ4==9eQv+f@MM%ls!Y62w00DAmN(G z0SmY+sd43w$BL>My{m2B+XmYt8R|Yde2~QRp6=m+p-_MK;qC*y{rJUWHR7bc#fuSl z&$kW<a~+`QTB_P(HQa>0+k@eb&o^AC8F|i`a>3p6Sj`}=54vgRyXTui%%r$X1yQec z(aVW{M!P<SB;{C??P5k}s%0$f`lvA_Bwd8uR77a=V<WckSoDa?I-(5*8wquf=B7DA z;leENPj$CMBl;HSLT5A@8Z6?;Amr|cehvbU<VW$i;bSAf5{dO#3x?a@aD#XEz`QUx z)O$nUz|m~z(7*v0Ee;P1_w6T+2n)tzax7_3dMDJ<c`k62XF}PVvctXop`+Q}KZ^lp z^q9I3mD8c4hqFg}dU~_j{YMW;N_P)q3WLMh$BN2nG7~*fEi1wA20t2neefB;`ws<^ z!IgpE2EG>fhrnM2^uS1<H?T3_)qbRXMtiIF0>rc&*Y;=|G>`vB{?Gc~>VLlfod0J3 zPR9d|=lDbZ7T*tipYXlO_iSIuH|$IKR<-@E?Hg_HZ+m6i`L=x9fwqn|AKnc7ocFEX z=Xqzn$Gls;t3AK>e9QAe&#OK6dd59{p3NT3{WJIH-ET)G!E^4L-8<Y@xs}%Mw0^kt 
zZ(E;&tb&JHJ6kVt{Q`Lf-|2dh>rU6Lu3fH>%i;W<^P|q!IiKd7a2`fN^Gor{;Fs{u z;7eMb&~jVLo|g43PR9=%pLCRwpJ1zFjYCzxuYO#8qxx*TPjF7XMcu82s_k3R&J-y| z>ZcY)d#F!es=iTg3(6SFKU80qHp&iF507j}DWgpNN`0ZJ5U5|S@72`!j?|Z#8vkH@ znQ8Fr#|KxF`OUIuMa{xZ4GK+r^u`8-5o02UtLH&$U=Bz9bbX=uN%d3pgEc>yT_XqU z5N3@;XVTJn)xHL$)<+LED7C(Nph2nmS@pWQ(nP1Zp2~L{l$tB5JlvqvTvFxR4NA>5 zRld`p)SQv>tp=s$jFfLQC^cuKe6OxFZd;&T4NA?P)g28=&7Rerb)_+De=8qtP-;=* zeGN)2YJ99gsYQ){Xi#d7S$TDXQgh78C+bS0oz|#6*PzrI)t4KTTBG{62Bp@hzSN-9 z8r4^7O5;_A`j!TzW?R)+R~ok&`GXBgt+w8}QriluFK<w4(n@V@P-@ajbu}n8X{CA^ zl$x|s-3>~uF)MYYwiQ&>2BqexlqWSPwMO-dYBm>*gI}AYI^CeDH7G|-DahDqm9D5O zO<EnRD;tzrZ68-xYWLw>)u7aBySA=0ZXHl{RfAG%d9P?tY7$ai-JsMW<eCPhCLz@; z8<bjOzPzp!*QRmTsF&51Ms3V&LxWQ5yP*c9R?q8dN~2hO^O9Gd*Pzt87GBVx)Vda4 z+@RE?v+|+_r6!$~r#2`x>8!l0L8&=k<s}VD&G{<NuPKdm+O7rVhYd=tp1;_j)av=G zb)`0@qI{%5sYQ(sHYl~I@u3E#7BxOlb9~{~uufUNK~rnU|5#Uw<u^8+^0QhYW~<e& z`qKJBv!(j7+QN+0Qu$qdq1jUT@7lt&)l#h!xzg5XRTA@TK3^#lL#;*1arN)(3$1Vd zrnb;7awX~uP136!^@ZkcQ7@@4w7&UYwS^G$Ov2w=UubRy^^MiiV-#1WIiON~nK_<f zeW%uN?yGHR^R%q4FEc-Qd3~Ar!BzET<_GVo*?67NgvFti4>u^asPp*-r6zflhZ>Zc z!&P3@pwt|&^3M%Q%^@p4sw=gfGxh2QrDj{Ty{^>8zm=CZD78lQ!Um;g&&sdsN+Z^x zP<~vy=uw+g{~z^*7We)|eWA4kzpO8`R^UJD3#|qCRehl~)1THCS`+<bTX0x;vbtPR z?^pjOm<nDV_@BVH)&9VT1Fs7_BQPBp4rJ8Z9m9ducn#oT?ZevZv}b73>OZRA)`qo= zcBQ8HzvutB|4shq_-Fh#`gcJ8cl!R-_i5jQzUTYy@ZI9u?Yp{VNAMXfH?^D%zP{zb zmglv6MvXY$==i?l<1G%yvw|O0mpi+I-*ud6S?hDR{iyA8ZEtUTVcVT;x3%qUYj5*< ze+)~(+q^IE-r>E)yUV-I>-7B4^GVMGp67VVo}-?OXSMqe?uXqUcE8sBH20)?&>eR_ zuJyOAUvGVX>#JJtZ9Ua`J!}QbT>t6%vg<vrm%E<i8gZl@SE#>tZg9F={@u0T)#36x zf9Cvx^Y5H5a^B^<Em-udP^#$_hpuQ6Q~hmiA%ts#!>B*0F2qK*n27qN+Ctk6sn*<q z5K?UWO|3b7Txt#J3$-2F8SUrm3(XCu{!?`!RBhXMKU-gDee-kmh31}8KT}-@re~cU z^^?_w5Fu^U{eEqsjeo1(t1q;^`Q7?L^LVHa*B4q-`F4GwwW8mwEwtZ_->5CLUGwVK zYYXjct>&JBie)2w%}K|a*eF!PK&a3n!q02JX<yG8xdRiiwaiwxgyGBf&5zd?THpLg zbs?P=i|{paM;fEGXnS*YODeQl9;+|3mh8s*LTf-b)fU<be@lI#)$-QbLP!DT*}kp5 z&>HRW`a)~8L)C@Y@0Kc{zOBB{)CANw*B6>siTd{XLhEF|qrT9Z%3JCSt*Ja%UuaF` 
zf%-y=d~dBSv|YyP-_;jd-M+KF(CYSG)rH9_)7_=@h1OJ-)fZadyuQBB`sVW5LYp+G zcGeeK-G=K6t!}$&3*#0FP|egAni`|JwZ72WCh7V@Yn!C%3$1OEtS_{-$+r4Ji?;Fl zLW>BoYUv3a0r#1ClD5}3wMZ1HEwmq&?)pND3VZ7dEh_A*FSMwzr@qjl!tVM)iwZsU zg%%Zh>kF-U?yoJho1M1Q7g___TwiDnh-~XNbqzQ+8y~;6zR()brfR(c8{Xo^w^ui$ zGIN^B`TB-tubXSjY`l1)wo{vBMtO2=LmPR<>&r~)OxBl~#5q%6X3k=|zRa9Np}H*A zxz(b~hWawI&ugkDNbSr%)eqG+%vdT!M}3*Ole_E7%#9qaFEa^qu)fSB%$E8xa}tUA zGIJ6KYRl4=wi&B0Gsn5JzRVowuKF@_oO|la%yI6nFEhv4S6gQDDJAR6%sw;qWoDo0 z+Onjzexdp@bN$xVmzndsy1vXD%li5<b1YZZZZx~p{NegSli2D<>kG}%s2{5@G>4;p zqINtsme5;YW{!1xZCT8sTUULVNw=-_W#)bg)|Z)6ysW;=oJ3E3nK{lH&mF5=W~XY6 zg^x=u!hHY^;nnjvg{x^wAr$5()q(0l(h97?U)L8}<EhdANeH)E{%dVZyEEa3ZJx5y zrT$QHeA98WW3Bo_c+3ketDFxzUj{$=x|Sb#Qtscn|K2_4-qrelT0h$Q^wuom0lwyX zm22D;4!$bb8(bCmLE!a)zCf$?DeW({o3su7m;0~tuk?Kx?*yKN_x}sthrEB`jeCA# z{_~)xtUgb@NnN3QTY33BbP~Tt#p@QV&@5ae1=1d%!Rq4-DG(@aJ_$CIpT_HvHY}K` zFAzYKqL|9*3B3J{Fv8pv-Xx(QRa4A+lI}oo<G?&0O(ODesxT>Gq7+1Dyn}{3;s#WZ z1JmrmoxqZE4B)VMDtb$3xP;GRz*`t;HH56ggy=WNaL)q6Pl))ZKExV~m+1B3y+zox z&8APBC&CL9i-+uEY8aY{k%-jSW`9qfC%TJPU~6ayF$*>#5@u|?l$#74LQpT@v!{@L zeW-}E>SlN6V;%$~G+xk*=x#qcu&-q$>FG!}ZjuaT=MX?ViHT7pL$PGVfj#v)Pe-nC zt3+sU0#S_=roqW)c@6rJG8U<>@q~i_zLl*pKc&mlvAJ<q@mOeZwuCo<>;t}kpQq#K zJoTd-B~qB0rPyBiumIYIvh<d5e%u=Web;+BM&{`xf&k&^X>2$|!y>Y@b`k3Ox_7G# zr&FsDm4n0K3n2cE&$kh?1ir(xIUzgZcR6MoAt)BrCNrLnosA}t1q4nUnyLIm2r1Qh z5v+z2dpv;rHP|9qAoqLmOg+N>ChR@PR|3sFb~@$h*xI-Qpy$O)yxrraJfC~(ySLBB zYqCIFTLZ??ohl<V+WcH$ei~t?;S?07XrjjBa3GS|^wj(`irbnZA|7$?_ANHP%hS=< zc#7DO#=7vv5W&^eF_vTV5BUNcLe1~=AO@<z>hxnrTyQ5ov)j`#4{OaJDg)bzGF5|3 zmGCNX3Av#GKjqVElI$5fJit~q{62OEm|_X33J~6G58g5xKYjkjsZc*+s|f8XnK}p3 zBfQjX{Is^K)rIpXE%HwL-&t**m8FaTDJvrY1$dk-jN&>pu0Vsn%IoL3xu}Pv(F3PR zXJm32X(f!d_)kJCQ_>3aJS(sB|Euzr|A%P3-_vnZgN;qoj~dfQ=!BFZc*4ENL_b?~ zw3VM6^dR!7{(Mk35nDG1Rvasg&x*_jwkzBqsq*o8cm#E{Fic#1A?};q4aP7;5#h!u zC()%FoP4faFxO1|%m2&XcfiL{T#awJvRC&OV}orhpNni{`y^daGsVcVYzr63lH6$G zES(CLbV4WDh`xLHL=QED1TZzGlLARdAb~&{B$R}NB&3s`5D4iB$@hP=b>?=@B`f>* 
zzW<qDa-%o9^WMCj^5)GeE4Yev)^Eb5fntz=aeB+p2&Cu@H=<-q89Bg+Ml^kM0r3Jb z*D0$LNH`GZK4VPlo7%aGbFER<0<*Q~`5ohs9A{t<1PAaqZ-Sr>u+j`^D~4QY?A<pO zkUfBkny?nTU|<k&022Yw2u6uzh=u+J7{Dj~w}UvrRn%DbEUqxaV4=>z>kBNAKzj_l z`MbwunX?HAE0DuQ@s`qGzOFDv7<`@mC~ie~E$|NC%RW$GpaI4M4YX@laupq@hi1VB zwiA%@$Kfl%;D$gUNXTkWojVReHHab8(*@GL&$^AeaK}ihd!QG51ho$9+k>1TeLph4 z#*=Q~r@UX9NvzeRSCB+iSK;u+G;D$T;M@VjIc`lGh$QNCAYVx?<tpU38fJV6BztDC zv(DLPXklE;4{P!Vgi_hh!A4z)5pxwe*bw!*P>dM2HSsaoi4n#R%m4@^qPC(+Jp09{ zvGuHg^GRwB(@U|BvbD_1OfNqf{Cn^NK`L-dpwhqBU*mhxx5N8w@1W<?o+V(TA9H`r zz1;Pxs~>a#ZH`|#E_O_}{*Sqy8DbptN9Y*!HR`_qcIN5t$w5r?ze<JwWgO@`&g`;` z>8Pg8?L0NxKxD))&^2ZM4I--;2D@hYsFMW6pK7ig1p!Sy*i9jqntU=vaR!>=+AP!1 zTKnjZXm1)33U<X&0EO;2geZWWA{9Xio_0XUg49f_?&%s$4bP#tep_{~?-T=#79{}g z=kvRBC}^UVQ3Co_SRu02p8|+ZwnAiUTogcbk`*FdSN-37A!|ggRn+|buL6B1m`TCR zMW&7v_dN#@c%s2f3}(qYb;R`5n-O6)MpKBW&I*yPcb_^$+()QI`~T9Ywy(yDoWn6^ z6J|u1CGynu+jHYV^*d%J2fK)zI&%7=W<>Rdeeu*G@`ev$I#rp8!LHJ#ju_v`)cOMt zzJq(BZ<(3s`oprVEX_xRY!+-y%~)hhBBCfgBPc)-Z151}CcquUr>e*&25ef4ThFQc zRQ<;TqS=a2qV3vX<aZc$)BeSlm~1iFdY9{4WM&@bFfnz^3l1FAVzbbSoWrrmE-)j) zEGwt3-+l9~5FLgw!zT}l!C@<MbStkZ?Dt$NM7q7f)FFbU@gR2Z-E)is#k_(C3KMyU zdZ4I{^bCO1o*ayT?ikcZV-sGcpPHmkVDtR{j}87S_@m&n!Fz*~!E=Heg4Mxkfxia6 z7kDbLHy}Y0#kGN@fuR4->{9x-{_p#r@qg5RwSN>m08aLoJ6`wueSZQE`&y>e_lEC_ zY%}{s-vhqunM;{l=~o>m`zGii_WQoGeQVgWe3icG-uJw3dSCE<-1{NOG0@BW!{K+7 zdpCF!-q~Kp^BeX$&nuvNxWlu@GwAp{-RbG@EC)XTj(eN?4)-*7uj4-U0q!bpl-tgo zLht1kb3ylC+&^GG;eO8jp!<6FdG0QDw|lkY3dabYb8MwQ<BqtGX8+{+m+NPY!}T@x zDEb7~$6U9#E_S7u7a_7h+%?<9IDg~JIft0{oSp1+=I7269QQfrJ3WqffK~WEJOE{F zOgC_3vv@^3u3K@km*N$%nEo}{3-F4XxIX*XBwmq->kBM<HeOMa&<`?f7hVxF%r4n8 zXL8e~BQ+8O@iL>;)q4C%_H_J}TFB?E1`uXX!z-d#N45|Z34MC9okT^Afun=@Idv?~ zJgtns5UVzrxRI<dTH1hDBpM9d>+p)&guW=VEsl4n=^8%$7k@g|U?9E{uc(b0oV_BC zfkw^c_$!d?UT5G6ydqYkp8{D4uc(O`AN)eRB948FT|`B_(bV`c+%!S|t_Gh*@fTuo zgB`<oMNNY-JO}ZLSc8FLCs|?OIESb(Bn@@|uc(O|Z(K`M#0(tgkrf7WcRQY;@Va=t zQFlF2flZI=@QP^E7$hk3$v^Zl@c&Z*=SW?`_#y;zAqB8Dc$qKY1FOy$KViJ3+8Sf# 
zxQU8{F%1@z6~+QHm#om6Vs0lYjPb*~NLCmhmL@8qI=Rdzh>B{Xe@~MY233`KMNN(V z21|q-u1V-Khk1#3BW57~I9Z|NVD=Fe#yn?!MO0v`^n9{H?>X}mvce!&z$+3B`m|x* zCMxQTrhZIR#EmcLCoA-(ST9i#)rS@HAW?z!V<B0ge{;4RuZSBfGV^VsqShey`(%aQ zbLM+Qg|Q7Wza}e;5A_GK!f5J?WQ9&H^G~9}812m8$O>bL3lSA@qp6P)6)~fO_mCC( z_h23-D~zTdBPy`(K`xbsT);d^yisio>JO3?233!f6$Vwek`?+WVLpjh#OjTv9w94q zUNKLS6-HBEBPxu&miY=<VKntBSz&zIPZJfj#v8vOD~wU{DWamr==sOU3gdfxov4WG zIM}85>WT>fvkAD~5F5Z7iW;+njS>~cI?en8Zz*cf`bXl0xXxO(ny4@YTIL<10&D7B zLL`DL_uA&cI?0-99Sid_qNduIoGg=9WAOcd$eNhG%&=@;jnU1Y=hYZ%@1MyUY)i;< z+5|;|q2HtLCGDtDrQR$0!{$nzeEL>%r9KMjyUmq4sq{VhmAFscK69nf>_^R&MzeR3 zm7s&eToQZCmHLFGA2wI&ET^9~SLy?v?lM;z>^s|BX|QjHxzgxox4F{j=bibLxS#D) z=1Qa4FPJNhW<Qr-88sYV=m*V}1`{4IR~k&na~P@z=PiQ?d(Cee)PB}nX;AxlvJ&|m z7|m|-I^Uy~((lj?FZ(HolvmHP%rnd+|K;G55cO}G|0drfzFD4oxc_i3ag*-9x*v6) z?w;j(+STm*q_fZQJBR34!?b$aTrSTJFYmg{zu31k@X3HTDDgx5(eyh^tMVVchh9xP zspqNv2g{?M|NluMFG^p}0>iL%7G`Ztk(y|DEm*+sPQraNx@(prmySUYX|S|KX>kA` zCpilDq(%nQ6S4&%TwOyZos72ZQ+E}x{q1Oq#KF*6c{<#ZNe`0NcK<G5zzarl2{1JV zb0gJ6T5Uo{xECy!Hp!=7(j*&RjB92=Y8oY(;PnH&a6v!OJ*e9TQI8fdwt^-gNs4T_ zlpM^n(4y{WQZ1&;iJM}v@McI9G=h97fM=>@J+h(#t9Z!brPF?U0rNhD7`Ie3nJrU~ zbZ`|J>t4sI!%gF0fDf(}fE@2SSVw6#gR)Im9yJdaFjzy>K$5e;v>N<aHnPg|ZlE42 z)D`&d_2JeLNHT<mQAW3X)0yzt0NB(InN82oh^Y&=j*mssy)YcXrVottkpXxH?6gu! 
zvaYdy$gk9m64+$IBmH0iiHx3mQiEWGF$%GFGvVE-!NE!m)dd%TMd!FRCa|o9JQAY= zJHXIQjo6z(z6i2)Xa_h%fOku0vab&+af9e(Veo%};J)g_fE-FNG2l;#-ku&z_f6=y zcYzmzoPH_KKn(S=#xTa;00T`+SJnfm<cMTHT0hP&WSI(WCBX1)I5Gq&w|WO;@0sTF zz<>m7M<6agOdaG?VvN66T$fNN{44w`U<ME5C91<)!PXC)Ix^w)1H(H}GwPzC5k%j= zpRW(bjuWzLNm~+Ji_jpzY!<2ifmC`<s?g*I>~V-654;DvKJ<A=4+rXvGhp&JS$|QO z25B%cO%BS_9*rMJb*7{OGuAV(nbW@+M9P=Hnbxb_1>7glC)0;<c=fpAc44um{Ra$U z<JL<pc>JtQfk|b$FEyM3CH%oIuise1Rh(`$@0%hqu<LDa?QCvBF`L7!t0BqM>eluR zatP;eV`sR%xua9-8hxM0dn!&BXIt(A$RP}tXJoe@f$V9ikrezN_;@vfs|?IAc^-G7 znWrW&1XIpr7%g_m9f~b(H)8zg@G?mLhf)rrC&4-q67iw*ZOA`s01Y58Ytp9&^%59u zms@|y7_xfrPESCdI(ZM;-#42852Fa;k9nHKYQSz5@NZ1_7`Bxc!6#bLX#IR5ygE5B zh)7;HoZdZ*Y~;a13f~8NQN3cIH8`R1w%79`3T1gV{uLfa31pW$IwmhNEmf^(wFaYA z)wM=zkot82yIvTGXn%rm(&&rpX$<hRVsH5VLZPJ62mfzB#3Hlh;S6M>Yf6r2pBl|8 zltxS^_WR;mPer%nv>aKGx&X_o2%PPJEQGLJsw;%<G)Hh*$>alxD<NN=oD2`X2Bfg; zPNL*{a&AWW1ZYsoNeaP_3x-=JlkOgX&jqVB<R%KkcpJ)8BAa0K4YaPIaS3@Zli**6 znt|6527O4<Pl6l8P=T=ooETA)86qzim43twl<h)a6ks(U(+9@szCxZIK#cBy*Eukh zg7${H`$u7=B+bI9-@^2-YOrK&v>r_0Vg4cO!=4nlWR5~I7PK=Br*@+;iWsDSq#yWy zOQBTZhwyI@CQ8N<a{?SGQ{eC?FAQjt9@+u>u`yXO0@TR@TlB8fV0r|t%vG=y^bZf5 zJ8n!$>b=ce#cu0W4qRYlzp<eK*q-5&Bj#(i^oaeMEqCLXx|!>{9qkKVOojK?V{x&k zVzby`xf&$uKm>vX8+wU2JTx>utSyD%w&YlU=D!gR!cCAPur1sVf=YKkBsfToF4s6T zoEqDm9^FZ-mfGhV@8T-9TCbG}@W~xb!%n>_J%l_O)hq<fXx4Sh_WH(mDY)^S7gb$L z&5I~F&~%Q1bP3}M^;)Co;=&s^xGQXI?%dkizAn6~r2~>7ZiF35dyoEY@Nbj@ybNX6 zWHY)1#Q0a1oOT#5%GRU3dtm|pIS^MH41r3WnQHb#V=#OO1_H`-YyEE<S8<8;%&!5L z(RA;ad`3zsT!rP!SPbMbsHA?tn6A-0R=D8=NCev9>(Cp{6cWIYqm0UfRq5_=G~>vF z*E>i6Y-HLff2+UNU*>oD-txWX`<(A?-xa=decOGf_!j$u-oJQ%;C<fvu-DBtv0nB( z&r6=HV=wsh|B<_&I}2{yUvgjN-sC>U(d+uDYoBY_JJ(g^{5Ah2KFzf8wa$AT3HGzW z_nc=kFFTJ5eld8Z<9opd=7zw(A)CN%Z+{@>|Aqe^KY6!q{b5Sb_dN$1xpLW)h{5yB zp4tHt3MB4@gApXMl6P^Gp&E7z<j6#%mu11Xv|Mq?#arlr^9Ne+jX(pIFYj5-l`CGY z_{(h|5WsQ@GgUdsS-yHnJy)*eO2uDQ-JDg6KdTp+&n38W#Z8)caR-u5nv&@M%)Mk@ zv*Z(OTabYaywXQ|;aI7=^;x#?`w36EXeL-qLWsXo**`Wks2MbMBVv^7zp2rIRHo7} 
zA;PMvESk|)F}5elmCN2##5dmG8)sPZws~|Eq{+3gW)7mGwgsEm^$lEklPn6zwQAbp zl_?O{wt#d6ZV_luSiO1jO0HZ99)Q2uv1vWXpeQpMdarF11QD=;D$vA9r*P$pZV7K< z(>PKtz-cxK39o^Lii~DS!-=c8a>a)fZ=kh9mLSkpVUV&4vV?<AnPoF4G;!ryO-xw7 z3X;zo4IH2^%PmQ<d>!P5f|Il1WUgF^DS-FLvKje-yt!R(ISx>+aM-3aInL_EI?Hje z8j^0M$KYG2)7#=r=FS?fT#0;wQ@k2U%9}x3lSFzY^CC3e5+7`#J3+kPAEnF-)^9>& zlF<PevHKY<4$Bd{s&zwH(Z+7;=s3`btzE&DD`5ff&XQRg_p=5v_qKB7Y12rPMaoDA zoT5MtgCzAa$i_a}Cr^X@&LHMXEnK-0e1oJ1iKudWpxPXO%wEXtalb9GHEX$YB@7AK zQc6~lf!eQQY`hnxF*`s*%mbDSFIwM`jzj;ns^n}jHkdzIGpRo<M=y~N^P6Seq23rQ z85y+7WUR&-v)3{;JIZvXI|hd}XLW#rWM62-VxF>`Uu4oWOB!y#?}{;#uz8kjU)$N) z1`J2~IORBov_A&#ESScgYq^HWXF23G2P-hyVXHQB1d;ls8as`EC-i-)4ZpT-z^roK zBP;ZKG<E?|5!G!W*coJne&xwtOjZ~~MF^sdi}BSsyxzFTUWqqUpU|)GnC}o3hSdnW zil{K|#F<~>6?F|d4(1KA!sy;bI8k-_3+yQb+<1Nt(NLXH(MMM3-DbXNDVS{;7#$l& zL1;A3a*NN-{Ks;}%8C~4xNqpBtwuNNTF;dan3lE8!w~fWi4bs_ZBHqxVbC4HwhXHq zobY-qrz?BxDz03KFCi1FiX`$#mZ!n`<OJ*y`=^Mx(Q=ni9s41VF5F>QOGM1?)^X*1 zroMn`6U1AjVxN#VZzYb<0i<Q--zRY8N(>sJE9*f(85rqDI~~mN0(9Ke#+57K9`JY3 zK^wgX*5!w~S3FzCl`Fw6@CK3EdjBhn$C8!udq!9Wt6{;wrIm$nxdEgJ6cb~hZ&<!M zkg3U&V=64y*>x$1L!k#kvqX8{X0H4K)7NVO$q%{t!X?xwh^FDz9Y{h2210nG6pE9v z|ILwk-g0ua3`5w41BuB?yskH>)!<$4+vhvY*XXP83EqErf9m}j*yG>o6}_F_#h!n{ zdH*iYm}jl$IIz0^B6kV5%>5hpC*0%iO8#T~Hr^Hd7<dV+0S|#61nvq91rq*$`XBRO z<3Gp0#=p={yFTN(*){5FbuDvwoWFEF=e*N-k@GZXo%3kNA000_9&%jnNI6zI=Cbdx z-vb+j8`%-`-yt1zX-GF-`gb@v;MfXb9R4r-b62vzD`r3DbJOLpBFxr~&Nb+N5m1V* zhL}Q{*uwm)z$4YV6&CZ?LXQ}N$@W5z=<*Ts!$Ob5by{97^oSud?XY-c{YHq0XFPI# zfkzChVCL_I9??6^ZY%VNA#}ADdPMIuTUF>0z0>U0LXQ|dI=av!y4=P#n;%)Zxnq6A z=rnswp+^jXYF42~403x5JhE`1{u#ezex$K;?P(FrEc2B@j~Ix$3q7Lqh53A;M-09k zXZgrRj4#Yxg&xuQ!rWcx5q-Qc_xnbvjwzn%tGOygyQ#S7ft^PfZa8Aqv1ns;O&9u& zXs5m|us494a3eTamHs)taUxfxh&mR{B$Q?}nV?IFJ7~Q8p<1p=(Y{%{9M@h}Rb2XO z?4p%il@bxm;<c#q+R9O+p6ya}o?WWWQ*VO#a64DEQx;xKO+>4;&LjB`bOk-BE>&01 zrRoa0%478%9qp^jV-0$ftgkRt)iI?>LVMAL?&MK$LA?p)=4Bj2VnJ7v3RNI^=f`2u z4>Z&V5B#t`#%KrurL;^JY*`;|!v}s=Uz_I~m<WAIqrQ3IhxNscjvkl_eLBxNaKrk% 
zroI3VPeV*D%nD-%>pyVI`f@<Ms2?#~+nSp6FU7o0!1a&9_7iZO|IC*OxXx?lHUh5m zm3fPR>nvpB1YGA9^AQ5BbB1|SKk*{^4JI(3Azsis%>35(TdL-em!(2xjx8t}A#Uo^ zvaxM*XLw8F`j%Bh`gZDaz<G=X-a-qh&O&yg&?5$So+$K)&L~za^oYTlJLYlI7syjt z7mga++L|M)w3U-hoXX8pPV%ty$}4ZQuCXB^>)T+#(o8J7b`Om8cgc1;U3i>8xbM)K zqV8<q<|&6?tf{()q3rC^m6Kh^gYLCLfAdH6+&txy3461)tKh<~zxeeyH%|`bOJgtA zbXhLD+Dm6F=jJKbVc0u~$hHmZyR;a-UCqdo8~O%xZfn-*q}SJS^OOrB?A17IP{YWW zc2}wkS?)k95Ox`sR1G2Z4=XBTI+dW8M0Y0SZM=U4H&59ZF;uWAz%GW=vfTslN|$;= zw8)6nsN=lhcy68|7US<n^os@UL3;jXu1ZlmnD(H?>IQ8SQlcwr2)jV1(`6vF*h6mF z#8oN7%A(bJwN>@rUv5q2oE|#dqQzfq<*LT9T?x8nND6gIi==s{+%BoAwP^RcR<0^l zsNGtnU2Vh<rsOukhE`T`Ve`Y-J%1X2C1F1GRf@li=Ym%U=LS9zX!d{Czti_0-}SzQ z-cNf^_59E?;$gWDa+U5cxwpCAc3tM;oL4&+I_`HYgN%L&<}=KR^fUA-Xrze$CL}Bl zP_vxo9pxR;*B|Zv^H5@z#Uop4BE~&q1Y&H%#8IwrBF)3yU}ihq2T@=qBnS<pg@Y?E zC@kokj7E!b^}2iaZWPfMNp0v?5nxQ=;1Utg27z)g0&&8VBT7`b38~r$WMTAMUsN?* zho|3I6e0~bmeJzy;;uCJ8}n>AytpG)xR20S!-6PjJjb#l9o~Lpag_|*rg43E#@Z4y z&#~-QhqK=)2@Bz*MU}J}jmIkN;)H}EIL%ZdI2rssLUS3#bTZ-AMZCkw-+l>;^0Yu+ zyOHyot#MTw*-{@t+jPXZih-rNS1N~YszI`}PZ`A$?ff_WwEC9kNGMd4il|)f6GCIS z-u)MdVhB+zf{Yh35#3r^?iC6bW$u-&70IesDG9<wfusii=7`Sy%W7H&t#`Sx^hgA* z+^b^M(YmTeq=1Ol8S>sa(mbO>829W<g@W8WM?yiT%%92*_x6Jf1)j=BW^dEn53({# zWQVC|5W~vUGc1juHXsgRd)QCUP(<N;HrkW-_Ja&X6*eQYvq0?!8N?R0K&GoMrk0H; zps=}T`r&_SksWJ^>@ZF0V=Rzisl2DQXEQ939j2a5w?Kv^b(`9r9c_Wk-hNqd=ub$~ z09l?4Vlzzm!Jpxdvchd=iboF~w_t_)h{#^({6CAnnBv=lcL#nKX!Kw1`@XN-JLL6v z?(-bYJ;JSa{}`g^@vi$_tDHY^&T~BN*vx*1-N0N%Urf)UPT%j5pI)%v>Qbe|h#UPB za>bM-s&n(4*ulf^$U9?d%SU%+w7YT`+@dS{(z~iaibmRrOci8>+8I%t@?;0D%t(E8 zb)+V4Xe*Gna59sE*!9TSbHThSxCTS<a#tWnZ7}sa38wU-;c?_Ab`o-8tP`8X4L%B- zWeYLkzjK#8;vH!ao#J|skDC?wxEzy@4?;bxk$W)mGSc*cyj)P_e4)6`&`2#UsF5=5 zPu92#Yoww|f&y@JjErJQVN&9$#)77wvg`$5wmOa^#TLM$iZ9cYLskM$o2v2jP()6M z^c+o~7|(EZ3ui0w1aU14&NG#7nm<DiF&mUd&yks1h`6M<#*#&LHnvzEi<07MOB}YO z$UGc9VzYr`rt+z);Zxhe5v_+$T^-S*E})aNxXM7IkKBYkG*&~mM{F_>Vf`^p$wL^r z7X9fFS6ZU6^Z6~&G+Lsub7-+dgA$Xd^BrTFElJ5d2*iL0c}X;d{)U3fr|B4dsLN+8 
zG6)_>D7c8RjzY@Dp%ild%|r$Vc8n&GlU7nh=}XM(oE`R>Co#%gV#Z;IxA{24gm@yX zrJIzsG)+o7O(^rFvh14E=@H2*kLW6j$P%L><Whl*dhl<KXr>$dlqcjMC;AmMcxL5g z(mm2d*NaQU<v{dFg@~?0*@clWj~c=RjNy%F1xK3NI<ZEC3^9;}t^kW`w2ZTOBpBI~ z6vYMV)32|OG~qSkA`vpqK!U&mghS8^HP51)q|vZIIMS3R#JC74YanlI0ZQX}vrl0x z0wU>MyMjN`WXE9~*8<rmC}igeU@$wQ3Gg@Q8wM{9efDLFMQk)7E)yXU52WpsnQTFA zT**7$sCYeXfPgY^iCi>#;{jKQn#sP*y0Yxc{4IQ0@QL8Yz%K$~V2=Muf4lD^-rsvG zJui4xaBpzCxoPgl-0NJwaz5aA*KsZSk6A<im_83o!;|oz^*`68j)-+l3Hm<dfGb3A zdmobZe}SaFBhU#rt+v7PQ{c3Eh!NtB=u!`wpm-uF4p<1GHg8SyPLi+<_5+JHSgz1O z#X&{oI?}93M0><OgEjiu$KLgt#Ssg}=%M*u*&ozNvDN6AuEnuu(~^JkNQylcIBZ_K z<_)Z**lmeJH&WIH%^@7=&HdP6iNnr$-i#w@iNlVn#f;-@OB_>sqV2N8F{LM3w|Ew4 zeAg(8$zn|7doZTN+JLau8;~Xv$Y>N)zJ=|Rlj50{-8E?`Yz#kfxp)SwomCB1(k-l= zhZ2TP>->??g(BL-rQ+#8y?P?flg-h}zrSdsN1EJ395$-c_PbHVz%%+l5gCs-*|8pR zyD<*2jcSTDn@Mq-fd<<(?4U8PQd=!?OzmpB#S+I<PTO8_vw;KCYTLm9it{be2p$a? z)aN~7r-2Cj_O=k26|}u#hk*v`kDc#g*`HlvyP*g!oao!MYgsSoh40a7B3dj82)PSx z`<Y&GlVuN0m=0kvx9p*P@vYQCi324LlsHi0K#2n-4wN`h;y{T5B@UE0P~t#|10@c; z-#MW8|6hUp|Bnma8C)2+Kd{XIF@M7MX<vu;ZSPfH-gBep815t7T=zZh#jb~3Yn*R7 zFLBOx>~$Q)KFF?QzQ>F(Zu$<ohPuL5U&Z4k&>dCOSzgOEZborVP;RTy)W~=b<aPl& z@}d|`$dvR-NdKfds?3#*QR~3B(~jyf3XultB63Ldh#DwEcI*WGlNpgMby@*LNZ*v# zBb)B@1rWjgv>DOi=n=YAH1%lezfnrsXdu#*k#+VWPgv<zQxZ5yXdN=}*y@lK9?>Hq zCx#YfB358mS_c(&M!RsZR)LatS}4{T+-dD6n9YO)jtp9-HJ5mMUVI1bmX(x{7el^9 ztUZ4;(+z`U<-t&6%lF-k0~{DE`Z1OFph?Nf&A{G=%J0X7gxn0&8Lf>4d#;EFJr*V; z<bGhnZEM*&c=tf$lVHMa=Q{on`i<NaOt|d~okPHld>2f(?U+*>0&e8cV8X4(q0?5m zL%DuA`0tIp989=vUHu$9Zt#3C<F<9NcCfgUl9iW(JqxG&H6$rnc{#*wiEd^b;N)Oh zZ*9gV$g?#%Ujl~&4TrWCLO1j<!iRT&f@4AcAc@=BvkqZmf}4OD_Ys<yVCiqhtp}|< zygUcneKYPOv>1W`z8Uus+JL~E-i-T*EQTp5Vc^yzZhNws<sJNl6gTh~llh2jvbN6b zrI$+_C~=^~ff5Hw94K+1#DNkAN*pM0pu~X^2TB|$ao~Ri2hjchF^&zC`-|@Fu6JB< z=ZnrB#}keX{D=7J;8%lZ2mT)TKwz=|ZvS%MH^CmD(Q_3<0yy6(I5w~%^Ar=Hw^Dzl zuAREBx_>`)ZIxOoaiGM3Bglc2c&?$y)D))CN?S^5OB02q;t1FZsX<oq;xTnJMj)HK z5|0TowvVGImBq6cLe%t#X<&<LNT7Sg*|Zljd&Q;1VJq(2x}&z_euFp!+~00#sRjLw 
zM#HNhtl40C1X2NOnafdL<z{el8!zgoh(>$GLE~HKL$un~1)!x;zgOI8fyiFO0ZT*> zRP7x29BNo63$JE<HgpaQrC??ZclVE`ht)hbMKPj7zScEoNtD5$fD+LWE=g^D3CO>= z1+Ees+gecM&Sl~y#wuZEOdR~Dm1P1Y&W6lBz?33|VgiQ5V`5Ca80g)g%&YuW4W2L( zVQVql!Y!HfU=e2&5C!46E&{5p!*ij2HK1hZ-6_bbU3_92#4hndG$t~@<T;{wOe7Mp zc8#TnWu8I`?<9&+oEd^BT@YVvEFB(B?G8h-ZZuZVFG||oqpWpuFyygRcmMFfx#LBO z@`mPBA|+m6-UjLqgFT{nz7?LSw@0MK39v_ORHnr|%pUQ8x$LwH`Gc`VM5$Bdkjj?X z@lxV>=FZxSxo^3c_lmoXMN!|LY>En2n|MmxW$uu@KueY#N{QoUJoaoT3*Z?u<FT1T z$eM2%D?GOB5v=iyTH&!}b76%?KL67%QhZ(TrC@vDH-Sq7VgIN78+|YN`n><~-VD+I zy147yqpnMxk2qd;%wo4O=g}|H<<vz}a;~5^PDwMRMt}q26124y+=vqprB(?S(+;vZ znZHw8D34Suo<zNPChSrbjY9?Y;dosb@>WLDy^$U0<bXnv4yOh)8`EQ{@K}Fx4E}E* z6Yfr<lmg+A{)r4EBprmUco6cMj!uM=negt^;9zC3q}zC%xB_;^ij=ZxndOXlO;}6c z8rI{FLjcpBRG3T)TC^V2h|6Kyttf9Q@P%TvASrdHCoth?Rcd4~Js}H9Bk93(-$b#9 zkJXADuwPefEkt~xHY^9y3a?5JB?pGXZRx>*?ul^oaBq6FJB36!L*#qk^eRy+wt;j| zv8hn6;?*cvZ+9v=h<Xr469<ye_Y90G0_*#*OYv$k4RT1und1dUSsX?gq#zj`*fBl^ z14}(gz%fnkUB_4&1yAox_Vqy}9*byMcw{iy4Z!i?9?(MQ-w>ond1MxEWvG>Ak3-6r z%_0hQZFvN#3pWmqrAFZll0qSkhsKB1Y|EK&TXL*F^WStg+|<(1(H8E9g|WLoIRecu z*Um4)sWB98K8%vJ48Q?q3`+)m#P@|daXrX!6_*rRH*2cH9cm)xNJ^QlJ+Q5fBuAAK z8yfTG$y}^;sHR$658`6s?j#_yO>(qncXAYx`o8bGlW0g;2&Fc?1g(V9K1_`~Pu2{9 z-pp3&Oh}u#B@t=tMtTU8+XY252Nh8tsF5|}Vgr#ajj1)F6w&~zE*;vj4l>o`56nYx zC$VDO#h?M!@>Wz8%v)j7$6KF|3x_MK(*|oKsc^Jg;b^806vJ9K4Sw449<k<UAJXEg z{L~P|?D5kY(OH-lS65Qn%R5XcDf>Woo8J+8E-!_KI*P2E$1$6F1#6C-57CuRnx-t^ zg_EJ1Jyi~M5P}*YH9DFe%|ue?b*Dy<N-oofVkDb7Y3p!q-AQqEFRbe;kW$KO5053n ztCItRVGu3X4X1Yxhhd_RrBne-5lMPcy`n-KES{j82>4&4rnB=Y_62r6e=A=PI)Gn; z4&Ye-Y~K?;r?=g62lr!ci96-G!}+@NM8|g=Bg%iwv&`xAU+AmpMbsetcToR=|8zJG z>cL_><bRF6y%=~)I1hpY!KbJT58|=I@`zZDZe^l{BvQET>>M43>^~rQf^?q0qaP`a zN;E1iK=&|_LUhJz!kzuF9&H32L#9|%#%j97qhX0w@4}B!Zv9{zvUTehZGc<9Xk_Jh z1|nw+bc0;iEl#t<V#`g?ghf0?JPK|m)SN{pU^f%d>aLdI%y@6_K=%L~#k<sq9*Z`> z6(gKkEv^}@cRw;*0<<dMQCKxy9;=Df8qJGMq5z{It&E1eyF`d#0%uGJqcRq52Nlj} z5B&6uE0<d60M(uvNso?&*QACaH(4<wt<*s`Li_7RZGJa)4WxE23pdKCmIgA*WG#Wx 
z9Sfcxk+})Xt`!?a9=fr!(ATH|mS;vlegWlXTJ4fLWHgnBEKk76yf{-AI#B~j(1Oqj z>m+FKK*As##2r~N6K+b5B)f~1Rt(Vu`A`Btv~@ldcp$1O0wd|szNBUo0h(lGcBtQ= zD66GRoLDXTfqXT+K%N>IJrN@(K=G$+G$vMwKA>4mf@?u@l%%;mH3my$G2=N!!BWHv zB&%1<=G8K)>6B#k60&CKDdtp+c8ea%?akIf+q}Kih#YW5&DNOrAv;=7M6Q;Nt6SSQ zG<LSMZiI5%=Faez#`P_$WI$17jZ79ui>vI4f+^8u93>5n&6Ha=q(r9`9$QCNE6q@! z=rHgY8WUUnu|692iL4ouz33MOR2uM&i*_nFOSH0HvuAKXD27sCyQZl!wDD)pIL^{; zBEYPo!gN2ye~@1qd^Wf}@OEGi<o^4lzs2`c--J)_J^(iVuX~0(40j6`ao^!ixL$Bg zbEX`RJ65ybWzS(=X9no+(EZAP)IX_jQ`ULT=(OD_`M>)8omrHCN>xo&$mbr2m{MtL zp2Pe@CQz9SY@U&!<S<-?p^HB_|Ln}7R8%Hxc4vD5Y-}@Ce!!2jGmElHnMkq~<YIpe zK>4Li*la1>3uEKBgJJ+=iZYXAYtJrB(#|Z(29?JE2vV89D<8^@!~U?HVa8_jP+u6E z7|EhMPO7+;FPJn%VqhuT+|hxAlE%%QYnwNAwluYLZqM)f5jp;WNoEXeWV0xfleKA1 zi)=C9-W<_sEuQ!!(;~*Rkiki_L(XGwBP7xSGlSNRO`F@>fwMZN0o2*vy1pn(mWk@i zqJ&WDh*u;W*e@$>S<Hbsc`VX6KGu&;D2mAxx;4zAv`{8Yw$}1Om{4-4JWMfrH=)*; zVEsPu8s3-fG?QcVw#u5E{%i+eQq_d|$F%9DQ3w@^v1>+UYp<|I)tAMh>}tKT8BnSa zCM?XZf$1;|(Nq?Tv#SWIwUsu-{X}F-Eo3^J7#U0VjV8go4<=nIYYMZA@Ys?ctnrw_ z>>@n2Hco3i5M@`J+M0k5nDQ6UL)oCM4t}XD7D3m*V{3F<;pxkwXt{Yyl}&f2LSq}n z%r#-M)gx<6sVs_|t76i|woS7QtFh3RMbUFjJ+d_xtb5d##bW4c>q5d_=tgTysVo*T z*Wlfh&!fI979H2<(P3EW`m-n&u6d)dCBa)WuP=**zSTO_U~dt!#)RzukE6OM{xpdG zUl({Okn+FhztO+M_pEQ5_bspFr9B_?EajfzLhdtMk2?S3+~l~AeVc7$uBX3EFMt>K z|4%$cLY}&Pmba2^8<4Lkn5d!ytbA1iS9k-%$W=^p8C#X=9e^vdVrhqE3dKqZthXwV z)vejs13gg<3hl9exYj#gF+x;{&tJ)p$azDiN355?5KQyX&C_S2C&Der*l<W8w*&dH z!6gl1I&8N?;kLnKagr+_(!^yF@-DX4#kX}tz@0Fikw*kr^=7(92NcVn;xHS?5tm3{ zi>4(N&gXSUq(0mRJ_>2%z7Xz64$HT!nPO2}FUBM=Xw%MiW@_sUw*-uAb$}F$>N>~` zf?S*%EbmWYOu#j;Y=;<b>>EwVI<TT~xK^x?z|u}T>zg@TgN=vI(d2NZH#J%;#@4`O z18cp)lP!T0n;IP&P#j~6MQ;Ko8(8=io@{Z9-i~e<3q|wjhEW+8t0iP5sAkeI4~3Yq zl(i3JcB1ucps%<bj=_jX?QcZ9pRPiI$I*TX)2lC#_3HI-T(f29QybY*A6b<gOGaQv zL>>_!e!vN|U&55?1}a<Uj)JIm7zY9am8}Co0aO=DpqD?e&A5r7)&@%>qv<5@Yga0w znS@vEidUtEtGeqWP=}Zq=|P+Yr}@!|-TkT2RKJ9&>W#kIlBx^zwO{J8VymsQLIG60 z5~l4pQbgJ6Re^*`n4;f6WNWAtK!oY|HAFUVBnuz{?Y?#zHW1mGX9W;}Rz4q*%{&GL 
z5P?G7jL6nmxBwzd2d=TsrZTPoB1{EtAe#D7C)P@!0<YL?Df)p0lpI||U8BS4Ue&Y+ zJKhvURzZY`^QFx|d882K^<gC*&scJ3q&VU#P+5=8|I?{cD1JlmhQMn9pMQ&Qm-kCv zk7p$};eO8bw(Df)HIAFuH`yBIYWgcQ1CJ8_#FMjNz*5nz^fK?V2+nihliD#pGBP-U ze7M2<SQd0P=y%m%DF`N}sUo=w%k+tjSul+$V4R7bus$p+reFiRlHfNC)|=^Za2zhq zXGAnYC&22aVxZ7xh&7lvubuYSr;^|zo9Q1I3Ad*Qi`R!(gIJzrpcB@n_Rz~%z0!%* zprk04Ij>9x+~?9jsP%m=dZG?=DcaCLw$#O>whpe#!B$B-<e8@^c=CgrG5AXlfYZ1! zHH)%vBIebK<I*MIA}v~nG((TnfYxw$U`SKA!Md+#E0Tk-&}ab^k~;<=ngXWi+MEF= z4OoNJm~_j)aRd4c-$t_&&!mtObkRCqBSs|TYhrEKfcg#5sX%y!PQj8XtL#>$!F{-B z1Sf!C<aAP);J8BY8WgBw7_?uh@XB;gaopVy|KehsbRimA&Vmai9Li;V-TsHtrt#z; zQklLFrVGT4lTa)b)iB>;euKevcXxUmOc)?;0?ZYNsL(x_&J@jr8GVVU*esz4Dd!ga z5Y>pzOiI%^A;PsqRol9-$z8NLP%Sn|C{T*Es}1TZu?Crx?Rnd8(fR>*26D)hLf<2b zByD9+)7bw$AwAjv%Mc2TQg9iHf)YND_M+Z#)Qe|GyU;Q;ry#eH1fl4jV9u%m3kG5P z+C1Dnn1l<n-U0Xn8~<UrLDM4&DPb*(CXGhx#Ha*e-!#pqc}W7do6i2x6vT0AM6oZl zD?fDmRICXQt%Vf{#U3fRB1IvPs&-X|OaE&|)8iu<`TnvolSy|g*~yE?eTdv7p{OIL z7aUxPLL!jiKv=ZTkPz!6h%%y`_$|f`76%po3|k?HjU2wIXr#x*DhVQ&6mWfltpMD$ zz;|;1MI=&(zq*tbjpSIs@lEPj=1R)Z!~T`OA^7>=j6kpd@BTjDKYV9<U-l+FfAZ|% ze$QR(`kU(!*L>$Cjz6#yY!!2*@*g)(`;Slx;D0#2Nhk2XOXUM|!0}BcdElr1k3AvI z+jESMs#2HV1xoZ9@Tm@ieMPJ~7HzC<0QYC`k<k`m&8xZ#R)H>K<?2F_H;`;wl|QSD zD+{IBszYyb&7K)vYMK(=WM|XX=6JQ~Vx)U_s&Z&xY&2B~KBZOYvZJa;w_?du!5fwR zV?%@I@0sqUsuZF9B2#CpV@h8!Bgld7gX~$f8alTB_jhKoKq;Cxip_Agh3)lsX5mUv zQ-2%SY$@~$V{_jL22BP2iGe*3exO|Sr>$!02N9$z)1OL>Wjfb)gqsFN;6@7RB+*Gp zt_^pf+We8!jb2pVON|bsGL^>A!m6sE%`T<QE~U*b1*6=iJPO3QdmvIl`F3TiZd9sO zf{<~5?1;ZUIRR8@@*oI$@?-WW(;DxR8}Bk2H<Rez15pmjRpGh<Cy}&_p8~ST22G@_ z*&~p%FWO-GG6$G_(FTR@<$EBoKotr*2sT}dP4lm@x=xvZnlec-{+E}UJR%QexjFPk zJ*QDWDlnM;4}f=OK?jh(GSt{Jf-bx=?99SJ-Hh!ptwX+(sHF$_iFRh;_?l0c&8yY@ zu>lMHtu4nfdp5xP!-fR_H?SQhrti$c5zfrXc>XeRC|31_`{sLzT5y0*yfX`jnS6q5 z-pCdv$p7s_7;|8lYbMOropfQsc4n~vh}tNy>Ag`H8$Waq-vtX*Xb@z}KBF)};<79< z5>*ox<(+Af_Zp-kQ9Twro7*?EY%HD&piGUpFpJDYt1LAL=m|*i)4ZjnsX4s9wP{`c z<T@gT&N3C^(kwCzJ;{<zaJ_`1!^Y;$t*!0r!mC<3z(sLmb5mzg$d!qKwc@}|c003R 
zl9@j-ZDvd;JTm3`f5#ORx7huNdzI@)uJc?+IUjH~Ij-P02loa387TKZ<=^JJ-}^i7 z$zGqQnY)JGK;3qLMQ_Tg-G7|2rb-Q!I8fri`<DY^tvCmkay6J<-WCa2<zg|o`^bPP z5tviJ)rXq73mGn?hrv6$IO=wpu5R%-Sg=*UFf62@EuqsCjj30hZD7&-IHNYBVp}<K zc8jwNL|AuhN$jTXbc-`BvDk9gx4?3&B^Fy2za}ibA}B7k0f2oPTO70cG`qzahOPFz zg7LjgN)balwR`t&WQTnYvcrbo0=C)>k&JrL6&XzT^?@?1Tbyom5gQbyP~wMjure_c zQW;jj8enbrgEC8^oFi&xNkslGxJv2Kt$2zf*CDFJmE!S0_fBgu6rQNj=tl8*kR}hs zp<jlgLJ#+V0goD}vNN3?EZRC2g=7Vby^!!l?!@$sEghZV`s(UPO+37-rfvOl*((rt zr&+MEs!^;E7eU8WL%4hom-S$s+XNjRg@B61Hk1KcL@+P}V%2L=GqI2#sTrc0K%|&( z<Hl9tw)U1SjZIK)Z(7^Z3Fn5*?Qld>zt|B?jM26}QV$^t7XtCB7S>FBog9;;xvewY zx;ot2*4(a~Ad5wBT~b_NEEv<2IKSXIZ!1K94306;1WMn~JJ1IXIlbb11Bbru9)^4r z;wEt(Fn=Aot+5LCUK2Iac<e|bD?^y#s!=)-^u0&UkR&exuzaCKpeP>*4x=?un7d(! zUaXo7w_wqW8zP&*4ZE+)5U#p*4~+G9$)W7Kwu}#=xWGFGzyJ=eKJq(Yz1NU|jL}6N z<XSugERbb%E_?y?pr1GVVP}Bgv)$*852%j8>H?cj+7Z!9AY#PDVi{0dQ)oXx0jfq) zU??(J)GWLpRL29ZMbr$3L_viA@48NPKJDyu{LUfqxA2w0=YyvQ-VIzK=L6(?QSTnl ztDbUhxBDgSKk_i)&XIqY{wi^x#DV|6IRJ~x!UJ)j&mwM+&ATt_P$zvBVS{W&L@a;^ ziyEW_Z>hI;zg7T|McAPF!x1IM^~r<yj?Ey9<;5_vdC_IvYj@*8Xwmynte!k->`9-H zVZtgHAPnyV5AjAbG4+QdGNHH#JX$rmBTq_#3zORL`sPMB*P)|L%lhUu%|(%r5Fz4H z@QBs!!_0(&rEPOtqjH8p2bxuzJ6no$_yTHc#0qe$EpW<(`gpjpsR_snH=}UqP0br1 zE@rVf8yBNnfmSu<M4lQIXayG{HCBphR1TVnZjhTH`9!fuj)B$(`S@CE5fIIYzpa}g z*yx7Fjg4!H%HNpSxfxmRBhlV`76f9W5Hkf`;dXX5uL8PJX#9@w)|Sq-tq>i*WfclW zySk-GKAneK+l>IV#l7)Oh|3_fX94vB>Q%U{b$tuchRB+c)~4oFMN@|$a{5qs(7ff{ zX1rnR<-HFD2Q?uw8GRm#+Oq&6i_oC<!pRrdu=*?_gW9}CD9|G;FsLR5MJr9pY5T0} zN0C9*`xgU|Im4iROnq2vPy>@KJ%0h-VZlKSM7Ff;)`-yk|4gc#;+une13wNV{F3h# z-%M|>=TjaZx8401L;zR}R{t+JX0tn)&oCS5pVJr8M^m4KR|@<)D+{_0?Q>u$GvoRD z%OQLYA~V8SS-2=PA&A+Mrw9b8EV|HBC%vXuv>AQT>N+QtMOS(zJhq0D6`sB<y3r#R zu?A4Z+Ol=3i)?8CO)Q?BT8@m3ZuLx<?0kCA6Ix*stFmylr)5UUlORC{*O2cG2fkaQ zy9SCCqXAI_MqqGHSYVHZ2i{MiwGcUATm{#S1%&i=#NsCKL5HyDvM02bb1i?C9}%T1 zqDG8n;f_*sgU%Zf@POe1+A;)L$-wmxyo)m#q>L|)=!<9qLpyLt&_Z6AiLO&3UO<2m zIXzslm|G{V%7UMQ<{N3I6Z|<--Tf$0Jw&-2AKjH27=$3A;O^gq{LUeAU@9s5n=6&Y 
z2><~6t`$$rf-^%!Qjy-x{iq4!*Bjv9uP1Dj{X09llf(EO=n=gJ1o~^lMOl>BQN39( z(;rvHi!ro|HDcmoWfnXvG+#(FrC{-@Iny?w2ta!H++tB26BlQBgSUA{XJ9@Uld4{u zYn50E#iBG?4O<Dy#b|vSj7WVSC9Ff_z-}D?dR4!xyukpDvF7MR#f}Tr09jD{K(cC! zVkWs>-~Esq{%A5YHVP?J!SArB;gjoO+F{uj&16G>U$h>Nj1EAu(ME`NGl1@?f$X9T zX881VK(QAXt>%j~Q(PO~plu#XoF6%IHS8_LqPP|o3J*|RXSs<$mq2?t0STdpU|{S5 z=^{N^oc#__0{a~Yq+0KH@Bk>QV4s!)=Nb8bHw-`+urV;J)Z?%hi`5Bne%1~2FSXRR z0sV0Z*E2pk0ujN7`-(+mJSNs<AzNhOkOlFm9KvH@csxCx!DWhKuX6DyI{(jdY^V4S zfCk{J!3Tp^2UiBp@ZaN~;Y)aTc#rj5!u^?hkUQIbi|hBUyIs?rFFHkMo#QRXJ&x_p zUuysPUqk=7{t|q`N-036te_>>lybn+GNsLx8Y^+Y76;bsi4wlrH8GPG=m3!t;0@VV zd(EC|qNP}k$w>SFEx{XVOI1Wm@mRHK(>Q?tc&u7&sgi8TtZhC3P4TGKQiNzJR&Ubs z9-t+7L#1gM(Na8isC<Gq<d#Iwo~7XOuVy@1io5)S4QwZ-Ihg{Vf7D`^abUG@`d>nH zD{;t9|L}&=t;Ku5yu4f$hFb7$HI1fvKvV;ZJTS^0?}el@ePF{0w&rqX@+s)0fdE25 zC<q|vf`-7<X|Z_^Sd>p!jIpInTRS?}p#Mc0JJ)WERGUVKwbAA7)DFXte+)!A=vAa| z9E|3xb|s=!iOAN}j;=-s&a0+2?9xu;U225Ps_H~u_CuqlE}}lv1@d^;)>Lw5S6ecZ z*_|Hk>1s<ulN0Ko1fy~+U`kEQ<Y9b(;SF!7EiEEiipLLm^2U`ZC%X55A-H8ki*+eH zrsEWRcWAK7uzfdw=jnUEth-!2W!8~HQqO-k&<&$9Jqr1Kr+^|dq>S3GiLf<$7LeSI znFiefzFRz|EKB0XJ;+R39m?H#L)mnbT7;ooZyw6}OxQGz=1qFIt8qB9J2k4TBWLXa zb8xjsSvIdnrVGv@^r*qyBYkp09PZ)1R2NKI&?=|Kx>k=XNr{jeABD0(!HHl40NZfO z4PZ4yHA;gIi#pe*U_dG@8mosg39uMBHG9DJyF9I&0k;x!q(3bm{bc2=Y))=y6}2yy znF11<R6KJ07sYJdG(s|_IVA4bgRVlAk)QSDjT6&4ScGvBCB})dM`gO?)I^G}WfuzG z3q9{@9_~gtIa58*Q_zE_2Gw<W4zW_yCJuF7hBxGvX74!;S`y^%JiWE8sY#b#kgw6~ zJ+sMLU7kd>=kJ-dpKw}@)lns!&&tvC&J;{$Ib9SuIDm6fdhlQZh3)tKHG5_fEQnX@ zl<PMH2aqeP70GLO&#}-AB~HY-7Ey^3YE+`(3{sw_x|Ebb2h)K9Z`zXaOD~r=P~t#| z10@cWI8fq1i324LlsHi0K#2n-4wN`h;=un34xs!0`P3xE-^?!wJ`>y$_<ca~Kkq-y z_m1xb?<?Mv=ii<iJWIGQa;Lf9bzkY8@A|B(-T7Om<ecUB1Utrhm^+v_{Z;x*>Ro8$ zY|Ab$wuF+v{_H8BDa-fasJ0gg*xKWvKf3}@sW$3bzFC{Dp#_q__GeEvqq6CyR1nok zW>j%oJ`vG^s7^GairM>A1yP+~h03HlJp@;h!o6B<MisRcuci<xX?eB*d<eTGC#X8- zh<PS&5S%4JWcGoKbshbXB}Wf>2YP!Y-6RoPW=Kw|8SYMY_ou>eCl?-0?+))sbtlKc z(r>IEa_xZ55M5=2yFu-l92ka_HEOyVXc|T634<-*P^L1x5n|UUZ^*O^WWqZjR2a%y 
z0?okd2t%dm;yg3jT{%3E8LR9|@2Y|bEGWiUrV8u~cSaP_kfnW9W<&`pW#oq*O$~y5 zUkYw2QS!Y7^QsVepp{(#T4&^!dJ@DwT{JvCv?Dco5~3%Stv5cD;++GT3+#ElCn8&F zBiO~*1o*O~vUT}*qLsDwyk@Mtb5hybd_1T>w!DC>`%`0uN7tfjn(9NDOV)T2W<0S< zTOs$X@x-n0m^AP9`xCRmW4gGsk0)w{$JSbB&9`bRJcnT%R9WG%<#lG=pGqq{rt50^ z-zQ>)XUgYke|DLHN0U$DmA3j*V0%qv!OTY!g)~RU#MCcw{n;f39<58TnC9;xhw_OE zbg4fJCO%r13{<vOp8}}B;S5E6v<|g^cB<;|)&aD;WisLQ1H(J9pm6yeKO#<YGD&^e z#Rh*A&tmXwwI{q;duaA$AvC1+B@9fq=8H8Zad{RC?3m}c1HFd4(QWOmD1;*fV?g0V zT2P#h4N44##?COZKr7Z4iPiUI!2&3sPd4{UYd-a5QA|dYcdo4+rVu7%@?*ku7`}a9 z7MbGYVX`R=TKB0x3nnodCT(Sj+mkyBtStRmFnGyFWpk1iK;?vUxR3ulI*s@9|K$J7 z|AGHC|1<sv{CD_Q_!s!+l`8VEUiz!Vff5Hw94K+1#DNkAN*pM0pu~X^2TB|$aiGM3 z5(kbj2hP5(5ip*1Z7=-)mTOSP+0Lud@c*q>*24d<zWhS?|HLGEra=zSUw7GRDA!~? z@c%KfmEm8b-29ac{58yfm4A|dkiU}uBY!LZGk}!-l{ir1K#2n-4wN`h;y{T5B@UE0 zP~t#|10@cWI8fri)N`Q4>tGm$K8me#?ts>}DSwWz9=C&k69DxxfcgtPlU@gZ)+&GA zOFc*Z0sf4;9W+gMl#N3<2>&zwouxFihuPpB1ZaoyXEpP>Yc{g~f0=%gf;0b5`B(X8 z`H%B=@z?Vre=eWoH}Q>pH9waR2LB!WeejLo3&AIY_XlqY=7QtFo?u6CWiT2H2l>E% z0&fL=5O^{0*}wyV4+SOzy8@{|XP_w%3(O0I{Qu+sga3#Aulqmef6#xc|8oCsf3JVD zf0aM(pYIp^l<#fdk9^<oJ>`4I_hH`^zVm#2zAe6HU&6P*ca)FzzT^F|_a*Ps-iN&( z@m}ej@b-JRdRKdEybHb4yo~3Mo}YML_I%#+i03xXRi5)b1D<W3HJ(~ex#wsP%e~9} zlzWBy0{19)J9jmA0e23!om<P*af`U=oWuPm_s`s~x}R}B=Dx#ywflT`zk7>&l{@AR zyMwOxT)%~Uh+lR+4lxg}b6xBjbe-l}>#B7vbRFfQoPTis!1;pnGtQ4XZvsz<5$9RX z_0Hwa<DD~{4#&HWpEzD}Jmq-Maf>7CNITAOv^Z)V3mpRcZ}vCrx7laeN7!50J?y#c znQRMN!_H#^%s-f4Ft0LCGY>E~Ga@s@Y-gI8C^Lug(0`$SN`C`BkNKY<wmRlA3^FW3 zIgr!TC#ZV`aU%)4gStl$H;}N~sk;SnJqde|x=Rq(k+9pSI|cF7eAr$=Y{`e+A&6`9 zVYdt78WMIjb(<irCSg}m9}&c65_To^VL@C)!mglh6~rbIb~*JSL0n0~CaGHlv5|!3 zs1FL_DfzIQ1#txl+e6(Xh$oY<%cvU#@gx%VLFxuUJTV`3y&#^D54%nfm*>MiAczh5 zuxkaeJ|A|CAlBu>t`@}FeArcjSd$OCQV<g)EK6M>h;b5j4RyI7#z>e*O@_p%V=irs zt3E2ni`4+4^`X`~91^RDhkB_!A+eGGrKrn7VuS$oP+37-Mq<2_k_2&SK1>XWONdvy zsY`jW0zd{8J7)3X@g(FDUR+E-oEP)rA`)^DFP4*#3wd!N3Aun57m$$id2v1onc&5F zB;-6^43m)Eyf~MH?Bc~T5;D$<b4bV-FCIriGQ2pOfFwtGaTWnNdzcqzl8|$G@mK=V 
zHNuO>5RkLdyf}k^oC)nrCm}<;cr*do<>$p|1muiCUOb9`oW7G61p;!~IlLGmAlnCE zpCKUI`gt)(Li%_yKtP6idC^Zmwx)Q|M?m^}c+pEjx_Qw<LU!;XM?#Xk=q4d&^P-D{ zbn&8-gq+2T4ia)EFR}z=%Ne}LkdV`PktQLh@ghY+w)2;efNlK6Bw#Cl5eeABUq}Kr z^B0hSPX2rXu(^z%AOUmu^GHAkzncJbmhrntKs!H906NO}F%qze&k%t2GJcc<%;C=^ z0d4#U0oYW=r%AvZewYNb@<Rlmt&ATe0UP<91faEyKZgX&;Ri^-2ELyFY%JsZNWdJv zmjtZmQv_goCEr5=B78RqDC2jKfOUM51f0sBO#n`b^IasMg+Ge`tf=JABmoir3=*)G zKb-)aT*;qC0wVl&60nBfMgUG)&2J?E&HNSuaN;U{GYM$oI|;xEEBOu*(8#wFfaP(1 z6A3tlZzBK=aUNtMY>Q}E!Gl1A0qWyCNJBW_WFABz3{V&6K@P$JC-EQzVSw5bd60l` zKp79>4-Pni2iXS$)GX&g@WBBMJV-qlAW_SM$b$pwd60K7K)jX*VFw4)@gV77fLJXL zVh#?d;X%g10MSYw1RNX?;X%5=0SO*N8w^k#=RvN)0Wltg8VpcX$%90L1EM^LGZ>(< zng>}12UPJO$Y6j-B@a>z4v6p|!r*{qJjgE?VA)b0gcl63bP10n7ehc;TEUZY%aSr4 zi7mzxOOEG}&|&~8%6KHQV1UIu2rL-j_;Mbk6&$dLN1}@H%HndK6jT;3<ViWDyo@Ks zl=3+|DW#Mz;7K86VHr=#C=2KFq=>R$9#2Xr3&K1ppv*7hN%>^{9G(<U=FjCx>119R zPYNgV=J2F!GVeH^6iw#N=1Iw<Y!*)nCS@~uQZC_-<w>#Rm}7WSDmi8bPYNZ$={zZu z1drxPkz~d+o|H&t9L19Y$qa!f<&i*$C&iHf&y&&!1BYGWV>5vu$RZx&>-&QsiC};G zf*^-re|v)<g<yYsf*^xne{(^QK(N2zEK2<C3WD^3)jNYAdtiS%f*^Tdf3rc5JFvf* z07xAkk1or5*<aJAGe4*Je}V1)Tl_EiAM@V@J-`e6bNo~M6a1t6ef;eZ8{ld_%byQA zfquS=-@<R;SMewCF}?zH1Jl`SnZL7lvkZF~dp_@DKg83_AA)}izQukj_$K=d`x^T& z^K<qEN0noC@O#b)XPW(y^BQN?QSK0euLi#s{6g@F;6uT?g0}{*4^9Rz3TA=>!DMi2 zur;_QxFT2=tO}L~X9tC#JMizoUqH|Bi@+O!Z-K7i*}$jS5w<t*2;0t{5x9pvnOz&W zHShs8!OmdA?2^D9)*rYakO}MzBm-Lmt%2siNr9R`B(NYbGr$L&{(t%Z<o})jP5<}& zFZ;g)x`~hbAMoGhzr}xzKkL81pYad)yFg2^&fnxe0W=jA{<;3?exIN9{mb`9->-Z> z^nDw27SH*f^gZU==iBSM*>{ys^zHTy`BJ_!eI33Q-wI!iZz<?7X8Wf3Jl_BD{>}Tg z_gA3Hc-{LA?{nTKy^neKdG~s6_Fm)N<GsLpu6Mwj^ltaIde?YYc<a1X-g568?{u%v z%X<C=T8>|Ne(3p@=S9zRp3iwc?s>p-m**DGHJ&}5i#+3=Ay2nwyJwT9#k0aw<B5Ro zW433S$LFEBzj1GIZ*p&N-{M~6p5s2peUf{KyNA1#yPms(yM!Berno_FhjWv2jq`MF zoAV^Dm1}m!ofX^(T-51v&UH@bj_2lb)19>AZ;rP(KgYWN;ds;WJ;%%Lx81*ReBALl z$CuncaDU7FHOD^3?T#Bkm-1=%BaSN^mpI1V_c)S{t&W}UTOCb~2FC{X_3kU&qI<V{ z$ldMU?rwEAyH9f0xFhZb?wM}h?R5Ri^+(rlTt9Wa?)rx7IoFe}$6WhddtJA<u5o2u 
z6Rxx?<vQKf;acZvay7WBT;;CWF2Ut?zU6$=`90^$&M!Hic0S>J$a$CZ7DtU^nPa}= zSO?4u_Mhw@*<X7cG{gAV5m$#?@~}HyZF0%Y-00e%l-Pb(i(ER6O}eV&(roq&SEX9o z;fkoGKG!m(1lqHua%mPkw?r-Vxhmw+On@D)mik<a<<hYLTcnhjCtc-o$<3bYTCbKy zT<eq)bG_?Sxx_)KRfXN;+9;QN%)_pBx#VTLT$@zbjjqi~3EJyaVK=$9$R$6#vDJAC zRbf^lSwNIm*k5u(YJ<Pz236RH-CtB;A9g=0mo_l>xt>%@_qsl#mL79`S}v`J+E1ya zdtFbcrN>;4%cXVfC9Y4ZrHfskP)f{gu8+&5Q=#@_YUyIvV@e5XAC*fj(DEZ{=`q*C zN(nyULvm>?y!)V9y4dxAQi6BymrHA)cAr|h*!5AR1hx0crPa{#y-JC_$aRle>UZ5O zmzv?-yVTOft~=$@DtK<MTxx=M?@&wkx^7oXkGXD>ODow6T_2H4e�E>1ydl*J(-# zKHPS-G~(I@A7;ej;~X}SjJch8fW1X6-Ot{nmiDnXs--*G52~fT?9FQFHueTt?cCmW zuJT)!QGVx)%1>;9Hm_Gp_p{fkrG4x*YUxh)I<>Ty{eW7!jlEiKV^iy}@>@2d{LV?s zPqZ<gVkgzo1MF35>3;TdwR9(YrCQp{ULn8PwsBDTEmKByD^Qh_pJ`?8XR~T)A1kS) zJJ~&IX)k-3TDpw|<p3zyTQ>|Szhyg>-#O>VPi%xXFI7wTvlpqQee8v5=}z_%wX~PL zSS{VgULd!zaec4yTh_1q&gqk%*g$`sQI?za^oxwL+^nNtV2<a25@uZ)vqUM(VU%U( zRQhX7xePkBj9IJ{<}k{l(?WlhSs=ICLMNGpa%nC76(%e{wziC!uN3Am^W?fU^p}}A zGH6X1Ggm3hVanvX)%2H`*=i}t94D8W>F1f5@?*_q%q$tSihhncRxUNsUu0&;l}+W$ zF*0Z+{VX$GEj_~=E%*DBmM-Ntezsh*f_a2h#?^|oXUH`xD$i1WBWKFLC$HJA{8pZ> z{6<cbe@|MyP5Eu!Dz|hZ^GUW>E#1TpsHGd(ezkN1+b2JN;;JpmZ<Dg1p1^#9P05fG zR(2}CjmkE%9BAv7-(Jq#$@a)~%TL*){Kl0fx&fX^%Fi^wGdtwEh83;KZ@f+Ztv`8# z@*7tc_&Vletg<@P!8=N?>rPrHKT{W1Hj7&3qpZ@;+7nNeYidtetNfO=$oOiQ53<Vg zU&GwQDl1D3b0fP=t-XQWDnDPde2wzkuv)H3K+BtDNTPm~@>|<1*TkVkg#+=rm2yqI zwn_et)ix@>HK)i=Mw!Q0rEk&1NpelJa)t66Iaz+9nt7B}dRq;BRQORHKT&?BI(CBm zOcn4>;Y?MuL9VH)TrSsC0wqc>E1_=+M=GIj%Jx~w+`uY4sjRM-->a;ulYb+XwaRa# zM)_TqklS0vJjAY2OAoS2pO!6EuG5w-iOJ6{t%%A`EP+|RLM`3To~V}gu?o#gpf^en zmoR%-rSD6Quaa9>QdTWLT>&j9{iuMor%r|KV{6sYoos_z+RG~RS1gXmEmV|M$~DKs zH;SvJ``8+_bT6BbpE`cgQsuW?SveLn_pvegnZ?Y#tkR3c%sp(i{M6#|CCcwYWd$jR z9#qLsmqQN}eC5pTY($0K#x9eeFJG`o`7JwM`JJN(ISZM)S*4|g(2}xZErgbq$nP(N zmXzlg&R;0Mx3EkRgciWlN(&3%X=TM)0N=S>ermzI1<G%DzTD1y<}Ow%-N`Cz*?f3U zS>NUZ7G({a&)mj_<u~WgovZwo%~O8ogyojz0p7W4X)mj+Zu6Ks*f}cfc2-&4=0Qud z<u~V*l_|e-<|x0%DNoF0Ze?f5kh!y!wXux(2&*iAWl%R$t}C0RJX1Dvri@_@^C4DQ 
z1&^b<=!a$4Z2Bx(kzZz0AEY0WVYBEn=?CP}O!^F3kz|ggPp9|Euw$58SY-u0=9pt- zJjcwKA=k`cZf1EIGGp2_<@czglwU!RpP0@(!R}T|kF&ef(oO97YUxIHLM`3Eo+rOK zeVwwBO+PiM{9UQ6kkcc|DmcANSr>We^$ht5{#b<%LHME}xwRn7+-Yj*M)oMRbOS5M z&j+VZSALH^TCNGe(?PX#BO6dlH?V%SbUo{npAUpW$}i8$HGX;@{a3l<qd!XjMJ{>i z`{+NbrF-c=$t4ec5B;uO;^@2SKguOHeHZ<<T1wLI$eWk*VrrjKxQP0wQn--1PbpkL z-K!MNr|wY-6V%;G;XLXtrLdd2Qz`7C_9}&O>JFtaM%}IyGSqEyADAGh0zlqi0s+q9 z0lR?fSg*_Bp=rNg{_*+bAFl%Rc;vr0PX2Mb<sX+z{&70xABRK!VOjZyVH^&R$Aj+w zpQUf1_}|01|9Spn{B8W@{1|^Wzn)*tFXoTt>EIvW=Krg3O20e!f#8L3I^Pm(3RVZ_ z1igX31%4iQHSqbsLvZWAComf53ak$_1QrFR1t|Yp{_p$0;(r{@)Yrm!x*yKcEB#ge z<NO}qUwv=-UhzHcd(d}_?=s)HzO#JmeD%JCKEeAR@9(_d^*-<Yxc3h4Ro?TwDQ`QR zhL?F~dR?ABd4BBqy5~vHM?E)sE`>AiX>iY<@XQ1K$v?SY!U^{o?h)?8+$1-~CAp1o zf;}GY_-Xea+;6zQ;(pwHm-|}x1@1m~hx-&bbIt<({29)gFS$PFy5DuPOM>&|8Lk$% z-(TPgIsXmu4PSRY@BFy)4(C<Q^PDMXyK{wenR6zv@lSBO{|(1y9s3+NIYh^><8;Sb zIB(8(@a%hVyZ;^bIrd}h?d+B8ZnlTr1UiYO?6Itqd6)Sy^CI&Z=04^I<`QNQyWjsS z{U-ei{WSd`d;<JmXcFmmja%5$nP)?jNV|)Jo(WAN{Voprd}tDBcyZ8!p-H6UH9)5^ z4}~U?mKO(oL6`(RFJ@0bOUzTkB&d2x*yn^v(DstB&kK{F@FihShbBSi%NU9=S{evV zBCW51bsO_kXcFmtanR>NlSuQ6gFYLYM7m!b^kirfX@7ChXM{=6|Ke1L%%?+>paRCJ z5L2N^Py*wiYkESHpav#D-JwZP1QVbgp-E5$6QE>h5|qIN=<LuWsDlYmS7;Ix!UX87 z&?KmY3DB9LNu(4udbF8&AT){8!Z_&8&?Hg}<Dk8vNu(OaLHCCyk#ZOZ?F&sJ^)L>) zEi{P~#0IDnVMHoo90VAVk{Aa8Mx-XjL4Xk{ig6HNM5<x~)Pb5u%3>S@%_DU&4ua;9 z!WaiZ^GIckgP?h&G&VqRdJRn?wJ{EY=8@tU2SM{lb&P|cd89nXLC`!>ALAh47g8V_ zAUNBGCXosm2LVQ;M8-jY5vh@J5MV@#WE=z-L6uB^03&FVF;E-A2nuBa1Q<c5On?9* zsFev2U<A!F0s2&E5|qmr2#&>}NzgA7AZQ*`%mfIU2Q4!Jg62WdOn{(6plc>T&>@Nd z!J#>nyCe^EXDD}Z9%yeUcTpbb{!s41JkY*S?t(nfZK2%x1ZX;QQz$o)2f8toJ1-A( zLnya95A;MRw<{0ycqlhcPUNfOLT(H|#;2vPX6_VnnS9tIq1<TRt1Y42xdZ|@|AulS z<WpBwhH~jVP(;WLlkH!{d?J(^%6n{0C^txgu3RnTc9L&i$$T)BJ16h4=1^{cpzK7% z#{N7Iu(2->1Z?ch1AQ`-OA#PAV~27*1PG4Qp<H(!2zarB0KuU;luPD;;Hk4o>aT!L z(nWUi3iL_N%7=YClshx;)ssWHGYAB5C=caM&jWodlsk<8!2vy#+fIPs93IMT%L4(& zw&sC=V_Wh-@If{cAULIma-9SSj_09V2TA?qwL-3)?BwOlqoLfUyvJ%nxi+FPIKhW< 
ztpo@T>Y?1mJP@?CfdIjwJ(OEdfZ&WC%B{--LBCJU13|xA@<7m|wIr#NF!<Nxfne~j zCObLFJRHh3=RLM8lv_o#56Avct|<@nU?{hed@;8~$bm41Pv{)tHArLl2A-=3<w$7^ zR0W|NDUE@CAe1AeF;EnQa-=l2gn_jUq%myiT*AQG2ErHy0zE<~2eKFeg62UKBS6qR zNMZyCnkOZ(3e<cJ@zn9meW4sFi5<_}8_JQA7^osbIZ_e>eM2Y*k{E^&6c3>s2x0{2 zo=^@1F$@H%hfod#F#-hCgCItLZV%-^5F<da%7Y+=fk62X%7Gw8fS@f9#0b#cp&STe z1PGcZ1u;-fgmR=H20DsRjugZ|SrN*Sg4lfYA}NT0k|LBN1u@WNgmR=H1`3Q&jugZ| zlM%|1f*7bSLOD_pn}?bw1u;-&gmR=HHV-vV3Syw%2<1pY4D=bH94Ux_8Y7e=1u@WZ zgmR=HwuSj{C`Srnpa}@&rW1??#YZSd3Sywe2<1pY4Acan94Uwe8CX0>K`h9?;z0^x zplJx@NI?u#A)y>8h=E=qlp_VP0BW8T!~&>!QV<I;*Yi0L#5~3}&s-<uKn}y#iA$Id z2sseMNZ7SP4kR%Wc8!n&QH+FLE#yEJBVktwIS|H3*p)&Kq%jh9g^&YrjD%e-<Uk%H zVUy_m|5;kJI{(-63;9s+z2L8duR&&jhl3vqUKSh)o)KIdOn}wDKk#=r{l5};DsX?` zrog3v!N9h_sz7z%xB%z>v;QYx@BbP9z5eU`7sA=U)8FW?^w09UeD8v-{|mlP`R?{z z>pS1q>udL&>|5fS;bXji@P6O>W$!28<bS1imv@JEqj$M?k@qOie>}hSe8=-e&!e7? zcqTm=PnTz%r_Qs$!*l=Qeg)_LFTkDlEnJox;m+hv1>63GT*&>N``7N*;5PbU_lMk< zxkub*xYxQ9VAt<={oVC**DJ24;M9MU>r$}l-{xB7s&*ac;+%hW{>1rpu<5_od7bk@ zXTP)4c?z8Qj|GeVcN{-(eAV%|<4(ubj`JKnjyA`Mj^iCiJ1F+|?04Dc;lzI%dpYDn zIGbJ1*0T%Q5c3}M8|K^0v&<vRt;`<gT;@!sg{fiYf$haV=wHyU!g>Dz`etA{`X^-b z2F*fxjgTb=4Rtg1bs?KKXckc46ta1PW&yog$mR{2`E;|8%^NiH=v6{CZ_tG4CLx<Q zXy(!@g>2rSDWe;OEJ*SAK$=6JB1j;{<FMoC6@mnEJPw;lpDaiq$m6hM>5~KrBzX)* zeVF=(Ab}{4!RTY?69oxmc??F~h@Jys9)r;{=%^rpG*7}#2uUE$;~Vz$S%L)OJpR~p zdbuEtldz*vb9n;&(R70#<q7oD=z2jy0==;!&_|(nL82#Nb%KOMdh9s?J%?m^0#++X zc|v`Nt`Q_8)ML-_=v^e$6R?CJ<%#t{^c)iFvFCzxT#yDxSO7iOpAU-(QXdKPqvv|_ zVby|^B4IwdN|1U;n3t{;q;3-Cp(BE{gM@MPGC@j`FgFZ)2?_XEKiu?ELCTZxUFf+y z3ExF85hNtxWA8fAb0FdqFuFpJK*q;m4*GaO0wEuVvFKfp@(CEdSdc)>$6*Y;NRU9z z$6*v*E=VBgV=(G}=!Jp=l0FXm54}K;K-9-zpcI}jNJ!Q<`a%7ho+n78uur{5hXn}< z``B~;qUQ<{Nc%YKpLCfZfw+&u{z1<XB#`%U*x%{n1PKIw9QHSQwjhDTkHh{-!`uRq zABTa{njnG9kHh{<A1g>LB<xT0F@m&~guP485TrFE>@9k_Agv~0zo(BDq-GNKEc!;P z@?i8dL24plzoU;5q?IJ>x3nNgjU?<hbV!hp?2qyEO_~=Z5dLx4&*`8bf%H$p0)hnM zKLJBa7|8zwjP?r>8~{j|PmtgQK*GF&1V;cI_A}ZeNN@(gVLzogL4rd74*Lo179=<Y 
z;IJRlE<u8001o>R?F>oeIUqwjLK1ln7^T^eM4kiArJ0aKo&!c`IwX<jfHX}B5}X5Y zls}~YN08tkK*IhbNN^G$VgD8+I0}%k_XG*f0yyjq>R*BchXEY+ed?crR6)YNhd#ye zB<#D?-vwzg345LTn;<PBVc((tDoEud?Az2|1Zg1&dyV?DAT1za-=ba=r1|-<KZT@u z05de`)HnMD2~GugH@-=|D@brGz+taae-tD*7vQkZQ11v591L*SE7aS91SbO=_A>Pc zL4u<J4*L}KmLS2|0EazE{a%pZaDc;}p?)Vwa5}(YU!Z;~NN_yBVJ}g?5hOSt;IPkA zzZN7oAmFgCQ@;`<I3eJ$7pPwf5*!go*e?VL&ImZ{tJKd02@VN3>?_opf&`}o9QI}E zXMzOB1RVAy>ZgJP=L8(~JoOVnf`bAMdye|CAi+rihkcFuks!fQ0f&8&`k^4fSpkPV zMg2ekW1~FS8-kQ4_&r5^Uyw+_kNP<EJwYM`Kk8%DcLj+Q{HVvM*9D0b{HRB%?+6kp z_)(8g-xefN@S`54UK1oz@S`50z7>){@WW2amr&mfi6Hk8pjQQv6#J;pQLhLhDfUsH zrCt`qJhAU_>Lo!W#XjnB>KlTXC-yxK;;=}Hebgsm5{abP2e20e5s7`+TKxd^1wka` zKI#GLYl2A1ebf`wR|S!j`>6ZTyQJI)u&)RrDfdzP&~v2R2e2;-A}RM#AEmw|h@{*{ z{Xh2J1I~(KTNkhD?!9;K&<PL}92`VMz=4U(AaRHyQHCfW3^N;MU;<1a!*(Y#N;0B? zIiez<pkhMI8BB0g#4P5V{eRun&2;rSo_p{6pZm^x@6P;wP+xt!s=B(myLxr4RcqZy z9yj8=+()p(+lcdWAGw}9X2f~9k6cF{HR8P7N3JE07;#?iBb&_r@p2!yhm1Hc_mPcc zml5aXK5R37(1`PLAGimMI4}2syWfcOav!*zMx2-X!0j;Nyxa%wJ|oV{ec<jj;=J4k zZo3iZ<vwuRj5sg%f!k`tdASeVJw}|D`@n56;=J4k?rtN_%YESPGUB}42kuTI&dYt^ zHXCtX?gMv+5%<V__mJC-xJT~0humhwdASdDZ#Ci`x$howixKz8efN-?jkrhdyNBFl z#65D~J><ra@D}YU+$?E7!Snz7+J1Qbe?ogmyH~qIyH2}YyGToE%V7^trOnbNYolTJ ze+oPToTO!9&xWqa>YwTl>gVeF>VDYrKXt^G|1xzI)(V!X3)DI4nd*4;G<AU5Q_WI4 zs>i6B>QjDIzE(a`-jaGL`<NxavRSzv*88iKvz6trBdCztNd~M5CMYA6Vx>^&u5?n` zDTWe={0^)APb2R}-iW+_D24Y&?vC6Pxhk?Ya;{VwSs7`F%#F;9OpJ_#)qXEn8+3}a zgNK1Y`1kO4;ltrW;WuG-@MQR*@OJnbxE9t2tHR0fl5j0-_NRtV4-X6X4d;csgpUg! 
z6%NDmz>lHNL+^#&480iI6M7)DMYvhmD?BYcENqt=rFpPz9|g<y9@xha5Pyd)|J9*& zq4PqqP-CbHs~3~8elZv;7};3EI5yNGBx4=pJFH|J#9GF4Sk2fGyeoJkd={(?o*P^l zYzWQ`mcnzv=-}YsDZ%XEiNRxoErPQAhy0!VseDj=O@0m$7<bBd$v4UyV7-5iyaIL( zbLE-xM0un<P%e_YW8I^ztjoT@FR;yjKk#PYg~0B>j=<)?b%D#^-5?%V7?>BB8JG|_ zEzlopAzcFP11$rx|9Ag4{*U~B^S=yV2M_q~_TT8g(toi(1&jL{e;HOsM)?Q&3;iei zJNR4s!|;6YJ!~W1@$K_H?R&_#)pv{UYTsJlIan`Q;G6B6>Kp4D0zU{nd?&zGLiLH# zPtxboA?bDLIq6a9Ug>tMpj;xIFU7?D;)_@}*(u&BUN2rQt`ZZlm#7j;#fjnwaR7WG zbQQLV$BC^FUGfj%Tj68jEn?Z>REl58DJ+=?EGJ3wR-6A-zRE^F$?I(Nqr93Bnu+qw ze}6Fo_BeJ6hHP|#{Ii8Hf6AZRsJ;BD{cDE&iH+LI?^|e^bhP}I&9#!>v{4KB6&tDY zQx+<h!t$dw=a+Zd$S2>+JeXWBd?a<WA$g2^&fs-mkGCOtlzhe@-e=@6gPVl+q@x}9 zw$#>v&q&AEkU;));6vmS2Ju!SA2SI57~};8uNDqTEo_Jv>GKT22?lxAfg8y)4!nju z?ZB(aQw(kpF7y3nLpqUO<G=~@Y6p&|S21`c%I>fs`I#<f@N(hxz!n?Q(R7UsVFb9A z!OKwKZX423^kN&Lz-k8JoPz9f;2QFv16Pv=9C$Ig-+>pAoeo?@?CxAjE+qFk>;=TW zLYI>B$#%wKEs~zgAeP_gQU>8of^22*LSdgIJ8-WQaNsMF--hHW@+5;72>T_;f%_z% z4ao-b1cT=b2PEpieUj+Fy^>%<EEeuz@H}C^_@@K+NyLWa3i3FE=L)Zh_7yr;*eCws zuzN9so1S-Y4wsYN44xyrDgNTXed4b+B$tuL7(82eL;T5suZurAaG&_I4aueCQ3qZ^ z9$_$zK78lEec}%e+$(->L$aPc%wS4*Rs6<*`^0Z;h-J@*7);_UzINbV@hb<uB7SK@ zavs^nAbfj}dl)=RcwT(hh9p7maA2G;W7C-Mxx`F{W5Op=p7ppw)TeA3j**wipBA@L zO!{AANVwI%-$u9iU$@aFKbsO(3LE`zFpj<<^t0?7SGE_J9rX${^0M{g3N-Snjc)O? 
zIb?;f$-mF$Hv0E6L|+&BSdFY`FZ8vj<!I!2hOoKjB^#~tzi6Yi{udacuL;aldzrA= z|D44wqpu3gAbT0zC-kzorTFz(hUi{_8EG%YhJ_-FTOua>&oD$^5tsq?68zfJ;uh1F zg<Pw9i~9)q473;6C@vD?el`&<61MsuvC1#PDekt>M*m|B(U*j5tLmZ-0<+m(2m{b3 zEoxzethY+l3$I9*FhnJqZ=pJ2r^J56nha$}T_AiTt+9SxAUrCqv(Y2cT85}V+0~wp z$7_|v%}2S5ZS;tA5kpvaWL>EhgVF^SS1ZcWc{U12Yy(cMut&O(al-A=`3zA)+4)q@ zChQPZ*aXMATt&<27OU7ivC_}FJdc*qyDe@m%CYXvrL*W=7FQ{LF0&mrmEtEdvtF(g z-;?LqzaErl+2}2KnvGtQN7(2^ncV`F;`1`Qw3QgylkH#k$jl<WQhZcqcHEWXPMKL6 zSBg92pk3}h*>9t}0$<zcj=;w@x;^lLjcy3o??v(20K2Cv#j6AC)~ggR3p{9-TOYX3 zMiqXxQ=n2D?PmjCNlWRS>{mLIZno}%igI!R17+lV24<1-7$_y@GBA_C5DYfN6*CAF zktR5kq#2k_QdWy|glEJrY_v;cZ+$rZA?%9G7G4$)TffdmxzB9$gvew9`28VwS<TI^ zA?$KRg_pz+tzuE(S&<DwRM=zh!i)-!iyzs)J}5GA0-k~hJGpZ4A-R?HYq{{E_@0ek z5D(etc9Dr4a3n-FTO9lXk=raZOL$KFn~gSz2dqxbiji9wXiILjKxrM>U=^AvJSDQZ zW~T6jxYy<$6koT|10tK)W(qsSeOA?(3&<4=)Q~H!QZsOZY=W5~JS4J7XNK^g$gc7X z;Q{ewtHO-=<Z`RRnIPDtcc%D~+=p=())#E_G;T=qBAr=FF0-iV=p~zIrVCGsPutuR zB9p47<5=uInvP>VYgL_ILoQ{Yny{&1n)tq4Vbz?5GVIQpCSD%c#W-A=JvMq=eB4I6 zMK&Q#6CM-UgftDudctaWS`}e42yBu?HkVBm9ue7GHWdT$u+_*^;Wk`N^K7QhBWo?{ z4B=ss-R&?z7I#@co-voKvA~o{vf3&It6=e78$BRyx6%FLHXH2}x7uijc#l<eas|1V zfjQ(N3rvcV3#~%1MG)Iq)Wm57T2*vs;#7iFHWQpd-~h-3Q^;ACsr|&sF_unR$<m1{ zSUO=jOUEy>T7_w@c(aXe5pS^3&EoYo+9cj&qmAN?Ho8i@&T3;q3EM<5q5V>p&sbuW zfbp$(t&MIGud&h1;?*|VByO_NMscH6bNsl4EN#EY`UUp2;#D@fMZCgBH;e4vE5Sw= zcI%g5qs*07&63j_O#S~Zy6PY6|2t`h`iJ_d`ntMXy-VGI{rUCk40Qx{<#&W5gkSLu zzgKx!xdUJBXJe=ROl6dEiqctWrBHbM+aGx%a!=%%$oY|lky(+^ky9ckMp}gb2!9%W zE&N#cPWbveJ6s3b|I@-f!^gu*!Y`o@L$8D$3f&gEG?WO{gwBAMzuZv!P$>9A@KErD z;Qg@tUyE<$xxtCSfx+&<wn0Dq`@JncBi}1uCtn2beskm!xxd^^J{n)a-vr(XJQvs* zxGAtM5W|=6q`;s+kHE3`;{DEl(Epr&hyMon^;_<*@Q?Qo!1wLZe#!S0y!t)m+veNk zyAW3Y<@lQI>+9-k<MY9%-#bUF{u9!CX}UB5d)iNwTEYh43-NE_)8c*NjpAA{Ce9Nl ziG##!vAr0ESHF*heXs(!Q`jJ!D>MqTgfT*2p{sDTAknYr-{{kHJG~Y|-}Gmsc!d_N zq;DH3UZI8e;#)?FS7_nA_%}UeDzuuk1++9`q<DQ6ULpsK6tB+$x8F$d`Ydp7YANWm zTwYC9w%1erxP{)8^bIWqWtOYZ3KW7W%e5N3g1)Y&pviJk%js)+>J*NG1g58;$8wc| 
zD5j^N#&S`Rzw{KeSRA!iPeF<0q9BLqDd?~`>J=?zs<4_yXK^1bmB%yaJFmck9H*sB z1y)nFMIH1MufJMEUouj>{t9pC7mXCJzrx<G7mO6IzrrrB=k*lySFWyN!>^u#`pQLN z=dYH6_R7_b5$&}UbXRUBLr+0-<*J5l!deQ7D_5b@Pz`D;H-l<WTDhuW2eF=l&dNn$ zyRe>u%8H|&(o)b^xtcl^jYD7MX3#j)Rjz8-ZmgxCt#TC_hHCA32GyXca#h1lWIY8% zm5Ul`_6d3_j@qN8+Hy?|!8L`F%2j9xeOymLN9CfhNm)xlMdj+$piX)U3MyA2>|fSX z&`-H2>|fSXP)~8xBSxwvr*FV!y@!nyubslSy@!kxubrZ2&|OA~*G|zX^g$!VYp3XB z`hbz*wNrEwz28Xj+9^7S?le-ob_$CUJB$>soua4F`-~K?ouU)yy#|Csx88(~r`wGb zubrYLbeoalwNrE)-D;$G?G!zo-eaVA?GznLw-_m2J4MIPyNwjDox(CmsgdHfQ{e70 zQoMEwt08w9DQKr$x*j?bb(2s}@!V!3xsvBjHOuk(DS9fsLr*S8xu&O|4y!Seyn2cb zqqiH$rF?Tk>1{@mS5MI)^j0IutEXsx=$n%s_0-4o7Ci~|l<Tg-CPqC8?UakcZbm%` z<&=xUwnjZ!@1btclTb~$N@1g;o`hz~MPbLIo`hn`MFsG5C83w%sB4WRua=_y=q4k{ ztEFgPy3t7TYAM=>USlMAwG{15uhx^MTFN!Nr?fSayjF^yLa#ECyjF_#q8p4Pua%-j z^hzViYo%x*y~0THS}EF-UT!3LtrWP+j3lp>0(YsA<h4@ZE-{k4RtnsDBgt!}z^yZq zyjBX_S|f>7Rrj6Plddt6yjBY3RvXD_-f|ZkNnR_3au*rNGx%}^bd{0hwNkWzUT7qF ztrWNmj3lp>0(ZWV<h4@Z&NGs{Rtns?Mv~V`fjh@YmU#PewvptuQYe=;lDt+5T*^rD zS}AZzBRR&~UcyL@_HuC}Im*kOWh6&>xtNh0;pJ8u$<w^t3L`n(%PlvOr+T?%Msk>! 
zTWTad!dn4dVkAAnTLE2cBt61g0bOJyP2sIcON}vDXe2$-TLEn}k{;=;fHoLOkMveR z>y0F&H@>|(BMJG9=N1@A2yi?%-$?fHa<xVhG8|tHQz3*nH<wSVjU=Qvo~tsF5aW1m zo{@wc$8&RyBm_C0t2C03<an;aNJ5n3xj9A>!W_@dHj)tMcrL0ZO?j?qoU!txCwYMm z3r~6y0-dWA)}8bu<T)3G1sOdFagL*A>PcRj!<K$M*^MiO9sPRJl;)Z`f$jc!(iG>K zDD3vvle|2KZU1`Gl;@gCVgJ98gh1y$$vk+wPC}&PIC_SWgiPn=a?ElN>Nt*0F_Mt# z++4O<4sspG(aA;<lAW9DZkB^+$8mI$k%VyP;>ZR%(MUqP<GBe&@>nl7-bg~gbCsj* zXo-=8gy-hkn#YBV$8mI=o`jI+ez%;A`vyXuyV%L}bUg_%&t0q=ib2eC7wbmH>Pg6X z?qXe0%p>P@rDKdFFXus-fX?x99=V*3Hj=!Y2b}`S@p2xyjE*vr9yzZI9cd&za$XlY z!bp1Lyw3DABk7UzPNc()q({!{L{ANcr_l~@Ixp-Nc0}4ppGa>@d!?tOUD7?$&Hj`8 z8Sr->@crid+V`RFfbXU7VR%}*-**?R<gf5u6ucsMQ7{=?43Bn?h1*7IBju4P_|hK~ zDT-u8j#nls1K@G5t8$z+1Xcq*u$$l*P1Qv8Cs+&|!kWT!>Z9tt@cp+*y+l1<jj0Xr zEpR5H3Y-eN`Rja1e1li}X89&Tx7`un^olG5epLO+ui=No+X9~j-VMAKcosJP+XJ@+ zHU`$iyWGk^J$(324~z>83-k%(1WpXJ3+Mq~SPK1&eF$lIFPs{QM5zB4|CiVW@FsTu z@5Va7W_b9&%zvRj?q3M60<(gXf+K^)h#=4{m>E1O7?S^l4*nCYGwhY0l6T4X$T!PZ zK?8p_)*BYcv*oGsSa}F+2Zn}whqHwXh0FXC<X--H{+a&M{Qdp;+V|S0@Tj;?dm1(s zTeVx@OL1-JzR(>~NBE~xBtiTUdkEfz-+*Vu?czpwOT10GN<2@j7gvhw!<rD6)*wp2 zFnBnu2)!5CqV`q3QeISo+U)Sb@U7u>(%IsPVjnR_)Wvq;PO1_4HvEjV4E_dw5xxw) z5xGgtg}21VBY!BR@K$(D_*`ke@TTy7WNG*ZDJq>Ijgbap6{9<17ZiuC4P7d{;OiMW zD>N6L7aD!tLc>FOp?;wmq4B;<*e{$E%J3Z({5li}{ucbu7YZH-z9jt_+!MTC`VN*1 zH-x@WTB)6t{mM>lEW1OnwlgQZB0SB!QxN^($;g9|S9}*Kcf!u&a%Gj0P!=g>C<<aL z>E01Pl@~KL)Ly6$YaRHhRK?&{;jq-*fuBlQ4BjB#FDo__K9){k@DtIHY@OD7q9)zW z*!M(Tx{bj@U~hGxD&68hMY@^6ccH?#$%bN3y3t{8mu_(2Zs~dlJ|<nq;6YTo)`qCI z$zgAoHae^#*?Qr3P}bH9zk{;2UickoOg6Bx?}!oUN(SFX*(+>_vX?vT?b2lqd_}s{ zhSWz37=#@y?cu;bs6Bjd!BpHHzPDf@elja?0A4}Pu^}$N*)}A<(rygyM}ahhFm0y& z9jMTL4vf$~4h+-Y4h+##YzS>}Uj|_?O$RUtdu7^-L6|AiA_ifdObZ!=Q8Mkx;LXC@ z(n$_{M(S)s@&vJ!pfJ26w!##)b;Q<(-YC2ysjMul>xiuyh4DE(jj^yfr!4jgfvGtr zMN1hB3v)V*K^T_Pp$x)KoDO0T=HYZ8gRlyx#SG#Lj@rs#*bow1s|(XcVym8E(MW7{ zG7K4stz_ORd?sbH7GQiy1qNYrNhyPf(LtVL@K)iyz+E;ZPZL{*49iAhANUsWF*$=3 zxJCF->gvGvq%ID8Te7eGEy6RBeT`wuNNgoDOdW}>roLJDL^_dGyBQW2o$Lp0A3EH? 
z=zVxN>m0aGs%LO7*czK9-%<PF+$#!FHDh6<OIt7q+gxfe_=NDiWM7vjgm0x04*QK{ zUn1D-Qk}7TP{6)gd!XaAuNDk=sm2OCF8m-3ap1R-eGMNMwn&3*mK>z^y|EhywlC*y z;XBE`oV#%d`+CFRm)a)}n_e1bEj%i=kREWLA=wrck79~>&|xL%ej7ruzQcyJCAIs2 zEeh1`<Rijw(qvWuW-jy?24TfQk7f{t(zG>$upy=)2Ogk72kxgbgD|@#wvEI6xX3w- zh2br+%^h|Me@IgqyHogGI>UiaOH*t}KBH|JgatWm&mauKX*&k@;wG4Hcj6UX?@C6$ zf+=LK19wPsY>1~TGbjmEfGIoez{r<HDwWv~jm>u8VX54K`=qE1$=CEa24511G}DIY zdZ`V`m(;%RUljh7rZM(Kv^&Frho$Kb+$WuBL-GYZmO&V&(>4q~C;TdvIPe!~oCBYc z#@mp5M2}(+cImX013#cG8H6=BjWGC>@Ut}5f!|7}Gk7O1i#_?lGMh?_-7I`5*^?h^ zv#H3~@5E!JrybZ%dWyks#WvED4h%_8F!+twR@&phW2DC!{9HU*+HFJV_aAfEHqxUG zY%M*);Aa@rhixbxB|YT8khF`z!??lkb6^YUUI$9jb_ceSwmGn+w3We6QSBZFwve_s zP?GL;pds0F+b5zV-O1Qba6@foa6e$mhU6F8mBBm3Z2|kPzEk*0vR@;I#5)6@u>uDH z4>S0kcw=BcgS*8|ffpUPG4KL|?}*m~o@ek*iORPz_%4*D_BiY%-_qk5i_IIfBZIHt zR<5uiZn=4p4dmn|<<37xtlA;zq#$MRARuwrO!;ev&6K}la3^f^zHnfB**>>-VUhQ? zQ>~@E&#Bf@-pk-Ek|saH;CqrH+xNq6DI(kV!){5I?fL8mDInW3*B0^az&EVg7U65D zj{~2P`r44ZNdpYtjk~(H4apnS&){8PPq86+o%$Gri*VVV&vuIs%l6~6TYNxPBM*|W zJ!q`#A#uBG56MAsd*DxH1S$OIqxuhjWsSWHwYWW79TI<$FJtUMz)KnYPW)O<GYETX z@`?j*A}>4eM)HyaZy+y1pym6!Mf^>^niV)C3G!xTKQSHq{>%UDLx}rjd%8LZI8Hs* z)15=&EAk*#_8_4Bs@n;hgaM4*38Mu2YQ76ofgEitY5n(|b&mFg+}UaD3Hd|@x8m9C zVMFpP`PqTbke?XD?g8?V10NtCI`Dq-fdhAv_Z_%{yyw9C$RP*bOWt+hc5={x+sHc( z+)C^x05<;QEr;Dg{^r2D$pHu6MeLaX_WR^bhuuuxaNr%}bqC%~UUT4W<W&dWO6-RW zmiT0^w%jx7yT#AsrL62h+yr+pxLZ6dFTvRU<@jPR8tuZ$Vhb8Qi9zf<qxPu3Ci<i$ zjC~E0&2k4Gmh7XwhHJ6RX2}oKzCzfOMmsTfA0)8_-2VSPi2irAcD}X{*8XGQ;otQC zM-ch%4fS#LZuKhlTzsR?R7a{s>Itf@{HA=Oyb3@3o0Th}|F2WdR8E7fen&-%{1*8* zvM=&zWHaLZr6UU>(<8$p1(6OBCH!;vgYe7n{dX%o=EvbJe+nY~<%BcfA^-c(yI4oq z8M-mFCbR<H@F#?dLs{_r=Y#kAw}MXxx5MZCs^F4f6rS$;2D{+foWi^PoAMrc3!?j- zCpW_H-zd44+(|Y9zXv`Eyc&2E*6&vY(t!n76BrI(^Bn?;|7ZUPuyx<%zZG8p;{Iy? 
z6#o!^4pupWuxx+V_q=bX??&Gm-wI!)Z-TGbmjyd^pY*l#mh`l=UAk6UB`v|1^XXDw zsf%=!M8(g=H^n{T7I^$SPi%z!`Y5rN*hw^m-~TK7|IhX)tzyF2M%tsaiV0~W?NM6A zgp`r?D6L{b(ny<1tENRl8WR#m+M~6K32`Is(OSiXvyAi-Z{3)Y_GqnQ!b&5}YprmM z6-F9bEB?64jWpC&Jh#k9LvO`%ON}%XS3I}GNJDeQbBm2MR98H=$VfwX#d8adG?Z67 z*Jz|Y+N+q*V5B|TtC&!4q&?cJm{4b=J=&|7u)s*0+AD6H=NoB{`YI;W8flOEDkjtz zX^;9UCR7_~kNOIZB8{|1eH9bt8EKFDDkjV|(jN6yOsF){9`#jBs4&tV^;JxmW28Om ztC%p`NPE;*F(GQCJ?g8NP;R6>>Z_PgW~4pptC%p$NPE;*F`?8*d(>AkVWyFu;vLf& zM%tskiV0^LX^;9UCQLWd9`#jBm}aCs>Z_PA)ku5PS25uXBkfUN#e^wF+M~XT36qVq zM|~9&CK+ju`YI+&G}0dRRZN&*q&@1Zm@wW*d(>Akp~Ogg)K@WKoRRjZuVTXKM%tsk ziV0(lv`2jv6UG>6kNPSmj5g99^;Jw5Wu!gotC%p-NPE;*F=2#}_NcF7!f8g@qrQp> z!;Q2@eH9Z<HPRmSRZJLWq&@1Zm@w2xd(>AkVTh6TsIOweU?c5OU&Vw$M%tskiU|Xa zv`2jv6N-(rM|~9&1{mpH-uth=k@l#sVnRP7?NMLFguX`FqrQp>eT;O0x4qs*+M~XT z38xrokNPSm^fJ;O^;JwLGSX0A@pDe0k%s<?=Xx4xD6n|0z(_-b#dG;a8Y(QF%QMo@ zVewq9k%khB=W>iRv{*csZKR>b;<+A18hR|A>u#i>$l|#yBkj>-#e|cMv`3Q_6S^5` zk0vW7bT!f*O;$|kVx&Eqte9|;k@je^VnSyl?a^e#gcFUlN0Sv3IvHtRlZAKQ2}YXN zWP$5wq<KvixZ{nqN0Sv3Iv8n>CMzan8tG%a<8qvlHZ@t?d#1gS_NcOALWYqxRasoQ zV~zAtUap;yHg#ECxwb~yqs)p4#~5i|nT7K>+DP-tEO2d%G_TA8*V;()$}Dh48EKC) zD<-ru(jH}2OlWDOJ<6<@(85T2lvy#sFz{{0oyST+H_}0#TOnu$%-y+i%LLU(2fUnO zr2SqlVx)auE^MSFFBdY>qL&LAX~E0MMw)uLfRXmdf6D~Fk@CoY%LJd1^2mS71j$Hw z<iBNtXrw&y-!efkQXctlnLv${NB&zT5F_Q0|CZ4|jg&|JTSosdQXctl8U5WzdE~!k z^fx2b=s92dtC8}^e@p2vM#>}qEulXfDUbZOn0{fTJo4XS`jehA<v*7d(c%mv<q`iD z(;tnLNBmnvztB^r_~)v+2vt4O-y-^hk@84?3(cyg^yjL&5LG?G-$MGmk@5(Cjpj*s zguh1mossege+~3oJ!J}iu0u575FXjDfqrA8JhETCc?gf}S5LpzQ>N_aYOWs5c|^Z@ z`jwILh<<hSOC#kG{T7&q@Q8j3=;ubtBl^vzpBX8S=r@}lHc}qZZ#MnZNO?rR`ScSb z<q`en(~pgmNA#<u9~vo-=vPZWGEx(8x~^%i#w_O%{c7k3M#>}lRnvF$lqveThN>Dv z<&pfV>H9{?Bl%UCRZYpyRkaFLJ%V2qea}dF1iyLoke)IHKUdXxsOpjX=FxYJlt=EH zYaZ2<`&?D$qN+#in@bNGDUaA!N#F5d5kk<uGnaY#X}>UFW}5$+N1%BGnn$2{1e!;n zc?6nApm_wEN1%BGnn$2{1e!;nc?ABiAA$bK_Be+=@ks&_s(o#q&;XX0u=%ff1e!;n zc?6nApm_wEN1%BGnn$2{1e!;nc?6nApm_wEN8tbV5wQ1oT!pw2cbfM9uhTt5`&v7s 
z?bROFwrMwL>*4jkK`YnB!{2{C_U*UQB=tLZ`QNAR!H)f#)JxT~)rIP8brNC$7O5w} ztA9xOMfnu_zn@X=S8i7}C>Owwf0Z%~9s&C*SxSbYz;plS*a!Z6WEXY?Tpd{zSrMtm zzJO7YzVH>0ft>-rhd)Pbz!$N*|E}=H@WtU6{PNETj|uk=_kc%!ElfgRV~4=Yp+`eo zuv>jiC>~l6Dh-{ET>?3w4k05%u}|RL;LE{BgIlmuU`;R{TmYZ?r(-XFPOt;K>5JIM z|GvCWeq7!r-ypA-Q`j*Ol_$tU<O1v&XeEpA8F(o03U&=_30xak4Q~ST0+Rzn0=a?X z5I68=|A+p){zv?G`ZxH`^*8!w`N#PC_`AR>z69S0Z~LCb&VieJ>wIxvt#7*TG+!Zn z;2Y8((qZWhX%BoUY((t9CDLrEL>eGvNo^4`;5+R5e^Go;yj8qZOp5cd&wm7V51a_E z_k!@H@HgQZ;XdI8VU4g-m?umYh6wq>34%fYpoi%jxLo|7jvx~mf-tDIrlGX5rXK#y zpU@Fwf~WTA@d+O4aUBsR_)@!d1eoBd#}veuXh-R|XjN%Lv^<ufBDO?3DmZy^k&eI; z?m8EdNA>s^j@m{Z(c_~%)Wdpwl!tmqkB{_FyY%=75A~oPKg~nkrp1SYqDKZ{n@^9Q z>M8Vq9v|kR?$_c&rFMdIHi$QKmKGo4W^N_h_4r_}+IF&2iw|-a+C=Wr;sf2xMsklH zFXpNt)`=b;;Gyo*<NZC<y?VT#he8+ndZ=xBypM<4s>OS|`*1b6O^=_#6}pXV(c`^5 z)ZKc#$V1(w#|u5woqD{dhuW;i3p~^vdOY7l-LA*;IO-~Ls~*qwP`Bvu91nG~9?$kr zH|g;n9_mIt-rYmppvSX3)b)D&WDj+n9`EL%uGQmRJ=7*W-o-<0)Z-_4sB83iXAgC? z7C+H_HO?lNYVl5PCS@`wpjy*ydubaz-jQqQQnEphAMc^A)Z!iZdewS7(^KdQJ${^r zx?GR9_fVH<@eFsTl4O-0Kb9-Bid>?{+j*$<dc3WNTBpa4@lb2^_|YC}jUI2~p;qhh z)*k9&J${sjx=4$+0@XBFt7`OkORi9YT&Txec&H2XxZ$DB*W<c}I!}*l9_m~@u6n3* z^tj@o&er1*50%#AVGotk;~@`~)Z#(+$R|i#g-hb5xwV{}rNjfS$+xUViThpoSw1!H zlQQU$A@RkOxa2C}%TVH?D?fdq8W-FZ7Oqs|lp|KCal#SH)fkswrmp1jOVt%zeu=uA z%P&@!ars5cQdf_r)~HL|Ki4#>i@AJ*x`@lys|&e&o!ZFd7pM(fe!g1I<!hBX*WssR zC<|QK$<@kyS9Vf`TI;S{QKi;!`FUzJm!GRvarsJho;yErjyjji&sHnBd{nLA^5yCr zE?=h3=JK=DD3>o)%enkawT#QpP-k)ZGu2WqKV6;4<)^7LxcpT0OfG+hI-Sc;QKxbF z$?8-tKS@2qofjvlQ@H$ibuyPPQ6bti-QMCj6>^O$f4T~x#+4tdLZWfy$EXlzT=~(8 zTb9WwR!mXG5p8l>s}N+GN*9k(A;q}zBUOknuKWlU@{22fnhN2?l^?D`a&hHPRUx*x z^21cfEUx@e6%vapKSYJN;>r(JhjRHr>JTnJP#Nqxo#NICWRxRkm)%+&=q}xAfC}-X zsr6R<Rmdi;d_NU}i7Ve%g;e6o_fa8|xbnSK$Rn=&DQa&n-%Euk;`+Tvg&g9_7pf3K zT=||VBoJ4=K!y0>%IB+)JzV)b6@rH=pQ}RZaOHDUh#anbwhDQ}mG7ZK*l^{$tB^EY z`79M;hAV%v3K_$d@1~sW8tzuDRR|YNKez0vLb7n>yC_{;#XGlFAyPE`+~On^@`Nkj zS%ENd<YIO>QSIdZ+32J~j%X@woS;IAaOFFy5FuRo<5kEHu6ze2)75<YOyxLtHbaHf 
z&{SGKPR-!*?UiF)#kCBjojcn`g`m(>yUnpGqy$&KoeB}bm2ay;K5*raQ6U_-@<%I2 zxtdp7E3I5vMN%OWG?f;PQXvnx@~u<|1Fn2a6_S7}-$I2L;K~~+WB^xQS0Mnn@|udb zzbmh*c=fyT3j7PX@=`<%a`~_-bNP@O;POG$&*f#6d*e$1#r?vU{EGX1FZmR_?t@3< z15v@tz9}n&<hyAnX|n*^|8KS1wd=JF+B)q5EvYTj>a}_PW0ZMHnKD%=K_tFGN^d1k zJFLB@9l%P#v)XR$0c|V3*<baa;U6m>*2=W0S~snu)=q1w{;Gbf9#-E|52()~cEDD6 z`MVzR1J<b*s7b^HtXJo$W$IM;`WvARQhTd;YBxj_Xs5PR!>Wk50^j=H^6f>8xrcq* zeYg9r)k?Gx+93EN$di7NzS6>)=(}9qt3KenSUIdLL*#+?lmm!F@T{_1c|h5U^@r=R z0<jKj5J{yQ{1LQMS}I{hjQon&frlgSMGi#vMxKrAjyw?A8oAxC`F*}$@eTh`BpF#2 zsgLCO(&3N7&xLn~cSf#{Y>2FjTp&-AK9tA#%jHw$evx^RvdGj(Nn`~49QO7<;F}Z3 z3Umw{6VL)a|F8b9Bi$k$5p}R-Bpeao?cgilGXF4tKYsyY40M#&${P^*;QH|8h&-4G zFA7(MOT!bxBf<mxABOh&4}@0uUkcUv_aGudw{Rw+5Qaj3hQ14Z5_;P=U%t^Dn@?Wg zJKcY`Z<=qYueUGT*U8t`r}-qr1zaxAmfn<JkakO(r5$pfe3G0Yw~zyY-vVC;J`5ZP zycF0IxIb`L;0Aa`xG0beED6*E%COEcDljlm7@8BBh82~eq27pF*eTRDq=ls5&%rN) z9|ZRYUkpAT+!?$xc!T5h@h`n4o**A%MI2lds0x%K@`BYiVhcWjHIxJXmk?*L9DWx@ z`v>`t_qXv!{M7e@@38Nn?^WM3xZ>M<xB9N}7x}ZWnsP2YG1U3yNMA@lOYe&xi37z# zkqSQuhlN*#gNVfV3=v*E;%-BFpT5U0i!|r{9~%MYw`47O+VN$$79pv!7`ujs9bblP zXvpzexCY(@yZYu>u~6oc1f5}_W672DObfLo7t!ggfz|LnXgf(+4ex`tla$r)K6rvt zz~^{+T8(g9w*RNqh_cneDIm~H8={Z4r?S=PV|y#kOkIXx`;1#fPogYb+Cq9UWueig z(TnKoR=JZ}Qx<ZlLo52S)y-D)LdxO`wW1eL7IUZ-J)g3`L9OU{^m)77xs*i&YDLeX zEPz=ndNyS-geKB7Wif;%(iCMegeKA?ebTBsktXO9Hj2|d782-L^l__CD+Rj20xJZ1 zr3ID?l*L2BX41<oW|2Wz*rE^u64qD^1j$*n+CuX%`ZL+!TnsmEJ_ml~cs;uqzS~5H z{lam8crkp<*&eYjhBG?i4DUe!Z&4};3+N^x#K`kWoZ60m&IYs{|D*tI$3IEH16Hj@ z@*erwMu*5x7HS~xk{@k!ko;hycgXiPdYgP_p?VT`oFuNN$2o2x*VFcn55M&^!}095 zo*wHsi(HS}pqO=ZJ#LPH%n#oBdck%Ow~k&X*gpQ&(PJD(nd{)B()P8r4o)g<uUhLc zs<tbwwRD5fhBdnut}AV4a%<tb(sqHi7OpD`odPW#Pnv7t#j?O*4Vv#jo#r`Eqqz=L zX^sOGn(e>{?O_c_6<sBCw$MDF6D>3ssFQ^%f$Rrp4Pq_XzP>Id-wG{QL#yevg6_Z# zf@a-Hu?)hZXvN4yj=wFeD#PE_xup01;;d#h9BD0dV+Xqmu|I8>a#tbXr|p>ODtOtv z-6^n%*skBMLMZH89rhY>ivzDFH#4|_-YB$p;0;2C19Js?LfAmF1bafb5{|6<vjSJr zwvPMME9l8|JY%n*-Kg!!>k8VHj$^mVWf}Bz_B$2?$@LDrl3eG&E664XUQRYT@G^p6 
zQl`(vOREV2Oj)Q6xq<zB3B6uu=fKW%v;$A1qa4_Yj&$G&bc6$`(3ZjVxB(Rhc62<d zuBXR49#z-V4vt6F^)%D*sEV~vauchDMNmXNCuGF`;&t^_W36HplU&UpRxim_4qQ(* zIB*@g(t&Hq6%JfOE_dK+V!MS~MJ^_`TewxYArV;39L7~OWIZd2RY$VUfftaq4m_W% zao~AmwFA#37d!AAa*+eiCaWBnCKoy|MJ{k)lAQ0rI62RHxUfEGNBS$Pu_OJ>^4XF8 zd@(!HpD%+Ta0{Nj=?m=;XbV@`A<!1CutT6NTyBRzTeyscKwG$!g+N=lgoQv`xR`}N zTexVM6*_Ec4GUjZ)40US*EF!OW;OMTSiX)0C#zY|$nx_WSXx_erBgEMtaNhq0xO+V zG2cons%lv}uZE>_t65rEWu+76%wy^7xh#!Vvb4N{rDbziI%_sdOQS5ES<ccKWh^~& z7E7m>vUJ)^mQJ0)(lgFv>6Ga#oji@Dlcrj!IN=PIj-SHPlF2L`H;JXEPh{!X2`n8m zo~5HptTd;197|iDZl%Se#<Fze7?zG0&C=6Gv2^%ImYzC-rNd5R>CoXU9das52M=TE zprI@sIE1CG2U}@&>p@o9YQR92_Ah2>zX2@m+n=R<`mwZkUzVQIho!xGv$W_GmKOG6 zY0n~-78J5Hzb8xc3Rs$(&(fScmS*R&v_}q0yJxdBs|QO@?#|L~SuAaRvX!>%+Kr`M zx>{-H)?KW$#Yrczv~y=G?Qr6WR%&$W#L^Q^U}?vWEIs~smUif1rR_5_S(<U2mFmZ} zXKDKkE7dZNWoessR@&y+wk&OT3`^S{&C+Aqu=MEGR;so>%1RZfm6ZxdwPb0l7A$RP zu(XBFQbS{@j#U7N41%VxRE@Ay30tWY39&RBWNAodX)wT2+0W8|kEMQzr9Sxa4pJ%# zJ|scG)c<c5HxTV}ZNK&;wEx#?7vbB#LYtrs)Uve<Eu{Vk&Hu~lL->Zj5`Ov@spabF zYCkngJys1WKj7Q@CFLP}b6>8c;RA36H2%GnE=n84hp+8-BQHYVe>=PYo)c-rcXLUk zIMO3>9JKwvg%5|{3_lg#j<4Z0(Dhe`&j=3-=Z8Clwb1XOPeZSV9uM6U+7wz9T8gjI z@zC;j548))!S93b1z!s83f>mHJeUsF!(acHU>|q`Yz_VXSMpnk2DnqcMZQc<%MJ1@ z_~!2~_rMo$IPep`e)mGRe`nyT!1;m2f!Trafnr1i%m{@1Kfx#9EB=T5cR;s)o_~>l zwts?uus;u9rv@V4e}%P(=b+uc*|*-8K%DzCeItBD_~LFM{V9DW?MJMH?b7wqYH5Wu zSDFNm`Z-djq=>)ZYjvOaC?ec%@V=g!^UWjhpBe!j-alMc6*NZEI-GyFse4QcDugE6 z54y#qpha*|%jqgT1w{f!U8Ez}Bu{P95o?mCHmC?S*-mg2By@>j#+h`NxsBefBhDmG zEzuEX(oNk;8}t;k3$8BQO6zq5ndGTDGs+}SEij`@HW_Hp`SdO`%A~tcl-{W!%A~8% zJbICaAd@a;F5O_pm~>aWoo+T`O!CwnW{gRmsxo6t^3+^2#w1Tw>M5unTqjscZ_`uI zKycKpDxyrf26RSiGsdK=pSK|N4`NKZYYn2eXoxZCDm2l&qEJS-njS%KRuN#*)%1wg zW^_q+nSpeKlIrGKE045RQ(fJ4dV_#gqUnO40^%e$Q3#?lns5we@b#x6s$>&^k3bbc zC7TF*3#tey*+k%zP(wgTmm;6uRAt7K<d{ko@g!Y6xxor2={g;<f#&K6C&^P;I^s$4 z)Qvg<O7heV8UjkX2DA&MW;{uEA$%H{@g$oHkxMAm5Kpp+!Iur58R#yWt^>h$yctfi zsSv>@x`uF)E(RaMS_&$RCaa@A%reko9AWV42h-BUz#%XW#+x?aGg?C+$);+Ee1HcV 
z`V3c(@PQ3`K6jzj=Cc5$hPx0ss3C-;t0jEcX$T<cx+Y|Oy@K$OO-iV`3^f&UU05u} zXowr>YUF@<sbSG@<h;m!^KO7iL(?s`u~<XE$fhFnYJws@R}r!g2ZEC0NFA~l1k@Zy z2zm+b4k$XB&WK(@-qaB!lB4KG9Wf$#>KYv(A~}k@rXxZmN14$ISMU_sXU2!*N|C)f z;zRP(%PPV{Hg%M|n4uvyr0Z<2B4_D{4C$&xo~Ku72n^X&i0sA{Ls&?6p<VP!Gb|)e zU15fWbW^v{%Qb|BY-);L3cEB!g>)67>j;8QF7QwYIyv7%A)F+vAzWj;jv$<5jfX-w z$!eaWm+6QJ$yKBXgEr4ik$dPRW<*F=DR}RGMMFeLSLfH0?Hb}iHZkOCa-W`@<E}>6 zl1(~-LAqL^Yw3C&u^>5$T&*D#WK&ag4NU(K2-3x@Hm}VrcQtYqU8f@oq^l)RYjp&H z<f%0}VnFiLY7HSEn_4GWu+$I$(#2riQbYJh7lY+X4Z$B>3|299gno24jpbw&ksq7x zGMcK<5cV;H9<d3<I<tzPk4=*>mYY>Xe00@G;Le=jIuec3RSJSVHa+hrwbl^m(KRE` zvrf_w=8<DMD+uz~RHs8L4FMiqJ;7SGhVYIY1BK&go;hDbXh*Khc^U#ca?H6}5)x9= zIbzLQOF}?$GiPfE>F8px2CgBXBgdq)B&4IJT38d;5X_Nd5*k7|aty8uj6$1gVXa(4 z7)SS5EYHvp#L;!7=yLM3ju?&{MOW$w;mA?s866QEISMZ*1aRai^VWa`Mw2}pUEW$p z^hUlA?qHZ<xE|W&bcK%Cjc%%fF4Ymbk*AiZh}`J9KNhuC5w_7qEX2`x!DtR$tRrNj zyPY|7k&cLsJhf0qz($^GR1mMRoe;FGifMz2SdFfOEkGS!ESe3O5|J9+&CG^OiAaq+ zRcA(O<f#Q_q((OtrSr{5jXYIrMr!0KJXWT7<On}>u6aFSx8WMza$0Q$YUHUZ9f2Bo zYMzcbjXX71N0>&Qs?-ss(M^@o3LQZjd1{W17>ztNTStgSo<jIbPFg~o_j2?5|4Di+ zwZ8wK(ze3_V6_(0s<bKEP%Tf()D-m>^&?pRKdRoTUJd>IQgx0x9$Ncc^*A*GUHvD@ z>&hNz-LF+HhRuH^qW%q5a+KqgNaW|phtRY?0(<|fBIidIAv)l=$N*UTw~YkC--X`| zzYu;Pd<)_LBw*=3Ej&D28158q8K$8xLvMwi4edZAfVH7ms46rC8tMGd@gXDlNAPg) zjo=f(ZLsjaD7Y+G5u6Yl80--|HW-wDkl&MEmLHODmoLZHf1Ny29xeBgyU49!+5c7G zt-v#Z`=Iq+bHuJcFK~Q7^Z(}m#Qz%N0N(At1~CAa`YYJCKix{N^>_5^zTbVH`rh<C z;oIul<Xh!i>Z|Zg^bPUl`#Shk=~wAv={0EDw@BAW7f4H`InqRFhy<_AQbhb&{7~GB zcz&D3E5&of2C+;WEA|z;ipPk4;aljgpBL^IZWb;PQo;h^Oksr3Tj(aV6T<XY`Z0Z# zKJNNHR1-5@vo^G7L`}?aF>^^mMUYL`lTs?^h_K0Ddc-t6)<exw5MQ%to?a;^h^^U_ zUx7Si-6IA^%aK3Ym0yND#M~plFEY$vn(m_xrZe^AQ635bQCoSaGgZXWboGBQ-ZCxR z57}fh8Y*YNi|FQvhRTV#pr-0cSnjwU#X<B89WgX{YKo2!nmjdGM+8ltnxrCtrmIsE z@zjO5GQ;UaJqb%5*YSqa33?L7JRCJ%O>*MySWFLouFMEpq9=VG3L#7-4~1~0qK86g zQeNsELC5GxUg{k|N9##m>K#Ex=?Pxy9YIIx30~?QNKexfywp384%ZXB)H{%#swS4X z$7*0}HQ|<d>97nvv4rb+F&(BR7P~7IPt+5OxH1FiP(8uPymSB^q9q#L_r?ISO;2zl 
zFYQkUYl(U^b;Rh2_Ak~GyvW<14$>36$lIR|)DyhO+n=H$FY@-M1JpzfZhYq*0A;tD zsCE(1d25L(cPIOq%se;K2ZCjS7j{3Q{q#hodjt?(tgoJ^@KAm91Sjqy@>p*@!HK(| zPEiw4*YJ`LTkDB(uB8uXFFjG_p^EebFYbOo3zbAET5?{@<O4MUDfY<e!<Ir#K!`m; zz@$P?OmnwOb7`KIa0{_Chpf^PXShcs2j9dAQ-*cMm1dh|CUXpgpu{Au=^ivkPfYYs z*?M9EM`h9OdSbkrBG9+$2~(IoA|iw8rYB5k)=hO)6A)*Qd}xx(GPJ~4cc;3TmlE=9 zQ!N;GbkP$KXqzak9dy<ckZ3vTL_GnKmZLi932xO76;IF;5Nche*3*u9f?M??(6{Od zh_zg)4tfG|Ek|YQ2?(|vb)24nWXn<Q^#nv)j=~dc%C=1-1JedA!EJbgS%a1+b`1@B zg=;#%#n7Y4m3o4cY+;JiPET->EvUA7!jx>A4hNeEJ;8~#SZO(0PjI3ws5V;S6xRU> zOeORLC)r{>2G0Vw><8*7J;5#efoi2EIO!HtOFh9!x1d_+2~N5NW#|b`x&@`{iCpe{ z)>2JR<aj7mPjDhGDk^${6LCRBv_yCJDZ(B~OPDKv&Xa>OcuqJ0m%uzqPjCV*sF0rE z1YA%-HNma_`Ea|N>wiw$P<zL<1Qr0@%%ysQlWqxYsq_RV-GU0}2~N5N<<}FObPLL- zCphUAl%yv(=@yizCphUAl%OSGvV5dlWVJagreNfB9c6Gka$BALG*8C85J>(o%Rnw_ zs`ZE24kV){=6ACeWTPhLH++*P_;tXqDbW*cxC{I>`BP7DG7|Zk{Glf}841+ydV-UY zK>emCT5@fDMSj&2Ej-jOdV&*^$d}}2J;8}dpnlR5oR|daM?JxbNuYkv6P%a?>U%xG ziAkWo(-NkbbYzIXHHQXEf=$df=Fo6r68VCBt0y=y3Dh@Q!W5H^wDdXlLM6;)K}YvM zKF6)WNl7ru_*zeJQWB`I^aLj*f%;NUa8eSeFZ2W_C4u@}PjFHasL!-`%-yN?$oqPn z6OzdL<YO&v3Q0$#4f4LE$2l1Zg+9{b+{z%R5B2y`?gG9~KG5QjlbY5PV5g?Vu{P*t z4ry`7Nlgsw*0eapBsX(Vi#PJjJ6ar4lDo{?Y8>l=M_$`7Yt!SLj70uM-qPcoj0EaI zHI5BZO;_bWg&MDQ6Z<Rlcnx=6Z;}IgyxK$USL3FPbmZ#3QLM$?A`*EOtHANO?jo;b z=y6^^+JQCRI4>aWAaCe#UO?JGUf1KifV2Z^yzwa4r5)r|J<f|rJFvzZ=S8F)SmTZJ zBGL}>iXJcZwDqzcpUF}8k(c!N3=j398aG!2j|{>i6ZQCXuFUh~1uf342tJ3!q4-p; z(6i(@E$)`4$Zo7l#HVnDc9Ey_IMxJRFV$V-$&m6f?Ic_%DQ_vSC{HR6DqDQV``Y*- zKC0X#Jq$bg)zIrNRce)TWr{KydjN{0-q_K9JT&|fg+_jmZk4Wyd<ISbYp|(*B(gnn zTV!KoedN5zO4!m@V2A&>$goJCNKWKLSjFoRU-*~sm*MxJ`+orz_B*6(sgr3DFSTVh z@scL~5?(A`B&J{yP!^sX9u*!WmWO+ZQ^MWD9mQVZqr+-g4E+@PJaj17E7(2QF?e)P zh3@|+!~#4dzaDx6F$5nA-50vUjA)NY_Gg6}5z!t|>=DntA0pZ#j(w<w*xia_|8?*~ z@#x?Iu_G)B_5>dY-YxtXyfJvC@LKTVU<#22Yl3CL$-z;<fx>gbW5N#kIr&lf0{LF7 zFl>@9k<WtvfVuJvcn~;E?kRVZGv%X%&4Cqxy1<;kw7}_sp`sAT37i;c7trMafm;Gs z2i6Lo%b~!Zf$tEV@NHNlJQdg_913g=oGU7U-r`{YSJ*-D3v3bg`(N}w?%%0>uYC%C 
z1K0a6_pkCN{8j!^|3q!Ae}sPkb`x|xVmJSs?@|9E?H0ssJjb8uZ-Xd?uWP-1*ZO8+ z=ftJHxxTY}7x?b=HENpH7WN#S)Gx4tF%q#23w>GA57J@jp!AINDy$dkuzoQOu?^Qr z=Sthe%f&Cn_YvK2w|JfSg1AH6EDe<;afw(fY!WUNE)+*=%e4jCZ0z_Ls}0fK(e`Oi zYY%B#;V0r}*V+Z3WwAz~UK5TLg?||CvZ=gfRR>j|(9uSf!to5<kRfys-nAQp7E?Hx z@x5CMT^Ty1wa|s3!qx(dmT4cA^#JNop*t%uqP394NT~0GV;F>vRbZB_6v|b>4q^(m zoWMfTn)*1Ql~vYM#0f1Kgt|>IShF))3(Q~^@!zKlw!tj)UqX--h2l$)S<#KfLVz6> zsxHBAk<f7oK8E&Y2ofuJNru2oqD^g<Ah0@@(2W8!iKds(YXo~#E<yb0Kb-<s(?4uT z_R-%RxR?Isz?bQ->{u^m&|eq{Jrw=ff~Nk7{=^^@Pfj#@D4ggIjNL`Apx-kH1rz<w zf~IDPe#;;<O7t5C-b}xC;0^RE2VPIVbl`QA1u~}V=w<YCo28f1&n#$ahUj4%B2@aP ztN>I&^b^KH2Sh(+EObBgBOB87^h1Zents3_lsxo(2BF=d?^)2)>d-?DTua||;2L_+ zfvf2|?4qP<=$i~BGU#j8&!(z`zRJk6PNI8l)S1GF8J41Sc?R9h3PJ%uAG0A{Ngs9C zXXqmiOX<T78>bK14Ya1a9P%vspi^`OeSkqM;M4mZxP<OxwHCFeI~ZEnn%>8L#u7cf z*MW=Zb_Xt`+Z@<Px5|<b6lepzhgDy&kZxhWV$q%6?ZA3^mjmnQoeo?;H#3Mub;``D zX_VGdW>yVYLz!8%xq41-Wo5ByPMKLXEvHrVW`~_enUyfux%5Vdt)$F;87tTo^m@jY z(mC`x2hOI~IxtE%Ik22=Wam>V&}$sBj9%@)S(KRxQ!HK5OBp+u&Y+h#@Jza%H88j} zW%j-li<6Yu`<jcAl-c{5i;<Ms`vRUpnY}OI6w2&<0VmT{tl2?y61|W$JF$W?b6<+p zMas;50VmM&Skd8hJUy2c9a~M$VI-Ch>Ddk(N7D{GokBS;2m&2J$I_$&$IyfWN7J|i zN71t!IFiN~#PT0q>A>N1g#%Be%UKr&wx-J%8kRwqvY)ZAN0%_Ncp_cQNUY@1MGhQ7 z7ut|)qm2w=$&NO#TK$V@y+aP7bq*Xz7dWt(&UfGdTFW3-*k~1lSX!g=EQs~9esrz_ z`_f7W_MsIFV(E;|ao{O*w$%l!mC-08u|`JA9au!m99T$aSx*T0fR<XExx_`MF^H8c zdWH?jDms<HY_OAU2zCmCSiYi@9GFcfGKl3WI)Oo~F43_JVpWNbVGzqGbO0MKUxpng z+O+VugF~Ai=}yRKeB#m!tCsm~OOLf7p1gJp;%k<+We}gSl)VoLKICYavG{_cAqMeL zOOLi8`IEMB;2*TL1AnJSIq)}XzcBH!O6?csSL7Gkf)&8WDK#AU6V)B~Bh?)E163XP zJyjg|9gQ%E4@nwy;5Sre5MPcoz^>%yJ}3G-KGO($Cz>B)<Tq9nA7SKI2Yx_)VYS|u z$nT8A_a0#{Rr6zrus53d5k$UbMGsVvuNc~2LB3>_@VP_S`;5Fv_LI-q?{5?n`*ns7 z8*-SDuVj!<StZE%PN;GS_)e&D2=-2>a!B+9TgJ?N2aim20-QspcY>BfmUn`d!~K&J zw0sxY;{+|=MILv8mhZy%!9I4}UF0#cmqC0?kxv}>24OE$f{!OBVmm&XoQUoCSaKq^ z<0Hw5*p81QCt^E3ikyh;JIKpU#CCiHIT73MBQH7;+u==#JkAabH&Nt82R=+*aNtAa zc?a$y&pGfx@~i_NAWu2)etgxK^B!C|-A0~q;92AeHhSB9<Y`929TQ<MU|5>mN7xG( 
z@Ls}Rz<}GyLr&RkWS0ZCk_Q=tGbO@ayExR{WT(U4MRqvwPQqTiD6pB_>#%o_?GC)1 zuoo|ZpDD73vG68En81LINB0mWFu>I1Hp1Tb1P+wQR#x^Zgq^>~fj1NOo<@P2$lVTm zBe@G+-u+FI_Wx954Txz-D~w<e2DHLy48m|$7|tLJW`$E7c#$y7ft!S(4%{FNv2G_= z#0rBM2}@XEkOP+p0~v(nt5EE~dSQSA>xBLeTp;vg5T>m{Uj|{)D)eCxwyZ*L24Tc1 zoWdZCSA|{<yhA8*V3knlz_~(C2UZFN48kZ?$amnaLf-$>JE8f!n@6B|1e!;nc?6nA zpm_wEN1%BGnn$2{1e!;nc?6nA;D6ExnD+l+c`4C)s}HJ*a!RBk{ABpJP<8Nf`5@@# zzvdBW9)ac&XdZ#)5ojKP<`MW8jzD=dOpa=&;4dS7OmWG?l8HIl-E+I=mNb;sl$X|( zS2Q%tuRo<nk2#eM6^*mHm(^DH7&EE3WNZ(!Y>!!0wX=FG%<qmWJ@9{zXibmo#W_V; zXe4V?X;o!eWo=`9_v-R^L3x;TDPf1H9X-5cd}dL0c2+@N=E8!p<Fkq~2h~>3Z)}Lx zWsWLsD66QfnUgs#x}dSLE?OO}X{h&hrmViMtb0vmeM9#-wF`TUt*f0IEo-RnQCC?% zFRQw=rgV-~tw;TQc95(xgygBKtwM=tRkXA|npGbytt+eO*rA90OaFz@y86o6n!W|y zb55*jtezFE>udHaKCUc6y2QhO)$zj2lKIiH%Gs4=nS&6OXHIQhWwbuCc6R1iv{zeG zT2-|qb9gyU0Yyq@RYfz0*UYZ1t1fN8vHo2rRT%Fv3m0S9U!7CW%#tPb4bf`zG{!~C zYU|4DGe_4pRF*~mT|Mp@?^KE&=lxZW3o^&nRW2+oTk>!2XF<IEO!TwUU-dH|w|PxH z?uLKYK<3BC%rNg~-(U4G?>}?nVzg_^qV@IWQ#!V>Zhmcj^xyV`=EcXJX`WHwug)kp zv$(OL0?%c`lFWu$r|bWj)BJZ`q}=$)({UFS|J51gWR9)H%(^5K6Er)Y^2WM<-xbJN zF)d6w^ku!x7+*U-Cp$AYJEyR?V8+0@+Ii8M8O3Gh-7>=r35H47JFK;fO6%u$udSQY zW6`2TS@YRkp4Cu0KdS+66SJirXv$2p{$YFZfm1PB)&Fp`N(N=+W|l<fm)2P`t~sOG zbDKGK6YBB48QNG=X3oZVSv4&2_U(Vmd&cbKzwm|L+*I=jG><^@2sDpC^9VGLK=TMR zk3jPXG><^@2sDpC^9VGL!2h8mpwRb89ySSu?+VWh{i$6XstENCeiD2nSQ|Vwc!K<a ze4#u|R<UD!OW?e~=)h6_&;1Yiuk<hUPY6APsCnD9{=V6W&vv&|E1f3gNxFCtyT#8% zB>R@|aW`A&B?Ns1^ezOR>O+3RVg7sm@)KkIq#eQ(X6N<HD$2<o8Ewcct6MU^p>|GP z>HG?;kyqE2H&$VRe0FJNRc3v(4C_`^OZq0pnANJ4o`v~Y`MCvHmdUJdz-qd=T+>hy z%`C0+wu4ps*_Cq|*{aUa#AvgAOv%a3&B`q*98yz{c0EVNy1%7K$Sf<Z$($9<Y@Cli zl}F1nYwI%WqVuat%cA9-6Qj(Aij~5mo>{rM`B*qKSMJNqu0(6BGeL#&(uUI9#7MK` zB&9GvH!D9c$Lw<He5_q9L;?PkORG$!Ktn}!y{|jz^dAm<R^l|X<xxs*UT#)iZo&Av zXerLVsuDec)}pK~+EAZaTAx{ob!2n+x+aF3<%cP`g#}spMR_Impkf4TF$i_hIgM55 zKkIgR;?w{N$9pLS+4)&{`PoC*S>aOD)K@lCE{s}dm$?Z2&1~v8E&}>so?T^mG;>xh zezY!trPr|5&8(%!${Hv@%yrg5iD71+N;~CX%`UHyjZS76&Y%vZm!dPJ){3Cnin$_~ 
zSsg8_D1|zwx)@5C$_D6iaAqA7L(NutDLr%0*Mhtf>x5>Nmd$INUw`E08JQSjol;QA zEhx;w0ik#?H7xd-*JU~ta4%I>&#$e6TC0JbrMU#y5Up=OQFE}Y6~e5<VDq2_oeFSa za|^TCaAww_Y;ASs!qTe7X#Jq3TY5>S#2~YLUnMuYD61$hdz7VoLbK+fO6!(bmjUXi zti(XpZa%bL+1a>9t-HkT2<w8o-ONO>Sw2rG$ScY!EX*E^o6a+8tr7#wBJGr%o_Q$J zb08a;;}iW&x)4u8&#az3i~9Am&%wNJo$mBY^fL=h=$wN)y&yk(aBXHyZ9`^svALGd zI@M57SKBzJBJ<So<Hu$~J2nf;w@uGn??hj-fl4J8mpCUUcT{CfWi>9X^}I6unfdgZ z3$N8tsP)VnHnS8Xy#NE)&^OV?tX<MMFE1~vsHo_l9KLw$@XQJ0M%Hsj_h*s-o}})H z5!R`8VozbNJ*ZgBb=|z~Q5~7+ZC0r7l#j6~%Fmq`t*e|3wSYOtKuKUd?53UoJ-6=i ziYTTC^xeEu=9ez1sx2*dH`goC%WN)+i<F(!voL2=V?(2*@jKF(IdfoMz-m2Pe}?vS zer*koQ-5-z$gDd8b@7b!#0_Do2g{;$rmD~`UKd?h%V20NDfkcP4sU_>iJs;$dMJ6h zMYu?L{rZiAf;6+Z9{QSkb2jXdC@>2YD7m?LSv_+K`t^fm2lHYzw6Km6wL>DGl_}_n zM)Gh!G1X>Gv<fThn1V21CnxgQ$>2`K$>fwQsVT$lQ)Ar_mDSPAr8sHK`j~60YUk8< zO5~cw`zow>?#S9XnGI&K`XlwM;p&;lG0TlQE<3*n-7~LmEheBwbJ@PK2I^u=<Y+T$ zHaZ8&sNprH8W@+qD3NVeJpH($+#K`v##xz@igobJ(mAD=Jgp2`v1=Tu+9}b4^^H}{ zG5dC;lsN~Q4dD<4iSA~(=}KV^hOQ{@A0DEy#=H|S{Wr~d$0xGPdWCkqe6xLfHf(Bq zMB-#?QVS?K(53gx&b8hz=1b91$!AuT);DBf*1~L-8Lg|suwwcwufnjHL)=)ya^>u| z`m97Z^N^#IB1{xL^Lm<%MHiPv=bPujYMPq7#+piV;;dRSG11jJdIn}*^X*npQc=4o zb567dPYYh*xOXt2Sx2h3uYXf>(0!X7z#I$J|9tDkbL3F<eG*;Fj-1}PuxEZ&L3ZId zOa*ANA#?Jmk>*rkDHKm~uFvGjL%MKJeTT$JX7vJvRWCAYjYTb-b_EO-qBS^+6B3=x zGQAbN3bP7x3MQGaldLLO3b2U`lTk%&dHv|biPkA9N>Oe$WR4uX>e=IOKC#x6cjVbG zH>HGG(6(hZ)HOmcj;Wxob}=T2y3CT2F`4Djh0u(jnCN64x4)8?1JR){*LB=MW5$)3 zubA4#I;g?MBu=o7tSR}~cwy({6fdl;EXO@<UINTJW9lk#D`&E!TZ8PHOw8+rGW^@K zYoeoh=wXWa%F53#D8ZYw!F=)>@p5GyK6N~X%6eitCyqA@7hCU@{QRD-!nhWV){B?P z3K5N*?43~lD&H?rXtp}3Q%{^zVO{|@nwSxBf8ZSe6`T3SuVD`m_ZmGjk!g)emQqxd zgIg}Ysb7Ehu+J}LnrAd+if5)$x7rdXEu)3{%#%t+jUU@%_^9HsO%HCDk%{B10|b?v z{DQ2!oNVU+Cuf#d)|*rB$>s&E$73|BcCl;dN+u4=tS_spoZrCaXLiu(iS|}=-ISjB zJ+tzA=Kg1!b2Wv-nPP$|o#BD5nbT-KRrW~{B4+>9U^ny4BhWko{0NLnoMKKujhzZ| z3$wEG@}0La<gIGF*KBcWR<vPJGz#JHA4+6y$*v~R!Fs-j9MuzF71>4kCzX_p8`>pv z5?&IR@#jZt%B}gj22+eZvtgcsl+0$?lT8`L{934l&}~lIm{-g>nPp6Aa*_F7GG9w* 
z#%x;goj}@?Lqxk5KL3wbC&H)yW6JfB?;<(jn?gT^HU|#`*T}!f{R7_zj`vUZ-QYVL zG4I-l&x->Phy4zr6Fq>+|40AD8`EQ8X~=A&k~xz~#t$?9WeplLdMGZL*Ye^YTZJr& z&N4rOEuj<UA=dC^&1uAEDU1+vdgNzKiq4u*+;n+oI1=iN@vLx<?A$C)sF;DPF=H?m z0BV<*67h^C!MCYOUY1#V#?Z>D=!_wFli^z#W?VB)HDxYbzZnpla3K2&dWOrwuX{y9 zb=9!+=n!ey(y~vPH)zt3g8U-y$(AjOcCW5%sEb-=Fy@C^kMihjd{UV=Pkj&6uv&_X z=}}?Q!?vRIS!S4-Fu2LIEN&pgWSe#}5P6TB^{C2vyiuAy+j@A9+%(LrogV**Hio4~ zawn8qknL^uKR6-Ou!m*@*HX{CUjN0GP=gIkFnwB>bQ;90fVvHW{M0a`z9Nd%lEJlQ z^YCCgW0Gn8mRVx{_IC#}tFc;;b))s&n}(;X>8Bp7#io0U9nEUdKCR*0Y2_B>|J{-P z`4vYEc3S<@ryhA|5<`wWG{Xmv9-oz+<88I6yKYmef5AhOm&J@&8<zaT2PB6*AmeKB zfDCTBaqYnv#t%kePj9#Xqr0WBr`3|ukIee-o#NW1hoY~BbrT&mX6&Frg-%yHj_y$$ zFGvr;Jyy%^u}SWGY*1ZoeSKC5=5)(!8M8&^P*}7@u>dp{AMu!2%(uY*|2wbgI5SN1 zXlqtt$C=S|oEhHxF<zV=jE*m39WQfte7L=gm^m1x*7y<|Gt2xS#!1YM)<tW|qW{|N zJ4c(rjy8iG4X0us?Vp~+nDn5gM<IITQ79QwQj(Qj;9MxjT>Zc8QRs=;6(1nAHUIEQ zD6pOc=cQm>t{LWS;k{h;qcM<sH1Z1m&g%X@cr;Lh%@c*`VqD<`><UkDU*Qramz0=G zxAr~r-*a!W1L17T|L$!6>2+<H9)PZoVqGtAcO5TtOxtzl_w~PW`Zi?*yV-v>hxg~M zO<~@D_1d5YyEdcK{hDsv|Bt;dfv>7K-@bFUd+vTuAS|+7L6jhY><g<Qgb)n`vVbTO z0|W>J0!aXI4>30@R;#UAZQWa2wQ994b*WmlYHeMr)vB#ptF2pWt^4{tbI#1YcjhKw zDCqZnKl1<m`hR^m^UlmW%X#mad7pQ6Y~mJGFE}neBT4H4o4C2@^k+H!7-hSmarY)m zn6q<tvLD#B;^S4T*Vk{VWAk>FU>kg(l9%6J<}FG%wmGt6CI-LW8T^HbgD=z`VeT8f z%iZKePwa=?RH%a6gLa!$k-U+*J7%D{>}GbF&|K$41HPqwqGA8j|Kwzdm!^}OGN)sD zd{)IhgObY11>dA+P#{d668bSR<`_@Qa2x}^9XkJ7jBmJX8WjrDD61f87vIY?LJ3<F zyn^}z>lr}%=#GL|b8Y7UACcGxS?V2>cI3zYnY#J-2+04LzmxXXn|x<cly>Ban(~r< z9qmn1UbeHm7IfssC&{wJt!L3U`I{@p-g>AP<opunYi(MF^V5n?kY)9C8*9tquh&*= z!%s1OD#&I_j$oDSjF@xwHSLQMOjEX`X|V2jc824gmv&?cn({ISJ5nfNw~5C8-%0vh zcK*NLhHeR69y&X8N@#tkCNwuREi^jh34R!SHTXpE?%>aY7X;4=ZVj#s9uv$DP6&nr zUm*M6GlBa8*9R^NL<22>6Y;Hodf<q_P-F)9m;VL-!^j74h5u~-$^Ny-12Ee^*+0y$ z`2OX4-uIC27rr0)dVJe`t9*-m(|w2gQoLV!-}L?o?EOFY{=ggcHhWikkM`yv?_bdK zspoaiQ=WS~Kl6OwvkScZ$9d*^vOHrwUS$3IoB0RxSLTn+@0zEBkAJB-*PLn|VjAxE zz_I_R`&RcA?z7z|yVts_+()^mxJS4(<6YxL<6+|#<1%FYJIPpMEH-8ulZ>H;OMhE` 
zPJckZQNKj*(p$lxU#=JEhv{MMb7cB^TDw=fPP<S$OWOjT`~_N$7D1lBkHM1vgnE~H zje5R%rrM|;tIkt1)X}P`ypJq@k14k+S1IQxrz-1}YUL<piZVjc$h+i4@-VrDTn4iX ze^%G2+BiiiZ`iyMAN#ADTz^vDwz^J{v8S!BlV$8Jt81r(sk+s5l7NvPs+!fcL&6m3 z+b&_MYISXsFxLlGSF3=zo~G?<kum6NmNB$%tAweF)wM;${z&yT$r$u)mNDqtBw<uv zql77MT3s7O>?vBu1{p&g4Kjv0)=QX5tgdwurrd6Itrf8+X&v=4hC0^B80uIpVYH4_ z0tWK`cdf2E0dqZ}d|`E+C}FD0>Z%p7$7x$u${5;mf{dXpD`e~|tLu0XyF>ZX>N-xw z(3a&g_K4MWtccyKd~S6u6EJd#@~G9dRL1^eb=63i>kX@`TEJY7(Xv%C_L<dHDPx~n zT}wplVdcM8*J2s_#OkULF!BTX+#(tK*y>s+V;@;v<r3z4)#^G%z+4YeeMid})>fH} zy=QeT5U~eo*-{z9bMr;)0s35tjD2Wz&6Ba4tgd1a`wcBSSH{r3A{l$%>N-lm$VIg5 z92rCVW=ojsFILwq0dw6%$8x5OVIIs7u^Z`g(?#qCiWQ33&nZ?QV^~M|B6hv<Z>uX$ zz{rKPY_5#`%j(LJFysg7%GSn__?~@+@<zA|Iba3o9jhx-DCznYtsz6iZl)`Bnv7wk zPL(mN)N~np)9RWcV%I2twYrX!G1NO*#$LC&(qs%Xcan(xgz7s&#-Q(T8N*7QC}Yrf zn224a{L|{1AYxZ4|FF8oi`W$uJ5<2P1<K1-S46^G_gY=!MC|*t&0}Q@Z5|_Iu)$~v zbKPxqjS{i*l-I1TLj=rq8LeZajG>MZG6owA7cg=@EjvucP&QS@{%&;*l`-fWB4IA< zx+wzY`l0eStIHBF@?GT>t1B#G=Te)7B+T`o)fE&l*VW2PR#!m4$T_qhei=hQd@_cW z@0GC^EhM!_^nA!Ut}CrBQ@~t()KhWG*dMJfL&l!6x^xlirDZi4d*13&MXZNDr^p!U zATsuX)#VbgZj|jjL&l!BI!_m|F8bVQGWJKSQ}X`0ls{RWlK0n1%Szr~r}Ag3Q}X_z z^f}S{b48WstWMGU1NN-dDSCgd4qA4b*uD-0?UTH}4%$A+`#X!4mAt>RlxM6?$@^=k z&q>~2JFP?V{@RtN!kzH`61LNI%A?^<IDZ0kceoS2Ujnq2J_XlLfSwF@!t)cLhr*q3 z{1Tvg<*sli{5}DCFx&~ZPk<f>cf#uvpeMqe^%C^Ea3_4egs0Xh*M>Xc@(Ix6;ZAsb z0`v!~Q*!vuRDN%DiVhz+OS#YL6dgWb_gbBz!w2jRt5bCN$XUpY+6jj*q1si-W8qHt zdjfQ^)hW7rq#ZA>PSM>1c3ZfUx_cz{^M$lGhdbfzC1^X58W+x<0NokxtdXFH!<}&T zgs1KZcf!*XAdDRxy#%P1s)wH^Ku`}iPk`<Tcf!jPAPf|oyaZ?^oj~yM1n7})CtSP) z=mc6LJUjtHjd1V;2pxidCqTaqcf!3BAan@cT>`XSIVao+=Pm(SL2E3LAk0s=cEVGb zpYZGi=r`d`ICcVbzr+6*a)qV@PY&D|aQPSbF7&?Wo#JUV?=?fh&(nkdanJ$>EpX5R z2Q6^W0tYSd|EC4o(%W+46i{15zP#dv>6uxHL~;=vnb>E#Ne52f1WlgZoVJX%Y&4j0 z%JtLWOq*>fokm{ZLO8ywS2e9|-BH*4?QqJ`HfOfwv}K{q70%&vKW)y4H4=@dx3hV` z0=<>@t=T%GZAx2ad~!%+inM3{7x9D9=Cl>GWuU#w9Xm_yU0j}?#W}fRSM=x&S<dLU z7<c2p9b?m`!Pe8z_Bs8|5fFD}7ep$y)H|_*EwM`~-^$#uTZ1`0742QpudS<!(zCg( 
z=iydbW78IT=QUE^u(m!@ymNKqx3d^&vtZ}+f$dzBo|PG4Ev8pF5d~{U`+Pfgrmbn4 z-!=v9ZRvkr;E9Y#F=B6;XiVf9-gMj8h~Ftj%p6X_8*S24Cmirw>q$o2)V3qhlahgE z4EPfp8`=AX1|MM$bRwC)wI;VMZkwDyVkvFhm`$1a+~SG%eiJv9#5iL+x^rHAOT)Tv zhmqB8Z~$r5C%U>^p(BH@1TP4@g~-}*{%8ER`98-9{d(V6?^B*Xc*dE}n7uer|FOHv zc+^POU)3+tD|B7^hx(~{f;vaJKv}4$<W8~`sX)8-%`qzLXvK|&RC_XP!Y!6eTqjQ& z=sn+ErbV3FCnGyra9fI9SD%r1TZ&$jqB~D)$7hU||NFHmra6AG&(WN8f2y>jS-859 znK{^N$tYoWv!r7yG&z@s8>q<!t;o?++Ob7!QC94J(bv4-l9|P?)i(*6ata4~!38DQ zRhi9#COZrt3n_sYdM{UzP{P)vb-GsW+m!q|rABpZij9GNH!F6N%)YoivZHZ;iCEOy zim>@e)wbrfV1S4eAx3d$OGC^4xLjy!u4S5Qx#pya*yicjh{p97xlp~{CVyCn3v)Ei zWIr^@(OAnhCN;)A%yr_|vG=|{Gpb{QI8L$6#koS)Ak4O`yx1^)%@u$WY~HRHG-c-w zHn0RGn5K1trrgX}lfP!0P=aY%D`+an8f=?T!q(I_vIC^;(;A#t_Nad1fC^X~5c`eg z1UVtB2*F8=qoZ~{VrIdz(eiadf(E0mtYZzjDZD`jy&+~~Ia{KCzN>j(r`o=i8`ZHI ztxt#miCyBP6SS;jmDsn;jKS`#nJD56VrmCC&8M-e&%^r}#5`vZmu_oB<UNf(wuccn zBM~50zXo*5oJ->C4B^*TR@!l*Fi#PvKS&P%CD@Fw6*T4K4^|UOIL11%V<k4p{_cs# z%>$>824*5`WoH6^#eUc|<5kc|K~_a#_=n@#!~?)~xjMk$&0`(yI7fQ-mc=?IO_>9B z<$oVy9dptvL1<9Fqqd@PO|3&IV^6!9&CNVYXN?^R*|L|g$FhzU;#$cVbd*3Qim-`v zyfBgS3kSP(q6E`)oS+HJD}$WeD8V!>mo&w;im&-%$j;-vJ66z?pPMv8_Tprrgxx0W zd0Y2w-`mGhqdJzM=?U9qY+Ri8`BI@{1v!I#ccKI{c8#DZyKu0+F-q8)&giJdMpEd! 
zIuA|!O;WUq25lGD(f^^rp8s3)231x|l_mLDZIe2xVw=OR;jv5kb8D)~(+@jLo{k4< zb3lTYxs-K;GV_CkreSsLQhsGg(Y%Ev%<h$f-9gwRw{LG#GoSw^St4ixUD+Ttp@iM0 zwj~{l<MwNa+0TimN?JMx%6?!v={J688kp5sw359;?k(oA#qN|>d&~8ua*+%7)E{*J zPWhGcf|{bbmCu#`xPPf`P;1p{+-tv1y<Gji`keYN_xai(T1eBh4DHw2E#7KxnRm7~ z+dIiS#+%}Gdp`I42RHR!@I2vp(DN(L4W6q!7kSS1w0lnSZ1Sw~Ec29miadFqBRvsM zD(>!oWxj8|;r^L>y?dtlSM!hN!{*)QFU+5qmzd|8QS%gYi&<|TXI7Z=%tGAhpJ0wK z1E%8sDD<ZGvi6MjsQYdArS22lnab;Gwz^F_PwUc7b9Zaa+B$88``*yj&|39=ZGPzZ z(Be>uI$Qf`XgcB<4hxM81w(4^<KR2NzXhKSJ{G($cx&+5;AO$@1$%;L1Y3g*h;OJ0 zE(p#FW(AK3jt*KuBk)<^-N0*s=L3%i9thkK_<7*Uz=eU`fn9+efyO{xU@6G7jsiQ- z<iI#YK6w0J`v2?yr~fbhr~JS5-{rpvTnT0BB;^U^25pJ<Blj!r)7>rZO8<}j7yHlg zcOW*R$-l<G+`q_Q>@V=A`^Wo-`~806`_T86?`7XJzDIq(_TA$9sWwslM157gP3=|3 zC>MpU34J$oYUmzqM(8E?pWLPH!x2q!p0CSyny=Zn&bPw1#5dnJ!<XTk=sUz0@@d{r zy#MmP>V3}pd&F1V=Dp5)x%d0tUhkRSZQc#uT0}&=W;|~^ZaiSzVf@^<(zsB$%Ghn} zGIkh^MxC+LI7SQ6nPD7d<QkKWafp@h=wIsp)&HsgMSn{Ft$vq&lm27<V*MPwLqAz> z(%0zA^+kHIUVwR1t2`L`K)Xdx*T?I_b-zxu54E>2o2o-Mv%O#Wk84=+Yrv~1ibBHb zbLK)@bbX+_u086YLG>APfrEZX4k6|20rh@!EPvn+W&wLZ9i#ouK}|A+tm5bw=9OH0 zz&w<TH@QFN;#lo5TSOb~Hd7oisNQO-j%ccB+NX}_Q*Uv9$sf4c{kbi=J|?5dB1im4 z9jE=CiDVRUIz&u$vi2E!RvoQ9Zi}exdiNU+`U%h{nMlTv3jS<F`vZUWr|y>=(W_qL z{;MMf)gQZGaGw1{Jyd&wKYOM78IC?;PUYwo?ms%{r|Nj^DJ~AzI7-Hn#r)ax+&4Q9 zd`8BRB^-U<#EnimSYGwNW~U<t)%VP(BYM=|m=P{!XpVJ=hoqC$4r;28n$x&AP5Xq4 zQ#EHSNKkW`KXp)_M$Bt%(e;@+L3^5u!!@UG#I1g6UgSLMR-ZR(xcHP=66#cDB+s*h z$UzJ2)dJ2e3Tu-+2AfdYBoEsNREP?H;BeDf(U`Ln%n$jq5%a%}sA>`OJx2^`qs`a3 zILds@5lwBl`JyelKGBAm&N3!$ZHW0N=K&QWTgD%1mdQ2(j}|uB2J?XyGTD9?*1YDg zc@?U8qa(UC#k_%u>Mu>!bhr9*_rEwgS^J2KX&Uc^I!XJ0qXF%GCMxe}tZ!~|Bsr0x zuBS+yBN}SD_AVDEYpnAIHqZYs6dL}`L^7GIWFj=wI-;&>8f%%3XWwF|^0f927w^{I zW+F)=E0_okCpe-;CXwSEQAOu}&P41K7jp4=vzm)fne({#kU5EqzcdLKf9_@#tJuKV zxT)yS-}wWRv{$(p(Ei3mH2oDOk|W4+CZdtYIijLGrM=8VayU8G5s7-Z#wGzF;|Xh| zOC71PecweUl4bU@uCLTo&3Og5zJjv9Fq9ldmOA2>>Jb{7Twjt2#Mv8NU#PE{8=MEe zP%m;j69(u+?KzGP*Z$1KRPA{tl0!+ABYv(Pra9Bo^*P$`EJI0zRN5j*QS)>*A5zp@ 
zoz0RIHCtyRl%h`7>-n=I^o?9h)z@<|Mc>55kiMCTB%f^MVkT*JL`yBv7jki)?sx~p zQfKST)RsC+XZE$!nYv>>JTOCNuM10^t}|0xYN5`0VW|Z=d+AwfzRuo?7W(GAnV}(9 zU&JfU){o)hWZf|o9vGpsk+;-T-5D03DLR{;mKxI8{Iy6PX<`~kCfVYMVYOJF!Ns}y zbS}=;9e)V!!z_J1M`!9KT%4g7b8)&pmy3n^QCuw0=WsD!pUuTQeHIsU^_g6ptQT={ zgkH+URGlrHFgjGm(U5*L6G<*%;}*im=Q(Id)$~FpD(~s}TzpzDU?RyOja<wmY!U?3 zBK>d&4XQ`!6S+8B&*tJRJ(G(w^$ae~(5G^7x}MI(Lj6cC7U+|?n6IaCF;8bZK@ekn z1V^*=!?-wEpTflvdKMQ`^=Vv8(Q~*M(sP+evWc_wNDyPprhP!2qYrT&2w>74%Eejw zI4;iA$8vFoKAMZu^-)|b)JJl$Kp(-ye0?|<^Ymd{%+*u5n4=HnVz!>b#mV|1TpXcC zxR|Ps;bMwDo{J%U0uxCVVT(6_zBM?g9~}yDah4w7;!NGo#TmMni_>)v7YlVa7YlUu z682*i>Kx6}H7@4r?A7d7b99BH*}991lXa7eBlI8_Q*|E~Q}i$wL%PL8Oi#i@bZ8wH zGss#;^r>0eS4>pi)xKmRnMT;w=2bJbFC5fMrjj*|7*_vfo*w$4%g4MBj=p5B#7`s{ zebGEN^hgr=Z}ZI12YdPz^@(}Dqt~rIWTv4eu9x2bA8(Fug{}{Eh1P^3!PkQq28#oC z2TlQ1@L~SP{TKSn{3*UKeOLRceNzyje~0%RZ@o9mYkA)FJmWdlGsXO^d4pML=0nNB zzk?PyXn}(kIB0=`7C2~u|EDc5x*e$!0!V_g2;9X@%}CxL@QjUUM}~wzATuy~Hh-Xn z(c>Q1o?%lMPqeA<3ktGr?qY{$zJ+GjK^~qKkf$R-bITN@w@J>KW2dsP)q$5B4EuGf zL3K<ii&wX#wj)bIAaEq=6%IjGwNJGx%|+^fg7ln>>=K&p9v7?X;{5uQ36o}fXhQym z9S)x|h>~%=$;mncdS>a_^$pE5{YEnqb4)6(TAa49J>9Ov7s$y4mwRr3-7}iPg=(R> zE$k}no`H`!vZ}dhM@xOPL(0th!}0(`nl>ZfLHiV2-<Uu?4s|jMvZ|1`2)PT80;d)E z305Hs5LL6fscB<Feflb#>8+7#K|-D_;LmKp*&!7{2HJr88Y9|~c!7=%r=#X=E1NgA zeKIAio`wVuImj1~&p0J*I%zwH&e(Q4SHiSF4pM65XJ_&U8gW;9HNC2x(Qao$sKNut zbdXy>8{M*PEpms@R6)4Z+S-u5x(?}dU=ti?(mW=U+U?{B#R>V1;z<v1ZGz^tLEk9< z@Zs%;)21)P0E6vz8@;(4C$FYiTtF8}!Ir7*cH)DI0PgG{`4UT*(}<)h$eGguUQZ|K z#w0wB)ESLC)8@1vMti<|Vpd)Tu1RM&2{tJ4J?`DvmqKY43LL-It)`@^$O!^eNDMTw z-A;HgOUSigr+5%kEi7suZ;xvLsTQ)4bSIaknE~Pd>PDL92B|#OQ*!V|nBA$AP8<w% zLIMaUKU52{wzSkQZFg9~F;Q}|)3dVkmokR$`f2rSp4%nuObbXvz%yCcU@R35rblDr zHk%L@^9#2RThgrd2(?KnjEHPMS^1O^Jg0pe#f}dkqg8q~ZM-uKG)WKg$uzV^HrDT) zhUtuqP)LBl)3ubhJDCZP=pZjEJuf#_&KW+MJp%a{;(2I}h~T8!J_WY(AMk`8YgtzG zoc1wJEAk7F4=FpRxUs&jnf8F@pQl<H8)!bIvS}4|ZXZ4?D%(fXVy7X$5YlTD6kq`$ zN&@%Y6S%0I<Q8a50v)@PYG*An(A3l2PR#lfZXZRJ4nh78EQ!3_W2>r)+7F@7Htcao 
ztCXL~NN^*?Xy3-j1{jx4f1b+d*!1~Sb9#lH`NU3Dg8gJp`$(!|Yakz4%P^>PAz^!{ zvuU_7E$N(0pVxpXKvQI4f?%pdXj&p%p0lS#OPkU@!k%f{0^pdVnN8@G`5pG=5=$Dw zZp}N1g;s5AXhiZUn)8NUOK(Q14#+cTCL&z3p($-(E;=RS8v?fAddw9lwMP(@JJ;}S z1vD>CW&3cu5vhR!<cva|7u;fi5uC>`R^Wf7b+smJr;QD(kfaJk*EER+O#nr^i|jad z(yTR2P0cOGv=6hDx&yiS`RQ1)d_#{V`*PZ48--{2!0KP$WM@i2st%g3Y*PKYNL6K7 zT7G*fHFep<yew?oS=oF}_rJ9yUeYgW2QeHSXykNB&(6-N*+MVD37v`0X-sLDH=Rys z3WB!XHua(HL#Ph=Zo=v<$dBLUid%VndkTFfpFNY8@JxJ-EpE5yLpzVi%*_FfV&(!n z`%L0Irukx!_oi{1ohD%0<{elh*jf3i!nT1dX^D%$tG(>XbKU7OC%Ip8U*q2FPB%U? z?lZzTFZTq05FCeyfa?NV0vWzjd?h~9`>5x3Pt;T9@tAj*>-2l{-T3Z!j{g+@QTRe| zZ?HD>Q1HpnS)mH8UYnx6t^QPPQnQp#mES1!$_VmTayh9dV^CS*|Lwb%ROd-+3kAjm z0z?c`EGtSch&Z(2v4mE10#b(oONu9Dn6$ZRb2>Pzks-k$rp0!Q3`NZ?Y5abOuhdLC zq5lf<5lfSpUl13YkzY`%g6j#+FcId`Z$tB>B9Zy^^=oM6I9@g|(?oD%zh!eHMK#q6 zN)}a@6&F=kR7MsSEh;K4SqOj^_7<9HMg14fiCGBSV?6f&FX<^a)7JH0GMmP@P-f)4 znwTpyPryjI``3neQahX99!F}AqvXyr(`NLqoJOnK+Tp?BP0)nQ2J3jEjC@v1Nt!*G znUTtp^aSIURV?Dg$nyga2(lp*t*OHvk93COWaFjvfd^zS!IRot6Tx+u2U2qp=U6Dc z-r}Pfp)riSZr5FN%(P?rS5d&D^NRW1UWEBl_V}jeow4$F7MN+X`Y)d!DX&Lru*iJ& z_O|z#SixTvn`u@37sMQPepev6%TCFK_necjtr)q)*2UriU3UyH%0<Np<18vJuBcg5 z-OmbGYHW3_-}f!%>zABorq%S*#iAMv5A(w5D;#c65%y*{E^)_?+legAFw@feS5gqE zrtfS#x@k)+D3#PKG1Hp*FObjbsjOe!gkLe0^=pu0i?)F7gq8I)A7!MJW>&LbfxHQ> zb5F!l4N#TRrV2Y}=0p~kR4y#5t}dAelULJK5m{DNy`Z9|I#M=|Zbb9xRs=kP?Wq6t zQ{yGB#b4j7dw&uuYEFM9KzkA23yyx;oNC(cMRwD8SIOI%X4<p?N+Rg9WNBG(Nu<1@ z_?TFUw~jK?77kDXVV4z)ifbw>VTM?>fT}Ai%3})tJizj&#*HklC@(8s9w}NhFS59@ zqPS#UO(j~-h@PwS%!$t0OT0Ns6VX+1&$*wwqiSe@IkC=ev0RL%ld%({mEetNZ;yM* z7NMrhHo=rnx1U5sUzaCexp&}+O5cEVLBu91y#zib77#ThVZtWt-mY^h%(RXDjYUm* zE_68#GW9MU?f9`r6E)JMh+KFr5gvrX?d$r^0GlHga86tY79g^#A|SuGZc8103dJ|a zvj=!BpnNvnpY0!*vDNQ%Hnxz5V=89S&d7_d2Af+6-G{-nV0VDGch~~vnn<q$RF|0t z--Kobk=~kuA-EpbZr`o0@9ce*ePd4yu$+r&1bM=q87Vo5X6}u@AV^>qbCmkA2;LBh zbF80zuMfj#yJ-EC&J;^mBCRaeOjG>D+M8>p<@Y}q;Swx@n~6lvXn?TQlIrQqIqRp& zJrgOodi-~}yv~pe&}*A#VsFeBuA7TYuu$~tRG{IUC}R&C6s}(k(22dXLAY)jU^m53 
z7h<T{_Ecqmg`q2mr*Gs_mjr{yx>~=niODL$Hev6B@=7hH@A*o+G%9MU@YX2BOJ`9< z{DsIHtq$;00B->JV9TqjOBP0Is!IATtITF~dqj^FW%DC7i>hjhi}AvkUsKNNFT#s@ z;o|DpJ0#mo%k6KIDNfIel$R7$RiguCOUuejN=tZikAur+zg?5Nn~S&H;-X6Sx}P7J zS5sXUe_t&RmD-t-_b@&7%p~KwWnhOdn>u``D^jv(enn-m@RR4*0o-~zA#);Ch_%Ph z;h2{j+ksuTVj-3FZ=Ec>0ECa<_yL43uGCZIc3OtnVbU3r!)z?AY1ED%T$}LDXk~A< z`dC@l?E|ku`_&Q8qK5boy64&N6QnQawYzQ`XxBui@pFyl-!5{zzlHebmG~O{B|ZNi z<9gE-xDEH!yKvk5OkbXNxi{olX+CbYn}zOwyRURFL)8E2`YZYc+V8b_i1|NWwUkE` zot#c`Q1t(iztX5B1cKxaIxGw&oZysbSkRP>+_%h6`??WWIV_|^jfM~vG|Pz!nwaQY z?ajA~)fCSUx2M!`P#32raO#PN4YnN>4aOr|;$eejixw}%*G;)|2Q0EBKfR1**RJKC zw~^~AmOe3G2yUU>iKWiA2c;w$z@Wt05C%<Rz&Q+}eqnHPvIiSQj1o?~(5R>nfwmi+ z!5xznXq%bAlP1yxo=D=>PyVWjSq1c){KTxnJ;&N+W=ty@q`uOqSL$d|2-99dtdK6* z>8Kv{U=}m3q9YP#F@D0}=g=O0q6~5xQ+<1w$Md6Rd>&WDBD9=&oc({rJQfqr&=Z>4 zrS;9LYOC?f9t(K$I=02Qg~7=ibgD~~a0X{&)WG2MM}|VbcE;(hVj1T5Llh#_jNEGt z+v`^E#Q*2H>yttf%c45EnGmy&D0O+1_A&`GQN-z}C#s>N{qb3VWCy0jM=6#F*PfyO zQ<$Zsv7e5qV#hKDO}YR&8z*$QEUHMl22CoFnZa2lqC}imICdJ`t1B;?g&{}r6C@$K zY<^BG1UI&(_srLW686BAb(|shFKManZ4zWKwwE?v$LW{^j8rN;aVuKd(A>HW-}o2T zwK|8>|NAUpDr>pQq-oHW-f<e5v(9-1R3tX1+CC0jY~L<8x^8=&lb}7}Q~Z8dhISoj z9d0nx#_QM<fk0`;sluohW({^IP{LV`%R5eq@5MV~d$FB%IeC>IFrQ-ZR0If6w$m=- z7!)iztJWYXUjrPGx{dWscu(7%EA2R0FjMxRw`Y`Knsy4BGV=#(aFlQiKE30lxWQ+{ z4PH)D_9iXP17+~c%yb-r;|qzCkTd4L6$<{FeNN7f$(bE?2zJQM8LZod5{@0}I=08` z(C&%b!Or)cwA~#jJM2roZ^y^2wVi@0`#7Ywn%-uiU+ZIDkKM_$N;<ZolPB04OV`L) zCml~Gb4G+B>CS&;vHvQzCqfbv!T~eDp1gT6KO^$+HX{2k<(8peE}g`+AX{v}SsHVQ zW<>Z~<y&d5n5vY11^#v$JJ2c<?K-bwp>u6)V7t=a|6y~eD|BgScJMF3Q-h-dzX~k( zf9$`&_eY=GJJ)lb`4{t4JaF*upal+E;GhK#THv4s4qD*<YYWux3d6S?$-Y|_RV}Sr znmILhY7))Zx`x*E+g44*RmW-e$IWT<(P^t1n^sNRo-;LLYSuLTFK#GL%Qy+Ysg`D@ zCtj?ax@pbIUHJH&I?Aah;M9{nHT!?6C@T{cWvAnsEGlTr+J*1hIIzRtm^O(3{_CDI za=&x+H<Hr;ho5an?h2sQ>~m^ztM_~m{!KSGyRB%KAI)W-xuxcU8y;7eDvK6XEi7}c z;?Up!&SjyZ^0I2@zDwDn>XOn*{8!SqsBgmNw2f^GcHvun+74%?$jsijo|6}`e~E2s zaDqH=lOy(3o8GA6NdrLZ>jZAJd|O?~%xgPpmlu6uEUnUj;Bsssn%+FP8=T+hq@qn+ 
zxeF%>{cH_Mzg`Ei2MJrl%3buNK;C<@rY3!T+4l<E{Z{b5?4nW+@Lj*39wePb?t2gP zek({iCffH3@WDQ*2RT#s;~=a3R<Iw(K<TG~%>CH|(r*R(ZIJ0TqA})oU7=rx&J4Z> zF1#NFPYLD+-U~bzxF|5ie~-VxKgsu;??m4eU#j;b@4enmZ>4vt=f9o{!RI&Ld>us( z{vEWyK?@wTz(ETfw7@|N9JIjyXn`udZTKh!nFTjaqoM6Aj&kcZ`*vGoQY@UAUFJxm zm;CFtH#Mw5Fy#iEBH2MMPJDBIc2;^pel|&+p*28d!={GTX*9?m0sAM{M?jR_d;|i2 zox7dTB1B2%=j5d$EZ^0aqaDx6Mp|ew`g3pdwoR*WcLu)#w{2-`LX0~?ED`P5l9QL6 zUXYdH`syfc+bCqhMuidD@|}?e=kjN1bKREpOUkFw7~e=^-A*V$ST$m5ZR&t|O;uTW z1?d?D1ue(vZAWkoo0`@%#Ny*nCu=c{nZ+$oJBGGp3$CQnXBrU$8|&g4Jc^^LmT9!B zExB1a>3JF1wbNk?*0y-x>(*>)*gP#BYAPBdGdBz2;kn08&}Q(W_RTIkz?@MU<l4qA zXmad@SY|t{ziA!qal`5eI)MmD#C9S52UrYNBLzs~&J0987i4CT#Rb}G7#W2UVzTYP zZiIzJ(6WY2xVeG*QSA43OKwg^dTw4GY0J~<(4wzZkY3nj<(7@n(nl%wWy8pJ7E9l> zIRjs*vNH-?=M2-v(SK#L$%*>TAtW0!fjB`3_T+H_)u^>;K!B486OG<nzoV`(6QR&K zIR&Te(A&^Jp%6F}>YC{=t)fg6D2!lXWTuRVXJNGH)IxV#nvfUB=0%tiu_qq=C(J3z z9ucWqi#zg>rY)^VZb<{EThNNB83>op&dT3Vp|^$52gJ$SbP4fb`$kH+9%-ag6LWtZ zt~S8JxO#{ltZl$Njz#5zabsgk9wOcg^736>M`<lkw{9~IKIs=e#CO-9gh8}do1=1V zbJL~>;>nx0*%8<*N<1IY+hCG#eNe5pjf`mk%L0smikb22?d7u>G4imfs0V8mkvnlt zgUb2y(sJ-aI5#uf_0cB1?U+3%jcJX=)eofIVTrJxw`0)}Q4VgBb&<;X2p-SLO3%p6 zbA8gNx0UUe+Gtw4#^lP%X=T~@SpRvhk7sLJF>jo4*@*=MmI^zt)ZRJh9@MgJ6`i1T zI?x@EaU*19p?pqm!$@u7C}lxw>lV(z;jncSk`v}>r{G@(7dgI-&O?MdvAA>BkBhaP zgH|HyAm@(P@}UD4Af4@iMximj5O4^jXXoU*?jEikI!Y<shUp2Smim?gtor=ieAitw zw2h+(3*)H=(MQw9ZCj`oP*SuwbS?>uB$(P@f!K-rA?bNJ898l!eU~qxG&Yx3+zkZr zN=pm4AJ!x*aCWN*Zerjr(3D6E-XE=W+iq}zC*yPqYaB8IY{DR6z@RkO)AdSMxLnE9 zyezz$vUBrhYfb2(6Nrg-O9Yz-I+DO7!<M<Y%OF1qh!!%)N%nhYzRh&AZF7T7+yFim zP%bn(j23uX(ybqDXl~lJZav*_9A1-*yi738<ZY$r|Gy#~uF%_|=RyyJZVX)l9>CVn ziJ|gP0od}b;FrO-g3kpX4E`c`X|OMNQm{T)8JrWG5*!)S1OEy9CGbe#mx0T{hQBjV zA6OEY6-Wb{2=Tw;|Fi!=|4sfM`n&zx{B{0?{zCsmzvcVF_Xara@AF;nyU5q!+v+>P zSLVz09qJ2!q5d`Rlis_%KlOgk+veSb7=#jUCh`h+JRf*o@%-L%hv#a~xt`NJ4W1fL zktf|V(xaRI!QF&M%wL+9o4d`O$QH1~L==aaY7+N5?mxR9bl>Fup}X6?&0XhS=q_|m zbX&$3#v8^n;5WG5xX9=*wi+iGW#F_w)ClOG=&$Kd>UZlu)xW2=>6^e{U!rH~V|0)9 
zf%b~_d+iSGYVBO@G_66a(TcQmZKS5F|55*<KBE2-Ecd(Booc<hM4hFksi`Va-ckOn zJgD5H{7~suwkdVUk65ToR4noZd4oJd?jzTei(qvAXZ7T1;}ke3n>S(yu5KbANVR%$ zMJ%X>tezYhOR;*gWo)+9lO<y#te#96n`QN6$k<G)XPS(qT0K)`Y=+g7E@RWJo+&am z+3Gn`#tN;T$ud@8^`yyIzST2H#`3J5BV;Vs>N#A-imaZAGIo^JbC`_5&J#o|K<zwU z#$e||Wej$X$QbNAPR3y8u`&ibkC8Fhd9;kd&ZA@uc0NSLVCRuC20M?CG1z&yjKR+E zcoOGdK!u%CWej#6Dq}fT&kz}#WA&uS80>6`n4j7?EMu^9NXB62pp3!J0U3jx{W1nS z`(zAu_R1LS?2$3p*_1KZ*)3zRvms-!vo2$>vnFG(vnpe-vm#@#Gm$XmJ*&qhVc0ji z&k!-t(puf8OPKPm)qR?Xft}XsK2^j#YKGN)iija?h1GqsjHOxKJ7sK|)qRqTO|`mr zh?tw|+b(0!w@t<-S>3HN7O=WoBush7>TVV>gVwQC#!$x=8B4din<R|t+bm+>q_?^^ zNtp7q)!is#cU#>XWeoZ@h}h+{eGM{(_N|w(DOUG789UPIUMpb)wyGB~u+>}LYh(;{ ztd=p9T_s}ytGiCZs9jDJF_73>-L)bHvU;m~rGQbYdaL^c38Q6Kh!_~_t?uImjDQl~ z>OM}uz*Y}^%Vli1)qSjtO|-g~i5MvBt?s2Vc9_*&BVwPa&{r*E6Rhqk5&M)rS1DuT zt?nfvhU_j@_hK14)atGfv5)C<i)1WfbuSb#B$=_g%SG%%b*$BWjEs%3x{nqy<kqpe z%S7ybTJHiG8)bEuir9Z?f9K1X*Xk}2vG>$NtnPU-hPhEJV(+LUtnRrIrrc+B7fBec z_b3?~W_8aIvA2~ktnS$oM#p@XjG@glMeIJjqq=9vSc=s>UB<8<6v~)obr(n&T{HP2 z_7<%}^#5FMsi;Hr|A3(m(f<QB)an-fKVU<wZqfg9y-Dj3{Xbx+L-hZEp$^gi1BQNx z{-5g&`kd(hx!$1rpXmSLIg}OsKi8|YEu#MiENpd){-5h_^f}T00~WNpMgI>N_9oH) zbG@QGXmyMJpX(LXV|9!EAD+9`>K6S!V85}tMgI@j{Z_Z=|G8eKb%_3->t$Mp=>Oq4 z)FJwRcn)nA{Xf@BRG;Yoxn83BME?)ZL7(XV;W@w6E&6}1zfygo|L6KE)hGIYcn<nR z{}0$x;cobUB>tPEg+g%u5};<~j&L`;zXWKja$mR`&Yu9?8}5ehCqVC6-ID8fnd%F7 z!}UveYztKe&rg7$431wSq<X{M@cR;=Cgs6!H{8BNNcDuf;q@g#%C+HcIDLtbYKFVv z^9hjK>K0u-*9)p)b&D>a>jgUfMVHU@Jbg}d`CQM_=OmZ!Qsru^TXOj>Rj#tSC716~ z<p!%;a``TGeQb3}F5iz(N0;RC{YX`;F3IKlk?SM+`~Oha>8?;sC=e_S+#fi}e-pU; zZt?!Zd#UGfPpA27bDNp&e$9Qcdx_g^+-)3d1oe&DU$qMS{>@X~R<0n=k+aD>sMv?U zwz<(P+;5m@U%T3Mj2Om}nRFND+X(%@Wx~X)igUqqi`do*M1rlwR~{#JDViz7E@cin zNhnG%O&Ox5?4-*!dy9nRG1>E@)8dwmheA6+KuKB;lw}8sQxQ{DA{q=I>70PEn#%H8 zu$6((b#*JV$yC86c^OIfgZ5$*lwg|D1x<ySN!Muhq6sBzO>M_Sr^Ky$f;exJQ*$3E z>w@!jV8R5^#CA*>B0=$q9j6Ahi#ZiAGt7~KVY0FZYZ#Pp4C9MV9w7eKIc<qkJM4$} z)}+om0k#Rm7M^I@05RbU@wqorgb%IjHd8+7{m>e!u{N$TIT(0cbW(iM=+dM~ihKVy 
zCQWJd2w@`R4LS-FCG3f?DtfrrH7(oT*z1$1FN$ysnU#T4oY*1Tp6M+jl;0w`OlfqY z(A=DiBrEP^L8Am)0f$MNk^*M;s);4~j!qCX6=o&fHr$IQlwfTdFKEh54&vR5CX}!> zl|&DPrZ_iBVL{UE<UNP#7Zxx*5kb$OW0hH`a%ps&(6hWj=jTQVyG3pDqGRK0szO{- znMs!aHr7<87&{8?DV(yeNn)=VBU*N_Bb4uqP+NI)ble`bF?%>Us*_%v2h1J==BSPb zsLr!r@gSI`G0t$OTIw2W=i?FuEJOLL>)DJOCD>)qi;1nJwzB9Ual0&!*~QL%o{?ni z17(+ibDw7vIHUtL_I;AtrnR*-n{mVlCkTPYwpproZmD;2c9%v+3d<)qH)*2pZDYuF zwwShQ(Ghq*vQU8~iTo5boB7$i%^qtHmUE_v<Hj90K5p3$ugru>VoqO6EnObGlH|8& zaddcmBo|5}nY3$v3nS?;9n{80av{#nS2r|mYq1BCkKr(33=1=pCgEPj5G9-~kVI24 zhBKVdl?jPsNasz&X~%vTEPEERUL`qNbE8A!qZ0oi=ltAAnw|%2R0bfQ5Vv4Th2pRa z)Ryo|ENr(KBJ4JWgLQ)onHPLSGzCLa=L|_%;*d~Ux507m#$s>2KG7Smpti&&_XPtJ zC-+TSPJvK|YqV>rEA+SESHa4_&4Ee&bA506%Dh*2-JbR43+B0InY-0J#aM5QMNW4^ zD^gEYv&gT>HZcEPhJyY6l|~l{vm5DF2I+C2ggqps(S?$xq$R$Wb&|!Lpf-239D`Ei z3`$z!pp-N>BW1$^>^rz-vTi>t6<c8~SD0k<(&#Zlr*aCDXi4_cDU`6yv#Tk3G}fKd zsg5|=31jXPctDa2cc50`9)FhZjmPg>Ci)O*YK{f7(|XBOD~*;3gO`_+^qp!igNG8% z&RrB;5Z^S*Vy`lL@G`$SXKfE(5%B#c@#|MHZWc-AXe)}A4%mr|Bod!*WzOXZohYAI zv{>pyNpwEOG~ox*V7Dvw{SNMTN!%E5_xl^B-Wlktn>d(XgB_+cI!~DE1=)i&3`#h2 z{itYh+%hu7XwrN3TbU-g!ZfK`l1wo=SC}OQNjvIZ7Jh;AbG&Uyv?y+i265ddf8G36 zY#~mSuR+jM5<N;VPX1txlh41O%n_zsW`5EhvKK3(gfrzl(b;(6_eTghx4v$3WWRoj zq#6@>Ym*%0QPEjwOpW7x%u4h=Fwwww&O;aCzS@59LxefJCpWNdcyuP3x5Q~)VPf-^ z*zpUoPsjU@L(^7F*$JI*(oAuZv(z>rIs;8}sLt9-5}Q_0MX9{$=ad8k&Z}RG%hDjp zrvCE(MDkftRh#s+rk1HsZswTibTo6BW5GFz&7?1!ga+={5f)!&dmQ2k(ZT`j*zfGa zrF;5AX+PL8rarNGpj4#llkGSpT7YIQbnKX$Xvdfy&@J#EGzY4APQ3{y3GQe<n$_R0 zhXvIO%fW`f|45E)g)zRrWDAXo=AkM5Z6$c6BZVH#6N(&#``1cPU2ChZh3dqCOtMs3 zG#AZV?F`^Ci34b}`+<ZX3G`y@e*3qT{qYCxv9U@t2e0A@PGjR=lZqBEE=iv!|7P8% zH*sEi(UvXso7Xg)G;LmbiG4X={`!mG&?of!J9>YBqoUcd7jtUG;^N}i;qQb+(~7)q z-8Gcl?{d!s$Nw(lXk(22C;bO{xgOFU)plvq)OXdWdW@<oH!CM95pw_j{J;ItyMsDt zay`ADBrb~=re|eE7PBBS#EY?DqJ}zT2*&G(28%fPFPDH8nMU8l6UXt1Pfi^mEfQ6Z zyf~{@H_;5D_-2B5HKZz~>1`3%7bCwRr&OA0TL)-d1})K2kLW(98BoD#bU+!7xWP?{ zt&BD4<N<O?(IzDpi0{Z;8*<dqz?k(7TOyTBjj`NvWM_$)wygg~X433!HjO#{ztg6H 
zw45|Rt`oE?vmi-JVrD+FqXA<$W`Gvt)0&Yn*fulGB!!sIM(pr4I3~e~vlF$KIGjlG z#y<eEw0`mN*p3`BcA66@K?!XnD2~=QQ=h2_pZ5`wg!6IM=a}uc4LqEg39mrvka4q> zBJgO7b8vvO@ut;I7NmHKT9IV)_yM|}6JZ}8rcm}J#87Qs=i~!h*o2@hJMDI?X)Oa} z;G;duj?aa}rY%FJU#x=F@tM#(KpH5jgifv&M4~lwGs(u;x{&3}?8mm5k%f#oiZ);_ z&wLCOb~-XRm3D+!JgF4ff=ofh1K0(5CRr4-vvQc4m@S&-n`z4jD7)t+B23H8Q_Qr9 z{i!LRZfBOH<H756{bYc|JB!OfI8{tz@DO8{yu-MDJka=;(~L+ZNU6tJ!f1A)BAOwu zvUovRbxCn`VuC!^)dMZRa%4xMx%o;KS4S%5M=FrR&`AUsYx-60c31vByhsMJayd34 zmbWVA6(-I*YUJ1gaNUU1L8t9Q?FWk-w7@|N9JIhe3mmk-K?@wTz`j`k{C{MW`hqL; zLFmoUOQEMjkA&_C-5k0m^uy41L!F^hLt8^@L&t{}he|@zL({+rFftSjslktf?*#uA zd^Y%4@V?-!+J@k@!OMc*3-$!h2(|_rf-8en!3Dut!K~mB!O=l0XaqhByc>8e@O<F$ zzypChwA#Q8fvdnTcy^#Ya8h7XU{zpQpgd3%$O{}9h=4!9>;KCCzW)vXU;TgdKkUET z{|o<5{FnI8^+)}u__z4${m1z$v@<og`nrD}cm<~VC-_JB1AfK#k?(EaE51MZe&@T_ z_e<Z;e3$yp_jUVD_qF)eYboFwsPvWkX8JOHhx<nP!am*msW!>`Z|~o|fA;>t`y21= z-s^Ge;R0_T_y@LoH+oO>)_9Nh&hh4W)4XH7L%gQv3(tF=e|TQ>Jn4DJbEoG<^>c6% z{J`@a&sm<Gp3R=so?|@=J##(zo+;{oJcoLQd3+w1`GNVS`I7lGcna<@Z#J(ne`tQ! 
z>_kR|t>#+ucyqB?Voo=wnTMGp&7i5eKL&Hb-`vl-A9LU5zSVuL`!e_U+&%6ya08>k zz0zIfUf`bP&T=2&9__Z=hVhy4uJM}jg7Jj$pz$l?2IDH@2gY}dvy7d_W@ELn+*o83 z8wEzXG2R$%_zj|esK2GZtUseas{dNQ1xyD&($CYo^wacaeVx8SU!u>~XXqLFMEwvw zq-)wI+P}0{wdb_oYxirnY1e6&YumJHtxTJ(Wou*97qstdz56!j4wm{xEa24?MIlqQ zBRw8ROw}fP+>SU_OY`WCI0mA|A2{6n+!2Rq6U|Q@ajJHh`LQF8(8ik|aCD6MPc9x} zzRJa+=5t(3F`snAp_*kr?ubLQkog#YAZY&95mPm<d9Nd8kYmZ^OmuypT*03;%-gxB zo4@3uX8wYS>SyM~T>RMlE*C#Czr)3M&2}!nW1h;zH_Yu^eAQgb#h1-GF8;+lo{N7n zkLKdz=5#Lp-pu3TZ_OjQ_@H?h7w<C<;o=>pkBhgPCKqor*;q_fZ*afM(d*p*;NrFJ zzjN^_H@B~PxtrN{s`^9s@Av~3xbNiR`R-e}xW<UJVYM-mql=6YOjMpVhBJ{YBbPD} z18|umPEk)Z0$f~a1i4slgqWz@Zupr<mXHfPnnDyZWj(pj0gqH`4K@#tR96~aj+PtD zB1b|2v&fNTG5MaO;K=pl`_7}2QOe-r2?n#+WVPI2b9yoqu!%gGRFLx=1(Vm4^PN&@ z>OagDE?(?@n2X2hA8|27XLCMH4e6h8G^l^fMNR*NiKLvI&BbHLZbv*qU9Nw~MVHQ& z$`Ryf(&wOuD;MeSGm(^$UPqir77$QU(B*oV@{!JFz+t46AY_rE6Vzq;TU^Z3|HZ{z z{T(ij(ErUu<vsmPF219`!NvRZx0y)hlPD8iPmxYX9Ir0b*&-gV=ILzejaPH^*ZBjJ zbT$jet0Q!__Qxyt>94T|ND1k1#6#5u`d_)2r@z9*T>WJ(j?n+c#bNqim<VMrF_Fw8 zXE|a-t<l+>kEqr9vmDLSU*KY{{yY~)=r1x6%KpqmQcT#|AE#F7PdVr~bn_W5=IT## zafJRSCPKp>nMmf6U5+?b{mQ(CiyxY7<j1Nnn9Df&3pblPW7VIzSvSY3mHO}b1B-RG z2aZJ>p5SP%&Nj)hurFKMW6_2`um?yHX>-IeXv0sq_@T)r7hcNdQjY$@&8G4gw1Ex4 z7<GyMTmHae{UI*q>5p<TSAT?yBXqW>j6oaNY8gY0B4;`ej7HNR;9{=+8!nE}ALQat z{XQ-Z(b@h!8p`fxD49dfaKusSDkGJPb;eLGt}uo%kyMe39q|x6o5IC9!{Xu!V+a$m znT451D#=Am#AfybM;u9JlhYk>g!+oPnu|}HrCj`;`*toa)bHS8xqc@Tm0#(<Vj`JE zPIJWJYPo(J7mv|zWg?kLPI1Ix>a%7!7mwC|%*8VOYA(*!Z|34G{U$EX)NkbC4E^U^ zoUUKb#X|jBE*9uN<6^%4Q!eJ|Y|;+Hl4f&fn3}C$#UGfgU&qA}I(w@QQ&aUDIGUp0 z!o`rz-oV4i3~~}fNhaCph^gu)=J&YxzR5PRRQ2B`o4={*zf3mrsp?B+Er0e!b2%5E zGZ%63Zj%jcs(QVfZEdOQPu*-UNmZ|OvlW}FUg2izI8{B*&Dxu)7VGD8WpnlOxHwzC zoQt#cOSw2x{}C5w=$CMDy3S@_s#>VC8I`IQ=oj(_^7RY2n5TcAi@AEt4wH2@`%<yG zFXIoS>ObUSihczbL;96WR4&$;FOy29lkLtsE%gwx!}<52>K7&(!J+B{=6H_Y<o<+< zv-R(AahA?@tD)*looyOJ)fsvZe_*=K#%d^f*~!rYoxLuGs`)zG;fG@Nv;BD}CKTIU zhhjpp?O~`oS?}T+#_GGcI7Vl4U?|LRHb+x+_9`5zrs(HzG^C%)L{dmvxtK||IpPrY 
zesdfb7wB8KI9q4yafmugXDe?AdVDf}V1~}->=1Rj&MY|uJ&x%u&{=Im(Bl?fEKhId zVy?cGi<9;3TpXb@w{i&94O<IC&>^<h41rU@X8jQ5b-jrdBL#$2k)r<7WEH2Vm$=zZ zoT8TMY=xw#^YxWZu@rT--pIvS`UWn})El@sLtn?m>H1nO7V2xbSfH<_@&9*_zJd7v z!okmj{|r7Iyf=7V@WS9(!7afR_+_6Hj0F9Gj{|=XJQ27na82O+z?p%@z_EdOfsDZD zfQjGkFZ&<!-|oN4e~$lD|9XG5|0w?y{6^P&@A_W!J?y*1cbTuxcam?7Z!vz4Px2vj z#QV1QIqw7B8@-o!yS%OV?OpCI@E+z3dp`I4)AO|FUe9&NIB=F{i)V#rfhWfk@%YV; z&A*#Zn0Mhf_4($RW}|tmInT^6N1LYmefP`w1%12wD)%|=Q{C&`)$XI*Q`{rm8h$Uo zXgqA(Vq9kQ87CQQjK#)GW0En{aOrRB&*=~7H|m$*7jdh8B5ptw=!fZH?Q`v)+SA&- z`2BmKc9yn9TcIt`a<qu%S3g$&u0EmOrCy_+ub!zks>iDH)C_gBYAWw5FDs8Jw<}jE z=P0Kt>y>KdC}oN=Lea>(<VEr@xrJN?lPCRIy%P1*1W@7hO4L&mK+V=GQBO@!bFJP+ zfmVi00A)_EL_GyJ((2tHKlh&1D^X8P08LG=L_Gzc&+3(^r{E}By%O~lJVvWmqMm}2 zX!T0eQ{&Z1R<A@o1s~Mvm8ho<rS(eGQ-{)eCF-d|X}uEl)S<NAm12M4np(Xl$k;He zSEQaI5n8WAJr$w#iqunh4)u!EQzSy`6{)B2T#eN$QcnS^wt7YCDKd`MD^gDZL%kyP z6fo2)Qcsa_v|f>V3eQzpy(0A#fq!ZBiquoUP=`o81q^kF)Kdfwsnsh|PvN;rtG8UV z=~#8K)hkj@kukL1qs8aO(0WDcDLjXIMd~R6C)DZ{si*MV6029Fo&tt?Md~Rsn${~) zPXR-{BJ~t7)GJa?5%{ZCuSh+G=Z0FnBJ~uoAy%(QJw>ii%dOtoVt=ntE3DpGGPcO- z6{)Al6=b&6D^gF95mcW@Jw-++zp{Eo>M1<8(CU?_r+%PZVD*aBQw091)hkj@0XxR( z6{)AlFi<h|iquoUQmkH)dI}iYEK*MagY8A?DPXg#UXgkV*i5Teq@DtnYW0fLQ^00e zy(0A#u<2Is6w#)`KzG+GQcvNzLaTSO{9J+6D^gG4xqPcvq@DtX`65zJ0mFO|si%M) zZS{)OQ^3lsUXgkVShm$GQcsaoYG;vp3K;AxQcnScoki*?V6d}DJp~MQ9xL`YmD+iX zjKR(#^%Tm&&LZ^`FxXk7o&p9ti_}xVU}uqf3K;AxQcnScoki*?V6Zc&rxNK%Q>mT7 zJtbnrRxik>L~O3r3-&1iQ!ci8K|hs<4W)LL_^04_TD{<(5}$*eK|m#9urnB_L=1NJ z%NXno4l40E*x4&%urpYw#OGjV&`^mO>@4z75qRlVugF6M40aZIsDQ!FA`cZX*jeJC zf+uhFN<36UK_S>H@lXv_$5_1*4;5U0t4HFYg2QX|oG$hQ{;<_^nv8+s^;8)H#p@|D z28!2{WegOrJ7o+MuP4bEC|-BS7${!1%NQtLx5*eNURz}h6t68Z28!2a83V=ZRv81u z>lPVXVD(7;AATiRJ(B;ILTxJfe<{?alK+R_2Ud^d|D|A$=#l)t6zmZ_lK+>2J)%eQ z|5C6Q_elO<3igN|$^T2i9?>KDe<|1_dL;iZ1#`DY^8ZpWcY7rNF9mbANAmwtFn4<- z|1Sk|w@32-@XN{Sk^DdWgtB@h|1X8kUCIBmsGTMM&!Tpg{6CA@S@QoZYG=v+v#6aV z|Iea!mi#}9+FA1dENW-T|Ffu_CI8Q&c9#4<i`rT8|14@}$^WycohARzqIQ=2Ka1K~ 
z^8YNg#Ojg!KTDlw^+^7oMeQv4e_?88$^Q#eJ4^mwnA%zL|H9PHlK&T`c9#6VFtxMf z|AncYCI2r>?JW6!VQOc|{|i$)Oa5P&+FA1d!qm=^{}-lqmi)gkwX@{^g{hq-|1Yc- zTRoEh7gpz5J(B+y0zGGs=>L%rI01Vk|1YGx7tq^XV_m%t|6c)E{HOU}^N;d9>9f4^ zJuRLzFznZv!`+o`)40cIB@No0>J4hW@)P9*y-)uc8RvQih4;^2X|z#@{L39QO%Y1i zk$<Jpje@4EK@&Nk1k<!Z(lpqx#;igX^tmOvDi-wFenc$jljg%s&-lg|GLSd|cgWW^ ztlQ=!udvBh=GB9BW+$aVtBv2#tz~zwr=bWHYZ1l*9uxb<aV@T}w$cCs1jr>QvrRSu z>0r_kpVd&mqcplsuwH)tU`b9;!inXa9$g!=-mV!j>pA>A+59Rm=gQcpK%JcQW%a9s zUh><!F;nb;zsI48L|l1m{kmpEQ_!%j)f+k4OTA!+%*?^^J)nebhh1iLjo&q~&51+X zC9qhOH?2da9D%;VF2jwo`s)#h^rJ>L@8C2g1+eW~gOb#M`)hT4PQ<yt9ImTxY))hh z$aN($hthxu@bRpxuPtdo`X758+2f<X@AB9?=&0y=OcRHNz>d_4tri-oRT^y&CQ(*0 zz1dy@qfx@H5S5*|f41y>(^49(6MBNoVM#M=&wO+!VfUmodZM5yCp(EXV=p#A38tx5 z(3G1K3zLgY*S)kUC&$(VLX4I1X&GnrD5<Pm@J(*?4xtz}gj#IWwIU-8-_!ZO!u+c@ zQXV!$qcC%vAebX7bFjn@C}C^b8C`*BP=^SzZB$}3=z-s8%A&`k7pZn|=ceLiC7Bt6 zrck6sm_?2gERvT@(6X1Qh7!&MsfaF*Pmuc9yUg(flGqLo)Vpk7JOPJDrPd~sU09Dq ziff$d(pDNhHr}P0c$dl-Ri|epz3dKDmj>cJiE|D)@xc{#PB}2nIZ5hjtJc>wV<|YJ zGc&p@-jz90SH7{g%0OKa-zhXwT%ximjV=}DDH0J5a&tuq#}f0SHE~PCDWn~GqNM%c zKn?1i*rec(F)!8L<jNL;*{5n@wM_3*8m$&>l9Mzg_p){~a~%JxG+HHU${p<Qfy`X? 
zdtgSiGH%^j(mead2yq6QXCfC)F+%=h><iB1SQ1?lZ@$D~lgwrKtxOK_4Oms*43<%c zWW2f_i81S1WiG3d=wgg+0u9t)eSkvd0vr*oh#Mz0HnwGp=2xUom>{pm17;k`uN({W zt}O+Z8ItI3UN^0>q-fs45_=r!`Tt$ytZ(xC{}JD<zAJs__)ha}@GbMr!+rd*KA-nv z<o|oh`)luY-V42FdAE31co*R2eZ=eceC+wV=LyeUo@+ekd(QMU;+Fk9Plji-$76nI zzKR<Fcbh*mFEG!-jrx`5F=l}|(M)lF<$fC(03UMS?7r09>)zpB?XGaoz`gk)##hE$ z#<Rw6a9jRjqtj?HYK>!zd}D%v`=0tg^grTe{I&W8db{4FAFr3{+4?x$r+tKb@Q-VE zYCqA=)6UQ~YRj}@ZJIU;5eWZPUs8Xk-lkruen&k;U8h#5bJQc%;i{_qTX{kGt#XTU zxpKC03hn^ZD07u*%4o$yJ|wS_C&=C8XXFAH9)IE8IHyWTIZ>vr5AVh?RRXj?JtMpu zr&I!TdU!VusS+XOlJIVvQ6)g7v>=YC1PBFjLX`;7f;gZ`faWV#hj-(ADiKmo3-8A9 zlmMZrIGsv>N@$HZoDv|^h_k5#Xdcytqp1X_nAV7sDFM1Fyc-8o0(3)oH_oLJpt<U) z)^6!oYK3~TwOcxtTA@y`c1y=n$E!Q6-O{ntaq217Zs}NRIn^f}OD(7Rq+_XT)ScFD z=~(I-^(1SzbS!lZxzpM$9ZM~vZIO<pmLi47Zs}NRDL&=xmX4*Csx8)T=~!y1y4~6> z9ZMaJ6e7E&W2qWihjc7eL+g-^rD|v$(y>$xtwTDNs;2s+W2tJYPdb*Wruw8~scNcE zI+m(JdX(MLu~Ze(qwJQBrK+et=~${txz6g7j-@K0uTMIbs)W8i=~$`~`ue0}sY<F( zI+j{O^-0H4OQ=5SSZay7&FYhmr54k&(y`QHT2?xiTCBEOebTYiV&&&npL8r$LG?+; zQWaF6bSzat`z9SrRnWdk$5M-^KIvF$5!ELhOD&>hrDLf@>UyhBI+pqg)h8WG{e<e1 zj-`G=+b11M{e;#b9ZUU$zy{K>R5`6fI+iM@bx6lj<+KjzSgKsP((03rrOIhPq+_WC z^f~ERY5{#tI+iL`9<lnQW2sW*A*)Y1mYT0NTYb{8R0+kTW2rgHh2cINOC@Z7e&zgd zA5NtN=)7<r4y6(yb!)f}XHo*RCESN2sYFP*F5HI`sRYPJ)#E@)fS?}dQHc;$kK-r- zf_j`rB|=m^4x<tvuUZ@K!&y`U<WV<<`*0MM0GZ0U;Xa&1B|vW4E*wM&5ZZ-vs6>di z3&&6bgm&Q+DiNaUaR`+N(ZQ6?pk}L0R-beRHCs8?>XXi(W~rO4KIsf<ChigSNoP<q zm3yr|=?rS7y2<L3&Y)(hjaHv@1~miez51jxs2ND_)hC@n%|LpuKIsf<2GXtdNoP>g zmGiAW=?rSRa-P*Eok2~f{guw3rsIx9pL7OQNcBl)P=!>VbOu$ZZnXOH#Ix`Mb%WKH zD`NS|_2Ir8VTc-$f2=QCfHtZP;l3;Z+CZPm6rcumQMfNdg4T!orU}q!wJzK@Re(mR zE5d#060|DZH${Thh5JO8Zj|zDxKDKH4xze4m+lZ11x1%`Bz;PB=|<A0M3-&^eM)rc zMkse!eQ@a#?~r7xYpg!_bONS4YxTjYOT;qO6;>a-IuToI^}($Zv3jcyew~0(eQ@j& zu?(sYo}Gw6A6z>TgFg6n0!H;o&fQen56QWks;;*BB<F6by2$F2oV%%1pXA(OSgk(E zxkE&X)h9W3qtrU9Pjc=sj8>oI+#y26>XV$iLugsaxjTfmMRM+@;7(qj<lIeBS6Y3N zbBBODt50(7rYN^teUfu`B-JN5cL>0<`XuKL@p)FC<lG@7&+3z$I|STWeUfvB&^)V8 
za_%OpCs=)wbB72$t50(7uBP^roV%;3T_or3YJ#zpoV%+~wpViQu2PS;dL`%XD(LH# zoV%+C?nsKxo$F$HM^bX`5D94YO3qyx?kDt0&RrVL+<PVGE)D4_dnM;CO+C))m7F_- z4O+dDb9aR5vU(-w4$*^FujJfasUB<fO3vMt%12hO<lJ3JaPL`i?htH9fB%nlo#F~j z4gNjwf&UACrQhqD<K5;x(({Vv0?$J8O!sfxJKfU|XMVBa*YDRp)o#?*x=vC5h%5m2 zDwin#B-`n4*nRkG+tI1TzLK=(#=eqNl~h%we}gp0dFfT)I%{a!-0$JHNQB(alT|nk z-Bf3POqtN)C`xZwlfI=HN$gg))~#xw+<NKYe@bu0|1@o)#A>CTUg0xh)}S*6qJ;Au z?$}Ou%!s>oNJdOLS36*zn)Yl&G5<z!Q`5$VdgMxLZEbE?wXKz%IZc3ZK=PJe$KkS0 z6IK$AZwC884#zjnC%Mv2k6`h<%)zQc3CH4NIt`p?^+)uJ1GLR8bztfP1)s>!W}kcg zPh`Xix@!g9$>-vsP8|&_b2v>i6OY{3^iAMl+YkJ?{j3S6&NzE+X{Rb$KP&0@U@srw z^RiezkWNL=l$D$GseCV*P{J9<d7UJ_a)j#xi@wQo+MIMcoVa_#@7757Zul83I0Eao zHMZ6kV`HID*EO=E+D?~Xk?cVq_@IPi5nuESOq>#D;-n`|oW)?8+|ks$CQ=33#kzI- zgI$}etYs>b=5cBCbfIH~nMr4(dl_n!usc>7Jx$P*Kj@ofD8V$HDrm|bbV4$eV46-5 zG-YKCws$Du3|nFJ<oHA`jJ*Qvq!Y=PL=My|V1SdPg!FfFo11pD&?6XU4mpi4i|&j! zKAxBjmw2!WlT31;8lN%nDio84@IDmRtzKVWyR5!$BYmI8ZcUsdjA?GxU^gd}V6$U~ zq-n6PtK2O1;)`w<G-VI^-U3RnHf<9%6%4j_*#&ItogZzD4|@D$xwvxq;%{>66_fqY z!Nl&mb4x2F`rWdAr+iChaow6VbT_WRJ()%)KOrtYw8VRoaPh(JNz#}du<5(ko`~6i z?XH50oOTw@iaop~(Pj*9{O~h#&?npMVEc&ZR=h>(oVSRO{EXfk!5gF*elaEV-Q2RJ zsTnC6_9t^b&i<VW=xrvaf;}+lw??<bMz4KZeCM=BFX<}Tw>Ns?j}UwGs;bIstILt0 zqG1b8bz5*e--6WS$TLW9@y7dJUbmB`du9yMY^d8dMw{aO9wYVp8@uC@vDaBE-gc=% zUXO;>hVAs&K7OnXw6%77Lmf?+>C9+k%q(7Cw|R3t_mHBSg^epKJE@C%aU@W}d0Q=t zZi*Rh*Xo$zoS&@U+;ZRZuPt${mz=bv2^k@<3Y;IgOL5nUQouXjqc_+}#w*t-<_Tt{ zSsHvSP#3z#oM~p7hnu6!u&D>{3oH%Y?EcjKZ};DEqW%Yb4Y=KXz55FH1@1m~n|r%^ zqx(d6jr(Z#9Cwa8%{|sV1d#$?81EVXK&1VX#zV%P#*N0+0x#XM#zJE*&fKRMhZ@5S zA7bx6(BITw(x28J(eKf3*00fjsDD@Q)KAs7>T7WdzgREnpO-GU!2f=Xn+|Mr-~`-; zuDqmeP@dLmwQA)NtxUN`o1^6@H-|o;{Da^lyj4rn#)9eaO>Ky8hGwc?`0w)n*nhGA zxBi>d_tbx=FZxgRH~BmK=Y$UPmZ?wr7x|0*Yy8VYBfYcLhy3IH!~F&RboEX@@qOs` zt2g?d@jdE$%lC39=*?EI_WjiNBj2xmw}e#hB=rZl;n3{s@|_1p#L?hAObxsnyjJ~= zZ;5ZdZ-s9iSQ4$k9RV+R5-(HF@*Uy}`6l`@z?^6Ve(wJY+=<^)cltDSv%1>*iT7XX zvEEnJh2H1Xx!&J<?^pA^*Qry~L)BrbPjx9DC~x-9P&g1jq0LU{_YmBmc*}g*e8zm# 
z{Iz*Y;4|E$xD;#(-R9|Li@Dx=x%d0t-UK$p+XBY~jtb-kCI=!8J7eI=z=eU`fn9+e z;D2~L=^K#4GqIBVUP*Vv739|n<8nEk+>`LU@}}$1g#Szyo$@$rF&IS;4$%z8ih;8; zgRx@Z$jmswc@`&S#tK$UZ88=(;)&{+#ywnYF@DWN^0+e15o__lU0iH2?q(wSgEG|- zSK<Li{WD<C6vj_<9JyOz{6x#iT?!*5I+on2gdAnd$gh;3BQ7PkD}G0;A-5`CN315l zR6LGYMQ%|{N30|_D{e<zLVlqbj<}fIr09-VL2gtuM_fd1P!ulKDXJqbBtKV(BbJlv z$yZ#gQ(TUCG`UUjIpP9x9r=Qbb>vG&EG5^H&m2CQ(#_;^2b_;vEuT7K3Hd2uBs9h3 z4kh5Ab6lU0j~#I~STO$Oh&V7a<};C8O5Slq9EBOhTx>MvGEuqDDB<G0#ylpHACb2m z5vN<mY%Y3?qnM~XXcTerT4N3q$q&g}j)+4nV>%blH)e71JYyyo&oyQ+kz7LFaQZ&| z5b~x2;v~z+XQFbxQOL#fi~=T-i^)G75hq+m9uvtA$UhtrXIw@u6Ujy7bw|u27n0Yw zcmer47r#$l<>L3q-?(@_d4-GTk(asnUGfqa&n185;yL6mT>K7sk&9=O7aTE{>?Y51 zv5)+ji@oGIF7}XTx!6q@2~#fVBF}KNlRVAEDET87JIGU9Jc~TZ#dh)p7k81zx!6Yj zz{NAk@40ved5nvvlizXiH1a4HPbH6V@f7kf7f&X?<>F5A5EoA(4{~t_d4P-C$#1y0 zjoi=0R&pN~Tgbg!Y$j|c$t7C}+h20Y7Q(iVT+&3?rjkoGlRKSaIb;)IJ4p^{BzJIh zBe|W68^~>3Y#_ICaXtAZ7uS(nxVV<w%*A^03rEC>pK%xy!HPD4iR3tPH50*#_G3rP zRM#4Za<SfsaB+n(o{7*fj)`PBxsr*{aFruwK*Ja=)*GX_xWX9gh#S=o<KIkF{$sFp zz7b3FU5;L2uw}fF{7qTNQ1Xg$jI-P}j#0`TaD)1=na;&7gDtELYNzoAM>`C*G&i6I zw#+vuml$lhZ6Gfz3)r*dCFN+Rh7DtsG6!r>KQ}Mq;*IVPxY%j1HQ0deu$9?>?y%+9 zfXdj?ZGhTRR*d{rneT{e$=k{bF21E4&&4;D;~a6d8a3F0UX3c)f?lnjWv~UkTDizz z3wkyAi&EkgTZR3St?gB6qrukpD)OQ-&v~Fu`GLWfd7W~O!IpU)c|n=W9w5&vMO^%| za+G6{I=@ovfK}@2CgZ@WgvdCsDj+iQtwj)<*sH4%c3?JZgwg-wsAwdwDvP-IlCs#T zqH&B;;eZ=q^vk(;qx(ZHb{gzmu~Ka@*aB*Vao%?xz<odC2V9(BT;zzj-Dh0rh`7{e zT;Pbf%V&I_ixZ6RIU;V~8Rt48F5MaDFj0Bh_zp)~jI+78-PrAjxKL;GIU?@S8NEzI zu^x`L7~NdlZge>!?#LOPOvJNMj<y&bT-<J)<%qcdX0&thDq|NDVTU%3UT2)?h`8Hk zoWaGbjMJHjXHVnkb;hZVh<j_sDO|kDIGKs+He;tF;&PgC5*M#Bb}&(GHMVo~=f*Zi z#Kkj%ahKt~nZX#%aLvqM69%`-3^rkKsm$OL2G2G*8gPZo*vv$Ay|Kv=ahc0l$Hl9R zwM>NGdX8Rctl{W-V|BohHz}96*(SJ&{9ReXP%OwQN1UMr%m*BCspc`+rd<P(ZQ9ik z?{cQ+rZGyT^Jt^`H<Q)YsD9tg_UuNr+jx&Z&}sbF5i`{fOg0}fAhP+eh5S=F)_I_b z{6ksF#n+W(j<{L*h4BRw$?HlD7hhAV9dW7pXOs1(2I67|t%k_f&=&HBvfM#S)hA81 zqD$2$%-QT&ZKTQej}2O?`8?PAn3>~<HR@w#HhUIgmLryGV@<X@FNKCz*s~DXzBEI< 
z*BtJkOVztfi#-4_?1<G6L&0aimb1T9JHq^mS8;^-CDZVK+Pf0KHj1mgnptUA+Lh!b zm^)!HM-qtbI3e7Zb0_3>0^v%KZP`{LTaF~#F#%FL5jKY<nNsKh1zaf51`4#arG*yC z(E`0o3$%rDmHxCq3*|1*|C`;Nm3Cv(Bn}W-*_gaHJ3Bk`=6W;lLaId_Xky8KH&biq z4bqb)I2qs{!_~s1tq&2yr<kwR(Jx9rHo;{8A2h+m03R^HMF8&)KO`6`+ryXi@uZs7 zsi7apUp2wW0I$cl_t^UTW(FuL`sytZGb>_(P)+om9Ux`G!9s@+elq;M@D<^7cxkvQ ztib2r1EC8-4WW}lV}tJo9}9jJp8C%Y9v|FCeM@~*y-od$dX{>Ox~K9wJO%i{8MXxi z^7%rCxP>mFi%6OK*QnU#cJ+Ge{fKx}zIlc~PDg0e+ITdXK1Q!7GBDQ-d&Q!Vayo8! zbl7LtB^uU7)2WK(iA20&nPFwFLwcr1lgUI<Z;y1x6OqQ0-qjLoXwebIOmC01BUoBv zEQtte2!fYR6qQn?&xJ@H(ePLa$tbf3Y1E_Z8=}UoXsQa)Wv!53G1!YlnSng+fAxso z8g0M@Q!LfW%4<(1IuREP$sKL6bsfAeNyMQ=7`29IH6G%{rWitpAv^n4L!4dH=@aTr ziO57&UsMB@^M(aC%hDK4M`H1m4pA~gAvb~bik>n)gb-qFi8N}8n;ljmWH4&NGIk(m zRfSk_gp81q<${aC^(j^(7Ok%qRjQm(w`{h)Jh2uRYX(Kdz3BU%6YPE}0ozG|o=X2L zP`y`kl6^XEX3=?z(SuF#L>C{tUGNiNj=g%A-!>yq9y%7I$q0SOLc}#QtQ~JAqv?)h zn;wt0HK$v2NS+$j;%SwRP;@a2_E<cQEbBTj$T12r(i5%iY&@Zx*^nqIJ-Qy3?NCaA z_@YAec%Ku#v7IgaB(wKU^RH&hhUBE~hb<eN)XW=&Igb(@2>7QrBrstO@_>Hr5NKEF z^Y|3k8#+?yM611|G~=rD)4LMTr~Na@mp;jED}B2}fe|RsGt=L}*2}PaMl<QUzAVxP zO_RAs)K-0FqE4SM<CIyIQzk>xU~0|LQzn{|dqq3eOU&kO%xt~3-FVa5EwS51Fq@Ou zhS}bqG8R4^t1#2{s{-GVjwV^~*-q@QiFgMSg<``^>d<sq8!?t+1TMvzn&?Q!V{PCK z5EGp(sP@*5g`tA}IdGit;0O);6eZWlb;B?WE-rzoi#4n@2v466Tq8``z6K8ejmFLh zm=fp~EnR@<q-$8H+eDlBjaQUbA+~+r*umTl@)>A;%sCJt^oukY5n78RjyfU$n<S{1 z1)(d(2OATGtW9j|#kRs&H1qA4vER}+QMJY$tll=iRw0+0F<V{2N!#L`4vdt=*0!OS zjFiRJ_#pR<l*N{U($<l(*y2}u>14UQ)(A1{s_v9yb(T`;QevXHk;=4HU1{G)S!{tm z-Mn=c)2o5)D}gQ@DNCX9Q%1^CsLQyKvJ~nvccd(~iX>gJHI<C&PCnA2l8M<08+85% zWfoj<(9lR(3Zr1oNLlPrKxd4Ur7#L6jg+N8NcjZ0{4D1vFk4jPXrE(D6cohC8zX(8 zK;+tyvJ{9sVYn;~dwsfim@G4yhZFll<R@EaaXJ2>t47LFDCK)wXEAl73S>=<l%+t{ z#7J2R<1@|l|G)3KPzb*q{(bnz;ctbn4QIm}!Y$zy;pvF?w_n&FdJ~cUejfT>=&PYi zL+6LqhE|4VK{`Dy6bQZ<d=?S??h4)%yd3uf?ZLBx^MgkQ4+?7P2kPI{$JGZAx$kQA z615vK`<AN5s}t37$jx6?o=_f8Zd0y8Y`zX9qAXO7hU8ldydQWm@Y}$>h{E@UKqjy* za8_VmU|QgSK+yk=|IdiIcenp0|L6QY{#O5K{#pJS|5$hcctd_h{+WEIe7!s<pC`xU 
z6>_ayiCB7G=~d}T=^^P3=~`(3_6t#IDI(`hl*%QK?`7W;h?jSp?<(Jgz7Agm+6YJc z4)$r@_q{J7Hr~D7o4sG~W}tg;mUo_an)d*25RvfyEdENoTf9m9oY*6_il>RQ#2Rs| z=%;VcXXwx9o%DJ-NYA4&x`NiyO1d}ol2^%-<RNkg?EeQyH;Iy^<ajcXloOBVWzQ3y z2Ryey@_1p<s;*_5oQ6*sGDpk0ELJmQww85StY*k8E$gya&5)T|)@8ApAv3hB%VIS{ zrfXT3#cGDsYFU@XYKEMoWnC7l8FHeQby=)t$O&5ZOm{nu*Rrr!EjH@PkmIy0Ojey~ z$7)&FtUA+<(XudFb*3GyWns1IOgl=;!fe%<cBGbt-KsO~2rUc4RcG2XEep$4XWHRf zc9}bEs+NWAsx#jdEeqpSXIhPxh4rd4ZL*ey`KmLmTFb(I)tOeMWnsYTOsmwguwZqj zP13S3VRfb*re$Hn>P$OS%estMGi0Kcbs4c{$OJ7r+x_l%E$cF3&5%R1tjmZsLk`xm zE+f_qIY`U8j94?|KrQPsV$F~WE$cF3&5#4MtjmZsLv$_cGGfh;{k5#ih&4mTY1!l4 z?HH?NT}G@KvY(c98L?)_zFO90#F`=dXjzvLYliHtWnD(B8M2p_bs4c{$evo(WyG2x zduUl0u{!&xT+70W)tR=tmYw2G8>3}m$Lh?to0f$kt20g0van<=PP-L`!C9EHI@2!J zvan@!rlqtjj9Hy&Wm*>2td2C#yIL0Jti@^F>>IFWb*AAPFlcqAZPv1|XmzHYr)3Xu zrmd$LEeo60;(Y7rrCQcy)ViJyYFU?2>w0pfmUS7mcCqqYMy*{Gb#WQBcG0|+bs4pG zvGQC-t(~kqmr-jcD{nt%ojX~1E~C~?R-VhK^=8j2TGnOMdNccm%c%8cn$xl_qt=^g zR?E7KT5tBeu4P?Dt!Y-C%cwO?2ehoqs5MP)*Rs1g+mU8<b{Vy%Sa~j^))c)&%estO zQ>;9fQEQ5o=Q3(dvhrL;tw~m%%cwQU%5xdDu4C`Ij9S;RcU?xU>)5+4qt=@|FKJny zv%NQY{-$MJMy)q_{;FkNMy>5^+`Eig+bPDq%c!-TUZiDRMy<DaUeK~Gqt;t6h6Y?l zt+$}g11_W1TReZ!23$t15FKg*=Q`W5#q%d^z-83B1<nHoTt=;1K)(T(QR^1krwzD_ zTDOo_wE>q=>lXCofXk?Li|2W5z-815l>lwPWz-5GzBb@8YK^n+CY|koj8z+O8MQ*M zKpSuwwL+Uj8%Q|ch2Dua(B@9VH(Fh3tZi|38osgCnFf6lZD5TnjeR5LPQy1^+-d#V zK(i~2wZp~#L5)NkaPfaoIMD`N{9laG%EkXd8$}y%@qbV%(FR=nAGAxf0T=%VH4|;X z#s5LyL>qANf6zA323-7KJsedGxcEOPooE9t{twzGWdq><iu`SyPi`t30Q=`ix~6OZ z+@B-q>aqbae~zRZ%Lc&v6(`Y6WdmUSijvM_#e?&6B%ydPevTv*55CWlgyO;W6(_Oc z!Sxj-oeO6q17P|bNuMnn0MF-0y0mNnEMIXFD+?T7QPKu@x)=b%SCn)PO9H=Fl+;ao z%LW*`=UEVITZ`MX<q1#jxUvDp?G-1D(*|73UXEO&4Y-)S9JyK>a4~y1Hi%rzUe5EY zvH>uAMHT5HAR~A^M-s>gR<AgT_LL2P(<@FQ-_!<NjNaLB$ur<$^q{h<4Y(M+)hwTj z(Szo$HsE6Ppe&>fxEMVs@RkjL(JQLTLgso5e4Zl-uE)UUIg;Rd3|wAO60}pw2EgPw zlJFvUJVz2<1dCUcbTadj1`f}W1TSe|@QRa|UpDY}MM?A7i(u~@Nq7<5U2zh75zJjt z(mYmG@OF-*Z?N;f9LNgchR_;F`Okzd`?bocfvkAF<JTkFzeQ)(61a;{fUXw4wTo0` 
zJE|e?z8#rMSwAWY_y#_zl6PLY-WPXXS*4On6ev-kM1c|ob~y_4%<9{%U|+k`B@?zK zTRbAiM`n=y;r6v|t7Oxzc6MxiA*RcmKFwirJoPABa>pzGA54z%hGB9%r?1Re(sqY9 znQDbN>22)`gSckspp4f=T!(P=<MSFa`NK)QO^&0E)j3T+ssXWMzD?%zg&bWsZK^Gy z=N0}Bg8*-scIPMc1q<_Hj;rfz)ec_jM@5GJ&{>5r8{F1>d8{=G<teib9et|ZhD|lD zHrQGRpKu$T-d+%*2Gw6ZyQ9s}Ns2I6ZboAcgwryn3tkC71eK<?StZlW25hVbmC!6} zjWOM_L|f0^eF_|6)R_)3j)ewQB)vM-5``N3{JO=9m_E9xgRP@5eSV}f!nCX+aE!t7 zxPt{iF)ore--a`PsHPS=yXa9hD;e%->Q@`u-9~f_R`OO(mUg)<pj4p}1xgesQJ_SD z5(P>WC{dt9ff5Bu6ev-kM1c|oN)#wjphSTZ1xgesQJ_SD5(P>WC{dt9ff5Bu6ev-k zM1c|oN)*^`3Iymf&)(!7k<OvV(HeRP-ItcZdi`DUck%Dy^WyIj_x^tIPVpA;E8^#U z2Z~wWUcR7@c;E8A<bB5bJMSa%6Y|gH`(X7yDR@9|kDwa#sBgmd|7rEN>ci?i>K*FW z-~r$=^+NT0HKo=BrmHRF9`X$N9eG6D<UiIw*?+KqAAi^{%J0ap$j^E2@!sM6n)hn& zW!?+D=X+D$7Fgjg^Um=e=dJM`;@#I<=Jks2%HNT<$k)o3%NNU^kvrry@@jdxJP%GJ zrpgoKvGQ)RB)tdw{}-e`NWYXGkiI8<L%L4-f|QjuN$aInsa`r&S|HU*M@WZBIy?dd zeE;^n?t9Vql<zmbpZM<f-R`@=ccpL8cY$w%uiY2*o$g!gn+YEQRpB?ne?{bgN5c<= ze-Qp=_{Q*6;Y-7P;d8_5!cE~b!b`%l!pFd8!a?D^!=W$@y&ZZPo)aDm{WNrM=-Z*M zhpq{IE_6|7V<?Sy0IT5Ve=a=#PeDY2{X!ai{{JiZ4;G;S{uJ&<RDfF?p7kTaQ-ceF z)5Z1hJy0*6DlQbKi${u+!~?`VL`4+fh2XFBPxMjx5d8uDCcTkfMK7g&^jx}*HqkTG zL)3lMGS#cRtNdMg9=;cTuH2`5SGidkQm#-gQF@e4Wvz0yvO<}!oTwbGOjO1xV-y+Q z7+wqfCGf|<uL2JSz8|<XaDCv5fm~p7pc}p(8v-i>3&q1kT`b2)z$jp&!5A-3(A((^ z^h)}o{J8ux`nvoh`fo8nXVP}Mm`3U8^lthTB1is&+(C~fUn5tO%j^M5_YxEfAunyO z^G?_vONW|XExYN((nJn!mL_oUJZZd`6-*4~qmp8Qp1+gTCJ19u$<M)zWO*@$xu_&t zsh(HJDh|F(&N4yRdP<ao7fHlFTksnVG1FkWE}h81{Uyr*D-6}8<9X^>={OGVCmqYd zeWhbKxQ}!+2ltka;^1D=ksRDpI)a0HNYgl2E?M4OGh}zk^5&W$V<gL)YliG5)$qKU zG}#0<lY6P<&2=-mhgx1@H<LT*Q&tAyGt_dmx`{kYE#I-5$am-yrnB5lN&2{%wU_*W zS{`zH$=&q3JoPSWIdJYJ->2U*Q_u0dOVVZm>9NG}?F;*2$#NnK6JjZBW`*Uj6tY0i ztHknbn)3XEoXt~TAq{3(sj<XzcM3aVNj0Ct%viGA1aBmJki40?5#Bj+9NeA2zL*f= z*+|9^%hmHnvKzUCr)tD<?R!3)om#Ga&m&=Cxq99}Ld0_QynzIX<?49@QHka1c>__1 z<?49@2@uQG^9JH4maFFtL?)K2=M6+6J?4iu5Fhyr2fbt?2Sswe33hm1CzikD4vg0p zGZjYO((WA0NaYp?nvUV%mC|k&==mqH+$^U(uMx}JG0eK9GBd+QvW)zcgG<RH99%*k 
z=HO!T5C<2LpKx#?u{`W<Bnyb;VRs`rnOGinH<J0p^2ofA%p>>l*XEKRac~Z~mxHs( zJsg}xe#pU@<Odv_LGI?@baEF5Yl$`XHj<NwHTE`=6NxoWH<A;GHBL9eW6O8=YsZmq zbMRPl2M3QK-{RoW<eMBkirmh@Bgt(XJc8WH!D-|h96X%d!ojKJW)4mvTR2!lzRtnP z<ZB$PCO2`girmP-N^%1SClSjz@J4bNxt^yUO0MJJMDi65P9Q@Z98a$0;34E14jxRd z=HNl(%N#tAT*bi(awP{3AYbC3PQJ*&{mB<NIF5XtgJa1R9Ndpw&cS`j=Qy|zxr~E* zlh1N+FLEgd_auYXlHKWfgT&0_PK^7t=Jf9zOV*f)8we%magY$p1^Nc!AscwAK+ds1 z&%a4G2R|U|Iru*5;^2FvlY{>v9qMtyd-hKDKL(g&ST7zRzixsVvOrqP!ILG6{uwe~ zvic`O=1JDNlp%8^Yqf&EBgtBJ;O0oOb^v%clB^X7PK~4nUhWLZTK3_>NU~OVcrKEx z9RLoCq}4p{iP9<#o*<pY!Q-VfIe46O1_zIoPUqk;(rFw#T3X4$qoh+gc%*a+2ak|e zaB!NmoP&o;bsU^3E#u%6X(<P5q$M1jEG_0>wX}$XRnkHZR!R#vI7vF0gNI4;Ie4fv zkAoAXxg4Az&Eep9X*LHBk!Er5U}+`?50YkZ@IYxg2P>pn4jv$#WP<DIZ{*n+=-cUJ zz1#B+N%0acl@8|MpmY!iGtwazh+Y0b3-r8A)^YGHlHlMgBxz3b^<zo9nF#MKlFq@5 zRKdZ`(g7BTV)wT|&zmI9!B<F|SytCr(rPBcbBnYe2Q$(*4sMplS|G~W*L<rtMy<V~ z2b|DtW@1m2+G~D}S_{=ilBKfw{zfuDB@SLfeH^@)dO3Iz6*+hzr5x<1goAz5!@&!v zz`+dpHwQP94>-7qywAa2@*W3!$iF!F8S*X%H<EWacs_ZXgXfXAICw63lY<+`8yq}` zSgXKBcs=_kPhC%5<6swgm4lt+9~|r;f9GJDyu!g0d6|Pr@)8Hvk-u@U9f8j*E-gV` z<X{{5KMuB%zi=>4Uf|$b@@EdNA<uI#MxNtf3wf4<&Ey#lHj$?}7$tw=U?X{ogAL?K z4%U-Daxg;vz`?W0?>V@dJi)<L<Z%w3MIPhendEmIJcIm}gQt^6Id~fR4F^|}UvuzO z@+%IWLVn4?733EjTuy$@!8-D@|FO-g)Z7vUN)#wjphSTZ1xgesQJ_SD5(P>WC{dt9 zff5D&Cn>=E|NX)9pb&m3{CN2O@U7u1!~KW?cy@R}_$WxS%R=uV7T}|ydqP`6pAT&g zwTI4x-1_j49#VsE2cHlA65juB3|<!e4C24949*Nr4(=C})z=~a|Ec<2^*S}Lo~yQ~ z%hi+AN$OszsQg3uqw*8wTgo+%Jg-+8l_kn?$^>P1MF_kUcsy`F<jhwF`UB~}*?|Rt zqXGv7$^st$YyRi_kNO|<f5(5L{|o+${O9`H{Hy&-{I&k6&>q;sFUfDqFUr4{ACd2p zZ<fC-=j9$bDK|hTV3vF&Gy?XP1Jb{wmk<x&7t%e_ZPJkRS!uJ>AvHk{V6Jqubf~nS z6!d-I`-krt->-f5`M%}5-gmjL&$r&U#&?Eqf$w-<m2ZDvna|^W&HJ49QSSrZZ+ma> zejXYM=Xlq8&-5<zp5UE~I03tPMez;s1@Uq5A@O_S*TpNv0r7k>Ax6Yy;tcU{@nA^n zCHf9z^?#s0g(UnIdNs|{9-5?$h#N4Q9!V!4azKE*M_wjRkzbH|$?fDT<T8>WourwZ z2I1JTWD*$%aihocn&)}XZ_#bmkD9L)%L%EgT{z1#hyF^<pTtq&PWme)f1+6KF`lks z4^Q9^k@uHs{&<ce?=O}7afQ6Vj^$X4{zA<k!?Sv-7<#mg4l(p78x7H)EBPY}ul`KU 
zA7MYNqCltF=nz8>x6xDRPu2WX8$}>eH9y5hmov16qrx-v5hXvFf9Fj4h?=kF4?Qw{ zSj|^)RCtFzq~<F*>OuHuB|nM38lyi}^M~0Fs~CEyjSew%qK!)QK{Y?YMkzzbb5wYi zp@-P$)AT_le{kVD52*Qr_(M<;=z%sm#Lx;G-JRaA<`3Yg@Fqi{a$)tepWdhD_qWk8 z^haub97lyW7&_KQZ)E6x9Q9mIf28F1EmZ1WHNTJju!;iR+eU{Nx|faKO7Btgd)g=> zzN+~>I4V5H&~h8SkN!}}@6Nx|NPnQ_$MA=qa(cI#-_1tL7^>MQ;>W7_G8<jN(6Egn zj;xvwaa6dEeqYT8ZS*?&JteR5&&KGTYF^<FL35x18y%u|DtUh)?|0R_Y(K1`KqVU; zqTf~WzCzybsClpbu!;f|ZFGpC)J8+}+iITJs6_8j^Bx<e3>7$vA#{hD+i0UtGxU6p zdKCICHFq9Ig<BYUE=N5f`b{;r!A8f?+tu7THaeD}-8Q;Ay-m%n=O{)P&@PU8w$NME zT&In$WoU<u#u%Em(HuilHhLvPlN=Rpqqi!#bp^_OL(R4Ghv*TY2^$?^Xq$~n^cFSO zYNM2)agKsiK-b#n(+ovOV{49-)0@>?%tp)T%}TDNP>U^UuGxNAMS(Wi=n&na<f4VV zUsrRD_QNU)w82J)7+P<m<LKAaT*OAlGW2X4EvGlBxz#pW#?VzZ8lX3-xwC8(agEj7 znKp{p#%k^i8x7H~s=3oSD!fjwS8}Hns(hWATge}S$UslE(IJMOVx#5sD{5|qjg~QV zxs8_7AvITLqh)kR$t^2<=UO$l)P7h+fiAJpA%-sIC?@JPYHm>xdbOHcXrq6kUsiGp z3I$)K=1%4h(Ey<HZFGpC^K5iCdZn71YoinCm(<)G8%1zuH8<Nv5#U+P&9YGhc~)~X zZ4`l?)!Ymly@7sF$xY{#QW=KL*4$1Nmet;CJ$($tUTcm%;eGlAHD_<O*sMOU<gnSA zub#;;d#{brE7TnJT5H@^F|@GR4l%T_*&^_`nk#I!d(qD+xuVVXGBsDc*#a%zY=IUw z+j9C@HCNbd%jjpd9Gp@YhulCMbu9<4)J18+=gDJQ4sNN7)2?7?@Jn5sb`yC{%fT^q zQJN=1a#{|ashw$AEeF@s&a?q7=L$QLA(v=5SJ;sZxme4&!j5FfMOw}kb|gbC)N-z{ zBN@`K<y>J$GNez-9qg{l1zOG(b|gbGTFw=ABttf9xeE8Yo3xxO>_~?6YB^Wfkqqh4 za;~r=8S)t|=L$QLAse-vE9^*yoUi3vVMj9LJT2!6JCY&iYB^Wfkqp_O<y>J$GUOaB z=L$QLA>CTe6?P;;)@wOe*pUqB(sHh_Bj8}QoGa`|hID8-SJ;sZNo%>?-1JLnInAAx z)N*C+v~^l8>`rUfav^tGLdyl+X>D3gb*HszIak<`42f$wSJ;sZS*zt-VMj7#jh1tT z9m$ZGmUD$2$&eN;=L$QLA<bIO>#j?amUD$2$&jd)bA=trkVY*>-0wDMIak<`45`<0 zuCOB+64A1*up=3Aww85;9m$Z@TGkbIBtuqdSy$MR3^_~7y26fR$eCK!6?P;;&d{>1 zup=3Ax|Vf?9m$Z>w5%)aNQSJ`vaYZr8FH$Yb%h<tkW;j*E9^*ytkANqup=3=T+1fi z^sCdd>)dI}v~0UOZK;+`xYL$s**16DVlCV1PFtj9<L<PDTGkbI1e#S^))jUnLr&JR zuCOD}wbHV#up>~q(z33wBhbF$C&<#jB?^=%P@+JI0woHRC{Ut6i2@}GlqgW5K#2k+ z3X~{NqCklPB?^=%P@+JI0woHRC{Ut6i2@}GlqgW5K#2k+3X~}D>7_tWA%f^tg}^@Y zk-kT~s`J;k%KQ~B8TNOlH#?l(=|z?bEK#6Dff5C_fdZS3?W<RXGX!C(uxUnl@6o5% 
zF41e_(Pa7<y<$cpu{IXfPmQHp5D`|di#Bv5qx$T4q`6{oQ&Y4p73+*ns#p?1^w-X4 zMa8Kt(Y9!3G^t1Q2J_8^L|Zx%YfI@VmN|`FdaMlrUt5hBu{t8Z#!|>_#gEm~iM7$T zNqQRP=&`h(!dK&sdL-Tz=}zhOQN0~siZ<#UDFmU_BW-%Lts&Xno<>qbOQfwW8n4o4 zwWU}c(=7-ki*iu3QRgPqnSCo2O&bAc&HANKPosjYyi`X+%kcHAs#u;##CeR~W>BM} zzN#V7T76EWJ(*bF&Hk;7u1~WzCfZWf_3=b~bt~Fk9cgS_jD+@7L!>R)5s#*-Q^^MN z(HaD%txhDHiwmi?3n_lZ>;;qfjP`XXY#9oxVny_}^hH#mP7rE@-m&GqGm5)!4!R>5 zYtWaV8mxtjlaYpaw7BbP5#g8h+=}+bNSaYCsz=bV4UD8_fL}e8Xi9fQlF>=5w^|d8 zv8Ha5unoyrdm0o?*u?JEL5}ulGTyCsB5JTvWTA_IM$n1qeS9RHj<&Y5Si*W^)aXMH zZq#Is*kqm_O-Htw)UMYoYMI1x(0bGAzOz+fHJd7%CD&A`ZEugq8q8rmE13kXX2wzt z@dO)<#T2(E%d%)^EZSv~GSQK2h+-@@M)gD!k}y!)BhAq&eO_yOJlYy<OY03CsdS=M zj~Yd@hp8%k1_m3#FJlt%Y{tCMTcd0`#8R!8P^?QjkqNV`qb;_sBWe|qj5bA+=$vRZ z9=4@pO)->%>}&`$#AED}6Y7(RE{uYSdRI#<9@XQC=4SQ*mZcE{j>S`YqRnhUG|A>Y zs}1I5qu!QC>(TY?31gxnzflwRUI)q>bw7`8Iu-Sl(NT^r?rH2>t(enEDDPcZJe%s4 zF3{(-t-<8LSk)^>o=u}%EL_8JTNe!1Yjx}5c4dbd%7P$%unn6-DNBh0B?^=%@LxuO zfM=r+78(TcG2#pVB6yR~pgtj7t?sT|NiP@v>V1r~d!8VV^Iz%o;eLH@de8q5vK%Wn z3qrXdkm4<5Mlz8~>2)!%T6G5d#J1B3GZ!z^r$@lpPBi#T@xb}=2E4oHw!FI}noPw~ z;5^e4u_e{DGj_lzrD9QaZH2gR&lvy7D68jGXJIpAN$g{ZWVb$@?eVCF`4V`RNIkat zM*F$J1K@d;uFtbr6L2TV=(-MMX`H0DM%IGKHd$`42&^uRdK1`%l-`)Y{}?9_YisNP zf0K-*)~2c|;Jm+8IQ>INH;PA-<at|DeHJ+LWLqSzFN>P(GReGWOkRP^8=RCenQeVh zLZ6#Xw=Zr3FKe84*rs0LK3v#Y+{cSZJZ>F<ScA)(<t}__h4V|Za6*XdV9k?J42q^i z2l%E~n|^AvzAn+Q7Uz^!q=V5jduCa*HG$Jpl)aP!&xPX+m~w->?H%=CJ@K90dyexj z#D{vvJHIsBIB@B8=_DI(2Ghd}?Mkx2$T+k5NW<FZq)`j7jLpeNt98yYd3tbs@u<Q1 zfJ3d17$+_qCqP*}Wt0nkRA0_G*RB{EZw(M|ofv3|)^^4}8mz73L(%m(ou%1`L+#6Y zRs?!HtojE!t8dJj%9#mvqSEK%%wx_Sz0PEtXS1^BwKc?XEKIbS4YN9`D09lpY>rGu zxp*Sd$cAbXTy=tVb2<qYo1J@%oT*6$Bg-gbCFnSIjZd><C_6MJ6Y)4Q*LUL(%1)%1 zhrEH2!chRt3S*gAGm0U-9k2Er>^}?i>xsGOhw5U1s9fIN9@XbY(d?wYForWbpY;~C zq7fW`+0nu}C>zH!g8=Q(1{@F?42qz2IOHW`?7YYb!AefEl5yn2=>o?)V>nrlKrS}s zFnDmz#DW2W1buG`r)@{8wmoa_SU(QJ<(nFu?Vq(^VeMRukixygf@ox|IZ*5)R98zB zO--^xE?ct9cQBeU#5*vXyZMMV<|rtD6^+e?NqVe_T~)+VY;2%}HmsfI8X8OE{AN8g 
zpWuFgEtHXl1~%hy*usm}M8StT*xPA-hGeHGmXt`w&M{7vRk(h^yYW=w7@c25MB}ZI zmMZH)B9^GenU`I6fZ~<LL9r4?wo2o$SY07bR2~<<y6wa)<t$O4M1c|oK5hzZ2jjdf z+7vhLDow_jzNRh}j@!}t9w*1JcWe{GUc_`8yND<R4;1=$^us&zy?Jss8nFW>hb75a ztHo&=2L~FuOSoWX)@;Yh>ec*^Oq6e$;oQ+JCVe=$gu$o(_X;BDvx49mvtz{kuYGH> zymXkUYf7N%;yBmnGoxwaylYNZ(V_$ky@pe|P=&uU@izm1wfNKV2S%FR^a~OE)#I-M zf2E%i1xgesQJ_SD5(P>WC{dt9ff5Bu6ev-kM1c|oN)-4MQ6S*?HR7(nCxmB)lEF)r zZwF>eH+p|5-cPS1HzIlK-{WwvcpUw=&_;83^`1{rQ@5&W&+<UeL|m8jbUW|VisfSk z)kUUM(2;77HN+AfDJUGaGG)XRlT)u;xIpiWMGEq2Q=n$asZ9a6mD`Y3C!^_(B-DC~ z#BfG>YouFmiN@QRJ}=Zlaa#i^9Fu-E#n$8BZm2CnU>WabVnoQ@AS-TV^6w~<$U%h> zVzjCX`Z7I4_}x}b{nRI%=kL+bRncwjDF_%%CF|nOL|?5~w!rM2nF&*40D9EJt2(ou zU9oH)(^?3LhYKI3;qnnvw<qN9nYuF?KX>`^B~bmqSV>~InDX!KrUre>J736u#7*9= z;(J6>TLLN*4jrT7u6NAinbG<VOZ!7#XsVW^EIM$lAC|*V@wHS>n9{wWuif5}YGD)5 z)F-xN-xwoaU*oPICg|BM&@+~;X``XVaI2ZE54F9Np>NA?d1h``hn6yLMS<Rh{uH`( zvr8dpUMo{lnZ@+Wp<%WlVX56ibpv9o&PYSIJ`=VE=GdNY863ppi7qyRW9(f+`2vbO zP^pJbic5(ddk^d~pbiviOSQ&esL;su;w^pnNruK#yUt8vun|Egt3KMubcy1;CdHea zp<rZul`BX!7*;K<QEYfgrq#u&#rDft>!C|xSV`dXYoLr|ls;!k9rSEk+Y@crc~Qh- zd@^Zdn*?<`rhEq*4=A^_b)Xtas4dx6GqB7+8;wsGiZ{N%2cE@S(YTbbqZH^l!Vl?C zd9UPLfSFPtjDo;9En&t%MH*Mo5;F(oa;9$=MF+>gAvGGRR2XToX48BGT1QxCVMGMM zm01K+5@Oj~4CO883Z?XDgqhg@z$8e;z!jPLYSwyf@JB6BFY1Oeo9<Ld)79&Q@9t=u zKgsuc;(n%6+uQ1*H}>~BW(&hq(e&C*C`cMQtc*Ejd%sC?OUKP%ISrz8Me8jSCs3}S zv1g|-{Xi%>#v`ziNlwzE>4qw%7YDtzrdTu7xQtc7P#nYrgl48;KE}1)__ymuGSV@a z5~h&Zkk*&8m8LzBv<&QG>2B<-<3mJv<&&iL$NTMs|5Ubr)2+J})@#s3h5Qz)J9I8P znAV-yrI;J0u~`bnPU+Y=rXDL(#RM1Ij>VbjBDULaGaW?CGOUpm;)Kv2g!YfKg)M#v zm&<$n!?e%PF=jg9W~(re%>ic4T{cY7jIBo~TO-g`y{>M7KEY53oQPqwHyQ;!mXG15 z=NLoTvUjYrNh8=C8fqE4h?OCI=3^jF=@TUilqgW5K#2k+3X~{NqCklPB?^=%P@+JI z0woHRDDVkWAc*fjEY1?buZEuu|0aBY_>S;b!&ij+!`<Pv;WNVv!zYBR!+KZ?lh8jy z&xd{+dNA~z(2b!lgf0qg2(^Y*g%*cS3e|)vLc52&!8e0{2|gZtICxj^=HQouxnNH) z6>JQy2+j^38JrN@I~Y*^rM{#-rT#*_N4-rQQa`I^)K0ZoU8&Afk5La($EqRa-^xFf zXOv$n_bJ~}u2(Ks`jqv`8s!XSfpUUUt>}uTkib6!&j)@RcrftYz)gWK1}+Yq8)yxz 
z3M>ws6sQSQ1jYnJ{~P`n{Ezv6;=j}XHUF3Vm-x@~xB1WZFZECNAMQWczlUFz-;w_+ z|3Ut#e7Agye6>6%_sS``QC=a>mXDMt%KONQ^q%yx^px}q=^p7eX-K+E%1E73v$Rs0 zCmkbAlEz9Q-@kpY`kwXu#&^H(4&PUOSNJaUo#R{UJJYw&ccQPxSK%Au^LpR({>A&a z_aX21ykGZT=^gN%?@f5m_Ac|z@E-0x*t>^U65keI6n`&1BHkt5EPh$ciJuYIiS^=g zbV})`M1fBO1=LFwJ9PDp;w0tL0FQDV6Ax1__1h1t7%JQ75JM#!Ef)_}FZJ1I8AH7` zI!>IZUMkw?ScXy?mBb0^rNl-lLp>Z7o@J<DqfY}J+{jVSDdKo_@O&Fx!O-(;bU8!M zwb63%5Or{ajg~R=92?z3JXjg*F0}q2b#T4?uu25lWurq3?X=O5c%VAiVWWGA73yHx zM%Rl6sDmjRl|)?~Oxh@A=sJ#~xj@@(^l64BIO>@r?ynBEaa6cd++P`N<yBtA9>)1Y z<Q=CDuH`85j#CEL6!HR#aV#c|RR>#mR!<c}n{9N6p-na#68BRFqebYx%3x!mq<z%E z2K!-^2(;cthZq{M(Nn~|)xooEbOl3K+vswJuHvZhjJTIFcozT8nc`mR;F<iPM;7-~ z2hZTB@Q%2LI(RxqJ!rKucp85-Cho2duCyOkG4xa$9b)JyHY$l@)WH=tN*TJGqv$N4 zbvF96I7S&<R`||t>floT5JUyK#72i0y4Xf{7d3To5l4kL8M=_89=}+o4lc0KF=AL9 zJei}y8w{Oqqc<{i9!EWwi(zGOZlO{kb#RXTuu23v+eU{NI?G0H6@%*FOdCCxp))ut zJjc-KHhQ0^DucEBJB^~E4xYpxddkIsI(VXumNE1M8$CtztAoee=n94&XQRs*dMrnU z`$SnCJjO<^6D4KvX#Uxl=u-!e;txS{phw#1kmyqek0|8zs)N()hgEQ;Jb1W`4vAi6 zaB3m1s18oCA6AJ#Yix9gp_6SiBvN&-+D0XjsDo8DN*P+oQ4ArVlWg>9h91UIk0N^1 z!9zJJ+``a_9QA}mK^>f6qvPnm)xq&LI+me_*k}#?Kpi~TMkh1$ARFDCzON1*$Wh@< zhQj3!A$7G2XL+{J_te1yY;-L{bsLQ_bblMoF?5`bUdhn092IV(?<s@(*>t7<QU~|t z4?R^3-N#0U7`nHOO7vZIa4#FB4BeBX!m|wB!$zNGXgNnc<@6nOaCaLmqwgq#V+yr+ zTOHiZepp3;YBoAV-&O|83VGjB2gCNmDhf1YqeBc0+UPj?raGwF=vampw%Z!|hB_Fq zpH60IVZSY>ud9QF{kDvuh5a@_|EUfZ_S+D=1`OK!t?)X1RT;#7>oK}7M*pD>7Pi|e zh8DKlA%@!9EeQ2@b<o~!J!L@ih3&SSzM|#}+ie+rMag5k<==T(%@=mtDhjl)+YT|* z-fe~Z=u2uIyRA9Gfc{O*+uN=1C;C?<kL{Kh{GysK?6y@DXkoV<VrXHv-HraAnlJ3O z6X{>nd||h(qc5oWb^NoQWejb%(Zvic?6!*-YVWq58|Vv4-rj9hhGDlgtEjN7_Gatp zV<@&At99?wKdX7{wifyfeO}39yER`ulVR9xd0U@T^M%c}iUKWcwnGfXW^2vMIDJ;l z7k1md=rc+lyDcy2X*FNiY^x~H!e%?f(86Y0PXDCl?adb54iuZM^_?5(Q%WAYEid>< zHE(aWn6y9(o9z%ovDsR$meW6~`ND2n#?ZoUJC6QA%@=mtu?#Kjwi5llnzwgb4`pa! 
zw|$nO*ljJMKF!dj9QB++pHTBlY;*-f3)}5-hT7XL2L0n|zOdbvF|@GV?m-_@^4M;9 z>wl-_?cElw2U^%|hZu_8)@pr-{#MNww%fhvqiVje-L9v<QS*iER-(UF^M&n}GPJPW zKFiR;cKbB_bwE5=P{@;le17oB;Dz!x<^81VeEq(&e12~$dD8O%e)o6(ej1J>JE@MK z&YyNtQM+O>|K-i=oo%QkZgx2VTw>`7>MNii)dr0!xJvJ6jV2A9LsRw0vJPmBb#}y| zU~Bt$Zh`}7(>ofRNb|R$3uid_Hk`P(86f<fwK0V&I5F#pN1!yv6tFtr^vrO0*3=Pa zE~H^#V0r(Bu4<!cj{v9QhBxZ8p$b_aO?O4%NDcb2F|%OftA<fXQ5tgw-<3!j4%rMf zT*EcCrMW)IbYz!~rI}`=;ndF3&BIp><vUB4(r{}IZ9c={C3Eb|st9L_^f~YMJ#%-( z;rnT;(?UPg-nR0r#C#|v;FJ?etn(}f<c8K}vH8N*=0&39n<^~Yc@&r^GqpUI)2Aho zbPH3;gu}vAByLO%`l_^taOk#u_fQ#knC>zcLmd(RFQ+rZrj>PdMxo+<J*vNhsRi!u z)S+A05l_e9_+4LFIh*M|RxXCCeE53js>HM4elixdj5jRBRznjNkrbdzKFo{eU}yTP z?eI3r^kgv&*`xsm&GHodZ_<~fr-kgcHSy!fHLM>n%Wb7z3rC5Sa8uu~b`1>1m;!x~ zT@Q}a<96H+SVU$Xr(7mi3lhzT*TG6Hu1}b8%B;#Mlc&^F9zJdI;YXOB#}GdO4pZU# zp5<FJg{fw;!NZo5DOEK`R@E48C8J%;_dR{%a2Z<oZYN#y&<RGQ3S)6vh~+lXXs*i3 zr^Au&ZkuC<C#?RIbEphkvBRfKIcmErW~|*w1SMdGen~icg-7C)KH&s3VDdza6^xzw zXiEgolgtw;GcB-m)}aawH>ilLVK@v;b;FBls}%_%-K~$uf(n{cncg=SrkWQe7Qi)A zM|)~Kqtke}U5$=s^g$W6IRqP;^V=F@W=;eoU<PZ3B?Wt8pzUmyPKd6Lu-FI3=;y@R z^~!a6C9}f7_bMA;*-?2YLS!(Pp3T*fb~rbUR^u77Z({!*zNVVx0mv#-UHDp+QT)Uz z!_};QR7cH}8ht_vzBjqo&91Jls)P|r!w3Rm1oD7;sg||`ip9LFW+|y?wee~tNC}6c z2-nb(ZjDc5bYZTjpu^uBL0}Z-0JIe;&@0FAG5z7PVFO|`Mw=pRA;91s4+D^@R7YFY z8qlOF*&3@#)U!YYRff-6Soh7q+x7V7cw>`vW^YKOu-&7WkzZo{&;-|_(eW6c9|XTi z)_xo_y!4I#c?t}>|1Ow`5JYzH3UmMcztE%Gy8rfcm|lR#I9JMfun%d5X~1Hv%uO%` z+fhH*SVqhp$8u+#VulBRV^;a5!(-C`0rLv`Z717r;k?`UEG9l!0I=9BR0?MKWHTPi zXuW6Cf5I=|r2qNxw2cH{@_$9RUkH)lfy!3{t^SMUTcjhsFVj3Z1<9X^pG~2@)}X*l z`R52d-Q~TriUSQ4bI}eX;B7YMFN*I~@JL@2yvXoI|M6P+k20<fENN1PWBo#4D8%iW zn`n(P5Aul2Wd^jWW|67l@NS-}w%=e!P53XbhR=h8r%dKv5C9fvTeT+DdqiJc6~NF> z6?*n}g@@W!mcEGWHnDdWhd)aCjWX&IIQAJu47(%h(&p3p)~d{IX{wM}=c1hZ3{+?F znF}Lv#!^NbhmEdf(JW%!QE=uIOe`)i42xejcA0UN;T|1a81qhHa<YbbARH+~^$9S@ z1;#>If!i_;OvY6L)^)JIP3&yO%EB2IE4f(^csKKXGa}Z6Xca<d#M0wgL@!wQVWWuX zvzI|MR5xomW2<q`f&AlHWg^%nP_kjvg$#?A&6_iC5$-3DDcKc+sh3q7GsfPB)oGGZ 
zYs(Orl{a(NqSIhITpKqcVX&BQs534^h6x`A`!mCk(ug+)TSR7c7i;K71I8N-u4D$0 z%y1g~yLD^QiR0t0JGgph_pMQ}NU~{}DDOS8c%7Wl5=pX<fH+qoBw<6#uw!X<f<<Rr zv3z#rQO1oH8#!r2>SF{nNQJX>J$lI)A4PXd#!e5*#fYAcG#frs<}P2jfE{%ZcMXB` zz}O@B9WKg@D>&{{<r5~QMG;OA$29Ft^~F?#%>gBQr<M0s7gKU&rQu(qaybj(2=2{1 z?y;kc5o}?&b!`DN$1IA5P}kkslxSlk4VIlOPzN)+MX*IMZR{q<86ctB5gdUL)v)el zM2+!SAUq(4b^C$2mEw^s%n)}t-(up<TVk5`!hZ4-9mOjR3K|4-kiF-$z7~Z!C$7P@ zLGPSms=HX_A}U*v9Y@)qLQuKdczer^gj6)&ThJJ3w>f%e<5u-GD=hqIjj*SCNMW+r zv3qdm#TKJl!$VN<H02>I*)_>dYwc*_N3L8Sb+oW|T3?eDV72Ek7oT=20+Hyo&d49u z-A_?p+MEF91-m>j78)!*ZGhPfGvlGMm8XtP1h(MgCJ-TN+Sq}|Id2NVAxBHC(eVTP zzRTHoC*ivLq6R;O(5B(?-lfF@zt*_V(U(QgM1CzgGf~H{=W1#yr`8-jW#VuHh2PZ~ z+q6}VVZzURNr7;<g+pM>G&abT5t@i!<y94Lp9l(MnxZ4>Pf~{%Vr|5TorL2ZBD}ye zNIb^43Hz4S3bu)3-e}2Qn3AIzq-MJf@|icMGZQHX@q5nbYb*r9Jk~*bcKJG^ZrN<z zSgYU`j2(%GA@wdX9cQGHO<S+2o6hNLP?>Z08e#MJ^4`V8?fY;^S<$@YOHWB|hDC_o zeL`-wOZ52)OGsHH;dBgccK#0ue-*-qgr=z9Q2rQr%|B0Wke2!8dp-1a@>9=4c=%uO zgK4}$Va)H=yaP59c&90xV0YCCY}B(*O-D!eZ0tKn5!PAFix$t~W#+v)yBP-;!Q#xZ zt+G-#<u^4`Dr=6KGIdvNvsrmocf0B{I-^r2Ll%KrJ4sOA*R2RkEfSnuOagbr;)UHv z*;Sid9IzM_T^Dz>viIb^^|<YVlQ-OUd0cVMi%%Pcfr7ps&gGrU&0EoOKFmEAN;BhO zZm<8hQ7(h_&C`zGRT*u^6_pY0ajUDUS$$oq!2Byt6{6+6b;YA*L~7PWM{qA`oO#_I z7K;dL^RL!M$*$8NFXW}giVlllm`wMRqa@&HnN$1tS{P5ffzEL$_H|mvmsol4#9}%^ z;AchpE2gOXG|YJj>%xkOHw!PaLogHCvxtOdS<KVdPTXV*!^@CjGD#`!MA^o`{;kF( z2kWIoTXli!te%^$HS~F$bO`o!SaiU6I<c4z3m|J9L3Um=MmQZfch27W50dmz4v|8W zMtQd7?Q;;Mr@k+}t;=%i)3Pk5+{^N&gZomdP{%f(O=Dbl6C()RhUxQV(QOYyyK9Qy zcG^%J&6&<3I2Uj_hhtM;QenZa3_kGq;`upzP-?7pJhtA}J+{-DyCdt5QD5dS%?_dM zZ0X{@b%ooqsl_dIDR%8*?P9gFway$(>fPAat_mBC8*E7Wnv2_1ytfqgs^Q&s7qfo$ zp3GQHxG(%viSj;z-Mt_f<>Ea@7xc9EB@}k`ZOoq)#XaEWvgaZgGSh8DyyQ>Gx?ZTU zv(2aUwH2;_YKq%j+t|s(K#i=0MXDM*eMY6$#i0n<0iCUFUMY%RLFI<ObPjk<frjSQ zLg*pSg`tMvGeM7fwOXUxt(*~fC-AwzME?W+l>C--r0)@5%Ig(-kk$Gn`49iyDVGL4 z)BH?Bu-6sGb2&nE;!3i$z4*}1mg0(qkv20(H7<plV#!uq5F<W3<0aGfJBDLni<h){ zZyw~_%5CI<av$S2A>fQOHz%WTN{fER&1hpR)ewirWhM=cCt~K^D75gHNRj!AKaAvY 
zn%KUdUa!9uE#0)YQ&(qMw2~?I;R;os!Swc^&1XbhN5c_Lo{29l<ySk<C-;I2(V7us zo3*{c@oKSP4rE|bzb*)u^zm(pN+ahau-TP{N9aj<E4(j5bI;IfNBhSck-VYwh=U8> zvjnT4knv(;L6XYl%<S{Fa1@f$_Ktc8QBiJWeI@))BWieSs~Pwn8h7F(@jlP1+ef%k z?oTxZYULD$y-V-B4!)WpXf|%F99y~b%8Jc+ag6saVfyGufK}!+w#o#ZbFU7e0oYC1 zyqQdT0o_u>PB7SW<7&48!f?zTLsQujf5W^2%I#1VE_w}86eIj<6+{GVC1E;ndMngz zi{3SL4@}t=%imfbYcm~SLrKDX-H@QODkRM+V6N=ryIT0p=o<csynUFAOW3V?+#=fS z*!qGQj(C9N5w=;CZ<?X5?jA{|@<|=jF*Jsgy$u?jNdGPGDIBr=WawEH=s6m#=sC|l zWZ(chX$bmL4$(go+mByaxg-J2_h@6~^zQMd?aeaF>VQk`X2+uO#tA7)XWhOE!LDQo z>6n_1DWMyMtL{`sJF|VjV(hGtsT{yIu!H>5gr~QkDxaP=j+dd=z4aJ0Ci4;_EW$jd zI)Op6Ft#3>{tQ#U#TYZ9-+!fW!j89ff?PYyw;kN0v9KNDe@lQ)<2L-%$hdddsx`$W zvQyB~1>Cc?cxYg?Fl8GGF3K|e>~ehr^1?J2CC2O<O$Y>jyd$$~o7%J3usbkk@t>4K zx3@jRM#^^Z@SvF~CSXm0t^XzL#Iqeg+x7+H#>@D^>&jc(`Guop9K-%ozZZ@)#v#o3 z)Zf(>;h61cN>SD$WW)n^f76mMEoQ+7T3eY~w`-YwU;U+UWKk*G3Jyy{>uXF`72m-$ zW!tSe;Pwcv+fEuLWX5(UoXfcNg{>rJ=H+c&3zTP#@4?y$2Zbn%*-|a8*eN(BFxJ;l zpG|Yci3(8*ReZee_D_=6jo4pXwQp<oioP4V+=v9ftv$ANzA5sG;c5WN;Pj#!H&Iw# zn~Hjogx=Wh^V6_g#a4n{WAy(E1_CVLed$LKnEYQA?iE6>gp|N*fieC{>9@WYy{~%1 z^k<%X@nBc~={dJwg8UA4wT!EDYGQ7`Wo^;5&DJtdHh8$@TQd&K9rcFQTalOuXLU<V zl&VJ5n)>S22<~eljg5=jigf4;7dYFib-!fZJh%LEv)u1f1)QO#3Y!ls?>(dVZfYB& zLlrgJz6&h{i!v^Q8%Hf+G~!+Ha9AmJqZCaR2Ec!iH4gi-(W^Yvm*bkU_k?~gR0BN5 z^*B@mPIC-~BH6OzOg)@xz_9n@c<U2U0r&{+xQ#X&`T#Cnzg7KWK~_1Vn0_;iW4vA$ zhnY3hDVX+YB3Vo)OKv;LRiYq^9gP6YsAV*1*4Z&edeZ$=5xUv+J+zFsLHxxQ(HIPw z+tL%k5hJWzYjl`aS1hXDiAu-YJV6T7sxH)XWh!M<)7kEpexeBAL=3ToL(OAZba-B* zXkFZu`j%IhaZWbl<Y;T}@_vsh!1n^wg|+hDX~n~MdIxhbV%vTW*Ol8NgtlVY#-nY` zxIyM3X&&FND+U7*7P1YO)zBx#jWxpeF}5A|T8ulc$6RVQw1q8$Z??XSddV#s6scr` zxd;D;g|_GwlR(3Zj_dnjED7T*V+=V2s>6$p3uAIP{p+2!QjB`KI7SZ?B{y0MEMTY{ zt*jgQHti#vEIZOXcC@k2ppNEUP~LaGVT4d4^ryB(LC5qVv32{l!_@_jsfPJ;$)m*o zwnvGbHse1MJ+0M!=P3eicZ}8T=;BS|!|r#so)|l=l{+@^jSHyZ=YDUf?_5<lku|Z0 zy11V?vz8k+jY}5SEgx=IEWV333|(19rjp3i5!;z$7_Pyv&GBT@DwTzs-D&g~4M#X9 znufrNUC=sK!+>;z@B!%)q{Ad#DwhKAY5%(KMc-5KYX1}8-M-s>H~6mf4f-zdZSb}G 
zqQ298i+wYFNBgRL2m1E%1%1T(miHy^Gv42MAMxJfy~F!8@73PRycfdDeahS7Jqv#B z=Xj6v)_4!`?&~ds{=mE9-^J&}C&ZtN_le(yzxyHa3h@%LN9+{Wif4!34gDkZ=g=QQ zzY6_0beDJ{Js@;DVhvms`fTXJ(D|WMC>B~BS{|B@hyzE24htO++B2kvJi)huF9)9s zJ`wyy@PXj>gSQ252woMuG}sqBH@J@ek^CUo6g(riBseR0Ot3n55TX!-f>eE5eOY~0 zeN6qSdawFz_3P?2H0PhJeonne-KeJ3n7T@>Q|GG3t5ekR>VB%G`jmgszmSIzo8ZsN z@0DLD_bYcQw<upxKCcWYy-Jr7S0c(O%E`(}$~5IrWq)ONafLWvoG6YH$A~h0pT0&P zq~E8v(l64@w41ik2D*|iq({<8R6(H6H^^VfpU9)+MsgLo)PF1@6zt;<`$fbkct!CC zK0v&K{|h`B_;ujNfx7~?1-=^iQXn751kMR0#KY+xfyTgTfkkw>{9Is0;HW?)A|UJ; zPy-(SoBqG~pQgVe-}L|1|FHju{%`qj@_*U?S${vGAte3H{xcB|VK%*<^aVshhzE|1 z<?nFND}RfFqI{bP!hx?mWP)(dD_?DbaLp@!*~&}*C4Z5FZ_98?Ym`ghlCvEAhuq7- zm*ourt?MN-5x%132dw9xNNpGy=!<fPSqJ!PmD@}ZzF6h8R?X;ha+HHl%V(P)yqn5r z@zf{f(>eG%c^(IUAs@}bpUKlW_+$A{4n80sXo8p1AIbai)O+Q<P4HHFkGvO8y;BZw z@Vm0a!SBeT32vdcN^hB94&du1cqPDp^1R=W{?5TI(hD5?y7U|euah3*;I+~(Ie3-y zunFEkzbM^jf_(t*;Tf)wzQ@7Kq&rM7LvqqB9L!2Lb8tY~!of?VuXFHX>1!OkNV<uG z7fLsBuwS}?gMHFhIe39|JqI(=bsXF*eT9RYBy0F)NUwA)PwkPe;oxT^Yfxv%M#&n~ z8FIdK70+;<bR`GRmA=Hm4U#qLGvplU3p}-3`aB2MOIL8POS+tcozmwx*dblU!L;;Q z4yGgoQeaakLz0p;n=)jbl;^4KQjUWO$(mys(k2b?)K=*d4#uU6Ik;B3h=XgS3pp5* z`Z?GlS!+UuG)ouo)Fvsz!Kk#EgN@QA4mL>E<j#<KsfVXVq|b2hY-uA0S4-z}aFui( z2hWnu<=~kTTON$YpCO&Y!PBK~4xT2h=io}Ii-V_1og6$xvgUDytdP<?b-9${V4alY z;4*0)2bW6i99$wLIJj7{R)P#!B(;V`&&|8~#dxWHj=cqON&Jf0n+QANmpOQlY^{@s zP$B<?r|u&^%fa1cz6^@H$<{K6cnI=CJVQu+&;)O#7fV$fOi7g-ER!a2&@WY6pyyrb zFcZ9mZk7ZKB)9wiZGoP@_&(s^3zEkKZ>BlP+5>K;S!qw6nvtwc;%3k5(jHc-=M`xm z6Wl`keD82D<9pWv$*aD%IrxC@UmU#BXOU!!=Xu|oR;uSuzV}S<CeKTfwd366`J3e9 zsehHcCU_(5_F3!MjdZ=wTF-9ueBWoSXE)H4Z;hGv2C~H$<KXqaI0vuut+hbUExr~L zyq=!vqZUXW^AQX5Eb>{@xeggDN?u3L@LH6-jy&eID0!V{q4$0BwXe{XUTZJ>3VF-> znw9FA>wVP(hv;JO4>-8Udp8Fccz<Yto)f%xnc%f_lK6idJWRBP(Y5qY@vl5}qWGc( zdM1c3nBX;35v|4iYVr-yS~9OD*NfJgdNsLDwAR$Cg||g(A^kEXqP2Q{nLH|5YwDMU zw?u0py^4yWwK!fysc5Z;S0Qhg`QfV&@55RguOzREr<kc%l841pEl_w-Tw#J=ByWq0 zIQW*hkc0me7h52rcq}l%FOYwVCvosK@k9$0o)k|o!OxRd#AzISSUkc4g-6B1P4Eix 
zw0M983ipV*30_WK5XW-xDRF-eJ}i#2K;dq2KNI|%@DH)x1TQ1ci{%`APTZY?Pl?vV zxeP7d!%7t%633X}XUU(%eNFIE@{FjN;2>&NW`V*3V%P-p<S8-8!6!v)g~^jYiUFSb zu&7#~@D<T-f;mjR2RL|*@5dax+GnjLInS?r_xnZSA)efEzK1MmobM+lG|))DVL=V_ z77MDUH(OAIZn2=V>DMi2HT{|et)e$s&{_0G^UIfzo2j)gUP7*+Y4iCd^Jvn7rc!IX zTug4KZD!)db7-ptRnc|}s-)JQc@epst~C=cnoZ*tG>cjj|3Y#bU1fg!LVR(x`TW8Y z=vfvtm7Z-r?kBg<WoBak5wy;NrqQM5<36&5&NdVKs_0w`s-$x)XcC=eX1o9usx=cY zIFwGepo#P(>=W<(ukMyi{vQ;6C_wlBTs5aG3Pk;7(jR<_#24u!<Y~_z@Mu^5>D{Y; zcSY!8!v7VnyXskxy~lOP-VIg9rbGv{lAy+05bIn1(TneT3J+~TIJ^3Sno5+FmNKmg zm|qiS7htNgkNSQGI-R5S#%HwEtr^hk=^vvo%>d&*&tWRHjr!Fe;nm(~uCmP9vm5?` z9D78c0L}foDFSRr3~}ee;!92LcgIx3-P+d>x5M3K+$r%2&rPS>&FVU?@_P5_*AxNT zY&8O$yE!Dg+oI35b!Tt4cH1s-(P`-D87g{C>O}g>RAC{bPA}ZtIBd9ZF$$k|dL4Yp z!)cnK7Ert@@PV*Ba?wV(4L96uK+;(sfn5yT>qQ!1AjG^;;VYx{a=X(=y(4$*CcR8@ zIf%T;-yh}*D80}|a?CeFL|QpB!E~YwkK(4)s%|YtE_KeL;b^bL))oAGI2E_vO__!w z%sYVTZz`UE^Z7>8LAr5EZ}<gAikTB3FPL^JlRaAr%!B)Q!^VplaU>J*I5NW(UKH8j zJ}e2ZR;H{v(%ufkCBryj)Jy*8G+GQonshYDU@O5oI-|FyKLpJ<&GKyF=!=nUWnncI zGZZt6vzX>D#dE^$lTWoHi+OD;k}mHmOZ$T=6N14-Cfry!R#D3cpmI6PTDiT36^3D0 z(pbYa3gbI7?uuz_XZW!<Mj&^=$c7|_S2EF_G{U~HkqCX8$~5~BEblttVHL(k>>cY7 zEQw5~nQ`dQ!l2}n9+75+8DT7fI7VVmv|lw$?x!*pO^0OB%06-!i(%G*QLcTXn|v(Z z#)#f~dynr|RN-W{$@H9B-s|ucXBuoKlHL0BWTJ~jCn+8@e2=kp><sfxmb>1{4V{{K zY$d`V!he=hO(Qd;T#Lo513W1kA91Fth4s%^5E~O%6&a@*YisO)JzX-ES_|`@QPQtS zS7ry)Yiu%bDmX_<tUplDJ#qM=bK7PV*_srM5sQvHt%;-JQ`g09F*L6&cAI4#&~ak= zNIebxeno&Gk})kD9Ess_m?_6MqX&mKMJj4EUyMiD>d{RM!%)gvA{~9YY43g+Ou@da zoxR7q=D*vg^~`9K;VzQd%PpL>yjGvEDA5L^XE-8{F|W{up>iD-PKQDjCqRX@<hn~W z7hcnME~btd=tsAl;WjaoyZ=>}&;dF@kUU*N@I_hitqq4gU9>Lv1LyB2egP0%A^iFi zuf$HRz@}<H)CkKn>zsB+?r~eUm4|mW#rY^NxpX&J^pC-%JN+BY3Wsgu2sp;DLw0$r zK)i&JJUAO&$}Sn`U!-FZinH`nqQHM61$q|wnYn83H20ck7-Nj&F5j3PyP$u3s0m#v z{PMr4pL)DTT)m#doc;45j@gaAfsN%(^u$hI5CrcwyL|X>B7dnZB?^=%P@=&0P+-^q zyDJTodi&<Vxb6`T?mfs4;YazVF6Zjb{ln{XnG1v2OiF6JP=N<}JH!?24x9yc;9iYz zm1JB^>1NzboThm|2Yo_AGRnLmAj%H{haoN~Zm(K#ugPvInOikj4zkO1l!%a`i<1a7 
z!#$MYsc}n+M=VFg@))+&H`vWrI)?i#7M=n=$Pg|hk&K;V`bsj4&)5^Y*r-{1yu@>| zt1;^)mEEAhi5ya_2%>t0IIbrVU>6m*_;r%WeK6aOYl`9%o4c4#`d&iB#SD}GpDl#` z777LrR~IUW`+p@rCcW!x5I;w*^_+-Dqx$JNqyK;ryzX=NTDHrlq8qJU>Ke~<O~tF} zxZCPo)vsH@GkPUgL@g$!WpM?V(JcGdj4r|gY+;xWclW!TSwvz;GM9J=!_KCX6<3&f zA!9=y9>icuzSb(x8o|~*76y3=vnYvZEdbiB826^Ut3HZRZ(I;}>n(^hW%!cXnF6iC zo$zQbOhK_Fpp=8co7(&LS4|C%O&#UEwZ#(r6<C`P&=<lOd-2*46%Q2iKep73Rs^sU zR91N3L2G4RV<L%vShvGD0>Vdbn%_UpkkwBWHg&mV_58h}J};h2_D%5rUZ;*ap3>;< z|9Qu--gM63G5upz7M26o|L}<K2wnv{{Z6*d&0A9J$+c)Bu=~@}!(uWnNJ;riwt81G z!Cbv!B|zw}!VQ0YqOlt{`_NZlUKLv*Q-uOR2d4Y{x+T@M_**h}34el>1Ka>qHNb$d z=!DfpY6jNJu<(mPmWy%9JUJo|x)Gh+44`Mq>7Xw#YWdpex`B!9EvnX<x^D#~DMz>T zoYudeVmb)`zvGCRyBJ<9L51l|F1@m@u6Ta!?2UPJhODUQ;wDy2xO{LnuCsq%Mc81e zeK~?K{6|ZDY}j?}@E19pbB|rj&4pP{N6ULx_wS<$aA%6y7IX>QILEcML(}1A9Gf+t zpnp@wH;=;G(&%TAMXh;_Tj_|D_wTKmQ7C)-E|$bte-^VixXdsAFf*qDBGRT<Gn3cb z9z8+mB4*5T@X5G6wp7*CEzl<zgcyBP&Yi}lwX-Igkq4Xt?Y#^Oazmi)n02-F@U#sT z1S~5|gQ7TSUNMpQa{q~TK8uq#11Di<>$OHBOtr$bxUA^kQxWE|#l@}8Vh8D51_quv z=q_&D&R#orM0Jl>kk`+#cJ!RyzemCQkwbgM(jXmKNpDwZoLNa$M@wbG(Yju(zufQu zG*#H(a*AX5c3PCs*`dvtzO&;Ihk_0tnOyj4`<1ufXu=!pl*as`vr7gujznT@Ec!|F z1ZMMiMIA(8=YPdBQwTm4l$CVg3jc%hp_1UO6;C7oL~`k88z`{pu>MIZQ@qA;WpCGU zWn29B54ZXLSGe>4WLI$(^ML6iL8sR-<a_J;4^x>*05~MLKyz$U!v>ZZu77rgI1`^J zd2LFKbi8QnKeP}s#i4xc*5m^|Jg+p$2JReg2Z6rqyY#wstfr39wCULXi9GICLwWCk z#rIRQ7A<3-vwh2Cy$+mv|$^yu&z6u_FibA%kPAapTSuH_Z~*1$IN)jBCObKiNeW zG=`zq$qGgojV2uzd$AN#W=9EaEJ%srtudB1LUtGr%_r9VxD}EQY$l#r#hN$eI44`0 z?uNEJzdSc}-}SmEi;<K{9HSdt=`q#S(Rgd5rOI-N8cS3oIy#GsfP4SSXfl~dRw5#9 zWjoVltRC&nQ=w0Hi2Gp`b#!0vA^j6n;Z#Fo7aoBe;fxGkehKV0TH)<6sV{+TfDt-% z7@n>ISG<sxut?dFHt5fvV`}4qe@~*LSX2nc5wzQ7!8{~}yIout>^y>u^5(VOZmHc+ z2c<Uc)jwV}<EHhtx|U5wDdzjzP+Qk)J7Ftlj6J5s$({{IF-uj`;G^u55a<Pc_EE$( zFl;`IQlJyf?rN+$@tV|Cv1*!gEe561D7zG50xF}knMq4ST1V`$Ht2{ZVG?AF<8=3^ zFLeszcC_7;s!cIY&e1nL3;PdIn450nMB>yWE_TsBOh4?jHFihlqhoD#s79aGfA9#G zQ*QBQ(eAvn&mg1es+EWb)l%3viW|47tp6Y=L?eC(j7-ie@10k?XVjT47THEI$_OGw 
zgc<hmvhyb0e+(!x%0V`|yPTC)(3R=krUZ`d$Bewr8MLhbz(Q2W^5PyD{=#tP;)TrZ zf3(q|h`w`1U}K_neJZuh6UxdCi!k>!=;m?#6{>I^GmqXp!!^)q3-)ZL$z#zCyfZR% zs(9HL)<n897VR>w-;M1a`&>7(!%JEB<;-5XJ=P9MyLl&qT@p-(T@Xwm=i&+%USZh< zev&!kMb_wg=2Z`@4IU4_Vn_7WD9kF`VkunxCm1u-$)fy3^p3U|MEkl~7h6A}8V|A5 zL)#ygRAz7n>*jufVPX?aPGt2(HNdSP%wDrmoyKU|F#HDZ#%gEoPdeK_4AzM8XmIqG hVCFn5gHaQfk?s7W-ZXZCn60RnA!0L3TOFdd{|EB-B8mV2 literal 606208 zcmeEv2Vfjmng7ge?{OT*aU3TTCyuSeD{bGk6DN^n*%nr_R<`3bvyxWQ#;aX<cV%1Y z>l7gL4k2&>j&eDAFLwtVAwcLQv<tl-oueKH{D0q@H*aRPxQP4-cdYLsY<=_E_rCY_ z_r2`y!9p#sPM0flxtbc6PLpI=x>8joDez=TlAeeEQuuER{#%Lv?D$XrBkO-@|G(&? zJF+?8%1B;U(B^x&f5`hG*D}wQ-uqk?_aB0941L1?H0}SKzjFSneLo#Y2Ll}pbTH7t z05ITth1|;#fxi-WKKVbcjC|h7fBkp&rT3}Qx-*<BH!YW?LTM_0w0fur>3ATwP%E>4 zADFD<4@B|9;mJswmxi7@oGV=`ySn7NcGPkc#XR*`Do^DP6bq$;RqMab?HlXw9q(7i zd$$hut5%r0!Rx6l&ga#=y<>eld&f4aUJt%d2ZqP{cl3{`!z1JB@Sedz`aSjE63{m? zoE;zQMH_YgAX}U<6?JrMV5oO&zq+e`zq$ckZ&V4`MID;jO*gh<-Ox<7kBs#X>=>r@ z)Vxa_>)+l#)<4|WpQW{^8wyh=?u^Zc&EMP|n~1qT_C<>h7Y-em&lM`_p5cMrd-~1G z@OE8#mUHDu*YS3m4bJw3ZMtcn&htM_a?}1F+rPrKa>WYyt`%%IsRjKPu<V>RJFllO z)p8d~xjD-=R`Zj!Lb+t#+3LbXi{I9AGgb3fhx3(cL&K>&XsR&Z*k8#^Iu=@?<(m66 zZ8b=Qt;9kY&6^0Ev(I##)ABZ|eERr{SPBS=rm;~qO>(2k7t!VIT7RZ<<)tgyZ4ixd zAWA<&_5I6TE0-^q?^vZDDbSbQvIUIb+U`L9Xf0nU<%$QeL#Fd&nwR<4jr-NO4JX1+ zsc>i^&yLA-Azz%T3hLA_Wtt3-Q14piT6xJO@-YuvTdtU&n<z{k;8<$-r(#)i1CTfd zZ+4)xFsH9*Lp;`Hp#am4H}r5|{@|pQEtvYlT(_L=T)F#_b{p2%S+wC7Hc3)0SQ=05 zwE8>2z_Hb<Tr1BzPrlQkpL9cRGDf|@ast-k*lQoGZ6z<)&Q!_^^J`l&WnvhuWU1wF z^A0wWJZqF?jiRUNTeCppz_v2d{4I@TmVGo+5`EsT=-JMd{pYnifA~(rg(l1xx-JfY zaOBX>CH#NqPX_}X40JHi!9WKC9Sn3Z(7`|l104)>Fwnt32Ll}p{2#$UP*&E(CsWC2 zES*V5b15&@)v^Eok8Eyd866CCFwnt32Ll}pbTH7tKnDXI40JHi!9WKC9Sm>`gly|P zX8YfP-#bFzCg|$WA40zl{VeoD?Vr3s=YKjF=wP6Ofer>b80cW2gMkhPIvD6+po4)9 z209q%VBmiV2D*+7Vy3}kbY<<L`T%~W>ty*mw<^K+OO9X`f0w)=HTX#A<H2l*Zu@us zbTH7tKnDXI40JHi!9WKC9Sn3Z(7`|l104+fFT?<hyt%*TwEeS=df#e!EPrUBfZOTw zm2!Dn#s3#j9i>*NEz;j>vw5{jl~0QK!}+3`tEy8Al|pGo&6g_WVsQ>%sz+w?CAE^D 
zEThf@fkwth)pA80+TI&aX2O|NBpF(iR<v4~d%OL%)k=S<x`6Q~D~t2B@=PT+KU<ho z^C+Q#&a3KVuB1-n)rEOLrt(wNb0t4t%uVK}qOn*wmPyOI(YNa?`?}R~pV7x+G#v@2 z)3GxF^rh{&)ynv6C6DrXb0|hqRI!}OBGoi0%#_s0*<5KRPhD5%v4mPYfu_lX^lG$a zR(Gq(Fa39(9{cXq%20l;Tv^<xW^07CjcTqmrS2)s<x063EVB=@%%oD`WHK&2m+t>> zmF|~9-weGc^!(7_P%e}V{yzBW;M0SX!EoRgf%^l+KvzKaf8GBs{|o#z|2BV@Kj`}} z-$#5m`-XfW?{~aU@(z19dLH#W+q1*{NB8^P3Af+%X;;-X<XYqWqVq}4wByH)=Q_q5 zmpWYbf4A?mueN>K_DtJ0<?G7r%3As3^1R$DpDBF_lW6fLwbd!D4jc$1V~KDgks88M za;R6hP$hDhTPW5F>U3_h2K=H(6R4$Dn9NbJo6CBs-N8USkqW00ksbL`zCsO)<?_LW zd8$TJ$%6!r6l$}mNHaZMm@E*%;lE0GezEIHYTX}*Mxx<ZG`*+V)UaGCf{II%`S2C= z=};gUjfXRdBz?M2ny=)i3X`lvMZ<_!U+%)^^}xDhA|6h}GW0zr1Iov#0R1c!^J=ZE zR<R;bO(`F)6>vo6bJgmRa%GB&;}kGgwnX({ez9sM%keF&Z+TrTk_yL?3DI|6tpIQ3 zIqG>v$3&r2s1<TJcow{=lb{Yuuh(A2dhH6NfXY}bJy@P$1Xao3fI3AuG2sQQ0SEeU zu88tEG~e(<t_nh<(^@MZ%$KUHL8)9TOw++QT$s$Ov*qGczS4c&rL6Z$u))c2JQeLV zW|LPZ7L7jG)&S)d?0vox)@EPBDA;|fd4&JBkb^eN<Yv}=I*>_3aqieo=H|hV4x^=& zE#!(bW$eQ2TvaWUbTpx7DqV!#1i8^MvTOhrjWt#WHnBl$ff$iXB1L#-b7@JLG}GMF z92QWmfg}ru^B521hwyQ}dPRn)=};h&PK6Wc$ksx6E{{VzY2KxBrHVd4eqfm(oia`Y z_>DGJbs){>LiCl2MYokvwTpJ?a2|V2JQuW9AyOAK#o4a-H|MvDn^QEGnE*Il80?n! zM4K%>oyE*C88A0?o>bH|s?u&$3rRMOz5wUb{~skmUxKE&7)WNKVGt1^pB*R=y(Tzt zuJXi&3sr0_3Z2q_Gv!(hqD5awH5R8%_61_#?5TJno5xl+91LxVRnQ@$oBY&@7`0gw zz-6j%G9KBNt8P}uw{E*4O20mY;}QWuC;Cem4)mUz#P&kwl!?O>i3n<yg(?y7e6CWf z_JF8CTUAKNeG!Jc^8y)=Q#=}>74>fI?d#c&AJh;WFxN8;fkU#5NzaWWbV{1I)L7#f zeM^g-&sXLORVoWs9q8e-5sxIosZ@HjQm)Yv?j0Rab2GU@sagZ?qGjVC+{lg=&AA6` z$zVDg2DXiibq#mZA{W-DqRDVNk<fe6dzpgNC#JlpPE^WAh*$Sa6{<{(gKTTH+~mP( zU%510m|37BP%aIJ+0+7oR4NgUWFk7&m_+65M4y<({3goa+>p6@#xQy8)^q{&yRhZe z@&eGkZ6nR^ra(L%fgFz#3XAz1)(0VcxKPYPB#&fiPs$5K!Gx&lB6edACF06+^I*LA zbyxQ#)XPX9p2~nK;;nk2minO83ooYcFV(--7tt{CHC=42>zPbTMdE{nxdPK23?zfG zSm~w8gu;A&l6_O8!*AXupt{<#01~Qh-au2B2_&Mia55Fe#vBGo>5H2#=8qO83Mgs_ zhJl$|2f1iHwY?&ciKfGuNM>8Uw5XQyM;ODc5;LC4Pv;<V>z<3)3T|2vNkzb>VuYB! 
z?AUfv^oXLcp@N`Hrw9}^y-;Fch>98%l-v}K8Dw@CUzJgSm>TjEqHT&sj@S&6d5!I9 z$V=DJoC|?yG8Rt9k{T}gvLNjkqwUc&AEr@SCb08DwhlQE%Ot=%qWXqmT9A!pA}Afr z+T4iHs`;5pen$H@_GxONR>)U(UO>}0xGt590PTW&t@t$`dOGeT28+4He5JQCIg2`z zlXRd5*0MR-0#T@F(In=?RM^@qXr1%5>0F^0uI8p8IGC(rDr<}V96p~WHMuDXPLxcg z2J<x)vahJC4;5(VVAm>%qB$(p#3@EWNo@JVYE<yfDO8J^QB~?M9!NtMOQ$23U*2n` zL1Go@^XQ9QAPMmmNyKo(tB`WoJ|b8Qt&uI?PTFjUz<g<@HhayvY}KK4xRx4DMB_sX zwS}Bc=KA(qW^WwRZgq%O0FGsx?y4E3U2AAo{ecLWRU{Q>3XH~$Nz;OQg3X2$rnO#n z4t;tskWAv!M20>k&I%S`D2Z4F+JV85&JS&EHje_6P|l#0tftmOfhfocB*g|Q7PW1o zBUgdxaTxT@`+UOLY|#!)If+Kt_lEvM_?g0qXS|zfs^tYVJvv`z%CB|eU8}S;CP=MJ zXiAz@;)t$RokgFn3nU^qGLaOGs!wdyN(~gn^6{S;iL1`!AkFqM>z&;z2s8qD6$?j_ zsWA{0R2G^l(FCE^!~|$nXVCYn*F{pXa3&dnHP-_*%G{&6oW201Wj2N5F+vPfGRx6j zcRGEs1yVm5PDC=M#!!|t@q>Y@>N2gPWDIgWn(l*MPSnICg(i+JI*q=#A`pdkn@pyN zqy@c!6$$$74bgYkt&2j>k7}}D5+7E;$(X1#+R+My#$iTbEXamh7mveKNM?X191c?T zi;&%*CO$Qb_B|5N4hAR^25%&N;)6jv%IFNlr!g9^W|9Pz&3>B1$huepGA)tXR;W@H zTBx9$xn#40J>!E}y$q*iG6^5Gy(W-Or9nB-y=06m(itv;IZz{$4h?ZpBW18Ov%yQP z`XJgfq!1Ck(YHWuiOULNXkdNSUJvVkeF9QD6;JX0*~j?`j0YwJG-HA(Ph?#eO5iev zBC+00UGxUf95{yd#gsKntcU^U<`znv`&Bo)=tF3?2|DRXuH8=4hZ9gw=!grPkXS2E zmWzzrj`xjT?4-6m>(Vg{l7gU|FP0Y}ooeOza<M$KXx{YY4yP0dtPgMsoh2v4;u<@3 zuzY<imI2X4u|f;@0vmxh1rj)hnM~54TKGtqW<{jEPN9#sFqJi#%9se(LV#;z`Ya5D zFnd#D+ML4ip;!8_Gy-n~Z2!g3WT-E+E~Es%5`1g$?%=i3mx7yvX9a#A_;TPKf#(KF zfkElxflOev|3CZ>_@Cl;_&(^n&sXsE_|Eix*!w(h+Plp21J4INH+!-kr~6ax+uS#} z2i*bJ2V75e?UY{aO1lEik2#<3%sS6<e8}-+$EZWL-*2C`Ut;@>?di5D+ZDD8m0v3F zQ=X|@rJOH+L;jFlln3Q5_y&HV+T*L0t<cq&sRN~kYZ;`e;4sQ}z;ob`eD;+A<?_p+ zgUe4k%O0h_59e#Jn-2;WEZ=pZeT&7JV__GZo1A{SeSJXp_-H%kSZm)z?ZhE9?F8Q@ z+j*F!=@SwW<hWYo%xBqEj{5nl74$)3gInY~_6%&}ZU{!Hx|fOxKi!VOk%sY(nynN0 zif)-g<BP=7@J>YJsk80t(Jwq3g?t#t3a23&g~*Rb<=HFkRRTe^ui&Vdc&N$^2q<>U zSO?Q01(JClpwMLC0E<Q<(w9>3Z^_ib$q8~U`Oiz)53q6B$;_))h0z5m0^xB~{0)z= zg2YwQ7ol|&7b7Vc|Cx;RG3LI)r@Yx%emW0pwGtjJLv2|U-^aj8Xm$_B?EB2a?97fc z#$xaT(If(f5KW||k4Ei#%uV{Tqr{3@w1_3su#z&;M>u*--y||P_|dp@yGBiB#-iJY 
zI9rK0jH5_wbc4O0P-x;l4FVAsXE+^?k7!;~<4d?zAn~DOP7qUX5TaattD^WQxopS^ z=gt-?RXz_37U(98i|MSe`t!xbC?s?y8tqTmuK^BVm%u*MFiYxGu|T@XK+gy$mpN{k zn>3w)D>R;vzPQ;wqc>`p3eys&E1=QIB6FjW`wG6s2ziW>Y5BTM_B=I(7mEoDi^@gb z7Gkhm7BG9Zng&6nK@g8V(NT|@nu1zPiYe*g73P|OGmm&0h`3sYMh0CO?j=GA5Qy1< zH?uiHUxtSk-%b$)#nLf3J?y9lFu-gcJbwXvoOyzCq>z*PKt>W2Cm;vniPhHT)~mW9 zKcn7Qm{%vta}(9BXeu5~Ml-VJ4%T|pEK#;QBu&T-1466OF(fA$YnX^a0K}5gTQ9R8 z)Ms&=c2Lvds4Op#A7LsV1Cla01#cO1)K|1>O<P}^Ex>O`K88iLSeU5fDmdMZ^C5{h zRR&AR#L3c4NpIe4FMwtlR>%YtjuK(lO@NI}&H}LlL`NUKkf~n#f<BoEjb+n_x@&-Z zT{GY_#2KfH<s<5meC}Wg$jw(1ptN*4DlbdguM<7MtcM$cwPHTfi9GfM$~u#|M4-_$ zoNlq0^zXg)BQ#~^Z`UWKIe2OF;I?62N}>zGi+NRXFw$fsd21IAs?vu(HLXra4YqIa z+En8SI8LHb=?$mZS70pIpAks#bS%BF6@x2Vi)By|xF{6N!i~a2q+Lg+Dmx+YH*mj? zc2=rsFs39T0>5Lc*1E_ag-e*oxd-$+ukipuoYU}MRFhC!Vu`r)r(KS^OCMQN4xo4Q z*2FsKYpA2OoN-8vDZtMI%{rBdV+}Fcak>4_YWdWCj@((9Sz`}lCJh@FC%0TAD!uCr z`)WWzXbbaIIxgvSO5Qf&sE1Z7y@$*29BYm%OnHRON}bK)EHZChBkRLAR?9jOffW#q z$`>%P!@DzkvN&I2IDjIDXBP;&8SvdyA}PIX&{6lTmbG?*bg)k)&C|Y7BO|hBv`YGz z05+AxGqW74^W?it!@NvoqO%+9efpBXmo3Bq<*+cBi3204xb%A#qJrK=o)6))oLDGu z3N=U^?!7Acewb3gLKfL=12NzbhNkp>CWG3kf8@}FcBp8RGK`eGE~hwaOhcl@VhMS4 zo&5@6!u%nvR2Tl-N;>UYNBxq9&;D{}Jr4m~%7nUQ3Z#|mW$_8~+;FI-u<z-3QodB< z;+8f$#}R(eXb9YAiUNF?V$N{8R?0_NJRzGM0XrdYOa@kBA{Ld`v522pi{}RMN+!s9 z$zz4FbdQxudXc;s>(7qsW>+-=A8tC4l76Husz@A<=~?i|mw6nANInOQbNLN}048lj zK75hA7dY0Mz-|G@XR?yVf~wI74pAgsV0=&eOwjIZzDS~SBN|K=7nq0y3{++@qEoQ5 zlIirGy5gvVXKQ`1(1OmRG+6{4k-V)MX|jM6aZnr&`unBi0jX$Q8Djzib0&5T5dmK> zdA?{5!H3J_p4DtPT2VYgtT!!vK(#0J#TLn&)R$6?lHr?9<RkVhrU-|jAq!aNB+IfR zy`yNcNa8z@gcyPd`|TCrW~@P@Ymzo;l4;9a_qFU;f_b15(ofC-JCorX?>Um65c?U0 zz=m>NT5eypnrsccz>y@+K`J31J0DBH@3LG|Fuab@G!*qzM9#CLN?(vVrqO}%Rg#p- zMC|Zdds^#;eZ*K6*QcVeH=&WreasjU{Xji23|n%b!LA=Z&knr_pX}MO1N0c)H!!|) z+gR_u47f%t8IkMf+It8-R;V6SdrA6MNtnhV&fwvYH}kc?)IxB4PDR`m`W$@`iy^KQ zP0E|}FPKJFLfo6J3T`g28yIC7Im5*1<(I?Yhmg_2XVB(>eBGgl)naQ?(u+3QchO`9 zN+j!uwz$}Xjv$=kNsv1%E$NvT*@wuq+g6@jpa~hCS+mwEC)eZj&}Z=970dJVrFxM{ 
z<_2p3vLcNwE<M1}4I`eZ%&;<ar(_DQo>(R+-Nyvm<(F?I2?azUq)Ti(Nx~y89b;x+ zD`%+YCRJD1FQNGobE3Ek8(u!L8r0=!w8puSeuJY9MPx%3`bC$zk8&V1g`Tj8lSBuA zUMpcl2?<#sv~47E(qgb0MyiN-)pRX{aC(G%%tdf=bd!Q@6M^vf0oDK8A-zY!z5h>! zUL4vPS{D3#@D0JI1q;Dl!FX_a;75V?2A&Q-$)<qM|1JOP{WJcve4qC{*|*QP&iiZc zd%cU^t)4%6-sZW%v&H>8_dDIUxc9l2xgK@h=bCq2;QWpAoz6w)fHUOygySC^M;&_| z7sKlRg8h(v7<mAX+U~bqrTkiXP`N`%E6ZW=-zx8teV9($KTM7>ug<8WzD#6zOz2xf zDrI#&SQ6Az`0C*#uPyd~?O@qC(g4YG3t>${MDy`i;~6l)L_~Tj;}?1epbFkHmt!7# z7_2?`oK!e4vS}iZ1?H;PjEWQpDVB&yzhWG|x&2i`gGQ4c_TmdvNH|KP(r<W@3K$Zm zRHA?$+g14GxwdLu7tKD$bfp{s`6Q_?k)(9j5ZN%YKJ-#!W<2y3zQBH|(OE<6ibujO z*0fH2#72%x3|1G{us~<aEY1nJMJX3#IAzBMx*&LnDN1i*E()V7VgW3bKqF(4971O6 z&P*0H$-sk|hBE$3CK>b&W(za3&}~>62M&m4v}uNM8evZaYUP_J9CdJNy#<M0G|<B$ zB-6ltv|#EKqULn!n9_xGp~i1b#?=OR61q|l4~a-zUfAKN%LW!tJ)p!RQWstdyHM<` zRq1UTPU1nR3z#}DR%wj}0Ij-=Z;U_lz;)C@&risX46FQ5a1#t_5A*MrW=JbUBtiNq z<E7l^O2)Y14^D&CC*m=A*Oa5aiEyv^WvxLBj%FhfgIV$zhs7|N4uXR?t!0s6V_?z} zV-w_;#0De5N*=t}zQY*9>N9|A0PLVfwkDFG<f{#aGG8Ngu?R(n$z1*+lwyP+qVoPr z>;p!h6m2e%LT>#Qe(?n4^HoeX>T5Lj2E8sEiKON2Ot;g&Al1ks#H-wW?GD?A*r25Q zF}0ELdStEPh*3@wldK3-K_tiI7_+?5DSgc)D40I%KV|?U4gg9v^@2WNd5}0r!a1Cb zrsOl2erxTaL|!7C5Mr6t1q2IcGy#M@A%-$YHHxRw@|nzYXKl%t=FwW1*)HU~M?fzE z?FzAFdF2-S9IcE6AIh3l1@49wF`pMRl?g4B-GcxUKgg*xRNi<>K6<&mELt;?phN<S zW8h7x3RDO^o1qG=1vCOp9ge9g0>rS;V$z*V-{6B!iqHa4tf7`C<7u|C%U~RORx4I@ zgDg;O(|E4HdT7U7I{@<|%aD01bagw5P*)1d%a<7yS^HwTw8`O?qD-h*TzVrDNcy*! 
znc<UTeyI&aSY0iAXRt4$v553l=H(OZ5jZ60QH|2ZkZpnx5kkL)T9?6UAxpl}Z@<M@ zEL$Yw6R-f7_no<NaONnvk*Q`-s~CYZ!Ak~ICY_ePz^q79#t@`07%bt1((d3o1;Ivc z+ysxJZ2C&q`PH_0MLZWN#bk!5CBmx6se!L<5pSqrAa(={KZw2!)i?qMX((;q-e$jv zmdU(wTC!aOD*`QWr@;o6!;-IbG2b`{3V}p8?Go}6H{x{a^Vd6J3&aWGM`kLYPJ`kz znX3mJb(=BdY>o_oQgyL3Ig9Waiy;z{aBxdl{>*F`D_USj9Lr(IO;K(V1m=@=QcwE0 zOUdlwxnb#T*lWF?@-$rS%o&Fi80HzSL4<diB_1W78Cf84=)dV?Y>2sBI40@%0s(p; zlXe7F8PmO|;DRa?s}Zos2<(rw%xcw}u?!dl^Prl6r>OKQpyqoO6hSUn#J!o<hD^p( za>h(OCl|Nlu|5~$ReWp~PZtbEGr?*5_KXcufSjUB(=23Q{hrZ0w9N7X)D7lpfUPnS zg$V~;Qr^l`lH;_Xlq-x-Wuf3qM!pgXl}GGFp685-)x$lmX+ss{hcZ|HEEHPGuQGFm zIGnffbY!~Ez9<Nd(yoeSSO)N~&r<NSh{b7)pV%E1s+nYS(3C*hI2&Z%%I9eg6~2NK zcVcq3(56Gef-hF{P=z4wlCr9C6~vmkH>0{RKVPoE58ngJ25~axqSww_m~!B>=~6Hi z42QUWBAt|8mVjSarieA`rAlXLiX9d(L7vtH=Ppm`O2JT#C(=h*^hGq{DNJT6rQlOE z6JHG5N3`CL8xQAkb3c>J)Gd8Im7iEZIx@*!U=#|=6f6YbHx{9weNsMm9ionk*%UQf zwh0Q&!h(2})~9B$;uwr;@pGo*^b<Q^G(a)WR5ByIUZZ01b)O}OWf<%!c%b0El3vRU z;%yBc$x-4TEOL^8A3B0?*Rz=C0Ol}a+U(?VJ&#iTq6o>nd!-#wOaq>V_c)IJU$+Jx z1zGz&wndMH^BB34sfK{+Mz$e(G&4IT-Oscp(<ef&)4oVcFW1CMySy}>x3>N=s1}$A zbTrJPSbzx#m7Xj&`d^+**pylg&uuspi|^9d8Eb5aao8{OEcg#(;m~Eb4fa78Fi`;Y z2V(P|HEUEGRNYDZn_p`%rFOB6)LmpkMSut{F2X)#mVGS(6*d}=NRMd3o6@hum!`9> zPMN(Qy2kJyEKa_S8d*(+Bsc>yw&ecP?8~utBUw5e$z(*TdtLu3ZI?dd^yNYi%RdR- zE1xEh%Xj+c{HMXnzt?-0ZPGSi>$aT^i~ip|1<z*pue>i0ZI(V0d|hzf{ixR;-01#j z;Kza60?S~}f5mo>_uI->m4}qqD)at#D1)vM=dYY^vClgXdwY}%okOmdJ1=zn*6|X@ zZb#Dod(X=~$LwG8JYxS)=qCHCT=%$db%*^wa{X4m-?of70F?72{iW-+4uM7h(+owr ze~!g@EM}mZn<g1!wd5jT_3(zuw=&+zbM6@8Nu?Bt;bhqI1bWhgE&W2fglJ2|<y*Ka z%<}fcC)}#sP%Tf_dce7+x`^)}xGLYIg?;&;n#nT@iXdK1nO@*8JdvCd>iO`P2*18U z8tXw2`t$<j%N6G4kgN`NiodhlGhqI;1WQGZ?qsyh$HA!vDeB#kEFjm0=9tuS6UZNs zL^y78Jpvl?VEeQkp4j7Mjsq<NlX+B`P(bKuwmel$#>v%}DW~m|=<DP&5qa+7`OF2U z`3DW>Km=J1@kmB`&YAY}Rx1M~x{!dCq>+`HP9>yo#S!L~2bj2Hc8{i0Sa%+>3ZcMU z5gto0;ml30)%LE{%677vg#MU-M?M0(;m<4+fWfB9M@r;vjsUe8D3pI(g&YidJ5(Hw zL<HM$<p6nva~C0^qV!iMb9k(qTV=X^a#c1PN1A5_A&eDTC~N>>c;;s{><JQrli*{> 
z5;lcVnT`c-5~3Qq;ZcDvw+amrhHYAUGE<QUW=b#=dnQ<5QmjXFU^d1hxobWRzYMM( z$o6qZ9X@W}1FT`q6~wU*ngojI!D1klBL9s+MRkL|$g%C)x)4<%Z>#KNY)zw)DrIbv z@xv2aK!4U4X9B)zSQK)Qd00V!kgd8V&#Zr*9=M!^YluMgJVu_{coy3)0titOg{_=` zar9#5SRoLTe<zpU$+JSwVI)FrNiiZbxVQ)!03Af7d!gn#wA0c+XCnWSc{#|#)Fzda zT~&!j&c4P`@8UfHNsrBS8-9o9GG@8Z3do8z2^dR$Do<lw%`_<XvF1a9oo+Rjcw+6E z#t+E>K$jiF(s_33s!NewpfD=vAuO@$2JD2c2Zf74tb5ITOiAf!%*mlq5d5T+8!(6P zYfarjnRUAddzfa<9E5~mXre4_V_P{(DIXCiFyFk|QO8-;y0F}BAgkWuCOhf0d%B*6 zRQ@iOHlg)wtmF7e=sa_M-EzdoWu6PmGh@&2%t@>5>40KFKKM3Im65yMA3)aID%?)g z_!W;5r4cZTrDC#Va4S9F0?mSn{bwhUo+U#^1hUAnM8eE+d&)|?{PNvaP01O`9mIpf zljLIs^(?|fJPfwS^k6POV0}}Mz&(%lk=(?@DU>vacoF4d#h}oCo@Gr8AtQ#eVtAT9 z&MIl7WZaO-X7aG&aweI8pcdq(fj1yyU;0PSpCqbkB%N+w7f^QAYV&%`SI#j-b;knC z3HWf)1gsiYz@+yuV`Mw?xpRJ;C!ZNjnI@{cs~FR$Xl^dhCHH2f;NrlwKzVsL%mqd3 z1+CynBQHPt00py;Dc}HC2L*xP_dM+^`vrWPG$x0;SqLtrW%*qD7HxwIy8JS^bmU0f zz8^=0u`uR=(<1RSQ5rHgSt%nRrQKbDH$5Cf;JAzVG^q`X<(A5&u=TvgfQeW-A)oKN zRtg#l6jRZe&=wql$Ir<f30q2fZ`M&?Nz<7;*h6L;jB*l`bPmZev;nSUNCc=?JnqzG zL@bQe@eC?p1sXwIKF4=0<EQ<W&>&r>gi$8FgdKMc&GUtMwv*JU7W&2Z5d}~6h*VwX zCt$aCB8bbR5oCGAQAZtDbS-KCb8t{@9K2dJ?y1p}LYPRRSQ@C$;yT`_3J|<#+6_FW zO2T~^hG+tT0L`^-XbSM(rKP6>vkoZ(g$I64rVI)xM15}?&aya#?omUECk_ET0&pQj zW7221E0#4Rr!9yI0f-8&_QD?uG9~E&S0_BPxPCxPFAX0fG!^L?jJxXUBu_TNp&{|v zbfR>j591DzUFjWKVu#)sN-MC0kqTPWl-d)<@IS{%Nz^hDH_{}vz)L1dA^GTb&2go7 zzJwbs{7%eTO^bjQX~~)8_h+GynAI?1HW|1yvdjk8>|(eV;7&p=90hw>sv@)0VF2uy zbJP)wZmabOwdVvmRq6)XDN4AY1HyR+@_1&{vF!t06b->m3E5qA)Dcy93`T>32Xmom zut6FOj_gP#CA*kEc|cPfvGBb4;tM0~>cRxO(+l#ZNF&b;#hqWuke5@;Hrff(1p#UE zMI!hFks8I*OcqK<!1tIvV!G-Tg|jdck4pc*)GlG3o!o6~euula?sptRnwDs--2ukM zB|RfXiys*`b+{_dbFDY3RcIPa?b6AaIR;1tozgtPnqvuTujGjXP}HMwknR*RqoJ_( zU5PYDSz}DNRY3e0$C>=jIH}Yncp*Er+(}5sMq|^F6dW>{)FHw6*(?lCF!S=rakCW( z$%mxz9KX4T(>EpDGeo%LetD3IbbhwzW;maOc5xj4g1?zpHy}}+f%wV9W0MsBzf}IS z<Zy@nEi@DSX7KH{?*wmg90~RYertau@Dk+v+iVlc)s7GPf8hT||6%`-bD!UCzuNaU zU){IK`y20Ty@%{C^twG?_dL@xVL!)nk^2w0_kWM;>Fy7^SGb?+NV#vdouRx){<G8X 
zjJm$#{F(FZu4~=<9lvnzw7trZJ)OTjE*O9+4DFGnm}puci$TE0Oqws<+y~2QQA30D zKK*bBw>@Q+Od^RFhEOIh-_8PjdvJ>K^GKyY+6^-_DEx!-h?7M@MF=z+(1;9C?pq|8 zkZ-%mQAf79X<{c4eBTHHhvJVrmAF=A)nGL%kGL8V*)TN4yh-pvB+?;g_lP36LW*M{ z*N{%(<71O_AiYqyakO#<XvTv=TG|cQd%3TJ=>~Ku1ef3CD${WZ4;EQv#vs26(saKg zNilN-2PT+L>*{=^Oct}jw;LS!bFAtIcW;4xQ9deeddt_d5+yW)oXWL!7H+bdI>wc? zC>+dj_<i<?9i$X(K7CE^0k?w!FnRC@gaIkLu)u2kUU33mk0=!0y)2`hMuq;VXZ&$y zs%Iq~hQEe_N=%ocugDXQ(kt>FF*Kt`O>M#a!M!b5B*ALj+(;qPmWU<gF_yW&7JQ;o z4_aD6R32fj_i?(K!^3`1nYB<Jw0T{-j6r3MV}N1iTiHv=X}IME`VquNDG8(;QM#na zJ!Qf`%T1&UV~Lo2g_b{~?FktQxYq<%HRv`>MiU7sLmLLU622Eo%!-3#Ww0t`BBmlS zIn1U`T^aewy1j=+Oftbg0ecBryu9&jdorL<PSPloPsqh1c@7$v*I$Ul9~?PkiG?Xm zObcsqnx<n7f|4&{S`_<;ebYBGmc_B-YGfRW9^I<AQ0#z4l-g}&-JVAc1yUF2W+)~` z+0bw|oz8ML_QJ2jY|^>hQJ@{UK**Sa0!6+e=Gwv`mHkXLHs-*-pnM}JG|<6uLQqP9 zW&2X*CeC>!9)%SKqfKGBGFp<_j2k0HN-8Yjg9uMk%12E4A9n7<l-Mv7nxq|OEgKwP zyrXCux^z4#{UJgbtHxjmR<X-_FjugjbaXID3IY;Yp~{T(>%ETpn$-#)u#oT3<ABU2 zW7vR=rMuPGFNMKHx>}K48PMx1K*>a6T0AZNqG29jJ=g#kX_P{^fx79^Pz?o*?hZ>o zXS>JAo2jn2x5XAtbZAMIrARVaD?es|1-LUc-)mC(BujPOhXpfX0t5V@$*iRt2hhvM z&akgpE$f9dcpZ%x^V;&!VNxIWZYjTs>NB@F(S1>VyVPSPIEGG&upsEBAKfH)8Tgs> zLZ-Fih>_qhD^wr^leWn&(l5-xQA$_Z>2@9*h6kCejgIH>$^!A~L07;Dyll0seO<s@ z^lO3$c_JgNb+IDG9q2L+c%vSACmR&0Zck($IqJ?7`l2X;!Eq_x6iW?iF$nsSqg=4G z9AnXJY(!Zh4tdrU6ABGqv2KY-*rs!-sL2_gE-=9E6S8sgM7%6eK~ffHLF2ec+QeEn z%;)D}eRoCRjZSBx*Jvq@T05Rw1J~WDR!ibVmoDFm2sy(tpQ3(K(-4AMr~pf8tQ5n` z%p|k~KQSS(Q&2H@h{muTOjx2o3mFMjUZZJ?;FLTdqcIWo4M{iVKh^98_^!ZQqtZVa zL~>$Vyv6lEvG-9*)Xt=KXl6MrWr<abc-^B-g4!DFI%7mCkQ7Z{$wKWkU_*K-BV|LH zV1CGmzN8PiI&8NZzdnf)F1!E?#2$R<G$KqRq?e+KNi_+}3D+|xSXKdnEXt8JDOB9& z=hy#3NFhyY9X{seq<E>S&6@w8CU)W>=*)4l1BJoTZBw#};+!Zel+~gXtZyWNRLe#3 zqR|1g6e6Qut@@UcKObR2D}F#{jZiM3Y!J(WG7VoERlQ@HA4y9SlO#zFzb7ssM8{b$ zkWB&xEefXTlVC=IkstsGt%)`&o)=FiuVqPe)Gphb9cMISz8J|ewJF6KH%Fw`)a{Ns zC!fZ9Ai5+q9Zw)Z*HT!7=`Sr&!wckG1j&A$MlO#@B`01PD#Dzjd*+$OWcHLBUQq4Q zPMCag^h?sENE9&J0GE1SN%sF`wkJ!Wueb(6uM52-^pw!`Aus#@PYymYm<)U&@RYzM 
z{zu)z{tx(H>p$Y}bJqNJ--GTmo$Fj@+n$Vj0DFBd*P{1lj%PU@alFy-1bf}#@xH=) z*#04J%6_re=lGT9W1eR^Kj?acbJR2I+3fMVKjD0V`ybuUbKh+HiR}ZAi`Cm1w1a`a zF$}OUL00F#<UbrmN?Q)Mk@`z;+~;9y!VQ7nA?q9&0@WyPtwdlp-N|_2I2C!r{ShON zQA=_umS><MB%nA%Q%U(oW|AA<k|Dqy8z@0R*Nk-SmI_OOjf00z#VDyTk&+iR<0K2G zJB)oQy@qJl!~%w7p$}GjLaQXv;46XsOrfFz$uayD;i>}sk7?Z8j3W7^!ko&~>sn10 zTWji>$set(MXRn;84Bn|<wK&6S;YUCvSG~b1bt+n|HhDGFwabSn#cMBJCQQ8UZq)2 z7mhOVqTLqcsbkjlk?|IZC*(4VDryU%tO!`qr?8Yb3kW3TId&~C%Y)V;UKE8z8cV0; zBD21AF!Ruv#6Ge%5NnLe2Q8gY0^H;xB3?T9h6vfEG*gpUhR?nbo`exWWX3%g3CgyI z3+q~DDKX-ta1hhhVe`){Xj%iA!ieU=RTY<qE<l+SB}@7|a}eRKx29E~VT#P^WL$m% z%k$H^)9o8%mB8>KhZim^%R5<qe%8p1W-?2?5lMTRUJkmhBA*TU`B6E+33C=VYnciJ zZz9iTWqZfSii{TF9$^Wzs4Pc!ehMIF2z>*Fixjx1l9VrD@m;ZK#JWpW%8;g^_23SI z-w}9pVws41F>}|C!FXh)ugJjy^M(c1g~fi=RsCJaOQQR(@&*>d%5ob>k3x~Iv_NL2 zH4%pDgOE=(G~=ivmq<e|@d)PWU@gMd7T8+YgDjT}{;5R@9a8-XEdwZz9Emx)7{QuT z?K1B3ilc5BN*u@m<}nm&*EXEoAG}gcW3CTf;*H|^y_dOHvJ|H@KGE9IF@%x^uSY%# z495`o^|1K-ILk{WvpWWlDH24auZNJND8q{9)sgHhoSoImGq#GA(3YXFl=QFc!c$gD zEd~ZAkepLM$(%4uE4o31++eF#uig5tq7X9GoO=SZN;Kr^j1bfdYm{07+q1bU3SLnB zCl-n4OkZ1dWEOm3R0pD`>{u*pKfCXv^=(+`#@Waq`xLi~u439W9Zm8o(lr3`Mxas; z<C!WeWyEs<3852g;0Tq>i>0r-0;PWBwr#<Wcnp`-yktjXbnC8d+hgQI0mWa>PdU}d zWT}B0`nq(T5gy1QZaR}2Es7}K2U#SMhJtsH6_(I1NQRLS4HnPx^w|)U=njL9WrMR) z7vz!pFcVtTo_m)xSEK$N%m1gaE$-_`pU|$~(8sg~%;9UfVNT|SE;o&^nD(JwUKF_t zU_CMEoh$7<0kA$QwQ6!lNuNc!dx(&yxg_*lB6S0hTt(ttF^Ah9L_BbR@VXx019UNi zQs0;_kYyYZCB~AmN)%;@&>QC4KyjEUGj0$mq<Z2IuXL#+o`|!UeU_J&gbhX49atIz zb2b*}at3i`?Jka1BL`;)4&aFNZ+tiCx;W)D=mjNORgxfKt*24Mi0pxs4>32VcG`hT zt#}DYzRZHbbYZi5rW*}Ww}m->v@8AKWJsBfrlj|=3>Ds-5(0a0+YwudFb~|q+$Tw# z1_c%(NKHy2HR4lT1kse)gu%YZhyiD&ouO1#3Jgsir1C1LWGy|!>Ur@&OnLOu*O*}s z0MM#)QM#g@&P4WUcNntTJ?MN7E<{gFl#gl*R=Y<Br3VwBWB?LnNaElbq@@4g)+wv% zp1^s>9R}$;*HO(2MelASCI3+*mE}2zzTvRZs`?V|nb#_SgNXDY;NvgNED-PIlurqH ziBwGbE+=z7*%S4i-Ma&~F~tbHvnYzfpkT1{z3Uxylw#4RYF@E^cN1<*q9^_Q!E1%= z6Cj;&S?qasXneG1U<hRu1X8+)NhM%3eqZAhe5xi^zjGX7k71UDu25O!KiQ=NV<J?C 
z%zSy864O!EUHYL`8%=yjLW5{YFqk$;rUm5ah-;{{YdlAODg}iE{w>+236I9R@O;03 z0usomHYL3PsZFbJXf-0C6c(10hU1`RsrFzOxue9K`~W)9n01L)nqy}(iO^dl7QIbJ z6r(${fi5aB;SB@munFny%TQ5Bp&S3aqLB0rR%3`NTc92?+#c~7lQ?6#ia{z1HnFL? zCa=P|g58zC*A&Tt1P4A%{$cInQ8E)G`@hHW8!7Zv*K0%12n~c*1-~DBk^7?Hfa5p8 zNKgvA54ZoX4qO;;xXy81g9-p2^w*uQ^k3ya-S<)7Gkuf3%X~KPXT8t%W}V-6eaCx& z=O><5JC}QodM<JQ!u?g}taGFLb?ztrjTu{=>2xsA!9WKCf43Mo$G$0`=(SOMwUqZh zE!ZUA%~Y*XEzKPIpq4*BuuU#89d#^E#oEmUGnfuMjmRUnFCZwX)CUr5Z~+nuUleHr z1y(%L+7=!Ht&D+@(ZZ~3?Lm)fl0uk?s64~GJEPh?MHsT0i-KwWmIOv<wxnf3eKeHk z4795_awHBgYg=Cvvm@9QXX*`_t}y{p<)d(yAx11;!}Q`&Ued~H;~8-f(x{;;P!b0e z0l3z2%L&GM1O_at8=$w>{3Tl240%Pc09;%^st2`W76eU;N+y%u3<nBJ1Ed<H$j6Zf z819GkI_G2^8n<T1Xkl5`ET1XIbRcwrKpWb|<X#pf&=(Kn7{#Kn1GOXhhICE?eNfez zZ|icFaB<?&)25bG!5KM3TeL)%F)eF(feN>QpxApQNVS3XkNBkJDkD?8jFcWVUz>z_ zi~>7J>7@}=Zk5NhXJ;s>{fJ)B2wNx=S-LtNN6<KxiOjPr6_l?4gCas@A~TsPyEP7E zocyy0{3(SE*iU4i>P@wp73_k@;Q}gT(j{8h61wAnoGL62jq)ZiJ*3&NyX^_B&ca@% z%jta~)0U?dKvUBS;*;W=ucY9ejKq>RusT8d4jR;I4pp%<a$feLp~6uV?jtNhdJ3yB zsdvL1S$YVp#j_u2D$)R_QxEfOwQPkh4D*08O6l%<l;v*e-|GX+VS(fk(+HIqL}8}H zt`}?90q|M?yP5J|EUmV&wU#(@{P#roQzYHYv~27E{<xm2M#*n2%o)N;44$|(%=O;b z0HI|%DRd@93!Yh%!I?~>*6V6^v9GZqGOpDgO7c#^=MV$_&SuVzrq8ySO)HdY#_BWj zDt6EszkNcMsEJkJX`BlxAcE9!(9Y6=_<GYNJn6z8h3R2_Z1jWd3p^EOO0Q%79Eus3 za=&5z07KKXt>m0yVF{!xN}pq9m(H}S!at)`Bfz=GwM`@rC8g(c=EQE{sePzWa!|bi zhCg$5@bU^*g}2iHqG~jdfm%xm76FM$A7|d~QE_9Ij}@aA&fseJ7gj3|T-a1MSWl1B zOsz~&>w)s&G%Qouu;OAIM-?@ur2l5eW<)E*DsBo{DFd+revLkg>~6Y+@w^x=?#Ltb zP7`r+c=MR|u+bsJazV)Z4?A=la~qAYLL7o2urLf^!+h8maj_*FO{Z>Qr)5}sSc@FT z*bjE4MU=cD@dRmsD<TW577pCq;47snYVc65<jp;Z1<0ljczeS~$>TssXrrnFN0@S; zYYy|`E}Had&4YF-GNR?X9sK=|b5FKA+6L2Pxu1!g0_?Q|{%S&iRqz->ofT{a92N^z zye@*vQ>ZNjS0%Zfpgb_w2Nh(_;9<PG8Q0TWR2S${81n-gWj|RBHm!taT)Kl5l+nK@ z=PYtbS+TuIb?xi|7ztAj)*82UxdV~v)ltdHBr*o?(L7dqFSvJuL75()1qR4(M1DBZ zdltE0&QJq*@*0X!qYyJLTu47-q%V{Pi{y_ZwGDN9cRQd1pBEY+O?W2shtO|AzX<&( z^xe?cLthSkF7%1eheIC-y*Kps&>KVl6nbUorJ)ywo*jB>=&sOhcrBnBnhVX~y})Zi 
zdqN{x7k{@3b!Xun40JHi!9WKC9Sn3Z(7`|l104)>Fwnt32Lpdc7?{0#4y!HRy$?U< z@21LiNAA7^KX1DG4E(I$bt`_}dDkp{j@>ngpHp{j#LwxwT=-eIa~eNyxN{eN9=tP! zpL2Jr_*uT=7W_PP#}o0haz`J2F5IymKM&tQmiywdDg3<g82$d1V_o=p>oMx>w)!Fb zJXRmU&pYZ#{Jg8a8b6;>#}DZqn&8u-_;K2*0DfK}y+%Uy|L2Exhb{=6hS&ez7rZ{W zE%39zeSt0hANt?oFZ)&B4}EX(J<;d({>1w^@B6$*z1MnIc|L-S{#EXGxp%nNxPI<> zo9i~$CYRm$Cg&}v^7n}2`HrkZwg1TeE_>C!)4tyJJ=<GtFR)#2yV7={&7*umsVF`2 zH|2Ze)foOne-0gUvv)9et>C3I9)pq@$1Bi5i5SIWE;i;sfLG9X48}Z8nU3*ePBz@C z056u-b~rsb=A<gG?K<XQ-MRw&nJ4XqsU<!Yb>%Vka%DBZtHkj+o=SbWtB%>&gw7A} z9G%B5>1We1_9kXN!0-DScW()0?9yx7E5c_TV-ICs5a5NGwo?l&sdm*diQdp$7vPn( z7>I@FX7a1+w-Kx>z-t6Dm?*TDtlvt|>jM0_u9JP;>+Je1)NXx%mltHcijsr%n+Z6y zoZnM6R>{JM{1!5E%(Lsv+eWgN*KeXG<p95%e9Cv4&#m7`9rOgaQ+%}1S-zpZNFVeC z`0G~MTUssOzuH<qN}nFVv4Yz(nb42|&+Vzanii=ap-!^EJA3ZuBpwEe)elpXeF6Ub zhW;{w@zh6)r#d3_1#KLDN!vhn+w0s{)N9n_P=LP-(mW2u1oezr771?1irZ4JQV(<3 zeijweqdF%WOdG6MsC{)Ee<DMlftK`$Tzk4>Pd8EV|7{-EFh72^w|<D7*fjxurTnqF zp&qHvYslp{&kf|Zy`#RnUS@L%EazVCztmZd(-EteXd3$h{2dD&UB`X%qOU$jjSj8g z??n*-HeN6^?w+)IXo|j$)r;ED{31QS_Rgc(Z7$t!svo3A`2c@hte5U?^csN)BP_#0 zc9skK7uRo~wmZO)aL*x;6wKF1*f+8`*Vha5ac_X9X_`K6px9D<mTgP_3jVUt|If#Z zNH||#pJ4-r13W9$m>W0=q9pW;%wLl1I#{1(19(6cEUQ)@U}>qj*VXf^yGsH*<M(8{ zGiCWAsMI!(c(^{r`VT;RVEM{=|4U7KzOp_^dtZetWltvXQt${eqLvPVXPC^19$Q#d zpP(+zTh0se4(RFCs1vcRo+H@8a$c2lDFr=obeGkiNZqUm@T^%Pjg|ES^t<x|{6dLw z!{n^`_4F8bG|-$#zNda2H9E8j7pUm<4DoD+spz(L_o&^o8?8gkBlT;k-~1;2qV1_X zg4?>sMEx4-@fs*9pvzc%8>?ZWN7zl%wI<di>Q`&c=<+p6mWu@<%6Oc2K?dvl^<$tt zVWPJaVM$`uM&i#2-a)yteihB48sP6sBf$Wigr3AT!rLc!nL1J5r!9m(Ox(vZxlZ_u z@$ULwYIe&y{zi$uj#GWH%Et?yyTS+<UsZU4*bzni-st&eNn2YA8Mzr6D5SUt<I zu%7OZB2fdH#gg(oEQuj2>tl4RdT^{7F4kOM-%Z0!?&no4`%k_OCO@JlxKMIdeN;Qq z%_#}-`Us7^Kfo`YoLq;e)rYCo@&GSn16FlOeTaTFz;*#wl8%3Gskc5zUoQlBeu|z0 zb1JDVsroMJ<3NDFi>_n)gzu>L)So~NcL(?b=|;nLFR3emlH~LMP=NuyCiL{s!2n+W z3)~xA6<8NigXQ2C{69RAY2JZ%Fwnt32Ll}pbTH7tKnDXI40JHi!9WKCj}Hc5&g@|$ z<1Z9rHUBv$?T*F+Ya~e-+1HyLRr^rqrlw|R^QcKZ$RDXU{VvPv@+vYqIeVMCYY%HX 
zJb;>W8NB10jH`!}qeG~Op)%W2FN~=dZrX<n5%2&{=0!(6f!|6L@;%u<E0XT6bc;cI z_uvT<br@HmP|<yXp8J9`Umr#OA9TO`9QTS<tYvR@Z+368JJuZ&AN)M{g5W`E?Fnab z=8(IqK%L0eH4pTLH(|-FqJzrc6QJUK6j7jje7K@b_XG7|yMhl(c8qz}W_MR_i$!Jo zaLHZ8HH&b0I?P^|=)*mYQodN#dyw9Y=4Y&QFJI0k)wi!7&ur+xEupVVe$$dx^}D<F zwHjtDoK~qu3@&D10C=88-~nNiuZn%tJGJdbk1MykyY{#0sTbGlR9=h%KIhiYHR@f- z6xlz0jeEsv))m{9Xrepb9T#7G6JIPFa*t@(*|0A=zN1UshZ4quy!0X1qc#K&XZy2R zToJoeW&i3M93F@FQtwguB6>U@|F!=^@&8rQH>J?7;JtzG22%bzd|$wg{$9^>+~06} zTvs_?;*2?d=-6+6Gv4?6tu3h>l;0^2%MLX8-|=VdDz9|GN?PWcfFR>koK8ei$J36p zyb_3tzBx!#70KujDkxUn+|x68B;Sqq*DCpLRD@+uO!eR;QC7|z9?TxJ=$@_36=zoZ zB%C|ysD3`%Vw}6~L}PC=DCD~^(G9O@5935V^eH{kHqmo9(H-fI_24I}KlenAqKxI< z7zKAsC#rjHsvbSlCv^>IBOMa!Vk`*<2`s6P>dVlJOY^g+Q^O;OCN?2fR;^5Smrx|4 zd!~H22j5W%lxh#XB^NeIaQ0N^HI^5i)UFBR3siQ_Rr9Emp2HiL7o5)mnt1K&3S7aZ zI^0{5-O-D*+bLVvl<GTHV9pC|=Nwb}#`cenkL(!h9o;$5r|#<Cuj1}z@7BSA?9QS7 z;c>Nhc$+%ZJKVdYpZ?j1)ycosN@DdZ&cI6YZC8?3M;9jGR9APQ^cEf-s-UntFMFc) ziRZ@ig0cP8_aeP^dD~Nw((zhfe!5SJ?$B1L5voOGQl0I-0v>m$s9E;%l^LpcB9=z7 z7Ui=bY7ywqSG&tca@Bcuns5bM2lb%O16rR4v_20ofqZ}oX?Dcw>y}|w`?Xp1HVg7` zD%3{zs@1{VBBo|g{$nvcz4HUC^8-fb&GQVLhI#gC^XzJ#r}aob26MA^*fgIVAuErI zZfe@16Y#j`CXL4hTk$x-OZ5$Z40zn;08ZI;8V1W&9tRa9-N538v~u89G&HU8ufZc| za`kRMCg0y~@~H+TN!^Zu&Ge$i<2B(_ecb1ly6T~JGtQh?(^EIlt$YYbR9n)jq#;g> zGR>80*W<OUOufg8ec(*2nTV2V@1F6U5GDhCz2hTekGFII<s|DHJ(w|P9L+OMh<yNa z8^Yt!Gwiw8#|y!U`W0?WccvZL#7RL$<u@_w6WR$n1Np0nb09okA9WGsyV@-wcH+5H zp}@Z(s*lw#c4AX5)mGG?9%9K+eMz`Q3=vj_B0KYV5l}Q%k2s7Y+G4U1wRb8vkE`1G z2B!JAO*vBEXg}T=jjE$%sDG%%2x}M!p3F~CsguWTzV(<5(;aF_;Jtk?=10f+_YREg z$*O}RJ4S}p;gRuy?ZgoWMus1kNz<h2-3lh%T7m+eQM3EA<NZVGo^1c$#Dp{Tn0!1e zr`0{f**$%IFxa>68RVGm9mf(z$Fq+YmeW-KFQr^7;hz7o(AJPG_`%?v!Tz8#@KE6H z!1jRC|B(M~|8~FA_mJ;y-*%tV`;hl;?{=@#^N{Cm&vuW~{gC@^_jb3_^^ogs*LIiF z`H=H&=XR&l@qpt7$Hn&lv_D|K!G4bIQQLjCYi;K!k1F>m*DB}8kIMH+&z5hKC**#4 z1JL$U=`+&vF%|fl?vt)$e_8Sm`Ke28+G+S$V&Dq*$U5fiIwe<@eiW2<FR6W0w14|4 zwjUTC-HV#^dVBf%OKNYp^WL?j_QH85KYK~-#rowhEUA4&tpBH{=!#_ci=??LQu~)M 
zGUfkR%4{OSy(=#)sl9M!$e&+QdtuhfpIlOV;rf&Rc}eXJYMQymJ#yVCoF)zbQOj;v z+{AbVhzB_2#FFM_w10R>?F~wM^(nXCJ`%p*0x|z@pKAMUaFZMBmtKB~?fb{ZcEahd zkFPkE)L!6Edd4ZXCqHR8B4|sgEvdbrEoE{^?Tz&>E~&j(zmh-I_9MgF5dqWjFK=B+ zdlPR-Evdc1TYkT!_G15}?=Gpm*gxrCmek(ZKmVz=ZwNEpvy}D`LpEHxr1pkv_|1~q z8@&C8OKLCnPkzgi+Kc^@|7%I@#s0~+EvdaYfAVKevHjLP*}<@B|L$5+dqdND%97d( z{3*+q(*D8=b^akebc*eJ$9G<B;=g!-;nXx;t-Ue-(30AV{g<A*r1r-CKmBq(fBEDz zb<BU*wEw9kH5c2zc}dO1>F+=F#bfe<c`Hv|((q#QPE{|}a3}UodDW7J7kd{)^9xQv zE$kf~?GJC$DPMlCSKccX<+CN5&;Bd>+w3)a!oJe>-?p#X-fw%Q?QUDawoA^)XNSHO zdNB0r(33+qga$+1s1fkX;3L6z2VWYj2d9ENf)@t^fu9FH7kEeD#eth~ZDA|!O1u3( z@_*9*X8-f>YT(uW%lzm1CEvGv5Bgq>Hv@0*4f?u$r+I(r{k-=b-WPdqL^XlSy{cF7 zd<TAo*Lv>p6g|V9i05?ouiRfieSv%3H@mNQU+G@!w!6OP`iScR*V9}j*QhJzI>Y%J z=a-!Cao*>=)%ir{R_BHAJp91%u;X=(XE^2^V~&LFxwgZ${kAQ(^KB002g=8kH!9Cn zjwt(;OO-Y9pXG1MAC@1GpCMP|y|#+g_H9Vj=#EB>6dLJ^Eudmg<ZI!^c)PW?&cFWV zF>s1}M9aJpd_ehH6G=q64U*VtO~{INN4o_FlXo`*1%HyW%|JtQ8E*y}YRTSapqQ?F zbu&;fC3&zJXe{N-B_T?zR{7kL+6#mzpIB0RfivkPOKLCBsvKz8XiDNTQ1@sHsDZn$ zH$h|FVrBC37Em#7+1mmtW+ks^0X25p*8(c$EPcBLRLoiWX%jSRq)y4_w1673+Ry@O z%xYT;sF;;}Q46S;mE6?;jdv$ZyHIQaHQLTKLCrgOqy^MyTWf-vc2K#t1=QHVato+| zt5OT7fvai@sDZ0PEuhAn^G#6m4i;KK#jK=vwt$LRDc7}tidji7XaO~5b+7>nJenBh z9ZgWA><PW)o)%D}=O;Bm&9w2N7Eq(@y-m=#>4ZL`1=QHzXSRR}Ov=w`0Tq~(8*vr0 zaFyq^Xlu;*sZG$B36u3EXw;N+`id4%1JC!hfEweztN}_=O{n$Kr&~aU6p%jO0xCG6 z^pzG+foJK<EuaF=(t|Ca0?$$-2c|iT^-7K0o1kL7(q|ibj#$!nuWSJoJ<DrbKt<2; z#Z6EXSCM|$0xGZ}2U|b|HssS<Km|7BKntjtv-IQ^P-D)^nxH0J$-|8*#3lpH%Km1c z=vTR>5tuPr%1>+tik9;Ajli_gQc;?LM$11p0#ioTu2OFX3Jfa$&<qp^R9@B$G{(HH z5tuZ_lt0!C6l2P-YX*uj<;7;8G3LHTV8RgP()*f$f{v6!%|J0B>9x&3F(K&{%|J0B z=>x0zMFm;Qh&QK8Z)k>zA<t=si4iYq9MHrKrMEXwZ8wte4ZidJ7Et4)o!bH`FeIPf z0xIS!{ip?0%vip#1ymqO-rfW?U+1{L1=MK!$|k6Z`%7Q*%Ab{H<qKucpr_k&n){dT z&%58@ev$h|_qFcJ-74(u@4Fs$z25a~*Me)m>oV7QE}QfF&W|}??|i27kTdH{J6AjY z<oK53A;kNiA>SN&05t^WL)lOY?+E@+@EgGggRc!fHCPIc1yjMZ1Ahv93wZ?(1fCJ7 z1oj3t2hI&B{_pu8_P@dZ9RFeee*YH#`F^`2?KmXA-7$_yy(sih=-a;U`yTea-uEnD 
zRql11ZU3Wuy>G8?lkXhwpS|Dme#rY;?^C@c@0d5~J<Ib4&(}O3@cg6aNuC?*-?Tqy ze~tYf`<#8$9=D%q`#o|H-e-G-?JnD_ZI`XvwoLhz@<ru6%1f2ol}Tm0(xv$2p8**y z{#eNgH#Q8BpnSR!h^%*AOHn@52s9};%7c=Xgh}9wrVVV4#uUV&e73P$G!<h$B1twX zI@$Tt!9WKC$Hze9IZB$&(Knib#tHm-BhVyal>cZ33L&9<r5R{+`=v&X5Hp-ayPIJ` zY+c_B6GAK43=^|iX`Kw+RWcaK>zW&inI3G03D(tMr~)$)L$6VuYZXTfYK+-nKryHo zRC!H{wqjW2pBm>B?G_Qno0?(5PPw%iCajbrjR=Ywx`Oh?W}v{j@`mPK1=??Eh6xnh z+zb;4IEn$;?Lkdf0(QEMyM8-b00naTS^!1(e6e{*(eO4a%AqTnmDJz1fQpsKzit5) zYmtA|0xE`;f7b*}7)L?g)B-9FgPd*w6&oWbTR_Fm$e9*UV@0tRP-8_sEuhAVF0)b# z-9I#dzib4W{WEWB1{xD?AVO###u1iZ)!fpU?(3U@#)SUK3bfo)m7doO6x~Yiu~HMY z6x}|dv7t$gm0sKo6b+?+Z3LPSBt5kmC=etym|zJrf~40pw=`DLfIVtyOz7FxmhtYi z0aV`B2uzu@w|{R0noKa|1I<9O6y;sbKtY>I1BNW_Q02YNEyYrl2D1<QWm?Kxt=k#v z-el0%Wz8^wy<Y2x)Xo_3IgJf7#^K)C3=>CtwizZ4cD5NNFn6dKCJ;B&3=@mEsu?C0 zG2aMF8=_%PGfd2Lq8TRUIn@jk^PFjhiFr;p!^Au*jj)ulfmb)fM4#6+!$hCgHo}s| z{-v8?V*iqjM3FSS56V9_0|jD~S2y=6Fmq`$Osry4Gfb?ayKzACL41BQ(3njFtHKR$ z1E<Qp%`L@rl>3^2Vm``C8-b?c0LlZ6D=}GwC2K>n76o>cPc;LLm3*A?|L;&7Qs~>T zwf`yfv`{%T7D|Rz2LC(w)!_SsuMFNDECdIGJ;BohzYcsU@ZP}70`<TY>IYvO2>5^Q z|D69F{uldi_8;(X^{?~0eLwPj()VWH^L$5qSNpd3R8$i9p7*2P*Lk1mt$6o%Gv3vn zKY70CdC>D3#Q5htqn^0uO!x2IkGkLIeueuk_pE!DyW73Y^()sGUGH(d)OEXS5_bwV zx=wfg&iOUxgU$z>&vG7iUW+(?m-95oZyjHAd<c>L=Q?h3OgIJ{QO8*h$^L!&C+%;y z-)Fzme$YN<-(*+qF5Ay+U$p(3?Nzp?*{ZgyZN0WG+iA*gm9HreDQ{3-pxmlVD?>_B zSpziueg3hQ)DXvY*!p{+Fz&bf-nd8{I*XU)P^gGP)FABJtPMm*do8~=sxF*m{k>4f zYu4Y3iLSB!UXXXuJfYYoVGbx)SpkAMD_2_qVy4PN<{?l*SNFG!TN-3UPtwz^05K=& zl@>r+EJC{93NX5QzZD?3iS!f;ASGJJmLe&!lwbxoT2_%1V^3N-N{Wt@*IEGrAJRK4 zfVgNOKVSujp_QBk5EEl7Ps5~^u@okdO-!s#eww9$Vd*HU6(A<1*ew84g5o!<0MSDJ zmSt??_Z4%4=q3a34s!#8^p&!ufw8OdhphmC4|$8FCxH(65=(=mAX@oH7C=Ifp!^dH zATBIh`4?7zph5X<7C_8c-g*llD#lPww*rjmMpn6(uh4fd8Z~8QUt@(B`RdY-Es%(5 zje8m(2D*l<keGp&s~R9;Zqm;iAc7;waVx|i6-8=*2&5_h(f|>ZDt*T)ViD;w={1FB zpwVYTJce3|B`Xd2I|LMCDl^U9isdP@jX;xCs1%!lMz;r>fkwAeR$vBth9EZO{AQp* zK9y#m*e0dHexq&$KT%dUw=~dqPBYLz-?_~|W1Z(U1C4b~Gy=`L@|0$v(d{#ufkwA? 
zHv-Mxr1@r`frJJHF9Q=zAVF?WoC#<kp&^h!Kx4LdHjin{_UTq&+M?vTn}J5R&Ss#| zt*sFVOH~)9%8F*7v6Nsl&=_-BGte0Gj7FgOAf4F^G+H)zNMYogW_xyHOEcnEH3N;= zdYgg9m;oygk!aJFy`&jvw0uz`&};`ZgkfO@n!0^ub4#P!`x}8V)3Lv?8E72)g=U~} z>~C%c8Wev^GteND!_7d0Od5Q)aJ`t;S#54<tdsn!rlNTW)|n2{t<6AVKW}da8r>eV z0%7wSG$c2ylYn9=@=eVx#hCJcHv`3(a>Il$qN&@rH?}kpnEcjepwaC+8-a1d$1Xq8 z3>4Bq{$evwkcr$7&;$w$Uy9sdzY<W8iTv^AZUvdhUup x{o(7^3OR#z^KX;N&y z+}zYa(YqUgro$rtpc!aj;Xj*!;;_g+YX%xv_--@Mz(Rv^LXKwx3qL0N{|5PVDfENT zr$X-ty)<-Z=pZ}*n?h>H75pi({Qm_$fO~?6g8PG42G<9J@B%y<_#k5V&kh_#rvHvW zci>F_AN}9)e+=&gzSw`ef5t!TPx{aC+u#fMtnb~v`+ZOHl@YPu;=9o2^Zu9jE8Y(v zX8%m@Vej>*BM|nUfvEkrJRkME+4Ex0?VcIr{U<%=c<k;UBNO3X_kQ<!*H7RHxD4+K z{+sh2=eX04mjz$wxX!WK{x$pk_E~!r*8Mwd$83Ezm-1odY03^ID1S-5Qy#*il;HuY z_NkYSk~X=!u3)OF{u`}^C#p%rqEx4?T$#(&+LWiHnw!Tj>mhw4<?h<ls{iqDN=02V zlnX4)G*x=CIkWDrYU^f66)!l{awy2B9zo4OqY&hdN_k<vs#V*pR?CxG3DBx8NNtXG zl|#qF31cc_`N?u+%4lWJxVyHro=IFCD;M*q%UR7&i4MeYwl>vKd&k2ub+AxFflX9H z5h!3qLXYGs`BJ`WjIOl9JW5&~AM-Z(3OCA|G*>D;+2SU)OWmk6(z5*t>x?Lu^RYcm zRCQ7%KjQALWb2_*>R^8_ip`FW4eT8l?BCI^<NHGF6C>n?!mL<sQqA^{_KvaAE$Ya2 zb=#it0aP5}H@z?Db$5-l+TcErg?<32jO+Gd`H0HjL7U5$YI+AY2{e9b>*>bTURK>i z?H}GgGS+9Q(YQ9vn~B3{9KEE<9w*6{P$i1L=B5v){CSHTRW4g@Oe~@HPELY=*cn0L zNmQDeEKuc1K~m>m#<#V_s3=TD4<`+2hteqICx-r0dtAk0yuc%B$ZB&aOyIRhI;$pJ zDStdEenaTa&gLqn8cfRnVA(rb?^7&7CDqjOwAz0Z=c<GfYuUvr-USn@R{qd_k7Be( zBYRLwv$>9@y2IUdP3u9Un;LOVPumTZC+Lw(t-zNt{C~IOJ*Z2XQTG+7a42?7L!3bO z?{N;a;>=CQD4GU^%#~}X|HL+2wE10|8oxLP(Uid~wJJ=7!^DGnYbaGYu~0LrF)6=o zPn%KHhtuBG1J@hMRSudr>03|qbkzf`i8Go|NBhTy22kE-8&J*)DXIGg#&?eF8CM6k zQNcOAz><oxbEYD6rjkqNjkvoGw%HKWoL)fP;=_#KnH(5HowfWC^;@?;uVJqQy1v<- z9#IjD?lWO<b)4osY^nXEd@Snj>S;3*lt4!DsJ?zwH0s+W#(MZl&J~-F9!gjDjSTng z85^UTuKKX})%e)Rpy=RDm@F%V+|1)34MqkB`u4MWu%lxmef`_^;E_YU>A7ad+9pE< zeWB&|hW2!;<@bi-^gXl7Yf~()_b>0T0t~hBB^H3Gl+2x0fKcm{7gzztq~2hel;NQJ zocZ?|!wL2Yb4Qtk&_|`uSpadPr%zh|CV!gW3`iSZbLp#AfWWNsJoBW|#-u)K`MvmF zewL-9v;Zh)Spj0Q(uXX7q}U|s3l>1a7<<G5h>J~<o^P3yv8&HFH%KML*z&XmkPw?E 
zzuXEiy84P0AT~pOF2)wc%Toz4M#Rz}E><DE+6pj?g)s}j@Zc)1w*aC7Q_A}-V@Jho z3)Tk4WdC3R80Ai+=U4$oi#MAAN#p1#*INKdu^IA{Er5ie1nIq2fUyjh1z?~`u~0(N z*l@*XX@U3K^t%2}vI2}T?lPk)X`KALwSicM@+@lufst*N21Z0owuH)(hWlB5v89Dk zqeS{oD?p4b-)IITHW?&hIj)IKVtMj9ON+E<A^pGth#QnXZv_}#-CzZXg)1I2MiNG# zWS6CZY2h!m0>sgf|G^B18=)BKGZugmdQ)z)0>o^UM=gMqvGD(}0t9lUFIfPlK!qh9 z5>JZLBwt`{VRUt`6<{o|*8(u{m(5myAYA#V1z-ex6bna+$BpgyvUxk=h7{Q9wdJHO z(!EmXgQ2@%^*dniSA)Gld*H!9EwI-AY5za?ua+LM|EvFe-*;^f+g>Q$YhUYo6>jiv z@cyUwjot<C7O(7iAENo&Jzn=`+|PCoyO-m}K;5<5<#RrQ*8{F|s*dkCUL~Jq>vkM; zblZP}$oq?xLFIJ$5&6aPZu>RuLhfy>!9G^`8Jc#Xv`}8C>K21ZF|+M&-}FR=<eoNa zOW!C8PL4xyMa}-Xg%W@5f*y=uuV7Slo?<%#N;E6e)u6UeP3Ti8SRH6%k)ody){geW z>|xeJ^BhiG@7UW$@4~<*C_U^MbfXS%v#o}fr(OlveI1l*SL@#N>b2ADA00VCL0(rI z3kg#_UTs`w%-t1jp$3CG@F2<}Sz+o{6!Bh|7xb{g9*|P)NWA^;+YO}ee!0RcY>R=e z+UoAw-D++qDXoqcb9n518is**q-6-ETeVh(2S#+U5A#{kG^aK`A)LdEItmXCp6_Ly z^0!GuZ&&BAgQ3<t_}CN^_qCrI-jV=|Ag4fYwF+yKd>F<;_qMV4X#1n;Sbw;+J*K?5 z{lS7!bAl?xj`j!Z1YF4u4-<2OG}uxgyR_O{WL^Lm$E?tBwMst5EL?74BbI}e^tGal zQDP;cdA3%rpqRL|?dfeiC>UDvO=2`SZcs*=C~VLCRL(T;vNm1}G)}Pnu{3U^pVQh{ zt7whaO_%`ChSuGRV!@#{4hXc==)yd%XccVZOh79<r=sJDs!)sPc!u(mc%rCKHGD6& zK##lYlGey38#^~mKCUTabNoBGylCEAkfJ^+`Ianlhx}FL$#T)4Y2R@=is;OV9KLv- zMJr5A|G?|ph1!Do`6!#Wo%94APT+?1wBtcT;E&j{>B7tc=N3lgdPX|>F328ua(A`D z-w;)N)>tfXF%QO7s=;M>82?kQEQ<E-c06GSXJrr%*3{JP3nj(|b49$^B^tWgosuD( z66@UY05r6Z8G(E0-F@z^Z0kuw;A&3FF>u>Tfeoy^BTuhe%?Lt}oeAy-ZX|>ulDl*B z2m+|R@b)c&ory_1+W08@hO{$cLbx^@J2+sAq6d5XWyjR5z1jZ3f#H7g*K8lyu}5<& z>usfXwPB+e9saLuVWtGHnb<62*0y#ho4uvR+_GFy4dv$NfoXk2xm}2WMub+tBRJ$y z9V}}P4Tz?4J7$EYQT9qjxPa4u*X%LrY<apy@d?pdYL94ee*JTFLmbq+)p`%opW7WP zjDP%NCH<*QbOR!I6Bcdp0@DVU@Pd=s4IXZ{$E4B;W@bE0gtq#$mG86(HDK(x1>yZi zi5D6Ky|G<LXb;t!2m8_{$+QwYVMk|Ki@%vhm;V%TcZFLVECl1Aju+;@i)*>Ld4sh6 zxZB-TZruQ)l8vJUy|77B3x+l{mS;}}?SMX`F(@4Y(x=+@NQyYkT=Yl|*p2*@7OES$ zTb6n@5wY~ic5dB0kg1>@@HRO3Yh~WM{xTsK@9Oqkp=f?hKtesFmMjxULWqRT5Pbks zntboeftQ##pY-uIS`FH3f|fWfDUYVb3XHFYXPBwP4Ymdv$JBn}&NzxQGp6;Q-9}KM 
z1)TPMm2$P(_=b#Fgt;H-W5?+TY*#2YmewjQA7Kj<0+esJ3q4>)bU>g}fupc)bh5A^ zQ@v}lHK9RU;9)GRTBSgViL}*ih3aInT*VHGzFcis6JZ1a8xz{q76kfm8x@UOLxV84 z9?MgF%5=b_k5c?UBX5<ItRkU8-b?H~wjbJFXxrwv-2M&wtL!(pKIM9z>snWr^DBtH zU+(z5<D-sSLl5JY|7a)}{B-d7!M(vXxYhqapc;tzfA9Y{{~i7d@m9c#eR<z{ycKZF zyTg0B=Mm5So+-~NycO_VcUFE#ekun1Kl7&z6=q>eL?||vFP0IgX;2{y^+%@y=_hRj z1a)+L0iley5vXG%Ao?nW8VqHkc)^<VL6z*7yX#O3GNxxu5lYTaE}*skj)@jQJ3;D! z5^WPkq%M(r05u55Vxvd~(72>=V8qlS1=x>k+RP0v>~Rr-BL<O2rXC6IJ*CNF4(D~c zfPa{e9S(5Ycxk+ieMK`y;>K)+o{8<%^A%`hJgYb-CK_vxLj-Ga-mCe!LP;}{!AAAx zVR<*^S&A;xZG;YHWL0y-4(Yu?#huDms<VZ8marjuOtrCYXpJO~wY@!2FUdAEO1;1v z(9jFngkl1T_DvDVXG$NbGBb?cww801Dbe)O<22=A{2gT0lya0pu(doTw0dPTxse>L ziHM^3Kvfw^HRAaCJGMEB<eMpH_kwnInvblqsg2~NZ363^oGdSppK^wzr@{Ay>{K#O zaChZePY&_p<N0ie2r2hL;HbZi-HEBhDO;g3Unb9h_<ma(^^CrcvJ=(hU!_+bVcyRe z*zId01gR5f#pXwL$MBx0>AAAzzP7f}il{Hkeh88`hxMU0l^5{TvVoA^Vg7h=gFS`* zVw=>)>9iqyqq{5Hc;u+NjMm+DFa<M;uV`Z)Q4``{+L6;VPjkD=k3;Tciq6d!a|P&C zEeLW;T>-tf%J88<lPue1j(ZM?C{Kp|k!>=i;+f<&oEw;D55Nk_x~$EifG{#xgl^C_ zJLi<KHkd|x<be<w={m9)a(5dJj3(gUaMF;&9(ghgmBaZ$5$6hQqL0pIzA^`w0BO@2 z&>-#6Hb)a(Ce^(QMY0n#HPWo?5lLnz@oKesKS$b_U+5~KEy(auHn`A~AGGlbpe-`; z2pL9OfsWxe8X+3N1*OaMK03=yeq?2+{fN+KxG>zQ@ij5xU>lOfh$qrrcD3=HjE;j` zh}e;<Lk}I+CTD?E?ERqyWDr^Wxzdv;6UWzzk&c6Avh&CbL#zO*zqVrR_Q}z{zCP*h zHX1r6i993CD}^pKL$HdM*`aX>{a(7OjeUXEaLsc*(9q`2jqWb(@g!?H6xuM~X%&jR znBE<2rQA5k<YW#x7bk>aO;#A3R62G&u**U*jjWWiJL$buP!W_wSggF8lNnM>zTSp* zu+kIIj&yswrdjeaK;W^!#I}5OvQoeUf~L$s<>EGe!qF^oDW(?S>3KM8HD9422)f!t z2+=TYsF<c6_<7UUt88eKC5#T>P|%!(y)%`(mBy9z?W9STh)7Hr&hS!oI$sgPUDO^& z&@qg5V1-;s6;0Q*$B|A|3`digtcBxU*iNC&f?&kHF!qJbfuE2m$70+I+E4ie6rrqb zcTmX#-6-^%^qD8L@$x}<f){Z+ij)!agWeV`cc2aHMGv435;*gf0=zrDcrqO^n#r2U z51{O9-#DcX>4HjQUCdVoIVO;{qfO8QBg2r>SX7g{T-i?ce?qxR3jI6o{_hUS!S@Ao z!PSAU1zsK)3M}`3%73qapZ{FncYLq(P5V}Ozv#WsJL!#h9`(G;bG^sqev5nBopAla z^>Wu`&QCh?&WoM0<4ca0Ip!Q!+J9$%ll^A<rMBPM-ebGnmR5eMyj-~oRrkLw|Fe8R zR;8~?FFTGCVAS0;hX*U=_Z;V&4(M+d1MR#bec^bDY$2Y7%b!QpqLxg1(!7*9Sxc`& 
zQbE3jWY40bq`_~8V53bIC?BK`(KTVrSz`dwn~pQ91f+H;JXfBAs=#c({-faBHTG9- z9S9*HuQ^UfadK^xs&laW$!$1V$<OC_&`TJ&`tp=tw(;E1@}R3}$96Oa2QrB-lU6BD zwc&Ksk_<T5!!^7r4_y>uObZ+p!~$#w+C=K8HPUm-;4HZ!DOt>iJyfVpLFr=da((L3 z>)QxI>cY@6^<bMiP%RfNY+jyhqZXk9SZF)ptAwKk4tbNSRzACpbBWqOZjX(O_p@Yc zy819c*ARxZn-IO@Dl&w}^~ozY9H$@HW|%24SVV-T^7DE803v$l=Rsp^2?CGu>NaW` z%?EUj2<xKwSbAfdXa;?pglY{VYZ%mPG<a)!>VVIL0s&;0?JAXz;0i$v+O57m>7EVl zu2#M?8Y;daF5Y8TzIxmbqsE7yX(N<bkE))<EfOaN#`o)!QQk5O1(Fr6YfvDmEi_1z zEc}1$y$5s@x7YAJ(v+>UL&x-`nzneGy{6e17cdyx*ap+VWo<9mUgNb5ri84MkluT5 zBq6<%git~Y>Am*`r1xImtC3{yfS3HA=R5E7eD66<&S8GmN*awuy1Kf$(&)_%x*PRt zC+aA%pXZm=1(V7uD`B1%A+x`5t-fRptxWg6;x`gY>flD5Y0czD9@;2_|CXC`G_>^Q z#t2#IhkIw1@reiA7CKdXjiB^OxSQ_H+sR{r`Ge&0AKa~sDbUceh;M;z#^|_78kj}u zi2OTheT6&`+@f8yfL6ey1(BjKXK(C$oqJ^bjt_Rg`C;;@_5yfJ&~l*vfp-tl>2+5F zUd#A9Sn}y?GXN9`jDT!Y2ob|P1)2bMB3+0d`w+0Vqp-OgI+k;G5R7m})v9AjvZGV< zDlv~)(|LsuV{NSHC3V8IZ`Q8j?Ex7(-#n(Z^HB!O;F(}sE-Q!CGyM(GIVowHY~zcb zcW2T;oDs(qLTU<>Z~EL!<tNpA)VeMH7G!*9yPrsUSek2WZD=B<=!P1ozK-;~+WQon z$27;ODX)`!L$ah`Mo~uL%-l@p?Cgb3kdGPD^Ky%4&LR6UGV-%J*(20Dj&X*R$OE<C z3_fr$rk6F<@KOj5#F<5qByMMZc1dYL(QIc{ZZS9+<b(9)3GtKhCC<N01H@(V21l|W za@0Biv=O5ZC!VM4p3vux?$^YE)oF{$u7{P$V36$Lf)^30uLw1OcU}9F{2WKIhov3Z zA_#pI2AW75*8}`bym6KoxBdgq1N?QoQG}SXn9#@yS2UC1-Z(-R#(Q<da+Og5mKZk0 zhQ=3bjTSzNCuNA)ir<nhjp<58UI_f6GFvNZ+hvCEM;tp8)R`CZAT}M)`PLZ<EPNQp zm_!nJVR0w|CTUoWhbGDjajbWW@In0Qf-$6HL9h7eX|M1*bht=oQUvY}N)_~tFc@Fq z<}4Ha(LqSH&n!DB&2RCW4vd_&wam?h7_`X1Xt03`zs64t!oK}(x(x?jK4{P#4pI24 zI4eeEJrbNR!0iG?3AiWd^14Blj5}GNv>CKS{AE1T6v-yQYXWlWv|k;g8c=fq?^wbw zaVG2}bE1B+#aCAY(I_gR=3#u$H+;6|@N=AH2a-cF&q04ttc{N+npS-!tWPlqkCJeV z8=mk}JfQ{of#HtX5Qw?#Xq_B?5oZQZib5t8(0<lH;{`P_cH!sq_@a(D9LBD}96Lnd z&*=Pry8!3pC&SABZScjv(fAuU3-Dwu&GDOKkE7Z#Qhi!IQ!P~c+Mlp*w$FxB{$7S} z_+{Eu>r>VXtfiLU;LQCqElVuJ%!kc4o2$)k)BC1#O;hl8IJIx55>Zm*zvOLT5tu4{ zCEX$__#^xnoVvdrzQGs3z0nWoMRX^41k|7zaN<7_J`i>aSGP}VB~rew|GH}6*cym8 zKID=?x}mJD6OBl0jyIse{&(MTy!VhR-XIJKi5^}b(WeUBwMbV9$(lBo6=?i%G9cOv 
zOxB42%}pvGLWgMKR4;7LATy3l71SudyJJ^%UZ{RmCr^&+;w;sY<V5Y(kG>%G3Ybum z-RK=d<T1kvJ}HhV8uIe#zJ2<x{9`Bl<?%*VNSEp?fbm2h&0#H$Y3=;sg+JqsMMXph zA~G%nLrBL`7(E$-?uc$z!^FaPvc3oup;&c>8HPha5b?TrXHF_XSn7y5E~6l+b6@Y` zBB)akw&49nMn?V=VtzcUQ4!IKVkI^6XrYh62A&RmQk;`x9<#7BMWcvJ3S%=m+T<N; ztQPa)^@bwich;dEfVmF52g=%=hQ-<O^a@BwY){-ho2(5TtyhS%a?N9wcV2jy59HQI zK(*7?ZQ7@_uv|y{r&z8X?=v^vSPR8CzQ>d}GoGTD3loIc?vPs#3y?(3X?Nb{uM__m zXVtklmn=Fm590C8oKRyO@g1UV$e1_tci~xzP4QZ2E@|hT&1Ku|Yx80D!8b&;=NE}L zlgTBjKhH0t7Hoyk)H5o<>;h|fq}l7*9JTqi#I(G|IEz>C%-|_W&6UUca*3<s39npe z`A6AqkJVDdhIsSnTrwAkty1v8s6J*MBZlLwz(c8FS`eE)3v4i8`sq-E#rk+c3(|HR z8bl-~oMO@#jI>XD#kvXRF=IMw=#Uat(#ybyBgUXB*2Yu+AUd4KQnm(eP#3JEC;ha) z;Z^ZuaW3)e$_lzb?S=as(=t}Z)yp9vUjhBk9HTk}cYCQq@p>j?9?%V!t_ax*ql>mm z;(yVewB|SuL{`D-V7Esn1DseLZ^{X`Og6mZg61aDr*lHYLpb&gRK<S-pu3ah0T`ml ze1{xW(_Y|U98W4}T%fjt`M(l&edx;w%yXNB5yxm~GwqpF#&I_xnHXDWhu4qZM~`vo z6)WN^Mj)KC8yi8G&V=q=8~f<x$EiIK$}yJo-26f~!eo9%UT&7*j1Xbpao+jANaM12 z)3{8K#s-rf42)H@Me9y^y#DYH;O(U!m2#|w5$38z8TrL?a_R9V`c@YG02X+J5_*P6 zZhlGjjG`Em^|*K=V<w39>EJm8^S{noA&xu!%LD<=H7RFC3z+VY@<JC^#1nFGsFMfY zSYss_Mc4^k#|la0TxcG%sWWi{={vTlxPnC2t03xKhw+#Q`@%37VOu*p^GUcZ{_BA$ za&~@hMxLu6$5otNq@M%Ru?oXqkFYm>+5E87!=LTHQMOy-i3`wciLp*s%!|MW`>3VB z`{MOlNEf@Q64Z{^{ocf~*)FSu+vBOFkO|w$;LHlwfuuiP_1+b~dj0JNI=b1VwZ5XJ z5!L~XW-pW-Z;XO+fNyOOw)yIsHCYd=D+d|IUkoa<3NHxLgmVSq3z+Li9n&2)^(FNR zb%8q2{-*sJd%1m_?K|5x+X=QAHanc%cZ;>jnr<~&-mqM6sj^Hk{|YDfpKi`GJ4`Q| zE;r3H4NzWJE>!ZAUh+Hgweljlr}VOPjZ`k2s~rIUf?{ca_!b%^UMUuf3HSwk8D51) zpij{iXepcD#hE1)W`iIo46gwtKO3x$4Z1;wwAxG%tg&(|Tk9<hICie6hs2Rjx&N*$ z_KBnQ6y|}}Q`8KmUSfZn9;_*A35DBTZ^WE9YBIQF=t4aLlB^Nd{dE6w=+OqR@(FX; zZu+B)&?K=3969OgGO2^<&EVNfR>t(v6s}ppDll@zjxRXg7BG?<>|CZxP_$L?Y<L^N z<KxUWNLs_d+OANtXEE&T#N*;Dl@{hr(j&&MZVNxg>DEx=V7P?Avl09`JBC7DR^f*@ z>$;E*q(L?uI>lu^IaDu$oFP?|IWw268pj?XC43*Ju|Pg>j02orm0egu)|d<6lrK6A zwin^M_(kZ@;azYD8m!k=!n6|>m54cz%*<k|03V5?GeZ$Nyatc)qvgfGhvRjnybcq5 z#|tCA=EmLI_)xspo<}B`RMl_KKp#Q4`#)sXE@6bf;^^McrBj{r$pQlCBWw+f`A_m^ 
z5VPW_GLSaVo|es(+Y@ER8Al-z=#L;g;f5eGoP{;55#24=XlN0q$9wK<-AbU_HrPG& z#c8HaQmak-bBh^q1{f#?Svxr<n^-lc{aL2PlOWmf5|4TSm?7)iVA>PM^*_%hv!)!_ z1gP%`I(nz9m=>?^LAqG8z)|PniBscO9L$um;p`OHrBhc1yMke*0aib2!4K|OJw}`o zXKD@=2h%2E;{n(Aj@L+99@Je$?9qJU<m2RVOuZSTU&jla6lYL{a=^?gcG3uYZdSp* z-}Z{182|1twc_<nhK#tYP-5zF?jEb3l!hBu8INoT#1mamZn7p)OQyK|1c175ON?D7 zCC*v`dE{hgDG01a*r@}ru+tZp9KW%`^eMZ(B?PLAJ~^-DZMCDe{c+}A<krww!4lC~ zTk*xw(@84Wep(l7q(?;Lg{o@|lWp&DZU=3(J)y31w7*zS{GI`$Xh*8z8aOnvs;WJm z`#7(JYlc*U!ZNCHI-C?o^_W8rB$`9a0ia>7sRz}eGFA_o5Xbfa$pS1HtUI?C&=u#w zAUc_Ile>T?G^i9t#Zw#~M?gb5*lePw)8!gjbZx)cxHvupkjT$(X7mCS$Hq?r_9Oj1 zM@yqIalBOEE?$=8D8WBE&Rc>M|7K21jQ5tv0)I{@SW8Y11$)m?2H{chs$Ji=0^8eR zUs`ABM#d{CS<#P4(Ba?RUil;9$dx%{NgqrcWTHegt78j0JpMBh8(w<?YB6uW;jlR4 zKirTECha>nV{&LuJ2d`t{@WXI#xZDswr>>P#SLUf5Iwa)-+AAD_aSjg4q3qYMd0J1 zy9L6eo^IGTnAQi!nbSeqKqqNoRAbBN?ROs(r)@wEDX}?_t`*z!2gVVJkdBzaSgAV( z(DoY+i1U6SAz2|}36HTH^^c>bLNa2SJ-U{TKINxh9BmDf6T8<j$&XsU7Zc+6TtIq# zHGx>zbwxXNz;0Jt`5L^lB-pW`SL_SZ#k4q+$p0WX&I<s&9VTwm%OWrW*9VFHw^mm~ z+h4%a<0N!<BrGPU(8W&f#3gaM3Ay9H3@?kp#a@_<-x0KzwHvj1Efc=`x7~3P*a1X1 z<$t4EppLMAXur+A#y-jRo9%vEt*zA7!}=_I%`e|N(DJ@zujOP*g=Mm(zxg@y{pJQZ zt^Y&QX{J<VyE0F4DrWf!`E+@)JVyFlx=bpS`od0t%iyg3<>Cm@f<K4bcKz2?1OL}* zz;=>J5mdFWnwC~FJ!{}e3i)fInja*7G_Z5hFbPXINhUvgATo~-VGCrbCrOGhK&?<c zscx4$;BFTmv9sRJT>zaYi6p5{P4xsok@a<AJMMWBCQ<sS$^H~qa*7`cTUH$zauOn; z9yK+^2j1cCw6x-RGvEsVB`$J`cvewH>7tVa6T|?2XMd{Cm73}+g|${Eu?1B-Bg7e8 zKV`isyb5ff<DKvi@kXwQ^%>Qdcl3vZA7ITNj+lZ45jdZrA~LmY6S;kznw;!$xs&~% zEINY?HLw6h3@?zTF$mwJ0LfYdQ-UVgWuV^@rgiM6w6+sS`mpMDdtE6$H#@f^=qz*A z!y)D5NItS;rkBoHRz)Tj#1C3uEY?kx1#KHi2CX9l-hj*P_hr-av(lE;lAWtfHFfkT zEwW31_zsXKkIgv}<09KSrELSrv3O*_?T3#KxY^eYoHZ~vfa-y{X+!IAk|(vTC&}lk z?v!L#Al2JmAoe7nt%YG#X><e@ev_awE60p$TSrpls{Ukn_bJIGY>Qp6{Vw#uYs1x$ za!Ok(iM>ko`chp!e@aJecuhP7d<KNP<c6|H1e!2x%Z`v22d6GoPHkIDlGmvz0iP@2 zOUbU+mz=`-wnwrx6Yk<91+0QOxRYcFZ<{!rvkL3owuUtSanSq?^I>mW3(2=sZwP+3 zI|Ez}*FY<S7Y3_XG2Vv-<o(eX8YypU)|+Osn&L?X_Y`=0`l7>8@7USIDouZ=O4xBi 
z-k|=W6KGJz_5h761P=`U?qDk$ompHsW_??eev@j|o$Pg`dOb1i|364R9?D-^*6M`g zLcsOL(Dt1A@*JtOu-?AOO<_@-xW>TWq{c(_bJ`;M-EHu8lVK}Ts(yFy@YHQf##TrY zmN$miK&6c*RR?vhZw;uU{v=M&x?AVBHR|~dQUmT}Sb_DzA#?DwP^D%3iv=W`ig0*U zh%W*ib(gY;vjMg)knM#8!_Y9{EQ`#x)#L@Xswt_dE_bSj<U5QOU|3AvWShltGS6vi z&~xdT3Z2Ib$BjcSHBC*R`N9;XqlEvG%Yx$KX>DPWQ3RT~*X8#4Nk)mwXNDt9iB3}d zs?b{9s&<^RB(&92NzIH$ya~g16>{6^NbVbZ`}~kQe8*IO*s?nCQf&(U7aljWxF~0E zTP?{eN%eT(k>QkVCRxZtM?a-xWZNndVXEp6xS`8I&Bh8fE|bFbgWFcpjE;&|3r^1! z#OHZ(TZlvmsovyN&=Hf1g07<)q~2+(g0Ngb*Ky!wfd~Mv4G^OJ+iFPaL@1{l<eDdw zHjxVbxW!3r)#S%&H96JmO7?q<SqGivL3m}PLDmybZV(4xSg(%|(EyvJliI3C;<>6H zgg6XdSz%{=xXBq@3vH`ia4;DTZF62x-q5xnNs+920s+_nMMf=FDRpJ_Fv%j;p9O7| zdP^Uwx<RyiJ?>1h{t<-1q`neF(~Nn!S?p^^aR)0FwZ54wW;t0+hZ`f)+bYQImyb+I z0TCbYFd5wdqP-&?8F#?+#`+-5Dt4Th-d0XBSp(y-7uFC{$<X&-E=iBJGSWszsxzUJ zIBV#kJXvikNY3j)Dh6E1UO%f(A~a%O0i2;)1~S1}0ZwhO?`$*^9b;gK)lYECY+FvU zX;o7}Veq-V%$>kl!FDR?569o9o*BFxXe?w`Per>IRa)CJl1o?(ctC!+{fl6?9XO}Q zG=-4SE3l5bUeGZMq}Zgkr6dCozfcTsav-x7&H*`ElIpkDTQ7SW_6+W}B_we%^c@(k zl2b`XjWkz*n~MI-W#Ap*;?Kis&)>F~Bw4I_U^w;r+`RV_B@8+d+?ynTC6$iGOzu9d zZ4pT}W1=5=KxzsMjQY!T5?2m#^p8_7A{_7pPAE-<hCmoubuWq0Z3{^jnX1?8hi#eA ztY{Wcuv!q%u^EhOTR@`bs@@bRWJ)TJ3JY@J3J5zE46!rYN=fXpksfFezJP}`wK8V~ zQAWt#26&b-s-r?@)(<nT;|I>hI>t|Jn@@77Q~iDqbW<<MWeu35S*z8D7hR^7gOwb7 z2r5BofMx)agdSirrEMNbze@G{d|)=!)7O(7pw#_PUrKD>YT;~w$tQF*nk$Kw)>cB2 zht<?TDyX4us6&t`b;ds9Bt1}<UHUKz&jTtdG;X2+_}hv}28&g<FU6JWapyr>FmyO4 z?8?;_S*ys7N7`{~Tc@@a(Z@~+_`wM`nLM_x_mbXC#%UO}kIIM2M0NyiPTO3Pev=B1 z44X#-OjsE23`#VSSx{r3Qj`as%?-rT3NHpEFl_9tEdzV)=(a+VQKlM5g^u9$XLKkN zpfuCA0x3u{@wOF^sHJLv$QB=c;SC_4S|Eb)&K)YQt1X`-nxhYyK5ue~zFtiGlM8A? 
zSH)q(hdo5PUNN?94v9ZQ^#+nbfcc8`P#CAFplJ+NH`BF8QX;GACODsbo1jg0{Oowq zai`;SM-a~cAEf@KzOFu?UZ6Ip`RaJpYX8)}-+qIAlYN<evOU4}i|rNL1Ge)a;djW5 zo<wW$7F>W$QiAw|*eJU2C#FHlyUI06xiVb-M7~%qltpQ;RApKU=M1d1j57aje%5@Q zIr86~`b{!>=!f<SN;8TJ!L5Ou&{kX%gh@$8ImjmP3n2e=1al*ca4^m6(LXDMJ4tGo z5O$jU+!<yMJ?XcT<V{V`!NC8vu?m_+`~Hs3@<IIy%^td~y_0;P{eT+DR^yq$jI7ba z;u#s2JIhcwZz_8()Om)`h}q`l&XRXK&SPbQ>>=Zj-i-8>YU(M}N$ny}iP@tczuHMD zGHb&65oEgC+B|wpIh$ZR=QfjL0YNBqRyc3E*+b7SKlah42ccii2k8WDIZoA}12fH@ zdAeiNvFWo4<~Zp$4M8`B6(;VO*I7Bx&MdP>KU=G_r;D9f!xkZS*6Oh>Fl`>IqD~qh zJ^Zv7bXD*bTTSZ3nG=R3EZx`actsPgE--uOaiqsSqn@k2MhIt9=?CG!EbCt$b;lgD zM?aaa(?<nG6q*wZX2nfp%>LKxau%CC>*KruaQLRPp)B3o*jZ4%5=Iz!emKMigeO_{ zJMNQTHO=hFj+-}e^!%6Ru{F=^(ZATy$qUJ?CxsymE2b2nP0cE6DeJU}JO)if{}APW znptPPXm>uV{7y2NSyEC6)lN<lr=F3-{@>9zJIM}L9Y^HNESZxR;|bnLa<mJQ>)o%D zra)RJ%m@m(J))EJzR6~f{=vvj9tK=+gWz^j8!iJ+u4B6jYCBHJjgG9HCV%fZf&(_Z zt^$3yU8r?(dtuA*(!;TLjU78sJH7wH<4Dz6#qg=U(qK8PmVtpzSI^=#Dtu57#4rE5 zLuFUGt{Uj7f&X`EV3>J$U!xayiVyt0ogGKF?iykqt{*$n;p?8_%jo#1cUfmy1mLsZ z9iIc+=VV!QIG3jQAPQHL@hhF@;faazM7$^+x7ptLZ8{=6*I6DZ6Fd|A?IpQ=D65dz zrzKH*JW6=DdANSM%+WDoK6IYiSuW&L=o5J^Me$;!@)*nG#c2OdUe9<j+CSaaFJ6rH zr^$^Mqy6QyK&AB~O(gbt$+L8PqP{L(Chb+fva?D{hH8yz1=Hfift&G4DU27#-w~%E zUL0RXoYHu4yd7~C$BPrwEd3)`V~B0p<hkH~US@oL9N$dXxC#4B{<D(}#Ns&aZjebT zc+zz2xpE$Rnxj~hYxb1J(OUDeG77=<p%cxs6D0-hInKn79I4acB;A>gl1}#5JI%uc z?J+H)c^zLk?r_vQMw*AI&%vJmS@vJ;58LbEME@6Ur`u*)f3e;Nr~i$D9sf_m`G1X; zY)gXqOV|N$fjRj9j)3hdX;%$&)j(Gbbk#st4RqDOzt_NYvj@(gQ`JuFH()){7axwV zV~8!|%~QL_C_Aun$DB`yZ5h7Y63J{=!-ZG>J#xE7jtBjF<c^O#UptN!gBh|qDMq^{ zpY-n;x9jw1$iGK!pU<G}|6Yprxj^E-XWXuc3*WfRQ|W1x)CAng<8@3BgtPuV>vnw^ z^_^n&OpSSgF?wiZ!JNF~TG3F;ajcmnar<$6*<e#98{v*???oGqV__xsv|@Ui-*L+% zTzZ`47yfYvFimE$!(U-v^zoax0K4ttTA}BM8k^u7GUQZ5dX#8P_3<eQnsppoA*^gR zLbbGiqKBQa)|oz!mKT{lp*XK<UOjB~AuA=Y*a)A$)9vkajTh{=bYZx&qHTt`ihkNm zCkEgW;x3|_p!3RF^-}UvEITV*_v6fZ^qi>U$x-`JJ1G->=s2cXwxO1MW>t46>m)r& zm}~av->U9Js=-0L;AvK<dzulOEd6@GzqA093oT#<srb%nDX-X>83Ol7FgSzh9@a}b 
zDN_$BXyMe!W0!Ea7tQfoA>KCM?4e)t>MRT00i+mqE&Nv(mo7Wb0$TChy#IWzx*z7M z>2Vq-IiC5rofg#`XCXpQ4ZA47+eqIV-bwxD<(NHl<J=t9AITaUxWIx>9@zES+G{7d zpnb>b>Fw(v$65cwmmX)msQ}su95_H+S~?5>u$>#+vpQYQMthIb59YwC4B0OU-&crN zC+HR#6acgK0#O4NYrkthYF}%gY9DFuXs^-0f7cJXVszC&R}FO4KvxZP)j(Gbbk#st z4RqB&R}FO4KvxZP)j(Gb{4dnNvNPAhT}#fG1pm%EZ3Fzf@YLz>@1o5X_;>lq1@Ldu zNxk7;XS5i@Mb;ida2W}+|3lhC+N;{*@K@J=T{X~E16?)HRRdi$&{YFnHPBT9T{X~E z16?)HRRdi$&{YHf<29fi5;WsYhg&6#vGA2}H9ie~8KM7)Qt>cp1^k&v|Llbx7kiO( z!)WZwgy&H+{5jMlA%rI8g~|DUFQW$q?K|y5?L}>mcCU85cD@$XR%>P2Ty2_`qz%?o z$Dgn>;4R0Kj)xt$I4*IV;%IVIIEvt$0Jmd^!=e7AeyP5#KBYdQZdET;H>=HRB^>QB z9ZoNEs+#?8`&agN>`&Xb+i$gBW<S;5Vh`F&?3s42eW<;g?H}9Mws&pM*dDdrX1g4| zE4ap1Wt(TqviWSoY~5{w^&9JZaNgh!>+RMntfyPoTC1(|t=U$;b-1;M6<NN8GYFrv z?6llrxzcimrPWenDYfKSk}V@FJuTS$o%sXv^X6UVJIz;_&or+yhs+DiGt4RGk>*}z z(eyo>RrrEwx9Kj^)uuB|t)^=DenF<mV;W*ol|Piv;7bMvl>3$Im2;Ji$|_}{GDAsL zhAZ9Wf8?*^x8*10hvb{&3+1RBmY2%2<%x2l+#60g_)dCXdRBT=x>dSVIz@^|Wm17O zRT?MtlT6}I;>Y5P;%@Oy_yWS|;u<js-$BR_lf*%y4gZFZ;8*cJd@sHhpABC}4B=9o zjeU41*3e(*3-l&B2(O9$r$vjUAqeHcx8A^&t0Wvu(xOGikhNNLt|6q-uSE-uAvs#K zz!>7wqWQ)UuNIwS49V7_dB%_|Ejrs60_B-y3|XT^a}6QA3$^G>V@QD(onZ`tGUpgW zTC`}kF{FnU%`%2`*P@xmkZxLZx-q0#i)I)@nzZONV@O1crW-=$lxop5V+hpPRAWeq z7M)@YY1E>V4Iz2(?30Wk@az+fA&^h1F=VwC4H!aZLp~|S5XdLl7!uN=eq%_37WElI zW`(t=*BFwZMLouldM)ZUgyhy~(IjICyo(9O5O^0ZV+g#9@y3u^EjrE^vPz4NHH6Gu zsYS;aL*Tha8$)WeXrdux2E4CP#t?X4BaI<Y&m)W>)mn78AtVR#8D<QDe1;lBARnhO zq)LkpF@$78K7)-Rkk24vNKlIoG=@}a(E)~#EXb$7F$D7IXAG&(q6x;3axL1|5RzG@ zMf(^-{93fPF=V<H?PUyEp+$QdLZ&a*qCJcu&=R^EL!c#eGloD*(2OC_>Kw+9Wm;4< zgk&t%qIP2ll+b1jS*k^?hLCBH%3=(Gdzp<POSGuT5Rwk56l2JIEh-yB7HLt*5RwMH zQZ$A@uf)cXg<2FDLl$UJ!4NXFRNG_>@M$L)1LkWRjREtt4TgXzh1z;!K#8`_7*MRW z8UiL4X={xEJ+w8(fbLq0F`%2)Yz#=ynv4N+wTK~LQlZvp3@Ff68w2vS24lb+Eo=yw zn5Wen17>S=#(-H`tsx*aS6gKaNYGXq17>O=L%@8$R$~mv(W;FBKCQ|a;MIc0fNZVO z7?7n^7z1W#<%WQHeyz+HkfW_I2Kcn)#sIIj%ovcZEj0#YX-kX&nc8AQK*=<1kue}$ zTWAbO(-s&5rfa3ffDCQEA)t7gHqRK4u9X-A(%|Dzu_{gRRL!W-6i?BN3QfST8TFZf 
zPcy1B0k3A%W&&=_sLTYCG@~vPn5-F9nH0Zf)MQe8no*HS@oGjrCS{UlRAW-yno)~M znW!0+nB-K=sKX@tG@}ZW?A44KOmc!|RA7<=no)o8`!%Eb;`eDr?ZxlajLM5YMKkIy zez#^+UHnO!QFHMpYevPz=huvSi_fPS)fS&uGioh9k7iU_d~VICv-pxUqsro&pcyrm ze3xcaSn|hfMtvoJoMu#4^2cgMZ6$w<W>i*&4AP9c%8=2TQB@f{NHc0GgA+BQqB3}t zX4F%hBQ>L%;vAtFwG`)Y&8Va}hiOI~#W_?nswhsUX4FueLo}m;;vB3Q^%HH7W>inK zftpb}Nf@9Rm6L@2no&1#^wW&0iKB;R)Jz=RHKStU=%yL<5=Vk&R7)IvHKSJ2r;lb- zO8WHHj5<l5UYb!QQG04ejYRFC85I(>yJpl!)NYzl9Z@ySsEw!&&8UoEnBE%17PdP; z6|r<o&1?=(L}LE7IzSDH`P<?EB_!r=_>!LCZ<7NQkeJ^U2dE!0f6ER~K4Sis9H4r{ z{4F{_@rd~wtDtsREbUWAtMVvXgx?jkKVbF$EA6oMzV-�iM$KX*;wBwL7(&v@5|L zaH_Tu&Ibr-%e8shY%N0zXfADpHbCp4nH_&Sesp~9_|WmX<5|Z($0Lrr9XC0ya$M** z!*Qac#Ze2Ef<=zGjv0=r4xeM3W4L30qo>0L-xv5p{XzXg{TM6<FRM?(*9Nw$_k#W4 zTJ;k3Z1rR~CAASw#4S@7!uhkgYK9t6UFvW+C0$cx`ycl2>__bH+F!OmY2R&s(0;r9 zdi&+}^X;eGqxM$&YJ13DW?yKZYtOZ3*eBYP>?7?1?A`4q+h4XHY@gZQx4mk6+P25` zknJwp7TXoJ^KGZvHrgV#kZn0w9%kDzYyq3gHr&?FrrBicAJ*@zN38E!U$#DJ-EDmk z>=4&mFSVX+J;~Z?4O@fO#n!pj8P+tgNQ|{Qt$nO^D~9tCzOfv#ylr{Wau942_gikY zTx+@5a;7C}S!1b#?<Fj>6u{XDlPw-gqGb?RDlF!I%s-jGFn?%%9nMAEXMV(dxA`XX zmFDx!r%D$~XG&3NjZ`O9NDIN1kS$G?JW`@GNa`tB#DBo1@P+uH_`3M4xKDgUyj#2p zYzya$r-~cJh!}z|EzA>VgN-2|y2RmPKT#89{0II{ep=oG_KQ2^8|BO8bLCUy_3~=D z8tfRwa;}^%C(GmHp>khY1$)MC(l^o}>22vn>7cYzx*zNs*Wx3}y~-`h)$paq)0It1 zGgwE;lu~7mlBrBol9Z9k0HwQPlK+x_kUx{(mtV#2nwFZ1O}VCYQ?hBCX{dRVd5t-2 zt~M_>mzoQ}B9m?on3K$j<{{?3X3cCe{bTyY^o{9=>3!4drsquu!AA3t>2A|4rfW@? 
zn$9(yYT9I4V+w=4CJ}5keNCFlr2M1&qI{zqQQlWxQ=V1!E05}i5{rZ|_KNjN8>9Kk zN=7NlEJn#nE+fA(laWuE!N{xRF!CtbjND2Vqa-Dh(FA2WBbSoFXuL9w(KscY(O4yo z(HLbaqtVI~Mv2N~Mx&HTj7BOG8I4d<84XtgjD{&GjD{-7jGT&}(GbPQXt3gCG)VC< z8mPD#4N#I8^;ae^>ZiCEB`D(=^;O0(>Z6Qh)LR+DsFyODQBNh2Q4eJlqwdN`M%|PV zj5K99BZo4Kk*W-3WLKPw<|!dYB}xsWVx^i<ky6EIt`cNas8lj4P%0SZE9H#lC}oWD zlogC-E6W+pQkF5wRhBZEsVreMLs`ryM_I%uTUp2`OIg4uQz>OMU761)Lz%~Dno`0j zT`6XirW7%ns?23HMJZ%7St(#NNy%q4QJKRiRmo!%P-Zi#Q=*J&l@l4QQZ_MKshq$l zq-<nVqikSQt*mEMrL1EVR9YETDr*^4C~Fv%D=m!5lx9XNlqN>Yl?bC{N+YAC%4$YS zlm<qNl`x}4N<E{6N*$vGN-d*OWfgSsDrOM<zj$HyYgSHY)TEroD59Los8QL>Xti<* zqXy+<Mq%Y7YHpuhPp`A;^lNHvExpcMNv{d3^lM;p9=-bK(yOnKUcCkM>dvRvq&fOE zWztM~otQ(f{@L{En?<kQTzYlS(67m<+4LI7pjTfOy?Qh0HDS7b^`}gw*W^j`>Yqlh zzI1x^rqQc=3cV&x)~`PQM0)k5(yKQ>ubvcobtltnlAm5Da4BU|hOj!bDuWqWltGNl z%0NaYWdI{Z>CZ@3`Z1D}1V*CLml0O_FhWXiMuO6d68=Z&$>?vT2cy4~?u`Cax-t4g z(HQ-%fFegm7yO%|GWu1qGx|lb>EsdiAS#hO!WKm3l}ES$QF-MS9z#?%xrN<`N+dVL zqms)lT#Kl@N)mP<Du<GUorp@GB;jU6B~p@bHKLL$Nw^A8$(1CWhp1eeAnZU?Hcb#7 zMN~FT5VoUIGb{k%33-T$FqiNUq9Vs7T!yG<atW6rDw<rv*@%j!@xnGl1=4uoL6om& zGCmPe$uv&biqiGx9tTg6!RT}}O{cNKEodU6>(LZO*P=;`&O>R8&P7uhosA~zGzOlQ zj&5Uwn~<M{U5Mz|HwK<Im4%&)=*T!4N<drHXyHcW)qfo=+<-hfB?{LgI?g2u*C9I2 zB|?4EaV}A~2GMaY5ps636z8HOokl@@(-ChJ)HfaRMhRCUI^vBIu0V9e8zo$h=!iE8 za-pN;NT^&o_Kk$frDNYn;S%K3a~>&Nh=%D^I&wA|st1h_E=IH?j1VqDgY+Lq<RRKi zhC_VX`iDcCqOE_pa6Y1~e>mKg_Lt$pxrp|cVGu@p#4re>Jz|(}4x&9`7`$fMBZdiQ zA=)E`31=eOBZdm6Biav!3a24W@43#Aqv>@-BE1eDMX$p~((BL>^y(Z=uS15>>tMP7 zIb`&B{qG@zT>5oz;#hheHHKaX(f2S250K{R6*36hr1?4x#Qi1O6bIr2i8jxH*e=l~ zI}js@HsgW9s}gP618_fyj+X-<1sy{NKs?%d`$HHVIs4<j64eg-!>@E)?T7nFGxYoR zgRopm!r2m)ya@va>*Y=8KS;m!>C=Z^d-tZ-UcK~J*Ske{oI<m(mqL@UheAYnj6$LC zB!vRu2?~DUAcY>n0SeuP{S>+h`}8|#gPim_aEN|&^czU82?_Mtw=cc+7(lPx`_pT; ze)?7I*^^#-^q|-7-RZSkH+t3R8&@4v?%8pzv|q0UJFb!rG73uc@$C5$EvUVRL?6c9 zU3x-~WW%eZU5u)vJ&b}9eRx~Gv|E2LTMua;h3?W`J(3l#ly))-NslrzNjr41;2P-> zMvJ8FI+<~`^pKv3S(6^tgG^A^2N(sV`x#YA_b?hH-K!@s^^mqv=q^1-L6h#&BPqfI 
zh_)g{xF6Bhp$PXO+IAG-UPRlDBHV*$J5hwY(M*>1E<{_ABHW2`SlAsXo6+qki_vW; zlhLh+j>cG3^*4d-c15xvWV7iPt5v^PEc(T4)-Nz4B2g4YzsRzFktF>hiuwg(NwQch zaQ+{fC!Q#1ziQvY&i@Z!_Wy$R1e^x=uy&8ORl82ROgm3IO*>Ir178OWYD=_YZ5GV` zQ^7A_6c~_tX*LZzesg^5IO2HE@v7q)umEg#-0RrtxEA~b&UT#aSnp_bgd8gzrH*_@ zwqpv|0LD6oIuab3Ljk{mAHf3fk@}|kf_hNhr9P<Mq28!op`Ndv2H$09flpdg!e=3h zVE#W%O;z3MXz(XUP#vlQJ_SG9zqTK?zh{5V{+#`B`!4%7`(5^%?bp~Zv7ck#Y(D|K z4C?Jw@U?>Z_I&X~dzO8Y-EB{_54QKV+wIu)D|j6ovb_!G8XmOmf-f1|X1mUIsqGxw z$+mU223xglnXSY&%Qg)x0TXN^Z2iF#!EF88`lI!8>xb4itj}5ZTen;9wQjXuYrWWd z7T5yTSsTDJVVQNFHP4!9on-Y`M_Y%0H9)mWmOm`tTRyXVV0j%p6%JT-fIZ+g%k`Ga zEazG_TQ*vnEUPT#U=b*^%&??^=fZf)a7%wncZ(Tp0zaF-GJj%z+x(LGN%Ldohs<|@ zRp2V~h2}HNQS(}uL06fVnoG>H%^5I%cA1Bp`@!s4HvM7x&h)A2J<}_ur%aETwwdlQ z-C(-RbdKp{(>hawsmip(R0MPJX{LZ_f@y@Qzp1;)4D;uol`oZ#lsA;;$n064-(RC# zq@1Bdm9<J(2`Y<~A|+RurUaA;$_S-D%<#?N3Gp-dLVPU0DL*eCkRO%r0gs3)z@Bij z+$z`074iakjyzos$m7A9&_}k(g7g!73G#jE73oQ77uXWEN>@u4NT*60q}5WDv{)(x z>&7H0Ng4s(5)Mfee-*zHKLXpvGvXd`n|Ql;op`Z$hSFEiJLL4`!i5x;3FlBq5YDC0 zL%4uKcj0^r-GuXW$XF_zNnx>YHihZJSvpKxBAiBHv2X^31mScY(iaP-QdlIMLSeqJ zS?`YdW0UB0%mn?1IgP>&3Z()SWphe|oixNJ?9w4`weT<nIz*L<Ey@|(LFYNt#PL}a z;rI+{<oGmN&G9MJ!0|~G=J*7vr+BWg4}~b6gPqb+jzgp+6wk(kr9}*3Fk4LVEa820 z0mp;rVvdiai#Q%Y7g9V^cn_V+@ojV-$Ajp6if0J#qO&-@gU;l55S_#EadbAt(}lOu z=^Woer*S-pSnZr9yopYxp{Ie{(kUDdqEk6Ojy6*~Rd@rnaeN)Yf-rHHI#oD`PNKM3 zcnxjh_$oSq<11(*$AjoZil@Nc)^U6ZwQ@X&HgJ3#t*3ah@FH5n@debv@gQ1D@gyii z9mmH}Eyn|B703N(CB>+)7u8TaQFsK+=lC$9`p_mc1bwQH6r0dsbc9ha^qEd4;Jf8@ zjP8`z>uv6Y9C;IkY<U9(zkDJEpL_xZue?!Dwh`YYM;P5HH|ala%#qhp$d;Qa_~lj# zK6woVuiT<1+ko$s!;J2b>-8Tu^pG1VbeC6C=q5Mlk=Ene<vK>U$*c4q*O$n(deAz2 zt6anAe0in*<GK<#qzAR)tumcfwc=Z3I_YY~=gZaluWRwmGMyx?MdRcZdeXIJawP@7 zTtUGnms9Y{bUL;M-z3us*BZP<Ua0@LrdD1=Ayr;R!6z@J;Fam5tP#~>`b3Sw*?6^H zhSg{lrVp|jxiNjp)xu?%R?lkTQe3acYd|Y8eWnH!!t{X~Al@qaE5uu=QyA4?`ov*W zjp?K@jH)o5Qif3w)9GUvJOr!t;)U}tt(ZFD4AfoEq*gc;QH`!v*o;&bb_%jHIvLp* zorJ86+K`1&6qy;Fh)nt|R&5ggp^$@Q3fTx#$U=yMA1M@kNTT3HB84PGrTfYggkSZL 
zl{vy+6taciDP#%1QSb|YQ}79YQt%3Y=n&c{d`BTi_?bes@B@V`;d=^x;TH-%;U@}S z;YS^6HVB_l$PvDwkS%;kAxrpzf?xQSf=~FGf>-#8LXz;g4%O?04=LmbM<`?qpHRpW zKBnLoKBeFj4pZ<7hbSZoAL&rFPI#L_tMC?u9N~Qm*}^*%{K5wme8PJayu!OW1lI~L zQOFVAppY%RN+C;lg@RvrlY&opoq|_*jY5*}vJRDNgr_Lv2rp2`7M`V$B|JmHFT6;> zCp=HVD?CRbNqAasE*1D%IZqF&SSZh-kS-TcNR#QztQ=n>&(wp;7s|O5(&gC{(qyV+ zm*J~rswkJ?OJ%B1m*Gp~Y&}|;U!FlBNv4YR3VfAJ%?v9bJ~dISfcVq&Xe<2kbP7o_ zHDoNuSIX2tu^bPQC+j~hUnozZkS<e0#WH+_OwAL^AXjRNSO&QU^k~cc@<a+rGBsE% z#h1%&y(X4Id>^ArWUn4=sbBU}NRp|!VhO%X9<Rq*f-jOMFd8Jg^k_@cWonsN44IA9 ze_RYVAH(Qkd9)sFv0omi2Q7j;5*b}6kJ4!&zCa$TM_ag19!6oBJd#4XJc2@+OidOG zK(11g#R7buOpOr>@VPRb1kayQp=(6*b86@{J4mltmGtTl(W|eTUcFWNbzV*xy=E_? z*Q}-Vnz@8t{pIxPTS2eh<@&W``T}~*D5ckFi|I9e5xu4@)UU<U=F@BXJbFzlq1UO! z^g4wa5sGk~^pqZw@AA^?cn`gfbJOepH=R#-M6b@gLg7&g1;Tb6W;X~APzVWh);YUS zc!-7+2y{X^D=gfvhs>%M?xm0*+^0isop29@THy`~tAyJr^bqc*&|SETLO0<~9cHc+ zZle$qZlzEoY}H{#wXlUksc;L065%EaKH+8^a;k*uD3l5}QYaCwr{EKA&>=f0Tuq@; zxQarla4iL&aE%UG6~g5d%7x1)lnPf;@CjGwkXa^NN@0a?5ryf(#T5L)B|7}?PYd*7 zq%9QMC@c`76bgltDHI4N=`giaI8kp;Q|F&Ruk$w2t8bHjol>%%UW?b!YvBg{I=QHo zUgtK^YeF-<_E<}=-Ph1-w-)_6sW3vX1&#EYznWg>G+5<VQ9ry%Fg<L#6XuDRn$9vs zO)aKXrWN1~Kg(PMtFv(Ut9g`pfVmsYEq{k~*-uPwnw~T5vrK@QYJx=tKl@+cD*zvw zUo$@qv(yL8x0$asUt~Vre1bV*t}!pQUuZwgzR})jueL9NHTfL)exMsx<onyfb;9-= z%)>vny<vOSwinjp@338OyTo>;?L=F%Z6&P6m)LS`X|NMuv~7^Bhs|XD6V~DnTi>?6 zU_Aiy@4KyAte0EQf!X(3Yn`>+S_*UT3~P#Y9IV6lwpuO!Sbl_g_j{I?El<EI{C$>N zELU01hdK9pOM@k7Sp;kFS(b@-6Fvi9jIYDD<8AmEya#`UKf<qzBVeuEA&U4{agkUk zW{Z=+OaDIc7V#=rTi-0M7aPQ&<dk|#R#<`mQT$ANPkb4^e7I8@CqE_cmLHIBm9K%l z0jJ3u<wjUnUn0+ybL7dgTOKL*mo-^}RrRl>kEJ(Yr@&t6A?Xh3dg&5a=RZ+umR7-z zfl?_?%8*jDpR~`xALAA6No|*QKUia~)-C`~j190iqe@$>6>8bqB(TGb(E4c(O?3R~ z_{#AScws!_*yGsdxZQD`<6`i^*aUkuLXKsQV#iGI!0<W}9RnTR!S?cp`mK6MeM@~_ z-4FXV?gG2ZW#D(w2H(A{1+R<w>TIyNB&%b=;?f(w{`immNBigY_wBEM$HgxD1F)0h z8n7TFo5sQld@qwl`CIux`4qnR_>yu^*#Xvro0Th-^ORGRbznQFguN5_;2V&txRhZ^ zU&XE<up4|Ke;~gq(CN%RFxLOT5RF3LaZE(tQ``>`eqxA5qaP_AfY4tkJ`VUh3q@nl 
z&lC@$B=k3nfX1QUIF3cXQhWmWFy`pRh@%Hf6b~W~W`#TmAG-X9hCYc>u!&<bmN|Mb zsKXdx;mIIYXy6mbk41{lKwdp5J`MYH>>T|Ve1yo{^l6Boadcy_9g)zdPykyvda#Y7 z8(S&9h^FCw423OtAjRiVI!@r2hWk={7EQ&yIZna7IC^j&iqD|QxCh5cxI4#*xEsY6 zQ3mc$@g1}bFJLGf#0x3Dg_dG4YmjPqYaxbNs!r*+lu;UHlh`-W5<Hitc@xdUMGPUQ zVv28|#dr?KML3URKU~N$0p~M>WCavoM+@<6jtg)u$5K3#A;g_U@ijCbXL6i}vpDv{ zGdL#TY=)35hvKVH-gJ&7cq+$!csj=fJdI;toW>Ax$e{QND#AXFbFr6WKb*ob0s9$3 zvSf-cqbxj_<2XEoA-r}c#TU_ZJOFIEWRq9dfB%y;K<oc%;V`<I;~{h<$4}4|96v^v zbKHWiqIi|?5xR`yhv-s{AD~MpUXK2jSRcL|{Ux#9dO7-2V%>R*@D18e<8Fa6JkD_o zIzaJ8;ahYI$8XTh9KS|4aXgG}<+ufHrFetzCAyL07w86x*9xDb>p6aguA_L3@F}{M z;}LWX#oL6R(cK(>LU(ce5#7o02XqI=@6qiXzeBfCycNyDi5zqBD2_An2!_IqcqGNG z!dGYu#amDTPU4u4CveQgZi+XfIe09`JUoVDKkVX|fX6X}PB@<87Gy>HDDFig(YG8& zpl>MdLBr8k9EYJV8NwL#HO0r!Q1k`G-RMNj>TEaKfLT@VM(Z%E-`%JMvj^G@l8wE9 z-Dn7AwZ03@z{6=~yHE}uMsX*~#zQIYK$&<D#qDSU`ir9r{mF4W`h(&l$ca9u_%IrT z4pV#x4Md+Xgr_(}aU1H5-r#6QZ!v_1_$J50=pBw*(AyLrM7_|f9DAad8A7sGI37l? zbKHVnqxb;ofnMU+9lc2Le$)*;&rw4!P`nRm=sAuK^en}Dk&2#X2<`V7iuWKpdV-@3 z9b^c7=qZj{(32GJMupfz@h()1100L+M2`LN6pjga5<_S^lR2J+Qz_nwX5-Nm??404 z#~k~kk0{=b`k@awCZP8@_C@b;?1SEA2sY&pDBgxFXfH=I+QZR=9^<H>-5h1Ki=%{g zaum@Hju<`45uxoI1@s6*;UDxc$G_1-9REVwIR1$q<oE}AfaCAzevZGP`#AoJ?&bIk zx`*Od!j<?Gj#uE5sUq=J9^Om?zeEjq9mg<k<yeC^Fa!%I*t3Zu@?{=gPXoU|^|*;+ z4PL`gIDnfuUX9n%RA1!b78>|D`au#nelN1V^f}roi9B?NggI`OB#v(JAC5!BzZnXb zNr>WS=sWQjj^BzubKEKZ!EuN9JI9;FUpa0T|70j!CjLh8Q}m6<MA4_{HSs$hx>Nj- z;|}o$j+@1wIG!vrVfHCx_B{<fg1#1+L^y)J5<laiUy7e{+$l0?cLePanY25CHj7N! 
z9f8c4v^$Kx5LrV%j6N4xLqCjmicHcRh8&o9ISe@*p|>~;IWYNi2z@59Hh&0xD!xr4 z972c1cR218Sx-0wnXz7T2r^@R=@4YbI?yNRh{(jtCy)b^N}r%ZA`?ZQK*`>u`F;YK zF=_V+WcC&dh0I>3_%ZrKWRm7%NXBH<$B>N4s*fQVlXf4YO(GLpAEOgQCaXS%%$NlG z5Y^#En(v3uBqJ2xN0qpYV+CHpu^cbwScaETd>5_2i#aaGOBsSFT0-$1v>Y!Y-~anU zK7#-MFxOP(DYKMx#jlJ}1}i;befcl>d-(`_d#HzMvi}J_|A*~w+h4FBfRhC7wr>HC z|8wjo+1J|Z?B(`Sdmi}ur`X5Yov^}hg;NE71W*6>Y%klMu<f+nXS>CA75MpYwylTN z{h)2Jt<aWjn`BFZwf%lJhfTEpYW>Rkk@a=!GuA!UZQ$d79jxo0VcleHvW8$)zt}p{ zI@Rj6CRzttyIU1l(f=0w``@xWZ`p5o#B!JAMp(^1+tLQ!{k4`d%Y4gh(?zBTc&ndo zI>9speBX;qHL$Wj%`(I?*3!%T5BU3kX8zIqp7}oWPFT;s#r(4Q3G-&~_Fr#qFfRg+ z_@H^BIl-J|o&an57)~kp(yW3<{L`k}Ob?n~gEf7RX_RS-X@E&qJ~4Gueh1I@=af5@ zeageio64oi4N8l07OdN^P*#Z&?Em;py&iv!KgQ4EH}F~b5`4XSSp60}J)VZs9zKWn z{;GDVcD8m0ocpj%tI!r|b>QpK26ly!T9!6Z%Xj?Y_)hDl_19#_i;jbi!;ZHdSHtd( z``{#q9gc`2gxee&9jD=k@Ev%sZef_ITN}W_0Ct9fjzsk#@aotL9v*MQ&W<zH6XA4- zm1>E)9K1TxRG&H;KP!y=&-8SN+2`1p>h<C^$A)%=bk#st4Yb#QF7ZK~+%M8W1#q9Z znuqQc!yNaB^&B4)YdP)~S8?1WuH?8=3~}5c)^OY|203mO>nH}mxrB~TV9XjS(Gd!z zppT@5G(rj<BrV`LP%5S92iMIUhPbzsO%d#LQWnRaQYOb9(sYK9EQ5#klBQAgK(cg> zJ*6~`J*24&A=wlj+FhDVF$rtZB!*Dli3}lbDv#ih0u+bAEmAnzrDTpa$<I-hd=!U5 zTrWqv<l$(O+zjCsNj%glO`zyP?@2C(SeC|fv`FI^3TH`Ud8k>Ub6PYWlF_*a8V||n zWE#*UjiPbKL$Z+!u_BG2I1Z8xX9&rLag?N?3?Z45hr-T7ieur~1~Y`G7{o)dG?3yL zh%kVoAoXVmar-eu|40cGN23<07sm}!PmT+v9vqvc?i~M+x^etn(kPBXzex^`1(M3~ zR|&ivU{Zia4w7s%a3uOgvQiv@ewHj8CrM_GKS?Hv!_g#3;rOE@Q*@$_#iu!bBtFIQ zL-9$D?}>Ek39dUIh>z3IA?SVa0LS;lCm0Inh;%{<&OPsm`)TN4^scy%<2&MBii6PG z;(Z+767S{srg%5U1LAIu`^B9c_lY|=?iIIl+#^21@iFlsj=RNe9CwKia@;9Cz;TCo zKgaFjJsh`+4|Cis?&8=cKFV=}_!!3)aSz3T=ne5Ij?anLa(q_2hT{S84vzc9+c@qM zZ{@gGyoKW)@n(*XiCZ}C7H{OZOT2;OPVst<JH+caZWV9hxLLfNW1F~@;|B3gjxFL{ zv~3Mc6tAX%1JLW@=^PJ;mvh`NUdnNwcnQb7;zb<yh!=8vOgx|CZt*;hyTo%j?iA1A zxI;Xf<96{3j$6eGIG!(_#qm7xOpcqy%Q&`)7jxVoUcs?Nypm#nm|M1Td{tb-@qoCQ z<9_jEj{C%uIPMjr9QTMPa(qlYf#Ys*Bgb9h297($^&EGI>o{%|H*wr7p2D$BY~#2= zJe6aMcp68$xRzo+^om%`@nx}!<4a;C#{*)MAn-pnixG}(VgttwVl&4Uv4vs+dQmLl 
z_<~r>@p*AB#{*&+$Nl1Rj{C%A9QTS#IPMV_b9_u($Z@y0fa5N)l;ciuKF1y6JdWGN zB92?dMI1MaD>$}^OF3>3%Q?1)6%_lT=fn(-&x+GHJ|m`cJRs(C+%M*F+$YZFxL3^O zxJR7H@i8%n<8CpV<1R6a<4!S?;|_5;$F1TFj+@0f9NWZM95;vs99zUfiha=2;v|mS z#mO8OifJ6(;uMC$L2)X@-smZDEXOCsF&v)|6FD9b1045@$sG5IevW%ZFULKihvQ>n z635*l8|QnYU80MJ?i9y!+#!zRxLq90ajWR&xLHi$*e3coZV*#Bwuloc_Cg26KE(e& z8Gj-C56%A%z%Kv0)h*!Tf1Y}Zx=w9StJEdn;Xgy2s(RH#b)ecEy!-#Ke``Nvf6M;7 zeg83Y{R;a6`y4nuFx5W6KBC==;2YhW{{`CtI7jeaHruDW`fF@UZN=b6kZ$wa#@L3~ zdfTklf2==QzW`7E*Q`&&eE%Wqoz@#*PybogsI|qq%DMu)_-9$uVMqTM>tJh7tJ(4w zc<>*wyaW6BAGbVexyN#o<qGiLKN-#&tcTtF3oLUi0r1<OZn0U0TKbqjH~(Z2z+?Xv z^ZRi2;Qi*U<_pZHny)rDnm53n_a)}J;7LD2nF8kywwZ1;oejSE51ZDQ`<o}jxr8}p zw^;)(i|4?{;uF(8vjqMY<)#!<hA9tr&exhsO?{NlO*Z8xlc2nBa>^s*esZ=vNlsFp zQeIJZE4L}vg4g~7N)7DHKS7BoOO-_M)b}U@6-E9IPAxnv{~<pv?~t#QZ<f!KUy$$B zcm6Mi69B5@Lhwt_y%OL|iQlAs(w))`aE9T-;G@tc&6j3NXTd21wcwr5OG=jD%oAyv z_^$Z3_=ET<oI~)Ecu?FS-Yeb=rw^Pbo+7Rj!(yelP|O!I#Z)+ZV3^ofw2KJ;3{CBS z>p$A+PsTqhR*EO#pA-wlDE?6~bNoRuar|CUIDV(d9KTg0j^8LE$FCL4@hb&!{8C{f zM-+b{|HDH+m;dJYnfw>WPvt*39+Cgxcv$|O<01Jsj-SZCa{O5Sh2ux^&m2FLf1-FI zs*!(Wh!4s?aBPyl=MmP*-|^57<Zmf%f@I$?gk)cHd{F+1<3;k99N(9}pm+j)PX3(Z zHu*D-@5!HXd{;ig@g4avRg+Fgk`M8~x8+YLZiKu(=D1D%h~tCuhaBIOKcE?GOp@Q{ zfp5w0QQQC-yvuQ${0_$l<+nM$DZfQC*pMW@$phbz-=G+Q3|{BBO@58z>+-7{Uz1<q z_^SLe#r60V`6Z6q<QF-<EWbc+wmu|3&nQWLj{p3U{4B+FaNB1%Zj+zp_^kXC#~0-% zX$I>;@)L}b<b(X@7v#q&w&HE_0glhg`)SnHki3rvJ}>X3xEAiZhvPQ+F^<p5yJ@Pm zA$b=Md`8|$aV36Q-of!H`B9Ef%G)Wn;3woq7($zRn1>#eAL979yp7`l`9X@!c%S?L z#|LHDt4F44%^~?d9=Kn=mtqq{y@&qZ6q4`efqUh<C^q8l@|_HYtK~a*=r;Lwj*rN< zF@*gAx6-^CljN=Z_dW706jwuDH#3C1ZsMWa<SiT@k#FSqn0y1xYju)*JrCS1Uq`VH z?~<=&2zgz@L$}FSb9_X;iXoKiN}5+)l6(dKeW!dm#Re$XWeg#&OL^!v`4Wzg$QN_m zAzwuEYDkhV<bjXM7f=jCUgtA}yw2mH+vIaOJ|dsP5XyBn4}DlZi()l?NIsL}Hu(&W z56Y+0`&JK<Pve0P$fr`Q!pr5&9GA(baJ*kWnPL#%C!fUeUb&6qJ#v&{C2o=zaJ*hF z<#?k!pJD|>n8)#YxrE~laxuknh)~4wdU-C#>tv=ruE1x=gJ|dqbfr9yAwEYQKyf)f zTkgm46uCdeW%w*Pf#aESUy4g1vpyV8mwPdUe0x(|f=`osay(V;!Ev+Po#JAAirkIk 
z$+AXq5pI*&(6$I~lC3<nNwzUW%Vm|Ja8R~WT!>GU*&wzMl8HRDNoE7yLP*9&#D$Pd zrV$q4O%fZ=7T^=4zj$bq#0I<tkPNX<NXACQQoLGvo`!<&u=FCwYo!+`&c_?2UpY2O zztg5OKVSNdQM&Xeqcn+)m-Fxj=?9u-9&VC;qQB3}mwsfFF8#tNP5PNeEWzugZ#k}$ zzM;RDq)Xp3N|U~$KNsUx=}V4lrO)Z_#q*^v7^O>JGfI=bq7jSm8tD+nCJFXv5kXdz zFR`JoC|&xDg{4VskerKKqz`DCxnLUokp4b5U;2nqy7UR7H0fg+u@E;)Y*;IVCx4gz zUYIYv!zf*PpHZ5`2FL=4_y$d0fFshY90y6S(WnLK5*r^2(xf+8*i`9t8ZjS7WfKj| zUnrYtU><IiUg9`NdYS&7H&tTe<Sg7EJxhO|g~JjX{c-`Hp`p3BUSdPu41AL8prO-o zg~UYrbX+doNwb}<NleIR;4<kB8Z`s2keFnjhL=lBh)=`IBqqeC;iVE2;?rOao{9cx z!llx!G>3G&L}Kzf9j%paV4<i+Vp2X`xLUf279l-PV)8x>FP5&NfoX}-)r@*b*D>lY zUCT(5n6RIU7fDQlPsIzR%joY@dq_;yPwg%-Sw96YkeF1Tf=eYP)hFZm5)<W<OC%=W zC*gS#lj@UjiNvJ(BwQ?=Pak9wE|SjUI9Fm)eG)E|m{gyH3nV7hC*geQEFO1`#H9Kp zoF_4<J_*m3PNxwj;#m?C>l1OV#KihUJX2y~eIlMAF|j@o=SWPfPsG_06YCRkmc+#R zM4Txxu|5$`mrmrj$dER1oF<*XF<sioF-_XQajLYQ;}mHf$H`JF$4Sy!juWLd98;wh zjsdBeV~W(oF<FXm^h=E#ebQ=<Ua5hjM+$RvOZ6O+q&kihq*{(HX%)xu(n^lwq!7ha zJXWgVI7X`GI9jUWm?#A~j*==lj+81mj*!YZ4wuTv`TtqM`2zTuZ`8(t|M+FFOWy=* zw8O#U`ziaK_7m;db^%t=&$BIpz3|<wKUiP2-UBma)v_JVv|DX)!CLkfnAxV7&9F9o zJ)F#zX6g$kvE2>l!X?TtffxKj*(v=XJqSCzb6{t;RXil_7cUnVi~aG7csA~d4x<N9 zBT5(k5*~+wc%!+BFhDI;-M$o;#~;WH*H?wAn;V19nZ+f=&I<NtSyL!n?`&ucHv}7N zTm8|QB+<N{-sFHQB_*{ZQD$*roHPrHi_@bsNV3&x0Pf}W1&V`B&bnYzS!G#MSrXi- zDOlg+$_hmq!jX`Ezp8MfGovuq*%*Yd`baS1j^>aYidDBa)#Xk07Y8dyQOlZ}!mj29 z$R`+ahFgM-&Z_3xT4$uGtYTGqG@IVko9uJ>lf5)aZL6NB4pKPFn?tpg&a(PSXJxRV zHr!eV#c+n;X+sUc+E9HkDVjxcn5%l-sV-k~a&~=$+_W*+5QKu4hiXGjt<G>&OzN@G zOp;=T>ht(r9-oIiD6Ko^=*%%tL3ItGT2ji|vg$~3bUKN=RP_WrF0a>{Sre>S<tz`? 
zmo>IRF`9zajpPR9L8y&j%uS*=nqh*3(Pq`>4!DxtfsESP@ET{h9v-f#u{qKNA1jE2 zn;R>jQp&?kHS9r~LUmAM@U)H1^@Jxon`(lMG<SHraF@E6+g6a$K&93@%b-T#MX(G> z1{LATU`})zDg7qZo8ohMQvDh5D)d^7&{xx0<&Jm4`wUiuAjekcnh=z%I4d_Tnocqb ztAP}+E5(z-UTq}U2=PMe;90`uD}xnH5$EXOgz5>$6miVtXd1~Nq<RBBSBl$R3>6ow zCNG%OceozjDm(|grchNCWLjTME6G_KYzfvzMn|WT)R}6E$LsQ?_={Vi{_321Wkp)+ zD{30U^`UioHy9k9LZT+YBd55My@A4-)<~$L4B8ucWO!G@qLWF4fSLmB+~*I>EGa2$ z|It|!EUOGQM*2o4kw`<;RKMF5NDj<s4pr*SEixoJk^JI;q9j9=re<}tN@zszHY0<g zsU(I=^`&~?#e1e7)mZYP0lj5dRJc1dS!nc4`YYGFv*G<hh45m>v@K&Fo*Ydfw+pEO zD3I6dV;z9Ev2bIk8oCSQ)Kn8{taLV%H9~uBZz^M>$t3j*H8sWUa;N%>q3M)|*BT<% zhRPeu8biTIO4LsxFIQ82epiY=Iin>Us&qEjLl3Wk`;cZ(Q5zy1ln4zdW^FCB36M>J zsE;HpQ~jP)cqz%W7tz+LH&ka+*jXQLB2U&-2E`?Bwme){9+?vLl9a39btbz~-R^%) zSqJU0A{1_p==l~!J$haDh9alB;Ef-fp7fR2s%d}Pqsvqd@~Sc%Zj8*1y7f#=YH}dp z@}{`6>!Dv(1dnd@P9h<LYny_N^?GNj3G2PSED{Oo9i`e?T$DQ|5KSUam^(7Xo9yy= zeOcj(W+LRMP}fC4aCLL2F-QU<8I2V+p(dzR5OT@U2_$9qNS_~GhsTo%5gPUG*wJc8 zg*Jw34e4A_7fClqP4&P4kqk{3`WP8IoF&0X6X|>8uGuYRwat1VMnuPx_(Kx|sXiiN zJDPlE>;RM!9Y>-qhn@i)%MH=0Kt6XA1s=X30(Ins+kx;b&dSRqgFtmKF*=qc%uqcr z2qb%aX=$uPx~w1NBt_E;67fdIkeH<^bV-*t;F%W*a?u^znAk%*Bf6MKijF3U=Bg=f zkIO@f&mY%NeCM39dMFIJ=eTGhNs$XrLQ<rX+Z1OMm*_7vwt?w`VrFy{iCqS-fyfGf zNlhaRJ<d9izqRaHD}#|xb-lBqrmVg?=!8}gX#g456#FtqMn{rdrmB7)jD&t~Y!yI# zg{nY^k*+j7I)cPo105DB%j=l~-Gy|Sq&mI$P`@qk1YxM)W4gRPazj52MlzzqNhZy@ z%<%dA^Yqc#&<$e5vOY?<NU_=2sCUnd=rEdx8{S$V*^{Gp0X{5~&ZCb`&Tw-R8Tu=e zLZBn)3PDHKL!(1U9?4MAK9@H&04*z6Um2{gh#6alMV%xL$ZI`LN=zL3$mER`Mu(6{ zt%;swzsv3O%q(k!Y@B5c4Im9@PbzPPzF1M)TuB;ubN!k!czKneiqz{83c5{GtD!w) zM+cKEH>xQxV)+Bfp!z^Bh9SHeG>nFZa3gu9%3wod5N^;e`CJhgD4ftiYwE+b;cBSs z1<^rNS|s{m?DYDRi-L8a1wl6TK{8wrMWPBC40PzocxPp7?;lU(p|0@JM+i1m7>YP7 zIxx0sl1ayDufRxCW3axusb)ZQ0Esk4g`NcimM^=p5#A)U#7a<~ss}{-(_d5lK3A&W zlNYXrF*s7u7;FmGw)T(qBflo99)GIK?{$-3+m)U%(FF2iHjI&8S85<7Ee(E#v4)C| zpy4*YXkQX{#*k#c2U@phKGZj96;6HhZ3F=al7|nzx%EVqfVQ3-?L$&!CI(Xcu0TpM z3{IeW(s5pwQ4x3w7_H!*pumogN!OdE^MOv7>`5+cgf0)GQpZ>dPgol!ilU)Dr$>8{ 
zbW0OGDNxE}PeF52Lvxc8+GAL6HAF0ic;P_s=($2U4L47X_9U6i9g<2EkYwK+c-@Vy z<DJD#M6DUGmwR44ZMv1tOpp@o<sKXDL6W)>-5xhc(A3;|a(j@&q^^#>Pyc9l5*gl& z&kgr+=YZ1M{#p~G-N=s_Fzltc+$kX9xvEB65~~r&b9_`IF=wmEZlZxh8=`k5&k9{v zFF=g=DTq2q^x#CI2tpMxZKD~ohY`1|{{OJ|9^i2lS-WsoPY#`IBOAwYwz0?3jIxb` zEaxQKa>N)jmd4Up(u_Pak}YtW7D6*3n2doXEen{OqseJWONM0$yJXlUXV`_^d#Y<% z>MH!*`|SO9|GnS$l%A(mr{Ag6Z&z2nJ#$VsC<|kB8!I2aNMKTl#*&60SPpp-uoMz? zV2;3yoRN$RBvM&a0qQPXz7Q{`ErEQU&Cv+l)C3}%p*OfPxF$?lVQ>lA@KgtDL|^5T z1HB)`(nNDdw!k_JOG!EiD-c{(DHsq_4&9?^89zQoP*f#l!SbTgC9#%Ry0BN|7#$m* z3PkGg<%=geY7$wV@fnAsf&PONQv&M1xFgxzmV)IF3T%N%BsCrm1(pf82Z(HmraKDZ z;*Y^%7zY&r6(%E)LMQ8uJFV3Gj2Cz4`2HoOFr<o0mx9`bDc)F)pps@N8LJD7YHWj1 zWz5Z^;BF${8lHseNSkwNYUgD<xTZZYXi9=5q44r#0*eW_GUE8I4yGmRvB2yVh%~_B z0@o(frJ9V}I7&q-1L0UvR=%*Mwb@ua*`}K@dwuo5^awXLTVgO{_VzIuOEskyW?V*% zHkfdW;J&qJ4v~bZ#t7V5!KB-(^PwnE1(OHd_cX>D8iQD=L<5#1Ey+0XVXp3v^=1WJ zgL%T*;%%um7=RI&UfSV!@eOG_FB5<r?EinEXEyo$|1IzZe^R+$xmCGJxkxz^p8K~; zNh%HS)V~$VJY||v1U}(|6?jVmJn`={`Ca){c;f#<@*VQE@}=;!zmwp3|84SCd6T?K zUMSCiC;d&3hspim+k~H_FTv;hb?^Z<fB!#EI#ueFcEA(<HiNWT0#|LBG|3Wc{%3fy z-;4go{rCEB_Fw7$6+GMjME~*rR(NyZQT`funqMXS`ajw~$S=XO{J!^n;(Oco3Ov*Q z0pD%#B)^M&XZdoz-S9+z{M-LZ-+bSZzL0O6Z-`HY=lTB?-YEE<_Yd$4zlXhd{tJHj zpZ%ZuIh(i38Q=_X1~>zp0nWgGjsfyx$^i7JZH#F?VjE?e58FnX=0mm-rum?4xM@CM z%X<(EK=<479s~ox`7`e}FaRP+^UeeVAd)oiK`;OvwB<br2B5obd0&A6=zuNnnJ@rC zO-Gwe=(d1q?zD|H&34;3V)lowYo_^#O)<@fZTVkb`=f_!eiMDr<}=L)Y<U-h{?PUO zkH7t)>n=0Hy*8(5-eYr^=0Tg?H1D>Frg@hw?;y}0jw0``&>xOMH8bco$uxJ`@_rEg zQM)bg9nl{Z*=!_3KXj)}FwHx}znkWGG4GC`q1(m0lY)kB6MrHZRCKGDcOp>HE#hAZ zs-VlnS4=Z2=70E>(XYi92`VF9%>QmKL!@s0M{WsSD&~I#m(V5R^CYhyT`WFhniq-r zU%~yTOMKQub@4f3`p|{qQ>OVV@k!Iv#ixnsMHh&Vo96lAZ%wmHe1e!Bbe{OAY3>&v zG0iUVF=D#Wx#B~nd5-v?X`UiJOiUL#TfE;i&l2x5%~Qk&i0MRUiuao48R9*}bfDA4 zgQj_!c(-Zp6YnCX9i1xPVVZvNPGZ{7DdO#>d9rw$X`UqBN=y;u#2ZaBE8bw5-Qx9z zDf}Jvh&P#Lmw1b5ZWV7P=1=HE@jBD&60b4M6U3`cvs1h(Z^AQIuO;T+;2d9Rni=tO z)7&avVVVoY1H}9*+9O_In!CmGO>>t>e&-kd3Xl1?&_vtCi%fI9_$y-m2pP^b&Ev(h 
zO!GMLY}0HP_nYQ=@f>3Q0M86L-84JI(@b-{cxK*&*zYrl`90bpo@$!g#ZyePUED{^ z@8GE;C!1!Qc#>(R#hhs-#U5gQi*6RbH_e;G?@aSX@mte8ApU5YSBgIn^BZ)7__=8w z5Wg|aE5)x(^9u1R(@ctAn&t@c3u1nat`|Qs&FjR!nC1cTGt<0M{M0l@h#wR4D|D^+ zzG<!(|7@Bg#1HZ&5cQF1o*{ln%rDV3;yb2!wfMGaUM0R|ng_)9O!G?dU1ENL4v2p; z%`3$}n&uVao2GfW_?l@Z#WzfIg!no!KS#e2U(K5^!~B7mpP{6<$27NzyG^rE%;ZgY z>V<CjlL((J5%&`CQ<M@rO|wz#cEG|ZD&OGc^EBnJ#Q4vxrMzX%0B3+Rz!~5Sa0WO7 zoB_@NXMi)n8Q=_X2L6Q%tm_OwZId$Vi2whE0=)I_9A&oBPrg8o$VW&&!n^qPN)-?T z@RWa_f1`h-?`z+azJ0z*pA(|yPlM?A0q}nN96aq#1^@r2-JS3bIu+j1-tDS%4ROBf ze8|}i&wLL${_c1go`G+-zh%G2eu4cc`y|`vwu|A3`l|SXc)Hjuu7(%ris&_THQInm zkzKfuI>vf^iQykn37$G7;J6HaC3VS;R;%xZ;dN`cY)6_Kz|k+=*aH43jo^$3uF37# zG0pHa2gi~v#0|sndNW*QdcC@)=!>!IMETfq@aifl4(D3|Pa*IzH!H2i4JR6sk=DkJ z(fT4>pc4G^pj)NIwcwco4S}<48@PKCm%rwYCHg|6_Z|sHC4@rd;Cf?t`G6OATXQ7Y zTL4^nV&D*-1YelE8!`4og3tkQL4kh>;t3kmjTnd0v8B+<a5=b>8=i$p$eU=v9#h~? zX6@uy-3V@g=PH0lSVeKsQsOKLPUO%O_P{f0ZiohTBZQ%JY)KKgLl>2s92?96kGKog zdIP!<zfdfdf_rg!dC?r~_ndbO0-CYw?Eu{fPym;4aM&y_FPlx68KoOh2<1{JT!y1G zX3WSRgV9vJJ2P}6`e60=Pz5;tl$b6t(H-E*3DE|)F>oVFv^6vmM>=p6-CS*T8Jwn9 z;gbVy_u%Rq3Wb-(;^2;R95@+)BUQYuWi$4P0_UknG6Jz4*oO<eqatvahC|+T-3TA3 z9bXJSsTJVsPCRlB)jSRaS-o;eifVm{ZbS{F#+JY_f|uYL>_`UT570LDroxUub@}iN zV_@c;?~MW38tG_GMCz?%FV&40g0`{X)(=jeC8qNd_>;D@#e4lcqv`EY#`m+&<J4MT zrEWwOMB(It!%=x?X<HhcgGlfR=^S=4vigwr)iYT)!VJJ|t{8my%V3~HHiQ3NT{MZE zoANHF;2@YF<_z5kI#@fltf(|tUR(-+7?u_wcEfZN$6jCH7mB_8r~y1&Hv$q0rDBM! 
z31J`UmEbfLr~+T|R0?~*j?|5~gi;AY0D=&kFk=SL16OE^#jkm!ZbT-ON~L8`NimE$ z;s6&1M`dI5!O3XXNpwP}G7Oo*<>BgPa9GEujq<RAA<_Uow%FSfyNbe@#Ew)6GTS5| zVh7yQz+n%DD0pib12vX{5Qb*RTYqS;yVbf8$FQw3jL&XK=|bWt2A5{9Z<<jLo(@uN zMzl!)ocq9AE)r->fSYf}q3a!|Lxh6_-tOQXYjv(QMj0OHrfdCV-H2{jEWvdQr!-XC z=Ws?MO^$;w6>#5!BLi2n)NmbQ8YFPo2CrB0d7p=x;bd8+8=(tJM-+kcECjB=TmsIX zhW8*`W!SMYA2kHEVYk^{H_!?_gfCj~APqwRNlB48&T*@~{&=v{=Zo4~bhuvB*D0&3 zs^R7b=crUSq762J=Qj+KisD1oO+|E&*=&dou?7-&VdJCCPjIcoc@Sz{tOt$R-6e&< z;jXMGj6LQf*h?>752GXiLns}DxfA<?S{#FMkQK1m7B_rBVW1eFrGoloeEblf05c}U zY~aekbvxQ>3^LPi6pF?03ew!MMxSJ~J`9#1yk?cwHiDaWLo^Q4O&!FrfsZwK-Q$*w z)d<fxz14vOAnpJxHZT>n8l$!Evnjd}m{0=&ZDrt|o?m5*0Io<p1#wEoKnP60KCjqa zdg4soh)-BQ7J@>8;iA01wBc?FKALcq;9fug7BHAhfGa2oP_Tvp%+pD*!Zhsi3{hh% zVZni;NC(y}U4o}+@ak*`Ofa1?*R7j7k(zP)e4q#G5W^sWYdtQw9122j!IKg$DyU(M zZiFmMlS&|>1LB6(;+T>k_9G?h2&@H-iTczseXK#OBvpiq!2df$O<RWRcJGv3UynUH z!B4k0x($ZM4v0cX25M_-;L>l8)kVkZM)1OP2)zSB%fm*yMzhs5D{JxUN&?tw^wCDc zic|vgWl1QMk2Erl9@eWG64XQ*H_mMDdP4l0ArHL@m+3~d!X~Mx3}%;7b0x)B5%{_r zQ%$7V7!0uR7;z`{5c?Q|&@<f#QK*)}5Zw_jFTvyA2;z$;;z4?9TBZl`bd`WFbrD3s zko6M#(}TBpJ}dwhhi15P$w0ufCaky?DluWegAq|#t&^w*a6|^z{gBz||8srh8q1IT zpl$>*EG60pdIf<Dc&)0BZf<KZ!c=e<;B3{m8S74wJ`7)ewT6#yxTxHmB6<hi(j|rK zmPa5kuy=x~)rT5KJ`jROaV$Xbl0;ooAr6fo!IS}z6FBZ9Frimz<lXou8WXq?N7h?g zAd<$hp{WYph+L?XDnK%phbq{P)Zhr%7VvqtdgYU{<8&jeVWw0HA$H-uY0f-`CG!>r z3Ii+WEu5qq5e^Gs9f!HL^cQU`nNzjA?>H-UBjh0pp+pclRUTq{w5S%JzD2b)%lgWg zM^mU9ArLEI1eQP~TSb03fJG871+eU=K?4Mh&`T^JK!;T7M)*TiswjehDy%V#1tec0 z4u0{5l!BtEwiY}uU=g1L*5Us+-3Wo0DHTH$LPc@u+*Dnp6+EU%YbFg4xKO1VF%NA( z01mz?qZ`@Yh@%RiN|-*{aTC}nAKJlPCL<Wfi_O)IkOv5rfoURCln({Uw-q&`CyWUg zN0!3jS-T3Z^!cL?>qh*;T8LVJlTluTC;k>Ad?JY5<a>S7QzVin1^(*I9aXv!2hj#| zSs3(nh(!27v;bautRC#fEe`Y^hah7g{J{2TqzQZEM^jUDBV3{e<~ay7DGtvwVwuPR z!YYOXH(=#8`ia-HbgD!*q9!GkC@isITR9@wB3^THjAYJ;jah*^e+QV28xB2(qM z5k0Y?e+jH?FsB-k1%VV6<aiYK339p^xTdFd5+pHmd~pT7`zxt6ZnF$A1gD0`3W&0{ zwgxh(u8}A*P@5e%JOjsAMt8u?QaV~#A8EnsB0jU26^QOKVmGN^mZ0v(bHV)n*vr4D 
zG~64v(-PT1hCv}dFyjzX(9IP(34W0J<GY>GPz5;~z5R;d@WuALimErJ2N+u^JPqbA zdI%tH2pkt{g<Dk!|C|VQmg`3JL&ONA4uv3I8{g}}DvY^?L4k=SfyxjvosX=Bn_rMr zLEVUUSPH5H-z65;;sBMtOr#_pmJrjo9ij|GxZy_1m-x0jND}G}obPZ3I0Kvk&H!hC zGr$?(3~&ZG1DpZQ0B3+R@ZXey$;AKv40z+};rRFeSJ4B4@}=^Q@}lwx#Qy(AIZHV~ zNh|frDtH523A|r^07U$MBflrVBtHsomcIgG{ZEwJ<t_4Bc&B^?MEMVr-O>-zN7Ad( z<I<hd0eF*q7GnDwrFGH*sY03{4U*jcAL0G+ufY=q@AhBqKi_{6MDsWKH~1I(r@=e> zhWLHHzxh7)y$&(_2YuK0F7TZMZ|ZA;_w+6HP4i8H$bFypZ}7za*Wvwq_d?A6h2B%) z-Fyk}Chu}@l{e%a32)^?o-aLb!xQ=+^xWjR)N{Hg<4MA^`D;DZo?_2vPk)ci{k8jD zcqad&?%Um0xX*$2?X|nNxYxMnyDQui+ymWC*SGM*{TE#ixo(1|7@qFh>uPl!>#A{0 zhj-i$blII>I{)Z=3f{1Hx$_L?9%nPW(|$g@sc@uIh9~NO1YQmgIc{)V=s3x-!x44V zI%YYhIEFgB_8;sY*k6KY>ECF-(B1>j&#$+yw9m2!?St(u+c&niZO_6}^RKp@YdgWV z&324!F+3}OtgXLI5I+@P6Mrk-Dqbp{D()1wifhF=;3+Xe^rIi)d5JH=3CsVfnRWJI zq6oi;;3p!bglmQS)XZ82x>wDtVW4}|%xVTYsAg6%(A{dLmVxe4GAjW>eJwiG%nByc zooZ$|1KpuyYV1Qqab>g_|KtQ6-K%7lS&<ustJTa>s@SE%?P_KT1Kp-(7BkSTYGx4w z-J)g|GSJOxW&s1;q-N$b(2YuFp0!)Q!QGlmWx86pLCwrzpzGC4H3MC)W@a<cb!w)H zfexsdSqyZonwiN!*C?48)^1%UK)LBurUSxNO6Evwre6!tg=ti#%Y`e|%v1)tLd{fC z&?Ule)Jz2fU8ZKr8R*warp(&l#rUk2T9FHdy=ta}D)uYkQZ-Y|K$obQFauqzW<m^f zk(w!DpbO<pAvB20fpu~~$xN~Kphw6knV=OpQP{6!CesMynPf#yz<G|K5y&$UTJIbC z`&-n^1gby#g$tC-cskP{H8YOMbiSGy%RuKTnK9PpI&rs0)5tzGGm0v<PdHc2jAWp5 z)J%YZ&Q>!c80aiDGn|3WR5QaE=nOS8lz~oHGea2YG$k__pgv;u#nsH=R3=?GRm}`y zpi|V$Kn6Nl%@i=uNowXW2I^5W0~jc$X8JQwR?YNdpl&szG0=%>MrEKbHKQ=l32H`W zpiU(tS<jCyz=NIq_94ie<faIFrHl^%b8rUZ5(MY<?N4^f8IOG!>Lt#(N6NS@8Jq*9 zjLWh=zFp2Ztp(b5%NYj+?2<Ef3fL)UY!q<3oDnJDI5~qTphM0G6tF|yL+x*uc3XNi zu1(ry*&Q2~cUp7D)AI4ueo8)$+E2<I)c!Vk2escSZ>RPXQoE(O(F3J6%kHQaDQ(#u z*(|55g>6l8lG@)YZ=?2Oax1mpC?}}>202dcZ;@N5{ixhb?bl09mhQ|bkhWTP*UB+# z?zMGtBelO-ZlLxf@)m0USUF1VZ<6b&{bS@hYJa1=nc6>Ej!^p><YTG*qvTE0{(AWs zYJZ)y(Q-Iz3#6khyVDEg4c6TK*T_dv`>Un(mh7tvq;;0v+5#DbOy9N9Z<P!x#<E{4 zt+r$@UM8)w?hcSay7c8<wo(S&V%fLLpjs^ZD`b!?mi^^&4Ygk*FSG6sSSo{7>B~Q0 zi3~!;vcFgcm15anB!fh;>@So-pIG)6$RJKE`}1W`CYJqq@;qvPt_-5Y^7$MY6p3ZO 
zS_U~{*`F<g7P0JC$sj~5`?F+FA(s7_GDr~1{tS5rwLe`3^<nw^Ncl)=f0_)!!}9r5 z8B~X5zfuOtVcD;cDlDgOK!FTeqwiy_TrQ*b%j8mOzf=a1VaZ=2gTk=v7fWGF^}_>F z$htdF23gUUI}nx&sr`^Vh1xHYgVcVZJek^`B2S|BgYps7{$v@1gr&VnGRO$a{t+^0 z2+RIN85D$Ne}WA1!LmPI9z*SqlSfngV`b0{mi%L65Dk|7(K09o%l;@C<bq{?qzqc2 zZ(kiDgHW*S50{2o=u`$tL#(?4Wl#rwxd#oCK^s{1hsq!fEc-)bPz9F#!7@k!%l_fg zVV3IU0%?F{SF+2X1Nw4{hshuUEc*jwPym+w{xU58mi>M*to@dKO@@WvvaiY#wXev2 zYG0Op)V?Hpt^0PrOfC6#pX{bS_sTA6-y>5izTGWT3%=bY*)4}}cS<(vu0w*g-qR~E zY!a;WeY>L9u|jy({(%6o|6eQDD3>W0z;pjjQaY96m6X!tzs!Gu|4g`B?}YpHl)p*& zSb0}@9lj@cN_kj0sNCYa+jo<*(pl&n2XBtwpiELmD?^n2a+6#qZ;)%{#o$r37~b(d zNv@Ws!Seto$)n{Va(~$;+oZoqUrQfL@4{07UzDDb9+nPDw@BAWmq`~$XDYSIVx=0M zH(2Z_c3dPMFQ*irVuSb4e=UCuPaS++eo=l(epo&z-y&ZlUj`8iXTq}wJN<R=eL^jK zm(bt$u<rmo1@LUCPTBzPF}TKmi<E*l&v#14OHGcwj&?`0qt3D38F8+4E_GJJBi5%$ zL!|zaPqM+A2fy}z?0?t)Iy`;wDgVR%gYXSSHGD@=4Bt|WcBY+8jyD}II-YRMcTD&D z;Ms#e`o8de==-DZW#7}zVem~tm9NLQ$CviSe8<3B2N(FJ`@+8QzM(!1;wDb@p66ZW zt@c)UgWgfzL5{QFwMajCzw~|p-)lVQebjrm_Xh88+>0F(9K#&_94`A$_Al)pIBszq zaNK8GVVh^0W-Eek2L{^|n_c`-{7ih;x!QTGbCGi<d=D|vIo#Rb>2~}K?{tfM*Lyp? 
zJG^z`tMG&w$t!xk_k051jlAM{%JYEdHqX@_)#Gsg)&05qJ@+5n&p;GM$}_}svF9vT zt!KCANY6@7qi3UMz9-}v=icwW(|w)$*X~o?x_i63*&T7Ofp<H6=~@8ai-cX{T|-@( z%jx`^`(by`Jqo@>@w<`hJJ-jqw_Go~o^;*sy47`+>mt`i*O{)YYnLnOYH+^ke9`&1 z^FHS-&I8Vi;9Z6Ao<hfmcAsN~?N7FsY)?9h?a$j^w?Ae-2;Z4pZa?3?&wheEZm+Yi zvoE#JwwK!{+dJ$d?FDwh_O0zN;zNSqC>F<<--hs%GjJ#d$QPccBZQ7HO#w~Jo5DZP z1k?OG8gH6Eqj9GB6B=upe?wzDb|i{Jgws&ku+qZ!XjI<%4vlntD7bMK3}iW)fpoVW zA#r&Df;&AZSc9gcJ$dU$v^#H2L%Yb6T25_7#}Vt4X4GMPI!rhpwUPGE5Z*z9O!FBu z&@?|o1xD7C@F_YhZ+(IW<gJfUf9GzY>`=t~?=hq2+ck8TVfYKsDMpQ6VLv+Ausp(E zbdq7MK(kRcZ&ji0yfq7*Xjse9Ow?&qk{pPf2DD9h3pw0t(B1$0F7QwP-(<iznR^Bb zuNx<Gk8qlhe}vI#!u`S@yz3Fn%>3`aF9T!_IyoSahpY+kC8}^enQq|QQz8EhwG#oo zmZ0!`sgQr1+6jPO4ToO(Pai(13cmRieq);Zgv*EtUv&z<HqCQ{OHK1^;S$q4OSsrH z&lK{{Rof?=A>^O7whvw}m4C$AJ{Yj%4Qs-_xR8HF8+=76<e$-|3#SPAC#>nh$wK~V zY`Sogkbl^k4vgfV#-<B7A^(gvUC0Xghpp*Cw~&9>nl79u<R8qY3td9~!ECy4f{=gM znl5w-r;?t-cZdR+W#P+1;bh}73&w?$3<F|>dJMz4N5~OlppZ3;@$EvlVYKfSP9(-I zp^F$hg%gNzyg(-5_TvPyDz$eA@O2|BPwhK|y)H0N`}RFXI<9TEk&cb;GSYZ@CrMMs zlQel8Nw;;7v~>qb6Wfh+^uTr_9o5oiq$8WtMrvzHk#uX4q_J%zZEPiJLxQAR;v|i> zkhH$pNM{r@k#y}=BVAh;BkATwl13Uxdh8aGZi<rhn0k_KtRv~sn@PGMLeis-CF%N2 zBwcq5Neea_>GXo5jkN!o4J2KCl##9~SZ}1Y1?!Bo->S7FtzBcJ#miQcbigVjUAD58 zr1q60U9p0s%a@b1rp8DIEL}#@B}+-VcnL`tEhg#0MI>FYkfie$kaXUBlFpq+(m8WU zT0MuPv#Uv3HJhZfsz^F>7D;E!B<b`SBt3FENv9o2(y7x(S~-=Z6_q3{s4!Bkyqu(E zWh5;vC22_sNsEh(ba)_4(t#l(4TOtG8Y(1d(G-#v21z<)GD(AzNILlll1`dP(jz92 zbmDlDP8dhh@ncCkZVXAsjwb1tQ6wEblBA;oBpo@zNYxR;NjiL(kt&0Rl62q@BONqs zFiD3VPSPQRNIG~RNe?eDQn}zTBbDp}j8r_VKS>AlBWZt)r2SNqY6?kJ_!a=JM^TYT zD*H()`Ha-=_mb4-A*t6*Qjd$I@PjrkZ+F3+Bu<@nk~(Zoy9Xhg=zzo{!t?*pV7p45 z|NkfDC3p|ueabD$0p&vF45eGyscciWz@7baWv((+DFk1D!xb6s#ea}Lg?9!1UVd7B z5Ih2|kuQ<YmV4wqa$1hb$9SfBiacXIgFOno31E>tQ!bGw!f)@d%ERUUaHj}&l;AJ$ zv-Fkpq4b9Iy!05{``;*CE}bv!lTMI2q&VESuY*v?*${d;8Qw=WQ1VO2{~g?yzvX`! 
zJP7Xh-v&Me7yHlh=lr|jTZu+^KEX==0{;xSOP}B$=I`fs`F`?!>H7fu37+#k3g1!O z;QNj5Jm0ClPTvk+i*K`Ut#661%2)22>>KGT@cDd#_dD+=-nYHK2mgWxy?0P=1!(q0 zylcEmytDK7?E}4j@HP0(^ReeG&&!@CJ@<QV^<3q-$aAJA>)8c92MwO1Ju5u(Ja+ew z?$6xMz`gUi?vvda@HS|2AM0N2UgVzXE_F|G2iyg4w=BB8cYWfz-SsxSJMk&k1Fmaa zm$=S$^*BFrzUgXn?Qv~&ZE~%0p6SdwcR7>J2ItY>b#SCJ<Q(T(<eKR!aZPj$clCF< zoj*Ij%HLBz0r%GzIafG`I(~9$PN(Bb#|Mtr9nU!)b=(c#daQFSb(A|MJ4QMRz&GJj z`#a#9aHk^<z6-x`oaZ>z(Fy(wvmJhi&Hk$W8T<A2Q{k?AioL?V-`;6&v2TVu@E!Kc z>}%mYj(E`UzyEOz7`hL2hf)63#wUhR{^i77Ve}FCRBuN4ml*49h&(bC>2N#ue*WWu zh&%-q>F5MRo`MRWKa0r2Q^9-&k%y;(`3`!^5I$gLQ2zDAdI2I&Nd<5(B2P($x;jz* zMaFwXM4pU_n$ccF?mNKTgYxeu-c^8JC0*HBfPPP^Z$i7#E2g;%y=<C0(MxW-=n>KJ zDF3439qs4^^66FppEu3p&~v8Qfu1$Z9q1WiwxjLncf^dLcJ#DqwxOp?GmV}ky=rMg zPY|#bsK`IUIgU~&{|M(eybkp-k|B<^p+`-#73Ck{97hTCFhLtp3(7yjISL#+NYE&1 zLJyecR+N8)a}>qUeJ0w7?j^m6iYWis<|t}F`NuX#(H3+!`Mj<G-AM{9K=tSj)2u_c zo91S88_Bw$0NqN!qfrErr!S-V=vZ_!LFc1Q=qA%V2Hj|y8xgt7fV@W|a+d+-29$rt z^HI%+++?7o=qN;PGQeDq$TOS4T!*eAJ*aI#2Z*(HAR<p}Msv|xbOizD2GHfC(Zy&D zBKH_*F<OntJqDPo5V^+yvlfwi3@}$Ba*qM#3PkQPz+8^VJqDOHDF3$S#RZ7mVxW0w z86wYt26HJQ_ZVO<LFbXq%qu|T76ZV=h}>eJIcO0gw-{h9MC29&%@M9e<Q4-}qXp<p zQbF}vMD8#EoR7#I2AJ~@xx)Z+E+TgrV9r704g<}GYl=L$8O;JSN9vkcfVzk^qX3;i ztZ4;kFJY@3+TTgQ@@8~AvC5j!4)Sp+Do5K*vkbKpvlx}26fwhaohMCmAKFID5TLE5 zxeq0XS%ktUZki#~Ld+?s5H%a7Z~+RUCexgZwwmT76eAs*I1n`w@H}(`YB0@-Xp3Q@ z3D9oTH20!<Vva`>P#wv8E*gh6o90*)G0idPSkoMhHswvI>=?sDBjAg=qlqcQY*s}~ z2{Ozw&1cX|V)`M&bYl9zJd&7hm_<v7iI9S(nWl`Unx=#*P1BDmOw)(Ti76m2Dl<(F zDm6^_hSQCTP1A+Krs+f>({!LB)3l>P)3l)}#QYgvSsx_kPte~<2Ghb%PBfWV-!DU> ziS^Y$G>2sT9KI*4Hq8v0O+Np$4Fw4J5ghGCV!i_t;S6HF4b}G}<{yPWA-iebjclZX zH=B`2tT&nwA|Jmlyom(Ud_(vL`TVuD!ruw_dtsmOGXY;2DEvgMmj?=eBOkvA_u8Kk z^9A8W;ZtHhFFY%JLd@rc=Y@}n`MB_mKo&>gzJTyK0S^kl6Y|dyKPWsc<R2b>P<TrC z(9H0pK$c43pzwt7zKK3Ayl0xf72YN0UBY7mSu2IRghz$9P4p4rEz^8h_>*ZqB>d4d z9~8)93B?`|-XJJ=RSM4#^9JE{;Rn-vP59n4{~&y4ny(7qn&$6?Z%p$Q;cL@;S@_B{ zUlP6~Jl-%+_>oxG4;21NJ_bKj;Z@VTSNOeY-XpwXng<243WF=?-NH*IdYAB`Y2GP3 
zZ<==q&za_4;aSqywNBv$0)juLKvqdO*z1KyO!PW|ERBF(D?DJL*9iBU<^kbB)4W`G zn3&*2DUhX6xMHC21p&cpQXosCaJg`Wa5q80HB=xAwE*sz!hHk<r%T};VuJswKvaQn zsc@S>Q~{W`3Pcrvd5iF*nfGRa$O1rb5{N7S^G1Ql0s(w7g}X@JOQ5|wP4m~n9mE9Z zOW}56g4d;R8!^G#Qn=MLFA;7r&5MPbP4gn*Ceyr7xRIFWqfuysX^uok5fj`Sg#)H} zzHo(Uo+n&RPRjlkfh@(s{y_p+fQ55}zaWj|JV*F5Qcd$Cq?qQ1NH)z6kYt+gBfn|B zhkT~_F7le@JIG_2ZzGp!K7-uEJR1ejdea<%)|uvTv^H<T0=R~lXQ5$ewP_ATt4wnU zsx{5QXr*Z$j#ilFAhg^x2cjC&EI`Xl^Dwm3GzXw1rr94Y&YQ44EHce!&_ZIKiTa@h zrm3O%rm3QNc@v7wCFU8zw`hcEeuIXa=GSPLX?}%<n&y{ih-rR-2LF${f#C<l8Q=_X z1~>zp0nPwtfHS}u;0$mEI0Kvk&cH7i!14bNp-TnjGvy8CN##!E3W)yKl~&~#WeNP^ zKS3#g*#EEOx8!H!d*rL-{Sf(|mN(1G<r(s1c`*Er|DE)n^n&z&biMQ|sRyF|w@9nt zm-`}Vxa9Z$)&G(I75^jtoBfygPxbHgZ}qSB&+&)+!y(@P2jBa?7ku~ou7zLbPxPgH z$NHA~rh>2h03Y&x1|IQ`dvEjp8s0Rp%iH8#=bh^fdq;Tvo*z9QcwPiA_Uk<7d%8Vo zc>lmM@HUv>Im{!1Kl>Z*Cm_22GWTijUGA;!weC6YkbAh>=la3*zUu|>M!(i|p6f(c z3gY^gx~78n`T&>c{M`A5^9kqe&dZ$poX0yG!KZ$<v&cEj>2-YXc+c^?<37hVj{S}< zN7Av$vBXj780*mNKimIof7$+^{W|-3_AdK2`$qdhdntIOOST_v@7tcY-D|tbcD5~J zYq71j&9#MW!)zY$Tk&o2cj8^*<?!BvU1AL0d{89@#luAh`Vzf~o<O(3NjTJ>)_ItH zgeWeF#hc)fnyV7vjrLoua{!Ayrgipbu}8Jeek}GUty811lW=`1i@mOODlGO#ty8A4 z9$Z#pG3bk*#op99eJu8d*6F3O9Ins9V$c^ii@m0Gx@atm%Q{&M`r=@*7qw11i~T|C zw9!~Mu1{pKSG7*WV!ziq1sXdM%IbSq>=jMl&0;TW`YslGNz-@ISQoDEcout1(~o1Z z7d5?u#a__#9W-_Vu5UYwJ+JBQEcTqHx6#;s;aN>jv)D75o?@}zX?l{yp4RkjEcTS9 zx3buinx0^>Cp10IVvlQj3ypQ+V{2wH;Hrtm9@X@%EcS?|$7pPy@UW&g(pW}#NYxwc zBT(OU8G<J!=vx@*3{{UZ(1WU8PeDbvU>yTJpz50$=welmFwp&~ek=tQ3a6?1CI-4t z)sJDIU#a>=2D(qxk7l4NRDA;j-K*$F0fc&|qbW;NeLa<Fig1sruVbKts=k(i?$-1* zG^=}syEJ_@i`}W}tEi$uVZW-^GSIoIzLJ4XQS}uJbcd=hr=ZEg?TTIlP~Q<v9<S=l zm`t~+`cevV3b(5I5(c_O)fY3+&8ohLfo@Xug$#6~sxM%m8&rKh16{A`^BCwlRiDd1 z*Q)v)2D(Pos~PBORiDj3SE+gx1x>;Oa~1>TRDC7`9Z>Zd6m$e0h0_^mpQ<0pK$oie zGzNlmHkE;3+*dNtm8xDrK@)L{<qQNZmNC$os$R-KFvv?7=yFvrrl1L!i7*3Qrs^RE z`n9STQP6nYuR;cbeobK@U?Rvsm#F$=1_CA~G0;V-egp-L!!1r^AeaFrFc8cD;~D4z zRUgMd=d1cy20BmG$57B%d^wJ0Ah;YyG0>TcJ`$k53vKLTRSz(k&QbIcRHiX7zYM1` 
zjS<dP^<fNjmZ}e>pwXCzAq)h}4`v`35r;DnOxlAO=yX*dNI|1;^#u$B)q_^EtO=vw znI}3(H41_u4oZ!JPF8ggY7}&ms)J6mKrKR#s)J0kKqCdX8bPH|P*&AJq*<V5p<C5K zqfyX_styv3g1S^46dDDcpz0vdD5z6~SBle+u0k*Y4P{gv)EQN9ucCuEvz-2>5=94T zW<};HItVi>Qmp78%dALP(Lt11k-3TvlFW+CQFIVwR-{nLfE=?Tdz1`_F$=P_M9F{@ zvm*193<xnRQmkY^hFOuYk^vEBMdm6QkYHA1j*<ZZW<_=@8IWHVBnGX6__89<I!G@o z0<DAavLetr$Sx}at%K;YBG5WWE-SK2$$;RpAdS#E$So@Zt%KOIBG5WWEh_@8gV3@f z&^pL0D*~;9$g(1EE<j>gk)28g1eOJ9fc{{4)i+r*K!32hvLMhOEUqjF^apDz3j+PY z(#nEBf3UK$AkZHytSrd!N(SqyK4c5@2g@o80{y|N%7Q?Du&A;i&>yU+EC}=mODYR; zoRXmx)s_w=gB4X@o+z}A1(gMX*0G+lAkaF<DJuf4gP5`+&^ne<mQr&Lb<4>y&H!hC zGr$?(3~&ZG1DpZQ0B3+Rz!~5Sa0WO7oB_@NXMi)n8Q=_X1~>zp0nPwtfHS}u;0$mE zI0Kvk&H!hCGr$?(3~&ZG1DpZQ0B3+Rz!~5Sa0WO7oB_@NXMi)n8Q=_X1~>zp0nPwt zfHS}u;0$mEI0Kvk&H!hCGr$?(3~&ZG1DpZQ0B3+Rz!~5Sa0WO7oB_@NXMi)n8Q=_X z1~>zp0nPwtfHS}u;0$mE{;wD~5=xx`+f3Njz;-NbvtT;~w&k$Z!nO~##jusaRt?)! z*mlCU1GdeuoeEnBwi4KIefZr13t&4Fwlr*U*fzp;I&5Lss$iQ7+Y;EiVavj{0=5%j z+Y4J1wv%8>!4`q-XxQptTMOG+uuXxj2)1I_DqyRGZ5nLTVVeQlY}n?(HXpWyuq}dZ zDQwGNtAPz4FYX&YuG3({{lfL)<5&$F=3zZ-N5O{M#(m!e8}17}-dfmVux*8{3APs4 z@G&M}+Xh<_HhkP|u(iX6dFp`eIM^_6yI|W5+aB2V!luL430oIzm;=m54z?cHPKFJi z3(ODy;|y>HI0Kvk&H!hCGr$?(3~&ZG1DpZQz(37^1SP74`vj#`nI=CcZ<9wzw@M2o zxBm(MMgFz^u;1l-$#;V<>l^NU$$Of&$~(yOx#xb*X`Z#7VeUV<FLbYP{loRF>t@$+ zuIaA9&ZnJOXQfkhyyf_{W0xc1nC%#9|Fiwq_PO>#`%t^b_KxjFTZe6#ZJhXpc%9fG zmZBHY?dUSJ7cE9E=*B<!H!tIG3PYqlQfYBXu&k(bZhT83Sr-k&Bk8teq&bj^ZflFi z0Z42KY;H@%;?Yzpu%$V%JrzhN0+IGatUeHd5295WJFY0vzdT$TEUO65jYl>&M+0?< z_?B1$RE2jU&Cz5!5NU|S;;D3?Efr}1ES_kIG{>T;IW@K6j1AYZqJLR&QLwbUcxfUY zODB?nR9mVwT9=MOQ*CL;o{lBrq*W*s$cVU5uzy7<96?F(j2W}del{l>Vs(&3%^;km zzf=}34wjY{0W>%xU}(HlQc)JH2o+bG{ls-2yT=8eWey)(8Y&GIg+sNGc>U(Yj>-6F z($M*6GIkv9d3_;tE|y9(N7As{+S(keGy0YaMACtDBd{1vZ%-tf0?pC(XmeGvt}&K| z<7i7pXYa<XZ<mV0<-yXT((1-Y9JpwWq*9Q-KCnHOZVa?0qbZa6L^B+FydEmt-kU4D z3)it$DlZKML*->PTed`#y&neZaFwxmLtsl=ybd1}keu$Q+KJ1wNfkvE!IE(4vP3$z zr321HGzop)oM?lyW1f#dERK&Mmdu~1)<`-XO~z9t$KxtCNTFh=qNHLW9xyHWD!|02 
zs4*H(=cx!JqtNF_^SI-1shJW`9V`nK%}E5}2|NU%fm9ketAl}7myD)U6FYFexl&PC zX)sh#JSUclG{a~M)JL~O+M3e=$W)JOk2I%Bci^lWjgwkjQr??2)fj<HfyP(^<}lVC zYmPSHp;K3vXp5&)McZ+)S}9x%<FvHGLP4H^z9tBX(Xs8g#B`|?50#Sej2X4jIyi^M zF$Y>AaTvxe&?l`8XFE(P3ReWn!{ybrE9YtHJXBE>EG{put*Kf*AcdhJQc-y*7_O*T zIk$GzmbT^%Nn^w*W6MI}V7N3~8*Pmw@u-@gjI=hcSQ40kFN0W1tT~dLXi%JhF-R^1 zW0VKBBoi%x`batwXpVG5lh(mDcN=c9?XaRU7$_BG^Nb6;EgmyY9E`9;y>a?sctNAa zP)Ii>6KxHRcs!&!Qt4<*EgVd!6<4!bDlRXF3%qD$bSsQyIF0e(c08_|W00}lxI}=A zK)Rzfni`Y9MW(^z5)M|BS1f@8NC)sC2NtYawLH)gO*ba$Q^VpoS5OLtDuSU<QPuK= zh1;W>VMHX`V|CHg;1>Mxcqvp8f{V9wUL=O6C42^&J4QF-&nokrS1gAE!6Tgz0arkM zGh6~kHsMT7kO?lf($dvXaqo2k!ye8gOm3;REn8xBG2Hc*SUlF!)&f^;ydm8<Wh*XS zBb61Ez+6zeJeg>Z)x+i9TLp|@803%>A5SznK8EvGNui?RV0lq_l`(vQZA>%1rp${x zwY1SV=RT<%W|^{zP?a&6njZ(!Nw{#0Gd!8h2hkmM(N<&XgYLpiggHpZ+TjXnjQ~xv z8*sbZ;nIeqEGx}lVa*2RFc~BxFo7n?X$j!#w6~$UL`!QT6~i?z*<y6bBNfBNU0iNn zrqTSO&|4&#z!xn{!pXMgXet1;HNx3XBs<`8-_{mO8rMT=WEA(PR0@?=z}YV$Of)B8 zPBJS>O{>RQVp3^&8C;B^>c(hY6E(@f`N=OAo0HK<T_cRJ-oj;dxbP;aA{+`<6vK*> z!dGQev;ztmgPF{x<P;~Pt<69aUWbNk#^okTr7#JW7lmOw;6j0RJi(-<MDT}jy2EfG z78TdRQT0vCsQ^qz#ySM`H%3y>o#n?Glxb2?ML1YmT!d?bvkj|eAPK#IixL+hXV5an zV4NirtsTahz{h2o*cNRvYII0NaMgrE#kj^u++1hs$=HXvJkXM;2l|aF>XIF;=|lsb zEMP88v_@g_fb)}@bqqe5lvG|;9xN#?t&Ng(3D1pDSc11iBdHi(nc?~+C17B|Bx%&S zeD>lw^TJ1N#5KUhQ;t`R^8d01W1ZUqgA4`(9$uS`E>#?jOV>%oC3phFmmXX=_0f8~ zI>4#SPx_WgGytn9jOs+Zd;=~Sfp*J-<rN`ZGL@ecn>*l=gVSP`Ck#($jkdyZPYfP~ z3oez)%S(b46&3mGz$nn$9$DJpSnH!x*5m9oQh7x&OuVJ!eA9FqBg&j{#;?QqtE7sG zP_P)JfiXV%mJApn`Kf9ATAXp>*f400@`|EbV|_C^4(mmA-}&lTx+XsllvI=li;H?^ zn1pe$8#=2!2J1cy8Mv}~hd;jRnj>%$@k|Tzu6c>iUX9z`E)fltpMT72CeRpd29i>f zVJ50;ZmY)v0X~C;hLQ;jR^d9D#)hFs;ZlSAh&igEp=LZYg1SlMg`s6!r$8B553aG+ zIJk*pi;7?gC?Zw0w!$Qe``pI@jM_+Z11xIk#ugBmaBK}A9LSiQ44lG{fv)1qx*gOP z%+$vCwzf2OCGPWdsSHkJQE}N?;0orZQ~*|hCeQ&1th``cjb4GXRl<l21&hkdmg2b{ zt2vkjTktGx)EioE)HN0^89YN&TR(&IVDua6vNk`l1{awNw3h_Si$PCXs$(?K=w+k} zVYsBqO3Hfm1l5JPOL3-MQZcC7^3rgA7$*#ow>=tZ3QVYLjz(ZYkM2klMS#Z#bUy)7 
zZgYnzm?kbE-710AD-<rnmr**_5)E#Sq~HY9z#^Q8!}WyE<n+ZjYYPwv(`mSPPIL<> z-Fo0}OB5Hui=?G!A|4GIusO75F2cpPNu{O5!IDsMZCh(=0@Qx0ZF8zF8QUC92Ju;k zrPEOHR*6_2HP-pqLSv{@n}=*%@-R!{^WLW^@!{p=aSRWa4r5Rlj4-*31H&W97zX6B z#3~R5MQlO7sS-Rdm4)(4N4gPoduwAy3U~yK0V57iuVhZcRON>xR9OcT@@AOfqwR?% zI3Q4PKw_+=1%@e1Y+!GP0}M1LQt9RMjixjyR0is%!Z-t1SK<39Je)0^h7o0~pD;7S z1&SvpV`)u86LGN2^R#iEQR5`g(y(Y2_jVr65i}g#(HhH7<<P|cxh2xjWIUUYhGKK` z+=TEI8w&M}WEcYfHyw|~>!Ynv_!mz@|L`%JQ)KZRJY?3xwHOYTmzC7uBP0_wSzB3h z3`#OmHSVD9GnVLz;?ntKqQK$`L=2obb42C`igk7(!ksM4Fs(G=5o%$~7|^(f_2mA9 z+<U-{ZZg`2uN=6gV;jN0q4Ph^0B3+Rz!~5Sa0WO7oB_@NXMi)n8Q=_X1~>zp0nPwt zfHS}u;0$mEI0Kvk&H!hCGr$?(3~&ZG1DpZQ0B3+Rz!~5Sa0WO7oB_@NXMi)n8Q=_X z1~>zp0nPwtfHS}u;0$mEI0Kvk&H!hCGr$?(3~&ZG1DpZQ0B3+Rz!~5Sa0WO7oB_@N zXMi)n8Q=_X1~>zp0nPwtfHS}u;0$mEI0Kvk&H!hCGr$?(3~&ZG1DpZQ0B3+Rz!~5S za0WO7oB_@NXMi)n8Q=_X1~>zp0nPwtfHS}u;0$mEI0Kvk&H!hCGr$?(3~&ZG1DpZQ z0B3+Rz!~5Sa0WO7oB_@NXMi)n8Q=_X1~>zp0nPwtfHS}u;0$mEI0Kvk&H!hCGr$?( z3~&ZG1DpZQ0B3+Rz!~5Sa0WO7oB_@NXMi)n8Q=_X1~>zp0nPwtfHS}u;0$mEI0Kvk z&H!hCGr$?(3~&ZG1DpZQ0B3+Rz!~5Sa0WO7oB_@NXMi)n8Q=_X1~>zp0nPwtfHS}u z;0$mEI0Kvk&H!hCGr$?(3~&ZG1DpZQ0B3+Rz!~5Sa0WO7oB_@NXMi)n8Q=_X1~>zp z0nPwtfHS}u;0$mEI0Kvk&H!hCGr$?(3~&ZG1DpZQ0B3+Rz!~5Sa0WO7oB_@NXMi)n z8Q=_X1~>zp0nPwtfHS}u;0$mEI0Kvk&H!hCGr$?(3~&ZG1DpZQ0B3+Rz!~5Sa0WO7 zoB_@NXMi)n8Q=_X1~>zp0nPwtfHS}u;0$mEI0Kvk&H!hCGr$?(3~&ZG1DpZQ0B3+R zz!~5Sa0WO7oB_@NXMi)n8Q=_X1~>zp0nPwtfHS}u;0$mEI0Kvk&H!hCGr$?(3~&ZG z1DpZQ0B3+Rz!~5Sa0WO7oB_@NXMi)n8Q=_X1~>zp0nPwtfHS}u;0$mEI0Kvk&H!hC zGr$?(3~&ZG1DpZQ0B3+Rz!~5Sa0WO7oB_@NXMi)n8Q=_X1~>zp0nPwtfHS}u;0$mE zI0Kvk&H!hCGw?rx0SS&GAY3LWw<}BJcjQUZF8|a1V|-tDU-i!P?Drhu4!QlVi(D(6 z?>X;xu5h{>=Q$=hoc8_pBW!QkrrQRIG4vqPpn`wjUsKl-pK#dWxTnK16RT?1)UGL> zQaq)kHXVuAN0Rl8>2zyqYGGkREZx|)c}iWPrLbmgRqgUZoV9Rsb7FI0d&!idDd9r+ zUl@%S7VQXygKLU|wb4{6mWT&iBJoH=v?Ur(Pid*oOzv9j6DH0i&23w@uy$3TqNpfX zS{!IEt*Q=&!hzbkwY3XtmIYSLUAc7OvZ_^Jvwf*cCF`cdW2y9%hD3Ye@?>Ibv@V@0 zOvX}8mgWjmt)%K;T_T=NCYm8fv^g3{MT4nmBw5!udSqe#lbP+&B<}3=(kY>F@wS%D 
z(d2ZaH<>YAi=e-S|7CwefjM*6EUcazSW;8H_&?UqP-arsLg?r8L-w;4cr6Mno4aal z&C11rISXs6YnCmWTfOQ((p{r7qq-J&h0z0z-b%fLpscujN@z;h>{ez(*L<H4swKxX z%@}oo>c(g!9jI-LM$@T9wJ=Q9MmGmmC7Pn~z?MWZuqe_VvF0)BGDmS8E}k+<N0YH= zYD!{zB-J`4k!&cmd{l^Q-UKyoGHTugHE+T-Z!%inWVAk|G2PNUziXaX=-=PyVN><m zx#7y9U$nSAI;AC+PDYJJ>Lck$VSRK<EFMe4cuN&R38SW_uDQRw3}G~~)%|NO!=|n| zzih4S-__cvuIm5dY=`@rZ0eeQs4n%62J;O5s|cw2Woso<O8-4{&+nQ=4U@9aFQ(VJ z|NSt568T{=^HBZ%Hw}|fT{8}O;v>puwc7scZV7x>Rg_{;xf83%ia4Di1TRxE8qL zLPbUYESI=Qp3G^7>iNHE$c^fndPp+yoY#B)GHqRzKA~o;aeVsr32SRt&7Ww@akbI9 zwqz{b5m*&XrDO4i!2GsYeH4El#4Bd7=oj7Yo7%Q--yUowt7LF{bTce}q^@9^)D>*N zb-_9wDl7@&X|JlawK-N7!Bf;Gv*Atoh6{_z%(Z>f(%!Yb@6&KFpV62$s}qSPm}fUt zrPImS<~C^1pni0Hq9qcG2O}oj)Kzh)bMcFF`>(nDGo!o8VQE=QmX?{nTv}EoBk@$E z4igZlYD+gJlCk3qI{pQVi>2;ORNcQ=UNVPul|eTbl5U26+0DGh3iO?ae?kB9m0C|O zyYA@&x=MS8X=mv_GfaDjx;ZcWhlXj08m5Oh=2{R0EfF$WQ+X{LtB30-S|6)RM>fZr z;c5(mNDjhSf#Dp7JWX9CzZ}JIf&Y8v!ltg`U$$nMOiYIVMb}KQD-05|iVQ|Zx`V0< z7xzl{s@1C&%w4u>VfDgQ>)Av9|3$kS-N_u$6@m^=J7k9!Rs}<$z{<J7-oF0l?lg?P zWQx0rptnm8*;{-sQWOB$UcGwdN?^8^X@FL(tXc9OA=&6uLswzn7#wNbK7y#5QpWb^ zpBaOp;F@p{&x~--m|un9*0G^$%As2N|0LNC-O~K7AT8Iz|E#Jn3lmlU@4Id1HFE|y z1DpZQ0B3+Rz!~5Sa0WO7oB_@NXMi*C{|W>6%bferIfC+u@~ZNPa-;GqC99;BW0fUJ zg)&A_<)7q_<d@_J<ZI>q@(FUQe6+kkE|CMWB>gD8FFh~aD_t#}D|Je((ne{KR4$E{ z6#q~DkNhwBAMju6-|s)c-|9cwzrbJOAL*BTfAxLnd)fDp?*`w6zLR`Ad|Q0AzFEGY zZ?Mnh{l@!__gU{f-mAU)y<Ogv_gL>z?=<g3Z-H0zeCB!0^O)ym&qbadPrGNcr^YkQ zGu|`6Be*|xzvh0-eT(~I_sQ-KchtSYJ;Oc8J;-f$ed&7B^`z?#*JZBLTsvJc*BaMs z*A&+fm)rS`^KIwvoOe5~be`$l>uh$ecg}N$ox`18$9Il*9M3rJc3j~&!?D}3)v?x5 z?I?5%ak%VX+y7*L%6^CaGW$OJ@%9FLt$n6_l6|1vX8YXsy6v~NTWpuuPO%+lYp|`h zRog<g5jMa0qxgaNqWFM#y?B9`72Cu*ak)4{oFonso#<=yHhKmfL{|a%zxY#orrJj! 
zaY-!R6s?CJk2i@IC_R+`p<d{i61As-%5;o)uG&-1K<6kuWpuehwWpNHbiUG4LS@<r zl^0W)HsZ>|3<Q;j=yFhb5tHdWrKga}bo5NMX9|_+Xz?tyC&)m<)Sk%<v|s6&L{+r` z`gsJEX#?)(L<TxX?U}$pXRAHqDd;HNhj9#arqVMOpgz{u&r*8E(8x@sXEcq>P<lqu z$a=MBBp`h!biH_n+7qClb>iu2&j<!OP3;-ZK>M_wVfGPXUtQ=}u}A9}%3$aMt!D^> ziKl8kgK2D&*roLx&SIx%J%ecM81ZDSXCRB6r1ccg*hbu!!x#+rWdMVTIjyHZjU6p! zwVr+~)~)quEOw&Sqte(0d>jgkouKu|G&W!C)OsWuI|^;mdi)F~{8sDnF_@Uvdb}*Q zN9*yhn6CD?0qYw#XxVzL$3<sbCT6rACylMgU2!lN?uwnka93<B23-+ZY_HaXXlxyB zLtrpyBe#dappD#a7TcrccCpxQHMbKm%i*q>spgJnpcz{3IJ)E-F|Fo0m~6|m+zvL| zE;YBE&bAsFXlEd3pp7oM8aI$;vOxnWHrq}$m!z|;f(EuR5H!$Ams}+tujLXfcAT1v z(?x5cwiX70+M4N-wPJ^wYhtpk(Q;eaY&+CkjLx<a8fau7XrO^Exf1iSg~<kdMA>ZH z)m%NDZ3Q$?$3QdG+-3%X$|7`SE5u=1?pPLUS96=_qRXLyV;BgIU?W{}IX;4;nQYML z1~yxpnmdZlRs#*JXCP=`9bK{pH?Wq;HeJiDVY9(et!A;5np;H|T>?dG>1<0dAuCxd zspVGC*jnK-Ew`M-F4l523?^>Va?5CJk(khOOIfT{%Ppa?g*e}07K^L7MbxUZQfyIj z3jyl8#Qpu0+yWZW)ZBckm|xtY=H@X_RLRYy%PmuLbC^ucO0Js9<b&pB(+D(IMHTbm z=4LSvG&hqj2hGi3GBv5W=@jG@x2m}#8OWvPrZG@V&CyEDBOayZuu|(=pFLuulEYH1 zk36@c=4hqn78{ftt<+p_$XKcM6?4HMW1-epw+kOKt<+p195PmFmU7S>7HZaV!_*wD z)Lde{mII|`RTi_wIyDDc%{sNuR<s;wH9Fg7EeB%FidBgbEeC3i#*Wo;px3O}EMdQv z1HndP=W01nY!oJL(sCf#XzUm*2bzt>HflK#ZB}fiaG{n1*+yZgQO$vHvmV;aC0Y)Y z8=Y;3mILiZVdBwh4#b<a=!|}94#XP;!Px@wMnP~Quz2e`HE70oEyrlL8R7;thqap} z+jOWOOE)W|X*ou@O&5>Sa*T4DF0R*djB-0tT&Lw2<#wdFR?T7MW@%#DDlNwdw`n3Q zNQ`isDz4UYjBuMOLRm(*O%-dk93$MOiYv7oBiyEnE3_OV+@^}lwHzbdriwLMjuCEC zMOY0O;WkxVs^u8rHdTa^%?P)t;$kg_g<Ic+f-1#DT8>d}mEuAz$0)Z-ae<a&lv|}Z zU&}Gdtx}w)<rw8wDbCe$jB=|K=V&=bxmAkQT8>d}mEvqI%P6->u}aG_%B@nIrDYlA zRw){8?sucyKY#!4mwu4mlb)0Akq$^_NqePcX`M7jDw2juZvQv_w;+n(PXBNGr}=mK z8~v;Nv;33&gZy^i7rr-qkNa-*UE(_#?*8k2%Y8@sCin*U1n(yhaqx)uM(?k@S#R37 z_pkJh^=h7<J%9GR?0L|0o##AHmuH)2qi3O~)HBi}xqo!O?|$BWulp+Z+3t+H#l7A= z7oru0xjn9LU2nU7=eo;vx$AV-F1Yhw?W%GGU5C3I&M%#BI-hXf=DgH-inGHRg@}gf z&WX;$oXGL1;}4EU9XB~Ha-8JY;fOj`I%Ya1I}V3fhp+8#*?(uh+kU0}EPKY@Vqb5c zYY*9n**&&zZExFtXS>UGx$Sh@E?W%l{Htt1+u=5c_@(%!_=I?yc&T`b*da#672<Sp 
zqIj5y(5L7R=uvbNx)4aW{%Kh(p{ap4L(5_fO<~iuEF+>T#Ur&W7SU9`X<C+1(Usy< zEsIq&m9J9EVi`?g6<U_j(UoGkmc=@n%2%dk86jOMmTK7~o3BL6VkJ$LE!MJ(l&%!R zT9%R0m10QCVku3PEz+`BOH){(mSx0rr8q^)VlhqS3u;+LO;?JOwJcWCRK7`C7RzZ1 zRv{jtWf?tPAx_k?SWi>=CTLkkP*;fKwJa9YRK9Uq7AtBB8>?lpq^7VjT9(n&72;?u z%V_Efag>(Dn%YvfTsTF`Vo`0y#F1K-R@K6(VnEAcRo#~lun}68mes;3xIQeaE%{Cn zhih4^tNSoihThS#jIb^P*_*|}+L})ss%Al1Ta?K#(WhoXSX0mtH4D1h0u2?Bngv}= zL4Gy6l7R-PSy0v1T*Aw07DTlb5(leU(9{-a2(BI^H3dOkpr|S6a5W2p+5!#61wl_! z5EP{4^k8wIn#FRukBY-_L9C}OkZ_8cr3LljVu6+gL2c!*M0i=tf}*A{@h~k5n%atm zMWkgxRMS|0Eeo=m#`<Yl5Y`li+W=)vVd4NS3)0$(g>V}nu4xR~0Ci1c&<4nB3d3!H zzNRoy)3PA2tyrO`XjxF$6o$teNNftj^?}HyFj3aBpt7ylDBNez*)-<YvY@nS%%^2R zYSWmcWy3T!64wW6+nR5r2=#&7rZK3G(c2?&pRwNV8wF^j=+&}};0~fcYFS2b2StaL zWdwIn^k`W|a0i8xwJamJgQ8o@GJ<<DZi5lrlW`l2;GQhHv@9dIC*w94!97`YYFR9} zEyp$qx4|gxNw^J0aZeKMS{5sAYgya|mfTiMv}swaxh>cc_<Uf|ZN)IpjOso@6tyf? z-Ijb4aak<8DNN9^jP9O@>tl5HMD!0WOY3goJoI-hOY3gHe%7*BclWgc*iTxP5#AF} zyOw2y_XM<4%l4znq6uidmSu$Z1k|Qw8R0zv{Y}d<!g~VxtCnSi_c-*UmSu$ZI8>u$ z8R0z+{h(&C@V4APjD;zm(cNRw_ga?G-DA*qT9(n>V-Uy{Mt6@v-)dP#caO&T7~MS@ zeWPV*-7WkDov3AL-3{2iT9($`fZd~IY27XS1@2L^wC;v{Uu)g8?gp$#>!x)#U?a3{ zT6Y8XmDWwmJ>k#LziwLY0d}v}P0KyN?$NqwxhMP?`qxd%J;-;3)=kSjz`oSFX}Jg3 z7g~24HH3tZa9?P-2N?8)mV1CfUud}}e1!W#%RR{Viq=ibJ-|-Tx@oxw*yma|E%$^E zabIY;2N?8)mV1CfUud}}e2Du(%RR{Vnbu9qJ-|NIx@oxw*e6;yE%$^Ea9?P-2N?8) zmV1CfUud}}e1Q8x%RR{VvDQt?J;45=b<=WBcptY*%RRuLU0Ut|2JO;vPk0}<%gDX= z(Vw+$M((|jKG3=ux%WQ$Nb6?g-g~$&wA>Tk!+oLU9$?THTJ8z&;l6;}vrcvIp%1n0 z)hq^m0l`P-dtd7Y#b?Fd#eD(EM`O?z(0nuoeF4!&VYn}#`X~(T(YitQ(b#US8+0Fy zy{C19@Uvhj083dnC_fr|SL+7pM`Q13-Jtzw>}{<Z#Ge%#f$IbHM`6OLS~nyAMxeK} zZbtr%K!4J@8TmIH*T=}e;pk24Ehx7+1DpZQ0B3+Rz!~5Sa0WO7oB_@NXMi)n8Q=_X z1~>zp0nPwtfHS}u;0$mEI0Kvk&H!hCGr$@6@5um;|9>1^A}F6KZzxYIcPUpWXDWM@ z7Ud{qzEYx$RAl*Y@C1OD<%i@O<qPGL<Q?)Bd9^%84#~r1AH)E>FTEh$FI_8LAoWNc zQlqp+nk$8+5t8ix+5Z>+@BNSYZ}(s3Ki$8_-|S!SpXV?32YR0a@UZVD-^CCKaGbBv zx7s(`SLhq+^LW4WzUzI#`+)a)?}gqT?{;s!cZGL`canFI*XjAz^N#0P&pn>2Jm+{i 
zJ*}Q&Jc~UQp0S>O?ti#HasR>nTla15%iO2C_dq<r2KPdDg?pU4zguv9>U!PvgzI+W zSpd6STU~2ib6g?UaF@^dgYyIDi_Qm}*E!F3c01dgbr2IU!#T-0$mwu=<#-F825``E zz;UkQ1jjbVF^<KK3ddMSe+ROEZhzDMr2Q`Y0sGl@-M-C!ti8rQ!#>$Q*zUG{XM5lF zvh88pP4G;BeGnPYWLs~WZ!5KpvGupv#4jK=;7Rcg@pADDaj)1S9wp8f%f!*5ihf3) zKy<)k=oUC3`9HNYU>_!m)$o1*cp7mEEk-NV&Jhf>LhT&RK+Dz6VGL9wcMi3KXY<Nv zb0i(DM~e&8&LLEud1#s1IhcW#s-1^3&=R?GkhP|HP}4vr&tkQ+fP&_rMQZ0^475<` z8~`<mW}oH=*Q%ZUsZ7;qfzsIzAk<4j^;)%4V=~QGJ5>gnr*<j~G*|7E8E6hXyuv;N znY8!|<W4{An_cn>`{hob1@H)al}@j<)3Y(+u_CiD;<gV%y(ex3nyqxYXrxN%bkfKy zxzk}Kb|!SjZUtr(D4jNIndNAv(kar&45<@Yj%YblB3LV#R-ov6tVL?jbVc7yBS$Lw zE*hDp=sT?kSuR{F>&IIwE^n6g<1B!1DgYf;;1mFMSO8Sktm@mTGg6AmRlS{o%4EIG zat?+G=gWH90t^vOQ}q;8s2G(fdJ@_)&m;;9?<o2<8ri4ltyUz2^CW0wpQ^{Hs*6xq z)ms=Sr0UHSGzAr^dXp6rE<iz5-^xIfRXxT)lVrUS`e2SpG;yG+H&A)bLr19k76zKA z=uvCeC*Xsrr;)v?US}<a#-j<UzS#;1=b~|{9$}!ds(vg3jZyVY3^ZENkFhi;oQu1# z(TaQ|yrt+zTM#rtIA7H_P!*kzMydKy3^Y>J*Hh5hD4^==7-)p5uVtX&ioV9upm4ST zEUcz7orQ*}`YHw*s_L~2G(^=`GSFaEU%^0!tNL;V8l>tq3<M{283Prl`ceiuOx2e# z&;V6m%s~AWeUbGL&%(Sfq>*P-eF0VMOw>=+=QEI|>hl;#RrI;ms?HSNk@Y!%m;+S! zYM`Q5TeEyF>{s;JG?G#DDhq;S0gzc%M8dtENh8lF`V0#qydwZI-GU%LuIETA;uA8e zKFxX*2q8t)r!tVN>Xi&6sd@zi`BlA~fqbf7MnMAds(L8{c@(|G+AX*6mZ}$9GYS7d zZdDI6kW1Aez_4%Chg?ooFJd5vsuwblUDc;BkWJNt6!bF^WqmSqtM}yn<W%%YmVOF9 zVfv1sN}Z07s!wDfLDeVFknj&xAJ0I4SM_lW^s}muWuTu_eGCKrP1Z+S`}zGcMIU8d zlhVTXiawG?zLWKUwa}++s!r)8;SAwhRj2e4K;Ni3rI!HuTGfYAJvu}9O4TXF1i8Lc zbxJV-^o6QZiV2|46&))kb14D@2Kqo6fy<LpOpxg_MF+*yry^3qr;0v+Mm|w=5KPuQ zA1iu4Yt?V#(@E(i;T+*Fs!r)8fc~uNlwJbpBUPvL5<nlSx<t`(j_`r1`x)qcRrfK_ zd#dhbpm!DBs+*v8pv7(N`#A#80=mg^F`Og3E$L2+z)232b&yTHl5HEl%<NQ|KMH?R zbr4RLYW^tPE$bq*)q5Sh3E~8VQy=gKh!cS-^t$k-ngQ)(spoa!4LP&hTI{v8N@kb! 
zAbv0GlQUR5^)~g&KsjTTPQuFoP}1po04V8n!$38&gKGH(;dM1bi6`L(;Wafwi6?;m zpk~^bg0HHXGz0x!%}@dg3cjLdl1#3b)yy^qdP&Y;3DtXSS3u9Pg6akC3n-bmm5&!; z{moGNNq9kcQOPu0Gd(Xnt7d5V^qla#lG$p_^f(NU46U9H3cph`jZ_~G3QwyUT0b2W zo>DWkemW>Tsb-=~!6(#AJp(<iW+(+E929=5W@rU<m++XHp%v6!!lP=2R#0~dkEj`1 zLER-htY(g(TD(hmNX=|ypa<2=(G2u}l-XdpD)zu>ILdNW>;Z|Kq4m>g!u|OE|1NaO z|9kQOOS~1{F<#a4ljkGPOP&Wj*TUNfPk=lAqdf~eC7yuC@BYF4p8GlXJ?;bUv)p^# z&F*#XIqo9&(Er8WcYwEXoM~eLk^l*S+_fajwxk%g+++(RQP?auilQjmlth!1<SH5h zmn0+-paD=4U9-Rf%8_s`J-M7y?OYtCIhW@2=H%k^T$+<}+9kP5ae8v8clW=uSP(n2 z3y};&t)BZAd7fDMw7c`|yHnnodB1O5F6Zx@-*bM>`GoUPCG+2;bHsUrbF1?_XHDI& z>Yl0lbltn^URzhFJ6<<dH&}N~-4%6f>uj~p);?YPWbNa%57$1gHeGvH?Eq%_m(=n# zf35j(%~xwaTJsj1c_?F^e`ig9O<T=HHD1S`Fw6h4<3o-&IbQ0J9MhQN_ag7#CP%&f z_xA7GKW~2@X813(-*1oE_u0Gce*5|MTJG1}x4EadcXO`;<ocg*f{Dd_4)=_3f{Df5 zggC$xOf2pu!~vdQVsSTdpA=3ovACN^zzh?MyNP>JIKjl?ZsI;6oM2*cH*p!^1QUz9 ziTk*4f{Df5#C=RS!NlTj;vN%DFtNCsxQ_}am{{CR+((2HZFJDfCho(+2__bI6A3tC zVsST-fFmXrcN6z-!U-l8cN6z5;RF+lyNP?haDs`&-Nb!UIKjl?ZY0<<vA7!v_Dn49 zMuI&Pi@T9v&&1+xB-k^txEl%fOf2q3f;|(9yOChe#Nuuw*fX)X8wvJIEbc~vJrj$& zkzmin;%+3^GqJcE3HD4Z?nZ(=6N|f%`+{(SiN)Q>eV#wD3Ex)}Bf9Z&;lxJzlW*jn z7EUmsxEl!cOepRK0zDIoyMaK@gyL=>(9@x~+y(+Y9f}JZpkGJ(vVlO)gyL=>&@-X9 z8wm7FDDDOVJrjz%fk4lM;%*?&GoiQ}2=q)S?gj!q6N<ZmK+lBYZs1-hoFJjN<&a{$ z+Y5vfOf2pOQtg>o+zs3}gcD3G?ga#UCKmSsf;|(9djY|oiN(EuU{A;5au*Qn=~!IY zfIS_H3mdSfV{u^v_H-;RY#$TybSy4xj|q7?78kaU3i<nKTrL3i`TJPghlTvTtnEWW z{vOu$K_O4a;-ZYN3wb&g7dDTOr(<zp`<jraV{y6jfpeaY#f9xYAy3ER!uClaPsifI zmKXALEG}$M3VAvf7q(9bc{&yswv3RcV{u{oxR9q~abW|_bSy4xz?qK4g$+2<vAD1S zXF3)aHsDOh;=%@;=~!IYfHNJ73)@$PJROS*+gF4<9g7Rw`-MCmiwoPo3VAvfmphMO zPsifI2JGorT-bm;9g7Pau%}~jVFUJbEG}%o{!Y3Moky_0gS7$s+gTg1zm2s4`&(HX zu%}~jQ7*8jV{u^v_H-;RY`}gW`#fMz$Kv9;FAI4(78kZJ33)me7dBu|$Kt~FMIlee z;&ST=_H-;RY`~t5#f1&n)3La)0edDEcRj(LiN#${uxDa%*AwiSSlsob-ZQbd>q)(5 zVsY1#de6k-t|#@LiN#${uxDa%*AwiSSlsmldxrk4C-t78f9o-<<{A38p8LFzXXxL0 z?sGz(p?~KhHAMbe`um=X%&+-t7#s2!<hQXle9Nm@+h>J*7j0WdzGWwC!?)~UZTOZ9 
z{aZ)AWgB}Pz9mEd){$??(7$!$TQc--9r>0F{aZ)AB}4z#k#EV+zjfqWGW2g9`IZd* zTSvYnL;u#1Z^_WVb>v$z^lu&a86nTmzjfSGLY|?2>qt9d=-)c-(?Xu1e`^W$4E<Y6 z+7Uzl){=I_(7&|=dxrk4CGCize`^W$4E<Y6uxIGsT7o@8|JD-h3H{UXlC=bThX1W4 z*l%F31NIlNHei1~YXkP@u{L18p0#~I$TR$JEr+(Sj=c`pGyHEY_bDOI@V_+#dxrn5 zA=oqgZw<ko;eTrg_6+}9L$GJ~-x`8F!~fP0>>2*IhG5U|zcmDVhX1YM9wYPr_j51M z&j0_e>1b25X>ZfErpuewH2!bn&l<nc_=(21H~wSe^BQLx4>b-pUfXzO<NC%L@2|bz z@qX6(g!c{J7kMAlWB{!9{ND3@&*wew^Zb+NMV<#dhdui}J)RcN29MMITlaU}pL0Lq ze$@Q}_kGy+A3^^At?u*OH4VRNc&6dg4ex4rZ9}2qIClL98?I@%qG4@=t^V2ir|X}r zf4u(T`sdZB>+h-`z@Gml^}Oq^t{=O;>iVebEv{F%WY>)A4%aSM*yVG1oPTuw(D^0j z2c3^OU*deObIN%O_WN6%8<pJu->dsv-4k_>*1e$azPib}k-8h|wqm!xruJ90&(wap z_Fc8Ftt}t};8^Wo?KQPm)UK_y)jV7Cbj_1BkJmh0^SqigcKQcuI%_Ve;T?Z<{MhkT z$44D+alFDIJ7yerICeS04j(fA|Iz+K`<Lt=v_EEl3HJD>?6=r=*jw!z?Jn+j-1oT8 zaZhlM0(66)kZ1V#8qyXRKE8(ZLku5ZL;4|xkFO#95W~mUkba2a<7+sy1%{8WA!7i; z$Jda4h~eXFxc3QphL4}aJt5>6K7I~&xsYS{_&MBrg&f1j1@1jUj^X11_iiD_@Nu4d zmyl!lIM2OP$jwph*Y<n#FS+Ba?Tte27;F1yAxHCZ-1`n8H_Kl4xR9gyxb1hOj1+y{ z?>Lk}^Ko4FPeP97<FF-#9L>jJyHLo{d>pp73ptvP+kQ*RrTI8)D3|8ru)R&l(R>^> zltJ@x*xoASXg+TH4LC!N=Hs^CfHUN1J`UT9gdEMsaWBfC`8aHE5ppyixBZ&D2hGP} z!+X$t9JV(LIhv2dc2daEd>pnn2|1dN+kQpLp!qm#D1+wXu;Clgd>l4>BbtxHhIga+ zIBahaax@>e{nGYHA$JR1H-5=ID&!7OHm-?#o{(escoX-CklROJ*NFZ;$MEq+QpPZQ z-Rp%M!^gec>x3M`$GzNZg&f1jJ){hVk9)YBkYo6`hkK2XWB9m-d$o{b__&)qkKyBP z?o~pL;p1-ZVIjxx@di>Z!^azNphS-0;|<&^g&f1j>&d+gAFt>BLC7(Dyq<f7kYo6` zi+f1OF?`&`y<EsKeB8yoOvo{O+)3_b__&jMsgPs%xRZN{kYo6G9rt1($MEqw4sDC! 
z<F#1h$uWGq7Hd2?hL6{Be=p=1K3;?Mh#bSmYq;kNIfjor$a}QW^~%8&gdD@i9o&MD z3sKkE{)b>s^KsY?3ptvP!!|GE7(Q<2{!Yj-eB4gj2gAqh+zBB^^Ksi>!KHFEAIE++ zzAw$kaUJ}l`8aH{kfZrHY*`^k^Ksi>xPBo=^KsZv$7wze8{U`Z<FH9Wj^^XGkAOSo zXg&_xeL{}r<FKJGrujH*_Xs(fkHdz(iRR<5Jy*!leBAbDQZCKMVMDnzABPR)(tI4Y z2ZbEX$6<Rw$kBWpw)=$~&BtwjBIVM295$3o^KsZv?mD_&{fWFU&Bt-wy+Upcecd0) zy)+-U{gI4YG#|J9kvxy)<FL&MIhv2#{y==D`8aIHg&fVtVLK+|Xg+THFLE!<$6=cl zax@=@4dV>W|6ofCIhz03er`kGN%KG3&ymkQNBCcPY2Eho0U<}zKirD0lcs;Lq3fjS zA0C$yay0$3{el!r(?8oUNU?<eX^Q>DfFRTC50@ncnPz{m-7Uy8`?EcZB4nEV*`7ra zGGTw3BA!JNH2K42GlI;Jzh}9GAT#9eXQT**{QZm+LCBw`h@YW|S(wUmRol-n&dLn; z`xzG(WQO~FpIpaqzwdL?ybSKAN${IQf?pZbPix|)cp1!3W4hb+3SI{Bqf9U7W$-?& ziEHI$&_2p^gqOkkG^QEyERa6RglB>CX-(W=UIyi(Ofg;t<I|WDwpZ~o2%px(O*YBk zdzzys5(B&pwntqw!OI|flxduo!SyJUD98-e`z|*o$PCr{E*BMKhU$HnJ0!>q)%z|N z5oCtyeH#ZM$qd!|Ho6Fzp?cru?h<5%>ODj5WvJdW<X(pAJ;NR3WkU5dHS1f~^D<$2 zTGMsBypJ*6D#$d?vwe%ZQ;=z%XZt28l;(N1Z*uztndW)0-66;{&$B(voloZfFRDFH zJO8hI{$H*!**Mxb(Ad>@S>u{UoA>A5Z+ZX4`!4V6ywCUE3+?|t?{;qsP5`L){Fmnk zo-cVm<T>eiIZgn)+jG!!lc&>jsplN`|GJ-bf7AUb_d9V0z(Y{}PhbV0+uiKm;C40q zUOfTuO${$=$TrM0+}UtrLkCm<LjC{L{|svYpTr4(uc<H8&()9D57*yN@2|h0-s$?C z>-(-RxIO?Kz)M{jR|2a5{jPS`W*6`LZ|6^)-*7(Ze24SZ&IRXjr|2AVUJoU}`Odn! 
z-`0IkJp=G1by8it?)JJ}b!~MQ*EQAtwe}~qU$6ZHv;eQFov%HHm4KUTudBTZAXz^P z0SkfuFA(4#0yoo)M+Y27`G-KwG^U_qmVXG$j54M9hd|6IQ;L5Gyo@p>`G>&EDAV2i zL!f1pX@-9Ytc)@x_=iBsC{vt&2%L;EP4f?dl2N89z5q%_nU3%UFfz(?m@j~kQKlGQ z03V}FlY9Ymj51B|1<*0dG|m^m#we4>7eK}+(->a>7o$v3z5pslnGW#<P%+9B;R|45 zl<6+M03t@2M)?AG7-c%h7ibz5blk}oXc`uD+`$)U8Wwci&KGDJ7IfUk7ibz5bll1p zXc`uD+`<=V8WwaM;0rVj3p)1m1)7Eh9sBqKO~ZnY5xzjvu%Kg@FVHkB=osP)goc%= zYtV5sU!Zwd&@sptXdV`H?BxqI4+}c>@CEQN>RG$_0%#az8sH0HVU+16z5o(NnQr6@ z;9!)gpD%!dQKnsd0St^X_3;G|Fv_%(FMxkhre3}P`bC*`@CC3h%GARbz`iKccD?}i zMVY$!0@xR2x`8i%d{L(B`2x5XWx9?pfO=7;Yxx407iGGJFYIMZ+xWsB#&k7b*v*)_ z_`(2V>f{SIF{Tc_a3f=C=L`Lesf{n}VoYJa(8riUd|@YJ3i5?s#uVTSI~Y?dU+7^> zEqq}+V`}CL-Hgf47j9roTlvEEjOi-Aa2;d1k}q7#n6~hRYZ%iNd|?}7x|}au&6qCZ z3tf!qQohj1m@eT99gJx+Uub7c7xRTS#&i*12s0)hUkEX#3;9BjF+GPb1Q^pMzR=2; zHu8lQ#<YPiG&80P_=2A?ozEAxGN$wR!c~lEJzuzzF`dg7wlJo3eBlblw3aVi&Y0Hl zh07SzIeg(##w75COBfT+7dA7dCcbbnV`}6J7cnL;U+^&|4_~;DF}eA|a~M+tU)aQ$ z>iNP(#^mA)8yJ(5FI>Qw>iEL>jH#9{oX41I_`-U|<lqbEGA27;SjU(+zOa@t+4#a5 z+GPJ<zHkm>`X9a^FsA?J3p```D_>}0On>1Ejg0Bfe8J0@{=^qNjOmYj!OfWdAQZsA zG;1%MZ2vEz00O49W$nKg3SeMbn`Hl;Pyhv^ZNC)?;9#`vH$nj<jJEw+D1e30wqFSa z&@kHeOQ8TBM%#WN6hOpi+s}mpm>6w)R#*TPqisJE7Qn@5+fRiBkTKf!6JY^tjJEw) zSO6WPZT~4OfRE9({}2{H$Y|S-{=Xpe)=OFlSO{1MSO{1MSO{1MSO{1MSO{1MSO{1M zSO{1MSO{1MSO{1MSO{1MSO{1MSO{1MSO{1MSO{1M{2xbv=>I>=y@KTb|F@>6n%>j& zXwwUu9%!0sx>e2p-_-cm#-BDm-T0}-cQ(GR@$Vb&Z;T=Te|Mw5@%+YGWB~ZK_bKmt zypMWchztPJ-rK#qylvjiUcvLfo}YWZ<@p!SyF9P+{JrNsPt0?`v%?ecJjdg4|JnUx z_t)GXcR%iawI=(2tNS@_Ps5)Ze%$a?WdDCl!z&tO!~opU(BIJ3a8ZM|{!jHks{eBR zhmiaKrS(#My#BWOo%O-`=hQd2{>$|P*B221@J82*k@^1!lL_$i&i6Ur;C!L;erL?N z&$->%?7YC~g#Q1#b)T(!Z`~txe_wZR-9+7R-StY=|56@+ch|nI_MzIj+VR@q+UueI zUtjA$&i`j>o~n6w&Fg9&s+p@1Yi_Q&wq{Gsx*EIV7mjZ^KIQml$EzI+j$@9fW3OYI z<8sGZht2-1{b~D?_Q&lH+n;Ao+wZau*gNf)AlLt2xgT?1<vz;21>hU}gas&NX|2W& zg#}1uY1<Ek1!!ey+rJA75X;iG?+Xi1%W7@U<tBxN6l1ghi?9H_EOnhdEi6DVOW6?j zwgAN}WwU=zSb$_!YkQEC0nIFBBV|A|OWWQpEI>6&+g>6pKsHO;zAG$1H><ThVE=-! 
z0O2fcdylXH<t%Ocj<5jfEN%O?umJ5WZF`1afOu9Dox?rQA}l~WOJDYH!UEK@THF1^ z707348(e{YmbT$_A)uvg-{cpdpw$+8KZ=EdmcHy;!U80;THAf3SZHWz8;XU9mbRf- zsAy>$iiM0;TkL%(7BX7;vZsXw=xDXJ6e$)$TH1zUp`@j4-w+lcrKN3O7Z!$D+t-8z zh-tOg-E04<umCkJZ9^H5)6%xD@C(q>YG32t7{35LEoH)+K~GEH`LDtP1hrb*J><=x zsHJTv6_Q%o_IY6enp)cSWqtvoT5YlSz!QjSDHA+_sFuF-OTq$FwOZSp9i>86OWQur zFF;qTecW73Sb(mUzU+&_0)(|%+i~(@P}b5m6ai^1Z9@^z)@qA5jv}C~r7!!OumEwb z)^^zbSz!U{TH5v*VFB`5+V+&N0DZ02cGUi9VF3bL%0{{nC~PSk=|Ui}rEQ-Q7ND`E zZJ!htAhOlkX6>I47DBA;-TVS%w%XU7#p^<5OW*pWumGK{)|R$^f?t5pR(oq2w?b%3 zU-off0ZLn~EopzhumGtoWkYQ00<^Z2jnn~%ZE4&4gaxQ=DI0eczW}+d)|Dix8RWLq zW%iE=3((tYZFdt_Ah@M$#1$xRDI0MGl3UsaSD?A2Z6D<qAiCAMayMLo=$5|hBf<hy zw_4k@{lmfnWVe)!xB}fRWh1UYcuU*h3Y52$ji3VQt=5%kxB}@db(#G`!UD9nTH6dk z1>#%EMqGjVma-97Ait$;a0U8X+V(+yVGV5MxKC~du0ViGU-kiE0Sa8LEkRs?1edZA zSD?YAY{V6aaA_M{feM$haaRcokl|7``xC+fbhujEg#Eq30wctoAZ0K@+zC5c5E0^P zUTtENu)yeWC+zPM78o7wxP4SuV05_S_JhI#qr)Ayzf)LXbhx7ZpM?cRhb!9OAuKRD zT+#k`(*kt3nz-Z#!cFr~;c6{Ao93ax)mlPL^HAVwEy1RF=x?=_UVa|xTTN`o1NOJ_ z^AO)srnfiELwl>a?|zgIhNrcleDFK11?7X?X)P!p+)isj`CxXM!tN*KgV<4~w>8a! 
z*J<v%@0_N2usW?pXqpG7(^`0b9*j=&p!>+PLFg#cTljhKIgROF`<t8QLFY7&x_5-1 z2brTTI?2z2%V|va*k9N*4=Sg*?;hL-B1c{HCVn0~PGg$0zmT5?jiXGD@$+DDl<AF4 z^I&nBryq|r&4a^fE%+>8a9RsK0{ENO66EK>-ZYOsj!tGC<V|a`|5MXE$eZTAW1UU& zpl(_Vo(<xrwcy#HZJGxiv%jHf9;{7!(G))q&PHAIs4&lPwlNU*d4{u%*<UBjGn{SA z{)jNoaJDG9m*H$taxcT#qW0Gd^9*M@MDArc+aYo<!`TkmU)wYf&Zc>>==DwWpln*p zbxreNY+B2${5<%Y=H;XI*EG$8u4yhhga?7FX)SmVsG8P-2Z5+*9(2h5>ZW-RHO)nl zFh38Trnx9$e>p!7nnsyk)-(^6roFF)p9e>yE_zkdJUE)>qPy^LFf`3YcaevKpiw3~ z9Q;gsA07^NMqTu9(>&Oj=AuzR0B)wW;Dy1=G`Ee~Hx={$-M75>f4Om{@s7q_jp0UL zqX%dI{m}a*?+3k)d0*mvt|t4R%kw+W_dK8TJmGoN^8(ELCp{yc8$4S*=Xq+}zj8n0 z{<QmDi2X0PkGsd*gYIkGSGd=@Z4J*hJl*hQ!{ZGPH$1N)-EdcfKL7te)aUC{^`kiP zucLl*eUs}iuK#p>#q|-_n_Vw=WfAv(yQ|L?a$V?hJOAMPf%A*b4>;fGe6jOE=MkLt z*K_t||3khT8P#7i+}fTdxg5{{C>wX4AfpM;w%Y|6jexe@Cdg<7TH7~}14l+XplqZJ zv;@k=-6F_n3$*QkAfqv8ZC~fk7i2UC%0`}t_CVQ)&u9>|4LK>$Bxu`yK}MU<+P+50 zK&zl^qzp6*%0|jSyP$0-11*ELtrui84cay$$Y>l|+uKOFXdaY}luJ)sY;Pmw(i0ch zh6I_OxY*uiD+n?@alv)Nf=o|bY+ohi(i0ckS4p|_#0A%(+z{>GS4p{K;!+Ou#dS9e zGCgy#y`38rWP0Xedn0mK$u0D~Z{+q0ax-h&BglT*_D{s;t&ENMd=+COK3~b&b_?<r z)`na=SJ1Y%ayJR`<+SZh+>L^K8EeCPT*}yNj|lQ5jE&nR$eU@~hq*pMzL>S`6y%F& z+lRPbLH5zMuh<?H<O>-aXtn$t*0w{CH_^5aay^2)k+yxAJZ}SI<F*SjnY?Je@0Yo5 zL8fOfwl8xx2r@l;v3-%dUXbb83vAa3GCg~-eVz*l@;bVV&vVxbGCh02b=L^;8v44= zk$dUsi|upVHbJJRFR)!L$n^9Dwk|<#qM!F!^1MdY78YbLYiku`4{PfbWH)X540&Dy zYs0<utgS<kU9{~fa<7xMwexZvY~^W=?J49bs%0;06XY7&_G$7s2W!Kt*;!jikU7>C z6l5E1`xiVf`ygv;6|xVowiY3KKW%$I*DPf3V{LvRdoOF-Dr7N}(N@1tp_*nfm7#2? 
z_E}73Xxo)S7SkE6?UUqQOlT+@w?)X#(zYkbb(qv>uX~caLdd3Q+b76%nAT{o`vlU= zW-+m$ZI=mIOl`Ebk8_s_*#v95M99Wz+s8;5(~OPVEM%ux+r>im2yOc)cae}iOxxav zBP+8piiJJMt>v?mjOju?JHeQqBV@<vhdse<60#y~doOW#jInVWg>00zy@lH#WDl{n z3xsThw!ImBefBQKhQ2;K%Gl7?XAiQr^+NVe)^@Ity@R&B$MzpW_IB2W_rSbI`_bNm zyp>tZd?=gkmqM1F`q<vXtrN2J)W`O2QU*QsfemHsqo4O~Zmp1|r#`q2Wel^|tr4>H z)W`NN?i?XYPkmq$ge*PvvAvUP60!{Udnd;WS%&-lGr5l8e*erh3R#Bxy~FlXA<J;T zcW_=I%W%KP2?h-Jdz@gvaKFb1&J6c^oO26VhWkBAp2u*%N6GUT?)NCckKulgat%V3 z;eIE%dLhejzmuFx$THmTB<B>e4EH<9)d^XK`<>)!g)GDUPI5Iumf?OUIfsyCxZg?6 zE@T<*car0TEW`ayayB8$aKDqb{}r+f_d99(A0f+dzmvBA7P4)0y*g?8tB_^5-$~nF zge=4TPTKw~WEt*v()K4I%W%Jwwm%A4hWnkg{Xxhw-0!6Azl1Eq{Z86`FJu|+chdGd zA<J;TleXUqS%&+awEafNGTiT^?bkw<;eL;hI>d0lM@SuFxZfkTUkO=;`#nPH6~p}= zvHe2GGTiSm+s}n8!~I@wdsfIY-0$_ap9xup`@M#=Er$EO#`Y5dhp<!q(5r1f7H|qX zWBX45$FNhjSCRK+xZkVD`!d|`Rkj}qIE$UR_lE)wV`pqX5O5khWqa86?*a~FXKddW za3VWn`<}tpvt_anun@2iun@2iun@2iun@2iun@2iun@2iun@2iun@2iun@2iun@2i zun@2iun@2iun@2iun@2iun@2iun@2iun@2iun@2iun@2iun@2iun@2iun@2iun@2i zun@2iun@2iun@2iun@2iun@2iun@2iun@2iun;)I2$1}Lm)gc{P3Jbg+52VhxOb!H z9iE-;e{;XkeHdB!UfOU|{rBr%UT=53($(txl=EQS@9O63F0Orl?NF_&=Cw7QjxX4M zVt>%Smir7hYWuzIOL&yQZz8wVZCiIfDQuH;QTOov;r+qpU~_0V9f^-cl4FzU^i1mN zmX?WFdUEzqb2KsCviCsu@L&tMwB^uL;!w-caC2*Oum%6$BF0-<j|T$&{Xu{CY<g0R zr(@AbI+lnxPmf)kyQ;yqdA(AScTfNDh_AD?)!!a!Zw@qvOT|s(uGG5|S`Bw5b6Zf- z2KvPVt<8awE2r<x`*K$_*w(C3iaOGBpf}jo#ugGiCN@vU(n+y7k(_85i=-nhW8!!$ z9wXqTT5w16WO{mPGIzP5(?Rxm)qk#u+-3SN(N_Larw<+}lDpJx+k2^kPiF5G2Zl%b zw)hT+hkV0gbT%1F&-q5gR5}))@b%5c#zgY({_c@od;G1s_f8y(q-GQhj~zSapGhVT zi_x_In0UyaQlI5d7oX*yAkRYO4YY*)C~UNQW@bvQt)r!aN7aH`TEk3*F8@o=uU<4d zo=A@F5XU34Q|Zy3q&P;Ze`G49e7T9-B}Q=SDnj)iPRwmCm$XS~(e2HlW*t;3DJksV z-|p{8&dsC~6UoTT<Q&?wn7i1hoT_>bqjLIk7g4Pz6zXJa`x31OcPQUL%=wHwuBycw zc`W8GWXlOO;~TJUujC7~`u7L?-O1==ER7mHi;jYPf#(>NQ`MI?DrX|Msa#HJj0mqr zPdSm>XjD>FZ)7|giMb8sl1i;4eEM6-MDBueIc4msstd+%G?6>ssHDZA_4IYvV(z?h zNoDL#dpnYZ+<Lby&|4g%{R;2!^-PM9v~PG)6w|4}NGf$KksR|4rxVG@gsA;Twy{OY 
zeJSNOF&Pt6&E=s&^G_|MM~<qG997C2RmxL3k-pryRCm-BXx9~W>cJd$s6)cKGK}S_ zu?j;%Uv4esb4S-oyHMPr_&k|g1E2M*X%%YOMD83tJYB2N>s*o(z)XuTrDdjVV5azA z>GSsGcnZa~psrt9Vj#jDDvC{pD6T@UFqvyCqqtdN1D)XaI?q=!7Pb5LclvjLqxuJv z2{IfN3I1fxt1n7}-`~;!RVb=2=b=7DFu2l2h&$9z;nq7HYSumOG~grc&oz{JZrAd7 zZqLA;5r07Uxyqf_>E*eYyY)=PKwL+M!HyS6ZlFwZw<i<FQev{yKdK<s>p`q?5?SHP zOXE3L8N^$c2V!xup!=q)1>z|t3+>cop@d~m1Vhm10WoqUE~Zi#o5)<xV6twRECehB zECehBECehBECehBECehBECehBECehB{*NI*R=qFcHrkqA*0i<p<Bc`mS9)7L_j-7o z(syUW?;GYDF0Q}Y^{=kOF1z!Ub?>aZsgA4thuT2RQ#B9PtarTK(Pz)wH*jC(#_@>% zbHBcvlUo043+h(Qmt2Z1?WoroEnO`x`kvNB%UZ^1-KzPLPKVX?wi><DfmK=5m9EV> z+_o*z;vP(5QMb_+@*Qm(?(v6x{c-GjPb(@9Uo4KDnFzMNeZzC9v^eb>5>tuUWK>L* z7ST(1MpMaXb3B$xH%}yvwqPBZY}BV(lCjhg|8yjd&75hhLbjx4h)AR@<c}ue>11LG zSBO($Bqd@$KZ4!R%@?((|8o6NF`2?b^tD*EzbrmGeMn4ROZ*da_A*wb&8jL_rHwaz zIkp_K>8tz1D_KZ3+Kd%*Hntq1pwX=mucREK_vw=#q-tv@plcIL)K=V~)K*b`z{umO zHam<w7Ulc(<pi5`Jwvs~i1K|#<>;1|t1YKbzL)+2ow`?9>I-xhJ2_Fl$H-&dCSbK5 zOHp~Qyf{C+yv6yRp<4&fq>`tLT7oBw?hxygl`So;<-HCf=oyTRjX`=ex;Gh#PKj!T zK5hi3u6<MsrzjsYDrXfM&QYUss_MFo8|bW2IUVfSP%UoKn4B(G!+k5MhProNwLPLG zt6^AQPkZB0Qd7xxE7>6u<&+Vgr+p}xl#}IhN_)tm=BmD1h3!32zPnshakPdy^z@IS zlk!ZtoYE^{ysoAyR(PdeIe~6mPzY2E>d!zITgVc<c%Z9D`sBEg%epaPC9S7|%Thp| z2I=cBlD@n3q_5R?AV!E-D&-r9#gF*PIso0fohhEzIw4P$@hQq_pcbi4b=TqF-{tQ~ zOi$0oRcUAny1NPah*3#ZwL9aIq^o6Uy|>(6=|coNeS<@LM|yik`uFbf?cM3?-?MY? 
z(C%*KuiYcQq2A#Uv%W~Mb3%^kajKG#8RIk|Pa2g})refFqzR*vR^i)|Z(d*jYFpEu z##eZM=<W0*-EVF9QNuQvte=H|g@A>Cg@A>Cg@A>Cg}@m{KsrB<MUz0k7r#wXmp(QD zA!JE}DEM|SE@q!9IzcySQ^F3EsDoi8T%ko9q@X@~wEXO1m_jj1VR}ruERU6zEp5eV z1G{M7@9*>t&qSt8pS8geX-6JQHCyhk<Y|X*I5D0+hAoAyzMZk;bn#CJO{KOS`r~PF zf&>bhGuP?&cSzlNti^0OQt3U~%dw2a`N3rDXe2u4+c_Io)bqam_{ihx6w|DiXqUF< zvCy++y3$Lum0zNJN=&9xTYcSQM`Ni3iKp4>BQLfC%K~_#qh@XR^!wYSEAm)F+R|0& zEyAU}soe>L*TVPsgjtA(rPe&wp-Kxa`i2@p_kp0)SYkHi>q(4>XF-z<Nx^&qKHpTt zmt7p{_Xk5%+uVu3EV7lSY!I3SbTA|}=dpaYrKh6TLCWhLsKVGzG_OYq28pNV+CE@w zx~1_k@1MOldj8S<toxdV=hZ)5e}(IQ=Lel!-M-p~YkpC4ts`dtfSu=#;Nr96CvDA> z^~38cf*qj19umisVrtT~$`Oz*%46+t%a)4%w)#dQF+_8l*Hr{trOWeJcHGiYbW-0} z1bsWFBFC`fJ}r*L%x!Jbm3gvkxvdhOfiB+;(T@NlKx+1=7wD1(^D&QYi&R_DU97UA zH%P=IQ&V%ke%0;Bp(&B7#y8KRuST+hy)$A`!QUj&L%%=JDf#nQ5#7>V@s&D!J0r0v ze=0Jr3@TA^3^C>AIoyFNgN4;oRGD_)ZgD!1oI4AKz(BjymLG?=H&=wWjj9=YXVWvY zX%N_{G<cqQok)O?BN2|Porr$$4upMs5^+Cja0=QSF&-7o>XidwsUtrIU-wl6IfS}^ zzAl<pnj)#ssKdl|lyoeKxM{A3q-*n0xE`tKI?Xo9^Eib>4~anD)E5Y1usMVmP-l<^ z^(5fyO(qjb-!8EJDKo2d0AwQqSJkdgKQ0D*g9&ixIR#p5RGQt@!QZ<o``hDhUlh&x zx{snxM-IivuwqVShC7&}jKbeO<GS4A4+Sta0b5REeIpW&i&MUC43u-|Kg@DDMC!!B zQ(=5o)rlT|K)Nb_C;YwE5aYoCe<0x74$&hTnn;-FlzFpO#TmGJ$0^-yExS7mnSip! 
zVM=Wv?zW;f++MLZkSorj9)h?7E_7QNUZzLu>BjQipcog^MUq*{jb#eF#2KJ_YejT% zK?k}AGIg3Iix?)axe#}xOY*nC-$1dg>CtWXk<@i)VfUCfiGrW)#J>%;l&xuB<0IZb zdAmG!yPtBeZ4m3<jhuh4a5X!B=)BJvtouw|tj<;Y;hHbjjMZG=c)R@(dlz>JZu?t) zl3xa`4XCuGU%#lmYh+{)$##<9T)vTHB%Yc{px-ZLOFPv9w`TeJROxp}0Z1)D3K(51 zpq!3PSrykL<H-mz=&YJLF59varJqh4VxH13pjY}04-brv3=EI<#AYVJ#Yg+&so8N% zm6g;SWncy(b4bNeR$nPXu?ZQpnNI0QgiyK{*6lf*BBi6T7$)PAL32y+Z(0fbIuWaR z@P{b)hs8M7{jmH8%ohV2Py>+?<!CH2x-X7N5fNdEW7u<1_)alh$D|CxTtdC1C=6AH zdIfo2pB$lt;lYp&%_Ss-xI@(xf{L<ESE-q+;Iwo^28}Fbd5kWvt_=4M5BposoG7>5 zKMYMHrjFXJHBAmkZKlWG<1>jAYC-9a{gGshOhk*-p-(<YeWSJ&r`*CF$~QVFgBq4n zZh4gqP65=bs)UU}q>u}Q{N027kTV{XLFRM?1gjFmQU!=I=vS$hl|;Q&X7Vx$jp>tb zqc9J4>BO;1wTrG&zyv6b-s7rNe#Rc(!g#z=ad5D!s1BZx50pJFsb7QD38#%a{Rw%$ zQAxTksQTeWYLWMWsi`whhN%sA`@4L-$FZP>*=A`=4}0ZDW2Qx$!6Rv_JW`Pi!{xJS zszKb5u9Ao0uewviKs-bs?!mq~Hl~%8ZBr-q#2X0Hhv2Td_o#OlGb43py?=Tp0+QNI z(rKm0{-Zgo5pcRwx<tMiP8&}+a6yM}2vLt@)n^8|p3PZsC2mMN<U#mpti`|u?U-st zCy5Xq?QJ%BRE$kcMX*AQ`Q0o87|ChGWs*&V;y;?RU`5=Nu95fRJ=9r@zLK>0_Rmhm zu}4!}Skuf&l_kRAC|I3YE1K}XO}b3p1OJWHJGdZJtS{xNZOYW2I3hL6yWy#tpjD4_ zP%|}*K%!&rq#7P$U0WU~W6P{-<AMNodMA@4!|X29X%lNfpq0%3*V*1>YwBo}yl?gV z)pL`3sNr?>zpcN~m2-Zy?tkifYF}0J?V6zDx%MyE*K=dI)bt;QzncKB@mf5A_bggz zBkq7<+z5Y-8OGpl41Y@3tl6Kz+61Y|=JamFBPk^J!{xn(%U8Idb8*BbTad{}DxI8F z5{CN*(Oa9+RS>VxRqTS>#$5$2=<xNDF=Pe_07RcQ&$(G1cfjMmQ+Z4_q}2g0F-`;m z%4&gGJEnlJ9i7`wcx<c?!3EIo6|*w*$H@*UHq*@lw+&--FI+Vqqv2{;sjWT$+g%h$ z5^>?~7-rY$1ahPj5ddhuIh>BTCtWP>fd5w&TOl)!;DS)lH#nQb0)bgWh~k6PA@{&b z;~jKz1=+eYSeqwHyr%YY*ulF_-VWE*ydwqxw}NKk#Ev<#>xi@?XInoVYL&X>ZoGl9 zB$$9tNkkUc(6#blObJZPo<e-YOWc5$h*hfRLH!7crin8`rhNlqWDHB!ld&1!Py!9t ztiC4LC0#0CkC#v<VEVd*C|afZK&m=zVtWmCN>|F)!BJz~96m>|V{v{vB$BNcGrjG= zZqc>yRwa7|u(qRjnVy+K^Gs{PAWW+V?b57#4H5dO+{wV>HjFXx*tEL!M~0u}2><qB z8JMI#Qdft!lC3d3CO%Qr#G@4}xr$7C@iu&^ZKwQFVIN87j}A$VqwsA{;OsBc91g?b zt54~0sOWGX5uU`AMTqT*G1KS_<mH2MS7i+;X}TZ;=na>vAuZ21O#28yDJXa1BNz+) z$twjw&Z1=P2UVT4l^wBEbSj~&0h#7?K<bq{;I+DnWzfc3iJvJEJ-xEOuQYOX(Xcdh 
zX?Ffhdl6;+f3EGQt?8wWKWYqkv!1VbE_2`0@MOce_2aIS&ObWCbyDr8aMs`Tj(Ph@ z?oZscxVY+{)FZb8zC@+zB`sWBWGyA+m_gq(^rTL?4X<&a5^sS5y|hw%mbnf+x?c{% z_lo0cpuEam^4-j-J;dgB$RX1CZK{Yi;Vs3JV$f5NDF;&dO<~a77mrTi3?~Eu;4hk1 z=S#%dy&co|W1s`O4ncen<8(Oa2m@FdFD@E(llVk(h6j0H!h+3e0FbEn$^kfCu^$X* zqWQFQj=p4Kb|$5)gkyy{5iN$2n1_BFa^SS$MT~Rc5cI>9h?mJ?GsQPd!CT;c#VL3o zR9++3eue{y<Pj_=nWVobu7|KV+6>p#B|H5{8X#jq3Q;`CQuQ~x(g&p*WItS<sMrw& zK=2iThf=|}&tiQ>ZLMTE2~kO<GgnP(xB;v?;z-^Kk&5KQw9*1a($$!`76yH7r+gJW zzO@o(prieCoWaz=3p*B9!gu2xi@{;+01RRgj|5|&a-^ckn38_ar0x*zV2J?d7MGOb z%$6JcErqHP9sV#TM#OW|yzRsk;tF`X+qh;7lU4tcf}=P)QruQg>NTec!YSzr8OJPF zh#&{XPzXnr?xK4lDJpr2O+&a{+9F>DU)3ceeSK(Cr=0{?MK?MwCd~r24UG*aJy&jQ zSoK%t$cnQN6sS`)v-}OCv0Vax)vydbxClU7^miEPK19=W1E`fDsa4(#Z&jMA_ZBM< zrLIg_?nHkUn<!3#%|bYc8gcQdYQ)*JVGN7|lk!Dn@mpEtTU93I3W8bEXP#>d+nR1_ ze4Y1K-m5*&cYn++G~8VOYS%AaA?Iw}m+IWLgEcR8{J^orek1ov+q1T?6wX5iSc*$! zssMrt&>LVAxZ<{&Db;|ug@_l33M(`;To5cx8ci2;5oZwbLUf77oB<b{O_i3oBi)`K zA@lPMhO`(-^07Fn-EuEQN+Puj*aKPI!%W1tCo(OzAQ?6kUMVF+acWkfMXKh~l)9t% zF16>0hEbhjF_nIJ2o!E4GChM?3KrrK)U2!)ld0AYgxQ)GnMNE#QW7F(G!{kRf=&cu zmop^zOr{&eA;e@8Eu*@wrpFrjnzXyJ<x~iZvs`oP$q-mwN1n(VE4q#pO~myWDoR;e zS6m1g5|75jW9E=Npx%z`Qbf^cyp@a#+CWI}o<(adHpt@Uy^@n@B!M$CirY}TMMSlY znf4NGNU}m?jjCiqUv)tKlGx5sc5}?CBw^|5JW({>X*gj4(pat0)^Bwwvsg>idALbC z-NZSmGf&iw#uIT|06nJGdsZ`H+C-eVhL~a^9W)Ms#syeyBD={@|6n&6J2*3mRAkDm zdJ+gqEqS6GG+rDd?h<KD$z2jq3bzryXI30PaY(u*Pn3hB#w-9=w379_nc|p8IAT#P zmhxfnUwjwS`VS?Hn@9+aX%~U~EE1OzcclJ25fIK9<Bh2QHoyuA{h<Vj<UUGt^wUTa zL-^JX3^-U}D6YbjK`ClxLLuTR62}m2p>b9{1g(dCL$eV1kZQACoQxceB}`gofGfyQ zN5q8{R-Jm4HN9gP=6f+_&XCv;1?L_F?*V&Lx|BgUg_KQ1QmAIAW5!2Z(COPxMtC$v zb@gdTj3$yM4d}!lWEmyuLgP3ET+p%TusTed1uZu4@<dFiDjD?9Ldv_C3(_|@iQFY5 z#-#|eSxzhQ{}<bCu{G^%{7&PG8hP(y-s?TT_pEWBbl=tRhlaN{?5O{<>nE<~y4E8L zz*BV();?Oht>#~AVl_6$dmOv%KeW%;8@c10*Y<imMDy#DeRRxWKo{1yRFq^Os74Q8 zXtWrjd)!JQ0V^zqOv=wODk{W&ozqa1bdJ2qZM#+|cH0MvNf5y85KdO?q>Bg9_2|}o zln8czIx&Nh)IU?YVe#ZTf3P*s*^JndF_3|=L^RbLOSFjbmMJK0Q|XpyC%K2rNd05b 
zV)>E8Dmixy!T-fGrzYi%MgZtSqfY|>lkx_mqI9ver=h5E`GRs$7b>yM9SCi%>aE)R z`#bzfaw`8oVqyYaI%1s1<@1dSs;d4N7St!7N42hw4qZK2qIKa8rFD(V>-8=Nt4k<g z=<>LHu2Df%HRB2et<x72T9vQ8)~KMWGGG|Kk#s;_Q%-8IZFxxzw(lDr@VDx!-fAVl zKxb6i=N?6ah($*i6B-mVUm($iD*Gf^#G^+_2@KAmDsmv8JMU|Wii|tdiYyp?jniMh zq=?*9{u+Ci_cgjlcHMRczea1DpGq&pehhS1qgZW4PM6qGgu6_LqrEAR5rzJ%Xf_(5 zsjE&a>75Ph_PFfT7gS{$8N-4yUfHww*|L`}@3Zyn-Lvydo*Eg%F<|lW*u*TEt06xK z7LZ4Gh%-}(IWmDTOczo-M{=~gJbxR-3QL-ViH%YZQ@-owsl<dIsVlM2*eAQGrq>qI zwUs5B9_~;pOM}rj)IF~1%F-v-Q!a-?y3Te9mvM*cvP<uBxT<U?0mEw7Co^YAhjp}L z376Z##p9UA<vJsmPe01iLAiFZrDXb-*HU_ihIXCFmeNV3Q&Nc7Xemo5d$=m-d-MoN z^o7L^<?Hv!HB>zc23lE)zr;tu9cn#t7=097wXC}8i?Y33P$|1jM|B4>8|8|5P{sk% zflzT;vO%AlO(nahAqkuMq~e((nrv(RvJD?+o#MeXImxoMwQGf6huork9x?l%5o%R^ z9wXGG_AE}HuCO`Sy^pK~smf$1ys&uHJv$alYo*A#7d#UOS`x=JQ+Df*76KLm76KLm z76KLm76KLm76KLm76KLm76KLm|3?u}mRW2`Thqf$Lyhx|jougG48U95&$w+3a>Ld2 zAFfZk9&!oJmpX5%`(o{HYM)<wWzBZScO3WF=dthqBzGQeUExo<ID0?VO8mtoCPpTK zC5cYoNNid}awy2DQ)aD;bV^rb?}L|WmNO<S6<$KdMvkybiZfWsQ5NgXay8J}m%W!- z&TJ3p7PyvJ&cq$cdf8m|p7MHGud-9#*4$RzDr3mMA1mWX?F+#H_B8y67leYic<hD0 zHy%xl6*teNsq9>N*;!oPvU72Rrk%xpwRSmM|Aq~kc4eh{R5^1(RYxmWN3zF(wHht4 zrkHU(46t?IZUt+{!5}iOht*9a2ofUMV}@nu_8_V#LmJB-Eq}Lt%lvKwdq(`Ny1m}j z`fh=MzXzIoY@rP!lDxbd+OfEc(34E0Qlop5F-SQ^5yGKlM8m3dgq)<Oey>?WEUVcQ z)qgLXQ*BTus@ddW%aCr(;t=W55ee6?<a_B}^-O;+`Vfs>BfAG6D>z)#6002;&Xz8v z)Gu{lRmxeG+ky3E@20xpKxn0+9NeM41<q^MzeP2*0Ov3)uN$7rCXC9~b+IexF_vAn z6wSuVRdaZGRkMH3;C>9pXKV=Q@b||dpdKv`X^Z^{L@?U3JNkEb<Cvk{IBSTmq<z_G zx}t=29pMt=bs$_6z075&j6RmGovy~m>dPLX-=b~B+jMQkUAnpKVWYRufwCHJA>ERV zm8;yf%d2ud%IKw&DxT@yu#Kv1J;TFHJ)6r;8sVzzl~x7Ucorw^mPVP_@^CFSWu1Sk zg=_1nnlddgAmOJt150HOB;9119NnZHdU~_tXb(j}Zw&j^T{@DrM5FF1>OAJMqS05= z)wb36YI9l5p<d<TQ}-sTQMR-r8!gwEb<3?WJNNoGZ$4w4e*m37kyaJuS$z?RtO-GE z8S3rcvAb6py!*0;sD3fnsvDb@s0g@2Wt=#2R>uZIRjHI%Hb`dS=h~jIH4Qhuz0u(v z_PoLUC-;pFude@DeTOUW{JL{v-Bj&6YyMPojpO<D@7bHVG%h|1eh5M&d5?{Q5D^wa zf>o95DQZ-R5?rpHkgdi&v6UuzCNvksHH4CrbjQY_<hUSg<hznqWxAMF$}G>r2qh;u 
zj*Uaf;W<*3&~Yt@Hd6u_%<?#doDZi+cHHX^hHylER5|<DH;^a>z?tPN61-lSC&`Z0 zJUh&)6Yxa}g~b?2Bs)$XLEmGVw?U~Ze@(d!8hDH2yUDS<$;5PI0!PWlqDWUig_9S` zVkpy`51<i}Y{kRHWk>_(kpK+|T#-|{9JEF9IS?74sj#<7ZF!QmSoNG)KqZw#*9a*s zxH)U8#4ltt>4M|xF<^SgkuFs;x{}oHM<NsEoKyvOks`G{Pf`<CtRhH}TIw>&fz0Iw zY8ueUmAW-g(i2xky2IB!r5tLP7JVcMq;EKuHV<hedC!x4z-rL7LCt7Ku<{fF<C1eq z6zz~Woj7VzU_PlD<hXj0`PcZkdU8dZ?*OI<NhA<Q-*-0jcnGd;$&-w~#>oVT&taU7 zb2OGr#7VFLLQ~bT+q`-lMm%^3E*tN{5SKA}$C76Sydk8PAo+WZQ%ewEgTCHrF*$*g zedl}wv586Z&Q&1J09ul{w=%RCycgXaOdyiotg#w7C9ceq<h&JW5jNw>z79{$rW51i zrg__n&X*+PHO?SGD#BTmL4vr0nm{t}8Yf-YJ%|n2-6HlleLE7z;>b2lw(Cp*m$)MN z@+9@{7Q@YBT+pHVio-I@^07nOk|(Kk)!NGNGx$i3^dfj_H$u&FR*C=LWE-$G-QM`= z#(_q=H}Ad9GvNNAd(!P|xW4`q^>eO*i+6sy?my}d*FLY-Q}cqFHIAq3UEJ5W1>2u( zFT<^izrO5U%*w|~SA>IV+(sljYPj-oI`>8;Z}uQUUDRf}MIY*-1Qq#8K}Dw_;)RY< z(gnWsW$&cm3wP;Oz?WD!!X4_u(H(~HRkMM_E*xb&S)8}Mw+LUZe!0ta*sE#n*ycMh zJksY^mV5QVJ!UNTVkua=b90MsV{w~rGM%1DUER`RihEtOdxKbbWR{=%vh=a!?P1+6 z&=R!=cPO>zo-8?*Toopi7J+dVylxqDHCBP=vbUh{^Nam^x$rZx0zH>ST2p=5y8VdN zcyH-o7P(1F`z6Z^x-9OO=sHC+YA6&I+6L5<fXss4ADPP{ov9vO-4L-#=#Knt=(g%M zzRf_lwJ0J2^HRe02X<g%nMSuaJ529B>00X&t-q_d=P;K=u2B6~(v3u`@|9v)r2Q<l zfzjm+DaF0mGu8$wDT(Onzhm!i|DgyDY#S}=ipc89C~|j`y#A`3s4qK6jrN_Pm3}eY zq4d{tS)}dMe==RgU6oIEXBO!;OP{Q7d7rE}?&~%*O=(#49{TXjte~hjyPIlPox1*N ziFVal(l{Vzrv4-8Kv<2BBxaHGvQ%~{cD${+j5vl-(D5v?RhBBlO7{F)&sh6C)t-MV z-H3<8ak6`Hsz%(K?Wbx-$4YBQN2zuo=Va*%m06FD!L3H^=*#v|9Z{e|*K;gU#c_w) z5g~b_{w=DRbu3>x)|5py#(<jF@GAXmZo7z-^kvP~X_(HDCu&t-NNW^<z;sd+(+V8Y zMOma;45-_@*XmtDZ-WgFRYQVJF(hL{`c`BJP@d#do}^nCAcdqz87U|akk6vrYevie z)IxP+Nb^&Av~JQ#i1tR?YivzN8h_dN2Jid4H+#P3S@1NuU+nI0I8^^1^$*wkTwizH z<~&yS7pwsMOYPd41oZ#i_Lp!!=Wf7_tNW8SWs&_caC31!(51)l=2@~QFc`rpXh^i4 zES;%ZJ%Y-EN7)DK@RPP=k@PX3rgHApJGgh4><CSht;6!S#tBej92=q4ySaB5S$>qq zmkA+K1}Tr%JG(gx(L_K^PJX@KSwbu|ZkFrKY4DULt*5G!z!dt3Q(#&KQsW_x#=S9e zG;$g|U3|RONyx&<<Mo)HpM@kMpr(Os(_^~$wA0(d7ayy2QmIecF36jO`r#C7Ttq^x zIij!n`lvi`v~>EG9<7VA5ICHoPXu%JDa_e-%kc2&MGTJ~Es}CP`jn`(WT9&asHei; 
zr2nJ}saLj4eT$_2^!jQvZ8)XN7iOVm*t@ydPwrkG5APnt^8XHYgeeaw$BrE%*+R(x z<v%7K@~6}zv;1kK62&~mKQW7Fik73{KufzH3CP6wSnPPqj$%*`Xwza9Ee?m?EMyC% zjHkPcs6q+CW<1p`^(YSg?HNzQe(bnmIl_;F)gm*ZlJ``lD^Mfo>57hut_JCnMzfF> zl&JDe%llr%<sKa={F^>l*ndDgL}iUzY_sY*PRpsNGI*JGxo7+AI8OW;-HQ$S@u|cy z6<$aXSa`!#g*Ppm4fbW*X-?a<(#dsTaXke4{Q9@heT3DhBz@U1{T3lz+gOU3hf11a zY@_Sn;><AfXcqh8rK-NnppN3Ij_!3=tEyL8)d^FzTpL2RZ)gBvVq*{=M2l>{FB_mf zR=a*qyTr%B9cshDW;gq>0?lV+sbDUPt!sVRx(~5B)xDWQuq&W@<s}fr9V&v@B-X#h z8L94K7Ms7NvdfDtRdpDKi!GB`9EVzJR(Gyo1ZmZM&DCmFry4<8>9(bW$1cvcMh9_Z zg>vwh@;&>qS5h@27+Pt~z#VGMz`3TSuTxrRsWRQ{awF>`A$tXArK-R3>uIGDS9W^W zD0HD}><nRbr|;I&Ed(qCECehBECehBECehBECehBECehBECehBECehBECehBECehB zECehBECehBECehBECehBECehB&IAHPFnY1=OSY!I#&0#g!23_$F3;yYvis%kD;qx4 zFkAnE`pvFyx~5#0IN$3`IPG;$)ZJ9a)xM<m#+q-}ytw8{$M+m5M}z$}_RU-r4>=2d zQd9PFh%73{f$WZ?QY5oiY(hzMa~kC0<cXu@C+aoN*JLj%D|KpDqSVo;7R^xV%w;b% z(#%w)Xj-mjW-@z8x$MnKlKjr*Ky{&O?f(6p{vDBY#9z)shg|vN+07_Q4SO#Mw*pn> z4mVP69nM}{F6h!?;(ruVU0P34P|&{<hk2*`rS$bFyj5TJB1$^d9$sm57w%A`Q{!1* z*=-FzRjKNX@afB5NVyzdaROD`p}2fF`<$}N8l<a{cn2#Zy@_#qrNMw<HT%io>_$Vk zt3mn{Zf~I6?h5LPSxR*oEFJ@XID3JC+tn$)PvQ3Yl-q6kJR(cDjXTsza-N~vIv7@< zd9CPnZ+1Q0)+CA6C6`#j>#pJn0f)2a8aQ2LYT!yWyEnUza=Js;^)KOcM=`O;;p|#N zr&k5(zU&&Rg0zQqt$qowafez#&M|abC!;+b6-0_;g)&*#y8^Nh(7|X1S->Eq4Ghu6 zCMt;bW_h|ot+W+%lv+WP;g`{=gHOkoIh<`YEKE0^o{qw#Sk_yv2Fpx^(LJ*3HordX zVAZNYo1aQ7yLb$SCXRlG5+IRC&W$2(E~0}{k*QHaQV<&!othmJ)#~7(s>6y$pv3{m zZTN+B4gYj}p~Kk*gTksiE34wLA&qD2%hlo5<@E~N_YDvDTXjuqwW<RSKiNK;ip53D zh6WN7v1qwI6wgu^-8VCph>VRU#z*(X#p5%@+zLu<7@3<vDEnl3da5t$qPp$2HeI*2 zM7NDQ)Nb2p_<>fXHb`yRI!rrb#rVsc_1gY@apbEdN1%ygzEa#!O37urGm$(NNsgsX z!%S3D$YO9(Y80X8qoqQ0lT+gGMYd;cO|NO%*BJMH*ZY7s?D>i(=@HzIyZ5?l8y;=A zqy8`TuXMf7wbl7qr{p}p?u&K9wXd(etmZq8zc?OroMS&>zkvG^9&y(Hq`R`U<yN%J zAlYIo(ouO6T2V0voTe4+MvaQb60<3#OD(mZ8mj$t1#}(2672_fsO`sL(0<yh3gE2V z!8x;bv>!ER=4O5SA>D+p*nymehN5&jYInpn6Y2Jc<nIzYwup3B-$7?bX<x-$Tm z9V9D_W*#gzhh@ef7XveOee$X`hYAPx(JYfBW+(>YkM<r%kUB}CQe+mH2PkIIrDKLm 
zH3l_oEQ2FU^`EJl8Nl*ClRtAGnnt8JwDjwn29j0!dXFpF+^3MiI~_|SA<AOLm($Q% zNH)w;0i(qNPL+#bE_1IDSh`8$3Ru{(!RpK0Lv?>`t-7kZ#23dMO4SiFIE}RQ$xF*! z)zLdJr2PSZcQQJOba2u1Y*Hi(beZFn$D!~_>nQF}JU*Dw9QNrgt}9|ipsLebg8{f4 z@^=sR!&Rw1gOff3YKHSmjcZ~ljlgNDccsVah>LV*2Ip~>;$K&kc}|ziaJ71`Q^vn8 zm2vi9MspUZ=5toXU$vj}U<T)amKMAh3kX)X4y`SqH<P4#-=J<gV~MsHEH2|7%-n70 zsIF<Rphux9c3)<OYJ=gBZc@L5r?^9Hg9$@db#3}@b@gBdCuACYv}%ST3X6l8X@df) zT*cMaih~()W~I8%vRLiHr>~njm^orlKy^Xh6hwWQ!%TJ2p}%BxDdy!kn8D$bIxMQo z^+35QxidHeGN2v=bGg3D9_k$)@s&E+)6i#==ba+`Q#7MF6>^!mK#J)?b@aiMPMc19 zqa-cZFD4I-j^MC*<s?9*7wF57qafEPjO_@Hf^2VFY0rl{)c!;?s328NMzpPw__*HI zX=}Qr@iFgryjwi8?x)-v8shcut*>+KalX3l=XKq+FRJ<Xnl{JZ*}rKIa`U!-$K^KZ zvOLmHY-ua9QvD$ZZNB0m2g<Q^Gl^uHO*3^yPTRw23vJRR`77aRppvIy)zjg0B5Brf zQ}8nkKarcFvY#Q<Pcx5wgP$R3a~^3dwzO2jGpPDmJb%%w&rS{-gAk;`DJ*!8v*{ET z;toz>fl8#(DJ<PM*<@!-oEpQaf3bL4j7Q>8lTJ8+D>&f<l8{O#oOI)alabi8I5l@R zINOej01Zi{iqMUdLN$>32C+wxh{we#b1E*}!8uY8qLj{VV|&(aoDRAt5ud_Ql~Y>B z&2pC<(FHk6<$8;5t6XD!BZ<UR$}C?)IA-o5_^OJ-^w5&iHI?H^r?5(|aoa41Nhb!; zP35|KR&`?C=)}VL3*oPtu9pG0f5=ZC@HjjZo0=l0<3X@AlR!RPQ*b73p<+NORH0(v zf=(pGjUv}&JiX|vZ*VFSH_PEpDU{y?hxZx|!f?35z+oa$Or=d5IEYsmI3R7RFmT|4 zcCFilHJWwS81V(C&TW9R>T;L9GPjkTEuRr<R*h&wKMeU*g?<>X6E1sOI?~E4U&A;( z^L+T)U#a$n%D$Gm2A`@bG0W$W6v#s-w&kWuJ_n6_PDWyJ6RU7g+L>Pur&C3znR8W9 zDR6LNKiDKr^&|Vz+QWAjmjt@wk*PU!9QXi{X|vD|kV6%rc&jiHk~cYv4pk)XU^cf7 z{u<9Zdj>HQ4$r01;<Rr&j+369F$GxS##z5<Z#ifoU?E^3U?E^3U?E^3U?E^3U?E^3 zU?E^3U?EU70%T?AB3shd^l;-38}Drlct7nGJomXj;y&PZL;HVQ{hRB1Tz_)C(6z<+ zZRf1hTlcZL=Gsry-cu{oys4(!@oGoAJ<mPOU5rO8^CxZ1jA3O&m839hQo}v|P_VQ# zg5w|{W`&m5tR*zX8!4EH!e8}(H)a`_Tv3+K?3|59l>;36Q;Dev`I9N@I>agI%FH2n ztqST5Q0{_8I1xp#j?a8&yHF=0r>Ya-uy2Q$PQ(>Vp;C%WAHqJZS>T4lV&*Q$a#Y!V zNgUi+m4wYu94uX!8HIdnxVV11O)uZthf_fDA!A1)Q6l<I5MA-<IYE>>87gn($@p*S z$vPdbm^o+!MKvl_Lny?|o%(XBi$*alXFPL9S#eeRw1Mi>gN6n5XKsf`Y@PCHry&vx z1Oh8niIH0rnV6WlO%G0W86^yTmYOoRqCQs6uChZU$I>D$>7G(k#c{P&on*^AQCI)^ zGq=z%wgz><T1%)g1Gq(n@qix2Dx-0XH2-2|zrLI*vzi!{)1TSLVAHm8Y}!iLj2QV` 
zjj-9Uiiw$FqjGeD>=g*84a@1v4AC0RkS;7>iE7gx>QHOV%|;&U9#^f$(p8zk@*v3) z5h7$#x0H4yqO;S`DwxPX;7wm<F9mQ%c%^j@cPIdlW%dAIRWW{kF|ef-33I9%V>%Jo z(&}Ffp+tB~e`Yt^T6Ci0C8|WAwXK-yLd*;p)ro2%77S~#)Rnmjb>ddT4c=iWasnVu zN5!cG)XAkSbS3Jz7vadWrdE(ZKoT-HVl=6IAlm*|GCd2O+h8P(n5p>0Y0#&ukHo>= z#YgJK6DgGGhf@<pMEB|`*T`fnIYv$#N0=Q6JWNHCv6(dFVsS{BNV7W)UMgjf!^hKe z%Bj=EGDgc~=-eL9>?*gBMcRT^!jj}_d!fEeAJwe8f-7w#xI<~y<C&cXE>{<6V%$i= znO-y!RV<~S3xyYZP9j@HFB*?dCNb+Qau^oCGa_8a6fWEr$?PZtw5Hha0iNmtw1VjO z!hYx+$72)d^hh<oz_#Dk^bbupH@?#QGjEUQyPlW2f8&0>d%Noy*Ky}j=Q(w6tGltz zR(om9$7+r_9=1PWzuE5Oytt|24~?h?h^upE1H_43BbiouqW+e>q>qY4MW2b1aRPWi zI-1#Djwzg5UYd=by?b^-NW)f>RSQoEsvmC_q8&{2l=KceM5NZ3Bb|@7k0>4Fj7CBJ zI69t4jt<Wr8cR$=mV}U%BVqz6S(LWem+7Wjb!f#AE4V`)tZyh++Qq@Ty3AAo{a`KK zmAT$y+ag_RJo5GUgMs3@jOg1FnHF0jV`E9O*g<mR6;Bq$KPQ!1cLmPyolT}<M@3&E z>FbFUhZ^NVz_W$@uxG0M2LsZ9%yr})i-AOvz8M8um;H{B+4N*086%t!?>U^9O-4oY zUahq+b1hZh0xQlbhC7t{7Rg*wu5XK-WObuRkm)4xA-0wKg>B317Y6o>`1M)oR;ypA zbcA&=YY51b()@9Rb@a$#NX}qT8~)YQhX}1WKP2u@KSY<|hp1*A#D0iKrqi$tUHs(= zSdP97a&Emk+t5^~YG$Bp8PWrp_QeX7tzTw^A_GmU4$jr8P^~K;Xb|tN3^Yny<ZwC} zi>685uQ=5G$@F4Ws9Iav3{kFTJ%L48K9mUq<vW!j;(6yU59MOCX<(c0!0<?)zxcPH z`nO{86CI^qwJ*@&*PY*78q+m7*2u6vB#uuN^J(=Y6G*@{j0_W_#gr(emcGq5nNH87 zu5M{D#a}vO3kkLq$3{(bwo-o?pz;^)*t^?*D3UsrtNob}dQi<eZfj6iLzY}N2o_UK zMlwOeR-v0>Rnfm;Pa$y1Jp~d2MW(Tf5^x;G9>ey6k|?RFwOsYdi#-83<{eMgO=kNt zt<<0t2<STBr4S922Bj85K&x4ZVY?aWl1wuuJ8D3zo}~pkeY+EfNdBsx#F#lTPMF;U zI<bD}ho5RZi{8(0$hR-0hGQvxH)a>+?XiV0hunI~IVARp#du1g>@yMIOY$Be*PV}~ z_BM;Ohl9PDt5A2#8Gct@b&EB3EQ6@^5)IMJqjY`C3c3P=c@!BN&$T^dYZ_|&N6h{M zo~-+6cT+>O{&lWDxcZ#Wt9z<$bL~XU2Wz~J+w6~Vf8cs>@oN2~U>+HQOUnk#3OAw^ zI<bU_VJ<N}JsXcjmFaH^l|Y%snNw4VQ;23-1FwyvnQ%deuX{?#&XpERd+uZ{lMK<O zR8!&-0v?gnxI(}qE@;>ItR_Y<)!}xjIgh-^Thz5;ebs1FLU)0y7$-a7h|NT{K$33L zEQs5rmOKxS`-%$`dXK|;k5zJKmdjy;o+F`hNt&Z~IYhY(W^Z0}8|r9Cx;&4R%v(At zAzTdS*47ELkPS+mdE|56a-ircGxp+L0-?nQr>xJA6)7^F?G~exk$5aMZCdvh2uT;` zJ@EaiioRnYj*N>SIVQ0if?rVDmPhvIEyc+myH-Z72rME@h!{155P3@?YF1_f#W}c- 
zeA1_IA4`43fWaXQfLNC-avk!QcnT^xCFiAC)msVAM1txH;hE$G&!X^5;ttXmx!`Ze zuugaH^9RD<6^NHl#C_efV=;5G7b$*7*X5DNdP}sTr%14Yy(-M738}zZ02Ri&BbJIz zB~nN=X-eH7ZxBLcI&x!Ih)nMuA=zTok;J!C6vqx>b<!MX;fmCoM~diDz%(-g!q+0r zh(yyV-?3PFvOGubOD1M#iV3}uXCV=d71^m-FVcpwu?8<<JT~G*!e!7&AA<bjX1N+h zo&{u@F3n5zn1_5ri7BzT472F9S>A@E_B=9GZ`oIDk9u!|z5x*XB++9oR%<dV?M9M! zktD}A%X5-U2AQoZ^wFpiXHy?d+(C{LB*!jo+p|bxzn1Fhc1|UZA^R~pz^J0aFb8IM zC0&_ATI~wT>uzjJwqX-;TtsESj<?!%o8@e<ZMCNI)^jZcECehBECehBECehBECehB zECehBECehBECkLT1jsVh#kS|$nr>=*abt`3vtG%2f#;o`n8)t^NB7MQKW})X;rjY- zAP2zXF0V6M_XeB>kf}Yt=7i(Rj!6e+f3JOyy@q=&x8L>~Jf!MhB!d+ACDFs8_OiN2 zFIKJ-$sm2bK^do0L)w?QoE9*x_~@H}diG5ugRJld-kweYQ(xv%%G+?44vQt^R=7h^ zb&h9{YQ5y`ViZz!XS*1N^z>ymQ!a<vLb^4yV>n(bmc}7liR45JqyUkYF>xF_)+A~o z)q*<|m&Y<lUtV%qqqC_7U;~}acm|orOT}oA(ILGOIge4yFVa<zl;LWgT4tviI<U5Y zZx@amC9Bcul6pC~Uk70-8EwYybGmsVakK^39frm<)sl>*j`*h+<K0?PGo7ui{<e@G zdy(lRwozM>km*EHqCX`@aN61Ci(1rwxgHyrWK->01XW)apCwrwu2p=J8Z$^7er-`U zC8<$&C=fd>WIvn;2g!qbbn;+D%j!=jW)OnopDEq2=!rkrisLMkVq`2mDUKzgspeRs zMU1x~I|m|STB2?K(y^@m$kdcS7N40-r_`#9jNk?zOy@z>A8cEOr1Cc2xCS^OCE>q+ zIx!X-k3|kaMp!)KQ28SuLh@dd)B%cfkqk0=mvGW_+1230cG=R^8Ip<ncEdeTcoFO% zik~#r{-^N?$HW;C{|5zY_sk6Rr6%sgDZWXUWk_aj<Gp5bMVD`vh%KW8v`ZpHA7-_} zU>Bsp$jcq5oNlB$oyP90Z+JF29wG61rQFcfOM{C~MtGX?<k8ZTb<$vDpg<b#Q)HkR znM7+xI4;B}Q)EZHde@3i94$Rj?-HLulI>F8HC&7sHt4%_%FQbKt^m5%qD;u26z`tJ zN$Vs4u-JQv8Dz_56Vz14qYTI4NCsK1b*(?xT+Oh?w*J1%T57Bhw(I(qCFlw6P=ih& z)HLu`r!HSXpRV`z9Ln3!ic@aj4wace@mTV9k(pF?_Ll)O8OuPXXi!WwpU|L~zDyH^ zOItwK9+vouxI@JSsy_pVb+uvzU(vwfu?!S@2F2)zW_88%WjquvohwdXgFDpP4FO!q z;l+`-%JV##NXSSADm8;Ls==OZK~gwFv}DGI$n@++>U_{aM6as>(Avxkrk%+`+>!zr zqA4>zAp#e4mK1zYAL6(hLQwkSNAaIT(ws4$_(UkxxwbFZntB>v))@7^%JU<S;2v#w zY5kAt{jU3+A9D(Ix7NO)=65wa951tf*WSk6hl|hJAF|#Nv78#>!bnE&x*fg&%uCX~ zQldU2sxpah5oe^f3=zhubW87To0<@T1g$Ry<R}t9WWa;c-4vn-$J@YYiAv7+@JCz# zWzO^rrfw=h6wT2*5l0Y2L}YNr=Op0*MbWP5ONzjj=9^{#OtLo;Nt|)^Mz~Gnsj-PT z&TLuiOH9K!5JvV!B8fB3=t;Z{DKS~7%}Q><-I19YFmtoO4d58Kj7A8@ERhg@$yq*R 
zGO5fQeFHdak2r3c!$GMvLzHl8D2ai?0YvVJNz8pyX)I%)S_~(~(`1RqG@o%4oJ3@B z#z}Vw$Pl!vPM$4chl*FyR_Ouw-EFAvBv+hGN_My-bxQZcUo`_5Gl&ch_!qP3E{5|G zHR@u@Py|Yu({m8lfc1Uw-MHf*t4p1}y+~YET)<h>TANa*6>m_d?}fj{%oN$ykP5gM zqoL+pQ?h{##1I?PGZ&pQr!f+@fb%_-aqcF$a>`lakTpOQ%}cpVypeWFbMQB1yxxZ^ zT75mUsdQpGb`SbGE!c^1Uk?JOu;@2s_Rt96gRN4tbR2JD9JWZVKu{7n%T*Z|;XKJY zL{jsZ(<X^S(x7yVBps@)1b(2Sgg8<P8g?q(So4PlKAJ|@NiiZ@Oo6SK({7Oiu><Y) zD87R6ScI1jw3lCrY$6=RQJ-Ur@_p0%ZkM)8v+(;!#ZS>z@>}U?u;xe-dT;fWJjNeM zXK&u2y9C>|Rw><J+fq!_wQf)U@QAOtUF193HaKv#60582ZZ_{}>6W%gDZIGKfAxbJ zmH;qsPAW$rm(nhlUb>X!<c#F$!YI}ybxBD$tL{$doyEMrw`bo_|H!Sr?matvgG2rM zyL<5Gp`Km+BfUK%`-Xal&2nCu|110duWTA@{AuHB8?W}h%sb%uf#)AQA@}FqS@))f zuQVKPsHwlv^&01|oew#?>wL9GYV9>o)ZAR-ME?IF`-|-@+&p*P>Dd3rKy^2uG$vob zy2FQTdp*5_Bfh;meR~Ichq_1l_wF$by^elq28(x8?ibx!@)E0>NIqRm_#j;*CCb|f zvlX`ybQ{xEZX*Q!Q^*jTMB<O~e!_SXIrEMsl1Ebhso0@pBpDNn`w9^$Zn*xZTgzR+ zqNr~DZ<{oYN>E`#6g^67sn^2*RB0*Dlm<n*yVibbimnrZR^3wiQgs5iC`-EI(vdRU z8r49EeZ3XHZMcuqCmp6%q1*I%#+L9IcNACWrC8Zz&8~&6U97}qeg4NjX_9g{+@VX1 zwuHmDL&bQa?63yosvI^{W(1^hY+Z`Q(R{Z)v+(}esW=)U+2Th+Ph}4qQH15Bzo%g@ zvs}bzxd?5}P-VMxba+w}(+WD7O_Es7RM)q>9BN8RRDG>qwY+10L#Dd0e+W5e#bcv; zr^ZH$XYeYSRQJV`rQp1=(Va-zlq#l8MW!K4D~^hznw231pnhqLZtktEx*mFoni#+> z%CjO8PMR^;UC}*o1#L&yyIv_BLhow4M2-$DjAc4(CX=^C@ViPW+3x0ya4X`Bbh$(h zhEZ3VnUybG5X6*wMntrA>BI@MJPjf+Sh@?Ys;l`1t_FSk;;Gpgk_(Zn&=pq-OkTew z5C)?X4w)%cyY<C9)6fc3m1jE8g*?*%|MuC`Kw=^mMW*R-i5wKOq1gK^_On%%V${#} zNq161Lr2$&4<6_$?x;p3%~>!SV5(`4dSLn_auCcK1(+i^2qx6N(xD7@DE&uNBFDg} z5NrIcYADlv$f$%fU<^vBW)Ij16>_eN78M=pOLVKD_F}I(E|F7R^c7F{ycP7S6-d;6 z%H@u>l@dSPp?pZmC+#cG1yU8~0=kM_<y@f4ADf<;QglS+$-q=%Vgma$P#~7ljHs23 z90;SYY`V(35?FPWtxp=JFzpQMrW#9B1KgqdJ7nmu?s--Edo$&4s7sd_ehGhZhw3j* zdojSblO5u!^7pLW%C{V|5U>!i5U>!i5U>!i5U>!i5U>!i5U>!i5U>z9Z3vK6$8&8H zwx)r`*Lr{H4SAmH{*3#)hC}sla{bg5a^6$-xw^XA8*5(c_?@HOp5gwLy8suj{3o^K zh^kW6K{1QtBq^dQ5#Ft26xW<&&MtPGk(~#{At{_A!b)S&5V<1g8=O6a_|mC4Ri_^# zJ9i{h8QK)n{D!D9S6Ng^{0>m+=HW@~?wh2>R=kl~b3{~WEN&)Ov=VW%58}Aq<H|7# 
zQ|jJ{IT|^|BkAfK5meq@+|1Bd=Rj8}bVH3?SE4r5Q(%gRU7F^7pi8<UN92`iZeRoN zJADTbO^UtGl=>QG)n*)8b6JiEC_@#I?to@;I)S4#Oguakbpj&8&fGD0YMkPqT+v=Z zEty7a&!Ji5BQOnR2n};YAURz`nUSzzj}Q{J(uo9G^>}X_8v~-KWFCj2JRXf<^T3?f zAWkClE|E)C*xK%adTe`QHa-?X?tJWP6M?E(Q5{f|Bl;_shPUc|F^hRW!W=bH1N<48 zDTq9HF%Zm@+A<8kq)?8CGmT@a@Mc{^IU7$+$BOy$6@?Z_$3QmeO^UW7UP;?>M5b9m zR)%1M5bgJ1Qk;ntV-J9STAUyUa+m`;aSqjmNF&wQ1E$l)`(eo0pCE@Q?}eC8aX1+l z(@I4rM_ZWXI7XXbZU&B5Oh|)Rwjz%z4VmS(X;N1LFvC)F4r<I2VP#uqH~NyZDdGyf zUk7l8HnYOvS-1eh&si34MV!LKfQUVfCkD6x)p}7PgQGZ*#RnZp)U=jJ9Kt|91(%Hn zdg3yUDT_=aZi#f)NS+iSiQdVuxdT~VOdNBFXOce$MQKT3&GsU=0;f``@iV}9F~N&D zy$5jzT=g&<Hs-1XY|?8Z76@YH^d!iLN#`plo?s>e?Q4aZ47mcac+h`gzKAg6m?Ew- zyFvsB<Ga8XwKct`X<y@`-rsuv&U?LQi~A!DpKlNwHq^h<^;cJq^V`lB*L?<=|6W-0 zoti5hN9^z6e$8Epo0j*JdZfL8C1FS|aY78v$0JAVptVGC4hjA<Hd_o7CT(U&Bziet zA5tR~$6`~eBJmQhvFB8;fg|(i*C6uJt&2^l7>ZMT9n<F9`_SQbOS|zJYD^I`u;D$) z=@dAxIgTlJI-$N2Bz!~xR8oWbc1B`Ti0v|GcqTqd0cij)VVr6M7eK_Sd<!^^V5kHM zZt(R)kdnZxfrI!YZIf<-)5Zi87hr;@oQLd3zCxV&c8?Mih!Cg6S0UfPtm+?Vms+J8 z;eLg68n};GMr{KyzscfIxE84&J{z+O0yz$a)A~Gw5gPo$q*#B&A%sBfg3HDsP~?iU zDE^$dBh^ZMh-&C6_U;$yqZ+yo&7v>qiID%BB&pey-~wGeCjXQoVFyTLK%$Mx!2;3p zKeZ?i8zm3Zr(x@rb}mLLWY#Y)QepeP;Q{|8m$2TH3qN-37>Niai7)-f#6x9OB*`C% z_UNCOMX+eg(Qu$8>^~qL8r9?+ET3~dQoOhYvQa3a6`C@t=%PnU|1#9uy<>N;BK+%< zdMOEEN5@Jfgt$YM5biLP5b9*9RY?e?HmL_Sw!+M`pTukR@7cL`Xtxrqhd&SQ8}aS$ z9_ZgujNSu5#+uC78I9Y-ItC6c3`yJJc*TVbMA!E2>F*x!@7?Ji?j73S-_wie&AlXM zlSCbw;x`hwic&Ye>iNY6R}#{Po2$~X8tdq9pz2|;L#OawLduFelzJ#i*Bg1Pd)!K@ zp^?W@T)M8@1;m!u1$2+>y3KzEgO%F+WEzX(8jAz`Vh_+7_N$$N5^>ZI28Qg8;^+=6 z#YfYldk>L5Xms)Duwp#sgmi5g*^89W4P;xct}Y<uTi9P*P4}zY7YN_ToFiSch;25o zJZy`BU?H}ttXB8h`ZolEg%s44P_I$4!Gt(3kl)c==#)tQ&?Tb3`lM}C8)*yc<k?HK z5!|7)kqPN){g(_iR~4jS{3Rv7)P-)Z$8bJ|3^$;mRDQi-F-=A~bJ#xd2M%|h%Hg1I zd-rhfK>waz5+1&@zi*!!7j8xm4TpmVr4D>cH8jFo45$hrpsJd2HyA)bRmk5x*pJ58 zC$&@6F4(qGihw(mYDX%;1-4mRQ(NQFMvwQXcdKW>{X_RF-Oh$rH4NAPq+W8p!})#Z zW&f|eYmaT~I`5($)`PE`c1fD%QO1^?$Tnq>6e)SGlh71RGqE0_C_9dwFf?^dF_c7^ 
zlx(YcxHmUUx1rbytnJY3k8UW20bM%`!GHqAfVO`GMSvkgfet7-6bOQD84v^mvH{s2 zL$}|#58lVQw8T&}ljYN2$uaLe-}#;Ip2v5-^ZV^94*YHZhyC+?U+?{w-k|HXp5Nf1 zkNYP|QN!2u8LZ7w%W*z9C{4m~LaL|Rqg@E|hScB@uH!A_H&^V#)NRQ%V4?evbU=#0 z&|ot|p&6M)bSp3iR^#q`hcGi7l@3c`n0ca^nUn0CaJ>c%;*6-X+H?!lNyIv(5Uka9 zQhe`6rULU@o59Kz@ZclT#Hjz)#nrCC8<~<Gl_p@Yc0t_1;HZ%TF^j{rLaDM<!(hEE z2GYs_+ZB!Myjz$@qSBY7V`##`W*!n|Ogn|jcGpl2$3U1i4ilS%?;+r-g<%3Sl{F<w zTLIGBU6+={2RIqSRx1eGn{2gkObBAE3XU7{s|q0ybL-hsZCP1Cb}Om@!y^-jeI142 z&ap4{3-|?&O4LLMMo*_O8DZ6-9Gqw&yso)*Oq!C8z<f>gng22;5yM_pl9P~#g7d1i zt#w^@K$%&(=I)bI(pl*+OuyOei;NmPj6qSAPsZhR<LI0D(84F?69AdiS!wK6?U{s{ zg064!$#2i(aZzG&MBHvZVt4j-_r^u(A)_9Br`YE0d*}T{N;+g&oW>&DHRT=lM0i5m z6CHH2xf6RLzXau?TgXbxR0?G?-(CBmO!bXMj8J)_iFqX@StX9b)7<u92N>~$7Jgw8 zN1Thb1*79~`;r8aqj`1me<iuQ5J7roE*qTSf>#|25k!LOT4{6JOnak;VJAXrI3QD5 zMdZbhi&Ah*Ndb#vho?AVg`Ik2O5^(aoMe(aI^XnuKX;d2f#u`N9Zl&&d@x^NRDlhh zB<*v1!0;1eh~V6=m7&Oah`@3Hnnxk+NLXvX>65Cd2Vsj~k;GQw>K4N1fzvn^6P46G z(3L5NG<$HKVAO-ino>_rt0#y2FRdQ_s39fY2lHQ0=hOm!=Aj4gu&80dyMP+JLsPDZ zRgtBG7%$(0M(DLQ3l-j~DXa<i^+-M7{`<M_g7<yzPrVt>RnMIJ9rw3KhK64sUKo0J zXmjZB;QtQZv+r;AogBE{|5pD<--X`qx&Ffy#)IwtAtPl4^SN_0D#Q4QGLRb!#A`M9 ztFo$H+JKl_cgS>^J<{<y2*dQ;Z`%PnI0}t4U&!(>ov~#kwt+f|<<l^I3NzQ`Z9Vf~ zwn-CpaFC6qRnO&(kHRxc*Yeo!=nVc1-0cgJ+Y%jt%~2$_fr6|_VjF(YU|nwHC^MJ? 
zU33#>6#RO*sb43UUpLH6h}BJKyLFRgp855OI@rgWY|+?BFXSj1dmKwnf|6Qsxzx4n zUd1>he=}Y)=hzfWzlZr-po~^N$k}|gjLl_NTw1XO3HOZG%$eDj{Q^$Cg%rYTAYuaz z8{34be070$zxqu*QC2&g=~^oy<vJM8^o8Y^66cPLN895K!-63aT*O$9cAG>d5%ezC z8BLkCj5TU&YZ=?THtBL5d}aD#_Q~BXW*5Qa8=T<wZXH|9#&o0{*Rtx-mT`!sV2YEj z8%k!8vgCWX4z9GZ`<3ayYvpEU5#Pwekulx9QuRxg)o-Nb{Ro~=DlOM9@*UY`_`i8a zmg|fZ&E_`kDb$6U*OsbZu%Z;<wl+KL5h4+luc};s%E|5yxw|}42TR(#8Z565wBqjJ z6M^%K*;Fub7CX5RXJ40`Kdfxzbmvc0DrIC9<sdVuUA9s@@kBshfpyACa3CgDOW3dE z7Lg~^IP8Z9>4*KNs+H@=dCF-)PQ|WN-O3~vZ8?O3C$w)3L~^|Mb3;^%d%7k=bfBIc z={ca1_8G%TEHY)BV@uD}7maasmxQwFxazzcR^*-cHce~d*5m3_qwlnNDwi#-iIpvt zF}GZ2Jae}3ru~EbCWt>=2jASS2Jld0058`Wp&VxzH$Lr+E0pU<`sQovnB&bgalA(J zUin-diO<@EzS{&A)$zD6Pp3wU9UL##a6G6}u>?Z+T+X6pr+o7VHnrSD{0a$+Ra^)Q z)-d|uztv?GPAb+)>&hyC&HVTFJksMoirxQ@ygtuGcYWj^mE8aGuxn^#=z+mU_Wf|+ zzX$$!V5Wbm@BO~N?0XD*|94$CT;n~DNUIWrne|1I*vhQIC4Y4Z)2IbgB_4#KdQ-H= zgVb?Z`l5Aqk8;!9PP2PdB_%CN_ZXjt9%~C5!=yehwfHeQByLG3r7s{@byeN+U*LmP zi;9OpP!8wF9Sydr6{!<pE77)lq`T38S+xOCz5z(P#bz3NB?Q)tO*P9JZY$TAW%FvU zZ62k6R$@ZSe5w!U7cF$8E!F2vi_1+#xL5Dsa(F^<-lFt-yvs$}-mN*gTv__OF)S2z zH!P@mm|WvJHY_yF!!(v=Y?M8<y^+VLiA+Fi+U6qC(%16Zs9=?Rj<w7Hk0-P)Vv^6= z6s?a6ZOV3Iuj152AxXeTrRAD9h!I#?8_*W3dI*KZBuwFYeT%3MT7YI($^1@vuncAv zr9l;Z+}$hrVYHUfGsceuYSt>tf!M58pa9nP7@)o|r@fFj=#u0!9DSE3Udc@6%<Vk! 
znzqbv$!Zl|t*5sh(+<4!eUkdGETu^EY_DbT2~Ts=_6~y&o>1N--6?s%XsvDyq>F0T zA<Y9Su~1ded#siSafyt|0PyjTyl~|LiCxR9Vo+o)uLZ>$1#yG9m!3iGcKYPFcD68n zv+#h^CwEjDLCmkI+F^K7xmXuKp5GJemFw$F#;Z%`94z)TnUaRBoj=75&O3Gflsc>} zOAyA^CrOhg4EMfPK;|`JkR3G$fSnmN7P4S5VOPn)v{Hqr$|f}GkY2>rAvmLB2TL_> z7^_ta<LgLE8ZTC^9fPy74E)-$D$b)!k;!AV4OP#qahQ6Hap&Y~Y`vX_6yAXcj}_Db z=~1l2SzPmEbUbuueQWKqSUt(?k}}dhrn%=<mpJxgnJlizDk>K^BS5SjR1~;9Al4Wq z(gI#sS%>B;4s5g(Kt(^sL><ztR!!mZ9aD+cE)4RG!a<p;fuZOgvb(=EB)H;se|OII z&=E1|pv2^&BhC83I3DY+p;74pi3vn&d6qo3xW><}@OFuZ3{Xx=^HQ%#N0K)&vK!|$ zX96y4RW~Zw!gkA{Bap^)u_g^Ra}Ra{R=L`Pqh4H|*0LCP)6Q<SDctVyJv~nd5CVh% zAwUQa0)zk|KnM^5ga9Ex2oM5<03kpK5CVh%AwUQa0)zk|KnM^5ga9Ex2oM5<03kpK z5CVh%AwUQa0)zk|KnM^5ga9Ex2oM6DM}S>r7=xIf|Ihq$zJK-o#COj7f%jGKbDobp z|Lj@y9B}{GebqfQ^4*cx@CU<h4L>)0_t1w!e>fx#{?Fi_4j$h3vwb%PzA>;m(AWQZ z|3u$=eJ}Uj+53augzMLM<^Quk2y^w|%8j!y7jC?Kl7zXKImMgydySx2YEKyk5)@%Y zy@v5`s&sYW<to1HR1v3x(#qYwCKbKpR8d>>q)jS%(W#=gs7snu^nz1G99?qz(51d& zy~-Km8ne??&R9gb$Gfr(i#56f^@6(MRot!J_DwF{aKfgoE2B+1;kr{r9NAF&E!uw# z95r_<m&eTHNKptjHJT-fkg(SYRnG64IbrU0vd-advo6G}-qUZeCtDfk&WrgnSZWI8 z9CS8vvtj`ku}ifz^=A2|#UUdT9Ns%PB%V-SRD>42l`#Qmc4U}?dc3`&sg6_xop*ah z(`{)7frQL);D#<cUr~cFNoRA|1IMp8I(`iEQDYn`LcH8=Oq;A(&aFPM24hr;4f|JU zkPoC*ZSKj<GCR7b%5_*Q^UX4S?t6&w^Ntv^!KKlosgk8tu}}kj-Hshvg(uXH4wTLI z&YB+QXtLV(oFb@}?G;TKPNSQ>2Ni)9nXjlZEbm=KDbdmg(QvDMfG5;G0KG78G3Tf4 zLz604EDlGxe%`@r@PukH2zq&o+hW>q{=@@$d<#4aVcc+>qKUXxU&cV8&3+BLeem|@ zntqmz6><?ovvyp<9r>D`;VX(6YmdEi^5P|@iaG%A=taP*E=R3{dC0t|Dw-Hz_1=yd z&aijwPT9y`!`!-fhfgIER%Q8$Chk|=;^|KG6kClR>Up)tf6DiFzCZFk=sn>1vFDqf zBkq$UzZ@x#>>qx0=)Z>E9ukM{8+>E1wC~k{Uk*G!;OhTP|7QP@zVGx+^uE{ov)(`N z4fpz7f91N=^PfH6$IDv$8$I8&6HP0Cl$8=SVocV0|LufrNW<2|h^k{d)rrq71v1pn ztHV$^aXuNIZgq`|C)9xxjH&hkVtTv-1Lyus)6uH2DJ?$98xtPqn%4f%Il9o)EwHN5 zhw9P!roVy`uKueO=s`_g5ec_Chv5meE5ISjcLg_xx8Hine->0{nk>c<p6V=<T+EtP zG1})kV{gnEIvX6>S?UQ3hLfR&OYHIk#1krpkJ~Yv9B*^-b!Ob!pKj{TjUFqWu^ST} zpYDV^ucS~BA315bs1D*DxK8jiTqm!x)TDXWNmNCJD=NPVim|OLR~Qf0o(j?!6@b-R 
zt>9J~G}7gy5%bt3(>~ZD5%b_iosO|ZHjjB2Y|xA@Qi*vifHCqq_^fiOaGv7ysTs@H z6Ag2#p&h0#JfXa3CE@5t-0Rx+qtq#j$&pCQtC@&4<C+BP^%?iLF*xs?=Z`|MzR7aX zOhN929Q`d=B%ctsK@hi|FDkTfd%z-z7n%hcl%d+B^d{Z=2<(|xzt<_J?{#})vr??) zH&#FZr}4z^fmw;F>AgDtJU{H8w0c39`{;IX+(=kk#XvvaK6M`N#45aag0HAeRTAfY zrc{PzyB@6FJ<Tl!uEyR^_x&ymTvlFCW#H1;lXFip$u&m78egwn7pv;D4b^yi|CttI zdP~|LcSffjzhV|H3>*GZWE$%hs@yQNXE^6<-yG?MSfiKazE(o=+ybc!y?orl{%W0` znB;X)%wgKfh&9nlB@cp0wbxBj?fTdq?Zj?rbkeccL6yn+U0=vc{>Uwt#iyYXSlNW= zt~vwn!6>P|F{i(g8y}?;&_utLl;KLH!uX>V5vL{Pzx2;6pnqmi@ot-{IHA>(1KVv* zsmEX~Z`8wC-{MxCeohDw0)zk|KnM^5ga9Ex2oM5<03kpK5CWe<1X$4d3qAkV<G<kh zYu{tukGy9*SKV*A?-&t>e>ChHN)Ns}IJfV;eWL>x`oD$z{&4SGy&>1X<AG1rpL8>1 zgz((0gz&gyl`e$vLY5Goaky5?Wvlu1+D4_iDK6(K5SKyhCzo6=u(&=-Sa@$;Tvd;s zCM;3>*kr3`Ie0>Ok#y%V=s4Y>9#%ZlRL6-sUsrJZ_%cqhU}<e*RXLCeE|(D0&94R_ zScrQFo7-xfa@;8#%yr)$goDFDTm#Y62yL<^iFojMAiWNSA!zdG@-|RnS%+{CQ=HPH zn0l<da61%+m{HP^qcB>Np5l#;z-XLas<LZ=<PDaoUF?nw53G$y@guOdtooSET1Zn( z2eO&?+~RC{aWOqV7f8&{olegr=d$Ve*>v_oAU-z}NY7=HsSN(FD~K~2r89@ohU;n@ zu5!}qp;$oqc-KmbBrDT$YD9$*z{Pod=~}+99WVr|yVa6VOnPh#O({8cN1A!OF21Qt zP^njglz_MOra)KPz)Tb$Hb#g0<BR7O&#|+lwvuHhg6BfPIP|?B7F*cds*1P@CEf9m zF*q(Y9UL3UC;B+h=HM8C(pUi&1ef!h`O8dsEMF)<>sJ{V#Y0X_Zyc!TCbTjzIyU{( zK{&~pqmwW>IXKBizN*|8QJh_s{$j4aRD&R!Ma8%)Zo-U|4vnG_QO8Ea6Tw*EY%-3t ztA$MZT>5M>mF$Y4%n<3w0T}8$p5x!6fyLxPJQL5d@p1liU}h<sPA+!K+Nd<PAJ(2| z25Te`Pb6SoAUSt>K9fk!Vl3~Ltr02oAZ$&mw%W#RAPbR3o5<*lSST@3zwS)#ib>K~ z;8yrTmMoE&Uz*DXX5(}5R9Ep0OW7|m4K;5wfJ2jkg=A(noy{g^U^nyN#lZP=_RRcJ zHlR-Pr_%||vonGCQuYj+`qh$dc}-|iI{E;*!1;18`UsbU=g+1S>f&S}GoMJ#EFs^r zYxbt@w`>O@6Wn@zr=*?<H6K>I&uMnyCb+g|mt)YGZz3fbUkXMP0a@$@*whl=S}tuu z*i%uI><+@PNE-bjEDkx3c}tiNlh>HNXDh`bk^{PBCh7lus^S=AEFnM$5CVh%AwUQa z0)zk|KnM^5ga9Ex2oM5<03kpK5CVh%AwUQa0)zk|KnM^5ga9Ex2oM5<03kpK5CVh% zAwUQa0)zk|KnM^5gurJN0d_y(@saQM_&@Of+W&L^-}}Gk|Azmjf8Br4f5sp6kNWTM z{m%Ek?^nJzeQ)^w!uKb>7kwq)IbYHj_3iihy}$Fm@BNkcP464t?|Q%P-S%GbE_xsH z2EF%sN1!11ThA{%Kk@v)^BvD?o|@;fC*yh4bJTN>XUP4L`?v02xPR*Yq5F0BAGo*N 
zm)-O3FT2Owcf0#XJ{);x<n57vfKl{E2oM5<03kpK5CVh%A@CVSz%M`Fe}AtFY&x6y z(t6GHwXk0<SxR0*$%>_<j*_CK<ds#we8pO_CCDO5dK+(krRN>Lylnl^-GW@O{>b&J zAYZl?_570{=WRuA3-WWeqIU&3XDgEY^0O#1TKCFbg8Yo_M_(1>OV%Qn?2|9{-`nfT zh^u)}KDlo83i8vI->kau*achBO`rUf`LUPo^2z7T1uvrdbC!q7u9pRQ$yW4|AZKkw zFM8!gylGgs=mnpgF~9l7H9>yT^33zD7X*31R`eA?p0^ck3-X+;=!RdO#mjs3%C5Pt z3-VdZk4i37_=K$pUH-VOXwxUB&33MB`Q<a_cW?BdD^r%I)?GD0K5Z+i3Ubm`bXAaN zY(*P_oUj#D1o@PuXvMWA$Z<=N=vo!z$81GqL4MR$^t>QHVk;^M@=06KickKsxy>TH z=Y;JyMM3_3ThSG-e7yf&m+o}e@9@df=GPS9JX4lu&bXEZIc6&=2y)a`blE3Qn%{Kh zF25WxcfuuCUXa6<r&6xx1UY0Y$_es>t>{@nK4vR=Mv%vCMVACQXe+wtlaHE>dKz7D z#PXY2*VBT0*j98wkjHFAPx<7B&2L&<^T`jH3(jMhIb?Y#={oO|51N0I3<&b5<u^~b z&I$4XThWpr@3$3Y1^Gc+(c))#LZPM;0)zk|KnM^5ga9Ex2oM5<03kpK5CVh%AwUQa z0)zk|KnM^5ga9Ex2oM5<03kpK5CVh%AwUQa0)zk|KnM^5ga9Ex2oM5<03kpK5CVh% iAwUQa0)zk|KnM^5ga9Ex2oM5<03kpK5CWeV1pW^_H_=G| From ec42ec59219ef429e3fcf4c86ad7551156229583 Mon Sep 17 00:00:00 2001 From: Spyros <northdpole@users.noreply.github.com> Date: Sun, 6 Mar 2022 21:55:05 +0000 Subject: [PATCH 09/26] rename zap alert to rule (#172) --- .../external_project_parsers/zap_alerts_parser.py | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/application/utils/external_project_parsers/zap_alerts_parser.py b/application/utils/external_project_parsers/zap_alerts_parser.py index 58d969cf6..8fbe02155 100644 --- a/application/utils/external_project_parsers/zap_alerts_parser.py +++ b/application/utils/external_project_parsers/zap_alerts_parser.py @@ -1,12 +1,13 @@ # script to parse zaproxy website md files describing alerts find the CWE ids # and add the alerts to CRE +import logging +import os +import re from typing import List + from application.database import db -from application.utils import git from application.defs import cre_defs as defs -import os -import re -import logging +from application.utils import git logging.basicConfig() logger = logging.getLogger(__name__) 
@@ -18,7 +19,7 @@ def zap_alert( ) -> defs.Tool: return defs.Tool( tooltype=defs.ToolTypes.Offensive, - name=f"ZAP Alert: {name}", + name=f"ZAP Rule: {name}", id=id, description=description, tags=tags, From 55f6ad72075b69221101948316465f0bea4cc33d Mon Sep 17 00:00:00 2001 From: Spyros <northdpole@users.noreply.github.com> Date: Sun, 6 Mar 2022 22:11:13 +0000 Subject: [PATCH 10/26] fix cheatsheets links (#173) * fix cheatsheets links * linting --- application/database/db.py | 6 +++--- .../utils/external_project_parsers/cheatsheets_parser.py | 4 +++- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/application/database/db.py b/application/database/db.py index ac9acf09f..e0272df62 100644 --- a/application/database/db.py +++ b/application/database/db.py @@ -208,13 +208,13 @@ def __introduces_cycle(self, node_from: str, node_to: str) -> Any: return False @classmethod - def object_select(cls, node: Node) -> List[Node]: + def object_select(cls, node: Node, skip_attributes: List = []) -> List[Node]: if not node: return [] qu = Node.query.filter() for vk, v in vars(node).items(): - if hasattr(Node, vk): + if vk not in skip_attributes and hasattr(Node, vk): if v: attr = getattr(Node, vk) qu = qu.filter(attr == v) @@ -727,7 +727,7 @@ def add_node(self, node: cre_defs.Node) -> Optional[Node]: logger.warning(f"{node} has no registered type, cannot add, skipping") return None - entries = self.object_select(dbnode) + entries = self.object_select(dbnode, skip_attributes=["link"]) if entries: entry = entries[0] diff --git a/application/utils/external_project_parsers/cheatsheets_parser.py b/application/utils/external_project_parsers/cheatsheets_parser.py index f7c24c220..f105fd898 100644 --- a/application/utils/external_project_parsers/cheatsheets_parser.py +++ b/application/utils/external_project_parsers/cheatsheets_parser.py 
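Review bot: The new `skip_attributes: List = []` parameter on `object_select` in application/database/db.py uses a mutable default, so one list object is shared by every call that omits the argument. The visible lines only read it, which makes the problem latent, but the first later edit that appends to it would leak skipped attributes between unrelated queries. I would declare it as `skip_attributes: Optional[List[str]] = None` and normalise it once with `skip = set(skip_attributes or ())` before the loop, then test `vk not in skip`. A short docstring should also state that attributes with falsy values are never used as filters (`if v:`), since that rule and the skip list together decide what counts as a match. The rest of `object_select` lies outside the hunk.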
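Review bot: In `add_node`, `self.object_select(dbnode, skip_attributes=["link"])` now treats an incoming node as the same record as an existing row even when their hyperlinks differ, and the code then takes `entries[0]`. What happens to the stored link after that is outside the hunk: if the existing row is returned unchanged, a corrected link from an importer is silently dropped, and if it is overwritten, any importer run can replace the link on an existing node. A comment such as `# link is excluded from the identity match; the stored link is <kept|replaced> on purpose` would state which of the two is intended. A `logger.warning` when `entry.link != dbnode.link` would make the mismatch visible in import logs, assuming the column is named `link` as the skip list suggests.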
@@ -39,7 +39,9 @@ def parse_cheatsheets(cache: db.Node_collection): name = title.group("title") cre_id = cre.group("cre") cres = cache.get_CREs(external_id=cre_id) - hyperlink = f"{c_repo.replace('.git','')}/{cheasheets_path}{mdfile}" + hyperlink = ( + f"{c_repo.replace('.git','')}/tree/master/{cheasheets_path}{mdfile}" + ) for dbcre in cres: cs = cheatsheet( section=name, From 3eedcfa834e083f89002138a80f910ed68a94e13 Mon Sep 17 00:00:00 2001 From: Spyros <northdpole@users.noreply.github.com> Date: Sat, 12 Mar 2022 23:17:18 +0000 Subject: [PATCH 11/26] expand OPC and WSTG standards names on import (#174) * expand OPC and WSTG standards names on import * lint --- application/tests/spreadsheet_parsers_test.py | 10 +++++++--- application/utils/spreadsheet_parsers.py | 4 ++-- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/application/tests/spreadsheet_parsers_test.py b/application/tests/spreadsheet_parsers_test.py index 6a773cfe5..c36640586 100644 --- a/application/tests/spreadsheet_parsers_test.py +++ b/application/tests/spreadsheet_parsers_test.py @@ -4,11 +4,11 @@ from application.defs import cre_defs as defs from application.utils.spreadsheet_parsers import ( + parse_export_format, parse_hierarchical_export_format, parse_uknown_key_val_standards_spreadsheet, parse_v0_standards, parse_v1_standards, - parse_export_format, ) 
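Review bot: `c_repo.replace('.git','')` in the new `hyperlink` expression removes every occurrence of `.git`, not only a trailing suffix. A clone URL whose host or path contains that substring (constructed example: `https://www.github.com/org/repo.git` becomes `https://wwwhub.com/org/repo`) would therefore produce a stored link that points at a different host. Stripping only the suffix avoids that: `base = c_repo[:-4] if c_repo.endswith(".git") else c_repo`, then `f"{base}/tree/master/{cheasheets_path}{mdfile}"`. The branch name `master` is also hard-coded here, so the links break if the upstream default branch is renamed; a module-level constant or a parameter would make that a one-line change. The rest of `parse_cheatsheets` lies outside the hunk.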
@@ -1216,13 +1216,17 @@ def test_parse_hierarchical_export_format(self) -> None: ) sOPC = defs.Standard( - name="OPC", section="123654", hyperlink="https://example.com/opc" + name="OWASP Proactive Controls", + section="123654", + hyperlink="https://example.com/opc", ) sCWE19876 = defs.Standard( name="CWE", section="19876", hyperlink="https://example.com/cwe19876" ) sWSTG = defs.Standard( - name="WSTG", section="2.1.2.3", hyperlink="https://example.com/wstg" + name="(WSTG) Web Security Testing Guide", + section="2.1.2.3", + hyperlink="https://example.com/wstg", ) sNIST4 = defs.Standard(name="NIST 800-63", section="4444") sNIST3 = defs.Standard(name="NIST 800-63", section="3333") diff --git a/application/utils/spreadsheet_parsers.py b/application/utils/spreadsheet_parsers.py index aea2ce839..cd8003b10 100644 --- a/application/utils/spreadsheet_parsers.py +++ b/application/utils/spreadsheet_parsers.py @@ -605,7 +605,7 @@ def parse_standards( "subsection": "", "hyperlink": "Standard ASVS Hyperlink", }, - "OPC": { + "OWASP Proactive Controls": { "section": "Standard OPC (ASVS source)", "subsection": "", "hyperlink": "Standard OPC (ASVS source)-hyperlink", @@ -621,7 +621,7 @@ def parse_standards( "hyperlink": "Standard NIST 800-53 v5-hyperlink", "separator": "\n", }, - "WSTG": { + "(WSTG) Web Security Testing Guide": { "section": "Standard WSTG", "subsection": "", "hyperlink": "Standard WSTG-Hyperlink", From 09359bd58fd04d752474a8c1f22f48c534d70edc Mon Sep 17 00:00:00 2001 
From: Spyros <northdpole@users.noreply.github.com> Date: Sun, 13 Mar 2022 15:12:57 +0000 Subject: [PATCH 12/26] CRE graph view init (#159) * CRE graph view init * graph works, missing layout * frontend graph alpha * make links open in new tab --- application/frontend/src/const.ts | 2 +- .../CommonRequirementEnumeration.tsx | 8 +- .../frontend/src/pages/Graph/Graph.tsx | 320 +++++++++++++----- application/frontend/src/types.ts | 2 +- package.json | 4 + yarn.lock | 190 +++++++++-- 6 files changed, 404 insertions(+), 122 deletions(-) diff --git a/application/frontend/src/const.ts b/application/frontend/src/const.ts index cd2ae72ba..1661a7e9c 100644 --- a/application/frontend/src/const.ts +++ b/application/frontend/src/const.ts @@ -25,4 +25,4 @@ export const SEARCH = '/search'; export const CRE = '/cre'; export const GRAPH = '/graph'; export const DEEPLINK = '/deeplink' -export const BROWSEROOT = '/root_cres' \ No newline at end of file +export const BROWSEROOT = '/root_cres' diff --git a/application/frontend/src/pages/CommonRequirementEnumeration/CommonRequirementEnumeration.tsx b/application/frontend/src/pages/CommonRequirementEnumeration/CommonRequirementEnumeration.tsx index 1661d7b59..d91ae2b2e 100644 --- a/application/frontend/src/pages/CommonRequirementEnumeration/CommonRequirementEnumeration.tsx +++ b/application/frontend/src/pages/CommonRequirementEnumeration/CommonRequirementEnumeration.tsx @@ -44,8 +44,8 @@ export const CommonRequirementEnumeration = () => { } let currentUrlParams = new URLSearchParams(window.location.search); let display:Document - display = currentUrlParams.get("applyFilters") === "true"? filteredCRE:cre - + display = currentUrlParams.get("applyFilters") === "true"? filteredCRE:cre + const linksByType = useMemo(() => (display ? groupLinksByType(display) : {}), [display]); return ( 
@@ -66,11 +66,11 @@ export const CommonRequirementEnumeration = () => { <div className="cre-page__tags">Tags:{display.tags.map((tag) => ( <b>{tag} </b>))}</div>:""} {currentUrlParams.get("applyFilters")==="true"? - <div className="cre-page__filters"> + <div className="cre-page__filters"> Filtering on: {currentUrlParams.getAll("filters").map((filter)=>( <b key={filter}>{filter.replace("s:","").replace("c:","")}, </b>))} - + <ClearFilterButton/> </div>:""} <div className="cre-page__links-container"> diff --git a/application/frontend/src/pages/Graph/Graph.tsx b/application/frontend/src/pages/Graph/Graph.tsx index ec6f2171f..3afa3125b 100644 --- a/application/frontend/src/pages/Graph/Graph.tsx +++ b/application/frontend/src/pages/Graph/Graph.tsx 
@@ -1,97 +1,245 @@ -import React from 'react'; -import ForceGraph2D from 'react-force-graph-2d'; +import React, { useEffect, useState } from 'react'; +import { LoadingAndErrorIndicator } from '../../components/LoadingAndErrorIndicator'; -// import { Document, PROD_DATA } from '../../data'; +import ReactFlow, { + removeElements, + addEdge, + MiniMap, + Controls, + Background, + FlowElement, + Node, + Edge, + ReactFlowProps, + isNode, + isEdge, + Elements, +} from 'react-flow-renderer'; -interface GraphData { - nodes: GraphNode[]; - links: GraphLink[]; -} +import { Document, LinkedDocument } from '../../types'; +import { useQuery } from 'react-query'; +import { useParams } from 'react-router-dom'; +import { useEnvironment } from '../../hooks'; +import Elk, { ElkNode, ElkEdge, ElkPort, ElkPrimitiveEdge } from "elkjs"; +import { FlowNode } from 'typescript'; -interface GraphNode { - id: string; - group: number; -} -interface GraphLink { - source: string; - target: string; - value: number; +interface ReactFlowNode { } +interface CREGraph { + nodes: Node<ReactFlowNode>[], + edges: Edge<ReactFlowNode>[], + root: (Node<ReactFlowNode> | Edge<ReactFlowNode>)[], } -// const convertToGraphData = (documents: Document[]): GraphData => { -// const graphNodes: GraphNode[] = []; -// const graphLinks: GraphLink[] = []; - -// documents.forEach((document) => { -// const documentId = `${document.name} ${document.section}`; -// graphNodes.push({ -// id: documentId, -// group: 1, -// }); - -// document.links.forEach((linkedDocument) => { -// const linkedDocumentId = linkedDocument.document.name; -// graphNodes.push({ -// id: linkedDocumentId, -// group: 1, -// }); -// graphLinks.push({ -// source: documentId, -// target: linkedDocumentId, -// value: 1, -// }); -// }); -// }); - -// return { -// nodes: graphNodes, -// links: graphLinks, -// }; -// }; +const documentToReactFlowNode = (cDoc: (Document | any)): CREGraph => { + + let result: CREGraph = { nodes: [], edges: [], root: [] } + let 
root: (Node<ReactFlowNode> | Edge<ReactFlowNode>)[] = [] + let node = { + id: cDoc.id, + type: cDoc.doctype, + position: { x: 0, y: 0 }, + data: { label: <a target="_blank" href={cDoc.hyperlink}> {cDoc.id} - {cDoc.name}</a> }, + } + root.push(node) + result.nodes.push(node) + + if (cDoc.links) { + for (let link of cDoc.links) { + const { id, doctype, hyperlink, name, section, subsection } = link.document + const unique_node_id = id || section || name + const node_label = name + " - " + section || id + let node = { + id: unique_node_id, + type: doctype, + position: { x: 0, y: 0 }, + data: { label: <a target="_blank" href={hyperlink}> {node_label}</a> }, // TODO: add section/subsection + } + let edge = { + type: link.ltype, + data: { label: <></> }, + id: cDoc.id + '-' + unique_node_id, + source: cDoc.id, + target: unique_node_id, + label: link.ltype, + animated: true, + } + result.root.push(node) + result.nodes.push(node) + + result.edges.push(edge) + result.root.push(edge) + } + } + return result; +}; + +const onLoad = (reactFlowInstance) => { + reactFlowInstance.fitView(); +}; export const Graph = () => { - // const data = convertToGraphData(PROD_DATA); + + const { id } = useParams(); + const { apiUrl } = useEnvironment(); + const [loading, setLoading] = useState<boolean>(true); + + + const { error, data, refetch } = useQuery<{ data: Document; }, string>( + 'cre', + () => fetch(`${apiUrl}/id/${id}`).then((res) => res.json()), + { + retry: false, + enabled: false, + onSettled: () => { + setLoading(false); + }, + } + ); + useEffect(() => { + window.scrollTo(0, 0); + setLoading(true); + refetch(); + }, [id]); + + + + const [layout, setLayout] = useState<(Node<ReactFlowNode> | Edge<ReactFlowNode>)[]>(); + + useEffect(() => { + async function draw() { + if (data) { + console.log('flow running:', id); + + let cre = data.data + let graph = documentToReactFlowNode(cre) + const els = await createGraphLayoutElk(graph.nodes, graph.edges); + setLayout(els); + } + } + draw(); 
+ }, [data]); + return ( - <ForceGraph2D - graphData={{ nodes: [], links: [] }} - nodeAutoColorBy="group" - nodeCanvasObject={(node, ctx, globalScale) => { - const label = node.id; - const fontSize = 12 / globalScale; - ctx.font = `${fontSize}px Sans-Serif`; - const textWidth = ctx.measureText(label as string).width; - const backgroundDimensions = [textWidth, fontSize].map((n) => n + fontSize); - - ctx.fillStyle = 'rgba(255, 255, 255, 0.8)'; - ctx.fillRect( - (node.x || 0) - backgroundDimensions[0] / 2, - (node.y || 0) - backgroundDimensions[1] / 2, - backgroundDimensions[0], - backgroundDimensions[1] - ); - - ctx.textAlign = 'center'; - ctx.textBaseline = 'middle'; - // @ts-ignore - ctx.fillStyle = node.color; - ctx.fillText(label as string, node.x || 0, node.y || 0); - - // @ts-ignore - node.__bckgDimensions = backgroundDimensions; // to re-use in nodePointerAreaPaint - }} - nodePointerAreaPaint={(node, color, ctx) => { - ctx.fillStyle = color; - // @ts-ignore - const backgroundDimensions = node.__bckgDimensions; - backgroundDimensions && - ctx.fillRect( - (node.x || 0) - backgroundDimensions[0] / 2, - (node.y || 0) - backgroundDimensions[1] / 2, - backgroundDimensions[0], - backgroundDimensions[1] - ); - }} - /> + loading || error ? + <LoadingAndErrorIndicator loading={loading} error={error} /> + : + layout ? 
( + <ReactFlow + elements={layout} + // onConnect={onConnect} + onLoad={onLoad} + snapToGrid={true} + snapGrid={[15, 15]} + > + <MiniMap + nodeStrokeColor='#0041d0' + nodeColor='#00FF00' + nodeBorderRadius={2} + /> + <Controls /> + <Background color="#ffff" gap={16} /> + </ReactFlow> + + ) : <div /> ); }; + + +const createGraphLayoutElk = async ( + flowNodes: Node<ReactFlowNode>[], + flowEdges: Edge<ReactFlowNode>[] +): Promise<(Node<ReactFlowNode> | Edge<ReactFlowNode>)[]> => { + const elkNodes: ElkNode[] = [] + const elkEdges: ElkPrimitiveEdge[] = [] + + flowNodes.forEach((node) => { + let ports: ElkPort[] = [] + ports = [{ + id: `${node.id}`, + layoutOptions: { + 'org.eclipse.elk.port.side': 'EAST', + 'org.eclipse.elk.port.index': '10', + } + }, + // { + + ] + + elkNodes.push({ + id: `${node.id}`, + width: 200, + height: 50, + ports, + // layoutOptions: { 'org.eclipse.elk.portConstraints': 'FIXED_SIDE' }, + }) + }) + + flowEdges.forEach((edge) => { + let sourcePort + + if (edge.source) { + // Create a link with the node port on branch node type + // sourcePort = `${edge.source}` + let edg = { + id: edge.id, + source: edge.source, + target: edge.target, + // sourcePort, + } + console.log(edg) + elkEdges.push(edg) + }else{ + console.log("edge does not have a source?") + console.log(edge) + } + + + }) + let elk = new Elk(); + console.log(elkEdges) + console.log(elkNodes) + console.log(flowNodes) + const newGraph = await elk.layout({ + id: 'root', + layoutOptions: { + 'spacing.nodeNodeBetweenLayers': '100', + // 'elk.direction': 'DOWN', + + 'org.eclipse.elk.algorithm': 'org.eclipse.elk.radial', //'org.eclipse.elk.layered', + 'org.eclipse.elk.aspectRatio': '1.0f', + 'org.eclipse.elk.force.repulsion': '1.0', + 'org.eclipse.elk.spacing.nodeNode':'100', + 'org.eclipse.elk.padding': '10', + "elk.spacing.edgeNode": '30', + "elk.edgeRouting": "ORTHOGONAL", + 'elk.partitioning.activate': 'true', + "nodeFlexibility": "NODE_SIZE", + 
'org.eclipse.elk.layered.allowNonFlowPortsToSwitchSides': 'true', + }, + children: elkNodes, + edges: elkEdges, + }) + + return [ + ...flowNodes.map((nodeState) => { + const node = newGraph?.children?.find((n) => n.id === nodeState.id) + + if (node?.x && node?.y && node?.width && node?.height) { + nodeState.position = { + x: node.x + Math.random() / 1000, // unfortunately we need this little hack to pass a slightly different position so react-flow react to the changes + y: node.y, + } + // if (nodeState?.data?.elementType !== 'Hidden') { + // nodeState.style = {} + // } + } + nodeState.style = {border: '1px solid', padding:'0.5%', margin:'0.5%'} + return nodeState + }), + ...flowEdges.map((e) => { + e.style = {} + return e + }), + ] +} diff --git a/application/frontend/src/types.ts b/application/frontend/src/types.ts index 6b1bbd326..b5c669baa 100644 --- a/application/frontend/src/types.ts +++ b/application/frontend/src/types.ts @@ -5,7 +5,7 @@ export interface Document { links?: LinkedDocument[]; // For CREs description?: string; - id?: string; + id: string; // For Standards hyperlink?: string; section?: string; diff --git a/package.json b/package.json index b35a558a7..6a6fd47b5 100755 --- a/package.json +++ b/package.json @@ -49,6 +49,7 @@ "d3-dag": "^0.6.3", "date-fns": "^2.16.1", "del-cli": "^3.0.1", + "elkjs": "^0.7.1", "enzyme": "3.11.0", "eslint-plugin-react-hooks": "4.2.0", "file-loader": "^6.2.0", @@ -64,6 +65,8 @@ "react-d3-library": "^1.1.8", "react-digraph": "^8.0.0-beta.2", "react-dom": "^17.0.2", + "react-flow": "^1.0.3", + "react-flow-renderer": "^9.7.4", "react-force-graph-2d": "^1.23.2", "react-hot-toast": "^1.0.0", "react-query": "^3.15.2", @@ -74,6 +77,7 @@ "semantic-ui-react": "^2.0.3", "sinon": "^10.0.0", "typescript": "4.2.4", + "web-worker": "^1.2.0", "webpack-cli": "^4.4.0" }, "importSort": { diff --git a/yarn.lock b/yarn.lock index 9b6b6c824..574c99be9 100644 --- a/yarn.lock +++ b/yarn.lock 
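Review bot: Both `<a target="_blank" href={...}>` labels built in `documentToReactFlowNode` (the root node and each linked node) take `hyperlink` straight from the `/id/${id}` API response and use it as a link target with no scheme check and no `rel` attribute. Those values come from imported external data, and React 17 does not reject a `javascript:` URL in `href`, so a malformed or hostile record would become a clickable script link in the graph view. I would pass every hyperlink through a small allow-list helper that keeps only `http:` and `https:`, and add `rel="noopener noreferrer"` to both anchors. The `console.log` calls left in `createGraphLayoutElk` and in the `draw` effect should be removed before merge, as they dump API data to the browser console.

```typescript
// new helper, placed above documentToReactFlowNode
const safeHref = (url?: string): string | undefined => {
  if (!url) return undefined;
  try {
    const { protocol } = new URL(url, window.location.origin);
    return protocol === 'http:' || protocol === 'https:' ? url : undefined;
  } catch {
    return undefined;
  }
};

// … unchanged: CREGraph interface, start of documentToReactFlowNode …
    data: { label: <a target="_blank" rel="noopener noreferrer" href={safeHref(cDoc.hyperlink)}> {cDoc.id} - {cDoc.name}</a> },
// … unchanged: loop over cDoc.links, unique_node_id / node_label …
        data: { label: <a target="_blank" rel="noopener noreferrer" href={safeHref(hyperlink)}> {node_label}</a> },
```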
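Review bot: The second package.json hunk adds `"react-flow": "^1.0.3"` next to `"react-flow-renderer": "^9.7.4"`, but the Graph.tsx hunk in this patch imports only `react-flow-renderer` and `elkjs`, and nothing visible imports `react-flow`. If it is not used elsewhere, I would drop that line and its yarn.lock entries. An unused package still gets installed and can run install scripts, and a near-namesake of the real dependency is easy to miss in a later audit. Please also confirm that `web-worker` is needed at runtime by `elkjs` rather than pulled in speculatively, since no direct import of it is visible here either.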
@@ -1753,6 +1753,13 @@ dependencies: regenerator-runtime "^0.13.4" +"@babel/runtime@^7.15.4", "@babel/runtime@^7.16.7", "@babel/runtime@^7.9.2": + version "7.17.2" + resolved "https://registry.yarnpkg.com/@babel/runtime/-/runtime-7.17.2.tgz#66f68591605e59da47523c631416b18508779941" + integrity sha512-hzeyJyMA1YGdJTuWU0e/j4wKXrU4OMFvY2MSlaI9B7VQb0r5cxTE3EAIS2Q7Tn2RIcDkRvTA/v2JsAEhxe99uw== + dependencies: + regenerator-runtime "^0.13.4" + "@babel/runtime@^7.16.3": version "7.16.7" resolved "https://registry.yarnpkg.com/@babel/runtime/-/runtime-7.16.7.tgz#03ff99f64106588c9c403c6ecb8c3bafbbdff1fa" @@ -2804,6 +2811,14 @@ dependencies: "@types/node" "*" +"@types/hoist-non-react-statics@^3.3.0": + version "3.3.1" + resolved "https://registry.yarnpkg.com/@types/hoist-non-react-statics/-/hoist-non-react-statics-3.3.1.tgz#1124aafe5118cb591977aeb1ceaaed1070eb039f" + integrity sha512-iMIqiko6ooLrTh1joXodJK5X9xeEALT1kM5G3ZLhD3hszxBdIEd5C75U834D9mLcINgD4OyZf5uQXjkuYydWvA== + dependencies: + "@types/react" "*" + hoist-non-react-statics "^3.3.0" + "@types/html-minifier-terser@^5.0.0": version "5.1.1" resolved "https://registry.yarnpkg.com/@types/html-minifier-terser/-/html-minifier-terser-5.1.1.tgz#3c9ee980f1a10d6021ae6632ca3e79ca2ec4fb50" @@ -2917,6 +2932,16 @@ dependencies: "@types/react" "*" +"@types/react-redux@^7.1.20": + version "7.1.22" + resolved "https://registry.yarnpkg.com/@types/react-redux/-/react-redux-7.1.22.tgz#0eab76a37ef477cc4b53665aeaf29cb60631b72a" + integrity sha512-GxIA1kM7ClU73I6wg9IRTVwSO9GS+SAKZKe0Enj+82HMU6aoESFU2HNAdNi3+J53IaOHPiUfT3kSG4L828joDQ== + dependencies: + "@types/hoist-non-react-statics" "^3.3.0" + "@types/react" "*" + hoist-non-react-statics "^3.3.0" + redux "^4.0.0" + "@types/react@*", "@types/react@^17.0.4": version "17.0.9" resolved "https://registry.yarnpkg.com/@types/react/-/react-17.0.9.tgz#1147fb520024a62c9b3841f5cb4db89b73ddb87f" 
@@ -5415,6 +5440,11 @@ class-utils@^0.3.5: isobject "^3.0.0" static-extend "^0.1.1" +classcat@^5.0.3: + version "5.0.3" + resolved "https://registry.yarnpkg.com/classcat/-/classcat-5.0.3.tgz#38eaa0ec6eb1b10faf101bbcef2afb319c23c17b" + integrity sha512-6dK2ke4VEJZOFx2ZfdDAl5OhEL8lvkl6EHF92IfRePfHxQTqir5NlcNVUv+2idjDqCX2NDc8m8YSAI5NI975ZQ== + clean-css@^4.2.3: version "4.2.3" resolved "https://registry.yarnpkg.com/clean-css/-/clean-css-4.2.3.tgz#507b5de7d97b48ee53d84adb0160ff6216380f78" @@ -6064,6 +6094,11 @@ d3-binarytree@^0.2.0: version "2.0.0" resolved "https://registry.yarnpkg.com/d3-color/-/d3-color-2.0.0.tgz#8d625cab42ed9b8f601a1760a389f7ea9189d62e" +"d3-color@1 - 3": + version "3.0.1" + resolved "https://registry.yarnpkg.com/d3-color/-/d3-color-3.0.1.tgz#03316e595955d1fcd39d9f3610ad41bb90194d0a" + integrity sha512-6/SlHkDOBLyQSJ1j1Ghs82OIUXpKWlR0hCsw0XrLSQhuUPuCSmLQ1QPH98vpnQxMUQM2/gfAkUEWsupVpd9JGw== + d3-dag@^0.6.3: version "0.6.3" resolved "https://registry.yarnpkg.com/d3-dag/-/d3-dag-0.6.3.tgz#8fc297d6ff0b35fd8c5f250ff8b09c8371b16dee" @@ -6077,6 +6112,11 @@ d3-dag@^0.6.3: version "2.0.0" resolved "https://registry.yarnpkg.com/d3-dispatch/-/d3-dispatch-2.0.0.tgz#8a18e16f76dd3fcaef42163c97b926aa9b55e7cf" +"d3-dispatch@1 - 3": + version "3.0.1" + resolved "https://registry.yarnpkg.com/d3-dispatch/-/d3-dispatch-3.0.1.tgz#5fc75284e9c2375c36c839411a0cf550cbfc4d5e" + integrity sha512-rzUyPU/S7rwUflMyLc1ETDeBj0NRuHKKAcvukozwhshr6g6c5d8zh4c2gQjY2bZ0dXeGLWc1PF174P2tVvKhfg== + d3-drag@2, d3-drag@^2.0.0: version "2.0.0" resolved "https://registry.yarnpkg.com/d3-drag/-/d3-drag-2.0.0.tgz#9eaf046ce9ed1c25c88661911c1d5a4d8eb7ea6d" 
@@ -6084,10 +6124,23 @@ d3-drag@2, d3-drag@^2.0.0: d3-dispatch "1 - 2" d3-selection "2" +"d3-drag@2 - 3": + version "3.0.0" + resolved "https://registry.yarnpkg.com/d3-drag/-/d3-drag-3.0.0.tgz#994aae9cd23c719f53b5e10e3a0a6108c69607ba" + integrity sha512-pWbUJLdETVA8lQNJecMxoXfH6x+mO2UQo8rSmZ+QqxcbyA3hfeprFgIT//HW2nlHChWeIIMwS2Fq+gEARkhTkg== + dependencies: + d3-dispatch "1 - 3" + d3-selection "3" + "d3-ease@1 - 2": version "2.0.0" resolved "https://registry.yarnpkg.com/d3-ease/-/d3-ease-2.0.0.tgz#fd1762bfca00dae4bacea504b1d628ff290ac563" +"d3-ease@1 - 3": + version "3.0.1" + resolved "https://registry.yarnpkg.com/d3-ease/-/d3-ease-3.0.1.tgz#9658ac38a2140d59d346160f1f6c30fda0bd12f4" + integrity sha512-wR/XK3D3XcLIZwpbvQwQ5fK+8Ykds1ip7A2Txe0yxncXSdq1L9skcG7blcedkOX+ZcgxGAmLX1FrRGbADwzi0w== + d3-force-3d@^2.3.2: version "2.3.2" resolved "https://registry.yarnpkg.com/d3-force-3d/-/d3-force-3d-2.3.2.tgz#3eba201e9f72456decb3b39c534e8ee6eb6e9a76" @@ -6108,6 +6161,13 @@ d3-force-3d@^2.3.2: dependencies: d3-color "1 - 2" +"d3-interpolate@1 - 3": + version "3.0.1" + resolved "https://registry.yarnpkg.com/d3-interpolate/-/d3-interpolate-3.0.1.tgz#3c47aa5b32c5b3dfb56ef3fd4342078a632b400d" + integrity sha512-3bYs1rOD33uo8aqJfKP3JWPAibgw8Zm2+L9vBKEHJ2Rg+viTR7o5Mmv5mZcieN+FRYaAOWX5SJATX6k1PWz72g== + dependencies: + d3-color "1 - 3" + d3-octree@^0.2.0: version "0.2.0" resolved "https://registry.yarnpkg.com/d3-octree/-/d3-octree-0.2.0.tgz#d3b3e578733cd0bbb7b6a15f80b0d7b38ab2e54c" 
@@ -6137,6 +6197,11 @@ d3-selection@2, d3-selection@^2.0.0: version "2.0.0" resolved "https://registry.yarnpkg.com/d3-selection/-/d3-selection-2.0.0.tgz#94a11638ea2141b7565f883780dabc7ef6a61066" +"d3-selection@2 - 3", d3-selection@3, d3-selection@^3.0.0: + version "3.0.0" + resolved "https://registry.yarnpkg.com/d3-selection/-/d3-selection-3.0.0.tgz#c25338207efa72cc5b9bd1458a1a41901f1e1b31" + integrity sha512-fmTRWbNMmsmWq6xJV8D19U/gw/bwrHfNXxrIN+HfZgnzqTHp9jOmKMhsTUjXOJnZOdZY9Q28y4yebKzqDKlxlQ== + "d3-time-format@2 - 3": version "3.0.0" resolved "https://registry.yarnpkg.com/d3-time-format/-/d3-time-format-3.0.0.tgz#df8056c83659e01f20ac5da5fdeae7c08d5f1bb6" @@ -6153,6 +6218,11 @@ d3-selection@2, d3-selection@^2.0.0: version "2.0.0" resolved "https://registry.yarnpkg.com/d3-timer/-/d3-timer-2.0.0.tgz#055edb1d170cfe31ab2da8968deee940b56623e6" +"d3-timer@1 - 3": + version "3.0.1" + resolved "https://registry.yarnpkg.com/d3-timer/-/d3-timer-3.0.1.tgz#6284d2a2708285b1abb7e201eda4380af35e63b0" + integrity sha512-ndfJ/JxxMd3nw31uyKoY2naivF+r29V+Lc0svZxe1JvvIRmi8hUsrMvdOwgS1o6uBHmiz91geQ0ylPP0aj1VUA== + d3-transition@2: version "2.0.0" resolved "https://registry.yarnpkg.com/d3-transition/-/d3-transition-2.0.0.tgz#366ef70c22ef88d1e34105f507516991a291c94c" @@ -6163,6 +6233,17 @@ d3-transition@2: d3-interpolate "1 - 2" d3-timer "1 - 2" +"d3-transition@2 - 3": + version "3.0.1" + resolved "https://registry.yarnpkg.com/d3-transition/-/d3-transition-3.0.1.tgz#6869fdde1448868077fdd5989200cb61b2a1645f" + integrity sha512-ApKvfjsSR6tg06xrL434C0WydLr7JewBB3V+/39RMHsaXTOG0zmt/OAXeng5M5LBm0ojmxJrpomQVZ1aPvBL4w== + dependencies: + d3-color "1 - 3" + d3-dispatch "1 - 3" + d3-ease "1 - 3" + d3-interpolate "1 - 3" + d3-timer "1 - 3" + d3-zoom@^2.0.0: version "2.0.0" resolved "https://registry.yarnpkg.com/d3-zoom/-/d3-zoom-2.0.0.tgz#f04d0afd05518becce879d04709c47ecd93fba54" 
@@ -6173,6 +6254,17 @@ d3-zoom@^2.0.0: d3-selection "2" d3-transition "2" +d3-zoom@^3.0.0: + version "3.0.0" + resolved "https://registry.yarnpkg.com/d3-zoom/-/d3-zoom-3.0.0.tgz#d13f4165c73217ffeaa54295cd6969b3e7aee8f3" + integrity sha512-b8AmV3kfQaqWAuacbPuNbL6vahnOJflOhexLzMMNLga62+/nh0JzvJ0aO/5a5MVgUFGS7Hu1P9P03o3fJkDCyw== + dependencies: + d3-dispatch "1 - 3" + d3-drag "2 - 3" + d3-interpolate "1 - 3" + d3-selection "2 - 3" + d3-transition "2 - 3" + d3@^3.5.17: version "3.5.17" resolved "https://registry.yarnpkg.com/d3/-/d3-3.5.17.tgz#bc46748004378b21a360c9fc7cf5231790762fb8" @@ -6656,6 +6748,11 @@ electron-to-chromium@^1.4.17: resolved "https://registry.yarnpkg.com/electron-to-chromium/-/electron-to-chromium-1.4.51.tgz#a432f5a5d983ace79278a33057300cf949627e63" integrity sha512-JNEmcYl3mk1tGQmy0EvL5eik/CKSBuzAyGP0QFdG6LIgxQe3II0BL1m2zKc2MZMf3uGqHWE1TFddJML0RpjSHQ== +elkjs@^0.7.1: + version "0.7.1" + resolved "https://registry.yarnpkg.com/elkjs/-/elkjs-0.7.1.tgz#4751c5e918a4988139baf7f214e010aea22de969" + integrity sha512-lD86RWdh480/UuRoHhRcnv2IMkIcK6yMDEuT8TPBIbO3db4HfnVF+1lgYdQi99Ck0yb+lg5Eb46JCHI5uOsmAw== + emittery@^0.7.1: version "0.7.2" resolved "https://registry.yarnpkg.com/emittery/-/emittery-0.7.2.tgz#25595908e13af0f5674ab419396e2fb394cdfa82" @@ -7797,11 +7894,6 @@ for-in@^0.1.3: resolved "https://registry.yarnpkg.com/for-in/-/for-in-0.1.8.tgz#d8773908e31256109952b1fdb9b3fa867d2775e1" integrity sha1-2Hc5COMSVhCZUrH9ubP6hn0ndeE= -for-in@^0.1.3: - version "0.1.8" - resolved "https://registry.yarnpkg.com/for-in/-/for-in-0.1.8.tgz#d8773908e31256109952b1fdb9b3fa867d2775e1" - integrity sha1-2Hc5COMSVhCZUrH9ubP6hn0ndeE= - for-in@^1.0.1, for-in@^1.0.2: version "1.0.2" resolved "https://registry.yarnpkg.com/for-in/-/for-in-1.0.2.tgz#81068d295a8142ec0ac726c6e2200c30fb6d5e80" 
@@ -8314,7 +8406,7 @@ history@^4.9.0: tiny-warning "^1.0.0" value-equal "^1.0.1" -hoist-non-react-statics@^3.1.0: +hoist-non-react-statics@^3.1.0, hoist-non-react-statics@^3.3.0, hoist-non-react-statics@^3.3.2: version "3.3.2" resolved "https://registry.yarnpkg.com/hoist-non-react-statics/-/hoist-non-react-statics-3.3.2.tgz#ece0acaf71d62c2969c2ec59feff42a4b1a85b45" dependencies: @@ -8416,19 +8508,6 @@ html-minifier-terser@^6.0.2: relateurl "^0.2.7" terser "^5.10.0" -html-minifier-terser@^6.0.2: - version "6.1.0" - resolved "https://registry.yarnpkg.com/html-minifier-terser/-/html-minifier-terser-6.1.0.tgz#bfc818934cc07918f6b3669f5774ecdfd48f32ab" - integrity sha512-YXxSlJBZTP7RS3tWnQw74ooKa6L9b9i9QYXY21eUEvhZ3u9XLfv6OnFsQq6RxkhHygsaUMvYsZRV5rU/OVNZxw== - dependencies: - camel-case "^4.1.2" - clean-css "^5.2.2" - commander "^8.3.0" - he "^1.2.0" - param-case "^3.0.4" - relateurl "^0.2.7" - terser "^5.10.0" - html-react-parser@^0.6.1: version "0.6.4" resolved "https://registry.yarnpkg.com/html-react-parser/-/html-react-parser-0.6.4.tgz#a58f462a399a07ecfb4a8d3791cc360770b64e91" @@ -11185,16 +11264,7 @@ nano-time@1.0.0: dependencies: big-integer "^1.6.16" -nanoid@^3.1.23: - version "3.2.0" - resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.2.0.tgz#62667522da6673971cca916a6d3eff3f415ff80c" - -nanoid@^3.1.30: - version "3.2.0" - resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.2.0.tgz#62667522da6673971cca916a6d3eff3f415ff80c" - integrity sha512-fmsZYa9lpn69Ad5eDn7FMcnnSR+8R34W9qJEijxYhTbfOWzr22n1QxCMzXLK+ODyW2973V3Fux959iQoUxzUIA== - -nanoid@^3.1.30: +nanoid@^3.1.23, nanoid@^3.1.30: version "3.2.0" resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.2.0.tgz#62667522da6673971cca916a6d3eff3f415ff80c" integrity sha512-fmsZYa9lpn69Ad5eDn7FMcnnSR+8R34W9qJEijxYhTbfOWzr22n1QxCMzXLK+ODyW2973V3Fux959iQoUxzUIA== 
@@ -12848,6 +12918,15 @@ prop-types@^15.5.10, prop-types@^15.6.2, prop-types@^15.7.0, prop-types@^15.7.2: object-assign "^4.1.1" react-is "^16.8.1" +prop-types@^15.6.0: + version "15.8.1" + resolved "https://registry.yarnpkg.com/prop-types/-/prop-types-15.8.1.tgz#67d87bf1a694f48435cf332c24af10214a3140b5" + integrity sha512-oj87CgZICdulUohogVAR7AjlC0327U4el4L6eAvOqCeudMDVU0NThNaV+b9Df4dXgSP1gXMTnPdhfe/2qDH5cg== + dependencies: + loose-envify "^1.4.0" + object-assign "^4.1.1" + react-is "^16.13.1" + proxy-addr@~2.0.5: version "2.0.7" resolved "https://registry.yarnpkg.com/proxy-addr/-/proxy-addr-2.0.7.tgz#f19fe69ceab311eeb94b42e70e8c2070f9ba1025" @@ -13076,6 +13155,14 @@ react-dom@^17.0.2: object-assign "^4.1.1" scheduler "^0.20.2" +react-draggable@^4.4.4: + version "4.4.4" + resolved "https://registry.yarnpkg.com/react-draggable/-/react-draggable-4.4.4.tgz#5b26d9996be63d32d285a426f41055de87e59b2f" + integrity sha512-6e0WdcNLwpBx/YIDpoyd2Xb04PB0elrDrulKUgdrIlwuYvxh5Ok9M+F8cljm8kPXXs43PmMzek9RrB1b7mLMqA== + dependencies: + clsx "^1.1.1" + prop-types "^15.6.0" + react-error-overlay@^6.0.10: version "6.0.10" resolved "https://registry.yarnpkg.com/react-error-overlay/-/react-error-overlay-6.0.10.tgz#0fe26db4fa85d9dbb8624729580e90e7159a59a6" 
@@ -13085,6 +13172,25 @@ react-fast-compare@^3.0.1: version "3.2.0" resolved "https://registry.yarnpkg.com/react-fast-compare/-/react-fast-compare-3.2.0.tgz#641a9da81b6a6320f270e89724fb45a0b39e43bb" +react-flow-renderer@^9.7.4: + version "9.7.4" + resolved "https://registry.yarnpkg.com/react-flow-renderer/-/react-flow-renderer-9.7.4.tgz#11394c05ca953b650e2017d056c075fd3df9075c" + integrity sha512-GxHBXzkn8Y+TEG8pul7h6Fjo4cKrT0kW9UQ34OAGZqAnSBLbBsx9W++TF8GiULBbTn3O8o7HtHxux685Op10mQ== + dependencies: + "@babel/runtime" "^7.16.7" + classcat "^5.0.3" + d3-selection "^3.0.0" + d3-zoom "^3.0.0" + fast-deep-equal "^3.1.3" + react-draggable "^4.4.4" + react-redux "^7.2.6" + redux "^4.1.2" + +react-flow@^1.0.3: + version "1.0.3" + resolved "https://registry.yarnpkg.com/react-flow/-/react-flow-1.0.3.tgz#2b009ce8e445bb2ea3d6ca4fe41f316c5e0c2cf3" + integrity sha1-KwCc6ORFuy6j1spP5B8xbF4MLPM= + react-force-graph-2d@^1.23.2: version "1.23.6" resolved "https://registry.yarnpkg.com/react-force-graph-2d/-/react-force-graph-2d-1.23.6.tgz#0fa29348a30d3a71c6ed7f79d5af51eac66a6c18" @@ -13103,7 +13209,7 @@ react-hot-toast@^1.0.0: version "17.0.2" resolved "https://registry.yarnpkg.com/react-is/-/react-is-17.0.2.tgz#e691d4a8e9c789365655539ab372762b0efb54f0" -react-is@^16.6.0, react-is@^16.6.3, react-is@^16.7.0, react-is@^16.8.1: +react-is@^16.13.1, react-is@^16.6.0, react-is@^16.6.3, react-is@^16.7.0, react-is@^16.8.1: version "16.13.1" resolved "https://registry.yarnpkg.com/react-is/-/react-is-16.13.1.tgz#789729a4dc36de2999dc156dd6c1d9c18cea56a4" 
@@ -13129,6 +13235,18 @@ react-query@^3.15.2: broadcast-channel "^3.4.1" match-sorter "^6.0.2" +react-redux@^7.2.6: + version "7.2.6" + resolved "https://registry.yarnpkg.com/react-redux/-/react-redux-7.2.6.tgz#49633a24fe552b5f9caf58feb8a138936ddfe9aa" + integrity sha512-10RPdsz0UUrRL1NZE0ejTkucnclYSgXp5q+tB5SWx2qeG2ZJQJyymgAhwKy73yiL/13btfB6fPr+rgbMAaZIAQ== + dependencies: + "@babel/runtime" "^7.15.4" + "@types/react-redux" "^7.1.20" + hoist-non-react-statics "^3.3.2" + loose-envify "^1.4.0" + prop-types "^15.7.2" + react-is "^17.0.2" + react-refresh@^0.11.0: version "0.11.0" resolved "https://registry.yarnpkg.com/react-refresh/-/react-refresh-0.11.0.tgz#77198b944733f0f1f1a90e791de4541f9f074046" @@ -13362,6 +13480,13 @@ redent@^3.0.0: indent-string "^4.0.0" strip-indent "^3.0.0" +redux@^4.0.0, redux@^4.1.2: + version "4.1.2" + resolved "https://registry.yarnpkg.com/redux/-/redux-4.1.2.tgz#140f35426d99bb4729af760afcf79eaaac407104" + integrity sha512-SH8PglcebESbd/shgf6mii6EIoRM0zrQyjcuQ+ojmfxjTtE0z9Y8pa62iA/OJ58qjP6j27uyW4kUF4jl/jd6sw== + dependencies: + "@babel/runtime" "^7.9.2" + regenerate-unicode-properties@^8.2.0: version "8.2.0" resolved "https://registry.yarnpkg.com/regenerate-unicode-properties/-/regenerate-unicode-properties-8.2.0.tgz#e5de7111d655e7ba60c057dbe9ff37c87e65cdec" @@ -15455,6 +15580,11 @@ wcwidth@^1.0.0: dependencies: defaults "^1.0.3" +web-worker@^1.2.0: + version "1.2.0" + resolved "https://registry.yarnpkg.com/web-worker/-/web-worker-1.2.0.tgz#5d85a04a7fbc1e7db58f66595d7a3ac7c9c180da" + integrity sha512-PgF341avzqyx60neE9DD+XS26MMNMoUQRz9NOZwW32nPQrF6p77f1htcnjBSEV8BGMKZ16choqUG4hyI0Hx7mA== + webidl-conversions@^3.0.0: version "3.0.1" resolved "https://registry.yarnpkg.com/webidl-conversions/-/webidl-conversions-3.0.1.tgz#24534275e2a7bc6be7bc86611cc16ae0a5654871" From c598e9c7f661e0793bf36e0fe3f2536a8fa739d3 Mon Sep 17 00:00:00 2001 
From: Spyros <northdpole@users.noreply.github.com> Date: Thu, 17 Mar 2022 19:39:19 +0000 Subject: [PATCH 13/26] =?UTF-8?q?make=20graph=20a=20singleton=20so=20we=20?= =?UTF-8?q?don't=20have=20to=20reload=20the=20whole=20db=20every=20?= =?UTF-8?q?=E2=80=A6=20(#176)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * make graph a singleton so we don't have to reload the whole db every page load * fix web_main_test that was breaking due to poor test setup * make graph a singleton so we don't have to reload the whole db every page load * debugging * Revert "Merge branch 'graph_singleton' of github.com:OWASP/common-requirement-enumeration into graph_singleton" This reverts commit 0c0048ab94c398ddaec27d45dc35930bc4e11d12, reversing changes made to abe04bec61313900bbdc82f51bfb5d97843ed913. * debugging * fix tests --- application/database/db.py | 163 ++++++++++++++++---------- application/tests/db_test.py | 54 ++++++++- application/tests/spreadsheet_test.py | 56 ++++----- application/tests/web_main_test.py | 20 +++- application/utils/file.py | 2 - application/utils/spreadsheet.py | 3 - application/web/web_main.py | 3 +- 7 files changed, 190 insertions(+), 111 deletions(-) diff --git a/application/database/db.py b/application/database/db.py index e0272df62..7241c638b 100644 --- a/application/database/db.py +++ b/application/database/db.py @@ -2,7 +2,7 @@ import re from collections import Counter from itertools import permutations -from typing import Any, Dict, List, Optional, Sequence, Tuple, cast +from typing import Any, Dict, List, Optional, Tuple, cast import networkx as nx import yaml 
@@ -98,12 +98,28 @@ class Links(BaseModel): # type: ignore ) -class Node_collection: - def __init__(self) -> None: - self.session = sqla.session - self.cre_graph = self.__load_cre_graph() +class CRE_Graph: + graph: nx.Graph = None + __instance = None + + @classmethod + def instance(cls, session): + if cls.__instance is None: + cls.__instance = cls.__new__(cls) + cls.graph = cls.load_cre_graph(session) + return cls.__instance - def __add_cre_graph_node(self, dbcre: CRE, graph: nx.DiGraph) -> nx.DiGraph: + def __init__(sel): + raise ValueError("CRE_Graph is a singleton, please call instance() instead") + + def add_edge(self, *args, **kwargs): + return self.graph.add_edge(*args, **kwargs) + + def add_node(self, *args, **kwargs): + return self.graph.add_node(*args, **kwargs) + + @classmethod + def add_cre(cls, dbcre: CRE, graph: nx.DiGraph) -> nx.DiGraph: if dbcre: graph.add_node( f"CRE: {dbcre.id}", internal_id=dbcre.id, external_id=dbcre.external_id @@ -112,7 +128,8 @@ def __add_cre_graph_node(self, dbcre: CRE, graph: nx.DiGraph) -> nx.DiGraph: logger.error("Called with dbcre being none") return graph - def __add_node_graph_node(self, dbnode: Node, graph: nx.DiGraph) -> nx.DiGraph: + @classmethod + def add_dbnode(cls, dbnode: Node, graph: nx.DiGraph) -> nx.DiGraph: if dbnode: graph.add_node( "Node: " + str(dbnode.id), 
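Review bot: In `CRE_Graph.instance()`, `cls.__instance` is assigned before `cls.load_cre_graph(session)` runs, so if the load raises, later calls return the singleton with `graph` still `None` and every `self.graph.graph` access in `Node_collection` fails from then on. Load first and publish second: `cls.graph = cls.load_cre_graph(session)` followed by `cls.__instance = cls.__new__(cls)`. The check-then-set is also unguarded, so if the web application serves requests from several threads (not visible here) two first requests can each rebuild the graph; a class-level lock around the `if` would prevent that. `def __init__(sel)` should read `def __init__(self)`.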
@@ -124,34 +141,45 @@ def __add_node_graph_node(self, dbnode: Node, graph: nx.DiGraph) -> nx.DiGraph: logger.error("Called with dbnode being none") return graph - def __load_cre_graph(self) -> nx.Graph: + @classmethod + def load_cre_graph(cls, session) -> nx.Graph: graph = nx.DiGraph() - for il in self.session.query(InternalLinks).all(): - group = self.session.query(CRE).filter(CRE.id == il.group).first() + for il in session.query(InternalLinks).all(): + group = session.query(CRE).filter(CRE.id == il.group).first() if not group: logger.error(f"CRE {il.group} does not exist?") - graph = self.__add_cre_graph_node(dbcre=group, graph=graph) + graph = cls.add_cre(dbcre=group, graph=graph) - cre = self.session.query(CRE).filter(CRE.id == il.cre).first() + cre = session.query(CRE).filter(CRE.id == il.cre).first() if not cre: logger.error(f"CRE {il.cre} does not exist?") - graph = self.__add_cre_graph_node(dbcre=cre, graph=graph) + graph = cls.add_cre(dbcre=cre, graph=graph) graph.add_edge(f"CRE: {il.group}", f"CRE: {il.cre}", ltype=il.type) - for lnk in self.session.query(Links).all(): - node = self.session.query(Node).filter(Node.id == lnk.node).first() + for lnk in session.query(Links).all(): + node = session.query(Node).filter(Node.id == lnk.node).first() if not node: logger.error(f"Node {lnk.node} does not exist?") - graph = self.__add_node_graph_node(dbnode=node, graph=graph) + graph = cls.add_dbnode(dbnode=node, graph=graph) - cre = self.session.query(CRE).filter(CRE.id == lnk.cre).first() - graph = self.__add_cre_graph_node(dbcre=cre, graph=graph) + cre = session.query(CRE).filter(CRE.id == lnk.cre).first() + graph = cls.add_cre(dbcre=cre, graph=graph) - graph.add_edge(f"CRE: {lnk.cre}", f"Node: {str(lnk.node)}", ltype=il.type) + graph.add_edge(f"CRE: {lnk.cre}", f"Node: {str(lnk.node)}", ltype=lnk.type) return graph + +class Node_collection: + graph: nx.Graph = None + session = sqla.session + + def __init__(self) -> None: + self.graph = 
CRE_Graph.instance(sqla.session) + # self.graph = CRE_Graph.instance(session=sqla.session) + self.session = sqla.session + def __get_external_links(self) -> List[Tuple[CRE, Node, str]]: external_links: List[Tuple[CRE, Node, str]] = [] @@ -177,16 +205,33 @@ def __get_unlinked_nodes(self) -> List[Node]: linked_nodes = ( self.session.query(Node.id).join(Links).filter(Node.id == Links.node) ) - nodes: List[Node] = ( self.session.query(Node).filter(Node.id.notin_(linked_nodes)).all() ) - return nodes + def __get_unlinked_cres(self) -> List[CRE]: + internally_linked_cres = self.session.query(CRE.id).join( + InternalLinks, + sqla.or_(InternalLinks.group == CRE.id, InternalLinks.cre == CRE.id), + ) + externally_linked_cres = ( + self.session.query(CRE.id).join(Links).filter(Links.cre == CRE.id) + ) + + cres = ( + self.session.query(CRE) + .filter( + CRE.id.notin_(internally_linked_cres), + CRE.id.notin_(externally_linked_cres), + ) + .all() + ) + return cres + def __introduces_cycle(self, node_from: str, node_to: str) -> Any: try: - existing_cycle = nx.find_cycle(self.cre_graph) + existing_cycle = nx.find_cycle(self.graph.graph) if existing_cycle: logger.fatal( "Existing graph contains cycle," @@ -200,7 +245,7 @@ def __introduces_cycle(self, node_from: str, node_to: str) -> Any: ) except nx.exception.NetworkXNoCycle: pass # happy path, we don't want cycles - new_graph = self.cre_graph.copy() + new_graph = self.graph.graph.copy() new_graph.add_edge(node_from, node_to) try: return nx.find_cycle(new_graph) @@ -353,6 +398,7 @@ def get_nodes_with_pagination( If a standard entry is not linked to by a CRE in the list the Standard entry will be returned empty. """ nodes = [] + dbnodes = self.__get_nodes_query__( name=name, section=section, @@ -385,6 +431,7 @@ def get_nodes_with_pagination( ) ) nodes.append(node) + return total_pages, nodes, dbnodes else: logger.warning(f"Node {name} of type {ntype} does not exist in the db") 
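Review bot: `load_cre_graph` logs a missing `group`, `cre` or `node` row but still calls `graph.add_edge(...)` with its id, and networkx creates any missing endpoint as a node with no attributes. Such a node has no `internal_id`, which `get_root_cres` later reads with `self.graph.graph.nodes[nodeid]["internal_id"]`, so one orphaned link row can turn into a `KeyError` when that method runs. In the `Links` loop the `cre` lookup has no check of its own before the edge is added. Skip the edge when either endpoint is missing, as sketched below for the first loop; the second loop needs the same guard.

```python
for il in session.query(InternalLinks).all():
    group = session.query(CRE).filter(CRE.id == il.group).first()
    cre = session.query(CRE).filter(CRE.id == il.cre).first()
    if not group or not cre:
        # A link row that points at a missing CRE must not reach add_edge,
        # which would create an attribute-less node for the missing id.
        logger.error(
            f"InternalLink {il.group} -> {il.cre} references a missing CRE, skipping"
        )
        continue
    graph = cls.add_cre(dbcre=group, graph=graph)
    graph = cls.add_cre(dbcre=cre, graph=graph)
    graph.add_edge(f"CRE: {il.group}", f"CRE: {il.cre}", ltype=il.type)
# … unchanged apart from the same guard: the Links loop …
```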
@@ -595,16 +642,13 @@ def get_CREs( cres.append(cre) return cres - def export(self, dir: str, dry_run: bool = False) -> List[cre_defs.Document]: + def export(self, dir: str = None, dry_run: bool = False) -> List[cre_defs.Document]: """Exports the database to a CRE file collection on disk""" docs: Dict[str, cre_defs.Document] = {} cre, standard = None, None # internal links are Group/HigherLevelCRE -> CRE - for link in self.__get_internal_links(): - group = link[0] - cre = link[1] - type = link[2] + for group, cre, type in self.__get_internal_links(): grp = None # when cres link to each other it's a two way link # so handle cre1(group) -> cre2 link first @@ -633,10 +677,7 @@ def export(self, dir: str, dry_run: bool = False) -> List[cre_defs.Document]: ) # external links are CRE -> standard - for link in self.__get_external_links(): - internal_doc = link[0] - standard = link[1] - type = link[2] + for internal_doc, standard, type in self.__get_external_links(): cr = None grp = None if internal_doc.name in docs.keys(): 
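Review bot: `export` now declares `dir: str = None`, but the write branch shown in the following hunk runs whenever `dry_run` is false, so `export()` called with no arguments reaches `file.writeToDisk` without a target directory (how `dir` is passed to it is outside the visible lines). Annotate the parameter as `dir: Optional[str] = None` and fail early with `if not dry_run and not dir: raise ValueError("export requires dir unless dry_run is set")`. The new tuple unpacking keeps binding a local called `type`, which shadows the builtin for the rest of the method; `ltype` would match the keyword used a few lines later. The body of `export` continues outside this hunk.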
@@ -644,31 +685,31 @@ def export(self, dir: str, dry_run: bool = False) -> List[cre_defs.Document]: else: cr = CREfromDB(internal_doc) if len(standard.name) != 0: - cr.add_link( + docs[cr.name] = cr.add_link( cre_defs.Link( ltype=cre_defs.LinkTypes.from_str(type), document=nodeFromDB(standard), ) ) - docs[cr.name] = cr + # unlinked cres next + for ucre in self.__get_unlinked_cres(): + docs[ucre.name] = CREfromDB(ucre) # unlinked nodes last for unode in self.__get_unlinked_nodes(): - unode = nodeFromDB(unode) - docs[ - "%s-%s:%s:%s" % (unode.name, unode.doctype, unode.id, unode.description) - ] = unode - logger.info(f"{unode.name} is unlinked?") - - for _, doc in docs.items(): - title = ( - doc.name.replace("/", "-") - .replace(" ", "_") - .replace('"', "") - .replace("'", "") - + ".yaml" - ) - if not dry_run: + nde = nodeFromDB(unode) + docs["%s-%s:%s:%s" % (nde.name, nde.doctype, nde.id, nde.description)] = nde + logger.info(f"{nde.name} is unlinked?") + + if not dry_run: + for _, doc in docs.items(): + title = ( + doc.name.replace("/", "-") + .replace(" ", "_") + .replace('"', "") + .replace("'", "") + + ".yaml" + ) file.writeToDisk( file_title=title, file_content=yaml.safe_dump(doc.todict()), @@ -713,9 +754,7 @@ def add_cre(self, cre: cre_defs.CRE) -> CRE: ) self.session.add(entry) self.session.commit() - self.cre_graph = self.__add_cre_graph_node( - dbcre=entry, graph=self.cre_graph - ) + self.graph = self.graph.add_cre(dbcre=entry, graph=self.graph) return entry def add_node(self, node: cre_defs.Node) -> Optional[Node]: @@ -740,9 +779,7 @@ def add_node(self, node: cre_defs.Node) -> Optional[Node]: self.session.add(dbnode) self.session.commit() - self.cre_graph = self.__add_node_graph_node( - dbnode=dbnode, graph=self.cre_graph - ) + self.graph = self.graph.add_dbnode(dbnode=dbnode, graph=self.graph) return dbnode def add_internal_link( 
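Review bot: The file title passed to `file.writeToDisk` is still derived from `doc.name` by replacing only `/`, space and the two quote characters, and those names presumably originate from imported spreadsheets and external project data. Two different names such as `A/B` and `A-B` (constructed example) map to the same title, so the second write silently replaces the first, and a backslash passes through unchanged, which matters on platforms where it is a path separator. Before writing, keep a set of titles already produced and log or raise on a repeat, and reject any title for which `os.path.basename(title) != title` (this needs `import os` if the module does not already have it). The `writeToDisk` call continues past the end of this hunk.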
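Review bot: `self.graph.add_cre(dbcre=entry, graph=self.graph)` passes the `CRE_Graph` wrapper where `add_cre` is annotated to take an `nx.DiGraph`; it works only because the wrapper happens to define `add_node`, and the result is then assigned back to `self.graph` although it is the same object. Pass the underlying graph and drop the assignment: `self.graph.add_cre(dbcre=entry, graph=self.graph.graph)`. The `add_dbnode` call in the next hunk has the same shape and would become `self.graph.add_dbnode(dbnode=dbnode, graph=self.graph.graph)`.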
@@ -833,13 +870,13 @@ def add_internal_link( InternalLinks(type=type.value, cre=cre.id, group=group.id) ) self.session.commit() - self.cre_graph.add_edge( + self.graph.add_edge( f"CRE: {group.id}", f"CRE: {cre.id}", ltype=type.value ) else: logger.warning( - f"A link between CREs {group.external_id} and" - f" {cre.external_id} " + f"A link between CREs {group.external_id}-{group.name} and" + f" {cre.external_id}-{cre.name} " f"would introduce cycle {cycle}, skipping" ) @@ -882,7 +919,7 @@ def add_link( " ,adding" ) self.session.add(Links(type=type.value, cre=cre.id, node=node.id)) - self.cre_graph.add_edge( + self.graph.add_edge( f"CRE: {cre.id}", f"Node: {str(node.id)}", ltype=type.value ) else: @@ -901,7 +938,7 @@ def find_path_between_nodes( """One line method to return paths in a graph, this starts getting complicated when we have more linktypes""" res: bool = nx.has_path( - self.cre_graph.to_undirected(), + self.graph.graph.to_undirected(), "Node: " + str(node_source_id), "Node: " + str(node_destination_id), ) @@ -1023,13 +1060,13 @@ def get_root_cres(self): """Returns CRES that only have "Contains" links""" nodes = [ node - for node in self.cre_graph.nodes - if self.cre_graph.in_degree(node) == 0 and node.startswith("CRE") + for node in self.graph.graph.nodes + if self.graph.graph.in_degree(node) == 0 and node.startswith("CRE") ] result = [] for nodeid in nodes: result.extend( - self.get_CREs(internal_id=self.cre_graph.nodes[nodeid]["internal_id"]) + self.get_CREs(internal_id=self.graph.graph.nodes[nodeid]["internal_id"]) ) return result diff --git a/application/tests/db_test.py b/application/tests/db_test.py index 25b183540..1e5924e41 100644 --- a/application/tests/db_test.py +++ b/application/tests/db_test.py 
@@ -27,6 +27,7 @@ def setUp(self) -> None: self.app_context.push() self.collection = db.Node_collection() collection = self.collection + collection.graph.graph = db.CRE_Graph.load_cre_graph(sqla.session) dbcre = collection.add_cre( defs.CRE(id="111-000", description="CREdesc", name="CREname") @@ -154,9 +155,33 @@ def test_export(self) -> None: with a link to "BarStand" and "GroupName" and one for "GroupName" with a link to "CREName" """ loc = tempfile.mkdtemp() + collection = db.Node_collection() + collection = self.collection + collection.graph.graph = db.CRE_Graph.load_cre_graph(sqla.session) + code0 = defs.Code(name="co0") code1 = defs.Code(name="co1") tool0 = defs.Tool(name="t0", tooltype=defs.ToolTypes.Unknown) + + dbstandard = collection.add_node( + defs.Standard( + subsection="4.5.6", + section="FooStand", + name="BarStand", + hyperlink="https://example.com", + tags=["a", "b", "c"], + ) + ) + + collection.add_node( + defs.Standard( + subsection="4.5.6", + section="Unlinked", + name="Unlinked", + hyperlink="https://example.com", + ) + ) + self.collection.add_link(self.dbcre, self.collection.add_node(code0)) self.collection.add_node(code1) self.collection.add_node(tool0) @@ -181,7 +206,7 @@ def test_export(self) -> None: links=[ defs.Link( document=defs.CRE( - id="111-001", description="Groupdesc", name="GroupName" + id="112-001", description="Groupdesc", name="GroupName" ) ), defs.Link( 
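Review bot: In `test_export` the added `collection = db.Node_collection()` is overwritten by `collection = self.collection` on the next line, so the first assignment is dead and can be removed. Both `setUp` and this test also reassign `collection.graph.graph` by hand, which is only needed because the graph now lives on the `CRE_Graph` class and survives from one test to the next. A comment above that line, for example `# CRE_Graph is process-wide: rebuild it so state from earlier tests does not leak in`, would tell the next reader why the reset is there and why omitting it in a new test produces order-dependent failures.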
@@ -209,15 +234,30 @@ def test_export(self) -> None: # load yamls from loc, parse, # ensure yaml1 is result[0].todict and - # yaml2 is expected[1].todic + # yaml2 is expected[1].todict group = expected[0].todict() cre = expected[1].todict() - groupname = expected[0].name + ".yaml" + groupname = ( + expected[0] + .name.replace("/", "-") + .replace(" ", "_") + .replace('"', "") + .replace("'", "") + + ".yaml" + ) + with open(os.path.join(loc, groupname), "r") as f: doc = yaml.safe_load(f) self.assertDictEqual(group, doc) - crename = expected[1].name + ".yaml" + crename = ( + expected[1] + .name.replace("/", "-") + .replace(" ", "_") + .replace('"', "") + .replace("'", "") + + ".yaml" + ) self.maxDiff = None with open(os.path.join(loc, crename), "r") as f: doc = yaml.safe_load(f) @@ -736,6 +776,7 @@ def test_gap_analysis(self) -> None: """ collection = db.Node_collection() + collection.graph.graph = db.CRE_Graph.load_cre_graph(sqla.session) cres = { "dbca": collection.add_cre(defs.CRE(id="1", description="CA", name="CA")), @@ -1149,9 +1190,10 @@ def test_get_root_cres(self): sqla.session.remove() sqla.drop_all() sqla.create_all(app=self.app) - self.collection = db.Node_collection() - collection = self.collection + collection = db.Node_collection() + collection.graph.graph = db.CRE_Graph.load_cre_graph(sqla.session) + for i in range(0, 5): if i == 0 or i == 1: cres.append(defs.CRE(name=f">> C{i}", id=f"{i}")) diff --git a/application/tests/spreadsheet_test.py b/application/tests/spreadsheet_test.py index 4bf582314..7408807c0 100644 --- a/application/tests/spreadsheet_test.py +++ b/application/tests/spreadsheet_test.py @@ -3,6 +3,7 @@ from application import create_app, sqla # type: ignore from application.database import db +from application.defs import cre_defs as defs from application.utils.spreadsheet import prepare_spreadsheet 
@@ -453,51 +454,44 @@ def test_prepare_spreadsheet_simple(self) -> None: * 1 element contains ONLY the mapping of "CREname" to the remaining subsection of "ConflictStandName" """ # empty string means temporary db - collection = self.collection - - # test 0, single CRE, connects to several standards, 1 cre maps to the same standard in multiple sections/subsections - dbcre = db.CRE(description="CREdesc", name="CREname", external_id="123-321-0") - collection.session.add(dbcre) + collection = db.Node_collection() - conflict0 = db.Node( + # test 0, single CRE, connects to several standards + # 1 cre maps to the same standard in multiple sections/subsections + cre = defs.CRE(description="CREdesc", name="CREname", id="123-321-0") + conflict0 = defs.Standard( subsection="4.5.0", section="ConflictStandSection", name="ConflictStandName", - link="https://example.com/0", - ntype="Standard", + hyperlink="https://example.com/0", ) - conflict1 = db.Node( + conflict1 = defs.Standard( subsection="4.5.1", section="ConflictStandSection", name="ConflictStandName", - link="https://example.com/1", - ntype="Standard", + hyperlink="https://example.com/1", ) - collection.session.add(conflict0) - collection.session.add(conflict1) - collection.session.commit() - collection.session.add(db.Links(cre=dbcre.id, node=conflict0.id)) - collection.session.add(db.Links(cre=dbcre.id, node=conflict1.id)) - - dbs0 = db.Node( + s0 = defs.Standard( subsection="4.5.0", section="NormalStandSection0", name="NormalStand0", - link="https://example.com/0", - ntype="Standard", + hyperlink="https://example.com/0", ) - dbs1 = db.Node( + s1 = defs.Standard( subsection="4.5.1", section="NormalStandSection1", name="NormalStand1", - link="https://example.com/1", - ntype="Standard", + hyperlink="https://example.com/1", ) - collection.session.add(dbs0) - collection.session.add(dbs1) - collection.session.commit() - collection.session.add(db.Links(cre=dbcre.id, node=dbs0.id)) - 
collection.session.add(db.Links(cre=dbcre.id, node=dbs1.id)) + dbcre = collection.add_cre(cre) + dbc0 = collection.add_node(conflict0) + dbc1 = collection.add_node(conflict1) + dbs0 = collection.add_node(s0) + dbs1 = collection.add_node(s1) + collection.add_link(dbcre, dbc0) + collection.add_link(dbcre, dbc1) + collection.add_link(dbcre, dbs0) + collection.add_link(dbcre, dbs1) expected = [ { @@ -535,10 +529,10 @@ def test_prepare_spreadsheet_simple(self) -> None: "Standard:NormalStand1:subsection": None, }, ] + export = collection.export(dry_run=True) + result = prepare_spreadsheet(collection, export) + self.maxDiff = None - result = prepare_spreadsheet( - collection, collection.export(dir=tempfile.mkdtemp()) - ) self.assertCountEqual(result, expected) diff --git a/application/tests/web_main_test.py b/application/tests/web_main_test.py index ce48ff1c6..3eadd1da1 100644 --- a/application/tests/web_main_test.py +++ b/application/tests/web_main_test.py @@ -8,7 +8,8 @@ from application import create_app, sqla # type: ignore from application.database import db -from application.defs import cre_defs as defs, osib_defs +from application.defs import cre_defs as defs +from application.defs import osib_defs from application.web import web_main @@ -23,7 +24,6 @@ def setUp(self) -> None: sqla.create_all(app=self.app) self.app_context = self.app.app_context() self.app_context.push() - self.collection = db.Node_collection() def test_extend_cre_with_tag_links(self) -> None: """ @@ -89,6 +89,8 @@ def test_extend_cre_with_tag_links(self) -> None: def test_find_by_id(self) -> None: collection = db.Node_collection() + collection.graph.graph = db.CRE_Graph.load_cre_graph(sqla.session) + cres = { "ca": defs.CRE(id="1", description="CA", name="CA", tags=["ta"]), "cd": defs.CRE(id="2", description="CD", name="CD", tags=["td"]), 
@@ -106,7 +108,7 @@ def test_find_by_id(self) -> None: collection.add_internal_link(group=dca, cre=dcd, type=defs.LinkTypes.Contains) collection.add_internal_link(group=dcb, cre=dcd, type=defs.LinkTypes.Contains) - + self.maxDiff = None with self.app.test_client() as client: response = client.get(f"/rest/v1/id/9999999999") self.assertEqual(404, response.status_code) @@ -127,11 +129,14 @@ def test_find_by_id(self) -> None: "data": cres["cb"].todict(), "osib": osib_defs.cre2osib([cres["cb"]]).todict(), } + self.assertEqual(json.loads(osib_response.data.decode()), osib_expected) self.assertEqual(200, osib_response.status_code) def test_find_by_name(self) -> None: collection = db.Node_collection() + collection.graph.graph = db.CRE_Graph.load_cre_graph(sqla.session) + cres = { "ca": defs.CRE(id="1", description="CA", name="CA", tags=["ta"]), "cd": defs.CRE(id="2", description="CD", name="CD", tags=["td"]), @@ -146,9 +151,9 @@ def test_find_by_name(self) -> None: dca = collection.add_cre(cres["ca"]) dcb = collection.add_cre(cres["cb"]) dcd = collection.add_cre(cres["cd"]) - collection.add_internal_link(group=dca, cre=dcd, type=defs.LinkTypes.Contains) collection.add_internal_link(group=dcb, cre=dcd, type=defs.LinkTypes.Contains) + self.maxDiff = None with self.app.test_client() as client: response = client.get(f"/rest/v1/name/CW") @@ -161,6 +166,7 @@ def test_find_by_name(self) -> None: ) self.assertEqual(200, response.status_code) self.assertEqual(json.loads(response.data.decode()), expected) + osib_response = client.get( f"/rest/v1/name/{cres['cb'].name}?osib=true", headers={"Content-Type": "application/json"}, 
@@ -187,7 +193,9 @@ def test_find_node_by_name(self) -> None: "sd": defs.Standard( name="s1", section="s22", subsection="s333", version="4.0.0" ), - "se": defs.Standard(name="s1", hyperlink="https://example.com/foo"), + "se": defs.Standard( + name="s1", hyperlink="https://example.com/foo", tags=["s1"] + ), "c0": defs.Code( name="C0", description="print(0)", hyperlink="https://example.com/c0" ), @@ -196,6 +204,7 @@ def test_find_node_by_name(self) -> None: collection.add_node(v) self.maxDiff = None + with self.app.test_client() as client: response = client.get(f"/rest/v1/standard/9999999999") self.assertEqual(404, response.status_code) @@ -215,6 +224,7 @@ def test_find_node_by_name(self) -> None: f"/rest/v1/standard/{nodes['sa'].name}", headers={"Content-Type": "application/json"}, ) + self.assertEqual(json.loads(response.data.decode()), expected) self.assertEqual(200, response.status_code) diff --git a/application/utils/file.py b/application/utils/file.py index b1d820654..61276f96b 100644 --- a/application/utils/file.py +++ b/application/utils/file.py @@ -1,10 +1,8 @@ import os - from typing import Dict def writeToDisk(file_title: str, cres_loc: str, file_content: str) -> Dict[str, str]: - with open(os.path.join(cres_loc, file_title), "w+", encoding="utf8") as fp: fp.write(file_content) return {file_title: file_content} diff --git a/application/utils/spreadsheet.py b/application/utils/spreadsheet.py index af06bfd2b..ca46fbef5 100644 --- a/application/utils/spreadsheet.py +++ b/application/utils/spreadsheet.py @@ -5,9 +5,7 @@ from typing import Any, Dict, List, Optional import gspread - import yaml - from application.database import db from application.defs import cre_defs as defs @@ -150,7 +148,6 @@ def prepare_spreadsheet( of key,value dict representing the mappings """ nodes = collection.get_node_names() # get header from db (cheap enough) - header: Dict[str, Optional[str]] = { defs.ExportFormat.cre_name_key(): None, defs.ExportFormat.cre_id_key(): None, 
diff --git a/application/web/web_main.py b/application/web/web_main.py index 2551602fa..efcc10908 100644 --- a/application/web/web_main.py +++ b/application/web/web_main.py @@ -100,6 +100,7 @@ def find_node_by_name(name: str, ntype: str = defs.Credoctypes.Standard.value) - version=opt_version, ntype=ntype, ) + result = {} result["total_pages"] = total_pages result["page"] = page @@ -201,7 +202,7 @@ def before_request(): return if not request.is_secure: - print("https redir") + url = request.url.replace("http://", "https://", 1) code = 301 return redirect(url, code=code) From 41f6e95b5cbe24593c4ae8403ea1dcf3684acadb Mon Sep 17 00:00:00 2001 From: Spyros <northdpole@users.noreply.github.com> Date: Thu, 17 Mar 2022 20:05:56 +0000 Subject: [PATCH 14/26] Improve coverage (#177) * make graph a singleton so we don't have to reload the whole db every page load * fix web_main_test that was breaking due to poor test setup * make graph a singleton so we don't have to reload the whole db every page load * debugging * Revert "Merge branch 'graph_singleton' of github.com:OWASP/common-requirement-enumeration into graph_singleton" This reverts commit 0c0048ab94c398ddaec27d45dc35930bc4e11d12, reversing changes made to abe04bec61313900bbdc82f51bfb5d97843ed913. * debugging * fix tests * add test_find_root_cres * lint --- application/tests/web_main_test.py | 54 ++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/application/tests/web_main_test.py b/application/tests/web_main_test.py index 3eadd1da1..428c7d609 100644 --- a/application/tests/web_main_test.py +++ b/application/tests/web_main_test.py 
@@ -397,3 +397,57 @@ def test_test_search(self) -> None: resp = client.get(r) self.assertEqual(200, resp.status_code) self.assertDictEqual(resp.json[0], expected[0]) + + def test_find_root_cres(self) -> None: + self.maxDiff = None + collection = db.Node_collection() + with self.app.test_client() as client: + response = client.get( + "/rest/v1/root_cres", + headers={"Content-Type": "application/json"}, + ) + self.assertEqual(404, response.status_code) + + cres = { + "ca": defs.CRE(id="1", description="CA", name="CA", tags=["ta"]), + "cd": defs.CRE(id="2", description="CD", name="CD", tags=["td"]), + "cb": defs.CRE(id="3", description="CB", name="CB", tags=["tb"]), + } + cres["ca"].add_link( + defs.Link( + ltype=defs.LinkTypes.Contains, document=cres["cd"].shallow_copy() + ) + ) + cres["cb"].add_link( + defs.Link( + ltype=defs.LinkTypes.Contains, document=cres["cd"].shallow_copy() + ) + ) + dca = collection.add_cre(cres["ca"]) + dcb = collection.add_cre(cres["cb"]) + dcd = collection.add_cre(cres["cd"]) + collection.add_internal_link( + group=dca, cre=dcd, type=defs.LinkTypes.Contains + ) + collection.add_internal_link( + group=dcb, cre=dcd, type=defs.LinkTypes.Contains + ) + + expected = {"data": [cres["ca"].todict(), cres["cb"].todict()]} + response = client.get( + "/rest/v1/root_cres", + headers={"Content-Type": "application/json"}, + ) + self.assertEqual(json.loads(response.data.decode()), expected) + self.assertEqual(200, response.status_code) + + osib_response = client.get( + "/rest/v1/root_cres?osib=true", + headers={"Content-Type": "application/json"}, + ) + osib_expected = { + "data": [cres["ca"].todict(), cres["cb"].todict()], + "osib": osib_defs.cre2osib([cres["ca"], cres["cb"]]).todict(), + } + self.assertEqual(json.loads(osib_response.data.decode()), osib_expected) + self.assertEqual(200, osib_response.status_code) From f73c35a96f324dca450bca5b189e7b4eb7fd6360 Mon Sep 17 00:00:00 2001 
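Review bot: `test_find_root_cres` compares the decoded response with `{"data": [cres["ca"].todict(), cres["cb"].todict()]}` using `assertEqual`, which pins the order in which the two root CREs come back. Unless the endpoint guarantees an ordering (not visible here), compare the lists order-insensitively, e.g. `self.assertCountEqual(json.loads(response.data.decode())["data"], expected["data"])`. The OSIB assertion further down has the same dependency. The new `db.Node_collection()` is also used without the `collection.graph.graph = db.CRE_Graph.load_cre_graph(sqla.session)` line that the previous patch in this series added to `test_find_by_id` and `test_find_by_name`; if that is deliberate now that the graph is a singleton, a short comment saying so would save the next reader the question.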
From: Spyros <northdpole@users.noreply.github.com> Date: Thu, 17 Mar 2022 21:08:30 +0000 Subject: [PATCH 15/26] new db (#175) * new db * new data --- ...idation_sanitization_and_whitelisting.yaml | 9 +- cres/>>Authentication.yaml | 11 + cres/>>Authorized_access.yaml | 35 +- cres/>>Business_logic.yaml | 18 +- cres/>>Dependency_strength.yaml | 62 +- cres/>>Development_&_operations.yaml | 20 +- cres/>>Input_and_output_verification.yaml | 27 +- cres/>>Logging_and_error_handling.yaml | 40 +- cres/>>Personal_data_handling.yaml | 94 +++ cres/>>Secure_communication.yaml | 11 +- cres/>>Secure_data_storage.yaml | 6 + cres/>>Secure_user_management.yaml | 8 +- cres/>>Session_management.yaml | 10 +- cres/>>TBD.yaml | 766 +++++++++++++++++- cres/>>Tags.yaml | 25 +- cres/API-web_services.yaml | 11 +- ...ection_for_cookie_based_REST_services.yaml | 15 +- cres/Add_integrity_check_to_SOAP_payload.yaml | 3 +- cres/Allow_long_passwords.yaml | 4 +- ...rity_checks_on_all_resources_and_code.yaml | 28 + ...elpers,_including_paste_functionality.yaml | 2 +- cres/Allow_unicode_in_passwords.yaml | 2 +- ...Allow_user_revocation_of_Oauth_tokens.yaml | 4 - cres/Architecture.yaml | 39 +- cres/Autenticate_encrypted_data.yaml | 39 + ...dded_by_a_trusted_proxy_or_SSO_device.yaml | 2 - ...Authenticate_all_external_connections.yaml | 7 - cres/Authentication_mechanism.yaml | 25 +- cres/Authorized_access.yaml | 10 + cres/Avoid_deserialization_logic.yaml | 5 + ..._with_exception_of_consecutive_spaces.yaml | 4 +- ...d_unauthorized_client_data_collection.yaml | 7 +- ..._for_authentication_of_access_control.yaml | 2 - ...utheticators_only_as_seconday_factors.yaml | 28 + ...f_file_metadata_from_untrusted_origin.yaml | 8 +- ...ck_execution-output_of_uploaded_files.yaml | 13 +- ...ion_of_content_from_untrusted_clients.yaml | 5 + cres/Centralize_security_controls.yaml | 6 +- ...with_presence_of_old_and_new_password.yaml | 7 +- ...s_against_integer_overflow_weaknesses.yaml | 5 +- 
..._passwords_against_breached_passwords.yaml | 4 +- ..._source_code_to_not_contain_backdoors.yaml | 21 + ...ce_code_to_not_contain_malicious_code.yaml | 4 +- ..._source_code_to_not_contain_timebombs.yaml | 4 +- ..._that_old_or_outdated_data_is_deleted.yaml | 17 +- ...y_sensitive_data_in_protection_levels.yaml | 6 +- ...thentication_data_from_client_storage.yaml | 2 +- ...ear_policy_complient_I-O_requirements.yaml | 38 + ...or_tokens_Iindependently_and_securely.yaml | 35 + cres/Communication_authentication.yaml | 7 +- cres/Communication_encryption.yaml | 4 - cres/Configuration.yaml | 22 - .../Configure_CSP_configuration_properly.yaml | 16 +- ...Configure_HSTS_configuration_properly.yaml | 2 +- ...igure_X-Content-Type-Options_properly.yaml | 2 +- ...gure_X-Frame-Options_for_CSP_properly.yaml | 33 + ...tional_features_based_on_user_stories.yaml | 4 +- cres/Cookie-config.yaml | 24 +- ...cally_secure_random_number_generators.yaml | 2 +- ...c_authentication_software_and_devices.yaml | 21 + cres/Cryptography.yaml | 55 +- cres/DOS.yaml | 30 +- ...ta_security_requirement_documentation.yaml | 14 +- ...e_and_perform_security_analysis_on_it.yaml | 13 +- ...ne_security_steps_in_every_SDLC_stage.yaml | 2 +- ...etime_of_time-based_one-time_passowrd.yaml | 33 + cres/Deny_new_users_by_default.yaml | 4 +- cres/Deployed_topology.yaml | 7 + cres/Deployment.yaml | 26 +- cres/Deployment_process.yaml | 22 +- cres/Deserialization_Prevention.yaml | 21 + cres/Developer_Configuration_Management.yaml | 12 +- cres/Development_verification.yaml | 17 +- cres/Disable_insecure_SSL-TLS_versions.yaml | 18 +- ...sallow_shared_high_privilige_accounts.yaml | 43 + ...nformation_in_HTTP_header_or_responce.yaml | 214 +++++ ...echnical_information_in_error_message.yaml | 8 +- ...otation_rules_or_history_requirements.yaml | 2 +- cres/Do_not_expose_data_through_API_URLs.yaml | 2 +- .../Do_not_expose_data_through_HTTP_verb.yaml | 2 +- cres/Do_not_expose_session_token_in_URL.yaml | 2 +- 
...all_back_to_insecure_protocols_in_TCP.yaml | 4 +- ...racter_types_for_password_composition.yaml | 4 +- ...ot_log_credentials_or_payment_details.yaml | 2 +- ...clear_text)_authenticators_by_default.yaml | 2 +- ...ent_password_during_password_recovery.yaml | 2 +- ...tive_data_on_client_(browser)_storage.yaml | 2 +- ...l_or_dynamic_code_execution_functions.yaml | 2 +- ...se_password_hints_or_secret_questions.yaml | 2 +- ...boundaries_and_significant_data_flows.yaml | 11 +- ...ument_explicit_key-secret_managementt.yaml | 40 + ...irements_for_(data)_protection_levels.yaml | 6 +- cres/Documentation_and_requirements.yaml | 26 +- ...ponents_business_or_security_function.yaml | 27 + ...gurable_alert_against_usage_anomalies.yaml | 7 - ...on_to_log_out_from_all_active_session.yaml | 4 +- cres/Encode_output_context-specifically.yaml | 26 +- ...output_near_the_consuming_interpreter.yaml | 2 +- ...hile_preserving_user_input_formatting.yaml | 4 +- cres/Encode_user_input_before_logging.yaml | 26 +- cres/Encrypt_data_at_rest.yaml | 12 +- cres/Encrypt_financial_data_at_rest.yaml | 27 +- cres/Encrypt_health_data_at_rest.yaml | 27 +- cres/Encrypt_personal_data_at_rest.yaml | 33 +- ...de_both_confidentiality_and_integrity.yaml | 2 +- cres/Encryption_algorithms.yaml | 9 +- ...Enforce_JSON_schema_before_processing.yaml | 22 +- ...h_an_authentication_third_party_(CSP).yaml | 33 + cres/Enforce_high_entropy_session_tokens.yaml | 4 +- ...validation_on_a_trusted_service_layer.yaml | 2 +- ...for_externally_hosted_assets_(eg_SRI).yaml | 48 ++ cres/Enforce_least_privilege.yaml | 4 +- ...ization_both_at_URI_and_final_resourc.yaml | 38 + ...ence_of_business_flows_to_avoid_abuse.yaml | 2 +- ...Enforce_schema_on_XML_structure-field.yaml | 17 +- ...a_on_type-contents_of_structured_data.yaml | 19 +- ...cess_control_on_trusted_service_layer.yaml | 46 ++ ..._elements_can_be_upgraded_or_replaced.yaml | 13 +- ..._integrity_of_DNS_entries_and_domains.yaml | 3 +- 
...re_proper_generation_of_secure_random.yaml | 9 +- ...orithms_for_generating_session_tokens.yaml | 4 +- cres/Ensure_session_timeout_(soft-hard).yaml | 6 +- ...l-safe_is_in_place_for_access_control.yaml | 4 +- ...usted_origin_of_third_party_resources.yaml | 9 +- ...users_can_remove_or_export_their_data.yaml | 12 +- cres/Escape_output_against_XSS.yaml | 27 +- cres/Fail_securely.yaml | 1 + cres/File_download.yaml | 9 + cres/File_execution.yaml | 6 +- cres/File_handling.yaml | 5 - cres/Force_format_strings_as_constants.yaml | 5 +- ...ing_for_specific_interpreters_context.yaml | 4 +- ...to_check_outdated-insecure_components.yaml | 8 +- ...ncoders_and_parsers_throughout_system.yaml | 7 - ...ew_session_token_after_authentication.yaml | 11 +- cres/Guidelines.yaml | 2 + cres/HTTP_security_headers.yaml | 4 +- ..._by_excluding_unwanted_functiuonality.yaml | 21 + cres/Http_headers.yaml | 3 +- ...itive_data_and_subject_it_to_a_policy.yaml | 173 +--- ...d_origin_(local_file_context,_eg_LFI).yaml | 28 + ..._origin_(remote_file_context,_eg_RFI).yaml | 36 + ...xecution_logic_from_untrusted_sources.yaml | 3 +- ...its_against_identified_business_risks.yaml | 2 +- ...and_use_it_only_after_opt-in_consent..yaml | 29 + ...form_users_for_authentication_renewal.yaml | 5 + cres/Injection.yaml | 47 +- cres/Input_validation.yaml | 17 +- ...pplication_request_minimal_permisions.yaml | 26 + ...t_cryptographic_modules_fail_securely.yaml | 4 +- ...thorize_users_access_to_functionality.yaml | 7 +- cres/Limit_REST_HTTP_methods.yaml | 2 +- ...ess_to_admin-management_functionality.yaml | 2 +- ..._specifically_authorized_actors-users.yaml | 2 +- ...act_GraphQL-data_layer_expression_DoS.yaml | 7 +- ...erization)_to_avoid_injection_attacks.yaml | 28 +- cres/Log_access_protection.yaml | 6 + cres/Log_consistent_format_across_system.yaml | 40 + cres/Log_discretely.yaml | 6 + ..._sufficiently_to_recreate_their_order.yaml | 4 +- cres/Log_injection_protection.yaml | 6 + cres/Log_integrity.yaml | 15 +- 
cres/Log_only_non-sensitive_data.yaml | 4 +- cres/Log_time_synchronization.yaml | 6 + cres/MFA-OTP.yaml | 18 +- ...inventory_of_third_party_repositories.yaml | 6 +- ...cure_coding_resources_for_programmers.yaml | 4 +- cres/Manage_temporary_storage.yaml | 4 +- cres/Memory,_String,_and_Unmanaged_Code.yaml | 9 - ...e_intensity_(e.g._number_of_requests).yaml | 8 +- ...istic_human_time_business_logic_flows.yaml | 9 +- cres/Monitor_suspected_automation_abuse.yaml | 9 +- .../Monitor_unusual_activities_on_system.yaml | 9 +- ...ation_components._Minimize_privileges.yaml | 5 +- cres/Network_protection.yaml | 8 + cres/Notify_user_about_credential_change.yaml | 2 +- ...out_anomalies_in_their_usage_patterns.yaml | 5 + ...Offer_password_changing_functionality.yaml | 7 +- ...put_encoding_and_injection_prevention.yaml | 10 +- cres/Parse_JSON_safely.yaml | 7 +- ...tographic_operations_in_constant_time.yaml | 2 - cres/Prevent_security_disclosure.yaml | 8 +- ...n_foe_all_applications_and_frameworks.yaml | 36 + ...authorized_access-modification_(IDOR).yaml | 2 +- ..._against_JS_or_JSON_injection_attacks.yaml | 4 +- cres/Protect_against_LDAP_injection.yaml | 7 +- cres/Protect_against_LFI_-_RFI.yaml | 5 +- ...t_against_OS_command_injection_attack.yaml | 10 +- cres/Protect_against_XML-XPath_injection.yaml | 7 +- ..._directory_browsing-discovery_attacks.yaml | 5 +- ...inst_mass_parameter_assignment_attack.yaml | 2 +- ...cation_between_application_components.yaml | 9 +- cres/Protect_logs_against_log_injection.yaml | 26 +- ...tect_logs_against_unauthorized_access.yaml | 166 +--- cres/Provide_a_password_strength_meter.yaml | 2 +- ...tire_password_or_last_typed_character.yaml | 2 +- ...system_flexibility_for_access_control.yaml | 6 +- cres/RESTful.yaml | 7 +- ...nticate_before_sensitive_transactions.yaml | 2 +- ...tication_from_federation_or_assertion.yaml | 2 +- cres/Remove_dead_code.yaml | 39 + cres/Restrict_XML_parsing_(against_XXE).yaml | 23 +- cres/Restrict_excessive_authentication.yaml 
| 2 +- ...ate_applications_at_the_network_level.yaml | 2 +- cres/Sandbox_third_party_libraries.yaml | 6 +- cres/Sanitization_and_sandboxing.yaml | 19 +- ...riptable_or_template_language_content.yaml | 16 +- ..._where_template-injection_is_a_threat.yaml | 11 +- ...sted_origin_if_processing_is_required.yaml | 5 +- cres/Sanitize_unstructured_data.yaml | 2 +- cres/Sanitize_untrusted_HTML_input.yaml | 4 +- ...to_mail_systems_(SMTP-IMAP_injection).yaml | 2 +- cres/Scan_untrusted_files_for_malware.yaml | 2 +- cres/Secret_storage.yaml | 2 +- cres/Secure_Development.yaml | 6 + cres/Secure_auto-updates_over_full_stack.yaml | 3 +- cres/Secure_communication.yaml | 8 + cres/Secure_random_values.yaml | 2 - ...lized_objects_(e.g._integrity_checks).yaml | 2 +- cres/Secure_transfer_of_logs_(remotely).yaml | 27 + ...ely_store_files_with_untrusted_origin.yaml | 2 +- cres/Securely_store_regulated_data.yaml | 2 - ...Send_authentication_secrets_encrypted.yaml | 14 +- ...)_authorization_logic_from_data_layer.yaml | 7 - cres/Server_protection.yaml | 10 +- cres/Session_logout_and_timeout.yaml | 47 ++ cres/Session_token_generation.yaml | 5 + ...refix_for_cookie-based_session_tokens.yaml | 44 + ...ibute_for_cookie-based_session_tokens.yaml | 17 +- ...content-Disposition_for_API_responses.yaml | 27 + ...session_tokens_as_precise_as_possible.yaml | 50 ++ cres/Set_proper_(C)_compiler_flags.yaml | 3 +- ...ibute_for_cookie-based_session_tokens.yaml | 19 +- ...ibute_for_cookie-based_session_tokens.yaml | 17 +- .../Set_sufficient_anti-chaching_headers.yaml | 32 + ...t_feasible_iteration_count_for_PBKDF2.yaml | 2 +- ...ghest_feasible_work_factor_for_bcrypt.yaml | 2 +- ...xceptions_or_unanticipated_exceptions.yaml | 4 +- ...annot_execute-damage_server_or_client.yaml | 10 +- cres/Store_passwords_salted_and_hashed.yaml | 2 +- ...ciber-provided_authentication_devices.yaml | 28 + cres/Synchronize_time_zones_for_logs.yaml | 3 +- cres/TLS.yaml | 10 +- cres/Techniques.yaml | 2 + 
...all_sessions_when_password_is_changed.yaml | 4 +- cres/Terminate_session_after_logout.yaml | 6 +- ...t_model_every_design_change_or_sprint.yaml | 7 - cres/Token-based_session_management.yaml | 19 + ...arty_components_build-_or_compiletime.yaml | 44 + ..._even_when_using_RBAC_for_permissions.yaml | 2 +- ...ols_for_unauthenticated_functionality.yaml | 15 +- ..._centralized_access_control_mechanism.yaml | 24 +- ...dedicated_secrets_management_solution.yaml | 2 +- ...rt_error_handler_for_unhandled_errors.yaml | 4 +- ...ue_challenge_nonce_of_sufficient_size.yaml | 9 +- ...y_module_for_cryptographic_operations.yaml | 2 +- ...Use_approved_cryptographic_algorithms.yaml | 6 +- ..._generation,_seeding_and_verification.yaml | 2 +- ..._generation,_seeding_and_verification.yaml | 43 + ..._centralized_authentication_mechanism.yaml | 8 +- ...cally_secure_random_number_generators.yaml | 2 +- ...al_secrets_rather_than_static_secrets.yaml | 9 +- cres/Use_exception_handling_uniformly.yaml | 4 +- ...e_OS_accounts_for_system_(components).yaml | 2 +- cres/Use_least_privilege_for_resources.yaml | 2 +- ...Use_memory-safe_functions_exclusively.yaml | 7 +- ..._and_initialization_vectors_only_once.yaml | 13 +- ...Use_proper_source_code_control_system.yaml | 6 +- ...ry_mechanisms_for_forgotten_passwords.yaml | 4 +- ...f_the_art_cryptographic_configuration.yaml | 13 +- ...ufficient_entropy_for_each_credential.yaml | 2 +- cres/Use_upredictable_lookup_secrets.yaml | 28 + ...ypto_only_for_backwards_compatibility.yaml | 13 +- ...ords_are_of_sufficient_minimum_length.yaml | 4 +- ...ptographically_secure_characteristics.yaml | 39 + cres/Validate_HTTP_request_headers.yaml | 17 +- cres/Validate_max_input-file_sizes.yaml | 5 +- ...inst_HTTP_parameter_polution_attacks).yaml | 42 + ...Verify_content-type_for_REST_services.yaml | 3 +- ...rify_strong_TLS_algorithms_by_testing.yaml | 11 +- ...henticity_of_both_headers_and_payload.yaml | 16 - ...s_in_browers,_use_secure_methods_only.yaml | 39 + 
cres/White-list_CORS_resources.yaml | 27 + cres/White-list_HTTP_methods.yaml | 4 +- cres/Whitelist_all_external_(HTTP)_input.yaml | 19 +- cres/Whitelist_data_sources_and_sinks.yaml | 12 +- ...st_file_extensions_served_by_web_tier.yaml | 9 +- cres/Whitelist_redirected-forwarded_URLs.yaml | 5 +- cres/XML_Parser_hardening.yaml | 7 +- cres/XSS.yaml | 29 +- cres/db.sqlite | Bin 466944 -> 397312 bytes 291 files changed, 3384 insertions(+), 1638 deletions(-) create mode 100644 cres/>>Personal_data_handling.yaml create mode 100644 cres/Allow_only_trusted_sources_both_buildtime_and_runtime;_therefore_perform_integrity_checks_on_all_resources_and_code.yaml create mode 100644 cres/Autenticate_encrypted_data.yaml create mode 100644 cres/Authorized_access.yaml create mode 100644 cres/Biometric_autheticators_only_as_seconday_factors.yaml create mode 100644 cres/Check_source_code_to_not_contain_backdoors.yaml create mode 100644 cres/Clear_policy_complient_I-O_requirements.yaml create mode 100644 cres/Communicate_out_of_band_authentication_requests,_codes_or_tokens_Iindependently_and_securely.yaml create mode 100644 cres/Configure_X-Frame-Options_for_CSP_properly.yaml create mode 100644 cres/Cryptographic_authentication_software_and_devices.yaml create mode 100644 cres/Defined_lifetime_of_time-based_one-time_passowrd.yaml create mode 100644 cres/Disallow_shared_high_privilige_accounts.yaml create mode 100644 cres/Do_not_disclose_technical_information_in_HTTP_header_or_responce.yaml create mode 100644 cres/Document_explicit_key-secret_managementt.yaml create mode 100644 cres/Docuymentation_of_all_components_business_or_security_function.yaml create mode 100644 cres/Enforce_authentication_time-out_when_dealing_with_an_authentication_third_party_(CSP).yaml create mode 100644 cres/Enforce_integrity_ckeck_for_externally_hosted_assets_(eg_SRI).yaml create mode 100644 cres/Enforce_model-based_authorization_both_at_URI_and_final_resourc.yaml create mode 100644 
cres/Enfroce_access_control_on_trusted_service_layer.yaml create mode 100644 cres/Harden_application_by_excluding_unwanted_functiuonality.yaml create mode 100644 cres/Ignore-at_least_validate_filename_metadata_from_untrusted_origin_(local_file_context,_eg_LFI).yaml create mode 100644 cres/Ignore-at_least_validate_filename_metadata_from_untrusted_origin_(remote_file_context,_eg_RFI).yaml create mode 100644 cres/Inform_users_clearly_about_the_collection_and_use_of_personal_data,_and_use_it_only_after_opt-in_consent..yaml create mode 100644 cres/Let_application_request_minimal_permisions.yaml create mode 100644 cres/Log_consistent_format_across_system.yaml create mode 100644 cres/Proper_Configuration_foe_all_applications_and_frameworks.yaml create mode 100644 cres/Remove_dead_code.yaml create mode 100644 cres/Secure_communication.yaml create mode 100644 cres/Secure_transfer_of_logs_(remotely).yaml create mode 100644 cres/Session_logout_and_timeout.yaml create mode 100644 cres/Set__Host_prefix_for_cookie-based_session_tokens.yaml create mode 100644 cres/Set_metadate-content-Disposition_for_API_responses.yaml create mode 100644 cres/Set_path_attribute_in_cookie-bases_session_tokens_as_precise_as_possible.yaml create mode 100644 cres/Set_sufficient_anti-chaching_headers.yaml create mode 100644 cres/Support_subsciber-provided_authentication_devices.yaml create mode 100644 cres/Token-based_session_management.yaml create mode 100644 cres/Update_third_party_components_build-_or_compiletime.yaml create mode 100644 cres/Use_approved_cryptographic_algorithms_in_generation,_seeding_and_verification.yaml create mode 100644 cres/Use_upredictable_lookup_secrets.yaml create mode 100644 cres/Using_stateless_tokens,_ensure_cryptographically_secure_characteristics.yaml create mode 100644 cres/Validatie-enforce_HTTP_inputs_(against_HTTP_parameter_polution_attacks).yaml create mode 100644 cres/When_storing_session_tokens_in_browers,_use_secure_methods_only.yaml create mode 100644 
cres/White-list_CORS_resources.yaml diff --git a/cres/(SSRF)_When_depending_on_internal_server_input,_use_validation_sanitization_and_whitelisting.yaml b/cres/(SSRF)_When_depending_on_internal_server_input,_use_validation_sanitization_and_whitelisting.yaml index 4e41eb096..4b12db8e4 100644 --- a/cres/(SSRF)_When_depending_on_internal_server_input,_use_validation_sanitization_and_whitelisting.yaml +++ b/cres/(SSRF)_When_depending_on_internal_server_input,_use_validation_sanitization_and_whitelisting.yaml @@ -9,11 +9,6 @@ links: - Injection - XSS ltype: Contains -- document: - doctype: CRE - id: 028-727 - name: SSRF - ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md @@ -29,7 +24,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11-Testing_for_Code_Injection.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-INPV-11 ltype: Linked To - document: @@ -58,5 +53,3 @@ links: ltype: Linked To name: (SSRF) When depending on internal server input, use validation sanitization and whitelisting -tags: -- SSRF diff --git a/cres/>>Authentication.yaml b/cres/>>Authentication.yaml index 10425ca9b..3cef7f644 100644 --- a/cres/>>Authentication.yaml +++ b/cres/>>Authentication.yaml @@ -11,6 +11,11 @@ links: id: 455-885 name: Credentials directives ltype: Contains +- document: + doctype: CRE + id: 634-733 + name: Communication authentication + ltype: Related - document: doctype: CRE id: 065-782 @@ -82,4 +87,10 @@ links: name: NIST 800-53 v5 section: IA-8 Identification and Authentication (non-organizational Users) ltype: Linked To +- document: + doctype: Standard + hyperlink: Loading... + name: Top10 2017 + section: A2_Broken_Authentication + ltype: Linked To name: '>>Authentication' 
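Review bot: The Top10 2017 entry added at the end of `cres/>>Authentication.yaml` carries `hyperlink: Loading...`, which looks like placeholder text captured during import rather than a URL. The same value is added for `A5_Broken_Access_Control` in `cres/>>Authorized_access.yaml`. Anything that renders or follows `hyperlink` will receive a non-URL string, so the import step should reject values that do not parse as an http(s) URL, and these two entries should carry the real link or omit the key. In the SSRF file the standard name also changes from `WSTG` to `(WSTG) Web Security Testing Guide`; if lookups key on the standard name, existing references to `WSTG` would stop matching, which is worth confirming.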
diff --git a/cres/>>Authorized_access.yaml b/cres/>>Authorized_access.yaml index 188cfe146..2187d3f4f 100644 --- a/cres/>>Authorized_access.yaml +++ b/cres/>>Authorized_access.yaml @@ -4,9 +4,7 @@ links: - document: doctype: CRE id: 540-566 - name: Let application request minimal permissions - tags: - - Personal data handling + name: Let application request minimal permisions ltype: Contains - document: doctype: CRE @@ -16,7 +14,7 @@ links: - document: doctype: CRE id: 650-560 - name: Enforce access control on trusted service layer + name: Enfroce access control on trusted service layer tags: - Architecture ltype: Contains @@ -35,8 +33,6 @@ links: id: 060-472 name: Use CSRF protection against authenticated functionality, add anti-automation controls for unauthenticated functionality - tags: - - CSRF ltype: Contains - document: doctype: CRE @@ -60,7 +56,7 @@ links: ltype: Contains - document: doctype: CRE - id: 368-633 + id: 624-716 name: Use least privilege for resources ltype: Contains - document: @@ -71,7 +67,7 @@ links: - document: doctype: CRE id: 664-080 - name: Enforce model-based authorization both at URI and final resource + name: Enforce model-based authorization both at URI and final resourc ltype: Contains - document: doctype: CRE @@ -95,23 +91,6 @@ links: id: 640-364 name: Enforce access control on trusted parts/serverside ltype: Contains -- document: - doctype: CRE - id: 651-530 - name: 'Was: TBD' - ltype: Contains -- document: - doctype: CRE - id: 278-413 - name: Mutually authenticate application components. Minimize privileges - tags: - - Architecture - ltype: Related -- document: - doctype: CRE - id: 746-705 - name: Limit/authorize user's access to functionality - ltype: Related - document: doctype: CRE id: 273-600 
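Review bot: Several CRE names in `cres/>>Authorized_access.yaml` change from a correct spelling to a misspelled or truncated one: `Let application request minimal permisions`, `Enfroce access control on trusted service layer` and `Enforce model-based authorization both at URI and final resourc`. The diffstat shows files created under those spellings (for example `cres/Enfroce_access_control_on_trusted_service_layer.yaml`), so the typos become part of the paths and of anything that resolves a CRE by name. The hunk at `-60,7` also changes the id of `Use least privilege for resources` from `368-633` to `624-716`; if ids are meant to be stable references, the commit message should say why. These look like defects in the upstream source data, so the fix likely belongs there and not in the exported YAML.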
@@ -170,4 +149,10 @@ links: name: NIST 800-53 v5 section: SC-2 Separation of System and User Functionality ltype: Linked To +- document: + doctype: Standard + hyperlink: Loading... + name: Top10 2017 + section: A5_Broken_Access_Control + ltype: Linked To name: '>>Authorized access' diff --git a/cres/>>Business_logic.yaml b/cres/>>Business_logic.yaml index 20e097885..956073b35 100644 --- a/cres/>>Business_logic.yaml +++ b/cres/>>Business_logic.yaml @@ -10,15 +10,11 @@ links: doctype: CRE id: 630-573 name: Monitor suspected automation abuse - tags: - - DOS ltype: Contains - document: doctype: CRE id: 725-682 name: Enable configurable alert against usage anomalies - tags: - - DOS ltype: Contains - document: doctype: CRE @@ -29,8 +25,6 @@ links: doctype: CRE id: 418-853 name: Monitor unusual activities on system - tags: - - DOS ltype: Contains - document: doctype: CRE @@ -51,8 +45,6 @@ links: doctype: CRE id: 456-535 name: Monitor for realistic "human time" business logic flows - tags: - - DOS ltype: Contains - document: doctype: CRE @@ -67,18 +59,14 @@ links: - document: doctype: CRE id: 082-327 - name: Inform users clearly about the collection and use of personal data, and + name: Inform users clearly about the collection and use of personal data, and use it only after opt-in consent. - tags: - - Personal data handling - ltype: Contains + ltype: Related - document: doctype: CRE id: 762-451 name: Ensure users can remove or export their data - tags: - - Personal data handling - ltype: Contains + ltype: Related name: '>>Business logic' tags: - DOS diff --git a/cres/>>Dependency_strength.yaml b/cres/>>Dependency_strength.yaml index 5014a4d70..250dbb47c 100644 --- a/cres/>>Dependency_strength.yaml +++ b/cres/>>Dependency_strength.yaml 
@@ -1,12 +1,45 @@ doctype: CRE id: 613-285 links: +- document: + doctype: CRE + id: 053-751 + name: Force pipeline to check outdated/insecure components + ltype: Contains - document: doctype: CRE id: 462-245 - name: Remove unnecessary features, documentation, configuration etc - tags: - - Configuration + name: Remove dead code + ltype: Contains +- document: + doctype: CRE + id: 577-260 + name: Enforce integrity ckeck for externally hosted assets (eg SRI) + ltype: Contains +- document: + doctype: CRE + id: 863-521 + name: Maintain/manage inventory of third party repositories + ltype: Contains +- document: + doctype: CRE + id: 838-636 + name: Check source code to not contain backdoors + ltype: Contains +- document: + doctype: CRE + id: 265-800 + name: Check source code to not contain malicious code + ltype: Contains +- document: + doctype: CRE + id: 418-525 + name: Check source code to not contain timebombs + ltype: Contains +- document: + doctype: CRE + id: 834-645 + name: Avoid unauthorized client data collection ltype: Contains - document: doctype: CRE @@ -16,19 +49,22 @@ links: - document: doctype: CRE id: 154-031 - name: Harden application by excluding unwanted functionality - tags: - - Configuration + name: Harden application by excluding unwanted functiuonality ltype: Contains - document: doctype: CRE - id: 613-286 - name: Dependency management + id: 860-084 + name: Sandbox third party libraries ltype: Contains - document: doctype: CRE - id: 613-287 - name: Dependency integrity + id: 715-223 + name: Ensure trusted origin of third party resources + ltype: Contains +- document: + doctype: CRE + id: 715-334 + name: Update third party components build- or compiletime ltype: Contains - document: doctype: Standard 
@@ -48,4 +84,10 @@ links: name: NIST 800-53 v5 section: SA-4 Acquisition Process ltype: Linked To +- document: + doctype: Standard + hyperlink: Loading... + name: Top10 2017 + section: A9-Using_Components_with_Known_Vulnerabilities + ltype: Linked To name: '>>Dependency strength' diff --git a/cres/>>Development_&_operations.yaml b/cres/>>Development_&_operations.yaml index 4168a0fda..ce9ab537d 100644 --- a/cres/>>Development_&_operations.yaml +++ b/cres/>>Development_&_operations.yaml @@ -30,27 +30,23 @@ links: ltype: Contains - document: doctype: CRE - id: 344-611 - name: Centralize security controls - tags: - - Architecture + id: 354-846 + name: Documentation and requirements ltype: Contains - document: doctype: CRE - id: 625-323 - name: Documentation and requirements - tags: - - Architecture + id: 840-758 + name: Secure Development ltype: Contains - document: doctype: CRE - id: 863-521 - name: Maintain/manage inventory of third party repositories + id: 577-260 + name: Enforce integrity ckeck for externally hosted assets (eg SRI) ltype: Related - document: doctype: CRE - id: 577-260 - name: Enforce integrity check for externally hosted assets (eg SRI) + id: 863-521 + name: Maintain/manage inventory of third party repositories ltype: Related - document: doctype: Standard diff --git a/cres/>>Input_and_output_verification.yaml b/cres/>>Input_and_output_verification.yaml index 6fcba5120..dff3c254c 100644 --- a/cres/>>Input_and_output_verification.yaml +++ b/cres/>>Input_and_output_verification.yaml @@ -28,8 +28,6 @@ links: doctype: CRE id: 866-553 name: Memory, String, and Unmanaged Code - tags: - - Injection ltype: Contains - document: doctype: CRE 
@@ -58,34 +56,21 @@ links: doctype: CRE id: 541-441 name: Validate HTTP request headers - tags: - - Injection + ltype: Contains +- document: + doctype: CRE + id: 764-508 + name: XML Parser hardening ltype: Contains - document: doctype: CRE id: 630-573 name: Monitor suspected automation abuse - tags: - - DOS ltype: Related - document: doctype: CRE id: 782-234 - name: Clear policy compliant I/O requirements - ltype: Related -- document: - doctype: CRE - id: 821-540 - name: Protect logs against log injection - tags: - - Injection - ltype: Related -- document: - doctype: CRE - id: 048-612 - name: Encode user input before logging - tags: - - Injection + name: Clear policy complient I/O requirements ltype: Related - document: doctype: Standard diff --git a/cres/>>Logging_and_error_handling.yaml b/cres/>>Logging_and_error_handling.yaml index 9e3f08e2b..159ce620d 100644 --- a/cres/>>Logging_and_error_handling.yaml +++ b/cres/>>Logging_and_error_handling.yaml @@ -3,18 +3,15 @@ id: 842-876 links: - document: doctype: CRE - id: 148-420 - name: Log integrity - ltype: Contains -- document: - doctype: CRE - id: 843-841 - name: Log discretely + id: 260-200 + name: Log consistent format across system + tags: + - Architecture ltype: Contains - document: doctype: CRE - id: 402-706 - name: Log relevant + id: 026-280 + name: Secure transfer of logs (remotely) ltype: Contains - document: doctype: CRE @@ -26,19 +23,30 @@ links: id: 141-555 name: Fail securely ltype: Contains +- document: + doctype: CRE + id: 843-841 + name: Log discretely + ltype: Contains +- document: + doctype: CRE + id: 148-420 + name: Log integrity + ltype: Contains +- document: + doctype: CRE + id: 402-706 + name: Log relevant + ltype: Contains - document: doctype: CRE id: 725-682 name: Enable configurable alert against usage anomalies - tags: - - DOS ltype: Related - document: doctype: CRE id: 418-853 name: Monitor unusual activities on system - tags: - - DOS ltype: Related - document: doctype: CRE 
@@ -100,4 +108,10 @@ links: name: NIST 800-53 v5 section: AU-7 Audit Record Reduction and Report Generation ltype: Linked To +- document: + doctype: Standard + hyperlink: Loading... + name: Top10 2017 + section: A10_Insufficient_Logging&Monitoring + ltype: Linked To name: '>>Logging and error handling' diff --git a/cres/>>Personal_data_handling.yaml b/cres/>>Personal_data_handling.yaml new file mode 100644 index 000000000..97c4e5e95 --- /dev/null +++ b/cres/>>Personal_data_handling.yaml 
@@ -0,0 +1,94 @@ +doctype: CRE +id: 362-550 +links: +- document: + doctype: CRE + id: 227-045 + name: Identify sensitive data and subject it to a policy + ltype: Contains +- document: + doctype: CRE + id: 082-327 + name: Inform users clearly about the collection and use of personal data, and + use it only after opt-in consent. + ltype: Contains +- document: + doctype: CRE + id: 762-451 + name: Ensure users can remove or export their data + ltype: Contains +- document: + doctype: CRE + id: 268-272 + name: Classify personal data regarding retention so that old or outdated data + is deleted + ltype: Contains +- document: + doctype: CRE + id: 540-566 + name: Let application request minimal permisions + ltype: Related +- document: + doctype: CRE + id: 765-788 + name: Classify sensitive data in protection levels + ltype: Related +- document: + doctype: CRE + id: 731-120 + name: Document requirements for (data) protection levels + ltype: Related +- document: + doctype: CRE + id: 482-866 + name: Encrypt personal data at rest + ltype: Related +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PT-1 + name: NIST 800-53 v5 + section: PT-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PT-2 + name: NIST 800-53 v5 + section: PT-2 Authority to Process Personally Identifiable Information + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PT-3 + name: NIST 800-53 v5 + section: PT-3 Personally Identifiable Information Processing Purposes + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PT-4 
+ name: NIST 800-53 v5 + section: PT-4 Consent + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PT-5 + name: NIST 800-53 v5 + section: PT-5 Privacy Notice + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PT-6 + name: NIST 800-53 v5 + section: PT-6 System of Records Notice + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PT-7 + name: NIST 800-53 v5 + section: PT-7 Specific Categories of Personally Identifiable Information + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PT-8 + name: NIST 800-53 v5 + section: PT-8 Computer Matching Requirements + ltype: Linked To +name: '>>Personal data handling' diff --git a/cres/>>Secure_communication.yaml b/cres/>>Secure_communication.yaml index b3df401db..bd3cd8b84 100644 --- a/cres/>>Secure_communication.yaml +++ b/cres/>>Secure_communication.yaml @@ -30,11 +30,6 @@ links: id: 683-036 name: Wireless link protection ltype: Contains -- document: - doctype: CRE - id: 270-634 - name: Send authentication secrets encrypted - ltype: Related - document: doctype: CRE id: 456-636 @@ -58,6 +53,12 @@ links: name: NIST 800-53 v5 section: SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY ltype: Linked To +- document: + doctype: Standard + hyperlink: Loading... + name: Top10 2017 + section: A3-Sensitive_Data_Exposure + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-3 
diff --git a/cres/>>Secure_data_storage.yaml b/cres/>>Secure_data_storage.yaml index 170a2ad98..11d946465 100644 --- a/cres/>>Secure_data_storage.yaml +++ b/cres/>>Secure_data_storage.yaml @@ -37,4 +37,10 @@ links: tags: - Cryptography ltype: Contains +- document: + doctype: Standard + hyperlink: Loading... + name: Top10 2017 + section: A3-Sensitive_Data_Exposure + ltype: Linked To name: '>>Secure data storage' diff --git a/cres/>>Secure_user_management.yaml b/cres/>>Secure_user_management.yaml index 703e5347f..410234fa5 100644 --- a/cres/>>Secure_user_management.yaml +++ b/cres/>>Secure_user_management.yaml @@ -9,7 +9,7 @@ links: - document: doctype: CRE id: 623-347 - name: Disallow shared high privileged accounts + name: Disallow shared high privilige accounts ltype: Contains - document: doctype: CRE @@ -51,4 +51,10 @@ links: id: 673-736 name: Enable option to log out from all active session ltype: Related +- document: + doctype: Standard + hyperlink: Loading... + name: Top10 2017 + section: A2_Broken_Authentication + ltype: Linked To name: '>>Secure user management' diff --git a/cres/>>Session_management.yaml b/cres/>>Session_management.yaml index ef7cb99fd..ca41cef66 100644 --- a/cres/>>Session_management.yaml +++ b/cres/>>Session_management.yaml @@ -29,7 +29,7 @@ links: - document: doctype: CRE id: 470-731 - name: Session lifecycle + name: Session logout and timeout ltype: Contains - document: doctype: CRE @@ -39,7 +39,7 @@ links: - document: doctype: CRE id: 114-277 - name: Session integrity + name: Token-based session management ltype: Contains - document: doctype: Standard @@ -59,4 +59,10 @@ links: name: NIST 800-53 v5 section: SC-23 SESSION AUTHENTICITY ltype: Linked To +- document: + doctype: Standard + hyperlink: Loading... + name: Top10 2017 + section: A2_Broken_Authentication + ltype: Linked To name: '>>Session management' diff --git a/cres/>>TBD.yaml b/cres/>>TBD.yaml index b047f8beb..bb25528d5 100644 --- a/cres/>>TBD.yaml +++ b/cres/>>TBD.yaml 
@@ -1,8 +1,766 @@ doctype: CRE +id: 651-530 links: - document: - doctype: CRE - id: 651-530 - name: 'Was: TBD' - ltype: Contains + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-16 + name: NIST 800-53 v5 + section: AC-16 Security and Privacy Attributes + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-17 + name: NIST 800-53 v5 + section: AC-17 Remote Access + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-18 + name: NIST 800-53 v5 + section: AC-18 Wireless Access + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-19 + name: NIST 800-53 v5 + section: AC-19 Access Control for Mobile Devices + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-20 + name: NIST 800-53 v5 + section: AC-20 Use of External Systems + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-21 + name: NIST 800-53 v5 + section: AC-21 Information Sharing + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-22 + name: NIST 800-53 v5 + section: AC-22 Publicly Accessible Content + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-23 + name: NIST 
800-53 v5 + section: AC-23 Data Mining Protection + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-25 + name: NIST 800-53 v5 + section: AC-25 Reference Monitor + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-4 + name: NIST 800-53 v5 + section: AC-4 Information Flow Enforcement + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AT-1 + name: NIST 800-53 v5 + section: AT-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AT-2 + name: NIST 800-53 v5 + section: AT-2 Literacy Training and Awareness + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AT-3 + name: NIST 800-53 v5 + section: AT-3 Role-based Training + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AT-4 + name: NIST 800-53 v5 + section: AT-4 Training Records + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AT-5 + name: NIST 800-53 v5 + section: AT-5 Contacts with Security Groups and Associations + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AT-6 + name: NIST 800-53 v5 + section: AT-6 Training Feedback 
+ ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-13 + name: NIST 800-53 v5 + section: AU-13 Monitoring for Information Disclosure + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-14 + name: NIST 800-53 v5 + section: AU-14 Session Audit + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-1 + name: NIST 800-53 v5 + section: CP-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-10 + name: NIST 800-53 v5 + section: CP-10 System Recovery and Reconstitution + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-11 + name: NIST 800-53 v5 + section: CP-11 Alternate Communications Protocols + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-12 + name: NIST 800-53 v5 + section: CP-12 Safe Mode + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-13 + name: NIST 800-53 v5 + section: CP-13 Alternative Security Mechanisms + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-2 + name: NIST 800-53 v5 + section: CP-2 Contingency Plan + ltype: Linked To +- document: + 
doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-3 + name: NIST 800-53 v5 + section: CP-3 Contingency Training + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-4 + name: NIST 800-53 v5 + section: CP-4 Contingency Plan Testing + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-5 + name: NIST 800-53 v5 + section: CP-5 Contingency Plan Update + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-6 + name: NIST 800-53 v5 + section: CP-6 Alternate Storage Site + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-7 + name: NIST 800-53 v5 + section: CP-7 Alternate Processing Site + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-8 + name: NIST 800-53 v5 + section: CP-8 Telecommunications Services + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-9 + name: NIST 800-53 v5 + section: CP-9 System Backup + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-1 + name: NIST 800-53 v5 + section: IR-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-10 + name: NIST 800-53 v5 + section: IR-10 Integrated Information Security Analysis Team + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-2 + name: NIST 800-53 v5 + section: IR-2 Incident Response Training + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-3 + name: NIST 800-53 v5 + section: IR-3 Incident Response Testing + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-4 + name: NIST 800-53 v5 + section: IR-4 Incident Handling + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-5 + name: NIST 800-53 v5 + section: IR-5 Incident Monitoring + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-6 + name: NIST 800-53 v5 + section: IR-6 Incident Reporting + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-7 + name: NIST 800-53 v5 + section: IR-7 Incident Response Assistance + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-8 + name: NIST 800-53 v5 + section: IR-8 Incident Response Plan + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-9 + name: NIST 800-53 v5 + section: IR-9 Information Spillage Response + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MA-1 + name: NIST 800-53 v5 + section: MA-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MA-2 + name: NIST 800-53 v5 + section: MA-2 Controlled Maintenance + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MA-3 + name: NIST 800-53 v5 + section: MA-3 Maintenance Tools + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MA-4 + name: NIST 800-53 v5 + section: MA-4 Nonlocal Maintenance + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MA-5 + name: NIST 800-53 v5 + section: MA-5 Maintenance Personnel + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MA-6 + name: NIST 800-53 v5 + section: MA-6 Timely Maintenance + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MA-7 + name: NIST 800-53 v5 + section: MA-7 Field Maintenance + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MP-1 + name: NIST 800-53 v5 + section: MP-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MP-2 + name: NIST 800-53 v5 + section: MP-2 Media Access + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MP-3 + name: NIST 800-53 v5 + section: MP-3 Media Marking + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MP-4 + name: NIST 800-53 v5 + section: MP-4 Media Storage + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MP-5 + name: NIST 800-53 v5 + section: MP-5 Media Transport + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MP-6 + name: NIST 800-53 v5 + section: MP-6 Media Sanitization + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MP-7 + name: NIST 800-53 v5 + section: MP-7 Media Use + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=MP-8 + name: NIST 800-53 v5 + section: MP-8 Media Downgrading + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-1 + name: NIST 
800-53 v5 + section: PE-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-10 + name: NIST 800-53 v5 + section: PE-10 Emergency Shutoff + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-11 + name: NIST 800-53 v5 + section: PE-11 Emergency Power + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-12 + name: NIST 800-53 v5 + section: PE-12 Emergency Lighting + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-13 + name: NIST 800-53 v5 + section: PE-13 Fire Protection + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-14 + name: NIST 800-53 v5 + section: PE-14 Environmental Controls + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-15 + name: NIST 800-53 v5 + section: PE-15 Water Damage Protection + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-16 + name: NIST 800-53 v5 + section: PE-16 Delivery and Removal + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-17 + name: NIST 800-53 v5 + section: PE-17 Alternate Work Site + ltype: Linked To +- document: + 
doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-18 + name: NIST 800-53 v5 + section: PE-18 Location of System Components + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-19 + name: NIST 800-53 v5 + section: PE-19 Information Leakage + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-2 + name: NIST 800-53 v5 + section: PE-2 Physical Access Authorizations + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-20 + name: NIST 800-53 v5 + section: PE-20 Asset Monitoring and Tracking + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-21 + name: NIST 800-53 v5 + section: PE-21 Electromagnetic Pulse Protection + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-22 + name: NIST 800-53 v5 + section: PE-22 Component Marking + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-23 + name: NIST 800-53 v5 + section: PE-23 Facility Location + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-3 + name: NIST 800-53 v5 + section: PE-3 Physical Access Control + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-4 + name: NIST 800-53 v5 + section: PE-4 Access Control for Transmission + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-5 + name: NIST 800-53 v5 + section: PE-5 Access Control for Output Devices + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-6 + name: NIST 800-53 v5 + section: PE-6 Monitoring Physical Access + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-7 + name: NIST 800-53 v5 + section: PE-7 Visitor Control + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-8 + name: NIST 800-53 v5 + section: PE-8 Visitor Access Records + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-9 + name: NIST 800-53 v5 + section: PE-9 Power Equipment and Cabling + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PL-4 + name: NIST 800-53 v5 + section: PL-4 Rules of Behavior + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-15 + name: NIST 800-53 v5 + section: SC-15 Collaborative Computing Devices and Applications + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SR-1 + name: NIST 800-53 v5 + section: SR-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SR-10 + name: NIST 800-53 v5 + section: SR-10 Inspection of Systems or Components + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SR-11 + name: NIST 800-53 v5 + section: SR-11 Component Authenticity + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SR-12 + name: NIST 800-53 v5 + section: SR-12 Component Disposal + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SR-2 + name: NIST 800-53 v5 + section: SR-2 Supply Chain Risk Management Plan + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SR-3 + name: NIST 800-53 v5 + section: SR-3 Supply Chain Controls and Processes + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SR-4 + name: NIST 800-53 v5 + section: SR-4 Provenance + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SR-5 + name: NIST 800-53 v5 + section: SR-5 Acquisition Strategies, Tools, and Methods + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SR-6 + name: NIST 800-53 v5 + section: SR-6 Supplier Assessments and Reviews + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SR-7 + name: NIST 800-53 v5 + section: SR-7 Supply Chain Operations Security + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SR-8 + name: NIST 800-53 v5 + section: SR-8 Notification Agreements + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SR-9 + name: NIST 800-53 v5 + section: SR-9 Tamper Resistance and Detection + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-22 + name: NIST 800-53 v5 + section: SC-22 Architecture and Provisioning for Name/address Resolution Service + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-1 + name: NIST 800-53 v5 + section: CA-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-2 + name: NIST 800-53 v5 + section: CA-2 Control Assessments + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-5 + name: NIST 800-53 v5 + section: CA-5 Plan of Action and Milestones + ltype: Linked To +- document: + doctype: Standard + 
hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-6 + name: NIST 800-53 v5 + section: CA-6 Authorization + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-7 + name: NIST 800-53 v5 + section: CA-7 Continuous Monitoring + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-8 + name: NIST 800-53 v5 + section: CA-8 Penetration Testing + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PL-1 + name: NIST 800-53 v5 + section: PL-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PL-10 + name: NIST 800-53 v5 + section: PL-10 Baseline Selection + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PL-11 + name: NIST 800-53 v5 + section: PL-11 Baseline Tailoring + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-1 + name: NIST 800-53 v5 + section: SC-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-31 + name: NIST 800-53 v5 + section: SC-31 Covert Channel Analysis + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-6 + name: NIST 800-53 v5 + section: SC-6 Resource Availability + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-1 + name: NIST 800-53 v5 + section: SI-1 Policy and Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-11 + name: NIST 800-53 v5 + section: SI-11 Error Handling + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-12 + name: NIST 800-53 v5 + section: SI-12 Information Management and Retention + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-13 + name: NIST 800-53 v5 + section: SI-13 Predictable Failure Prevention + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-14 + name: NIST 800-53 v5 + section: SI-14 Non-persistence + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-15 + name: NIST 800-53 v5 + section: SI-15 Information Output Filtering + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-16 + name: NIST 800-53 v5 + section: SI-16 Memory Protection + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-17 + name: NIST 800-53 v5 + section: SI-17 Fail-safe Procedures + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-18 + name: NIST 800-53 v5 + section: SI-18 Personally Identifiable Information Quality Operations + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-19 + name: NIST 800-53 v5 + section: SI-19 De-identification + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-2 + name: NIST 800-53 v5 + section: SI-2 Flaw Remediation + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-20 + name: NIST 800-53 v5 + section: SI-20 Tainting + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-21 + name: NIST 800-53 v5 + section: SI-21 Information Refresh + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-22 + name: NIST 800-53 v5 + section: SI-22 Information Diversity + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-23 + name: NIST 800-53 v5 + section: SI-23 Information Fragmentation + ltype: Linked To +- document: + doctype: Standard + hyperlink: 
https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-3 + name: NIST 800-53 v5 + section: SI-3 Malicious Code Protection + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-4 + name: NIST 800-53 v5 + section: SI-4 System Monitoring + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-5 + name: NIST 800-53 v5 + section: SI-5 Security Alerts, Advisories, and Directives + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-6 + name: NIST 800-53 v5 + section: SI-6 Security and Privacy Function Verification + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-7 + name: NIST 800-53 v5 + section: SI-7 Software, Firmware, and Information Integrity + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-8 + name: NIST 800-53 v5 + section: SI-8 Spam Protection + ltype: Linked To name: '>>TBD' diff --git a/cres/>>Tags.yaml b/cres/>>Tags.yaml index 52df5178a..0c43be0ab 100644 --- a/cres/>>Tags.yaml +++ b/cres/>>Tags.yaml @@ -25,13 +25,6 @@ links: doctype: CRE id: 760-764 name: Injection - tags: - - XSS - ltype: Contains -- document: - doctype: CRE - id: 760-765 - name: XSS ltype: Contains - document: doctype: CRE 
@@ -45,22 +38,12 @@ links: ltype: Contains - document: doctype: CRE - id: 155-155 - name: Architecture - ltype: Contains -- document: - doctype: CRE - id: 028-727 - name: SSRF - ltype: Contains -- document: - doctype: CRE - id: 028-727 - name: CSRF + id: 028-726 + name: XSS ltype: Contains - document: doctype: CRE - id: 028-728 - name: Personal data handling + id: 155-155 + name: Architecture ltype: Contains name: '>>Tags' diff --git a/cres/API-web_services.yaml b/cres/API-web_services.yaml index 5cd561340..54b0c1c8d 100644 --- a/cres/API-web_services.yaml +++ b/cres/API-web_services.yaml @@ -15,15 +15,18 @@ links: doctype: CRE id: 061-186 name: Force uniform encoders and parsers throughout system - tags: - - SSRF ltype: Contains - document: doctype: CRE id: 612-252 name: Separate GraphQL (or similar) authorization logic from data layer + ltype: Contains +- document: + doctype: CRE + id: 268-088 + name: Limit query impact GraphQL/data layer expression DoS tags: - - Architecture + - DOS ltype: Contains - document: doctype: CRE @@ -43,7 +46,7 @@ links: - document: doctype: CRE id: 664-080 - name: Enforce model-based authorization both at URI and final resource + name: Enforce model-based authorization both at URI and final resourc ltype: Related - document: doctype: CRE diff --git a/cres/Add_CSRF_protection_for_cookie_based_REST_services.yaml b/cres/Add_CSRF_protection_for_cookie_based_REST_services.yaml index 919593b86..b42b51fa6 100644 --- a/cres/Add_CSRF_protection_for_cookie_based_REST_services.yaml +++ b/cres/Add_CSRF_protection_for_cookie_based_REST_services.yaml @@ -6,11 +6,6 @@ links: id: 071-288 name: RESTful ltype: Contains -- document: - doctype: CRE - id: 028-727 - name: CSRF - ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x21-V13-API.md 
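Review bot: In `cres/API-web_services.yaml`, the hunk `@@ -43,7 +46,7 @@` truncates the name of CRE 664-080 to `Enforce model-based authorization both at URI and final resourc`; the removed line had the full word `resource`. The same kind of regression appears further down in `cres/Architecture.yaml`, where 650-560 becomes `Enfroce access control on trusted service layer` and 260-200 loses a word (`Log consistent format across system`). The ids are unchanged in all three cases, so these look like unintended edits, and I would keep the previous spellings, e.g. `name: Enforce model-based authorization both at URI and final resource`. If these files are exported from another source (the patch does not show this), the correction belongs there, otherwise the next export will reintroduce the damaged names.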
@@ -26,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-SESS-05 ltype: Linked To - document: @@ -49,18 +44,18 @@ links: ltype: Linked To - document: doctype: Tool - name: 'ZAP Alert: "Anti-CSRF Tokens Check"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/CsrfTokenScanRule.java + name: 'ZAP Rule: "Anti-CSRF Tokens Check"' tags: - '"Active"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "Absence of Anti-CSRF Tokens"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRule.java + name: 'ZAP Rule: "Absence of Anti-CSRF Tokens"' tags: - '"Passive"' tooltype: Offensive ltype: SAME name: Add CSRF protection for cookie based REST services -tags: -- CSRF diff --git a/cres/Add_integrity_check_to_SOAP_payload.yaml b/cres/Add_integrity_check_to_SOAP_payload.yaml index f037e16dc..ec624974b 100644 --- a/cres/Add_integrity_check_to_SOAP_payload.yaml +++ b/cres/Add_integrity_check_to_SOAP_payload.yaml @@ -33,7 +33,8 @@ links: description: '"Ensure each page is setting the specific and appropriate content-type value for the content being delivered."' doctype: Tool - name: 'ZAP Alert: "Content-Type Header Missing"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentTypeMissingScanRule.java + name: 'ZAP Rule: "Content-Type Header Missing"' tags: - '"Passive"' tooltype: Offensive diff --git a/cres/Allow_long_passwords.yaml b/cres/Allow_long_passwords.yaml index 77fca9de0..d90dcbe4b 100644 
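Review bot: The `hyperlink` values added for the two ZAP rules in `cres/Add_CSRF_protection_for_cookie_based_REST_services.yaml` (`@@ -49,18 +44,18 @@`) point at `blob/main` in zaproxy/zap-extensions, so they follow a moving branch, whereas the ASVS links in the same files are pinned to `v4.0.2`. A link such as `.../addOns/ascanrulesBeta/.../CsrfTokenScanRule.java` stops resolving, or resolves to different content, once the rule is moved or renamed upstream, and a reader then has no record of which rule revision the mapping was made against. I would pin these to a release tag or commit, e.g. `https://github.com/zaproxy/zap-extensions/blob/<TAG_OR_COMMIT>/addOns/...`; if they are produced by the new `zap_alerts_parser.py`, that parser could record the revision it read. The same applies to the ZAP links added in `Add_integrity_check_to_SOAP_payload.yaml`, `Avoid_unauthorized_client_data_collection.yaml`, `Block_direct_execution_of_file_metadata_from_untrusted_origin.yaml` and `Check_boundaries_against_integer_overflow_weaknesses.yaml`.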
--- a/cres/Allow_long_passwords.yaml +++ b/cres/Allow_long_passwords.yaml @@ -15,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html - name: OPC + name: OWASP Proactive Controls section: C6 ltype: Linked To - document: @@ -27,7 +27,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-ATHN-07 ltype: Linked To - document: diff --git a/cres/Allow_only_trusted_sources_both_buildtime_and_runtime;_therefore_perform_integrity_checks_on_all_resources_and_code.yaml b/cres/Allow_only_trusted_sources_both_buildtime_and_runtime;_therefore_perform_integrity_checks_on_all_resources_and_code.yaml new file mode 100644 index 000000000..65435f280 --- /dev/null +++ b/cres/Allow_only_trusted_sources_both_buildtime_and_runtime;_therefore_perform_integrity_checks_on_all_resources_and_code.yaml @@ -0,0 +1,28 @@ +doctype: CRE +id: 307-507 +links: +- document: + doctype: CRE + id: 615-188 + name: Deployment process + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x18-V10-Malicious.md + name: ASVS + section: V10.3.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/353.html + name: CWE + section: '353' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html + name: Cheat_sheets + section: Docker Security Cheat Sheet + ltype: Linked To +name: Allow only trusted sources both buildtime and runtime; therefore perform integrity + checks on all resources and code 
diff --git a/cres/Allow_password_helpers,_including_paste_functionality.yaml b/cres/Allow_password_helpers,_including_paste_functionality.yaml index 88b97c7d5..0d4ca9b3c 100644 --- a/cres/Allow_password_helpers,_including_paste_functionality.yaml +++ b/cres/Allow_password_helpers,_including_paste_functionality.yaml @@ -21,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-ATHN-07 ltype: Linked To - document: diff --git a/cres/Allow_unicode_in_passwords.yaml b/cres/Allow_unicode_in_passwords.yaml index e9d44efa9..6e0717f41 100644 --- a/cres/Allow_unicode_in_passwords.yaml +++ b/cres/Allow_unicode_in_passwords.yaml @@ -21,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-ATHN-07 ltype: Linked To - document: diff --git a/cres/Allow_user_revocation_of_Oauth_tokens.yaml b/cres/Allow_user_revocation_of_Oauth_tokens.yaml index 958ddef9d..868770552 100644 --- a/cres/Allow_user_revocation_of_Oauth_tokens.yaml +++ b/cres/Allow_user_revocation_of_Oauth_tokens.yaml @@ -6,10 +6,6 @@ links: id: 258-115 name: Re-authentication from federation or assertion ltype: Contains -- document: - doctype: CRE - name: '>>Authorization' - ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md diff --git a/cres/Architecture.yaml b/cres/Architecture.yaml index 055e0386c..8f28f0258 100644 --- a/cres/Architecture.yaml +++ b/cres/Architecture.yaml 
@@ -18,7 +18,7 @@ links: - document: doctype: CRE id: 650-560 - name: Enforce access control on trusted service layer + name: Enfroce access control on trusted service layer tags: - Architecture ltype: Related @@ -36,20 +36,6 @@ links: tags: - Architecture ltype: Related -- document: - doctype: CRE - id: 340-754 - name: Threat model every design change or sprint - tags: - - Architecture - ltype: Related -- document: - doctype: CRE - id: 625-323 - name: Documentation and requirements - tags: - - Architecture - ltype: Related - document: doctype: CRE id: 344-611 @@ -57,27 +43,6 @@ links: tags: - Architecture ltype: Related -- document: - doctype: CRE - id: 004-130 - name: Define High-level architecture and perform security analysis on it - tags: - - Architecture - ltype: Related -- document: - doctype: CRE - id: 820-877 - name: Document all trust boundaries and significant data flows - tags: - - Architecture - ltype: Related -- document: - doctype: CRE - id: 612-252 - name: Separate GraphQL (or similar) authorization logic from data layer - tags: - - Architecture - ltype: Related - document: doctype: CRE id: 848-711 @@ -88,7 +53,7 @@ links: - document: doctype: CRE id: 260-200 - name: Log in consistent format across system + name: Log consistent format across system tags: - Architecture ltype: Related diff --git a/cres/Autenticate_encrypted_data.yaml b/cres/Autenticate_encrypted_data.yaml new file mode 100644 index 000000000..395013559 --- /dev/null +++ b/cres/Autenticate_encrypted_data.yaml 
@@ -0,0 +1,39 @@ +doctype: CRE +id: 786-224 +links: +- document: + doctype: CRE + id: 742-432 + name: Encryption algorithms + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x14-V6-Cryptography.md + name: ASVS + section: V6.2.7 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/326.html + name: CWE + section: '326' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html + name: (WSTG) Web Security Testing Guide + section: WSTG-CRYP-04 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html + name: Cheat_sheets + section: Cryptographic Storage Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Key Management Cheat Sheet + ltype: Linked To +name: Autenticate encrypted data diff --git a/cres/Authenticate_HTTP_headers_added_by_a_trusted_proxy_or_SSO_device.yaml b/cres/Authenticate_HTTP_headers_added_by_a_trusted_proxy_or_SSO_device.yaml index 522c3bad7..eec1edaef 100644 --- a/cres/Authenticate_HTTP_headers_added_by_a_trusted_proxy_or_SSO_device.yaml +++ b/cres/Authenticate_HTTP_headers_added_by_a_trusted_proxy_or_SSO_device.yaml @@ -5,8 +5,6 @@ links: doctype: CRE id: 541-441 name: Validate HTTP request headers - tags: - - Injection ltype: Contains - document: doctype: Standard diff --git a/cres/Authenticate_all_external_connections.yaml b/cres/Authenticate_all_external_connections.yaml index 8b0d88632..c6b7d0dd8 100644 --- a/cres/Authenticate_all_external_connections.yaml +++ b/cres/Authenticate_all_external_connections.yaml 
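Review bot: The new CRE in `cres/Autenticate_encrypted_data.yaml` is created with a misspelled name, `name: Autenticate encrypted data`, and the file path repeats the misspelling. The path appears to be derived from the name, so correcting it later means a file rename and any name-based lookup has to know both spellings; it is cheaper to fix before merge: `name: Authenticate encrypted data`. `Biometric_autheticators_only_as_seconday_factors.yaml` and the `Clear_policy_complient_I-O_requirements.yaml` path added later in this patch have the same problem.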
@@ -6,11 +6,6 @@ links: id: 634-733 name: Communication authentication ltype: Contains -- document: - doctype: CRE - id: 170-772 - name: Cryptography - ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x17-V9-Communications.md @@ -24,5 +19,3 @@ links: section: '287' ltype: Linked To name: Authenticate all external connections -tags: -- Cryptography diff --git a/cres/Authentication_mechanism.yaml b/cres/Authentication_mechanism.yaml index 7f555a919..7e6d674c8 100644 --- a/cres/Authentication_mechanism.yaml +++ b/cres/Authentication_mechanism.yaml @@ -38,7 +38,7 @@ links: - document: doctype: CRE id: 585-408 - name: Cryptographic directives + name: Cryptographic authentication software and devices ltype: Contains - document: doctype: CRE @@ -59,13 +59,28 @@ links: ltype: Contains - document: doctype: CRE - id: 177-260 - name: '>>Session management' + id: 138-448 + name: Inform users for authentication renewal ltype: Related - document: doctype: CRE - id: 551-054 - name: Use ephemeral secrets rather than static secrets + id: 808-425 + name: Notify users about anomalies in their usage patterns + ltype: Related +- document: + doctype: CRE + id: 751-176 + name: Offer password changing functionality + ltype: Related +- document: + doctype: CRE + id: 327-505 + name: Change password with presence of old and new password + ltype: Related +- document: + doctype: CRE + id: 177-260 + name: '>>Session management' ltype: Related - document: doctype: Standard diff --git a/cres/Authorized_access.yaml b/cres/Authorized_access.yaml new file mode 100644 index 000000000..1d51d28bf --- /dev/null +++ b/cres/Authorized_access.yaml @@ -0,0 +1,10 @@ +doctype: CRE +links: +- document: + doctype: CRE + id: 278-413 + name: Mutually authenticate application components. Minimize privileges + tags: + - Architecture + ltype: Related +name: Authorized access 
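Review bot: The new `cres/Authorized_access.yaml` (`@@ -0,0 +1,10 @@`) declares `doctype: CRE` without an `id:` line, while the other CRE files added in this patch carry one (for example `id: 786-224` in `Autenticate_encrypted_data.yaml`). Anything that keys CREs or resolves links by id would have nothing to match this node on. The commit's file list also contains `cres/>>Authorized_access.yaml`, so this may be an accidental duplicate of that node under a second name. I would either add the id (`id: <CRE-ID>`) or drop the file if the `>>` entry is the intended one.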
diff --git a/cres/Avoid_deserialization_logic.yaml b/cres/Avoid_deserialization_logic.yaml index 85a43d968..52fbbb3ea 100644 --- a/cres/Avoid_deserialization_logic.yaml +++ b/cres/Avoid_deserialization_logic.yaml @@ -1,6 +1,11 @@ doctype: CRE id: 831-563 links: +- document: + doctype: CRE + id: 836-068 + name: Deserialization Prevention + ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md diff --git a/cres/Avoid_password_truncation,_with_exception_of_consecutive_spaces.yaml b/cres/Avoid_password_truncation,_with_exception_of_consecutive_spaces.yaml index 70e4d194c..676f8c6e3 100644 --- a/cres/Avoid_password_truncation,_with_exception_of_consecutive_spaces.yaml +++ b/cres/Avoid_password_truncation,_with_exception_of_consecutive_spaces.yaml @@ -15,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html - name: OPC + name: OWASP Proactive Controls section: C6 ltype: Linked To - document: @@ -27,7 +27,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-ATHN-07 ltype: Linked To - document: diff --git a/cres/Avoid_unauthorized_client_data_collection.yaml b/cres/Avoid_unauthorized_client_data_collection.yaml index 1b8e872da..e2660d0a2 100644 --- a/cres/Avoid_unauthorized_client_data_collection.yaml +++ b/cres/Avoid_unauthorized_client_data_collection.yaml @@ -3,8 +3,8 @@ id: 834-645 links: - document: doctype: CRE - id: 613-287 - name: Dependency integrity + id: 613-285 + name: '>>Dependency strength' ltype: Contains - document: doctype: Standard 
@@ -20,7 +20,8 @@ links: ltype: Linked To - document: doctype: Tool - name: 'ZAP Alert: "Personally Identifiable Information via WebSocket"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/websocket/src/main/zapHomeFiles/scripts/templates/websocketpassive/PII%20Disclosure.js + name: 'ZAP Rule: "Personally Identifiable Information via WebSocket"' tags: - '"WebSocket Passive"' tooltype: Offensive diff --git a/cres/Avoid_using_of_Origin_header_for_authentication_of_access_control.yaml b/cres/Avoid_using_of_Origin_header_for_authentication_of_access_control.yaml index 3a4eaee60..ae3566cd7 100644 --- a/cres/Avoid_using_of_Origin_header_for_authentication_of_access_control.yaml +++ b/cres/Avoid_using_of_Origin_header_for_authentication_of_access_control.yaml @@ -5,8 +5,6 @@ links: doctype: CRE id: 541-441 name: Validate HTTP request headers - tags: - - Injection ltype: Contains - document: doctype: Standard diff --git a/cres/Biometric_autheticators_only_as_seconday_factors.yaml b/cres/Biometric_autheticators_only_as_seconday_factors.yaml new file mode 100644 index 000000000..2eabda588 --- /dev/null +++ b/cres/Biometric_autheticators_only_as_seconday_factors.yaml @@ -0,0 +1,28 @@ +doctype: CRE +id: 076-470 +links: +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.8.7 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/308.html + name: CWE + section: '308' + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.2.3 + ltype: Linked To +name: Biometric autheticators only as seconday factors 
diff --git a/cres/Block_direct_execution_of_file_metadata_from_untrusted_origin.yaml b/cres/Block_direct_execution_of_file_metadata_from_untrusted_origin.yaml index 54a19b597..9783a7814 100644 --- a/cres/Block_direct_execution_of_file_metadata_from_untrusted_origin.yaml +++ b/cres/Block_direct_execution_of_file_metadata_from_untrusted_origin.yaml @@ -21,12 +21,13 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-INPV-12 ltype: Linked To - document: doctype: Tool - name: 'ZAP Alert: "Remote OS Command Injection"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java + name: 'ZAP Rule: "Remote OS Command Injection"' tags: - '"Active"' tooltype: Offensive @@ -34,7 +35,8 @@ links: - document: description: '"Update Bash on the server to the latest version"' doctype: Tool - name: 'ZAP Alert: "Remote Code Execution - Shell Shock"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ShellShockScanRule.java + name: 'ZAP Rule: "Remote Code Execution - Shell Shock"' tags: - '"Active"' tooltype: Offensive diff --git a/cres/Block_execution-output_of_uploaded_files.yaml b/cres/Block_execution-output_of_uploaded_files.yaml index 7d8ae231a..539ff4b08 100644 --- a/cres/Block_execution-output_of_uploaded_files.yaml +++ b/cres/Block_execution-output_of_uploaded_files.yaml 
@@ -3,9 +3,14 @@ id: 545-243 links: - document: doctype: CRE - id: 130-550 - name: File handling + id: 040-843 + name: File download ltype: Contains +- document: + doctype: CRE + id: 623-550 + name: DOS + ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x20-V12-Files-Resources.md @@ -21,7 +26,9 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-BUSL-09 ltype: Linked To name: Block execution/output of uploaded files +tags: +- DOS diff --git a/cres/Block_serialization_of_content_from_untrusted_clients.yaml b/cres/Block_serialization_of_content_from_untrusted_clients.yaml index f044f1869..9fb5ab45e 100644 --- a/cres/Block_serialization_of_content_from_untrusted_clients.yaml +++ b/cres/Block_serialization_of_content_from_untrusted_clients.yaml @@ -1,6 +1,11 @@ doctype: CRE id: 736-554 links: +- document: + doctype: CRE + id: 836-068 + name: Deserialization Prevention + ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md diff --git a/cres/Centralize_security_controls.yaml b/cres/Centralize_security_controls.yaml index 54179a9b5..2ab650d7c 100644 --- a/cres/Centralize_security_controls.yaml +++ b/cres/Centralize_security_controls.yaml @@ -3,8 +3,8 @@ id: 344-611 links: - document: doctype: CRE - id: 153-513 - name: '>>Development & operations' + id: 354-846 + name: Documentation and requirements ltype: Contains - document: doctype: CRE @@ -20,7 +20,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c10-handle-errors-exceptions.html - name: OPC + name: OWASP Proactive Controls section: C10 ltype: Linked To - document: 
diff --git a/cres/Change_password_with_presence_of_old_and_new_password.yaml b/cres/Change_password_with_presence_of_old_and_new_password.yaml index a1c4c0c5e..ba405160d 100644 --- a/cres/Change_password_with_presence_of_old_and_new_password.yaml +++ b/cres/Change_password_with_presence_of_old_and_new_password.yaml @@ -6,6 +6,11 @@ links: id: 586-842 name: '>>Secure user management' ltype: Contains +- document: + doctype: CRE + id: 270-568 + name: Authentication mechanism + ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md @@ -21,7 +26,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-ATHN-07 ltype: Linked To - document: diff --git a/cres/Check_boundaries_against_integer_overflow_weaknesses.yaml b/cres/Check_boundaries_against_integer_overflow_weaknesses.yaml index 4a6463113..517a7eb42 100644 --- a/cres/Check_boundaries_against_integer_overflow_weaknesses.yaml +++ b/cres/Check_boundaries_against_integer_overflow_weaknesses.yaml @@ -5,8 +5,6 @@ links: doctype: CRE id: 866-553 name: Memory, String, and Unmanaged Code - tags: - - Injection ltype: Contains - document: doctype: Standard @@ -25,7 +23,8 @@ links: of integer being input to prevent overflows and divide by 0 errors. This will require a recompile of the background executable."' doctype: Tool - name: 'ZAP Alert: "Integer Overflow Error"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/IntegerOverflowScanRule.java + name: 'ZAP Rule: "Integer Overflow Error"' tags: - '"Active"' tooltype: Offensive 
diff --git a/cres/Check_new_passwords_against_breached_passwords.yaml b/cres/Check_new_passwords_against_breached_passwords.yaml index 8c0f92984..25a063c09 100644 --- a/cres/Check_new_passwords_against_breached_passwords.yaml +++ b/cres/Check_new_passwords_against_breached_passwords.yaml @@ -15,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html - name: OPC + name: OWASP Proactive Controls section: C6 ltype: Linked To - document: @@ -27,7 +27,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-ATHN-07 ltype: Linked To - document: diff --git a/cres/Check_source_code_to_not_contain_backdoors.yaml b/cres/Check_source_code_to_not_contain_backdoors.yaml new file mode 100644 index 000000000..1eb90dbff --- /dev/null +++ b/cres/Check_source_code_to_not_contain_backdoors.yaml @@ -0,0 +1,21 @@ +doctype: CRE +id: 838-636 +links: +- document: + doctype: CRE + id: 613-285 + name: '>>Dependency strength' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x18-V10-Malicious.md + name: ASVS + section: V10.2.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/507.html + name: CWE + section: '507' + ltype: Linked To +name: Check source code to not contain backdoors diff --git a/cres/Check_source_code_to_not_contain_malicious_code.yaml b/cres/Check_source_code_to_not_contain_malicious_code.yaml index 2ae0f0466..93425e80d 100644 --- a/cres/Check_source_code_to_not_contain_malicious_code.yaml +++ b/cres/Check_source_code_to_not_contain_malicious_code.yaml 
@@ -3,8 +3,8 @@ id: 265-800 links: - document: doctype: CRE - id: 613-287 - name: Dependency integrity + id: 613-285 + name: '>>Dependency strength' ltype: Contains - document: doctype: Standard diff --git a/cres/Check_source_code_to_not_contain_timebombs.yaml b/cres/Check_source_code_to_not_contain_timebombs.yaml index de95f58b4..994844602 100644 --- a/cres/Check_source_code_to_not_contain_timebombs.yaml +++ b/cres/Check_source_code_to_not_contain_timebombs.yaml @@ -3,8 +3,8 @@ id: 418-525 links: - document: doctype: CRE - id: 613-287 - name: Dependency integrity + id: 613-285 + name: '>>Dependency strength' ltype: Contains - document: doctype: Standard diff --git a/cres/Classify_personal_data_regarding_retention_so_that_old_or_outdated_data_is_deleted.yaml b/cres/Classify_personal_data_regarding_retention_so_that_old_or_outdated_data_is_deleted.yaml index 6191f0f60..3be2e54ea 100644 --- a/cres/Classify_personal_data_regarding_retention_so_that_old_or_outdated_data_is_deleted.yaml +++ b/cres/Classify_personal_data_regarding_retention_so_that_old_or_outdated_data_is_deleted.yaml @@ -3,20 +3,9 @@ id: 268-272 links: - document: doctype: CRE - name: '>>Documentation and requirements' + id: 362-550 + name: '>>Personal data handling' ltype: Contains -- document: - doctype: CRE - id: 028-728 - name: Personal data handling - ltype: Related -- document: - doctype: CRE - id: 783-355 - name: Deployment - tags: - - Configuration - ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x16-V8-Data-Protection.md @@ -30,5 +19,3 @@ links: section: '285' ltype: Linked To name: Classify personal data regarding retention so that old or outdated data is deleted -tags: -- Personal data handling diff --git a/cres/Classify_sensitive_data_in_protection_levels.yaml b/cres/Classify_sensitive_data_in_protection_levels.yaml index f4439b4c1..2e0a4ddcd 100644 --- a/cres/Classify_sensitive_data_in_protection_levels.yaml 
+++ b/cres/Classify_sensitive_data_in_protection_levels.yaml @@ -8,8 +8,8 @@ links: ltype: Contains - document: doctype: CRE - id: 028-728 - name: Personal data handling + id: 362-550 + name: '>>Personal data handling' ltype: Related - document: doctype: Standard @@ -30,5 +30,3 @@ links: section: User Privacy Protection Cheat Sheet ltype: Linked To name: Classify sensitive data in protection levels -tags: -- Personal data handling diff --git a/cres/Clear_authentication_data_from_client_storage.yaml b/cres/Clear_authentication_data_from_client_storage.yaml index 3016eb103..561eef502 100644 --- a/cres/Clear_authentication_data_from_client_storage.yaml +++ b/cres/Clear_authentication_data_from_client_storage.yaml @@ -21,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/12-Testing_Browser_Storage.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CLNT-12 ltype: Linked To name: Clear authentication data from client storage diff --git a/cres/Clear_policy_complient_I-O_requirements.yaml b/cres/Clear_policy_complient_I-O_requirements.yaml new file mode 100644 index 000000000..a185d5aa1 --- /dev/null +++ b/cres/Clear_policy_complient_I-O_requirements.yaml 
@@ -0,0 +1,38 @@ +doctype: CRE +id: 782-234 +links: +- document: + doctype: CRE + id: 354-846 + name: Documentation and requirements + ltype: Contains +- document: + doctype: CRE + id: 503-455 + name: '>>Input and output verification' + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.5.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/1029.html + name: CWE + section: '1029' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html + name: Cheat_sheets + section: Abuse Case Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html + name: Cheat_sheets + section: Deserialization Cheat Sheet + ltype: Linked To +name: Clear policy complient I/O requirements diff --git a/cres/Communicate_out_of_band_authentication_requests,_codes_or_tokens_Iindependently_and_securely.yaml b/cres/Communicate_out_of_band_authentication_requests,_codes_or_tokens_Iindependently_and_securely.yaml new file mode 100644 index 000000000..483c24367 --- /dev/null +++ b/cres/Communicate_out_of_band_authentication_requests,_codes_or_tokens_Iindependently_and_securely.yaml 
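Review bot: The new CRE `name: Clear policy complient I/O requirements`, and the file name derived from it, carries a spelling error. Linking documents repeat the `name` next to the `id`, so the misspelling spreads to every file that references this CRE. Other names added in this patch have the same problem: `Iindependently`, `passowrd`, `privilige` and `responce`. If these come from the source spreadsheet, I would correct them there before export, e.g. `name: Clear policy compliant I/O requirements`, so that file names and link names stay in step.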
@@ -0,0 +1,35 @@ +doctype: CRE +id: 102-811 +links: +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.7.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/523.html + name: CWE + section: '523' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html + name: Cheat_sheets + section: Forgot Password Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.3.2 + ltype: Linked To +name: Communicate out of band authentication requests, codes or tokens Iindependently + and securely diff --git a/cres/Communication_authentication.yaml b/cres/Communication_authentication.yaml index aee411444..613a2b95f 100644 --- a/cres/Communication_authentication.yaml +++ b/cres/Communication_authentication.yaml @@ -6,12 +6,15 @@ links: id: 278-646 name: '>>Secure communication' ltype: Contains +- document: + doctype: CRE + id: 633-428 + name: '>>Authentication' + ltype: Related - document: doctype: CRE id: 605-735 name: Authenticate all external connections - tags: - - Cryptography ltype: Contains - document: doctype: CRE diff --git a/cres/Communication_encryption.yaml b/cres/Communication_encryption.yaml index 50cd0f669..4334700f1 100644 --- a/cres/Communication_encryption.yaml +++ b/cres/Communication_encryption.yaml @@ -15,15 +15,11 @@ links: doctype: CRE id: 527-034 name: Protect communication between application components - tags: - - Cryptography ltype: Contains - document: doctype: CRE id: 426-842 name: Verify the authenticity of both headers and payload - tags: - - Cryptography ltype: Contains name: Communication encryption tags: 
diff --git a/cres/Configuration.yaml b/cres/Configuration.yaml index 27e566353..b287d4707 100644 --- a/cres/Configuration.yaml +++ b/cres/Configuration.yaml @@ -8,20 +8,6 @@ links: tags: - Configuration ltype: Related -- document: - doctype: CRE - id: 462-245 - name: Remove unnecessary features, documentation, configuration etc - tags: - - Configuration - ltype: Related -- document: - doctype: CRE - id: 154-031 - name: Harden application by excluding unwanted functionality - tags: - - Configuration - ltype: Related - document: doctype: CRE id: 783-355 @@ -29,13 +15,6 @@ links: tags: - Configuration ltype: Related -- document: - doctype: CRE - id: 180-488 - name: Proper Configuration for all applications and frameworks - tags: - - Configuration - ltype: Related - document: doctype: CRE id: 308-515 @@ -48,7 +27,6 @@ links: id: 764-507 name: Restrict XML parsing (against XXE) tags: - - Injection - Configuration ltype: Related - document: diff --git a/cres/Configure_CSP_configuration_properly.yaml b/cres/Configure_CSP_configuration_properly.yaml index 7f16cf4cc..397e05481 100644 --- a/cres/Configure_CSP_configuration_properly.yaml +++ b/cres/Configure_CSP_configuration_properly.yaml @@ -8,7 +8,7 @@ links: ltype: Contains - document: doctype: CRE - id: 760-765 + id: 028-726 name: XSS ltype: Related - document: 
@@ -28,7 +28,7 @@ links: hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.html; https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting.html; https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-INPV-01; WSTG-INPV-02; WSTG-CLNT-01 ltype: Linked To - document: @@ -44,7 +44,8 @@ links: you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy''s ''frame-ancestors'' directive."' doctype: Tool - name: 'ZAP Alert: "X-Frame-Options Setting Malformed"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRule.java + name: 'ZAP Rule: "X-Frame-Options Setting Malformed"' tags: - '"Passive"' tooltype: Offensive @@ -52,7 +53,8 @@ links: - document: description: '"Ensure only a single X-Frame-Options header is present in the response."' doctype: Tool - name: 'ZAP Alert: "Multiple X-Frame-Options Header Entries"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRule.java + name: 'ZAP Rule: "Multiple X-Frame-Options Header Entries"' tags: - '"Passive"' tooltype: Offensive 
@@ -61,14 +63,16 @@ links: description: '"Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy''s ''frame-ancestors'' directive."' doctype: Tool - name: 'ZAP Alert: "X-Frame-Options Defined via META (Non-compliant with Spec)"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRule.java + name: 'ZAP Rule: "X-Frame-Options Defined via META (Non-compliant with Spec)"' tags: - '"Passive"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "Missing Anti-clickjacking Header"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRule.java + name: 'ZAP Rule: "Missing Anti-clickjacking Header"' tags: - '"Passive"' tooltype: Offensive diff --git a/cres/Configure_HSTS_configuration_properly.yaml b/cres/Configure_HSTS_configuration_properly.yaml index 9c3e8db64..65aa44614 100644 --- a/cres/Configure_HSTS_configuration_properly.yaml +++ b/cres/Configure_HSTS_configuration_properly.yaml @@ -21,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/07-Test_HTTP_Strict_Transport_Security.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CONF-07 ltype: Linked To - document: diff --git a/cres/Configure_X-Content-Type-Options_properly.yaml b/cres/Configure_X-Content-Type-Options_properly.yaml index 79ad0797a..eae4ac614 100644 --- a/cres/Configure_X-Content-Type-Options_properly.yaml +++ b/cres/Configure_X-Content-Type-Options_properly.yaml 
@@ -23,7 +23,7 @@ links: hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.html; https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting.html; https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-INPV-01; WSTG-INPV-02; WSTG-CLNT-01 ltype: Linked To - document: diff --git a/cres/Configure_X-Frame-Options_for_CSP_properly.yaml b/cres/Configure_X-Frame-Options_for_CSP_properly.yaml new file mode 100644 index 000000000..e455a7700 --- /dev/null +++ b/cres/Configure_X-Frame-Options_for_CSP_properly.yaml @@ -0,0 +1,33 @@ +doctype: CRE +id: 480-071 +links: +- document: + doctype: CRE + id: 636-347 + name: HTTP security headers + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md + name: ASVS + section: V14.4.7 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/346.html + name: CWE + section: '346' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/09-Testing_for_Clickjacking.html + name: (WSTG) Web Security Testing Guide + section: WSTG-CLNT-09 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html + name: Cheat_sheets + section: Content Security Policy Cheat Sheet + ltype: Linked To +name: Configure X-Frame-Options for CSP properly 
diff --git a/cres/Constrain_functional_features_based_on_user_stories.yaml b/cres/Constrain_functional_features_based_on_user_stories.yaml index 546a8d7fd..5ecd50e36 100644 --- a/cres/Constrain_functional_features_based_on_user_stories.yaml +++ b/cres/Constrain_functional_features_based_on_user_stories.yaml @@ -3,10 +3,8 @@ id: 822-100 links: - document: doctype: CRE - id: 625-323 + id: 354-846 name: Documentation and requirements - tags: - - Architecture ltype: Contains - document: doctype: Standard diff --git a/cres/Cookie-config.yaml b/cres/Cookie-config.yaml index 26a8e0b3f..a04d16131 100644 --- a/cres/Cookie-config.yaml +++ b/cres/Cookie-config.yaml @@ -6,11 +6,31 @@ links: id: 177-260 name: '>>Session management' ltype: Contains +- document: + doctype: CRE + id: 232-034 + name: Set '_Host' prefix for cookie-based session tokens + ltype: Contains +- document: + doctype: CRE + id: 804-220 + name: Set httponly attribute for cookie-based session tokens + tags: + - XSS + ltype: Contains - document: doctype: CRE id: 342-055 name: Set "samesite" attribute for cookie-based session tokens - tags: - - CSRF + ltype: Contains +- document: + doctype: CRE + id: 688-081 + name: Set "secure" attribute for cookie-based session tokens + ltype: Contains +- document: + doctype: CRE + id: 705-182 + name: Set path attribute in cookie-bases session tokens as precise as possible ltype: Contains name: Cookie-config diff --git a/cres/Create_random_GUIDs_with_cryptographically_secure_random_number_generators.yaml b/cres/Create_random_GUIDs_with_cryptographically_secure_random_number_generators.yaml index e487be1c9..3b0a372f6 100644 --- a/cres/Create_random_GUIDs_with_cryptographically_secure_random_number_generators.yaml +++ b/cres/Create_random_GUIDs_with_cryptographically_secure_random_number_generators.yaml 
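Review bot: The link name `Set '_Host' prefix for cookie-based session tokens` added in Cookie-config.yaml does not spell the cookie prefix the way browsers recognise it, which is `__Host-` (two underscores, trailing hyphen). A reader who implements the control from this name would create a cookie that gets none of the prefix's guarantees. I would change it to `name: Set "__Host-" prefix for cookie-based session tokens`, together with the `name` of CRE 232-034 in its own file, which is outside this hunk. In the 705-182 link name, `cookie-bases` is also a typo for `cookie-based`.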
@@ -23,7 +23,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CRYP-04 ltype: Linked To name: Create random GUIDs with cryptographically secure random number generators diff --git a/cres/Cryptographic_authentication_software_and_devices.yaml b/cres/Cryptographic_authentication_software_and_devices.yaml new file mode 100644 index 000000000..50a255732 --- /dev/null +++ b/cres/Cryptographic_authentication_software_and_devices.yaml @@ -0,0 +1,21 @@ +doctype: CRE +id: 585-408 +links: +- document: + doctype: CRE + id: 270-568 + name: Authentication mechanism + ltype: Contains +- document: + doctype: CRE + id: 002-801 + name: Use approved cryptographic algorithms for generation, seeding and verification + tags: + - Cryptography + ltype: Contains +- document: + doctype: CRE + id: 287-251 + name: Use a unique challenge nonce of sufficient size + ltype: Contains +name: Cryptographic authentication software and devices diff --git a/cres/Cryptography.yaml b/cres/Cryptography.yaml index 6ca7846ab..e6f53b4f6 100644 --- a/cres/Cryptography.yaml +++ b/cres/Cryptography.yaml @@ -8,13 +8,6 @@ links: tags: - Cryptography ltype: Related -- document: - doctype: CRE - id: 062-850 - name: MFA/OTP - tags: - - Cryptography - ltype: Related - document: doctype: CRE id: 002-801 @@ -24,8 +17,8 @@ links: ltype: Related - document: doctype: CRE - id: 287-251 - name: Use a unique challenge nonce of sufficient size + id: 062-850 + name: MFA/OTP tags: - Cryptography ltype: Related @@ -50,13 +43,6 @@ links: tags: - Cryptography ltype: Related -- document: - doctype: CRE - id: 605-735 - name: Authenticate all external connections - tags: - - Cryptography - ltype: Related - document: doctype: CRE id: 435-702 
@@ -64,27 +50,6 @@ links: tags: - Cryptography ltype: Related -- document: - doctype: CRE - id: 527-034 - name: Protect communication between application components - tags: - - Cryptography - ltype: Related -- document: - doctype: CRE - id: 426-842 - name: Verify the authenticity of both headers and payload - tags: - - Cryptography - ltype: Related -- document: - doctype: CRE - id: 248-646 - name: Disable insecure SSL/TLS versions - tags: - - Cryptography - ltype: Related - document: doctype: CRE id: 400-007 @@ -92,13 +57,6 @@ links: tags: - Cryptography ltype: Related -- document: - doctype: CRE - id: 742-432 - name: Encryption algorithms - tags: - - Cryptography - ltype: Related - document: doctype: CRE id: 542-270 @@ -106,13 +64,6 @@ links: tags: - Cryptography ltype: Related -- document: - doctype: CRE - id: 664-571 - name: Ensure proper generation of secure random - tags: - - Cryptography - ltype: Related - document: doctype: CRE id: 704-530 @@ -137,6 +88,8 @@ links: hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-17 name: NIST 800-53 v5 section: SC-17 Public Key Infrastructure Certificates + subsection: Mapped to Tag cryptography. I believe cryptography deserves a chapter + on its own. ltype: Linked To - document: doctype: Standard diff --git a/cres/DOS.yaml b/cres/DOS.yaml index 26728276a..4fd0a9b72 100644 --- a/cres/DOS.yaml +++ b/cres/DOS.yaml 
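Review bot: The `subsection` added to the SC-17 link in Cryptography.yaml holds a mapping remark (`Mapped to Tag cryptography. I believe cryptography deserves a chapter on its own.`) rather than a subsection of NIST 800-53. Anything that displays or matches on `subsection` would presumably present this working note as part of the standard. The same pattern is added in Deployed_topology.yaml, Deployment.yaml and Deployment_process.yaml (`mapped to Deployed topology`, `mapped under deployment process`). I would keep such remarks out of the export, or carry them in a separate notes field if the schema has one.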
@@ -10,43 +10,29 @@ links: ltype: Related - document: doctype: CRE - id: 630-573 - name: Monitor suspected automation abuse - tags: - - DOS - ltype: Related -- document: - doctype: CRE - id: 725-682 - name: Enable configurable alert against usage anomalies - tags: - - DOS - ltype: Related -- document: - doctype: CRE - id: 418-853 - name: Monitor unusual activities on system + id: 268-088 + name: Limit query impact GraphQL/data layer expression DoS tags: - DOS ltype: Related - document: doctype: CRE - id: 456-535 - name: Monitor for realistic "human time" business logic flows + id: 814-322 + name: Whitelist data sources and sinks tags: - DOS ltype: Related - document: doctype: CRE - id: 268-088 - name: Limit query impact GraphQL/data layer expression DoS + id: 314-701 + name: Whitelist file extensions served by web tier tags: - DOS ltype: Related - document: doctype: CRE - id: 814-322 - name: Whitelist data sources and sinks + id: 545-243 + name: Block execution/output of uploaded files tags: - DOS ltype: Related diff --git a/cres/Data_security_requirement_documentation.yaml b/cres/Data_security_requirement_documentation.yaml index d9fa7de78..8bec5dced 100644 --- a/cres/Data_security_requirement_documentation.yaml +++ b/cres/Data_security_requirement_documentation.yaml @@ -3,23 +3,23 @@ id: 625-323 links: - document: doctype: CRE - id: 625-323 + id: 354-846 name: Documentation and requirements - tags: - - Architecture ltype: Contains - document: doctype: CRE id: 765-788 name: Classify sensitive data in protection levels - tags: - - Personal data handling ltype: Contains - document: doctype: CRE id: 731-120 name: Document requirements for (data) protection levels - tags: - - Personal data handling ltype: Contains +- document: + doctype: Standard + hyperlink: Loading... + name: Top10 2017 + section: A3-Sensitive_Data_Exposure + ltype: Linked To name: Data security requirement documentation 
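Review bot: The Top10 2017 link added at the end of Data_security_requirement_documentation.yaml has `hyperlink: Loading...`, which is not a URL. It looks like placeholder text captured from a page that had not finished rendering. A consumer that turns `hyperlink` into a link target will emit a broken reference. The same value is added in Deployment.yaml (A6_Security_Misconfiguration) and Deserialization_Prevention.yaml (A8_Insecure_Deserialization). I would omit the `hyperlink` key on these entries until the real URL is known, and have the importer reject values that do not start with `https://`.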
diff --git a/cres/Define_High-level_architecture_and_perform_security_analysis_on_it.yaml b/cres/Define_High-level_architecture_and_perform_security_analysis_on_it.yaml index 991324ed9..f8abc68b2 100644 --- a/cres/Define_High-level_architecture_and_perform_security_analysis_on_it.yaml +++ b/cres/Define_High-level_architecture_and_perform_security_analysis_on_it.yaml @@ -3,16 +3,9 @@ id: 004-130 links: - document: doctype: CRE - id: 625-323 + id: 354-846 name: Documentation and requirements - tags: - - Architecture ltype: Contains -- document: - doctype: CRE - id: 155-155 - name: Architecture - ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md @@ -22,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c1-security-requirements.html - name: OPC + name: OWASP Proactive Controls section: C1 ltype: Linked To - document: @@ -50,5 +43,3 @@ links: section: Attack Surface Analysis Cheat Sheet ltype: Linked To name: Define High-level architecture and perform security analysis on it -tags: -- Architecture diff --git a/cres/Define_security_steps_in_every_SDLC_stage.yaml b/cres/Define_security_steps_in_every_SDLC_stage.yaml index 2e8739c5f..25ff196c2 100644 --- a/cres/Define_security_steps_in_every_SDLC_stage.yaml +++ b/cres/Define_security_steps_in_every_SDLC_stage.yaml @@ -15,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c1-security-requirements.html - name: OPC + name: OWASP Proactive Controls section: C1 ltype: Linked To - document: diff --git a/cres/Defined_lifetime_of_time-based_one-time_passowrd.yaml b/cres/Defined_lifetime_of_time-based_one-time_passowrd.yaml new file mode 100644 index 000000000..95882e0f7 --- /dev/null +++ b/cres/Defined_lifetime_of_time-based_one-time_passowrd.yaml 
@@ -0,0 +1,33 @@ +doctype: CRE +id: 681-823 +links: +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.8.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/613.html + name: CWE + section: '613' + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.4.2 + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.5.2 + ltype: Linked To +name: Defined lifetime of time-based one-time passowrd diff --git a/cres/Deny_new_users_by_default.yaml b/cres/Deny_new_users_by_default.yaml index 806b0293b..72894ab03 100644 --- a/cres/Deny_new_users_by_default.yaml +++ b/cres/Deny_new_users_by_default.yaml @@ -20,7 +20,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c7-enforce-access-controls.html - name: OPC + name: OWASP Proactive Controls section: C7 ltype: Linked To - document: @@ -32,7 +32,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/01-Test_Role_Definitions.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-IDNT-01 ltype: Linked To - document: diff --git a/cres/Deployed_topology.yaml b/cres/Deployed_topology.yaml index 2945ec380..512605ce3 100644 --- a/cres/Deployed_topology.yaml +++ b/cres/Deployed_topology.yaml 
@@ -56,30 +56,36 @@ links: hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-47 name: NIST 800-53 v5 section: SC-47 Alternate Communications Paths + subsection: 'Tagged Architecture, placed under Deployed Topology. CISSP has chapter: + secure network architecture' ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-36 name: NIST 800-53 v5 section: SC-36 Distributed Processing and Storage + subsection: Tagged Architecture, placed under Deployed Topology. ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-30 name: NIST 800-53 v5 section: SC-30 Concealment and Misdirection + subsection: mapped to Deployed topology ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-46 name: NIST 800-53 v5 section: SC-46 Cross Domain Policy Enforcement + subsection: mapped to Deployed topology ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-26 name: NIST 800-53 v5 section: SC-26 Decoys + subsection: mapped to Deployed topology ltype: Linked To - document: doctype: Standard @@ -92,6 +98,7 @@ links: hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-37 name: NIST 800-53 v5 section: SC-37 Out-of-band Channels + subsection: Note that this covers physical delivery as well. ltype: Linked To - document: doctype: Standard diff --git a/cres/Deployment.yaml b/cres/Deployment.yaml index 084c66b60..4b36583d8 100644 --- a/cres/Deployment.yaml +++ b/cres/Deployment.yaml 
@@ -43,11 +43,21 @@ links: id: 636-347 name: HTTP security headers ltype: Contains +- document: + doctype: CRE + id: 336-511 + name: Network protection + ltype: Contains - document: doctype: CRE id: 266-527 name: Physical security ltype: Contains +- document: + doctype: CRE + id: 180-487 + name: Server protection + ltype: Contains - document: doctype: CRE id: 612-364 @@ -58,30 +68,30 @@ links: id: 273-600 name: Segregate components of differing trust levels ltype: Contains -- document: - doctype: CRE - id: 268-272 - name: Classify personal data regarding retention so that old or outdated data - is deleted - tags: - - Personal data handling - ltype: Related - document: doctype: CRE id: 163-776 name: Backups ltype: Related +- document: + doctype: Standard + hyperlink: Loading... + name: Top10 2017 + section: A6_Security_Misconfiguration + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-29 name: NIST 800-53 v5 section: SC-29 Heterogeneity + subsection: mapped under deployment process ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-27 name: NIST 800-53 v5 section: SC-27 Platform-independent Applications + subsection: This addresses a portability concern, which is a topic in architecture. ltype: Linked To name: Deployment tags: diff --git a/cres/Deployment_process.yaml b/cres/Deployment_process.yaml index c3f5038af..cd4588e91 100644 --- a/cres/Deployment_process.yaml +++ b/cres/Deployment_process.yaml @@ -1,13 +1,6 @@ doctype: CRE id: 615-188 links: -- document: - doctype: CRE - id: 783-355 - name: Deployment - tags: - - Configuration - ltype: Contains - document: doctype: CRE id: 263-184 
@@ -16,7 +9,7 @@ links: - document: doctype: CRE id: 307-507 - name: Allow only trusted sources both build time and runtime; therefore perform + name: Allow only trusted sources both buildtime and runtime; therefore perform integrity checks on all resources and code ltype: Contains - document: @@ -44,10 +37,23 @@ links: id: 028-254 name: Secure auto-updates over full stack ltype: Contains +- document: + doctype: CRE + id: 053-751 + name: Force pipeline to check outdated/insecure components + ltype: Related +- document: + doctype: CRE + id: 783-355 + name: Deployment + tags: + - Configuration + ltype: Contains - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-51 name: NIST 800-53 v5 section: SC-51 Hardware-based Protection + subsection: mapped under deployment process ltype: Linked To name: Deployment process diff --git a/cres/Deserialization_Prevention.yaml b/cres/Deserialization_Prevention.yaml index f3905a7e7..26d9a5f8b 100644 --- a/cres/Deserialization_Prevention.yaml +++ b/cres/Deserialization_Prevention.yaml @@ -6,6 +6,21 @@ links: id: 503-455 name: '>>Input and output verification' ltype: Contains +- document: + doctype: CRE + id: 736-554 + name: Block serialization of content from untrusted clients + ltype: Contains +- document: + doctype: CRE + id: 831-563 + name: Avoid deserialization logic + ltype: Contains +- document: + doctype: CRE + id: 387-848 + name: Parse JSON safely + ltype: Contains - document: doctype: CRE id: 762-616 @@ -23,4 +38,10 @@ links: id: 184-284 name: Log all security relevant events ltype: Related +- document: + doctype: Standard + hyperlink: Loading... + name: Top10 2017 + section: A8_Insecure_Deserialization + ltype: Linked To name: Deserialization Prevention diff --git a/cres/Developer_Configuration_Management.yaml b/cres/Developer_Configuration_Management.yaml index ed4925827..8a2d8fc72 100644 
--- a/cres/Developer_Configuration_Management.yaml +++ b/cres/Developer_Configuration_Management.yaml @@ -1,6 +1,11 @@ doctype: CRE id: 601-155 links: +- document: + doctype: CRE + id: 153-513 + name: '>>Development & operations' + ltype: Contains - document: doctype: CRE id: 757-271 @@ -9,13 +14,8 @@ links: - document: doctype: CRE id: 715-334 - name: Update third party components build- or compile time + name: Update third party components build- or compiletime ltype: Related -- document: - doctype: CRE - id: 153-513 - name: '>>Development & operations' - ltype: Contains - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-10 diff --git a/cres/Development_verification.yaml b/cres/Development_verification.yaml index 992e97330..203cd05e5 100644 --- a/cres/Development_verification.yaml +++ b/cres/Development_verification.yaml @@ -1,26 +1,19 @@ doctype: CRE id: 433-442 links: +- document: + doctype: CRE + id: 153-513 + name: '>>Development & operations' + ltype: Contains - document: doctype: CRE id: 340-754 name: Threat model every design change or sprint - tags: - - Architecture ltype: Contains - document: doctype: CRE id: 611-158 name: Use SAST for malicious content ltype: Contains -- document: - doctype: CRE - id: 053-751 - name: Force pipeline to check outdated/insecure components - ltype: Related -- document: - doctype: CRE - id: 153-513 - name: '>>Development & operations' - ltype: Contains name: Development verification diff --git a/cres/Disable_insecure_SSL-TLS_versions.yaml b/cres/Disable_insecure_SSL-TLS_versions.yaml index 027e222a4..cb9d1a551 100644 --- a/cres/Disable_insecure_SSL-TLS_versions.yaml +++ b/cres/Disable_insecure_SSL-TLS_versions.yaml 
@@ -8,11 +8,6 @@ links: tags: - Cryptoghraphy ltype: Contains -- document: - doctype: CRE - id: 170-772 - name: Cryptography - ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x17-V9-Communications.md @@ -28,7 +23,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_SSL_TLS_Ciphers_Insufficient_Transport_Layer_Protection.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CRYP-01 ltype: Linked To - document: @@ -49,15 +44,4 @@ links: name: Cheat_sheets section: TLS Cipher String Cheat Sheet ltype: Linked To -- document: - description: '"Protect the connection using HTTPS or use a stronger authentication - mechanism"' - doctype: Tool - name: 'ZAP Alert: "Weak Authentication Method"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME name: Disable insecure SSL/TLS versions -tags: -- Cryptography diff --git a/cres/Disallow_shared_high_privilige_accounts.yaml b/cres/Disallow_shared_high_privilige_accounts.yaml new file mode 100644 index 000000000..ea5640fcd --- /dev/null +++ b/cres/Disallow_shared_high_privilige_accounts.yaml 
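Review bot: In Disable_insecure_SSL-TLS_versions.yaml the first hunk leaves the context line `- Cryptoghraphy` (misspelt) as the tag on the linked document, whose entry starts above the hunk. The same change removes the correctly spelled `tags: - Cryptography` at the end of the file and the Related link to CRE 170-772. After the patch the only cryptography marker left in this file is the misspelt one, so a match on the `Cryptography` tag will presumably miss it. I would correct the tag to `- Cryptography` here and in the linked document's own file.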
@@ -0,0 +1,43 @@ +doctype: CRE +id: 623-347 +links: +- document: + doctype: CRE + id: 586-842 + name: '>>Secure user management' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.5.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/16.html + name: CWE + section: '16' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html + name: Cheat_sheets + section: Choosing and Using Security Questions Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html + name: Cheat_sheets + section: Forgot Password Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.1.2 + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: A.3 + ltype: Linked To +name: Disallow shared high privilige accounts diff --git a/cres/Do_not_disclose_technical_information_in_HTTP_header_or_responce.yaml b/cres/Do_not_disclose_technical_information_in_HTTP_header_or_responce.yaml new file mode 100644 index 000000000..95a4cdff9 --- /dev/null +++ b/cres/Do_not_disclose_technical_information_in_HTTP_header_or_responce.yaml 
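Review bot: The `name` in this new file is misspelled (`Disallow shared high privilige accounts`) and the file path carries the same misspelling, so the typo becomes part of what other CRE files write in their `links` entries. The same applies later in this patch to `...HTTP header or responce`, `Document explicit key/secret managementt` and `Docuymentation of all components' business or security function`. In `Documentation_and_requirements.yaml` the commit goes further and replaces the previously correct `Clear policy compliant I/O requirements` and `Document explicit key/secret management` with misspelled forms. If these files are written by the importer, the fix probably belongs in the source data rather than in the YAML; I would correct the names there and regenerate, e.g. `name: Disallow shared high privilege accounts`.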
@@ -0,0 +1,214 @@ +doctype: CRE +id: 403-005 +links: +- document: + doctype: CRE + id: 308-515 + name: Prevent security disclosure + tags: + - Configuration + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md + name: ASVS + section: V14.3.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/200.html + name: CWE + section: '200' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/01-Information_Gathering/README.html + name: (WSTG) Web Security Testing Guide + section: WSTG-INFO-## + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html + name: Cheat_sheets + section: Error Handling Cheat Sheet + ltype: Linked To +- document: + description: '"Review the source code of this page. Implement custom error pages. + Consider implementing a mechanism to provide a unique error reference/identifier + to the client (browser) while logging the details on the server side and not + exposing them to the user."' + doctype: Tool + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ApplicationErrorScanRule.java + name: 'ZAP Rule: "Application Error Disclosure"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Do not divulge details of whether a username is valid or invalid. 
+ In particular, for unsuccessful login attempts, do not differentiate between + an invalid user and an invalid password in the error message, page title, page + contents, HTTP headers, or redirection logic."' + doctype: Tool + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/UsernameEnumerationScanRule.java + name: 'ZAP Rule: "Possible Username Enumeration"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Limit access to Symfony''s Profiler, either via authentication/authorization + or limiting inclusion of the header to specific clients (by IP, etc.)."' + doctype: Tool + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XDebugTokenScanRule.java + name: 'ZAP Rule: "X-Debug-Token Information Leak"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Remove all comments that return information that may help an attacker + and fix any underlying problems they refer to."' + doctype: Tool + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/websocket/src/main/zapHomeFiles/scripts/templates/websocketpassive/XML%20Comments%20Disclosure.js + name: 'ZAP Rule: "Information Disclosure - Suspicious Comments in XML via WebSocket"' + tags: + - '"WebSocket Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Remove all comments that return information that may help an attacker + and fix any underlying problems they refer to."' + doctype: Tool + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureSuspiciousCommentsScanRule.java + name: 'ZAP Rule: "Information Disclosure - Suspicious Comments"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Do not pass 
sensitive information in URIs."' + doctype: Tool + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureReferrerScanRule.java + name: 'ZAP Rule: "Information Disclosure - Sensitive Information in HTTP Referrer + Header"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Disable debugging messages before pushing to production."' + doctype: Tool + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/websocket/src/main/zapHomeFiles/scripts/templates/websocketpassive/Debug%20Error%20Disclosure.js + name: 'ZAP Rule: "Information Disclosure - Debug Error Messages via WebSocket"' + tags: + - '"WebSocket Passive"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java + name: 'ZAP Rule: "Proxy Disclosure"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SlackerCookieScanRule.java + name: 'ZAP Rule: "Cookie Slack Detector"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Disable debugging messages before pushing to production."' + doctype: Tool + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureDebugErrorsScanRule.java + name: 'ZAP Rule: "Information Disclosure - Debug Error Messages"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Before allowing images to be stored on the server and/or transmitted + to the browser, strip out the embedded location information from image. 
This + could mean removing all Exif data or just the GPS component. Other data, like + serial numbers, should also be removed."' + doctype: Tool + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/imagelocationscanner/src/main/java/org/zaproxy/zap/extension/imagelocationscanner/ImageLocationScanRule.java + name: 'ZAP Rule: "Image Exposes Location or Privacy Data"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Do not pass sensitive information in URIs."' + doctype: Tool + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureInUrlScanRule.java + name: 'ZAP Rule: "Information Disclosure - Sensitive Information in URL"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"TBA"' + doctype: Tool + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/InsecureHttpMethodScanRule.java + name: 'ZAP Rule: "Insecure HTTP Method"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Remove emails that are not public."' + doctype: Tool + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/websocket/src/main/zapHomeFiles/scripts/templates/websocketpassive/Email%20Disclosure.js + name: 'ZAP Rule: "Email address found in WebSocket message"' + tags: + - '"WebSocket Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"For secure content, put session ID in a cookie. 
To be even more + secure consider using a combination of cookie and URL rewrite."' + doctype: Tool + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRule.java + name: 'ZAP Rule: "Session ID in URL Rewrite"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Remove the private IP address from the HTTP response body. For + comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can + be seen by client browsers."' + doctype: Tool + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoPrivateAddressDisclosureScanRule.java + name: 'ZAP Rule: "Private IP Disclosure"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Ensure that your web server, application server, load balancer, + etc. is configured to suppress ''X-Powered-By'' headers."' + doctype: Tool + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XPoweredByHeaderInfoLeakScanRule.java + name: 'ZAP Rule: "Server Leaks Information via ''X-Powered-By'' HTTP Response + Header Field(s)"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +- document: + description: '"Manually confirm that the timestamp data is not sensitive, and + that the data cannot be aggregated to disclose exploitable patterns."' + doctype: Tool + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/TimestampDisclosureScanRule.java + name: 'ZAP Rule: "Timestamp Disclosure"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +name: Do not disclose technical information in HTTP header or responce 
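Review bot: Several values in this new file look like unfinished importer output rather than reviewed data: `section: WSTG-INFO-##` is a placeholder, the `Insecure HTTP Method` entry has `description: '"TBA"'`, and `Proxy Disclosure` and `Cookie Slack Detector` have no description at all. Every tag and description also keeps a literal pair of double quotes inside the YAML scalar (`- '"Passive"'`), which suggests the parser does not unquote the ZAP field before writing it; an exact match on `Passive` would then fail. I would strip the quotes in the parser (`- Passive`) and either fill in or omit the placeholder fields. Entries such as `Session ID in URL Rewrite` and `Insecure HTTP Method` are attached with `ltype: SAME` to an information-disclosure requirement, which may be broader than intended and is worth confirming.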
diff --git a/cres/Do_not_disclose_technical_information_in_error_message.yaml b/cres/Do_not_disclose_technical_information_in_error_message.yaml index 7916fd33a..fbca41e63 100644 --- a/cres/Do_not_disclose_technical_information_in_error_message.yaml +++ b/cres/Do_not_disclose_technical_information_in_error_message.yaml @@ -28,7 +28,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/01-Testing_for_Error_Code.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-ERRH-01 ltype: Linked To - document: @@ -41,7 +41,8 @@ links: description: '"Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption."' doctype: Tool - name: 'ZAP Alert: "Generic Padding Oracle"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/PaddingOracleScanRule.java + name: 'ZAP Rule: "Generic Padding Oracle"' tags: - '"Active"' tooltype: Offensive @@ -52,7 +53,8 @@ links: a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user."' doctype: Tool - name: 'ZAP Alert: "Application Error Disclosure via WebSockets"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/websocket/src/main/zapHomeFiles/scripts/templates/websocketpassive/Application%20Error%20Scanner.js + name: 'ZAP Rule: "Application Error Disclosure via WebSockets"' tags: - '"WebSocket Passive"' tooltype: Offensive diff --git a/cres/Do_not_enforce_password_rotation_rules_or_history_requirements.yaml b/cres/Do_not_enforce_password_rotation_rules_or_history_requirements.yaml index cc8cb9a6d..d29b84b2d 100644 --- a/cres/Do_not_enforce_password_rotation_rules_or_history_requirements.yaml 
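Review bot: The `hyperlink` values added for the ZAP rules point at `blob/main` in zaproxy/zap-extensions, so they follow a moving branch and will break or change target when a rule file is renamed or moved; the ASVS links elsewhere in this patch are pinned to a tag (`blob/v4.0.2`). This applies to both entries in `Do_not_disclose_technical_information_in_error_message.yaml`, to the new `...HTTP_header_or_responce.yaml` file above it and to the SQL injection entries in `Encode_output_context-specifically.yaml`. I would have the parser emit a permalink to the commit or release it read the rule from, e.g. `https://github.com/zaproxy/zap-extensions/blob/<COMMIT_SHA>/addOns/...`.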
+++ b/cres/Do_not_enforce_password_rotation_rules_or_history_requirements.yaml @@ -21,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-ATHN-07 ltype: Linked To - document: diff --git a/cres/Do_not_expose_data_through_API_URLs.yaml b/cres/Do_not_expose_data_through_API_URLs.yaml index 61587b0a8..91dc53595 100644 --- a/cres/Do_not_expose_data_through_API_URLs.yaml +++ b/cres/Do_not_expose_data_through_API_URLs.yaml @@ -26,7 +26,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/04-Testing_for_Exposed_Session_Variables.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-SESS-04 ltype: Linked To - document: diff --git a/cres/Do_not_expose_data_through_HTTP_verb.yaml b/cres/Do_not_expose_data_through_HTTP_verb.yaml index 963a37e25..8543fa0ee 100644 --- a/cres/Do_not_expose_data_through_HTTP_verb.yaml +++ b/cres/Do_not_expose_data_through_HTTP_verb.yaml @@ -26,7 +26,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/03-Testing_for_Sensitive_Information_Sent_via_Unencrypted_Channels.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CRYP-03 ltype: Linked To name: Do not expose data through HTTP verb diff --git a/cres/Do_not_expose_session_token_in_URL.yaml b/cres/Do_not_expose_session_token_in_URL.yaml index 477c0da40..97f25e3cc 100644 --- a/cres/Do_not_expose_session_token_in_URL.yaml +++ b/cres/Do_not_expose_session_token_in_URL.yaml 
@@ -21,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/04-Testing_for_Exposed_Session_Variables.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-SESS-04 ltype: Linked To name: Do not expose session token in URL diff --git a/cres/Do_not_fall_back_to_insecure_protocols_in_TCP.yaml b/cres/Do_not_fall_back_to_insecure_protocols_in_TCP.yaml index cb9f0d3ba..c1a826da4 100644 --- a/cres/Do_not_fall_back_to_insecure_protocols_in_TCP.yaml +++ b/cres/Do_not_fall_back_to_insecure_protocols_in_TCP.yaml @@ -17,7 +17,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c8-protect-data-everywhere.html - name: OPC + name: OWASP Proactive Controls section: C8 ltype: Linked To - document: @@ -29,7 +29,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_SSL_TLS_Ciphers_Insufficient_Transport_Layer_Protection.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CRYP-01 ltype: Linked To - document: diff --git a/cres/Do_not_limit_character_types_for_password_composition.yaml b/cres/Do_not_limit_character_types_for_password_composition.yaml index fd9dcb655..985c8abf7 100644 --- a/cres/Do_not_limit_character_types_for_password_composition.yaml +++ b/cres/Do_not_limit_character_types_for_password_composition.yaml @@ -15,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html - name: OPC + name: OWASP Proactive Controls section: C6 ltype: Linked To - document: 
@@ -27,7 +27,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-ATHN-07 ltype: Linked To - document: diff --git a/cres/Do_not_log_credentials_or_payment_details.yaml b/cres/Do_not_log_credentials_or_payment_details.yaml index b4457404a..ee0d4f7fd 100644 --- a/cres/Do_not_log_credentials_or_payment_details.yaml +++ b/cres/Do_not_log_credentials_or_payment_details.yaml @@ -21,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/02-Test_Application_Platform_Configuration.html#log-review - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CONF-02 ltype: Linked To - document: diff --git a/cres/Do_not_offer_weak_(clear_text)_authenticators_by_default.yaml b/cres/Do_not_offer_weak_(clear_text)_authenticators_by_default.yaml index ff3225b3a..70a4c928f 100644 --- a/cres/Do_not_offer_weak_(clear_text)_authenticators_by_default.yaml +++ b/cres/Do_not_offer_weak_(clear_text)_authenticators_by_default.yaml @@ -1,5 +1,5 @@ doctype: CRE -id: 354-752 +id: 320-618 links: - document: doctype: CRE diff --git a/cres/Do_not_reveal_the_current_password_during_password_recovery.yaml b/cres/Do_not_reveal_the_current_password_during_password_recovery.yaml index c3d47c985..854967368 100644 --- a/cres/Do_not_reveal_the_current_password_during_password_recovery.yaml +++ b/cres/Do_not_reveal_the_current_password_during_password_recovery.yaml @@ -15,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html - name: OPC + name: OWASP Proactive Controls section: C6 ltype: Linked To - document: 
diff --git a/cres/Do_not_store_sensitive_data_on_client_(browser)_storage.yaml b/cres/Do_not_store_sensitive_data_on_client_(browser)_storage.yaml index da2056b11..e9f6be4bd 100644 --- a/cres/Do_not_store_sensitive_data_on_client_(browser)_storage.yaml +++ b/cres/Do_not_store_sensitive_data_on_client_(browser)_storage.yaml @@ -21,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/12-Testing_Browser_Storage.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CLNT-12 ltype: Linked To name: Do not store sensitive data on client (browser) storage diff --git a/cres/Do_not_use_eval_or_dynamic_code_execution_functions.yaml b/cres/Do_not_use_eval_or_dynamic_code_execution_functions.yaml index bf97892fe..297eb0a0f 100644 --- a/cres/Do_not_use_eval_or_dynamic_code_execution_functions.yaml +++ b/cres/Do_not_use_eval_or_dynamic_code_execution_functions.yaml @@ -24,7 +24,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/02-Testing_for_JavaScript_Execution.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CLNT-02 ltype: Linked To - document: diff --git a/cres/Do_not_use_password_hints_or_secret_questions.yaml b/cres/Do_not_use_password_hints_or_secret_questions.yaml index 3d9ebaf5f..eedca5fa3 100644 --- a/cres/Do_not_use_password_hints_or_secret_questions.yaml +++ b/cres/Do_not_use_password_hints_or_secret_questions.yaml @@ -21,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/08-Testing_for_Weak_Security_Question_Answer.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-ATHN-08 ltype: Linked To - document: 
diff --git a/cres/Document_all_trust_boundaries_and_significant_data_flows.yaml b/cres/Document_all_trust_boundaries_and_significant_data_flows.yaml index 10ce4c076..2b21adc9c 100644 --- a/cres/Document_all_trust_boundaries_and_significant_data_flows.yaml +++ b/cres/Document_all_trust_boundaries_and_significant_data_flows.yaml @@ -3,16 +3,9 @@ id: 820-877 links: - document: doctype: CRE - id: 625-323 + id: 354-846 name: Documentation and requirements - tags: - - Architecture ltype: Contains -- document: - doctype: CRE - id: 155-155 - name: Architecture - ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md @@ -44,5 +37,3 @@ links: section: Attack Surface Analysis Cheat Sheet ltype: Linked To name: Document all trust boundaries and significant data flows -tags: -- Architecture diff --git a/cres/Document_explicit_key-secret_managementt.yaml b/cres/Document_explicit_key-secret_managementt.yaml new file mode 100644 index 000000000..a0a843dc9 --- /dev/null +++ b/cres/Document_explicit_key-secret_managementt.yaml 
@@ -0,0 +1,40 @@ +doctype: CRE +id: 287-305 +links: +- document: + doctype: CRE + id: 354-846 + name: Documentation and requirements + ltype: Contains +- document: + doctype: CRE + id: 223-780 + name: Secret storage + tags: + - Cryptography + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.6.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/320.html + name: CWE + section: '320' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html + name: Cheat_sheets + section: Cryptographic Storage Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Key Management Cheat Sheet + ltype: Linked To +name: Document explicit key/secret managementt diff --git a/cres/Document_requirements_for_(data)_protection_levels.yaml b/cres/Document_requirements_for_(data)_protection_levels.yaml index d32210b12..c979c5a1f 100644 --- a/cres/Document_requirements_for_(data)_protection_levels.yaml +++ b/cres/Document_requirements_for_(data)_protection_levels.yaml @@ -8,8 +8,8 @@ links: ltype: Contains - document: doctype: CRE - id: 028-728 - name: Personal data handling + id: 362-550 + name: '>>Personal data handling' ltype: Related - document: doctype: Standard @@ -30,5 +30,3 @@ links: section: User Privacy Protection Cheat Sheet ltype: Linked To name: Document requirements for (data) protection levels -tags: -- Personal data handling diff --git a/cres/Documentation_and_requirements.yaml b/cres/Documentation_and_requirements.yaml index 1b5692878..25be03252 100644 --- a/cres/Documentation_and_requirements.yaml +++ b/cres/Documentation_and_requirements.yaml 
@@ -1,5 +1,5 @@ doctype: CRE -id: 625-323 +id: 354-846 links: - document: doctype: CRE @@ -13,22 +13,25 @@ links: ltype: Contains - document: doctype: CRE - id: 004-130 - name: Define High-level architecture and perform security analysis on it + id: 344-611 + name: Centralize security controls tags: - Architecture ltype: Contains +- document: + doctype: CRE + id: 004-130 + name: Define High-level architecture and perform security analysis on it + ltype: Contains - document: doctype: CRE id: 820-877 name: Document all trust boundaries and significant data flows - tags: - - Architecture ltype: Contains - document: doctype: CRE id: 782-234 - name: Clear policy compliant I/O requirements + name: Clear policy complient I/O requirements ltype: Contains - document: doctype: CRE @@ -38,23 +41,18 @@ links: - document: doctype: CRE id: 162-655 - name: Documentation of all components' business or security function + name: Docuymentation of all components' business or security function ltype: Contains - document: doctype: CRE id: 287-305 - name: Document explicit key/secret management + name: Document explicit key/secret managementt ltype: Contains - document: doctype: CRE id: 625-323 name: Data security requirement documentation ltype: Contains -- document: - doctype: CRE - id: 155-155 - name: Architecture - ltype: Related - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SA-5 @@ -62,5 +60,3 @@ links: section: SA-5 System Documentation ltype: Linked To name: Documentation and requirements -tags: -- Architecture diff --git a/cres/Docuymentation_of_all_components_business_or_security_function.yaml b/cres/Docuymentation_of_all_components_business_or_security_function.yaml new file mode 100644 index 000000000..05bccd4db --- /dev/null +++ b/cres/Docuymentation_of_all_components_business_or_security_function.yaml 
@@ -0,0 +1,27 @@ +doctype: CRE +id: 162-655 +links: +- document: + doctype: CRE + id: 354-846 + name: Documentation and requirements + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.11.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/1059.html + name: CWE + section: '1059' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html + name: Cheat_sheets + section: Abuse Case Cheat Sheet + ltype: Linked To +name: Docuymentation of all components' business or security function diff --git a/cres/Enable_configurable_alert_against_usage_anomalies.yaml b/cres/Enable_configurable_alert_against_usage_anomalies.yaml index dd747922c..c2d384f80 100644 --- a/cres/Enable_configurable_alert_against_usage_anomalies.yaml +++ b/cres/Enable_configurable_alert_against_usage_anomalies.yaml @@ -8,11 +8,6 @@ links: tags: - DOS ltype: Contains -- document: - doctype: CRE - id: 623-550 - name: DOS - ltype: Related - document: doctype: CRE id: 842-876 @@ -37,5 +32,3 @@ links: section: Abuse Case Cheat Sheet ltype: Linked To name: Enable configurable alert against usage anomalies -tags: -- DOS diff --git a/cres/Enable_option_to_log_out_from_all_active_session.yaml b/cres/Enable_option_to_log_out_from_all_active_session.yaml index 7e69a3b44..e259b24e9 100644 --- a/cres/Enable_option_to_log_out_from_all_active_session.yaml +++ b/cres/Enable_option_to_log_out_from_all_active_session.yaml @@ -4,7 +4,7 @@ links: - document: doctype: CRE id: 470-731 - name: Session lifecycle + name: Session logout and timeout ltype: Contains - document: doctype: CRE 
@@ -26,7 +26,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/06-Testing_for_Logout_Functionality.html#testing-for-server-side-session-termination - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-SESS-06 ltype: Linked To - document: diff --git a/cres/Encode_output_context-specifically.yaml b/cres/Encode_output_context-specifically.yaml index 2c1e76389..d61c4d26b 100644 --- a/cres/Encode_output_context-specifically.yaml +++ b/cres/Encode_output_context-specifically.yaml @@ -24,7 +24,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-INPV-05 ltype: Linked To - document: 
@@ -119,56 +119,64 @@ links: ltype: Linked To - document: doctype: Tool - name: 'ZAP Alert: "SQL Injection - Oracle"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SqlInjectionOracleScanRule.java + name: 'ZAP Rule: "SQL Injection - Oracle"' tags: - '"Active"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "Advanced SQL Injection"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/sqliplugin/src/main/java/org/zaproxy/zap/extension/sqliplugin/SQLInjectionScanRule.java + name: 'ZAP Rule: "Advanced SQL Injection"' tags: - '"Active"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "SQL Injection - Hypersonic SQL"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SqlInjectionHypersonicScanRule.java + name: 'ZAP Rule: "SQL Injection - Hypersonic SQL"' tags: - '"Active"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "SQL Injection - MsSQL"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SqlInjectionMsSqlScanRule.java + name: 'ZAP Rule: "SQL Injection - MsSQL"' tags: - '"Active"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "SQL Injection - MySQL"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SqlInjectionMySqlScanRule.java + name: 'ZAP Rule: "SQL Injection - MySQL"' tags: - '"Active"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "SQL Injection - PostgreSQL"' + hyperlink: 
https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SqlInjectionPostgreScanRule.java + name: 'ZAP Rule: "SQL Injection - PostgreSQL"' tags: - '"Active"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "SQL Injection"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionScanRule.java + name: 'ZAP Rule: "SQL Injection"' tags: - '"Active"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "SQL Injection - SQLite"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SqlInjectionSqLiteScanRule.java + name: 'ZAP Rule: "SQL Injection - SQLite"' tags: - '"Active"' tooltype: Offensive diff --git a/cres/Encode_output_near_the_consuming_interpreter.yaml b/cres/Encode_output_near_the_consuming_interpreter.yaml index 627478c6f..d40da9d63 100644 --- a/cres/Encode_output_near_the_consuming_interpreter.yaml +++ b/cres/Encode_output_near_the_consuming_interpreter.yaml @@ -18,7 +18,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c4-encode-escape-data.html - name: OPC + name: OWASP Proactive Controls section: C4 ltype: Linked To - document: diff --git a/cres/Encode_output_while_preserving_user_input_formatting.yaml b/cres/Encode_output_while_preserving_user_input_formatting.yaml index 26b86510d..b11d25c9d 100644 --- a/cres/Encode_output_while_preserving_user_input_formatting.yaml +++ b/cres/Encode_output_while_preserving_user_input_formatting.yaml @@ -18,7 +18,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c4-encode-escape-data.html - name: OPC + name: OWASP Proactive Controls section: C4 ltype: Linked To - document: 
@@ -30,7 +30,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/6-Appendix/D-Encoded_Injection.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-APPE-D ltype: Linked To - document: diff --git a/cres/Encode_user_input_before_logging.yaml b/cres/Encode_user_input_before_logging.yaml index 0d7b28b97..ca9feba9d 100644 --- a/cres/Encode_user_input_before_logging.yaml +++ b/cres/Encode_user_input_before_logging.yaml @@ -3,19 +3,13 @@ id: 048-612 links: - document: doctype: CRE + id: 821-541 name: Log injection protection ltype: Contains -- document: - doctype: CRE - id: 503-455 - name: '>>Input and output verification' - ltype: Related - document: doctype: CRE id: 760-764 name: Injection - tags: - - XSS ltype: Related - document: doctype: Standard @@ -26,7 +20,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c9-implement-security-logging-monitoring.html - name: OPC + name: OWASP Proactive Controls section: C9 ltype: Linked To - document: @@ -38,7 +32,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/03-Test_Integrity_Checks.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-BUSL-03 ltype: Linked To - document: 
@@ -47,20 +41,6 @@ links: name: Cheat_sheets section: Logging Cheat Sheet ltype: Linked To -- document: - description: '"Upgrade Log4j2 to version 2.15.0 or newer. In previous releases - (>2.10) this behavior can be mitigated by setting system property ''log4j2.formatMsgNoLookups'' - to ''true'' or by removing the JndiLookup class from the classpath (example: - zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). - Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) - protects against remote code execution by defaulting ''com.sun.jndi.rmi.object.trustURLCodebase'' - and ''com.sun.jndi.cosnaming.object.trustURLCodebase'' to ''false''."' - doctype: Tool - name: 'ZAP Alert: "Log4Shell (CVE-2021-44228)"' - tags: - - '"Active"' - tooltype: Offensive - ltype: SAME name: Encode user input before logging tags: - Injection diff --git a/cres/Encrypt_data_at_rest.yaml b/cres/Encrypt_data_at_rest.yaml index 2bf9803b9..9c535dc5a 100644 --- a/cres/Encrypt_data_at_rest.yaml +++ b/cres/Encrypt_data_at_rest.yaml @@ -6,13 +6,6 @@ links: id: 126-668 name: '>>Secure data storage' ltype: Contains -- document: - doctype: CRE - id: 742-432 - name: Encryption algorithms - tags: - - Cryptography - ltype: Contains - document: doctype: CRE id: 170-772 @@ -24,6 +17,11 @@ links: name: Encrypt sensitive data with algorithms that provide both confidentiality and integrity ltype: Contains +- document: + doctype: CRE + id: 742-432 + name: Encryption algorithms + ltype: Contains - document: doctype: CRE id: 275-483 diff --git a/cres/Encrypt_financial_data_at_rest.yaml b/cres/Encrypt_financial_data_at_rest.yaml index e91686ac9..bf794c97d 100644 --- a/cres/Encrypt_financial_data_at_rest.yaml +++ b/cres/Encrypt_financial_data_at_rest.yaml 
@@ -21,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CRYP-04 ltype: Linked To - document: @@ -36,29 +36,4 @@ links: name: Cheat_sheets section: User Privacy Protection Cheat Sheet ltype: Linked To -- document: - doctype: Tool - name: 'ZAP Alert: "Secure Pages Include Mixed Content"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Configure your web or application server to use SSL (https)."' - doctype: Tool - name: 'ZAP Alert: "HTTP Only Site"' - tags: - - '"Active"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Ensure that your web server, application server, load balancer, - etc. is configured to only serve such content via HTTPS. Consider implementing - HTTP Strict Transport Security."' - doctype: Tool - name: 'ZAP Alert: "HTTPS Content Available via HTTP"' - tags: - - '"Active"' - tooltype: Offensive - ltype: SAME name: Encrypt financial data at rest diff --git a/cres/Encrypt_health_data_at_rest.yaml b/cres/Encrypt_health_data_at_rest.yaml index 2eb1ee2c4..88f49ed91 100644 --- a/cres/Encrypt_health_data_at_rest.yaml +++ b/cres/Encrypt_health_data_at_rest.yaml @@ -21,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CRYP-04 ltype: Linked To - document: 
@@ -36,29 +36,4 @@ links: name: Cheat_sheets section: User Privacy Protection Cheat Sheet ltype: Linked To -- document: - doctype: Tool - name: 'ZAP Alert: "Secure Pages Include Mixed Content"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Configure your web or application server to use SSL (https)."' - doctype: Tool - name: 'ZAP Alert: "HTTP Only Site"' - tags: - - '"Active"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Ensure that your web server, application server, load balancer, - etc. is configured to only serve such content via HTTPS. Consider implementing - HTTP Strict Transport Security."' - doctype: Tool - name: 'ZAP Alert: "HTTPS Content Available via HTTP"' - tags: - - '"Active"' - tooltype: Offensive - ltype: SAME name: Encrypt health data at rest diff --git a/cres/Encrypt_personal_data_at_rest.yaml b/cres/Encrypt_personal_data_at_rest.yaml index 9dabd5677..a8e1b2b19 100644 --- a/cres/Encrypt_personal_data_at_rest.yaml +++ b/cres/Encrypt_personal_data_at_rest.yaml @@ -8,8 +8,8 @@ links: ltype: Contains - document: doctype: CRE - id: 028-728 - name: Personal data handling + id: 362-550 + name: '>>Personal data handling' ltype: Related - document: doctype: Standard @@ -26,7 +26,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CRYP-04 ltype: Linked To - document: 
@@ -41,31 +41,4 @@ links: name: Cheat_sheets section: User Privacy Protection Cheat Sheet ltype: Linked To -- document: - doctype: Tool - name: 'ZAP Alert: "Secure Pages Include Mixed Content"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Configure your web or application server to use SSL (https)."' - doctype: Tool - name: 'ZAP Alert: "HTTP Only Site"' - tags: - - '"Active"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Ensure that your web server, application server, load balancer, - etc. is configured to only serve such content via HTTPS. Consider implementing - HTTP Strict Transport Security."' - doctype: Tool - name: 'ZAP Alert: "HTTPS Content Available via HTTP"' - tags: - - '"Active"' - tooltype: Offensive - ltype: SAME name: Encrypt personal data at rest -tags: -- Personal data handling diff --git a/cres/Encrypt_sensitive_data_with_algorithms_that_provide_both_confidentiality_and_integrity.yaml b/cres/Encrypt_sensitive_data_with_algorithms_that_provide_both_confidentiality_and_integrity.yaml index 6a34fc8ac..a1530df0d 100644 --- a/cres/Encrypt_sensitive_data_with_algorithms_that_provide_both_confidentiality_and_integrity.yaml +++ b/cres/Encrypt_sensitive_data_with_algorithms_that_provide_both_confidentiality_and_integrity.yaml @@ -17,7 +17,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c8-protect-data-everywhere.html - name: OPC + name: OWASP Proactive Controls section: C8 ltype: Linked To - document: diff --git a/cres/Encryption_algorithms.yaml b/cres/Encryption_algorithms.yaml index 2c1a843aa..076491e3e 100644 --- a/cres/Encryption_algorithms.yaml +++ b/cres/Encryption_algorithms.yaml @@ -8,11 +8,6 @@ links: tags: - Cryptography ltype: Contains -- document: - doctype: CRE - id: 170-772 - name: Cryptography - ltype: Related - document: doctype: CRE id: 742-431 
@@ -21,7 +16,7 @@ links: - document: doctype: CRE id: 786-224 - name: Authenticate encrypted data + name: Autenticate encrypted data ltype: Contains - document: doctype: CRE @@ -54,5 +49,3 @@ links: name: Use weak crypto only for backwards compatibility ltype: Contains name: Encryption algorithms -tags: -- Cryptography diff --git a/cres/Enforce_JSON_schema_before_processing.yaml b/cres/Enforce_JSON_schema_before_processing.yaml index f37fec4cf..9b9471125 100644 --- a/cres/Enforce_JSON_schema_before_processing.yaml +++ b/cres/Enforce_JSON_schema_before_processing.yaml @@ -3,11 +3,8 @@ id: 146-706 links: - document: doctype: CRE - id: 010-308 - name: Input validation - tags: - - Injection - - XSS + id: 071-288 + name: RESTful ltype: Contains - document: doctype: Standard @@ -41,21 +38,24 @@ links: ltype: Linked To - document: doctype: Tool - name: 'ZAP Alert: "Remote Code Execution - CVE-2012-1823"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/RemoteCodeExecutionCve20121823ScanRule.java + name: 'ZAP Rule: "Remote Code Execution - CVE-2012-1823"' tags: - '"Active"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "Relative Path Confusion"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/RelativePathConfusionScanRule.java + name: 'ZAP Rule: "Relative Path Confusion"' tags: - '"Active"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "Source Code Disclosure - CVE-2012-1823"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureCve20121823ScanRule.java + name: 'ZAP Rule: "Source Code Disclosure - CVE-2012-1823"' tags: - '"Active"' tooltype: Offensive 
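Review bot: In cres/Encryption_algorithms.yaml the link name for CRE 786-224 changes from `Authenticate encrypted data` to `Autenticate encrypted data`, replacing a correct spelling with a misspelled one. The same kind of slip appears in files this patch creates, where it reaches the file path as well: `Enforce integrity ckeck for externally hosted assets (eg SRI)`, `Enforce model-based authorization both at URI and final resourc` (cut short) and `Enfroce access control on trusted service layer`. If these names come from an upstream sheet, as the derived file names suggest, the fix belongs there; for this hunk the line would stay `name: Authenticate encrypted data`. Name-based lookups and searches for these controls would otherwise miss the entries.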
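Review bot: The hyperlinks added in the `@@ -41,21 +38,24 @@` hunk of cres/Enforce_JSON_schema_before_processing.yaml all point at `blob/main` in zaproxy/zap-extensions, so each reference follows a moving branch rather than the source the mapping was made against. The targets sit under `addOns/ascanrulesBeta`, and a rule that is renamed or moved to another add-on directory would leave the link dead. Pinning the ref, e.g. `https://github.com/zaproxy/zap-extensions/blob/<commit-sha>/addOns/...`, or recording the commit the parser read, would keep the reference stable. The same applies to the ZAP hyperlinks added in the later hunks of this file and in Enforce_schema_on_XML_structure-field.yaml, Enforce_schema_on_type-contents_of_structured_data.yaml, Ensure_trusted_origin_of_third_party_resources.yaml and Escape_output_against_XSS.yaml.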
@@ -64,7 +64,8 @@ links: description: '"The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application."' doctype: Tool - name: 'ZAP Alert: "Httpoxy - Proxy Header Misuse"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttPoxyScanRule.java + name: 'ZAP Rule: "Httpoxy - Proxy Header Misuse"' tags: - '"Active"' tooltype: Offensive @@ -72,7 +73,8 @@ links: - document: description: '"Properly sanitize the user input for parameter delimiters"' doctype: Tool - name: 'ZAP Alert: "HTTP Parameter Pollution"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpParameterPollutionScanRule.java + name: 'ZAP Rule: "HTTP Parameter Pollution"' tags: - '"Active"' tooltype: Offensive diff --git a/cres/Enforce_authentication_time-out_when_dealing_with_an_authentication_third_party_(CSP).yaml b/cres/Enforce_authentication_time-out_when_dealing_with_an_authentication_third_party_(CSP).yaml new file mode 100644 index 000000000..203a387d7 --- /dev/null +++ b/cres/Enforce_authentication_time-out_when_dealing_with_an_authentication_third_party_(CSP).yaml 
@@ -0,0 +1,33 @@ +doctype: CRE +id: 618-403 +links: +- document: + doctype: CRE + id: 258-115 + name: Re-authentication from federation or assertion + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md + name: ASVS + section: V3.6.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/613.html + name: CWE + section: '613' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.html#session-id-predictability-and-randomness + name: (WSTG) Web Security Testing Guide + section: WSTG-SESS-01 + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 7.2.1 + ltype: Linked To +name: Enforce authentication time-out when dealing with an authentication third party + (CSP) diff --git a/cres/Enforce_high_entropy_session_tokens.yaml b/cres/Enforce_high_entropy_session_tokens.yaml index f27869573..23c6afbfb 100644 --- a/cres/Enforce_high_entropy_session_tokens.yaml +++ b/cres/Enforce_high_entropy_session_tokens.yaml @@ -20,7 +20,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html - name: OPC + name: OWASP Proactive Controls section: C6 ltype: Linked To - document: @@ -32,7 +32,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.html#session-id-predictability-and-randomness - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-SESS-01 ltype: Linked To - document: 
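Review bot: The WSTG entry in the new file cres/Enforce_authentication_time-out_when_dealing_with_an_authentication_third_party_(CSP).yaml links to `01-Testing_for_Session_Management_Schema.html#session-id-predictability-and-randomness` (WSTG-SESS-01), which is about session ID randomness, while the control and its CWE-613 link are about time-out and re-authentication. The session time-out test that this patch uses for `Ensure session timeout (soft-hard)`, `07-Testing_Session_Timeout.html` with `section: WSTG-SESS-07`, looks like the closer match and is worth checking against the source mapping. The `NIST 800-63` entry is also the only Standard link in this file without a `hyperlink`.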
diff --git a/cres/Enforce_input_validation_on_a_trusted_service_layer.yaml b/cres/Enforce_input_validation_on_a_trusted_service_layer.yaml index c80fc5b39..2fcc694cd 100644 --- a/cres/Enforce_input_validation_on_a_trusted_service_layer.yaml +++ b/cres/Enforce_input_validation_on_a_trusted_service_layer.yaml @@ -23,7 +23,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c5-validate-all-inputs.html - name: OPC + name: OWASP Proactive Controls section: C5 ltype: Linked To - document: diff --git a/cres/Enforce_integrity_ckeck_for_externally_hosted_assets_(eg_SRI).yaml b/cres/Enforce_integrity_ckeck_for_externally_hosted_assets_(eg_SRI).yaml new file mode 100644 index 000000000..8f6ddb934 --- /dev/null +++ b/cres/Enforce_integrity_ckeck_for_externally_hosted_assets_(eg_SRI).yaml 
@@ -0,0 +1,48 @@ +doctype: CRE +id: 577-260 +links: +- document: + doctype: CRE + id: 613-285 + name: '>>Dependency strength' + ltype: Contains +- document: + doctype: CRE + id: 153-513 + name: '>>Development & operations' + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md + name: ASVS + section: V14.2.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/829.html + name: CWE + section: '829' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html + name: Cheat_sheets + section: Docker Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Vulnerable Dependency Management Cheat Sheet + ltype: Linked To +- document: + description: '"Ensure JavaScript source files are loaded from only trusted sources, + and the sources can''t be controlled by end users of the application."' + doctype: Tool + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CrossDomainScriptInclusionScanRule.java + name: 'ZAP Rule: "Cross-Domain JavaScript Source File Inclusion"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +name: Enforce integrity ckeck for externally hosted assets (eg SRI) diff --git a/cres/Enforce_least_privilege.yaml b/cres/Enforce_least_privilege.yaml index ed2264c62..7fc988319 100644 --- a/cres/Enforce_least_privilege.yaml +++ b/cres/Enforce_least_privilege.yaml 
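Review bot: The ZAP entry at the end of the new file cres/Enforce_integrity_ckeck_for_externally_hosted_assets_(eg_SRI).yaml stores its tag as `- '"Passive"'` and its description as a single-quoted string that starts and ends with `"`, so the parsed values contain literal double quotes. That looks like quoting left over from the alert source rather than intended content, and a tag filter for `Passive` or `Active` would presumably not match these entries. Stripping the surrounding quotes in the parser would give `- Passive`. The `Out of Band XSS` entry added in cres/Escape_output_against_XSS.yaml carries `- '"Active"'` in the same way.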
@@ -15,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c7-enforce-access-controls.html - name: OPC + name: OWASP Proactive Controls section: C7 ltype: Linked To - document: @@ -27,7 +27,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/01-Test_Role_Definitions.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-IDNT-01 ltype: Linked To - document: diff --git a/cres/Enforce_model-based_authorization_both_at_URI_and_final_resourc.yaml b/cres/Enforce_model-based_authorization_both_at_URI_and_final_resourc.yaml new file mode 100644 index 000000000..4724162bf --- /dev/null +++ b/cres/Enforce_model-based_authorization_both_at_URI_and_final_resourc.yaml @@ -0,0 +1,38 @@ +doctype: CRE +id: 664-080 +links: +- document: + doctype: CRE + id: 724-770 + name: '>>Authorized access' + ltype: Contains +- document: + doctype: CRE + id: 118-110 + name: API/web services + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x21-V13-API.md + name: ASVS + section: V13.1.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/285.html + name: CWE + section: '285' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet.html + name: Cheat_sheets + section: Web Service Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Server Side Request Forgery Prevention Cheat Sheet + ltype: Linked To +name: Enforce model-based authorization both at URI and final resourc 
diff --git a/cres/Enforce_natural_sequence_of_business_flows_to_avoid_abuse.yaml b/cres/Enforce_natural_sequence_of_business_flows_to_avoid_abuse.yaml index 14dee7450..362776615 100644 --- a/cres/Enforce_natural_sequence_of_business_flows_to_avoid_abuse.yaml +++ b/cres/Enforce_natural_sequence_of_business_flows_to_avoid_abuse.yaml @@ -23,7 +23,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-BUSL-$$ ltype: Linked To - document: diff --git a/cres/Enforce_schema_on_XML_structure-field.yaml b/cres/Enforce_schema_on_XML_structure-field.yaml index e6a9eddb7..2770149c2 100644 --- a/cres/Enforce_schema_on_XML_structure-field.yaml +++ b/cres/Enforce_schema_on_XML_structure-field.yaml @@ -21,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-INPV-07 ltype: Linked To - document: 
@@ -32,21 +32,24 @@ links: ltype: Linked To - document: doctype: Tool - name: 'ZAP Alert: "Remote Code Execution - CVE-2012-1823"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/RemoteCodeExecutionCve20121823ScanRule.java + name: 'ZAP Rule: "Remote Code Execution - CVE-2012-1823"' tags: - '"Active"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "Relative Path Confusion"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/RelativePathConfusionScanRule.java + name: 'ZAP Rule: "Relative Path Confusion"' tags: - '"Active"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "Source Code Disclosure - CVE-2012-1823"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureCve20121823ScanRule.java + name: 'ZAP Rule: "Source Code Disclosure - CVE-2012-1823"' tags: - '"Active"' tooltype: Offensive @@ -55,7 +58,8 @@ links: description: '"The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application."' doctype: Tool - name: 'ZAP Alert: "Httpoxy - Proxy Header Misuse"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttPoxyScanRule.java + name: 'ZAP Rule: "Httpoxy - Proxy Header Misuse"' tags: - '"Active"' tooltype: Offensive 
@@ -63,7 +67,8 @@ links: - document: description: '"Properly sanitize the user input for parameter delimiters"' doctype: Tool - name: 'ZAP Alert: "HTTP Parameter Pollution"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpParameterPollutionScanRule.java + name: 'ZAP Rule: "HTTP Parameter Pollution"' tags: - '"Active"' tooltype: Offensive diff --git a/cres/Enforce_schema_on_type-contents_of_structured_data.yaml b/cres/Enforce_schema_on_type-contents_of_structured_data.yaml index e5bb7af36..3f7d6b3ee 100644 --- a/cres/Enforce_schema_on_type-contents_of_structured_data.yaml +++ b/cres/Enforce_schema_on_type-contents_of_structured_data.yaml @@ -18,7 +18,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c5-validate-all-inputs.html - name: OPC + name: OWASP Proactive Controls section: C5 ltype: Linked To - document: @@ -30,7 +30,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/ - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-INPV-00 ltype: Linked To - document: 
@@ -47,21 +47,24 @@ links: ltype: Linked To - document: doctype: Tool - name: 'ZAP Alert: "Remote Code Execution - CVE-2012-1823"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/RemoteCodeExecutionCve20121823ScanRule.java + name: 'ZAP Rule: "Remote Code Execution - CVE-2012-1823"' tags: - '"Active"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "Relative Path Confusion"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/RelativePathConfusionScanRule.java + name: 'ZAP Rule: "Relative Path Confusion"' tags: - '"Active"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "Source Code Disclosure - CVE-2012-1823"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureCve20121823ScanRule.java + name: 'ZAP Rule: "Source Code Disclosure - CVE-2012-1823"' tags: - '"Active"' tooltype: Offensive @@ -70,7 +73,8 @@ links: description: '"The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application."' doctype: Tool - name: 'ZAP Alert: "Httpoxy - Proxy Header Misuse"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttPoxyScanRule.java + name: 'ZAP Rule: "Httpoxy - Proxy Header Misuse"' tags: - '"Active"' tooltype: Offensive 
@@ -78,7 +82,8 @@ links: - document: description: '"Properly sanitize the user input for parameter delimiters"' doctype: Tool - name: 'ZAP Alert: "HTTP Parameter Pollution"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpParameterPollutionScanRule.java + name: 'ZAP Rule: "HTTP Parameter Pollution"' tags: - '"Active"' tooltype: Offensive diff --git a/cres/Enfroce_access_control_on_trusted_service_layer.yaml b/cres/Enfroce_access_control_on_trusted_service_layer.yaml new file mode 100644 index 000000000..8585dd4f1 --- /dev/null +++ b/cres/Enfroce_access_control_on_trusted_service_layer.yaml 
@@ -0,0 +1,46 @@ +doctype: CRE +id: 650-560 +links: +- document: + doctype: CRE + id: 724-770 + name: '>>Authorized access' + ltype: Contains +- document: + doctype: CRE + id: 155-155 + name: Architecture + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V4-Access-Control.md + name: ASVS + section: V4.1.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/602.html + name: CWE + section: '602' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.html + name: (WSTG) Web Security Testing Guide + section: WSTG-ATHZ-02 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html + name: Cheat_sheets + section: Access Control Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Testing_Automation_Cheat_Sheet.html + name: Cheat_sheets + section: Authorization Testing Automation Cheat Sheet + ltype: Linked To +name: Enfroce access control on trusted service layer +tags: +- Architecture diff --git a/cres/Ensure_cryptographic_elements_can_be_upgraded_or_replaced.yaml b/cres/Ensure_cryptographic_elements_can_be_upgraded_or_replaced.yaml index fc3051f4b..69e7f730c 100644 --- a/cres/Ensure_cryptographic_elements_can_be_upgraded_or_replaced.yaml +++ b/cres/Ensure_cryptographic_elements_can_be_upgraded_or_replaced.yaml @@ -5,8 +5,6 @@ links: doctype: CRE id: 742-432 name: Encryption algorithms - tags: - - Cryptography ltype: Contains - document: doctype: Standard 
@@ -17,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c8-protect-data-everywhere.html - name: OPC + name: OWASP Proactive Controls section: C8 ltype: Linked To - document: @@ -38,13 +36,4 @@ links: name: Cheat_sheets section: Key Management Cheat Sheet ltype: Linked To -- document: - description: '"Protect the connection using HTTPS or use a stronger authentication - mechanism"' - doctype: Tool - name: 'ZAP Alert: "Weak Authentication Method"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME name: Ensure cryptographic elements can be upgraded or replaced diff --git a/cres/Ensure_integrity_of_DNS_entries_and_domains.yaml b/cres/Ensure_integrity_of_DNS_entries_and_domains.yaml index 22cdbd66b..b9ef4e9a3 100644 --- a/cres/Ensure_integrity_of_DNS_entries_and_domains.yaml +++ b/cres/Ensure_integrity_of_DNS_entries_and_domains.yaml @@ -3,6 +3,7 @@ id: 336-512 links: - document: doctype: CRE + id: 336-511 name: Network protection ltype: Contains - document: @@ -25,7 +26,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/10-Test_for_Subdomain_Takeover.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CONF-10 ltype: Linked To - document: diff --git a/cres/Ensure_proper_generation_of_secure_random.yaml b/cres/Ensure_proper_generation_of_secure_random.yaml index 1a4043d16..c6e59530e 100644 --- a/cres/Ensure_proper_generation_of_secure_random.yaml +++ b/cres/Ensure_proper_generation_of_secure_random.yaml @@ -8,11 +8,6 @@ links: tags: - Cryptography ltype: Contains -- document: - doctype: CRE - id: 170-772 - name: Cryptography - ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x14-V6-Cryptography.md 
@@ -28,9 +23,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CRYP-04 ltype: Linked To name: Ensure proper generation of secure random -tags: -- Cryptography diff --git a/cres/Ensure_secure_algorithms_for_generating_session_tokens.yaml b/cres/Ensure_secure_algorithms_for_generating_session_tokens.yaml index 4e6e79013..046c79f97 100644 --- a/cres/Ensure_secure_algorithms_for_generating_session_tokens.yaml +++ b/cres/Ensure_secure_algorithms_for_generating_session_tokens.yaml @@ -20,7 +20,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html - name: OPC + name: OWASP Proactive Controls section: C6 ltype: Linked To - document: @@ -32,7 +32,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.html#session-id-predictability-and-randomness - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-SESS-01 ltype: Linked To - document: diff --git a/cres/Ensure_session_timeout_(soft-hard).yaml b/cres/Ensure_session_timeout_(soft-hard).yaml index 65b72ae91..e233a00d9 100644 --- a/cres/Ensure_session_timeout_(soft-hard).yaml +++ b/cres/Ensure_session_timeout_(soft-hard).yaml @@ -4,7 +4,7 @@ links: - document: doctype: CRE id: 470-731 - name: Session lifecycle + name: Session logout and timeout ltype: Contains - document: doctype: CRE 
@@ -20,7 +20,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html - name: OPC + name: OWASP Proactive Controls section: C6 ltype: Linked To - document: @@ -32,7 +32,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/07-Testing_Session_Timeout.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-SESS-07 ltype: Linked To - document: diff --git a/cres/Ensure_that_secure_fail-safe_is_in_place_for_access_control.yaml b/cres/Ensure_that_secure_fail-safe_is_in_place_for_access_control.yaml index 2193bee56..0ccbaf34a 100644 --- a/cres/Ensure_that_secure_fail-safe_is_in_place_for_access_control.yaml +++ b/cres/Ensure_that_secure_fail-safe_is_in_place_for_access_control.yaml @@ -20,7 +20,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c10-handle-errors-exceptions.html - name: OPC + name: OWASP Proactive Controls section: C10 ltype: Linked To - document: @@ -32,7 +32,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/01-Testing_for_Error_Code.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-ERRH-01 ltype: Linked To - document: diff --git a/cres/Ensure_trusted_origin_of_third_party_resources.yaml b/cres/Ensure_trusted_origin_of_third_party_resources.yaml index 3d9f81ec1..620d1ec2a 100644 --- a/cres/Ensure_trusted_origin_of_third_party_resources.yaml +++ b/cres/Ensure_trusted_origin_of_third_party_resources.yaml @@ -3,8 +3,8 @@ id: 715-223 links: - document: doctype: CRE - id: 613-287 - name: Dependency integrity + id: 613-285 + name: '>>Dependency strength' ltype: Contains - document: doctype: Standard 
@@ -15,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c2-leverage-security-frameworks-libraries.html - name: OPC + name: OWASP Proactive Controls section: C2 ltype: Linked To - document: @@ -40,7 +40,8 @@ links: description: '"Ensure JavaScript source files are loaded from only trusted sources, and the sources can''t be controlled by end users of the application."' doctype: Tool - name: 'ZAP Alert: "Cross-Domain JavaScript Source File Inclusion"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CrossDomainScriptInclusionScanRule.java + name: 'ZAP Rule: "Cross-Domain JavaScript Source File Inclusion"' tags: - '"Passive"' tooltype: Offensive diff --git a/cres/Ensure_users_can_remove_or_export_their_data.yaml b/cres/Ensure_users_can_remove_or_export_their_data.yaml index fea84cb4e..d4eabad76 100644 --- a/cres/Ensure_users_can_remove_or_export_their_data.yaml +++ b/cres/Ensure_users_can_remove_or_export_their_data.yaml @@ -1,17 +1,17 @@ doctype: CRE id: 762-451 links: +- document: + doctype: CRE + id: 362-550 + name: '>>Personal data handling' + ltype: Contains - document: doctype: CRE id: 854-643 name: '>>Business logic' tags: - DOS - ltype: Contains -- document: - doctype: CRE - id: 028-728 - name: Personal data handling ltype: Related - document: doctype: Standard @@ -26,5 +26,3 @@ links: section: '212' ltype: Linked To name: Ensure users can remove or export their data -tags: -- Personal data handling diff --git a/cres/Escape_output_against_XSS.yaml b/cres/Escape_output_against_XSS.yaml index d461150eb..11a7db495 100644 --- a/cres/Escape_output_against_XSS.yaml +++ b/cres/Escape_output_against_XSS.yaml 
@@ -18,7 +18,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c4-encode-escape-data.html - name: OPC + name: OWASP Proactive Controls section: C4 ltype: Linked To - document: @@ -30,7 +30,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-INPV-01 ltype: Linked To - document: @@ -125,14 +125,16 @@ links: ltype: Linked To - document: doctype: Tool - name: 'ZAP Alert: "Cross Site Scripting (Reflected)"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CrossSiteScriptingScanRule.java + name: 'ZAP Rule: "Cross Site Scripting (Reflected)"' tags: - '"Active"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "Cross Site Scripting (Persistent)"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssScanRule.java + name: 'ZAP Rule: "Cross Site Scripting (Persistent)"' tags: - '"Active"' tooltype: Offensive @@ -140,7 +142,8 @@ links: - document: description: '"N/A"' doctype: Tool - name: 'ZAP Alert: "Cross Site Scripting (Persistent) - Prime"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssPrimeScanRule.java + name: 'ZAP Rule: "Cross Site Scripting (Persistent) - Prime"' tags: - '"Active"' tooltype: Offensive 
@@ -148,14 +151,24 @@ links: - document: description: '"N/A"' doctype: Tool - name: 'ZAP Alert: "Cross Site Scripting (Persistent) - Spider"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssSpiderScanRule.java + name: 'ZAP Rule: "Cross Site Scripting (Persistent) - Spider"' tags: - '"Active"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "Cross Site Scripting (DOM Based)"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/OutOfBandXssScanRule.java + name: 'ZAP Rule: "Out of Band XSS"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +- document: + doctype: Tool + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/domxss/src/main/java/org/zaproxy/zap/extension/domxss/DomXssScanRule.java + name: 'ZAP Rule: "Cross Site Scripting (DOM Based)"' tags: - '"Active"' tooltype: Offensive diff --git a/cres/Fail_securely.yaml b/cres/Fail_securely.yaml index d1d76741a..73bafffa6 100644 --- a/cres/Fail_securely.yaml +++ b/cres/Fail_securely.yaml @@ -21,5 +21,6 @@ links: hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-24 name: NIST 800-53 v5 section: SC-24 Fail in Known State + subsection: mapped under fail securely ltype: Linked To name: Fail securely diff --git a/cres/File_download.yaml b/cres/File_download.yaml index a179cfc14..dd7381df5 100644 --- a/cres/File_download.yaml +++ b/cres/File_download.yaml @@ -10,5 +10,14 @@ links: doctype: CRE id: 314-701 name: Whitelist file extensions served by web tier + tags: + - DOS + ltype: Contains +- document: + doctype: CRE + id: 545-243 + name: Block execution/output of uploaded files + tags: + - DOS ltype: Contains name: File download 
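Review bot: The `subsection: mapped under fail securely` line added to the NIST 800-53 v5 SC-24 link in Fail_securely.yaml reads like a mapping remark rather than a subsection of the standard. Guidelines.yaml gains `subsection: introduced new section` on its SC-18 link in the same way. If these are editor notes carried over from the source data, readers will see them as part of the control reference. I would drop the key from both links, or move the remark into a field meant for comments if the schema has one; the schema is not visible from this hunk.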
diff --git a/cres/File_execution.yaml b/cres/File_execution.yaml index 2d776f8f5..a074472ea 100644 --- a/cres/File_execution.yaml +++ b/cres/File_execution.yaml @@ -29,15 +29,13 @@ links: - document: doctype: CRE id: 737-086 - name: Ignore/at least validate filename metadata from untrusted origin (local + name: Ignore/at least validate filename metadata from untrusted origin (local file context, eg LFI) ltype: Contains - document: doctype: CRE id: 742-056 - name: Ignore/at least validate filename metadata from untrusted origin (remote + name: Ignore/at least validate filename metadata from untrusted origin (remote file context, eg RFI) - tags: - - SSRF ltype: Contains name: File execution diff --git a/cres/File_handling.yaml b/cres/File_handling.yaml index 59fe54bda..b4d5da9dd 100644 --- a/cres/File_handling.yaml +++ b/cres/File_handling.yaml @@ -23,11 +23,6 @@ links: id: 040-843 name: File download ltype: Contains -- document: - doctype: CRE - id: 545-243 - name: Block execution/output of uploaded files - ltype: Contains - document: doctype: CRE id: 451-082 diff --git a/cres/Force_format_strings_as_constants.yaml b/cres/Force_format_strings_as_constants.yaml index 20c54d635..7a178f417 100644 --- a/cres/Force_format_strings_as_constants.yaml +++ b/cres/Force_format_strings_as_constants.yaml @@ -5,8 +5,6 @@ links: doctype: CRE id: 866-553 name: Memory, String, and Unmanaged Code - tags: - - Injection ltype: Contains - document: doctype: Standard @@ -24,7 +22,8 @@ links: description: '"Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable."' doctype: Tool - name: 'ZAP Alert: "Format String Error"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRule.java + name: 'ZAP Rule: "Format String Error"' tags: - '"Active"' tooltype: Offensive 
diff --git a/cres/Force_output_encoding_for_specific_interpreters_context.yaml b/cres/Force_output_encoding_for_specific_interpreters_context.yaml index 604593b2c..2f6bc4917 100644 --- a/cres/Force_output_encoding_for_specific_interpreters_context.yaml +++ b/cres/Force_output_encoding_for_specific_interpreters_context.yaml @@ -18,7 +18,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c4-encode-escape-data.html - name: OPC + name: OWASP Proactive Controls section: C4 ltype: Linked To - document: @@ -30,7 +30,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/6-Appendix/D-Encoded_Injection.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-APPE-D ltype: Linked To - document: diff --git a/cres/Force_pipeline_to_check_outdated-insecure_components.yaml b/cres/Force_pipeline_to_check_outdated-insecure_components.yaml index 21fcbea62..fdc45bc6a 100644 --- a/cres/Force_pipeline_to_check_outdated-insecure_components.yaml +++ b/cres/Force_pipeline_to_check_outdated-insecure_components.yaml @@ -3,13 +3,13 @@ id: 053-751 links: - document: doctype: CRE - id: 613-286 - name: Dependency management + id: 613-285 + name: '>>Dependency strength' ltype: Contains - document: doctype: CRE - id: 433-442 - name: Development verification + id: 615-188 + name: Deployment process ltype: Related - document: doctype: Standard diff --git a/cres/Force_uniform_encoders_and_parsers_throughout_system.yaml b/cres/Force_uniform_encoders_and_parsers_throughout_system.yaml index 3af813a00..22ca02fd7 100644 --- a/cres/Force_uniform_encoders_and_parsers_throughout_system.yaml +++ b/cres/Force_uniform_encoders_and_parsers_throughout_system.yaml 
@@ -6,11 +6,6 @@ links: id: 118-110 name: API/web services ltype: Contains -- document: - doctype: CRE - id: 028-727 - name: SSRF - ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x21-V13-API.md @@ -36,5 +31,3 @@ links: section: Server Side Request Forgery Prevention Cheat Sheet ltype: Linked To name: Force uniform encoders and parsers throughout system -tags: -- SSRF diff --git a/cres/Generate_a_new_session_token_after_authentication.yaml b/cres/Generate_a_new_session_token_after_authentication.yaml index 7e8fa84d1..176e35097 100644 --- a/cres/Generate_a_new_session_token_after_authentication.yaml +++ b/cres/Generate_a_new_session_token_after_authentication.yaml @@ -15,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html - name: OPC + name: OWASP Proactive Controls section: C6 ltype: Linked To - document: @@ -32,7 +32,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/03-Testing_for_Session_Fixation.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-SESS-03 ltype: Linked To - document: @@ -46,11 +46,4 @@ links: name: NIST 800-63 section: '7.1' ltype: Linked To -- document: - doctype: Tool - name: 'ZAP Alert: "Session Fixation"' - tags: - - '"Active"' - tooltype: Offensive - ltype: SAME name: Generate a new session token after authentication diff --git a/cres/Guidelines.yaml b/cres/Guidelines.yaml index b4aed95ca..dffa2ce74 100644 --- a/cres/Guidelines.yaml +++ b/cres/Guidelines.yaml @@ -10,6 +10,7 @@ links: ltype: Contains - document: doctype: CRE + id: 840-758 name: Secure Development ltype: Contains - document: 
@@ -29,5 +30,6 @@ links: hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-18 name: NIST 800-53 v5 section: SC-18 Mobile Code + subsection: introduced new section ltype: Linked To name: Guidelines diff --git a/cres/HTTP_security_headers.yaml b/cres/HTTP_security_headers.yaml index e4a361c7d..0acedb110 100644 --- a/cres/HTTP_security_headers.yaml +++ b/cres/HTTP_security_headers.yaml @@ -11,7 +11,7 @@ links: - document: doctype: CRE id: 736-237 - name: Set metadata/content-Disposition for API responses + name: Set metadate/content-Disposition for API responses ltype: Contains - document: doctype: CRE @@ -38,7 +38,7 @@ links: - document: doctype: CRE id: 480-071 - name: Prevent Click jacking through X-Frame-Options or CSP + name: Configure X-Frame-Options for CSP properly ltype: Contains - document: doctype: CRE diff --git a/cres/Harden_application_by_excluding_unwanted_functiuonality.yaml b/cres/Harden_application_by_excluding_unwanted_functiuonality.yaml new file mode 100644 index 000000000..7a69a82b0 --- /dev/null +++ b/cres/Harden_application_by_excluding_unwanted_functiuonality.yaml @@ -0,0 +1,21 @@ +doctype: CRE +id: 154-031 +links: +- document: + doctype: CRE + id: 613-285 + name: '>>Dependency strength' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x18-V10-Malicious.md + name: ASVS + section: V10.2.6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/507.html + name: CWE + section: '507' + ltype: Linked To +name: Harden application by excluding unwanted functiuonality diff --git a/cres/Http_headers.yaml b/cres/Http_headers.yaml index 1a1b1195e..423ba0b18 100644 --- a/cres/Http_headers.yaml +++ b/cres/Http_headers.yaml 
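Review bot: Two link names in HTTP_security_headers.yaml get worse rather than better. `Set metadata/content-Disposition for API responses` becomes `Set metadate/...`, and 480-071 changes from `Prevent Click jacking through X-Frame-Options or CSP` to `Configure X-Frame-Options for CSP properly`, which drops the clickjacking purpose and describes X-Frame-Options as a CSP setting although they are separate response headers. Http_headers.yaml (`anti-caching` to `anti-chaching`) and Input_validation.yaml (`pollution` to `polution`) show the same kind of reversal, which suggests the files were regenerated from an older copy of the source data. I would keep the previous names, e.g. `name: Prevent Click jacking through X-Frame-Options or CSP`, and correct the data the generator reads so the next import does not bring the old spellings back.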
@@ -1,8 +1,9 @@ doctype: CRE +id: 473-759 links: - document: doctype: CRE id: 473-758 - name: Set sufficient anti-caching headers + name: Set sufficient anti-chaching headers ltype: Related name: Http headers diff --git a/cres/Identify_sensitive_data_and_subject_it_to_a_policy.yaml b/cres/Identify_sensitive_data_and_subject_it_to_a_policy.yaml index e64a1db27..a4b7dbcda 100644 --- a/cres/Identify_sensitive_data_and_subject_it_to_a_policy.yaml +++ b/cres/Identify_sensitive_data_and_subject_it_to_a_policy.yaml @@ -3,13 +3,9 @@ id: 227-045 links: - document: doctype: CRE - name: '>>Documentation and requirements' + id: 362-550 + name: '>>Personal data handling' ltype: Contains -- document: - doctype: CRE - id: 028-728 - name: Personal data handling - ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x16-V8-Data-Protection.md @@ -19,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c8-protect-data-everywhere.html - name: OPC + name: OWASP Proactive Controls section: C8 ltype: Linked To - document: 
@@ -28,167 +24,4 @@ links: name: CWE section: '200' ltype: Linked To -- document: - description: '"Review the source code of this page. Implement custom error pages. - Consider implementing a mechanism to provide a unique error reference/identifier - to the client (browser) while logging the details on the server side and not - exposing them to the user."' - doctype: Tool - name: 'ZAP Alert: "Application Error Disclosure"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Do not divulge details of whether a username is valid or invalid. - In particular, for unsuccessful login attempts, do not differentiate between - an invalid user and an invalid password in the error message, page title, page - contents, HTTP headers, or redirection logic."' - doctype: Tool - name: 'ZAP Alert: "Possible Username Enumeration"' - tags: - - '"Active"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Limit access to Symfony''s Profiler, either via authentication/authorization - or limiting inclusion of the header to specific clients (by IP, etc.)."' - doctype: Tool - name: 'ZAP Alert: "X-Debug-Token Information Leak"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Remove all comments that return information that may help an attacker - and fix any underlying problems they refer to."' - doctype: Tool - name: 'ZAP Alert: "Information Disclosure - Suspicious Comments in XML via WebSocket"' - tags: - - '"WebSocket Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Remove all comments that return information that may help an attacker - and fix any underlying problems they refer to."' - doctype: Tool - name: 'ZAP Alert: "Information Disclosure - Suspicious Comments"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Do not pass sensitive information in URIs."' - doctype: Tool - name: 'ZAP Alert: "Information Disclosure - 
Sensitive Information in HTTP Referrer - Header"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Disable debugging messages before pushing to production."' - doctype: Tool - name: 'ZAP Alert: "Information Disclosure - Debug Error Messages via WebSocket"' - tags: - - '"WebSocket Passive"' - tooltype: Offensive - ltype: SAME -- document: - doctype: Tool - name: 'ZAP Alert: "Proxy Disclosure"' - tags: - - '"Active"' - tooltype: Offensive - ltype: SAME -- document: - doctype: Tool - name: 'ZAP Alert: "Cookie Slack Detector"' - tags: - - '"Active"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Disable debugging messages before pushing to production."' - doctype: Tool - name: 'ZAP Alert: "Information Disclosure - Debug Error Messages"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Before allowing images to be stored on the server and/or transmitted - to the browser, strip out the embedded location information from image. This - could mean removing all Exif data or just the GPS component. Other data, like - serial numbers, should also be removed."' - doctype: Tool - name: 'ZAP Alert: "Image Exposes Location or Privacy Data"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Do not pass sensitive information in URIs."' - doctype: Tool - name: 'ZAP Alert: "Information Disclosure - Sensitive Information in URL"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"TBA"' - doctype: Tool - name: 'ZAP Alert: "Insecure HTTP Method"' - tags: - - '"Active"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Remove emails that are not public."' - doctype: Tool - name: 'ZAP Alert: "Email address found in WebSocket message"' - tags: - - '"WebSocket Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"For secure content, put session ID in a cookie. 
To be even more - secure consider using a combination of cookie and URL rewrite."' - doctype: Tool - name: 'ZAP Alert: "Session ID in URL Rewrite"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Remove the private IP address from the HTTP response body. For - comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can - be seen by client browsers."' - doctype: Tool - name: 'ZAP Alert: "Private IP Disclosure"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Ensure that your web server, application server, load balancer, - etc. is configured to suppress ''X-Powered-By'' headers."' - doctype: Tool - name: 'ZAP Alert: "Server Leaks Information via ''X-Powered-By'' HTTP Response - Header Field(s)"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Manually confirm that the timestamp data is not sensitive, and - that the data cannot be aggregated to disclose exploitable patterns."' - doctype: Tool - name: 'ZAP Alert: "Timestamp Disclosure"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME name: Identify sensitive data and subject it to a policy -tags: -- Personal data handling diff --git a/cres/Ignore-at_least_validate_filename_metadata_from_untrusted_origin_(local_file_context,_eg_LFI).yaml b/cres/Ignore-at_least_validate_filename_metadata_from_untrusted_origin_(local_file_context,_eg_LFI).yaml new file mode 100644 index 000000000..e0e5b37f2 --- /dev/null +++ b/cres/Ignore-at_least_validate_filename_metadata_from_untrusted_origin_(local_file_context,_eg_LFI).yaml 
@@ -0,0 +1,28 @@ +doctype: CRE +id: 737-086 +links: +- document: + doctype: CRE + id: 451-082 + name: File execution + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x20-V12-Files-Resources.md + name: ASVS + section: V12.3.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/73.html + name: CWE + section: '73' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.html + name: (WSTG) Web Security Testing Guide + section: WSTG-ATHZ-01 + ltype: Linked To +name: Ignore/at least validate filename metadata from untrusted origin (local file + context, eg LFI) diff --git a/cres/Ignore-at_least_validate_filename_metadata_from_untrusted_origin_(remote_file_context,_eg_RFI).yaml b/cres/Ignore-at_least_validate_filename_metadata_from_untrusted_origin_(remote_file_context,_eg_RFI).yaml new file mode 100644 index 000000000..37c44c504 --- /dev/null +++ b/cres/Ignore-at_least_validate_filename_metadata_from_untrusted_origin_(remote_file_context,_eg_RFI).yaml 
@@ -0,0 +1,36 @@ +doctype: CRE +id: 742-056 +links: +- document: + doctype: CRE + id: 451-082 + name: File execution + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x20-V12-Files-Resources.md + name: ASVS + section: V12.3.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/98.html + name: CWE + section: '98' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.html + name: (WSTG) Web Security Testing Guide + section: WSTG-ATHZ-01 + ltype: Linked To +- document: + doctype: Tool + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/RemoteFileIncludeScanRule.java + name: 'ZAP Rule: "Remote File Inclusion"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Ignore/at least validate filename metadata from untrusted origin (remote file + context, eg RFI) diff --git a/cres/Ignore-block_execution_logic_from_untrusted_sources.yaml b/cres/Ignore-block_execution_logic_from_untrusted_sources.yaml index 0a178cdcc..5905b5e1c 100644 --- a/cres/Ignore-block_execution_logic_from_untrusted_sources.yaml +++ b/cres/Ignore-block_execution_logic_from_untrusted_sources.yaml 
@@ -22,7 +22,8 @@ links: description: '"Ensure JavaScript source files are loaded from only trusted sources, and the sources can''t be controlled by end users of the application."' doctype: Tool - name: 'ZAP Alert: "Cross-Domain JavaScript Source File Inclusion"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CrossDomainScriptInclusionScanRule.java + name: 'ZAP Rule: "Cross-Domain JavaScript Source File Inclusion"' tags: - '"Passive"' tooltype: Offensive diff --git a/cres/Implement_business_logic_limits_against_identified_business_risks.yaml b/cres/Implement_business_logic_limits_against_identified_business_risks.yaml index 9cc54fbbd..42971b99c 100644 --- a/cres/Implement_business_logic_limits_against_identified_business_risks.yaml +++ b/cres/Implement_business_logic_limits_against_identified_business_risks.yaml @@ -23,7 +23,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-BUSL-$$ ltype: Linked To - document: diff --git a/cres/Inform_users_clearly_about_the_collection_and_use_of_personal_data,_and_use_it_only_after_opt-in_consent..yaml b/cres/Inform_users_clearly_about_the_collection_and_use_of_personal_data,_and_use_it_only_after_opt-in_consent..yaml new file mode 100644 index 000000000..74f3c2376 --- /dev/null +++ b/cres/Inform_users_clearly_about_the_collection_and_use_of_personal_data,_and_use_it_only_after_opt-in_consent..yaml 
@@ -0,0 +1,29 @@ +doctype: CRE +id: 082-327 +links: +- document: + doctype: CRE + id: 362-550 + name: '>>Personal data handling' + ltype: Contains +- document: + doctype: CRE + id: 854-643 + name: '>>Business logic' + tags: + - DOS + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x16-V8-Data-Protection.md + name: ASVS + section: V8.3.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/285.html + name: CWE + section: '285' + ltype: Linked To +name: Inform users clearly about the collection and use of personal data, and use + it only after opt-in consent. diff --git a/cres/Inform_users_for_authentication_renewal.yaml b/cres/Inform_users_for_authentication_renewal.yaml index 5cb87200d..3fb6f40e3 100644 --- a/cres/Inform_users_for_authentication_renewal.yaml +++ b/cres/Inform_users_for_authentication_renewal.yaml @@ -6,6 +6,11 @@ links: id: 586-842 name: '>>Secure user management' ltype: Contains +- document: + doctype: CRE + id: 270-568 + name: Authentication mechanism + ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md diff --git a/cres/Injection.yaml b/cres/Injection.yaml index c58c269df..2cfc26d28 100644 --- a/cres/Injection.yaml +++ b/cres/Injection.yaml @@ -1,27 +1,6 @@ doctype: CRE id: 760-764 links: -- document: - doctype: CRE - id: 764-765 - name: Sanitization and sandboxing - tags: - - Injection - - XSS - ltype: Related -- document: - doctype: CRE - id: 010-308 - name: Input validation - tags: - - Injection - - XSS - ltype: Related -- document: - doctype: CRE - id: 760-765 - name: XSS - ltype: Related - document: doctype: CRE id: 384-344 @@ -33,10 +12,11 @@ links: ltype: Related - document: doctype: CRE - id: 866-553 - name: Memory, String, and Unmanaged Code + id: 010-308 + name: Input validation tags: - Injection + - XSS ltype: Related - document: doctype: CRE 
@@ -48,18 +28,11 @@ links: ltype: Related - document: doctype: CRE - id: 541-441 - name: Validate HTTP request headers - tags: - - Injection - ltype: Related -- document: - doctype: CRE - id: 764-507 - name: Restrict XML parsing (against XXE) + id: 764-765 + name: Sanitization and sandboxing tags: - Injection - - Configuration + - XSS ltype: Related - document: doctype: CRE @@ -80,6 +53,10 @@ links: id: 546-564 name: '>>Tags' ltype: Contains +- document: + doctype: Standard + hyperlink: Loading... + name: Top10 2017 + section: A1-Injection + ltype: Linked To name: Injection -tags: -- XSS diff --git a/cres/Input_validation.yaml b/cres/Input_validation.yaml index 821140f25..c7aec1244 100644 --- a/cres/Input_validation.yaml +++ b/cres/Input_validation.yaml @@ -8,20 +8,13 @@ links: ltype: Contains - document: doctype: CRE - id: 146-706 - name: Enforce JSON schema before processing - ltype: Contains -- document: - doctype: CRE - id: 760-765 - name: XSS + id: 760-764 + name: Injection ltype: Related - document: doctype: CRE - id: 760-764 - name: Injection - tags: - - XSS + id: 028-726 + name: XSS ltype: Related - document: doctype: CRE @@ -38,7 +31,7 @@ links: - document: doctype: CRE id: 743-237 - name: Validatie/enforce HTTP inputs (against HTTP parameter pollution attacks) + name: Validatie/enforce HTTP inputs (against HTTP parameter polution attacks) ltype: Contains - document: doctype: CRE diff --git a/cres/Let_application_request_minimal_permisions.yaml b/cres/Let_application_request_minimal_permisions.yaml new file mode 100644 index 000000000..5df095815 --- /dev/null +++ b/cres/Let_application_request_minimal_permisions.yaml 
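Review bot: The Top10 2017 link added at the end of Injection.yaml (`@@ -80,6 +53,10 @@`) carries `hyperlink: Loading...`, which looks like placeholder text captured from a page that had not finished rendering, not a URL. Anything that renders or follows this field will produce a dead link for A1-Injection. Either set it to the real address, `hyperlink: <Top10 2017 A1-Injection URL>` (placeholder), or leave the key out until it is known. A check in the import step that `hyperlink` parses as an http(s) URL would catch other entries of this kind.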
@@ -0,0 +1,26 @@ +doctype: CRE +id: 540-566 +links: +- document: + doctype: CRE + id: 724-770 + name: '>>Authorized access' + ltype: Contains +- document: + doctype: CRE + id: 362-550 + name: '>>Personal data handling' + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x18-V10-Malicious.md + name: ASVS + section: V10.2.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/272.html + name: CWE + section: '272' + ltype: Linked To +name: Let application request minimal permisions diff --git a/cres/Let_cryptographic_modules_fail_securely.yaml b/cres/Let_cryptographic_modules_fail_securely.yaml index ae463f5dd..8f56c3f34 100644 --- a/cres/Let_cryptographic_modules_fail_securely.yaml +++ b/cres/Let_cryptographic_modules_fail_securely.yaml @@ -5,8 +5,6 @@ links: doctype: CRE id: 742-432 name: Encryption algorithms - tags: - - Cryptography ltype: Contains - document: doctype: CRE @@ -28,7 +26,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/02-Testing_for_Padding_Oracle.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CRYP-02 ltype: Linked To - document: diff --git a/cres/Limit-authorize_users_access_to_functionality.yaml b/cres/Limit-authorize_users_access_to_functionality.yaml index 4ce109b15..c417af32a 100644 --- a/cres/Limit-authorize_users_access_to_functionality.yaml +++ b/cres/Limit-authorize_users_access_to_functionality.yaml @@ -8,11 +8,6 @@ links: tags: - DOS ltype: Contains -- document: - doctype: CRE - id: 724-770 - name: '>>Authorized access' - ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x19-V11-BusLogic.md 
@@ -28,7 +23,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-BUSL-$$ ltype: Linked To - document: diff --git a/cres/Limit_REST_HTTP_methods.yaml b/cres/Limit_REST_HTTP_methods.yaml index 0d76ff80a..00a3e467e 100644 --- a/cres/Limit_REST_HTTP_methods.yaml +++ b/cres/Limit_REST_HTTP_methods.yaml @@ -21,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/03-Testing_for_HTTP_Verb_Tampering.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-INPV-03 ltype: Linked To - document: diff --git a/cres/Limit_access_to_admin-management_functionality.yaml b/cres/Limit_access_to_admin-management_functionality.yaml index b881498c1..ea2f82e0c 100644 --- a/cres/Limit_access_to_admin-management_functionality.yaml +++ b/cres/Limit_access_to_admin-management_functionality.yaml @@ -26,7 +26,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-ATHZ-02 ltype: Linked To - document: diff --git a/cres/Limit_modification_of_access_controls_to_specifically_authorized_actors-users.yaml b/cres/Limit_modification_of_access_controls_to_specifically_authorized_actors-users.yaml index cc1363643..62039507d 100644 --- a/cres/Limit_modification_of_access_controls_to_specifically_authorized_actors-users.yaml +++ b/cres/Limit_modification_of_access_controls_to_specifically_authorized_actors-users.yaml 
@@ -21,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-ATHZ-02 ltype: Linked To - document: diff --git a/cres/Limit_query_impact_GraphQL-data_layer_expression_DoS.yaml b/cres/Limit_query_impact_GraphQL-data_layer_expression_DoS.yaml index 140d6852a..7e53b9647 100644 --- a/cres/Limit_query_impact_GraphQL-data_layer_expression_DoS.yaml +++ b/cres/Limit_query_impact_GraphQL-data_layer_expression_DoS.yaml @@ -3,11 +3,8 @@ id: 268-088 links: - document: doctype: CRE - id: 764-765 - name: Sanitization and sandboxing - tags: - - Injection - - XSS + id: 118-110 + name: API/web services ltype: Contains - document: doctype: CRE diff --git a/cres/Lock-precompile_queries_(parameterization)_to_avoid_injection_attacks.yaml b/cres/Lock-precompile_queries_(parameterization)_to_avoid_injection_attacks.yaml index e49bae057..ed8c2fdd4 100644 --- a/cres/Lock-precompile_queries_(parameterization)_to_avoid_injection_attacks.yaml +++ b/cres/Lock-precompile_queries_(parameterization)_to_avoid_injection_attacks.yaml @@ -18,7 +18,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c3-secure-database-access.html - name: OPC + name: OWASP Proactive Controls section: C3 ltype: Linked To - document: @@ -30,7 +30,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-INPV-05 ltype: Linked To - document: 
@@ -125,56 +125,64 @@ links: ltype: Linked To - document: doctype: Tool - name: 'ZAP Alert: "SQL Injection - Oracle"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SqlInjectionOracleScanRule.java + name: 'ZAP Rule: "SQL Injection - Oracle"' tags: - '"Active"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "Advanced SQL Injection"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/sqliplugin/src/main/java/org/zaproxy/zap/extension/sqliplugin/SQLInjectionScanRule.java + name: 'ZAP Rule: "Advanced SQL Injection"' tags: - '"Active"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "SQL Injection - Hypersonic SQL"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SqlInjectionHypersonicScanRule.java + name: 'ZAP Rule: "SQL Injection - Hypersonic SQL"' tags: - '"Active"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "SQL Injection - MsSQL"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SqlInjectionMsSqlScanRule.java + name: 'ZAP Rule: "SQL Injection - MsSQL"' tags: - '"Active"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "SQL Injection - MySQL"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SqlInjectionMySqlScanRule.java + name: 'ZAP Rule: "SQL Injection - MySQL"' tags: - '"Active"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "SQL Injection - PostgreSQL"' + hyperlink: 
https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SqlInjectionPostgreScanRule.java + name: 'ZAP Rule: "SQL Injection - PostgreSQL"' tags: - '"Active"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "SQL Injection"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionScanRule.java + name: 'ZAP Rule: "SQL Injection"' tags: - '"Active"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "SQL Injection - SQLite"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SqlInjectionSqLiteScanRule.java + name: 'ZAP Rule: "SQL Injection - SQLite"' tags: - '"Active"' tooltype: Offensive diff --git a/cres/Log_access_protection.yaml b/cres/Log_access_protection.yaml index df8806974..fbf182561 100644 --- a/cres/Log_access_protection.yaml +++ b/cres/Log_access_protection.yaml @@ -1,5 +1,11 @@ doctype: CRE +id: 713-684 links: +- document: + doctype: CRE + id: 148-420 + name: Log integrity + ltype: Contains - document: doctype: CRE id: 713-683 diff --git a/cres/Log_consistent_format_across_system.yaml b/cres/Log_consistent_format_across_system.yaml new file mode 100644 index 000000000..1ee54d372 --- /dev/null +++ b/cres/Log_consistent_format_across_system.yaml 
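Review bot: The `hyperlink` values added to the eight ZAP SQL-injection entries in Lock-precompile_queries_(parameterization)_to_avoid_injection_attacks.yaml all point at `blob/main`, so they follow a moving branch and will break or show different code once a rule class is renamed or moved to another add-on. A commit-pinned permalink keeps the mapping reproducible, e.g. `hyperlink: https://github.com/zaproxy/zap-extensions/blob/<COMMIT_SHA>/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionScanRule.java` (the sha is a placeholder). The same applies to the other `ZAP Rule` hyperlinks this patch adds (LDAP, XPath, OS command injection, Shell Shock, directory browsing, cross-domain script inclusion, GET for POST). These files look generated, so the fix presumably belongs in the parser that emits them.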
@@ -0,0 +1,40 @@ +doctype: CRE +id: 260-200 +links: +- document: + doctype: CRE + id: 842-876 + name: '>>Logging and error handling' + ltype: Contains +- document: + doctype: CRE + id: 155-155 + name: Architecture + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.7.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c9-implement-security-logging-monitoring.html + name: OWASP Proactive Controls + section: C9 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/1009.html + name: CWE + section: '1009' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html + name: Cheat_sheets + section: Logging Cheat Sheet + ltype: Linked To +name: Log consistent format across system +tags: +- Architecture diff --git a/cres/Log_discretely.yaml b/cres/Log_discretely.yaml index 0171c3e6e..e8e5ddf9d 100644 --- a/cres/Log_discretely.yaml +++ b/cres/Log_discretely.yaml @@ -26,4 +26,10 @@ links: id: 015-063 name: Log access to sensitive data ltype: Related +- document: + doctype: Standard + hyperlink: Loading... + name: Top10 2017 + section: A3-Sensitive_Data_Exposure + ltype: Linked To name: Log discretely diff --git a/cres/Log_events_sufficiently_to_recreate_their_order.yaml b/cres/Log_events_sufficiently_to_recreate_their_order.yaml index 7a2cb73ab..f48fb8311 100644 --- a/cres/Log_events_sufficiently_to_recreate_their_order.yaml +++ b/cres/Log_events_sufficiently_to_recreate_their_order.yaml @@ -15,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c9-implement-security-logging-monitoring.html - name: OPC + name: OWASP Proactive Controls section: C9 ltype: Linked To - document: 
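Review bot: The Top10 2017 entry added in Log_discretely.yaml has `hyperlink: Loading...`, which is placeholder text from the source rather than a URL, so anything that renders or follows this field gets a dead link. Prevent_security_disclosure.yaml gains the same entry with the same value later in this patch. Either set the real URL for the Top 10 2017 A3 page or leave the `hyperlink` key out until it is known. It would also be worth having the importer reject `hyperlink` values that do not parse as an http(s) URL, so scraped placeholders cannot reach the data set.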
@@ -27,7 +27,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/02-Test_Application_Platform_Configuration.html#log-review - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CONF-02 ltype: Linked To - document: diff --git a/cres/Log_injection_protection.yaml b/cres/Log_injection_protection.yaml index 6942d5cff..24fcd2bb6 100644 --- a/cres/Log_injection_protection.yaml +++ b/cres/Log_injection_protection.yaml @@ -1,5 +1,11 @@ doctype: CRE +id: 821-541 links: +- document: + doctype: CRE + id: 148-420 + name: Log integrity + ltype: Contains - document: doctype: CRE id: 821-540 diff --git a/cres/Log_integrity.yaml b/cres/Log_integrity.yaml index 35a361ab1..349044f44 100644 --- a/cres/Log_integrity.yaml +++ b/cres/Log_integrity.yaml @@ -8,15 +8,18 @@ links: ltype: Contains - document: doctype: CRE - id: 260-200 - name: Log in consistent format across system - tags: - - Architecture + id: 713-684 + name: Log access protection ltype: Contains - document: doctype: CRE - id: 026-280 - name: Securely transfer logs (remotely) + id: 821-541 + name: Log injection protection + ltype: Contains +- document: + doctype: CRE + id: 770-362 + name: Log time synchronization ltype: Contains - document: doctype: Standard diff --git a/cres/Log_only_non-sensitive_data.yaml b/cres/Log_only_non-sensitive_data.yaml index 7768014bc..27c87c0e8 100644 --- a/cres/Log_only_non-sensitive_data.yaml +++ b/cres/Log_only_non-sensitive_data.yaml @@ -15,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c9-implement-security-logging-monitoring.html - name: OPC + name: OWASP Proactive Controls section: C9 ltype: Linked To - document: 
@@ -27,7 +27,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/02-Test_Application_Platform_Configuration.html#log-review - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CONF-02 ltype: Linked To - document: diff --git a/cres/Log_time_synchronization.yaml b/cres/Log_time_synchronization.yaml index c22719eeb..eaf637db4 100644 --- a/cres/Log_time_synchronization.yaml +++ b/cres/Log_time_synchronization.yaml @@ -1,5 +1,11 @@ doctype: CRE +id: 770-362 links: +- document: + doctype: CRE + id: 148-420 + name: Log integrity + ltype: Contains - document: doctype: CRE id: 770-361 diff --git a/cres/MFA-OTP.yaml b/cres/MFA-OTP.yaml index 8ee632d20..d8a64c861 100644 --- a/cres/MFA-OTP.yaml +++ b/cres/MFA-OTP.yaml @@ -14,7 +14,7 @@ links: - document: doctype: CRE id: 076-470 - name: Biometric authenticators only as secondary factors + name: Biometric autheticators only as seconday factors ltype: Contains - document: doctype: CRE @@ -25,7 +25,6 @@ links: doctype: CRE id: 841-757 name: Use approved cryptographic algorithms in generation, seeding and verification - of OTPs ltype: Contains - document: doctype: CRE @@ -55,7 +54,7 @@ links: - document: doctype: CRE id: 513-845 - name: Use unpredictable lookup secrets + name: Use upredictable lookup secrets ltype: Contains - document: doctype: CRE @@ -86,7 +85,7 @@ links: - document: doctype: CRE id: 102-811 - name: Communicate out of band authentication requests, codes or tokens independently + name: Communicate out of band authentication requests, codes or tokens Iindependently and securely ltype: Contains - document: 
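Review bot: The MFA-OTP.yaml hunks replace correctly spelled CRE names with misspelled ones (`autheticators`, `seconday`, `upredictable`, `Iindependently` here, `subsciber` and `passowrd` in the hunks that follow), and the hunk at -25,7 drops the continuation line `of OTPs`, which cuts that name off at `... generation, seeding and verification`. This reads like a regeneration from an older upstream sheet rather than an intended edit. If links are resolved by name anywhere, these entries would no longer match the linked CRE's own `name`; that cannot be confirmed from the diff. The same kind of regression appears in Manage_temporary_storage.yaml (`anti-chaching`) and Prevent_security_disclosure.yaml (`responce`).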
@@ -115,12 +114,12 @@ links: - document: doctype: CRE id: 553-413 - name: Support subscriber-provided authentication devices + name: Support subsciber-provided authentication devices ltype: Contains - document: doctype: CRE id: 681-823 - name: Defined lifetime of time-based one-time password + name: Defined lifetime of time-based one-time passowrd ltype: Contains - document: doctype: CRE @@ -129,14 +128,9 @@ links: ltype: Contains - document: doctype: CRE - id: 354-752 + id: 320-618 name: Do not offer weak (clear text) authenticators by default ltype: Contains -- document: - doctype: CRE - id: 270-634 - name: Send authentication secrets encrypted - ltype: Related name: MFA/OTP tags: - Cryptography diff --git a/cres/Maintain-manage_inventory_of_third_party_repositories.yaml b/cres/Maintain-manage_inventory_of_third_party_repositories.yaml index 157ecc47f..643ae9d15 100644 --- a/cres/Maintain-manage_inventory_of_third_party_repositories.yaml +++ b/cres/Maintain-manage_inventory_of_third_party_repositories.yaml @@ -3,8 +3,8 @@ id: 863-521 links: - document: doctype: CRE - id: 613-286 - name: Dependency management + id: 613-285 + name: '>>Dependency strength' ltype: Contains - document: doctype: CRE @@ -20,7 +20,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c2-leverage-security-frameworks-libraries.html - name: OPC + name: OWASP Proactive Controls section: C2 ltype: Linked To - document: diff --git a/cres/Make_(centrally)_available_secure_coding_resources_for_programmers.yaml b/cres/Make_(centrally)_available_secure_coding_resources_for_programmers.yaml index b6dd07aaa..1ab3b5c2b 100644 --- a/cres/Make_(centrally)_available_secure_coding_resources_for_programmers.yaml +++ b/cres/Make_(centrally)_available_secure_coding_resources_for_programmers.yaml 
@@ -3,10 +3,8 @@ id: 036-275 links: - document: doctype: CRE - id: 625-323 + id: 354-846 name: Documentation and requirements - tags: - - Architecture ltype: Contains - document: doctype: Standard diff --git a/cres/Manage_temporary_storage.yaml b/cres/Manage_temporary_storage.yaml index c0c2391cb..7724ba127 100644 --- a/cres/Manage_temporary_storage.yaml +++ b/cres/Manage_temporary_storage.yaml @@ -14,7 +14,7 @@ links: - document: doctype: CRE id: 473-758 - name: Set sufficient anti-caching headers + name: Set sufficient anti-chaching headers ltype: Contains - document: doctype: CRE @@ -41,5 +41,7 @@ links: hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-4 name: NIST 800-53 v5 section: SC-4 Information in Shared System Resources + subsection: mapped under manage cache for now because that section contains associated + ASVS items. Note that SC-4 is broader than cache. ltype: Linked To name: Manage temporary storage diff --git a/cres/Memory,_String,_and_Unmanaged_Code.yaml b/cres/Memory,_String,_and_Unmanaged_Code.yaml index 336cf6c6e..381e4e730 100644 --- a/cres/Memory,_String,_and_Unmanaged_Code.yaml +++ b/cres/Memory,_String,_and_Unmanaged_Code.yaml @@ -6,13 +6,6 @@ links: id: 503-455 name: '>>Input and output verification' ltype: Contains -- document: - doctype: CRE - id: 760-764 - name: Injection - tags: - - XSS - ltype: Related - document: doctype: CRE id: 824-732 @@ -29,5 +22,3 @@ links: name: Use memory-safe functions exclusively ltype: Contains name: Memory, String, and Unmanaged Code -tags: -- Injection diff --git a/cres/Monitor_expectation_of_usage_intensity_(e.g._number_of_requests).yaml b/cres/Monitor_expectation_of_usage_intensity_(e.g._number_of_requests).yaml index 4ced95a2a..df060aad5 100644 --- a/cres/Monitor_expectation_of_usage_intensity_(e.g._number_of_requests).yaml +++ b/cres/Monitor_expectation_of_usage_intensity_(e.g._number_of_requests).yaml 
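Review bot: In Manage_temporary_storage.yaml the new `subsection` on the NIST 800-53 SC-4 link holds an editorial remark (`mapped under manage cache for now because that section contains associated ASVS items...`) rather than a subsection identifier. Any consumer that displays or matches on `subsection` will treat the remark as part of the standard reference. The caveat that SC-4 is broader than cache is useful to keep, but it fits better in a YAML comment or in a free-text field such as `description`, if the schema allows one on Standard documents (not visible here).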
@@ -11,13 +11,13 @@ links: ltype: Contains - document: doctype: CRE - id: 623-550 - name: DOS + id: 842-876 + name: '>>Logging and error handling' ltype: Related - document: doctype: CRE - id: 842-876 - name: '>>Logging and error handling' + id: 623-550 + name: DOS ltype: Related - document: doctype: Standard diff --git a/cres/Monitor_for_realistic_human_time_business_logic_flows.yaml b/cres/Monitor_for_realistic_human_time_business_logic_flows.yaml index 568c8c954..ef3f5a0a6 100644 --- a/cres/Monitor_for_realistic_human_time_business_logic_flows.yaml +++ b/cres/Monitor_for_realistic_human_time_business_logic_flows.yaml @@ -8,11 +8,6 @@ links: tags: - DOS ltype: Contains -- document: - doctype: CRE - id: 623-550 - name: DOS - ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x19-V11-BusLogic.md @@ -28,7 +23,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-BUSL-$$ ltype: Linked To - document: @@ -38,5 +33,3 @@ links: section: Abuse Case Cheat Sheet ltype: Linked To name: Monitor for realistic "human time" business logic flows -tags: -- DOS diff --git a/cres/Monitor_suspected_automation_abuse.yaml b/cres/Monitor_suspected_automation_abuse.yaml index d26bd157e..e1bf153c2 100644 --- a/cres/Monitor_suspected_automation_abuse.yaml +++ b/cres/Monitor_suspected_automation_abuse.yaml @@ -13,11 +13,6 @@ links: id: 503-455 name: '>>Input and output verification' ltype: Related -- document: - doctype: CRE - id: 623-550 - name: DOS - ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x19-V11-BusLogic.md 
@@ -33,7 +28,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-BUSL-$$ ltype: Linked To - document: @@ -43,5 +38,3 @@ links: section: Abuse Case Cheat Sheet ltype: Linked To name: Monitor suspected automation abuse -tags: -- DOS diff --git a/cres/Monitor_unusual_activities_on_system.yaml b/cres/Monitor_unusual_activities_on_system.yaml index 877989247..09dc7c63b 100644 --- a/cres/Monitor_unusual_activities_on_system.yaml +++ b/cres/Monitor_unusual_activities_on_system.yaml @@ -8,11 +8,6 @@ links: tags: - DOS ltype: Contains -- document: - doctype: CRE - id: 623-550 - name: DOS - ltype: Related - document: doctype: CRE id: 842-876 @@ -27,7 +22,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c9-implement-security-logging-monitoring.html - name: OPC + name: OWASP Proactive Controls section: C9 ltype: Linked To - document: @@ -43,5 +38,3 @@ links: section: Abuse Case Cheat Sheet ltype: Linked To name: Monitor unusual activities on system -tags: -- DOS diff --git a/cres/Mutually_authenticate_application_components._Minimize_privileges.yaml b/cres/Mutually_authenticate_application_components._Minimize_privileges.yaml index b16b34997..11172615c 100644 --- a/cres/Mutually_authenticate_application_components._Minimize_privileges.yaml +++ b/cres/Mutually_authenticate_application_components._Minimize_privileges.yaml @@ -13,8 +13,7 @@ links: ltype: Related - document: doctype: CRE - id: 724-770 - name: '>>Authorized access' + name: Authorized access ltype: Related - document: doctype: Standard 
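Review bot: In Mutually_authenticate_application_components._Minimize_privileges.yaml the Related link loses `id: 724-770` and its name changes from `'>>Authorized access'` to `Authorized access`, leaving a CRE link with no id. The patch's file list includes `cres/>>Authorized_access.yaml`, so the target still appears to carry the `>>` prefix, and a name-only reference without it may not resolve. Other hunks in this patch go the opposite way and add missing ids (`id: 821-541`, `id: 713-684`). Keeping an `id:` line here, with whatever id the target file now declares, would be consistent with them.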
@@ -25,7 +24,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c3-secure-database-access.html - name: OPC + name: OWASP Proactive Controls section: C3 ltype: Linked To - document: diff --git a/cres/Network_protection.yaml b/cres/Network_protection.yaml index 35c72e32a..86aa59985 100644 --- a/cres/Network_protection.yaml +++ b/cres/Network_protection.yaml @@ -1,5 +1,13 @@ doctype: CRE +id: 336-511 links: +- document: + doctype: CRE + id: 783-355 + name: Deployment + tags: + - Configuration + ltype: Contains - document: doctype: CRE id: 336-512 diff --git a/cres/Notify_user_about_credential_change.yaml b/cres/Notify_user_about_credential_change.yaml index 6e81d111a..14f0164db 100644 --- a/cres/Notify_user_about_credential_change.yaml +++ b/cres/Notify_user_about_credential_change.yaml @@ -26,7 +26,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/02-Testing_for_Default_Credentials.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-ATHN-02 ltype: Linked To - document: diff --git a/cres/Notify_users_about_anomalies_in_their_usage_patterns.yaml b/cres/Notify_users_about_anomalies_in_their_usage_patterns.yaml index 0b4484a9f..67b9cc22f 100644 --- a/cres/Notify_users_about_anomalies_in_their_usage_patterns.yaml +++ b/cres/Notify_users_about_anomalies_in_their_usage_patterns.yaml @@ -6,6 +6,11 @@ links: id: 586-842 name: '>>Secure user management' ltype: Contains +- document: + doctype: CRE + id: 270-568 + name: Authentication mechanism + ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md diff --git a/cres/Offer_password_changing_functionality.yaml b/cres/Offer_password_changing_functionality.yaml index a0a4c9634..62d74d808 100644 
--- a/cres/Offer_password_changing_functionality.yaml +++ b/cres/Offer_password_changing_functionality.yaml @@ -6,6 +6,11 @@ links: id: 586-842 name: '>>Secure user management' ltype: Contains +- document: + doctype: CRE + id: 270-568 + name: Authentication mechanism + ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md @@ -21,7 +26,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-ATHN-07 ltype: Linked To - document: diff --git a/cres/Output_encoding_and_injection_prevention.yaml b/cres/Output_encoding_and_injection_prevention.yaml index 48a6c040d..5fdf8cd21 100644 --- a/cres/Output_encoding_and_injection_prevention.yaml +++ b/cres/Output_encoding_and_injection_prevention.yaml @@ -8,15 +8,13 @@ links: ltype: Contains - document: doctype: CRE - id: 760-765 - name: XSS + id: 760-764 + name: Injection ltype: Related - document: doctype: CRE - id: 760-764 - name: Injection - tags: - - XSS + id: 028-726 + name: XSS ltype: Related - document: doctype: CRE diff --git a/cres/Parse_JSON_safely.yaml b/cres/Parse_JSON_safely.yaml index a13a8f36c..600cd8a3b 100644 --- a/cres/Parse_JSON_safely.yaml +++ b/cres/Parse_JSON_safely.yaml @@ -1,6 +1,11 @@ doctype: CRE id: 387-848 links: +- document: + doctype: CRE + id: 836-068 + name: Deserialization Prevention + ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md 
@@ -16,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/02-Testing_for_JavaScript_Execution.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CLNT-02 ltype: Linked To - document: diff --git a/cres/Perform_cryptographic_operations_in_constant_time.yaml b/cres/Perform_cryptographic_operations_in_constant_time.yaml index 81031dcc3..14ca1ca8d 100644 --- a/cres/Perform_cryptographic_operations_in_constant_time.yaml +++ b/cres/Perform_cryptographic_operations_in_constant_time.yaml @@ -5,8 +5,6 @@ links: doctype: CRE id: 742-432 name: Encryption algorithms - tags: - - Cryptography ltype: Contains - document: doctype: Standard diff --git a/cres/Prevent_security_disclosure.yaml b/cres/Prevent_security_disclosure.yaml index 1a6a31f08..8850c256d 100644 --- a/cres/Prevent_security_disclosure.yaml +++ b/cres/Prevent_security_disclosure.yaml @@ -24,8 +24,14 @@ links: - document: doctype: CRE id: 403-005 - name: Do not disclose technical information in HTTP header or response + name: Do not disclose technical information in HTTP header or responce ltype: Contains +- document: + doctype: Standard + hyperlink: Loading... + name: Top10 2017 + section: A3-Sensitive_Data_Exposure + ltype: Linked To name: Prevent security disclosure tags: - Configuration diff --git a/cres/Proper_Configuration_foe_all_applications_and_frameworks.yaml b/cres/Proper_Configuration_foe_all_applications_and_frameworks.yaml new file mode 100644 index 000000000..0c10bd89d --- /dev/null +++ b/cres/Proper_Configuration_foe_all_applications_and_frameworks.yaml 
@@ -0,0 +1,36 @@ +doctype: CRE +id: 180-488 +links: +- document: + doctype: CRE + id: 180-487 + name: Server protection + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md + name: ASVS + section: V14.1.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/16.html + name: CWE + section: '16' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html + name: Cheat_sheets + section: Docker Security Cheat Sheet + ltype: Linked To +- document: + description: '"Ensure that only POST is accepted where POST is expected."' + doctype: Tool + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/GetForPostScanRule.java + name: 'ZAP Rule: "GET for POST"' + tags: + - '"Active"' + tooltype: Offensive + ltype: SAME +name: Proper Configuration foe all applications and frameworks diff --git a/cres/Protect_API_against_unauthorized_access-modification_(IDOR).yaml b/cres/Protect_API_against_unauthorized_access-modification_(IDOR).yaml index b959e3459..b69eefad0 100644 --- a/cres/Protect_API_against_unauthorized_access-modification_(IDOR).yaml +++ b/cres/Protect_API_against_unauthorized_access-modification_(IDOR).yaml @@ -21,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-ATHZ-04 ltype: Linked To - document: diff --git a/cres/Protect_against_JS_or_JSON_injection_attacks.yaml b/cres/Protect_against_JS_or_JSON_injection_attacks.yaml index d9e157c08..b2229b9b0 100644 --- a/cres/Protect_against_JS_or_JSON_injection_attacks.yaml 
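Review bot: The new file Proper_Configuration_foe_all_applications_and_frameworks.yaml has a typo in both its path and its `name` (`foe` for `for`), and since other CREs reference it by that name the typo is cheapest to fix before links accumulate: `name: Proper Configuration for all applications and frameworks`. The tag `'"Active"'` and the `description` also carry literal double quotes inside the YAML string. That looks like the parser not stripping quotes from its input, although the existing ZAP entries have the same shape.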
+++ b/cres/Protect_against_JS_or_JSON_injection_attacks.yaml @@ -18,7 +18,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c4-encode-escape-data.html - name: OPC + name: OWASP Proactive Controls section: C4 ltype: Linked To - document: @@ -30,7 +30,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CLNT-01 ltype: Linked To - document: diff --git a/cres/Protect_against_LDAP_injection.yaml b/cres/Protect_against_LDAP_injection.yaml index f9f760233..c750863ac 100644 --- a/cres/Protect_against_LDAP_injection.yaml +++ b/cres/Protect_against_LDAP_injection.yaml @@ -18,7 +18,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c4-encode-escape-data.html - name: OPC + name: OWASP Proactive Controls section: C4 ltype: Linked To - document: @@ -30,7 +30,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/06-Testing_for_LDAP_Injection.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-INPV-06 ltype: Linked To - document: @@ -125,7 +125,8 @@ links: ltype: Linked To - document: doctype: Tool - name: 'ZAP Alert: "LDAP Injection"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/LdapInjectionScanRule.java + name: 'ZAP Rule: "LDAP Injection"' tags: - '"Active"' tooltype: Offensive diff --git a/cres/Protect_against_LFI_-_RFI.yaml b/cres/Protect_against_LFI_-_RFI.yaml index fb3cd7702..f8af4acde 100644 --- a/cres/Protect_against_LFI_-_RFI.yaml 
+++ b/cres/Protect_against_LFI_-_RFI.yaml @@ -24,7 +24,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11-Testing_for_Code_Injection.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-INPV-11 ltype: Linked To - document: @@ -121,7 +121,8 @@ links: description: '"Ensure JavaScript source files are loaded from only trusted sources, and the sources can''t be controlled by end users of the application."' doctype: Tool - name: 'ZAP Alert: "Cross-Domain JavaScript Source File Inclusion"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CrossDomainScriptInclusionScanRule.java + name: 'ZAP Rule: "Cross-Domain JavaScript Source File Inclusion"' tags: - '"Passive"' tooltype: Offensive diff --git a/cres/Protect_against_OS_command_injection_attack.yaml b/cres/Protect_against_OS_command_injection_attack.yaml index d662c44df..f0c66e411 100644 --- a/cres/Protect_against_OS_command_injection_attack.yaml +++ b/cres/Protect_against_OS_command_injection_attack.yaml @@ -18,7 +18,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c4-encode-escape-data.html - name: OPC + name: OWASP Proactive Controls section: C4 ltype: Linked To - document: @@ -30,7 +30,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-INPV-12 ltype: Linked To - document: 
@@ -125,7 +125,8 @@ links: ltype: Linked To - document: doctype: Tool - name: 'ZAP Alert: "Remote OS Command Injection"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java + name: 'ZAP Rule: "Remote OS Command Injection"' tags: - '"Active"' tooltype: Offensive @@ -133,7 +134,8 @@ links: - document: description: '"Update Bash on the server to the latest version"' doctype: Tool - name: 'ZAP Alert: "Remote Code Execution - Shell Shock"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ShellShockScanRule.java + name: 'ZAP Rule: "Remote Code Execution - Shell Shock"' tags: - '"Active"' tooltype: Offensive diff --git a/cres/Protect_against_XML-XPath_injection.yaml b/cres/Protect_against_XML-XPath_injection.yaml index 3c22e43a1..0bf0eef3d 100644 --- a/cres/Protect_against_XML-XPath_injection.yaml +++ b/cres/Protect_against_XML-XPath_injection.yaml @@ -18,7 +18,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c4-encode-escape-data.html - name: OPC + name: OWASP Proactive Controls section: C4 ltype: Linked To - document: @@ -31,7 +31,7 @@ links: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.html; https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-INPV-07; WSTG-INPV-09 ltype: Linked To - document: 
@@ -126,7 +126,8 @@ links: ltype: Linked To - document: doctype: Tool - name: 'ZAP Alert: "XPath Injection"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/XpathInjectionScanRule.java + name: 'ZAP Rule: "XPath Injection"' tags: - '"Active"' tooltype: Offensive diff --git a/cres/Protect_against_directory_browsing-discovery_attacks.yaml b/cres/Protect_against_directory_browsing-discovery_attacks.yaml index e33d44fb8..348d3a00b 100644 --- a/cres/Protect_against_directory_browsing-discovery_attacks.yaml +++ b/cres/Protect_against_directory_browsing-discovery_attacks.yaml @@ -26,7 +26,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/03-Test_File_Extensions_Handling_for_Sensitive_Information.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CONF-03 ltype: Linked To - document: @@ -39,7 +39,8 @@ links: description: '"Disable directory browsing. If this is required, make sure the listed files does not induce risks."' doctype: Tool - name: 'ZAP Alert: "Directory Browsing"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRule.java + name: 'ZAP Rule: "Directory Browsing"' tags: - '"Active"' tooltype: Offensive diff --git a/cres/Protect_against_mass_parameter_assignment_attack.yaml b/cres/Protect_against_mass_parameter_assignment_attack.yaml index 5bb3d2110..4a8471fb6 100644 --- a/cres/Protect_against_mass_parameter_assignment_attack.yaml +++ b/cres/Protect_against_mass_parameter_assignment_attack.yaml 
@@ -18,7 +18,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c5-validate-all-inputs.html - name: OPC + name: OWASP Proactive Controls section: C5 ltype: Linked To - document: diff --git a/cres/Protect_communication_between_application_components.yaml b/cres/Protect_communication_between_application_components.yaml index 5fbf3fe51..bbd462eec 100644 --- a/cres/Protect_communication_between_application_components.yaml +++ b/cres/Protect_communication_between_application_components.yaml @@ -8,11 +8,6 @@ links: tags: - Cryptography ltype: Contains -- document: - doctype: CRE - id: 170-772 - name: Cryptography - ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md @@ -22,7 +17,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c3-secure-database-access.html - name: OPC + name: OWASP Proactive Controls section: C3 ltype: Linked To - document: @@ -44,5 +39,3 @@ links: section: TLS Cipher String Cheat Sheet ltype: Linked To name: Protect communication between application components -tags: -- Cryptography diff --git a/cres/Protect_logs_against_log_injection.yaml b/cres/Protect_logs_against_log_injection.yaml index 65920fb28..8038958b0 100644 --- a/cres/Protect_logs_against_log_injection.yaml +++ b/cres/Protect_logs_against_log_injection.yaml @@ -3,19 +3,13 @@ id: 821-540 links: - document: doctype: CRE + id: 821-541 name: Log injection protection ltype: Contains -- document: - doctype: CRE - id: 503-455 - name: '>>Input and output verification' - ltype: Related - document: doctype: CRE id: 760-764 name: Injection - tags: - - XSS ltype: Related - document: doctype: Standard 
@@ -26,7 +20,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c9-implement-security-logging-monitoring.html - name: OPC + name: OWASP Proactive Controls section: C9 ltype: Linked To - document: @@ -38,7 +32,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/03-Test_Integrity_Checks.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-BUSL-03 ltype: Linked To - document: @@ -47,20 +41,6 @@ links: name: Cheat_sheets section: Logging Cheat Sheet ltype: Linked To -- document: - description: '"Upgrade Log4j2 to version 2.15.0 or newer. In previous releases - (>2.10) this behavior can be mitigated by setting system property ''log4j2.formatMsgNoLookups'' - to ''true'' or by removing the JndiLookup class from the classpath (example: - zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). - Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) - protects against remote code execution by defaulting ''com.sun.jndi.rmi.object.trustURLCodebase'' - and ''com.sun.jndi.cosnaming.object.trustURLCodebase'' to ''false''."' - doctype: Tool - name: 'ZAP Alert: "Log4Shell (CVE-2021-44228)"' - tags: - - '"Active"' - tooltype: Offensive - ltype: SAME name: Protect logs against log injection tags: - Injection diff --git a/cres/Protect_logs_against_unauthorized_access.yaml b/cres/Protect_logs_against_unauthorized_access.yaml index f5a0a34bd..ba127c6b8 100644 --- a/cres/Protect_logs_against_unauthorized_access.yaml +++ b/cres/Protect_logs_against_unauthorized_access.yaml @@ -3,6 +3,7 @@ id: 713-683 links: - document: doctype: CRE + id: 713-684 name: Log access protection ltype: Contains - document: 
@@ -14,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c9-implement-security-logging-monitoring.html - name: OPC + name: OWASP Proactive Controls section: C9 ltype: Linked To - document: @@ -26,7 +27,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/03-Testing_for_Privilege_Escalation.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-ATHZ-03 ltype: Linked To - document: 
@@ -36,165 +37,4 @@ links: section: Logging Cheat Sheet.htmlhttps://cheatsheetseries.owasp.org/cheatsheets/Logging Cheat Sheet ltype: Linked To -- document: - description: '"Review the source code of this page. Implement custom error pages. - Consider implementing a mechanism to provide a unique error reference/identifier - to the client (browser) while logging the details on the server side and not - exposing them to the user."' - doctype: Tool - name: 'ZAP Alert: "Application Error Disclosure"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Do not divulge details of whether a username is valid or invalid. - In particular, for unsuccessful login attempts, do not differentiate between - an invalid user and an invalid password in the error message, page title, page - contents, HTTP headers, or redirection logic."' - doctype: Tool - name: 'ZAP Alert: "Possible Username Enumeration"' - tags: - - '"Active"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Limit access to Symfony''s Profiler, either via authentication/authorization - or limiting inclusion of the header to specific clients (by IP, etc.)."' - doctype: Tool - name: 'ZAP Alert: "X-Debug-Token Information Leak"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Remove all comments that return information that may help an attacker - and fix any underlying problems they refer to."' - doctype: Tool - name: 'ZAP Alert: "Information Disclosure - Suspicious Comments in XML via WebSocket"' - tags: - - '"WebSocket Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Remove all comments that return information that may help an attacker - and fix any underlying problems they refer to."' - doctype: Tool - name: 'ZAP Alert: "Information Disclosure - Suspicious Comments"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Do not pass sensitive information in 
URIs."' - doctype: Tool - name: 'ZAP Alert: "Information Disclosure - Sensitive Information in HTTP Referrer - Header"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Disable debugging messages before pushing to production."' - doctype: Tool - name: 'ZAP Alert: "Information Disclosure - Debug Error Messages via WebSocket"' - tags: - - '"WebSocket Passive"' - tooltype: Offensive - ltype: SAME -- document: - doctype: Tool - name: 'ZAP Alert: "Proxy Disclosure"' - tags: - - '"Active"' - tooltype: Offensive - ltype: SAME -- document: - doctype: Tool - name: 'ZAP Alert: "Cookie Slack Detector"' - tags: - - '"Active"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Disable debugging messages before pushing to production."' - doctype: Tool - name: 'ZAP Alert: "Information Disclosure - Debug Error Messages"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Before allowing images to be stored on the server and/or transmitted - to the browser, strip out the embedded location information from image. This - could mean removing all Exif data or just the GPS component. 
Other data, like - serial numbers, should also be removed."' - doctype: Tool - name: 'ZAP Alert: "Image Exposes Location or Privacy Data"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Do not pass sensitive information in URIs."' - doctype: Tool - name: 'ZAP Alert: "Information Disclosure - Sensitive Information in URL"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"TBA"' - doctype: Tool - name: 'ZAP Alert: "Insecure HTTP Method"' - tags: - - '"Active"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Remove emails that are not public."' - doctype: Tool - name: 'ZAP Alert: "Email address found in WebSocket message"' - tags: - - '"WebSocket Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"For secure content, put session ID in a cookie. To be even more - secure consider using a combination of cookie and URL rewrite."' - doctype: Tool - name: 'ZAP Alert: "Session ID in URL Rewrite"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Remove the private IP address from the HTTP response body. For - comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can - be seen by client browsers."' - doctype: Tool - name: 'ZAP Alert: "Private IP Disclosure"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Ensure that your web server, application server, load balancer, - etc. 
is configured to suppress ''X-Powered-By'' headers."' - doctype: Tool - name: 'ZAP Alert: "Server Leaks Information via ''X-Powered-By'' HTTP Response - Header Field(s)"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Manually confirm that the timestamp data is not sensitive, and - that the data cannot be aggregated to disclose exploitable patterns."' - doctype: Tool - name: 'ZAP Alert: "Timestamp Disclosure"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME name: Protect logs against unauthorized access diff --git a/cres/Provide_a_password_strength_meter.yaml b/cres/Provide_a_password_strength_meter.yaml index 78e170ed7..658109474 100644 --- a/cres/Provide_a_password_strength_meter.yaml +++ b/cres/Provide_a_password_strength_meter.yaml @@ -21,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-ATHN-07 ltype: Linked To - document: diff --git a/cres/Provide_options_to_view_entire_password_or_last_typed_character.yaml b/cres/Provide_options_to_view_entire_password_or_last_typed_character.yaml index 7bda23dea..977e6d2ac 100644 --- a/cres/Provide_options_to_view_entire_password_or_last_typed_character.yaml +++ b/cres/Provide_options_to_view_entire_password_or_last_typed_character.yaml @@ -21,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-ATHN-07 ltype: Linked To - document: diff --git a/cres/Provide_system_flexibility_for_access_control.yaml b/cres/Provide_system_flexibility_for_access_control.yaml index c97d26ceb..742330856 100644 
--- a/cres/Provide_system_flexibility_for_access_control.yaml +++ b/cres/Provide_system_flexibility_for_access_control.yaml @@ -30,7 +30,8 @@ links: is tied to an authorization check to ensure the user is authorized for the requested object. "' doctype: Tool - name: 'ZAP Alert: "Username Hash Found"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UsernameIdorScanRule.java + name: 'ZAP Rule: "Username Hash Found"' tags: - '"Passive"' tooltype: Offensive @@ -41,7 +42,8 @@ links: is tied to an authorization check to ensure the user is authorized for the requested object."' doctype: Tool - name: 'ZAP Alert: "Username Hash Found in WebSocket message"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/websocket/src/main/zapHomeFiles/scripts/templates/websocketpassive/Username%20Idor%20Scanner.js + name: 'ZAP Rule: "Username Hash Found in WebSocket message"' tags: - '"WebSocket Passive"' tooltype: Offensive diff --git a/cres/RESTful.yaml b/cres/RESTful.yaml index efb819122..90d2a9856 100644 --- a/cres/RESTful.yaml +++ b/cres/RESTful.yaml @@ -16,11 +16,14 @@ links: id: 543-512 name: Verify content-type for REST services ltype: Contains +- document: + doctype: CRE + id: 146-706 + name: Enforce JSON schema before processing + ltype: Contains - document: doctype: CRE id: 464-084 name: Add CSRF protection for cookie based REST services - tags: - - CSRF ltype: Contains name: RESTful diff --git a/cres/Re-authenticate_before_sensitive_transactions.yaml b/cres/Re-authenticate_before_sensitive_transactions.yaml index fc2f0feb3..dbddb03f9 100644 --- a/cres/Re-authenticate_before_sensitive_transactions.yaml +++ b/cres/Re-authenticate_before_sensitive_transactions.yaml 
@@ -21,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.html#session-id-predictability-and-randomness - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-SESS-01 ltype: Linked To - document: diff --git a/cres/Re-authentication_from_federation_or_assertion.yaml b/cres/Re-authentication_from_federation_or_assertion.yaml index 874175fb0..7db4809d0 100644 --- a/cres/Re-authentication_from_federation_or_assertion.yaml +++ b/cres/Re-authentication_from_federation_or_assertion.yaml @@ -15,7 +15,7 @@ links: - document: doctype: CRE id: 618-403 - name: Enforce authentication timeout when dealing with an authentication third + name: Enforce authentication time-out when dealing with an authentication third party (CSP) ltype: Contains - document: diff --git a/cres/Remove_dead_code.yaml b/cres/Remove_dead_code.yaml new file mode 100644 index 000000000..9375e3e0a --- /dev/null +++ b/cres/Remove_dead_code.yaml 
@@ -0,0 +1,39 @@ +doctype: CRE +id: 462-245 +links: +- document: + doctype: CRE + id: 613-285 + name: '>>Dependency strength' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md + name: ASVS + section: V14.2.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/1002.html + name: CWE + section: '1002' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html + name: (WSTG) Web Security Testing Guide + section: WSTG-CONF-04 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html + name: Cheat_sheets + section: Docker Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Vulnerable Dependency Management Cheat Sheet + ltype: Linked To +name: Remove dead code diff --git a/cres/Restrict_XML_parsing_(against_XXE).yaml b/cres/Restrict_XML_parsing_(against_XXE).yaml index 2614602e2..c8e443abb 100644 --- a/cres/Restrict_XML_parsing_(against_XXE).yaml +++ b/cres/Restrict_XML_parsing_(against_XXE).yaml @@ -3,6 +3,7 @@ id: 764-507 links: - document: doctype: CRE + id: 764-508 name: XML Parser hardening ltype: Contains - document: @@ -10,13 +11,6 @@ links: id: 486-813 name: Configuration ltype: Related -- document: - doctype: CRE - id: 760-764 - name: Injection - tags: - - XSS - ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md 
@@ -32,7 +26,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-INPV-07 ltype: Linked To - document: @@ -54,14 +48,11 @@ links: section: XML Security Cheat Sheet ltype: Linked To - document: - description: '"TBA"' - doctype: Tool - name: 'ZAP Alert: "XML External Entity Attack"' - tags: - - '"Active"' - tooltype: Offensive - ltype: SAME + doctype: Standard + hyperlink: Loading... + name: Top10 2017 + section: A4-XML_External_Entities_(XXE) + ltype: Linked To name: Restrict XML parsing (against XXE) tags: -- Injection - Configuration diff --git a/cres/Restrict_excessive_authentication.yaml b/cres/Restrict_excessive_authentication.yaml index e29f96232..b57a284fa 100644 --- a/cres/Restrict_excessive_authentication.yaml +++ b/cres/Restrict_excessive_authentication.yaml @@ -21,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/03-Testing_for_Weak_Lock_Out_Mechanism.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-ATHN-03 ltype: Linked To - document: diff --git a/cres/Sandbox,_containerize_and-or_isolate_applications_at_the_network_level.yaml b/cres/Sandbox,_containerize_and-or_isolate_applications_at_the_network_level.yaml index 40ff96acf..823bcf6ec 100644 --- a/cres/Sandbox,_containerize_and-or_isolate_applications_at_the_network_level.yaml +++ b/cres/Sandbox,_containerize_and-or_isolate_applications_at_the_network_level.yaml @@ -27,7 +27,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c5-validate-all-inputs.html - name: OPC + name: OWASP Proactive Controls section: C5 ltype: Linked To - document: 
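Review bot: The Top10 2017 entry added in the last hunk of `cres/Restrict_XML_parsing_(against_XXE).yaml` has `hyperlink: Loading...`, which looks like placeholder text captured from a page that had not finished rendering rather than a URL. Anything that renders or validates this field will treat it as a link target. Either replace it with the real address of the A4 page or drop the `hyperlink` key until it is known. It would also be worth having the import step reject `hyperlink` values that do not start with `https://`.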
diff --git a/cres/Sandbox_third_party_libraries.yaml b/cres/Sandbox_third_party_libraries.yaml index 390c681c0..4a4ed3649 100644 --- a/cres/Sandbox_third_party_libraries.yaml +++ b/cres/Sandbox_third_party_libraries.yaml @@ -3,8 +3,8 @@ id: 860-084 links: - document: doctype: CRE - id: 613-287 - name: Dependency integrity + id: 613-285 + name: '>>Dependency strength' ltype: Contains - document: doctype: Standard @@ -15,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c2-leverage-security-frameworks-libraries.html - name: OPC + name: OWASP Proactive Controls section: C2 ltype: Linked To - document: diff --git a/cres/Sanitization_and_sandboxing.yaml b/cres/Sanitization_and_sandboxing.yaml index ddba920d6..b87903ab2 100644 --- a/cres/Sanitization_and_sandboxing.yaml +++ b/cres/Sanitization_and_sandboxing.yaml @@ -8,22 +8,13 @@ links: ltype: Contains - document: doctype: CRE - id: 268-088 - name: Limit query impact GraphQL/data layer expression DoS - tags: - - DOS - ltype: Contains -- document: - doctype: CRE - id: 760-765 - name: XSS + id: 760-764 + name: Injection ltype: Related - document: doctype: CRE - id: 760-764 - name: Injection - tags: - - XSS + id: 028-726 + name: XSS ltype: Related - document: doctype: CRE @@ -56,8 +47,6 @@ links: id: 657-084 name: (SSRF) When depending on internal server input, use validation sanitization and whitelisting - tags: - - SSRF ltype: Contains - document: doctype: CRE diff --git a/cres/Sanitize,_disable,_or_sandbox_untrusted_scriptable_or_template_language_content.yaml b/cres/Sanitize,_disable,_or_sandbox_untrusted_scriptable_or_template_language_content.yaml index d6c4cc2ed..992dd89ae 100644 --- a/cres/Sanitize,_disable,_or_sandbox_untrusted_scriptable_or_template_language_content.yaml +++ b/cres/Sanitize,_disable,_or_sandbox_untrusted_scriptable_or_template_language_content.yaml 
@@ -24,7 +24,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/05-Testing_for_CSS_Injection.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CLNT-05 ltype: Linked To - document: @@ -52,16 +52,9 @@ links: section: Unvalidated Redirects and Forwards Cheat Sheet ltype: Linked To - document: - description: '"Ensure the .htaccess file is not accessible."' doctype: Tool - name: 'ZAP Alert: ".htaccess Information Leak"' - tags: - - '"Active"' - tooltype: Offensive - ltype: SAME -- document: - doctype: Tool - name: 'ZAP Alert: "Server Side Code Injection"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CodeInjectionScanRule.java + name: 'ZAP Rule: "Server Side Code Injection"' tags: - '"Active"' tooltype: Offensive @@ -71,7 +64,8 @@ links: if it isn''t then disable it. If it is then ensure access to it requires authentication and authorization. See also: https://elmah.github.io/a/securing-error-log-pages/"' doctype: Tool - name: 'ZAP Alert: "ELMAH Information Leak"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ElmahScanRule.java + name: 'ZAP Rule: "ELMAH Information Leak"' tags: - '"Active"' tooltype: Offensive diff --git a/cres/Sanitize-sandbox_user_input_where_template-injection_is_a_threat.yaml b/cres/Sanitize-sandbox_user_input_where_template-injection_is_a_threat.yaml index f40959c3a..5eea2c658 100644 --- a/cres/Sanitize-sandbox_user_input_where_template-injection_is_a_threat.yaml +++ b/cres/Sanitize-sandbox_user_input_where_template-injection_is_a_threat.yaml 
@@ -24,7 +24,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-INPV-18 ltype: Linked To - document: @@ -54,14 +54,16 @@ links: - document: description: '"Ensure the .htaccess file is not accessible."' doctype: Tool - name: 'ZAP Alert: ".htaccess Information Leak"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HtAccessScanRule.java + name: 'ZAP Rule: ".htaccess Information Leak"' tags: - '"Active"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "Server Side Code Injection"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CodeInjectionScanRule.java + name: 'ZAP Rule: "Server Side Code Injection"' tags: - '"Active"' tooltype: Offensive @@ -71,7 +73,8 @@ links: if it isn''t then disable it. If it is then ensure access to it requires authentication and authorization. See also: https://elmah.github.io/a/securing-error-log-pages/"' doctype: Tool - name: 'ZAP Alert: "ELMAH Information Leak"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ElmahScanRule.java + name: 'ZAP Rule: "ELMAH Information Leak"' tags: - '"Active"' tooltype: Offensive diff --git a/cres/Sanitize_filename_metadata_from_untrusted_origin_if_processing_is_required.yaml b/cres/Sanitize_filename_metadata_from_untrusted_origin_if_processing_is_required.yaml index 965722d2c..1386f9722 100644 --- a/cres/Sanitize_filename_metadata_from_untrusted_origin_if_processing_is_required.yaml +++ b/cres/Sanitize_filename_metadata_from_untrusted_origin_if_processing_is_required.yaml 
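Review bot: The `.htaccess Information Leak` rule stays linked with `ltype: SAME` in the second hunk of `cres/Sanitize-sandbox_user_input_where_template-injection_is_a_threat.yaml`, while this same commit removes that link from `cres/Sanitize,_disable,_or_sandbox_untrusted_scriptable_or_template_language_content.yaml`. The two files should agree. Judging by the rule names, neither it nor `ELMAH Information Leak` (third hunk) tests for template injection, so `SAME` probably overstates what a ZAP scan covers for this requirement. If the mapping comes from the parser rather than a manual choice, the fix belongs there; otherwise drop the `.htaccess` document here as well.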
@@ -21,12 +21,13 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-ATHZ-01 ltype: Linked To - document: doctype: Tool - name: 'ZAP Alert: "Path Traversal"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java + name: 'ZAP Rule: "Path Traversal"' tags: - '"Active"' tooltype: Offensive diff --git a/cres/Sanitize_unstructured_data.yaml b/cres/Sanitize_unstructured_data.yaml index 30a86d017..acba953c3 100644 --- a/cres/Sanitize_unstructured_data.yaml +++ b/cres/Sanitize_unstructured_data.yaml @@ -24,7 +24,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/ - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-INPV-00 ltype: Linked To - document: diff --git a/cres/Sanitize_untrusted_HTML_input.yaml b/cres/Sanitize_untrusted_HTML_input.yaml index 09125930d..2880c2230 100644 --- a/cres/Sanitize_untrusted_HTML_input.yaml +++ b/cres/Sanitize_untrusted_HTML_input.yaml @@ -18,7 +18,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c5-validate-all-inputs.html - name: OPC + name: OWASP Proactive Controls section: C5 ltype: Linked To - document: @@ -30,7 +30,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/03-Testing_for_HTML_Injection.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CLNT-03 ltype: Linked To - document: 
diff --git a/cres/Sanitize_user_input_before_passing_content_to_mail_systems_(SMTP-IMAP_injection).yaml b/cres/Sanitize_user_input_before_passing_content_to_mail_systems_(SMTP-IMAP_injection).yaml index 997a68168..d9200dfae 100644 --- a/cres/Sanitize_user_input_before_passing_content_to_mail_systems_(SMTP-IMAP_injection).yaml +++ b/cres/Sanitize_user_input_before_passing_content_to_mail_systems_(SMTP-IMAP_injection).yaml @@ -24,7 +24,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/10-Testing_for_IMAP_SMTP_Injection.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-INPV-10 ltype: Linked To - document: diff --git a/cres/Scan_untrusted_files_for_malware.yaml b/cres/Scan_untrusted_files_for_malware.yaml index 6a53dd61e..44a88faa6 100644 --- a/cres/Scan_untrusted_files_for_malware.yaml +++ b/cres/Scan_untrusted_files_for_malware.yaml @@ -21,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-BUSL-09 ltype: Linked To name: Scan untrusted files for malware diff --git a/cres/Secret_storage.yaml b/cres/Secret_storage.yaml index feb70c8ed..93541a42d 100644 --- a/cres/Secret_storage.yaml +++ b/cres/Secret_storage.yaml @@ -76,7 +76,7 @@ links: - document: doctype: CRE id: 287-305 - name: Document explicit key/secret management + name: Document explicit key/secret managementt ltype: Related - document: doctype: CRE diff --git a/cres/Secure_Development.yaml b/cres/Secure_Development.yaml index 80e5622b6..3e5d14bbd 100644 --- a/cres/Secure_Development.yaml +++ b/cres/Secure_Development.yaml 
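Review bot: The changed link name in `cres/Secret_storage.yaml` now reads `Document explicit key/secret managementt`, a typo the removed line did not have. The same kind of slip is introduced in `cres/Server_protection.yaml` (`Proper Configuration foe all applications and frameworks`, previously `for`) and in `cres/Session_token_generation.yaml` (`When storing session tokens in browers, use secure methods only`). Link names repeat the target CRE's own `name`, so if anything matches or de-duplicates on name these links would no longer line up with their targets; the importer is not visible from here. Suggested values are `name: Document explicit key/secret management`, `name: Proper Configuration for all applications and frameworks`, and `browsers` in the third.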
@@ -1,5 +1,11 @@ doctype: CRE +id: 840-758 links: +- document: + doctype: CRE + id: 153-513 + name: '>>Development & operations' + ltype: Contains - document: doctype: CRE id: 840-757 diff --git a/cres/Secure_auto-updates_over_full_stack.yaml b/cres/Secure_auto-updates_over_full_stack.yaml index 445b23223..e76ef5fe8 100644 --- a/cres/Secure_auto-updates_over_full_stack.yaml +++ b/cres/Secure_auto-updates_over_full_stack.yaml @@ -27,7 +27,8 @@ links: - document: description: '"Ensure that only POST is accepted where POST is expected."' doctype: Tool - name: 'ZAP Alert: "GET for POST"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/GetForPostScanRule.java + name: 'ZAP Rule: "GET for POST"' tags: - '"Active"' tooltype: Offensive diff --git a/cres/Secure_communication.yaml b/cres/Secure_communication.yaml new file mode 100644 index 000000000..6ed8a69c9 --- /dev/null +++ b/cres/Secure_communication.yaml @@ -0,0 +1,8 @@ +doctype: CRE +links: +- document: + doctype: CRE + id: 270-634 + name: Send authentication secrets encrypted + ltype: Related +name: Secure communication diff --git a/cres/Secure_random_values.yaml b/cres/Secure_random_values.yaml index e515ba1b5..f2b7aa504 100644 --- a/cres/Secure_random_values.yaml +++ b/cres/Secure_random_values.yaml @@ -20,8 +20,6 @@ links: doctype: CRE id: 664-571 name: Ensure proper generation of secure random - tags: - - Cryptography ltype: Contains - document: doctype: CRE diff --git a/cres/Secure_serialized_objects_(e.g._integrity_checks).yaml b/cres/Secure_serialized_objects_(e.g._integrity_checks).yaml index fa67b3434..1753ba42a 100644 --- a/cres/Secure_serialized_objects_(e.g._integrity_checks).yaml +++ b/cres/Secure_serialized_objects_(e.g._integrity_checks).yaml 
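Review bot: The new `cres/Secure_communication.yaml` is the only added CRE file in this part of the patch without an `id:` line. The hunk in `cres/Send_authentication_secrets_encrypted.yaml` also replaces the link to `id: 278-646` / `'>>Secure communication'` with a document that carries only `name: Secure communication`. That leaves a CRE that can be referenced by name only, next to the `>>Secure communication` entry listed in the diffstat. If this is meant to be the same node, keep `id: 278-646` on the link and drop the new file; if it is a distinct CRE, give it its own id in both places.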
@@ -15,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c5-validate-all-inputs.html - name: OPC + name: OWASP Proactive Controls section: C5 ltype: Linked To - document: diff --git a/cres/Secure_transfer_of_logs_(remotely).yaml b/cres/Secure_transfer_of_logs_(remotely).yaml new file mode 100644 index 000000000..ab213b3ed --- /dev/null +++ b/cres/Secure_transfer_of_logs_(remotely).yaml @@ -0,0 +1,27 @@ +doctype: CRE +id: 026-280 +links: +- document: + doctype: CRE + id: 842-876 + name: '>>Logging and error handling' + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: V1.7.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c9-implement-security-logging-monitoring.html + name: OWASP Proactive Controls + section: C9 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html + name: Cheat_sheets + section: Logging Cheat Sheet + ltype: Linked To +name: Secure transfer of logs (remotely) diff --git a/cres/Securely_store_files_with_untrusted_origin.yaml b/cres/Securely_store_files_with_untrusted_origin.yaml index c5cc0e465..3abb1ffff 100644 --- a/cres/Securely_store_files_with_untrusted_origin.yaml +++ b/cres/Securely_store_files_with_untrusted_origin.yaml @@ -21,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-BUSL-09 ltype: Linked To name: Securely store files with untrusted origin 
diff --git a/cres/Securely_store_regulated_data.yaml b/cres/Securely_store_regulated_data.yaml index e2c9948e3..37451269c 100644 --- a/cres/Securely_store_regulated_data.yaml +++ b/cres/Securely_store_regulated_data.yaml @@ -22,7 +22,5 @@ links: doctype: CRE id: 482-866 name: Encrypt personal data at rest - tags: - - Personal data handling ltype: Contains name: Securely store regulated data diff --git a/cres/Send_authentication_secrets_encrypted.yaml b/cres/Send_authentication_secrets_encrypted.yaml index 1e5d73c2c..6708f7737 100644 --- a/cres/Send_authentication_secrets_encrypted.yaml +++ b/cres/Send_authentication_secrets_encrypted.yaml @@ -8,15 +8,7 @@ links: ltype: Contains - document: doctype: CRE - id: 062-850 - name: MFA/OTP - tags: - - Cryptography - ltype: Related -- document: - doctype: CRE - id: 278-646 - name: '>>Secure communication' + name: Secure communication ltype: Related - document: doctype: Standard @@ -27,7 +19,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html - name: OPC + name: OWASP Proactive Controls section: C6 ltype: Linked To - document: @@ -39,7 +31,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/01-Testing_for_Credentials_Transported_over_an_Encrypted_Channel.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-ATHN-01 ltype: Linked To - document: diff --git a/cres/Separate_GraphQL_(or_similar)_authorization_logic_from_data_layer.yaml b/cres/Separate_GraphQL_(or_similar)_authorization_logic_from_data_layer.yaml index 4b22bf527..e0368a0eb 100644 --- a/cres/Separate_GraphQL_(or_similar)_authorization_logic_from_data_layer.yaml +++ b/cres/Separate_GraphQL_(or_similar)_authorization_logic_from_data_layer.yaml 
@@ -6,11 +6,6 @@ links: id: 118-110 name: API/web services ltype: Contains -- document: - doctype: CRE - id: 155-155 - name: Architecture - ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x21-V13-API.md @@ -24,5 +19,3 @@ links: section: '285' ltype: Linked To name: Separate GraphQL (or similar) authorization logic from data layer -tags: -- Architecture diff --git a/cres/Server_protection.yaml b/cres/Server_protection.yaml index 7e111e980..9c75d5eec 100644 --- a/cres/Server_protection.yaml +++ b/cres/Server_protection.yaml @@ -1,10 +1,16 @@ doctype: CRE +id: 180-487 links: - document: doctype: CRE - id: 180-488 - name: Proper Configuration for all applications and frameworks + id: 783-355 + name: Deployment tags: - Configuration ltype: Contains +- document: + doctype: CRE + id: 180-488 + name: Proper Configuration foe all applications and frameworks + ltype: Contains name: Server protection diff --git a/cres/Session_logout_and_timeout.yaml b/cres/Session_logout_and_timeout.yaml new file mode 100644 index 000000000..62f41d388 --- /dev/null +++ b/cres/Session_logout_and_timeout.yaml 
@@ -0,0 +1,47 @@ +doctype: CRE +id: 470-731 +links: +- document: + doctype: CRE + id: 177-260 + name: '>>Session management' + ltype: Contains +- document: + doctype: CRE + id: 673-736 + name: Enable option to log out from all active session + ltype: Contains +- document: + doctype: CRE + id: 238-346 + name: Terminate all sessions when password is changed + ltype: Contains +- document: + doctype: CRE + id: 457-165 + name: Terminate session after logout + ltype: Contains +- document: + doctype: CRE + id: 065-782 + name: Ensure session timeout (soft/hard) + ltype: Contains +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-10 + name: NIST 800-53 v5 + section: SC-10 NETWORK DISCONNECT + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-11 + name: NIST 800-53 v5 + section: AC-11 DEVICE LOCK + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-12 + name: NIST 800-53 v5 + section: AC-12 SESSION TERMINATION + ltype: Linked To +name: Session logout and timeout diff --git a/cres/Session_token_generation.yaml b/cres/Session_token_generation.yaml index f55576a2c..b08515f2e 100644 --- a/cres/Session_token_generation.yaml +++ b/cres/Session_token_generation.yaml @@ -6,6 +6,11 @@ links: id: 177-260 name: '>>Session management' ltype: Contains +- document: + doctype: CRE + id: 455-358 + name: When storing session tokens in browers, use secure methods only + ltype: Contains - document: doctype: CRE id: 704-530 diff --git a/cres/Set__Host_prefix_for_cookie-based_session_tokens.yaml b/cres/Set__Host_prefix_for_cookie-based_session_tokens.yaml new file mode 100644 index 000000000..b37895c25 --- /dev/null 
+++ b/cres/Set__Host_prefix_for_cookie-based_session_tokens.yaml @@ -0,0 +1,44 @@ +doctype: CRE +id: 232-034 +links: +- document: + doctype: CRE + id: 110-531 + name: Cookie-config + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md + name: ASVS + section: V3.4.4 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/16.html + name: CWE + section: '16' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html#domain-attribute + name: (WSTG) Web Security Testing Guide + section: WSTG-SESS-02 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Session Management Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Cross-Site Request Forgery Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 7.1.1 + ltype: Linked To +name: Set '_Host' prefix for cookie-based session tokens diff --git a/cres/Set_httponly_attribute_for_cookie-based_session_tokens.yaml b/cres/Set_httponly_attribute_for_cookie-based_session_tokens.yaml index c20225cc6..0d6962d20 100644 --- a/cres/Set_httponly_attribute_for_cookie-based_session_tokens.yaml +++ b/cres/Set_httponly_attribute_for_cookie-based_session_tokens.yaml @@ -3,11 +3,12 @@ id: 804-220 links: - document: doctype: CRE - name: Protect session ID + id: 110-531 + name: Cookie-config ltype: Contains - document: doctype: CRE - id: 760-765 + id: 028-726 name: XSS ltype: Related - document: 
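Review bot: The new CRE in cres/Set__Host_prefix_for_cookie-based_session_tokens.yaml is named `Set '_Host' prefix for cookie-based session tokens`, but the cookie prefix that ASVS V3.4.4 refers to is spelled `__Host-`, with two underscores and a trailing hyphen. Browsers apply the prefix restrictions (Secure required, Path=/, no Domain attribute) only to that exact spelling, so a reader who copies the name as written ends up with an ordinary cookie name and no protection. I would change the last line to `name: Set "__Host-" prefix for cookie-based session tokens`. The file name appears to be derived from the name, so it would change with it.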
@@ -19,7 +20,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html - name: OPC + name: OWASP Proactive Controls section: C6 ltype: Linked To - document: @@ -31,7 +32,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html#domain-attribute - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-SESS-02 ltype: Linked To - document: @@ -51,14 +52,6 @@ links: name: NIST 800-63 section: 7.1.1 ltype: Linked To -- document: - description: '"Ensure that the HttpOnly flag is set for all cookies."' - doctype: Tool - name: 'ZAP Alert: "Cookie No HttpOnly Flag"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME name: Set httponly attribute for cookie-based session tokens tags: - XSS diff --git a/cres/Set_metadate-content-Disposition_for_API_responses.yaml b/cres/Set_metadate-content-Disposition_for_API_responses.yaml new file mode 100644 index 000000000..95af5c894 --- /dev/null +++ b/cres/Set_metadate-content-Disposition_for_API_responses.yaml @@ -0,0 +1,27 @@ +doctype: CRE +id: 736-237 +links: +- document: + doctype: CRE + id: 636-347 + name: HTTP security headers + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md + name: ASVS + section: V14.4.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/116.html + name: CWE + section: '116' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html + name: Cheat_sheets + section: Content Security Policy Cheat Sheet + ltype: Linked To +name: Set metadate/content-Disposition for API responses 
diff --git a/cres/Set_path_attribute_in_cookie-bases_session_tokens_as_precise_as_possible.yaml b/cres/Set_path_attribute_in_cookie-bases_session_tokens_as_precise_as_possible.yaml new file mode 100644 index 000000000..96ea3f66e --- /dev/null +++ b/cres/Set_path_attribute_in_cookie-bases_session_tokens_as_precise_as_possible.yaml @@ -0,0 +1,50 @@ +doctype: CRE +id: 705-182 +links: +- document: + doctype: CRE + id: 110-531 + name: Cookie-config + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md + name: ASVS + section: V3.4.5 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html + name: OWASP Proactive Controls + section: C6 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/16.html + name: CWE + section: '16' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html#domain-attribute + name: (WSTG) Web Security Testing Guide + section: WSTG-SESS-02 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Session Management Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html + name: Cheat_sheets + section: Cross-Site Request Forgery Prevention Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 7.1.1 + ltype: Linked To +name: Set path attribute in cookie-bases session tokens as precise as possible 
diff --git a/cres/Set_proper_(C)_compiler_flags.yaml b/cres/Set_proper_(C)_compiler_flags.yaml index 9008a0bc0..17eefc15b 100644 --- a/cres/Set_proper_(C)_compiler_flags.yaml +++ b/cres/Set_proper_(C)_compiler_flags.yaml @@ -28,7 +28,8 @@ links: description: '"Rewrite the background program using proper return length checking. This will require a recompile of the background executable."' doctype: Tool - name: 'ZAP Alert: "Buffer Overflow"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRule.java + name: 'ZAP Rule: "Buffer Overflow"' tags: - '"Active"' tooltype: Offensive diff --git a/cres/Set_samesite_attribute_for_cookie-based_session_tokens.yaml b/cres/Set_samesite_attribute_for_cookie-based_session_tokens.yaml index 878dda828..695d06863 100644 --- a/cres/Set_samesite_attribute_for_cookie-based_session_tokens.yaml +++ b/cres/Set_samesite_attribute_for_cookie-based_session_tokens.yaml @@ -6,11 +6,6 @@ links: id: 110-531 name: Cookie-config ltype: Contains -- document: - doctype: CRE - id: 028-727 - name: CSRF - ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md @@ -20,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html - name: OPC + name: OWASP Proactive Controls section: C6 ltype: Linked To - document: @@ -32,7 +27,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html#domain-attribute - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-SESS-02 ltype: Linked To - document: 
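Review bot: The `hyperlink:` added for the ZAP rule in cres/Set_proper_(C)_compiler_flags.yaml points at `blob/main`, a moving branch. The ASVS links in the same files are pinned to `v4.0.2`. If the rule class is renamed or moved upstream, the link either breaks or shows a rule that no longer matches the description stored here. Pinning to a release tag or commit, `https://github.com/zaproxy/zap-extensions/blob/<tag-or-commit>/addOns/...`, keeps the mapping reproducible. The same applies to the ZAP hyperlinks added in the Use_CSRF_protection… and Use_approved_cryptographic_algorithms_in_generation… hunks.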
@@ -52,14 +47,4 @@ links: name: NIST 800-63 section: are g ltype: Linked To -- document: - description: '"Ensure that only POST is accepted where POST is expected."' - doctype: Tool - name: 'ZAP Alert: "GET for POST"' - tags: - - '"Active"' - tooltype: Offensive - ltype: SAME name: Set "samesite" attribute for cookie-based session tokens -tags: -- CSRF diff --git a/cres/Set_secure_attribute_for_cookie-based_session_tokens.yaml b/cres/Set_secure_attribute_for_cookie-based_session_tokens.yaml index 7e2947f48..321b94adb 100644 --- a/cres/Set_secure_attribute_for_cookie-based_session_tokens.yaml +++ b/cres/Set_secure_attribute_for_cookie-based_session_tokens.yaml @@ -3,7 +3,8 @@ id: 688-081 links: - document: doctype: CRE - name: Protect session ID + id: 110-531 + name: Cookie-config ltype: Contains - document: doctype: Standard @@ -14,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html - name: OPC + name: OWASP Proactive Controls section: C6 ltype: Linked To - document: @@ -26,7 +27,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html#domain-attribute - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-SESS-02 ltype: Linked To - document: @@ -46,14 +47,4 @@ links: name: NIST 800-63 section: 7.1.1 ltype: Linked To -- document: - description: '"Whenever a cookie contains sensitive information or is a session - token, then it should always be passed using an encrypted channel. Ensure that - the secure flag is set for cookies containing such sensitive information."' - doctype: Tool - name: 'ZAP Alert: "Cookie Without Secure Flag"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME name: Set "secure" attribute for cookie-based session tokens 
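Review bot: The NIST 800-63 link kept as context in the last hunk of cres/Set_samesite_attribute_for_cookie-based_session_tokens.yaml still has `section: are g`, which looks like a fragment of a sentence rather than a section number. The sibling cookie-attribute CREs in this change (httponly, secure, path, `_Host`) all reference `section: 7.1.1` for the same standard, so this is presumably the intended value here too. It should be checked against the source spreadsheet and corrected while the entry is being edited. This hunk also drops the only CSRF tag and ZAP link from the CRE, which leaves the garbled reference as one of its few remaining mappings.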
diff --git a/cres/Set_sufficient_anti-chaching_headers.yaml b/cres/Set_sufficient_anti-chaching_headers.yaml new file mode 100644 index 000000000..976343fb7 --- /dev/null +++ b/cres/Set_sufficient_anti-chaching_headers.yaml @@ -0,0 +1,32 @@ +doctype: CRE +id: 473-758 +links: +- document: + doctype: CRE + id: 208-830 + name: Manage temporary storage + ltype: Contains +- document: + doctype: CRE + id: 473-759 + name: Http headers + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x16-V8-Data-Protection.md + name: ASVS + section: V8.2.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/525.html + name: CWE + section: '525' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/06-Testing_for_Browser_Cache_Weaknesses.html + name: (WSTG) Web Security Testing Guide + section: WSTG-ATHN-06 + ltype: Linked To +name: Set sufficient anti-chaching headers diff --git a/cres/Set_the_highest_feasible_iteration_count_for_PBKDF2.yaml b/cres/Set_the_highest_feasible_iteration_count_for_PBKDF2.yaml index 738e02fb9..b98655513 100644 --- a/cres/Set_the_highest_feasible_iteration_count_for_PBKDF2.yaml +++ b/cres/Set_the_highest_feasible_iteration_count_for_PBKDF2.yaml @@ -17,7 +17,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html - name: OPC + name: OWASP Proactive Controls section: C6 ltype: Linked To - document: diff --git a/cres/Set_the_highest_feasible_work_factor_for_bcrypt.yaml b/cres/Set_the_highest_feasible_work_factor_for_bcrypt.yaml index 249881900..b1c3d9b45 100644 --- a/cres/Set_the_highest_feasible_work_factor_for_bcrypt.yaml +++ b/cres/Set_the_highest_feasible_work_factor_for_bcrypt.yaml 
@@ -17,7 +17,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html - name: OPC + name: OWASP Proactive Controls section: C6 ltype: Linked To - document: diff --git a/cres/Show_generic_message_for_security_exceptions_or_unanticipated_exceptions.yaml b/cres/Show_generic_message_for_security_exceptions_or_unanticipated_exceptions.yaml index 9f0cff463..5175c5b75 100644 --- a/cres/Show_generic_message_for_security_exceptions_or_unanticipated_exceptions.yaml +++ b/cres/Show_generic_message_for_security_exceptions_or_unanticipated_exceptions.yaml @@ -15,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c10-handle-errors-exceptions.html - name: OPC + name: OWASP Proactive Controls section: C10 ltype: Linked To - document: @@ -27,7 +27,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/02-Testing_for_Stack_Traces.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-ERRH-02 ltype: Linked To - document: diff --git a/cres/Store_and_serve_user-uploaded_files_such_that_they_cannot_execute-damage_server_or_client.yaml b/cres/Store_and_serve_user-uploaded_files_such_that_they_cannot_execute-damage_server_or_client.yaml index 357a549a2..0a1354dfe 100644 --- a/cres/Store_and_serve_user-uploaded_files_such_that_they_cannot_execute-damage_server_or_client.yaml +++ b/cres/Store_and_serve_user-uploaded_files_such_that_they_cannot_execute-damage_server_or_client.yaml @@ -8,15 +8,13 @@ links: ltype: Contains - document: doctype: CRE - id: 760-765 - name: XSS + id: 760-764 + name: Injection ltype: Related - document: doctype: CRE - id: 760-764 - name: Injection - tags: - - XSS + id: 028-726 + name: XSS ltype: Related - document: doctype: Standard 
diff --git a/cres/Store_passwords_salted_and_hashed.yaml b/cres/Store_passwords_salted_and_hashed.yaml index 39d7d7401..856342745 100644 --- a/cres/Store_passwords_salted_and_hashed.yaml +++ b/cres/Store_passwords_salted_and_hashed.yaml @@ -17,7 +17,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html - name: OPC + name: OWASP Proactive Controls section: C6 ltype: Linked To - document: diff --git a/cres/Support_subsciber-provided_authentication_devices.yaml b/cres/Support_subsciber-provided_authentication_devices.yaml new file mode 100644 index 000000000..2b6353928 --- /dev/null +++ b/cres/Support_subsciber-provided_authentication_devices.yaml @@ -0,0 +1,28 @@ +doctype: CRE +id: 553-413 +links: +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.3.2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/308.html + name: CWE + section: '308' + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 6.1.3 + ltype: Linked To +name: Support subsciber-provided authentication devices diff --git a/cres/Synchronize_time_zones_for_logs.yaml b/cres/Synchronize_time_zones_for_logs.yaml index 7540f03bf..8e435d88a 100644 --- a/cres/Synchronize_time_zones_for_logs.yaml +++ b/cres/Synchronize_time_zones_for_logs.yaml @@ -3,6 +3,7 @@ id: 770-361 links: - document: doctype: CRE + id: 770-362 name: Log time synchronization ltype: Contains - document: @@ -14,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c9-implement-security-logging-monitoring.html - name: OPC + name: OWASP Proactive Controls section: C9 ltype: Linked To - document: 
diff --git a/cres/TLS.yaml b/cres/TLS.yaml index b048710c8..788f08a83 100644 --- a/cres/TLS.yaml +++ b/cres/TLS.yaml @@ -1,10 +1,6 @@ doctype: CRE id: 228-551 links: -- document: - doctype: CRE - name: Cryptoghraphy - ltype: Related - document: doctype: CRE id: 726-868 @@ -12,6 +8,10 @@ links: tags: - Architecture ltype: Related +- document: + doctype: CRE + name: Cryptoghraphy + ltype: Related - document: doctype: CRE id: 745-045 @@ -43,8 +43,6 @@ links: doctype: CRE id: 248-646 name: Disable insecure SSL/TLS versions - tags: - - Cryptography ltype: Contains - document: doctype: CRE diff --git a/cres/Techniques.yaml b/cres/Techniques.yaml index c01735d4b..f3d01d5c1 100644 --- a/cres/Techniques.yaml +++ b/cres/Techniques.yaml @@ -3,6 +3,7 @@ id: 255-443 links: - document: doctype: CRE + id: 840-758 name: Secure Development ltype: Contains - document: @@ -10,6 +11,7 @@ links: hyperlink: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-44 name: NIST 800-53 v5 section: SC-44 Detonation Chambers + subsection: mapped to new section secure development/techniques ltype: Linked To - document: doctype: Standard diff --git a/cres/Terminate_all_sessions_when_password_is_changed.yaml b/cres/Terminate_all_sessions_when_password_is_changed.yaml index ae71bbf38..4fa028e3d 100644 --- a/cres/Terminate_all_sessions_when_password_is_changed.yaml +++ b/cres/Terminate_all_sessions_when_password_is_changed.yaml @@ -4,7 +4,7 @@ links: - document: doctype: CRE id: 470-731 - name: Session lifecycle + name: Session logout and timeout ltype: Contains - document: doctype: Standard 
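Review bot: The first hunk of cres/TLS.yaml moves the `name: Cryptoghraphy` link further down but keeps both the misspelling and the missing `id:`. Elsewhere in this diff the Cryptography CRE is referenced as `id: 170-772` with `name: Cryptography`, so this name-only entry probably cannot be matched to it and would leave TLS without its relation to the cryptography topic. If that CRE still exists after this change, the entry should read `id: 170-772` and `name: Cryptography`. If it was retired, the link should be dropped rather than carried forward.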
@@ -21,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/06-Testing_for_Logout_Functionality.html#testing-for-server-side-session-termination - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-SESS-06 ltype: Linked To - document: diff --git a/cres/Terminate_session_after_logout.yaml b/cres/Terminate_session_after_logout.yaml index 0418b76de..4e205fe4e 100644 --- a/cres/Terminate_session_after_logout.yaml +++ b/cres/Terminate_session_after_logout.yaml @@ -4,7 +4,7 @@ links: - document: doctype: CRE id: 470-731 - name: Session lifecycle + name: Session logout and timeout ltype: Contains - document: doctype: Standard @@ -15,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html - name: OPC + name: OWASP Proactive Controls section: C6 ltype: Linked To - document: @@ -32,7 +32,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/06-Testing_for_Logout_Functionality.html#testing-for-server-side-session-termination - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-SESS-06 ltype: Linked To - document: diff --git a/cres/Threat_model_every_design_change_or_sprint.yaml b/cres/Threat_model_every_design_change_or_sprint.yaml index 64800ac8b..a0e1812f2 100644 --- a/cres/Threat_model_every_design_change_or_sprint.yaml +++ b/cres/Threat_model_every_design_change_or_sprint.yaml @@ -6,11 +6,6 @@ links: id: 433-442 name: Development verification ltype: Contains -- document: - doctype: CRE - id: 155-155 - name: Architecture - ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x10-V1-Architecture.md 
@@ -42,5 +37,3 @@ links: section: Attack Surface Analysis Cheat Sheet ltype: Linked To name: Threat model every design change or sprint -tags: -- Architecture diff --git a/cres/Token-based_session_management.yaml b/cres/Token-based_session_management.yaml new file mode 100644 index 000000000..826b46bc3 --- /dev/null +++ b/cres/Token-based_session_management.yaml @@ -0,0 +1,19 @@ +doctype: CRE +id: 114-277 +links: +- document: + doctype: CRE + id: 177-260 + name: '>>Session management' + ltype: Contains +- document: + doctype: CRE + id: 551-054 + name: Use ephemeral secrets rather than static secrets + ltype: Contains +- document: + doctype: CRE + id: 483-883 + name: Using stateless tokens, ensure cryptographically secure characteristics + ltype: Contains +name: Token-based session management diff --git a/cres/Update_third_party_components_build-_or_compiletime.yaml b/cres/Update_third_party_components_build-_or_compiletime.yaml new file mode 100644 index 000000000..1ddcc4483 --- /dev/null +++ b/cres/Update_third_party_components_build-_or_compiletime.yaml 
@@ -0,0 +1,44 @@ +doctype: CRE +id: 715-334 +links: +- document: + doctype: CRE + id: 613-285 + name: '>>Dependency strength' + ltype: Contains +- document: + doctype: CRE + id: 601-155 + name: Developer Configuration Management + ltype: Related +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md + name: ASVS + section: V14.2.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c2-leverage-security-frameworks-libraries.html + name: OWASP Proactive Controls + section: C2 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/1026.html + name: CWE + section: '1026' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html + name: Cheat_sheets + section: Docker Security Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Vulnerable Dependency Management Cheat Sheet + ltype: Linked To +name: Update third party components build- or compiletime diff --git a/cres/Use_ABAC-FBAC_on_data-feature_level,_even_when_using_RBAC_for_permissions.yaml b/cres/Use_ABAC-FBAC_on_data-feature_level,_even_when_using_RBAC_for_permissions.yaml index 8609a289e..20437b87e 100644 --- a/cres/Use_ABAC-FBAC_on_data-feature_level,_even_when_using_RBAC_for_permissions.yaml +++ b/cres/Use_ABAC-FBAC_on_data-feature_level,_even_when_using_RBAC_for_permissions.yaml @@ -15,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c7-enforce-access-controls.html - name: OPC + name: OWASP Proactive Controls section: C7 ltype: Linked To - document: 
diff --git a/cres/Use_CSRF_protection_against_authenticated_functionality,_add_anti-automation_controls_for_unauthenticated_functionality.yaml b/cres/Use_CSRF_protection_against_authenticated_functionality,_add_anti-automation_controls_for_unauthenticated_functionality.yaml index 9dcdfa345..dd9efdeda 100644 --- a/cres/Use_CSRF_protection_against_authenticated_functionality,_add_anti-automation_controls_for_unauthenticated_functionality.yaml +++ b/cres/Use_CSRF_protection_against_authenticated_functionality,_add_anti-automation_controls_for_unauthenticated_functionality.yaml @@ -6,11 +6,6 @@ links: id: 724-770 name: '>>Authorized access' ltype: Contains -- document: - doctype: CRE - id: 028-727 - name: CSRF - ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V4-Access-Control.md @@ -26,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-SESS-05 ltype: Linked To - document: 
@@ -49,19 +44,19 @@ links: ltype: Linked To - document: doctype: Tool - name: 'ZAP Alert: "Anti-CSRF Tokens Check"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/CsrfTokenScanRule.java + name: 'ZAP Rule: "Anti-CSRF Tokens Check"' tags: - '"Active"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "Absence of Anti-CSRF Tokens"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRule.java + name: 'ZAP Rule: "Absence of Anti-CSRF Tokens"' tags: - '"Passive"' tooltype: Offensive ltype: SAME name: Use CSRF protection against authenticated functionality, add anti-automation controls for unauthenticated functionality -tags: -- CSRF diff --git a/cres/Use_a_centralized_access_control_mechanism.yaml b/cres/Use_a_centralized_access_control_mechanism.yaml index ba02d926c..a49c1e590 100644 --- a/cres/Use_a_centralized_access_control_mechanism.yaml +++ b/cres/Use_a_centralized_access_control_mechanism.yaml @@ -20,7 +20,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c7-enforce-access-controls.html - name: OPC + name: OWASP Proactive Controls section: C7 ltype: Linked To - document: 
@@ -29,28 +29,6 @@ links: name: CWE section: '284' ltype: Linked To -- document: - description: '"Use per user or session indirect object references (create a temporary - mapping at time of use). Or, ensure that each use of a direct object reference - is tied to an authorization check to ensure the user is authorized for the requested - object. "' - doctype: Tool - name: 'ZAP Alert: "Username Hash Found"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME -- document: - description: '"Use per user or session indirect object references (create a temporary - mapping at time of use). Or, ensure that each use of a direct object reference - is tied to an authorization check to ensure the user is authorized for the requested - object."' - doctype: Tool - name: 'ZAP Alert: "Username Hash Found in WebSocket message"' - tags: - - '"WebSocket Passive"' - tooltype: Offensive - ltype: SAME name: Use a centralized access control mechanism tags: - Architecture diff --git a/cres/Use_a_dedicated_secrets_management_solution.yaml b/cres/Use_a_dedicated_secrets_management_solution.yaml index 3e481f220..c8e6c08d2 100644 --- a/cres/Use_a_dedicated_secrets_management_solution.yaml +++ b/cres/Use_a_dedicated_secrets_management_solution.yaml @@ -17,7 +17,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c8-protect-data-everywhere.html - name: OPC + name: OWASP Proactive Controls section: C8 ltype: Linked To - document: diff --git a/cres/Use_a_standard_last-resort_error_handler_for_unhandled_errors.yaml b/cres/Use_a_standard_last-resort_error_handler_for_unhandled_errors.yaml index f91641f9e..5598d6ed2 100644 --- a/cres/Use_a_standard_last-resort_error_handler_for_unhandled_errors.yaml +++ b/cres/Use_a_standard_last-resort_error_handler_for_unhandled_errors.yaml 
@@ -15,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c10-handle-errors-exceptions.html - name: OPC + name: OWASP Proactive Controls section: C10 ltype: Linked To - document: @@ -27,7 +27,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/02-Testing_for_Stack_Traces.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-ERRH-02 ltype: Linked To - document: diff --git a/cres/Use_a_unique_challenge_nonce_of_sufficient_size.yaml b/cres/Use_a_unique_challenge_nonce_of_sufficient_size.yaml index 0c689e6e0..a0fbe25b4 100644 --- a/cres/Use_a_unique_challenge_nonce_of_sufficient_size.yaml +++ b/cres/Use_a_unique_challenge_nonce_of_sufficient_size.yaml @@ -4,13 +4,8 @@ links: - document: doctype: CRE id: 585-408 - name: Cryptographic directives + name: Cryptographic authentication software and devices ltype: Contains -- document: - doctype: CRE - id: 170-772 - name: Cryptography - ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md @@ -41,5 +36,3 @@ links: section: 5.1.7.2 ltype: Linked To name: Use a unique challenge nonce of sufficient size -tags: -- Cryptography diff --git a/cres/Use_an_isolated_security_module_for_cryptographic_operations.yaml b/cres/Use_an_isolated_security_module_for_cryptographic_operations.yaml index 1fb70b14e..8fe85ff08 100644 --- a/cres/Use_an_isolated_security_module_for_cryptographic_operations.yaml +++ b/cres/Use_an_isolated_security_module_for_cryptographic_operations.yaml @@ -17,7 +17,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c8-protect-data-everywhere.html - name: OPC + name: OWASP Proactive Controls section: C8 ltype: Linked To - document: 
diff --git a/cres/Use_approved_cryptographic_algorithms.yaml b/cres/Use_approved_cryptographic_algorithms.yaml index d989eed08..ce5c5d06c 100644 --- a/cres/Use_approved_cryptographic_algorithms.yaml +++ b/cres/Use_approved_cryptographic_algorithms.yaml @@ -5,8 +5,6 @@ links: doctype: CRE id: 742-432 name: Encryption algorithms - tags: - - Cryptography ltype: Contains - document: doctype: Standard @@ -17,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c8-protect-data-everywhere.html - name: OPC + name: OWASP Proactive Controls section: C8 ltype: Linked To - document: @@ -29,7 +27,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CRYP-04 ltype: Linked To - document: diff --git a/cres/Use_approved_cryptographic_algorithms_for_generation,_seeding_and_verification.yaml b/cres/Use_approved_cryptographic_algorithms_for_generation,_seeding_and_verification.yaml index 115504357..859f8da5e 100644 --- a/cres/Use_approved_cryptographic_algorithms_for_generation,_seeding_and_verification.yaml +++ b/cres/Use_approved_cryptographic_algorithms_for_generation,_seeding_and_verification.yaml @@ -4,7 +4,7 @@ links: - document: doctype: CRE id: 585-408 - name: Cryptographic directives + name: Cryptographic authentication software and devices ltype: Contains - document: doctype: CRE diff --git a/cres/Use_approved_cryptographic_algorithms_in_generation,_seeding_and_verification.yaml b/cres/Use_approved_cryptographic_algorithms_in_generation,_seeding_and_verification.yaml new file mode 100644 index 000000000..6b9cabb91 --- /dev/null +++ b/cres/Use_approved_cryptographic_algorithms_in_generation,_seeding_and_verification.yaml 
@@ -0,0 +1,43 @@ +doctype: CRE +id: 841-757 +links: +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.8.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/326.html + name: CWE + section: '326' + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.4.2 + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.5.2 + ltype: Linked To +- document: + description: '"Protect the connection using HTTPS or use a stronger authentication + mechanism"' + doctype: Tool + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java + name: 'ZAP Rule: "Weak Authentication Method"' + tags: + - '"Passive"' + tooltype: Offensive + ltype: SAME +name: Use approved cryptographic algorithms in generation, seeding and verification diff --git a/cres/Use_centralized_authentication_mechanism.yaml b/cres/Use_centralized_authentication_mechanism.yaml index 3b0bd7745..f81e573ee 100644 --- a/cres/Use_centralized_authentication_mechanism.yaml +++ b/cres/Use_centralized_authentication_mechanism.yaml @@ -8,13 +8,13 @@ links: ltype: Contains - document: doctype: CRE - id: 155-155 - name: Architecture + id: 402-706 + name: Log relevant ltype: Related - document: doctype: CRE - id: 402-706 - name: Log relevant + id: 155-155 + name: Architecture ltype: Related - document: doctype: Standard diff --git a/cres/Use_cryptographically_secure_random_number_generators.yaml b/cres/Use_cryptographically_secure_random_number_generators.yaml index 621885c54..14fd0f920 100644 --- a/cres/Use_cryptographically_secure_random_number_generators.yaml 
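Review bot: The new `Use_approved_cryptographic_algorithms_in_generation,_seeding_and_verification.yaml` attaches the ZAP rule "Weak Authentication Method" with `ltype: SAME`, which overstates what the rule checks. The CRE sits under MFA/OTP and cites ASVS V2.8.3, while the rule's own description only says to protect the connection with HTTPS or use a stronger authentication mechanism. Anyone reading the catalogue as test coverage would conclude that a passive scan verifies the OTP algorithm requirement. I would use a weaker relation such as `ltype: Linked To`, if the schema allows it for Tool documents, or attach the rule to a transport or authentication-mechanism CRE instead. Separately, the tag is stored as `- '"Passive"'` with literal double quotes inside the string, as is the description; `- Passive` looks like the intended value, so the importer probably needs to strip them.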
+++ b/cres/Use_cryptographically_secure_random_number_generators.yaml @@ -23,7 +23,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CRYP-04 ltype: Linked To name: Use cryptographically secure random number generators diff --git a/cres/Use_ephemeral_secrets_rather_than_static_secrets.yaml b/cres/Use_ephemeral_secrets_rather_than_static_secrets.yaml index 985d04ee6..2fc4ae755 100644 --- a/cres/Use_ephemeral_secrets_rather_than_static_secrets.yaml +++ b/cres/Use_ephemeral_secrets_rather_than_static_secrets.yaml @@ -4,13 +4,8 @@ links: - document: doctype: CRE id: 114-277 - name: Session integrity + name: Token-based session management ltype: Contains -- document: - doctype: CRE - id: 270-568 - name: Authentication mechanism - ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md @@ -26,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.html#session-id-predictability-and-randomness - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-SESS-01 ltype: Linked To - document: diff --git a/cres/Use_exception_handling_uniformly.yaml b/cres/Use_exception_handling_uniformly.yaml index 4885a3bf5..20ed28efb 100644 --- a/cres/Use_exception_handling_uniformly.yaml +++ b/cres/Use_exception_handling_uniformly.yaml @@ -15,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c10-handle-errors-exceptions.html - name: OPC + name: OWASP Proactive Controls section: C10 ltype: Linked To - document: 
@@ -27,7 +27,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/02-Testing_for_Stack_Traces.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-ERRH-02 ltype: Linked To - document: diff --git a/cres/Use_least_privilege_OS_accounts_for_system_(components).yaml b/cres/Use_least_privilege_OS_accounts_for_system_(components).yaml index ef4ee586a..82e0f979b 100644 --- a/cres/Use_least_privilege_OS_accounts_for_system_(components).yaml +++ b/cres/Use_least_privilege_OS_accounts_for_system_(components).yaml @@ -22,7 +22,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c3-secure-database-access.html - name: OPC + name: OWASP Proactive Controls section: C3 ltype: Linked To - document: diff --git a/cres/Use_least_privilege_for_resources.yaml b/cres/Use_least_privilege_for_resources.yaml index d7a9b1006..1222e9566 100644 --- a/cres/Use_least_privilege_for_resources.yaml +++ b/cres/Use_least_privilege_for_resources.yaml @@ -1,5 +1,5 @@ doctype: CRE -id: 368-633 +id: 624-716 links: - document: doctype: CRE diff --git a/cres/Use_memory-safe_functions_exclusively.yaml b/cres/Use_memory-safe_functions_exclusively.yaml index 447e71fd9..65acd8594 100644 --- a/cres/Use_memory-safe_functions_exclusively.yaml +++ b/cres/Use_memory-safe_functions_exclusively.yaml @@ -5,8 +5,6 @@ links: doctype: CRE id: 866-553 name: Memory, String, and Unmanaged Code - tags: - - Injection ltype: Contains - document: doctype: Standard 
@@ -23,14 +21,15 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/13-Testing_for_Buffer_Overflow.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-INPV-13 ltype: Linked To - document: description: '"Rewrite the background program using proper return length checking. This will require a recompile of the background executable."' doctype: Tool - name: 'ZAP Alert: "Buffer Overflow"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRule.java + name: 'ZAP Rule: "Buffer Overflow"' tags: - '"Active"' tooltype: Offensive diff --git a/cres/Use_nonces_and_initialization_vectors_only_once.yaml b/cres/Use_nonces_and_initialization_vectors_only_once.yaml index d4d6824ec..9a0ce5720 100644 --- a/cres/Use_nonces_and_initialization_vectors_only_once.yaml +++ b/cres/Use_nonces_and_initialization_vectors_only_once.yaml @@ -5,8 +5,6 @@ links: doctype: CRE id: 742-432 name: Encryption algorithms - tags: - - Cryptography ltype: Contains - document: doctype: Standard @@ -23,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CRYP-04 ltype: Linked To - document: @@ -38,13 +36,4 @@ links: name: Cheat_sheets section: Key Management Cheat Sheet ltype: Linked To -- document: - description: '"Protect the connection using HTTPS or use a stronger authentication - mechanism"' - doctype: Tool - name: 'ZAP Alert: "Weak Authentication Method"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME name: Use nonces and initialization vectors only once 
diff --git a/cres/Use_proper_source_code_control_system.yaml b/cres/Use_proper_source_code_control_system.yaml index 4f5ad5a41..3c501797d 100644 --- a/cres/Use_proper_source_code_control_system.yaml +++ b/cres/Use_proper_source_code_control_system.yaml @@ -36,7 +36,8 @@ links: is tied to an authorization check to ensure the user is authorized for the requested object. "' doctype: Tool - name: 'ZAP Alert: "Username Hash Found"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UsernameIdorScanRule.java + name: 'ZAP Rule: "Username Hash Found"' tags: - '"Passive"' tooltype: Offensive @@ -47,7 +48,8 @@ links: is tied to an authorization check to ensure the user is authorized for the requested object."' doctype: Tool - name: 'ZAP Alert: "Username Hash Found in WebSocket message"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/websocket/src/main/zapHomeFiles/scripts/templates/websocketpassive/Username%20Idor%20Scanner.js + name: 'ZAP Rule: "Username Hash Found in WebSocket message"' tags: - '"WebSocket Passive"' tooltype: Offensive diff --git a/cres/Use_secure_recovery_mechanisms_for_forgotten_passwords.yaml b/cres/Use_secure_recovery_mechanisms_for_forgotten_passwords.yaml index 1ac71c0ad..2c511a1fe 100644 --- a/cres/Use_secure_recovery_mechanisms_for_forgotten_passwords.yaml +++ b/cres/Use_secure_recovery_mechanisms_for_forgotten_passwords.yaml @@ -15,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html - name: OPC + name: OWASP Proactive Controls section: C6 ltype: Linked To - document: 
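Review bot: In `Use_proper_source_code_control_system.yaml` both hunks add a hyperlink to the Username IDOR scan rule, but the two "Username Hash Found" entries stay attached to a CRE about source code control. Their descriptions concern tying the request to an authorization check for the requested object, which is an access-control topic. These Tool documents would be better moved to the matching authorization CRE than given a hyperlink here, since the link makes the mismatch look intentional. The entries start and end outside the hunks, so their `ltype` is not visible from here and should be checked at the same time.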
@@ -27,7 +27,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-ATHN-09 ltype: Linked To - document: diff --git a/cres/Use_state_of_the_art_cryptographic_configuration.yaml b/cres/Use_state_of_the_art_cryptographic_configuration.yaml index f60be6549..63df72a2d 100644 --- a/cres/Use_state_of_the_art_cryptographic_configuration.yaml +++ b/cres/Use_state_of_the_art_cryptographic_configuration.yaml @@ -5,8 +5,6 @@ links: doctype: CRE id: 742-432 name: Encryption algorithms - tags: - - Cryptography ltype: Contains - document: doctype: Standard @@ -23,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CRYP-04 ltype: Linked To - document: @@ -38,13 +36,4 @@ links: name: Cheat_sheets section: Key Management Cheat Sheet ltype: Linked To -- document: - description: '"Protect the connection using HTTPS or use a stronger authentication - mechanism"' - doctype: Tool - name: 'ZAP Alert: "Weak Authentication Method"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME name: Use state of the art cryptographic configuration diff --git a/cres/Use_unique_random_salt_with_sufficient_entropy_for_each_credential.yaml b/cres/Use_unique_random_salt_with_sufficient_entropy_for_each_credential.yaml index d43580b2d..c1e4ccc4f 100644 --- a/cres/Use_unique_random_salt_with_sufficient_entropy_for_each_credential.yaml +++ b/cres/Use_unique_random_salt_with_sufficient_entropy_for_each_credential.yaml 
@@ -17,7 +17,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html - name: OPC + name: OWASP Proactive Controls section: C6 ltype: Linked To - document: diff --git a/cres/Use_upredictable_lookup_secrets.yaml b/cres/Use_upredictable_lookup_secrets.yaml new file mode 100644 index 000000000..9e024ef53 --- /dev/null +++ b/cres/Use_upredictable_lookup_secrets.yaml @@ -0,0 +1,28 @@ +doctype: CRE +id: 513-845 +links: +- document: + doctype: CRE + id: 062-850 + name: MFA/OTP + tags: + - Cryptography + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x11-V2-Authentication.md + name: ASVS + section: V2.6.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/310.html + name: CWE + section: '310' + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: 5.1.2.2 + ltype: Linked To +name: Use upredictable lookup secrets diff --git a/cres/Use_weak_crypto_only_for_backwards_compatibility.yaml b/cres/Use_weak_crypto_only_for_backwards_compatibility.yaml index 74ee6175a..03e0751e4 100644 --- a/cres/Use_weak_crypto_only_for_backwards_compatibility.yaml +++ b/cres/Use_weak_crypto_only_for_backwards_compatibility.yaml @@ -5,8 +5,6 @@ links: doctype: CRE id: 742-432 name: Encryption algorithms - tags: - - Cryptography ltype: Contains - document: doctype: Standard @@ -23,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CRYP-04 ltype: Linked To - document: 
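Review bot: The new file `Use_upredictable_lookup_secrets.yaml` carries a misspelling in both its file name and its `name:` field; it should read `name: Use unpredictable lookup secrets`, with the file renamed to match. The same kind of slip appears in two other new files in this patch: `Validatie/enforce HTTP inputs (against HTTP parameter polution attacks)` and `When storing session tokens in browers, use secure methods only`. If CRE names are used as lookup keys or in URLs, which the name-based file naming suggests, these spellings become hard to correct once other entries link to them. They are worth fixing before merge.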
@@ -38,13 +36,4 @@ links: name: Cheat_sheets section: Key Management Cheat Sheet ltype: Linked To -- document: - description: '"Protect the connection using HTTPS or use a stronger authentication - mechanism"' - doctype: Tool - name: 'ZAP Alert: "Weak Authentication Method"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME name: Use weak crypto only for backwards compatibility diff --git a/cres/User_passwords_are_of_sufficient_minimum_length.yaml b/cres/User_passwords_are_of_sufficient_minimum_length.yaml index 137dc6665..35a74fe2c 100644 --- a/cres/User_passwords_are_of_sufficient_minimum_length.yaml +++ b/cres/User_passwords_are_of_sufficient_minimum_length.yaml @@ -15,7 +15,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html - name: OPC + name: OWASP Proactive Controls section: C6 ltype: Linked To - document: @@ -27,7 +27,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-ATHN-07 ltype: Linked To - document: diff --git a/cres/Using_stateless_tokens,_ensure_cryptographically_secure_characteristics.yaml b/cres/Using_stateless_tokens,_ensure_cryptographically_secure_characteristics.yaml new file mode 100644 index 000000000..18f537538 --- /dev/null +++ b/cres/Using_stateless_tokens,_ensure_cryptographically_secure_characteristics.yaml 
@@ -0,0 +1,39 @@ +doctype: CRE +id: 483-883 +links: +- document: + doctype: CRE + id: 114-277 + name: Token-based session management + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md + name: ASVS + section: V3.5.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/345.html + name: CWE + section: '345' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html + name: (WSTG) Web Security Testing Guide + section: WSTG-CRYP-04 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html + name: Cheat_sheets + section: JSON Web Token for Java Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html + name: Cheat_sheets + section: REST Security Cheat Sheet + ltype: Linked To +name: Using stateless tokens, ensure cryptographically secure characteristics diff --git a/cres/Validate_HTTP_request_headers.yaml b/cres/Validate_HTTP_request_headers.yaml index fa5b18567..c2d3d8d42 100644 --- a/cres/Validate_HTTP_request_headers.yaml +++ b/cres/Validate_HTTP_request_headers.yaml @@ -6,13 +6,6 @@ links: id: 503-455 name: '>>Input and output verification' ltype: Contains -- document: - doctype: CRE - id: 760-764 - name: Injection - tags: - - XSS - ltype: Related - document: doctype: CRE id: 405-411 @@ -21,7 +14,7 @@ links: - document: doctype: CRE id: 316-272 - name: Whitelist CORS resources + name: White-list CORS resources ltype: Contains - document: doctype: CRE 
@@ -33,6 +26,10 @@ links: id: 483-715 name: White-list HTTP methods ltype: Contains +- document: + doctype: Standard + hyperlink: Loading... + name: Top10 2017 + section: A6_Security_Misconfiguration + ltype: Linked To name: Validate HTTP request headers -tags: -- Injection diff --git a/cres/Validate_max_input-file_sizes.yaml b/cres/Validate_max_input-file_sizes.yaml index bf87c170d..10e5a8f86 100644 --- a/cres/Validate_max_input-file_sizes.yaml +++ b/cres/Validate_max_input-file_sizes.yaml @@ -26,7 +26,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-BUSL-09 ltype: Linked To - document: @@ -39,7 +39,8 @@ links: description: '"Upgrade your Apache server to a currently stable version. Alternative solutions or workarounds are outlined in the references. "' doctype: Tool - name: 'ZAP Alert: "Apache Range Header DoS (CVE-2011-3192)"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ApacheRangeHeaderDosScanRule.java + name: 'ZAP Rule: "Apache Range Header DoS (CVE-2011-3192)"' tags: - '"Active"' tooltype: Offensive diff --git a/cres/Validatie-enforce_HTTP_inputs_(against_HTTP_parameter_polution_attacks).yaml b/cres/Validatie-enforce_HTTP_inputs_(against_HTTP_parameter_polution_attacks).yaml new file mode 100644 index 000000000..9bd6d73ab --- /dev/null +++ b/cres/Validatie-enforce_HTTP_inputs_(against_HTTP_parameter_polution_attacks).yaml 
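Review bot: The Top10 2017 entry added to `Validate_HTTP_request_headers.yaml` has `hyperlink: Loading...`, which is placeholder text captured from a page that had not finished rendering, not a URL. The same value is added for `A7-Cross-Site_Scripting_(XSS)` in `XSS.yaml` later in this patch. Any consumer that renders the field as a link will emit a broken href. Until the real address is filled in, I would drop the `hyperlink` key from both entries, as the NIST 800-63 entries in this commit already do. A check in the importer that rejects values not starting with `https://` would catch this class of error.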
@@ -0,0 +1,42 @@ +doctype: CRE +id: 743-237 +links: +- document: + doctype: CRE + id: 010-308 + name: Input validation + tags: + - Injection + - XSS + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md + name: ASVS + section: V5.1.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/235.html + name: CWE + section: '235' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution.html + name: (WSTG) Web Security Testing Guide + section: WSTG-INPV-04 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html + name: Cheat_sheets + section: Mass Assignment Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html + name: Cheat_sheets + section: Input Validation Cheat Sheet + ltype: Linked To +name: Validatie/enforce HTTP inputs (against HTTP parameter polution attacks) diff --git a/cres/Verify_content-type_for_REST_services.yaml b/cres/Verify_content-type_for_REST_services.yaml index 1ddd490f2..ecbbe25e0 100644 --- a/cres/Verify_content-type_for_REST_services.yaml +++ b/cres/Verify_content-type_for_REST_services.yaml @@ -40,7 +40,8 @@ links: description: '"Force UTF-8 for all text content in both the HTTP header and meta tags in HTML or encoding declarations in XML."' doctype: Tool - name: 'ZAP Alert: "Charset Mismatch"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CharsetMismatchScanRule.java + name: 'ZAP Rule: "Charset Mismatch"' tags: - '"Passive"' tooltype: Offensive 
diff --git a/cres/Verify_strong_TLS_algorithms_by_testing.yaml b/cres/Verify_strong_TLS_algorithms_by_testing.yaml index 212322756..5ee4a055c 100644 --- a/cres/Verify_strong_TLS_algorithms_by_testing.yaml +++ b/cres/Verify_strong_TLS_algorithms_by_testing.yaml @@ -23,7 +23,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_SSL_TLS_Ciphers_Insufficient_Transport_Layer_Protection.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CRYP-01 ltype: Linked To - document: @@ -44,13 +44,4 @@ links: name: Cheat_sheets section: TLS Cipher String Cheat Sheet ltype: Linked To -- document: - description: '"Protect the connection using HTTPS or use a stronger authentication - mechanism"' - doctype: Tool - name: 'ZAP Alert: "Weak Authentication Method"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME name: Verify strong TLS algorithms by testing diff --git a/cres/Verify_the_authenticity_of_both_headers_and_payload.yaml b/cres/Verify_the_authenticity_of_both_headers_and_payload.yaml index f6678c785..6f00f867c 100644 --- a/cres/Verify_the_authenticity_of_both_headers_and_payload.yaml +++ b/cres/Verify_the_authenticity_of_both_headers_and_payload.yaml @@ -8,11 +8,6 @@ links: tags: - Cryptography ltype: Contains -- document: - doctype: CRE - id: 170-772 - name: Cryptography - ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x21-V13-API.md 
@@ -43,15 +38,4 @@ links: name: Cheat_sheets section: Cross-Site Request Forgery Prevention Cheat Sheet ltype: Linked To -- document: - description: '"Ensure each page is setting the specific and appropriate content-type - value for the content being delivered."' - doctype: Tool - name: 'ZAP Alert: "Content-Type Header Missing"' - tags: - - '"Passive"' - tooltype: Offensive - ltype: SAME name: Verify the authenticity of both headers and payload -tags: -- Cryptography diff --git a/cres/When_storing_session_tokens_in_browers,_use_secure_methods_only.yaml b/cres/When_storing_session_tokens_in_browers,_use_secure_methods_only.yaml new file mode 100644 index 000000000..31aec8ac2 --- /dev/null +++ b/cres/When_storing_session_tokens_in_browers,_use_secure_methods_only.yaml 
@@ -0,0 +1,39 @@ +doctype: CRE +id: 455-358 +links: +- document: + doctype: CRE + id: 470-731 + name: Session token generation + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x12-V3-Session-management.md + name: ASVS + section: V3.2.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/539.html + name: CWE + section: '539' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html; + https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/12-Testing_Browser_Storage.html + name: (WSTG) Web Security Testing Guide + section: WSTG-SESS-02; WSTG-CLNT-12 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html + name: Cheat_sheets + section: Session Management Cheat Sheet + ltype: Linked To +- document: + doctype: Standard + name: NIST 800-63 + section: '7.1' + ltype: Linked To +name: When storing session tokens in browers, use secure methods only diff --git a/cres/White-list_CORS_resources.yaml b/cres/White-list_CORS_resources.yaml new file mode 100644 index 000000000..6dbc7e1ad --- /dev/null +++ b/cres/White-list_CORS_resources.yaml 
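Review bot: The WSTG entry in the new `When_storing_session_tokens_in_browers,_use_secure_methods_only.yaml` puts two URLs into one `hyperlink` value, joined by `; `, and two section ids into one `section` value. Every other entry in this patch holds a single URL per document, so a consumer that treats the field as one href gets an unusable link, and lookups by section id will miss both `WSTG-SESS-02` and `WSTG-CLNT-12`. Splitting it into two document entries, one per section, keeps the data consistent. The indentation below follows the usual layout, since the page has lost the original whitespace.

```yaml
- document:
    doctype: Standard
    hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html
    name: (WSTG) Web Security Testing Guide
    section: WSTG-SESS-02
  ltype: Linked To
- document:
    doctype: Standard
    hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/12-Testing_Browser_Storage.html
    name: (WSTG) Web Security Testing Guide
    section: WSTG-CLNT-12
  ltype: Linked To
```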
@@ -0,0 +1,27 @@ +doctype: CRE +id: 316-272 +links: +- document: + doctype: CRE + id: 541-441 + name: Validate HTTP request headers + ltype: Contains +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x22-V14-Config.md + name: ASVS + section: V14.5.3 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://cwe.mitre.org/data/definitions/346.html + name: CWE + section: '346' + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/07-Testing_Cross_Origin_Resource_Sharing.html + name: (WSTG) Web Security Testing Guide + section: WSTG-CLNT-07 + ltype: Linked To +name: White-list CORS resources diff --git a/cres/White-list_HTTP_methods.yaml b/cres/White-list_HTTP_methods.yaml index a3e313e14..09898f49a 100644 --- a/cres/White-list_HTTP_methods.yaml +++ b/cres/White-list_HTTP_methods.yaml @@ -5,8 +5,6 @@ links: doctype: CRE id: 541-441 name: Validate HTTP request headers - tags: - - Injection ltype: Contains - document: doctype: Standard @@ -23,7 +21,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CONF-06 ltype: Linked To name: White-list HTTP methods diff --git a/cres/Whitelist_all_external_(HTTP)_input.yaml b/cres/Whitelist_all_external_(HTTP)_input.yaml index 070c13979..74832d7d7 100644 --- a/cres/Whitelist_all_external_(HTTP)_input.yaml +++ b/cres/Whitelist_all_external_(HTTP)_input.yaml @@ -18,7 +18,7 @@ links: - document: doctype: Standard hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c5-validate-all-inputs.html - name: OPC + name: OWASP Proactive Controls section: C5 ltype: Linked To - document: 
@@ -30,7 +30,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/ - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-INPV-00 ltype: Linked To - document: @@ -47,21 +47,24 @@ links: ltype: Linked To - document: doctype: Tool - name: 'ZAP Alert: "Remote Code Execution - CVE-2012-1823"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/RemoteCodeExecutionCve20121823ScanRule.java + name: 'ZAP Rule: "Remote Code Execution - CVE-2012-1823"' tags: - '"Active"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "Relative Path Confusion"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/RelativePathConfusionScanRule.java + name: 'ZAP Rule: "Relative Path Confusion"' tags: - '"Active"' tooltype: Offensive ltype: SAME - document: doctype: Tool - name: 'ZAP Alert: "Source Code Disclosure - CVE-2012-1823"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureCve20121823ScanRule.java + name: 'ZAP Rule: "Source Code Disclosure - CVE-2012-1823"' tags: - '"Active"' tooltype: Offensive @@ -70,7 +73,8 @@ links: description: '"The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application."' doctype: Tool - name: 'ZAP Alert: "Httpoxy - Proxy Header Misuse"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttPoxyScanRule.java + name: 'ZAP Rule: "Httpoxy - Proxy Header Misuse"' tags: - '"Active"' tooltype: Offensive 
@@ -78,7 +82,8 @@ links: - document: description: '"Properly sanitize the user input for parameter delimiters"' doctype: Tool - name: 'ZAP Alert: "HTTP Parameter Pollution"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpParameterPollutionScanRule.java + name: 'ZAP Rule: "HTTP Parameter Pollution"' tags: - '"Active"' tooltype: Offensive diff --git a/cres/Whitelist_data_sources_and_sinks.yaml b/cres/Whitelist_data_sources_and_sinks.yaml index 344c7cee3..d1b1a1669 100644 --- a/cres/Whitelist_data_sources_and_sinks.yaml +++ b/cres/Whitelist_data_sources_and_sinks.yaml @@ -6,11 +6,6 @@ links: id: 130-550 name: File handling ltype: Contains -- document: - doctype: CRE - id: 623-550 - name: DOS - ltype: Related - document: doctype: CRE id: 726-868 @@ -18,6 +13,11 @@ links: tags: - Architecture ltype: Related +- document: + doctype: CRE + id: 623-550 + name: DOS + ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x20-V12-Files-Resources.md @@ -33,7 +33,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-BUSL-09 ltype: Linked To - document: diff --git a/cres/Whitelist_file_extensions_served_by_web_tier.yaml b/cres/Whitelist_file_extensions_served_by_web_tier.yaml index 057288ba5..78b877d4a 100644 --- a/cres/Whitelist_file_extensions_served_by_web_tier.yaml +++ b/cres/Whitelist_file_extensions_served_by_web_tier.yaml @@ -6,6 +6,11 @@ links: id: 040-843 name: File download ltype: Contains +- document: + doctype: CRE + id: 623-550 + name: DOS + ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/en/0x20-V12-Files-Resources.md 
@@ -21,7 +26,9 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/08-Test_Upload_of_Unexpected_File_Types.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-BUSL-08 ltype: Linked To name: Whitelist file extensions served by web tier +tags: +- DOS diff --git a/cres/Whitelist_redirected-forwarded_URLs.yaml b/cres/Whitelist_redirected-forwarded_URLs.yaml index 4e8917668..dc579fa56 100644 --- a/cres/Whitelist_redirected-forwarded_URLs.yaml +++ b/cres/Whitelist_redirected-forwarded_URLs.yaml @@ -24,7 +24,7 @@ links: - document: doctype: Standard hyperlink: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/04-Testing_for_Client_Side_URL_Redirect.html - name: WSTG + name: (WSTG) Web Security Testing Guide section: WSTG-CLNT-04 ltype: Linked To - document: @@ -41,7 +41,8 @@ links: ltype: Linked To - document: doctype: Tool - name: 'ZAP Alert: "External Redirect"' + hyperlink: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java + name: 'ZAP Rule: "External Redirect"' tags: - '"Active"' tooltype: Offensive diff --git a/cres/XML_Parser_hardening.yaml b/cres/XML_Parser_hardening.yaml index 226e6c473..3b395e0cf 100644 --- a/cres/XML_Parser_hardening.yaml +++ b/cres/XML_Parser_hardening.yaml @@ -1,11 +1,16 @@ doctype: CRE +id: 764-508 links: +- document: + doctype: CRE + id: 503-455 + name: '>>Input and output verification' + ltype: Contains - document: doctype: CRE id: 764-507 name: Restrict XML parsing (against XXE) tags: - - Injection - Configuration ltype: Contains name: XML Parser hardening diff --git a/cres/XSS.yaml b/cres/XSS.yaml index c9ae386aa..df856a803 100644 --- a/cres/XSS.yaml +++ b/cres/XSS.yaml 
@@ -1,5 +1,5 @@ doctype: CRE -id: 760-765 +id: 028-726 links: - document: doctype: CRE @@ -10,8 +10,9 @@ links: ltype: Related - document: doctype: CRE - id: 764-765 - name: Sanitization and sandboxing + id: 384-344 + name: Store and serve user-uploaded files such that they cannot execute/damage + server or client tags: - Injection - XSS @@ -26,24 +27,16 @@ links: ltype: Related - document: doctype: CRE - id: 760-764 - name: Injection - tags: - - XSS - ltype: Related -- document: - doctype: CRE - id: 384-344 - name: Store and serve user-uploaded files such that they cannot execute/damage - server or client + id: 161-451 + name: Output encoding and injection prevention tags: - Injection - XSS ltype: Related - document: doctype: CRE - id: 161-451 - name: Output encoding and injection prevention + id: 764-765 + name: Sanitization and sandboxing tags: - Injection - XSS @@ -60,4 +53,10 @@ links: id: 546-564 name: '>>Tags' ltype: Contains +- document: + doctype: Standard + hyperlink: Loading... + name: Top10 2017 + section: A7-Cross-Site_Scripting_(XSS) + ltype: Linked To name: XSS 
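Review bot: The new Top10 2017 entry in the last hunk of cres/XSS.yaml is committed with `hyperlink: Loading...`, which is not a URL; it looks like a placeholder captured while the upstream source was still resolving the value. Any consumer that renders `hyperlink` as a link target would emit a broken relative link for section `A7-Cross-Site_Scripting_(XSS)`. Either fill in the real URL or omit the key for this entry (drop the `hyperlink: Loading...` line). The importer should also reject values that do not start with `http://` or `https://`, so the same placeholder cannot land in other files.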
diff --git a/cres/db.sqlite b/cres/db.sqlite index db5b4873ff20390e3aae1c6ca9986a59773aae6b..9b104ddc552ed47039c5215785c0d6f9359ed755 100644 GIT binary patch literal 397312 zcmeEv3w#_`b@$A^v=8l$6en>U$MN_fTZ+BXzIScMcGi+CE0HW&E8B6LL|I8IY2%ev z-d$N%0tvHDLU|TiD34M~TMFe}DDQWHro2iiEtEni&=1-`3m;IvmO{(-{m-4*nYlab zIF_A?ufJW$T6^x?d(S=hoO92;bI!S$V?+5$PM#^2=Cc(!DzpirDBLE?f)MBw1R;z6 zY9BxTaMXU_U(xjUMgBw^-6PNTyY>iP$EO6zFMYuOv%o*PL!KA9?r-^5$ERASYyWd? zc5S{$BTaCV0!<4152t`{tN03Si1_n`mo?gINorZYd9(Ovw33}H<fclwi9&wiOj-Y< zt#_<HJ>D;mrw<MF%UgB$R=LybsjMvK<P+(!-XrO;-LluSb+%MoTHGoR9v$x==pU1h zj*QDkj}Hw|8EQ6!_l_LRjE|*JMP58Jfu~si^61#$aC+>Nd`JH&xl?O*w~XR0YRpt= z#;7#Gx~Dee!y{w;g9AsYdaZVsJl21>f2{v#Z-0gwk~{O$Pt_P6u{1^fKaFOV&Q2_5 z^CkKC(ZOTK`|I%cc6r_-gfDBBF1Y+H>$|$dM+fv-S}0DNrpovg;O2|QV3akQG9pBy z>7rT<3rwU}=gZsyH*08mw@mFcrn0FX(RsDBR_EW`7#lFd-^>LJ5%b)!CmQfT{p1<L z@OJGBxYmz!i9&v1I(NQ&wt)42BD+*6vfpeJtaHY~6JZ*a@ms2%^0lnL?mF?&>)0$( z3H{f~%@{#wp7PTTslSk&=OnJ2o2ulC3uYlKFHJUpR<g5Y^Hb+?rE*=x=^Vs9zgXYi zf?3Krk)~mq+vHh;jf7(etGt2M?6I1l(C~K48v6J{9|{<W(AX`TklZb6gXr>h?QC_e z-*?@`CWiW$2-CN}^%b^vT$b!LA8t}$?I;j#bFJ^+d@;Tz1!K}R?9X=TXQFxQv39us zPwiPbV{ci%Zk>2xe{D6!JUBQl4!~0=@!a`JuC$OXOhCz-tS6IdGlT0@e!V8=wJ!C1 zDW$uRKfA=%+liTct}tEJ?G#o0n$Ux0?Qpo(?^*X$97yY&Q|S_0*6-RSRy~X;*+Oo9 zGCwt;Y3RD2HjY?zg+w^5+Qh=re2o;H(MT7!`k2OD*TTf&nJJzKruHzT{WjP7W4kUk zr259fbpSi~+D*Jon|e|Dk%0d<KTQfWDbS=qlLAc&G%3)eK$8MZ3N$Iuq(GAbO$szA z@IQnC0nyeGol3;Rkz^_v&L+GVS9AaWKV)*7!)Q{VNr5H>niObKph<xy1)3CSQlLqJ zCIy-lXi`9<fMoCRnD_rqz@5_nqS6uR7t;Tc{<ri!^`};$`A?GqO$szA(4;_<0!<1u zDbS=qlLAc&G%3)eK$8MZ3jBXUfmrnzFzu?6xBpGb5Wc+%g#fs2vq@(KXW*6iTNskQ z7kH&KEL8(Ppr6f8lLAc&G%3)eK$8MZ3N$Iuq(GAbO$szA(4;_<0?!Nur2WEurk1Z6 zbt>%}ZT$=7CFBE`Tq@@ma^<o-Qz$N%cgmHyQZ73!m$Ngu%1TcuSI(C!*@dZ`Tq(+> zEdHG;E==bs4@^0l3I*e_knjRDzUMTe{5Oin%Q-o_xL7Kl%S|JX(#m3`I9tjt&gG}% zY+<%o%2(#*(N(b|&*m0#r7X2WIbCwo`Gr|IyD&{@Tk<pcDOM5+MS`hNcqiK5wAm5e zC=L~8^9%CK(gI6tlSPW1m1Js9Fd7N1lin`0n+D1L+_lq@-e}8Y7l7{rIeBTJTq!M0 zRWR&nc{*Fk#-piVES3<r;pu(#m7o4^&oz#nez8{_?Hmnv#YHCqw+XKlq;E?flwK~K 
zlWv#df&U16G4P_mR3Pa8FaKNp=lyZNzxAJ6-_rWL*4fr%>rJhq?<>CN`%e2dd4J;l zTkiwjw71jqQ_nj*eIB>_BktdGCtLob<vlGkEjwLLxE^-N&QCZC&NjzCINs-2ais0< zv_H$<W_zb?Lj0-tJaJI;3f}|*b)Wv*T*5~Gv;81hFcD7m6_JFgA{S?7awT~=mpvnQ zP8D+5l3YQehb|fEi{^3*6`GD>sVq;fAjQs1cBxS5I!Mj*`(vS4FdRwHv{&-;x!`2B z4BC#2kIKb`!V12oa{CX^qx1emDjZBjqJ6m;@Y}Rp$b-R91$~>V78i0s242jT%f;o= z^nv|Uz37j}qrq4>nps+0ES4%P`_EK<GFJ)`v*oAJq6t|_UNoIMm!AUr-r9otO0Pc} zj|G$Q2%!o#C=$Ezqgw`Z%8R8uap?-<MMjXir`WiNfeR!w$VNm$l$}CP<@`Rat5_@) zj3&aGgjME{0TMh>1{n)7q;0l<#E{u3kd#qMlLY*l$}Y&0Ik}WOS3H9O%`6o_!~Fa_ zq$69&;qPV4hFmC?E2Dc^SMC0AA{7j$*aQ@pXd>lFk|Gn*M2k`mNj=JyGLobr&rw-M zUlnw*fWK<fbk82v;x2zGoCqeOI`WtzbeucCm{+Bhy0~;tYDc?`j_yyf=KK9&lId`` zw>Uq)v_Omn4p<H1gOpZlF^8{(3J|10tCLY!i6)6<PWhv;NHCd*jnELwpmt84%a-S? zoWf|L_!ER-)#pz{fMGN~pem@GoG0~xnIn!|E|!oIg>g!GX$E>KkM3(+Py!Ogd8o5F z;!qRG7()|=)2g^-3(&Ppq2`uIa^|d^bSL68hzWl@5+fZojOs)y($=%`JVY>G;~{>o zZ;esCGZ;LkF&5HCQ79JAEG-hMrCh~21Pr58TwLjjQf->0a4-^1lCacO)EQ=XgdV-a z9}h=^saTvIU0Q@@%}=o;FLm|q3bXn5cf@0m<4B5$Aqfx3+I(?(2{M5dMx7>32@uJ- zRY5+JTPbVWmMPou5NliPh=dZsNIa&u4N+oKLM>}jW>A_Zn<^OQR`2d%t#<hnpkySH z#M;BStdzSSdDS3N!6ghC(r^yz(6m{Hk^0lbizXckHa|m}lk|~1S1e5DO5OK#v(|TE ze&eJo(uOX=n!Lgk18YO3nSmxPVd|mnRA#IY6RXMHAl)1{sNI|nvgUXCQ?W3#9-GKZ zugh3lH8MTrvOKt(HE#Duh)ZHj`7j(brB+8-V3?hr2jWn>Sk}+c6d=bD9?q5b?;<9e z_lJ^+U@RFrlrPTbDkZWOh#vaF!<a71)Ge%!?25+v<>6ZxCO&^Gl?+Bh@lkaxkc%u) zU76<nTt2r<G|WT%YZ6S<EM&_SnbO9=PMOQXvH?nmx(J(Pe<BLQCYek#G1V*0<qC^P zjJF%;PZgG!!GbbM@@uw7ZtbKt&iEt1C=w47FJ@tRP*x@Cs8Gl)%;vxoWKw~7%vuCC z%G^#ipso(h^kLPnnmuJ^?;Cfx1V1d0jJkqN>G~K`KiHv7FbQiS64tB)tV=oQK~h%` z+!AR%ojB8wWGE*6cPTdo8?dypcRP_|)}Ks9g3)-*-XO`*ADsg`uq8>=O)^`mfJHgK zjiEtHcPf}lgvPLnv1u$7X%U){vFu}Fp+N9AVO6FChy`F-kije(O1Xtnu~3*NY}xXu zVMf?8JEbHKA5QmfB{Wz3aTqC(NFuwsnn2FgfynbYOdpt7vtMBX%oZyZtjD#1lp|ZH zk(2&N61G(|mcimwzYy2dZ*F0V%*EXFdYPu7$4~MP!{Y%a*knv3H&bI-e;kq#ibZ;f z9$+?gv0GfECC^Y9w8lfaz*?2L(>F7!NgaqpC5vfzsj>vN<DO?mdO@?Yq59?*p>i<` z-SRNxbe@c57((arh1_heoGwkxA(thyn>TDCtUCPRcsz*z%tc){QBl7?6pjZ&i6~Q- 
z%q(Jh9kvEmQOG{o-M4O}N6)~f!=tejJ&H*qE-=Ia2-A*(mMdEKFull`ilqQL@J6aV z><_16!AL5`Ix4`hs;wr-5}P}h#dND}-oAm+!>OvmaELw6lWsaUm8XQ4>as}Y2o~=m zTWQN2;$1hWV~o)v7E_l5b&S{*VF4{b%WF+-SWl03z(R%*5=v07HN-YtuNH;DCy)!X zRCZrSMI-(cYK7v7F&J&ohJ+6@FhRe%S-+N^-`EjKz-Ebuz{x#eYIBS7I(j1N*Y-)k zqkac<;2L@Y7IrEgjD=FB$~8T#?f@8*6=y2TS+aP^no%umxn1oc&bAcEUf2MbOR|`1 zva_R&o;c_aV<nBp6U6KE1T+3XIGwT65<PcMM;InWI2t7>oWg@8EU-*4jCzENE|6v} zj09L$9nmPPl6VRPgw&8(0liC!eKpiL`(ebdN(}fBdM1>-w8YTpjmE%wCAPL}Tai+C zD<LuBkHk{2!4iG>GUZRkx}oWmOlGKOd?-^(QCg1q==szBWFiS(37?=XFqy1umqHJk z_Rg>kD&PvJuTC%3>h&kE1&Ah?9MH2M=z^B`btaoHV0%(ddszEBV_4S`(S+7MdpK8u zal&Sz%;ppuWY7zmF24YkGn1cPQqBIIZfYWpr7;1z#`;zL1;h%ZJ~UIFL}+gdJqU## zBiW8?OUDd7IGLR~Lqe_70raXAr;3F#K=OF+=sFiE!<~MO1=X$eElz5%rz06b&xurD zZn02Yftsuo7mJ1B?238zH#z9pbvq-G6c{ax5pqp!vs3XNe++sjm5Ljjip2s83k<4r zxpIe%9@@{ecs!9ZF)PP(n?!mn2!b$s_P_!DLE8WK2#*NTiNL=EE(9k0|K@+2e@pB8 zTZ^rOt=oJb^!=7E=>3lOL2ty{>iGlDUG5*dKj)sr{{AH`g%-Q(+phDj9_QoEXFIQT zyv1?I{vY-)+Y9z>wqM#_ZaZspi@z%-gug)ZPx%>`^9t+M`SICwruSrjG?dKXC}%ob znx3mv7R!5kdZw0h-Sc@Y9Nk#WdPp_*V1v(WOiX1DYIM(4<_oj4KH<6ztRZDfI&&g( zBGMh{4%fFfiw*SBWH<PsXXIo$GulIs_DmLvlRf8R-J$MC559YH3q7Ip;c)OoB*>Gj zdwzO$#@bQx8R;lz?I_h9dj>`{-Ke8yfOK1@yu!BiY>xa#2Q%YxD#V1nJKP<u4QqDN zicGXSQY)@;#g)(Fwk(iQ8ODrEoVX@b>u%t_I`*`X|B~z(Q`vLEIxH|~t)HtmtgZJp zq%j*-t+#=DxKSl=WOaE$hZ^dr?zWC9)t#ts?aC)>_O!L5q`@>-k9@OtHR|XYn5ThL z+#JLsmpccjq0YgbjWD+G>6OpHz)23{NZc~dmyiY2P%%Ey2;=zG=NkDqWI<hA%p#sP z7-x3eic0jEQ07}R7ZuA?ZQ!$GR%9a2h%_Cuc9eJ~l+o;HqmG_|m1X+~$h*<9vc$2n zn6&Kd(MIT41n(+{$}lG?c#%<?<C><rgs7l~Dk?)(j8o6VOl`m8q69Rpz5}=O<1!Y? 
zr#r5&Hm*VIxRTEVs}CIEFvf}3WzGa@s53EO#W>ad3@ELwhcBur_SA5n?YANm>9!2* z${Bfk-$mI17DWx6?Y$R$DrP)2aEP0VXykI&57bbnB5fUg%FyXGR=o1jE1uhYLPxK< zso2#!hf|&jyqv+iiLriIujz6bhhXf~j+Mz7DytEthQ<_CQ)^+*oGW)1m$T(XwwW;% z^-zlwMvD__Z>&W&=z)VA^<rV28T5{xdZUCID)kQ3Q!mzig-c!}cp?@|vqPpJcI0%( zgpJbH{TF3qUFFW+T8~VmJM~O3^4vajq%IKp_AuNX)>*hl#H+wGJNJTVvMSRIs?(@W zzp<B>GZlI>hvVH*I<Uq$6V8g*qgTX3Mh6qM4knBaEG$L)|INa81?g1aje*<z|L%WD z>wmVsymhzlWxhMSgPxaqobGSB&$XOykzC(%J;(VQ&MwEt9n1D_+K=0NY>(TXZCfXP z7S(^XKg#4DpD@zFrlWeS^JHdxpi4fPo0K!Pv)FO<s7fAK!dX3)2h-z6js~qK5r*I{ zFE7(OeR|0jT+U4fYv;N_?bs_gOKssqA>0!SqO*xKPQ$gM?1@^(6I#bT@K4}R8H|!- zP<v<sXZaH+;ruW$s=eZ!7%ig76;(N;IOPzJSWK)-*c+(98k$Qs6cbBxS1u+4NIz*l z_=#S&i4@gLiMUmT>@ilIt0&moV;5cJl16_@OBCXtR>i-|EdF=oR%E;)&(7wq(vpD& zCyWLy;;md40VX3VCP_0U{PB4PZU;c>s^}k+GZj=2YuAF;K$xHTh{bNX1hYmXnn@OF zH1qn}a`k3@w#V90{24Jg&U72fYU*;7mA;9rjd~4~Rm!TYbX|9he0#9UO{5pf%kV8= zN4CL6WPJvf<n6l~N^XMf4t0K+-PH&k3v*t%>Qf%PMW5vh_RE=Ni_NzNv%JST%leYk zi?`3Sxd|*)c&U}EOdK|O9gykEX1%KsnJs&PD<|{z&W5v2X974CsF~@CXXiz1{KM?+ zxm+9ERnU)Wi^dAB>SV*lSK>Q>OHtL>CpnEhS5)8i(p$ab?5%H2wB(v-m9GMZy;?sL z=x2iUW0)&?KNgLyJltV0wC{2l+G1F&0Yis5hBj>I^29h?v&!VknVX&<PZ3aMLVK$S z2r>IYuAmxV+qpFjPHi>*s_ElPtZAsh8d9#?<`ed}t1NI2dqsskLXjM)@M2xtT$Ot* z;=<?_#QVlzI7FtYS|NxRt+X2}2jK>l>L#ygyw;vBPL;d!MS9CsfZsy7(leC^=I0l2 z<r%gj!Rb6?FIx!KJXchy-P%ZMEz@`9Qk&aibhL@R$D<>>D>}{&1y6*7=2x)ToGR_I zLFeNarL(>`)TZ$Y=^RzJ3b`P?$0SGOpz4;(Xq?;JXz048s-bW>G;TEXftxvAjfO1D zbO~NX4He%_jqtUQ>`L)fdT#OwT?48}6!rIp@u++*o<1IoGN}OLl803qK5rFy4E|8? zfwhQWxir;HE`Hs!#dAH7D%!u5drJB8nc%!`nD>+y>9r(Wxog6M2m|<=W3I~ZI-i=` zwxvfaIS8FVJ~{ibrtH8~e{l8QPZ%lNHv;4E#W0S@{j}$o;pYNJm)W&KGvXEBB@7Ag z5#am3BAt@<NjC(36!>J|Re?%iED#E`3!m}-z^3>=Ehfb;3-9s21>R75{To_;t986J zD16WNufDI@`g||&-Rb>>_siZt_P)wHhO42U@cg0YxUJwxx_|C|yZgL5E<Wk@wS1=K zH(QRiT<`jO*YCOVt{a^nbUw%Cao*whHsS(a>Nw}<bF|yPZGW@9WZ!4|xp<R!%Jwze z`+y$zIqFpW8`n8DY_uIXFpleh<K(K7h>6eI><AMqb9`U`r)a^GgX2f~#?mKKi74C~ zL*j!G$H|ShH1m{%S6>M}Kj(^S^ak<FNESXjaMd7Rb2wzczbGUw-ssr5(bfxp<b00! 
z08S=hDAss1EKYB6#943TO;0X9I_HFwaHmX!#O$3;WeaMnUSXPh@4)fFKFy_h${cgT z+}_yvf$j;ca#GFB6+sQ52pSHD#QSWo7bp(osXo^@)-(DX>cd43KsY2mEF&z%cBr^S zZWSxEnvkO$P)~)E<iaFAd#_^_=(3m!q6M8tY2+a_CC`+K^YT<dbt6|dbs_RMjwi)a zEP4f}7h0Vh+*sN0;QT^$lPNqGiHXD4IyM3aIM*yKmcy8rWHKS%w$+hTDais9SYPB^ zjm;?HHG=RN5)Wdi>*|KP)v;$IB3X1dDU)A}<}_nxfjGt^x|5gY{?&e)qfE0)u{Llb zGC9Y}GdQdzcO*ChQIrVgmvIcC1p_t(xBGA?Bz!&L$N~qGTNp(Y@&1d%8#RAN%|UW= z64j_*=ChQO?+hL;!5uU>qPYU&j7RRxjKZ(62ru5kN({kEp=4P2Lc%e@*Fzgb^58g} zgZ1jQYM}(&wNokKFM1ru%+<znh@dIKIZ-`1(z}UJd<I7Kc_t?YdPg$j%vH<qu+po9 z;9?byC56w09mmaG5cX4MpDeuwxP@j^_^c*bCcmv1m?RaB3eV|q?5D;|u39yA0x@IJ zI2_L+!uPuz{q;}rTnoR}U@{sNzL$3@{WMLr2Cse?hZZT4iaAaLCniDg_`<Oqd7R<M zkJS8N&j=WhxdoGbRZgZN!ALYFd~J^-N0o4%$6V<+FHZ6{!+dIzsyYmplbF~fCia^X zP9=<i)vA)qcM<pTGLb`Hvv8lH!(~KKkX#ZY7U7+W5Fa@9lVdsDM<H#RjLLbqmSKg% zZ{mbVGE!ig)`krToZ*(>%a&!aOXOn<=Q9=>2Om-l5Q4&VV75|$XqV;A+^qaSeo>w* z&QF%RNY3Nol<;3F+q2fn#ibGp(8De9aI>SpF7Qi*q>v&|SjAWvo^g@5@cLUFXF#A! z)tiUw<y5}7R7OkFxd>>4^;`IZr`IX@`%M?2V^fH;gX5s^`+FUEkd}420JnVIb6U>M z0!ug^PC~CwQHYLSMB)u?do=A>s^L4Ss$1v`y&gpr%wqMSodg9kvRF0>Ys{5nV2NZh zEc)V(d-N9a3#6`DEf#??nS*|Sb24)-Bu)w^5!w)m2yah2mI-Crd+SK40YEfE(8$b< zpXQ#nkLFR~C@mNd#UD~-3T>)>tcIg9O%81!qOlla@xsF29ztKXLxmzZ14}79X!8%S zI7nJa>0z{?E*MLwxCC!-c%d>mC?}ya;_;a9XKava6S?y^g(nW}0ZT5bF;+Um&A_)C zi+mjM8&Tn>cQ}=nTF<H{Bs`9_+SEBc4S(B8)>yL)6rjCfY9&%wctEg!ztu6nQM}wh z4lVv;*Ct00c+|~Kl$`QIVc{bqPDO&TajuAX8#NG$Obph&j5mSs4QKMhYb?TF-3Txm zg5a?b9G$~qv4g38t+@rNg`tq6v9=zw!NNVYpe^Z8eTi6H_`@Nm;@c>y^=f=7V?q|x zg?+cm9^|sk)*fy4$PQr}&GI5ez9iu$kC4c*PDgKTNQlhiW*y$G`KeSCgHJ?-#}7Lm z#)C_h;yn4oYgWzVQeNXcgLQYyx$+|1(3$naLe(;TgAwQpILr%gz24E|7tu^@tQu*y zV|id;QfiukqB~eqKm%N1Z5@t-+(U5BHZ9YdcX!*}PGwi!V^<!~q=iX!tLCO*NWl{w zp2f9W$q66L`MI3HEGMIJF{vtC8nQOFoP1;)AzCWOK!;3|1_p{*nnWg5SRKx@n5#@? 
zM00ab!Mi;c35z>#aCBgFrkDsV7Ge`ya?&6ly>X&hqQ$|q&X5Jd-fe5{;^h#+r;@RR z@DDo>rYveUG-4v5Y1tB`y^Jb{Ll7;zGGnSpeN1P&rx%o@1vGUjqEmr&rnbR?s%j%v z*AAFwMcC_%tMs5nFgE?Yk76)Ns-DE6h|$cO6eyH7Em9aU%?C6iTZ>emavBg^i6O&D z;cYT3d~K`+3c{_8q#P#a`($h+<j4TS>FN5$X-UhBq+!8jS7_CY#j!A8QTeBXj<afo z-pttHdV)`}ZH8uXa@3C{V!;q3;=4CN=ZNXi!5+MAthw@+!&oP=D_LN2f$a~y(4^=~ zs2F2Y5+~y-7CE;KRx|C9)Q7Nm8~*SVgo6+O;mMmFJ@m{NHpC|9hA14>5$zx*w2jYb ziQ?twP4BWI5rklc<6^w_1hYqQHYT&~5d8$n#8x9E#xz_<Ig14=*K`2}OB4|z@px#C ztwsk9X!~QfXu)s=Yt|mbfG`gU;T5|bcM!&d3$%97;-)PlSYq`E{Ww??8w24*Y_D?Q zKp)<?7mADQCEN~#;b|fMm|QYfqQakO+Y)&3v(Q}_b2U32ey<4Ui3`8O)_?;C4v~h( z3XVWhQiF)zPGG63vh9cJZLeu-Rf8oFC!0)$PHe<%dg{ILH7EW1$!4{6X22(SPffAZ z(3-%5>^X2Q3ri$Zj|3DGou`rSrb$<0JXMJ<tLX&PA4HaAijFGa=mX6pV2OjN#I5xH zzgKvdApNcMcIhE$M7lokMBuf7y8~_hkNRKiKkMHEe}KPheL?Gh?`OWh^!=_c>pSRk zc|YVm>)q-3zGu?2*ZoUG{6FZv!|iN&FJk^Tx<27jTz9!PIA7<?Iqi;ra(vqH`;MYx zxBct(m)jpkbU?p-o$VX8ciEnA8@IKK-w<DgvxOVQ7U4TU<7s?)6c!zE3=s_!{TLlC zBJLS{QC_0eglvthq1LiU8<CS07Ag^3r%g`%ob`=l+7uQhu?|7iV1RfCpc@r|A}4kt zW|M7Add*v!`yOVYI2$_R6h($t?I7@E@jQi-GeZ`vhuAa#dw^NKT%<ErwmsC=EGQgA zbs`jSAy+}*@EO&(H*4!d4^i*SNPxhsvsGDkk!MpIC;dsB0)&%^5tconrpPFGW`WM0 zOj}<_Y5G}IX9<yAh{}t^kE%hzq)>n}ELsvVEE+K9STqdAfOxm1GQB)r#1<e|S}4aJ zq$W=LA?%1gOARhC9jrD%iwowbw#3oWgK)sya<;JJ0jhNnas8x7LRvr$O<%bJCY~Zw zf<nT(R_Hmz@4?6qr=k?J#7=dzj1Q)Gr*iDPiU>_=G?vsKEhCT?d@`4xWr-9JKbQyl zkWU!wm2zmAYGwQpY&H||l!*cw0f0s=a*WY1*Kv+&>_=o8)3dsUr6HTtaQhNHcAY<j zEqyc@rA6Y}3V}8vt{7%~Dn*JP*%bQ91YKH3Td`0oHH1jV3Wb}}R$v}hSw$Y8fbwHQ zEEEPI!Yk+pp@6lmSYI&%1|BJC;bMs}Hk<KCCbx+AVep|=S?(mMLED9FNll?aib~ZN zOqZ!PJhLuY7wNMMEl?iplu8^f(k>1m!)$u7!@%-MOafJdju^urNlS5Qc8<8FyaJ15 zKD<ax9QQ|YOqNI?QkKQ2Bg#0aYbUa6wLJudJ(sr^smeZoJWBdrBL-U`nRNtff37%P z-n2kZ1^wE3Siel(I8Vhp5!nYTH6A~VfHTcBEv(#EU~~%mwVm(P-%{^6L%rt^Hy6Pw zR7+W*3IyfSDCOp{A*4+?#d9JjgDO=-`Q`f=auZ-01SUt4oG`HzD0Je)<dW2hu?t}H zK+=P41$Q>ETQ31qsR8RV5L=2xN7O#i9=pX#_rW~jeAbVQ0u&!N$T*&&{rDpan(gw^ zB%4OG2iqqrtEV3wbJW0ozqX(sIM8^#KRB!QgO^_v9oSFG0&K<aglN^PS%Baz9N4Q% 
zUzxnMW*CJwLt}-5(QxQE#+*Ks?(I2@FRDmn?9tBjR6UEG2M*uWFl%*xHb&2qZUU+1 z^Xx#QJeXq*+x<~EXC)Fz*gSL;BZIf}{rr-7JEr2?gDerc-63}l_Kl2n9i65@F71SY z1WP(rYpHgcpl)T05bw!Sahcxi_Dtu?T0FOQuEH%p!&3}3<N#sDVW>tmbe$_`$!$o> z8UoGiWvn^J$ACQM4338^@RixWeUpUVgZ?O1)JTfu0-%>22%E13SIZ+AT|Y89sp5<* zJbFxaS9g|L8Nm_?3n$F7E!4L{6xMC-?f231`@kS{>JqJup{~y92{zQ7EWt=36jhZW zM`O#znI%+UdrJx#t;Lk<W*Dr6au1Wfz4sCdv;G(~WIPeZyikfBO;;h)RPKC!5{m;O z_X%^JCwJUKb!ojy;;;$vo(n7NSVa|UY}2#_NparIM(`l?Cbnitmf5F%3sB<()6xh% z$R%um++wqVc=3GDWZ;mhq_Y`@pvsN4-D6$-eWwZEJVN4e&J>BObkv4KVoRwndW<~- z-}#Zd*ce1V0@-mc2NkA?>9m?-3%tbh8`BH9SvrSg`%BExG>#Q=<s+vEjWZpIIPKMm zb4$gily{PJN=TwEL8kre;GGO7J8}!*AX-<e?2Hq(0_}q+usBF5!svXHPE!k%8O%DD z$&-Xs){iV<Kq@hmgOy`=Yl3C5_(B{gIS5Q2O-aCZDa$9QBBIt+tG<D~f9r8JUO&CR z!O8>e1SM13G0PO94$>Iu1k^s3=Ao!4NkaEH)rL$#1%)Dd-Vo?mtqFZwLdRaY(#{M$ zpZ058adiVt`HSlJ>ceA<cs{>&zH^1AM2C)1zsu0U7-gasO<iDy3v47cZ3#<bqH?N^ zKGPqRa-p~|G|Eu&Kn)>KJXx~<a~iAZRiK7do+=?34@<}~hfNJ>PxA@;mJz}z4t8hT zb(IqQPJZ7}dL++MSK#RO^3Hn`!&G^~pNb$|STxeFW~rl;KTN;Yu*EM-aS7+O;5>@1 z-#A3|y8Ln2*Lamds}(9?<Azj8<?cJEkW?rvwh-Q;(_ydC6f9k~zk&W%GenKv&PdkI ztOLB~qt>(>F4`+cs$$6l1r0$-l$apUIkw4WzI~9j==6tRZbiaTY7rKSwuRAhSCK;0 zav_l{aqluso9Ww*&}hmmT>#$PWFS>!qmbE6(u5_soM-t4z_{v+G6S5UHG1fdzQd7Q z2dITJFpp_7lDudOYzw7j^&yNV8A_?cRC@|3rpVrA$x^b=%E<i0-g{{K36p`2S0n{? 
z5}oX)npyOVL<j1ESk|m(m|Mhb(9UXoBy$0UI~Q|{Fde#reN=JSpG?LOxnD~o!z$GF zFQkW5Q*Aoe-Aj*;An66YrA8nT%{Na@#!;#|E3E81M9-)FDV#J%$-!HFzP25y<$1${ zX?n1$gHC0VsZfS(ofzWSsP!7}o>yr9f1{8Uq&oty_J7x(XuW{kes*u#^BeAOxjlGi ze}n6^^C!+XIX63=ZU2G&Gq(4L|12hjF9?sK($o2Dz44+EAbQ}`z=k?+6pJV8CB0En zs)y1IhBu0l0N{!ohZ-jUP{Qls-7%<ocbw(@Q8K+a=8{cB#@<!4_@L$1#M6VJqzqgS zoR=<&b42bPJ2g5!GBB1NJu=uU-_d_c#(p$?XlO8VWVrt*f}M``$;0WR>4ARwxn?7Y zRNJp>6}oat55}@dX+Zv@Ji0WAH-a+U<7I4_N-$=%jGA(<DV4}DR(VJ=%pdrYm<4a8 zTOLG;L!5G8UuF_Wvg+8@1A3hfP>>o4J16Kz$_%x<(7k3fNp8LNqH?DDb}9aK@GaH6 zsCuy8>9K5-W2HC0h=X&4C9w=ytn`W^k<jLZ+9tvPs7<TS=;mvH&ncB7(;PlEuS<D| z9c~!%a}^w1b(hWw);PkWYVX*s7`C(n!$y%DY5oxF%E`qyXu)Kljn|Qv9s3up#r{c+ zbfm6}SL0!L5goZV0DW_hI=gi~dxPm<vQ9+~tH~94GOUR_5pqhmAISG#4EY4S46%qC z?;sB&H8A-RtQEqE1Fc?R%YKIMmhs|ZI3&Z}H<^x194e7l+XRnq4b36Epn_y}cXun} zKIl|My4Z+QvUUVid+SO&Jibx6lMeFWF^@M7>Nz6zO0?lAch&l<ao5y;hZ`p5F{Si) zF^`QMM^PS^)5ph;U@;r)O^=U^t@Y|g7%96wz*ti`R<Vic^8j5vtot3V6@g>QK{wEy zy%^g>WxQ&m?fWIUXRSsMRYqHg^II-9gvh0Fr=#>=A+C=ox41AV`_vKD*+<~9aBWD~ z$6@g+QWWx9kv|+!LQX?O8z38!)6+1tDE5KZH*1D+NZIXpDj5ySns+7XNDz1`ha8`| zwedx#=~g0kpgY`<!PC9LJ@V*S|B1no;~9BqWMJf|d~{@d@Gxn_!I7hDLS#Zp>9zss z#w#$&Q*!21X1sq`KA!3Sl|VS9M8v0}a#B8iG;_SSw?C6Pe0)fwbb1^^7#+{76_t}t z?BP444%*3QrC&(@CjD6YXX(4rH>JOm{#yDA>CdG<l|CfBM|y|!Cg~5P-;rJ+y;ORE z^r-YOq6Ny*yfiCirPI=J_zet7z0!UuDTSq7YI9HLaG?22lLAc&G%3)eK$8MZ3N$Iu zq(GAbO$szA(4;_<0>4@mxbL}XAaw6@cj5c=bFahqU5`DC?^BP>;rrxcWB5Mt*sb^; ze{4Ixk3D9?_t8i1!}slvQV8>rM`e5uJnF@F-y=)-KJ>^beBbs+FTM{x62tfYN2u<t zk6erIy^l}}$qN;H$1hCbJ96O&zI!eZ4#5j<eBV;d<GZsufbZ?qAilR&seM^l#P>!e zgYOMW3g0&<GQO`<?D%dWl-+yq<-5`5|E>`5o_63zI&h8uN4{T|5`nbzQQw_DXW+jA zACk^`Pq+T2?~hU5{4^=hq(GAbO$szA(4;_<0!<1uDR2o23@Y0_r^)Qh3%0uu5<Lcw z?Y;6=#Iop_YvdzpLWE(8x>=arI$kUmwrbwg%r|+FLJQ%(k6e-zxypQJYq1^7)fzs0 z@McCD3WT;%I0U?Mf)qJM!LYc@lKg>He_J&%#bl0JL7WU;D8r4nd#jD!e%*Q0-Ie!m z^80PPGw0}VFtSHx(a?so1-;W{;m<=1_wpRlos8k;HvJ8+?Zs#^9C0K6m$k{^QRFKd zrn{2izfn44diQQ$MztGna^nsws>U+kr6^Tp?e(DT>v-URa*tO@5>=ngQ8lAR0|O@n 
zxT|qus#o<n^tAI%Wc)$W)!cOO(8^9VvA`JeFHp2sZ3+(ObA{>7au+uTESzEmQSwMt zqK2L4N(e<UMMp4yNWduA9RchGx`iD-bCs!Xnm0^|n(B!8S(b4xHiaqHBcvrcz-;tk zh!fQz&smJ{k!{=v2j__w`svO?IQ|dm`MXM(ko>tUg0%Y(>!qT9NX-DiVnb=d5x9Xn zBFWVgH&<&O+!R$t*Kw+Z!^?V#)<yc0g)#yz$<rQB(*rCji^c>mQcN|4GZHw5WN$1d z12Ungl+IJEf|gN%Wz1r|cFXcOLKHxWB_zR^&($LS2rb};0p$@L1I#G`@P1@=V66{~ zQsO1;#!ECYf-Xz!F_1cchM`TD7pj@UaNR4ebEfvQ1tj`mw{ufaA@TRkfvDgERkhEx zo7~8PuQM23b!Fr+wtWLnt>amc%atk~4Ll+QYHhK9x9xRz^s@%dE}SRwCA!cPxl=31 z8HAxWaFG;;q!$a4lo7zrtNC>Acf+^KDq`?=j)svF5E5QNzbr?moJPbOE;rYO)c!Vf zd3Vg+6>reOSQ<iFmjpqV!q=eU@C|OHE~l<>WnChsi>Ub9D7^V82a`DBhFfF<tjEwN zT^x@X10an!0aBDKx=VK?p-e$FJnYof&Wn(scNhs9nD-r`I?KrASpYw0v}-YIEeJoO z_x~R0vxM(G($A%zN<WmIl>R|_Li&pIMHNg%%}<j8O$szA(4;_<0!<1uDbS=qlLAc& zG%3)eK$8MZ3jE4Y;P{J%fXnC$ufcck^N-;>^*nMVh(4EG40b<8t^r#f8Nv7Z3*^FZ zy^<jx1E=&}`X?j(tMnb|z0%)EkK<SK)1*L?0!<1uDbS=qlLAc&G%3)eK$8MZ3N$Iu zq(GAbYfpiY*I~2SgeS!ZZNEX-+~IN9M4On2I?v(PK2|DTFMiwpMk?K`KK*7qPYxb8 zyB(rv8(S2<LGS-<(ogA`F?#<`e>6W$3N$Iuq(GAbO$szA(4;_<0!<1uDbS=qlLAc& zG%4^uf&x1(Y{ED?l#}%0UzC1KgF3AKLw`0uO$szA(4;_<0!<1uDbS=qlLAc&G%3)e zK$8MZ3N$J3|2qZxRcC;gias&o6~8AO7G5QYKXG2;6m4H~{JG<t<DkQ4f5QGz`y1?! z+3&?u`=qZ)Z<QWGp8qX@uLoWjIO6|Ld(id^=P&)A@IS{t=y$Y!sP$}XpYW<yyYDl; zKk(h-+v)u$?}xne!ryzlop*bF>G_nW>KXS0ZSNO9BEC$_+cLJ0`{(Wtxy#O1J9oJw zE&tf^iI%07Zr3kdA96h`PzsPf$AcSf+9mL{`x6)FqEK7|qUOrLUDddsZ2^}rYWX?3 zY8M<Pa3ya%5)<#<?YLv3t$%^;-IS4(q+;C5T*{r(l6J(SNnAXg6jMEpW9ShVz7>kN z%8_y}u)HN|W)CCzO9IzShvRYKy+OyY`T23&X~{Br;LeYJN<G6W((S;wL|%B`Esg;~ zh215`U&t-vT4tm~sl;%@cPfz(PjotZjYp9frBInuhpasq!DX|!{ZTx=%Q0v?NH;n! 
zOi@M<MxNTUiDWRANQvW){}eooarZll8%6$h!YqH6Rawgt!LsX2v+H}x@l-q*3#G2v z>PYHc;x<EM8=1wu%9XkKax#X?&7%=<aN4Qt(Vszb6>ip+@vNy5GMxZX<nLkkF0)Ij zS-u!{+jy4UyiBPt@<`n?i*8opxCa;4d5TB2IO0Yh<^jh-p<pPK6c5RcD5i(9s_^$V z$8o!CG8q!nVaIWu!|2|1B*I}0X_wZkIdYIeWD<AX2XQm7cp&7+JY@~K8T|OzP&pcn z((Rw(tvelQVi6>m!Mtd9Vj))z-9An?-ln37U?`CiUcA{6rsoz5#g%#DXb@xyNpk4A z@Ng<6yk)&(i@BVx3yp#W-?Pclvr$y*v1~QCdA&Hhl8hw4NGWHB;~<q@<X&p+-s*d9 zb<ERKU>`J5$j{^|`FVCJG5xFEC0<;}1sRy`qAf0$rW3e;G!=;+NH``4F{(`Wn=a8D zK?-w=?7C%)6Swka`i6P|L;9UWI1!A7;=;Q}ol3i2?+EUL4Hii5a91u;#n2_|ba^vP zJOq(4>KJX~!Yh`<MZI(}1a=5VL&8^Mj?-w5CR@kCbQ!QbU7T7X!ZMLeMB)&isPOl$ zZow(EIo6@(NG5@sQseQEpxof-;N)W^oD6|sBG<FouU&jim)Oc^k=>(<oGfJ$h6>%Z zR!#yb+{G)N+Yidtv`-Ni7_ldiCTW&s5Mud(DE&`%iYYa%kwg+Vwnh`;*(s;OL=EG| z^;vZy%I1dh5G~^pIwZ3KcOk=$DqIjsUY;v+`4UK(En#jtdo!b5i7>9y4MoMGs`85R zLa`!iBEXG>?y3bt$3hX1IVw&<flyT0)%)yooY^Q|<{jYL&EcmGI?fV#Rr-{t=5q5$ zpoB?4>aQLs5y}IGOF415cJ1oVX(r!^IPThwMMQVRak5eUJBNpiDm^ol6Dtu82Sf3& z@Q;Tb4;xh$vS3rF+cMn_j+|H2*W?nCm{EGGnL=@yWt+;LE9Q}u2?e=$G!{&N{U052 zDn2%BHnq4(IakmGjb@JSsaF>rrVpVXkB<#9X&@C}ptS<&xTX>bTnU~EO>J}RGukTP zPGwRb`E&U~ZZ;Q9q=JcP^u9ZsN{fNGu1)2sGr6fV>NU{kag!-pN9v)uA_N#HBh?TH z*qNJ^Gh>5Yaa@HQNrZ&g-R3Bpn_2`DVztXdbrOT)|5>EaLJ})9L5a2WtJ_mC=-qHw zbPYHa(ZCp&+OylgF))7cB>v?_H^^&O(BE|c^H02^%EuHbOqTx*36mHfXh;y>mwVJ4 zU*-ICE<v|JCt|bQ^xvMrwO1MsO{$s0G#w1N3da(-syiWkX9v_ddQ{hN5?$oyny1^< z+1SeosPj}j=4OTg9-}+gG3_Nt5m8BN7xF)gMnfP+A{-GTX~z=LlRXWIrYD!@FngFq zcGWBiwy70Thgp^hFOF3v9!`jXJ&s&`3k$idp7pN0gnR3e01XmRLYw$bg`kIF^0YDe z=lf=obG{O+rPw2u2!Yj7p_JHu0JcL-qp@{*77{?lRklExwz9KGS_S@FDpQ`e>_TxK zjFBrRp>Pwai15fT@jZ;XsU^0|X&f_y+KiM)Mn^Kc(~u(ML(}#7%+dlBWpN>#h`^$X z3r{fXhZ@s0I};L<-Y-YvKs=TZKEQNE?OE=gc*gymwD5P)vP+8(@iAME%E>5fy+}y- zR@`xqia1-Ip(=5?aK1t}w}Z2$KvdH$;+04W7A55T8~u)Fn`+T0nPkY5#ifPmYzd@c z7?<<23(PXb%FiqiraV%SP%xED3V)|A<EoMdBhXS>!PUlUzvWao3O))wu*WfrW!!kG zc56JYTW5NZQIZgavVx(Cynk5JU`3?1Gl4eM%t4$f6W#R6LUtY<G0x1L$Lh`~Q=5l! 
z6sB!578N(`h9O+*x@M{qO_&WpiSnq0+KuRgPQ^|{VQWr#E{lbJX`#HbFf~^y;@VKs z8W<mx=>oebKBy*fgwOyJMwbMZ;{+7ZbB|C<wSLK_0@|#%rBVregaxl$#>Mc^`Y=l% z0Q&DzZi+I)t;Ay>T_oJmhiR&{Q=FNBz%C<)qTD$JZ3-#Mov(D6m(*gZEKkx!&@<Vk zLM4i6!g_j}Y6+>sq9q;#(2Q6tLM3#rT6WX9N;Y38hhUb6;vw;-v}0NCyO2lPLAq7C z1d{+*&`O4tgw@uD!V&_~E(peB2%DTl{Fr&-XNbq>8d}O+2vH=9j1)<+Qk*Il*nEul zjwWOAU?>)E!K&cVJI`r~)SyyPHJ9WPl6JB&Acr9?oL}L@CkksinhcHhI#%>qoz9o1 z3S>@0nC3`37J!SYw@9>LQ{+k|jA|Yl8;Sxvgj97Qal=uk;=hbWj*O3w%4*(7qA;{2 z6v$K#h7C3Vaq&h~`toJaq_|8>hRk}!64s@j=^XSRls1@6-9iRwVNlT}3mSq+W>_p4 z7v2zsWhwU6T44-3%{WtAW%H!zrjXhZQbsmpG?qNy>F77r(HO<d5upSb_R*D~V?=$B zbf`XGnaofRUC0d{C9|>|p`{|0XjM0yK!u*3&P^`O%49nbK{3VCOH6Y`LMiC#xOhW{ zV?T&VW_59qX)QFT?|)-hJ7Tej@P4m-PS`KJTEIPjRdG)06`zzGfj<j87C0Pm`5*T` z=0EIrwLaeZSnJ_dm+x`kW4^;am-lh;kGzk04|`pn$32gE4%`07*6DHC=G>3FA9Eje zyILM^d939Y*Y{m-cHQr~#rb{bYn*pGZ*n~0c#Y$3u~T?bc(wgu$4xk4=(Ig)|Cs$z zpwQqm>>f$8B#E6TGvfnY@=2s0&D6FSwaxax5+;tygBjeb7z{=B$?R9}(9v;d?pmHh zd&fcdNXO;3rq^#-Ree1vq}_g*_0!`=j$$;m{%!wynf2?&Z~N+H)>r%2FOIi;<udE{ zj-47c<NxQYsvpzG|A|%A*XeKjlgq5Ha#OO_zkSQ9>g)8gZv=y{Z@}cMYBs8)wcDDg zRUfl>{i+(*FM=0dxvKicoW1Qb>kl3sJprv)8=UxmS5;ppj`*jms;|qO_^MUaH|YP( zRn-sG#&279nHrGMFO<|Yp!#c1tu^sGtHCCuOMrNORrPfV5Wlgi`Z_m?f4i#sIyZ{% zUR8aAo9;jD9#NC_KE3rwrGJ>44Q_P`8Jv<>6>diTzg|^+ozuj3Tz37#Bf)Lkbl&>G z<<{@R>THZ(c<p7@?;jgGVqRTFS5;r9pYVdqtgo(aI&awCdAapRjvfw%4f^-3roKrw zQ>&`4%cgC0^>x`2{%KYH>-59+{PL``UZS7LIy!l|^~pL68M<-*s_N^y(H2=%eO<TN zF4wwb)?G-azxbh5^{><4*14+s#!C6zRn^z!PyE_t)<1MSGi08>7p<zkVQIW{RrL+} zWmi*w`}Ugt6h3*G^<kagg&n+J|8nPFt#9Ce&#L;@=U;fqs_Gl_|MCNx{EJU-ZB=(C zy8Pa<s_Odmcdx3tF8zB}Rb3~3epS_V+I67%w#(SqrbkEngMBs55kKX%eNA{++$OqS zBHku$v;Ej{o&Dck-*bJ=^)}Z%u7j>EF1z!)&Odj)$@v23f^*E7aNg+nFUPkWpLC2k z-r#tiqaZ#Y-edcS{qO7_c0_Eivt6*w*apSF7Jp>hW%J`6flo<qkbX_NUmB9SrMAFN z0)G>DZ{U@I2Lg8o4g}<Y&Ho*oG5nGL`Tm0cs6XVtruC<-Uuk`R>#JLz)p~F1ZLM3y zSF}2O|LFU)@6Em!`WAen;(L4%-?iR<^M2L)LGNq44|(tN9`bI-ImDBm&wAeKd9i2F zGv<kTu6O^;{WbT8-LG{&$35xpbMJ7wTfX1&g_d`=ysTxp<#fxzmTmUmwO3nO>@)V; 
z?Yr#(+t+CHg23O5fqO9`-HD8KkELsF@r1Qd7fbQZ`oeg(QTR93LY*hX_tYU0#U(I$ zsqHP6QbMzW7be-#wC&CH4ev4CAM++_p)SU@H`cXF!`B&2^jS(x7t@HN^$n-G^@hbM zYoXC@w!ScF)U*v+3-y||L-mCT6S@<w2OI9V>+6IK(uv3UA+noM^ikOUPlHkenSbA? zUE3qFYkN?)TUSs;YniTnN<2bT&zQ^qvKH#RXZugS5cNzv@&jw3F_M3A@k7BxhD@Zp zy}oX^Ti14?MH~_aQ``QszGlo+__6xJxG~Y9VlC8ZE1s$^jCJc|5I$@z)I~-3Lu;W< z2H|(Dg?gXDNBKDmLl$)5-C`}%yWC_g(|g=p-=Rsqgm+oyBxZ1e=x<P}(?FCPl<L@u zTN{+>_zM54L8*?h*wLU=Cz5!?QW`PM>6;pq8g<`_<1k7>%YW)AWYT-$-In%DrNR>p zO7(FFUv5xp;BqfNX(WU?$Dgs5>7+etEz=3RXf4yxDPWlF3MNBY7>CvS8WifNCL0v$ z8_9WVmwLr=9RVOh21DCo4NCQq*m@e2>SM758<gtZ+7g!1m_b`{UxQLz{fT=Tlp0K* zY*4DtjJUT!sXijnI^LLxaYGI2>LU^lSW2UY;uXK&pj4-o_}vDjM$1oHN=*y9*w&!b zpoXJCsX>iv8k8E;ur(;vaTcsNo79$Acbix^2H7#N+GJ@tY;c{})u7bC>TrWn9V>BX zgHnT%x73wJyUp`kY*1>{U9^-&O}z1NgHogJvZXX)qDHAfsWC@q8<ZN<IM<-mphl%Z zse#p;rPMq}g$AWMR>Hd*l<NHozuBPF=y##66x?hwGhSdRH5&xK(V*05`PVI_=J|bH zgHogJ?^{ZvriJ#m8k8FR{E7ypI<3T4Hz+k`@U;y}bxMk_X;5n5Tu)~#vnEPD&r;X4 zFpBlt1zO#VeqZ09uF>xs>PqP<K;3i|zR;jlUpIv>H7M0}yYSTpr8=F3zim*e(^>e_ z2BkWkg>N({)yFG*twE_iUg3*%rMMZ<q}vZQDAijQw>2o$TNZa&O3k`mYEY_ELv%MN z)u|zR8<gtQ5bI5S+SKVd3y=C?er*(n1nGvrPXjLqZ1un2U&I^#-)W8cKIfbC{)y)a zPsshOmM^w!b*(tx?W{Qd%>EO*Y<o!jvbYu1xQ{ZX*jt4z#plOolTxg^Np(D!lrxLD zDRM%Pd*OXSp5x?MG9!<|)1jz(9}Y6FnVCFuaxmRuTHD{wRVs_+y*)is<<eC50z6W> zXN%{0MoY!};ki}rDdo#&g7feap3RZdLr-}z1&46Be3D-qU8UGl%8`>~E?9<h&(z$u zEzDOGB?mQki~aHL@DBA-&HbamS?N)1J^|NEUSv=SIkN(9$9WpZ7(9zg(`ET+5guB( zwL&?ebSNTFj$RDqxPD*i+9DcPZdPzJX;;U^5RFk31|kS5YemYKGV(C7wDV#ZMxPGv z(tW|?o=RS5qe~@reeGI}D5{J;L?dds*oY!>T6IE(w>Z4WG}NEYFxP5G5oPzY!A0qd zjVLUS7U8eC!kjJHc;FFeT%-Emtx>`Up5+y`>}S|+880q|Lvkb(PNw4%he{McFp*}y z%oAXJ(pWXB4&i!bFi>}Qw{qw~40pcaaB=f(1a4Arde*&bHT6XP)W^vi`LO0l3*X$z zO0D((Rw59R%8myxh<L+6q<e!2d8j{~8J9=L22TtQ^$+x~38I9EvTFs19=sT$aXHgJ znjTA!55j|d<gna#e0&hDXxeG)e=AvmZCvR(4{Y~c4BM!j?(GG7a{tl8BV)b&!~I9c z*9zCD5?%(bgDS3Pd20b<iNs`85^C2V%Y85&m`CJVp&W@RUFV*PzEGaMy(7nuj?2U8 zqv?S)rEf$TUm{IU^o2QQC2%+<kM@rZ4~~!b_W^I>;Ea57aQw)~@o{;u53DhGc(7OF 
z>@higeEbN(RLELQK{%%Du3!opYkRN_wEf7?VDBk8eY6kiW2Cpg@A%l-No07o>=Ulr zpw7V-{oR1RF{o*XSp-HdO?Jb<yJzHNIy2fskM>L!ijzI(V%@OXd+^<pTj&X$M>Nuj zNRU=(SVmg#N%#EpY^hO4`flwic67E;NBV~3Dt5Hks3U!Ea}_%(HtI-!e{=OZ8d&fO zxHg^y@(k{ck0dOEnOe?uBMhLF>n@gNdng<P?&=8qVm|-n9@OZbtIQYX=7I4>3s>n! z!B-FE*+L`Q=v&CE*wL9r9qH!@SFfY3_j`qH>ly9*`l^$N;`GVb87sNGPk_rf%~bW| z<+vqSX0*7REiba!TwY!dE~-1#;BsyfTTnG(HdvvMoQ2uoEV;8o-orhyApG4Y(u)*m z#4Ndqn(zCB=KJ1*FjHO!7$wo5_Rs{vE+$SQnq^|BICW-XWT`SSjG&AxHqP^mk7)n@ z*W!Bx>BrKyrN2THz&oYilU^z*(pf1h9h1^hNZKp~0{<2G7exMlHt>PK9|c~4=zyib zbRZKr6bR!jzU2R<{|Ejj{GaoG(Eld?EB(*)pY!MZ<NjWM#J|Pg*7|>2f7tqs*3TnH zz?)lN)%t6#%dIo5$6Nbaqpe$8+gk<S|Mva8?=O5G_PxdTYTxsG=Y6xj6TW_5%(u;V zjZgIc$ooz27rY<wzSaBN-sgK)ymQ`@h&+hnt^Yc&>c=w>*F8`Kae@p4WI@;CaB4 z_uT0j@FYAPo@+gJ_fOp4c7M_RG56cuzvF(P`$6~p?o;j~?j-yHu5&wD{<Y;FTK=l# z<1O!Kd2P!JTOMecYdO)<*Ai)wTLP~CMD)T}U5~ro?fQM!OI#1R3a-0cM_dWlcGop7 z!TCey6VA^%-|u{b^JUJebJ2OPbI7^Z+3CFA>2Ul6-VtALeAw}3$15F=IVz4x$Ef3g zW4Gf*hui*d_V3ugWdFGR?e^E$pKm`8?}KssA$!Pvv%S^!bK8@)uh>3idl$SYUTk}o z?S9*xw!^lVZL6(K{H6FW;@8AaW16&&q+}eMMR6#<a0W3f<Hgavk}}3ac1p@I9<oDH zMtR5{Ng3fG3zBk_hs;aLFb5gwl$0SJg5K}oA?W>f9)jKnc?fzx!b4J$GQdN&Ny=d! 
zQjnB>4ssOu^zjhj)5}AE&mkTHe9}Aw_}s=rfX_i50(=hekTa69pMzZ2Cn>k`kX}jI z$3uYgULJD4r0n4#>m((`L#~mOBoAqqlmrjSOG=!F%t=a&hs;V!l!M%MhonS!2q+fj zAx9)7#6xBzrH6wY#Mrxe2*w`dA!uhe56MZ&E)H@4?cBmc&`uW*xkpkudC0V+?BpQ( zrzB+u57{6o9Xw=GQnquDTeFg~jfY?^w(=0n#TFidxsZ9teUh@7hfGMy%^YOky^^wt zhhSVc@sPVEWg`dKi}|{dhhV-o@DR}X1|D)+Qr2^jJ!t289)fnR;~{A0S{`zjq^#p0 zDYSD94?#QaJmi$5wDFKTvCeRiB-#n^5VYgxAtxoJm4}>=6dwmk9G4U?59yQ?4-ZL5 zikpXwOG*m|iDx9m#Y4aeP96eIaPSatf}Mwe>ufw^Oj1M+5*v{efrlidhk3v;=^+jf z9g&{R12#y{;sK-5gB&0-B0azZZkJYgz)|Tu2MG5`%RHc0I>!Tsr6nFPBvm*-=nkpO z19nO!9&o#KmIn+<iyWY*Pb%_&Bhms77?9>UK=)y(zysDvXL!Ih()~Q3UCQ%-4bmJB z=$B?WK(J4m;Q_r;jt3l)rg=bGn&JSvZ<8i@z(Fa?0}e>{ae!U>r3oIeLAsX*+$!C} z0dDD(?&bk|rPDlMr*sz&*dd+b0ehr7c|b}!$piLDCpbV?r*xbL?3KoOz)p!bX}Weu zyhYQsN8$~du9U>vGhIoEH)lFy5^v3PMkU^u>5NFcEz_BhcvGe`F7cMk&X~j-GCQLZ zZ^!J6NW2-dGc55|%+8R+8!;W75^uwF?38#DrelZ1TQD8lCEkGP*e3DzOGl5yn=jit zCEj}3zEk3jm+d<w-gepEE%Bzy_U#gHxoi(gyy3EKx5V2m+jdI4*|Kei#9J-fHb}hD zvTc{d+bml<CEjG&x>MpUmaRJ^-eB2!i^SV2TenNRxw3Ve#9J#{yCmLN+0rTTw#t^B z5^t((*&*?k%9aj^H&nK4mv}p6%QlHOQ?_iCcq?V|%@S{<Y~CXAHp<O6OT3A4vn=rz z%FUZ4-awIVmU#O_+9dJj$@-fl-a1*oQR0o0z>N}bn*`QLylE1+M&d1#K)b{nCV>qS zZ<hpaka)A?`t=fTm0W+l#2Y2oUnlW4iT_%OH%a{KB;F$NUnB7biN9Uq?Gb;Q#G502 zN#d;$8#cR~+Oqiruthw^POLQmOT_fs7l0jN`t1$C3Niim1Ym=he!By(Kuo`}7v+At z0<b<z<<0<X57Tc)0G5a8H+<W<-!?z24v$CQInw_B6XNRx>4(x2(r2aj!(abpQdL@% z?uF0(Ua3>M9{B)%68Ki&3xN*@-VERU#{!kWWMCBj`?~`-2HgICgAf0g{2%wf-TxZ+ z@t^n4VCR1bzWg`)TU&qL`Xv1MKh^rK*4MSZ7(V^?x1PklKiqnAtIzi{-*<gq@_o$r zR^O|TRiNy<&o}Jb>)YwO7JL35dcW@djQ73X*Lz<IAOADnJH7qhh<CHM)$<>ofAai| z=TALv_x!f!*E~y}NzaJqR!^7bdhGUp<o<^Hv+nn~U+;dY`yuxk_nq#3cf`Hf-P-aW z$S?TU*y+Em<<%|EZK<?mTaLEuYw2pazQykPk?R|-&$`}=eg3bzp5@BBPP+PBVb{$r zpYvykeE5>{W6rlaU*&wvS$5usU4F{B-Pz{&Psfvvzj1ur@mB2dA8{-??sgn;#2m7t z)&4W=@V{vPu>FthFS9?#Ua;S3@5BE7CcE4AQ`@&}pSQi=_Ile(u)CkLjoWUs?Y7-u zbBI3@pTOS!-I#<1pY{u2e49<5FX4BDzi+<)-Z#TuD155@0@$C2eX{)mB!Gu~qWuDd zfQNmf{Q~5`40{2!2T|Z*f7gBi(!j%>Xukk~FvFftbs-Zx47flpc-Yt5FF-bU*w@-G 
zKt9Z{=TUo*5grCyASXQRtL+ycD`wcQQC-Lj4+Acc86Ngm?H3?7JnV1VFF<z8u;)^H zkRKlQmG%p;+j-cR+p93$&9KK%w+ic>hy6`^6$U&H`|I{9Y<M2_rS>Y!cr)x#Y7dq? z5Bp?$6~;Ud`>XaU?0Fvc#r7&pdNb@1Y7bUD5BtmZ>QX)I3+>ek4||317wy$@J?!)C z)lxm|bM4i$^{~&jR~PGHpJ}fa>tUa6uP)TX{=B_9Uk`h{y;`V;{aJhU3=g|N<GsHg z2KwdeVV`KP⪚Iw7ojZ!(JqOyuCWZ!xZ6TZPgqW3`2frh2LwdPS=5cy{$S`2l{AR zb&><kP{nK==p$`a+7cMe&j_z+tJ0>x4Ek_em9_;2C?~wAtx6jMGw9WARoWVuL9c47 z(&oSn`cPYywg+a=AGB3zgJ1@IP^$7<gz4Mbs<cNi9-0<D&{m~gf*JJww(9XZ(EHk} z<2+TLBfPi0nyH7qr>#21Rh<%E-c~(U2YOjsb+iuj{I=>y9q8R{)uS9}Quq_8It-Ap z&`-*3)uFnF-qlvUg9AB*ceYh;uLJ#YTXnDw^p3Xbkvh=Z+o}U~ptrSE57&X-+E(qa z1HGlK+E)j9b6d5y4)mtB>Y+N&AGKA}b)Yx4RcT9MOp#M~LtB+L6$U6vj7i%HGw89l zDs3#xpg(M@($>NN-A7zVn+r4Og>6;ZUYJ3zZL87-!wkZl(H6rD0^idn!wh<TTa~sM z255qMjMstCW2_GJlD2BJ4g@BT)Pa7#ts3S)_Yx&Sb)eU^ReS0{zuQ*r=0NulUcovL z@Y-Dm0ws3Ufqtj0dP^M$l<2Ah{kBx?1jyjtbFFRFo!mor6AnA-K+p*tbs*@3?RB76 zwpF*)fnL#8-C76wt+whG4s@CXly)S>1f3QjptL73gI*$4`CZBBgKbsXmY5&<O{vOn zOzwilp`D5G&|SiBv{h+uVg|jmtxCHS19Xb$K>HIj2y;O@6f+1sLVFZ52x=V08V7oD zTNSpN33Mkl4^xc;p?O$p9OwmYRTyd<2uu$<jRQTetqL=Z1N~ZC6;_%FG%q~2tqLQ} z1Ue}|K4GJAphw%PFwsn)IpLAEDl9Y(bfK*Z1C0Y!+p4h7IFQm-g?Yw-o+DLZotap0 z?qR74+sq7kNUFjzGee#&RbiKzASa$BRbiExArB&R84r0ts=^{OKeHk!u*b}h^O6E< z%nVtU6xd>B$T>-YC1!>!Neb*RGo&IZu)<7`<2Y%C4Q7VmeH1J(GX$sFu)oX@ypMwQ zWrpmL6xd#72;N7*@-joVNeb*PGo&mju)0i;ao_`+%M1ZNu(-?+-~)Th3;{l{w#*RV z16#`s0Y0#_%#f0#z|Jy3GUy#vmKlQHVPlyg=p7c88G_znUzs839oCf@g5JrtGL%~8 ztfY`>WkANzJ6TpH2zn>O$^=30WLKFW=$*_e69m1JRb_&pcQUF>5X=SHR3^xxq>xEv zK#l<)vZzcD;6nzL2?Bh`o-#pz4{uH#13qL<nVtbYWKEeMz=w<}6Qn39u%%3p(N5a` zZxZeiqyg;lf6M=Q|77cDS|9fPE~4yno?m$0>HY-v(E;q7uXmkx{@D3O$NS*_zsL5M zwmsti7A4`0sCx0wfFkqmE-8zX(52j6QZeSHkW)4r&LNwa7Zn1@40nyyIERFSC&IzB zDdRYNsFb^vn+?B@{-@{nG03Mgs^RjC`F%u#YLG-_Wx}|Yz;ONuGv|+qv0@=N!BVrU zu0xED1Ii|TMv{6&P7Uo#%}6rAT2ii2Zt@BH+f^5&lgww0oW-?l=9=?zx!2;q!^je> z6c>>JiM(Od3VM7-5Wdi<?ouv04fi(WZ7+A{i{$oJK)^`3(leC|YMDxdYFdB2BExD{ z*=X>I>TO2>i59lI9B;cw@B}<<m``?48y0a&T)ELFbQHDm_aYH#WuiQnL)zQkQn6eP 
zW{}7p0U<2iu6!8IT$Bsn$o(&~8ghneSbQm|F|{q^?97$B4OT*$^IB1l(a(g|&xF>` zgwfB0iW%!iow&5J0f;}SB0gnCe6W@=wl9zTs1<o+l7eb52;{`gQHFD)*{gtlt+xra zw+Xd33`OhhDF;zdZZPCD_w?jcP3owJRn-{YAnsN6&q@R{6!cMCXeg#}&PR*Q<pl9e z{ak8tyPlKVXx!p}cL}*g4NXF>w@Qe~@vTOcs~{ms<vK9hS(VXFnHepE#PEnj$iUm} znH3SWBhYo)Lf5BcuXW0`Kz&$6J#I!_O+%~ZwXeD4T?JtvZ$Cm7VPl4;U%lwwtE|J^ zX<naxbrq!4Fcx08jLD0@nHVX=adiol+JJHm$7ac>rRhts8ER;3)^24pQ!M3GWV16$ zo1qG(o}MaDGhkT;_l&86ICIt1Z+0*i>j<X>4y{o7ZFquCXfasoMGzC2DZ1T4(*zPX zMF}GhUX7-gm?G5BrYK;YB2!MET634dOyP^HmAe!_#3`qW)38~bxN*vw*D6Jz;qCyI zZk|1SMav}DMUC=AV66-53fZEx0$nY_po>FSy=Fo)1FnMH^RZr5RPI)M26I16dsI!2 zX^Aj+#+W<B@o+!ocAq$ca5K7-rU$oWnSGJf(q5!3*SOisadRYPS)MP!&8WdzQm#`x zut!zjdgb&*?NKA`W{tlYT~=?9!it4I^>iT@WLfRY!QA<&9J}qOtcjVsk(gP=c@@O$ zu+oCan1jT)mUthExr@n%arpq{i@#%`xV#|4?nK~nc5x9-#JG_HEAkALGq?0yVeMiA zV*`qdXN#moRbPrNlB$xMR-DF?xj|hrxe)jo7hDecQ&=)X!C?eYPUVYBWpy{;0O>QT zhO<V#rx3$7kE>lk;^Axsms}wdm~3{~*%YQ;w(J1@o1)uOwEw?BY!Rfg<OzH%a2%fe zn_7o`-QInkS@%m?zSJVQx}DE){GB6Y|Fr!f`zBjK{E&DI75-;^29y-XaPgQWZt4;Y zhZ>r=C#~XcN+7cue!Ix38dMVCx!#66*E@_5S}aqhD-1I^c5Tqw@EYNx1eN$xAsmqp zr8E6QgGc*i%J4fla9j<mT@&E|!jXHGn4vsO_V$$=C)C;7QI72*aZ3Q#CD;x%7~AEP zh{1NX12R*NnANad!vnGoC5$-?t4voHQ;Ibv9G1tmi?>FzmAN&UI);X_O$h<f;KdM) z#N~0QVWjGqUZYe1v?9lqTa+H4sRe9X=^0BQnt!2;`)$T>k&7A%wpK)qrIdS=ZeW|9 z2UQzc7}2DR5VK%$2G`jk-9Rr4qlH|dj4UI#U59S^#8rfJNgJhFkr(Gy%ItC=Tz`jK zU2!^=E#u~;LZN%D1{h5$2bCZOsO?m&(-Do!{n|}=Sje^YA9@z&80wiUa@(+d%bE=# zuIyEIV+b9zE;O2>NP^<%iz{W#@I#Id%MGGyg?%KUWRzXN{^Z55k6~4#<5js2yEllh zmf53Uy}gQTsb9fi#S+S>atnra>|(=;hG?;#!WCvT1eT~|IA5M-$FMj+{1qHiG^7-j zE{y4(rHe3H6pV)aOr`uJ?B3~GA{nxLNjGG0l^BvVjb~?PQD}Y*vs+#)WT*5kiO!rz zmBOyKT|4!VsBTm`ky7EfLWX`L;ff{YbOBaA?gq_~$#1$HQl|B=yqfXKy@Qzyt~!Hy zMCk4!n%}GK(d30(1y|gi;V#ZyE8&eLl_6y(IO1Utry+IXAvvSnEnRzy14b~C)ev7; z1$wQ<6AxiLJDzGhu|4t;q}*Q4mazF(HPEl{cw&2UN{7`*j2Q{;u9lHFt86#=G2X&i zBI7S-&)s+rG@xwb4CqAElC<Fx1~h7D`?jr(aJHN~Tsh8)N7;hoMQz`<%Y3|u8%od6 zdy(2TcUOM+skV6WR|;Oo2H}F(;k5t4{!RNQZI9UBXn%q99qH53TcwxSeoyQW58-6s 
zgtP~-B4XgXwx8SA2R;*cTi~V00B|a>Kd>d>^ncI)7yftpU+!P=-{VjFJN%y3AGCh4 z_1&$nw9Udd{>_d*cf80cI=<t)+4gbqD~M+QS6fj0fbAQOj3XgFEWXBed+US9_MdLu z-rC~(J~9Ek)AuspvhOb6exK~Kd;bxU0B`mFy0_##?oD|&dVcBow&#<cH+Y`sDZuwX z;<*mF{=e@2sQdTakGN;ux4VPxHbnM+rR4)HuW5O>WwNEerL)E7`l0Ku><jjo{g~_B z;)LrJt_N_t!ELT>E|>Fr&d)pF;rtEflJidIK0y$l)!<-*PfCqM;70CE+do?ib)K<( zpD#qJbmLu(?R)5nFGn6yqh<Rw)<V5yds}^>DJ8mHvKH#6!FIp3P!~+Q&su2o>9H2- zJ7K%4zA$MTimkrT^qRpg@`ZR8X=o(d&+7|K?~rUib8O&?QE0sDx8GP_h|G?)#l*gj zFGQMNqo(br)<XTf*7g&=5Lx$4llo(8p-x@fkF13{Lbe~)C+{|84wkHCI^}P$mg!SA zVJ*`;oaNJo;;bNKqQJMooSPbmf(qit5e4n^LE5{mg*ra=V11$Kh{E1wE!0P8@3a;g z&F-)k8VGHxFEq`UUA7kL6tdrJEi{_l#1|$Z+j^m`?v?~9)UmZ4v)0u6v<=l4nmF24 zcacWYoSoKox3#9x=Y+M;=yS5Z(Buzbo3<7jHFNcaCSM!doVC!P(5$u4!1lPc(CD-7 zS`|{NM&Up5H4{)K`bn<s)7C=WJ<0Y-YoYENW&5nP&`=1Uvli-nYx|V7&>+H}Sqlv! z{He9j80X{lg{F+pw$ED&jb^`KEi{__B3~FcYen%<YoR_A@q)F`=ySidQ14UxwfaJn zAc-Hf7V6E4byt5tgBzS6e!RYB)VPpE{CjJm&L-lwtc5z8h+nrB>TDu@)mo^tiTGt} zq0T1ax2=T+ZU4$zXb|Bqc|8tQ3{75J=EQ%nRy8R9iTXmbusE%SIu&fK)<T^Mw)NIR zg9>%G)=<(dg9`s<t*KMNR%h~X>AGw;S!?R!v~901G^fA+fVI#-=>6709U<}U)<R=i z-fJz?5fb0U7lPr9wL^HRwNP(Xcptx_Q%$|u1N9Y6YFzj&YoT6I_+WjZi9kY~d~*Jj z!f#t^>I4#AZ!I)N^84081ECl5!;EzAF$fg0mg%j=`9`Up-l*+c^%YabO(eHk%XEgm z+ghgc^MJKX=boIkOs7rSTBZ+T$XcckV!FO8Y1~~fXf4z6JYg-<@x0SorsH|qTBhT9 zm$gjCbEdw`bUD>gYnk5WF>9IL=4gFc+?c;z)-rwmx~ygT_<F2mIxazLnU2fWdPXzt zzij`@TBsA-_D|MA9UI$|^<A25)k$laj?Q>}S;QbszqL#!%^1D^-zY2zf$s;N<A1S# zN9z-<72ijE4)1Hd<H)Gzai3~=gX<@*sPiGm2jKa?%l1v%imgZd40i4tP;GS|MOHF~ z?|Av5zB-n(oGWzI*%QpqFBX``g^_!)P@J8`p>%M*h#Z^n&_jxCO0YSljNv>;^R-;B zI*!oo7y25wn!~a^a2yE-4=t64inIAC=5Tq8JHJZB^eL^ie~I%e)X?x9ZHTX>y~{bk zYJl$uhi`O`ZfZPDd{INg_h>_Wbu+Bi-WB0Hs0<_5y6To=&b1y6O~CzpX$G(B@_6Bb z?3j!Rb`0xGP_v*+Y1ey|A)E$l9{+VdKI!AQ-6Fj-ohNsBx MOfO9_7e+eP9?LBj zOBHz_w~$jav)9_M4fDU{J`2K9=~eD{s$nGRhjA{STiz|FaXkm#*Oqs)w>Ro=AS-J% zjD(U_ZpSdrsP7uAvk?c$%Zqe-1l?kw&Wtw8wO3Kh8*a^R0>E6vm9R31LELe%K_CM< zV<{kBdtru~Qx>yRYn8blNXL|Y$`K%aPs6u7cp$93q75SE1&L-=7v^li7z(M|wc?v_ 
zLJ27YKwrDhrS26!p-&fJnB;ivMK&B!dX&S!x&NXh5A!&W<tor>cyYXDWDYC4m42Xn zku>cfbL~wZd+A5_qpaPf95m|>D}8t=vqz=y7V}G)^yCthNN<+DDEjKkoYASV32Myh z>)o&P8ou7^pI#sXy9(X7O1!q3JX5~jaC?RIl3zev6Rnx~shU51&scxDZ@8Z=?E}go z&PYfmFV{#w4b4bMH#8D-Yq~bxD>4!g%6HrUWA9DC<SMHE;i~Swz4z_g2?<#U>5ye+ zAf4&GJ9{RR$z-xkl9?<JLYSqK44IATnIyx0yGJ$wQ9zMBiU^2`1Q1YJBO;)(iHIo3 z4x$3$hKk>>s&04Rd#6JPd0+B=&-0%rPwL#$x2jHUr%s()=NwGc)n!*#Qv>W2gAFWP z#tIP%p<(4J#79_Hv%FyuM;wwh#>rA+>U<F1C<r(0fw*3l2qK6>L(TF~<Kj?L-I{d` zwRJ2aLUWyn^>8R+lrX9?>O739780RwS5c?B`!s`E?yh3JI@d4{qp9L?xKPD@glpvB z^Dv{%DM#_J;tpgQmZMnhR%e%3K*uLz0m7DP*pm3)VgccO+A_rrmLB^v?<`nH%qsP4 z;i`b{qflX>4y0$xUlquWP-hnVHXr$9ear44hr-44d4Zb$wZ4rq3**wA?akO6VZ+_q z*)z!Qg_X4<6~6vAFYbW3H@lnI%_HO#4RCk_0Ct5GR^U4_IQ1YRfH1A%Gn<|N8_2ha z|33c?|3dk1^7ZmY`7qxDzC8T+9qsdZU-Ev(+u@CP{^@z#bED@pe3kdO|LFdO`!@H5 z?gn?2>o=}1yN-8FaK7Ta+1ctG@A#ABR!5g(nZsf~-Ck!OBfTzNFP$va!%yKGwmWQ} zvu(0f+kDpNtmj!ftc}*A;Ti7@%fpr{Et@Q3=pX6h^z*cVjv&7UN#?(5b-A64_pSCt zlWFkeaG|G|2`Nm5`!anY?eY+;%6l_?or6(z8OyQW7mg)Ek$9?<V@XqU6Yinvx;j|M z6jztBOlwC*6RA)#nJ#6j#U-rrc{VgP%~u;(wv&A+)D?}TaN9oEmFaIm1dj|4F^KUC z;XWLKzj1r~AjTmGtIHrFk?~_ncAmO~mC)l$C8MEaB*|}qWN_1~uLCztPr-$_9&V4F z4OV7mY@Go!9)wWr!$|<Q!ZK~!vsFi`^{jwuUo4#prQ_*UEq#z#mNp?URkmdd40<Zn z#q5PzUpf{EC6ck49X%cGLEL}Vst^`;ooruUsMfJpck<>W67hw&e7wC#i+B+M578Y= z(hP3t>*<0CQNMQeyRDO*s<X4zMXZnxUo;g9CBxw+(3{!HuErtE4I0hfVPO;7JGNi| zaViM%0)m~H9k?}Isn!Z=lQ1icCF5Egv;K}Qbjo0N+qOO&*2U@KNOd85wb~a+hePo+ zI-lDYV@Ug9zz#Y1NVP`15KSgSiD+t7;qEcFbwVFbR2Q%pBEA@gFA<5X)GpSQia1K0 z&)!J+l6WH)Pc3O~UL~&Ku_1t92>Yq*;p#m0(j;Fx9uB1vsd^UB19otk>;!c#`z3_I zLEncX3p=`7aOJr;h|ASE4*agVd?-7_?7K06m~6~vTwhn|P1a)tvN3oC=3tzfQFS(} zZoLmggrcbkBEM-fJechn=z}eP8@sg3#t$*((4Q=X<wSKB%M{V5Pir%95gU%4UdDlr zQD?F@8ho)t98)Zb>qP?$FD3*dw@+u)G*wNrx99reu~;Y`kLn5v;=(rz1j;jp)D(Mf zg)be!l1rqu_iz)cU=YemuG`VlIl$kqR+H@g)xIRG3nPg{>HS*6k}i42n4%_Fj!6}% zbPSz~9EEN(<VdP<_S$A2mR~3q#%qYY!<L|k(-K4{^=6s<9C`$U*R*JPEpWKTTA{{R z#u{G)p+*yt*t~iAwoVH&e#A-7hSey0v&k2Zrg8s2uJv&X%uz!Fy^LF6Nuc!LmVr); 
zOMgq-_W5drWjWawMd5KaGe8cObC6{MFV6&92Rb_2`E1e62aws@(aUFFwHjt6fOUq` ztoe1&ef4E9R=qgSw6u1xNPv7H7P|#z2`opwFBXZ1BC!aYje<i4D{HGTZ@PN1;eg7{ zmaW-@I)lBu$rnjQLeXdx$0RU|R?`d*wr0TdGP)_NQZ>XUebyHXr?4tgHJzP3JA*yl zXk3Api0PUQw)XUI6Ak4YfX_8>9B_l#Fe`wA3SKz+nQd^o)gqW9$_%!kL&0tN^v`N* zt39(=oz93q6WdBG6iLT5!(eUH%lGZ{Aec6S(V@h_;7&yD!c=IOs2;-#ieU02P!MKu zVUDq$WAQ&1s7JFmvc44Fh{fV-`FJy<2<QtDvXQa!5@Y0p8VX{Y(0ZG<Rjp!0bnqgg z(U>-ph0cQh8rl^$l=?!8jXqkfWV!2o>0~$*hBqGcVr$PX!^@o=t$i)b>&POtg1vky z=5!n~P=sA|&7c=cF^Ph$gF#rkc0yeO-aXL0vjw|BJ7#V-nC<`z=!<z(r%q$VobF3v z6Nsl0*aOjR807&>!d|8o&9qlz+QQ=qrZV^)-#bEC<{JXsds{cV^bK+l)s~gB8Jkx; zl#D0D<~7ibMX-$-))%t|S<o!>S!bu<{V8<{%h=+JN7CT^%$oz-%5+>13c~K5eq;e7 zL+`PEZtdx6&CXFLvz*&8H4-7j5#DdkuA)f@<E|<7C{b}bmJVUp*l+e$EcW)Ep1$lt zbrQ?D6XOJS5{;|?S&X!55!o2Cdk2_q4_MH!k>>IR`XiHFrUv=qa`+M{>;cKJW+b6s z8{1h|Fi9k%S+!t3Z|eb@12@TL;mZcH22_u08mcC!6B$V%UmVg&G@e+K=>nU=Vs2qu zRC}gIJ(B%C;0uFEr4o_FJ#3RHFd(Lb<qI*`GtkeNTzhp#!P!h{${(dpU}a#7g+~e) zb~7&8n}K0+H-fjqk|5K)wSU_<^$7M-g)b6MhvLyN(~TB)(edhd_G1-xuo(8I2>Y?U zBiq&og;?j{cy*lk6&xBXG{%k5aj#x8RaeKdUsr=OLxM{~T48J!e5j>63-N??HD)4u z1U9>nD>?_O=BQ&>j;5*TT=*^Gq+k+3OD=>WFe0dnTH3h5ir8ZHh7MKg;VgR{h>eEQ zspPzQAeSjeId9_D<VE5psiWDu2?&RAFv|3X70Y2z0Qs&DudsEAY)7l3*gN&UL_C7+ zHnI-0k@a<uiz;kmh6kmBq>@k%V=vcMumV%b1Xuy&QXx+9`m=&JpxlOT<^~8-)O5(X z33a5%7sFPPh$J+ZK&3sBb$4eE+g}V@>p~Tgv#>{0M3Nvb5rLf;?4g4g+8)k57(eeQ zR0M{J9hPe_4V71`0anOrtP4nKiP#E^MBm_a=*F4!C_YWBg|!R|{|)mqOv|HHh2;oU zgrT|u$qn7CR!9=8XV4@=@#9oKdl^$JhM3`rFgsHfN1#HL*^f2gKgm!y3HELjo3)N$ z-K6^1o6CHOFx#&&jYX}jiJ1PJ0G;$RTlKQn!P4W&P%4~Q-hudk)kU@zgu<||0{fM4 zJ%NQJ_^ZZVSE(Mp$^#HAL3A9eobT<>GjcT@cIcj+*$S|D=2MFw1o{UN1f5ON7Ut6l z1@^(*hH*b=y+J-0znc+ssxO{EFUJzvM={PPP)H|oB7*x-+Xm3loLL@)eOapwD+Iss zIv1-hR?L~`&3GstiLMgTIA)4=7&SBm3@g~O6+8}8)I?9C>f}xI`;u5^>13**@D<lw zZzt=zQaRW{Fo(8uU@jC1WC7x{4XT5eXvL-!#vw1fNbCSvtfdUwn2N^>WJNz=4MBd` z*0FV4hzX$?#s~_{jHq_j%(Z-bNn=imPlzaGAUlB19^AhfI+n?G-I}1iSd~QAB-maS zhCBuyj4^=O&_EyZWZ7C}g9DyZq?~su8?F|9Y-_;}nR%*>6@)WmG!aUsqjlXat(dbI 
zOQA$y4=s?>z=gEF9mryBV1Yw$#73KSTkaw?bcnd-(IL-j&p7wnuDx!jTXm-`Z`xPb zUbZ}L+iH)=IeCk`4AK6^;I{wQv6Tj0pYwjnyUsh$JKpoG=N#!(`#+oyI6IxkIDX@3 zm(D><yfxBz&u;n;`Xij|kFZr*-?3d}-D|zl{!440wa$ON|2Th@-zPt5|E_$e^aJ^7 z`+4Mc+{bT%E@6iG;BS7m+(lhx-2b1S)3&zp7H!!UcQQ8gix7_&Gnj4WoF%t&o5!p; zqDIM+vuqvX;ocE*UdJ6;+PjK^0y~-+R@q=A5e;FkY@BSHUC4^yxXogVfWBf|PkS~I zW7|=>XMt^?@D8RUJFIr$(<44&_qFtHTfLkICk=MC3}O$;>;lK;zRqBn*~Any;dDBC zoTOG1O6UTcFP!&S+cb8DnaU2JSvIe^NX_11QgxC4K@w?$sFST`d@!4cvIP^{Y}-T* zGmrUrTNV0|xt}RAZEd3`R~#>?$Bd^1X&C|@ssPa)r7-E>%zU{qF3l=utV0}6`I#15 z=X5UUOlJ~#KMT~JP2-f9j74Tnx2-@kA!@J_M)9zSBU)w$Bw}`0grWmS3rH35ah0|@ z?d2jvFL6XBx`uH$2q$Alm|xVo3L=*l1v?HICmv6Ysj$_G5}TKErB=7tt+_K7Y{OY7 zv6%kEJsZ;n{)!J|chR;aazWg-QOg_5Le}Qfv3sDaRmepHIO#zD0nr~jW;PC?H60C8 zVxLUhVvwfU=3{8GZ7sdvX<`d3FeJznG3@5)Sc3YSB=vAq165Ns=96~p39`w@mOv$r zNG+J7coK3-Rf!vxM2D7sc4p4P5g8_NjE+v*GR1-CQz+PmZHvip5MR0E%Wr02z&rZ* z(SfPoAfRkd+FH=9Obeqs@f4&etg#Mo&>+s6T_PqqwqEGelIthfLgOuFF+-C+$i?s( z&3@GcsucD!$Y0bFL-$glo8|j`mT$JhreSwxXG>=Ur-^txeQG6!9euS`9GAO$x^bte zu(Psx6a_)iRGf~VXFC~%i@gwXwBaQo>J11-kKiM0dkMnMwxew@8cl`5@k9q0vZ7yV zV{KT}+>sEU>R3q;$eW2oqKi+k!Wz?5f%`d;vXd~5vE-(ywz;A;{B&R1fVq^0?}3=X zQCeMmt2Evv4P6?(H6Z%Z8AsVtqAZQclwL_e@K2`WG_+k(>oE{pyP=V&hLGNwX@TIO z$%Pp{kGnC~3M$+dvxZY^RweVv(8*tCn{GdjQP2%+4K82YP?d_I|I$hF&mEGw*)+Os zs1FM2U`s1wJD7XOT{y4uA;C;#+z8Vv%LF|>F@=1~e!)O-9ZAa;=257pw?BkqE9%GC z_Rk2Xp)QT4PHL1?Kbm;3vXUlqk#iT=vc(=lTyh*7GrMp^Vj^Qf9x`fyHBCzjr_XpQ zO#ap^sbh;J?7Pn~_l@Ng`ntd|)+}CB6=!1|iIIPFN@~L=D0IIADGqhRM{*4tNu1BZ zi6r?D%fPS{7TeA&?%ZvCgT4JdTiM<S(Ga|!ZN9MB2D52}OxcTH7>5MMf!d85xJRNm zNvBhE<vd%@c#C$=1gsTS-8->N#dgYfnxGhHBR>d-@tGhNrn_owgGDODlEg-|6}{HK ztxGVHt=hFS94!syW>b8P$LP*#+iG1ITGiMl+4QW;!f3mi9W$%KP=ut?QQE&mQmsX{ z%3XVCH8T%lA@;c;2u~kO1<9H!xS81Rv~4T`o*zj>Hf)nr>|O<?!F+@i{emz@h>%~m z@clp72z9&G4)mectvDuPCuS-qCNp$&b!FN+Agu%5i47dnGTR>q8;m6*v-K_f7{#Zi zAtkpaZJUcd0tSMWSg4*&c&tsW!B7uCE=#gwc`8CTCy=esob8!GA-FNGj<C~j$CFUI zvQA-=I%8SsSaii$+tl%vCH?)qh2wb~%Cb~qCfy`9UhG1~`2}%m09!5J<26b;2ia$? 
zbR<kyEwY`8;y#_ePSf_0Z*neL_A7_>1%%vpxNQ<9Zt)w3_R)jfJKMH>JS|S>&Yqs_ z1HFt&sA1sZh3QL6cQ3hw+tWK3!|68}564xnl=J9vW25bdq80klLLZt7Fbu@>U>52? z2wf%Nj_)W;tZNsiJfVJM=iUrsri}ZVE18kR+Js1w<T9|(Wes$9;FQ({dYQfp4s2MF z5J{L=%8u7P16#MT<suY4VW>GG>Ey{Z5TY%gMj58*(a1G*w$lqGXrfb5X##qRQZw3s z%>ZH({)f6i+l`XZFus*WsBea?u}}(Y1=bmJ&Cv~g7IQ0stpnPC{%jiJH6$nM9%Gw~ z*O~r9$aYCgRPZYDKA)-lhb*LWoF!8Ue8)&e$$R4<7l<qcjhd!LAz$E<InPwwG9Y1L zcZ`yEOWE4tlaR@gVXRo_@5rCWU{!Frx*$r&!SYh!<l#II6Mc%uB~2MfuHsXV{UoGr z-9!UZ;A4(i$PV;E;KQQK^g(ukq>~=c$z*v;Dnm_=NUjXqnuJWj`s!m8e3~kdT;3q5 zk|yXIPZLG?ov#EoV=!0oRhTnpy#NROWhfO1kKHJ#Ra!}yaeW!?lp8K5G#P;lEnE)+ zuS;1lL&hn^0Y!-EJ<x#+;@H5P3q!lxi5AaDVzoiQt9DzhbcN-g7XQEeANc?1f8GD0 z|2hAYhy?hM|A+oN{NF)5z-tf@@O=MSxF68zZ}o5Ruk<fMWWcb08hipA=J&uaz~ALR z%CE@J%TLG;BTC?H@{RH}@@4V`a$X*kd*qCKyxb%&l^4iK#0;DwA0Zzmdu5yN-@Xrg z?;v{M3%+L%cVMsYhrT_&n|-@|m;1ipI~(5%`k{Dl^&RJ1<6DY|g0m1)aGLK3-w2=6 z`;qqp@7uVU@T~W7?}OgEa6{pG?-kHTobSzfPx1C4&S0zeIPV(oQtv|VEN|3%wD&0Q zIPVCr+iUTB=y@Mr2440&kLZJsdLH!L<GIaqv*&A`D?DHFobSnbPVw}4PV%(E|G*m0 zQqMxfB#e5F_8jFI=NaK~do1n`-S4~KcE9X?-u;yOQTK!HdvFutX7|_JSGd3AKHr^l zp8`(>C%I2V%)(XfCGG|ASrB$tx`Xa9ZUuT3;`)c{UDungmt4=eo^U<ly5Dt|>sHr| zu4{3N;v(1QT&KCRu9I9Xt_|>Qu-G-%6?YxuI?6THrMMi<kDPyXzJq%f&pV%VKH|L3 zd8hN+h;?|S^GnY2oM$<AI=h`2=kd-a_&}&}rk&N!Y0e4G!<-(c1@RBxb-dyDo#U5| z$F1LSJm|Q~@g2uE;2+@<$N7%496KDHjyA`!jz;)OnB$1TU&4`&Q4TL|aQp*)6JE2w zV1LT~i2Yvs9rjxgCGm3m7pz+?|FrhnKWA;WrmRb?3#^;0<E<mCQ>-ED1J=8&k6N9G zq?omzWN)!=us7Nl+vnQj_G9cv*~i)yyF>a&`m6Mg^osPn^rZ9%;w#=MeH(W~u7nSU z^Q5z+ol>`yk&c&|q@_{~;w@H76Qsi=k7Tj^)Alazko?Z}OWWhNhiv!QzGu79cCGEp zwhIx1@l;!%t;2SrZM|)!t<E;b7PB2~n`9ef^V^tbi}$Q=SbuAM+WH;q_0}t_7hBJ^ zo<>|YYOyS}yei#;2T44xu>4Va*lD8(ToaRiEP$xAR{$%dhj^almUpBFIciy@^Z-XK zv%DtVuR*U$_lX}TOZRH1KS)2~sHK(C4>@Wn-v0q1)~88Sf3Vs=%yZXR_c|nA;EI^^ zQvpP!M+C4!`U#v^9KZjf{@)v)rU!T@ubD+&5x`9Hk^s`=MFCWjR|QZ(UKYSK@_PYH zCcopr>K^h-0n8%55x`9HoB-0~R|2RcF9@K5JTHK0<kte2OrGVys&4WN0d$d{3t$#` zS^zW269T9t&j_G`JSBi><Vg-Rb`mky8)uQn1!g7@)2T5{#B^$`BtH{BRglL7FpWGa 
zfXU=199X%X+$(@tL@bq+Gsy!2lP32IppuB?w6cOcBrwy6SVSu)ll!zq@wRjq|841H z>28i{u)HPRu0h+SJNS<cE2KLG5R<;oe_LXCQ~It3y(ZnJL9a^R<F75Ll=cW<vUDr| zt={s6bh8G%CVg9jUX^a)uhmyd-x0uM>0A7_#g^Bl8#L%;=|&COE`5`~wm2r;#8Guv z)Yog!tJ2ps=oRT}{I$AD=^Gri$nvtZTZ4WtUB{tX%S+Og{I%K@(p3V8OV<h@CS4<d zsB|@dd!gk;=?V?{o%B@=`mJ<1e{I1Qa;pHA5z+7kONi)-1r_8r{?q&n5sjU{gnV0I z7Lo4?pq7Z{&ub?)a?HF<<R$?uBHt1~ExDNkbK8jMgt@Kc8v-+y+`xf3E#!IuoJg({ zz-A&^G-o9Fy1<MeqI2d1$Zn3AeF71UoxO=%EilIu(IK-o64Ag}%ZTW!Sxd-Q`8%^J z$Q2xzc^tV^0L#c%1h9l$CV&d^We%i|C0`W426C|gmXS*YP(i-Lfz*0(p#avA3k0x? zd_e#e<RT6v*OJc*pqZR2fFwCj0F~r?4kVh$IRaQiasq(2B>{{iXA58i`J4a(WXOTN zhsIZ*$r15Jq6#2M&f>qsR-Go&#xq1Z_H>>`8&4JK%0ZDXJ%y){6+1+_d_bg&c8Roh zCr`u6`bE05Poxbei?kxk)9NKXBCYQh>7rhq&RE<f(z<OT9or$&k)0wPv0bErllbfm z(Z5(<=9ti;ts<@6BGQE!k=C^Hbozoek<M=w>AV)69y9kuk<K|mq+>Vp^yt~^MLO$v zk<L6;r0ESJt=uHiij5+jb{tQuW~~+J%rzoSuNG-)l}IbsiL|0wq|=&sTA5rf(!?^6 z#v4T%TPf1$3Z7QPmx?sjAkyd(kw)r88eYuPsnrWaT3IL3ibW!wRx8pe3q?A)hNn|z z%n@m5mPjk-i?m{%NT<ye>6F<#ojiS}NRLT~v?49iX(^G8P4e`pqaz}%njzB4xJWBv zBApf$>6EZYCs*@yQe{Y_71KpJ?HG|xJzAtwszf@uQlv*!@O0v&sUkgc8c&Z5P8R9J zqeOb-6h3o~uyojdu0iW;zu?e#%Qo9jHE4_NF%4R8dt8I+Z9fwbdD`|UhsMDZ*~1#N z#r6{os<%DDp|O@Nw!IpZu?Zn>tfk)eV~!hRX}1a4ZVYe_3LH7#_5i2z@FOOQbo`M# z9ew!WA{{+iq@zahB|PdRa*qHyh}gbHZ6jhs8?}|(E`C}>gq%34mi$m)D#;H7Fp}IY zfDuIOk)s0S`@9DKk&{F^A;?pC+ys%19V^l?V?;Xg2$7B$FVes`p85_uOr#@6igd&X zkp==HRTPo>{k-j7%RSOu4Z2-gph0`2`J6uQLTR1=MoJ3>FhZ)~FL^9?ODPSyU7Dpq zd!(8CHP1pREr5~I9081wX7iWuiCRi((D$Xd2Cb129CBIil%g7RqZH$i({hIt=7l&F zDZ)_>%k5G~gZ4<%HRv{}N`tmbNAnDhky5n)Mo2RRph(B?mk`XCF4Le}=~4~)E^W}D z@6aV0^le(NLATJw8uTq%r$IN<MH+Myt<|6#=|T<qCKcU<NV`<<28%575wQ4tcAJY* zua_qt4^P}~p152*aXNY8aPY)#=ZPfo#Af4()yfl##b$H4TyD#q^k~ahto9Lh+}4o( zF8xV*O?p9kT6$D^K)MT_@otc=mM)b(FXf~`eAVA7ogl51mP@tLEGZ&YN)x5gl25YP zKE&DVb=wQJr)-bd?zP<xuYcF!WOjiq=l?sj3a|K|_dnr(7#fA!{5O7#KH&)e2)|SQ zNd5rc2wsw(l^>TMl<$(i1Dk{^<csCA<<sOod7HdhUW>a3HF8Q0$&=-AvLf4|OL*V+ zrtf#qBs}W7-*>0)7T?#PN4Us0<U7UJ>)Yx(0rxYO;qFcf7uY8I#`^p|$@?$wd)_y^ 
zzx6(ih==!i@ATf{{hIf3??v7r=n#6nTfE0ZgRlfQ9OBR)1ihoZUau9}gZDgddS3MW z((@Q}2X}jJ^?cKFwdWGgd7d*p1D;Ok4K{chJ$0Vh&>B?1f8l747d{L>w0zC|p5-g< zH{8FqZGi>EGFy+W*|y7ai~DJKH@we%yZa{iTe!r1uKRRo54O6GcdvFYcF%_9V5)nZ z+wZoy{^|OY>lNq>e&%}6^?lbZuHDcVeBO1IYXI7U&8}uwgKM5E=Bji}aE*Yb;NQ;o zoUg+x;uFpvJMVFR7g~a^IxlkOox7Y}u+doWTn-IE(s_(C=p5yAJO1nV!0{He15Z01 zas0?}o8z0%41CdXw&PSsuOs6)4tjw_j+u@bj>(QO4j;4vf49G5|GoWL`(yU|p%b{- zey#md`+4>=aN^$vuZnBz_4YaTh<%!Uy!CDPlzhheQ|rCfJ=PnoS6jbiJ;!>Q^<?W7 z>qhG;Yn^qLwHjK3u~yk?wfw{KN6X8WUs)cvJYcz#@RfJ^Ea`osftAu<2wx#*SpFk@ zfFtf@pXT`X|ML7V_5dHVGb*JI1u#qcrvNIXe+Xcj^mhTwl>VlT<-erAa_CrcF+E&^ zzCcH7&_#5V23<(UYS0CA42KX%nI5J=7toO!^m#f$gU+V`4LXl18gwoddl=#$Qy<5z zC!eEUPSm>7s8s-`Qi}jip;Q2aRLsJ4yU2e9W+(Yb06WNk1TaAUEr5RVFAl8DlD`OG z77;zMb|(3oz@*7v1yD&uZ>_B$qLbE6BchYmP9`7lcbfaiI|7(R-V?w~@+SeL$sYw! zN!}Mg1$kEh)5xDW&~!3+O#rjV+X9$L-Vi{Vye@!B@&^G_khcUdjlAi$Su7TEGucgF z5a3Og3foc*q$B9l1yG{T6hJHer3R8W>8}dlZu+bMZ=?bGL;+Oj&kLYLf1!cM_EZ7f zO`jCtH>saKUH~2RX9B!|%Ji`U=%bGc@EewiwpkiTz4WIA&_f>);Puo^A1;6{`V#?u zox13c3!szk72wyXgFaLM?eswb?xqsGuK?QUy&4G8A1Hvk>HPw{4t=&n1F4n%pa5Fv zJsOB?KPrH`=??{XEwI-Wz&GeM1@Luxbpd>hUR3~h(`yBI4SAJbSpZ+5R|xQG@_TxD z0ep#mr2xK2zgz%+M=ulLRhEsmZx_JhY_}A^V{P9O;Fa`5t2QiOwKUky7TB*sHa=ei zA$FfDz{`OhDu8u11QTa7>T=6M+Zh^&ch3^wSIEz3e*t`)W((kBw66d@N>46;Kc&3| z@DbWm0DnTe3*f`Fs{sC(b_(z^I?lFEfR~^Z+BCX|PNZ)M?1kihx>bM|kl)fT7Qnsq z(gOGpy`%s>NWUb&&yyGEMFsHJ^a}-WFTGfR=ab*i&lkYwsn${FlfCr90`?(#fdJ1V zzouIEokyOd=M=De>3IS?m;8$63*eJf>)&%xm^K#Yl85N$#0%$;XQ^5Me@V5jJ_qk= zV{tZlhH7JRHhG$!F5W$xJVj3{fP3kg0{k3#k`5NYC+MyMxR;(<03V{K2ylq}g6=4Q zKc@o)a4+2{z&vQ!UH~7WCl$a4X-5HkfNm3@O75du1b7y?lQtK?J7^PU;%CxH^bZ;o zq;G3bfWE__(=Gp&{-{C!k_6*CeWoP1<LMQW;HjriliuYooo4x$^p*yFD80$K;b|i! 
z!Gcd4Aqhr#T0j!@oND=}^ag+ZRLegk!D&xjBE8O0r&#_jy{thmN<uMw$`a`njvBQ5 zO?pX#{wlqwK`%<b=g=<82hy(vM5jy7b24_Vm3}9HO6j)(sE}R|z%=PM{Oz5VzevB- zp!cPx`HwqKl!Ov^=XB{gfvJ#$o_Xgq=~<51;iZ*4TbA}(b_j?(XxYi3KH6jH7Z5q$ zGQgpeX}6_UgCdrb1w<~hWHsngOCN`NX_uu-gE}pp0>XPe8g!|pn?pTxyX7PeI?1w4 zgE}l*HE5e<i-5=#mhGJ6o&}Z;j_M-kP?<xWmLA)$1cW2{a~#@k>9#$qL0vY{Hz!#- zZBKLDNqFxW4s}?z+n&^*lWb22i2lL$6o<BvA?nefJaubOj=D5RrA`exi#j-Y+s>qR z0h~c40h~^4{H3krUfQNXyJ<#)zChbKw1xbLwrJ1~>1GYuO<OhSDtaP^GUNwzqXykW zkJX^B)8jPg3c5*yzDkeRpbO~<9BQ{5WfSMjc5*jeFL2~8x=w?>PuFsi+ZWIc9Mwi{ zr;QqP8C|16m(tZ5bUt0hp;oeouGFC0=yG02Ymlzss21`KDs%@ekSgYDxU=az4xLD@ zrzs7(h6)A2iR3Dp)^HcnIT~~U6`Fw)$@z39$89EGr!fus8jWhu#Z+huHbYiSYPbt% zf<q@*=GesiJ;5^DCg$J?peiDMCD+lg23<?5IkbsfLxti1%4sTe0-HeJ(b}(9(kczQ zkj~Jc3uuT#$K!^l81dujdsea7k0)2qY2sJ%RXSCJE~is8=qq%x27Q?xr9l_c3Jz@~ zm(fWYbSVvL&?R(&23<@i@~+=FpB~9k$B{45@f!3+I*$K%+yZ(8v;Ut!ZX*6W{VV)d z`D!_Z2!QAK=6av;c6)C3xZE3Y`mA<7>^#Le+VQCUCh0?IsqI4ROV)40ZoistMApyd zPo1ImmRum2eVx>V;I#=>h1!K}+|F84F!XFXByLVX5MuuHAXtnlmG>)C6N;n|d5N1= z<8E0~!N!=~Dq7Xov7-exZ+dGnewPDAM;%+c4^@*QDK)NkmpsmxoM$zmNi4XO)}#<_ z&Fz2*PCFvP!LA4QTMilBNp+#x1-dnFab@U+s~kZ$H<?%^>~)!88HNM*=rp%?%{?$x zDBudtKt2=CeXMU0kfzg($X<Ltjau0Nvke%f!a^&!Be81vtl+9ngj>^f^W>G)HENZ* z9Szsw%bAwVs^y`X!CG8XWj048WBEhUKt_u?Q#}d9ZY=B12rnQOUR~|lH4V+j25VL> zf-9qjbv3ns*VHa)U`~zJ!j$Du5ub*`vknkn-r*UDPqCnuwRNkSgN=)WjjQUk*p`Qi z-jsTbx(y!Bv`}}3pxo;QI+>eFW;~`dz%5OX{{cT}r7D<z8_mX7@81T-(k=a)o3>># z{oGMaZi2eC<i4l=K-~9ycCL{=h5Md(XbmprWp-|E>}=n>5SA+gz1-{1+HQC>fL8-p z0k(7JKH2?v@@Y`Fz}wX*zIM85*Vn;APSKNbkyY)?%z*h%UuFh;GjjW_>UQShLfCy) zvn;%`Tht7^GHK3lM+)b+h+t8QVNodX0NgU+LhU;ElBngTiEw?}ptc+7jf95{)PCG^ zMUaKlyG3m)(Od8+7SY8K_!RWQUU*$3q~C#AoafbQD;D`O=CQL}{I^7;6cJ2Z#>7^l z`JmB)_=!N<?Zccy91=#r+_6QP)fPC(?cg(K5~A$E-(55uN!82@t!1}TH`f+@Qfy{d zuQ&7H;hPI9m^lxDbyk6Voxj|p)f3TIbIWpb>}POp+J*?&nmZ(I%PkaB7_iT3bB(JN z>Sj=z5Y!Hr5TdbQlW_T=8J`_0N~19~sh$8*wP53ANR0;9mV9djHNQ!vQ9NXnN88j* zrFE)vsy)oX+5zyD$S^0>Th!xAwG_F5E<j3Qavex5<+wq;y3ycZFg0_S$MXGfFy!D2 
ztW7<xM6#}9hH>x%A$eHG)T_rD=#3?Zc{AS+y~v@_yP+(-MaS}=ri+Ks+orBBTgyTD zT^v?Ry}HiSE5mwyzr7;1%`NKM61}>KH>|t^8O8Dwuh~Fy3Vx)_$J~$K>XCyFBs>4# zgP?c*cX022um4v6RsM7R{r(gE%l&Ep6u%<>TYgi1M!sLZMZR1fl6!HNe~BEIgR<B6 z58T~<0=M>W^j+#Z%h&1K;9G<{`bXe?{s*|5|2XdDU+=xxdzyEfx7oYEJKa0RYxBJ8 zdBO7t^a|H`F7WK~w0l;0=6EVShk1zm9rttYz3yAxSK%voKkm;j$IbaEZpHO)+?Ia^ z_vCMJUG5rk^}05>mby}|$u7V1U(Pq2Pvai^x13+Wx9uM1MrXY<=A7vCIR5T<#qkTr z5AY@X62t)9?pW`rbyPdX<5t86_LuCB+wZbpZ@(CK)VJB25e0C%eT>~Ey^C89k4U#m z*GU&hyQFq$l{5$U8xE6*?H${5w!OAnZCBaOwe{nU`Epy@HpQk`|80E}U$^hK-eSGn zI%Ms&9&cTO2!lbZ7vHj9wLD?@q2)%)rIxcSot6!jMV7GT2#b?`KwpB7!@KD9^kRBi zV5reH(E^L?Zf3&P+=H(K#|MU18gb9lje(&RCLGxt7+P+^(c=O`%gnfA14B!VxL?z; zfuRNyj+M8>grj2uL-l6d`oPd)Gj2m*sLqIcj@7ZqgkyEonsBU+g=QS;s4?RX4-73Z z<JJX+<{NRpV)f25;aI(MO*mHX95b#tFf`kQBj*K%W|?qwZD44o5%(;sH*LbPdQ&DG zt2b%Jq27cU*Ay6v8*z8jHG!d+5%){FEHD%`<5mZTB4*sGz);wTdxp_mZNf2{XP9t| z=8zfJ7#Nyv#;ptt9b?3OpRNcD9c{$@fG!UVRhe;UN2Lizt_uuRm~eDyU}%~Vx0f~q zhNhZvO9DevjJStrePC#^5%)CN9T+;wgrm~~LzB$7#et!q5%&PC3k*#(;+|yX9cjYR zMS-CSW?XGx=m;}zVPI&y5%(0W2@H)h;}!&l#u{<IpwYn47&C5uVCZl&ZeCyr9tiY2 z=jSZ%C^K$uVCXP2Zcbomq!~9mFf_u5`xz@QV8$f_Ly8#}2@LtoxLJWA*@%0bmFF|# zkk@O*%?u2AjJU^GUbh*SR)$=_!Es7~?>=^HV905HEfv6ZY(rN)%8Ij_acG)k#w7wn zHZv|B7_u61PtaIk$YR9(l+{7aI5d}-ap6GzOe5}IS{=xrVaCk}<WD!_LV^5gM%-<f zy7^O0I4p(yDQ4U;f&8Em_dS+(mkCFY4&-+laksMfc9?LqDv%#A;=aq?>o?(OWgwq5 z<0=CAJ|pfsbXp*PvKcouknc6(zRl|BG2!TxK)&0In;gh@8F9DJqm+E7Z6eIX3RCDz z8c_1vO{hsq{v;DB7|3@R3&Zt;Kz^GM_ak~_Aivd!`ynHEiwQ?31o9ap?hblHAm47r zjSuA8%(!uZe5(<6JNATpiwTE4A%CI?hdm*`*^E0pkUznU8y(1RGU9F~ZwB(mn{jB{ zMiY*X3gnM7<D@|TSTpXhKz@S}cPAYg$gelzZesPWGviS2S`&_11Nmk%4)r#faU%lx zHAdWxtd7-Y9O_tQ!qGq=Z<76Pq^QFr``t*DK;9(#eUmx@d6Vpi`%!_sN%q6-s6gH% z``ti&fxJof`v&y}@+R5u8`KlXn`FQ1sVk5-$$q#>708=pKU|~=<V~{Q*Qqm*H_3ju zS{2BfWWTRbdmwL;{dTiHHOYRv*;+8kez=qs$eU!p-P9Jyn`FQ1Sa~Md?>bhVN%p&r z%>$F{cOA6^@+R4D52b;;N%q@ANg!{M{q~Um2J$A^Zx8t>kWU!r#vbyYK;9(#?IHgT z<V~{Q9`dh1-X#0&As+_vCfRQf`DY++lKu9Oe+2R-*>4Z|dmwL;{q~T*1@b1@Zx8uv 
zAa9cW_K*((d6Vq7hx{dwH_3i`$oql3N%q@A-V5YSvfm!^ZXj=x{q~SQ2l6J_Zx8uX zAa9cW_K-gY@+R4D4|yk$H_3i`$R7fElkB&LydB7!WWPP+tw7!+`{8z8Aa9cWu4Qw` zB>P=U-U#GPvfs7j^+4Vv`&~<33*=3*AFlER@+R5u8uCgYZ<77KMP3f%O|l;@`~~tR z+3#xdQXp@V{jMf2vh)8qk|X}4e75iBz9YS@p4(vKzSwn{^EGG6aTe}*Pmp?GZEdk$ zV{Nv)YgtBLrB~1xc?+5TNB-J#?vm1EtoYUt)<=c?G^(UDbob%V3b;6I>*yKCvPgS5 zmqBF$AMXdKGC>ZmGHK5_%MyH0TB&jbJB$Q}4^&wPf7%+s_Ob*Yl-6}P!Rn-(REp|2 zu+OND!?a-s8PzcwV(|i)E0R)B$1TiJ96au9&xVTrta)Fw<ZPwB(0$oDn87oD*{aW3 z4I`J19;jLvIW%f5WvM-wkuy`P#&Z;36SU|@rW*paE7%Qzf;Um_>Pz<-m|Zv+wurKQ zZ8N&zAZ5nZo*mWrs>8gMWUHCm)e!u}VwBhoi|TBzxVjL6I~DE#5-w?(4>mT2Eq!g< zCQsr)GvFF>KE{@XG?|;25t$}j4$fs{sgWE3-Q{EF;RRe4;6V*Qz7}gD*idkreW-{| zt4FJ6g6Q(!#6WZ^xSTtpTg+XkYc75d6}2e@#yX?)p=tQkNZ<<|^J~v8TfvzS_Yo}| zj@7~i(ALbMB0Ql^Q%?us+Q+=%gvWz$i^p7<il~;Qua||r<}>;1i1Cgigx6`Hw0sCJ zybv?3KGCrZ$yUvw>fjjW@u?tNyH;fS1PQVu@n91!szI$?Tz$na#GiE^N8-4ea|)=P zU-sKBqc#>?#9{{2@EMGoP`$mnYgC^(y)iYU4uW3oDp8r<je?a4FJ8<S9sH$oFPVpG zHXuG_SltDJ%g5AY9UKX+g_|^Zsm%7n`x>T26I=@JgfqNDMsoyL8FzwaZRM5e<ZzKl z5YL=u>$%(^qdSbryrVQZhV!=nOMx}n(5q>60Q4SP_8JK8#YGGIblDrQOvE@eoP&{u zzU~L@<rxR=&cxEeMmUD#t1nx;!h1;O2B!vdItzNs%W}AKgF7rjCemMaUETp_owb8- zNqcAr2U+OnzJ2#I?ovkz*K^rTX*lrX@h%P(xzUKaSUnl^X3K6U=;vrSSUUj!h+RA^ zjlQ#SGrbm$S(%gbL%lU}I^E9AWC@)_tT$V~Xx(K!(OPevVI5`px8)VfW0pOZwB-tT z^ncKC6D-099Vc2QI_hBwKFa<d_=Wo!e8FvocHlMX3h6{CVEcvb9NS#nAUN4S0~Y-E zIH%#hz%qG+Wwq~V-vz$a-ha_a-iN$rIzF&I<gN33L|^s%$TQ?w?r}NaaNkA03ETIG z>+i6O+2h*cn&P|$ggr-g6C`K-kLVdbWg#`rsZG8KKA%NgNX@bfsaYOVZ+)f}AMN1> zo_n`l+Ongi+`U-qs9NXL^}|ZQmH6%~Bv7`0*Ju%pI2$Qj23%rHZ5UQYljb5=cOv6N z8UqwtZL^$H>xN}srMXir#T6eO+t~8j80W~5BJ29PnFvX!T{5w}s{bK1GhO`Q<t5Ik zEyF6~USwI27Kq%u<=o|Zk>Qu2+H$+GhT;jD{N`}y$UuRnR1r^~GT@68(aQ}5rHVgT zwitgX#waEa8h$8Uts&1Ceu$UqUTydxR@88iFBym`9^2{F`V7fLv2NO7_#s~GaeA}y zhf-0m47#SOHN(0bZcKS7Azj~cl|oUPWy39IGxx4PqZHG$t@KlMnPQ4#eL{nCYTK}i zYx{a|B5dk_i&b#yj^2KV(lBU&iiXGYDL23AkL$HrLpiyd1zoj$8Sb<mtg@+pU<>Xk z@2{X)WmhXZETQt^{#=MWuIrjYn`m^Ub7~K3laZ2bJ;FgNGtS|cVoQasW>J-}jI-rh 
zHf^SJYVEKtT9|=T@O4m5iWo%YGSZ(fb>eQmneiA|MIkyOuq+NB<0WO<L@rD@r}7D6 zXcH@n4T)wlRVHJgY;V@^_zJ<Mfj&6q&S)oS`1&qW03DmwYBq3BO=+N=VasJiya^{_ zu@7rK3wg88NbF><ezBE!61~=dFKYVe*#>;^1|9uKztm<%OG~Z6_(O4-)2|zTh!lAY zy}<ZGsqXI^>MpJS7xegaiNidrF9?o-3lo++Y4{;lD(TmTA4)1nYK=Ij#)kFn$1U{w zvco7Mtt`QkK!DS&<%W^Iflc?^Pr32_k7nD){wW-i?`QwqTXq?+^K8*huXM@3Y&Wzn zcTVjX*5hltcL)}M<M0~ztw+EUct>X(2JXUfHiozOa%<`$$P>r1!VIgqw5u-X0eL>2 zq7h};QZow?)*oB}@8<g)(J{-MQ@0LlN;8jOiFkB~V95j_1l$AT*O`=+ZOJkSCiTNx zf*>}v9leO?39iqB0+;E9k*l0jPaZ}_lL-6U#6m}|(Zb!KFSoMTMIXNdk;@i3r>-4d z;Ogbjv}nOv_EQA?8QARnVMXxhN*^cb(Ct`Ve2*{;D9=}e7>wC0H%Tnh2@4iDr>-7W zA@(EITvMo=vIFq=V&~LN!wP6b|Mzr3SKqE{J0jsCZVZ_3a4C^KR(3Y6fPfi91E2=n zR|Dv+Wo6^#i)vQss{Z(qqmP!|-Iiqr_cQ%sYn@Y19oG0l)cW8ez8-^(t=!u>k1)<7 zvVA-?<f~<cZ4nM=KRf>S%8o|a>4&%)`#NvXpU!hmT~Vf8pKumGQkK^*X<o5BQIdJe z&4QnloyKhWA+&1ov{5E!MZ!6C_Ar8Zw1Bldu2k7ccYfJPhj`T6^~Tg?sw2D0=QM?L zER&ONEXyPoHLeH>TQ7vN+8>j67^Bn38f#eWwT9R+O(L*Dxn@TjHSyFSP;rqv#6|7{ zWP4Yz@BfoY5AlE1-zdK>UnM7ePs09xvbWt!a8G}^`!4q}@J!#}Jj-#4W3+v}eWY}= zG{*K_+Y;+X*2}ER;054n%S`%9+D)gSnEm~!v0Mm>lNIF^C$)&@ib>X;MOcg4mfjXE zFg4>uOg~?cd5TAv&*D=f^lI^FU2ZzQ=mt2|9n7|}crGi_^6};tk)-w|{+QDD+~Qq_ z*o>k$S19g43`B;1iEqgrU8<(|kvnow)tEmUx8$nI)=?CrKSfi_b=2o74Ik1Y(V}=; zD1AScImn@XNUtbMZBc|Tly?9fKb+cW25RFohxNsNs6`G=?Uvls617D;A{gMBSHJ;K zTh^SlJ~zccax76i>=Zg=KO`fEHnS&}NY>5lgCcqO%-)has#J}xXNL9k!S;+Q=O&dd zvo!AWGE4D9SLm;Uyv&kd0cLsB<`6!V;e#2X1!uKM5iHyEVH6x}(`#}QVGdl&nVsGo zIK8<b9KmECrym4mGMU2aY=39xjs&0Iv@bp%iw9RCV4(;K${h{V@mO*k#MuSG(z>$d z+5VY)lxN>j;w`xerM}iN(1Yn~GrP!Ha!0^D%tn=&*_X2=kEWPMkAC)@7xMrH<J?OE z?ktqTQD$-Q!jZAP9Z^1UQsAK*`}zy}Ca%`BW%|0OBNkdm+cp-Dtp#y`dJ&xt@*}%s z107u(0uE<p9IBp<rqsIJcubVoz6|Q4GlNT5M5`Va`mLjX@c*b0eRSr++&HY7x?!s( zxw&xo+q?pi(e+oU3capdHe+*R;gdtN?4HeKP)!+n0BW}aD{3q0aX(JQD@xw1DfBjr zD={6}&7$^_2M*Ph8w275V^ELL6ZZ);2M0)$C~<Q^7cra|C3kp<KR4}@KM#|v4w64d zN_PxdC|Dd4+2K}j=uB=jxW-t)^NO3(K}lU@ckPDUDD2vLPan|(mPf-;A(6J^V0>G~ z)5oxWJAhrq%<0tGxsm(c4B*%(toynPt*{7PZn|t(SS-bP^qC0%jJTHEh_YRDFfxa^ 
zi|TU$gCG`74%=$>BZwh~Ch00=sU0>$4q`ytbN*5tMPV;G<6!ED3>Wt5bF!gR;;93@ z0gW7*?BpvETwIy)gCn@CVSdhQAUT#Os_=^w_v25B$e{_;o)XErK0cU*S*DNK`Ttk+ ze&T=6|FZvScmTNFe?8*;4Z#OMyT2Kc{^IZgaG2kQFZ!>-55SM*JLMbXFT)rA4ta~b z9=-t5a-}?0cKbf`z3qD*-uLhEeam;H@AJOX;1S?>-wNMcc-)7&!}}laAK`2NXWk!q zzwN!+d!hGqZ<lwIcZGMZH{_k*^?Cl|`J?A|o?m$G^L*EHt>+8yr{Ck*3}5>5J=LCx z9?UoQd+y)6pL9Rq{+@fc`-^VXeX_d+e)4PF5%(l_z)fB6xqk0@()EDrd+?6`MVIP2 z8FBPhyJ}n!*Ccqww>m#?zUq9&xz~9+{NZ2f9C8jIUfx<~ofGOO#L2Td-gmt0c*^mB z<9m+Xj*A^<z;D0?M8u0aCOW+Kf7)NSKMjBP-?3k5Ki58BZ$(_YIrb|1XuDN<Px_to z7-A*dAYFp^b=`<vw^T|=Q*a~VBikR~JK)E*+YqPj0^1;b|2Nqd*h02(Hiz{C>+h{U zxBk$2ll9BiJiG^NLL|MEb*gowm012{dBO5i%bk|%Enl>pVc8D<0d<zBWunDP|4Cn` zPh+@>e~P-^Ho;<H-_lxeyN+B$9#PbFCe%+9b*%~Yu%b4bP(N1GCIjjYvR6^pm{1QX z>S`0}K}B6<LOr0UjV9Fnin`K-x=&G8m{9jB>T(n6TYhyJP_)>_J0wM2YI^BMirQd8 z{m`#2v5mJ_)?^?>XWGdf<Sf5hugBa>?o`yphHQ6|ANbWe{Y$&a9>2OskGYQQQPf&P zwmsw?MO|n@-L0rKCe&Suy1<0`zM{@Ip+MC<6Y35{oohnf?pNpN$-0JoOHpSVUiucf zO;Kl=P~TJ3nI_b&ikdc|zN@Gy6Y4vPnlz!lt*8kT>J~+f8&Fr1n-w)?LfxdOQ4{J$ zMU9wH-&EAF33Y>_R+~`YP}CVF)b)xQGNHb%sMAfTuPN#=Ce&_4J=%o2PEo5&sB0Cq z(uBIkuU6<s<81O3zdB8i8Df~J$X1%kUpZV+rx*(Q3b{&AC!0`L`qiV1`MMN!lIf)@ z6g6l<eN|B>noyVf)g$#p<;jJLI>GSLh2+bMdV~penWBz2p)OU_aVFFyiaOSW`jVoK zF`>SwsE3<S7c1&$6Y2|!I?9B)$gds-RH^?i>{ir~hL>{W0!1BRLVaFQ118k@imI4U z=P9b+ggRGIWfSTgMfI6bXDh1Lg!-JKdQ7Mx1)kXTtU5>Xe$}NPj2uyAgnS!M3p}fx zoaIv;Kv0c|wRQVcyY9JFl2yqzffl<&I@71xbT3E~e5zIVylIE5TJ#xqoFS{!fH+-N zi2-q%e5T>~RQU|U^C|M_hUY=~G{f^Q`BcO6PTwgyiZ*u3gZiJl2jpFb=YDyo;W;bs zFg*9k1BU05<$l9+ubeeJ_xSpB)gL>-ce3trLzk~t_qcwW+@sIDtyAtcJa3n~49_RY zordQQdAt63-B$S|!}Auo!|<Guw;7(><*kP2HhGKTxmC^>o?GO0!}E!9o8fu0+-i6} zL2fZTZ<0?mJRdJ_Hau^XPcS?mCvP%5A1fbkc-|myG(4}DkJCR}*UHBlo}1+jhUX?3 z@=a-aTi3`CZgkJ9Wk@!<=T$Pq8r^fF44FpvywbNuH@uP2zSa828X1C2>Ft^oGNc&Y z^Kuy?jP7}v4EaU(yi|tpqI+(TA-U+Dm&lM?bkFrNgcjZNVtI+-xlXP(JTH<Vt?1sb zmFo=83w;n&ip-*Bw69k87#=M{LMi1wY=I2%ME5*jhHRpHo+m>v(LK+VA(iN!=g1IA zbkDQpIfmz1GNcjR?=xkHBD&|a3^_#ioRT4g=$?}@BoN(mLWcOEdydPHJ#^188G?uI 
zIVwZy&^<?Fh#b1-unc)a_gpPQ*w8)CkRfU4o<lOk4Bhi|88U|M`551HU3VWgT83~@ z`g!EhG9(M#bCs`3_j<)>86rjL=Mj~1h2gov2Wg@>wv(pG5G6{l2d2spBy`VHWJnRZ z=gBfe2;K8hG6V?S^CVwTSNxGd-$ec61o=q)+sZ^4GD9i1a-{DF-Ru4dzVZ6U!(|8x zrMC}1LWY!}dmb-CM9@8tlOZ4Ip2x}%4s_3Be4}*5%cFgV=^lMH86rXHZObSb@__F7 zFd4#t?s=pPNkI2JLWUTidk)Bu0d&ub3;{s*?3c0o>z-v9TfgqvCu83)J=?s9RiS_O z$WFtv8{z)+zq@3+;n^u0c6^(|r{C~xcAtK~w@E&1_pYLRVD(|MFFjh=`Tt@1P2&Hv z|3&}f{=5A*_%HFF<?r$z=U?Ja_$R{y;D6<J<X_7V%X{SO<O}6f<gIcuqVLU+C&(V0 z`rkmzy@!0a`L4ws|5JS(zV*I3U(7ej=lA~G`<C}v?_Tfsyw`d!@D3uPUK9KPhP+33 z-JZXDUiCcXx!?0`&lR3?JpG;)&q~D1tMrWWSloYhzksNC-*<ll5%E-ak9(7Q8GHdw zb&qiU*Y%F;*RF?Mx4XWE6aE>l?XC^3#jZHc_cFWzzUlm>^Fc(ryUKZ<bBD9dx!O4o zG494VC7kSEa{S!!Ls&6<*^x(7yG@Rzj+A4HBVhl?{s;SW_8;5#AhP`z;1RIHzRq52 z58Ef$-H3(w8sZ?{j~Iy8NEb?{NuAQM(qbtl9VPi~|F*qldlpgXzlW3kMYhvzCn56u zA{$(9*u2&c5pDh%>qFLCt=C#FvYu+)W?gGth)8!wSY4LC!LH&7%a1HKTfS;J+mf}M zXlb;}u~b<`Tdee5`dj)Ky$6Fa{7-=!37zan7ts@Bc##-yDF}vi(P%$hNR*DdbOYU_ zz=4E5S1mnWf&U02YNG=85k}N;3cN=cQO7E99$`dnQ1S)=oz~Lzavn>uMAW)%N*;@` zq@SQm={hBEkk5fytK<#xIZ(}VUeTAds!PdZS?Wq^piN31E7O2lqvWwT4XD*h-XNXR z2D(bgV~HBxYE%$Y$%tC1<gri<Z>>-ez1fIbuH>;?b#E=C%alA;tO2!D$z#zPPz_4n zW<o8I^H{s3?pruo&Rg_|`Uy%N>sMD!4Xu~+ME_3BIwc2rUH8rcx>(6UWH+Gd{JGPS zt#Hzy3&<Tx4syHhrTKJ`KL^phbl{@%Yn0q6rk84!+@J}yP|58wp^$N>3AI4Z?EvF0 zkl-d?k#hq&gbNCrT)&>kc?^@)W9E>vlw6;_VDbk#PsyEZLd{ijy(ZKgCD&s>y-jB; zxo#6`mYnO-buW2)w335}U+O0E7M-c&wwq9CC3lhumGb2}P?D>lk9teaZPT@OJITqp ztvbX>46#LrID%X$=Q29PIC7DagS=lNhE~&<Ki8)3p(wTZbFF$zgj$qbiy_+#8dY+T z{B<SGpb;ep;a`Ue(Xf(({9i&L{7toz!x6xMnxW)y3NWBTN)87B9qI}?UCAA1LLH;z zjy0i<mUA2Q{eSrce{Q|LHC1c|;836|`^&US$>Cg}LtREIl^l)+22_QT!|A|)nx^E| zm{3!d+-d{rQaVM+;h><)cqyH%<Qh$=qm<lA6Kax@!->I=F{tElXfU8AD!FAQ)R9VV zsR@OSXwY>8xs*KN&lxnHm$ISPYdq;#a;1{P8A4axmGlTDhhu~RHD1XrGN3M@<CL6H z=XnVotK@K^&}F=Yj`8Pe^h904MhC|V-AiAhhbuXpEDR{DDjY5hs8LD|=L-YsFeQg0 zh5<EF$>Ee?K#fpxvrMRflACElDM}8<4MRr1lEaC^fRdFQ4jl%R&!0=^oA@Qx?{Nc$ zEijxtblJX0y-F@>LV1*2#DsFoxiE?<ZtHf8a<#5(Y9*>aH^Yeeiju=gL|5Cz)TQL6 
zn@~<AcZ><;P;y6`P<AC(WkN|x4o4G1@irxg(}@9P_2&%g&Wl;MOw|#J5U-eyQ*;<g zSYsyZFyy~1*HH!x%QZ=l`H1DhX{ES%k^c}?$xSp6^gg9Z4u=*Ujqg*U<P35Yd7u1O z$sJ*Qi+rTy#+y+8QE~=Rio8eut>g@%6j1+Cat2X~yh}dBJq1Hq?~;EiIfE#LxBj8z z45AcJe^+vcnKJ%O$r*$xy!BUqZiK!gK44uF&}06>x&{XvT|fMpe4ykE!W8*4`HMd% z>+}5yy2zXln8H*ff5JR4NK)hr<b5S)kfeZmPeE)+eRW?T?<zTiB!##BtmF)m6i|Os zat28Xs6YC1&~}!_`3>@>k~0WW<W2I9KgR^A;t_|uiP>p2knkq?gObBJNY@E(lDCzd zL6$;MZ~1csXRYGrv;p#lUxhHG$Gq-WAxo7o{p2;jdb$zws$YdDrGMuYzY0l8k9k>E znHsbp{bVstszHt-_mJN!szHtd>RwshsUMY>w#h1_sM0XKxJ^+93{CwVc}Y?GO{f=T zl?hVC(fw_WUxi+@)Ys3G3uP6m(b6lwnxLpgA?j}OJ4H1LQFoKyDymV4x|_V9s9lEo z?<T)dRHGPmH+f!BjbhZ@<kyO76r=7Y&naq$sjOcq>NXSVSw-DyK;1=tsi<2_sApsq z@>HpXd)FzdL7pNHlBfNuUY;UPlBX24)lks=<VnBUqVK#%$rFldkf+Ff<QIx+kf(t9 zxuP27sr$&!6xAqC-A5i*RHHm~A9+ksjq=oe<WWU6%2W4|pZe5eF~<sneC7mMg)mi| zb7zu^+&F8_BM%e*9sV8uko-6Khw`a%gY5U+=R3hS4SxJ@@$T@>z<K>{e374vuka7L z&v!Su1BgX`y({CYa=zvKj<drVc6{i#!O`Q0<3#;{J#SCpyZAlQ$<lnuVtdfmXA9z6 z_tn-7^euX;^+?Ohw2RIHtAE(C+p@(ng`ACe?$-=I^nP+o+6k9hxMg5521To_ffuk< zxHyOaXZ$*mW-wd0OJu!qmJ?of%4S5kE__q(=pKOkK$yfKL{bkkMk{9hX4F{~DW5fI zwCFEpxnZFbt~tuqmf*qLg76NZ`5<C84=Xx4VOreNU2;!l{l>mq8s!ATDHJoh(yYdc zS7@!*@4Kb@aTsI$dW{oaa>|em=PsYfM-KV>zA8rv1!HX1U|jq~v@2XlEz(W?w!jH% zkusInz%g9|?7I89nR)nNwm;LwI-najTA49+q0{LZvz=AK0(;opfRCy|(8bzJUw_9I z%@(?l*BYJagzuNKmB&yyyO}HIRo$*OgTpg=`XXnQFefzDTC)~p>ufXGfDg2H^y^D2 zRBzcBc2@DrGp1>cLejzJjxHG3_qTNQ7Tan$Znd+D8?O(~kkaZ|lWFVe<MyTl!ubU2 z_ca;rkD(qbMJ$v83FPs8m&j&0qr6xmi()ptXb(P}Te6Chb?b&a*62hS#^HU6MkP>I zwikn!!8K*A^nzJ3pBgYIT-?&pX_z37&UeBGVA=8zV2V?SGD==9U{=(Id&I>S{&bEL zeyfn54jZW$Us23+KyjEvV~ah0L_}i(!!t*Nb<E=doO5wM42Al}FLB~ld|7f4J5v~P z!DOzbTf171$z5y&^XE_~hdlBz1;H<0Ctn%x!C=U(v#Kf-WR1j}Rl*#6SO+jKZkmq~ zUQ991x@FEP;rU^Bo|ukXa?dFGg|Y}&pgViA7{Ov$Yv*bMFnrQR5Y$ya$I495pJ4ce zbCcneM2xxD;2t@5K~bohJe+V=rS>rxVQ!$%m+1uoe32J&S&rQYH^U6xA2<7P(pe?k z8kneU4ke3GQiF>#nf6vh0xZ;MZEkYH*HD>B(~LF4uSGG-aTc4c#L?>edIoxhIXU)& zo;J~l;>@)+?W^t02+Rg+avrc%Tim5wYxc4K)HK7l)S8~oOh{Nl778dfVfDTkVly0o 
zEr%gOAB%Te$i{g`4f79&&97AZs(tl*^Zt6?+6Xqm_Yw0-tz`^(P2IYN#<fks<&E`? zD}yT=n;RB4)YddNG_EW*0NV(kXT$Tu(de;F&2=k+Yn$rI=C#bz>UNn%y%zpH*RE_@ zTU(2`rHj`t*XplnMro^>n+kPffhNjvs9H>#<#ja(1Ir?zHY~5JuPbCZ1>?kbuHodu zjJIx8jfg(VLXj?7+uTqJn>x6U&AtX^korw3xVW=tXRwa#fo=Q>e4%FRO3ZO?&O5y7 zSg?jSHCVTDapRiWx)pURn+y4NrL=5jHc%UivW-EDg;`)Og>2RpU?1Ey((vk{*Z_oo zQnp5zWV9&LhIoTI@nGk^*avFWoI<V;E1|S$7pq>r@4kvggR2Hw;eEOjL7X`a9W0tE zqXRssSi-V>2pH&XxIEJ{&ZccG2Jv(0zPKiGhMBWPwrADtGRQ}zh19U`F#^l2t!-Sp zvN^b-W@SyiVT^XvI}x0>3?HfuMP{1&8Z!ff1ruHtM0Q69{KOWUy<}g!2j!%L>tR#@ z!57X0c*hlU)$ePgLar2MNEZTan)58Kb5;rGTf>$fw%elkCxlNe=5{~4PP7j6>*%f9 z_uPzNuNB^R;KgG_OW$_g9&HVu=&DkE<(Dq@R>S~a(SWtS2wl#3O>lif^ODB3&B2C6 zSQ$kg6l`1*tXbQ<gyD=_X<%Q%6uJby{s!Qia0j38nlQ#hwBXBUU1}PuVi#BMdp=?> zZUUPCOAIzMx>p+6<5);S)%%zlaNY<0T3ZM9R=ccN*O+}s_L%!PR<KyfYuBtnlZ({? z)x4&0d7%KyM<7<XH5xv)!BvgR8(3&)9wxf6wr-I=Hgtc|IaQn&^+rq^RxB^g2>yf7 zks2K=>)VWFD=xG;2pI5z^6^e0=ulY~4a}b$^I(Fd^09P~OUt^3D#T+wkf6=vP2vB4 zDe<qCFOjQ#ulbhvEZ%FpYw)H0T<6)&qa61-j&msXg!H6zj_nrfBi0t{;g$(>3$>7? 
z#`8J+h}Xl)r@TK^W<`&UM;z0{(Pgl^ZCfAC)u$MwtD=>}XJX#NsA|bAE*V<rY&~Oz ziB=%#APi>U_Mi@ZvqG4LnS9N%zF~r6Uq4@^4b_br!!$9o0v(@~8EibF?#L}F#@x;g z9ze|P$S^~FZg<DSPVd~gGt?{m!iRQdT1y6XV7bg$Txjb69Qai4h)1g9AuNi`I)m4e zF{P%;sSY1_%xxIevD_k__CRYpe5ZAEZ*Fecp6P+Fd2W4EpQ|<5@eFIwe(bSg3E_F5 zJ-4tly^3}`u^9(5y~^0}s3+!XU`?z}-PaU@Ji)iSOmHPaBUEcP!`L>nJ)HwwIac63 zm2gBg0GInaAVV-e9Iz9HdoTVXx~Iy#EIzC02(PQ_a|>7-NA9zYP)9M^KS3K?gwM@> zFdwwDsb>IU?4fH~xIQ=EFyA7nVe?}@^9?yP`@eam`Br3S@q@BLHCroUAfO6v6mu;% z`xEko<tv**;bG=*|66<^5((9Ic0kzP%-n%(F0zZ6eC=aK^W~3M+P0sBvo;Xg!k=Rp zh*-%5XOaKz$AB+hu&kY3b|8k?FdoFd(vq81wvPWv)6|yS%(8VHjIrmi33Wy;U7S#P z*C(7%jVl+2h6ly@-<nXLVxtMC#74v1-)<J}Z#P55(G4YMALgZ|eAbq2s%$S0GXp+| z*)r6cOQM%IarSxc*iY8W4J%iz3xy-IgX^1`>qFuxsy)^6B|Xd{^?z*yQX%e0ZF9+y zT4`NJ4C@;Df=+x1$h2?fDpl}+{><j0J6hi3vx9{NeMsny8t7#%zYZ<2`{I|zeub|y zq2b$izc%C&;GhQY1jA;?{`RtPRD{}U$;HdAiea1ML9B|}TnvsoMCb~=yPH&~<W{XT zbv9SR$y-rSFnI2W?!$A3rt~SD=~ne%*BLD5-mNer+di4+4z1)OC)q4Y9_B2gJ{K`; zYLNr?U#2-QYsrPn4#>f{c^bAE%*s{cuv9%0e5#yZ9H@viy;3bam3A=AUi$#P8wR_f z+{lXWe}_s)jil9Max*~v+<nQY@!0>BXd>*~8Dr=F8gc{i|HOZxf3ttN{0I3Cxl4}8 z67KY$;;Zn!=)KXK@s9HR)^mgBB;3%K-A}o%c5ib}gT4K|uFGAWuC!}}^KIu%xO0E3 zbGCD$)8_cG<9tW8{T=%?_Il~p(n-=RiP&zjoo17)k6ACpjra=72bQZWD=a?TcfXu& zrIX2@K*GoT)#ZG4GTwK(FBuI(I}};Ww9dhvfqr<$3c@XCPdhuJFpXoj7b;$S$c2j| z=stV<nD3y9Y_N?fUU&6Jb6!@?dS5yg2_;ftrYG%!;;?Tplx;y2j4fK&t!yx}tF3c@ zoq;+BYjPfzX}}jxM?<Mp1gfF7?ZMWbf$nzbWSQ5ctvEks`+1e{H5+87$Sq7gzBALZ zoqfQ_WM|~utc*rqIvNk9Vo}im5R4DVK^8l!dn?M}bY|gWzdsw!xmboKUo;klE;zNG zIcw@fShXPb3GSLS(_W4I%ug_;{@OLmv-5LKmgQt$G7$?!;j~aF=Yv^rldhH^oP+ld z_GWlkHHgJorXWVm_za8#Q+p7u$Xn*-9IS*cUpO8OB@$sx=Ur@IR|~YVy#>#*pttDU zwS_wcU!JqG{Mo7Lcsi7dL<$seFJ?i_u^IDHj(>1P)i;2z_U%}*Lg&@V92eK<+)}O0 zNe&bT2U)2&S`<qa_WewCMr#`nEFheu1uF~Vz>y^~dkY6#L1eZnoU@6(4PzF><GQ|u z%QcL=rZlf)<y2u*G09fvteh0z$Ve&~iX`INjS#$z3CB*6tW{fr13XX=n|s|^rU<Oe z%-A|3D5BP}-<i)Ks2;LaiyE6o=PZnjiM~`a97-kQMNh8?$j5%z=u5`pp>#Udlwpm5 zavPUHSeQdm5hmIIcaMrL+`?{(q;iC38yQc=Lg{FDc}EvM&u0;WgzJ?`L>RMyl796} 
z-n#h}v2+~n&v1NzIKp$W!O5Um2;OAO7R(O7r&#|s%wPDC9}Kp&ba(e)F>*I<nd<hI zE=DQOjup`tY~zQqVjHJp8x5&vFoNqxCeZ=mL{uAIEXkH#qT8!k!*~<2Aak{PdSMXI z!bBu3R$`GZ?$T@r79?W??YQXBh4qg)%4Qp%pIMB@*5D}}y;!|nt$Ywt>S>II7GDg) zdIT{+x&8oOZCGD}A+U}WUseaO(TE9)i$M4kA5u?cIal~15v)+0*U<yP(n}&Iqok{) zlYPnTR8Qg5H()kL(cEOi)^1c$jSggi5Bm%2LsZ%gB@I|pe+yfe!7Y6~UAnRb0YNBg z_%{#UNg9Wn9z+Y*EN-aUt`73*>V2tLDilut4^-EQIAfi>OA7py*R~wBHLJULZDW1$ zC^%~*w%^8Kl*%`%u!`3#UR1SA-N}n}_>$>ZC>4z^1P$ARf&prCO<Q@q6F$Df7N|Se zh-H1LR4Notg*6&md6{D3vcfuhwqpM<QJ3W!qU;8BfD<&ymrNx>kz~3FH#Pd%5@Yp$ zl0oa(5`^-TMNMQ|7JTw)Zp7NtYCofH)5t_T0rnjeO)ZjDt?hP<$rzSB7RDSk%d%!h z#v<5V!jaNu!Fz>qG_WHUqJpo-_F(HE_NLZge@CVd*~h4TEc;~au8~kQom$Kmov382 zdNTWIsxOsDhoZ?S|4Cy*<JDgFTa_=Kh+u+=--`5(Q+wF271&F{p>#aPbGG;F?C$Jo zX%DO2?8g-&(;zq&jg|=J(_QOq!GJotx3k4RPwiq^dVCRdd^DCQG7H{BwzDy|SZ=jw zrA<{kSpjqTR0_wE#m|iJb-$gB33G;sPMWN4XYbAQ#o}mID#^b8vN%qd^Ics7-P#?o zh<Xw)ZE8H0K$l0E$MoWlOeA3*ol%<3v-4n;+QIVFalW34#f*8FMiTq7R{mslo1h|^ zN{5p1<h*&BX461LSl!CrYQhjCL&;dOroCNAAqX)AmdpheT%~GighTb-mO<9_QFRN; zvfh`(i7%We?$ISFfql>_3I^c7na=k4YKCPx*%wd7G1PHZPi@nh#ky|eOt-D4XM0CR z^M=hm*s}@8zWqkkc2R94o<x5o3!(v!q@>l|ngP4a=$1!RZ4;Ri*#8re=sLJD+=6zA zujnB@=#0Y}YMQCGvP>CYI2;M3;>jBHX-NA<%a(U(q&dlkyoakTEbk;=G?9R05Npn~ zZR_q}TlReQME1+c;HHrfyb8n7_yBinulEAT3#?>wuu5MI3s2mcovCgXbfuD*G3j(| zCzGGhoGe?MTn)`<FMM<ANECVF>Ip0_B!XxH>m{~`Z3;N*4DfN*kq~Ux=;9JdLfyo& zZSrAJhhpJGk!VOQEHZZg|Hs~&z{gdU{p0uExwCJ*Kub$$JKY=TG_z)=EN#;yP180_ znxq>`Lz+yMHXE6wZCK4rmMJPKZm1~Yii(1uD1wMA3W&IiuN#OU?kgY)!vFi6yUe|J zX1b69@B91P&->z;le0eOoaa3EobUNQf&Hn`a+Cuz8QYZVoOif>>;k6c+}?0SBv=t= z8AqwRnxR9M5~d>1dSpv355O}^51G2O)oTq?&FOVx=Tke<uzn*j-$VFr#RP-VtQp+2 zufX>NA^VisgOMVugYCmGvSVZC$r4Dw2#-W#RoF9!0x<39OPU(O%!>eBp6SGqt{K}+ z*)B)T&_aoXCIM<c+s_S#Jg|^t(lR6{uzRvLfhC`A9NWbtB4Jj=aJL?UKLqqQu(7AB zo4KFvH4v&Y&4tT%OwPW%I3VEO(KJ*(`qncXAKOVyt62(rD~QEd1wjrGr7l@b%E;18 z2W};;w~8CbcBoB>R>1Ix*W=<Uu%cbg-aA?rfCG-6UdE)$3L?$LzK<YWc^6~z6qAft zcKcF8=`+W+Q&Z}gP6)@7^jXwQxFW@Tk)5ck>n<_YLaAXgL9-{~F@^jST)rt-&-nHk 
zh4DpVgaRTjz-&qk;uB}MW~^Brjc_s)j3tweLjw>Jp<;BDkDUXsJTW?O!ivFV6HbP) z<$Zcb$C{{|-QEy(rFbOK%#5}GZNJ*Z7Ijv+*iv-Rp0RC|t9^GAa)UOh=_eebPG4gG zsNUKP<&Ez#`mDojknaZ5$5sJo(5Qlwy`cy`e<BqyanBrUpr|@8HXKC7o3YRo^%Y>B zDQKpGc*PEu7~4vz+wi3cgBV|$ieOTKUBL|)t5mRoZ7Pb7<z^^#Cc)m(im`gi+3F2J zxkRB{bU6_w&{41jHE0E>8R`3f5jVm4-|Mdj!(Y_<G0!ueD?L&7Bkqjr2d@3Dh0Z&` zqGxq{&=I%)&VGUIS=)`awbsY1@3O8G-zF}%R15FnpWs8>cTmWy{a2gmF`Q579HMC_ zVn@DoK@N7PyC>6~KcDheHt%TO5st2kOz-w997G|(%Er1?eH~*fGhH~|DeVyyFc}%; z&<JlhQ0qWA<Waj?Z(b*KLo_lL$#kN<_409)$y+Q=fPfNGm5u6iJWz*~!`9s!b&3Y} z(wP)mUEIAiwVHwGnd|X4zOmTYGaWQ1$Q@|01It(pfDXLlkT*|w@b23SrK>Pm!#vZS zTgs|G1qBL|VPKH9+;Z5ZiV^ZgjYlk&%Cuu$nW&AEC*C2!*qqGX636J+l#bQmmbT1} z?HHX(ZfzW5@IU;o`XNwojGoH06%#_i?Z$CjMik|DUYEHDHxjb<Z~cu#G)TTtn5o!G z7GP`5p+N(dK7SpN%Cr_XwPIRouxL{|Gkfy-RwLG(o~Mzb71d=fG~OzO3n4~FyH!FK zwn?Ni7ZeI7JUv8CF*0Bfrk`JeFx})p;RM_TnMy2}ymguLi~<bhT>@(B<;a_C7+Dkn z?k*Hy{KU_$RAyIUJ>gZ;K{u3`Tsuv&Id0nKa7f{8PGxo!Yx8vO@r$-OmDygbp6Q@6 ziq=z`X))Sn(E<R=QPy2WR3_n0Wtxk%xS+V{s!!a&HRVk-v&mD5Co_tLrhW{*fwm4> zQ=8dl5O5;zSNIs$C33K3*^z04fXST*%n%J~I89|-NXuTAX)v#rg8TTRObM(O8LgJe zY%Mk?rgNQKbQX`T&eUU0?3QI?2H=9_U+-XE!HTgDz#80Ijl7`~Bpe=dXSQG;k$sDd z1##=qHmrCB+0ipJJc7fM#<pP@rpf+j#I0+y=-8|wrN~yb$by|@ESTAh=5)!jY|uC7 zRrvuu&i1i7&^q`UZO!`{ZOuDzEog9OW>bD$Xhurt#P3(NnL5K#*7*+BI(g(R7CG2b z?#yf~(&Xu(IEyX}djEfxWt{W>(f=v`F8lBNi+q3gJ?ilLuJoM+R{x)P5989B0}sG0 zo&j+6yWBr?e-Zq7*SX(gd&=GCUhev(>tn7%;NhR`e8%|+XSaQYbD86L$32cw$7b7m zZ5P_=Y(DGvtv6V+*3-mi#rwtgh!f&@qRsLPRQlh4|CPXhCBW^njxC%koVc4r<!X|9 zZiQH-l`9`U(3xf$|Jgfm2**+Y9RPR`=ib$99h)<kM+@i=E7=JpPUmskB4Y>2aj4(J z4ux<uYdDr=m;X4x7(O^Kv>*4_IJJm}<3Zr}t~^7mWtCHrfC%(}bpS91Tub%#>>Xmj znIv8NCu7`=GsKyw9hX!goO?zS(UG9oFqdxvP-3X3oiGLLx)eAB;~iNNkX+oO&ny?W z%>|8)lA5lsP!YRc)gU3ecGZ+oZ{wi^U$#_S%StCS4el~=ZyUf3NC(bZ;L<J~jRHLp zPx`v8V^x%lIeDUkRvZuG{{SYJ-*_R63p+>?7xk>;gx>*q1zqc=`f+OC%kGB`;!+P+ z672*EqCYjXG}3{1{f5dY4zD4C#q-1<HNOujaPHIALC5u}7%pBSu{d{qNZd}XU|xv( z;W7`t++-jSU?1v9GF^nFqqx+rNQMT_7JI0;pix%xeRd~$sZgPy4Y+?I+KYky2wD;j 
z$NAJ*VwX8DZu8`8x%@R1t||J{Z8FbB9M>`NSeS1=S)7Y@)-<<tj`ZT_8u!S_;ngUP z$AQWLa>$*Qk41sYJ=CK(cBSiuHu;4vbp<ku0ZS3D2=Ccq9dqZi4k)MII4ff>7-<CP zq7WUxyz3x&;xY|$5psZ3@KhG9OAW>3Tdy;!#L>Be@+1#971>b2@a21?UcAvw0Zy6n z7h6f(Rz^b+{`{DDK9#}FhL~a4&Mu&+GzMYPU*U!0fEPqV{LVGv05U1pK<q}Cu3QG; zjW0kKA8bjcaREUC$zWf&k?%_-apRjzhWKp|f-|3gDAhI6i#so32B4SyG#7FI26unz zO%*NfVJrhoH+DrY4=ur35`4{4@!YwBY$PEOWo*MmjdGPA386}~xQb04?Z%ttcOEu` zMTNNzxw0m=p%#W^0yqsdMEG;rqE$z`Ek8O~m#O|Pa1*f16}UeOMdB?R#4Gax&5wk7 zWr&L~pcC@gI*cgYWA%e^1QRwL1~LkBg*zM<FU%JM<VHTnNI$IrKxHn$0Lil~fn$6C zN%#=c80u&ma^VLCMDdlKBrHoT#D^=zk$f$N8+fda;e#nGah+b&%^zG&1w+vof7ZET zU%mtt;&L=RodUz-?dwoKEhK^{XlOhc1q1A2VDAvFD4|@+JIKQzyMa>xPZdzciCC;7 zBsLdT4^3IV3uZoCL#jO{xkjKPPfd#Lg&E)(o;pwSOv|A_tCE=WiExsixeUrRzfcrp zBp^b8a)KqrV+m-6D1XYCVqKAB<oI1HIZhbOc#=PPwU{bQyQ!I$J%bNuIaHWe1+ZKd zi7<cCM(da*FF4%bXu>NpJIZBmr1F(xU`1VZLsMB4v$dikk*X0dXH9rj*Okg`C-(!k zAFGOp-OUnAg9c6JM2TV<V*BLYIbSSCb=|luCd8GRGE#wi%SeLzy8LJCaVc2<gk9|& zjY8c4c*%W}t%(K`IMz650LBqJ4VF^40vO16n7bw-?w-px^lQ+!?zS|kHq$mjds8|J z02_AGL|EL3ES;cc$gg&G=Sv%%ekG4401*Om@^Utjw+?`7X_Q^>W4QuIOAlZ12oqQM zOtnDm^Z?w*pp=7{$l!QNCn1_xBz{>rCNi%pK*^uqzm-d8AcO#1NFH1uhUW@f75ijR zJKLA9fWzE9TdiaMxqSTyeMO_|y51U09o>>%1zs)%5rj+a1Hejk0p0?g9ScY2v#EMK zrNyHmHdR+2YeQ%pb-kq>iyn-lYqZM_VZj8Gp@cUKvq4Znsw4d)X*wmKJ^O&HR{=qg zH{=)|lP2R)Zj$LlHAi}cfYgM}g+wqkG*cjIATlb@;CLd+Wvj(Y^EJ>;K9s@;;stMe zU{Uu7lmy$%7Uhv43a*ae6a-g_N8{X8=(RUr%Buy_Dwtf}vRGV=($wKGC~5`G#r;9< zCj))21T7R9WinUQ_I@-PpjAMdFv*j&*dUj8#Kl%j5Qv=+xP)@)3iOTi4)+8)Ax<)2 z47ja0@ZGUkMZD2ECZQ?QhGr0M02mMM$Lqy|R31<i`2TXbrO=hMifIdA)@a_w25->- zZi=w`rP4_P%SOW74a`J?;aLtFGz9xH84sO8_y2eDSJ3zWPvHIU7XNkr9DM&><gfRi z<zMbU8SMXm@IB_c&v&!$1HLI=+Slsa44;2XeJA-i@1NlD@0;E)cyI7t4etML?{@Ec zZ@Kq$uha9q=Sk0_o;y9C^t=;jg8iOdo@!4B%>NGebM9ZczYR9QkGtRDz5*`_cDUEO zSGiAf+gyLgS;E7v+g%@VUG2KW)#++-t#O^<n&lFle|G*9tpB$<Kjgg1dBC~Xxz%}= za~WP8yo`4TKL+Rj=N#_`SHX~Dk7JXg!m-HV0~_IQ;LGoB`=`P9pRxCY!(anE`OUYx zY|q=Cv^{G3itQ7&Yiw88_JQwzy=|54G@H%(clhyp*m}G5Bi5^}msmTkP1ZHmGpw_~ 
zVEAY8r{Xu@#qUGnRpJ40ueen_OI#+NWO>>0d&`e4_gX$@dB0`SGGy5UAAS{<MHZj% zZ{at>_l3K`^Zy<pBlHXB2^-+SZ@%E-pXZ<C9|g<*C-`glE2K%6xIhrL0D*{U*D}C+ z_!ZKm(;Rn?H0dzLx%sb2lXi35-O{AZ80X@@Dot9=ad%0RqA||Ne_oojnB#7dCIxfc zozf(4j{Ax<$(iHskS4A)#yL>O#1-baTcnB0&2cwN6PKCeMx=>L&2bB*iA&6JUzR3D zjd6CW_mDXb^&T|GeMy=)V2(o_Bj&i<rHNr<oQ*$Unn;`CxcjAvA#>c@q=}17aXji6 zG{=2Wniw#~S*aiW<~a1D&m8v!X`<I0cbhb^-yC<VG_lVZCsG|f<~Y>RZH~hjb(!NZ zMxEw3^ettM`<yh<VT`kI_evA(ra1ny(!^e49M8X9nrJh}-6Tz1WQ^nZtE7omQykT? z#}vnZMw+<L5XZg3e_EQjz#R7}Y2tiC953)UN)zW9;<%To-reT7w@MSc%yFNTCU%<R zJ|Ru)Fvk6d%G+*^`?xgGVvhTmG|_B~dx=NAP3E|dN)y}6aUYQ;8jW!;Qr-r0+zryi zR&(5krHOiD+`svEOA}knao0-|o6T__k|s78<Nif?>&$T<lqNQs<F1n?YK?I(@E?#S zHkjkyFHO`K<NnFNPnxJU$6YH;RGH)6D^097#y!tlq=`y%+<T;nb;h{os2^+1aqp5Q z)|lhoDNUSfjC+=3e~vk>PntN}9CwX0ah5UeAN)I{iPh#fteK=a4tgkIjQcZxwKP#- zisR6axG9d>7c<AbMVg43<K8SyM2vBN;x|hZaFe6k^SD3J91oe}(BE=%++k^Al`-x? zepH$Wn&ZZ$iIwI!=;t%daT#gi409axRhc<1Crzv{#(k6OU2cv;z01sTsCTJ3Zc3V1 zVvd`XCKj9HCZvf)#<*`#y$j88s5fAaL%j>kap>=Sb6i%Mm}iW8fcCP}O>wlB%{9gG zDDO0L+?X^m#~AkvwRyHV?oHCfsphyVrHNU_xZlD?nwV*hyIh($#T<8$G;y*y?lNiO zBy-%Q(u8D=yF{9pVT}6?wb^fuJ0wl`%yA>qgx4H*P@3=<<DTZAhuo$(e*cUKvj2F^ z{^OorCrud5KkjJ`s>x{nAr7j^X#R0e^9Q5}qxr`@Mb#S3Kkg~2mdrn0wNIg1qxFYm z=$X;_L)@@5VYL3ZUsDxE>yP_2su(BhPgljS*Gc0>;}6Nw(zwz1L)?%wZZ!V5CsD<? z(fH$@q$<ex(^c^#sxaDq$a=3dZnXW7_2L=hu>JVF-JRy{oiPs6Pank(&KMstL=ACQ z%@~K_r%N@&56l>c-KUGXn0xn(ahQFEsCUg6ht;Q#f_I&97=4DQ{u$%2`E*f(R2ED= zLlnw_#ix(r`(}*8;4?(^&KQTir;8fk-alg;=AJ%^-|ruXwa4d$IIwQUIBY#bqJ1;Q zVd@#8dS;Bn(lbPLOXEgEkNXwhC5;;mJ;ZfN<3>XdaVcrsXy_rXLmD?4dfXHIUTNHD z=y6X#F^wAyJ)~=w#*Ky^_c-M>8G4UXUX!8sINv6X8x1|~m;6OD#>vpji;4S1bjCQ@ zdHSfxjBzsa^ilQFxXH@<1>Y)-o2<N_Q$w~RYko#@Kj(K!<0dQb=lmXN++^kbjGrTo zo2<N_QF$gS?`QmMY20Mx{fxhmzW*0+8O}e)_jbnrH||~Rx!2R?;oP^ox4XTrn_Qcn z`y9V^EU-7*uC_jIEfXIUuMlTh9<ekE9~a8_UvV!Z`!xQIW*vD55ZG)1*^jT9CYUf9 z+z}6|uf=g`rrfQvW2|6}!WTej{?@Er;~mOuJ~l=inf0asqV!s^$dn>xF%rlS5=Q2? z0V)`XembyYNRpbY4VV;(fpvPScGj#eKq4LmtF=1L${EdCiw)DXu$ad@Ov|$(5Jzn? 
z;;2rKI68jzO$~{2Y;Y)40Ex<!0IfCb>K7Ps_4K>|Yc!g*6cbYcK<;=zj>jsd+N@xJ zAH_ojlk_NKjT~&SQ&~RW3l%XHKk;z?+AL>iaWr<kvlBU3i}z%%M2i*dqxSFzPk+pB zCXPe!xc$>T{E1|)0D`byo`WV-DIAR)lQ#-&?!6xGf2dKw!d_ky3yTCtc4P5+H#a&~ znYj$j-CtD5c=rRh7fqF0o9pXjB4RKCZ;+{yE4S3O$ZWrLTU%;soAAp#@UIt7WpZp| z=2CRxpxg;F))ef<jOxEX-Pa>?Q{d=cdxJ%{JIYIxKxF|D_3Jtw5O=s@Y+dFO^rffh zfYi~fZ&og#>KHCYb)mu_5|xIVkvC*KsEK2i%qVsbg^_8gdH2v{&;Bqi=q&9OYH<ZS z!`OwHLwQ@H_SkF<nQyNEBL7<18n`zv&9Env8RGtnF=tX=>r~i)qJj?=Rl(DFA7xO% zdol-#R1lfg!yQ8fHJK5EtrR(4(%*>s3U#<>Lr>UdRGUc~_RUzd;N8bjc6#Jc25qQl zQw#RtSG#ZS$y{8tg6SBJhC$nt87xx4^q|tF3I>W+aKc7&Po}>}1=D-CVdz0^rq488 z3Z#G3=@L_>OK;Jpp0MdMX3gw}vR2+#FV`z;#?+yz*Awt!j><cNx^B<x%d6|=<5AZI z#{L_kuA>HmQ6d{?-H{sF3!d{npqQY>*?<!MKfwY2f4_g!zs&a!-)+88-x}|8-p_dl zy=Qq|@!ag`^Z4Blx!>Y$aJ}gIy6bY+Mwiw3i1Qk-0-WNw&oO~Jcgg-sF#c_^du(5{ zwOa479<s*8r^PqnhWt~OeoKwzbm2kay+Q+jH-7+Je@~)1!@mpR7O$$%s|daGh9ii9 z{&oOM7?zf-qxzn-41B`}ZvF{%bqbtFqqsvK9snoEKv&+s*QZOknV{11c30`Q?|f$y z{9|n{+Pui>z(xW@4s^j!5ujX3dq4~bL{tZB5^FcWIfP(VEg*hw2|p@mQv?nRn;Keb zm_rb9&r?UPa_X70jX-5ffF`Y4j_~C%zq9Q8vAM+?mmr^l!$d(6>_LkLQ}_>{qB=JH zG~Utxfz{Cgz$i!x!O6$)qzXD0Xv=m$uT};CIR@1mr6ln(Zbbvz$ttx${ORb}(&9rI zsUYt=1Eack@1+OrrV^g-NI>xbTHO!tTmYh}6?3=1L)O~L;&O;Fr*Xi_1UC1Be+rl% zAbAW!)d{{7<>h^Ee&$TAaFop};?jf~5nU10NMJ2z9x-7!pKw75|5dC+&CiME>P7bv zW8u2tN@i|}*1%_vjy93m-T;fro?i&BMCh!o!0u|~C;-c=<S2^$u1eDKkv>$kv_wTG z+J^vN*@4<lE>YVFV)N(M!Anjb)nRfGMPi2vAY3!Ux6y}~3{odW!}tbNy+CkeZDw3r z!jC7)gBzqB1BAzG017uyM;xSh9Kk$34zv&SYEoW{g;Kt{=zKjMdRxAHY@V|$HCA4< zbMT5JJE00}20<gdNeuxcuMmC)@*Xc!>3V>dneGg<v~>Yp2<kE!s6M(XPzQuFfSGuk zppPepAHvF$P5|O_5dD-{jetu(*sm#sncE%s4ldr!SN#>tU%JClHd>-o@`u+8@*}|8 z8KqVgsG)EeibbF}p_0E$b&puIF?n|hPm(mOaMr}!d8v+*u)GwyI86sx)|Bu>M)~1N zGA~tV(0qQi`ct97Mv6~TxL&Gi+TGaFP}@}5xUsG(u(@V;0Q*4Y`Ym<M8_9_p^K(?_ zuWMEbAGOq?Fr4j;F#c6SfUB+GK3~GYA7z0{#G00!4NaQ^)pgA{d)bOzO3i3FwX|+K zidRI-O(lGpHPiWmdiJU=O+{a6Vi!KzsH|?2<2dAoXFiqOMt`tU(+~R2l>8hAhb{f> zJ%eER)Ou1~!Y3RGgu6aWdu*raVZep4WSR#$hl$)%%Y1GrbE6W@`qb1%V1TxqQ^Exo 
zYCrPBb-t8uM&u+%czDM|+#$g6V)E(D5$=gn`i#y8)wlA{016>ZU`r3ElB-7X0!HmN z_m7z3qp)xg;76~SNSUERjjo=!$EzG=&BfMnWf1=Jwu7E)kn9l>v#geBG0TK=TE)LC zEiQPx!J4O5LpkAY1g|up2eh1j$AT;7R1@NY2fZq+jRB&4>`)6~mK?T-Dsb*GSbmY# z{H^rV!5-a91gh#zLt8L8ozdnU_t(;yv8`yek-s^aC{nj2S<Wuu=nlQXh9cYi<iiI5 z?KYToObddPNT$40Wnww<ty@;zNSnL?_N->#D#A0VfG);MCH&zm)KoNNptRP#G(7 z4n<gY0Adw4q*@7oF5&NvN{Fi^uz^zMI3c{T^g)uHmO<Vv1EAAW<G4SSQd%f4rj0Z` z(x_Cp`_!zK)g^owQd6R`ZpGU)yn8fwFin<Lb>v_V6CRHcs=C`?tQKw&mc#}JC=7~h zr>Iju*^f+Mz}J^>9ZXFRsZzw6!Kaswmk$tlfa6KHstov(k08Dy`}Gz+QexdUk<M3_ zSTVs1H<Z|>krUreGK*87u5S?N{9>Nag%6k56p<fZBzw~PX_+uiKDD31_4ow5xQN`5 z1y&5B=c0Ey%_FdgdSHFf0;>W)JglNVP&+eLOZG?2gcLrs$x+r;yvTS!b>-JXR;TLm zlx!H<#fWEGugHWCmhf<n*2UxwRnpg8nyriNgY=F;?U|*5?*A8aU*i1l^!t1__;z~J zo_jpa9;bVO>sD8d^FPiRj*mJj?0>d9ZP(eFtWR4%Xbp+K6)zRTmisN2SiHi0!Vba1 zKgRd-OHj<~^>1JH%=|gjQkmxuEPvBG3MLMxNRWt%(?Lx=10_(KJ;QK(20C6<fZC1B zk!c-}gPpc?X3O%;R_|5Ak!jsh7NvEFWLJPfOm@(vrw|L{d|!FosCFSw8djTKZs=z$ zbiC)^$ie!#FS{(?Pu=iL>nfo1@GLbod$roPV;r7XNG8zPmt9h{+0#1dE#2(JhGwsh z6jXDRLs{fdq`jy}v!{6iUb@)}4b6@hx^z2Avynq-cA#jp3&e0dR}ZC{U6WmaX6s-u z$>W?OtCLEj=ND=8^xQdunz*>)smabWH2S!m0xCWM_hnBn+UVCr(zV&Sh6z#;D_HeM znIOoa$ojOR&5oIe?nF$Gv9|1-{CR)Fah&&u3&i+FocCkrQp`Ttv7!7<+jK=+lbvmx zP{+Fp66z{Awdlx9>l&!kD%h8uRkX5#P56XNgP!cn{4{7iwrNn=vhh6l$TLsN*K8WZ ziO-%<8?evGVova?nU5g63?+wyIEzfT^|q2_g9!o0Mja`(z-qFm7^cH<??BoHbaK%V zDv-#D7@>XHlZsR}J#bn{4LsJFmGaYJ_pwcf_1l}bfY|2snhr1k*DLJ%ty{=<Nq#;g znNDck&K!oc4s^C|@0Z_L!`C324a5naW^<u7JHw#1<M9Hub`-UZ9E#fZ7agG2WHyYI zXMMOYRsc%d^!LTv`@!AUL!Ubx_@t9B4RKzLPpA#D->mcrxJ1@f(yCR`ib`75N(zBM z7iGQqIaPl=bE?3weXUf?5$2TaKvy@X>LKO!o`I1xn^Nj*@)%~*>TtnwILd574rMmE zi_E6!Q5lzB?tIpT*`)A}FV@c{S}p;3A)SC}!xo>iEah67yHlxQrN_=9J)S0qeW}gW zW&H{FN8w6N40zt+8S@;#Tm6eX+dZ2+YdtYfnP<M|WW3q`kNfZLXWTz`f6x65_nq!r z@OJ<G?zg$e-J|Y)ce{I+yB=@&6YiDnh3;8yjF#&;*Y91AyME|;$aS~tHrI{t7kG_p z%5|CRV!Y}<-__`<ah>HVcP(+vars;p=L^n1IiGYs228=%owqwb<NUDm-FWAJrE}QX z<J{wHc5ZZ@D_kjDC45+Tx9}O^5#j5??ZTggCxyo>ODuCNK8r<o!P03t-_i)A!C97a 
z%dM7ATCTIa126I~vs^6B6kV2AEYDhgXZfY&2bKpdUlq@^e%pGl^-I>9z)JWY>zl1_ zvW~z<VXL*pT89_^QR@opJnKnTyZDm$H}N;(&&2PF4~Sn8Zx%l$zE8Yb%!-G^K5zi+ z6t{?#Vuk-X|L^^e`+w+v$bYy0Hvf(O5Bjh1Px&wNU+nMnpYLz<*MLW%+`q&>$M5%B zeJ}d{>U-MvQ{Q)d_xtYfea`n$-?hHC`ZB(Q@VU6xx6`-9SLsXmR{9qDX8GJ;Sa{z1 z2k#T!A9)}4ehoYepYndl`%W-2UIAAs-EiyD<gN9d;|+V4dFOg(c&(m)d;a2i%JV;9 zUbxTmWzT0lAMw1`8F4Omp6-;KHph#OzdD|F{M7Ls$Ni2wz?tw-$F+{PIx>!fj$TKb zV~1n2W1S=JI0GIWPjNWyFWdiN|E>KOU{Uy{{Vx0G?VqrJ!2Wjog#8lxfW5=M+rHIa zWl!3J_C@wn?H)T1UWGr{p0NGM_OR`1wlCN|1>cYFwB>A<+lFjiwhL_AY#VH6+d{Ub zU|R6oMC-q-f42S_Q_m#|g23Tbqwo<mm=Ug5gX6*tYA`E&NDh9JKVSHS8k`V5ss_h} zPpZLD;YK<5Aiq%fv>H1ld|VAq3LjGw<b+SD!ExcUYA_>wMh%V%pHqY93pdHZhxxc* zRf91>RD%)0E(agtBZ8m?!ve1cLxR%dZy|x(DGI#6eQUSiR0<Fli|f^3Ks-kY^8d2@ zUJbrrc}5LZ2sSzRZT>95uLdgwNexDXlhj~Xm>~xr;a3YDH5d_mYA`H#<>0sYq~KD6 z3Be%;Kh0bDpUS~U(ehbx@F)DKLZuSq?iZ@%;A8xD;Vd=SA}GChjGrT{Rbyuh=PE&D zTcZXK3unv0AM-6jg&J%Y;%ab?uv!hy77|JjB_!qGkN9muL=83yVKul}h|0kq@(n^z z4Q>@ys=+xzNDa;wRw+T0TP_EGAo#^ON|4_mEL4Llg+)q`yFpki2fxo(3Uk%qI^i@q z_&vT_n6Cz_gn4Rky>Pk`L<tMz;CK0`V3C90;nxbY)!-W8R5ch8l;%9jpDWCiV;|+u z5l&HqXA38DoF(;o9mf8*p8rbV|CbVw*V{L+BYjv7KEP*$52(R0;r(jxeBpyi5NhQ* zIe0%`CoEHg8-=BE@IJm)SRx0%&esS5Ie0f;&cC7tSMe{a!65%1Irvq6KL1-eco#p9 z|BVvlZs3*u;!fclaY&B6Q#e~3P=fpx;S4pnStwJ3n}p>`ko&N(LJr=+HwiI0_$9tx zI8zSZ&Y#TxL=JwDKb?PC4bJ7CQiG@Qzm|hv;OFp9s=?X(6Ke2O{&6)pi~pq(<nHHx zB?oWgdHxPH$njrRg5YWSk{W!Ozg-RfhyS7)e2M>p8hnwzO%48=zf}$Xi~qbDe1X43 z4gQnASq(nVE1Umq+;hBQ9o)t}%PV%kZQMV2#Zb77`#Z0g8n<zO;}xUgHtw&yVvF3y z{e}OeTJE2D#e}&H>=%kzavS$Y{$px_Kk$lSa~t=2{v&Ga@Aw<!;H}t_l<nYFekK2+ z63d^-|62)S<X@75pXbluUr>UG{g)iPg)ifuSAvNBryRUlm?bI`@n(Jn|Ev<rFX#WE z1d;YRIruq#8UJ@RxRn2!9Q-W5g#U{gT+IJj2_oBH<={>HBK}Wu@H2Rd|2{eRX?`aE zGc|Y$|37l@xBMl-JJjGs!n@?)Gs03)u{ECI-y~eC#PU}P?^T1Nf>Q2pgiYd`<=Ec{ zYsCX<aHY6Q4bB#osr(zkE&7#M7^H7kgNKB-slkK7Th-u*aJ3wKT8N4%CCLBHqReWr zF$hy??0!LM185+Gw<xjPwZdUF_+B9=8-q`;6RwgYpF+!(zdwbR538{&#hq$!wy3P# zr_ge*63dSWSv5E;WYpk(VL}O_31Ao_%k!yq!nhpyYyO`WMQ4DNLAXMV9TF~AgZqUy 
zDM1u4CKvGQb;6Z$Bsdj>LuzopaH$gH?iEJW;QNKk<Xlg#6E2Y>K@cD)q6060(4oer zgmyL9A?%fdc+@Yns=>WNn-YXRy+{t?g}<;z4YmmvC_yB+P!8f5zi_@B#3OuRr`(!f z)C;?mP*gZi2}Ok6azebg7h2TdPGP$eM4>z6AfC_*jcV`$p+ODK5t`NDY+;)cM7Ab5 z_*3i|Th-us!WK2STiC1wk+xnA{tv%P*q{b?3bkr*j<87$&K5Q*L1e3wgFoSS3hUM2 z4q=@doFmkz!P!EUi_dTgevG%=VY$*$YjFz?3GWgb{crNu`tA5eJ?vZO{U<p7#=M)o zlII7W_ju0p%ys|N{Yh~Dhg>h<JwUr_mh<P%>z(b+x%jHw=P0-T3}1>D*q7S=i0{B5 zTZQ!>)-PKxv({MM_>#U>Y!jDRo)tEN-(Vwu5_dhH@jt+SQxHqo5BxoNF7W^KKfnJj z?$Q5udRPL|S5*)6Vx>&=4QK`9bq5qtab(HdgsR8o+{-1fgeW7X0ecu6O9!6&PYG-p zG68#Q05SnyMP5k}NsQxKwJ()`(V&D#V0~qC&6c{YH39bIxORIJdyt{!{bIraXN85p zEaU}_tQjCUoIz^{zC8Zy#S$ne$`=h(lb7F0#<LzEh_)WR`0o<XE6N!mtT�$XLTI z3g}R4?7zamo)>9seIq(rkArfmR1Xlf94Jv4avTlYJ5u2&TV1R&LR)Ph-_qzBNKN58 z9jGa_jh5jO0<C9=E0ClECRZ$9x>QREJ*&$QXvCG+K!1Nq8-L4CiLpSHF}yZ`-*Uou z>B`U=dvWPLM)es$@TmhIS_Vr@I8+G0w>&!uV_dAtfztgv+KBX*K>OA;F%E<L#AzNR zEE`se84qXaE75Wkk;L3<2Y3??jnr)P3`qllT6#+?ROC$*$qVS30$J6>y}!iVKnWH4 z5(qo2TQZh?C7|ud7tiNY7?AZDdrFKiGD0D#-Q9>wpI&{o?lq3Gx*}5_*@$+*EG6ak zUh8I837jLc(*iHZZo<l1I!oZ2ksl~edYS@X1avp1R~8yxUd6it-q_ZswJB9%+EJND z27FpNwmLu~P^cnb9f<&cNgI&Lek#xOs0Za?4jzq+Ah3dbX$%Z?we>5gbgXT{_NTSi zT5deixv+Qz3Dawi`hkuS+zx5LY^Hcsq4}^_YKoUrVagKNkV<use+M<M7m)DU;(4*1 zZg1I$w;y#?l`RcTfx_1xE-19h;+ZjR6$t_6TL|oRZgG@#70-!XDa8oK)dCbmJ6)?5 z@4tgE<@VyGVIm)Wq>eaBcC1ad^A=76+6P(bz|aCrJphO88v5T>N{28cbyH1HC)~P* zt?GCPuaq7TEUL;5yoBn(Q>o&Tu$CT>qpTjW1ZKIakr+5e@r<W0u%7t^QCn(hFYyos zS@0ep)r+^7eSIVSnum4syBf>h66y;DB=DAjUbaDfsE<h?Ti7`|WN}-GJp$P=?X~R9 z;3%g(#*p`-5-%Z;m)>`Qgb4;*e>;X1I}0vl4Up#65)gZ22BhDd*{pT<l&}Jjo7s_C z)#kSemJ3Tf2tZDGJJ&Z_8>S0NyxTx7Sb(aWXijOWxgLOXsI7FLW=C4iFL#ukNlVQ1 z{Dw-wvjVt>0E)aLZ(f~O;spSu4{NoOjck}B^dy0vG3G1YeT0JWd{ds8O|thRcvpau zpdWZX)icZ}$}~CbDzURri;l9h>?~o>z!auuGsWL97>p90FR|C62)rSad!d={*f15= zeYN#GSHiSF{zPC4o&XF7ioPV}UMaOo>aj|UZEsEu)8x}+&)tr%#_H*QITHSV9(OP2 zf3JU~?-uW0z3rYKg00`@UgY|UYmM_+=OM>Sj$7^DvNzbRw!^ly*89XK#17n~hlDKu z6u%o;-{5~^CuiX+acR9wQ54r>HZ-g|v=m+!F@Gl~0KB0Udn6*bF?+Ta&62%%kCo}0 
zwXvms3*PdnPpH_Rro}tN3OoXp#oX)$G-bOip>y?3scxu;L#Z^Zz+KJFCss-*x|J2( zilUDwsj_Shn%6EjZ?nF6RYL>mG}{~K0bdU`S8OvUbSzm7t+e~JYBe0Ou?w=*0B<dp z8+(l4t;)v6nqal6E!0N|uL`?W5d?n&m>hZzl~>D5mVokU6O!SF#=O}oH+Qa#bswv5 z*jd@!NZT~?{-T|Gq^k;G)T}{4P(0uRfga(>8G_K)bWoDUvq)gF;N_(Q?+-f$+S99g z2Fg?Y<sg~BiB5TYEQmcByG$^ZZf_e*1+go)u?CH1*8|WrM;4jN@EM(+`_*IRL<GZU zWgcvIj0~TQbt@b_Ap;f*?o91%)sb%G*QsKAlpl$83m(gqWDM55euTU&wGz8PCmiW0 z;$2rL-s!#mK&{6{pjw+<Yry%1S0C?_A>>ecv8Grr3I^dgAjHSfi*t>=h!(7kqo5Vx zH%;lqImLQW0Hu8`dNJ0XJv%?ukCCxRCbKQ*?yJ&G$1v4Pk=e!!v%Cs~6aB-`${nfJ z?M+)WU@a4IZT2j~U{w?X?~gKA$e|3@>cYVaubR#yhGU*`quFG!x(f#4wU{Wi*@QuY ztHT9dK8gg9Ly=%bv0l6`(>;}q=j&GAQpTtC0<`E;%CYWjEWfNSJT|zt%-dKnny=Ne zI?@gT4~F_3gb{%?s;)d+8^M;6CyTDlMh!CqUi8eH;8A7<awsz+k{=y)&z~Np-7&AN zF?Ti$gR(|8ID&eElCfI`^332T<ZA!~Gp+d|3-SKWYzWP%lACj;zB%>qU`vnGaY4jh zXS2Ue>r;SAY|WQg*qC#&<@wocJ)YTIu(Q7rvw1YTs@S}GUCe~;Y%pK<V)p1fi8tp3 ztNeI$c13VUGDsJFK{{NK={WG@yfeEJRVj4Vs&d0a@#(ywDXQJ*`~MF9t%d&ow)m4k zt<Uhi<om7fhrWA!Hvy?W?i=)7;M?en`2s$V_XY1$-tT(v^4{oum-kKHUhgh%wKoLs ze-6*Ho+mty0D=B7&)YqhdAdC<o^_s;p4lGJ{a3sqc+mX?_lLnJc*x!1ZgijHUg16k zZwCJ8`ibj)*DbE=TshaU>mt_{R}wD-W;kDR{?_?J=RMAwoYy+XorBH`@E#!M3^+ZG z7aUJHzU#Qlaiim1jyD0rzROYV2suu7IPA~bpRhk-|FZpKK&)S8@3yzt*V$LvXWK>F zUu{3PJqTRFhiz}M9kO-U8g1v;R@hFlan?Ute`3AgdW-csYtA}sy~w)7nzSyl&cG{x z--<sJ?-6eTc41r`6fY1riZL-DdMqzkp0a$`au+xb-)$MQ^jUV}{Xy6=&*BuG6MiLp zTet)M5#AwOF7yc7g-RhP%n_{o-}qnf5Ak2*Z-B@P|4CCu7gYSIaK|=fbU}r<hoq@W zgR=<4Jt$2XT~HzJo6?lg1r_4HAx#-wP$BLCY0Bt=3UN<KQ$`n5i2JoPWpqJ>xcj6j zqYEm;Jt<8YT~P6};7(`C=z<Dy<I<GT1r_2Rm8Og?s1SFxG!-}YcNYI`Y0Bt=3h5q^ zri?DA5O<X{6*1@imNaE_L4|Y=OH)P{REUG@jV`DV2iY54P$3SoH@cug9As~FL4`QT z-spk~age>y1r_2RlctO=s1Wz#8B^qfD(_o_pB0d%j2@_v>{rs1(E}B5br8ML0~O*R zdZPy_#6k2%4^)VQ=#3tz5C_pOG>UX4iQede3h5wvqX#O)LG(rsREUG<jUK2F2hkfn zP$3SYH+rB#97J#QK!rGn-sph}aS*-H0~O*RdZPy_#Jx|NGJ2pw+_lowOmlxR?TsF& zknRa-%IJZLKZRs}k}>ZoBzvO=Dx`z#jUK2F2iY4vP$3SoH+rB#9At0wK!rHS-sph} zage>y0~O*Rd-6b)_dA0)$lmCJ3UQFV(FGOaAbX<=D#StdMi*3wgY1nis1OI)lM5<C 
zy^l*%Mjup2XOX6iKBy4)OKFNX<~^C@Z1h0|Sn{|uNj|7_b({=2Pa2(2A>Gx|q|pf# z;=V0S8l6xf?h$Fy=!6P!S4orPgvwCIx1>p<7b>KCSei6?p+X!yuEGnIG4DgtB-~IL z;~tbIN6c~GlqTVb%9!pO(j+`l8RH(1CWp*%zmO*3i^`bp=h7scQ5oazlP2Mf${6=E zX%g<J^l>La_LJ~OWsHOD;gHH02ie0Tl`#&ohf6AB9ApolRK_^S9$u-8agaUSQW@hQ zd-$a?#zFQ*$5i}DBzvP{D#StdM#of$gY1otsSpR*x0&mJ?2V48kPfmpI;KM0Po+tt zV=Bb`k2Gm?Oocee-sqSLaX*nJjgF~!iDXZXsdV#CqIplAsSI(DJ-Mbb#6k8(-&80M zvN!ssLL6kj-JBP)H~OYRI>_GWn+kD|eUmvaWN-9Mg>;a;(Ki+1Ao~V$UdVo{IS#U~ zH^)KtTg-8fNt2t+aX*$OH<{ypBu&;C<7U7k;^anC9DHm|)|%q@ur#^B9EY*2F~|K- znyfa)`DrXo=AWO&(q#VmNr#!tKR@X(llkYTu{4=~ei}=Y`R6AcW-|Z$G?pgw&rf4% zGXMOvj!fpCpT^Q;{`qMvP3E7U){)8l^JA}=G?{;XT1RoStbQO(n#?~x|9xrFWd8YS z9huBOKmR>x(q#VmNcJZ4&quO1nSVZ#y~+IZk?c+8pO0j3GXH!edz1O+BiWnGKOf27 zWd8X`_GJF))~}CbZ?gY<Bzu$n=Ofvh>^~pL-emvzNcJZC&quO1*?&GB^WJ3t`S|Zj zlP3GmN3u8Be?I;@(xl1$^OEdM_MewzZ?gZqBzu$n=Ox*j>_0Eb-emuIN%kiD&r7m5 z*?(S=y~+OblI&+1W$z`~o9sU?$=+oDc}eyr`_D_VH`#w)lD*0P^OEdM_MewzZ?gZq zq;pL6pO<8Bvj4pNz0#z~{`2r(r|<u2?ncgk7Z?C{`j`5C=eyH)4PK)2-beA;e3#em z`MKw#-~{lyZ+2hgdIc}}yIp5He}^yf0ep!&9k<}yJL2%#pSFJ$ufsRlCEJs>yKV2c zjoPYhGp+w)eYdsAdJ?{%-zoOv&3sH0EkC#1WVz6i5dMZY{V5?SIQSp%pW-j#1KjV> zkP`paWVYG3x!wV9GLZ}>lOf=D38|_lr3S4sQN1$oU7G0L8PKE+NYr5fhGUsVD&Tx? zC|VIrhC^FG%dKOyM&>?-;sYdI&jx>Prh&5cc`FjJU@Q^`Mlg^j0{H-_U~vx$B7Ac> zs5VcVxgoQa@?Yr<M<O8iPt<_bcF4e`jhcbRqT|1G0Mw44+YXEj0-8w#r~^ZRA-EA} zYfp77&(u>vmEJ_M0`#~sK+Fix0Qg-hfO}VBmqrG<bB$!SP|BU&L@W}FMZ?r&pvOU~ ziUh_kxAk@nfX=qNFCENmrcCwTNHh|RM&d2F=S9cZMNBZA0(&l+*G6K+5A@)S%qB`- z>y0Gh!B{fN&<upi25m0-H<aocp?hJuMT;_ZlsKWZC;|_R)L!Bu&bOc=v(b)3W2?P! z99c(WAte=v`TL2u7!WAxUEm<vtILK#Ktri_xGf6o9l#&i05Ieqm`MQsBiIo^%)8Ll z(W*=>wWV!oIGhMZ6S8yy?U3aVF%+Z4ZSpe(<=Q*Yr^2oD^tOvL8>p1k-ik2V8prV? 
z^_rlYBZFzpmB5xv4eOHA8;K`?tV*b}Ru<2YmH~6A2h_$x;Hn*#dr57kYjsGHB+4dr zFjGyH#+Sx1u#rSamU&<ZX$SfOAiEh!rK|EZ<D*M6Rh0f*ZzO~@6Aj5gPZUd4wGGK* z1@K)kvtBM2^o_w#2y>JTkJ1pi3HovanMz6@^~R&gU?LHs<4cp&PRXpJBy+vtiYSs) z$l%2EqRd)~PGB`u1S=|%Yt|@zU?a;q+Lc<9Swo4oFArm;$77-Dfk6MjZ~(+b1DMGy z<#6}Vz(`kjfG#rvxC`G~rC)PrXU?Spdb|+~aX1{Q@9FO$DrdG{`$zir5?Os`fO!A= z$bAP>7HyF9#Sq}|xtVh)ck}XSGzv|VJVN!AjdcOsPo@pEugjcG`P1GQ`k0JGc7SNS zb5zz9I_73-0h_IGLkV{wGBMF$+i34VTSsN)EGlBe8;>M{p=eAw8pg!d!SSFdh7W?% zn$|W5c;v?(NTD!fug<KdGEx|%P_QBqt{)j50cSZ@gW3qv9L4jl%p@uAX5_^hslbG2 z+Y5X%ynzh&Xdd2xs8U{*L^26VzSCO~iU$+XxDNe_8hU#%bPO%pODnTqKI2Z$&s0#R za&I(}#2`i2tYO@{xVliNY8PhWlpyYnM54ipaD2@ghyi-BPX}0Dn2E`0;uR<)iut6y z>(KC3D>G3_v)PN8iq3?aNBi3`eSrJMguuoSxCE5q@<Svzj!9Q!B9y#-K`53)wWO<n zX$gz~8xAFcs~*T5J5MTr#GsMy(y%wlOqeomTabkBB}`j&(5TQrTUQ&A##1JgqA;*( zS>u@yWxddwz#UgbGFmk2NI#7n)OB7*EzOiuzH^nXMYf=H)}^%8M>Z{%W>(4R<ferw zoz@D{oyx_-qD+v|K~J-G#3-Gj4fBaMXI3($X7`4}kWeVX_7~a|8P9g07ih;Iv=+2k zAT>0EEevSYj$VilVhfD)%fCA0zhU1wld7!uCZQ-Qq7_tF>QH-1-W^z4!h8X!Oxu0$ z=#I=8toC`(ytKQ;o4W@N2FU-;5N+X@JA@{tn%F)?>R&4kzA2~y(6QjF8f3du{%_}G z%BUgRmM1D=!FVWv*DLImT7W#vLRF-x87tIr+_kHw%&_X0WL8l2v%T00gNbl_XEz{a z!Ct&wk(Cq_P4_@YdTVAmYrfZ;1PN6v5;m+Arp`2d&_Nc!UM$!EoOUoz4H$$&qtuD! 
z<_37+ARPX(%rdHXtv4EmS&)e6>aA*MYNqW&rkQWZEM+zOy)mrPSU6mHV4$Z1^P2hv zUDPntgXtWQYi9z~DGJ)Dk;b?)o{?EXRo8lHJBq<`D?rJ^w5mXStu&Z`iSnvho>@$Z zE7_hA1A%frvF4LRHWv0}7O{rbcq_1JhLW)r&CN|4$^tt<dQVQ32>eD(?nl9jTEW`H zCLmX|l9noMhQ$0v?M}-z$v<dYg*&5RxHJI<xxZ^qW+AIA=uIZWm`<^Ly9yTkAg)%a zW+*W-z2FNe(8o+gh7V2$Ry5bQG?v%ZS2pGsSJ{?KfK}l1hGX$yG#pYZSQ+T(Nt0S# zNdt;TcI+KEq!V59j@m$)VIF1OD_449W&tbiOfM*<gRzRpu@<K*3e}MbK;{`1Yk$`W ztr(?KTQl=n`CjZ^5!eFSpq6Vb%**9qcM5t?Eel>T6uqXnis~j4a$RN~je8pNGZ9S0 zqRMVcW0b-mQQtd8``h}kc$uC}sm`kdog@A1=_54q=~P6kH&lW75LfL1Ql&6U6+4fu zZET<H8oeVmjDbn7$jqgTRo+M}gtfuc8Q$@Y!kp-bO{=#mw`NXL`yGl>zm;}kjM{t2 z?0|;srpFS!7+car@^r$2(XCnP4AvVq;PzBiW)9Uo3X?aA?M-d;(aV!nrlQD#nb}kd zta7s8&?<S#U>WQk>7oyo6q-W{ykmsPDwH{u(l>j7M+00l(I~5SZTo>PE8j)_Uh*@v zIWvp({8VoOmVYu4#e32H<%2`?J_HW{Qvn!7Lp|6aS7`Q<@?xrtRzMrmBKe_j8y<!c zoK9wDQbXFkNvz>SIB9N3Lo<fEuaB0aIq$Lzu474~#bXJ4F=?Bjs(QC<s0)+_nl{v( znK_vf)<LCU!;Kfzv87tS5?5zVqSPrEDG9QN%q`l~OvAUSxnXNTi_+y8iSlm442)qI zl8Q|*FfvT`09!hThJ$JHazf@2tgO|U8FFpOP=#zkvDvNU=ufp_4dUYwS<@qZq*RzL zgVdqXmSy~u7b?9124pl|!{D?5C9f(5fT}AqK1v8P5teE^Tw!b$)Eq_+MUr-;DzN5M z6GooFqyXvre=fh7^Y8Y3*(Z4qcpmd?az6@gKZolc=cCR}$L}2<v47oOV|&r&vtDD} zBz9Z=XmJTw3n%gKMz;U{%S)g(+in0)Rm2KVDMtZMAqN9bU6S3KM}Mf`DFCJm5IDz! 
zG&xpC?`XCyk8;UZJ}s2XvDbZ3vAUCH5ZY_e@3B4E);uz*?l_Q9;R0078-a`hv{sMv ztHS1BdKfU8-BV1u1*EdCk#sM7b<zzL@O-}!(uEq=OPBT*lXPpc7hw78JPZ`9)}yR` z4G4dJu~91U0sfkdQcw20{3snG`?(Auf8EwVDG0f7`s4LcP=0+>?1c~0vbEXW27Qea zGP9mJ%7`I{0(RY1Y{&{G?rSn+7iM?nhwQlA$`@dJ-;jkBH!Q5?ZDzOfHQ618b(Jj8 zS4SHq+1<!!c6+fwDiFeJF-WOwOTKOu&KaK`a+DaIgZeXRz(&XVv(5R*&~qGnSm7gz zH)Jvx7jaXn6Ytb<i_ltf5!Ym!46`F~yt5;r&W>&Q5z1RV1s2?EF*|CrjRr*&P84X4 zqfBw+P!v%^v0l6`?=i-l*{vmD?(0*y*UBU0PXOqiN<1Rwer~oNjVboz6&eOFxYeVI z6Z)9cpuCRwiuBa%7Bp|0{3Kwt{z<?#d~So-K)st#zO_$)$XLOx=7I|!2rSNSM$;}- zUTf-`hL83t<)b|>!0J>dPEzo!6eown(|Wql(A=sNpSP@9mEsGVIWM~j&D<$BbFIFa z?7KhTz!N&cM!WBbL%cX!S3-_O+lF(TO>GC-PJkS>;`Pnz>2Iat3*_j+_iF`rkn?}T zf4M*Ad&alV`-=Ag?_0qjKkljW2=0g67r0Mz-Qn_sq5pE{*^Xa<F}~K}v)>J5eWmSX z+e5Z1Y^!Y+>pj5D*NcA<za)-{P2z0a@?VEr{$*fkZRBp^4uY@$lfs2UfPaSnFsdv; z@zz{Nd<%oP<57-haDc1YWS09%cwt1QgyvdzB}m1F`p6}(?C(=gZX|Oa;YvU&^4?Ou zgX=&v!mcLi0-+L@7sK!$TG;`Y>bQVODZWHyA3M01PHP3;Q_4YU9rzry0_oUG^;D_y zLIl`7p>mI>mG|{h9zUCcCU>Fi_AF23W8k;2yuSoLMKgGth@3>ZGz{Q;5tpoOc~Z3Z zm0)6_jA30y?HWTb-D~R{WvxY6NhmWhP|<;z>JC>X*<h!*T66MZeQybN5Gv^?>>%$c z!AOW%vl?y4pXJI=!_;dZOuT&c>q`)Tp$xG5$@Cyac*DL{f<Xt_h!;-rngS`}7`MoL zzq<q}39`edvcBmXK%qki-|SFYn>$}E!7W1hjTC{^n8Uc>(k+a;O3>g?-msx=*l0Ln z?AB_%bCsj4tk|F<XDHCphJ#KVJ8H?lQi3&yDhh1qZ953Um_Fhpq=};Cx}yYr6LP^- za&;;QEC}jR@2a(YUoPq27#ZO`7E%}hvm~wvWag;O9(MVnm-RN>qLWf+(4a<I>0c@} zOHnw;4sj(BOcNCk#u|Vg@(QbEz5NIsssJftA3S*#n<HN=!F@x5AX2;h^lp$3tKoPC zN6h*W_(JIs2s7ftAbLt9d?`Ia<89TBvhBr(8N5Z<b31z4hneuG-voKe@55TJZ!O^j zms)R}p*qDz%CiaQ<QQMwjQD)%9R-T2hTTJNL{<Ys-z`Uw9u(Bp4Gm58jOY{L#_cVE z9hF<^s*TK__Z(r&kD{4wF2RJ@Tm{Vpda3?&Uk`2^afMk$=$1U7Nt0h?sokcEIKG-H zw>H<;H8+F5Or|ZZCbl?qp=EcVa%(mE)KXL1gkNfT{AH!Ki7M={>*3HCj<kzT!>UqJ zsKT}fmCCN51C<9b725VPuf}Sfme1{Rlx^NzNL>Xf#KVD&@Z3$CxqOzRTLFDQuHbqc zO~R!HZiRaX<g33ylW+SccRR|iEH+P3JP4`=I)_>DDOxF5l-Q%`nv3m9Y?mH@mL3h% z$bTjst2UhbWa;69EApDHkaVzNL$JA~X-8dEO`x%<p{1s(MMoybeXVrcVyp9Ae-&-} zL@9Mr1*{(W*bg%X<D&Yb*ZOqx*a~Oa_Oa%o!x7WdzLBM_V~?Xd#dJ$sR~JO6Ka*G) 
zkkO0EKvlDWLYkI=!2w+0j;;z+VTLvWA_DMZH`w!1LuV=Qxj;YgO#?&wfv{|+8~gTQ zXc4WYH(ul@+gVk-onX#lyg}6ixSxk3^@1@}CJ(MJwFZIphBZj5;4`I%HwN2K-t=1t zKa>X)88#`tw%1X%HeI}lG1NSat%glB5E2t6EuC*xf9fDff&G=?Sb%#2fmQFoAWgw? z`7)Z&YHD-&j?zmv76r2<-SHQ*ZTM9scmlEhVlXk~sZ!N8sH|HCrX;|hR&($O1(0zD z7!a+by7C6}nNdd?*@gL<Qf3lb5DM&sBTG2sP6xL1^zYXx0JVPM&asWovi6L%xS$Pt zASOd|H?#?sxjcTVYEnfns}o#HGe|^RJFaM<7l0Qy2-H`58=)2$+*BPKy86WwBV=rP zpdCgEP5<T{%>m5UzVs^41_NWka*#L)7qJ(#N~E$734k)yuuAL6_e!tY=xXXZkunGB z(gT2Q==MH7Rmxba3PzJULq+=lQETL$-3N-$zM_(gCIT=Sf&-mUy%;_s%?4X?I^Uz= zZgi&|pkiPb2fIhp3>?t`U=3mbT1p2Frh0p|&T*f+40Ng^#jC2I4-cTN_5#yPUq-B> zbY)F76SNk?@oJQd*3VCY&@@$i7l_6KH7Y#OWRt5lpp3253j1sc&O;1wR5q9Z%z*95 zte+Z&XJJ9~i{Oj-H9P+Z1x1Y(0E{PXUn=~JU3Y{DfHf@7b)5WwbrJJMXZ-Q({$JvT zIlS!mc<=Ql!0~_Bv()`F*R!sbj!m}5#V18k$l)7)IDgSS-O$*s?68}w<hU@$&CJxE z2be|^_;b$+EHWP5ENTGR6;L_{QY#k`4f=u9B4W^1`O|bqv6r-A-#;{3j{gl3*c6%Y z{Z_uWcVKTh?E&R&9UTpbXakg@e+YG@D|-jK+se~J?egFE;cTQFM6*<aT2i@IQbE2g zAbQn~S(;HMwSN^Al8I&09&R_sMY*vvXJ%@2o!gme+izlqg=J5$Kz&CW31x<!F2Z!7 zO;5#%D7aY#ut%sP23R4L)CTY+0Igk6D<;gIhFzbo;086p9ka}IS@5aP9t~)x1hW1z z$n8*e$it;+PGtNuGuw1>s~lvCxQVg$Z)9lcK=nX#U`5rA8hlgYJ}??y9VycbQJF1^ zw#yGG0;4cM14=mrham+F>{0+P8HTW-vS$lyjk53Hf&Nt*2P%dl0ENpaa@gqvnIvsM zpZ9k_>*KQqupE3-Ky6`jAxO^<&O=cqRQ0OBbfuo3uIqtlJ7&q7vdR5s;*+IUJ&-oc z*|GDo7rVJ_%6dFoFM51r1*-tRgu%8Ss|wpds(pVENuRKFIh~GHrH49MI}N?dj%Eiv zTr2f%eEG~wgRXmxV3+J6WczkZ3V;w(F!V?IlqW<*dbvnL1s)jbg+Zm@3<(+wEF?xB z3y{IASXtN}84Q(hWj(Sl;#Dw52uutBGM>i_tyCb<=@Itiq;sT~0OFWPK+yrANoS57 z^5X~WCu~{`lZ}x_{u2gPu7iQQXuE`2p~ekDm0-GRQ_}z~gk?@f4z>h>pt3Lnvf&xh zN<F9%ztDdAo(Ck58Kl(2_ErBo=C(R;x^XiMex@rs;E|_xX5P$9m2U8B70h@e_6D*w z8iv~1dsD?mT_%`jtGf-uKo^p*&Y2cTD<6<dNNn4eUwX)JTf77sAWM%a@lnEQ;wS~m zh7B1FB=m&t;g<TcKpA~%R0m#O$uFh;mk3;umMkoTsIz;r{T}W@+WE%qGc&7oqOR1v zP?3*fVDAyG7GHFFfopqT6FwC12}Jr-IXjTyll0^c%Zg?zmJ%?`?A;vHIGzsmDX$Ia zkI=n1GfCsj1WQj%#th2*b1vEeFe2>P7*=h655A|AA~YRdE}yz|_Q)FsgKV-Vae);u z<PTyJlo6a98U%}iUW2eEYidE>5!9)IvY0`uJ!VqU_fbozXj;S59%kLPd#u)tE{krY 
z*gzRZc&s|xmq!=OJXUnUhKAtc#j5qJ8gH)|x*#0XoqD#`;#`6qca}HRR94s5uv>Bv zW%lOxyL#P3HQo&eOY4OH75iQD#l4ylT4X`iX7?Ll1(DG4;+v3z39K!<53mA-jqGGb zd=`$aicX7b5zh;D;O!(k+Ux>!r8e7RYVGkNIU*q$%F&kXF521xgqrRHf{`SbQ_tj& zh6Axxp;eJ`{FfMxLx;?*1-o|_Zg-2ZdmGQ1$zq!3y*MkdRXw~exWTQ>b{Yg1TU`JZ zJPLXQIh0{e6&2ic;3H<iWj)yr=nz?O6V7ARA&onNp~TsNoy{$^L77{#V0OG_8YKaZ zVxo9dprFLutVf07c|{(&z(jg>;5AoxM{3?`WAo^g*3>}4|9_9a^LY6G>V2zyXZYsg zyx>3HzrZ{F_q_MPH~q)G@9<{u&ZiYGEzj|;@SXyH^v`>q#CgKkJfHDg=XtAV)RXe; z@YH&uo+X|c9^U;Y_b=TKyYGZA!E5o}V9?#>u6M6-pW&YCw!^dFQ?4JuyWp*^54qmv zdXuZywaZoKio2G%PI6hCe{nwHe8l-x=ck<ScTPGF!uMc{bDcBnoagj8{_XgU<1xpB zjxRVq?sx~V3jK~&c(y;svBELOVYNSRf71S_{cHBm*srta?4$O5_8s<(_SN>K_E~np z_7B_Rw(r{RvVGR}KHF8cOX0bG7g!A9wuQEntS?*tV*Q!*5$jj2pR-<XeY5qTwcFZa zU1tqj7g>E)PW+?z3-Mv`cJY&7Iv}3FHlQG?#kja!JQ<t^f3^I|@@>oAmQPzgV41R{ zEghCdOQj`fnUA*=FAC2HKN0R1z9`%vTq9f|3<&27TZD6kRl)*chQRZG;(y6Mj3F}r z^Bg`!oGA#+mGw3JX+nc^*u*|@26xzV_#`dKETLXHY$BdGL)hXuJVQ$&3H6@Ce(mQ1 zVYBD3Py0EaetNZ^4q+3HinO01{dB88IXGUG;J#E(S;D<fsP!CnYDwVXR61;A731E= z;rz+2CgEoZ8>PcWLNSz5=Q(WEl1P-q$R!5Ps;J1KB{@~tARRW+h#^Uh=P<7&IZddR z4jUQ7xNFgt+?84qzfdLRjO1Y`WxXeNxt3&(P$}h1ykTX+I#2FWEr~-|E9Fd-VP&8| z$(bm_%J^|l?vR#Eq--X(urmI9Pws%41QJJ*5rf3x<M)s!H>@RrBUvezHYE|(cydEp z68MRhau=JEoa@dFiZgjO*Y*hKcya@}3}?G@{rNwh?aB42f5fyr%aiNXe)@&gQqIHy zwn9jHa{F{i5>n1Y|FweO=E-$yNlp{uQqIKuwL++vkt60W9YNyq`JP-#&Beh@uaq-! 
zek~Vb?p(Xt_6sP5iS28d5b@;N)IxZt5ccFQQh##)7D7_a#PPL^hX73+U(1AYPwqlB z8>F&I%9-fBmQpqoz1LD9=*gX@WpfBCJ-OZ5PmzA^Qh#Fj@pGs4^C@AalrvI!aqs3& z^W?UxNzjZlrJRYyYYBg~C)cbcnJJth<xB)#OZabia@*7-+&?LaiMwkF|9~ggpeEs6 zLYb5^(RMB2-tEcNYe`NKmV0tr)Suk*!g48RBI{ZrtnlPEX-PgsNlZLlOLz>=MlH#Q zDT#@qYYD&5liQ#sfee;OITJhA5@CraSFI-D;BH#VnTWX-lbF_PNgfs!yK|N5Jn9e@ zNjVc6*J2XdS~Uao8d|YN`zZ+vrJRX_Yca|295o5|un>@PCi<<#B*U|`Bp(+RNI4Vp z)?)r<DQ9BdS}e@-<PvH&h+w{yGm&mB7Ebr%;<_YrrJRXxYY~Ycs!MX3lrvFnEuv0` zwIqIFj+8U8Y%QW*mTO5I!fYvLBG_6)y$oteL`q`f)>_0r?#Z30Cc#pe?a7^?{d|gY zm>9Jd@o$lGCPuAA!l|Czay1+85oSp_6PeaR>hw}I2?uxSQqIJqwU9c!SWUwFg_%;$ zM4`2iI=xU!vOqXR%9+@+7E-4dXi4T%5)*OOLg8djZl0E8rXWc<6KB>!;UrIPu9^f( z6-i8VSqp_3p4=QQ$qxj-lru491*p@fYDwUGUdowBvI5lUnQ9VDDW8-x@nZ$RXO%Nq zC;{qa-a>H*Zck3qN)ZLOlrynn1q81rr&%Z%X(TZbVg&?`C#RVy9DJioITIJw0_u@w zt6(*{q@2-K;TKSkG+Tw2D2dTlK@tpO-c~tHa7sC&t->#$4(4r@(*%c<GukTr0>Lij zEXECY0spcmCuoA0FW97<iSl%TVD;oUEy*lFl%}pUmNFl`oVr3wB2kjd%}KuDnYv6% z;ugTSdZ{_d1D>f%v?P8(kfuzw%6#;4O0!kC=LFs}bx_N3n!rg@2h4@OB2AfWmHFuO zlxC}d%lJQ@skBy##Q#T{8Zwvik~C$qRpwErVXG*1@htvDY0AW6IuAoT1&c*VBJnSJ zrgSC?|8Hrk*I3a!%-t!I-7=3lt=TQy!~DObDU;nYkDrpJy3IvRdZxP6%8~5_&s3-O z^Vj@8r706x={){<&s2w+gg=dc&NBs@MQQ!X{Il+<z3SEz<p1HB(##d^W&ZD;sl2)J zH2*jERI8fy0{(BFsXbajr}2OFOyzBqIs9KdQy1v|`e)D7`P$D}{2!&M^Nc+^jeo{7 zl{Zf$O0vtG<WJI+iF5Qc{twcW(NIAje=kjKH|CwgKO;?<td%+3o298{bGqM2QznyT z4*y$eYMUV)_W}MQY06}`%%(a_oTIb(-$+v?<7GDgv@~Vp9Od3g<!v$40V;Ix5}VAJ zQ^9RGW#Sw?72JkXCR^rIa2rl-G?xedXOls5D!2`&Hki|a|Jh{KoC<EkscLh&hh3J% z+*<B>&b8U~A<xO~FS<M3N%uV0fA~4vE8Mr7W&Bt8tN2aA9~>X?o+;c6Hv3ilzw80~ zpna32+WsxeqqZN|K54ni*5$pyc8<eueaU){^M30trxoAD7V$^od!3uX`?p8j;O($q zFZ#Ia9mD>w`MZ5j`fhi8+joWYkZ-;B1xF?B78Qgau|M?;XrH=gigj}ZcBg0fdq0?0 z2%|%2s4z|uBZ&mx9Tj)a6`I*abAT@3=+Yk;+ce|Ak#BI>wGCKvLh)n}+*;iC=ZJAH zujFahL)w;w#AdBD+^P=*N0^&Y+yT?=F|O)*iSnp@e+cwdk$8-|b**@@ngLfllm#Rq zxT_oKfsb>#nbV;Zam6>-GYG6qe<~7>24nFE_xW;ho0=blKR|!t!jEniakBvOjUhmQ z!CEs~76PkSBpKq~w?-V$(&OTw2e4#fh8oyQPn(b<wW@0st^yU>JD}@ubDJ(pR7AjP 
zRlz+N6VIpY3{^suh74pw^|7185dbQIQ|btG;&LNh0XC6jGRpH?tz-VVke8CHcBpNz z8_%g$;D#^_iZxtmmN5tdu~f;}Hg;JU=p4fJ3}bHVZ5vGu5p`1}9vKRYJE=6fwak-} z5#SYY0Y*5e-H(Co4(w2|g=dRB)aot}=#g+SWD4CGwOqa=Ww$ECKNRRC$Xq&-0I^gk z#ND3|+f;$E3x6W<V%?J|1@o*$Xg%(7qBz_Ohr`@U_O;wXZ9*0c)QFc;!NY+?X-qrd z=u?a623N*2u`Ay8fr0%!Du`8{;<y`PSL#uaCxzm1et(rXDwjehhK#1>n9E3lFfkGd z@%xlHI2>5sx^W;qyqxGiI(rTstqsKa2%0&*hl!|#5%(~58Bn(|G*<_D)djp7Kw!8t zrqLb*hI|+#jll%w{tr(T7h;(*iX1{EM&e+Yibc6!`Nfmx@-17MBUmKycvxH^R-unF z9;p~n8BL66MU1=eTug4hd1Meog~NgL$li2&4-k^%l#uT03g(N<g_VxeS_((c4T=rO zjVTTO6XgyZSFvqCzRN2SXj6DFtiaiHBoy7OOU*7@38gjI4ML**snI-_V*<Qh=vUP; zu~IEt&psprTzW@|Mk*Q!ukW&stwmQ^8))&fOF*`^ph)y<3%zUa#`T|iNeobod_f3B zHk>N&XzQbEdgTrgl9wqtqe-I3jKP1bxSy7g3=`_^>FOrV$WC~iWw-{0pY4PnM`R=* z<6hRm5GYh*kwooUF@1!*n8peax*cd26pH+f>o-?#h$O(n1m?AkXNa}(jFm680mvz1 zD-tRL)%CV@rK8Zz;b@q<S(}*PL2H8|NR=yKgP{E6hyl}B6~w6st&J6cb&>#AYb2WB z9%B0dbyLYEBNWthf#K1?6!E$yB603JTdZSFxm_f9Waz|;Fr6lZreLE*uQ+r%nI-HR zk^3A4_fQmC`L6k5IhDmO`_WB8WI;iNlOS(PCb)a;*K%$}B`g)srIa#apRH|~mX7Jc z81z>n8s@u}WBO>Rpd0}oVw(f4287jgovyi@9R<t#Uup;(L8R|g)zQ|8!J(ajvJkas zMVwD-3S^Ny8IMB=RV0&OS_|{NVR5@Gx-=Y3f+Y|8E1Cxo5SBhr*tp=vbr#W8#-LRb z@g%=10v#>@hH-R?S%r?4-x3t-p)HO=Fsty;@|%@eMx?Wv+BVY5DipN*CZ@hvTaJm) zRbhbTYZr^F(QCF=%@nQ*zbn6Cp%^F0P&15-s|pz_U%gV?j1(I4B4KL^*d-MXN<O;T zI%ZeoMs~!jp-xoj7x|SttYh;~^9dqCRCpEnGh7F_P_gZ<RGd6ed0xLl5<rD0kYD1t zh+9#r7=8R6>sSyy)5?Sz#6s4QaFTkbS*fZ8ASsT{$)`~L@e3D-VQox-O;_>tNw%#e zxv!iimXU%aTST>xh>SFm3{|o@Oy~$5WuI(Jke=*o>!oKU;GTtP8s%Pu-Q>;p<JEHM zDU^Kt{0psPXXcAL8k68LQvWH0g8TwSe=0&hTIt1k3Kg<LK7i5umVQM44~LUtyE0p7 z=b*hseZyPR4|_4ia3&Pj4|Y*l&9q5`5+VMIbFfFlI#QK5G2$wU93XjOwN#B1dLSU% zSRD~iD@S7${E)J^F$2L^3gT<cuEaNl&a5OuMYr|Piv%+M+IvVdBd8!96X5;~CnJ1c zopsDQmuI>XfI;@80LGEFFUnl#vfY?xl!i@|XIKxxXpDrTb<6^hm97G!LKk{_Q)DTE zXtA9!rR%nnG(J;6gbrgWydnXS%8kHIj2DC0<5(k@@t^<1(-631a7GjH4QyMaI-4t- zTUaZx;;>x}jL?$=M$cIRTyQv^<bE_JTE{MxYhg&%{4TE1BI>?AP`^q%i4uoL@rt~I zj7DsM$|oItpHLm-5}Q>m6Z2xHRN8OIAF6<*kceD>VO$_LqH=v@Rrv<|hbT<xo2VS- 
z8oh0jzgJe0$=xr{3z?j?iPDl*0eDb(5tvSf2=yH5Tn7_Q(C~>pz<Lt8bQBHLK8)B0 zXpoF{iiB-O+Y%URgVAV=`!wDE`?x1K-&H=J=K)ubGi1Ns_6^%6>rSg*oF{yMe+Ym4 zKm2bjH7>Zhl!9$OSBLeI--watcb#wf6?o1pQ_d8_lb<lu*Q<bXm$UX#bDJ3}EOtF3 zIB)AXpMO*l)peBded0YSVcXk!^?1t@{ix#Abc<T2HO|nZ%oXFDhr66Tr5K%=>C$yc z2l1n)Lkg5M5DYYrqz4r}P=(_hEXuUL!#aRzAI@<YIXPAZODBJWLGz3Z5ri5GP9b?^ z-)4PnqcDAY2cZf`2jk!erU>l;^m*OZKPo?P>>VXz1R4gQ^1d{II!EOP0r=Q|gOQy& zk>w?p7ndq6!w7&*>dHLe^LXf_!pYYS@OcFM6ZpyX@GSW=PIfEaqA(zv;7~Q$D*&d` zk@ywRULFNYw_5fCKQ@rP+|9KqYG=D{>Y5>@8}aE%tOM9v@hAOcJ<+RkI!`O~P}6*i z4U=Uwds!j(ROI#Xrarbkdublg8`g;%oGopzLGX-FPy2M@#hkvl7e?O*?7(AIg1Rhd zoQC8z2sP`?UgG7(mUCP!HwGoBe@~`c(MMH+P-u+E{y<M#U}tJ?GdP}8!+I%bk%9ly zI`Uv@FCOBeZ~0Nci@uEmeJK!Mq|)WeyNq&`v^-s|<zSzZ2U6t#aW0L7RDFnGUR|!* zm(IkqqwJj;-uEpqzH+D^=^ZA+Kd>tZLYBT%uz@)-NC%WRYc;SL!5yTRx+d!y*)5QK z?2EJX{;neB$VV^qkpRmc{N=+ms`PL`JqLS(x0p(pz*R8A_wU2@XtqzrcV!QGxGvhw zCoVP$&MYsS^ASf3QRL7roGSi4QW063^2jQ!WP)@?(pc{>uIWPy!wZubFG3(B+S&0J zxKv>80qLMVu%f4vevx+>9PKe_vbRt;NPr`zP8vrl3nx#=CKrT~<^1xgpmNbNyqw;p z;ItaYi*11oO+aNf*R+5moj&l8emOM;-x2iK0}aHNOMOj4Q(bM{R=gdeM+yh&Q%z}2 zKOMUtu}v#ktJB>BBe-3n^1wK;dsRUHZV_$9cS?~*FjevwlJ*>2VMss+ma`5ANn_HD zP<lD;RM@kx1F8Sbb1PGmJ?P<Tn58%{Gn3Hi|0=xq$J7Ya_u!5HaC>*r)whATKLXoZ zHh?yTKD21!4CD1L`_5C=8S~Xci%n1XPX-{JXa|OI*iEaEIlMp#xVXX_aLi#m;KHpK zI|F73pk3ZzNh%Ui1!CB4MzaTs?coJR&~dz+fG3$9@nD|(F{qs8F_8po6glAmNM<NI z;vthM%4Om+Gv&HL+!d@QhX+A+5o};|*n&6JMTc|?t|M`DExYo<l4~CA>m2AG#T;)O z8lZzZJibi9lNgp6?TNY*0DRw<)6e`JCdRXuilgzw;Z83;%b^3X&S^R*N*PtC{Qt@o z4X$9JGU^&p&v5&yvNw3tcQFYv0UAae{C|8*c!2Xi=l{L`asLnf5Bcx*-{!y3|3UvX z{we=u{)_#c{`38f{u=*T{&N2k{~W*1Z}Gk0`xEZ)AM-up`?~LT-)DRu_PrY?2v_=s zeLcQCzGmM>-?_esZ@KSupX9T7U-bUf`?U9`-tTzt_uk?CocE*NYrSv9Yk`B_UT>Rs z2VM-UgP*4}ybJJZ!0CC}^AFE&J-_gL-}6n+U7pW-KH>R*=k1;e&n2D#Plso>XDfIK zlb)bwk>^y82k!`;cmKitg!@N$OYk-K7u=t6f5`n#cg}sed&u1d?!s;E4eqnuA@@@E zX>Pw;bp6ZqXV<S?KXHBAb+7A7uA5vpxZdM>GhP^sxc0ePT`hQJu*Ma2t#Hl5O9Q*} zCFkFqzj6M|`CaD&&aXIcc7DwHKIhfWtn-kw&$-vR)49c2>8x;`=?pk$I$e%e9M3v_ 
z=lG@L2aX3FUv=E-_@v`Hyg`_BT<REfq#Wlt8XVP*)s9t;#g5qyuS2l^)BZ>Muk1gz zf6IQ4{fqWb+po93%YN8?g*|QWwqIy(ve(+rv4`!;>~rli>{i>qZGW*nW&0o7qqh5O zU&b4SkJ#R8dy8$%cEGmZc9CtnZIf-SEoLjT&9|Lwb6Edl{k!!U>(8y<vwp*Rr}Y-= z$F1+TzRfyr9kupb+pW8-_15*)gmtBLp>>wkjrR-BiN6;gho8oW#Jk1Y#2dvAir0u! z;$`B+VyAe%*eKSBXNl$F5^;{`6D|KAd)EOTM{)gkc6RUfy3Q3hd~!GTNxD0oBzI(4 zmb+xj-Pp1$oh@NC>m=KvpL_yNfT^bUlF-2r2)!AbVnawE5JD&k2@pCVgr5B0%<Sy# z?wzn5*@%39?)&Wd>Fw<9+o^A6Ucq1CkMLjcD|jD%9N&v?!B^uQxD%g(Tk)~D0x!n1 z@l+hbWAG5%3tPqSAlBnM;%njy(9jOY&n}6g2pVIr;F~#o8Q;X=^Z3^sK8Nq&a3B5^ zhkNl|96pP8a`+6sgTtrs?HoRZZ{u(ezLmq>_!bU#;yXFqj_>8L6W`5Y9N))b8@}Hr zi3nKt;TstdG_Iv`4!zP46{5HB1spz)ujlYNd@YCj@HHIn#aD6oEWVP%XYl15K8-Kq z@F{#LhkNiP9PY*!bGQrd;BY6tg2PMjMI2s?FXV7LzK+9Ad^Lx0d;^DV_!kU<zPB`A zh3HKj=kN{O&f)X;Tn?YZXLGm@Z|86?K9j>|@fjRGgTd^CGzSP!k3p-G!KX09xo2<> zK9$4WxP!x;xRb-}_#6&9@mU<k@p&A!;qy7fcpHPDhlk(h@O9kG;h*p(4qwBK96pav z=I}XuB8U6%2^{Xl$8q>9ZsYJ7yoJN3@n#O6!mS+c!7Uu_#!(J;;U*4u;;kHR$0u>v ziI3+nj!)sR4aXRSu;sXd!&mVd4*!6U;qZA}$KiAMSPu8$S`PQ(4IDm;*K_y`uIBJ* zT*cv2cpZm(a3zPk@mdad;nf`O#1Rg+<Bc44;u;R)xSqo{+`u5%IZ0|AgZYr8HUiMX zm!|RzcFD$}g#WEV^gaHZ!*B7&9Dayj<?t0ekHeSoTn>Ma=WzHuUcupWco~QL@KO%< z;>8?3i`9_;;-lk*occ5_<M1h5%HbZofWzHb?O9&56EEV_?RYtdop=d{alDelHoS_# z4D=E%=5QCD$>AzIo5KJuQK9f8p2Z;8M@ed{20I@~Z4VwXUsBrx=>JOrp0}?woI??R zqeAo|4s-ZBoXg>Fagf93@pKNK!$)(t4^QK8FP_5Tvv@Lx&)|t1K8+`E_!KVSa1YMs za5v85a2F17xD!v}a62yKuoJ5d1|qfNB2I0?GZ=)p*f^8J-{7GfK993Gd=C3L+=s_= zxECMA;j?%whtJ^A96pUlarhJ-$>AP6g2UZdEnkS&jfZjSF6`rQCmzG$cAUjwCmzRP z9OrP@hShq5Al!H`qe7f*JdneEcmRicaeoe<#r-&Z2KV9cY22H`r*JP0_h2uFyKx4G zPht;;yReJHC$N*lowzTD+wmX{JMj@5#_<pi+whSb2C$n!F!GSpLWN-1*r8I<V_5C} zPBaGF85OkS@pmdjk79+xN3fMauyc~s4rxaZV~a{f4`G=>FdviD@yv!E#G*<?4`9UM z{aD~|Czd$86JrL!=u$e1!)cN_Y=dQ(r1oR5ppn$Z1?CizTD}UpPgFaZf_94kQJ;YB z6xE?kL3fDXb84%oex`yl#cvtaiheDA$>F`?7aZ;szvl2x@hc89#eXqqLHCHCa=1$T zCx@BhXDSq)6xA`+BAhM$gHdJlEAb-^?-oDg@GkKK4tI*5aCoPv4#i-DDxJxwU@$3d z<#4>D4!U4GB&q!ktV<-d$w^Qo@2h#CNdC^@9pZZ&-Y)))!&dQK4l~7f7{ur{@og0f 
zPl$hIP((M1uQ7<wt>T|KJV*Qsg95rme1pSI@hug?6W*i{oTuL`zRuxI;-44<wSLSV z1{(gq6#u}fzYt&H@GS9F4m-s^GWb2ZLHs?3*NZQ4*eSlu;CJXc@pl|vEB=<lv&0t} z{1#m!{)WS=#pgLZOMHPrFo=}ast{cz?&I)EaW98E#OE0N8eJhi!{O!P(;V&)pJnhX zbeZ@RhnI?b7zBGmX(5MRiS>EmOLU32Tcx6l#V0wuNZiFBSQJY0RERDVALkH@PcR5p zE10!k;S01wd`zXH3&ck`JYRf-!GEIj#0NP%OMIBadhsC!KS$?^4{&&nct3|{i}x}3 zG1@Nvn!~fidpJB({1u01h<B?{*dgA_;76!a+{s}=yo1Af@lFosigz*iq4=O&#Nd1A zB=JHHPZW1>c!GF7Isfk^v<mL!uBh`%$ES`ywtdP;)=OY*IY|Dk^f|2Z){Aj*A}WVW zhw2ww8SmpDPV%S&K>b;@s%cqHeC1HT=-RP}ewXJ^pNu6B3l7*1U^d}SW6rRp603^$ zPM(^UAB2mG)Bt}y;nX6KV>mS>0c|TtXj{`!X-T}7!S6^Q_h9{wz#YsV&ziW`A*@oH zgWhoz_<jeKTVJ}sBR{?NK*O1)ZxU_sjCA{|A@d>mVcA!8#XU}83Mt(f?%S?cfhj3w z%2Q>f<%`pl=P>n%g(^VMGZ2!IoIjC$Rq)kJVkwglz?{quQ6kmd-s?1ZFg#F4R;JrZ zA}z494^IACjQw+E-0dKz1u5=FVQU!TYbVe9(v-;|QvvGEX*}gK$)@4!O5!eKw+yFv z%Gr+!Lm;e%#ELu9HQJP3emEL!?4-EEA%Gnit)qzUEI=I+=;Xkh>ypiQzfW}r8YJqC zp`U8SG3E*H8tX-yBjCd{NVqoCW2`c6hgn1|fw{U8FlaKsm(OqeA5k0uMmN<NKC*pI z+y?3mgQ$7~GWuuiQoVtmWT+t>=7Z8JJ>5MR#Rlj()Y)q_IaH!v`_ypT;GR1I=YL=| z)EcG64sfai%3Nx2?QV~1nyNuk-Z)t01p4iulR$lfrRXNih$~JZ23;m3MEbUu>)K40 zg-IN|!^sxt!s)Znlg!27mYF!SZH6;4roy1_R+{R9>JycyPk{a~e_E|hfexOwWYO$s zx64oGr|>{$1l=vV?@JDy`~wZGGPXQ!O$u;R4orY!QBYH&Nggf%uB#}h#%P*F<>e-+ ztsTcLs_0$Yw|%UxiGV1k9+&D$%4a@cRYmWlXb|xwZzSicL_8n{Z0uRY3a#7qo}AW` z9p}IW^;s>2^c2`o#cgpp-Q1R<wRl+Ow#vA4fFpbKe`REknn(6+BjQ+fyt}Qp(aAgY zUk_tSDd@PYuY=GEbTHG8ExeH}ifm~nN;>46ofu|qpnkW>kW3uugW3x@k%zxPgOb@d zlfTt-d17WjFtvb&>+2%y_?{RK(P5pa*@L!@$^^)?pvzHRyP2#!;oLrlxq<~pvcAQ{ z<?NPP&<SadY-$C47|`zlr5L76&tIowFQU2pKZGs6JK~~R;JmyI9f7R>GlbcKXAqpt z&vLGIthaaAij`-SlPxWBD}Gh{2;C;^h79}rwZ%uI>rvftx_Q8=BeClEaH`}VA^`>T z3rNs%p^b#7ruo5iR?|)Uff=ovBED|Q`7dUvAJn01pBx|NBy|Bxxn+IZ^`6>UEJ6|` zY&vmF3~fDKhteb;s?|kuQ#Zzt8`}A7)w?pZcD12bj|WS(jbL_4tW!uQtRrE-RHp#o znjEz1$WUL~01^^tA=XAWc7KxZ-e9j411|+bV~^FuGn4yHdQb3XnVKvb!O6h?$neX# z)dy7Ac0}9<qV)i(Pc_BZE6fU)5M-5xFd#zo{NlxhzA+0L8~kL1tE(j{i(5cZ3c_+m zstiUkngpnB6PTY0?TBdJQS~ZlQOu;9>q~)4?Yip!ulkCy<Ksg?P`8q04-8m(Rkt!~ 
z3;+s<KM;cOAl5qF9Lo;DiluD!Z1XxLZjB%56gH8T86V!aeU(lKolU(R6mJE4MHpP> zHL}n<#CVO{TFwBAIsMS4wZiFa=>|pDxP?yj<WXRQLlt?6HY-)+rNbDQ5flAdnDHUz z3v;#t>V0HngWOcuV9wpggVk?yZ4-&{LCFya(^XB}Pw>ELF!aHCQMD7IPEKmcTe;8x zjuSvTx1L15CjMJC6SjzMY4KLj^QG=k;PuB6S0&`7B@oet^tr|c5KQ0^r9gz(cJRI9 zVc;dhF!l1{gAf(q3j^XZsM^1kbr59$l$Gf#4#DOd{RIAnQR0sx(tN;zciNk2t@6q= zjL0SNA;#URP>Kk?zul@(0o_Dyiw{mGe{{!p^#RKtFfR{s3MZ2W9fMtr75WCPYaq#G zC+ym!+r>!RuC+P)N8YXIo*biFLnc3)elwN!O#x_D#|I`?MEW2dMbvSQue=VVe<(8I zextEjUrdMkD5yJfHsvzX%y>35^H?-KzyVRVL2&DD+=5SUg-T`t8gaE{EHo7u`sxjF zGWhyvL3ZJx3&V22U0f%jCHY()jZ!v^pS>Y|ghMD-_b~PQQ4o6)6u@EEi5jPZLBe{f zRQ*$}S<WuuR%6!iscrH8>4u-YALWFnJl@YK6p><X_x5cM>xQ4{;Kl_e5x(?GQ@+Cv zW|6I0#}eaykO-+uF}8O2Nvx6on-<Iph?kF{N?`}SuY*`D(K87BDfNCkZJKiKrX;58 zbO*Ys)ZJp}r-qNT<5z?s;%@}}jS_U+?g-eA0j=@7rH4JQSeJU{;M+Wz%Dt{XiobE) z;X2VZ#qzFnmdomV-g%|7!8yfxu7WI&TKCxS{x%16*YPW8g6_|s;enO_6x_%I&HMj0 zU+fqg9GUfPj|ie}6r^hh*hidQra#;zJrYJg>Ii_y-%ZW6n~9Sx$i+QJQjwlqqefra z8g^Y{HAF7<!QnCy*s1q`@ze-!PI*~&A^a<wRmQKt5&`y1D#3_wJ+%(Yo&!-LnF|Lk z3xtpYA8^E(5Qy>72p9~)4kUB*#x`g`9LO3bP8_SiAm3Lod|N53P2kbf$@b;)@^UH< zh!ZTo5Qguk5yZT9a`4tSh78Zs32wT=>Ox?pi~D7oJuxlO|5{!ZZP^N`JmdGVBU2wS z--RP8)%c2iWlpTcwh(UE*4y+2;PX;9>8bn6YIXmw?<k8nq|Aqp?r-{L=JSm;R5hw7 z{o=*b3x|p0VpDA3NTYA8&2(3C^_rB@p{|pDAwUaDb)%v0E@TnQTRyB^!FS=|^qV0H z);$7jWTp9yR;H!27{gv3YbmoDl#P(D(eU+Z%SzECC<i|ubr2{T?8xce5JeOg;SuO! 
z(Hde_OvVFs2SME~09lr}U4%UaVi`D0JZhp6NnvZhThXL|#o@UM=*5}(fZ>bCf*`p& zNpH%88F*5f(m4=PjzYSSvCo;`2Y<sc3@gg{G0_Gq-EIvVtXTj1fnv}+8`(TFaeeSx zXSDE!f(0ZL`Om*YUIMXlJMmo6olys7&oq83dTuB}-<)8JdElFj0!EjUW|!&}OBT&j zdjSjZdLZf(;;5L*M$|jH{dOwOaNP%f6h=$+AhbC|<v_*`HLNOmIQlT%1aBT}m^u^f zn)U<APY=myeyKnK`*G8-V19nmeGPTELmB%%tbqEd=|**aNUMBGU+0~sG<J1Y%B*74 zPowuc0t)Pnq`Wo#&IrBZh@%wHTQuE4wE=aq8XKqG?ZvhV$QvJRnDk)k_<@ke<Rw1` zIVK8))Ngs#F!bpdr7*R`i6=(QX&EbT6m!@he0ks4P(yhis8bkP^6Eiax4poiuhVfo zZ$@Dmh|t76Jdsk!8__@6`Tr||`&QRhh{%^=yHz>cdV}Q}%M^K-^aw<)vx%8#lJLqQ zpBxVF11saXupMWPSQ^gijwcIqD9hNoc!;X4Q>}w(y7gw^I#7gTjxVX=fi8l&erJdu zU6GpLVIp-3N1z)>^pUe6^@B4KqFM*;Tv&WkaB>S?DypkXfzZ8;dJ;6fh&cEL=aS$y z98UU8d-K)tU{V=w$-yYYrDzKO*vfFp=$v%NuA-DW_ODnJVL_!U%E37d*}tr5sjrJI zjt3m%JeKbE>2*koq3j_#d>v>*GH*EgIy}_p5C6>`CTEcIXV~D2t%&C&&sOv*Bk5Px zrLbWPEp2mT{IH+Gw=pKk>YpzDtHJwaWy7LY&?+PvfR*v=wB5Wrh85;+-rhf+<simS zCBl-v?fPxtV(MyI+be=jR88bnZ9fD~eyMh{zP%(b^4`z4pd#dH#AhU|roneK)vRf1 zT?aZ#-Bu$z1jqRFTg?agm2rRC;_uF(YfAA8@$n9#EI|9E-U(=VV=HmnL?tc5?uAj* zI*bjvTZe^|d%}E@_bzP#*2l*=1laYV$A|iW<+CA50(D7GC3<z=C-sYmkzJr}PBY2l zgzkJcXLuF_IbrM?I&}Mh_)!i4_G$tGIP%ilDjmpfO_~os*u9&dL?O`~D7pb<ES$CR zu})zwDV+AvecSbJE@3Mgv`~EIpsoTsCWl0!wmL#wMKecN>tO#Hym~iRR*|?9L@B0W z!%s#v_P?1jS$VPIGL$h)mt&IR&a{IOcTy&uA6wiB8SFNRD>{?%|2AuUw5q4l4vJU$ zfrJW3{uvOn3T80f5rsO)nzr9{9Zj3Y)WwVLUM6L!F_y@b#^c_QXi#*K!$U-{oS@P~ zPBG~IDjglcnR{i!=oWG+0-g+s$Mrf;zJjw65;6*$9yUWXF6M=;vI$fbnX*{7XUlHN z)6KBLX649Ed9*_dLpy8FiH`ymK-fy6wmSN%`0qB8(pAYpZ02-x-0NPM>ApBQ8P0B4 z(rmI8D~peG5<6i~vjXE4{p_H+wDd0qZ_3=?s=DE>m%hx6H3C6xs8>&7wZc7!()I_+ zuC)*Vhc-xPTwr4W5!T=kfV4wU&-0UrL&WoFD>w-yI)rd0pk7if4Pf{LAsUnpd%8U` zhDpJw1!8E2Wc}{}6&?4L?uo8K=R!xT?M<bZWvG0eyaK$u?L_CGF+_vsAbzoh@uH;5 z{l2<&aeBRp8Kv{d*-E6^pj~`u79Z7(^;@Ih_P4nzn=YBjq5*V1H;_d&UtDKvi|cGP zJ9J;rXEKyiBtAW<-!r7Jd};a8KvsTMx6B)I{7VD=!e)r8MD*HV<qcji<3r+wPT_d6 z+K3nRZJ(_xy~5-er&>QIJB#rk*5G3}?TTY_ZDb2=v|!!`&9|wtjf~AC90@szCSx^; zPe=@6i2GMiMuw9v?Ljc}&w_y(4rEEQhp<f0F{;5^EwKqFTNGI!lfx1c!bJIML4}+~ 
zX(VDvB`k<Qif8~=tjq+526F?l8aIUT(oAd)$@WP$JORu$KvNw07t_mC&&0=2tAz*z z8w7rV4cM%sW}JkbYH-I&)=|cTI>HU@%Ph7Us23B4AV1}V+()L9Zg<r~u+Y-gvd+$v zv_(+E1qakK;z!$s%-JsZ4ar>G*c8a|f&FlPVXhxs%U1BMfQn)$xfbv?T`^|)^5U^v z3vC`$GJJSeR#yA!_%x>g8^j<>T8%DqiD*vj;ECcPNmcjNFnT~4=|@wwiw;{1#kY<e zfY!oMaWx$#iMLdU&`88b7+InA)`3FtM)iTjx`bqBu2X5Knn-0cG%{VF8YT*;=D1Kl z5Pbpsxl+H&hjOkzG>aN2u`(zr!+=o|pK8!-hIll*7WiJ@el(lm4pp;xN^<BarbACS zE1cDxMfL$}Hg9W;Pj<4+k8Q1e+Y5EW(Gut|B+M#|1#m7t^S|BwfX9%)HnjiI$dYOp zBQPqWV~-lp6owgfSOCAe5Ri+^#o%@sqBua{Qm|vHhgLzy7|^9BVb?$|gw{GX%U4Pq z{W9<BbZdo9`EZHks8q+dly}fZTML64v|JMK!{82>sy&h`+GE-1L2lwX;Z`mdsI46+ zEHvv+VUXc<2P4ev>c(bBk^{`P+3`tql^GJYZ85Gg`E9x?*N+F9bOrhTpVg_aySpph z6QFs;kjgZSLfd-9Cpw8232>?nE&&$m`fqxrxOB@1vh@P0+GLjesq4t~_%cQ<)j}3} zIw_zTY6Tn&OmHxTZO~QJ$Mi63^XaPN&<MoI39qoOsiyLPC1dk_z-Z}uqI75$lw)=A zg5(BD<N!BNN*B!Z=cFjhAFd6QoS+{h)b+JI+G_=TN5zZ?#N}-x%A6JRwcz3vYW$$= zoIJX@QbG1vE7-<ml${&3#`7IQo4PlvKLt#`+DWQn6Vs0JCL$*52T?9m{j_X57@vkl zTp7<xyZN6Y=ID+zOP3MtSR%r(W6aIDSvgt3Z1_Jr(vY3AHD&XEO+4%rmeJwMWwc=} zSLKA+Gsu|>sMEml9M$dA7p68N!G0gC@99ptx=bGrPF^6Yr{O7;u!bjry0d(XsYM-) z#8*!o!X)oy>l)^IfaI@VM?&+e`=so4y3imTH8YO7J>z$8av-}aYH7``Ht(r`|9`<@ zy+-it_4IYWWWC09nR7FE0nD@ql$Zhq|MTzX68O0UelCHZOW@}c__+jnpaf#MHe&A4 zZnXDU40{~Wmdg4jv)<=0kX>7;`v{P8*4H+}{w7f<A!|3XFT(Djt_NVZf^3FrF5CFw zo0^;EA-j%{2hQIrH-I}7*wJHqBGoMBYJ`L+t81)nq3-mWATBCw2@y-B(sY(e%c-re zQ2|k$xh=~ECYF6WHW}0=&Avp+Q$oU#l^*v(_HzulA1ekN`YP67Cr)MH`0WQP>>ymq z=xfqk@9bEv=X}VBzSw*l(J5~an?9HNGUzHI8U3W6U<fkwMNG00`=Z!5!{;o6FlxR+ z*ySV#E~?KJy%8B41dt;tI*h=$(!f-RVTYA$xsoMuIoY~xg>An|q8-u*vERYHit%~c z+0QWadHZl1sIm0jw#C2&-^J2zFVd3y|G1whPHNA$f!1N)ZLRw&r1VOM|4&P9m^k@p z1=IyiMiK|8EJzAX91n9YEPea7y9_1Y^^OBA>K@)=5W{IL2brg%bpG_|r}iP||NVqc z!CmjpbQL?FaeVDK*IuLCtQ1;TS~KKZARgRWsUN-#SBc+<cM6?i3A*g?NI~tc_%dzd zaNFpE**Hu&3i~N-90u9Oq3&F_q6|*V;drRN!mtZTw-blMS+>79LeA%7W8y0u!q|Lz z)EnEhU^e((FUZO9heN*2;ld?;IQb=R+L|Lxt>n-ZwxCiD7(wqL3y#}cvNkks&W1sp z*nUK_iK9M$y|%}h9c^Nd1&?o3$qI6S?jLAm_@i(xTU9eWGh4kfO*L_y63z;YVt%Nm 
zP)^pzmnY9Chte}jP>$%HdIUrb&G%DPM*lo^zz_NnCGn+(W7TjdrSkW4tO|F~l3pKQ zl8)t+#~sA>WuOa|7aLg44W(?6?uTW#LuI)<mF3*56ve|s!15vk%i-J<!<qfC40ot3 zFHFbsp)cjwns}Kue6-I#u;HV4(V|)YoD^mb+wf6f(9oo9yMn6HfE<+#rxNOELj?>D z70{WhHdcU@8N_0yMcG~%FLe?va5&2YFH-uWhP2B;-Pw`05B^hF9g>NMt3c>ls!k*8 zFq%7QCDp~zTuFR^q2&itW3ue0<-;Acx?)xF`3_+rIT!*_La*Rywn$aY>vi>YsL%Sk zqp=U3owYT4`6l8Bz;Fz-K0Ys92TvK|bTz%dQ=s(2=(dURx!j|4Rp0jEx})skdGiZr zfoUU|Q`uQeS8mH;!es|I5V!<ZJI!R-LUuUV6Nmx_DB{uW6Yc_+2-l!0sKx*oPa?E~ zB2sOX=p~c&5~z@{Xacq1vk_eA(u?ehsvn|yRR@I;xTZdqX^QApTSW1hE054m$b#_f zu$%(ljuU;nw?yjdD{HdUlB{jahT~gurUiqCpX$!}iSR&!)Ms~BA0c_(`(GRpXBQJj z4b7x|WPFZOSVDROi9)kPS9{cSr3{P<>cPJsIQj%F?^Yts=nwMvsVK-WpezKcVo^{d zY#}bb$<7umJVDj4fgI>T698>S{w$(|3#w?KD1PY5qdR>G6vdjfFV#NOP*9Qh>|}pR zDw?LuQ3unX(kYt8=EY|@glX#Vq_-t83{Pn)p_}7(_ga==G}4;_w#7>v!pIO4mIoDq zZedGBv?da1iK@b*kJ7-e3(!&oWs;rc1|O?1-zFsh(Dve&vehS5u&2`}v7vr>d}exm z4)dPpPjrl54tuvX$x&WkuCwFCFd_D(<yv2~tT>R9bI<{W;1*g=+dT0Z;FCI^YVe<E z)NU?kD^)UZM-4+c@pe3VxxcJ&3(=<cPj4H|oE(7_FSyEuEvH%FT?_jEOyW^`Ow^!6 zuE{;BaSGiFr%I%tsS8`*#0@a)d+QXdIgO}8L(GA?N>D^58iXxXSwz1N)<INlgl&UI zTfs5_GziT6L6ZTFy6+3Ud*}Yk)gqhT#!86HkED1F!wp&gKaApn=R?mQJWqP=^jz*a z-P7V(>zU^%@Qm<exW9A1=YGlknEO`u#qPMf$$gA_mOIz&b30vMx&G>U!S#^qM%M+d zQ(Sef<*pg79M@o%;{2!cE$2Sxea`Eh=Q>YvZgehp7CVE^p-w04F1+J-(eaq$Hpiuo z(;O|1O2-1nB*z#>Ux#S_#QrDyGxmGz*Vxapx7j21h4v}-vG%@pWc$eWs%^Jzr|k+` z!q#f5w9U6ou#L2NmG70mE5BDBS8h`-Q96`O%4%h{5>_%5m-TDw->kp2K5V_oy2Bc? z)>~Iti>(3c5Ub7dh2_td=PdVIZm^tZImvRYWvOMlCEGICqR3y!f02J9KP2BMUm(Zi zdU=IhEC=KvvQ7Fz`m^+$biecq={)IVsZLrcl}NeLFew9nk3YbFz`OBX_$quRZo?b! 
zVqA!`A@03h{7U?r_&f12@pkc2@l>%{TqDjA^Tc7I8-0V`LBB(fqFc~KQ1n7Z=R#?y zi00KcY=m~TxDm|@cst90B<e`wMsH`Snf7=_=K|xcv*6bG#%#05t@F&Z$Gn|$jkFTs zYH#NpGwpJ3=WG*AeAL@H%Sf9kKJ4u*G1DILcFr`?ib=j=GwmU7=L{ol8d~e^EHcmp z2x#f)oGuMT$&zyR_H-5+DZMf}j|NJz=$zuOGCHT3NOyZWryB2@p3ynQl<5Ia=VU`B z2fS{Qkpi!qXt>QmUN^x+g4Y!o?}OLnn=;*>(V1r;*~R-ZI>RQ?qKwX56Y19(ogo9s zCf=CQ88ngZ^>hY+lq@_YBcn6NkVz5m@pNVzGFjo1vy2q@WWV7yEBWN{CK7z|IOBcr zx}!{)HfD5=HIeS}c8)RBJDMu)%;+2qv?S|jYKFISlsVg--p-Lm+7$5)Z|4Xz?RIbH za3gK9u*2Iq%uKt$+nH&iiMM$>eP-IN-p-+B+AZGBBaO64!lmBMAtoAv5*Q3L-KR}D z+S@tEob42E=Rgxpyg8$DfbrIey)!zGFp;3P`kP2l5&cXgpSQCwkdnOyO%!j+=<H+6 zHUXaB+eGT+?d)Z|bAouIx6^B;{nFc+VWbs^zwmZ?%(NRaI^96i6-fRpZ>P(cEnmFe z+vzmY^2F=BoeneYT5qS_OuNS0X*1KV_I4^}+Ew08tC@DCx6@*#UE%GN%`_M`B{S_Z zZznd>piPKo+9lpjWTb_~i@lwKnRbykak80qp*L}onYP25IMGbIz?(S1OgrD3INnS< z&zm^TOgq<`XfxB!@g}yKX=i&ATg<fW-o$1z?JRGi)l56nn`kl9&hRFpW?H8=(QKwA zyopU_+UedzlbLp!H_>ROo$5_Am}wo}M7^07_a^Ghv~AwRMl-G5n>f}?i+K~ZX4)y< zM2(qtvNy58OgqV&SZ}7C=uJe-v=h9EYBTM4Z=%XfJI<R}XQs7z6O~3<uDI2kSZk(j z@g^$Fw9Vec8Z)icn^<k8wRjW9m}yaOVwIWJ>`kmR(>8e%E6lW}jKp%oOj0LwW+avw zNn&G0VyS_&QEbRaEHRPlGZKppq+`jm%8ewkE+etXK&nL_WF$b6)5#vS;>L^wNOA_! 
zu^9;v<aDIL;?j%+$Z-ZzZAJp*I2~z_Sdx(dG0s3*mXQD{&Oln9kpLl1PZD0tNPrBd zCy6x~2@v6Qq=Dq|Ai)_(@GKDE45SSi36S4(qygkc5Z??WxDli`11XY`Ai`U6iaCPZ zNTfF%i4?R^d^<v{_9j4l)6Y#Iag8?t@|%Gsyy#7U1ZSX$Ro(=MaC%x$Eb%5lh%?eE zy$KNGjI_1h1jum)8hHl@at4~X&YJ*HPEQMvcYrKsq`^Btm^0Gg9U#paXyhFr&KYQ8 zg*O56oSv3L$^Zm9BW<-e0V17&hCc8nK&CU$$U8u)Gtk6iya|x&bTr{|ag{d#f}N4J z(whLu&PZF~O@M5tqoKj13_!Ru(w2D>Cg~0uzc)doyJRbXdzX6?Ch-oMzc*nL?*@tR zJd=1gh&<0E-VGw(YZC7UiA%f*lXy2Cz3WYw#JllgnKxk)@5YOZy$O?eH(r2g$0Xj3 z7t6f~BHrn~Z5(-rNxmCL-eHpO#)*r(2_oO=?<Mab0-l~GF7zgdgr}n&MczR~JUxxP z!zAM!B`zTA|G~mLf@h`sYInYCk#nZwb;tSk`|PE*cWfux`Y6vTmDaDUXIY0?&a`C8 z_sVrLk{04C#81R&=sdXbf8qy6>8)^-K7s8HHX4u8%gX(EJ{BX?R|r~;)LuQBvPJk~ zoTU?1Vq@bi!0V*0cn$lQqvM819q~cg5Cyx~o?<o}8y}AXvxQwTo2zFQJPfL~GCjp_ zZtSRdGw?g5D}F;de!+bUxZ;Pym7d}@6w8Tk0&bbHe=N1x28kzdI0gYL`$eGB0RfVt zwHuf<Qcv+5gci~CLoFge4tQ#-z}O#7yx=&eDpE~-PPV|`mCe=ssH^Hn>TZFWcw_Rs zWjNJbDaZ<CrGz0nnDdrA|Iz~g3<%ujhYuu*lTbrcccsB}ww!XRv){92rn^!TuTRHx z%Hs|J(>3wBbg$}`&Pf;L6YCY<=n$rOS?63vkBLbWfiqbWDhkeSi3_M`QA*v=(;9zE zV-x5^`J4C+nmUso9Ap$^fzN<yI4rDgtcqsA*(ul?62B$Umh7qmau2B{KT&%3gVkSi z8=Mb=KNjK`v?hLRx&la1h&d!>U7PMzDM7^#!K>ECYm%=@Dr|M@tI}#et&eX=_o8mK zpR_M3iLW>GuKfIzcCw$|1$WRIUmuU8vK%}N%53Z7)#+Z;t!|vQY}UuCQePD6mN(?| zN*e3q>(agG&})Olmc=WR>Ryu$Ox<hxlJa@}oRp@QJnY@FWeXV#h?=AyP6$E&k*HU+ zwE4+ELDVcZw1T~M_U7C`cCH`%Ayw$LI?L6}n$0*2M$?IkJe&|#z|nDSm3AeEx#|P= zd=RRJynq}jS3&e-GT@ZN*BTmfAduonc|Q#q?ob<YMY`HJ^zEx%iLY@ABV$YsY#+-G z$h$m#XX7g9LPRHKXX_5w58&+mFrMOTqDS(?{{R?DRR*YxuTHki(gSOmg^Opc{1IDb zPS{VZJsO*9kE6;)=7tGPo$4SGZx-NSYeS@>I9dgV;Z%?zZFGJ7m~<^GrE49`OqF)z zisi*ufjGG&t-ubd#}kNvpo&<;rB5N~LbvGk2YN&hCXB^~#a9C7{;oJL@DW`^aM=o0 ze9@lbvcN766rPsO6g}T~KKI<>xz2N$=X}o@o^77vJyFj_*G5;BYn7|qHP=<-n&b+3 zKJdKldCl`8cnjF&dC+sW;|<5}EiMc8RC!i;#(9Q&26=kBzjc4^{=ogV`!)Ao_b&I{ z?pxf~xi52{?>@u5&3(K(>fY$Ca<6iiyXU%#+>_iP_c-@(_aJv~x5JHH-?~2clzZlS ziae7%A?Y^hI*-GH-7mTybba88x{i0f?Rw4iqHC{fm+L{--L6|)*SRipo$orswaqoo zHQY7G)!XH8VduBb&z&DQ-*&#{e9^hrxy$*W^KR!Y&TY=)ol$4V@vdW^W0&K8=XK7@ 
zoaZ~wkS?+G2OWhf=PGBpbFQ<<Imz;t<z>r0%M+ISEVo;(caC!ocMfv)b~>CQ=r4RK ze<Ob;zbC&bzpNB13m|6Vb&iW2XF1v(TO4(u&#=@n*KxG{X?wGMgCox|&fx>y2D|+~ z_J7*{Zhyo6qSB@`C{@aG%W}(n&^*YujE7wnN%lxzOCL*bOMd`8gD0e4OJ_<7=ob6~ zzl;Bbe~b6v2XP#q4f+KQxC$@F^YL_?kH_Oo+z&gjAbw##(SC*fVf$V7U)s;JpC-N~ z{$6}md=%e_Z?GQ&dK5G5lk7S6k@kUhk6p5TZTr~vw(SqLQ*2{wLu^*tbG9dJzqZ|K zyT*2*?F`VbIM!BSTWp(cn`#Rwe^S0veye<@yrb+<9#rmBZcr{&&Q{{KUe;e*Z?#@y zz0i7w^%QHX^;m0#b+L6eXji<iOjNR!5y}9?tzg(W`ipg+^$F`o)>o|4thv^stV6AR ztahtlsj{?LF0pL4Y_l|2`dge9B>zkPz5J~FsQfGWCizPFeED?wM7desARi+yls}N) zl4r`3<dJfYJW#qux>dReUn;&2pDv6$z#S;*B6RHmX8k!^kCcF25=Bus7uiuj9%z%0 zC>|@cqYV@d7A`~UDH<qjM-i6w9Ara&4iz+>Ln|7`p#>eqp^V0ID4{VNVl-NX!V72= zr;2E#rAm0HM~dMPyi}185>FD*^%R^aqU$I)K}6S5aJ-1Fp<s&_T}?~XE?k5*Q)ClP zL9G;Rgwn5JC33d#59H+VGvwg#Q)K7x6J+D?W2A8S5wcp|7a)XAH-40vR^eSFsOTNx zKNPhHe-r+#qQ45?tLSavI~Dy!_?Dum5EH&p;s{&^|NJ`)B|w|f$wP!!X=$G<Y#08( z>VLcNwD1atPYEw`xJURshr5NB>?fkP4+B>}Kk}zj0<5-A6)qBf$zUAdFMvNV13x4` z_S9{{S;CbJo+Vr;T*2WE;c^Zy5H92JeBn|K&l4`;@Lb_y4$l!T;_z(YLJqeJJ8Y7O zMB%Ik;Q~f%7tR#U=kN^SJPtdBb2&^1=Wuwsa5jgh3EMe5RXB^o4&h7=<H8vnZWBP2 ziOi7gFq|c5SF09I5l*MQuc|>fje>Qua4H4z$wCJMLxea5t2YbVDA;_G(9Xb#LX3eE zgj1|AX`s!=pUl$ZPGV`>i7efE0!z0XPt#Qm$I-N*wT-1MTUi?2!qVo=EZx+~(xw)c zHb!Z>Vn{Phm)CEi>9U$8n%2}cvUFnuOOLH*X>A=%mu}d|()Gu(G*Zjb>Kc|-ZD8rT z^(?K7uyk!TODn2ax@H|qS68z1n6)fjRl(AgYgoEsHA|Nt!_sA|Xo{DtWa;7+EG=Ko z(nZTyx^O8=%a*XTbTLa8l+!fOZxKri7t*wFei=*Wm9lj10+!C1&(hiRSUPJiOH1ak zbmnZ97SCeoj1ra>&1C8HVwU!sLDQUmMKtYm^mLX^D`e@^qggs-8cQcnW$C0TES)%+ zr4uHxv|u7j^Cz%0uYjfDe3s_su{0EBX)u?ife=e`f-KDrurw=&rT%P|j?ZH0I6q7K zji+hvqsFmx>`^ow-ES;SdyN^x($S-7nmK9|O}!&WvUJ1<mJT1z(qY3`nwd${BYi%W z4jD?*jG;%e^vEGJ^$Z!z(*A>J+JEpsmJS-g(t$^?bU=TW9?_4c?tXn~>XQ1<RP5WE zrG0v_w6~X~y)szp^{_O<%~FqxrEVunT@IQ`PCH8-HkR5ImfEZ=RV*yE$}F`=ES0fE zvLS>;84{Za{{Ik`z85@Sc;5HC>3PZXjOP*0-JTmgS9s3zoaQ;fv&pj_*7jwdV$VcR zHdq7<@VH?`{+0V9_g~zvxc9jqci#&u{HxtNV0|BRZ-&+VTK5w79QV=gu=^<YP<J1< z&Gm0vzHPkgbJu&W*ImDJJq0!cJ6*qkmHRoa4%cz6Mpw0Kg=+!qFci4_u3@hJE~g7Q 
z{{<`fx17IsKI?qc`77s5&a0dkI1^w^5Ovl#S34IuOPrIP0p}=KnP)g<$2X2o9DjAZ z>UbVj_V<Bx!L^Qy9A`RWj?IpZj<t>@jyaBLj$FrB$52NfhmEer-?zVMf64x={V}jO zxW#_8eTTi%ezNjs<z;2B@|be3a*J}cvP0=qPPVt&kF{6W7u#psr`kjIG4>($UUsYP zJKJZVA@Q2+1+Ywbz;=i2dfO$o?Y3>Ut+smGI@@xvQJ8MawDq$&l=p3d@`ci()G8rm zjZ&`6Ql=<llp#tl#cKWD`VZ?H))%c$gRR0{)`3>2e9PCCk1cOop116R{fFDE?^%Co zz1(`P^;GNe)+TENyfPG9Ct9<uW!90FKUmJPTx+?=(r(#esk2mqEyG;P(U!2~D9ccb zP5!t1IqXxsF8@w`N?TFa%4;lr<cDF6eUjWFPnEuxXUQSi3RVtd<Z`*!A(@JQe#p-y z@V`+4RE$F>3_<&-V1-VAEr7i$L?@wVIrVqw8BP_^)0`SZPpJ>+hxTydDQGv(dLnv~ z!5VZN+QnfTdV<}xr5}2nq0Rl!W9;$<v=u$d;TH4=hnvyE9JZo|6iKv+s0BU9Zr`*S zJ;1K62jcx4M$vs7Hlts2xC!0MU<5UxdpK-Fzv8d~-Ob>!P#AYHSdHq@P7dqPog8jN zcW`(tx}C#XbQ^<}s0Q82;RbXIhwIVJ97fPh99E+n+4oe6h%FLOC8|Qd;Mdoo8yK8{ z)}pI8tUyfOM>EhGbOn3BjDCoT`)D~@jhMKPiqJ8LiTeOoAtvqvT#1;t4{!xy;y%FT zh>80EmmwzZqop;7iTh{{T8fys4{!-$;y%E|=v>A@Sv_LXKAMfn5tH@-E<#M&2e=S1 zX&+!2V$wdqQpBWvfC~_l_5sdE3HG_O(L8iIgVWJmbQ*_q(5W2GMjaf^LUG2;^nPd? zLnT8{JG)$nN>Gdu3zwo(81ZN{6P?UqF*-?w!ae9j2B$$WpTO>#R)~)0#3FPYhtp9T zhlOY>hex9=3{Hj3r4|M!1B_BAe1N8+W)7#IO&m@}O$@$|CZR?SC!z+*g7AJnRL_Wi zM-xyThXrUOhxzDO+F69ZqgqNs*(ijn84My3RWTR<xQ@Xr6hxIA2GCjt{U`@jP$*mu z&sf7@7Fx|RjD@dR#^3<hsw`oJWEp~T7!kw%S{8>fl+B<Z#Lx%|h5rBx!&C@8Z#aYh zh76eueh<*c;6DNOV(@c-UIzaG%eSE%3g}1`!jp$^_-{0r!|%}`20s(NLjyVd77bwV zQ{fwQ1czUv{v3XV`f>Or>dWE3P#+GzK)o6KMEEDl;P7+gVen(%*UhT$V;Q*^@jc-~ zBy;!y!W_PjL=OLs5WDL=2}z9juJ9hRFydP^!j}xaStI<5U4BD&OZbArH-&$)>#r9I zpEKegVXxpHjQGkB;WI}3t?)bHZ3dqeUJ(Awu0Od{_!}cWA-pL3mBGh^-wJ<W@KND6 z!do0ZFTBa&bHW=O?h{_;aIf$u4xbfX<M0{bj|@H_{8{*#!$*X#7`$J2L->@#*M(0w z{FCr8hp!1Aarj5!Lk?dRKH%^V!uuS)BK)1hmxcEjyifSO@Ggfh3GXm?ukfJ2W;fv; z;Yr~|M!iSaCH#)VCxqW}__*)_hmQ%r;qX!6c@7^Dp5yRgflaXR+=ql`IQ14`ABU$1 zPqXsBM;7)n;@!dn!Y&T)7oOnoKH+f=e=R)5;l0A69Nr^5!r`xkhZ(#@xJ!7D!=1td z9NsD1&*2@yeH`8{{F=kt1U88Zw+OciY!Vf27VZ_EVi~Rx?iO}4cs0N$8N3p5Kg8e_ zkef}o!WF_z!rh#Dqi`38zZ7<I_zU4q4sQ_d;P86kb`Gx-ZsYJ;;Z_c>5pLn|YJp9- z@V2Xjn>h7K;YJ28M}Bk+gO{PfXeNh)P%(p-qVZ@IhvU#n4v#`BSOr}?1TAO8i-gOC 
z>p8qkxQ@e1g=;vxM7Wy6i-oJ$11_o;u2oTg;Rbg3LNpdFWpD=?gO+eO8ZG8<6e{O% zBwEDa1!x3X$l-8Q#^Eqj%3&s2z@ZP#=Wr;R$KjD^E{8+V91cY^ONB5%&t~v^G!V_; zZ~!Xe@CY<rg)lJ`GI$>9kB;WBADYHtUo@4&K4=Puz0qV2d!b1jdeKA<GtdMMJ*a>~ zH_GSGh4MHQQLYMs^)Q3yA}0zF{r|qg0>LxKeYxvHSB~=}#{&+leV%Q*vRlcp=2%Xa zcS+w#A$+2E6Z#63K-M4l#acV;PGM}Ulqo%!eAboC_Xoqi`Lzw;lZEM>5RDC{%}#yp z%vJ-wQFp?6cRt_%l!n$;{bP+Mitq54h7HVVF}Q-Dj_P_ui-LYt%->;4YCWg<?pz<y z2L{CyRpHAwy%DsXdyL^+U|9J<hC__u5{Uc*VZOi%25?;6)?*BZVr3mx(zN6*n-*xp zgVT-1h97Q93&Fh;DBSsyF<yG?n}V@mhXpEOZkL}FAa*GbS&ir(lD?93TGlffL!_+- zV#OUYaJ{KZu5$>V(Fiy8pq(5P$tpqVAC$E=fODoESI{CKk`pWHkl;fa*@u|TD<FrS zO>oD>bV0Rm0ADJ^%S%mdlW$RDU8KjFQLLZ?!)Gk(sy+flN6uLMKM~dg6JQt;fp^t@ zD0SQn6r}JD&Qp8F(J8c<Ktb%74n&5bAzhYsK4~CSBN6(nYO_GXRxfF&s;i7fNj%eP zL&E~=9UivRSKbzdn1(&pxdZvJK!*SoqM96~sgOM1;u;cu(O0+y!o(8YX5JxsssjY_ zV#V>3f$1(sq(C^?dzsl0>kcK&jjc`KiVrN23Zv1+D&|GE=Sn{un;1U{K4evwjVssJ zg$Oji5&YqSK5tK1t3lt$jpfHr1nyN`-85|{l)f64H8yVqzkO9bHiQO3vF!K>z<P0) z1yAOJD2dg^o4-1f^;n}1#*U634=iu!lH~x1+A!Y0@Io3mw?rVl6+FsD!B}uTh|ol% zyT`sE5X*`m2j5WC<u~Nes05mxI%mGeIL?U`#M^-56^!FlnIT{p+EZkP9-X|vG;=HP z-lefF$O+t>6f8-rnrm4&@17~_a?qeZD!v8y?b28mWCJSj6HDlFSfY@&+(UzRxxXM5 zjBf^R=cjKO<^KHSEU#l*6)JnGjPuF*zn`#K@RYi*0grwmXM^Kb`)BsKwlkEslq~BB zmfe<K@;cB+m+>m`GV~%E2bsJ511ZA?Wu-2BOucAPp+710&8}|(^G`B8!<a>abM{OH z6P{utI)(z%fwUD28S<GCHup=}BUMV+h|TCY68Kc5q13_!2`*Aq(*SW^pxd;93(VR& z>gE!JRaj|)kv_QoCnnkKV$Ur3;XCqTlRJjMcT{#&-eKR;*1CpBbLF~PwxZWWAUfd@ zH<vwTy$}3{W1~6-1OMT!_z$u6l5E;N)nY=itd2pzsVe=XwwPd2ZYu(t=?&U^+*2F} zW1~9;Cd<|&YC_>dYz%doGK=k=^c1IooY?q|0l;edS(mW-6LN?^*okF#90B~6q;0ma z2A;s0ZF2t%OxT)9tLT}Lf^ZZIb@T_8)m>*(`-Kbzz9KNPr2`)9DmPa`h^kib^A2%+ zdr}@NfNs|h*iPT=fNhW%$aoAf*TKtiAp~LpPv(^E9%;;kA>g?04{@C5o6jc?wzE$? 
z^26qFPjQ?F14SR;SPi0++B9HifNr^f*uEL0i^k?2YsF!h?|K8P>E}Breek6N^E5Sb zrJ^pK<>rHVZnUKl_F;N@ZIl}u*3k?2AIAm`)0hnWhhT%gwYdqF7(KU15emlgJG{VU zmzxx!0Nu2!ZD?(5jrx+?Dm^~Rg#xju9T~uSRhI>v10oyvGH(MT`AP^|L45-KgvRMm zPOPxQ17EPQtGOkVe)X*1vjg$Eu@&};dS)F!nlXHY8$P18t7-_Q&XD}r!?f?-W8V;* z5F6Ryf{#!aGpU_5SiqXkOgOFS!TuU7h#l481V&YNXlWQF`|WHycTuFNv6&o|_0((= z%!l&~2XLzjduh1MgVCkFsSdhl%TM75G7t3sg~_NvK#!mXF&BL-{#Cq6JWg68O@yd_ z|G>}VoAK#5f{Sn_=&zS3Bf+NoP0&@p)Y@iUY7JR?Sw6A+#&WCWWXnR!2>B~{FIa9j zgWvokqz}N3z1_3Vv%|B}GYYH)?grcc9M^NMi(KnnVP})WWqZXoRym{FTM7SD4=7b& z?1Q5t(ddD&e33s4C%v0mYgKP<szeQuNI=yA!ev21#y}R5RU0+%71;_*w`rdT!a_3~ z-P4nM-W~Ae#R?n~rp=#koH|OIU|mi3)3l|Z_LQr-eo7vDN-b=YCzrMCfMpSlX_(~w z$`Q)&K}KHkLJ(F^A2m>XbA|#lby|ie_!fiX40sVt2oT|rYABF0ngKzCsCcCDd(C78 zWbCvLDS!xyEpQ^IhP+Mn{)n&6REGB_HzTde2%EuV(7h>L<<Q*h96L-IJ|NvQlCi}q zyLyP`Icd#swY-ds1hVq8v=`-el?NE+#WAC+Jh{m{MP20yCG*VfDo-$(r?jg)fn=UB z)0E6|T04syn_$@vzS{B&13BOtDcZUoYNi&Xa^gK{1B~mVlHwTu9O1b!O6JIv`~Asa zHmYMmbmMphT+5MW(4}L!3EER%+<#`xyO_9f|Cu!pPQvBmR5nnTY~*n^hVTEunr}Fi zx&O?XcQ>?a|6GJP7ry;JSZiHK_A66*|8OZMTfLCj|D&}Ifcir>qFpgLdgg`T4BDs7 z_t-g98BX7>?<9rEzPcpcBcKB%eY;_=Pkn^`ExJC2hoygpu1Vv5U1iZe1}o`blguzU z-81rFbkr(Q{5svBL9%F7SCy^<k{r76Ykaz=kP%Mn4KusSp>=`su5xHixldO)v<5sd zHrQ4S%80Q>L)2wh$}~qKAS~5JA+}#t4GrWrY$iD__AOaF6ZUpU$T!gW^0h>^wvYf# zEiht`sD0}iTWV-{I2vG%#blz>D8!ko^tDuOh>~2h7SEqYq5wu3sv4_djPX@RKu?2D zevo1L{CQc!(3i3CwjvV9(QDvtI*d^;2bF@7-1@r4EsVKEku9*@#6r`pgCL$8K+OPV zrY2SQiA7C^zsT&>9D#kP247vIVFPdrzR;>R0uxz2*uI2tQ(Itbo`(#C(CW>RDi9uF z#ZNW?NZ>o&(<58qD5-^LPG$`g`?crVRs*+jtASgcw>lpUKB`kF<E)d&!}Qr~nFR$} zt-cQUA+ZG^${`4_)Jd|hsulJg>U}i$AiWsPBCBV1P+rTkky5SnY4P8E5D5{!elwh= z1G%-Kc2jFaeMEBvN)u`#k_{I@>kV{enn`x@tyOhoD)5b2*W9=TqI8Y*ZK)w8QOBkR znxz^lwze+ngClQp2aDz9Bizt>CxIR#TiFH#$xzQ9P2vYa9e><jX*-^jTG0WQnr|~i zCj&=-<&9MvA=F$-A@Y)GBk{zbK5J^LYJ6nOYN~AlHK6KRsL~c#u){YdpOWRHF=1H) zf>6w`xmpd3S4G%)?Ei2Pi-oZwTa<JokEw_&q3Qb;RW@wU;<?ReEccBmT3SrJw+8&7 zz=YsfR=i7^K!p&hl*Vx@gyX?vRYNgWLZfVkHbhD_O8bKkIww(s$nq7|!FDR~j||>q 
zqm3-eB(#=h-xkn7sieIWgjJ}W#@3cP@Y_grj!8?>+9kB_Vdx(@3WRkv1(+{{=ISph zUo;a0_KgtvlQ=4@+DJJ@pQXK_dNUDPt9{0Ji$vT<--Z?NRbzg`x+v)ybOX@zGWr@Z zv`$$8chwq-7JMzL0Z8=<)g%raD@`pjUc{Hox}Nkb=<lS*u)Ay7z+#!BWY(IctqJ}m zWKR#Gnb$)^J}CNV#g^KZnu@s%jawQj^oMk?py5)5@aKFbv&j6Y0wVX3Gx10Ts33s* zMNrmds^a`UG<1TJSz^8~-(S?+7>)YNVce|%$K6DA0XQ17yu5s@c4w$S$z%%wov4{t z!Id;BV2Xk1gU0uxYai{#fgvSx3V9{c-59Qz-b`w`g1L?-vD}G!Vt&&J6P3)_W;S#E zFq>3xZNG|QsKyp36X0`svBsx(be@t~XudV%FNanI**8PcfGRmW1x7L`DE>mUHXWBi zjZ5(N2vwslb@)wAa{fP5SSffG!ukKluDENU^98W5KhklpV+r`IyV>@jt;}XoF0-Bu z_U0LKMEX`bR~n6L#s7#q&|9b#`GqIo_B6jp$F!u2NFK;EHz~ewcbf;}A~Ibd)0&Q{ z$@g#v-hnJl^7wDw(}jcT;*Kfcnbk`-{%T1qOie`MFWH}CRu%`drektCmNij`KkZ<O zrVExq(_#{ANTt{3EHCos=J=MuBm{>DQ6GsmNVW}33uw;GkK&S@vb3RNVzPWPsZaI^ zda;&sbTH+U?_WB>4<l4P2pnv=9|f1}8#*SWdy}@FIdpG|P3$Ouib${8311Bxu4Ri# z7Z(>To?W`YS31)-d%?`oMe_^kpM{Hki;Bw^^Iprj`mt&xSg@fZKee2KS>0-}UDZfl zx;JSHBmV7&qVB`#-gG$Xeso7J1SeKc_GW`*pamzUYZKV+s|6(|8qI@jVQYJCM2G-Y zYZ_@drScEVO)+^v1$#k-_JZV`$9PGGGH&;Fgf#EP+p-VLdvVdC6=nXMlqx!0ezkKZ z_*E@v>ZEuX$TAg0&23FB#I~fVrY$=skeZ>qd|t)kdF2&FwN2pKKWf}xN*2t#%C<;z zMRE|NuBtb51XEiI>{Obor2B2MUFirUi+{+$6u-9U=RKt7il2EmCjuC(&7rMvxkV>| z5^75Ytez^CfW%luYA;d^zO+GSD^kb&px1QdBukx7?4j<JdKa@~Nk_K9<$5rbQkwgj z+2Ic6)x0Asm1*6M46mGnX)0YX9oyL9*V;;Z)q%B@^5XJxe~z|?#MwD)Z6y!HR;q+v zkvxb_dK=F*^iwL)LMz~REUg6jAJ!eJTl|jkhB^vQ(6*oWSL~;b;0{_xYdXe39SvgV zw=ODP1fX3dx6SzT4x*BR0sqoK$X{4C8>EUg9Y>{kL9kmgso@2Yj<LyB#${^|k-9S= zrIW2oI>s2vJUAg`#@|nw!yUBDBORmDaonxRHa*9qOdKDqj2@i8g!By^Ba<9+AvD;% z^-EVG&xmwyN*RI<qB#cAzbTg8F&u=@^tyfJg`nHV*QQ)8syx!XxwfaYEeJ=TJ~=FT zqHa>)f($<;^-01`Y+Oes@H;K7iVNshPSA7_i4}4oSSz=|`K7tz{wR_?;l}QK1BJyG z5O~Ue+WD~aF6S?umpjjOo(jJ5o178nN@uBahI4{53w+=o;dFrq{4X6JI{xf<*|FF0 znByMD&5o-a7dR4*lN?b;jbpWAk)y;h*%5Gzatv~0IAr@b_D}48wZCeA-o6WB3f^YF z)_#%wOnc0}*}l=f*1p6($3D%TYaeSr(%##y*uJ;@!}hN2PqyFM_Q1Zwowgfnm)g#@ z#cgf223wWtQ!oF(Jr&x<GY@>!|K9t`o61YdGs+{%-O7#170P+aY03%8CS|>{N+|<R z{(7(VUt2%6zHR-3^*QidpVrU4bt>pSjIj=}_Oe<n-&sDhykmLI@&edOJYc!Qa=q%; 
zeygS4vd*&1GS5<I$+L{J_$+-bcKJW@Kjpv6Z^$poPlF%6yX0TWm&@nMr^?66O>#tD zDVNGK<Oy<?JX}6Pc6I4%vD1CByTx7WUITFyX1S-hgYMDp!EUeH0udBGb^Q&ZB)lMt z(wEXlYD|G$(*4pM(hbt3(m7Ixbez;ERZA<R1yYezAo-<XQh&)MiTF$WA^tOd8SiyH z>AK%_J49Ew*tH#ED{OT&Kpcn_u2NUAYoaR~KZftcx8iH@MfgnIj<>2&2^QcPcp}cm zBU~dP5`))efjA7GIp4(tup3L_H{z$_-^4$PFNk-GH;Pw)ck=Va)5R+UqJTnwmOD7= zPD-7Kpz@&HN}XJwMdGt^J%>-ojqLiO=`!;ng%*Y6O)4!YH?fQh#b@MWIec2KWw2D- zEmv^(gj~t)DxEH`RZ&Q;Qc+M|$1*MupOl%m6tqCxD6eAI7fhFrQBg=<qoSa^n%y&B z+$A$#CuqL-guIMhpFdq*s-lq0ysn`6L7917LGvIZbAN)0#fN3)!3E$$GV|bqip1Z_ zs^_q2XsygVmY}KPPI(M_>s0Yhc@%rW)C_qvBTf<TkVkTOyF7xy$>MD?^GSs!i?_-? zPQ67QszPChJe<P|<Y5d>5^t6Vst}zb58`m6JVb@UrSg%Cg-J)tgBcOR(93-paiUM| zr=s5S02TF;k5EyD%$!sqh(9m)Vs}pve<^#}^$ES@J}T-Z_hy$N0==BU;SI8f!LWFm z^eKm@N}q7pAu(4=FkZ%`k2rOk^dX1s5_7c#8Di4=oO+7%cMeaM-sA8jiMd*WyeCS` z)e^uHq`&bD$4h_Z@Hpvh4%?)^FbEO3r9X4HMS6?F&C;73wo1(V6v`D_q}Mq$D*cJW zX6ZE!H%Wiwut|EA!H`%bJ<Q=6=}{F5FG|dn5(<jzB<3CoV5RgR%McXTN)K>YB0Z!+ zxQ%&LLIKFj{3iiiE8W8~1jGu7IYI(ziNt&@p#a>*JS8Crcq}pZNB~z$%smpoV<hGX z2|ToYAl=CxmIJpjPe}-3^-5PUDum;euHdjtx>|+kU5WW7LJ-4Ox{^^L{H}B<hYO{P zIV_VdQz6`TxeDR7OBg&#ER!zeaDlXg!+FxVDumlEQX$-SK7(V$qoor#oGL{*oFZ*f zA&N_F9JWcvaky1d$GNd+m9&LX$A|^eMh^3&4Jt$nC3PelE#^wqtS^i{Qd-Zhj}n8D zI%<s)v!yjE6-|~Z7#u13rBx~f>M;zC5XVT&R}vZ_j*!&hW(3+JspHWIv|B1u^P=q% zbKL|kngSB@pad{eDp4~CJ0#|r2@MyANX(}Zz`+u8WQ2ypbB|_uhr@HHaCnC_fy3<* z^TC9M!^0*q>M*gtq>gjL(3{eDl?o3Fa=2T{;c&aed?le_=uBy>N`;4IF_<a#mX2ib zNO7*Tox?uTP!27Us6zA~{4WmwjlbaVJNyq0_u%h2+>O8Ga6A5w3WXi`YX*m)e_?fa z7=rd-bzB;Pc4Kt}8iKat&v@R`usZAvL8oGM*ck#3Q->%Bu`T_Q<sB?8lWyX0sdOWU zB@*)*h9JzgbOWP8bZzN+4wp#Ra#$k$LWR)tu48bZSSnq>;S4Fp;Y3NDkOzuksfJUt zq}3dbla_EeN>b;tf#Q);KBo?n!W<5iLL9oKz8u;lD~F0Cb12|1RfxX9>Ht0veSy`1 zb|Cr`zriznjQ_;pNB9pMet=)$@O}I;hwox_@Ejl(N+&Yv0Q3odox{K57dd<n|Bl0V z@$XeAoPl3r@CfuSeu2Yx@NYQ$8-AX_{^Cq&n+nli@xvUxjUVFhFIXLZ`=jUavz+=I zewxF5_$dze;@uoRi=X818T<r?Pvgfqd<s9t;U4@bhr9739PYvoa<~)k;&3~DhQm(0 zhr>AD%V8Vd$6!BkzH}akv!v5F%#@~aXqOxuN|K;L^gaG3hu`8)Is6d629l(WN|S7~ 
zTNsk-R1}mqvV3LYQ?fb)mWg|0bzCf)BS%=yvXES(qM*Ei-7`;oTrTBsqg=+W&kM<m zRTPxVRTPjHvW#=Z-^i-N)w%QKc1D~fJ|@rOaHBk*-83s8tD|6v_^3RaT`v)?mgjPK zxjcu#nc^dI35O5Mv(zHV7q6FH>|yz{WH-x@CtfEzIlNX@3o=i<Mz(Y6)v}Glt7L`4 zD`hK(SI8C)FPGJhl_y>%OPqSCj5)kSR!70Gc(IHaH7s5vt2~Cq3ng`s3yV9XfAb6% zNZ)gKzVsc3=Sk|=7#7c!zTwn!Bz0^Ii)Tw;aq4zS?dM_fEJ+=H!{V9J7d*omlG<Lv zVyE;urzRwIP!5ZyOX@h9DfW^EvkaMHhBQ!xFmsIHaJMv!!|l>26~c7kW6&qMqzn$7 zl3Eu&ctSsw3KLl$4!283s1Tmeo57(l%bd+&A1RYVtE86tQ1IoimhVvXZ%M6yq3{Z| zVu!*j)Y=>hbFkV7hQcc>WcigPR|}pSJWZA-<Oh_go+TbHMDKgReVTi!wH<T<9)!qy zInKX0Z?Qh=obDXpc*b#sb%vu-u6E?vzqIdzwfuCu$M%}_d-*HNOyyjq&UUly1n_?E zRX%|A_I*~lJL|ch@BO(1elCHZOW=RG1eVCLL4!o9BS%ycTbQ;@3sn;w4~oY`i_1rk zK-mE{F;pkoi&PH|bb>(}xe62)!OEq!Dw<mm@)s0@&~a0wdh$?EorMGKdN9|iBX@v4 zanuLe%W%dGDz0EIOkP-9#V>`!0e?<77q!ioV-Aq(K_v`wP`_c2g?Wo&j8P40P_>1# z^6@@Ukmc-v@^nojsIoRT)V1Y?!~RgX0JR=3$2O=>W7^H|;!1<U88B1Z3_8%2&9Lh| zrl`DZ?0C?stgCGEfm1wCGBjq65L;}b6bmZc@FC<bP?IAp5p7H;k=llwaL`{644{VT z(iT<@U6x=o*ad->azktVI(XOya9Rfi)Yu#i=LY?`1qEo$RH<>0xH8h*SbH4#PW8AN zUPsN>i5V1mb$z5B%)@<^>!B`4iR42F^iWPNTB+5<7SKdcE0UHERZS;4+Tbb=ii{|4 zLuD{`CAql)e;^b@<&&k2jQ@s4(C%c$Qq(b*ruqm9tW|_x_Dqs1Hx%**f<d%Mdo^uW zTrC`m%h;ZXT6|KkF)u&YpBoIL(xas)Ea;$Rtp^QcC|Io)$k7C-m{SdUrZ~^|YO17) z%(=lle?e{#P4Y|g)i%hrlYP+UszG;l15xZI#aGu>kQegjh4Rq25z-{mNI*r?Uk8mD zRPPs;L8;RAM4B}eC>k?Lnr6sURJy1fT8e7)8w%w4gZV);Dnsf$NCfT9oM3@JKbR-H zkST?M0J{8T#9p8o_-F<da$qDsFV`Q=DG)9kDNTVVb7eQ+aU)SfSC!rJ;QcwFJmJF} zsa$<O<*_-!bhIPY+3+=_9zkPw$)b7DU?>Q_Q1g*(f)vr;KvieK5`nZL(1eHP1Ri#( zee2qM5K!I+&A2%f$o1#v1cc9N>Cy6_uc{^vg4OS&`s$!myD?e-xkJIA@Ue+8V(~y; z1NzK$zA>aI$3i1*YHi601^l_W`A7;$s|F#pcERICBh(2fz<{X)@!!%?Qy(Qvse$eD z^YRH#j-a$mYZ1_9h$)4?rL8GKTQX5Wqu)ag1jD%@e>e~n-qyc{JijUeot2u@sf`(& zZ9rwyPMaIbAx*)?M#QDi!r`N9BiRws(?GSEwg~zaQQw%#4baVbGl3zX5}FDb3{=H! 
zUu6quHgAlM%?D0`p?oACC6xg4?4c1~edShGAlbA^qR_Xad3iZ7`~`)7(;ly7r5WgF zLZheEu)Y}v4DcL7SclqEYbB5$hBt+UkBo1kTsKF+i~+b+yGt0lH*|4f$0X?92!?4g zibbQKXbuAbRWV=hOB%TOz{a|^zO`Pp1IY>I`@`Yzl5x^pdatjwiL}Eirp{j1*toH^ ziHyf&un&XQK|yXfSSrW7YG!6pp^kdd%DNV?BLU+Q-Rq!Q!Th9+)@lS4=wY;oP=kxg zx}1WbKOD-LGe#<Ak86P_<^FY*!~=IJ^j9+O!+$Ua<>bN`lsBzLjuo+-Y9rG|5jx1S zcY_ZT(&%9H1Vb1)Oqz1h$3i235&%t9b?RfP=b<q4mvC@$o>Zy6Cqh~SOru1@zY#cB z%fd&$bxc#F2`p>I=Hx?@E(jFEOy}bFsUCdm8>?GE!5!uodOv(l#7{m`t0H1DkTeV3 z7-^%;JvUeom@c*H9!4w!s)&c|wxoGWl$I)d%7(@k=s(&sqv3*pKO77XE0JT!_zX5b z0Xyp41iJUcGb40tT`7@Sh#2EUgE=q;hI4ahUnK$njAF!;h&57XutWMTD5LwL)VWE1 zI3GsMfbd|lk${B*9pOoRm|mi`WSI8p>xg}XDiUaQAIK{JU$}V_XUQ?lKBd034thPv zDUjRrJmP?|nlx}|AJE&u_5zIG!CtBoMiH>>@CS4A#%tfgCRu;9ay^VWt*TEyV*FAE zg2iU2@&Xv%!udJKsWnhze@Hga0C{#GKjfE68IN_~o2CUyt9CP(H-MoDX>Qugk{5(l z7RakCl8#TGyA*~_=8T)wFe_T$7&5CftB0{67~Y_btQ#neWzT??<J(*bMH7V?2nN{T zyj*EDyHrK`AerK!`I-t$vy=)z-wuRAo|STJG`p*^2`Zb+CkA0hKc<7AqP8MvFyo<T zz`#N5ub`gwjk*BFC(<m)`u`-nMv%^unxt|mPa1%~!*AjzAS&JC*6XdOL1g#&)*NeZ z%fBqIS{|}o1+nHLmRWF`?Ui=PUqW=bUGh!x*>bDAN-mVgc;59q@43fwxo4Z_SkEHQ z1dmTS*JE{m;(povu={$55ExbZxL3Lh-D9MGxii4u;G3>JuG?G}xQ=(NbIrjwxdN^u zT!QmGutB)bd9_mEJRP(UmOGDjj=@`GkJID$m*aKEla5;)=Q-LOYw;RoE9e_!Ir`ea z2Q7oW_Pgwt*iW%<urIKO?St*u_JQ?V+l$If#cz86p9AsjPq#JNmfEJ+MnF`)&!wBC z*Ofmik1IF*FRv|r=KZH!0!JvlnK3jNi-Za^txJ5A;X+8$+ry*v7s4S;cMXrwUkFaf zDOb(fai76TU+P>yq>79MdedI<mDG!x#+~@5)QcJ;;!Ea>I*S_dk<^QtUZD6;>P79t z(QT<0H8nT!_SB0>ZhxmQfV_bANbDY<^zKWorHDmNPExlO+YPq_wK5aG)n5pPlf3^+ ze<2jo6imfW^cMmF&A12!3~vu4ZQIdm<CP>|!e0$na>80Iqh+QmTG^md<CS3Yo|UF6 zN#6RJu4uK3!p18(+S9~h(-o}(gm;X!GXWY}vfzH5dQqz(@rKlk+J}kPr(V?FDc+NM zQTqt-Uh_qr2Cw))>c!+^?@zs$eC%Duiv?MstYkZAOueYNb`T#+y{J`&_-g9KWbxIe zUQ8C>v8fl6#aEYlG5MYKsTY&qd8fWfhl9zx-q2qN29uxgNBsqmWce5*{@!>Y$@+`> z3!y;r<<A)|6eJ(@On(Io?1+~RgMFR&FwmK22cYNWYJJ%-F6Jc%OyN5H8}dS0EuqDR zCk3>kTy3~P$LmzXg&eJ*gtLtow68-C=r8E>)Wus37sA@3&^d++xmtr0?lWFU7VRR# zg^>0rajE|M!a?o(Rv76Tw*`g=CBGZl3>T7P1iHp}Az8Fm;{}Z;)ULmfJ0W?;JH`vz 
z=b=%C3;D@A+=dGwt#zWP@j~)Z^~MX@hl_@mkef8-oMyN|_u)4fFKCSr{ZfA+l$@P~ z-xx0BX`dmyYP_HomGH9Rf^Keb8ZT(|iVR&Klx$SOMaDal>=qd=<R;5-vhjk}Ezv3Z z#skY7-u3eg^q}^A0V7>|!*nBEd(M0VJy{hQM!J@Nj)9(|^_Kxgy2ek9k*@J`q>-*Q znzj0Z0E+<rz2Yy77qk)*Z`402SfIUmmf?ovNGEg}FKDk8t~OlA*LW4KFkaB!Ej(<z zkZeq+8ZP8%cOb8U+dQo?H5lk&?cK`^4+?AbAlz-Z5K6wmbU}NAcn7>f8{w1F4!Xeb zq=5DjVuSI5_HJ>3;exK8{@r*%y90e-cz2TCs=pzS?7!$y!-ZsBpcjl6w9iA+^smqf zisKD8B>T1KGF-^j8jje@a6u=G4l!QPS`IR_gFsT?MPm$i1d{JqOYHwMAsi+6>GQjb zU9Y=ZT`uPhjz=6z9Zvi8_Q|%FY@N1Y$^*(GYah!^mI}~bzgc=rT7r+q8R8ys75Wr) zKycnZ@QB0w+t9JrY$XFein?d>1V&pyf1%;*3Cy=fbX3>{a83umAufa4H-mS&l8!Y7 zQzM-W#SO^zV;lu{s78aU;nP%uG-hf9E~#?5Wsn9wQ__7~O~*0GQshRJI+tyn^MkQ9 z>cT#;rejs=tGa15+r_I&I#wF0LMOHI586*vz#VE;tVm@#)Gf<BII>z=;3qyi{5reh z`s&!yj^#=F%?Sr)zgaYI!D85U=kpQ&y2E9^39YDz`dz9h2QNyR;btJH8E%3T6ylBv zOw1dbiFc@)mioGyj%BHZsB<~SxjqDqEVjO5X|fPk99SV1E}pf(pQBA~oSnl}h;UG1 z9AmU{gq?i7B|9(6BI47ig4nf__-dN{>k>m7*Db*K2kfVf!yRh%EKXNFnqbTycL=Jd zq@&!#v^HDux9pecT$SlXsZ8sf?(xSR0;bz1b}WP#e^u=y*65I!+2#<OrucN0>~NX^ z4jSM{4?H=wk?4Is@JPyBRM*3HJ&?iq8ywHnS2jTZ@KuqzrAH6o9m%&YQdLQmD?nAF zg`8qhT?2A>LykUua9~J-(!n#x=AI8u&g;Pg75FSw?;ze%h@U3#iAG{klE=Uy5qU$F zd4%{;ED8xfk&d!tMKRlC;&HHBtt;2RG!HyHC0#tgEFI}6HNOY;D7$B$o6e#*(y_q& z9_m5ST)+p@@X~!xNymIcSJ7>k@V335t^#+^t`g~(myTmiM&*y|F2|9MxvB5b?Ft^c z_smK6o|N&syWdmNG22)J$<-SFl>OB}0k?Lam5yU=naUs6U5;Z_9VN-xul&GfKjy9F zM-w6T@2w>%Ou&h3MOkGvIkBuL1+6!5W=Z6UNXN`{#d#Qpl;U*nISd_VM!NT;OpV=b z9+8fsbnnrYe}}9YR(DKKHp3+c(+pF-`LGFL`*j**bVfqG3KcWYG;orxw!^}7<(blz zx?68G9Y-hM!xw3xtZvm?7mE<G{?C%j1<&K2n5Wz`#{I4PN%uKmRo=_B&(-0ob&YU- z;5_I5+WQjlwyr9F>pkg8vewtqHBGA~Z4xK(zGiJ5+i{%4v12<)x73ww*;c&Bkz_m0 zrpm@Ljr6*gLZMJ7YuP%5LMg*mmZ2?_vJU%N7$^({hGAwHru={Ry>}(O>nA6fv=;ww z?5|&Qe0-PRJMX@G&%O67&SB?9$NxBf;&{8`h@;)HqVOm1<8Ldp!$-fu_GR1swga|{ ztuI=iunt;_$Ul?Ull_*LEkCe)(ekim5REVWEJ<KV0!tG3zafG1remaFnd>4~4UFw! 
zO1X7w*S5yG>64V%>ng8<32JRwr<V9tG0b8KY??-q<sbmlLl|s<H`*ISpzVln`UI_7 z>8e9iADDw}qtV3uFgeVeCY?WhoEEvnRb5q6TwPOzE)m}Ris@sNTkfJ3*cH_P(z&m> z8AiOt2U@yzG<MV<*f)LDiW2c<F3qjr6>?J8GCf6m9&u^@2GmONY}^#KP9LH5L$0#2 z3K$HRHLEuJG+y{9!jt1jM9FKdm?dfk`Fb0=w&_XQz|_^XFr_W4s%%o7ESOzs#sr$$ z05W?yNL|-*BzwoXd3u7j*m-p=j&tx<n>3T<!Qj9kd^l8l+T7J!r^gjZJ6xL6#5uZN zlukz}oV~8HnrfK2R-_+LlMJj`sfp*BNT@$rN^Rkb)=fufjTQjFFsiBULZ;Usf?-pS z2ep#w*?@rRsJVGMOiK^BDk|%WE30ZUrK#b$R)YpK&$4i(ClN67Mhx%1Ez^f-^$}MM z>@RC8Ynn!BAU9t~iC|6*Z_x{lvh7n0t!a}m9aX||t5_<g$7uZn$^fb=E2|$ybbab{ zK`k~XLR!8SSZlY@_paHe_D+Ws8P~dM%Igr>7H=J|7iQ)9u>m7|STxhl74&@pSYhJT zD>l++;J0#YdQ|CUz@@pMC~tDH++Oxik0`w_ch#0v!v?pa6S)!KRf4GUQA82#8OQs? zfmAPS#Dl8YHnpbC`dsL#5^P`ty)>yLB@s582KR259;OnXa@Ew;6_?eO({@*=-^+@u zw(0kh)i^c1&ThPEdWg1i!c__1nle~cDXqYAACapAXVK2~=|c*d^Xu@nRp2HI?a<wd zVu74_($k=Uf5<h{LE6w^jAH<*tfCFA?%olKL|0QO^aqb9XK@QW(z@wE+Cqz~9G(~z zwY6Q;Z%Z?XXAiHQ?a}nqS5FVn(py|rwPhIi5M!2j(lbqHboF#UEmzN%Q@=iCRiMKZ zqjb}BfR+rpDym_0U0&T0DCWkq@(uOFfS;OI!`hmfVB^>rZWy7_OQ-v2?bSeEhH0z3 zK^+*XKhVbMUi!xYS2Z>IuPWC!jr0-$2sqm#3Kq+w5&EUVv!!&phgRO}f+ad#mKsA! 
zxOgSOLS{};r)Z2w_{>~6?WZ-WUF9&%uc)ExktUst{H~k6MH$~$x~LOGMR{367!hz` zXRq4GH}7j{q-il|u8hoapx$9Fm%CTZbT{q3+f_q7f@;gPDO0naXNv%pA6zq3-#fLb zZPPc?ij!Df6^Ajpnw@p;mrNg|ja-cvjv29f!w!sQ<}A`UeG~oLG0a<V{HUnXM5#I_ zWc<+-&lKtfz-Pjs1#!0AFnuF!X3A9uEugZjq8(EuhNN;JOlLUdxtMdC(iq+g#tH1g z@l7);_N~)5&{je&&A;ue{o*!GUr!sr{0JBo)wK<<yPxM2knyt7o<@6y^6Ben<$ao% z>ge~H<+$Rfi4U;GAQvtkNb|L+nm$15+~_LD$_5uBO)pYDA{-&1bLB{!&Q;k@zjk^* zt=0_P2d;!QSfiAe>Vq#uBt*Tc6pT2RhmSyX&GbH6xWQEcKY_{$3?8*GAPi$LW*1#I z-9?MGxGLaORaH~RiuPl*g-XXYyk)wRmL73w4uN!VosA#i=IIVvf5@fz1k(Cv;YmpM z|DQF<1)kq}zU%p-=P}P)JxR|IPr$R+v&FO4bCJjF{=NH$?x)=!bwBLB!+qR6=-%hv z<}Ptx>bAQ6<oXFR`hDE>F4sM-m}}T|9pb}PxGr}UI{%D#0na&~biT`ZxAUa)kaNGY z!CC5D=CnHg&GBQz4*ZzoVaFYgV~znwr{fyOI>$v05s?DFU-(ajA1-_=A_Ptq_7`>* z))$r*E-!T0|I_{p``7KCw!a_o0O#ycyWies-)vuNzsPR3{Sk5fz5@G%ciZl>P1{1Y zgSK6^I@>DS`L+T?@%z5@Y3oO=4_oiDp0o~IZ?NvLR$EtECGt1&8=O;o4$=DFMCM3@ zbdz1Aj;tc*6O-j7cr`p@`IzOMmU}F5OUQDQrNvT%czlxiWn?w{uKA1R51St{-)=r` zK4d;%ZZubzeP%bjCSDZ(S^T{CnD~%*yLenYB<>fti6!DP(JK6#@MGaw;R)d#!kxl# zVNmE2t`*h`7Yk-sPyEpIwCQov+wcks3Z&F|<|_n&#^J}6PglrvsNex9C2>5_ETz0W z&nl%nJg?B3a)W2eYHy{Ka`DCNQp&041x1^ba&SBfrI6!MD0ZF)C^n8~S}&!n98V-t zis*U0qD4wscpmyN^E}a;62Z%QwBF05l)x7gq?Ad|>k&R6r3!f7`=w-z<B2A3@+5d! zUHF|+@`S#aUo4Q4$2p$xHz|3H=e_Jn9yMQK$~1R!jVC#!=WO&OkLWq8J;_NuXO$;8 zq33MyCda|a44ad}e|wWrj`csDWJFi*1o{u_Iq3heo`e3!^c?gb(sR)NC^(t^Ptg8H zIM!c1$zff+<L7&lLwe46p5!4tNAf0vx`vL^wg)-ZU%bfy9qX9zU!G*YuBl@?yvYDp z=s&&5J{{|*@MBN1S6A;S>h*Ai{==K}>sV95kG;uTIM$!N$!?DI@1Eq%U}Xluk$s-z zK|Ker<t9A`FX2W#XO%a312`FxA2F@>Ca>4Cgg<$b*Xim_uJ<Gl=s9S6zn+7(_vsp% z6#mVV?9vyy#hdKp3jI+^cIXHFEy7b$axc$&NlLc!ygx|EHa)MK*4@MNP`8!m{a#A$ z*7I(rb$9VR)ZNMRe&<QH=pL-K(v#ew=Tvx-&3aC&H@RK+@U6nXdXi1LLc7sWqn?9? 
z8uT1Av`yF0ZsE6{WWBD?t~K7|wYoyPgkN}**Kn*CJjt#4dMmxjEnK1Bc#@lSg?6Ix zO}aumY2zC?78>86uZPC#xI!;_lC`=*Ef7JCo`VOj)>Uf}hP=rtj`eF#vQk%X2Vhp{ z3hkgU%Q+Tcmg(yOW+_+bSDs{vu23@?FV+=mrj4)XSZI8mz8)H1%N6<;PqIi?XnUnM zxkguLyYMq_ay7?-5LR)lUwV>P>zZl;&Z~5Vnkded9P0&das|iwxi@*Gj@3vp_&C;2 zJ;^J;%FIm-Ri5PKdJf*`ay<uw`Z7HS?|2zFnYpP!_=z`psgAXc&X<>PtRH!k7jvv1 zO391#-|S7occkQn9MANyl)QlB2|tjM2+5eOP2DJbLrR{{^S&=7Ij!pk;d@e&)4FaD zzAGg;t?PP<h10sOr&y@gm3e;C^};_(Nlxv$PWZNz<kYU~gl|bnPVKr*_@<QP)UE^c zIXJcJfbexG$*Elk`YR<lwQIkrM@n*P*ZzXfOG!@c+E3?DPVL$+d__u9wJYn{_6yH@ zlLB~|abw!mDkV9!3(@bSB&T-m1C&#o+O-c*PEoZhtBZYra*ETt_5sQ%PVd?$JSUyv z^sX-2$5DNIU9^uWjz{}|?v>qd7wrSum!9`!?<weC*^k><={*GnOvkE_PC)_7uGuL( z<vj%rOjm51bP6h%zSy(gQ&7UPi*=v_Xkj`QI)ECMU9*FB07Xn!3>`ob(-(WjdkUIZ zcCo$a0IHadg$|&LW!FSlZ0QuVF+J}~-cwM=va7bEHK=1c7FvTkmR%EZ7rm#Tkm-u; zlukh*(--@q_Y^d;>|$-`poe3j1E^%#HQT5>pp)rpLLSh`^u@m5Jq4vKyVxFd0If{N zs_>qITBc*6G3aI4jUmXlbPAf8p7(k0DX3=IRa?;kR5Kk5PXOI4yC%Yadrv_-(-lLf zP|x(mKIc6J{VcoKZgc<zO~*n9oPvh1;dKAM!gLe0|KH{Qsr!Dn&GnG0#`$GupW`o% zI~{8ZKT~*Jq1*m0`&QdGtuI+;t(PLseZcbHmTy~zEi24VnD>bH3%?fXOwXW^c6z~Q za?<}V{S*`oC4`I_N0H*54I_?ovxKZD-cK_@Du>F&nPXGfLk=ZO^Lsl-yUX0Y#fuXK znY0{-(_RwQmA;8;n$E7$M^g>aTz2*Qx^^_}>1t_c>AIdbnp`Za)QZaZ+SwQYZ&LGe zaDZEoxT72?_KMS3mArd-L91YiSI(XU+Ezof^$o@4Wxj^CJq`OhIw0A!q`~UyXxp6^ z*b1nD*%O&Dn0912H}45!KbC>n<3>HD{m=e4rftSOHP0T?S%ubQ{Hj<dr?Cn}4aIzH zVD{*I%;)G9VT^gj>=ZnhE>cEMwg(e6Tuxiu4a^>y52y0gaXOkrPxJko&dGq&_{p1R zCv<NsE4srOzAe;H-qzskxFP6svi36uJun-c|0b$4Z;By58@oc|p5p%5NXAmL?aVAS zRd<<r&;6=dYUXyA(OU{P2Ks4iCFFi&!OPT4aRakqBXPb8b3<VEaHc2b>rh!TPgG~~ z;*5L)0<&XA{k-Ca$<4DN-Pe;90)>si)68|Kp_$5#8X-QXFWy)(BYZ#Q@B%p}$ryWq z3>)=xPH)<%pMlw-Oh0S|tvWZI(ReBtm_20F(>XnnaZiESV5TSbl~ld*U&+AiV5Xmp z?9OQ{7(da#?0`{E>7|u@ENAoG8}}5L?a%a-k=-l)9mO590i-ByQWehP2Ha~$yCZ`E zM3`*X;#T@J7f+w^$8$<b%$j6gqe%Qp`^%&uZl3MaO+*_qp7cz%r<sUQLsPnXGXl&E zidSJVXrArSVXi&v1f{5<sUCh{p06*x3ge6J|4W?@6?p#D^F7Zqo+mwzcpmVa@=SXA z;0<uCr`U5T;`jXtCj-y9KjD6l`#$%Kd(3^%z0+OmzRE4RUUvN}Vg@|p`k3n-uDe{f 
z!fNCu7(UdvR=OnT%kUidj`Iu1DfrORX~2>MmL#wwfh7qnNnl9=OA=U;z>)-(B(Nlb z(@VfJv)jB}Fg0i)QB22|duMimBV;%Q&wFQf>RG0f-kBCXtKjS2nH_qTN$}1z>sbYH z&&+nPvO2ubJJZA!y45?=sAri@cxM`PtU=RJ@60xiHRYbEH!l-R9msrxyb`9#3*9r< zW-}(x+cmmM1EwS1nXMda(mS(-V@-HxHgl|T*UTm~ZfCtk-7_1rJ3EXz8+3L0O;PVm z9mk4zXKFcC*gI3hu?~A@s&%Y@Y0NuQ#j!%(nM#f|>Y1qkDuJOqMBit*u27$8#5+^Q zv4*`fr5tO>J5$234tZyaIabg+vtGyYn+Clz>p0eccV;ce>i5nRajbxMW(~*cbI+{K zma-qCY!z3g*E@4H$Lev-TxDKnVngGk;F?*P_4^6@z9Q@Q<M{o`tly8}cVE`;lahDl z3SAeCrdzx-mvgM{LQfy^L(dg>Zt%2u8WFL-#Iw?KvB%{R-2dVJE%yE2c0cR>jQer- zBks4l?{(kiKIx9Y2jHN)!`<xO>@Ih&axZgx-4@qhTras^aDCVHoa=M0ClJ&B?XLS> zvTGV%Gs7;wYrkt3e4T1s>s&t91@I5}oAXc3Ups%~{D$*O&QIcm;62U<;VCfZJnlT~ z?04Se-0R%#+~h2CUhTZp>2+FQi|~@;1;=+C&msE%#~mMp_rMz*vSS+22u2(|j_Vw) zj%|)w$9l(=jtd<QM?vAA3x9(c1>Y)s2KEb&7d`@?g8K@S$PF-Fc&M<uu&Z!q;kC#S zu(t4u!q*^*!OQl4v;WHeL;E-EU$TGF{+RvU_BY$_hNr=C`(b;({YLv<`*!;#dzt-e z`=xddd=CE0_B-3pZQp_4!Be)6+1_t^o9*?sr0rJQxb2Xw+ty`kv2C?g+Sb^X+s?CD zt$(%t!TL*hB0O*Xg7r!3hmcj_jn><(Gu9*45o?e2fOWUE-dbZ_XZ2Yxuol8I;ZNk( z<VWNi<V)m}<T3JY@@8@uNswb?44D^hAZ?_PY#=3MCApZmh=3dnzqR}n))>!PK4W>@ z@`&ZFmU}I?Sx#Cah`eyn(qU<~Y_^nJR#}!=ycUc3FXorbFTjW4IrHaWyYT_@+s*fz zQ|7pN!aQWY#k|kF(|nD&%3Nf=+<d;-CjO83NAX|8ABbNQzbJk}d{lg=_<(qa_*!vF z92I-T>%>-gIMj;k#Vf@NMTb}*{JZd?@MGbd!qdX1gbxev5gruo7Un$v?s?JkW6w7| zPkTP)`LOtpL`&}(6F))zO4Co!A2p|CjQ^`y5Cl_9e3EF%KV#y@iI)5`CO$#5<exF| zV?;~-852KBwB(;L@o}Oh|BQ(rAzJd!nD}9$CI5_xj}a~TXH5JDq9y-~iH{O3`DaZ0 z5Ye*9#>5Yjml((okl!)#{Y1+n924J1e#^Lzkl!%!z2rqkzK8spk?$tIV&uEXzcBKh z<d=+m2l)jfA0{s_^6lj3jC>pU86zJeKV{@w$xj&h7V=|8K1j5*#xe2DL`zB>6W>I% z4979?0rGuT_KoCwjC=$6E+g+JS_<Tt_<EwHK#qy`k#DmC_Yy6aaZJ32e3NnSCR*O( zn0Ob_@*c;;JIU8rfjh|ajJ%zEm60-ej*%(y6-Fk>ml=7AJj=-2$TN(59eJ9ObL2~m zOpt$K<Sh9jBVS9jyvH$dhJ2oJr-_!eI3~u)Q;d5n`79%2<TH#sNwgHmG4TY^QXt2~ z<3!8I921WbEhBSGJW900$T4w>Jjq%(LO#yON%90EC&<SbIZi&x$S8T7krDC{Muy3U z8F`pI#>g@94~z_vM;SRvKE%io@<B!plMgU*h`gVXhsgUF86=M|a*({2kptvCjO-`x zW@Lc8i;;cgos8@y?_gvPd6<!Y@^(hvLf*#6Zt@T#ZzgYL<U#TlM&3joWaN$H&5XQ( 
zyor(5lLr`i9eE=o50E!7azDABk^9K&8QDedV`L|}mysRh9!BmZcQdk`+{MT?awjAA zkUJRJN^WQ5ZXz>s7lHefI-l(%FzHpv7IKP_JIHN}Y$mT`<aRR0$R?6d$&+FunN`UX zVgq@tN*)upkr_tTlW9g?OX7^YhTO`?tt7_CE#xF4H<J^L+(eEuaw9p$$PMHuBkRZ% zBWuYKM%Iu?MplyvMplt=Mplw2BP&RRk>w=J$TD)6k)>ozC69_FWQdU$kWq~ko+2X} zX}XmRGjfQ8RB}ozCjE@OfCL#Sl0l6Wenti~(lkU4spJuHJ?UlSI?}_)wZzZJBGS#s z%SeEcW}@W}KeCeCqB1ANHRO6mt|m7!@-lKWBhBO>BSmtPnznm#CAmRmPKc|?K1Qx0 zos7JUT*pW=IlxGf>{lC@SV_86=D2t@X=mhBq>Yg)$sR^tMmiX2CVN#fDy|@{jJ%TU zVx*7kV5FJsRy&IxBs(=~C23Lr91*V|jf}jU)HCuj(#*(Zq=}JcvR!Q;a*#A=)Jn2V z{c~7cPPQ;|8M%g$W^%1sG<=Y3Rhfsy%gAO%E+ZQmc`2!5q?v3|YaKpFHmJ-o@j_C? z$O}jXBVR+x8F@Y_(@2byN|g+W=aKb{lt?KfMN*>n5IRVTRpzKDk#&spk|Oo*qX)@a zl{q4M$O=Z<$Qnjk$<>TBlT{jNT2HRh$btvRYPGGAm1L#L92VVVIU`+U86$1vN=91A z<%~3wD>M>q`P8<CSCY$A=8)(lmom~pUc*Q$xrmWwa<N7N*M%C1wk}cI8d^y%P??9s zLgHbhowyijBj+>HO1z9T6G<b{)_H1MhgK4|%7lw5aWc|M?2IJD%19(P*GS;9X(ZZm zsARu*38`h|#iWLj7m;d}gf}W7j5HGqBSm6nq(B4}SnuUTRGB@Z$?`Xi6h1&qjC?;S zP)WFqTK-2Pg}+(;%E*^3|E;#=cUoRnnYRdkusqMmmn>gn<WrWft7NzEd&^fC`I6;1 zMm}Zvs!HB0ykvQnk-xJ%!^o#BUslPRgdbS$W8`-%_iLo-VT-ml-Y9(Ea*xV||BU5c zm4u6o<!(lP*K(Ii!Xd_TCnNvaa=S*Nu{%@}UN07zk>9eU82L?0QYGQqVmZaguUoVQ z5l$u+ZDoTGibY%R;G$xgRm;Mw#iA{faAvV+%Oo5^EZQ0de-X<GwJh98EGIP*)wBf> zjwhCw%7x#DMO)6ggfCkr8TToRw%)<1#G);T@FlTm3u346tR<|Lg|CMts=mz5ZI%f3 zH*Lx;=au=N+DA<MoK+i#F{JC$Mqf<)tW{tIK4aBJUrhY8RU3UV@l!+_o-y&0<YmSF zzu?9K_pjXhTpw|5ceXm$IG%LCcnjY6BZVvNkK3CO|NkSl?bye5TQ`!V<>!`4^B2Sq zi7D}N;Zb2$xX4svI=|qZXhi?hoVZG750RD5><n!<P(!hY7)q?n*l;jI`g1g#&28H5 zORRwL?D_MIXKOPSOYwt=D>G)4&1YstN$ueg`ir;De$~t<YnY!vcdHV5nue#zL>{kA zM;_O_3A($~cr%*Bee)%Lj)sl7CB7zcMPWe^l0NAYE@WH@)|3}9sSPDAHv)D}_E5Qj z4JDQv^>$7cWx0FvB`(V`@Y0VreO_W&df?5JpUuFV7cMzZ15Y3Fezy{Btb4nb>J_25 zqEpHUT&ZQIE=CBVVl_xjaRfOCK&#F#NFl4lFGDP%p~R&|uj!o3rE<Tf`1-^p@XfeJ zHI?H$NvIn{McN^wtEr>4Wl#QmNfb2ks}dIjZ)r}v<-W$I{VfemzTIsNyV!@8o}we+ z-V&O-w`3qRQHszyhY+PcQW_3MhO+#RN+V-+Wi-H4F%4di%)=-Vp!s&``|^i-2UlKM zs{Q2}gd3vK`?ge<l&=~cAL$8%w@{qr@pXxdfOCr>PPi1o=Veb**MYW<UB1SaPWZa) 
zX=>=o3tR=vio}J6J{EBB%33HcNn8N4%1-r}Hf5Vt?(Bqb)B)s#R|1MDQOI`sC;YE~ zbtP>X*&}+om6p5l0d>=s=NnljUZY!}v(k#D-~MEvWF#032TG97x|BvaD(yqiG@6~7 zh5$niZMisq{s)Nn%fFqov4_q50S+b3o8KE;TV9>sRwSex?-@CISeHWyuMwnkGNxWg z0G|21Rb|p~vbXojh`TxA)(w-IO!8IM(P?aPQ9~OhE+gD&DYE8X8Qd!pPQw@HM@YMY z%!|Wy5fbR)XL+2dmR0BGKal&ywIm85$_td<M!0mf?BP!%OPb+U6Q<n=`KvVKRwQhO z!lbiZ`u)Yn6V|kLGCg@V+Q~fFdD2ew9!6@k#7K8Ni>;|T7_ICJjUYiwaXJv?P=Xk} zi&sklS)Q<9Q8}Ov+H0~Gl`cdq)B-g6>Jb?=6b>F$gF>FW(SBCj-MY5tEi7?Q!VG{d zD!}q=fGpx;W=rx4EO=}OlWBAwr0Lfr#PradsXm*bnI7Kk3(eEeEKl#)=!$Oe%$>c1 zff2u|Ju@vi*jJ1&r+vZRsJ|yjmFr>z(kxcvTGHfFbpQXPDM91^eaG_!&p&t`^xWnd z_xL@no{gSWp7Y!<yI+J2z*FuIx!>fT!`*+kdzWJS?{)pv^=sF+T%W~V{~M7h;IQi; zEdQ%rS0aDlU!1>me%<*g=OfPhoiomm^G4?mXSMT6r_1qQj$b&whU|jxbKLKkafBQ< zI+`7ojw>9F!v83Iq44>_e=K}Y;k~%0A1S=Pu&J;d(f{oBKihw1f6o3SVi4SIKWRT? z-*4Y$FTqVbLF~UD*`Bd|)b@7U?Y5(~ep?6b-PhVKv<Zm(_dV+ut&dsXVm)P@z%Bb8 z>qhG;>v`m5@*?>*d5V0HJb*j(Fu9rRBsF9Oaa;ak`K9ISmQUdZ{q>e<%c$iB%XUkJ z<#L?*{n`98+?PLTewX=f^GWj|^M3O-bBXy<Gr{fnkHlxhkBV<c#J{6rzt|ye71!b} zTo8UId=J?X9~0gpoDwF49$}BLQCKCMXL{N6qUqbFr%WF-JpiGne<Ya;VHFdTlFWs$ ziixKrd8a=1LrlC)l3RG*>m(ULtg>T7#KbvCMi?tSFCobYWTofLN-`o@>3Oe}WW=)4 z^JXL&(X8~mX-VG3^Wu_>fL8i)w@NZXTIqQ)Nk&X7J@2F>BdC?0cS4d8)=JMiF3E^% zrRN=!WJI>o^Nva~LR;y1Q<99>R(jqMNk()lJ#SKy5#CDAn~-D#xYF~+B^e>E^t`Af zBgU1U7m;KHxzh8(l8i7{dfs74Mw}}>Z%mRA=t|EENisrR>3O4)j96EC-iRb4+LfL+ zEXfFWrRNPvGU8q7d50u<Ezb)|auLrPlw<_G($^i3WJJBv^ZF$jVXySOfFvXCm7dop z$%uTV=k-c5LSN~5J(9eF=lLZW!LRh?Zjod}ztZ!%B^lwb^t_uT83C~Lyn~XA5LkNN zO_GctSbE-#l8i7|dfp9^j5t_&-u04<Kv;U-b&`xoSbE+8N#;Uf#l-!R%!R^=iTfm( z3xyREyCj(lg%uM!C7BC_6%#uonG1y#6Zc9o7YZvTwo5V>3M(eINir7-D<<xdWG)m| zOl*~8E)-Tw+%3smD6E*cOOm-zSTS*@gv$d?E-jL5=XpCMnG1y#6PqQO3xyREw@We? 
z3M(cyNir7-3%Bi(%!R_jwYwy9p|EiOF3B_$R#xn)V`9A|bFr|FiPuUp7Ypl{c#V|e zVqqN<w@N847S=Iwi<IJGVI31UODQfE)-iFDl;UDx9TPW7DJ~Y)F>!;G;$mSP6YHcD z7Ypl{SSzKtSXjrz8Yx9%Vd<W?T1wGiSUO&nl;Wac9TO|16pe<ZD_0?<xNum<#BwP` z!(r*ll}RZY4@<`@l~P<ltfQtODMbTfWtBTBULd8oh*(Dv`zu8wVr7>z-72MMNUUt0 zSR$nk>3LJMk08gRebAU#S#_sGQA*LESlK+`XHtrbiUorODMh1VWtBT3UM8iuuvkZE z<XsvTOIHq2c4=HJ9dDhK;sRqG5!ZTCTwtst2n@^x#yTPvNhul_E33Il3WY|-((wR= zhQ`wI@VH!TtVwaTH$`J(WkrgcM7K0Fmagg=DMe#rW$`9xw_I?n2`T{^97|UY-Ez^f zU_RkZanZ3R&@GLQrK`G1N^#+_#%Z^E_2tHCx9vRdYAMym^RALodw3rDZPoK&Wg(?F z<u6M6;FQ0pc%?T*mA@?MMGtyYRQJnfp$AU&i;6xe#i@P~`edBy7ooj!s$WE0CZ#yl z4|W~i6jlAQx{Uw{)%>zqK*A}05fL$(ImItbd*u|ru(-^dqKaQubK!$hiqrdG6(XfL zy$|LeQi{|24%03;z3(vXg6e%)T^vRioZ5F-yi`hYY9H(dq!g$2^@|rvDNgO{7cY`h zoZ1IF6Dh^1ePeVA;ncn{I)!j*-<bFsDaEOMW8(Qzic|YSq9mm_wJ#(hU^Z3zvK}{t z$K|v>*t19}PV0l=iZ?~IzO1UFsLCmQqoP+zaZ29^4I|DeeIqoCIH&ZD&=<rheIp{m zh;vHc2!b4^sM41OWdy^F)A?XZBc(W<Z<s>ibiQE<h12<lDHKlU8>Ub=oew59-W1jO zvY-qD3a9c7i!Ld}seG`gky4z>H$<UuD&G)=!l`^i6bh&E4N<93l`jj*5TI}x-;n5# zQk=$jNVL)Y|HTE57r4W2v+GIMZrJ4C>kMLVenH{8?LW0w+M?FaSzY9M%bOAVzE(_P zUwgS}2o>`A6R${Y&O}G!^E1~M*Z4Y-_GpqG^zMt$q|3<2jN~|K-V%25%T99^Cj=cp z#Y+>LfLaT&!QC5nA_Cn8Ujxg+p&Z`fzCPHCBb$67F5eKZOKb#W?WEBFa-FZsKZ1lA zRKmC;M1Bh-6&mgHH3p(;GV8oyuS0~w4ZvQn9zq&muktm7agWuj+&TN|k?~^+&yY93 zRq-{6IsmTC3AobN6&{a7Cqv;V(x2e)E^k;X<7J6jU~SHc6?fp{V`IZpINilbc~+{r zykV}ufT#iH1{E_mYjo5jlX?d(wSDzSofL^sV;SGRG2D0t@`9M+iEl_$1MrQ8fZKP| zX->-`Sd7bd>QLybr&-i6W%$~M{iCDEk&_qj6dOiJ6~JqE0GzZ@pqgelobdNf`C3NC zkWwm3?)k!8jdi6Gm|JrR95GF&BGJG|TJDON^Epf)$V!asik#!RfsSi7OnePADOf+I zJbHbf7co;j@lA<x06wUSnVXsG_Z62{`|5{b-lHTZtRL?SMtv|7LTbzbUxR;4yT`~2 zdIem3ZK4eDjU&lYOBTQ%kK%@qevqyH@KC-!Lj_BGTcQ+bhm3^{v>4RmSivWPN=i+- zcy|OQg2=M@vs>@QeA0`_5PFGX)RP~XQ;b82lKB^`)vwky{ZOLVsJD4{)US-4LcAxj zK7BPgz4vUcCg&L<=ILs(((r0>d+>-d(I_{PYZB`gw(+b?+jur7*6IvSD(mK5q@Tt} z0yQ)niK6*0GRtg-?Ezky7dezzW7OL`@UKj7&56}|DIwV;6mVn)?qiR2Iw@6_Yf@Te zg!@$*?lXmnt1;YFy?oYkHp9JQlkY%hS95X0?mb;Fv*aH)PlNxAOhz^-=}RLUOG{rZ 
zl;!2c4N79j?oOD=rVYKzGw`;BLzA$iWkDB}cTe~K7Z!{cc=ov8;QF!4hrR!!4xw<f z{Z`wzZELN=<OyQ4w3{CkUlQwt*O{I(`B3;=f8whX9axjJoerlP)^|Z;fvpLQ46)#M z1bRc^zWnTTC=x98djVB5N}Uh2($^6hRuk<aW1ohaADD}B!~nFF@tQ<C(C#x-U{RpL zw;OqQ!&K{LSe5O1Jv}SQ+m4a~gHd%GkZZg3`EoAzwTFg-z)cktSRwZY`o@u$GhdP} zk5?x40B@VIq#H1VTWIoWD1p$lecNgFYAqWz-C5=bHc(+Ww*q!f-L;|`UtE6xg8>IQ zts&U?hQj#*TTzV@v)w>zd}0Re7D*-=VUp}?Rp$yV?`yucHVUA4Rbp3WT=07vK(6q$ zkN03C<7h-xu4(dZMZwPFxTv7t-%jAp>C{kBt{c#uNGYGkZB0cvju%>h*Z2U6zKJp% z{UYIfzpv?tvXvax_U?I_GAN?>#>5U_*3NV0j}06E>-SrVQ$TA7hI;{=s7?g27t7bj zh_m1|iDsZTKAxmo%{t$KAa(k{eo=jlykV`2uS#qO*2<il-dap^BO&A!&ok0moUk_m zsqqOrm1^dYPh0xbL$i!Ua^9p|gQJB;U>`AD1972ImpOP+S8Ww~(<qK|0s%UI&@(`! z#2&+-$;)F<kXRBM@D#=x9z1<&ecM9gbX$c()i8#Pa*LE7v;Y&YPHY2O&7p|XlR8_9 zH|VD6meH~CD295zZ@+*G3R69R8!Jo@^9HJsjz&g;igzDf5c{!>!3~&lJ(DkaZ@^jQ zwSaAWRteaZ^in1ZcY8Q6<`1h{U(0ATFn}wjJYC>Xa2PJv0RCRXiIBRnZSd_6VO{aH z!7C3#hc1<Ys4~z)y`kZJi5;s=MPe&}@5%|hO4Fm*l9~B7^E8z}m{swT#1^2|6juK0 ztjAmer6gP&9F0W%!^1cpX7|+j5i|f5nx8J%QZQX${)OjR&pn9xU+n&)`$_j}VdZ~; z>pQLoT-~m#oj-NH+j*JeJC3^?*E_C+o&H;q6YygD&k-lD-}WclCv4NsTMDM_r3Ife z38uSEJ565^UMJKG7O__Ni|{z2%a!2tVAfV|{cr1gt^2JP;!NQL*#=wt8Otuq#n;+! 
z;j-N267)Ib=*`BNT(^joTWz>yGHl=s?wG`?W*amz!|Iu(_w@H`Vs-9zunsmMRU6XZ z`ReyH`r12M_SZLn?r7N2(gh#ZeI1AlpdH;6ytvVZU9cgZS|#UOQ+t=MZM(0ny{SWW zEKXPbb*&9MJHx6lEx=qF_7CGiViXn;*_+UU-)yqsR@9(gEA_e6x%#ME@664!aCEz^ z==vOWbxTqD4hkRYK-fQ`T%9rK!qj?O(bY!H?A|!<Dzo6XjW!%{7~{p5(e6Zb>e7Kw zcnI6^-t=XzaALC!->GpU6+ljX&BMN~!7vh&(5I%D({PWs+KL8pR4&JMR9(ZU(z9(m zqFmK8!9kB_?z8FEjs@*S@#Q(1t5qgrs&&xoFZCXV&K&zjdxw#j1-E(lCHt%a#|^o* zJVHFzw}Lla!yYz$7&Py(Z|$%Z9nOKX+F0<-;n4V4L_K7RL_)nmWob-L(LyZOX9Gky z288B<=U$&aty-_Nq#aCTZ9s*Sw&Mkt<vN$FuoaaXz;12FF-<F+qx>wj4SOZxksMXp zTZ=2|R6Bv~7!cVA<Xm4Ls?e9HD!(0pF_>>;*GuL4;8CvzZ+v8I*dK&3!u$_cNX7+> zoHm0;qd2RTbCD6|0En${J3Q}0uyeuLLyMwY^#}d*^dWorV1erM!D1ta=%Gt0{`^c* z!l?z|SE<J{X*~#<G;Sx-Rc~9Ms&=x|9D-gls+bjR3-zTHDdBYo@!*ym4~`?2GkDOw z<Er70fn4XVu|e}NoEvZsf-NI91j_danKlL^y~CkM_F<%u$o-w*Tmm&B0T#M~o=~u{ z!Dhy+*O8Xh>|R?@C<i3n`%6!MthL<%KW4JXU~o)1s!q4~+9n&eorVtyt&qo*tCgAD z?+^z9d@Ix{B@JL2pDQUSsIy`3WdLJ0P06~=9|;U&0)?4ba2U?48G{z_eG619%T(;d ziG*&;CO(o2GJ0J2lv#Xljjd>dF<4j+jbj^2-{-c#pnoEmIXD&X&86csVcXLln#4lW zba*^CrWhU3Rigo)W%je)lWT=;!X|q^ZtihR%M@Ym#zefk%2rfugt-aoD67j|@QZil z`U09@b(EQYeeHv=nS%u#ca9?7nM*Bbg5i(BAy?aYl<riyLoV@-Tq}JOW^RLKvbSPv zoQb#RTIrjhVR8?^R@ijqoU?ipJ$>Hp?^T>?VV|P6sS#7TRs+<lP-gYeC^RzOK159B z796IYCOVeGFfAFtE-l!LEzmFyIq{`)#}eYH1{=-@48AIK50wrR5V}^6_c6|tMHRB^ z%{EmLZ(E>^d2-WfiRtBCd|j@`*^Rp>-k2);kciF{>1GQ4eS-~0(}s_OxhiYE^kJSF zf_|HRe{;DX0`n7lZS<?v(4<Xp)4hv{1$wW|GF75VrmqthZ0X)-b4@i(RNrdE)Q06v zz0;!SkrV#(j$3@~78_2tjUTz%cL2skVXUqg35M@~Cij?!TGcc<5e$b$>2!lnSNrxe z&pTah!!fUM*BJ9S<TV;{@m%vUp0&c)G!h68;8tl0H;@B^*$R+&>jK?j$fqkR6J=Vo zvD_aRHZ7T2orAE&>hDk2JGsCsInC^UBFF3xJ+e;IBO61Lqu43*Wl!G6OKe3&2I54u zTCEzCt~9`7IUWqfG4-n2s-FhnQ3E@q>mAK8&!ZkRL8YEDJyQKMU1>_a|36vasdXn^ zPrI&gh8&L;{-JP}{SMm;wrcA%d7fNh88Sa^c8LdtdrUtvtt~j2OU*ueKJFBdvJ*=x zewN3%^OBYh<rcM9IR^CY!0eE{CZ=s%79&0tg@PL=B>l``(24?;n1?j1P?E<G9tm2D zx_@EfUTn;j@$v-Hhq6<&`SPV3-FcYvX~Y0IR>Zd_kczY@VtDk20{Fbu9R=n<{nj_F z`!ZvGynxKEeX*rqUWQB6K0JxBQ3HLFg(sXv2aHH@NS2DdveD<*&<<r)TO_wZRTv-3 
z%dn;}a5&rpoUOTV!YhSp{h^VO@lnm#IfCN}*tq8F1{J95Fo7VgYmNy71+rBMsC3lu zmg;8N3dN$12nq?d<+lK{vCjkw)MTkYEIn{O0oULJz8ipzPv8N#T2Xf(S49`0T4p}Y z_bDJ4x!erInk54_N237TlyK^&L!8fLg(5<v#)E*Y8H>z^T&aT$twXWT$=7sI33J1n z0N2>u5YI#RV|oea3u*<-0d53TV{-sNg|$9&jlk9+bL83@=pBSo7#T@x@rylGlvl=A zByIrqb?U6lnYU2v*zx)MsaaWHTH9T8lohzpy&fnJ=0u4DzO?fRHiOwq2;FGYYtj4( zxg7AXTM&L3TchbYP}c6U7Yb=K7#+`_=MP2z)rbxNzOhC`$H?E2MnvJjkZ3>f<}f6J zs}gmtQg3?{N2R<>9MmhRD!w(b4@i3r$2BccnSJ1cyD%ux83WbKDR$nTpc0$GE<Azp zW)L>QxS-Nj65sYfpsxoyXnw!~O1vr239Q;4g<AoERaG<K))?_k2BU+SiTX76VT(E+ zQk-=Ee^J3;fv3a$PS@{TTb#3wZ#k|iJYs*^eu-_^`WdU21TCMnTw)H1Pa)oa7_sYK zgW_lXgO?kFz>KX2+i^sc^Q31{MWP^qMc7GTH8zr_B^EeeT6DB@N<9Iz##1Uq`*$>@ zQaBh1$AQ=QGhg^9ZBd0wp~QWOW58NuxY0xbgY&z^##kFKN*v9MR&FW+#)S?I7aMF1 z*3&6~t<ELToF|owjkFqPAxD7J_$&ls&0#sP*f^_zb8;b^SoW2(-+VeELtK^dm5B-9 z)UpuFAEp%=&O91q119x@7za$_*%Sr-o@P@D2eWAucyr9A)Z%b^FfdI0&|yOoP%J6( zqBOMv3TCPZuxjfnKLlvl9-4v%#wmXXU~4cC!np@RJ-t)Oh*UE;84aZG?-q9+034jj z90p$FGZ{#~%C{#pI*e;-Y66(|u|R{}j4d>7F>Pf~B1J~NHr<dM4X_acR^vlZ6j0BP zko1Jw<z>On*M~+YF(mNHHHjh8)ZdXx2>F%6X>J5~H7j*)V!%C#{))eIEI2%@MfFmy z+43T13JU{cIOo7XfjZy(>$PkXs70M5C>}Ur3<0pQ69x*@8UTi|h!)u^Uvj1k$05Kr zUN``|CL1<qU%A*auEFjx2(ViWRa}6r&VbEW;N(lR%Krbtf?Eqbd$Irjqid^EcKpz> zvM_>p`vtZJ>wV;3NVVmd`P1e?@fP7jrvEavqVOyD6K|PAf~2A;!(%Jzph8bl@VWPd zs8bD&ys3Q-4l!{trWuQ=w#A4w#%}uZB1;8oe9hcz@G!>87#tcFun}C;VM?LIE9Q{1 zDaRcu_UUJ2n7Fv80V-ZRhulv&mSUhjoi*fQ1BNH+oCLte8(sj;X@a@fNNeNebI4(p z!&U@H&&2L?u|e0w>*kOO3mz!=nP)%*&}U(6y4cvO<27?`U^fod0qkdN;kww!;pR4n zL|!>A*@67DX0?lrxH7(W&I!ahk8~HZ<y~yB6%;M9k}ZIC0Sn?qM_Uo!Fjok)+BeAE z`(iYlh28R^gD=NNh%{<Nnm@Gx_%pPYUUcMT@#;BS206EBqGCTo8|_6$9$!C)EOG3l zV!p^1w&-4LxNt?TnL~EB+(YC{?Z_7$c^xE;L~#p9I@{!Ip7r{o<At@^9P-Aoa|?r! zv9Qhjq60>d+c{*FW42ocfKO|wzv!4@Z#E|YvvE)*%p0fm4_I`_I4qnq0dnrk<D6az zi;lH2zHY7nShelH!H`(U7h=)jRup0{e>r?-J&(fo{|fg@?svFH-Q})7xgK*xT^o?e z@3YQ?bC2^P$G061I(i&y3ZFr4zH1Ae$jCQhFS7m4_Hk5R`dN~|k_46{uq1&c2`ouq zNdjjmfgC=nNPPiIaTdj;0bX7M=`_~tY+ra&4sS<PhIyVAwq=JJrXgMFfgHY{w9>*? 
zqQV<<`4M;F%vrsYfJ1JpKiZ4bEHrE}{Q1L5n4Pq-c)@FLLC^|^fhTBt7tVn@#{#`H zHv^pi)hAYi37kPF3-){kGr4?*sqw7lx&=>XEkXbc0^mcQHpMTPuC&3>*}(0WnzOP< z4qTmhuDCrkh%>w@B5*NI!@Kn+7PP~}#d<>M;xmfbk>wWEJ{}$mAyW%$Jw_vfSSkGZ zjaRTBMo5ej4N>Q1C9A<%i1s90z?G;>^BX_S$T^W?%(ZtaS1btKKm!Cf1|q%T;25RT zPb3`4<x$;<F{gru#R;4$MwI{;nTnIS;!Sj7oTY;UWwoGvY)qEIL=I19fQHAHniHaa zARN#SaA7=$>oTfg1Sv6DC}71689|2A-9>ZD2w~nb^#WlQHYHs(l3PY>NGUSv1=#F- zI6^pAD5Oq$au(9wi;@utFDE#FWF%REg@wbpA)jVI2xGav(pHQJrNc}}8U!Z7y=Pz` z6Zz&1^)}q!8+@g$bRyCcTH%VhKkP@;$MN1MBGc$&ZQY+^-bKtHj1C$Ca4Z~z^KyL{ za~TaRffmy8etquB)X>zg1j12*+62OidjSGTrz_u=%hSIV<3pRDT1F=@XN1C;C%$*5 zt;lcu#26jagAa2WO?-s!h=!18MY!BZ6yY@@>`PArxTn+x|0F}<RnoxBbV|YWoi2ZO zuJ|LZ#g*lBe#1rdcxXJ5?OHMKjor1&2Dc33PT{SSohIwFZ~x9V8&bI#w?$uiI^uYG z{mc%k0l)OnID(*MW{Nwg{r?7sT;Tbw=R2Oy;}qb{p4WMzo?AS-J$0U|JYM%--M?~w z)BPFu``vFqRKPL!P3|4;D!0$=bp5C61=sVge{{Xab+7AI*Rbn4SEH-Ub(zcN{FC!1 z&M!NkaK6KNr}MaT(Anj@*16t!vD57Mz2gUtFF8KqcnDoC{VYjfNdij}Sdze!1ePSQ zB!MLfEJ@)1wgkMlTg+FOgx$f>A$SsWh3du6OShYm+B?HC#l+7^w~IXQDd~2B=Y3YX z-Nf@gBi&xW^FA%fF`oA+Nj}N*J}Jp3c-}us@^PN`2}wT2^PZICqdf29l03!po{;1t zJnv(YJjwGuD#;T(?{P^U=XoEI<S5Vkup~!#-eZy+=6U}h$%lE~qmn$v^FAcWA)fa^ zNgm~SACTk`p7(x99_D%PljI?u_lP7P;(70t<RH&`k0cNBymw3T0MC1uB=_^YcS>@A z=e<Lc`*_~NlHAMl-Y&^KJnwCi?B{t8N%Ac`@2!&D&GX(O$v5-72POF+&wH~Z-^BCY zB*{1Oyay!t2A=muNxq)vy+M+%<9YW>@&TUrdP&~T^X`-6eLU}8N$%o#_egRl&%0Za zJ9yq*lDwDa-6_fKJns%kZsU2kOY$C`CrffG&r7NC|GEo2?e05WKXjEi!`PjB3U?y@ z-#2Y5tb^n>%Xcm7%n|WfahWh;`lQKS(0vw@G^`=k<+g@6O^DycwT7Tz0C(+za2E<J zyy$S@`ag&Krp#W7Hvv3tIO9bJ47*ljNM*J$9A0FGrl;BnY^$YD$!nA=niy#P-0Gat z1zMzIFggHahlh(QT?!|D)g1D;=I~fY0i4{AM+fI!r7bqjnt0V562Rv0_5)5_6)be9 zn=koRWAt9N(CAIOfo7$$PoK0dwv^!mI=6D6(R-R(ip9oT9=~yJg|nb2zATp~7{X>} z-$*D&{kX|f^On;)R~pl3kAEak>hJ3d(=2rKxO-R$c!ld^CHP}r#tvM=kYBN8?n=B4 zV`q;}>f+kv9~r|HGC*tYmdX=02Ds4Pi~3?HFgSbofZRBuA_~+g_sF=oRxZeV^RERL z8*yE{cJ2xw)`IA9%M1|Xu08wGr43?Nu+tc!z2o^y*ac*Oe)&Ssag9%*2Qg4+5cf!g z#_(3tt8^eiWMDEs6Apx06R)3J4(LOMu2?8QU9n&kp<S$Mw`9RU1j${fcfXd|C4dzw 
zPwAd1#`u+Um*F9_7>4tQ4lW!q<>WDr20&KDH_j~s$b-2gjT}hX<C|(J2u`4m63zA@ za|O8AUuPv;_AUi_W0yTV9&CTI(eqcLdGnvA(6B$a1lYG2uTco-ob8x}n0mNQ&V=+| zY)O|_z|{X@z%@4Y$MYcQ8Z})~Gf`0G5R*x;H*X0GDWLe~xr+d~JEw$c@b3srrIhRb zblL{wT?uENC2x};4RASkA@Cc=527Mp*v@Rx#|X9m_u9q^JkNXX!=1n2{vz@KeAKl9 zcl8fC4i|o;aIgLK_SGn`^s^*^B?&A^U`YZ?5?GSJk_7&j5{OsZaer{Zw6#FEp}t+o znYYomVn;MO7CJKJE2i5k{JTTRSx6J9jz<D3=>Bj;*I>Zc1G`RNaAbrAw2TIPBe0zw zP){9#5o*}ogZOqsS`%Sd;M3xRYWhQ;KjK5;N(2`K0ku35MB+<z&)E~e$x*-u?RUxt zgIC`aY$SdDOhBQM6~Z;6_I*Gd7xk#Sy4rp1$o4&gLz*yE?9|gH6)>Iz2Mg#hqGoGS zdhp?S!bq=4likttDw-=?t=)%YV0a)HJFgIS#y8maQYkIh_1BEU@i5K$h665o;MInV zZNr*)_Ko#Xk>DYG{{DWb$GAX7S2U}4B-9_B^oQ}Z=x`*|7wm@>Jj$sS=MnrJzaq)4 zB7iZ58o9`VN|Q*G5uO^O?crBH-hm=5e>55xfxS9l^aYdxFuyHXVS1^@zGc3onwz?m z$8B%x>{6xEG)gUn)s7LDaLPyj<il(9!@6AQZE`R`EtfTR;0V?E1ATZIp7<vFE-IbX zI_YdzY+tFtGzHZZ4u`^OR~>;#oav~tp+Un3kdhW=!gx|84>3*9J3xP<r*C)*NUR4# zV(ct>{Cz%TRe+G`+l4VT%0)_ia4rGNNyMP@(J@A|q4`1eVj~5^V_K04H>;z-5u7ST zX`)qtFIs172KE9S^t4HS2SzrUiYmZ`@_ySm%I?#b9YH2cA3NggR~`lFS`P$zIx+Z> z)^7x-LWqvXo*h}`0=@vPginONW{d>iXejC%8%K`GUO+0DzDyZyGrjtbcDL5=(AgBz z+<I!W)U!j$kBpaurw!AQMcZsr>L_n9iu9^@t(u6Gl(LX<9}LnV-u1p<zYm{UFfzJY z8F-_<zF<VjMH`Hk_*%3-Qb~^b0_sqq0|SS;_{>pJYZk+W?ON4&fLc3KR{EBs1ZR49 zLBo;IMjzW;1%^lbgCzrq%Rb&y5)764OC!p;-{?SbfDW7D;m|<w7-SeJT_Nm>pJ#8O zBl>_&I*rPEf|<H+TR1dHhma~6Z2FbQP~Ri{dyn>aj2t{ylnx&J$K<l!H{u_{x2S#$ z0pBnVfAOjHQyX?)UkLxBat)3`Z~-68@`oaLV=LmF_89#FR_ZV{gfXubHzGYG2E<PP zguheqDM6BXYV?gjuu7`m-eHXR(5MPm`wX)Rs}|xK06JENL;gOB2x%vM%9jeS0tKUH zORi3$bj)iEU$39O)t-Q_S3P;6VKIBA@E-e==}*a#O3Ul#*wq_tfq7qs@<>VwB%k^) z^jlri5$LChFav!>%2No!CfmRnR&B=wOGP{y)#_f*Vw*zUi{?vmUbk6wu~H!nCGzU3 zV%$?&ze1?pVVnG4wFKX)5$$_b8oK1nCDGW{s-(JQl4vNkwau4AC^QsAvY25^e(*G+ z7Yf?kC|s)E|HJ>k-Th|QZ(W<6cR8MSTu>OaKWZ0jd#xwPSIJeDnE9*b<>G+wVZmyu zFL=fL{c&PkkF$~-C&n$*XH7eg*Dib16x!RzRevYneyoP<-XT9XJHQy<Hg_!^V#N3` zwuL&ju!pE04uqpP=&tX>r4?o<diG5xEOjnHaKk*ETLB~@Y+Qq<FpgZ<*#c)i%{?d2 zAuA~q1YOw*tSz}DPD2M{WeZZjoCf3?q6%SNFVR{MLbzgX3o!38KGtlZxrDR5caU3t 
zK*`QZ7t4GNZNwofncEE1THs?YmI+=3u4J=OH_~jjxZg>;Zm|WocQJBwDtK`Gx(SH2 zDA)#w%XNsckl?0xFmDnr$9>aA;MEdL7~q93Ggfn|XXg!MS$y@}27uJU@9>vm7zV!W z!~RL!T&o+id=6RIXw(6!ahyMl5X2U13=}IFW%IstAhKBdTrIVEu;iK+5L%2X9idT0 zmu~5!_cQ%LMZwJe@b*I2#%Jft++^o#u$0#!hF1;VfOY{ge?*rfBLOxe#Sxkc4l{Fa zpbxrl-d4WyS`3-$1&0jvYaOAQeE!#w@)|__s{&drRJwt9X?SVu&_~q$P}_Kv9yLJq z#~wD1lSnz$Fe(AuIEEMfGL-}c#n^<a`gz7}c(GRz<Wj4hs{mHbSjRxfa4ipGtKO^Z z>Xq?K_ix})-{m~cf8~|&Epz37?$0@+=$Gs)Pjjk?c3^Xm-v_9`VpE0(&;lkK$R3Hp z=q5eC3Bl=rEr+sE3aB~mdQsx<>8=-WfVU(!-UjTqsKuOeR!~2IIojV7q{~Wv))K&h zqF)TWT4r2+C^V=p_)s~cz6K;erC}ae-tT-tuB0+vzmSaouEqqy>(l+e==x28r_Oyl z{#p82lE9J#mL#wwfh7qnNnl9=OA=U;z>)-(B(Nlb|NkWrzhbV@QE;_(Z??AqmQm5} z$Y3B4jo^whjDK)(HVU%`dh>)WHU8}Dq<`jj)0*W3EM7|64%BzHmnvn|qBv!Q*+dl4 z7E4DEfG`j)?WGN=-IQwmbZ7eM&eSa#=|i@x2JD`-!=L##4RyG6_mBJ?9K_be8|StG m>ET?Lknk}}n_X=WhDTHbEPBS4eLUNOXo~~+b2w`$uKj=bYKV*g literal 466944 zcmeFa2Vh&*bvOPV2oL~)2UwOBS(ar%vS^8xKw<;hq9{tDEs7LDSzfXNkst+&Bq)HC zOgoPApxDk%n$hgE8EvK$XEe?DH>=sRiPMZ`I<swNlQyGi@_oN^?tKG;6e&A#zWyP{ zjKw?Nz31M0?is&xZuZEb!c0CiRxC~CW<qi05=B*&J)w}Icz>%XN(ukw@vk5M2Jx>G z{~CW(<3HyAfArBgaJS}lDQ%vWN>B^F+p{w8P3=hF0pEGe?|sO3aQ?Q<k|qV36lhYQ zNr5H>niTjGQ$RnhxmPY<uAbjHlRG()A1TrQoIOLm-NU`1;qJYMdPDd{Xj7ZFFdFJR zJluPrcPMmtU^sO6=%GVfLT%ps9W(jTRBqw~%5Uf%>N(gwM86)*mq$v4>6t=t%Kq!A z++^PV_nF*y+5Y#Qfy3G1p>BLAG=2I6eR*)GufKcfrqK1hH-$D8Mmwl;Tdmot!kO7T z)jTm)$WM%xLq`wy9XZ+?+C-n)60!}iqpibtm-5*^F@gVxpR1IXyH~DVtKJ(o*6zea zVd^vppBMkJt!f?Do4;RA>p3$wU9}YJ$4kZ8>Gcg4nHHka;@cKNEEj*jdd+0NTWBBE zuHG20F*iEFpXVjtKQPqWci=EB`6k)ABQ(^zzjvtja8GYmY{>epVDF5kN`tm{Mc-dU zH?wC>Oy>$Eb01ZWzpW#BS?kK)wW?B>8qMEPJ~IKK`b2JarpSNieJG|Ar6KTtZrA!0 z4{d|<t;^giJ37>R518vURUDPIsJivHNY%<!mo-{E)M&Us)MLYfx|Oqiyn6l6^_CFz z(|GZ0?RfSyl8d0aSUh`YObi~sy*nO=eHFPzBgRm(jMg;TI<{Zhx^kdnp*7@>+ZNLL zdo=JRv6_{eg6@?oR;c%`;MJrW^zWrrD@VUsfO*!k!*YJ4mSdJ@Pd4~%E#EwwFO_Rp z?R*^Ae(tL{IZbzdUd%JO5Hmi*3uqo4!Gh)Rw}h;zU_;R`wuEeh+!B(L0H5A?N$bk( zE9P4u8p??%{ahY&iN$CSw65H`e7*))`xA5?UBTao>UxLIy>jzrwc_Qq%T44bPZmZ_ 
z$N|*+)ls#gHHEaeve}8L*-3+bo8qyKD&pGCTTKrqrcaMlpEz58pv6vq>&hdW=bKt> zXVIEpw1Dq0^U?4hYVhX@{@47|q(GAbO$szA(4;_<0!<1uDbS=qlLAc&G%3)eK$8Oh zODGUf9qsXvR5BV%XVTGJstxmM>i_>s7PmQ#CIy-lXi}g_fhGl-6lhYQNr5H>niObK zph<xy1tbN6E$v>r{_n!?-N7#tmjAlo?}EPyek1s^;J*dG8~k#UWK9Y*DbS=qlLAc& zG%3)eK$8MZ3N$Iuq(GAbO$szA@aIo~OU_?{LHhM;@N-{f5I>hy*5GGAAH`3_JB=T$ z+Z=&!D6QJV^qXLCL*SQz(}A}JKP!Ggzij?#QlLqJCIy-lXi}g_fhGl-6lhYQNr5H> zniTkdhXR`Jbm@1kR*#nRp`Pr}{?K%(I3rUE<i>M_sq#z+xhhWOr)CNxxtaWEXl!<h zGY;gC$6{_vC^tG9%Aqh!87+_}j#3JY6sKlN#fdVdjtk9BEzmxaii8vC*sUN~Teov| zwPSy=G?EWZ7pC*bEszh*6hkAY@*}51#o3ur`g|8glpmQz#)y&P<aBWg<0?mz@o+jB zRbGx>4sUe!tX2;d$3w%1koKcEH6<rAmMcu4Svi%;gyX41TkyHc;~FlLXN&Xt)sEgN z%54)G$(LpdV>EM`S1EtCDE>1UPotN#nn4%tf=lmRt@acrCy`o)h(x0e6~{s+b5kIW zMLp36lFyW9%1Ca4Yy{;HC^S<%ou4X)`Y0dBbRIvZW+vu9)X|Wb>cm_$5({UdQTp1B zhJ#+*FMVO>z-n~}pDz_gW{~J+BwsEU&gN^zn8DW~$<zu>`M9!8d4>{vIQX963xa2Z z*9DV--v<6E@XWwSAgnw?`?~fzEwAm=R{Ou^f4BdI{&D{yf7IXVdyntwzJA|&pS$f1 zZD-nUY}?@dmUqUR@%+T|dC$0`*ZqC>U%HRE{jG0l9d!M|^)lBU*QL%MI$!TR)ADf3 zn_Bib9(FuieYZNNZc~F8!pCWH+x)G{YHgrBmdJ!tiPXMAnb*hM4cY9WE?RM!2%+3l znwy>}j+b)Nr{+8z>fMVYP_x#fPJx4)XyHz`$1>?~EEy#}lLJqn6ihhUxrvGV)Oa4r zVy1BHab(J~V>oUF9Dz`|aA)4WjDy?U=t*CuMRA0qnG|((Q3tI!h2upZJie8C+^l7y zsc<SD?VTzUXPGHX=20Vm$8@124n78U;V+33y~R4ww`aKfUQHg~KPHEWr-{rrY4JoX zoK7VMXo}^TB4%?cS3U){UBiZ$`RH1TMp*G_sTdecJb55LmB*Cxp~6&QrjVNmP3Owx zbHx&JWSuL_oT^$K!G%j;Q^iRnYB^Ob5l1meMnq&DHd@5$;u4vdD4rvJUdqp6;c%nW zeWWv$q)D96lCeZMkx2EUZyL;OxiB>znw*`ODTKyyBbZgqY<47gk74py#ze%N#YC}q zdUl$)XemEaKLu>EQgM2&BTlVpm7?KTG)>#8rlGlEw#2CF^;$9-4`&idsyaJe%8!DZ zGCQhncXO22Uu#b$;^9OrL)Dq1<KhfW7Ds1s!GIuQnQ)bbnPvvbiIrJb&*}VJ6;B(E zaNlZsERw>xN|=4;Lt;s&=keO*Y_tjNN9@)v?zKY$iw(zOX}U-09xCN;$2E%o3(sN> zI1OiU`;YQL37^cBvAqU{2aS7-8eqi>V{^#WbGCqUeX2MynlE)8@8sS$V||mjJ)_;$ z&6p3JoU{4}(aPY6LU<_WOJT7YN%p|v(;bTcRqY1xnOnl#{YEX5h(aFVh0IMuo;iz_ zBi4OT7{O*7FP5;OC(GD`2AR+^_HiDoiQPt%urEO07Vf-7i_tDgF!SLtG~AFh!rbU2 z29B#1ECg3<VG2p_P&r@TxtTW6q!vl1Ap1o27K)R3x{$@DW-+T+f?z;LI9H|}Q^Yx# 
zlUu*se=U#1rzOBq<B{YbCRjkqs3K?1E7Q84E#%J;4GTE_=5_)#CvuSHD2o#4aVl2= zHS?vt9W<JAS}Gn1C)4R}KBi`)Q~8N$<cZpX;g3wrGG$PPGg&1C;?mf4@fXLbjXa@_ z_6SKi5phLaaNS6>l>2+Zg|lz(E3Ro(G%cxRO$ky;Z0Mn{T`n*k)>JIIPp~bBe0lIe zVpotlOLQ-p#2K9}(N;14jzoyqYo)nu8;GRiS~?vI$CDY^6P+Bh>M3jomi+{83b9Ox zQIrc;^DufeGz@1_k)iyVSzg9ckuIUJ5SAJX3kHJ!rcsqCJ>mpLIYFC64k<qc@q1#D zMtcsTI}R?7j7Ccb6{PFm-`%sGhB>DtGtn?kq@9DviG(Ke*eBS;I44AJ{5xKpnL&rf zM9Q&s)X6a|mX6>CO=Kay)-Y$2{pP3m5avf$hG-eOG&=t{hIjJ8CQ&rKmO9I6Nt}#G zBGyCnz-ANT@bomD2a9EZT40@6k@1;Rw_L?k3$`P2HJpgX`)6lnap6?e$8Cfz3{l?F z9y&w)IH!{s26Ugo*}_DAJYViEjhsT7zL6Qo1FP21sM@t?G8x9d_M(m}si;?rM3do2 zD$eY3gl58g9YQ^BQJj6;V!0iwsp@GhiC!X!3{}OV(Jrt=9t@Z-NL*KR?_qh7R1mi> zc;FS(x?hWC65&`T!5^BKux^u59$NrvnC$bqRZI_;V1>~L*RLksXnv$X`QOB~NYV{1 z?;_u{<*I>qTrTFApi3+vt^_ehspf&p%dS?fq^j*&0tY!ANzqr0fvtL+D2igA;9S^G zW#<Yi8qlQLaY6MYbQ#rO-5yDST_hve$z9mg_8vpasYYB&XSRmpF`7NNd=<yqbt%;- zV(%xziAcuQ*x<uL-{nnK9Gf|p11qIFL0mQE&@%CbWDMIrn(l!NK*tiC!e9c|TtYQ= zYf;>!$z-bPt^?uBjolrjddJ(N5GkVZIGw@~bXCFy%Lk)+)yxBF--WRNf2utmhg6cx zfPgqPBvwGSrp%XeXjSsVfF@21_9OUABz@r%L$kL!!`3VD-A?x_cv30hqe0xFrBi9F zee?zrUPuHj6~S~!Gqc^fxa()2gn}JyYNJ*?n$*f^$IPR*cYC@2jS1XSsd!5E&y`Ib z9qKfVa;7wk`Ga#6rockR3gfdvjNj;?F1m5mr9h`dui!@{nUXQVx(dqM+*A<^JV9qQ zDH-?}RXmx4F#?CwR6NOEQXC;;2lm)-&*1V_Vs0BXxus6A270ZFI_zps$MEG;W?z1K zqBsY(H&dK0P87%I?5nxPNp+WRjKwn8I8n^7s;jG8sCcWE03XR@lGe@x^T$O20qJbM z-0q-CJDDpdQyJUlqYZ6tqBSa23xgmmpYGaKU9nB=QT8kESD^dPIo=+;DY!j&dEn=c zUj+U!@M6bH0yBZ3KqRnC`w#6i+8eZcwGnMl+o7%Xf6M=7|1*{M``dgU_r20L<xBWh zxBas1HLwI+=KZPT6W&jF-{w8--Rt=;&-*-6o|`<|-M@3c&s}owX#H*LS6V;X`m)xW zTQ|7A<9e-Y*mb4zTh7-yZ*2KZ%llf+x2$S8tbRj%gL)?h_C<H6tE{YdrdK<5?UENd z@mUt9bL07FOn10+Sd@fB!_pLQ43NECoQ0LC96DKqPIGd$Fd;-)A?nWJ98c!A6Zb9U zapU1yfZ&EV5Lkp8huAnLY*Hkm@#cY5Np{F*1ZJIhBppsh(&~$lK;hWMOGeF>^HAV& zXH>(oAI{G}IX!J&gX&vXI5$%P?PHQGSbJCBvI#aphiz}?Asmm8LV&$MdnTPBZ6~3= z_8MnDHQ!epnI+*#DF3vmB_W2<FU#uRCY-mdcJxf-bEOc@Z(#%*0>;RR0$sp;T?19M z)0tQ}7Eh=zpRW<RoUf7c&)b~i#+P!{Hv#YUu~Km|G%_K~B{Rhm_I-pjw`5wqX{$3& 
zO`*UuBd)sBiB}QhlD1J6AIs@fGMvt2lz%zl(xb3v8cj(7C?Z`qlL~Vi&y`pafKH9E ziyIQB1y6)P%_G?o!URSqX&WklF+n=P-(#@b#L}^e!!BLJ(Acg!3r?6DMco`pTwq-+ zXhNa@L2<4)Lv3zm23)rs+LRv;-C3B%v7J0w?ue%1;Ur9=|C4s+jNZgKWXmcsX|g+z zkb;YVbyaSdh=Q-ilFF-hI8QI4-6SsJkwS5{%)Q1yqf8{CylQbDrQ2e(2yHGChuJco zQeHXa(pNP4D&JeD3Z+qq)+KP5iNeWJu2cX$YUWYfrTW5c&H`48sW}C`&lJr=hW-8| z#7S7uscUJ?ApskCUJkR#T{JyeoQ0OjUo_g0$~vCMdP1ogBkRq%eD3rV7A0R!U{|Np zQME1UJZ?<qWML`?t({vjmpm!hCyd&-?da%4)6kt`G39}7=Q$d3j!b{XpoE2q79EF^ zjSRG%h%WY7#bd--lTYk$_TszfQwT~X3*hx8-$Oi+fMga`zOc+m1cz%Qf(tbrORLWc zIpeDxd&PX`LeQV(ImkrQB!a1T@5S&Odnbyx>LKPps*{|AbS~OYbY%JH;jSQA1Edv) zu$+cykxV9(e`C6cF7kIk-K2BUg@Z9IJOk#oAA`P8PD0LzCF062uXpKg<ICbUhg2?G z)5obcuJ4(gb^5I#fZ;*TO=aK=0gZpP!#TNHU8-?G+9WpbcAmjFsx1>jB5q)sz@iH) zNLe;l?_1*xQ~T--5hq165>?)NnR7KtaW-bB%XEy>>6E%>z@-PlrOy^&SP~XLOn89j z6grg$k6`_?Rs%$xT$MJGh(Mx`M%4`|=Lxerc0oy1Q?g5@AmlbYU_fh=iDSDYlFDli zxpd!ZRSd)2npov2;rQ7iwkf$z#7hNYOF)gs5<}H1Pm_r!4Sg_`i4KX2ho=NzPt{g} z*jE_I#6gi%T>1C?&U^TVA`hB062c_Lk_nvv>j>d_g7P%<E!J+?CY#;Y7XuBU87gml zoU=<)jmwXisvyk<=T1zi`u;G5K+@bHBRblhyQ?Ze53#8!QjNLfR+qlHrrIO7+(~<2 zXUuu5=AI^z+jx(G#v{FX<rG#q9Z#xhahKTUmJb~qhKWP$80Z6|bh%)NIiVI17c3R; zVB=yoJ0SJB4Ai(pEUI3!(b>%-po@(?d5r~y{>z>1pn}avAdLfS_}1-4>oCS-_(N@1 zEtye<db7iZ{#1^@o|sOgly8d3v-u6Cq7p7z!`VnDe;|kD!(Bk0LTCk0S|jT8H5jcb z<XiGQLh$5^-Qe=k2#!`Hon>w-s+l`_afUr<6ztGdmtF>8cyt#KrA@;>&dj4GNh@y( zIg`d*CrG6<W>Sul0-H_@M4VZS5Z-9(0>Y&yw6*L&_aIu#k*twOlCLMFe3y9~HK_G_ z(;AJybx^<&WaD<#f+bRka0G|#;VZ%8)b7E)u5<a5=5oSG8;(XJQ_G#JNHH14V<kzl z0HhM?6E1bG<lpVxhr2hNj7QXa)?rqtmX(suWNr!~oVY6CE=xt!9G_iN!{MD_)k;Ee z%_L%H7gB>T+f+u~eYJC|O;f7Ucgbi5gTL~<wazHlIeOp#wrKcR-|)eGL*2(RU@x&` zM7`@OXBU+Z70RbW-6RH-X{d4BtFT_EDLENjsPMZ^hTy)DlZnM(QjI3nq)~$<$|;yE zS#g6#1qOtxH=`!xbO)<sP6!I4fCG%jVev^OBd7TC-?a<Y0$g~)R-Z4Guxds{&;)xT zrTiuP@^|g(o1%M{IH|mXA<>w=l_ZV{v}xs;eE1>#lQFe8O;Zb91G74L#Bf7kqmjTF zSKcP64K1FX^$`CJJ7fw*oLDBQyo~R^UAy+uMFuj#p+ww1Nq0<KsjP(nqFP#t$*9xt zd!^Hn8&+dyd26+CsifadU<1ddECia4&@nRZ;&Q+^h!D_6Y4g+DI=mslMG7?YE#yZL 
zJ{zIZlws7JF@zc-%Q>=kPQYx0Zc@oKZE$s6o7$oDDsNSsPj}{=+nu47pSHZW<>@WM zEmtbPP~IB+e()K=iC|wa75Giy3xRhBUKh9@76DcJr1nf$^Ex!Q|9k$A!WQr>|Cm4J z_xQf!dx!5n-*MkYSOXqtyUlTZ+ZEo=dS4D(z;>_ddB5i=o*wt_-S2SU?%vt@o7TT? zy}R{T>oUhnTwim&)Kzr#I6mk6FGr6fr2a&Gvw8+YQ-t<!TZTPOFsU9a6{Nx{i(hCA z2310T$O8>R@kt`r8)WPZyq{4>^<PRsl~AdJ#hIO@oq8>_{Ppu_s?A?B1;jNi4QZo= z^2kIHI}&pDDMHLlV4ISKMQl#2ob3uHg%S$~s82bcz)6inlIp8imo~I?GF+36HWPxA zv`acvEFMX~1Gvf5zk+1vUF|ShiEokkD9nEnOSBPEmprrhFo|`n${5DuC^%3mnN(jP z^gn4`%!h6a?+44vhX<q+j;@fNEbbgQnDeEHxkM%sj-;c?$5<-G4r8k%wZngtJ`o;< zTh455G>bspj6)^=XqWQ{?`+v@C_e^<2e-hWFh3aeNyDa%{1Fx=tj`?G4l@|avW1!> zi$G(ECeq4>qt2uDPtfQ`?ABAW1*{8nr6~V+g>$3Tg6Wx{`v@%ZN$rq0aT0AtRm0>0 zPMU~Ac#Fi89|$F`suqbkQusnmc$6UK#g*>^Vg(b9)!{`VKQ4%{QlHvS@;~nqR#_j> zHc`I3+1XdS<%r$d%}FV8hR5RS3l>o~jvFL{oBCZWyBJ%!synuyY$ENZgI27@!~=aJ z8jC1jWA)T*zwiN?ktay`O0V;7Yc_mvSp9`T#<Cq?cICqO6yL76K!u_T;{lj#1b1>; z`64SCHm7Kr>}(@+)(EA6?E_gMa_3f9zEoQ+L*5I`>pGS0)(w0M*jmCdHbGoubPkUT z;X^DZTWYm&w99d*|LH_ry>g%PE}ABrj|4cQ+9O8ytkfbmoh)H$`BH~rc7`(u)}@4c z>lSCfIew!Po*;M~J8o$h=`_|eliAnj(p#)g!Zi<E$y9l6YUC8$C+r6zB4N`{Vfy2z z!k7`@Q!G@3$TCw-k^40jQSLuTJsEVn80WQgf49rEW+D{Fz;4+36WTPwX3rTYWgT{1 zoXi5yvPSb`IpB0?pQe*B^%?uHV~o)(y%%<_W%e-7l<R>x+q_WhLWf+>vf3!@B87=^ z1P-VOq}A1|_886J;ANMP06j1WLYNxOeMJ^W_&?bgK<4{Y@`!y8F3$TSJw|Tk*Yex! 
zS0$xhSTk9NqfKyh=ny$d$>Ma9nQwJ{J~=bk0JGz##Dxf<^(1g_;bbDB?qYRkffi6q z=nG|b3T86u4%n8w=33<Gz9pco)D=VE6oS>2fJ$Pro`MWiglWgltKu+Y#?z6(9_O67 zT`zo_3)y@U^M^iw6GjS>dikRv5{#H4!78y|0SgrxG?0AL(}1J_F%0<_ela#ki&Gme z6JCae5Awc208FK!0;H45-^5|rR|#Coy_D%Bj`EQMFC}b10R~GLRlx6N$|-0y@kII# z!As|F0~;z^V(g97XK#W5)B2J;H}<VfcYib!pJUAK1@W#D7wZp$?Kq6uqxqAw0L~e9 zff68RZ0w3f$mg3>SMoJ&*LUoCQG&dJiJ0>DqEDd}fe#D|*Db44y~K%l<B;(*mCPvb z6kFe{Z3rP^cUd}N3U&_|O_aZ5t!rP6b!?DW7t9A_m;)9B(#Eq`Ifbw<ZOL@G5z+#B zCCHRf-mucS4l_5))3Afa(f>QvKxtLQ@39Vs$5nb_U98KY)X?NCxl!nHDfPLmwA!ke z_61QRtv*lOX!)r*HdT{mVP}R!nM@>ed?yUD7~mK*!co}w$MS3`fdoqb9~PE|IuszR zh~W&RgQv4OcPXul=Srip^)A6d`O}t63%m6+d#yogob&9yLp`{~a70r;!$M+K-ahEk zml;D29i)p#0*!2jFWv@_aY=r+`iAO1F$XP*RnnPABmp)TQ63U<J9}vj$=b$VLZf!S zo0N-`ud=y*A2q7B^d`ZKpe?K2mpGSWlml5hkT4G@I$P&#n2tG#I(eKBORJ!OmeX8f zLDVPhbQYlnR@JH&OW{DShlI%HmtN}Js2Qz=_rG;LY%lng3B<5@>ZKdMg-rrh6>wdF zC6fS?WjDHXY;RN`F+d_b4;<~=CsD2J%@lBV(x(6<V%5d0igyN2;^<1i94_k!{3tQ7 z;m1oMo~&JAA@74b!#EXHM>Tb;l2RTZ{Xf+5?Uq-zoNeg}emVH&;1h!b!N&!@9(YCI z*1#p&`?P0iXSA*U|M7p-|8)NW-*0@M^Zk`C=iBXTZF?`g{u{mjt~}uVkoP`shquM^ zkms46UGAT{U+uom?QQ*z`YXpP9R2DOT~n?BSBLXgEiY*qZQ0tg%<(nHiyWiS_TQ(z zQhk<s8bew5kM6yd5iNJEkTE4kp<vcp_6*OKZ8>ok4G9o_o<|<hLZ5U!4R(`9`seHf z&nLQ7x=kN_e{5qT+tC7nLe6Xj{FlHleT*I=C{MKqnba7(&dIo7h*t1Y=A<*cakm4f zsoVV4G&JZ$(tz3vUOAE@h~gytj3lR%yaX({K);a`)VM=Ea61zyw>1K1B>aMXY(rqf z4xF_lrV;=Ux(W9MvET6ZFw4T1$*vC0WjVLEgv=sLNdR!iU{51#El|j$4}%Ibos9?7 zyN70Yw+6%+G#CT+xn!xgV>flv3lJTcW{iQxwhMycn@0S?&RtY>Qj=_cskg(fozxs4 zI2bkon#>A`iB`2dQUJRM<BBD07o?Xetz0@y%7q=g0EAU#ai30{1bo>VkY>P+Do9YU zw!yc}21mG(?cJJgMY5bg0%hDY1!D-FU)U}`l}JPgI^HWIH3)Tp2%j<=kqEp9|ENS{ z6QxXk7osh866_F8mD7CWiANSDCxP|`N5y|LP8L?Fndmf8<){`<L!ik3fXiDP0V-kB zNQw@y71#|-XzKEYA~o5rCF5jv&KzQ8gPjI!$b!T6RB^PtW{PTsHR&R#^&DI=NyQrh z7=&*incNRuMl$h<IT#pke5CxO*}k3v?Wc(5J2mN8*tM(i$=*Fq)y`;$Ey3mka8M{u z)#3<=ItChmFdSu=B1@30NZB|x#@lzT26%fo9*xjR>E7Gj)3qNzs3EbrE@`9|Xl^)q zApwhRDcs>hRF{qic-CZrmC15no;z;Q;@}pkRC-WYd_tuC8JC?1z?9x^G3GAl1g8HZ 
zw5f03z);8GQJUoJMiQvgiG<OU(Tk9iNFijC2aZ}7X?_fN4@rbhm8{=C!b3xB5j)Hx z2GvL%nULZxu?ZTOP!1T5hXZ|d2!qG<0!bN`8yJ5HUAONf4eu^34*X{<!$AUI@xXbS zpzY8AK&DbRV>*@RAmUEKWMM{%c68>bmjT2(fn!CPxz_eV6qet_$$mW5-;NDJ_?@^h zhnhCGoZzW$)F^N%6^RQ5P(@=hG*{si1Vo%%`4nDiVAai4g6duF;@ffCZ8U^&EfIzD zD;34MaJYw@+}K3^j>1VOrr@hI^6HOVbDY}lMtmEqAp7Q1QMTVg^$LKv1J)Buit)>? z=w_!-mM%**s+O1z-psRCH2~9L`vPy4$76JqttnW;>UCz(AwNz?GScwq8Xg6DB40ju z6Aj~Zdn!qg1llpA<JHW`e$MEGQGn4zZZ2Q4yW{(Al;<Lvf_d8%HyEWRC1VN*4wrLd z@R_p~G(7?2MgtnAkI|rV8mulDRO(P3jzn7^0qHMLh(i?Y1FV=loS0TQbOSX63SD^h z8u<Hm9Oe0HB#eXQgDc>08{T^$;#fkl!UM!N@M1W{OwOF@9H!RT%Q*Uxm>CBIG0ZUP z7;Z^|4CPB3vsAwuac&F?=$3|(dfY(&kUY5(#_|ZkFnf>Cch7<Mu~qG&EOLhic}QLy zf3`pwhOdh=W33yY5hbzR89E>+QH?6teweBhI1~lm`lZ3^QvKBUgqDdxd5_1WutFhx z%-4+d!QZgNC73L*^C*6B^&x84p(SCTfrEr@2{eM^7ADnl=k-)btP6nBNIVM;VcG8> zF6AZ&hel^hM0^fj$0S>(k$4QS0re*1Zl(T6P3q!0A>UF^Bp(EV4cbgn*Y$CaE-eB% zCl=*c1&CFJa&dyKYo@mhoR4A~i62!drZ#8#o`W=-GKUMmAC$$Zg22zFHabnX3d;ow zz=vB}xZfdh!RW?)4(`2v-~QN+1JuK5gwY}7CzhVK2Sx}>nUF?wl82PpPpwA~GKwob z&B0GO$hC;%G^WBKqc)z0Su%<*-AgTV_%7T9;vy>Nap4Owl1=>_xR3U{D4|W$`Dt9) z9pQb{uwOHb{?!hKI^RHN4^<yP5DTF%l48B9$;mrPu(OG|jeDtnx0Zp$C?1O%^(~`= zS+ScccC-^JBb|w4+3#ZbFM2Gq$6TB84kf9)SaImigz|xw{|@%4`-1C(O5lruHwK;* zSgrj=`-pa*)~Bidm;1M=CH2+n_Z*RyFSR_iWt-!djt_YL)^odOmHP|s7rRHCKXAvL zCFeU^KiR4S-T$wyx453?ns5!d(#p@37pv{6Klu6J)7!q$_O~tnt-PbH(ssc6WA7Wi zXT94zKXA-BGLBaDA@$|z6V=_2;@D=fpRkYy-~-krHvK#s<$goXV@o8WJjnhjaUU$U z-!T(r44u4qBalyEpHnYc?d(7T3hLJM4nb1|79ytn>~iPTvP?iX5g`aMB(40%Dj>l` zBU*YgaD%DDQZeP{jwdKCg>9#D40N3fKn7G1Y(@6q5P}8qV9*$2YLt!o#{Eg29*%^i z<5=ZAD5t^l2|sj}eO*Qa#(LOc9=KaA*jv?InZXy+KuNj;;?(K^h+iwhK`?<k1fm2w z(kZA%#A5*cLEIX_v9m*c9f%rbsM24~+t+D=VbR$$pnMnVOZh9;8W3+63~^>A4#O8s zTp>4sm>)~PCBFhVAK-R?!j~byKyiyHPi7~$F|{(lV3Ro#9&YSEL~1Hb;m|L;#tQj~ zQ2>SEGm0wTVH~E>WQs5&xYEmX#Y;@Gi4I`58=E~C-kC!|K1m=_7*6jMz73<Fi<Eft zQgBwEEHJ5$ushk?$kop6t5u_~8bMZyxsPWQWA(|IqG$(V(PRXfg|st{t&E)k-wJ+a z5QR?pP=ajamdR5@L^9Ecymn-VVbC;$U5Io7Eh~It<bDBiT0O&lC3#&6c7>%jL$zrK 
z86m&;e9e(yb5&eDCr>?RaxkmF!cO1cM26cgcy&fQ$i0Ht40VQW<MNv@cz{!z9}%*t z9Ei9yiHb=8-%ogcpj=@vn(F_zxYKCy+!R3$Be-NT0Dk>+6%Z3@m1Zxs{mE;9zIF7L zM{?69uQD{R8?)Isq*$b9Py@`OdaJN*l#2j<BIU&y1bkp&dE&%sU<6y(t|m=!r?(@3 z0LM(^zL0o!C?XUz3DJDU7L{P?MI;&G{!m^g@W4i6kQqlC2E0d>I76o6*eaaaM(1Sf zk!!J7*<DKiH=ZK+h(Q}x0v=_fku*zfw{JcOcCgmxq;f_|j_I5t2OK%4-jW1J-5A$} z<wGe?_Gg?U=7O2tC|aw1hqECP;J^i05=3eaO5qfzsDx-t`LtwjywcU81R`|Ei7xgG z3}v&^z;Kf34`)tFsH0JmJTqzau<#4Xb*biv8?j&Dq<{nj&1z<@3p)mW<Q#EN@Bw(= znSlt!up9>}3Tl<|^z8`60U4I0?nx!_CWgWo{LJF=WSHxcRyw$$kXgoH`6A{k1*2yy z5mViY(lT6qfSZ47QlLqJM?!&<E*-db<51e10c7qWZw6h)Y;hk&b`6px*h7Hps<y7} z^4SDPVh0>6h<%8wZys^!2>o5)6X8evjp6~9t}<U@tPDa)mT1qC2C<tt($E}gl^Jke zYnEhhYGoHfv4}T{G0fYz*5oX0)#Ft{@O9aN!y(Bdr3wO(hhP*~0}Am$)&}L<jER8s zN2(w#m?eUxfvZo%W9s#zE*;?nvJP%#d!`GymX_QmE?jB1WFs&5@)*qG0C=#^mG3I^ zB1=NKfm*H}yw-WZ`Ud1O%TWh|GudcoC=4-^N~t$+pp`Kk#QsbmScU;qvLd2;Nhwy3 zGRV@XNCxI9ilwTq3jkRHArr$4{4na;dqeOIaL8$OF9+ZlHAt?7so9oCKqeaSaF`{k z*%VRulAy<Mv?ENIH~==~5K9dxG(qu`fZ!yfDOF>1(|+Cp*wz%xkf-jbAxXuCI%^ln zH{vcQC)FJ@DL5pN+)DL#BK@DtuqeJkmm>Oru)vk+q6Pw!?3Gw#ZyQ*^b;{=y`261y ze0uP<pd;`uVEj)9x>Q%dtNj$(|C^xyk7+|%(EmRFi~J}3F@M1K1>bq!E?=PS>ut|$ z%eFa{&v}33eXsXU??LYh&$m1u@aUd|<I|oM>OJnyyI<!%scv<zYW-I0+gqQ}nr&V0 zdf4@9U;(x`|Ht`J=RL}gokyI`mQS|4v*oUq-7Nvf&mB*4tW^I){oqA#rz@RXHHQ&0 z-YpJN4=99aQT1&cQEvD=47H(epZdnQ^QP5~L(pHO|5ro?5Y@3p&|^wP@>Q~@0r5Jp z%th4K@M@tm(k1W(8|s=Ci}fGNf-EGpF@leisj3`>P?P{*?`6DeBoHdp1BCnO(Cvts zq%}8Sfwi!6^bRH|!RG2qSQ;I|IpK7Vr1yeL&`}R<GL?%PdpnRXj<XeXFpdfJF-Nio z)ua!R=|uuUm>v=l@dU$yaE1Sg^9(lx{+sl~i%(1>Qy*O|><L2x7%)q*e_&J;Vr)cn zY^g>JQ35_YvGX${37`#PiKO}*4u2Y~;vt6ZNW=wa)Ms+gj{F?%C35nP=4B7cD<Z(h ztBdglOULmvt5rjJN{niQv<n@03}!iL*Q6Z*g9`GD7N=sc9Yql+mFKws>b3|*6GkJ8 z+ak<msw{G%m6K%UO+?j^<p{1-$@x4sJAse`NbH#z2C`y9F5Yt_y-l|X(}U4eX!J|Y zF(xyWUCU5Lqpx}W6w;qD%*qOC6NKG%#n{n0tmnuqwKcj$6t);lLU}5~GmUOwh`@Q1 zEgCpR(}X_H#MMqdIt^QqEu%0+pa3iwX=DV)jmX0)23vItVA*EQ<>AV;dyOoYWRmO_ z$PclNv2n&1$&4?M)*~Wx-&%CKh@uF=Kq4IV7@J$nMsi-0*iUrQ!BJqEq1^>QK0~C1 
zpBAaL$XKej?m@;~wYK$Q9KF&<JQ|^x%i0dWXS!}2%;5$$$wZ40!-e@c)?8~Fz;8<w zqdA)`q)R!2iKe3&^)j}P)HXb{zc17k8rt8NOuz(*Wn0eIdtJ4Ci2gKt2DA;c�HO zk*l`uby?DQSxz!r81C&999SvXewGQlgwgaOeC^U(pI_*rAS)*fWf#0Cl+Uv8V_Xz$ zAt7%tdFO#=fsHc`YeO=cRG!D?HKQVJEV>FvHLjN5aMO{o7+c5MrieNLCN!qr!ZDzO zCgeuKIAbtSVJ9o^6G2vBv~)p2MjM}<fZdRiRv^}&uL+>+OC)DVnG1_fxu95_gZ*4^ zLF8eGrqy1y{~CQ&+big9<;v{41>a}cg>?%ca1c}xQICkB;>OF11tpWj#9SQlU@(6x zKVrr(P$NxMZ$ijt5{4X2A?6wu;^)R752yo+O0Oz&v8JO4YgY$2hQe_DQFf{+4qmmh zvpHn34oB0eyZK-q7CAJ9DNo?oOdB`0GhMPs4>!xk?`fQD#C?|G$AB{|`GhVUOx4zb z#KFPIB&BXKfP4(0SU_!`WAVq3jiv?91$$FI1xt2twR+*~VAf7)m`_jU<-3Z{+){dj zmxIsT*2NBlIj1#E!|Q=Lahfuj?o8u=i+%*xz-a@w=xiDJ0)<r?Ivxc;;0&-(N9kfR z$+&VK-v~yF@+^tm><qEO{MiQ}LgwSjd5$77>XY0DvlvI%j)c~qngzGx&AQ%-H^jw) z=p^<lP>gyqo>ZPD90^7*Fs$OECTKz|J?TxPe$Bxl(>dN5l2Bh9YY9z2svM+yi6#@O zgGG{lBi$iMX;y9X!r&8?Gg>1fE)HW%-N_P^*_If#$aaox5(i`rsXvq-3K~IRD<Ly{ zmUW9QtlS-)5}s59+e4;;$_5r3SN?*{pZ!=eI8U*Yi5*oXcC8kjWLn@PqqxzEygmT< zfS-_1DBW)y+kmUFM;IylbEoq_0FhA?>~sz>OJ{-m;AFkhmMqmMsFMUU!qU@PVY^Ta z`y>QL3XqJYlgj5gD@;G^sgzGhqG50ji9rx7ip5?lfe(zP6ioy>I^v5dRZ%Re{58vF zGGU=iUw9cKzoB5@L|5|yk-Ts@&lcspU9c&QpfKJBz`w)q5>sOgd8b-N!bO>baV1|4 zRKRdnf-zQe`xtx^v2;Scg54HW(Nx5va1tgEE%;J%2-cNo@dzOTMb$1g;!+39GZ&ZF zQf9+k&3+APOScwzlqTljFae*ADlcIngUX1@Us(N8UWjNqmv{r9djG%xzsQ`IoIyAm zS#^s`?~py=o_ch$Aj{OsT^t}t)1qtMytR$xlSGvHKCj?tA+9X+R@l<3mr-UQy^?J= zwu;s|3DGv8hHLu*SxE=Bs3S9dUamPSN~-0Y!@1r49e3V6;NIb0(fZxi2U;tfq3>bW z1FnM0?fiG=m!0o$KhW}Pyb$n-z^?+Y3Ea~1fc8P{yf&;|t7-mk2SWaWKkEB!%Q@d) zBQBuJw+tBozSQ>Cw#l}B@Bi_>$NMC2x7Y3Ytmi(@?v~HByrty@Ez>OnEgKv^aQuy9 z#IZ&FwfYhD8S0R_L0zVNP5Hp$b$|Cgi?7?P*`&aq1qI?dC&WFl7V10#@S-<BY~Tx$ z!Q=+sP$oF)Gc?fyI;T>-Yq^vi44GkxlE=P*Y`4xCNQ=uQkivKh#jveh5P*R`de0EX zXcn<J5NI>0{cO2}ynxY63ezR|r%6^LixmC0G-;91UI<>4;l%f8CAPFR3F(~rG`w6U zTdB>#g0WqqbK2A8K+<u%7=CqyuF!ZlBBwehFz7MnO6tht?_t>6s&?p509r<~81~8H z9c*nPQ2?oAkUJW`?1JDR!EiNtn*g^>$#j(*L}y2<?tLPC{Tw1kfRKzNFDfx!>~8Ag zm?l+-MX4LzPvBJoGLy9io4$ax;lP;-DjbQssEb=PB=5mq%~ZwU(AKNDfsw8|e=aw1 
z&7IVWaLF9(FVURPbRfk+t}&AVbj(pb<kuFluoTzIsMQAHvWYvyKx9;|S#{wU-pDy> zmDQvkWTU`*8dLjOYOxcUqp?#GvH3DHEt{okD*(PEd|{jtP+c}dzgi98ARFbRiEdw+ zemlFIqP!v*89M^J5hTjOB$CO^gbq*&;UkB-*aN{xXF^y&UghMN`-)j?U`2`PoEZ4X za;bnA=YM`p1<h_L@zxHu1APXNVJs_wjK()Zo3MmsgtI`27vcUET7N>QE0lrM8kv1p z@6)fLsoe#bEda{#=t014YRq8B7=TQA@?nA5sdF$30CFJ2;91H!3bm$JZ>MhV)?|>j zxw6QRu%sAoeFOCaR4$>k5=oh9@WQD9)B4raFb4!aXATuuV4*FriI|WLQ;kxM?$Fm$ z%hQ@n8+yT()yYQF`a1DpnLYG^&CT4Pdv&DPXUw(GJT6LWxn5t(yTc6-G$Z^BC#0z$ zghm#R>|3K>MMDZ}(x6^zXYbZI&Hk(=U-J@I#?l@FTd#9I{<J3Za8WKVGqM|A5QfcP zp>rmF3bbPNhJ<BvMyqvBwBMmg?Sl#}m1MQPisk@-w!mCf1F^bv&Xj)yaDHfv46LO9 zHa5~z{tPIHI5WUaQm7+oI2}85PMDu<m!2c~+69yx`vL3FIjMdx2FvNr7Rrd`f3p%^ z^i7)7ImLd@M)C|HEii68SVd%%4qe*FA4XRo^mTyKwwN+VQs>0`JsYLP(J(cd+6|FX z*d(iN*u6TZ<3GMpTG<wBl&ku9;IgI43fJnKqd&Ycf{14fS!9VrMgtPJaPe1le}&G8 z`mt>U)VK<Myiw;A`~Y8zYz6bDGuWbQw1x15kjOfBf!uW4bw5=vXh;zW=e&r_>7q-O zBZb&&3`egOs#9e`7}R}yf|qF$Y1J!0evbgM72Ip#t1~*kf^cN5wCD6+(C}mKl>IuV z^S=kwWH-&=#kzS0bdR{g5M~CDWh&i=MBEHzt2L}mP*kSn{1NU-pns7a)X4Z%LSn;m zpYG-!TX5mP_Lz!D>4XJ|C8p&GzF$c!`qasa`*nUS;2uPiGMd=nx=ThQqd)TC<4;0w zrCoG%xin@PvcW=jPe=!C%D*f7l}{<bp9Q}Wd>j1#NyPlWBk<I~wc0ndd$fq=@c+>N zSz!Oq`v?4C-%ow-^F7hGAKCtY-1hdib8WreUwJ?1eZBH2@6)^|y*oU=^1RJ+#<Riw z8|3(#aVON?)^D`F4bcDttwGmAt|z!IbN<}<3Fk|llg_S|pS66b<;932IMb47@i_j; z@fycjM?(Fj`Z5gZV*aozAS*>CliNq5a7(4r>KoAIEf>@6BHG;G($}nZP;?4x^ry&` zR4SaDg}IaQ1e|t3r2a5K2l6#YATl81!CnQ`0{;n=0mZ|B1wfyQsc%BJYsIUbk4hY= zj7uHkc!HzTtZv$Yzm|C)rv>jNgvm=rzXXbf@LYrkj>i+q>)8*w#17c9DSJ?#&k+;D zl;}bx*@D4R1jm35#<LqSL?FduN%cB*_zhE9+;BA+g}s@)p2jMl;+%cM1W!e{9?Z~4 zEzFrukeV3|Qt1()iIovkioB+<jHZ#x`*Y$O6m*L-XeDyWacTfu>Cjmd@KZ)pNwv&S zuVJ&Uu<fy=jwpD_)@gcx5Ov5-AmqiTn6^YpEpZB)VNQxjL4}C=fld`yz7a%%6BQ4E z$R|OZY}3t(=vJbBtyP$$dBiCz@8|TVS<_?;VT5Ymi7Ye1%uVu$Fd;|PI0I>`k^o?* zUN{SY%pRaVjnk%7wO>N>os10-K}!aS8U(e;;J52-wX6MtRUuI_bgGA8TB2{u1BTwo zc}bRL5izxwJshH%;jlESq`)cS$+)_I+@%AkFDkJlM2=FvhQrl4-H}EC!E+3KgP#R2 zMC7JOM-Y)kc_?#}<i3!8Rys`libEVBw8&hq{6VsfQ^>l{ArH`rWdbb$_%hPxn2E^Y 
zvf{UPfvFoQfYsn$v&v{gAj(d?mTmM)43(1sb_aGNyQ(^G+xY|a=tUrW{2;sBsJ$(s z6$)P=jAI~N(bA@spl}d)=x=1pf5R4y8@!GYgVX?KZ#alUn|eA7E`{vz6G+A!$3jNq zQRU5x<jb^6grdDDzC0-o5k?@h^qUy;F!WaT2tlyqB_!AYlz2{T%I^lm;%VhWwe52T zhJ8`()fcmipD1u@W(Hj&8pFDA$Q~o|TG#MOF|`bEm$6txy`A|T^+BEiFi??w&KN7_ z&LgK7%!A6ug}<LF(`i71u|m~LIgBolNmQ-)2T{>@mkCMKaJXX1d-(RDzBZmXh)}bQ zA-V#`3U@HQ78p6*285w0n6qCm4(|HJ&pwqQ`%6@vU`z%LVm%?);KIu<p%-%bN01-( zG`q|UfrII5iz>pak3d*P)p5>!X4Dcl3DZ$Rq>XxGRpJY!4jY*RI>;z~{Ys?$hls(D z4a?!9e1;)KrcI{|XC(0)ED3{6tN9hBTFn4LqX<X4*-BcUmTU=<7Nrt{AF_*i7EnGR zxQ?CFS(zVz!bOaCzG>u0TLE2~9L1b#L*&XR$G|aC$b0(%#usG`=15y|5PAD@NYUL( zaErWXir)eD3q66smJ#F-dm=+)xgjnDOJ}DG(x$LW&0hT*$!Ns=!LDZt<R-8SF<!EV z!DS2>XI$-Lsl)7<76Fmb5SwIHoZ9z0=;^2^-Yxl^<OK2)Q27wc1L>pDqYxxZ8kUk6 zCG){ydXRnb;=9&->TM8mO3I5EY$NOATH;qvFqa~yc%o=e0vDK~Gh`P8b(Vo0MMC6g zO8FpzrDby&U(Q)dk^Ua0MUZ$OBWYy~WMa*C0Z>m?OyYtvwwmulBy@-X2T5?EPp)z% zHQYHw1lkA|<lq{4H*g6N2iGr2t+)mWxCHDYoT~I}5TQHqKCbdshPcSCY$*?wuU~<% zU-||IY>P7@L!-M{7R^!^owZD2?TDAcT1W2!0v&+~#+CmTU=3+3$#+R3i8yQ`HWv~g zS%iRDpp6o?-02Vo5vj|fX#!DJl;nENae8XQVRQ$qE3Ds80r-Jwvv0U=#RD{On-`|V zE5sO@@d;$cm>Qp@Q!jZrd7oi{Q?HVYTUd6`>B7BdZ#aOs0rLy8vnbxJK{gw8?QJd{ z@4Xm9wa?gyG9VBl4y|#cz+#HXG%OJdvDjVN{^7x{zJ5DUuY=^W1lW2=oHjXB+fp1H z2BeuOOPeeKobT0wqgqvA^%H@<;#5-3K)fuit{3_A%n{R~(w;P~?Og5qJ~AG%fQ(^g zzyu`@A$J^}-5X8exZ_=N<v)dNKEJ_Cn$(o%XI=U#>^osedxXv;>6yC6AQTzru$?S4 zius%ro|MHkmr!2I&mxhJ&3G2+uP?zvNh&!iq|ahjYw;_)92q6}5MBTr3Pu7y44j1S z|9kCI+EcX~v@QN$`akV|iT`&0UjJpjZ~30%oA%w{i~25U`+nPN+s4{9cz@!37qb5K zdzX8@@A-n~WkCLiJgs=^?+*8Mt-o%4f9vC0{jPs@J=e9@)#iN2sXIHIftLSlc^6*# zJB*0`FGK5p;vzKcW|coP3iRllW$DZc`Bci%-&mm}idXBLkZP+YpC>UrZB_R`L?0p3 zR#ubGy3n_3E-7-)(6)x^%@4rD^pn)&7`y}=^=}y1tk}^883I7!y^oB{F`aWs9fRM2 z<E)I&E*O&)(@%)8Qd(|=@ZNxn8MzoG8x2#CD+|X}FVt++Ib~E{lWz-klakeK;S?<q zvA*p}ol{1w)1>jivPN94-%2l=Mvd3AZFlHVo%2VX*$SbS^2?iv<t29%k;Qan&X<@T zAYWT_ml2sUpx;chr=*b-te-JcU{+(FSo|?Dt5PIv++#xL6jQgr_s?1P_d!yF&;coe z0F<`jR!5d3^&4p*$2FM>-<%*Eu?svsG1IRfV_ULMi;9OMsNo}cS749MIi<?TEW|IC 
z^bqcOX>Xk*bWS>jhk6k(f`=)4kOHFS8B0?6YM-$@q7M@V?rxW9{7njwg-eLyi+TmX z?!UTK&kFYhUVi5U!6Jd>Bgr&u?>?yy(U5!F<x_w?nAd!-1=`yU>PN(|kmm@Fyma!B zV@NmagEW*rW;w_@bre?JY<G5;&!64t%ldYY&iScw7&u!X7jLq(Por1o6jpa@GN5d* zaXi`u!wgpH{o=XyItBAK{SeJ+<R+P4Kzf%f_6u!eo{R)i4!?jJaJi10SHyDak?C>$ zI{Nlaa2K<xu(%E{(fg>?a=2*eEyxr+e4BO7MAgTO4U@*gc8|2qS*L&n5D&WG0Lmv> zYD4je+u2`$N$H$%>I7q1@TQBsCH{N<H(<JSPB?W0AOe2e#cDY3D=<1|nmWc)!rLxZ ziv`|+N$8w!>gaO$yo=Rn{+D1tzTNs>qUafoUcQ6{i^#V$)7LJY^HCL%3XD}rxsr=l zLAUFBXb1%e3Ty>fn(1JZ&iQun1i3JpFJM-`O5a5v>cUEJv`bwS%zAw%RRI0~#DG<c z0ej}{BCVS%^&M1c9lZ8*y3+?{;fh2Ie7?L!-%cfAcxw@&6p7ZppLs~%#*7JB@Px&T zh<)*9x0t?_K1Yx-z&p~MQWK&9*-h=>mJtaL7OL82JwuK9IOi{df{c4W1SQa5Y?o-c zT~AZ(otk`0z$P<<pr)HCNW*%H>h*J?O2nhcdKgLL#|FCeB-KBH+=u*%fK}hvwqiUY zNPxtT4SIrFtlKEx1pqKaJ|s}pBBjTv+6n9iig!xN8_8V5d2{A()ML~T*%ieraq~YT z7ty0sGs`>(mI=Av7qVgO)+5y941_W^?uaI2+g+?xs7vpn9>7FI<{8PV7f4Zat=>s3 z4rtP1PJ2!6j(V$lQV&z*<C=WoS0I%x{2;Kd>RWhAmyy7hu#f3(#`m$|+O%xQxD3u5 zz~(RZV)0&sSq2`hNA_6zetk0y{vI4_enwSF%H*73>rx|&8?y7(Kf}6Kzm__RV)O8u z6xJRyj0Su34yu8)hr(aFL`NylRo_Hi01<*NV5gERX%I`=DRA@J)qk?Ead6AE`bKJf zK$CU=X@01xY}yLi9P5?c$`_Tu=K?Qu9z+g+JG2it-mZ;mUgw+rUu-?%dZF6of46_u zb*cY=|EiWlzJGRPeE0f>d~IzXYnyA^>zMU^)%&3L@y;iC6Ri(<e&g!)e8&A6_p;!+ zmIpmA_IN#cwX7a@{2|ci`e)^f>hIJq1%Bsjb)R+bXt~GzUG*KFVaLYS=Py<3Qjaf$ zbh_E4BVXS!^2CaGBLbWv`4P;J!V7|x6(E@^zapeu%E2e>kjNhfTqf8To=Y6TQ`m@8 zfuZ+7HWrd(XZqdD^n|ckG4vU}M(i=%4(jF=PQU_=<;vSa!`6GC_p%2>DtQ#1g##{P z$4NcGqVgG#7YVa|<55#U&VT|_x3d|R^w&YgRbvDMx`gRX1o>ywO&gH^4FrH+BTV6F z!nuPhn^Kh1T(GayjT~-ktJE_vlw~_D@1i)EBOY>B+Z{hZmOg%d1EN40rX?t9>Py)N zPJ}?T5d~DyNkz;VC;N~fva^U|D+2Y+2c2rs1%doh>JUdXQ)6BjnlsY@>Hew~gj8TF zuR;p%Xd&!T9pG#y)EaTKi1>s3y1G?uDwC*s$eC6yZ?wn6LvXxP$Y@X2%Nkc8tnQQx z8>*{#U{mf7NlTs^J@0{Z2I{Oiut^3<iNwPOSgR~huw^_TjU7Vq$*`CE*uu?g!0QAf zBMglcbJzvh5{75W&P6Xgk@pKxdaCEBOUJv~GF+gL@5;-hF)W6#nG}XrBlw+vX~z7~ z(+!;6)QENNpm&-e&#BIuVUWIOq;U*wqFy?L2^I)nm{!wji)V+jtcsv%q$^W-Q5KhB zRpw;fZyu=GDfj`AnpK#$C-5}y>@=N5SnSIL#mvC+`xKE7Xi;lV1_L9JU~y^-x<c<* 
zU)rd4v4nOXo)IW>I9M{R-p^hl`b16MMAqX>CM&Zjs^`Um9A(S*qsC|MG*3u=8YwLi z1`RX1M93f{8Xg9m7<eq`gBFsW-i(eQ1a$5$mp)#_02h&TX$y`%fah=~fM1v_Nr+e+ z>_;ZHB7Yh?isNTNVLG>P?H8sZ$SRH~L3N5FD2aSkhtkelrRS*bxf-_bBPq&l?4`On zUn)|}g=Ge+c|TMfvXDUN%$5Z_DUwicHfeW`-k%V|5KM^lH9~#R!J=e1z~0Zu#OjE_ z0cIekX4$+h&lg+;xjV$pM-EZs@+o6PWdb2$y2|f4(Ahe?T!W4cA{b$_!N}pP<#);H z@n}%2L}FGt5><Y|yWVO^zC<aH3r>pNbQ-TDQa+=Y@)M?qIVAoJ8wIg*xg}@Zw47H` z42Z&8fshB~$Lyv)2EM{KAheLvB&txx4Ga^BFv2i_DF4dLYf+|0X{J=Z6=-YBRgKF+ zD&Wc|_{BBZH*8t-v^S7WwwzP+tRQ6w;5!W2AR<wpy$w|!q3kJ?&6oUtbclsPiZ>t9 zWYC4{tzJ9kex#{T>H&G5%5W>?1q_nGHeE_Gb|Z!RX6N;S*Ues#WyJ>Qc`as)k1Q{@ zOz?dj2X@l&A~{h)JgVM{kx$C(78!h~rlh#-Ow+CWh@Web55nx=_mufNi^`BKQ)>6( z>eU2c_(~<&N2U}9pAjDPx`)!L88^YeXfG!4RK#99R>)MA_p|Y|7VH!Rz$=s|1sDz- zV7!Pl3Km8WNp)}+$CB$sA~-P-mH{Q7!f@n0LU>M=aBBG@<q#^zkRBJRUc{6FE~sZq zom_dhwMi&6jzmD(;I;)LJdxbVkVE)$1O=0DB~!qHbCM$Qwu#&&G!>4tmx<A9`lF<8 z^yUNPL&~xNgc}+4N~lb8LHJT4wZ+_R)%UR_(jny-$t7{d>d^-myfo#D9JwAmzRIgr zTYC|&d&svzPO?XzzKCrgv**i{`iBzE<Dz?+5`Z69t(m>KFYu~87=Jtnr2%<+slyA3 zm5UWEq(~7K5$22Qny#qDh%FJkDhfdFMiB?keP3jjewpaM58@o<UBB2rix#E9b1x`L zKfr(*o)s9sVbaHus7{S&TSTDCkhSLk!`i6b{FZm}2*NzC{FAsBNl9YayRrK7YJnlV zXn}hkiTjnt{R2pdycocz@Oar2U>vMc5gV|9C`s}l$5bpC-6V3R3F<%sL}rZ=9-D;R z7AEl&T9kN<l|5{@;Al(DPKmz(FiMG~%k(}~3aNg!Xjtz(%G;FS`-4vk?g?HR_@UYp zcrfsUz;5ji+Ph$mI;vfw{K5Zs{=e{_@UQo~d>`|@+&Akx;B&UUS9x38Y}=LIS9mjc z^Y0%$PxjmZ<o_4lFL3v`9jzZ~y}k8dYYe#mFS_3EdZBB-^LNfqI_I1@=h~Kc1NFZK zum8Q&k#&R}tJH_p`xd|L`YQa&+}$fA4v&mh7X#xX|MT7oyIxPU%aq^J&>}gvbq;wk zgk?b73O%+b6!uiuVRvAw%v5RQiiDBX=I@kADjT~jZ#;hqo5<W7t0U(wE+Jl(wKI91 zW15b0Bs6TwfT&`h0dia)G+XtE?XvS6?u6)8cB7=(U4LF9%hFc)yG-NB^q%K<COncS zo{W>RHA{XZZ|8X*eeI&2zC)J9(cR}cTK<gI=<T~j!QKn!y}T?vcuxoHHX7|Q;c1+~ zed$;A{EyRz&wFUL{Tz1)WtWckLOSutc@e^thL0giJ_hCo7qW;f_UfXUkygC>JVzCs zK|nJwW$DP?LJ_79q?)u#C#I1H!5fgjio}qRz!CN{l&m<<p-yWwys$&>Ss3Q9!{?n$ zTkTPLJ1pOMo`a(YjCZ_<9<}lXu|iXYKX~3j6t_P`b%Ff5q|r5eit6xrPB$>Jbx99M zv6|TU47H!<WCaw04v1+aW8*iVz4e~$rImYV4l51n?%D-QW2VBn21eK`4CHIpz&?;v 
zxiD5XRN)i@ady%`EZU0)d3ZGkO^tDRg)<7Q!ed$Rkfjp%Brx}DE1V=C3ZpYUWfK9C z=jee0$WR$R);D}`-%$6lqm?^(!B@kt%GT6J$!4;%!U+T>am?BLLF>L0tI4hkXB8*{ zNdw<xJaPc(3m_0f4&;}ftL%Z&+E6V^4pcb7z+8J;JWnAn5vhq-)=0jHjXR~z(r8=Z zxgC|Ww5r*5`38&uBU<3K7<=>n$}Cgb2f!4YCLf`Jv#T;g!#TokZ9q!Q3Cf@eXriRI z*dE^4T;YrdeHZ}8Oj*HF20874RXZvrK8TtOlCo-(AyT%OKeTFRg%gqBo}ieLcxtIH zlf)|1^!a1FfsppOTRfUZwgGxd6cz_kzlb5yx=W>Nq*7!WQye<rrV;bm!0Npr)O4Z_ zV8M6-a*3JH@2X7kSH=N>VEdZQsqx3R>D^G7<gc&MWJn_W2N#NPTx29oPi2BAK8Htb zIUqxba4cUfAr51I<#z66xeRKdUX~sa1E<EG3O|Qj#{L5=JD#A9mKdF~xpIoe(x=Hl z#Nh>_727NP*eG1)B1j}_4?nW0e;X@f)N6Nbz4|DU?Ug*$1U^D!7p_h#O#7FOg!7~% zzM{e~OvJs5XTf`5eK(&9-&SGt<v6Y)&OTh-^#w8(cU2gNc?2&V1I!kW8*lpI`Dd_c zgBgg}8JLsd>R4A{U@0E%6A38@5-RwN743Or<?*~R*Fg}4N)(OsP`s!45c(r|GktG` zah2zAy8&&UVHDShCG5**JPj)oE>xsOsk3CSsxZK^9qUF>Zd(r`PRp=B?yCS|Nf}d8 zNV<q@heqT%WF@<?n+>~IHW4xy+QbjC;(<9fjREW5Q(-vf9Hc)^+Bzt*m?8vmDH&gP zRTz8;Tn_oFBZ(y&-M3X3YYF~@VE|PmkcKrp&@xiX*~loRXoV4%M<tmubna{_Z{xVZ z$}u7zk`du%f!$ZiC2SF1Aer)}3L_$WH2Fw?p`*bpT>Ff`<_e=A`v4W-Hv){RjUN)& zS;^9PCN=3mAn9W%euo_u1~8sx^bDM%)P4yr)m@b%^!cJD6XHUegp4~`?R>F4$w=}) z1az_*AYT<OZq4~-WvlvC#TRS)L)%x{9&9_^wx?~a_nUZ^?^)hy@342P=f6Gg_l$bh zxgT;r!L9l3X`O71yT0Xmi!0;&gY#p)UpjAgZbU}EC$;Qx{K4@l$4eYHIM%6O4gP<@ z=LL@i+XMd=cyHjjfnxzx`>gf~?MBV*|GNLx{>S@+)fzvBfIpg7y}tVQ&A(kF1$rw| z3zsiL?7zr|C1MrU!jB>C3Hz*RgI>_T-CbeTdlsTT9ve=}r&aCXVVTC9aikEmD4>h7 z;_}%6Ob$0gXNA*;3;+ksZ&ip1(C&sQ1vYE=ir@$$H=fwe<w%7!=qz93FiKngwRzp@ zyDM%wK4+jl@k>#LplyW-T<D3ZofTG)C&2(Y;kwC>7MZ90P=(dwa=U!3(HMb<B|B^8 zse#FTzIPt&fZ(GQp;ZH*D17@DZMdvP3PdWbTm#T15C9f!Nkngm6*y9H@FlG+m#K-3 zj3gJE;dtLbw)N%8s)pwwQDJ=<n12!CYKFGTtA@n)S(50h17g!UtIxMAPe5x0>RmjF zO}19PP^`qs)y*)H8U2YoyWJaQIDeKeaMG~JO7JMA3o!HPY=Nj6)>%J4uv|K!O|Nhx zM>U3dM1O*@2$*3qnh~fyb2_;a#D%l)sN!5va#*;;VISe7bK)HV3JM($-C39hENSv& zxdVNsbyoFr4Cg}_E1MT6qE>kA$Ui+#+-q3poPhn1GXZBo#=HweUHWcQrW-EzAL*A9 z`W;NIJ|La(VnZg?H$DZitP2cBSd!#<%!fF-cQL_)n<k(@PH=VNRP<C2&}ZWzJZsP~ zte@l0t<n<o#6&bc@8^i7^fjy#<>Iq^{SpdjB7TPU@9Vf;Kg->^p<Y4!jK%h145y{h 
z2xk>~mZ8xymOw(e=Lv`0qt6nH1e_7_IP?`c#*^Hq)frS07^Z4QR~CT88}%6;&^l=7 z96|Z$g=A)QHZ&Yxo<x{xED;w|HHXy&&6^%lqSFs7Fh6$4`xD!Eht5`q{BnuPuvi*X zWkDbZnqRK7)!}N`)hX3udOzVq#79=?Y*1(i=$fAi<|4_6R_jF~X9p}JuvTSaTxO2< z3Vn)7H{v$o*F?G0d|_0dq{9B?5*T6)xG{bNgWRRFqFsbC#b6MVU5wFa7Xc!<N@r(F z7vSprq5>lh?Jq5C(pd@b5#m8AE;25{9WJBGh4F-U$6lS)>~kDOkW41TT2)uXLh&hq zbXv2Qgz5maIV;*bd2a)_G9RwxYMoW=t$@*k&goRYkq{p&&WbRP>a1YzY)9@ApiW|z zeV<fjJijHMN3&bkI&@aGd-<wK$K%y)s#PEGsdWqTsx$f=AC2o*(6eii<fFlHMC!qM zmV-A`Iw%-;RfUb!YnKZ!XTrQ-aK9X`tl{x!U`ZHH#7GNx(UI<ZDpv~j5r?`9nMA6) zxQmgP35=1hojI^JFb{$?*w~W^oJ>_#Qx_Cf1E!oba<ySkLCrDVy5Q6}0Lt<cIHP&w z?42lYs&Jx5D1A6h$bWwbEf^~S1*;}Q{^80hW8TQwhk46!B4VDB8B#p|$f+sP{-Hq$ z8I*Piv?)dz33L%n2Dc|tvW!4Kznlg=$8s3VDvRz<_-<t$pm2qgNA@$MKZ8+;^Z>Z2 zPtM{Q1tJ)R0C(jm0^l*ANab<#)vP8T<EfQK8$8>St*qdguf(y0i7_2Ngv+7}QUJ*U z#3d+CExnep$pn(hERh|A2+Z-z*jADQDK%s&m(f5*H2Jts?LZcI4(OW7a%#F878uxe zGV$7`=7T_+E0<EmJ|xk@?U~HfRjhgvXlrE|)y^ZFgkSint-a8rKwXtfs4W@5`5Aeb z1c>zVa*@}1)qC?>E9`a6BkeNGGpTfSi-q6WzNW&S*WGYr0q`A9&ii6?cZJ=tvmgM; zb})R~hjngIuMfI{>y)blzb7VD3jQwmtKc(({}KFg@CQLX`0e1o1iu(820t78c<@8e z=ieE8F!+YxYl0ht_XqC^&ISv?k>GLY_(y`_;OgLtU@+(nwgi4(|IdOPuvyroK$8MZ z3N$Iuq(GAbO$szA(4;_<0!<1uDbS?ApMU~qo<at?;!`fe&&j8_@$>Zkcj4#l_fO*I z$o(gSad?*KPshD0@$;7Zhl0;luHxU!_v6_8l#~DHeG~Y3<i5lBId~sEadqfEikZE- zf*;DkduQ;o_uc{gyjJhP&+xrb{M>vqeq4%wtN&bceiXmxI^T_-Th7zxH=TFk=f(;- zNY+(`@pDauKGI*g1V7j61^m29r;i`d6ZqM#(-b#60YCQU@#FG6_;K0g4$qttaCbWJ zm+9b0U{m0ozVB)GYyaZCQ;Yll!TWX3GSBPXoo)Ase^9IWr%8b(1)3CSQlLqJ$DRV- zN%cK{+EEnr<K82RvZ9h#95*B3X!isH)3=4zb6f>5sC|PWcxmJdSnG$2#fkOu88ph3 zFin}tMJ*#UHv2iLOvbB=*8%{y7@g}3g@Ag3V+@Z}PtC{-B-dpJySnl3;K4zo1Wq6% zt;!*h_ZWKVKh$*{Uck<BDrd6_+yQv2f&dpM31<p0I%4i69#eu#%bn|;Ye3D>5icS^ zSLiL(Gd$2Mav2T|WQWDXdPNo;egK0VYg9xTlPOMfnzEz=^$u98@oRzn$&YrfZ}}hZ zq!L-;%8lu}ym;()g+5n3F!3Oz@HAVr4~0Wnyx@+PGK#ZhJV`ESShXUAT{4JE2{mTm zzMGjXkzdd9@$v5`ks0GueqtK1AelV{SRw-Z(8~q6sX0J0M)ReKIm$3HT`D4lHv-PF zsFZJ%-i4bfV$MJJ#}$gVH2<tT?(NWB+8RxB9PR_<GLZ;Eq(Wzt+3s*O9kMc>HH_e~ 
z<Gy$-c##Zm++<}$s6sCu-K4Ma9w3qxt4Y>_oIz#4ZTk@!pPLyuCCGx!Hj)n=9o`?# zFd&HNLx>d+iIW$SvyrnCncG!5K8X?pBMHqQ6o_hZ)^2QFxX_E7b_LiXyf4XX#1-I) z1V!kfr-@3&dk#Z9KU+OS01ZowusN73pTao+g{kLb`IA|AC^2^FBNam@SmHF{yU>dK zum-do0e75HN9MQ}%YjjmLlfR(5$9t)Fh7alZ_W}U(6JIW*3lUnK+tmDw%zl<S<}a; zM$W+2h&=k%H|QuJ?+0>Kz)^~gBcF5=JC&2`Q;FHF0FCkaF&=-z2E$~C+%o(hor$mD ztgZ$1u3Ya~(at;QSa$dT{TuEXx@j;Ri5mN$g*1fK*Lm9WTnzxQ+{}scsXX%P+%P*q zu}<{Zuk8^<E1_P9D~GaF+33#k&A=)ZJ^ugt&lLlnj?<0KZ4XY)@KE>RY=2)i+c$7H z)H85+f8V~|!^3^uhx&$Z3Uwde7wS7a+<RaMe=}&R`a#X>4|_Ta4f^cs4sQ)*W#nNW z5`D=uD1<+tbJuO8594iRc1bGe&^Av;cY`hm`;i$Yw2!jR93bTFR1OCsv==vy+5GN6 zpHc(Se%zIw6|1<n?(7ZO8`7PL&X`$$Fz}E<8uOp*&#KEk%a`+LdXDwt2`^(Lj;{po zRi5)F8^+>3v|_a+oyw$(bw)e48UrQ^fTEDi;j#FmwR}oh?(iwW>jN**zOSYH=Y3!D zwX}76pX>Ry$LoGt>sMQ^biEyK^=)vJ96swGb&K*5<yQQoD9#&|&p#GJ|D$~q6Z-WZ zt@A(Mj`NrM6dZ8;S);GveH!hIb;gZ-N}+Y-ZCzdCg_%>cCp#fGbqyRNL6oX?0S|hz z>ujPk(i!W*PvoWRirj%{vKyjdyPVQFIjVQ9^eG(&#CM9-a!>csa2%qV5H@hLcF&F$ zW<o>2A|YW{?LbD#rIAibU(-2WJlh34&+SNQRqmn(KEqb5SXX&kh*e<{VoJpc)IcVz zTsaR27{Q;fUdPXGp=38$Awi#aCOf0o2<-Px8j-%?aTsxQz7fYly=TFdLx7jz`JwU0 zYM3!>+YJ}mUE`NoYrIbKqFATNJTGRAqv0E3^zwknVab;eR#{QhKh|rT7n<Y$_VV#y zqcu#{?z^R&)5dG4Zwp}GA8)wtA(f;<Hdrk1oBco`LXxcB3bmv9lN?$aoZhKn@V)a5 zK2<Z$(0=5Hq}+gy)qqoX`+dr~onpLehKtkDNC;`T(%rEWdrK5ed}3k37SH9%)163f z)^+aOxiEB4;)daw;&d3<&bp|lE_6lzA8y#6KJ4==9eQv+f@MM%ls!Y62w00DAmN(G z0SmY+sd43w$BL>My{m2B+XmYt8R|Yde2~QRp6=m+p-_MK;qC*y{rJUWHR7bc#fuSl z&$kW<a~+`QTB_P(HQa>0+k@eb&o^AC8F|i`a>3p6Sj`}=54vgRyXTui%%r$X1yQec z(aVW{M!P<SB;{C??P5k}s%0$f`lvA_Bwd8uR77a=V<WckSoDa?I-(5*8wquf=B7DA z;leENPj$CMBl;HSLT5A@8Z6?;Amr|cehvbU<VW$i;bSAf5{dO#3x?a@aD#XEz`QUx z)O$nUz|m~z(7*v0Ee;P1_w6T+2n)tzax7_3dMDJ<c`k62XF}PVvctXop`+Q}KZ^lp z^q9I3mD8c4hqFg}dU~_j{YMW;N_P)q3WLMh$BN2nG7~*fEi1wA20t2neefB;`ws<^ z!IgpE2EG>fhrnM2^uS1<H?T3_)qbRXMtiIF0>rc&*Y;=|G>`vB{?Gc~>VLlfod0J3 zPR9d|=lDbZ7T*tipYXlO_iSIuH|$IKR<-@E?Hg_HZ+m6i`L=x9fwqn|AKnc7ocFEX z=Xqzn$Gls;t3AK>e9QAe&#OK6dd59{p3NT3{WJIH-ET)G!E^4L-8<Y@xs}%Mw0^kt 
zZ(E;&tb&JHJ6kVt{Q`Lf-|2dh>rU6Lu3fH>%i;W<^P|q!IiKd7a2`fN^Gor{;Fs{u z;7eMb&~jVLo|g43PR9=%pLCRwpJ1zFjYCzxuYO#8qxx*TPjF7XMcu82s_k3R&J-y| z>ZcY)d#F!es=iTg3(6SFKU80qHp&iF507j}DWgpNN`0ZJ5U5|S@72`!j?|Z#8vkH@ znQ8Fr#|KxF`OUIuMa{xZ4GK+r^u`8-5o02UtLH&$U=Bz9bbX=uN%d3pgEc>yT_XqU z5N3@;XVTJn)xHL$)<+LED7C(Nph2nmS@pWQ(nP1Zp2~L{l$tB5JlvqvTvFxR4NA>5 zRld`p)SQv>tp=s$jFfLQC^cuKe6OxFZd;&T4NA?P)g28=&7Rerb)_+De=8qtP-;=* zeGN)2YJ99gsYQ){Xi#d7S$TDXQgh78C+bS0oz|#6*PzrI)t4KTTBG{62Bp@hzSN-9 z8r4^7O5;_A`j!TzW?R)+R~ok&`GXBgt+w8}QriluFK<w4(n@V@P-@ajbu}n8X{CA^ zl$x|s-3>~uF)MYYwiQ&>2BqexlqWSPwMO-dYBm>*gI}AYI^CeDH7G|-DahDqm9D5O zO<EnRD;tzrZ68-xYWLw>)u7aBySA=0ZXHl{RfAG%d9P?tY7$ai-JsMW<eCPhCLz@; z8<bjOzPzp!*QRmTsF&51Ms3V&LxWQ5yP*c9R?q8dN~2hO^O9Gd*Pzt87GBVx)Vda4 z+@RE?v+|+_r6!$~r#2`x>8!l0L8&=k<s}VD&G{<NuPKdm+O7rVhYd=tp1;_j)av=G zb)`0@qI{%5sYQ(sHYl~I@u3E#7BxOlb9~{~uufUNK~rnU|5#Uw<u^8+^0QhYW~<e& z`qKJBv!(j7+QN+0Qu$qdq1jUT@7lt&)l#h!xzg5XRTA@TK3^#lL#;*1arN)(3$1Vd zrnb;7awX~uP136!^@ZkcQ7@@4w7&UYwS^G$Ov2w=UubRy^^MiiV-#1WIiON~nK_<f zeW%uN?yGHR^R%q4FEc-Qd3~Ar!BzET<_GVo*?67NgvFti4>u^asPp*-r6zflhZ>Zc z!&P3@pwt|&^3M%Q%^@p4sw=gfGxh2QrDj{Ty{^>8zm=CZD78lQ!Um;g&&sdsN+Z^x zP<~vy=uw+g{~z^*7We)|eWA4kzpO8`R^UJD3#|qCRehl~)1THCS`+<bTX0x;vbtPR z?^pjOm<nDV_@BVH)&9VT1Fs7_BQPBp4rJ8Z9m9ducn#oT?ZevZv}b73>OZRA)`qo= zcBQ8HzvutB|4shq_-Fh#`gcJ8cl!R-_i5jQzUTYy@ZI9u?Yp{VNAMXfH?^D%zP{zb zmglv6MvXY$==i?l<1G%yvw|O0mpi+I-*ud6S?hDR{iyA8ZEtUTVcVT;x3%qUYj5*< ze+)~(+q^IE-r>E)yUV-I>-7B4^GVMGp67VVo}-?OXSMqe?uXqUcE8sBH20)?&>eR_ zuJyOAUvGVX>#JJtZ9Ua`J!}QbT>t6%vg<vrm%E<i8gZl@SE#>tZg9F={@u0T)#36x zf9Cvx^Y5H5a^B^<Em-udP^#$_hpuQ6Q~hmiA%ts#!>B*0F2qK*n27qN+Ctk6sn*<q z5K?UWO|3b7Txt#J3$-2F8SUrm3(XCu{!?`!RBhXMKU-gDee-kmh31}8KT}-@re~cU z^^?_w5Fu^U{eEqsjeo1(t1q;^`Q7?L^LVHa*B4q-`F4GwwW8mwEwtZ_->5CLUGwVK zYYXjct>&JBie)2w%}K|a*eF!PK&a3n!q02JX<yG8xdRiiwaiwxgyGBf&5zd?THpLg zbs?P=i|{paM;fEGXnS*YODeQl9;+|3mh8s*LTf-b)fU<be@lI#)$-QbLP!DT*}kp5 z&>HRW`a)~8L)C@Y@0Kc{zOBB{)CANw*B6>siTd{XLhEF|qrT9Z%3JCSt*Ja%UuaF` 
zf%-y=d~dBSv|YyP-_;jd-M+KF(CYSG)rH9_)7_=@h1OJ-)fZadyuQBB`sVW5LYp+G zcGeeK-G=K6t!}$&3*#0FP|egAni`|JwZ72WCh7V@Yn!C%3$1OEtS_{-$+r4Ji?;Fl zLW>BoYUv3a0r#1ClD5}3wMZ1HEwmq&?)pND3VZ7dEh_A*FSMwzr@qjl!tVM)iwZsU zg%%Zh>kF-U?yoJho1M1Q7g___TwiDnh-~XNbqzQ+8y~;6zR()brfR(c8{Xo^w^ui$ zGIN^B`TB-tubXSjY`l1)wo{vBMtO2=LmPR<>&r~)OxBl~#5q%6X3k=|zRa9Np}H*A zxz(b~hWawI&ugkDNbSr%)eqG+%vdT!M}3*Ole_E7%#9qaFEa^qu)fSB%$E8xa}tUA zGIJ6KYRl4=wi&B0Gsn5JzRVowuKF@_oO|la%yI6nFEhv4S6gQDDJAR6%sw;qWoDo0 z+Onjzexdp@bN$xVmzndsy1vXD%li5<b1YZZZZx~p{NegSli2D<>kG}%s2{5@G>4;p zqINtsme5;YW{!1xZCT8sTUULVNw=-_W#)bg)|Z)6ysW;=oJ3E3nK{lH&mF5=W~XY6 zg^x=u!hHY^;nnjvg{x^wAr$5()q(0l(h97?U)L8}<EhdANeH)E{%dVZyEEa3ZJx5y zrT$QHeA98WW3Bo_c+3ketDFxzUj{$=x|Sb#Qtscn|K2_4-qrelT0h$Q^wuom0lwyX zm22D;4!$bb8(bCmLE!a)zCf$?DeW({o3su7m;0~tuk?Kx?*yKN_x}sthrEB`jeCA# z{_~)xtUgb@NnN3QTY33BbP~Tt#p@QV&@5ae1=1d%!Rq4-DG(@aJ_$CIpT_HvHY}K` zFAzYKqL|9*3B3J{Fv8pv-Xx(QRa4A+lI}oo<G?&0O(ODesxT>Gq7+1Dyn}{3;s#WZ z1JmrmoxqZE4B)VMDtb$3xP;GRz*`t;HH56ggy=WNaL)q6Pl))ZKExV~m+1B3y+zox z&8APBC&CL9i-+uEY8aY{k%-jSW`9qfC%TJPU~6ayF$*>#5@u|?l$#74LQpT@v!{@L zeW-}E>SlN6V;%$~G+xk*=x#qcu&-q$>FG!}ZjuaT=MX?ViHT7pL$PGVfj#v)Pe-nC zt3+sU0#S_=roqW)c@6rJG8U<>@q~i_zLl*pKc&mlvAJ<q@mOeZwuCo<>;t}kpQq#K zJoTd-B~qB0rPyBiumIYIvh<d5e%u=Web;+BM&{`xf&k&^X>2$|!y>Y@b`k3Ox_7G# zr&FsDm4n0K3n2cE&$kh?1ir(xIUzgZcR6MoAt)BrCNrLnosA}t1q4nUnyLIm2r1Qh z5v+z2dpv;rHP|9qAoqLmOg+N>ChR@PR|3sFb~@$h*xI-Qpy$O)yxrraJfC~(ySLBB zYqCIFTLZ??ohl<V+WcH$ei~t?;S?07XrjjBa3GS|^wj(`irbnZA|7$?_ANHP%hS=< zc#7DO#=7vv5W&^eF_vTV5BUNcLe1~=AO@<z>hxnrTyQ5ov)j`#4{OaJDg)bzGF5|3 zmGCNX3Av#GKjqVElI$5fJit~q{62OEm|_X33J~6G58g5xKYjkjsZc*+s|f8XnK}p3 zBfQjX{Is^K)rIpXE%HwL-&t**m8FaTDJvrY1$dk-jN&>pu0Vsn%IoL3xu}Pv(F3PR zXJm32X(f!d_)kJCQ_>3aJS(sB|Euzr|A%P3-_vnZgN;qoj~dfQ=!BFZc*4ENL_b?~ zw3VM6^dR!7{(Mk35nDG1Rvasg&x*_jwkzBqsq*o8cm#E{Fic#1A?};q4aP7;5#h!u zC()%FoP4faFxO1|%m2&XcfiL{T#awJvRC&OV}orhpNni{`y^daGsVcVYzr63lH6$G zES(CLbV4WDh`xLHL=QED1TZzGlLARdAb~&{B$R}NB&3s`5D4iB$@hP=b>?=@B`f>* 
zzW<qDa-%o9^WMCj^5)GeE4Yev)^Eb5fntz=aeB+p2&Cu@H=<-q89Bg+Ml^kM0r3Jb z*D0$LNH`GZK4VPlo7%aGbFER<0<*Q~`5ohs9A{t<1PAaqZ-Sr>u+j`^D~4QY?A<pO zkUfBkny?nTU|<k&022Yw2u6uzh=u+J7{Dj~w}UvrRn%DbEUqxaV4=>z>kBNAKzj_l z`MbwunX?HAE0DuQ@s`qGzOFDv7<`@mC~ie~E$|NC%RW$GpaI4M4YX@laupq@hi1VB zwiA%@$Kfl%;D$gUNXTkWojVReHHab8(*@GL&$^AeaK}ihd!QG51ho$9+k>1TeLph4 z#*=Q~r@UX9NvzeRSCB+iSK;u+G;D$T;M@VjIc`lGh$QNCAYVx?<tpU38fJV6BztDC zv(DLPXklE;4{P!Vgi_hh!A4z)5pxwe*bw!*P>dM2HSsaoi4n#R%m4@^qPC(+Jp09{ zvGuHg^GRwB(@U|BvbD_1OfNqf{Cn^NK`L-dpwhqBU*mhxx5N8w@1W<?o+V(TA9H`r zz1;Pxs~>a#ZH`|#E_O_}{*Sqy8DbptN9Y*!HR`_qcIN5t$w5r?ze<JwWgO@`&g`;` z>8Pg8?L0NxKxD))&^2ZM4I--;2D@hYsFMW6pK7ig1p!Sy*i9jqntU=vaR!>=+AP!1 zTKnjZXm1)33U<X&0EO;2geZWWA{9Xio_0XUg49f_?&%s$4bP#tep_{~?-T=#79{}g z=kvRBC}^UVQ3Co_SRu02p8|+ZwnAiUTogcbk`*FdSN-37A!|ggRn+|buL6B1m`TCR zMW&7v_dN#@c%s2f3}(qYb;R`5n-O6)MpKBW&I*yPcb_^$+()QI`~T9Ywy(yDoWn6^ z6J|u1CGynu+jHYV^*d%J2fK)zI&%7=W<>Rdeeu*G@`ev$I#rp8!LHJ#ju_v`)cOMt zzJq(BZ<(3s`oprVEX_xRY!+-y%~)hhBBCfgBPc)-Z151}CcquUr>e*&25ef4ThFQc zRQ<;TqS=a2qV3vX<aZc$)BeSlm~1iFdY9{4WM&@bFfnz^3l1FAVzbbSoWrrmE-)j) zEGwt3-+l9~5FLgw!zT}l!C@<MbStkZ?Dt$NM7q7f)FFbU@gR2Z-E)is#k_(C3KMyU zdZ4I{^bCO1o*ayT?ikcZV-sGcpPHmkVDtR{j}87S_@m&n!Fz*~!E=Heg4Mxkfxia6 z7kDbLHy}Y0#kGN@fuR4->{9x-{_p#r@qg5RwSN>m08aLoJ6`wueSZQE`&y>e_lEC_ zY%}{s-vhqunM;{l=~o>m`zGii_WQoGeQVgWe3icG-uJw3dSCE<-1{NOG0@BW!{K+7 zdpCF!-q~Kp^BeX$&nuvNxWlu@GwAp{-RbG@EC)XTj(eN?4)-*7uj4-U0q!bpl-tgo zLht1kb3ylC+&^GG;eO8jp!<6FdG0QDw|lkY3dabYb8MwQ<BqtGX8+{+m+NPY!}T@x zDEb7~$6U9#E_S7u7a_7h+%?<9IDg~JIft0{oSp1+=I7269QQfrJ3WqffK~WEJOE{F zOgC_3vv@^3u3K@km*N$%nEo}{3-F4XxIX*XBwmq->kBM<HeOMa&<`?f7hVxF%r4n8 zXL8e~BQ+8O@iL>;)q4C%_H_J}TFB?E1`uXX!z-d#N45|Z34MC9okT^Afun=@Idv?~ zJgtns5UVzrxRI<dTH1hDBpM9d>+p)&guW=VEsl4n=^8%$7k@g|U?9E{uc(b0oV_BC zfkw^c_$!d?UT5G6ydqYkp8{D4uc(O`AN)eRB948FT|`B_(bV`c+%!S|t_Gh*@fTuo zgB`<oMNNY-JO}ZLSc8FLCs|?OIESb(Bn@@|uc(O|Z(K`M#0(tgkrf7WcRQY;@Va=t zQFlF2flZI=@QP^E7$hk3$v^Zl@c&Z*=SW?`_#y;zAqB8Dc$qKY1FOy$KViJ3+8Sf# 
zxQU8{F%1@z6~+QHm#om6Vs0lYjPb*~NLCmhmL@8qI=Rdzh>B{Xe@~MY233`KMNN(V z21|q-u1V-Khk1#3BW57~I9Z|NVD=Fe#yn?!MO0v`^n9{H?>X}mvce!&z$+3B`m|x* zCMxQTrhZIR#EmcLCoA-(ST9i#)rS@HAW?z!V<B0ge{;4RuZSBfGV^VsqShey`(%aQ zbLM+Qg|Q7Wza}e;5A_GK!f5J?WQ9&H^G~9}812m8$O>bL3lSA@qp6P)6)~fO_mCC( z_h23-D~zTdBPy`(K`xbsT);d^yisio>JO3?233!f6$Vwek`?+WVLpjh#OjTv9w94q zUNKLS6-HBEBPxu&miY=<VKntBSz&zIPZJfj#v8vOD~wU{DWamr==sOU3gdfxov4WG zIM}85>WT>fvkAD~5F5Z7iW;+njS>~cI?en8Zz*cf`bXl0xXxO(ny4@YTIL<10&D7B zLL`DL_uA&cI?0-99Sid_qNduIoGg=9WAOcd$eNhG%&=@;jnU1Y=hYZ%@1MyUY)i;< z+5|;|q2HtLCGDtDrQR$0!{$nzeEL>%r9KMjyUmq4sq{VhmAFscK69nf>_^R&MzeR3 zm7s&eToQZCmHLFGA2wI&ET^9~SLy?v?lM;z>^s|BX|QjHxzgxox4F{j=bibLxS#D) z=1Qa4FPJNhW<Qr-88sYV=m*V}1`{4IR~k&na~P@z=PiQ?d(Cee)PB}nX;AxlvJ&|m z7|m|-I^Uy~((lj?FZ(HolvmHP%rnd+|K;G55cO}G|0drfzFD4oxc_i3ag*-9x*v6) z?w;j(+STm*q_fZQJBR34!?b$aTrSTJFYmg{zu31k@X3HTDDgx5(eyh^tMVVchh9xP zspqNv2g{?M|NluMFG^p}0>iL%7G`Ztk(y|DEm*+sPQraNx@(prmySUYX|S|KX>kA` zCpilDq(%nQ6S4&%TwOyZos72ZQ+E}x{q1Oq#KF*6c{<#ZNe`0NcK<G5zzarl2{1JV zb0gJ6T5Uo{xECy!Hp!=7(j*&RjB92=Y8oY(;PnH&a6v!OJ*e9TQI8fdwt^-gNs4T_ zlpM^n(4y{WQZ1&;iJM}v@McI9G=h97fM=>@J+h(#t9Z!brPF?U0rNhD7`Ie3nJrU~ zbZ`|J>t4sI!%gF0fDf(}fE@2SSVw6#gR)Im9yJdaFjzy>K$5e;v>N<aHnPg|ZlE42 z)D`&d_2JeLNHT<mQAW3X)0yzt0NB(InN82oh^Y&=j*mssy)YcXrVottkpXxH?6gu! 
zvaYdy$gk9m64+$IBmH0iiHx3mQiEWGF$%GFGvVE-!NE!m)dd%TMd!FRCa|o9JQAY= zJHXIQjo6z(z6i2)Xa_h%fOku0vab&+af9e(Veo%};J)g_fE-FNG2l;#-ku&z_f6=y zcYzmzoPH_KKn(S=#xTa;00T`+SJnfm<cMTHT0hP&WSI(WCBX1)I5Gq&w|WO;@0sTF zz<>m7M<6agOdaG?VvN66T$fNN{44w`U<ME5C91<)!PXC)Ix^w)1H(H}GwPzC5k%j= zpRW(bjuWzLNm~+Ji_jpzY!<2ifmC`<s?g*I>~V-654;DvKJ<A=4+rXvGhp&JS$|QO z25B%cO%BS_9*rMJb*7{OGuAV(nbW@+M9P=Hnbxb_1>7glC)0;<c=fpAc44um{Ra$U z<JL<pc>JtQfk|b$FEyM3CH%oIuise1Rh(`$@0%hqu<LDa?QCvBF`L7!t0BqM>eluR zatP;eV`sR%xua9-8hxM0dn!&BXIt(A$RP}tXJoe@f$V9ikrezN_;@vfs|?IAc^-G7 znWrW&1XIpr7%g_m9f~b(H)8zg@G?mLhf)rrC&4-q67iw*ZOA`s01Y58Ytp9&^%59u zms@|y7_xfrPESCdI(ZM;-#42852Fa;k9nHKYQSz5@NZ1_7`Bxc!6#bLX#IR5ygE5B zh)7;HoZdZ*Y~;a13f~8NQN3cIH8`R1w%79`3T1gV{uLfa31pW$IwmhNEmf^(wFaYA z)wM=zkot82yIvTGXn%rm(&&rpX$<hRVsH5VLZPJ62mfzB#3Hlh;S6M>Yf6r2pBl|8 zltxS^_WR;mPer%nv>aKGx&X_o2%PPJEQGLJsw;%<G)Hh*$>alxD<NN=oD2`X2Bfg; zPNL*{a&AWW1ZYsoNeaP_3x-=JlkOgX&jqVB<R%KkcpJ)8BAa0K4YaPIaS3@Zli**6 znt|6527O4<Pl6l8P=T=ooETA)86qzim43twl<h)a6ks(U(+9@szCxZIK#cBy*Eukh zg7${H`$u7=B+bI9-@^2-YOrK&v>r_0Vg4cO!=4nlWR5~I7PK=Br*@+;iWsDSq#yWy zOQBTZhwyI@CQ8N<a{?SGQ{eC?FAQjt9@+u>u`yXO0@TR@TlB8fV0r|t%vG=y^bZf5 zJ8n!$>b=ce#cu0W4qRYlzp<eK*q-5&Bj#(i^oaeMEqCLXx|!>{9qkKVOojK?V{x&k zVzby`xf&$uKm>vX8+wU2JTx>utSyD%w&YlU=D!gR!cCAPur1sVf=YKkBsfToF4s6T zoEqDm9^FZ-mfGhV@8T-9TCbG}@W~xb!%n>_J%l_O)hq<fXx4Sh_WH(mDY)^S7gb$L z&5I~F&~%Q1bP3}M^;)Co;=&s^xGQXI?%dkizAn6~r2~>7ZiF35dyoEY@Nbj@ybNX6 zWHY)1#Q0a1oOT#5%GRU3dtm|pIS^MH41r3WnQHb#V=#OO1_H`-YyEE<S8<8;%&!5L z(RA;ad`3zsT!rP!SPbMbsHA?tn6A-0R=D8=NCev9>(Cp{6cWIYqm0UfRq5_=G~>vF z*E>i6Y-HLff2+UNU*>oD-txWX`<(A?-xa=decOGf_!j$u-oJQ%;C<fvu-DBtv0nB( z&r6=HV=wsh|B<_&I}2{yUvgjN-sC>U(d+uDYoBY_JJ(g^{5Ah2KFzf8wa$AT3HGzW z_nc=kFFTJ5eld8Z<9opd=7zw(A)CN%Z+{@>|Aqe^KY6!q{b5Sb_dN$1xpLW)h{5yB zp4tHt3MB4@gApXMl6P^Gp&E7z<j6#%mu11Xv|Mq?#arlr^9Ne+jX(pIFYj5-l`CGY z_{(h|5WsQ@GgUdsS-yHnJy)*eO2uDQ-JDg6KdTp+&n38W#Z8)caR-u5nv&@M%)Mk@ zv*Z(OTabYaywXQ|;aI7=^;x#?`w36EXeL-qLWsXo**`Wks2MbMBVv^7zp2rIRHo7} 
zA;PMvESk|)F}5elmCN2##5dmG8)sPZws~|Eq{+3gW)7mGwgsEm^$lEklPn6zwQAbp zl_?O{wt#d6ZV_luSiO1jO0HZ99)Q2uv1vWXpeQpMdarF11QD=;D$vA9r*P$pZV7K< z(>PKtz-cxK39o^Lii~DS!-=c8a>a)fZ=kh9mLSkpVUV&4vV?<AnPoF4G;!ryO-xw7 z3X;zo4IH2^%PmQ<d>!P5f|Il1WUgF^DS-FLvKje-yt!R(ISx>+aM-3aInL_EI?Hje z8j^0M$KYG2)7#=r=FS?fT#0;wQ@k2U%9}x3lSFzY^CC3e5+7`#J3+kPAEnF-)^9>& zlF<PevHKY<4$Bd{s&zwH(Z+7;=s3`btzE&DD`5ff&XQRg_p=5v_qKB7Y12rPMaoDA zoT5MtgCzAa$i_a}Cr^X@&LHMXEnK-0e1oJ1iKudWpxPXO%wEXtalb9GHEX$YB@7AK zQc6~lf!eQQY`hnxF*`s*%mbDSFIwM`jzj;ns^n}jHkdzIGpRo<M=y~N^P6Seq23rQ z85y+7WUR&-v)3{;JIZvXI|hd}XLW#rWM62-VxF>`Uu4oWOB!y#?}{;#uz8kjU)$N) z1`J2~IORBov_A&#ESScgYq^HWXF23G2P-hyVXHQB1d;ls8as`EC-i-)4ZpT-z^roK zBP;ZKG<E?|5!G!W*coJne&xwtOjZ~~MF^sdi}BSsyxzFTUWqqUpU|)GnC}o3hSdnW zil{K|#F<~>6?F|d4(1KA!sy;bI8k-_3+yQb+<1Nt(NLXH(MMM3-DbXNDVS{;7#$l& zL1;A3a*NN-{Ks;}%8C~4xNqpBtwuNNTF;dan3lE8!w~fWi4bs_ZBHqxVbC4HwhXHq zobY-qrz?BxDz03KFCi1FiX`$#mZ!n`<OJ*y`=^Mx(Q=ni9s41VF5F>QOGM1?)^X*1 zroMn`6U1AjVxN#VZzYb<0i<Q--zRY8N(>sJE9*f(85rqDI~~mN0(9Ke#+57K9`JY3 zK^wgX*5!w~S3FzCl`Fw6@CK3EdjBhn$C8!udq!9Wt6{;wrIm$nxdEgJ6cb~hZ&<!M zkg3U&V=64y*>x$1L!k#kvqX8{X0H4K)7NVO$q%{t!X?xwh^FDz9Y{h2210nG6pE9v z|ILwk-g0ua3`5w41BuB?yskH>)!<$4+vhvY*XXP83EqErf9m}j*yG>o6}_F_#h!n{ zdH*iYm}jl$IIz0^B6kV5%>5hpC*0%iO8#T~Hr^Hd7<dV+0S|#61nvq91rq*$`XBRO z<3Gp0#=p={yFTN(*){5FbuDvwoWFEF=e*N-k@GZXo%3kNA000_9&%jnNI6zI=Cbdx z-vb+j8`%-`-yt1zX-GF-`gb@v;MfXb9R4r-b62vzD`r3DbJOLpBFxr~&Nb+N5m1V* zhL}Q{*uwm)z$4YV6&CZ?LXQ}N$@W5z=<*Ts!$Ob5by{97^oSud?XY-c{YHq0XFPI# zfkzChVCL_I9??6^ZY%VNA#}ADdPMIuTUF>0z0>U0LXQ|dI=av!y4=P#n;%)Zxnq6A z=rnswp+^jXYF42~403x5JhE`1{u#ezex$K;?P(FrEc2B@j~Ix$3q7Lqh53A;M-09k zXZgrRj4#Yxg&xuQ!rWcx5q-Qc_xnbvjwzn%tGOygyQ#S7ft^PfZa8Aqv1ns;O&9u& zXs5m|us494a3eTamHs)taUxfxh&mR{B$Q?}nV?IFJ7~Q8p<1p=(Y{%{9M@h}Rb2XO z?4p%il@bxm;<c#q+R9O+p6ya}o?WWWQ*VO#a64DEQx;xKO+>4;&LjB`bOk-BE>&01 zrRoa0%478%9qp^jV-0$ftgkRt)iI?>LVMAL?&MK$LA?p)=4Bj2VnJ7v3RNI^=f`2u z4>Z&V5B#t`#%KrurL;^JY*`;|!v}s=Uz_I~m<WAIqrQ3IhxNscjvkl_eLBxNaKrk% 
zroI3VPeV*D%nD-%>pyVI`f@<Ms2?#~+nSp6FU7o0!1a&9_7iZO|IC*OxXx?lHUh5m zm3fPR>nvpB1YGA9^AQ5BbB1|SKk*{^4JI(3Azsis%>35(TdL-em!(2xjx8t}A#Uo^ zvaxM*XLw8F`j%Bh`gZDaz<G=X-a-qh&O&yg&?5$So+$K)&L~za^oYTlJLYlI7syjt z7mga++L|M)w3U-hoXX8pPV%ty$}4ZQuCXB^>)T+#(o8J7b`Om8cgc1;U3i>8xbM)K zqV8<q<|&6?tf{()q3rC^m6Kh^gYLCLfAdH6+&txy3461)tKh<~zxeeyH%|`bOJgtA zbXhLD+Dm6F=jJKbVc0u~$hHmZyR;a-UCqdo8~O%xZfn-*q}SJS^OOrB?A17IP{YWW zc2}wkS?)k95Ox`sR1G2Z4=XBTI+dW8M0Y0SZM=U4H&59ZF;uWAz%GW=vfTslN|$;= zw8)6nsN=lhcy68|7US<n^os@UL3;jXu1ZlmnD(H?>IQ8SQlcwr2)jV1(`6vF*h6mF z#8oN7%A(bJwN>@rUv5q2oE|#dqQzfq<*LT9T?x8nND6gIi==s{+%BoAwP^RcR<0^l zsNGtnU2Vh<rsOukhE`T`Ve`Y-J%1X2C1F1GRf@li=Ym%U=LS9zX!d{Czti_0-}SzQ z-cNf^_59E?;$gWDa+U5cxwpCAc3tM;oL4&+I_`HYgN%L&<}=KR^fUA-Xrze$CL}Bl zP_vxo9pxR;*B|Zv^H5@z#Uop4BE~&q1Y&H%#8IwrBF)3yU}ihq2T@=qBnS<pg@Y?E zC@kokj7E!b^}2iaZWPfMNp0v?5nxQ=;1Utg27z)g0&&8VBT7`b38~r$WMTAMUsN?* zho|3I6e0~bmeJzy;;uCJ8}n>AytpG)xR20S!-6PjJjb#l9o~Lpag_|*rg43E#@Z4y z&#~-QhqK=)2@Bz*MU}J}jmIkN;)H}EIL%ZdI2rssLUS3#bTZ-AMZCkw-+l>;^0Yu+ zyOHyot#MTw*-{@t+jPXZih-rNS1N~YszI`}PZ`A$?ff_WwEC9kNGMd4il|)f6GCIS z-u)MdVhB+zf{Yh35#3r^?iC6bW$u-&70IesDG9<wfusii=7`Sy%W7H&t#`Sx^hgA* z+^b^M(YmTeq=1Ol8S>sa(mbO>829W<g@W8WM?yiT%%92*_x6Jf1)j=BW^dEn53({# zWQVC|5W~vUGc1juHXsgRd)QCUP(<N;HrkW-_Ja&X6*eQYvq0?!8N?R0K&GoMrk0H; zps=}T`r&_SksWJ^>@ZF0V=Rzisl2DQXEQ939j2a5w?Kv^b(`9r9c_Wk-hNqd=ub$~ z09l?4Vlzzm!Jpxdvchd=iboF~w_t_)h{#^({6CAnnBv=lcL#nKX!Kw1`@XN-JLL6v z?(-bYJ;JSa{}`g^@vi$_tDHY^&T~BN*vx*1-N0N%Urf)UPT%j5pI)%v>Qbe|h#UPB za>bM-s&n(4*ulf^$U9?d%SU%+w7YT`+@dS{(z~iaibmRrOci8>+8I%t@?;0D%t(E8 zb)+V4Xe*Gna59sE*!9TSbHThSxCTS<a#tWnZ7}sa38wU-;c?_Ab`o-8tP`8X4L%B- zWeYLkzjK#8;vH!ao#J|skDC?wxEzy@4?;bxk$W)mGSc*cyj)P_e4)6`&`2#UsF5=5 zPu92#Yoww|f&y@JjErJQVN&9$#)77wvg`$5wmOa^#TLM$iZ9cYLskM$o2v2jP()6M z^c+o~7|(EZ3ui0w1aU14&NG#7nm<DiF&mUd&yks1h`6M<#*#&LHnvzEi<07MOB}YO z$UGc9VzYr`rt+z);Zxhe5v_+$T^-S*E})aNxXM7IkKBYkG*&~mM{F_>Vf`^p$wL^r z7X9fFS6ZU6^Z6~&G+Lsub7-+dgA$Xd^BrTFElJ5d2*iL0c}X;d{)U3fr|B4dsLN+8 
zG6)_>D7c8RjzY@Dp%ild%|r$Vc8n&GlU7nh=}XM(oE`R>Co#%gV#Z;IxA{24gm@yX zrJIzsG)+o7O(^rFvh14E=@H2*kLW6j$P%L><Whl*dhl<KXr>$dlqcjMC;AmMcxL5g z(mm2d*NaQU<v{dFg@~?0*@clWj~c=RjNy%F1xK3NI<ZEC3^9;}t^kW`w2ZTOBpBI~ z6vYMV)32|OG~qSkA`vpqK!U&mghS8^HP51)q|vZIIMS3R#JC74YanlI0ZQX}vrl0x z0wU>MyMjN`WXE9~*8<rmC}igeU@$wQ3Gg@Q8wM{9efDLFMQk)7E)yXU52WpsnQTFA zT**7$sCYeXfPgY^iCi>#;{jKQn#sP*y0Yxc{4IQ0@QL8Yz%K$~V2=Muf4lD^-rsvG zJui4xaBpzCxoPgl-0NJwaz5aA*KsZSk6A<im_83o!;|oz^*`68j)-+l3Hm<dfGb3A zdmobZe}SaFBhU#rt+v7PQ{c3Eh!NtB=u!`wpm-uF4p<1GHg8SyPLi+<_5+JHSgz1O z#X&{oI?}93M0><OgEjiu$KLgt#Ssg}=%M*u*&ozNvDN6AuEnuu(~^JkNQylcIBZ_K z<_)Z**lmeJH&WIH%^@7=&HdP6iNnr$-i#w@iNlVn#f;-@OB_>sqV2N8F{LM3w|Ew4 zeAg(8$zn|7doZTN+JLau8;~Xv$Y>N)zJ=|Rlj50{-8E?`Yz#kfxp)SwomCB1(k-l= zhZ2TP>->??g(BL-rQ+#8y?P?flg-h}zrSdsN1EJ395$-c_PbHVz%%+l5gCs-*|8pR zyD<*2jcSTDn@Mq-fd<<(?4U8PQd=!?OzmpB#S+I<PTO8_vw;KCYTLm9it{be2p$a? z)aN~7r-2Cj_O=k26|}u#hk*v`kDc#g*`HlvyP*g!oao!MYgsSoh40a7B3dj82)PSx z`<Y&GlVuN0m=0kvx9p*P@vYQCi324LlsHi0K#2n-4wN`h;y{T5B@UE0P~t#|10@c; z-#MW8|6hUp|Bnma8C)2+Kd{XIF@M7MX<vu;ZSPfH-gBep815t7T=zZh#jb~3Yn*R7 zFLBOx>~$Q)KFF?QzQ>F(Zu$<ohPuL5U&Z4k&>dCOSzgOEZborVP;RTy)W~=b<aPl& z@}d|`$dvR-NdKfds?3#*QR~3B(~jyf3XultB63Ldh#DwEcI*WGlNpgMby@*LNZ*v# zBb)B@1rWjgv>DOi=n=YAH1%lezfnrsXdu#*k#+VWPgv<zQxZ5yXdN=}*y@lK9?>Hq zCx#YfB358mS_c(&M!RsZR)LatS}4{T+-dD6n9YO)jtp9-HJ5mMUVI1bmX(x{7el^9 ztUZ4;(+z`U<-t&6%lF-k0~{DE`Z1OFph?Nf&A{G=%J0X7gxn0&8Lf>4d#;EFJr*V; z<bGhnZEM*&c=tf$lVHMa=Q{on`i<NaOt|d~okPHld>2f(?U+*>0&e8cV8X4(q0?5m zL%DuA`0tIp989=vUHu$9Zt#3C<F<9NcCfgUl9iW(JqxG&H6$rnc{#*wiEd^b;N)Oh zZ*9gV$g?#%Ujl~&4TrWCLO1j<!iRT&f@4AcAc@=BvkqZmf}4OD_Ys<yVCiqhtp}|< zygUcneKYPOv>1W`z8Uus+JL~E-i-T*EQTp5Vc^yzZhNws<sJNl6gTh~llh2jvbN6b zrI$+_C~=^~ff5Hw94K+1#DNkAN*pM0pu~X^2TB|$ao~Ri2hjchF^&zC`-|@Fu6JB< z=ZnrB#}keX{D=7J;8%lZ2mT)TKwz=|ZvS%MH^CmD(Q_3<0yy6(I5w~%^Ar=Hw^Dzl zuAREBx_>`)ZIxOoaiGM3Bglc2c&?$y)D))CN?S^5OB02q;t1FZsX<oq;xTnJMj)HK z5|0TowvVGImBq6cLe%t#X<&<LNT7Sg*|Zljd&Q;1VJq(2x}&z_euFp!+~00#sRjLw 
zM#HNhtl40C1X2NOnafdL<z{el8!zgoh(>$GLE~HKL$un~1)!x;zgOI8fyiFO0ZT*> zRP7x29BNo63$JE<HgpaQrC??ZclVE`ht)hbMKPj7zScEoNtD5$fD+LWE=g^D3CO>= z1+Ees+gecM&Sl~y#wuZEOdR~Dm1P1Y&W6lBz?33|VgiQ5V`5Ca80g)g%&YuW4W2L( zVQVql!Y!HfU=e2&5C!46E&{5p!*ij2HK1hZ-6_bbU3_92#4hndG$t~@<T;{wOe7Mp zc8#TnWu8I`?<9&+oEd^BT@YVvEFB(B?G8h-ZZuZVFG||oqpWpuFyygRcmMFfx#LBO z@`mPBA|+m6-UjLqgFT{nz7?LSw@0MK39v_ORHnr|%pUQ8x$LwH`Gc`VM5$Bdkjj?X z@lxV>=FZxSxo^3c_lmoXMN!|LY>En2n|MmxW$uu@KueY#N{QoUJoaoT3*Z?u<FT1T z$eM2%D?GOB5v=iyTH&!}b76%?KL67%QhZ(TrC@vDH-Sq7VgIN78+|YN`n><~-VD+I zy147yqpnMxk2qd;%wo4O=g}|H<<vz}a;~5^PDwMRMt}q26124y+=vqprB(?S(+;vZ znZHw8D34Suo<zNPChSrbjY9?Y;dosb@>WLDy^$U0<bXnv4yOh)8`EQ{@K}Fx4E}E* z6Yfr<lmg+A{)r4EBprmUco6cMj!uM=negt^;9zC3q}zC%xB_;^ij=ZxndOXlO;}6c z8rI{FLjcpBRG3T)TC^V2h|6Kyttf9Q@P%TvASrdHCoth?Rcd4~Js}H9Bk93(-$b#9 zkJXADuwPefEkt~xHY^9y3a?5JB?pGXZRx>*?ul^oaBq6FJB36!L*#qk^eRy+wt;j| zv8hn6;?*cvZ+9v=h<Xr469<ye_Y90G0_*#*OYv$k4RT1und1dUSsX?gq#zj`*fBl^ z14}(gz%fnkUB_4&1yAox_Vqy}9*byMcw{iy4Z!i?9?(MQ-w>ond1MxEWvG>Ak3-6r z%_0hQZFvN#3pWmqrAFZll0qSkhsKB1Y|EK&TXL*F^WStg+|<(1(H8E9g|WLoIRecu z*Um4)sWB98K8%vJ48Q?q3`+)m#P@|daXrX!6_*rRH*2cH9cm)xNJ^QlJ+Q5fBuAAK z8yfTG$y}^;sHR$658`6s?j#_yO>(qncXAYx`o8bGlW0g;2&Fc?1g(V9K1_`~Pu2{9 z-pp3&Oh}u#B@t=tMtTU8+XY252Nh8tsF5|}Vgr#ajj1)F6w&~zE*;vj4l>o`56nYx zC$VDO#h?M!@>Wz8%v)j7$6KF|3x_MK(*|oKsc^Jg;b^806vJ9K4Sw449<k<UAJXEg z{L~P|?D5kY(OH-lS65Qn%R5XcDf>Woo8J+8E-!_KI*P2E$1$6F1#6C-57CuRnx-t^ zg_EJ1Jyi~M5P}*YH9DFe%|ue?b*Dy<N-oofVkDb7Y3p!q-AQqEFRbe;kW$KO5053n ztCItRVGu3X4X1Yxhhd_RrBne-5lMPcy`n-KES{j82>4&4rnB=Y_62r6e=A=PI)Gn; z4&Ye-Y~K?;r?=g62lr!ci96-G!}+@NM8|g=Bg%iwv&`xAU+AmpMbsetcToR=|8zJG z>cL_><bRF6y%=~)I1hpY!KbJT58|=I@`zZDZe^l{BvQET>>M43>^~rQf^?q0qaP`a zN;E1iK=&|_LUhJz!kzuF9&H32L#9|%#%j97qhX0w@4}B!Zv9{zvUTehZGc<9Xk_Jh z1|nw+bc0;iEl#t<V#`g?ghf0?JPK|m)SN{pU^f%d>aLdI%y@6_K=%L~#k<sq9*Z`> z6(gKkEv^}@cRw;*0<<dMQCKxy9;=Df8qJGMq5z{It&E1eyF`d#0%uGJqcRq52Nlj} z5B&6uE0<d60M(uvNso?&*QACaH(4<wt<*s`Li_7RZGJa)4WxE23pdKCmIgA*WG#Wx 
z9Sfcxk+})Xt`!?a9=fr!(ATH|mS;vlegWlXTJ4fLWHgnBEKk76yf{-AI#B~j(1Oqj z>m+FKK*As##2r~N6K+b5B)f~1Rt(Vu`A`Btv~@ldcp$1O0wd|szNBUo0h(lGcBtQ= zD66GRoLDXTfqXT+K%N>IJrN@(K=G$+G$vMwKA>4mf@?u@l%%;mH3my$G2=N!!BWHv zB&%1<=G8K)>6B#k60&CKDdtp+c8ea%?akIf+q}Kih#YW5&DNOrAv;=7M6Q;Nt6SSQ zG<LSMZiI5%=Faez#`P_$WI$17jZ79ui>vI4f+^8u93>5n&6Ha=q(r9`9$QCNE6q@! z=rHgY8WUUnu|692iL4ouz33MOR2uM&i*_nFOSH0HvuAKXD27sCyQZl!wDD)pIL^{; zBEYPo!gN2ye~@1qd^Wf}@OEGi<o^4lzs2`c--J)_J^(iVuX~0(40j6`ao^!ixL$Bg zbEX`RJ65ybWzS(=X9no+(EZAP)IX_jQ`ULT=(OD_`M>)8omrHCN>xo&$mbr2m{MtL zp2Pe@CQz9SY@U&!<S<-?p^HB_|Ln}7R8%Hxc4vD5Y-}@Ce!!2jGmElHnMkq~<YIpe zK>4Li*la1>3uEKBgJJ+=iZYXAYtJrB(#|Z(29?JE2vV89D<8^@!~U?HVa8_jP+u6E z7|EhMPO7+;FPJn%VqhuT+|hxAlE%%QYnwNAwluYLZqM)f5jp;WNoEXeWV0xfleKA1 zi)=C9-W<_sEuQ!!(;~*Rkiki_L(XGwBP7xSGlSNRO`F@>fwMZN0o2*vy1pn(mWk@i zqJ&WDh*u;W*e@$>S<Hbsc`VX6KGu&;D2mAxx;4zAv`{8Yw$}1Om{4-4JWMfrH=)*; zVEsPu8s3-fG?QcVw#u5E{%i+eQq_d|$F%9DQ3w@^v1>+UYp<|I)tAMh>}tKT8BnSa zCM?XZf$1;|(Nq?Tv#SWIwUsu-{X}F-Eo3^J7#U0VjV8go4<=nIYYMZA@Ys?ctnrw_ z>>@n2Hco3i5M@`J+M0k5nDQ6UL)oCM4t}XD7D3m*V{3F<;pxkwXt{Yyl}&f2LSq}n z%r#-M)gx<6sVs_|t76i|woS7QtFh3RMbUFjJ+d_xtb5d##bW4c>q5d_=tgTysVo*T z*Wlfh&!fI979H2<(P3EW`m-n&u6d)dCBa)WuP=**zSTO_U~dt!#)RzukE6OM{xpdG zUl({Okn+FhztO+M_pEQ5_bspFr9B_?EajfzLhdtMk2?S3+~l~AeVc7$uBX3EFMt>K z|4%$cLY}&Pmba2^8<4Lkn5d!ytbA1iS9k-%$W=^p8C#X=9e^vdVrhqE3dKqZthXwV z)vejs13gg<3hl9exYj#gF+x;{&tJ)p$azDiN355?5KQyX&C_S2C&Der*l<W8w*&dH z!6gl1I&8N?;kLnKagr+_(!^yF@-DX4#kX}tz@0Fikw*kr^=7(92NcVn;xHS?5tm3{ zi>4(N&gXSUq(0mRJ_>2%z7Xz64$HT!nPO2}FUBM=Xw%MiW@_sUw*-uAb$}F$>N>~` zf?S*%EbmWYOu#j;Y=;<b>>EwVI<TT~xK^x?z|u}T>zg@TgN=vI(d2NZH#J%;#@4`O z18cp)lP!T0n;IP&P#j~6MQ;Ko8(8=io@{Z9-i~e<3q|wjhEW+8t0iP5sAkeI4~3Yq zl(i3JcB1ucps%<bj=_jX?QcZ9pRPiI$I*TX)2lC#_3HI-T(f29QybY*A6b<gOGaQv zL>>_!e!vN|U&55?1}a<Uj)JIm7zY9am8}Co0aO=DpqD?e&A5r7)&@%>qv<5@Yga0w znS@vEidUtEtGeqWP=}Zq=|P+Yr}@!|-TkT2RKJ9&>W#kIlBx^zwO{J8VymsQLIG60 z5~l4pQbgJ6Re^*`n4;f6WNWAtK!oY|HAFUVBnuz{?Y?#zHW1mGX9W;}Rz4q*%{&GL 
z5P?G7jL6nmxBwzd2d=TsrZTPoB1{EtAe#D7C)P@!0<YL?Df)p0lpI||U8BS4Ue&Y+ zJKhvURzZY`^QFx|d882K^<gC*&scJ3q&VU#P+5=8|I?{cD1JlmhQMn9pMQ&Qm-kCv zk7p$};eO8bw(Df)HIAFuH`yBIYWgcQ1CJ8_#FMjNz*5nz^fK?V2+nihliD#pGBP-U ze7M2<SQd0P=y%m%DF`N}sUo=w%k+tjSul+$V4R7bus$p+reFiRlHfNC)|=^Za2zhq zXGAnYC&22aVxZ7xh&7lvubuYSr;^|zo9Q1I3Ad*Qi`R!(gIJzrpcB@n_Rz~%z0!%* zprk04Ij>9x+~?9jsP%m=dZG?=DcaCLw$#O>whpe#!B$B-<e8@^c=CgrG5AXlfYZ1! zHH)%vBIebK<I*MIA}v~nG((TnfYxw$U`SKA!Md+#E0Tk-&}ab^k~;<=ngXWi+MEF= z4OoNJm~_j)aRd4c-$t_&&!mtObkRCqBSs|TYhrEKfcg#5sX%y!PQj8XtL#>$!F{-B z1Sf!C<aAP);J8BY8WgBw7_?uh@XB;gaopVy|KehsbRimA&Vmai9Li;V-TsHtrt#z; zQklLFrVGT4lTa)b)iB>;euKevcXxUmOc)?;0?ZYNsL(x_&J@jr8GVVU*esz4Dd!ga z5Y>pzOiI%^A;PsqRol9-$z8NLP%Sn|C{T*Es}1TZu?Crx?Rnd8(fR>*26D)hLf<2b zByD9+)7bw$AwAjv%Mc2TQg9iHf)YND_M+Z#)Qe|GyU;Q;ry#eH1fl4jV9u%m3kG5P z+C1Dnn1l<n-U0Xn8~<UrLDM4&DPb*(CXGhx#Ha*e-!#pqc}W7do6i2x6vT0AM6oZl zD?fDmRICXQt%Vf{#U3fRB1IvPs&-X|OaE&|)8iu<`TnvolSy|g*~yE?eTdv7p{OIL z7aUxPLL!jiKv=ZTkPz!6h%%y`_$|f`76%po3|k?HjU2wIXr#x*DhVQ&6mWfltpMD$ zz;|;1MI=&(zq*tbjpSIs@lEPj=1R)Z!~T`OA^7>=j6kpd@BTjDKYV9<U-l+FfAZ|% ze$QR(`kU(!*L>$Cjz6#yY!!2*@*g)(`;Slx;D0#2Nhk2XOXUM|!0}BcdElr1k3AvI z+jESMs#2HV1xoZ9@Tm@ieMPJ~7HzC<0QYC`k<k`m&8xZ#R)H>K<?2F_H;`;wl|QSD zD+{IBszYyb&7K)vYMK(=WM|XX=6JQ~Vx)U_s&Z&xY&2B~KBZOYvZJa;w_?du!5fwR zV?%@I@0sqUsuZF9B2#CpV@h8!Bgld7gX~$f8alTB_jhKoKq;Cxip_Agh3)lsX5mUv zQ-2%SY$@~$V{_jL22BP2iGe*3exO|Sr>$!02N9$z)1OL>Wjfb)gqsFN;6@7RB+*Gp zt_^pf+We8!jb2pVON|bsGL^>A!m6sE%`T<QE~U*b1*6=iJPO3QdmvIl`F3TiZd9sO zf{<~5?1;ZUIRR8@@*oI$@?-WW(;DxR8}Bk2H<Rez15pmjRpGh<Cy}&_p8~ST22G@_ z*&~p%FWO-GG6$G_(FTR@<$EBoKotr*2sT}dP4lm@x=xvZnlec-{+E}UJR%QexjFPk zJ*QDWDlnM;4}f=OK?jh(GSt{Jf-bx=?99SJ-Hh!ptwX+(sHF$_iFRh;_?l0c&8yY@ zu>lMHtu4nfdp5xP!-fR_H?SQhrti$c5zfrXc>XeRC|31_`{sLzT5y0*yfX`jnS6q5 z-pCdv$p7s_7;|8lYbMOropfQsc4n~vh}tNy>Ag`H8$Waq-vtX*Xb@z}KBF)};<79< z5>*ox<(+Af_Zp-kQ9Twro7*?EY%HD&piGUpFpJDYt1LAL=m|*i)4ZjnsX4s9wP{`c z<T@gT&N3C^(kwCzJ;{<zaJ_`1!^Y;$t*!0r!mC<3z(sLmb5mzg$d!qKwc@}|c003R 
zl9@j-ZDvd;JTm3`f5#ORx7huNdzI@)uJc?+IUjH~Ij-P02loa387TKZ<=^JJ-}^i7 z$zGqQnY)JGK;3qLMQ_Tg-G7|2rb-Q!I8fri`<DY^tvCmkay6J<-WCa2<zg|o`^bPP z5tviJ)rXq73mGn?hrv6$IO=wpu5R%-Sg=*UFf62@EuqsCjj30hZD7&-IHNYBVp}<K zc8jwNL|AuhN$jTXbc-`BvDk9gx4?3&B^Fy2za}ibA}B7k0f2oPTO70cG`qzahOPFz zg7LjgN)balwR`t&WQTnYvcrbo0=C)>k&JrL6&XzT^?@?1Tbyom5gQbyP~wMjure_c zQW;jj8enbrgEC8^oFi&xNkslGxJv2Kt$2zf*CDFJmE!S0_fBgu6rQNj=tl8*kR}hs zp<jlgLJ#+V0goD}vNN3?EZRC2g=7Vby^!!l?!@$sEghZV`s(UPO+37-rfvOl*((rt zr&+MEs!^;E7eU8WL%4hom-S$s+XNjRg@B61Hk1KcL@+P}V%2L=GqI2#sTrc0K%|&( z<Hl9tw)U1SjZIK)Z(7^Z3Fn5*?Qld>zt|B?jM26}QV$^t7XtCB7S>FBog9;;xvewY zx;ot2*4(a~Ad5wBT~b_NEEv<2IKSXIZ!1K94306;1WMn~JJ1IXIlbb11Bbru9)^4r z;wEt(Fn=Aot+5LCUK2Iac<e|bD?^y#s!=)-^u0&UkR&exuzaCKpeP>*4x=?un7d(! zUaXo7w_wqW8zP&*4ZE+)5U#p*4~+G9$)W7Kwu}#=xWGFGzyJ=eKJq(Yz1NU|jL}6N z<XSugERbb%E_?y?pr1GVVP}Bgv)$*852%j8>H?cj+7Z!9AY#PDVi{0dQ)oXx0jfq) zU??(J)GWLpRL29ZMbr$3L_viA@48NPKJDyu{LUfqxA2w0=YyvQ-VIzK=L6(?QSTnl ztDbUhxBDgSKk_i)&XIqY{wi^x#DV|6IRJ~x!UJ)j&mwM+&ATt_P$zvBVS{W&L@a;^ ziyEW_Z>hI;zg7T|McAPF!x1IM^~r<yj?Ey9<;5_vdC_IvYj@*8Xwmynte!k->`9-H zVZtgHAPnyV5AjAbG4+QdGNHH#JX$rmBTq_#3zORL`sPMB*P)|L%lhUu%|(%r5Fz4H z@QBs!!_0(&rEPOtqjH8p2bxuzJ6no$_yTHc#0qe$EpW<(`gpjpsR_snH=}UqP0br1 zE@rVf8yBNnfmSu<M4lQIXayG{HCBphR1TVnZjhTH`9!fuj)B$(`S@CE5fIIYzpa}g z*yx7Fjg4!H%HNpSxfxmRBhlV`76f9W5Hkf`;dXX5uL8PJX#9@w)|Sq-tq>i*WfclW zySk-GKAneK+l>IV#l7)Oh|3_fX94vB>Q%U{b$tuchRB+c)~4oFMN@|$a{5qs(7ff{ zX1rnR<-HFD2Q?uw8GRm#+Oq&6i_oC<!pRrdu=*?_gW9}CD9|G;FsLR5MJr9pY5T0} zN0C9*`xgU|Im4iROnq2vPy>@KJ%0h-VZlKSM7Ff;)`-yk|4gc#;+une13wNV{F3h# z-%M|>=TjaZx8401L;zR}R{t+JX0tn)&oCS5pVJr8M^m4KR|@<)D+{_0?Q>u$GvoRD z%OQLYA~V8SS-2=PA&A+Mrw9b8EV|HBC%vXuv>AQT>N+QtMOS(zJhq0D6`sB<y3r#R zu?A4Z+Ol=3i)?8CO)Q?BT8@m3ZuLx<?0kCA6Ix*stFmylr)5UUlORC{*O2cG2fkaQ zy9SCCqXAI_MqqGHSYVHZ2i{MiwGcUATm{#S1%&i=#NsCKL5HyDvM02bb1i?C9}%T1 zqDG8n;f_*sgU%Zf@POe1+A;)L$-wmxyo)m#q>L|)=!<9qLpyLt&_Z6AiLO&3UO<2m zIXzslm|G{V%7UMQ<{N3I6Z|<--Tf$0Jw&-2AKjH27=$3A;O^gq{LUeAU@9s5n=6&Y 
z2><~6t`$$rf-^%!Qjy-x{iq4!*Bjv9uP1Dj{X09llf(EO=n=gJ1o~^lMOl>BQN39( z(;rvHi!ro|HDcmoWfnXvG+#(FrC{-@Iny?w2ta!H++tB26BlQBgSUA{XJ9@Uld4{u zYn50E#iBG?4O<Dy#b|vSj7WVSC9Ff_z-}D?dR4!xyukpDvF7MR#f}Tr09jD{K(cC! zVkWs>-~Esq{%A5YHVP?J!SArB;gjoO+F{uj&16G>U$h>Nj1EAu(ME`NGl1@?f$X9T zX881VK(QAXt>%j~Q(PO~plu#XoF6%IHS8_LqPP|o3J*|RXSs<$mq2?t0STdpU|{S5 z=^{N^oc#__0{a~Yq+0KH@Bk>QV4s!)=Nb8bHw-`+urV;J)Z?%hi`5Bne%1~2FSXRR z0sV0Z*E2pk0ujN7`-(+mJSNs<AzNhOkOlFm9KvH@csxCx!DWhKuX6DyI{(jdY^V4S zfCk{J!3Tp^2UiBp@ZaN~;Y)aTc#rj5!u^?hkUQIbi|hBUyIs?rFFHkMo#QRXJ&x_p zUuysPUqk=7{t|q`N-036te_>>lybn+GNsLx8Y^+Y76;bsi4wlrH8GPG=m3!t;0@VV zd(EC|qNP}k$w>SFEx{XVOI1Wm@mRHK(>Q?tc&u7&sgi8TtZhC3P4TGKQiNzJR&Ubs z9-t+7L#1gM(Na8isC<Gq<d#Iwo~7XOuVy@1io5)S4QwZ-Ihg{Vf7D`^abUG@`d>nH zD{;t9|L}&=t;Ku5yu4f$hFb7$HI1fvKvV;ZJTS^0?}el@ePF{0w&rqX@+s)0fdE25 zC<q|vf`-7<X|Z_^Sd>p!jIpInTRS?}p#Mc0JJ)WERGUVKwbAA7)DFXte+)!A=vAa| z9E|3xb|s=!iOAN}j;=-s&a0+2?9xu;U225Ps_H~u_CuqlE}}lv1@d^;)>Lw5S6ecZ z*_|Hk>1s<ulN0Ko1fy~+U`kEQ<Y9b(;SF!7EiEEiipLLm^2U`ZC%X55A-H8ki*+eH zrsEWRcWAK7uzfdw=jnUEth-!2W!8~HQqO-k&<&$9Jqr1Kr+^|dq>S3GiLf<$7LeSI znFiefzFRz|EKB0XJ;+R39m?H#L)mnbT7;ooZyw6}OxQGz=1qFIt8qB9J2k4TBWLXa zb8xjsSvIdnrVGv@^r*qyBYkp09PZ)1R2NKI&?=|Kx>k=XNr{jeABD0(!HHl40NZfO z4PZ4yHA;gIi#pe*U_dG@8mosg39uMBHG9DJyF9I&0k;x!q(3bm{bc2=Y))=y6}2yy znF11<R6KJ07sYJdG(s|_IVA4bgRVlAk)QSDjT6&4ScGvBCB})dM`gO?)I^G}WfuzG z3q9{@9_~gtIa58*Q_zE_2Gw<W4zW_yCJuF7hBxGvX74!;S`y^%JiWE8sY#b#kgw6~ zJ+sMLU7kd>=kJ-dpKw}@)lns!&&tvC&J;{$Ib9SuIDm6fdhlQZh3)tKHG5_fEQnX@ zl<PMH2aqeP70GLO&#}-AB~HY-7Ey^3YE+`(3{sw_x|Ebb2h)K9Z`zXaOD~r=P~t#| z10@cWI8fq1i324LlsHi0K#2n-4wN`h;=un34xs!0`P3xE-^?!wJ`>y$_<ca~Kkq-y z_m1xb?<?Mv=ii<iJWIGQa;Lf9bzkY8@A|B(-T7Om<ecUB1Utrhm^+v_{Z;x*>Ro8$ zY|Ab$wuF+v{_H8BDa-fasJ0gg*xKWvKf3}@sW$3bzFC{Dp#_q__GeEvqq6CyR1nok zW>j%oJ`vG^s7^GairM>A1yP+~h03HlJp@;h!o6B<MisRcuci<xX?eB*d<eTGC#X8- zh<PS&5S%4JWcGoKbshbXB}Wf>2YP!Y-6RoPW=Kw|8SYMY_ou>eCl?-0?+))sbtlKc z(r>IEa_xZ55M5=2yFu-l92ka_HEOyVXc|T634<-*P^L1x5n|UUZ^*O^WWqZjR2a%y 
z0?okd2t%dm;yg3jT{%3E8LR9|@2Y|bEGWiUrV8u~cSaP_kfnW9W<&`pW#oq*O$~y5 zUkYw2QS!Y7^QsVepp{(#T4&^!dJ@DwT{JvCv?Dco5~3%Stv5cD;++GT3+#ElCn8&F zBiO~*1o*O~vUT}*qLsDwyk@Mtb5hybd_1T>w!DC>`%`0uN7tfjn(9NDOV)T2W<0S< zTOs$X@x-n0m^AP9`xCRmW4gGsk0)w{$JSbB&9`bRJcnT%R9WG%<#lG=pGqq{rt50^ z-zQ>)XUgYke|DLHN0U$DmA3j*V0%qv!OTY!g)~RU#MCcw{n;f39<58TnC9;xhw_OE zbg4fJCO%r13{<vOp8}}B;S5E6v<|g^cB<;|)&aD;WisLQ1H(J9pm6yeKO#<YGD&^e z#Rh*A&tmXwwI{q;duaA$AvC1+B@9fq=8H8Zad{RC?3m}c1HFd4(QWOmD1;*fV?g0V zT2P#h4N44##?COZKr7Z4iPiUI!2&3sPd4{UYd-a5QA|dYcdo4+rVu7%@?*ku7`}a9 z7MbGYVX`R=TKB0x3nnodCT(Sj+mkyBtStRmFnGyFWpk1iK;?vUxR3ulI*s@9|K$J7 z|AGHC|1<sv{CD_Q_!s!+l`8VEUiz!Vff5Hw94K+1#DNkAN*pM0pu~X^2TB|$aiGM3 z5(kbj2hP5(5ip*1Z7=-)mTOSP+0Lud@c*q>*24d<zWhS?|HLGEra=zSUw7GRDA!~? z@c%KfmEm8b-29ac{58yfm4A|dkiU}uBY!LZGk}!-l{ir1K#2n-4wN`h;y{T5B@UE0 zP~t#|10@cWI8fri)N`Q4>tGm$K8me#?ts>}DSwWz9=C&k69DxxfcgtPlU@gZ)+&GA zOFc*Z0sf4;9W+gMl#N3<2>&zwouxFihuPpB1ZaoyXEpP>Yc{g~f0=%gf;0b5`B(X8 z`H%B=@z?Vre=eWoH}Q>pH9waR2LB!WeejLo3&AIY_XlqY=7QtFo?u6CWiT2H2l>E% z0&fL=5O^{0*}wyV4+SOzy8@{|XP_w%3(O0I{Qu+sga3#Aulqmef6#xc|8oCsf3JVD zf0aM(pYIp^l<#fdk9^<oJ>`4I_hH`^zVm#2zAe6HU&6P*ca)FzzT^F|_a*Ps-iN&( z@m}ej@b-JRdRKdEybHb4yo~3Mo}YML_I%#+i03xXRi5)b1D<W3HJ(~ex#wsP%e~9} zlzWBy0{19)J9jmA0e23!om<P*af`U=oWuPm_s`s~x}R}B=Dx#ywflT`zk7>&l{@AR zyMwOxT)%~Uh+lR+4lxg}b6xBjbe-l}>#B7vbRFfQoPTis!1;pnGtQ4XZvsz<5$9RX z_0Hwa<DD~{4#&HWpEzD}Jmq-Maf>7CNITAOv^Z)V3mpRcZ}vCrx7laeN7!50J?y#c znQRMN!_H#^%s-f4Ft0LCGY>E~Ga@s@Y-gI8C^Lug(0`$SN`C`BkNKY<wmRlA3^FW3 zIgr!TC#ZV`aU%)4gStl$H;}N~sk;SnJqde|x=Rq(k+9pSI|cF7eAr$=Y{`e+A&6`9 zVYdt78WMIjb(<irCSg}m9}&c65_To^VL@C)!mglh6~rbIb~*JSL0n0~CaGHlv5|!3 zs1FL_DfzIQ1#txl+e6(Xh$oY<%cvU#@gx%VLFxuUJTV`3y&#^D54%nfm*>MiAczh5 zuxkaeJ|A|CAlBu>t`@}FeArcjSd$OCQV<g)EK6M>h;b5j4RyI7#z>e*O@_p%V=irs zt3E2ni`4+4^`X`~91^RDhkB_!A+eGGrKrn7VuS$oP+37-Mq<2_k_2&SK1>XWONdvy zsY`jW0zd{8J7)3X@g(FDUR+E-oEP)rA`)^DFP4*#3wd!N3Aun57m$$id2v1onc&5F zB;-6^43m)Eyf~MH?Bc~T5;D$<b4bV-FCIriGQ2pOfFwtGaTWnNdzcqzl8|$G@mK=V 
zHNuO>5RkLdyf}k^oC)nrCm}<;cr*do<>$p|1muiCUOb9`oW7G61p;!~IlLGmAlnCE zpCKUI`gt)(Li%_yKtP6idC^Zmwx)Q|M?m^}c+pEjx_Qw<LU!;XM?#Xk=q4d&^P-D{ zbn&8-gq+2T4ia)EFR}z=%Ne}LkdV`PktQLh@ghY+w)2;efNlK6Bw#Cl5eeABUq}Kr z^B0hSPX2rXu(^z%AOUmu^GHAkzncJbmhrntKs!H906NO}F%qze&k%t2GJcc<%;C=^ z0d4#U0oYW=r%AvZewYNb@<Rlmt&ATe0UP<91faEyKZgX&;Ri^-2ELyFY%JsZNWdJv zmjtZmQv_goCEr5=B78RqDC2jKfOUM51f0sBO#n`b^IasMg+Ge`tf=JABmoir3=*)G zKb-)aT*;qC0wVl&60nBfMgUG)&2J?E&HNSuaN;U{GYM$oI|;xEEBOu*(8#wFfaP(1 z6A3tlZzBK=aUNtMY>Q}E!Gl1A0qWyCNJBW_WFABz3{V&6K@P$JC-EQzVSw5bd60l` zKp79>4-Pni2iXS$)GX&g@WBBMJV-qlAW_SM$b$pwd60K7K)jX*VFw4)@gV77fLJXL zVh#?d;X%g10MSYw1RNX?;X%5=0SO*N8w^k#=RvN)0Wltg8VpcX$%90L1EM^LGZ>(< zng>}12UPJO$Y6j-B@a>z4v6p|!r*{qJjgE?VA)b0gcl63bP10n7ehc;TEUZY%aSr4 zi7mzxOOEG}&|&~8%6KHQV1UIu2rL-j_;Mbk6&$dLN1}@H%HndK6jT;3<ViWDyo@Ks zl=3+|DW#Mz;7K86VHr=#C=2KFq=>R$9#2Xr3&K1ppv*7hN%>^{9G(<U=FjCx>119R zPYNgV=J2F!GVeH^6iw#N=1Iw<Y!*)nCS@~uQZC_-<w>#Rm}7WSDmi8bPYNZ$={zZu z1drxPkz~d+o|H&t9L19Y$qa!f<&i*$C&iHf&y&&!1BYGWV>5vu$RZx&>-&QsiC};G zf*^-re|v)<g<yYsf*^xne{(^QK(N2zEK2<C3WD^3)jNYAdtiS%f*^Tdf3rc5JFvf* z07xAkk1or5*<aJAGe4*Je}V1)Tl_EiAM@V@J-`e6bNo~M6a1t6ef;eZ8{ld_%byQA zfquS=-@<R;SMewCF}?zH1Jl`SnZL7lvkZF~dp_@DKg83_AA)}izQukj_$K=d`x^T& z^K<qEN0noC@O#b)XPW(y^BQN?QSK0euLi#s{6g@F;6uT?g0}{*4^9Rz3TA=>!DMi2 zur;_QxFT2=tO}L~X9tC#JMizoUqH|Bi@+O!Z-K7i*}$jS5w<t*2;0t{5x9pvnOz&W zHShs8!OmdA?2^D9)*rYakO}MzBm-Lmt%2siNr9R`B(NYbGr$L&{(t%Z<o})jP5<}& zFZ;g)x`~hbAMoGhzr}xzKkL81pYad)yFg2^&fnxe0W=jA{<;3?exIN9{mb`9->-Z> z^nDw27SH*f^gZU==iBSM*>{ys^zHTy`BJ_!eI33Q-wI!iZz<?7X8Wf3Jl_BD{>}Tg z_gA3Hc-{LA?{nTKy^neKdG~s6_Fm)N<GsLpu6Mwj^ltaIde?YYc<a1X-g568?{u%v z%X<C=T8>|Ne(3p@=S9zRp3iwc?s>p-m**DGHJ&}5i#+3=Ay2nwyJwT9#k0aw<B5Ro zW433S$LFEBzj1GIZ*p&N-{M~6p5s2peUf{KyNA1#yPms(yM!Berno_FhjWv2jq`MF zoAV^Dm1}m!ofX^(T-51v&UH@bj_2lb)19>AZ;rP(KgYWN;ds;WJ;%%Lx81*ReBALl z$CuncaDU7FHOD^3?T#Bkm-1=%BaSN^mpI1V_c)S{t&W}UTOCb~2FC{X_3kU&qI<V{ z$ldMU?rwEAyH9f0xFhZb?wM}h?R5Ri^+(rlTt9Wa?)rx7IoFe}$6WhddtJA<u5o2u 
z6Rxx?<vQKf;acZvay7WBT;;CWF2Ut?zU6$=`90^$&M!Hic0S>J$a$CZ7DtU^nPa}= zSO?4u_Mhw@*<X7cG{gAV5m$#?@~}HyZF0%Y-00e%l-Pb(i(ER6O}eV&(roq&SEX9o z;fkoGKG!m(1lqHua%mPkw?r-Vxhmw+On@D)mik<a<<hYLTcnhjCtc-o$<3bYTCbKy zT<eq)bG_?Sxx_)KRfXN;+9;QN%)_pBx#VTLT$@zbjjqi~3EJyaVK=$9$R$6#vDJAC zRbf^lSwNIm*k5u(YJ<Pz236RH-CtB;A9g=0mo_l>xt>%@_qsl#mL79`S}v`J+E1ya zdtFbcrN>;4%cXVfC9Y4ZrHfskP)f{gu8+&5Q=#@_YUyIvV@e5XAC*fj(DEZ{=`q*C zN(nyULvm>?y!)V9y4dxAQi6BymrHA)cAr|h*!5AR1hx0crPa{#y-JC_$aRle>UZ5O zmzv?-yVTOft~=$@DtK<MTxx=M?@&wkx^7oXkGXD>ODow6T_2H4e�E>1ydl*J(-# zKHPS-G~(I@A7;ej;~X}SjJch8fW1X6-Ot{nmiDnXs--*G52~fT?9FQFHueTt?cCmW zuJT)!QGVx)%1>;9Hm_Gp_p{fkrG4x*YUxh)I<>Ty{eW7!jlEiKV^iy}@>@2d{LV?s zPqZ<gVkgzo1MF35>3;TdwR9(YrCQp{ULn8PwsBDTEmKByD^Qh_pJ`?8XR~T)A1kS) zJJ~&IX)k-3TDpw|<p3zyTQ>|Szhyg>-#O>VPi%xXFI7wTvlpqQee8v5=}z_%wX~PL zSS{VgULd!zaec4yTh_1q&gqk%*g$`sQI?za^oxwL+^nNtV2<a25@uZ)vqUM(VU%U( zRQhX7xePkBj9IJ{<}k{l(?WlhSs=ICLMNGpa%nC76(%e{wziC!uN3Am^W?fU^p}}A zGH6X1Ggm3hVanvX)%2H`*=i}t94D8W>F1f5@?*_q%q$tSihhncRxUNsUu0&;l}+W$ zF*0Z+{VX$GEj_~=E%*DBmM-Ntezsh*f_a2h#?^|oXUH`xD$i1WBWKFLC$HJA{8pZ> z{6<cbe@|MyP5Eu!Dz|hZ^GUW>E#1TpsHGd(ezkN1+b2JN;;JpmZ<Dg1p1^#9P05fG zR(2}CjmkE%9BAv7-(Jq#$@a)~%TL*){Kl0fx&fX^%Fi^wGdtwEh83;KZ@f+Ztv`8# z@*7tc_&Vletg<@P!8=N?>rPrHKT{W1Hj7&3qpZ@;+7nNeYidtetNfO=$oOiQ53<Vg zU&GwQDl1D3b0fP=t-XQWDnDPde2wzkuv)H3K+BtDNTPm~@>|<1*TkVkg#+=rm2yqI zwn_et)ix@>HK)i=Mw!Q0rEk&1NpelJa)t66Iaz+9nt7B}dRq;BRQORHKT&?BI(CBm zOcn4>;Y?MuL9VH)TrSsC0wqc>E1_=+M=GIj%Jx~w+`uY4sjRM-->a;ulYb+XwaRa# zM)_TqklS0vJjAY2OAoS2pO!6EuG5w-iOJ6{t%%A`EP+|RLM`3To~V}gu?o#gpf^en zmoR%-rSD6Quaa9>QdTWLT>&j9{iuMor%r|KV{6sYoos_z+RG~RS1gXmEmV|M$~DKs zH;SvJ``8+_bT6BbpE`cgQsuW?SveLn_pvegnZ?Y#tkR3c%sp(i{M6#|CCcwYWd$jR z9#qLsmqQN}eC5pTY($0K#x9eeFJG`o`7JwM`JJN(ISZM)S*4|g(2}xZErgbq$nP(N zmXzlg&R;0Mx3EkRgciWlN(&3%X=TM)0N=S>ermzI1<G%DzTD1y<}Ow%-N`Cz*?f3U zS>NUZ7G({a&)mj_<u~WgovZwo%~O8ogyojz0p7W4X)mj+Zu6Ks*f}cfc2-&4=0Qud z<u~V*l_|e-<|x0%DNoF0Ze?f5kh!y!wXux(2&*iAWl%R$t}C0RJX1Dvri@_@^C4DQ 
z1&^b<=!a$4Z2Bx(kzZz0AEY0WVYBEn=?CP}O!^F3kz|ggPp9|Euw$58SY-u0=9pt- zJjcwKA=k`cZf1EIGGp2_<@czglwU!RpP0@(!R}T|kF&ef(oO97YUxIHLM`3Eo+rOK zeVwwBO+PiM{9UQ6kkcc|DmcANSr>We^$ht5{#b<%LHME}xwRn7+-Yj*M)oMRbOS5M z&j+VZSALH^TCNGe(?PX#BO6dlH?V%SbUo{npAUpW$}i8$HGX;@{a3l<qd!XjMJ{>i z`{+NbrF-c=$t4ec5B;uO;^@2SKguOHeHZ<<T1wLI$eWk*VrrjKxQP0wQn--1PbpkL z-K!MNr|wY-6V%;G;XLXtrLdd2Qz`7C_9}&O>JFtaM%}IyGSqEyADAGh0zlqi0s+q9 z0lR?fSg*_Bp=rNg{_*+bAFl%Rc;vr0PX2Mb<sX+z{&70xABRK!VOjZyVH^&R$Aj+w zpQUf1_}|01|9Spn{B8W@{1|^Wzn)*tFXoTt>EIvW=Krg3O20e!f#8L3I^Pm(3RVZ_ z1igX31%4iQHSqbsLvZWAComf53ak$_1QrFR1t|Yp{_p$0;(r{@)Yrm!x*yKcEB#ge z<NO}qUwv=-UhzHcd(d}_?=s)HzO#JmeD%JCKEeAR@9(_d^*-<Yxc3h4Ro?TwDQ`QR zhL?F~dR?ABd4BBqy5~vHM?E)sE`>AiX>iY<@XQ1K$v?SY!U^{o?h)?8+$1-~CAp1o zf;}GY_-Xea+;6zQ;(pwHm-|}x1@1m~hx-&bbIt<({29)gFS$PFy5DuPOM>&|8Lk$% z-(TPgIsXmu4PSRY@BFy)4(C<Q^PDMXyK{wenR6zv@lSBO{|(1y9s3+NIYh^><8;Sb zIB(8(@a%hVyZ;^bIrd}h?d+B8ZnlTr1UiYO?6Itqd6)Sy^CI&Z=04^I<`QNQyWjsS z{U-ei{WSd`d;<JmXcFmmja%5$nP)?jNV|)Jo(WAN{Voprd}tDBcyZ8!p-H6UH9)5^ z4}~U?mKO(oL6`(RFJ@0bOUzTkB&d2x*yn^v(DstB&kK{F@FihShbBSi%NU9=S{evV zBCW51bsO_kXcFmtanR>NlSuQ6gFYLYM7m!b^kirfX@7ChXM{=6|Ke1L%%?+>paRCJ z5L2N^Py*wiYkESHpav#D-JwZP1QVbgp-E5$6QE>h5|qIN=<LuWsDlYmS7;Ix!UX87 z&?KmY3DB9LNu(4udbF8&AT){8!Z_&8&?Hg}<Dk8vNu(OaLHCCyk#ZOZ?F&sJ^)L>) zEi{P~#0IDnVMHoo90VAVk{Aa8Mx-XjL4Xk{ig6HNM5<x~)Pb5u%3>S@%_DU&4ua;9 z!WaiZ^GIckgP?h&G&VqRdJRn?wJ{EY=8@tU2SM{lb&P|cd89nXLC`!>ALAh47g8V_ zAUNBGCXosm2LVQ;M8-jY5vh@J5MV@#WE=z-L6uB^03&FVF;E-A2nuBa1Q<c5On?9* zsFev2U<A!F0s2&E5|qmr2#&>}NzgA7AZQ*`%mfIU2Q4!Jg62WdOn{(6plc>T&>@Nd z!J#>nyCe^EXDD}Z9%yeUcTpbb{!s41JkY*S?t(nfZK2%x1ZX;QQz$o)2f8toJ1-A( zLnya95A;MRw<{0ycqlhcPUNfOLT(H|#;2vPX6_VnnS9tIq1<TRt1Y42xdZ|@|AulS z<WpBwhH~jVP(;WLlkH!{d?J(^%6n{0C^txgu3RnTc9L&i$$T)BJ16h4=1^{cpzK7% z#{N7Iu(2->1Z?ch1AQ`-OA#PAV~27*1PG4Qp<H(!2zarB0KuU;luPD;;Hk4o>aT!L z(nWUi3iL_N%7=YClshx;)ssWHGYAB5C=caM&jWodlsk<8!2vy#+fIPs93IMT%L4(& zw&sC=V_Wh-@If{cAULIma-9SSj_09V2TA?qwL-3)?BwOlqoLfUyvJ%nxi+FPIKhW< 
ztpo@T>Y?1mJP@?CfdIjwJ(OEdfZ&WC%B{--LBCJU13|xA@<7m|wIr#NF!<Nxfne~j zCObLFJRHh3=RLM8lv_o#56Avct|<@nU?{hed@;8~$bm41Pv{)tHArLl2A-=3<w$7^ zR0W|NDUE@CAe1AeF;EnQa-=l2gn_jUq%myiT*AQG2ErHy0zE<~2eKFeg62UKBS6qR zNMZyCnkOZ(3e<cJ@zn9meW4sFi5<_}8_JQA7^osbIZ_e>eM2Y*k{E^&6c3>s2x0{2 zo=^@1F$@H%hfod#F#-hCgCItLZV%-^5F<da%7Y+=fk62X%7Gw8fS@f9#0b#cp&STe z1PGcZ1u;-fgmR=H20DsRjugZ|SrN*Sg4lfYA}NT0k|LBN1u@WNgmR=H1`3Q&jugZ| zlM%|1f*7bSLOD_pn}?bw1u;-&gmR=HHV-vV3Syw%2<1pY4D=bH94Ux_8Y7e=1u@WZ zgmR=HwuSj{C`Srnpa}@&rW1??#YZSd3Sywe2<1pY4Acan94Uwe8CX0>K`h9?;z0^x zplJx@NI?u#A)y>8h=E=qlp_VP0BW8T!~&>!QV<I;*Yi0L#5~3}&s-<uKn}y#iA$Id z2sseMNZ7SP4kR%Wc8!n&QH+FLE#yEJBVktwIS|H3*p)&Kq%jh9g^&YrjD%e-<Uk%H zVUy_m|5;kJI{(-63;9s+z2L8duR&&jhl3vqUKSh)o)KIdOn}wDKk#=r{l5};DsX?` zrog3v!N9h_sz7z%xB%z>v;QYx@BbP9z5eU`7sA=U)8FW?^w09UeD8v-{|mlP`R?{z z>pS1q>udL&>|5fS;bXji@P6O>W$!28<bS1imv@JEqj$M?k@qOie>}hSe8=-e&!e7? zcqTm=PnTz%r_Qs$!*l=Qeg)_LFTkDlEnJox;m+hv1>63GT*&>N``7N*;5PbU_lMk< zxkub*xYxQ9VAt<={oVC**DJ24;M9MU>r$}l-{xB7s&*ac;+%hW{>1rpu<5_od7bk@ zXTP)4c?z8Qj|GeVcN{-(eAV%|<4(ubj`JKnjyA`Mj^iCiJ1F+|?04Dc;lzI%dpYDn zIGbJ1*0T%Q5c3}M8|K^0v&<vRt;`<gT;@!sg{fiYf$haV=wHyU!g>Dz`etA{`X^-b z2F*fxjgTb=4Rtg1bs?KKXckc46ta1PW&yog$mR{2`E;|8%^NiH=v6{CZ_tG4CLx<Q zXy(!@g>2rSDWe;OEJ*SAK$=6JB1j;{<FMoC6@mnEJPw;lpDaiq$m6hM>5~KrBzX)* zeVF=(Ab}{4!RTY?69oxmc??F~h@Jys9)r;{=%^rpG*7}#2uUE$;~Vz$S%L)OJpR~p zdbuEtldz*vb9n;&(R70#<q7oD=z2jy0==;!&_|(nL82#Nb%KOMdh9s?J%?m^0#++X zc|v`Nt`Q_8)ML-_=v^e$6R?CJ<%#t{^c)iFvFCzxT#yDxSO7iOpAU-(QXdKPqvv|_ zVby|^B4IwdN|1U;n3t{;q;3-Cp(BE{gM@MPGC@j`FgFZ)2?_XEKiu?ELCTZxUFf+y z3ExF85hNtxWA8fAb0FdqFuFpJK*q;m4*GaO0wEuVvFKfp@(CEdSdc)>$6*Y;NRU9z z$6*v*E=VBgV=(G}=!Jp=l0FXm54}K;K-9-zpcI}jNJ!Q<`a%7ho+n78uur{5hXn}< z``B~;qUQ<{Nc%YKpLCfZfw+&u{z1<XB#`%U*x%{n1PKIw9QHSQwjhDTkHh{-!`uRq zABTa{njnG9kHh{<A1g>LB<xT0F@m&~guP485TrFE>@9k_Agv~0zo(BDq-GNKEc!;P z@?i8dL24plzoU;5q?IJ>x3nNgjU?<hbV!hp?2qyEO_~=Z5dLx4&*`8bf%H$p0)hnM zKLJBa7|8zwjP?r>8~{j|PmtgQK*GF&1V;cI_A}ZeNN@(gVLzogL4rd74*Lo179=<Y 
z;IJRlE<u8001o>R?F>oeIUqwjLK1ln7^T^eM4kiArJ0aKo&!c`IwX<jfHX}B5}X5Y zls}~YN08tkK*IhbNN^G$VgD8+I0}%k_XG*f0yyjq>R*BchXEY+ed?crR6)YNhd#ye zB<#D?-vwzg345LTn;<PBVc((tDoEud?Az2|1Zg1&dyV?DAT1za-=ba=r1|-<KZT@u z05de`)HnMD2~GugH@-=|D@brGz+taae-tD*7vQkZQ11v591L*SE7aS91SbO=_A>Pc zL4u<J4*L}KmLS2|0EazE{a%pZaDc;}p?)Vwa5}(YU!Z;~NN_yBVJ}g?5hOSt;IPkA zzZN7oAmFgCQ@;`<I3eJ$7pPwf5*!go*e?VL&ImZ{tJKd02@VN3>?_opf&`}o9QI}E zXMzOB1RVAy>ZgJP=L8(~JoOVnf`bAMdye|CAi+rihkcFuks!fQ0f&8&`k^4fSpkPV zMg2ekW1~FS8-kQ4_&r5^Uyw+_kNP<EJwYM`Kk8%DcLj+Q{HVvM*9D0b{HRB%?+6kp z_)(8g-xefN@S`54UK1oz@S`50z7>){@WW2amr&mfi6Hk8pjQQv6#J;pQLhLhDfUsH zrCt`qJhAU_>Lo!W#XjnB>KlTXC-yxK;;=}Hebgsm5{abP2e20e5s7`+TKxd^1wka` zKI#GLYl2A1ebf`wR|S!j`>6ZTyQJI)u&)RrDfdzP&~v2R2e2;-A}RM#AEmw|h@{*{ z{Xh2J1I~(KTNkhD?!9;K&<PL}92`VMz=4U(AaRHyQHCfW3^N;MU;<1a!*(Y#N;0B? zIiez<pkhMI8BB0g#4P5V{eRun&2;rSo_p{6pZm^x@6P;wP+xt!s=B(myLxr4RcqZy z9yj8=+()p(+lcdWAGw}9X2f~9k6cF{HR8P7N3JE07;#?iBb&_r@p2!yhm1Hc_mPcc zml5aXK5R37(1`PLAGimMI4}2syWfcOav!*zMx2-X!0j;Nyxa%wJ|oV{ec<jj;=J4k zZo3iZ<vwuRj5sg%f!k`tdASeVJw}|D`@n56;=J4k?rtN_%YESPGUB}42kuTI&dYt^ zHXCtX?gMv+5%<V__mJC-xJT~0humhwdASdDZ#Ci`x$howixKz8efN-?jkrhdyNBFl z#65D~J><ra@D}YU+$?E7!Snz7+J1Qbe?ogmyH~qIyH2}YyGToE%V7^trOnbNYolTJ ze+oPToTO!9&xWqa>YwTl>gVeF>VDYrKXt^G|1xzI)(V!X3)DI4nd*4;G<AU5Q_WI4 zs>i6B>QjDIzE(a`-jaGL`<NxavRSzv*88iKvz6trBdCztNd~M5CMYA6Vx>^&u5?n` zDTWe={0^)APb2R}-iW+_D24Y&?vC6Pxhk?Ya;{VwSs7`F%#F;9OpJ_#)qXEn8+3}a zgNK1Y`1kO4;ltrW;WuG-@MQR*@OJnbxE9t2tHR0fl5j0-_NRtV4-X6X4d;csgpUg! 
z6%NDmz>lHNL+^#&480iI6M7)DMYvhmD?BYcENqt=rFpPz9|g<y9@xha5Pyd)|J9*& zq4PqqP-CbHs~3~8elZv;7};3EI5yNGBx4=pJFH|J#9GF4Sk2fGyeoJkd={(?o*P^l zYzWQ`mcnzv=-}YsDZ%XEiNRxoErPQAhy0!VseDj=O@0m$7<bBd$v4UyV7-5iyaIL( zbLE-xM0un<P%e_YW8I^ztjoT@FR;yjKk#PYg~0B>j=<)?b%D#^-5?%V7?>BB8JG|_ zEzlopAzcFP11$rx|9Ag4{*U~B^S=yV2M_q~_TT8g(toi(1&jL{e;HOsM)?Q&3;iei zJNR4s!|;6YJ!~W1@$K_H?R&_#)pv{UYTsJlIan`Q;G6B6>Kp4D0zU{nd?&zGLiLH# zPtxboA?bDLIq6a9Ug>tMpj;xIFU7?D;)_@}*(u&BUN2rQt`ZZlm#7j;#fjnwaR7WG zbQQLV$BC^FUGfj%Tj68jEn?Z>REl58DJ+=?EGJ3wR-6A-zRE^F$?I(Nqr93Bnu+qw ze}6Fo_BeJ6hHP|#{Ii8Hf6AZRsJ;BD{cDE&iH+LI?^|e^bhP}I&9#!>v{4KB6&tDY zQx+<h!t$dw=a+Zd$S2>+JeXWBd?a<WA$g2^&fs-mkGCOtlzhe@-e=@6gPVl+q@x}9 zw$#>v&q&AEkU;));6vmS2Ju!SA2SI57~};8uNDqTEo_Jv>GKT22?lxAfg8y)4!nju z?ZB(aQw(kpF7y3nLpqUO<G=~@Y6p&|S21`c%I>fs`I#<f@N(hxz!n?Q(R7UsVFb9A z!OKwKZX423^kN&Lz-k8JoPz9f;2QFv16Pv=9C$Ig-+>pAoeo?@?CxAjE+qFk>;=TW zLYI>B$#%wKEs~zgAeP_gQU>8of^22*LSdgIJ8-WQaNsMF--hHW@+5;72>T_;f%_z% z4ao-b1cT=b2PEpieUj+Fy^>%<EEeuz@H}C^_@@K+NyLWa3i3FE=L)Zh_7yr;*eCws zuzN9so1S-Y4wsYN44xyrDgNTXed4b+B$tuL7(82eL;T5suZurAaG&_I4aueCQ3qZ^ z9$_$zK78lEec}%e+$(->L$aPc%wS4*Rs6<*`^0Z;h-J@*7);_UzINbV@hb<uB7SK@ zavs^nAbfj}dl)=RcwT(hh9p7maA2G;W7C-Mxx`F{W5Op=p7ppw)TeA3j**wipBA@L zO!{AANVwI%-$u9iU$@aFKbsO(3LE`zFpj<<^t0?7SGE_J9rX${^0M{g3N-Snjc)O? 
zIb?;f$-mF$Hv0E6L|+&BSdFY`FZ8vj<!I!2hOoKjB^#~tzi6Yi{udacuL;aldzrA= z|D44wqpu3gAbT0zC-kzorTFz(hUi{_8EG%YhJ_-FTOua>&oD$^5tsq?68zfJ;uh1F zg<Pw9i~9)q473;6C@vD?el`&<61MsuvC1#PDekt>M*m|B(U*j5tLmZ-0<+m(2m{b3 zEoxzethY+l3$I9*FhnJqZ=pJ2r^J56nha$}T_AiTt+9SxAUrCqv(Y2cT85}V+0~wp z$7_|v%}2S5ZS;tA5kpvaWL>EhgVF^SS1ZcWc{U12Yy(cMut&O(al-A=`3zA)+4)q@ zChQPZ*aXMATt&<27OU7ivC_}FJdc*qyDe@m%CYXvrL*W=7FQ{LF0&mrmEtEdvtF(g z-;?LqzaErl+2}2KnvGtQN7(2^ncV`F;`1`Qw3QgylkH#k$jl<WQhZcqcHEWXPMKL6 zSBg92pk3}h*>9t}0$<zcj=;w@x;^lLjcy3o??v(20K2Cv#j6AC)~ggR3p{9-TOYX3 zMiqXxQ=n2D?PmjCNlWRS>{mLIZno}%igI!R17+lV24<1-7$_y@GBA_C5DYfN6*CAF zktR5kq#2k_QdWy|glEJrY_v;cZ+$rZA?%9G7G4$)TffdmxzB9$gvew9`28VwS<TI^ zA?$KRg_pz+tzuE(S&<DwRM=zh!i)-!iyzs)J}5GA0-k~hJGpZ4A-R?HYq{{E_@0ek z5D(etc9Dr4a3n-FTO9lXk=raZOL$KFn~gSz2dqxbiji9wXiILjKxrM>U=^AvJSDQZ zW~T6jxYy<$6koT|10tK)W(qsSeOA?(3&<4=)Q~H!QZsOZY=W5~JS4J7XNK^g$gc7X z;Q{ewtHO-=<Z`RRnIPDtcc%D~+=p=())#E_G;T=qBAr=FF0-iV=p~zIrVCGsPutuR zB9p47<5=uInvP>VYgL_ILoQ{Yny{&1n)tq4Vbz?5GVIQpCSD%c#W-A=JvMq=eB4I6 zMK&Q#6CM-UgftDudctaWS`}e42yBu?HkVBm9ue7GHWdT$u+_*^;Wk`N^K7QhBWo?{ z4B=ss-R&?z7I#@co-voKvA~o{vf3&It6=e78$BRyx6%FLHXH2}x7uijc#l<eas|1V zfjQ(N3rvcV3#~%1MG)Iq)Wm57T2*vs;#7iFHWQpd-~h-3Q^;ACsr|&sF_unR$<m1{ zSUO=jOUEy>T7_w@c(aXe5pS^3&EoYo+9cj&qmAN?Ho8i@&T3;q3EM<5q5V>p&sbuW zfbp$(t&MIGud&h1;?*|VByO_NMscH6bNsl4EN#EY`UUp2;#D@fMZCgBH;e4vE5Sw= zcI%g5qs*07&63j_O#S~Zy6PY6|2t`h`iJ_d`ntMXy-VGI{rUCk40Qx{<#&W5gkSLu zzgKx!xdUJBXJe=ROl6dEiqctWrBHbM+aGx%a!=%%$oY|lky(+^ky9ckMp}gb2!9%W zE&N#cPWbveJ6s3b|I@-f!^gu*!Y`o@L$8D$3f&gEG?WO{gwBAMzuZv!P$>9A@KErD z;Qg@tUyE<$xxtCSfx+&<wn0Dq`@JncBi}1uCtn2beskm!xxd^^J{n)a-vr(XJQvs* zxGAtM5W|=6q`;s+kHE3`;{DEl(Epr&hyMon^;_<*@Q?Qo!1wLZe#!S0y!t)m+veNk zyAW3Y<@lQI>+9-k<MY9%-#bUF{u9!CX}UB5d)iNwTEYh43-NE_)8c*NjpAA{Ce9Nl ziG##!vAr0ESHF*heXs(!Q`jJ!D>MqTgfT*2p{sDTAknYr-{{kHJG~Y|-}Gmsc!d_N zq;DH3UZI8e;#)?FS7_nA_%}UeDzuuk1++9`q<DQ6ULpsK6tB+$x8F$d`Ydp7YANWm zTwYC9w%1erxP{)8^bIWqWtOYZ3KW7W%e5N3g1)Y&pviJk%js)+>J*NG1g58;$8wc| 
zD5j^N#&S`Rzw{KeSRA!iPeF<0q9BLqDd?~`>J=?zs<4_yXK^1bmB%yaJFmck9H*sB z1y)nFMIH1MufJMEUouj>{t9pC7mXCJzrx<G7mO6IzrrrB=k*lySFWyN!>^u#`pQLN z=dYH6_R7_b5$&}UbXRUBLr+0-<*J5l!deQ7D_5b@Pz`D;H-l<WTDhuW2eF=l&dNn$ zyRe>u%8H|&(o)b^xtcl^jYD7MX3#j)Rjz8-ZmgxCt#TC_hHCA32GyXca#h1lWIY8% zm5Ul`_6d3_j@qN8+Hy?|!8L`F%2j9xeOymLN9CfhNm)xlMdj+$piX)U3MyA2>|fSX z&`-H2>|fSXP)~8xBSxwvr*FV!y@!nyubslSy@!kxubrZ2&|OA~*G|zX^g$!VYp3XB z`hbz*wNrEwz28Xj+9^7S?le-ob_$CUJB$>soua4F`-~K?ouU)yy#|Csx88(~r`wGb zubrYLbeoalwNrE)-D;$G?G!zo-eaVA?GznLw-_m2J4MIPyNwjDox(CmsgdHfQ{e70 zQoMEwt08w9DQKr$x*j?bb(2s}@!V!3xsvBjHOuk(DS9fsLr*S8xu&O|4y!Seyn2cb zqqiH$rF?Tk>1{@mS5MI)^j0IutEXsx=$n%s_0-4o7Ci~|l<Tg-CPqC8?UakcZbm%` z<&=xUwnjZ!@1btclTb~$N@1g;o`hz~MPbLIo`hn`MFsG5C83w%sB4WRua=_y=q4k{ ztEFgPy3t7TYAM=>USlMAwG{15uhx^MTFN!Nr?fSayjF^yLa#ECyjF_#q8p4Pua%-j z^hzViYo%x*y~0THS}EF-UT!3LtrWP+j3lp>0(YsA<h4@ZE-{k4RtnsDBgt!}z^yZq zyjBX_S|f>7Rrj6Plddt6yjBY3RvXD_-f|ZkNnR_3au*rNGx%}^bd{0hwNkWzUT7qF ztrWNmj3lp>0(ZWV<h4@Z&NGs{Rtns?Mv~V`fjh@YmU#PewvptuQYe=;lDt+5T*^rD zS}AZzBRR&~UcyL@_HuC}Im*kOWh6&>xtNh0;pJ8u$<w^t3L`n(%PlvOr+T?%Msk>! 
zTWTad!dn4dVkAAnTLE2cBt61g0bOJyP2sIcON}vDXe2$-TLEn}k{;=;fHoLOkMveR z>y0F&H@>|(BMJG9=N1@A2yi?%-$?fHa<xVhG8|tHQz3*nH<wSVjU=Qvo~tsF5aW1m zo{@wc$8&RyBm_C0t2C03<an;aNJ5n3xj9A>!W_@dHj)tMcrL0ZO?j?qoU!txCwYMm z3r~6y0-dWA)}8bu<T)3G1sOdFagL*A>PcRj!<K$M*^MiO9sPRJl;)Z`f$jc!(iG>K zDD3vvle|2KZU1`Gl;@gCVgJ98gh1y$$vk+wPC}&PIC_SWgiPn=a?ElN>Nt*0F_Mt# z++4O<4sspG(aA;<lAW9DZkB^+$8mI$k%VyP;>ZR%(MUqP<GBe&@>nl7-bg~gbCsj* zXo-=8gy-hkn#YBV$8mI=o`jI+ez%;A`vyXuyV%L}bUg_%&t0q=ib2eC7wbmH>Pg6X z?qXe0%p>P@rDKdFFXus-fX?x99=V*3Hj=!Y2b}`S@p2xyjE*vr9yzZI9cd&za$XlY z!bp1Lyw3DABk7UzPNc()q({!{L{ANcr_l~@Ixp-Nc0}4ppGa>@d!?tOUD7?$&Hj`8 z8Sr->@crid+V`RFfbXU7VR%}*-**?R<gf5u6ucsMQ7{=?43Bn?h1*7IBju4P_|hK~ zDT-u8j#nls1K@G5t8$z+1Xcq*u$$l*P1Qv8Cs+&|!kWT!>Z9tt@cp+*y+l1<jj0Xr zEpR5H3Y-eN`Rja1e1li}X89&Tx7`un^olG5epLO+ui=No+X9~j-VMAKcosJP+XJ@+ zHU`$iyWGk^J$(324~z>83-k%(1WpXJ3+Mq~SPK1&eF$lIFPs{QM5zB4|CiVW@FsTu z@5Va7W_b9&%zvRj?q3M60<(gXf+K^)h#=4{m>E1O7?S^l4*nCYGwhY0l6T4X$T!PZ zK?8p_)*BYcv*oGsSa}F+2Zn}whqHwXh0FXC<X--H{+a&M{Qdp;+V|S0@Tj;?dm1(s zTeVx@OL1-JzR(>~NBE~xBtiTUdkEfz-+*Vu?czpwOT10GN<2@j7gvhw!<rD6)*wp2 zFnBnu2)!5CqV`q3QeISo+U)Sb@U7u>(%IsPVjnR_)Wvq;PO1_4HvEjV4E_dw5xxw) z5xGgtg}21VBY!BR@K$(D_*`ke@TTy7WNG*ZDJq>Ijgbap6{9<17ZiuC4P7d{;OiMW zD>N6L7aD!tLc>FOp?;wmq4B;<*e{$E%J3Z({5li}{ucbu7YZH-z9jt_+!MTC`VN*1 zH-x@WTB)6t{mM>lEW1OnwlgQZB0SB!QxN^($;g9|S9}*Kcf!u&a%Gj0P!=g>C<<aL z>E01Pl@~KL)Ly6$YaRHhRK?&{;jq-*fuBlQ4BjB#FDo__K9){k@DtIHY@OD7q9)zW z*!M(Tx{bj@U~hGxD&68hMY@^6ccH?#$%bN3y3t{8mu_(2Zs~dlJ|<nq;6YTo)`qCI z$zgAoHae^#*?Qr3P}bH9zk{;2UickoOg6Bx?}!oUN(SFX*(+>_vX?vT?b2lqd_}s{ zhSWz37=#@y?cu;bs6Bjd!BpHHzPDf@elja?0A4}Pu^}$N*)}A<(rygyM}ahhFm0y& z9jMTL4vf$~4h+-Y4h+##YzS>}Uj|_?O$RUtdu7^-L6|AiA_ifdObZ!=Q8Mkx;LXC@ z(n$_{M(S)s@&vJ!pfJ26w!##)b;Q<(-YC2ysjMul>xiuyh4DE(jj^yfr!4jgfvGtr zMN1hB3v)V*K^T_Pp$x)KoDO0T=HYZ8gRlyx#SG#Lj@rs#*bow1s|(XcVym8E(MW7{ zG7K4stz_ORd?sbH7GQiy1qNYrNhyPf(LtVL@K)iyz+E;ZPZL{*49iAhANUsWF*$=3 zxJCF->gvGvq%ID8Te7eGEy6RBeT`wuNNgoDOdW}>roLJDL^_dGyBQW2o$Lp0A3EH? 
z=zVxN>m0aGs%LO7*czK9-%<PF+$#!FHDh6<OIt7q+gxfe_=NDiWM7vjgm0x04*QK{ zUn1D-Qk}7TP{6)gd!XaAuNDk=sm2OCF8m-3ap1R-eGMNMwn&3*mK>z^y|EhywlC*y z;XBE`oV#%d`+CFRm)a)}n_e1bEj%i=kREWLA=wrck79~>&|xL%ej7ruzQcyJCAIs2 zEeh1`<Rijw(qvWuW-jy?24TfQk7f{t(zG>$upy=)2Ogk72kxgbgD|@#wvEI6xX3w- zh2br+%^h|Me@IgqyHogGI>UiaOH*t}KBH|JgatWm&mauKX*&k@;wG4Hcj6UX?@C6$ zf+=LK19wPsY>1~TGbjmEfGIoez{r<HDwWv~jm>u8VX54K`=qE1$=CEa24511G}DIY zdZ`V`m(;%RUljh7rZM(Kv^&Frho$Kb+$WuBL-GYZmO&V&(>4q~C;TdvIPe!~oCBYc z#@mp5M2}(+cImX013#cG8H6=BjWGC>@Ut}5f!|7}Gk7O1i#_?lGMh?_-7I`5*^?h^ zv#H3~@5E!JrybZ%dWyks#WvED4h%_8F!+twR@&phW2DC!{9HU*+HFJV_aAfEHqxUG zY%M*);Aa@rhixbxB|YT8khF`z!??lkb6^YUUI$9jb_ceSwmGn+w3We6QSBZFwve_s zP?GL;pds0F+b5zV-O1Qba6@foa6e$mhU6F8mBBm3Z2|kPzEk*0vR@;I#5)6@u>uDH z4>S0kcw=BcgS*8|ffpUPG4KL|?}*m~o@ek*iORPz_%4*D_BiY%-_qk5i_IIfBZIHt zR<5uiZn=4p4dmn|<<37xtlA;zq#$MRARuwrO!;ev&6K}la3^f^zHnfB**>>-VUhQ? zQ>~@E&#Bf@-pk-Ek|saH;CqrH+xNq6DI(kV!){5I?fL8mDInW3*B0^az&EVg7U65D zj{~2P`r44ZNdpYtjk~(H4apnS&){8PPq86+o%$Gri*VVV&vuIs%l6~6TYNxPBM*|W zJ!q`#A#uBG56MAsd*DxH1S$OIqxuhjWsSWHwYWW79TI<$FJtUMz)KnYPW)O<GYETX z@`?j*A}>4eM)HyaZy+y1pym6!Mf^>^niV)C3G!xTKQSHq{>%UDLx}rjd%8LZI8Hs* z)15=&EAk*#_8_4Bs@n;hgaM4*38Mu2YQ76ofgEitY5n(|b&mFg+}UaD3Hd|@x8m9C zVMFpP`PqTbke?XD?g8?V10NtCI`Dq-fdhAv_Z_%{yyw9C$RP*bOWt+hc5={x+sHc( z+)C^x05<;QEr;Dg{^r2D$pHu6MeLaX_WR^bhuuuxaNr%}bqC%~UUT4W<W&dWO6-RW zmiT0^w%jx7yT#AsrL62h+yr+pxLZ6dFTvRU<@jPR8tuZ$Vhb8Qi9zf<qxPu3Ci<i$ zjC~E0&2k4Gmh7XwhHJ6RX2}oKzCzfOMmsTfA0)8_-2VSPi2irAcD}X{*8XGQ;otQC zM-ch%4fS#LZuKhlTzsR?R7a{s>Itf@{HA=Oyb3@3o0Th}|F2WdR8E7fen&-%{1*8* zvM=&zWHaLZr6UU>(<8$p1(6OBCH!;vgYe7n{dX%o=EvbJe+nY~<%BcfA^-c(yI4oq z8M-mFCbR<H@F#?dLs{_r=Y#kAw}MXxx5MZCs^F4f6rS$;2D{+foWi^PoAMrc3!?j- zCpW_H-zd44+(|Y9zXv`Eyc&2E*6&vY(t!n76BrI(^Bn?;|7ZUPuyx<%zZG8p;{Iy? 
z6#o!^4pupWuxx+V_q=bX??&Gm-wI!)Z-TGbmjyd^pY*l#mh`l=UAk6UB`v|1^XXDw zsf%=!M8(g=H^n{T7I^$SPi%z!`Y5rN*hw^m-~TK7|IhX)tzyF2M%tsaiV0~W?NM6A zgp`r?D6L{b(ny<1tENRl8WR#m+M~6K32`Is(OSiXvyAi-Z{3)Y_GqnQ!b&5}YprmM z6-F9bEB?64jWpC&Jh#k9LvO`%ON}%XS3I}GNJDeQbBm2MR98H=$VfwX#d8adG?Z67 z*Jz|Y+N+q*V5B|TtC&!4q&?cJm{4b=J=&|7u)s*0+AD6H=NoB{`YI;W8flOEDkjtz zX^;9UCR7_~kNOIZB8{|1eH9bt8EKFDDkjV|(jN6yOsF){9`#jBs4&tV^;JxmW28Om ztC%p`NPE;*F(GQCJ?g8NP;R6>>Z_PgW~4pptC%p$NPE;*F`?8*d(>AkVWyFu;vLf& zM%tskiV0^LX^;9UCQLWd9`#jBm}aCs>Z_PA)ku5PS25uXBkfUN#e^wF+M~XT36qVq zM|~9&CK+ju`YI+&G}0dRRZN&*q&@1Zm@wW*d(>Akp~Ogg)K@WKoRRjZuVTXKM%tsk ziV0(lv`2jv6UG>6kNPSmj5g99^;Jw5Wu!gotC%p-NPE;*F=2#}_NcF7!f8g@qrQp> z!;Q2@eH9Z<HPRmSRZJLWq&@1Zm@w2xd(>AkVTh6TsIOweU?c5OU&Vw$M%tskiU|Xa zv`2jv6N-(rM|~9&1{mpH-uth=k@l#sVnRP7?NMLFguX`FqrQp>eT;O0x4qs*+M~XT z38xrokNPSm^fJ;O^;JwLGSX0A@pDe0k%s<?=Xx4xD6n|0z(_-b#dG;a8Y(QF%QMo@ zVewq9k%khB=W>iRv{*csZKR>b;<+A18hR|A>u#i>$l|#yBkj>-#e|cMv`3Q_6S^5` zk0vW7bT!f*O;$|kVx&Eqte9|;k@je^VnSyl?a^e#gcFUlN0Sv3IvHtRlZAKQ2}YXN zWP$5wq<KvixZ{nqN0Sv3Iv8n>CMzan8tG%a<8qvlHZ@t?d#1gS_NcOALWYqxRasoQ zV~zAtUap;yHg#ECxwb~yqs)p4#~5i|nT7K>+DP-tEO2d%G_TA8*V;()$}Dh48EKC) zD<-ru(jH}2OlWDOJ<6<@(85T2lvy#sFz{{0oyST+H_}0#TOnu$%-y+i%LLU(2fUnO zr2SqlVx)auE^MSFFBdY>qL&LAX~E0MMw)uLfRXmdf6D~Fk@CoY%LJd1^2mS71j$Hw z<iBNtXrw&y-!efkQXctlnLv${NB&zT5F_Q0|CZ4|jg&|JTSosdQXctl8U5WzdE~!k z^fx2b=s92dtC8}^e@p2vM#>}qEulXfDUbZOn0{fTJo4XS`jehA<v*7d(c%mv<q`iD z(;tnLNBmnvztB^r_~)v+2vt4O-y-^hk@84?3(cyg^yjL&5LG?G-$MGmk@5(Cjpj*s zguh1mossege+~3oJ!J}iu0u575FXjDfqrA8JhETCc?gf}S5LpzQ>N_aYOWs5c|^Z@ z`jwILh<<hSOC#kG{T7&q@Q8j3=;ubtBl^vzpBX8S=r@}lHc}qZZ#MnZNO?rR`ScSb z<q`en(~pgmNA#<u9~vo-=vPZWGEx(8x~^%i#w_O%{c7k3M#>}lRnvF$lqveThN>Dv z<&pfV>H9{?Bl%UCRZYpyRkaFLJ%V2qea}dF1iyLoke)IHKUdXxsOpjX=FxYJlt=EH zYaZ2<`&?D$qN+#in@bNGDUaA!N#F5d5kk<uGnaY#X}>UFW}5$+N1%BGnn$2{1e!;n zc?6nApm_wEN1%BGnn$2{1e!;nc?ABiAA$bK_Be+=@ks&_s(o#q&;XX0u=%ff1e!;n zc?6nApm_wEN1%BGnn$2{1e!;nc?6nApm_wEN8tbV5wQ1oT!pw2cbfM9uhTt5`&v7s 
z?bROFwrMwL>*4jkK`YnB!{2{C_U*UQB=tLZ`QNAR!H)f#)JxT~)rIP8brNC$7O5w} ztA9xOMfnu_zn@X=S8i7}C>Owwf0Z%~9s&C*SxSbYz;plS*a!Z6WEXY?Tpd{zSrMtm zzJO7YzVH>0ft>-rhd)Pbz!$N*|E}=H@WtU6{PNETj|uk=_kc%!ElfgRV~4=Yp+`eo zuv>jiC>~l6Dh-{ET>?3w4k05%u}|RL;LE{BgIlmuU`;R{TmYZ?r(-XFPOt;K>5JIM z|GvCWeq7!r-ypA-Q`j*Ol_$tU<O1v&XeEpA8F(o03U&=_30xak4Q~ST0+Rzn0=a?X z5I68=|A+p){zv?G`ZxH`^*8!w`N#PC_`AR>z69S0Z~LCb&VieJ>wIxvt#7*TG+!Zn z;2Y8((qZWhX%BoUY((t9CDLrEL>eGvNo^4`;5+R5e^Go;yj8qZOp5cd&wm7V51a_E z_k!@H@HgQZ;XdI8VU4g-m?umYh6wq>34%fYpoi%jxLo|7jvx~mf-tDIrlGX5rXK#y zpU@Fwf~WTA@d+O4aUBsR_)@!d1eoBd#}veuXh-R|XjN%Lv^<ufBDO?3DmZy^k&eI; z?m8EdNA>s^j@m{Z(c_~%)Wdpwl!tmqkB{_FyY%=75A~oPKg~nkrp1SYqDKZ{n@^9Q z>M8Vq9v|kR?$_c&rFMdIHi$QKmKGo4W^N_h_4r_}+IF&2iw|-a+C=Wr;sf2xMsklH zFXpNt)`=b;;Gyo*<NZC<y?VT#he8+ndZ=xBypM<4s>OS|`*1b6O^=_#6}pXV(c`^5 z)ZKc#$V1(w#|u5woqD{dhuW;i3p~^vdOY7l-LA*;IO-~Ls~*qwP`Bvu91nG~9?$kr zH|g;n9_mIt-rYmppvSX3)b)D&WDj+n9`EL%uGQmRJ=7*W-o-<0)Z-_4sB83iXAgC? z7C+H_HO?lNYVl5PCS@`wpjy*ydubaz-jQqQQnEphAMc^A)Z!iZdewS7(^KdQJ${^r zx?GR9_fVH<@eFsTl4O-0Kb9-Bid>?{+j*$<dc3WNTBpa4@lb2^_|YC}jUI2~p;qhh z)*k9&J${sjx=4$+0@XBFt7`OkORi9YT&Txec&H2XxZ$DB*W<c}I!}*l9_m~@u6n3* z^tj@o&er1*50%#AVGotk;~@`~)Z#(+$R|i#g-hb5xwV{}rNjfS$+xUViThpoSw1!H zlQQU$A@RkOxa2C}%TVH?D?fdq8W-FZ7Oqs|lp|KCal#SH)fkswrmp1jOVt%zeu=uA z%P&@!ars5cQdf_r)~HL|Ki4#>i@AJ*x`@lys|&e&o!ZFd7pM(fe!g1I<!hBX*WssR zC<|QK$<@kyS9Vf`TI;S{QKi;!`FUzJm!GRvarsJho;yErjyjji&sHnBd{nLA^5yCr zE?=h3=JK=DD3>o)%enkawT#QpP-k)ZGu2WqKV6;4<)^7LxcpT0OfG+hI-Sc;QKxbF z$?8-tKS@2qofjvlQ@H$ibuyPPQ6bti-QMCj6>^O$f4T~x#+4tdLZWfy$EXlzT=~(8 zTb9WwR!mXG5p8l>s}N+GN*9k(A;q}zBUOknuKWlU@{22fnhN2?l^?D`a&hHPRUx*x z^21cfEUx@e6%vapKSYJN;>r(JhjRHr>JTnJP#Nqxo#NICWRxRkm)%+&=q}xAfC}-X zsr6R<Rmdi;d_NU}i7Ve%g;e6o_fa8|xbnSK$Rn=&DQa&n-%Euk;`+Tvg&g9_7pf3K zT=||VBoJ4=K!y0>%IB+)JzV)b6@rH=pQ}RZaOHDUh#anbwhDQ}mG7ZK*l^{$tB^EY z`79M;hAV%v3K_$d@1~sW8tzuDRR|YNKez0vLb7n>yC_{;#XGlFAyPE`+~On^@`Nkj zS%ENd<YIO>QSIdZ+32J~j%X@woS;IAaOFFy5FuRo<5kEHu6ze2)75<YOyxLtHbaHf 
z&{SGKPR-!*?UiF)#kCBjojcn`g`m(>yUnpGqy$&KoeB}bm2ay;K5*raQ6U_-@<%I2 zxtdp7E3I5vMN%OWG?f;PQXvnx@~u<|1Fn2a6_S7}-$I2L;K~~+WB^xQS0Mnn@|udb zzbmh*c=fyT3j7PX@=`<%a`~_-bNP@O;POG$&*f#6d*e$1#r?vU{EGX1FZmR_?t@3< z15v@tz9}n&<hyAnX|n*^|8KS1wd=JF+B)q5EvYTj>a}_PW0ZMHnKD%=K_tFGN^d1k zJFLB@9l%P#v)XR$0c|V3*<baa;U6m>*2=W0S~snu)=q1w{;Gbf9#-E|52()~cEDD6 z`MVzR1J<b*s7b^HtXJo$W$IM;`WvARQhTd;YBxj_Xs5PR!>Wk50^j=H^6f>8xrcq* zeYg9r)k?Gx+93EN$di7NzS6>)=(}9qt3KenSUIdLL*#+?lmm!F@T{_1c|h5U^@r=R z0<jKj5J{yQ{1LQMS}I{hjQon&frlgSMGi#vMxKrAjyw?A8oAxC`F*}$@eTh`BpF#2 zsgLCO(&3N7&xLn~cSf#{Y>2FjTp&-AK9tA#%jHw$evx^RvdGj(Nn`~49QO7<;F}Z3 z3Umw{6VL)a|F8b9Bi$k$5p}R-Bpeao?cgilGXF4tKYsyY40M#&${P^*;QH|8h&-4G zFA7(MOT!bxBf<mxABOh&4}@0uUkcUv_aGudw{Rw+5Qaj3hQ14Z5_;P=U%t^Dn@?Wg zJKcY`Z<=qYueUGT*U8t`r}-qr1zaxAmfn<JkakO(r5$pfe3G0Yw~zyY-vVC;J`5ZP zycF0IxIb`L;0Aa`xG0beED6*E%COEcDljlm7@8BBh82~eq27pF*eTRDq=ls5&%rN) z9|ZRYUkpAT+!?$xc!T5h@h`n4o**A%MI2lds0x%K@`BYiVhcWjHIxJXmk?*L9DWx@ z`v>`t_qXv!{M7e@@38Nn?^WM3xZ>M<xB9N}7x}ZWnsP2YG1U3yNMA@lOYe&xi37z# zkqSQuhlN*#gNVfV3=v*E;%-BFpT5U0i!|r{9~%MYw`47O+VN$$79pv!7`ujs9bblP zXvpzexCY(@yZYu>u~6oc1f5}_W672DObfLo7t!ggfz|LnXgf(+4ex`tla$r)K6rvt zz~^{+T8(g9w*RNqh_cneDIm~H8={Z4r?S=PV|y#kOkIXx`;1#fPogYb+Cq9UWueig z(TnKoR=JZ}Qx<ZlLo52S)y-D)LdxO`wW1eL7IUZ-J)g3`L9OU{^m)77xs*i&YDLeX zEPz=ndNyS-geKB7Wif;%(iCMegeKA?ebTBsktXO9Hj2|d782-L^l__CD+Rj20xJZ1 zr3ID?l*L2BX41<oW|2Wz*rE^u64qD^1j$*n+CuX%`ZL+!TnsmEJ_ml~cs;uqzS~5H z{lam8crkp<*&eYjhBG?i4DUe!Z&4};3+N^x#K`kWoZ60m&IYs{|D*tI$3IEH16Hj@ z@*erwMu*5x7HS~xk{@k!ko;hycgXiPdYgP_p?VT`oFuNN$2o2x*VFcn55M&^!}095 zo*wHsi(HS}pqO=ZJ#LPH%n#oBdck%Ow~k&X*gpQ&(PJD(nd{)B()P8r4o)g<uUhLc zs<tbwwRD5fhBdnut}AV4a%<tb(sqHi7OpD`odPW#Pnv7t#j?O*4Vv#jo#r`Eqqz=L zX^sOGn(e>{?O_c_6<sBCw$MDF6D>3ssFQ^%f$Rrp4Pq_XzP>Id-wG{QL#yevg6_Z# zf@a-Hu?)hZXvN4yj=wFeD#PE_xup01;;d#h9BD0dV+Xqmu|I8>a#tbXr|p>ODtOtv z-6^n%*skBMLMZH89rhY>ivzDFH#4|_-YB$p;0;2C19Js?LfAmF1bafb5{|6<vjSJr zwvPMME9l8|JY%n*-Kg!!>k8VHj$^mVWf}Bz_B$2?$@LDrl3eG&E664XUQRYT@G^p6 
zQl`(vOREV2Oj)Q6xq<zB3B6uu=fKW%v;$A1qa4_Yj&$G&bc6$`(3ZjVxB(Rhc62<d zuBXR49#z-V4vt6F^)%D*sEV~vauchDMNmXNCuGF`;&t^_W36HplU&UpRxim_4qQ(* zIB*@g(t&Hq6%JfOE_dK+V!MS~MJ^_`TewxYArV;39L7~OWIZd2RY$VUfftaq4m_W% zao~AmwFA#37d!AAa*+eiCaWBnCKoy|MJ{k)lAQ0rI62RHxUfEGNBS$Pu_OJ>^4XF8 zd@(!HpD%+Ta0{Nj=?m=;XbV@`A<!1CutT6NTyBRzTeyscKwG$!g+N=lgoQv`xR`}N zTexVM6*_Ec4GUjZ)40US*EF!OW;OMTSiX)0C#zY|$nx_WSXx_erBgEMtaNhq0xO+V zG2cons%lv}uZE>_t65rEWu+76%wy^7xh#!Vvb4N{rDbziI%_sdOQS5ES<ccKWh^~& z7E7m>vUJ)^mQJ0)(lgFv>6Ga#oji@Dlcrj!IN=PIj-SHPlF2L`H;JXEPh{!X2`n8m zo~5HptTd;197|iDZl%Se#<Fze7?zG0&C=6Gv2^%ImYzC-rNd5R>CoXU9das52M=TE zprI@sIE1CG2U}@&>p@o9YQR92_Ah2>zX2@m+n=R<`mwZkUzVQIho!xGv$W_GmKOG6 zY0n~-78J5Hzb8xc3Rs$(&(fScmS*R&v_}q0yJxdBs|QO@?#|L~SuAaRvX!>%+Kr`M zx>{-H)?KW$#Yrczv~y=G?Qr6WR%&$W#L^Q^U}?vWEIs~smUif1rR_5_S(<U2mFmZ} zXKDKkE7dZNWoessR@&y+wk&OT3`^S{&C+Aqu=MEGR;so>%1RZfm6ZxdwPb0l7A$RP zu(XBFQbS{@j#U7N41%VxRE@Ay30tWY39&RBWNAodX)wT2+0W8|kEMQzr9Sxa4pJ%# zJ|scG)c<c5HxTV}ZNK&;wEx#?7vbB#LYtrs)Uve<Eu{Vk&Hu~lL->Zj5`Ov@spabF zYCkngJys1WKj7Q@CFLP}b6>8c;RA36H2%GnE=n84hp+8-BQHYVe>=PYo)c-rcXLUk zIMO3>9JKwvg%5|{3_lg#j<4Z0(Dhe`&j=3-=Z8Clwb1XOPeZSV9uM6U+7wz9T8gjI z@zC;j548))!S93b1z!s83f>mHJeUsF!(acHU>|q`Yz_VXSMpnk2DnqcMZQc<%MJ1@ z_~!2~_rMo$IPep`e)mGRe`nyT!1;m2f!Trafnr1i%m{@1Kfx#9EB=T5cR;s)o_~>l zwts?uus;u9rv@V4e}%P(=b+uc*|*-8K%DzCeItBD_~LFM{V9DW?MJMH?b7wqYH5Wu zSDFNm`Z-djq=>)ZYjvOaC?ec%@V=g!^UWjhpBe!j-alMc6*NZEI-GyFse4QcDugE6 z54y#qpha*|%jqgT1w{f!U8Ez}Bu{P95o?mCHmC?S*-mg2By@>j#+h`NxsBefBhDmG zEzuEX(oNk;8}t;k3$8BQO6zq5ndGTDGs+}SEij`@HW_Hp`SdO`%A~tcl-{W!%A~8% zJbICaAd@a;F5O_pm~>aWoo+T`O!CwnW{gRmsxo6t^3+^2#w1Tw>M5unTqjscZ_`uI zKycKpDxyrf26RSiGsdK=pSK|N4`NKZYYn2eXoxZCDm2l&qEJS-njS%KRuN#*)%1wg zW^_q+nSpeKlIrGKE045RQ(fJ4dV_#gqUnO40^%e$Q3#?lns5we@b#x6s$>&^k3bbc zC7TF*3#tey*+k%zP(wgTmm;6uRAt7K<d{ko@g!Y6xxor2={g;<f#&K6C&^P;I^s$4 z)Qvg<O7heV8UjkX2DA&MW;{uEA$%H{@g$oHkxMAm5Kpp+!Iur58R#yWt^>h$yctfi zsSv>@x`uF)E(RaMS_&$RCaa@A%reko9AWV42h-BUz#%XW#+x?aGg?C+$);+Ee1HcV 
z`V3c(@PQ3`K6jzj=Cc5$hPx0ss3C-;t0jEcX$T<cx+Y|Oy@K$OO-iV`3^f&UU05u} zXowr>YUF@<sbSG@<h;m!^KO7iL(?s`u~<XE$fhFnYJws@R}r!g2ZEC0NFA~l1k@Zy z2zm+b4k$XB&WK(@-qaB!lB4KG9Wf$#>KYv(A~}k@rXxZmN14$ISMU_sXU2!*N|C)f z;zRP(%PPV{Hg%M|n4uvyr0Z<2B4_D{4C$&xo~Ku72n^X&i0sA{Ls&?6p<VP!Gb|)e zU15fWbW^v{%Qb|BY-);L3cEB!g>)67>j;8QF7QwYIyv7%A)F+vAzWj;jv$<5jfX-w z$!eaWm+6QJ$yKBXgEr4ik$dPRW<*F=DR}RGMMFeLSLfH0?Hb}iHZkOCa-W`@<E}>6 zl1(~-LAqL^Yw3C&u^>5$T&*D#WK&ag4NU(K2-3x@Hm}VrcQtYqU8f@oq^l)RYjp&H z<f%0}VnFiLY7HSEn_4GWu+$I$(#2riQbYJh7lY+X4Z$B>3|299gno24jpbw&ksq7x zGMcK<5cV;H9<d3<I<tzPk4=*>mYY>Xe00@G;Le=jIuec3RSJSVHa+hrwbl^m(KRE` zvrf_w=8<DMD+uz~RHs8L4FMiqJ;7SGhVYIY1BK&go;hDbXh*Khc^U#ca?H6}5)x9= zIbzLQOF}?$GiPfE>F8px2CgBXBgdq)B&4IJT38d;5X_Nd5*k7|aty8uj6$1gVXa(4 z7)SS5EYHvp#L;!7=yLM3ju?&{MOW$w;mA?s866QEISMZ*1aRai^VWa`Mw2}pUEW$p z^hUlA?qHZ<xE|W&bcK%Cjc%%fF4Ymbk*AiZh}`J9KNhuC5w_7qEX2`x!DtR$tRrNj zyPY|7k&cLsJhf0qz($^GR1mMRoe;FGifMz2SdFfOEkGS!ESe3O5|J9+&CG^OiAaq+ zRcA(O<f#Q_q((OtrSr{5jXYIrMr!0KJXWT7<On}>u6aFSx8WMza$0Q$YUHUZ9f2Bo zYMzcbjXX71N0>&Qs?-ss(M^@o3LQZjd1{W17>ztNTStgSo<jIbPFg~o_j2?5|4Di+ zwZ8wK(ze3_V6_(0s<bKEP%Tf()D-m>^&?pRKdRoTUJd>IQgx0x9$Ncc^*A*GUHvD@ z>&hNz-LF+HhRuH^qW%q5a+KqgNaW|phtRY?0(<|fBIidIAv)l=$N*UTw~YkC--X`| zzYu;Pd<)_LBw*=3Ej&D28158q8K$8xLvMwi4edZAfVH7ms46rC8tMGd@gXDlNAPg) zjo=f(ZLsjaD7Y+G5u6Yl80--|HW-wDkl&MEmLHODmoLZHf1Ny29xeBgyU49!+5c7G zt-v#Z`=Iq+bHuJcFK~Q7^Z(}m#Qz%N0N(At1~CAa`YYJCKix{N^>_5^zTbVH`rh<C z;oIul<Xh!i>Z|Zg^bPUl`#Shk=~wAv={0EDw@BAW7f4H`InqRFhy<_AQbhb&{7~GB zcz&D3E5&of2C+;WEA|z;ipPk4;aljgpBL^IZWb;PQo;h^Oksr3Tj(aV6T<XY`Z0Z# zKJNNHR1-5@vo^G7L`}?aF>^^mMUYL`lTs?^h_K0Ddc-t6)<exw5MQ%to?a;^h^^U_ zUx7Si-6IA^%aK3Ym0yND#M~plFEY$vn(m_xrZe^AQ635bQCoSaGgZXWboGBQ-ZCxR z57}fh8Y*YNi|FQvhRTV#pr-0cSnjwU#X<B89WgX{YKo2!nmjdGM+8ltnxrCtrmIsE z@zjO5GQ;UaJqb%5*YSqa33?L7JRCJ%O>*MySWFLouFMEpq9=VG3L#7-4~1~0qK86g zQeNsELC5GxUg{k|N9##m>K#Ex=?Pxy9YIIx30~?QNKexfywp384%ZXB)H{%#swS4X z$7*0}HQ|<d>97nvv4rb+F&(BR7P~7IPt+5OxH1FiP(8uPymSB^q9q#L_r?ISO;2zl 
zFYQkUYl(U^b;Rh2_Ak~GyvW<14$>36$lIR|)DyhO+n=H$FY@-M1JpzfZhYq*0A;tD zsCE(1d25L(cPIOq%se;K2ZCjS7j{3Q{q#hodjt?(tgoJ^@KAm91Sjqy@>p*@!HK(| zPEiw4*YJ`LTkDB(uB8uXFFjG_p^EebFYbOo3zbAET5?{@<O4MUDfY<e!<Ir#K!`m; zz@$P?OmnwOb7`KIa0{_Chpf^PXShcs2j9dAQ-*cMm1dh|CUXpgpu{Au=^ivkPfYYs z*?M9EM`h9OdSbkrBG9+$2~(IoA|iw8rYB5k)=hO)6A)*Qd}xx(GPJ~4cc;3TmlE=9 zQ!N;GbkP$KXqzak9dy<ckZ3vTL_GnKmZLi932xO76;IF;5Nche*3*u9f?M??(6{Od zh_zg)4tfG|Ek|YQ2?(|vb)24nWXn<Q^#nv)j=~dc%C=1-1JedA!EJbgS%a1+b`1@B zg=;#%#n7Y4m3o4cY+;JiPET->EvUA7!jx>A4hNeEJ;8~#SZO(0PjI3ws5V;S6xRU> zOeORLC)r{>2G0Vw><8*7J;5#efoi2EIO!HtOFh9!x1d_+2~N5NW#|b`x&@`{iCpe{ z)>2JR<aj7mPjDhGDk^${6LCRBv_yCJDZ(B~OPDKv&Xa>OcuqJ0m%uzqPjCV*sF0rE z1YA%-HNma_`Ea|N>wiw$P<zL<1Qr0@%%ysQlWqxYsq_RV-GU0}2~N5N<<}FObPLL- zCphUAl%yv(=@yizCphUAl%OSGvV5dlWVJagreNfB9c6Gka$BALG*8C85J>(o%Rnw_ zs`ZE24kV){=6ACeWTPhLH++*P_;tXqDbW*cxC{I>`BP7DG7|Zk{Glf}841+ydV-UY zK>emCT5@fDMSj&2Ej-jOdV&*^$d}}2J;8}dpnlR5oR|daM?JxbNuYkv6P%a?>U%xG ziAkWo(-NkbbYzIXHHQXEf=$df=Fo6r68VCBt0y=y3Dh@Q!W5H^wDdXlLM6;)K}YvM zKF6)WNl7ru_*zeJQWB`I^aLj*f%;NUa8eSeFZ2W_C4u@}PjFHasL!-`%-yN?$oqPn z6OzdL<YO&v3Q0$#4f4LE$2l1Zg+9{b+{z%R5B2y`?gG9~KG5QjlbY5PV5g?Vu{P*t z4ry`7Nlgsw*0eapBsX(Vi#PJjJ6ar4lDo{?Y8>l=M_$`7Yt!SLj70uM-qPcoj0EaI zHI5BZO;_bWg&MDQ6Z<Rlcnx=6Z;}IgyxK$USL3FPbmZ#3QLM$?A`*EOtHANO?jo;b z=y6^^+JQCRI4>aWAaCe#UO?JGUf1KifV2Z^yzwa4r5)r|J<f|rJFvzZ=S8F)SmTZJ zBGL}>iXJcZwDqzcpUF}8k(c!N3=j398aG!2j|{>i6ZQCXuFUh~1uf342tJ3!q4-p; z(6i(@E$)`4$Zo7l#HVnDc9Ey_IMxJRFV$V-$&m6f?Ic_%DQ_vSC{HR6DqDQV``Y*- zKC0X#Jq$bg)zIrNRce)TWr{KydjN{0-q_K9JT&|fg+_jmZk4Wyd<ISbYp|(*B(gnn zTV!KoedN5zO4!m@V2A&>$goJCNKWKLSjFoRU-*~sm*MxJ`+orz_B*6(sgr3DFSTVh z@scL~5?(A`B&J{yP!^sX9u*!WmWO+ZQ^MWD9mQVZqr+-g4E+@PJaj17E7(2QF?e)P zh3@|+!~#4dzaDx6F$5nA-50vUjA)NY_Gg6}5z!t|>=DntA0pZ#j(w<w*xia_|8?*~ z@#x?Iu_G)B_5>dY-YxtXyfJvC@LKTVU<#22Yl3CL$-z;<fx>gbW5N#kIr&lf0{LF7 zFl>@9k<WtvfVuJvcn~;E?kRVZGv%X%&4Cqxy1<;kw7}_sp`sAT37i;c7trMafm;Gs z2i6Lo%b~!Zf$tEV@NHNlJQdg_913g=oGU7U-r`{YSJ*-D3v3bg`(N}w?%%0>uYC%C 
z1K0a6_pkCN{8j!^|3q!Ae}sPkb`x|xVmJSs?@|9E?H0ssJjb8uZ-Xd?uWP-1*ZO8+ z=ftJHxxTY}7x?b=HENpH7WN#S)Gx4tF%q#23w>GA57J@jp!AINDy$dkuzoQOu?^Qr z=Sthe%f&Cn_YvK2w|JfSg1AH6EDe<;afw(fY!WUNE)+*=%e4jCZ0z_Ls}0fK(e`Oi zYY%B#;V0r}*V+Z3WwAz~UK5TLg?||CvZ=gfRR>j|(9uSf!to5<kRfys-nAQp7E?Hx z@x5CMT^Ty1wa|s3!qx(dmT4cA^#JNop*t%uqP394NT~0GV;F>vRbZB_6v|b>4q^(m zoWMfTn)*1Ql~vYM#0f1Kgt|>IShF))3(Q~^@!zKlw!tj)UqX--h2l$)S<#KfLVz6> zsxHBAk<f7oK8E&Y2ofuJNru2oqD^g<Ah0@@(2W8!iKds(YXo~#E<yb0Kb-<s(?4uT z_R-%RxR?Isz?bQ->{u^m&|eq{Jrw=ff~Nk7{=^^@Pfj#@D4ggIjNL`Apx-kH1rz<w zf~IDPe#;;<O7t5C-b}xC;0^RE2VPIVbl`QA1u~}V=w<YCo28f1&n#$ahUj4%B2@aP ztN>I&^b^KH2Sh(+EObBgBOB87^h1Zents3_lsxo(2BF=d?^)2)>d-?DTua||;2L_+ zfvf2|?4qP<=$i~BGU#j8&!(z`zRJk6PNI8l)S1GF8J41Sc?R9h3PJ%uAG0A{Ngs9C zXXqmiOX<T78>bK14Ya1a9P%vspi^`OeSkqM;M4mZxP<OxwHCFeI~ZEnn%>8L#u7cf z*MW=Zb_Xt`+Z@<Px5|<b6lepzhgDy&kZxhWV$q%6?ZA3^mjmnQoeo?;H#3Mub;``D zX_VGdW>yVYLz!8%xq41-Wo5ByPMKLXEvHrVW`~_enUyfux%5Vdt)$F;87tTo^m@jY z(mC`x2hOI~IxtE%Ik22=Wam>V&}$sBj9%@)S(KRxQ!HK5OBp+u&Y+h#@Jza%H88j} zW%j-li<6Yu`<jcAl-c{5i;<Ms`vRUpnY}OI6w2&<0VmT{tl2?y61|W$JF$W?b6<+p zMas;50VmM&Skd8hJUy2c9a~M$VI-Ch>Ddk(N7D{GokBS;2m&2J$I_$&$IyfWN7J|i zN71t!IFiN~#PT0q>A>N1g#%Be%UKr&wx-J%8kRwqvY)ZAN0%_Ncp_cQNUY@1MGhQ7 z7ut|)qm2w=$&NO#TK$V@y+aP7bq*Xz7dWt(&UfGdTFW3-*k~1lSX!g=EQs~9esrz_ z`_f7W_MsIFV(E;|ao{O*w$%l!mC-08u|`JA9au!m99T$aSx*T0fR<XExx_`MF^H8c zdWH?jDms<HY_OAU2zCmCSiYi@9GFcfGKl3WI)Oo~F43_JVpWNbVGzqGbO0MKUxpng z+O+VugF~Ai=}yRKeB#m!tCsm~OOLf7p1gJp;%k<+We}gSl)VoLKICYavG{_cAqMeL zOOLi8`IEMB;2*TL1AnJSIq)}XzcBH!O6?csSL7Gkf)&8WDK#AU6V)B~Bh?)E163XP zJyjg|9gQ%E4@nwy;5Sre5MPcoz^>%yJ}3G-KGO($Cz>B)<Tq9nA7SKI2Yx_)VYS|u z$nT8A_a0#{Rr6zrus53d5k$UbMGsVvuNc~2LB3>_@VP_S`;5Fv_LI-q?{5?n`*ns7 z8*-SDuVj!<StZE%PN;GS_)e&D2=-2>a!B+9TgJ?N2aim20-QspcY>BfmUn`d!~K&J zw0sxY;{+|=MILv8mhZy%!9I4}UF0#cmqC0?kxv}>24OE$f{!OBVmm&XoQUoCSaKq^ z<0Hw5*p81QCt^E3ikyh;JIKpU#CCiHIT73MBQH7;+u==#JkAabH&Nt82R=+*aNtAa zc?a$y&pGfx@~i_NAWu2)etgxK^B!C|-A0~q;92AeHhSB9<Y`929TQ<MU|5>mN7xG( 
z@Ls}Rz<}GyLr&RkWS0ZCk_Q=tGbO@ayExR{WT(U4MRqvwPQqTiD6pB_>#%o_?GC)1 zuoo|ZpDD73vG68En81LINB0mWFu>I1Hp1Tb1P+wQR#x^Zgq^>~fj1NOo<@P2$lVTm zBe@G+-u+FI_Wx954Txz-D~w<e2DHLy48m|$7|tLJW`$E7c#$y7ft!S(4%{FNv2G_= z#0rBM2}@XEkOP+p0~v(nt5EE~dSQSA>xBLeTp;vg5T>m{Uj|{)D)eCxwyZ*L24Tc1 zoWdZCSA|{<yhA8*V3knlz_~(C2UZFN48kZ?$amnaLf-$>JE8f!n@6B|1e!;nc?6nA zpm_wEN1%BGnn$2{1e!;nc?6nA;D6ExnD+l+c`4C)s}HJ*a!RBk{ABpJP<8Nf`5@@# zzvdBW9)ac&XdZ#)5ojKP<`MW8jzD=dOpa=&;4dS7OmWG?l8HIl-E+I=mNb;sl$X|( zS2Q%tuRo<nk2#eM6^*mHm(^DH7&EE3WNZ(!Y>!!0wX=FG%<qmWJ@9{zXibmo#W_V; zXe4V?X;o!eWo=`9_v-R^L3x;TDPf1H9X-5cd}dL0c2+@N=E8!p<Fkq~2h~>3Z)}Lx zWsWLsD66QfnUgs#x}dSLE?OO}X{h&hrmViMtb0vmeM9#-wF`TUt*f0IEo-RnQCC?% zFRQw=rgV-~tw;TQc95(xgygBKtwM=tRkXA|npGbytt+eO*rA90OaFz@y86o6n!W|y zb55*jtezFE>udHaKCUc6y2QhO)$zj2lKIiH%Gs4=nS&6OXHIQhWwbuCc6R1iv{zeG zT2-|qb9gyU0Yyq@RYfz0*UYZ1t1fN8vHo2rRT%Fv3m0S9U!7CW%#tPb4bf`zG{!~C zYU|4DGe_4pRF*~mT|Mp@?^KE&=lxZW3o^&nRW2+oTk>!2XF<IEO!TwUU-dH|w|PxH z?uLKYK<3BC%rNg~-(U4G?>}?nVzg_^qV@IWQ#!V>Zhmcj^xyV`=EcXJX`WHwug)kp zv$(OL0?%c`lFWu$r|bWj)BJZ`q}=$)({UFS|J51gWR9)H%(^5K6Er)Y^2WM<-xbJN zF)d6w^ku!x7+*U-Cp$AYJEyR?V8+0@+Ii8M8O3Gh-7>=r35H47JFK;fO6%u$udSQY zW6`2TS@YRkp4Cu0KdS+66SJirXv$2p{$YFZfm1PB)&Fp`N(N=+W|l<fm)2P`t~sOG zbDKGK6YBB48QNG=X3oZVSv4&2_U(Vmd&cbKzwm|L+*I=jG><^@2sDpC^9VGLK=TMR zk3jPXG><^@2sDpC^9VGL!2h8mpwRb89ySSu?+VWh{i$6XstENCeiD2nSQ|Vwc!K<a ze4#u|R<UD!OW?e~=)h6_&;1Yiuk<hUPY6APsCnD9{=V6W&vv&|E1f3gNxFCtyT#8% zB>R@|aW`A&B?Ns1^ezOR>O+3RVg7sm@)KkIq#eQ(X6N<HD$2<o8Ewcct6MU^p>|GP z>HG?;kyqE2H&$VRe0FJNRc3v(4C_`^OZq0pnANJ4o`v~Y`MCvHmdUJdz-qd=T+>hy z%`C0+wu4ps*_Cq|*{aUa#AvgAOv%a3&B`q*98yz{c0EVNy1%7K$Sf<Z$($9<Y@Cli zl}F1nYwI%WqVuat%cA9-6Qj(Aij~5mo>{rM`B*qKSMJNqu0(6BGeL#&(uUI9#7MK` zB&9GvH!D9c$Lw<He5_q9L;?PkORG$!Ktn}!y{|jz^dAm<R^l|X<xxs*UT#)iZo&Av zXerLVsuDec)}pK~+EAZaTAx{ob!2n+x+aF3<%cP`g#}spMR_Impkf4TF$i_hIgM55 zKkIgR;?w{N$9pLS+4)&{`PoC*S>aOD)K@lCE{s}dm$?Z2&1~v8E&}>so?T^mG;>xh zezY!trPr|5&8(%!${Hv@%yrg5iD71+N;~CX%`UHyjZS76&Y%vZm!dPJ){3Cnin$_~ 
zSsg8_D1|zwx)@5C$_D6iaAqA7L(NutDLr%0*Mhtf>x5>Nmd$INUw`E08JQSjol;QA zEhx;w0ik#?H7xd-*JU~ta4%I>&#$e6TC0JbrMU#y5Up=OQFE}Y6~e5<VDq2_oeFSa za|^TCaAww_Y;ASs!qTe7X#Jq3TY5>S#2~YLUnMuYD61$hdz7VoLbK+fO6!(bmjUXi zti(XpZa%bL+1a>9t-HkT2<w8o-ONO>Sw2rG$ScY!EX*E^o6a+8tr7#wBJGr%o_Q$J zb08a;;}iW&x)4u8&#az3i~9Am&%wNJo$mBY^fL=h=$wN)y&yk(aBXHyZ9`^svALGd zI@M57SKBzJBJ<So<Hu$~J2nf;w@uGn??hj-fl4J8mpCUUcT{CfWi>9X^}I6unfdgZ z3$N8tsP)VnHnS8Xy#NE)&^OV?tX<MMFE1~vsHo_l9KLw$@XQJ0M%Hsj_h*s-o}})H z5!R`8VozbNJ*ZgBb=|z~Q5~7+ZC0r7l#j6~%Fmq`t*e|3wSYOtKuKUd?53UoJ-6=i ziYTTC^xeEu=9ez1sx2*dH`goC%WN)+i<F(!voL2=V?(2*@jKF(IdfoMz-m2Pe}?vS zer*koQ-5-z$gDd8b@7b!#0_Do2g{;$rmD~`UKd?h%V20NDfkcP4sU_>iJs;$dMJ6h zMYu?L{rZiAf;6+Z9{QSkb2jXdC@>2YD7m?LSv_+K`t^fm2lHYzw6Km6wL>DGl_}_n zM)Gh!G1X>Gv<fThn1V21CnxgQ$>2`K$>fwQsVT$lQ)Ar_mDSPAr8sHK`j~60YUk8< zO5~cw`zow>?#S9XnGI&K`XlwM;p&;lG0TlQE<3*n-7~LmEheBwbJ@PK2I^u=<Y+T$ zHaZ8&sNprH8W@+qD3NVeJpH($+#K`v##xz@igobJ(mAD=Jgp2`v1=Tu+9}b4^^H}{ zG5dC;lsN~Q4dD<4iSA~(=}KV^hOQ{@A0DEy#=H|S{Wr~d$0xGPdWCkqe6xLfHf(Bq zMB-#?QVS?K(53gx&b8hz=1b91$!AuT);DBf*1~L-8Lg|suwwcwufnjHL)=)ya^>u| z`m97Z^N^#IB1{xL^Lm<%MHiPv=bPujYMPq7#+piV;;dRSG11jJdIn}*^X*npQc=4o zb567dPYYh*xOXt2Sx2h3uYXf>(0!X7z#I$J|9tDkbL3F<eG*;Fj-1}PuxEZ&L3ZId zOa*ANA#?Jmk>*rkDHKm~uFvGjL%MKJeTT$JX7vJvRWCAYjYTb-b_EO-qBS^+6B3=x zGQAbN3bP7x3MQGaldLLO3b2U`lTk%&dHv|biPkA9N>Oe$WR4uX>e=IOKC#x6cjVbG zH>HGG(6(hZ)HOmcj;Wxob}=T2y3CT2F`4Djh0u(jnCN64x4)8?1JR){*LB=MW5$)3 zubA4#I;g?MBu=o7tSR}~cwy({6fdl;EXO@<UINTJW9lk#D`&E!TZ8PHOw8+rGW^@K zYoeoh=wXWa%F53#D8ZYw!F=)>@p5GyK6N~X%6eitCyqA@7hCU@{QRD-!nhWV){B?P z3K5N*?43~lD&H?rXtp}3Q%{^zVO{|@nwSxBf8ZSe6`T3SuVD`m_ZmGjk!g)emQqxd zgIg}Ysb7Ehu+J}LnrAd+if5)$x7rdXEu)3{%#%t+jUU@%_^9HsO%HCDk%{B10|b?v z{DQ2!oNVU+Cuf#d)|*rB$>s&E$73|BcCl;dN+u4=tS_spoZrCaXLiu(iS|}=-ISjB zJ+tzA=Kg1!b2Wv-nPP$|o#BD5nbT-KRrW~{B4+>9U^ny4BhWko{0NLnoMKKujhzZ| z3$wEG@}0La<gIGF*KBcWR<vPJGz#JHA4+6y$*v~R!Fs-j9MuzF71>4kCzX_p8`>pv z5?&IR@#jZt%B}gj22+eZvtgcsl+0$?lT8`L{934l&}~lIm{-g>nPp6Aa*_F7GG9w* 
z#%x;goj}@?Lqxk5KL3wbC&H)yW6JfB?;<(jn?gT^HU|#`*T}!f{R7_zj`vUZ-QYVL zG4I-l&x->Phy4zr6Fq>+|40AD8`EQ8X~=A&k~xz~#t$?9WeplLdMGZL*Ye^YTZJr& z&N4rOEuj<UA=dC^&1uAEDU1+vdgNzKiq4u*+;n+oI1=iN@vLx<?A$C)sF;DPF=H?m z0BV<*67h^C!MCYOUY1#V#?Z>D=!_wFli^z#W?VB)HDxYbzZnpla3K2&dWOrwuX{y9 zb=9!+=n!ey(y~vPH)zt3g8U-y$(AjOcCW5%sEb-=Fy@C^kMihjd{UV=Pkj&6uv&_X z=}}?Q!?vRIS!S4-Fu2LIEN&pgWSe#}5P6TB^{C2vyiuAy+j@A9+%(LrogV**Hio4~ zawn8qknL^uKR6-Ou!m*@*HX{CUjN0GP=gIkFnwB>bQ;90fVvHW{M0a`z9Nd%lEJlQ z^YCCgW0Gn8mRVx{_IC#}tFc;;b))s&n}(;X>8Bp7#io0U9nEUdKCR*0Y2_B>|J{-P z`4vYEc3S<@ryhA|5<`wWG{Xmv9-oz+<88I6yKYmef5AhOm&J@&8<zaT2PB6*AmeKB zfDCTBaqYnv#t%kePj9#Xqr0WBr`3|ukIee-o#NW1hoY~BbrT&mX6&Frg-%yHj_y$$ zFGvr;Jyy%^u}SWGY*1ZoeSKC5=5)(!8M8&^P*}7@u>dp{AMu!2%(uY*|2wbgI5SN1 zXlqtt$C=S|oEhHxF<zV=jE*m39WQfte7L=gm^m1x*7y<|Gt2xS#!1YM)<tW|qW{|N zJ4c(rjy8iG4X0us?Vp~+nDn5gM<IITQ79QwQj(Qj;9MxjT>Zc8QRs=;6(1nAHUIEQ zD6pOc=cQm>t{LWS;k{h;qcM<sH1Z1m&g%X@cr;Lh%@c*`VqD<`><UkDU*Qramz0=G zxAr~r-*a!W1L17T|L$!6>2+<H9)PZoVqGtAcO5TtOxtzl_w~PW`Zi?*yV-v>hxg~M zO<~@D_1d5YyEdcK{hDsv|Bt;dfv>7K-@bFUd+vTuAS|+7L6jhY><g<Qgb)n`vVbTO z0|W>J0!aXI4>30@R;#UAZQWa2wQ994b*WmlYHeMr)vB#ptF2pWt^4{tbI#1YcjhKw zDCqZnKl1<m`hR^m^UlmW%X#mad7pQ6Y~mJGFE}neBT4H4o4C2@^k+H!7-hSmarY)m zn6q<tvLD#B;^S4T*Vk{VWAk>FU>kg(l9%6J<}FG%wmGt6CI-LW8T^HbgD=z`VeT8f z%iZKePwa=?RH%a6gLa!$k-U+*J7%D{>}GbF&|K$41HPqwqGA8j|Kwzdm!^}OGN)sD zd{)IhgObY11>dA+P#{d668bSR<`_@Qa2x}^9XkJ7jBmJX8WjrDD61f87vIY?LJ3<F zyn^}z>lr}%=#GL|b8Y7UACcGxS?V2>cI3zYnY#J-2+04LzmxXXn|x<cly>Ban(~r< z9qmn1UbeHm7IfssC&{wJt!L3U`I{@p-g>AP<opunYi(MF^V5n?kY)9C8*9tquh&*= z!%s1OD#&I_j$oDSjF@xwHSLQMOjEX`X|V2jc824gmv&?cn({ISJ5nfNw~5C8-%0vh zcK*NLhHeR69y&X8N@#tkCNwuREi^jh34R!SHTXpE?%>aY7X;4=ZVj#s9uv$DP6&nr zUm*M6GlBa8*9R^NL<22>6Y;Hodf<q_P-F)9m;VL-!^j74h5u~-$^Ny-12Ee^*+0y$ z`2OX4-uIC27rr0)dVJe`t9*-m(|w2gQoLV!-}L?o?EOFY{=ggcHhWikkM`yv?_bdK zspoaiQ=WS~Kl6OwvkScZ$9d*^vOHrwUS$3IoB0RxSLTn+@0zEBkAJB-*PLn|VjAxE zz_I_R`&RcA?z7z|yVts_+()^mxJS4(<6YxL<6+|#<1%FYJIPpMEH-8ulZ>H;OMhE` 
zPJckZQNKj*(p$lxU#=JEhv{MMb7cB^TDw=fPP<S$OWOjT`~_N$7D1lBkHM1vgnE~H zje5R%rrM|;tIkt1)X}P`ypJq@k14k+S1IQxrz-1}YUL<piZVjc$h+i4@-VrDTn4iX ze^%G2+BiiiZ`iyMAN#ADTz^vDwz^J{v8S!BlV$8Jt81r(sk+s5l7NvPs+!fcL&6m3 z+b&_MYISXsFxLlGSF3=zo~G?<kum6NmNB$%tAweF)wM;${z&yT$r$u)mNDqtBw<uv zql77MT3s7O>?vBu1{p&g4Kjv0)=QX5tgdwurrd6Itrf8+X&v=4hC0^B80uIpVYH4_ z0tWK`cdf2E0dqZ}d|`E+C}FD0>Z%p7$7x$u${5;mf{dXpD`e~|tLu0XyF>ZX>N-xw z(3a&g_K4MWtccyKd~S6u6EJd#@~G9dRL1^eb=63i>kX@`TEJY7(Xv%C_L<dHDPx~n zT}wplVdcM8*J2s_#OkULF!BTX+#(tK*y>s+V;@;v<r3z4)#^G%z+4YeeMid})>fH} zy=QeT5U~eo*-{z9bMr;)0s35tjD2Wz&6Ba4tgd1a`wcBSSH{r3A{l$%>N-lm$VIg5 z92rCVW=ojsFILwq0dw6%$8x5OVIIs7u^Z`g(?#qCiWQ33&nZ?QV^~M|B6hv<Z>uX$ zz{rKPY_5#`%j(LJFysg7%GSn__?~@+@<zA|Iba3o9jhx-DCznYtsz6iZl)`Bnv7wk zPL(mN)N~np)9RWcV%I2twYrX!G1NO*#$LC&(qs%Xcan(xgz7s&#-Q(T8N*7QC}Yrf zn224a{L|{1AYxZ4|FF8oi`W$uJ5<2P1<K1-S46^G_gY=!MC|*t&0}Q@Z5|_Iu)$~v zbKPxqjS{i*l-I1TLj=rq8LeZajG>MZG6owA7cg=@EjvucP&QS@{%&;*l`-fWB4IA< zx+wzY`l0eStIHBF@?GT>t1B#G=Te)7B+T`o)fE&l*VW2PR#!m4$T_qhei=hQd@_cW z@0GC^EhM!_^nA!Ut}CrBQ@~t()KhWG*dMJfL&l!6x^xlirDZi4d*13&MXZNDr^p!U zATsuX)#VbgZj|jjL&l!BI!_m|F8bVQGWJKSQ}X`0ls{RWlK0n1%Szr~r}Ag3Q}X_z z^f}S{b48WstWMGU1NN-dDSCgd4qA4b*uD-0?UTH}4%$A+`#X!4mAt>RlxM6?$@^=k z&q>~2JFP?V{@RtN!kzH`61LNI%A?^<IDZ0kceoS2Ujnq2J_XlLfSwF@!t)cLhr*q3 z{1Tvg<*sli{5}DCFx&~ZPk<f>cf#uvpeMqe^%C^Ea3_4egs0Xh*M>Xc@(Ix6;ZAsb z0`v!~Q*!vuRDN%DiVhz+OS#YL6dgWb_gbBz!w2jRt5bCN$XUpY+6jj*q1si-W8qHt zdjfQ^)hW7rq#ZA>PSM>1c3ZfUx_cz{^M$lGhdbfzC1^X58W+x<0NokxtdXFH!<}&T zgs1KZcf!*XAdDRxy#%P1s)wH^Ku`}iPk`<Tcf!jPAPf|oyaZ?^oj~yM1n7})CtSP) z=mc6LJUjtHjd1V;2pxidCqTaqcf!3BAan@cT>`XSIVao+=Pm(SL2E3LAk0s=cEVGb zpYZGi=r`d`ICcVbzr+6*a)qV@PY&D|aQPSbF7&?Wo#JUV?=?fh&(nkdanJ$>EpX5R z2Q6^W0tYSd|EC4o(%W+46i{15zP#dv>6uxHL~;=vnb>E#Ne52f1WlgZoVJX%Y&4j0 z%JtLWOq*>fokm{ZLO8ywS2e9|-BH*4?QqJ`HfOfwv}K{q70%&vKW)y4H4=@dx3hV` z0=<>@t=T%GZAx2ad~!%+inM3{7x9D9=Cl>GWuU#w9Xm_yU0j}?#W}fRSM=x&S<dLU z7<c2p9b?m`!Pe8z_Bs8|5fFD}7ep$y)H|_*EwM`~-^$#uTZ1`0742QpudS<!(zCg( 
z=iydbW78IT=QUE^u(m!@ymNKqx3d^&vtZ}+f$dzBo|PG4Ev8pF5d~{U`+Pfgrmbn4 z-!=v9ZRvkr;E9Y#F=B6;XiVf9-gMj8h~Ftj%p6X_8*S24Cmirw>q$o2)V3qhlahgE z4EPfp8`=AX1|MM$bRwC)wI;VMZkwDyVkvFhm`$1a+~SG%eiJv9#5iL+x^rHAOT)Tv zhmqB8Z~$r5C%U>^p(BH@1TP4@g~-}*{%8ER`98-9{d(V6?^B*Xc*dE}n7uer|FOHv zc+^POU)3+tD|B7^hx(~{f;vaJKv}4$<W8~`sX)8-%`qzLXvK|&RC_XP!Y!6eTqjQ& z=sn+ErbV3FCnGyra9fI9SD%r1TZ&$jqB~D)$7hU||NFHmra6AG&(WN8f2y>jS-859 znK{^N$tYoWv!r7yG&z@s8>q<!t;o?++Ob7!QC94J(bv4-l9|P?)i(*6ata4~!38DQ zRhi9#COZrt3n_sYdM{UzP{P)vb-GsW+m!q|rABpZij9GNH!F6N%)YoivZHZ;iCEOy zim>@e)wbrfV1S4eAx3d$OGC^4xLjy!u4S5Qx#pya*yicjh{p97xlp~{CVyCn3v)Ei zWIr^@(OAnhCN;)A%yr_|vG=|{Gpb{QI8L$6#koS)Ak4O`yx1^)%@u$WY~HRHG-c-w zHn0RGn5K1trrgX}lfP!0P=aY%D`+an8f=?T!q(I_vIC^;(;A#t_Nad1fC^X~5c`eg z1UVtB2*F8=qoZ~{VrIdz(eiadf(E0mtYZzjDZD`jy&+~~Ia{KCzN>j(r`o=i8`ZHI ztxt#miCyBP6SS;jmDsn;jKS`#nJD56VrmCC&8M-e&%^r}#5`vZmu_oB<UNf(wuccn zBM~50zXo*5oJ->C4B^*TR@!l*Fi#PvKS&P%CD@Fw6*T4K4^|UOIL11%V<k4p{_cs# z%>$>824*5`WoH6^#eUc|<5kc|K~_a#_=n@#!~?)~xjMk$&0`(yI7fQ-mc=?IO_>9B z<$oVy9dptvL1<9Fqqd@PO|3&IV^6!9&CNVYXN?^R*|L|g$FhzU;#$cVbd*3Qim-`v zyfBgS3kSP(q6E`)oS+HJD}$WeD8V!>mo&w;im&-%$j;-vJ66z?pPMv8_Tprrgxx0W zd0Y2w-`mGhqdJzM=?U9qY+Ri8`BI@{1v!I#ccKI{c8#DZyKu0+F-q8)&giJdMpEd! 
zIuA|!O;WUq25lGD(f^^rp8s3)231x|l_mLDZIe2xVw=OR;jv5kb8D)~(+@jLo{k4< zb3lTYxs-K;GV_CkreSsLQhsGg(Y%Ev%<h$f-9gwRw{LG#GoSw^St4ixUD+Ttp@iM0 zwj~{l<MwNa+0TimN?JMx%6?!v={J688kp5sw359;?k(oA#qN|>d&~8ua*+%7)E{*J zPWhGcf|{bbmCu#`xPPf`P;1p{+-tv1y<Gji`keYN_xai(T1eBh4DHw2E#7KxnRm7~ z+dIiS#+%}Gdp`I42RHR!@I2vp(DN(L4W6q!7kSS1w0lnSZ1Sw~Ec29miadFqBRvsM zD(>!oWxj8|;r^L>y?dtlSM!hN!{*)QFU+5qmzd|8QS%gYi&<|TXI7Z=%tGAhpJ0wK z1E%8sDD<ZGvi6MjsQYdArS22lnab;Gwz^F_PwUc7b9Zaa+B$88``*yj&|39=ZGPzZ z(Be>uI$Qf`XgcB<4hxM81w(4^<KR2NzXhKSJ{G($cx&+5;AO$@1$%;L1Y3g*h;OJ0 zE(p#FW(AK3jt*KuBk)<^-N0*s=L3%i9thkK_<7*Uz=eU`fn9+efyO{xU@6G7jsiQ- z<iI#YK6w0J`v2?yr~fbhr~JS5-{rpvTnT0BB;^U^25pJ<Blj!r)7>rZO8<}j7yHlg zcOW*R$-l<G+`q_Q>@V=A`^Wo-`~806`_T86?`7XJzDIq(_TA$9sWwslM157gP3=|3 zC>MpU34J$oYUmzqM(8E?pWLPH!x2q!p0CSyny=Zn&bPw1#5dnJ!<XTk=sUz0@@d{r zy#MmP>V3}pd&F1V=Dp5)x%d0tUhkRSZQc#uT0}&=W;|~^ZaiSzVf@^<(zsB$%Ghn} zGIkh^MxC+LI7SQ6nPD7d<QkKWafp@h=wIsp)&HsgMSn{Ft$vq&lm27<V*MPwLqAz> z(%0zA^+kHIUVwR1t2`L`K)Xdx*T?I_b-zxu54E>2o2o-Mv%O#Wk84=+Yrv~1ibBHb zbLK)@bbX+_u086YLG>APfrEZX4k6|20rh@!EPvn+W&wLZ9i#ouK}|A+tm5bw=9OH0 zz&w<TH@QFN;#lo5TSOb~Hd7oisNQO-j%ccB+NX}_Q*Uv9$sf4c{kbi=J|?5dB1im4 z9jE=CiDVRUIz&u$vi2E!RvoQ9Zi}exdiNU+`U%h{nMlTv3jS<F`vZUWr|y>=(W_qL z{;MMf)gQZGaGw1{Jyd&wKYOM78IC?;PUYwo?ms%{r|Nj^DJ~AzI7-Hn#r)ax+&4Q9 zd`8BRB^-U<#EnimSYGwNW~U<t)%VP(BYM=|m=P{!XpVJ=hoqC$4r;28n$x&AP5Xq4 zQ#EHSNKkW`KXp)_M$Bt%(e;@+L3^5u!!@UG#I1g6UgSLMR-ZR(xcHP=66#cDB+s*h z$UzJ2)dJ2e3Tu-+2AfdYBoEsNREP?H;BeDf(U`Ln%n$jq5%a%}sA>`OJx2^`qs`a3 zILds@5lwBl`JyelKGBAm&N3!$ZHW0N=K&QWTgD%1mdQ2(j}|uB2J?XyGTD9?*1YDg zc@?U8qa(UC#k_%u>Mu>!bhr9*_rEwgS^J2KX&Uc^I!XJ0qXF%GCMxe}tZ!~|Bsr0x zuBS+yBN}SD_AVDEYpnAIHqZYs6dL}`L^7GIWFj=wI-;&>8f%%3XWwF|^0f927w^{I zW+F)=E0_okCpe-;CXwSEQAOu}&P41K7jp4=vzm)fne({#kU5EqzcdLKf9_@#tJuKV zxT)yS-}wWRv{$(p(Ei3mH2oDOk|W4+CZdtYIijLGrM=8VayU8G5s7-Z#wGzF;|Xh| zOC71PecweUl4bU@uCLTo&3Og5zJjv9Fq9ldmOA2>>Jb{7Twjt2#Mv8NU#PE{8=MEe zP%m;j69(u+?KzGP*Z$1KRPA{tl0!+ABYv(Pra9Bo^*P$`EJI0zRN5j*QS)>*A5zp@ 
zoz0RIHCtyRl%h`7>-n=I^o?9h)z@<|Mc>55kiMCTB%f^MVkT*JL`yBv7jki)?sx~p zQfKST)RsC+XZE$!nYv>>JTOCNuM10^t}|0xYN5`0VW|Z=d+AwfzRuo?7W(GAnV}(9 zU&JfU){o)hWZf|o9vGpsk+;-T-5D03DLR{;mKxI8{Iy6PX<`~kCfVYMVYOJF!Ns}y zbS}=;9e)V!!z_J1M`!9KT%4g7b8)&pmy3n^QCuw0=WsD!pUuTQeHIsU^_g6ptQT={ zgkH+URGlrHFgjGm(U5*L6G<*%;}*im=Q(Id)$~FpD(~s}TzpzDU?RyOja<wmY!U?3 zBK>d&4XQ`!6S+8B&*tJRJ(G(w^$ae~(5G^7x}MI(Lj6cC7U+|?n6IaCF;8bZK@ekn z1V^*=!?-wEpTflvdKMQ`^=Vv8(Q~*M(sP+evWc_wNDyPprhP!2qYrT&2w>74%Eejw zI4;iA$8vFoKAMZu^-)|b)JJl$Kp(-ye0?|<^Ymd{%+*u5n4=HnVz!>b#mV|1TpXcC zxR|Ps;bMwDo{J%U0uxCVVT(6_zBM?g9~}yDah4w7;!NGo#TmMni_>)v7YlVa7YlUu z682*i>Kx6}H7@4r?A7d7b99BH*}991lXa7eBlI8_Q*|E~Q}i$wL%PL8Oi#i@bZ8wH zGss#;^r>0eS4>pi)xKmRnMT;w=2bJbFC5fMrjj*|7*_vfo*w$4%g4MBj=p5B#7`s{ zebGEN^hgr=Z}ZI12YdPz^@(}Dqt~rIWTv4eu9x2bA8(Fug{}{Eh1P^3!PkQq28#oC z2TlQ1@L~SP{TKSn{3*UKeOLRceNzyje~0%RZ@o9mYkA)FJmWdlGsXO^d4pML=0nNB zzk?PyXn}(kIB0=`7C2~u|EDc5x*e$!0!V_g2;9X@%}CxL@QjUUM}~wzATuy~Hh-Xn z(c>Q1o?%lMPqeA<3ktGr?qY{$zJ+GjK^~qKkf$R-bITN@w@J>KW2dsP)q$5B4EuGf zL3K<ii&wX#wj)bIAaEq=6%IjGwNJGx%|+^fg7ln>>=K&p9v7?X;{5uQ36o}fXhQym z9S)x|h>~%=$;mncdS>a_^$pE5{YEnqb4)6(TAa49J>9Ov7s$y4mwRr3-7}iPg=(R> zE$k}no`H`!vZ}dhM@xOPL(0th!}0(`nl>ZfLHiV2-<Uu?4s|jMvZ|1`2)PT80;d)E z305Hs5LL6fscB<Feflb#>8+7#K|-D_;LmKp*&!7{2HJr88Y9|~c!7=%r=#X=E1NgA zeKIAio`wVuImj1~&p0J*I%zwH&e(Q4SHiSF4pM65XJ_&U8gW;9HNC2x(Qao$sKNut zbdXy>8{M*PEpms@R6)4Z+S-u5x(?}dU=ti?(mW=U+U?{B#R>V1;z<v1ZGz^tLEk9< z@Zs%;)21)P0E6vz8@;(4C$FYiTtF8}!Ir7*cH)DI0PgG{`4UT*(}<)h$eGguUQZ|K z#w0wB)ESLC)8@1vMti<|Vpd)Tu1RM&2{tJ4J?`DvmqKY43LL-It)`@^$O!^eNDMTw z-A;HgOUSigr+5%kEi7suZ;xvLsTQ)4bSIaknE~Pd>PDL92B|#OQ*!V|nBA$AP8<w% zLIMaUKU52{wzSkQZFg9~F;Q}|)3dVkmokR$`f2rSp4%nuObbXvz%yCcU@R35rblDr zHk%L@^9#2RThgrd2(?KnjEHPMS^1O^Jg0pe#f}dkqg8q~ZM-uKG)WKg$uzV^HrDT) zhUtuqP)LBl)3ubhJDCZP=pZjEJuf#_&KW+MJp%a{;(2I}h~T8!J_WY(AMk`8YgtzG zoc1wJEAk7F4=FpRxUs&jnf8F@pQl<H8)!bIvS}4|ZXZ4?D%(fXVy7X$5YlTD6kq`$ zN&@%Y6S%0I<Q8a50v)@PYG*An(A3l2PR#lfZXZRJ4nh78EQ!3_W2>r)+7F@7Htcao 
ztCXL~NN^*?Xy3-j1{jx4f1b+d*!1~Sb9#lH`NU3Dg8gJp`$(!|Yakz4%P^>PAz^!{ zvuU_7E$N(0pVxpXKvQI4f?%pdXj&p%p0lS#OPkU@!k%f{0^pdVnN8@G`5pG=5=$Dw zZp}N1g;s5AXhiZUn)8NUOK(Q14#+cTCL&z3p($-(E;=RS8v?fAddw9lwMP(@JJ;}S z1vD>CW&3cu5vhR!<cva|7u;fi5uC>`R^Wf7b+smJr;QD(kfaJk*EER+O#nr^i|jad z(yTR2P0cOGv=6hDx&yiS`RQ1)d_#{V`*PZ48--{2!0KP$WM@i2st%g3Y*PKYNL6K7 zT7G*fHFep<yew?oS=oF}_rJ9yUeYgW2QeHSXykNB&(6-N*+MVD37v`0X-sLDH=Rys z3WB!XHua(HL#Ph=Zo=v<$dBLUid%VndkTFfpFNY8@JxJ-EpE5yLpzVi%*_FfV&(!n z`%L0Irukx!_oi{1ohD%0<{elh*jf3i!nT1dX^D%$tG(>XbKU7OC%Ip8U*q2FPB%U? z?lZzTFZTq05FCeyfa?NV0vWzjd?h~9`>5x3Pt;T9@tAj*>-2l{-T3Z!j{g+@QTRe| zZ?HD>Q1HpnS)mH8UYnx6t^QPPQnQp#mES1!$_VmTayh9dV^CS*|Lwb%ROd-+3kAjm z0z?c`EGtSch&Z(2v4mE10#b(oONu9Dn6$ZRb2>Pzks-k$rp0!Q3`NZ?Y5abOuhdLC zq5lf<5lfSpUl13YkzY`%g6j#+FcId`Z$tB>B9Zy^^=oM6I9@g|(?oD%zh!eHMK#q6 zN)}a@6&F=kR7MsSEh;K4SqOj^_7<9HMg14fiCGBSV?6f&FX<^a)7JH0GMmP@P-f)4 znwTpyPryjI``3neQahX99!F}AqvXyr(`NLqoJOnK+Tp?BP0)nQ2J3jEjC@v1Nt!*G znUTtp^aSIURV?Dg$nyga2(lp*t*OHvk93COWaFjvfd^zS!IRot6Tx+u2U2qp=U6Dc z-r}Pfp)riSZr5FN%(P?rS5d&D^NRW1UWEBl_V}jeow4$F7MN+X`Y)d!DX&Lru*iJ& z_O|z#SixTvn`u@37sMQPepev6%TCFK_necjtr)q)*2UriU3UyH%0<Np<18vJuBcg5 z-OmbGYHW3_-}f!%>zABorq%S*#iAMv5A(w5D;#c65%y*{E^)_?+legAFw@feS5gqE zrtfS#x@k)+D3#PKG1Hp*FObjbsjOe!gkLe0^=pu0i?)F7gq8I)A7!MJW>&LbfxHQ> zb5F!l4N#TRrV2Y}=0p~kR4y#5t}dAelULJK5m{DNy`Z9|I#M=|Zbb9xRs=kP?Wq6t zQ{yGB#b4j7dw&uuYEFM9KzkA23yyx;oNC(cMRwD8SIOI%X4<p?N+Rg9WNBG(Nu<1@ z_?TFUw~jK?77kDXVV4z)ifbw>VTM?>fT}Ai%3})tJizj&#*HklC@(8s9w}NhFS59@ zqPS#UO(j~-h@PwS%!$t0OT0Ns6VX+1&$*wwqiSe@IkC=ev0RL%ld%({mEetNZ;yM* z7NMrhHo=rnx1U5sUzaCexp&}+O5cEVLBu91y#zib77#ThVZtWt-mY^h%(RXDjYUm* zE_68#GW9MU?f9`r6E)JMh+KFr5gvrX?d$r^0GlHga86tY79g^#A|SuGZc8103dJ|a zvj=!BpnNvnpY0!*vDNQ%Hnxz5V=89S&d7_d2Af+6-G{-nV0VDGch~~vnn<q$RF|0t z--Kobk=~kuA-EpbZr`o0@9ce*ePd4yu$+r&1bM=q87Vo5X6}u@AV^>qbCmkA2;LBh zbF80zuMfj#yJ-EC&J;^mBCRaeOjG>D+M8>p<@Y}q;Swx@n~6lvXn?TQlIrQqIqRp& zJrgOodi-~}yv~pe&}*A#VsFeBuA7TYuu$~tRG{IUC}R&C6s}(k(22dXLAY)jU^m53 
z7h<T{_Ecqmg`q2mr*Gs_mjr{yx>~=niODL$Hev6B@=7hH@A*o+G%9MU@YX2BOJ`9< z{DsIHtq$;00B->JV9TqjOBP0Is!IATtITF~dqj^FW%DC7i>hjhi}AvkUsKNNFT#s@ z;o|DpJ0#mo%k6KIDNfIel$R7$RiguCOUuejN=tZikAur+zg?5Nn~S&H;-X6Sx}P7J zS5sXUe_t&RmD-t-_b@&7%p~KwWnhOdn>u``D^jv(enn-m@RR4*0o-~zA#);Ch_%Ph z;h2{j+ksuTVj-3FZ=Ec>0ECa<_yL43uGCZIc3OtnVbU3r!)z?AY1ED%T$}LDXk~A< z`dC@l?E|ku`_&Q8qK5boy64&N6QnQawYzQ`XxBui@pFyl-!5{zzlHebmG~O{B|ZNi z<9gE-xDEH!yKvk5OkbXNxi{olX+CbYn}zOwyRURFL)8E2`YZYc+V8b_i1|NWwUkE` zot#c`Q1t(iztX5B1cKxaIxGw&oZysbSkRP>+_%h6`??WWIV_|^jfM~vG|Pz!nwaQY z?ajA~)fCSUx2M!`P#32raO#PN4YnN>4aOr|;$eejixw}%*G;)|2Q0EBKfR1**RJKC zw~^~AmOe3G2yUU>iKWiA2c;w$z@Wt05C%<Rz&Q+}eqnHPvIiSQj1o?~(5R>nfwmi+ z!5xznXq%bAlP1yxo=D=>PyVWjSq1c){KTxnJ;&N+W=ty@q`uOqSL$d|2-99dtdK6* z>8Kv{U=}m3q9YP#F@D0}=g=O0q6~5xQ+<1w$Md6Rd>&WDBD9=&oc({rJQfqr&=Z>4 zrS;9LYOC?f9t(K$I=02Qg~7=ibgD~~a0X{&)WG2MM}|VbcE;(hVj1T5Llh#_jNEGt z+v`^E#Q*2H>yttf%c45EnGmy&D0O+1_A&`GQN-z}C#s>N{qb3VWCy0jM=6#F*PfyO zQ<$Zsv7e5qV#hKDO}YR&8z*$QEUHMl22CoFnZa2lqC}imICdJ`t1B;?g&{}r6C@$K zY<^BG1UI&(_srLW686BAb(|shFKManZ4zWKwwE?v$LW{^j8rN;aVuKd(A>HW-}o2T zwK|8>|NAUpDr>pQq-oHW-f<e5v(9-1R3tX1+CC0jY~L<8x^8=&lb}7}Q~Z8dhISoj z9d0nx#_QM<fk0`;sluohW({^IP{LV`%R5eq@5MV~d$FB%IeC>IFrQ-ZR0If6w$m=- z7!)iztJWYXUjrPGx{dWscu(7%EA2R0FjMxRw`Y`Knsy4BGV=#(aFlQiKE30lxWQ+{ z4PH)D_9iXP17+~c%yb-r;|qzCkTd4L6$<{FeNN7f$(bE?2zJQM8LZod5{@0}I=08` z(C&%b!Or)cwA~#jJM2roZ^y^2wVi@0`#7Ywn%-uiU+ZIDkKM_$N;<ZolPB04OV`L) zCml~Gb4G+B>CS&;vHvQzCqfbv!T~eDp1gT6KO^$+HX{2k<(8peE}g`+AX{v}SsHVQ zW<>Z~<y&d5n5vY11^#v$JJ2c<?K-bwp>u6)V7t=a|6y~eD|BgScJMF3Q-h-dzX~k( zf9$`&_eY=GJJ)lb`4{t4JaF*upal+E;GhK#THv4s4qD*<YYWux3d6S?$-Y|_RV}Sr znmILhY7))Zx`x*E+g44*RmW-e$IWT<(P^t1n^sNRo-;LLYSuLTFK#GL%Qy+Ysg`D@ zCtj?ax@pbIUHJH&I?Aah;M9{nHT!?6C@T{cWvAnsEGlTr+J*1hIIzRtm^O(3{_CDI za=&x+H<Hr;ho5an?h2sQ>~m^ztM_~m{!KSGyRB%KAI)W-xuxcU8y;7eDvK6XEi7}c z;?Up!&SjyZ^0I2@zDwDn>XOn*{8!SqsBgmNw2f^GcHvun+74%?$jsijo|6}`e~E2s zaDqH=lOy(3o8GA6NdrLZ>jZAJd|O?~%xgPpmlu6uEUnUj;Bsssn%+FP8=T+hq@qn+ 
zxeF%>{cH_Mzg`Ei2MJrl%3buNK;C<@rY3!T+4l<E{Z{b5?4nW+@Lj*39wePb?t2gP zek({iCffH3@WDQ*2RT#s;~=a3R<Iw(K<TG~%>CH|(r*R(ZIJ0TqA})oU7=rx&J4Z> zF1#NFPYLD+-U~bzxF|5ie~-VxKgsu;??m4eU#j;b@4enmZ>4vt=f9o{!RI&Ld>us( z{vEWyK?@wTz(ETfw7@|N9JIjyXn`udZTKh!nFTjaqoM6Aj&kcZ`*vGoQY@UAUFJxm zm;CFtH#Mw5Fy#iEBH2MMPJDBIc2;^pel|&+p*28d!={GTX*9?m0sAM{M?jR_d;|i2 zox7dTB1B2%=j5d$EZ^0aqaDx6Mp|ew`g3pdwoR*WcLu)#w{2-`LX0~?ED`P5l9QL6 zUXYdH`syfc+bCqhMuidD@|}?e=kjN1bKREpOUkFw7~e=^-A*V$ST$m5ZR&t|O;uTW z1?d?D1ue(vZAWkoo0`@%#Ny*nCu=c{nZ+$oJBGGp3$CQnXBrU$8|&g4Jc^^LmT9!B zExB1a>3JF1wbNk?*0y-x>(*>)*gP#BYAPBdGdBz2;kn08&}Q(W_RTIkz?@MU<l4qA zXmad@SY|t{ziA!qal`5eI)MmD#C9S52UrYNBLzs~&J0987i4CT#Rb}G7#W2UVzTYP zZiIzJ(6WY2xVeG*QSA43OKwg^dTw4GY0J~<(4wzZkY3nj<(7@n(nl%wWy8pJ7E9l> zIRjs*vNH-?=M2-v(SK#L$%*>TAtW0!fjB`3_T+H_)u^>;K!B486OG<nzoV`(6QR&K zIR&Te(A&^Jp%6F}>YC{=t)fg6D2!lXWTuRVXJNGH)IxV#nvfUB=0%tiu_qq=C(J3z z9ucWqi#zg>rY)^VZb<{EThNNB83>op&dT3Vp|^$52gJ$SbP4fb`$kH+9%-ag6LWtZ zt~S8JxO#{ltZl$Njz#5zabsgk9wOcg^736>M`<lkw{9~IKIs=e#CO-9gh8}do1=1V zbJL~>;>nx0*%8<*N<1IY+hCG#eNe5pjf`mk%L0smikb22?d7u>G4imfs0V8mkvnlt zgUb2y(sJ-aI5#uf_0cB1?U+3%jcJX=)eofIVTrJxw`0)}Q4VgBb&<;X2p-SLO3%p6 zbA8gNx0UUe+Gtw4#^lP%X=T~@SpRvhk7sLJF>jo4*@*=MmI^zt)ZRJh9@MgJ6`i1T zI?x@EaU*19p?pqm!$@u7C}lxw>lV(z;jncSk`v}>r{G@(7dgI-&O?MdvAA>BkBhaP zgH|HyAm@(P@}UD4Af4@iMximj5O4^jXXoU*?jEikI!Y<shUp2Smim?gtor=ieAitw zw2h+(3*)H=(MQw9ZCj`oP*SuwbS?>uB$(P@f!K-rA?bNJ898l!eU~qxG&Yx3+zkZr zN=pm4AJ!x*aCWN*Zerjr(3D6E-XE=W+iq}zC*yPqYaB8IY{DR6z@RkO)AdSMxLnE9 zyezz$vUBrhYfb2(6Nrg-O9Yz-I+DO7!<M<Y%OF1qh!!%)N%nhYzRh&AZF7T7+yFim zP%bn(j23uX(ybqDXl~lJZav*_9A1-*yi738<ZY$r|Gy#~uF%_|=RyyJZVX)l9>CVn ziJ|gP0od}b;FrO-g3kpX4E`c`X|OMNQm{T)8JrWG5*!)S1OEy9CGbe#mx0T{hQBjV zA6OEY6-Wb{2=Tw;|Fi!=|4sfM`n&zx{B{0?{zCsmzvcVF_Xara@AF;nyU5q!+v+>P zSLVz09qJ2!q5d`Rlis_%KlOgk+veSb7=#jUCh`h+JRf*o@%-L%hv#a~xt`NJ4W1fL zktf|V(xaRI!QF&M%wL+9o4d`O$QH1~L==aaY7+N5?mxR9bl>Fup}X6?&0XhS=q_|m zbX&$3#v8^n;5WG5xX9=*wi+iGW#F_w)ClOG=&$Kd>UZlu)xW2=>6^e{U!rH~V|0)9 
zf%b~_d+iSGYVBO@G_66a(TcQmZKS5F|55*<KBE2-Ecd(Booc<hM4hFksi`Va-ckOn zJgD5H{7~suwkdVUk65ToR4noZd4oJd?jzTei(qvAXZ7T1;}ke3n>S(yu5KbANVR%$ zMJ%X>tezYhOR;*gWo)+9lO<y#te#96n`QN6$k<G)XPS(qT0K)`Y=+g7E@RWJo+&am z+3Gn`#tN;T$ud@8^`yyIzST2H#`3J5BV;Vs>N#A-imaZAGIo^JbC`_5&J#o|K<zwU z#$e||Wej$X$QbNAPR3y8u`&ibkC8Fhd9;kd&ZA@uc0NSLVCRuC20M?CG1z&yjKR+E zcoOGdK!u%CWej#6Dq}fT&kz}#WA&uS80>6`n4j7?EMu^9NXB62pp3!J0U3jx{W1nS z`(zAu_R1LS?2$3p*_1KZ*)3zRvms-!vo2$>vnFG(vnpe-vm#@#Gm$XmJ*&qhVc0ji z&k!-t(puf8OPKPm)qR?Xft}XsK2^j#YKGN)iija?h1GqsjHOxKJ7sK|)qRqTO|`mr zh?tw|+b(0!w@t<-S>3HN7O=WoBush7>TVV>gVwQC#!$x=8B4din<R|t+bm+>q_?^^ zNtp7q)!is#cU#>XWeoZ@h}h+{eGM{(_N|w(DOUG789UPIUMpb)wyGB~u+>}LYh(;{ ztd=p9T_s}ytGiCZs9jDJF_73>-L)bHvU;m~rGQbYdaL^c38Q6Kh!_~_t?uImjDQl~ z>OM}uz*Y}^%Vli1)qSjtO|-g~i5MvBt?s2Vc9_*&BVwPa&{r*E6Rhqk5&M)rS1DuT zt?nfvhU_j@_hK14)atGfv5)C<i)1WfbuSb#B$=_g%SG%%b*$BWjEs%3x{nqy<kqpe z%S7ybTJHiG8)bEuir9Z?f9K1X*Xk}2vG>$NtnPU-hPhEJV(+LUtnRrIrrc+B7fBec z_b3?~W_8aIvA2~ktnS$oM#p@XjG@glMeIJjqq=9vSc=s>UB<8<6v~)obr(n&T{HP2 z_7<%}^#5FMsi;Hr|A3(m(f<QB)an-fKVU<wZqfg9y-Dj3{Xbx+L-hZEp$^gi1BQNx z{-5g&`kd(hx!$1rpXmSLIg}OsKi8|YEu#MiENpd){-5h_^f}T00~WNpMgI>N_9oH) zbG@QGXmyMJpX(LXV|9!EAD+9`>K6S!V85}tMgI@j{Z_Z=|G8eKb%_3->t$Mp=>Oq4 z)FJwRcn)nA{Xf@BRG;Yoxn83BME?)ZL7(XV;W@w6E&6}1zfygo|L6KE)hGIYcn<nR z{}0$x;cobUB>tPEg+g%u5};<~j&L`;zXWKja$mR`&Yu9?8}5ehCqVC6-ID8fnd%F7 z!}UveYztKe&rg7$431wSq<X{M@cR;=Cgs6!H{8BNNcDuf;q@g#%C+HcIDLtbYKFVv z^9hjK>K0u-*9)p)b&D>a>jgUfMVHU@Jbg}d`CQM_=OmZ!Qsru^TXOj>Rj#tSC716~ z<p!%;a``TGeQb3}F5iz(N0;RC{YX`;F3IKlk?SM+`~Oha>8?;sC=e_S+#fi}e-pU; zZt?!Zd#UGfPpA27bDNp&e$9Qcdx_g^+-)3d1oe&DU$qMS{>@X~R<0n=k+aD>sMv?U zwz<(P+;5m@U%T3Mj2Om}nRFND+X(%@Wx~X)igUqqi`do*M1rlwR~{#JDViz7E@cin zNhnG%O&Ox5?4-*!dy9nRG1>E@)8dwmheA6+KuKB;lw}8sQxQ{DA{q=I>70PEn#%H8 zu$6((b#*JV$yC86c^OIfgZ5$*lwg|D1x<ySN!Muhq6sBzO>M_Sr^Ky$f;exJQ*$3E z>w@!jV8R5^#CA*>B0=$q9j6Ahi#ZiAGt7~KVY0FZYZ#Pp4C9MV9w7eKIc<qkJM4$} z)}+om0k#Rm7M^I@05RbU@wqorgb%IjHd8+7{m>e!u{N$TIT(0cbW(iM=+dM~ihKVy 
zCQWJd2w@`R4LS-FCG3f?DtfrrH7(oT*z1$1FN$ysnU#T4oY*1Tp6M+jl;0w`OlfqY z(A=DiBrEP^L8Am)0f$MNk^*M;s);4~j!qCX6=o&fHr$IQlwfTdFKEh54&vR5CX}!> zl|&DPrZ_iBVL{UE<UNP#7Zxx*5kb$OW0hH`a%ps&(6hWj=jTQVyG3pDqGRK0szO{- znMs!aHr7<87&{8?DV(yeNn)=VBU*N_Bb4uqP+NI)ble`bF?%>Us*_%v2h1J==BSPb zsLr!r@gSI`G0t$OTIw2W=i?FuEJOLL>)DJOCD>)qi;1nJwzB9Ual0&!*~QL%o{?ni z17(+ibDw7vIHUtL_I;AtrnR*-n{mVlCkTPYwpproZmD;2c9%v+3d<)qH)*2pZDYuF zwwShQ(Ghq*vQU8~iTo5boB7$i%^qtHmUE_v<Hj90K5p3$ugru>VoqO6EnObGlH|8& zaddcmBo|5}nY3$v3nS?;9n{80av{#nS2r|mYq1BCkKr(33=1=pCgEPj5G9-~kVI24 zhBKVdl?jPsNasz&X~%vTEPEERUL`qNbE8A!qZ0oi=ltAAnw|%2R0bfQ5Vv4Th2pRa z)Ryo|ENr(KBJ4JWgLQ)onHPLSGzCLa=L|_%;*d~Ux507m#$s>2KG7Smpti&&_XPtJ zC-+TSPJvK|YqV>rEA+SESHa4_&4Ee&bA506%Dh*2-JbR43+B0InY-0J#aM5QMNW4^ zD^gEYv&gT>HZcEPhJyY6l|~l{vm5DF2I+C2ggqps(S?$xq$R$Wb&|!Lpf-239D`Ei z3`$z!pp-N>BW1$^>^rz-vTi>t6<c8~SD0k<(&#Zlr*aCDXi4_cDU`6yv#Tk3G}fKd zsg5|=31jXPctDa2cc50`9)FhZjmPg>Ci)O*YK{f7(|XBOD~*;3gO`_+^qp!igNG8% z&RrB;5Z^S*Vy`lL@G`$SXKfE(5%B#c@#|MHZWc-AXe)}A4%mr|Bod!*WzOXZohYAI zv{>pyNpwEOG~ox*V7Dvw{SNMTN!%E5_xl^B-Wlktn>d(XgB_+cI!~DE1=)i&3`#h2 z{itYh+%hu7XwrN3TbU-g!ZfK`l1wo=SC}OQNjvIZ7Jh;AbG&Uyv?y+i265ddf8G36 zY#~mSuR+jM5<N;VPX1txlh41O%n_zsW`5EhvKK3(gfrzl(b;(6_eTghx4v$3WWRoj zq#6@>Ym*%0QPEjwOpW7x%u4h=Fwwww&O;aCzS@59LxefJCpWNdcyuP3x5Q~)VPf-^ z*zpUoPsjU@L(^7F*$JI*(oAuZv(z>rIs;8}sLt9-5}Q_0MX9{$=ad8k&Z}RG%hDjp zrvCE(MDkftRh#s+rk1HsZswTibTo6BW5GFz&7?1!ga+={5f)!&dmQ2k(ZT`j*zfGa zrF;5AX+PL8rarNGpj4#llkGSpT7YIQbnKX$Xvdfy&@J#EGzY4APQ3{y3GQe<n$_R0 zhXvIO%fW`f|45E)g)zRrWDAXo=AkM5Z6$c6BZVH#6N(&#``1cPU2ChZh3dqCOtMs3 zG#AZV?F`^Ci34b}`+<ZX3G`y@e*3qT{qYCxv9U@t2e0A@PGjR=lZqBEE=iv!|7P8% zH*sEi(UvXso7Xg)G;LmbiG4X={`!mG&?of!J9>YBqoUcd7jtUG;^N}i;qQb+(~7)q z-8Gcl?{d!s$Nw(lXk(22C;bO{xgOFU)plvq)OXdWdW@<oH!CM95pw_j{J;ItyMsDt zay`ADBrb~=re|eE7PBBS#EY?DqJ}zT2*&G(28%fPFPDH8nMU8l6UXt1Pfi^mEfQ6Z zyf~{@H_;5D_-2B5HKZz~>1`3%7bCwRr&OA0TL)-d1})K2kLW(98BoD#bU+!7xWP?{ zt&BD4<N<O?(IzDpi0{Z;8*<dqz?k(7TOyTBjj`NvWM_$)wygg~X433!HjO#{ztg6H 
zw45|Rt`oE?vmi-JVrD+FqXA<$W`Gvt)0&Yn*fulGB!!sIM(pr4I3~e~vlF$KIGjlG z#y<eEw0`mN*p3`BcA66@K?!XnD2~=QQ=h2_pZ5`wg!6IM=a}uc4LqEg39mrvka4q> zBJgO7b8vvO@ut;I7NmHKT9IV)_yM|}6JZ}8rcm}J#87Qs=i~!h*o2@hJMDI?X)Oa} z;G;duj?aa}rY%FJU#x=F@tM#(KpH5jgifv&M4~lwGs(u;x{&3}?8mm5k%f#oiZ);_ z&wLCOb~-XRm3D+!JgF4ff=ofh1K0(5CRr4-vvQc4m@S&-n`z4jD7)t+B23H8Q_Qr9 z{i!LRZfBOH<H756{bYc|JB!OfI8{tz@DO8{yu-MDJka=;(~L+ZNU6tJ!f1A)BAOwu zvUovRbxCn`VuC!^)dMZRa%4xMx%o;KS4S%5M=FrR&`AUsYx-60c31vByhsMJayd34 zmbWVA6(-I*YUJ1gaNUU1L8t9Q?FWk-w7@|N9JIhe3mmk-K?@wTz`j`k{C{MW`hqL; zLFmoUOQEMjkA&_C-5k0m^uy41L!F^hLt8^@L&t{}he|@zL({+rFftSjslktf?*#uA zd^Y%4@V?-!+J@k@!OMc*3-$!h2(|_rf-8en!3Dut!K~mB!O=l0XaqhByc>8e@O<F$ zzypChwA#Q8fvdnTcy^#Ya8h7XU{zpQpgd3%$O{}9h=4!9>;KCCzW)vXU;TgdKkUET z{|o<5{FnI8^+)}u__z4${m1z$v@<og`nrD}cm<~VC-_JB1AfK#k?(EaE51MZe&@T_ z_e<Z;e3$yp_jUVD_qF)eYboFwsPvWkX8JOHhx<nP!am*msW!>`Z|~o|fA;>t`y21= z-s^Ge;R0_T_y@LoH+oO>)_9Nh&hh4W)4XH7L%gQv3(tF=e|TQ>Jn4DJbEoG<^>c6% z{J`@a&sm<Gp3R=so?|@=J##(zo+;{oJcoLQd3+w1`GNVS`I7lGcna<@Z#J(ne`tQ! 
z>_kR|t>#+ucyqB?Voo=wnTMGp&7i5eKL&Hb-`vl-A9LU5zSVuL`!e_U+&%6ya08>k zz0zIfUf`bP&T=2&9__Z=hVhy4uJM}jg7Jj$pz$l?2IDH@2gY}dvy7d_W@ELn+*o83 z8wEzXG2R$%_zj|esK2GZtUseas{dNQ1xyD&($CYo^wacaeVx8SU!u>~XXqLFMEwvw zq-)wI+P}0{wdb_oYxirnY1e6&YumJHtxTJ(Wou*97qstdz56!j4wm{xEa24?MIlqQ zBRw8ROw}fP+>SU_OY`WCI0mA|A2{6n+!2Rq6U|Q@ajJHh`LQF8(8ik|aCD6MPc9x} zzRJa+=5t(3F`snAp_*kr?ubLQkog#YAZY&95mPm<d9Nd8kYmZ^OmuypT*03;%-gxB zo4@3uX8wYS>SyM~T>RMlE*C#Czr)3M&2}!nW1h;zH_Yu^eAQgb#h1-GF8;+lo{N7n zkLKdz=5#Lp-pu3TZ_OjQ_@H?h7w<C<;o=>pkBhgPCKqor*;q_fZ*afM(d*p*;NrFJ zzjN^_H@B~PxtrN{s`^9s@Av~3xbNiR`R-e}xW<UJVYM-mql=6YOjMpVhBJ{YBbPD} z18|umPEk)Z0$f~a1i4slgqWz@Zupr<mXHfPnnDyZWj(pj0gqH`4K@#tR96~aj+PtD zB1b|2v&fNTG5MaO;K=pl`_7}2QOe-r2?n#+WVPI2b9yoqu!%gGRFLx=1(Vm4^PN&@ z>OagDE?(?@n2X2hA8|27XLCMH4e6h8G^l^fMNR*NiKLvI&BbHLZbv*qU9Nw~MVHQ& z$`Ryf(&wOuD;MeSGm(^$UPqir77$QU(B*oV@{!JFz+t46AY_rE6Vzq;TU^Z3|HZ{z z{T(ij(ErUu<vsmPF219`!NvRZx0y)hlPD8iPmxYX9Ir0b*&-gV=ILzejaPH^*ZBjJ zbT$jet0Q!__Qxyt>94T|ND1k1#6#5u`d_)2r@z9*T>WJ(j?n+c#bNqim<VMrF_Fw8 zXE|a-t<l+>kEqr9vmDLSU*KY{{yY~)=r1x6%KpqmQcT#|AE#F7PdVr~bn_W5=IT## zafJRSCPKp>nMmf6U5+?b{mQ(CiyxY7<j1Nnn9Df&3pblPW7VIzSvSY3mHO}b1B-RG z2aZJ>p5SP%&Nj)hurFKMW6_2`um?yHX>-IeXv0sq_@T)r7hcNdQjY$@&8G4gw1Ex4 z7<GyMTmHae{UI*q>5p<TSAT?yBXqW>j6oaNY8gY0B4;`ej7HNR;9{=+8!nE}ALQat z{XQ-Z(b@h!8p`fxD49dfaKusSDkGJPb;eLGt}uo%kyMe39q|x6o5IC9!{Xu!V+a$m znT451D#=Am#AfybM;u9JlhYk>g!+oPnu|}HrCj`;`*toa)bHS8xqc@Tm0#(<Vj`JE zPIJWJYPo(J7mv|zWg?kLPI1Ix>a%7!7mwC|%*8VOYA(*!Z|34G{U$EX)NkbC4E^U^ zoUUKb#X|jBE*9uN<6^%4Q!eJ|Y|;+Hl4f&fn3}C$#UGfgU&qA}I(w@QQ&aUDIGUp0 z!o`rz-oV4i3~~}fNhaCph^gu)=J&YxzR5PRRQ2B`o4={*zf3mrsp?B+Er0e!b2%5E zGZ%63Zj%jcs(QVfZEdOQPu*-UNmZ|OvlW}FUg2izI8{B*&Dxu)7VGD8WpnlOxHwzC zoQt#cOSw2x{}C5w=$CMDy3S@_s#>VC8I`IQ=oj(_^7RY2n5TcAi@AEt4wH2@`%<yG zFXIoS>ObUSihczbL;96WR4&$;FOy29lkLtsE%gwx!}<52>K7&(!J+B{=6H_Y<o<+< zv-R(AahA?@tD)*looyOJ)fsvZe_*=K#%d^f*~!rYoxLuGs`)zG;fG@Nv;BD}CKTIU zhhjpp?O~`oS?}T+#_GGcI7Vl4U?|LRHb+x+_9`5zrs(HzG^C%)L{dmvxtK||IpPrY 
zesdfb7wB8KI9q4yafmugXDe?AdVDf}V1~}->=1Rj&MY|uJ&x%u&{=Im(Bl?fEKhId zVy?cGi<9;3TpXb@w{i&94O<IC&>^<h41rU@X8jQ5b-jrdBL#$2k)r<7WEH2Vm$=zZ zoT8TMY=xw#^YxWZu@rT--pIvS`UWn})El@sLtn?m>H1nO7V2xbSfH<_@&9*_zJd7v z!okmj{|r7Iyf=7V@WS9(!7afR_+_6Hj0F9Gj{|=XJQ27na82O+z?p%@z_EdOfsDZD zfQjGkFZ&<!-|oN4e~$lD|9XG5|0w?y{6^P&@A_W!J?y*1cbTuxcam?7Z!vz4Px2vj z#QV1QIqw7B8@-o!yS%OV?OpCI@E+z3dp`I4)AO|FUe9&NIB=F{i)V#rfhWfk@%YV; z&A*#Zn0Mhf_4($RW}|tmInT^6N1LYmefP`w1%12wD)%|=Q{C&`)$XI*Q`{rm8h$Uo zXgqA(Vq9kQ87CQQjK#)GW0En{aOrRB&*=~7H|m$*7jdh8B5ptw=!fZH?Q`v)+SA&- z`2BmKc9yn9TcIt`a<qu%S3g$&u0EmOrCy_+ub!zks>iDH)C_gBYAWw5FDs8Jw<}jE z=P0Kt>y>KdC}oN=Lea>(<VEr@xrJN?lPCRIy%P1*1W@7hO4L&mK+V=GQBO@!bFJP+ zfmVi00A)_EL_GyJ((2tHKlh&1D^X8P08LG=L_Gzc&+3(^r{E}By%O~lJVvWmqMm}2 zX!T0eQ{&Z1R<A@o1s~Mvm8ho<rS(eGQ-{)eCF-d|X}uEl)S<NAm12M4np(Xl$k;He zSEQaI5n8WAJr$w#iqunh4)u!EQzSy`6{)B2T#eN$QcnS^wt7YCDKd`MD^gDZL%kyP z6fo2)Qcsa_v|f>V3eQzpy(0A#fq!ZBiquoUP=`o81q^kF)Kdfwsnsh|PvN;rtG8UV z=~#8K)hkj@kukL1qs8aO(0WDcDLjXIMd~R6C)DZ{si*MV6029Fo&tt?Md~Rsn${~) zPXR-{BJ~t7)GJa?5%{ZCuSh+G=Z0FnBJ~uoAy%(QJw>ii%dOtoVt=ntE3DpGGPcO- z6{)Al6=b&6D^gF95mcW@Jw-++zp{Eo>M1<8(CU?_r+%PZVD*aBQw091)hkj@0XxR( z6{)AlFi<h|iquoUQmkH)dI}iYEK*MagY8A?DPXg#UXgkV*i5Teq@DtnYW0fLQ^00e zy(0A#u<2Is6w#)`KzG+GQcvNzLaTSO{9J+6D^gG4xqPcvq@DtX`65zJ0mFO|si%M) zZS{)OQ^3lsUXgkVShm$GQcsaoYG;vp3K;AxQcnScoki*?V6d}DJp~MQ9xL`YmD+iX zjKR(#^%Tm&&LZ^`FxXk7o&p9ti_}xVU}uqf3K;AxQcnScoki*?V6Zc&rxNK%Q>mT7 zJtbnrRxik>L~O3r3-&1iQ!ci8K|hs<4W)LL_^04_TD{<(5}$*eK|m#9urnB_L=1NJ z%NXno4l40E*x4&%urpYw#OGjV&`^mO>@4z75qRlVugF6M40aZIsDQ!FA`cZX*jeJC zf+uhFN<36UK_S>H@lXv_$5_1*4;5U0t4HFYg2QX|oG$hQ{;<_^nv8+s^;8)H#p@|D z28!2{WegOrJ7o+MuP4bEC|-BS7${!1%NQtLx5*eNURz}h6t68Z28!2a83V=ZRv81u z>lPVXVD(7;AATiRJ(B;ILTxJfe<{?alK+R_2Ud^d|D|A$=#l)t6zmZ_lK+>2J)%eQ z|5C6Q_elO<3igN|$^T2i9?>KDe<|1_dL;iZ1#`DY^8ZpWcY7rNF9mbANAmwtFn4<- z|1Sk|w@32-@XN{Sk^DdWgtB@h|1X8kUCIBmsGTMM&!Tpg{6CA@S@QoZYG=v+v#6aV z|Iea!mi#}9+FA1dENW-T|Ffu_CI8Q&c9#4<i`rT8|14@}$^WycohARzqIQ=2Ka1K~ 
z^8YNg#Ojg!KTDlw^+^7oMeQv4e_?88$^Q#eJ4^mwnA%zL|H9PHlK&T`c9#6VFtxMf z|AncYCI2r>?JW6!VQOc|{|i$)Oa5P&+FA1d!qm=^{}-lqmi)gkwX@{^g{hq-|1Yc- zTRoEh7gpz5J(B+y0zGGs=>L%rI01Vk|1YGx7tq^XV_m%t|6c)E{HOU}^N;d9>9f4^ zJuRLzFznZv!`+o`)40cIB@No0>J4hW@)P9*y-)uc8RvQih4;^2X|z#@{L39QO%Y1i zk$<Jpje@4EK@&Nk1k<!Z(lpqx#;igX^tmOvDi-wFenc$jljg%s&-lg|GLSd|cgWW^ ztlQ=!udvBh=GB9BW+$aVtBv2#tz~zwr=bWHYZ1l*9uxb<aV@T}w$cCs1jr>QvrRSu z>0r_kpVd&mqcplsuwH)tU`b9;!inXa9$g!=-mV!j>pA>A+59Rm=gQcpK%JcQW%a9s zUh><!F;nb;zsI48L|l1m{kmpEQ_!%j)f+k4OTA!+%*?^^J)nebhh1iLjo&q~&51+X zC9qhOH?2da9D%;VF2jwo`s)#h^rJ>L@8C2g1+eW~gOb#M`)hT4PQ<yt9ImTxY))hh z$aN($hthxu@bRpxuPtdo`X758+2f<X@AB9?=&0y=OcRHNz>d_4tri-oRT^y&CQ(*0 zz1dy@qfx@H5S5*|f41y>(^49(6MBNoVM#M=&wO+!VfUmodZM5yCp(EXV=p#A38tx5 z(3G1K3zLgY*S)kUC&$(VLX4I1X&GnrD5<Pm@J(*?4xtz}gj#IWwIU-8-_!ZO!u+c@ zQXV!$qcC%vAebX7bFjn@C}C^b8C`*BP=^SzZB$}3=z-s8%A&`k7pZn|=ceLiC7Bt6 zrck6sm_?2gERvT@(6X1Qh7!&MsfaF*Pmuc9yUg(flGqLo)Vpk7JOPJDrPd~sU09Dq ziff$d(pDNhHr}P0c$dl-Ri|epz3dKDmj>cJiE|D)@xc{#PB}2nIZ5hjtJc>wV<|YJ zGc&p@-jz90SH7{g%0OKa-zhXwT%ximjV=}DDH0J5a&tuq#}f0SHE~PCDWn~GqNM%c zKn?1i*rec(F)!8L<jNL;*{5n@wM_3*8m$&>l9Mzg_p){~a~%JxG+HHU${p<Qfy`X? 
zdtgSiGH%^j(mead2yq6QXCfC)F+%=h><iB1SQ1?lZ@$D~lgwrKtxOK_4Oms*43<%c zWW2f_i81S1WiG3d=wgg+0u9t)eSkvd0vr*oh#Mz0HnwGp=2xUom>{pm17;k`uN({W zt}O+Z8ItI3UN^0>q-fs45_=r!`Tt$ytZ(xC{}JD<zAJs__)ha}@GbMr!+rd*KA-nv z<o|oh`)luY-V42FdAE31co*R2eZ=eceC+wV=LyeUo@+ekd(QMU;+Fk9Plji-$76nI zzKR<Fcbh*mFEG!-jrx`5F=l}|(M)lF<$fC(03UMS?7r09>)zpB?XGaoz`gk)##hE$ z#<Rw6a9jRjqtj?HYK>!zd}D%v`=0tg^grTe{I&W8db{4FAFr3{+4?x$r+tKb@Q-VE zYCqA=)6UQ~YRj}@ZJIU;5eWZPUs8Xk-lkruen&k;U8h#5bJQc%;i{_qTX{kGt#XTU zxpKC03hn^ZD07u*%4o$yJ|wS_C&=C8XXFAH9)IE8IHyWTIZ>vr5AVh?RRXj?JtMpu zr&I!TdU!VusS+XOlJIVvQ6)g7v>=YC1PBFjLX`;7f;gZ`faWV#hj-(ADiKmo3-8A9 zlmMZrIGsv>N@$HZoDv|^h_k5#Xdcytqp1X_nAV7sDFM1Fyc-8o0(3)oH_oLJpt<U) z)^6!oYK3~TwOcxtTA@y`c1y=n$E!Q6-O{ntaq217Zs}NRIn^f}OD(7Rq+_XT)ScFD z=~(I-^(1SzbS!lZxzpM$9ZM~vZIO<pmLi47Zs}NRDL&=xmX4*Csx8)T=~!y1y4~6> z9ZMaJ6e7E&W2qWihjc7eL+g-^rD|v$(y>$xtwTDNs;2s+W2tJYPdb*Wruw8~scNcE zI+m(JdX(MLu~Ze(qwJQBrK+et=~${txz6g7j-@K0uTMIbs)W8i=~$`~`ue0}sY<F( zI+j{O^-0H4OQ=5SSZay7&FYhmr54k&(y`QHT2?xiTCBEOebTYiV&&&npL8r$LG?+; zQWaF6bSzat`z9SrRnWdk$5M-^KIvF$5!ELhOD&>hrDLf@>UyhBI+pqg)h8WG{e<e1 zj-`G=+b11M{e;#b9ZUU$zy{K>R5`6fI+iM@bx6lj<+KjzSgKsP((03rrOIhPq+_WC z^f~ERY5{#tI+iL`9<lnQW2sW*A*)Y1mYT0NTYb{8R0+kTW2rgHh2cINOC@Z7e&zgd zA5NtN=)7<r4y6(yb!)f}XHo*RCESN2sYFP*F5HI`sRYPJ)#E@)fS?}dQHc;$kK-r- zf_j`rB|=m^4x<tvuUZ@K!&y`U<WV<<`*0MM0GZ0U;Xa&1B|vW4E*wM&5ZZ-vs6>di z3&&6bgm&Q+DiNaUaR`+N(ZQ6?pk}L0R-beRHCs8?>XXi(W~rO4KIsf<ChigSNoP<q zm3yr|=?rS7y2<L3&Y)(hjaHv@1~miez51jxs2ND_)hC@n%|LpuKIsf<2GXtdNoP>g zmGiAW=?rSRa-P*Eok2~f{guw3rsIx9pL7OQNcBl)P=!>VbOu$ZZnXOH#Ix`Mb%WKH zD`NS|_2Ir8VTc-$f2=QCfHtZP;l3;Z+CZPm6rcumQMfNdg4T!orU}q!wJzK@Re(mR zE5d#060|DZH${Thh5JO8Zj|zDxKDKH4xze4m+lZ11x1%`Bz;PB=|<A0M3-&^eM)rc zMkse!eQ@a#?~r7xYpg!_bONS4YxTjYOT;qO6;>a-IuToI^}($Zv3jcyew~0(eQ@j& zu?(sYo}Gw6A6z>TgFg6n0!H;o&fQen56QWks;;*BB<F6by2$F2oV%%1pXA(OSgk(E zxkE&X)h9W3qtrU9Pjc=sj8>oI+#y26>XV$iLugsaxjTfmMRM+@;7(qj<lIeBS6Y3N zbBBODt50(7rYN^teUfu`B-JN5cL>0<`XuKL@p)FC<lG@7&+3z$I|STWeUfvB&^)V8 
za_%OpCs=)wbB72$t50(7uBP^roV%;3T_or3YJ#zpoV%+~wpViQu2PS;dL`%XD(LH# zoV%+C?nsKxo$F$HM^bX`5D94YO3qyx?kDt0&RrVL+<PVGE)D4_dnM;CO+C))m7F_- z4O+dDb9aR5vU(-w4$*^FujJfasUB<fO3vMt%12hO<lJ3JaPL`i?htH9fB%nlo#F~j z4gNjwf&UACrQhqD<K5;x(({Vv0?$J8O!sfxJKfU|XMVBa*YDRp)o#?*x=vC5h%5m2 zDwin#B-`n4*nRkG+tI1TzLK=(#=eqNl~h%we}gp0dFfT)I%{a!-0$JHNQB(alT|nk z-Bf3POqtN)C`xZwlfI=HN$gg))~#xw+<NKYe@bu0|1@o)#A>CTUg0xh)}S*6qJ;Au z?$}Ou%!s>oNJdOLS36*zn)Yl&G5<z!Q`5$VdgMxLZEbE?wXKz%IZc3ZK=PJe$KkS0 z6IK$AZwC884#zjnC%Mv2k6`h<%)zQc3CH4NIt`p?^+)uJ1GLR8bztfP1)s>!W}kcg zPh`Xix@!g9$>-vsP8|&_b2v>i6OY{3^iAMl+YkJ?{j3S6&NzE+X{Rb$KP&0@U@srw z^RiezkWNL=l$D$GseCV*P{J9<d7UJ_a)j#xi@wQo+MIMcoVa_#@7757Zul83I0Eao zHMZ6kV`HID*EO=E+D?~Xk?cVq_@IPi5nuESOq>#D;-n`|oW)?8+|ks$CQ=33#kzI- zgI$}etYs>b=5cBCbfIH~nMr4(dl_n!usc>7Jx$P*Kj@ofD8V$HDrm|bbV4$eV46-5 zG-YKCws$Du3|nFJ<oHA`jJ*Qvq!Y=PL=My|V1SdPg!FfFo11pD&?6XU4mpi4i|&j! zKAxBjmw2!WlT31;8lN%nDio84@IDmRtzKVWyR5!$BYmI8ZcUsdjA?GxU^gd}V6$U~ zq-n6PtK2O1;)`w<G-VI^-U3RnHf<9%6%4j_*#&ItogZzD4|@D$xwvxq;%{>66_fqY z!Nl&mb4x2F`rWdAr+iChaow6VbT_WRJ()%)KOrtYw8VRoaPh(JNz#}du<5(ko`~6i z?XH50oOTw@iaop~(Pj*9{O~h#&?npMVEc&ZR=h>(oVSRO{EXfk!5gF*elaEV-Q2RJ zsTnC6_9t^b&i<VW=xrvaf;}+lw??<bMz4KZeCM=BFX<}Tw>Ns?j}UwGs;bIstILt0 zqG1b8bz5*e--6WS$TLW9@y7dJUbmB`du9yMY^d8dMw{aO9wYVp8@uC@vDaBE-gc=% zUXO;>hVAs&K7OnXw6%77Lmf?+>C9+k%q(7Cw|R3t_mHBSg^epKJE@C%aU@W}d0Q=t zZi*Rh*Xo$zoS&@U+;ZRZuPt${mz=bv2^k@<3Y;IgOL5nUQouXjqc_+}#w*t-<_Tt{ zSsHvSP#3z#oM~p7hnu6!u&D>{3oH%Y?EcjKZ};DEqW%Yb4Y=KXz55FH1@1m~n|r%^ zqx(d6jr(Z#9Cwa8%{|sV1d#$?81EVXK&1VX#zV%P#*N0+0x#XM#zJE*&fKRMhZ@5S zA7bx6(BITw(x28J(eKf3*00fjsDD@Q)KAs7>T7WdzgREnpO-GU!2f=Xn+|Mr-~`-; zuDqmeP@dLmwQA)NtxUN`o1^6@H-|o;{Da^lyj4rn#)9eaO>Ky8hGwc?`0w)n*nhGA zxBi>d_tbx=FZxgRH~BmK=Y$UPmZ?wr7x|0*Yy8VYBfYcLhy3IH!~F&RboEX@@qOs` zt2g?d@jdE$%lC39=*?EI_WjiNBj2xmw}e#hB=rZl;n3{s@|_1p#L?hAObxsnyjJ~= zZ;5ZdZ-s9iSQ4$k9RV+R5-(HF@*Uy}`6l`@z?^6Ve(wJY+=<^)cltDSv%1>*iT7XX zvEEnJh2H1Xx!&J<?^pA^*Qry~L)BrbPjx9DC~x-9P&g1jq0LU{_YmBmc*}g*e8zm# 
z{Iz*Y;4|E$xD;#(-R9|Li@Dx=x%d0t-UK$p+XBY~jtb-kCI=!8J7eI=z=eU`fn9+e z;D2~L=^K#4GqIBVUP*Vv739|n<8nEk+>`LU@}}$1g#Szyo$@$rF&IS;4$%z8ih;8; zgRx@Z$jmswc@`&S#tK$UZ88=(;)&{+#ywnYF@DWN^0+e15o__lU0iH2?q(wSgEG|- zSK<Li{WD<C6vj_<9JyOz{6x#iT?!*5I+on2gdAnd$gh;3BQ7PkD}G0;A-5`CN315l zR6LGYMQ%|{N30|_D{e<zLVlqbj<}fIr09-VL2gtuM_fd1P!ulKDXJqbBtKV(BbJlv z$yZ#gQ(TUCG`UUjIpP9x9r=Qbb>vG&EG5^H&m2CQ(#_;^2b_;vEuT7K3Hd2uBs9h3 z4kh5Ab6lU0j~#I~STO$Oh&V7a<};C8O5Slq9EBOhTx>MvGEuqDDB<G0#ylpHACb2m z5vN<mY%Y3?qnM~XXcTerT4N3q$q&g}j)+4nV>%blH)e71JYyyo&oyQ+kz7LFaQZ&| z5b~x2;v~z+XQFbxQOL#fi~=T-i^)G75hq+m9uvtA$UhtrXIw@u6Ujy7bw|u27n0Yw zcmer47r#$l<>L3q-?(@_d4-GTk(asnUGfqa&n185;yL6mT>K7sk&9=O7aTE{>?Y51 zv5)+ji@oGIF7}XTx!6q@2~#fVBF}KNlRVAEDET87JIGU9Jc~TZ#dh)p7k81zx!6Yj zz{NAk@40ved5nvvlizXiH1a4HPbH6V@f7kf7f&X?<>F5A5EoA(4{~t_d4P-C$#1y0 zjoi=0R&pN~Tgbg!Y$j|c$t7C}+h20Y7Q(iVT+&3?rjkoGlRKSaIb;)IJ4p^{BzJIh zBe|W68^~>3Y#_ICaXtAZ7uS(nxVV<w%*A^03rEC>pK%xy!HPD4iR3tPH50*#_G3rP zRM#4Za<SfsaB+n(o{7*fj)`PBxsr*{aFruwK*Ja=)*GX_xWX9gh#S=o<KIkF{$sFp zz7b3FU5;L2uw}fF{7qTNQ1Xg$jI-P}j#0`TaD)1=na;&7gDtELYNzoAM>`C*G&i6I zw#+vuml$lhZ6Gfz3)r*dCFN+Rh7DtsG6!r>KQ}Mq;*IVPxY%j1HQ0deu$9?>?y%+9 zfXdj?ZGhTRR*d{rneT{e$=k{bF21E4&&4;D;~a6d8a3F0UX3c)f?lnjWv~UkTDizz z3wkyAi&EkgTZR3St?gB6qrukpD)OQ-&v~Fu`GLWfd7W~O!IpU)c|n=W9w5&vMO^%| za+G6{I=@ovfK}@2CgZ@WgvdCsDj+iQtwj)<*sH4%c3?JZgwg-wsAwdwDvP-IlCs#T zqH&B;;eZ=q^vk(;qx(ZHb{gzmu~Ka@*aB*Vao%?xz<odC2V9(BT;zzj-Dh0rh`7{e zT;Pbf%V&I_ixZ6RIU;V~8Rt48F5MaDFj0Bh_zp)~jI+78-PrAjxKL;GIU?@S8NEzI zu^x`L7~NdlZge>!?#LOPOvJNMj<y&bT-<J)<%qcdX0&thDq|NDVTU%3UT2)?h`8Hk zoWaGbjMJHjXHVnkb;hZVh<j_sDO|kDIGKs+He;tF;&PgC5*M#Bb}&(GHMVo~=f*Zi z#Kkj%ahKt~nZX#%aLvqM69%`-3^rkKsm$OL2G2G*8gPZo*vv$Ay|Kv=ahc0l$Hl9R zwM>NGdX8Rctl{W-V|BohHz}96*(SJ&{9ReXP%OwQN1UMr%m*BCspc`+rd<P(ZQ9ik z?{cQ+rZGyT^Jt^`H<Q)YsD9tg_UuNr+jx&Z&}sbF5i`{fOg0}fAhP+eh5S=F)_I_b z{6ksF#n+W(j<{L*h4BRw$?HlD7hhAV9dW7pXOs1(2I67|t%k_f&=&HBvfM#S)hA81 zqD$2$%-QT&ZKTQej}2O?`8?PAn3>~<HR@w#HhUIgmLryGV@<X@FNKCz*s~DXzBEI< 
z*BtJkOVztfi#-4_?1<G6L&0aimb1T9JHq^mS8;^-CDZVK+Pf0KHj1mgnptUA+Lh!b zm^)!HM-qtbI3e7Zb0_3>0^v%KZP`{LTaF~#F#%FL5jKY<nNsKh1zaf51`4#arG*yC z(E`0o3$%rDmHxCq3*|1*|C`;Nm3Cv(Bn}W-*_gaHJ3Bk`=6W;lLaId_Xky8KH&biq z4bqb)I2qs{!_~s1tq&2yr<kwR(Jx9rHo;{8A2h+m03R^HMF8&)KO`6`+ryXi@uZs7 zsi7apUp2wW0I$cl_t^UTW(FuL`sytZGb>_(P)+om9Ux`G!9s@+elq;M@D<^7cxkvQ ztib2r1EC8-4WW}lV}tJo9}9jJp8C%Y9v|FCeM@~*y-od$dX{>Ox~K9wJO%i{8MXxi z^7%rCxP>mFi%6OK*QnU#cJ+Ge{fKx}zIlc~PDg0e+ITdXK1Q!7GBDQ-d&Q!Vayo8! zbl7LtB^uU7)2WK(iA20&nPFwFLwcr1lgUI<Z;y1x6OqQ0-qjLoXwebIOmC01BUoBv zEQtte2!fYR6qQn?&xJ@H(ePLa$tbf3Y1E_Z8=}UoXsQa)Wv!53G1!YlnSng+fAxso z8g0M@Q!LfW%4<(1IuREP$sKL6bsfAeNyMQ=7`29IH6G%{rWitpAv^n4L!4dH=@aTr ziO57&UsMB@^M(aC%hDK4M`H1m4pA~gAvb~bik>n)gb-qFi8N}8n;ljmWH4&NGIk(m zRfSk_gp81q<${aC^(j^(7Ok%qRjQm(w`{h)Jh2uRYX(Kdz3BU%6YPE}0ozG|o=X2L zP`y`kl6^XEX3=?z(SuF#L>C{tUGNiNj=g%A-!>yq9y%7I$q0SOLc}#QtQ~JAqv?)h zn;wt0HK$v2NS+$j;%SwRP;@a2_E<cQEbBTj$T12r(i5%iY&@Zx*^nqIJ-Qy3?NCaA z_@YAec%Ku#v7IgaB(wKU^RH&hhUBE~hb<eN)XW=&Igb(@2>7QrBrstO@_>Hr5NKEF z^Y|3k8#+?yM611|G~=rD)4LMTr~Na@mp;jED}B2}fe|RsGt=L}*2}PaMl<QUzAVxP zO_RAs)K-0FqE4SM<CIyIQzk>xU~0|LQzn{|dqq3eOU&kO%xt~3-FVa5EwS51Fq@Ou zhS}bqG8R4^t1#2{s{-GVjwV^~*-q@QiFgMSg<``^>d<sq8!?t+1TMvzn&?Q!V{PCK z5EGp(sP@*5g`tA}IdGit;0O);6eZWlb;B?WE-rzoi#4n@2v466Tq8``z6K8ejmFLh zm=fp~EnR@<q-$8H+eDlBjaQUbA+~+r*umTl@)>A;%sCJt^oukY5n78RjyfU$n<S{1 z1)(d(2OATGtW9j|#kRs&H1qA4vER}+QMJY$tll=iRw0+0F<V{2N!#L`4vdt=*0!OS zjFiRJ_#pR<l*N{U($<l(*y2}u>14UQ)(A1{s_v9yb(T`;QevXHk;=4HU1{G)S!{tm z-Mn=c)2o5)D}gQ@DNCX9Q%1^CsLQyKvJ~nvccd(~iX>gJHI<C&PCnA2l8M<08+85% zWfoj<(9lR(3Zr1oNLlPrKxd4Ur7#L6jg+N8NcjZ0{4D1vFk4jPXrE(D6cohC8zX(8 zK;+tyvJ{9sVYn;~dwsfim@G4yhZFll<R@EaaXJ2>t47LFDCK)wXEAl73S>=<l%+t{ z#7J2R<1@|l|G)3KPzb*q{(bnz;ctbn4QIm}!Y$zy;pvF?w_n&FdJ~cUejfT>=&PYi zL+6LqhE|4VK{`Dy6bQZ<d=?S??h4)%yd3uf?ZLBx^MgkQ4+?7P2kPI{$JGZAx$kQA z615vK`<AN5s}t37$jx6?o=_f8Zd0y8Y`zX9qAXO7hU8ldydQWm@Y}$>h{E@UKqjy* za8_VmU|QgSK+yk=|IdiIcenp0|L6QY{#O5K{#pJS|5$hcctd_h{+WEIe7!s<pC`xU 
z6>_ayiCB7G=~d}T=^^P3=~`(3_6t#IDI(`hl*%QK?`7W;h?jSp?<(Jgz7Agm+6YJc z4)$r@_q{J7Hr~D7o4sG~W}tg;mUo_an)d*25RvfyEdENoTf9m9oY*6_il>RQ#2Rs| z=%;VcXXwx9o%DJ-NYA4&x`NiyO1d}ol2^%-<RNkg?EeQyH;Iy^<ajcXloOBVWzQ3y z2Ryey@_1p<s;*_5oQ6*sGDpk0ELJmQww85StY*k8E$gya&5)T|)@8ApAv3hB%VIS{ zrfXT3#cGDsYFU@XYKEMoWnC7l8FHeQby=)t$O&5ZOm{nu*Rrr!EjH@PkmIy0Ojey~ z$7)&FtUA+<(XudFb*3GyWns1IOgl=;!fe%<cBGbt-KsO~2rUc4RcG2XEep$4XWHRf zc9}bEs+NWAsx#jdEeqpSXIhPxh4rd4ZL*ey`KmLmTFb(I)tOeMWnsYTOsmwguwZqj zP13S3VRfb*re$Hn>P$OS%estMGi0Kcbs4c{$OJ7r+x_l%E$cF3&5%R1tjmZsLk`xm zE+f_qIY`U8j94?|KrQPsV$F~WE$cF3&5#4MtjmZsLv$_cGGfh;{k5#ih&4mTY1!l4 z?HH?NT}G@KvY(c98L?)_zFO90#F`=dXjzvLYliHtWnD(B8M2p_bs4c{$evo(WyG2x zduUl0u{!&xT+70W)tR=tmYw2G8>3}m$Lh?to0f$kt20g0van<=PP-L`!C9EHI@2!J zvan@!rlqtjj9Hy&Wm*>2td2C#yIL0Jti@^F>>IFWb*AAPFlcqAZPv1|XmzHYr)3Xu zrmd$LEeo60;(Y7rrCQcy)ViJyYFU?2>w0pfmUS7mcCqqYMy*{Gb#WQBcG0|+bs4pG zvGQC-t(~kqmr-jcD{nt%ojX~1E~C~?R-VhK^=8j2TGnOMdNccm%c%8cn$xl_qt=^g zR?E7KT5tBeu4P?Dt!Y-C%cwO?2ehoqs5MP)*Rs1g+mU8<b{Vy%Sa~j^))c)&%estO zQ>;9fQEQ5o=Q3(dvhrL;tw~m%%cwQU%5xdDu4C`Ij9S;RcU?xU>)5+4qt=@|FKJny zv%NQY{-$MJMy)q_{;FkNMy>5^+`Eig+bPDq%c!-TUZiDRMy<DaUeK~Gqt;t6h6Y?l zt+$}g11_W1TReZ!23$t15FKg*=Q`W5#q%d^z-83B1<nHoTt=;1K)(T(QR^1krwzD_ zTDOo_wE>q=>lXCofXk?Li|2W5z-815l>lwPWz-5GzBb@8YK^n+CY|koj8z+O8MQ*M zKpSuwwL+Uj8%Q|ch2Dua(B@9VH(Fh3tZi|38osgCnFf6lZD5TnjeR5LPQy1^+-d#V zK(i~2wZp~#L5)NkaPfaoIMD`N{9laG%EkXd8$}y%@qbV%(FR=nAGAxf0T=%VH4|;X z#s5LyL>qANf6zA323-7KJsedGxcEOPooE9t{twzGWdq><iu`SyPi`t30Q=`ix~6OZ z+@B-q>aqbae~zRZ%Lc&v6(`Y6WdmUSijvM_#e?&6B%ydPevTv*55CWlgyO;W6(_Oc z!Sxj-oeO6q17P|bNuMnn0MF-0y0mNnEMIXFD+?T7QPKu@x)=b%SCn)PO9H=Fl+;ao z%LW*`=UEVITZ`MX<q1#jxUvDp?G-1D(*|73UXEO&4Y-)S9JyK>a4~y1Hi%rzUe5EY zvH>uAMHT5HAR~A^M-s>gR<AgT_LL2P(<@FQ-_!<NjNaLB$ur<$^q{h<4Y(M+)hwTj z(Szo$HsE6Ppe&>fxEMVs@RkjL(JQLTLgso5e4Zl-uE)UUIg;Rd3|wAO60}pw2EgPw zlJFvUJVz2<1dCUcbTadj1`f}W1TSe|@QRa|UpDY}MM?A7i(u~@Nq7<5U2zh75zJjt z(mYmG@OF-*Z?N;f9LNgchR_;F`Okzd`?bocfvkAF<JTkFzeQ)(61a;{fUXw4wTo0` 
zJE|e?z8#rMSwAWY_y#_zl6PLY-WPXXS*4On6ev-kM1c|ob~y_4%<9{%U|+k`B@?zK zTRbAiM`n=y;r6v|t7Oxzc6MxiA*RcmKFwirJoPABa>pzGA54z%hGB9%r?1Re(sqY9 znQDbN>22)`gSckspp4f=T!(P=<MSFa`NK)QO^&0E)j3T+ssXWMzD?%zg&bWsZK^Gy z=N0}Bg8*-scIPMc1q<_Hj;rfz)ec_jM@5GJ&{>5r8{F1>d8{=G<teib9et|ZhD|lD zHrQGRpKu$T-d+%*2Gw6ZyQ9s}Ns2I6ZboAcgwryn3tkC71eK<?StZlW25hVbmC!6} zjWOM_L|f0^eF_|6)R_)3j)ewQB)vM-5``N3{JO=9m_E9xgRP@5eSV}f!nCX+aE!t7 zxPt{iF)ore--a`PsHPS=yXa9hD;e%->Q@`u-9~f_R`OO(mUg)<pj4p}1xgesQJ_SD z5(P>WC{dt9ff5Bu6ev-kM1c|oN)#wjphSTZ1xgesQJ_SD5(P>WC{dt9ff5Bu6ev-k zM1c|oN)*^`3Iymf&)(!7k<OvV(HeRP-ItcZdi`DUck%Dy^WyIj_x^tIPVpA;E8^#U z2Z~wWUcR7@c;E8A<bB5bJMSa%6Y|gH`(X7yDR@9|kDwa#sBgmd|7rEN>ci?i>K*FW z-~r$=^+NT0HKo=BrmHRF9`X$N9eG6D<UiIw*?+KqAAi^{%J0ap$j^E2@!sM6n)hn& zW!?+D=X+D$7Fgjg^Um=e=dJM`;@#I<=Jks2%HNT<$k)o3%NNU^kvrry@@jdxJP%GJ zrpgoKvGQ)RB)tdw{}-e`NWYXGkiI8<L%L4-f|QjuN$aInsa`r&S|HU*M@WZBIy?dd zeE;^n?t9Vql<zmbpZM<f-R`@=ccpL8cY$w%uiY2*o$g!gn+YEQRpB?ne?{bgN5c<= ze-Qp=_{Q*6;Y-7P;d8_5!cE~b!b`%l!pFd8!a?D^!=W$@y&ZZPo)aDm{WNrM=-Z*M zhpq{IE_6|7V<?Sy0IT5Ve=a=#PeDY2{X!ai{{JiZ4;G;S{uJ&<RDfF?p7kTaQ-ceF z)5Z1hJy0*6DlQbKi${u+!~?`VL`4+fh2XFBPxMjx5d8uDCcTkfMK7g&^jx}*HqkTG zL)3lMGS#cRtNdMg9=;cTuH2`5SGidkQm#-gQF@e4Wvz0yvO<}!oTwbGOjO1xV-y+Q z7+wqfCGf|<uL2JSz8|<XaDCv5fm~p7pc}p(8v-i>3&q1kT`b2)z$jp&!5A-3(A((^ z^h)}o{J8ux`nvoh`fo8nXVP}Mm`3U8^lthTB1is&+(C~fUn5tO%j^M5_YxEfAunyO z^G?_vONW|XExYN((nJn!mL_oUJZZd`6-*4~qmp8Qp1+gTCJ19u$<M)zWO*@$xu_&t zsh(HJDh|F(&N4yRdP<ao7fHlFTksnVG1FkWE}h81{Uyr*D-6}8<9X^>={OGVCmqYd zeWhbKxQ}!+2ltka;^1D=ksRDpI)a0HNYgl2E?M4OGh}zk^5&W$V<gL)YliG5)$qKU zG}#0<lY6P<&2=-mhgx1@H<LT*Q&tAyGt_dmx`{kYE#I-5$am-yrnB5lN&2{%wU_*W zS{`zH$=&q3JoPSWIdJYJ->2U*Q_u0dOVVZm>9NG}?F;*2$#NnK6JjZBW`*Uj6tY0i ztHknbn)3XEoXt~TAq{3(sj<XzcM3aVNj0Ct%viGA1aBmJki40?5#Bj+9NeA2zL*f= z*+|9^%hmHnvKzUCr)tD<?R!3)om#Ga&m&=Cxq99}Ld0_QynzIX<?49@QHka1c>__1 z<?49@2@uQG^9JH4maFFtL?)K2=M6+6J?4iu5Fhyr2fbt?2Sswe33hm1CzikD4vg0p zGZjYO((WA0NaYp?nvUV%mC|k&==mqH+$^U(uMx}JG0eK9GBd+QvW)zcgG<RH99%*k 
z=HO!T5C<2LpKx#?u{`W<Bnyb;VRs`rnOGinH<J0p^2ofA%p>>l*XEKRac~Z~mxHs( zJsg}xe#pU@<Odv_LGI?@baEF5Yl$`XHj<NwHTE`=6NxoWH<A;GHBL9eW6O8=YsZmq zbMRPl2M3QK-{RoW<eMBkirmh@Bgt(XJc8WH!D-|h96X%d!ojKJW)4mvTR2!lzRtnP z<ZB$PCO2`girmP-N^%1SClSjz@J4bNxt^yUO0MJJMDi65P9Q@Z98a$0;34E14jxRd z=HNl(%N#tAT*bi(awP{3AYbC3PQJ*&{mB<NIF5XtgJa1R9Ndpw&cS`j=Qy|zxr~E* zlh1N+FLEgd_auYXlHKWfgT&0_PK^7t=Jf9zOV*f)8we%magY$p1^Nc!AscwAK+ds1 z&%a4G2R|U|Iru*5;^2FvlY{>v9qMtyd-hKDKL(g&ST7zRzixsVvOrqP!ILG6{uwe~ zvic`O=1JDNlp%8^Yqf&EBgtBJ;O0oOb^v%clB^X7PK~4nUhWLZTK3_>NU~OVcrKEx z9RLoCq}4p{iP9<#o*<pY!Q-VfIe46O1_zIoPUqk;(rFw#T3X4$qoh+gc%*a+2ak|e zaB!NmoP&o;bsU^3E#u%6X(<P5q$M1jEG_0>wX}$XRnkHZR!R#vI7vF0gNI4;Ie4fv zkAoAXxg4Az&Eep9X*LHBk!Er5U}+`?50YkZ@IYxg2P>pn4jv$#WP<DIZ{*n+=-cUJ zz1#B+N%0acl@8|MpmY!iGtwazh+Y0b3-r8A)^YGHlHlMgBxz3b^<zo9nF#MKlFq@5 zRKdZ`(g7BTV)wT|&zmI9!B<F|SytCr(rPBcbBnYe2Q$(*4sMplS|G~W*L<rtMy<V~ z2b|DtW@1m2+G~D}S_{=ilBKfw{zfuDB@SLfeH^@)dO3Iz6*+hzr5x<1goAz5!@&!v zz`+dpHwQP94>-7qywAa2@*W3!$iF!F8S*X%H<EWacs_ZXgXfXAICw63lY<+`8yq}` zSgXKBcs=_kPhC%5<6swgm4lt+9~|r;f9GJDyu!g0d6|Pr@)8Hvk-u@U9f8j*E-gV` z<X{{5KMuB%zi=>4Uf|$b@@EdNA<uI#MxNtf3wf4<&Ey#lHj$?}7$tw=U?X{ogAL?K z4%U-Daxg;vz`?W0?>V@dJi)<L<Z%w3MIPhendEmIJcIm}gQt^6Id~fR4F^|}UvuzO z@+%IWLVn4?733EjTuy$@!8-D@|FO-g)Z7vUN)#wjphSTZ1xgesQJ_SD5(P>WC{dt9 zff5D&Cn>=E|NX)9pb&m3{CN2O@U7u1!~KW?cy@R}_$WxS%R=uV7T}|ydqP`6pAT&g zwTI4x-1_j49#VsE2cHlA65juB3|<!e4C24949*Nr4(=C})z=~a|Ec<2^*S}Lo~yQ~ z%hi+AN$OszsQg3uqw*8wTgo+%Jg-+8l_kn?$^>P1MF_kUcsy`F<jhwF`UB~}*?|Rt zqXGv7$^st$YyRi_kNO|<f5(5L{|o+${O9`H{Hy&-{I&k6&>q;sFUfDqFUr4{ACd2p zZ<fC-=j9$bDK|hTV3vF&Gy?XP1Jb{wmk<x&7t%e_ZPJkRS!uJ>AvHk{V6Jqubf~nS z6!d-I`-krt->-f5`M%}5-gmjL&$r&U#&?Eqf$w-<m2ZDvna|^W&HJ49QSSrZZ+ma> zejXYM=Xlq8&-5<zp5UE~I03tPMez;s1@Uq5A@O_S*TpNv0r7k>Ax6Yy;tcU{@nA^n zCHf9z^?#s0g(UnIdNs|{9-5?$h#N4Q9!V!4azKE*M_wjRkzbH|$?fDT<T8>WourwZ z2I1JTWD*$%aihocn&)}XZ_#bmkD9L)%L%EgT{z1#hyF^<pTtq&PWme)f1+6KF`lks z4^Q9^k@uHs{&<ce?=O}7afQ6Vj^$X4{zA<k!?Sv-7<#mg4l(p78x7H)EBPY}ul`KU 
zA7MYNqCltF=nz8>x6xDRPu2WX8$}>eH9y5hmov16qrx-v5hXvFf9Fj4h?=kF4?Qw{ zSj|^)RCtFzq~<F*>OuHuB|nM38lyi}^M~0Fs~CEyjSew%qK!)QK{Y?YMkzzbb5wYi zp@-P$)AT_le{kVD52*Qr_(M<;=z%sm#Lx;G-JRaA<`3Yg@Fqi{a$)tepWdhD_qWk8 z^haub97lyW7&_KQZ)E6x9Q9mIf28F1EmZ1WHNTJju!;iR+eU{Nx|faKO7Btgd)g=> zzN+~>I4V5H&~h8SkN!}}@6Nx|NPnQ_$MA=qa(cI#-_1tL7^>MQ;>W7_G8<jN(6Egn zj;xvwaa6dEeqYT8ZS*?&JteR5&&KGTYF^<FL35x18y%u|DtUh)?|0R_Y(K1`KqVU; zqTf~WzCzybsClpbu!;f|ZFGpC)J8+}+iITJs6_8j^Bx<e3>7$vA#{hD+i0UtGxU6p zdKCICHFq9Ig<BYUE=N5f`b{;r!A8f?+tu7THaeD}-8Q;Ay-m%n=O{)P&@PU8w$NME zT&In$WoU<u#u%Em(HuilHhLvPlN=Rpqqi!#bp^_OL(R4Ghv*TY2^$?^Xq$~n^cFSO zYNM2)agKsiK-b#n(+ovOV{49-)0@>?%tp)T%}TDNP>U^UuGxNAMS(Wi=n&na<f4VV zUsrRD_QNU)w82J)7+P<m<LKAaT*OAlGW2X4EvGlBxz#pW#?VzZ8lX3-xwC8(agEj7 znKp{p#%k^i8x7H~s=3oSD!fjwS8}Hns(hWATge}S$UslE(IJMOVx#5sD{5|qjg~QV zxs8_7AvITLqh)kR$t^2<=UO$l)P7h+fiAJpA%-sIC?@JPYHm>xdbOHcXrq6kUsiGp z3I$)K=1%4h(Ey<HZFGpC^K5iCdZn71YoinCm(<)G8%1zuH8<Nv5#U+P&9YGhc~)~X zZ4`l?)!Ymly@7sF$xY{#QW=KL*4$1Nmet;CJ$($tUTcm%;eGlAHD_<O*sMOU<gnSA zub#;;d#{brE7TnJT5H@^F|@GR4l%T_*&^_`nk#I!d(qD+xuVVXGBsDc*#a%zY=IUw z+j9C@HCNbd%jjpd9Gp@YhulCMbu9<4)J18+=gDJQ4sNN7)2?7?@Jn5sb`yC{%fT^q zQJN=1a#{|ashw$AEeF@s&a?q7=L$QLA(v=5SJ;sZxme4&!j5FfMOw}kb|gbC)N-z{ zBN@`K<y>J$GNez-9qg{l1zOG(b|gbGTFw=ABttf9xeE8Yo3xxO>_~?6YB^Wfkqqh4 za;~r=8S)t|=L$QLAse-vE9^*yoUi3vVMj9LJT2!6JCY&iYB^Wfkqp_O<y>J$GUOaB z=L$QLA>CTe6?P;;)@wOe*pUqB(sHh_Bj8}QoGa`|hID8-SJ;sZNo%>?-1JLnInAAx z)N*C+v~^l8>`rUfav^tGLdyl+X>D3gb*HszIak<`42f$wSJ;sZS*zt-VMj7#jh1tT z9m$ZGmUD$2$&eN;=L$QLA<bIO>#j?amUD$2$&jd)bA=trkVY*>-0wDMIak<`45`<0 zuCOB+64A1*up=3Aww85;9m$Z@TGkbIBtuqdSy$MR3^_~7y26fR$eCK!6?P;;&d{>1 zup=3Ax|Vf?9m$Z>w5%)aNQSJ`vaYZr8FH$Yb%h<tkW;j*E9^*ytkANqup=3=T+1fi z^sCdd>)dI}v~0UOZK;+`xYL$s**16DVlCV1PFtj9<L<PDTGkbI1e#S^))jUnLr&JR zuCOD}wbHV#up>~q(z33wBhbF$C&<#jB?^=%P@+JI0woHRC{Ut6i2@}GlqgW5K#2k+ z3X~{NqCklPB?^=%P@+JI0woHRC{Ut6i2@}GlqgW5K#2k+3X~}D>7_tWA%f^tg}^@Y zk-kT~s`J;k%KQ~B8TNOlH#?l(=|z?bEK#6Dff5C_fdZS3?W<RXGX!C(uxUnl@6o5% 
zF41e_(Pa7<y<$cpu{IXfPmQHp5D`|di#Bv5qx$T4q`6{oQ&Y4p73+*ns#p?1^w-X4 zMa8Kt(Y9!3G^t1Q2J_8^L|Zx%YfI@VmN|`FdaMlrUt5hBu{t8Z#!|>_#gEm~iM7$T zNqQRP=&`h(!dK&sdL-Tz=}zhOQN0~siZ<#UDFmU_BW-%Lts&Xno<>qbOQfwW8n4o4 zwWU}c(=7-ki*iu3QRgPqnSCo2O&bAc&HANKPosjYyi`X+%kcHAs#u;##CeR~W>BM} zzN#V7T76EWJ(*bF&Hk;7u1~WzCfZWf_3=b~bt~Fk9cgS_jD+@7L!>R)5s#*-Q^^MN z(HaD%txhDHiwmi?3n_lZ>;;qfjP`XXY#9oxVny_}^hH#mP7rE@-m&GqGm5)!4!R>5 zYtWaV8mxtjlaYpaw7BbP5#g8h+=}+bNSaYCsz=bV4UD8_fL}e8Xi9fQlF>=5w^|d8 zv8Ha5unoyrdm0o?*u?JEL5}ulGTyCsB5JTvWTA_IM$n1qeS9RHj<&Y5Si*W^)aXMH zZq#Is*kqm_O-Htw)UMYoYMI1x(0bGAzOz+fHJd7%CD&A`ZEugq8q8rmE13kXX2wzt z@dO)<#T2(E%d%)^EZSv~GSQK2h+-@@M)gD!k}y!)BhAq&eO_yOJlYy<OY03CsdS=M zj~Yd@hp8%k1_m3#FJlt%Y{tCMTcd0`#8R!8P^?QjkqNV`qb;_sBWe|qj5bA+=$vRZ z9=4@pO)->%>}&`$#AED}6Y7(RE{uYSdRI#<9@XQC=4SQ*mZcE{j>S`YqRnhUG|A>Y zs}1I5qu!QC>(TY?31gxnzflwRUI)q>bw7`8Iu-Sl(NT^r?rH2>t(enEDDPcZJe%s4 zF3{(-t-<8LSk)^>o=u}%EL_8JTNe!1Yjx}5c4dbd%7P$%unn6-DNBh0B?^=%@LxuO zfM=r+78(TcG2#pVB6yR~pgtj7t?sT|NiP@v>V1r~d!8VV^Iz%o;eLH@de8q5vK%Wn z3qrXdkm4<5Mlz8~>2)!%T6G5d#J1B3GZ!z^r$@lpPBi#T@xb}=2E4oHw!FI}noPw~ z;5^e4u_e{DGj_lzrD9QaZH2gR&lvy7D68jGXJIpAN$g{ZWVb$@?eVCF`4V`RNIkat zM*F$J1K@d;uFtbr6L2TV=(-MMX`H0DM%IGKHd$`42&^uRdK1`%l-`)Y{}?9_YisNP zf0K-*)~2c|;Jm+8IQ>INH;PA-<at|DeHJ+LWLqSzFN>P(GReGWOkRP^8=RCenQeVh zLZ6#Xw=Zr3FKe84*rs0LK3v#Y+{cSZJZ>F<ScA)(<t}__h4V|Za6*XdV9k?J42q^i z2l%E~n|^AvzAn+Q7Uz^!q=V5jduCa*HG$Jpl)aP!&xPX+m~w->?H%=CJ@K90dyexj z#D{vvJHIsBIB@B8=_DI(2Ghd}?Mkx2$T+k5NW<FZq)`j7jLpeNt98yYd3tbs@u<Q1 zfJ3d17$+_qCqP*}Wt0nkRA0_G*RB{EZw(M|ofv3|)^^4}8mz73L(%m(ou%1`L+#6Y zRs?!HtojE!t8dJj%9#mvqSEK%%wx_Sz0PEtXS1^BwKc?XEKIbS4YN9`D09lpY>rGu zxp*Sd$cAbXTy=tVb2<qYo1J@%oT*6$Bg-gbCFnSIjZd><C_6MJ6Y)4Q*LUL(%1)%1 zhrEH2!chRt3S*gAGm0U-9k2Er>^}?i>xsGOhw5U1s9fIN9@XbY(d?wYForWbpY;~C zq7fW`+0nu}C>zH!g8=Q(1{@F?42qz2IOHW`?7YYb!AefEl5yn2=>o?)V>nrlKrS}s zFnDmz#DW2W1buG`r)@{8wmoa_SU(QJ<(nFu?Vq(^VeMRukixygf@ox|IZ*5)R98zB zO--^xE?ct9cQBeU#5*vXyZMMV<|rtD6^+e?NqVe_T~)+VY;2%}HmsfI8X8OE{AN8g 
zpWuFgEtHXl1~%hy*usm}M8StT*xPA-hGeHGmXt`w&M{7vRk(h^yYW=w7@c25MB}ZI zmMZH)B9^GenU`I6fZ~<LL9r4?wo2o$SY07bR2~<<y6wa)<t$O4M1c|oK5hzZ2jjdf z+7vhLDow_jzNRh}j@!}t9w*1JcWe{GUc_`8yND<R4;1=$^us&zy?Jss8nFW>hb75a ztHo&=2L~FuOSoWX)@;Yh>ec*^Oq6e$;oQ+JCVe=$gu$o(_X;BDvx49mvtz{kuYGH> zymXkUYf7N%;yBmnGoxwaylYNZ(V_$ky@pe|P=&uU@izm1wfNKV2S%FR^a~OE)#I-M zf2E%i1xgesQJ_SD5(P>WC{dt9ff5Bu6ev-kM1c|oN)-4MQ6S*?HR7(nCxmB)lEF)r zZwF>eH+p|5-cPS1HzIlK-{WwvcpUw=&_;83^`1{rQ@5&W&+<UeL|m8jbUW|VisfSk z)kUUM(2;77HN+AfDJUGaGG)XRlT)u;xIpiWMGEq2Q=n$asZ9a6mD`Y3C!^_(B-DC~ z#BfG>YouFmiN@QRJ}=Zlaa#i^9Fu-E#n$8BZm2CnU>WabVnoQ@AS-TV^6w~<$U%h> zVzjCX`Z7I4_}x}b{nRI%=kL+bRncwjDF_%%CF|nOL|?5~w!rM2nF&*40D9EJt2(ou zU9oH)(^?3LhYKI3;qnnvw<qN9nYuF?KX>`^B~bmqSV>~InDX!KrUre>J736u#7*9= z;(J6>TLLN*4jrT7u6NAinbG<VOZ!7#XsVW^EIM$lAC|*V@wHS>n9{wWuif5}YGD)5 z)F-xN-xwoaU*oPICg|BM&@+~;X``XVaI2ZE54F9Np>NA?d1h``hn6yLMS<Rh{uH`( zvr8dpUMo{lnZ@+Wp<%WlVX56ibpv9o&PYSIJ`=VE=GdNY863ppi7qyRW9(f+`2vbO zP^pJbic5(ddk^d~pbiviOSQ&esL;su;w^pnNruK#yUt8vun|Egt3KMubcy1;CdHea zp<rZul`BX!7*;K<QEYfgrq#u&#rDft>!C|xSV`dXYoLr|ls;!k9rSEk+Y@crc~Qh- zd@^Zdn*?<`rhEq*4=A^_b)Xtas4dx6GqB7+8;wsGiZ{N%2cE@S(YTbbqZH^l!Vl?C zd9UPLfSFPtjDo;9En&t%MH*Mo5;F(oa;9$=MF+>gAvGGRR2XToX48BGT1QxCVMGMM zm01K+5@Oj~4CO883Z?XDgqhg@z$8e;z!jPLYSwyf@JB6BFY1Oeo9<Ld)79&Q@9t=u zKgsuc;(n%6+uQ1*H}>~BW(&hq(e&C*C`cMQtc*Ejd%sC?OUKP%ISrz8Me8jSCs3}S zv1g|-{Xi%>#v`ziNlwzE>4qw%7YDtzrdTu7xQtc7P#nYrgl48;KE}1)__ymuGSV@a z5~h&Zkk*&8m8LzBv<&QG>2B<-<3mJv<&&iL$NTMs|5Ubr)2+J})@#s3h5Qz)J9I8P znAV-yrI;J0u~`bnPU+Y=rXDL(#RM1Ij>VbjBDULaGaW?CGOUpm;)Kv2g!YfKg)M#v zm&<$n!?e%PF=jg9W~(re%>ic4T{cY7jIBo~TO-g`y{>M7KEY53oQPqwHyQ;!mXG15 z=NLoTvUjYrNh8=C8fqE4h?OCI=3^jF=@TUilqgW5K#2k+3X~{NqCklPB?^=%P@+JI z0woHRDDVkWAc*fjEY1?buZEuu|0aBY_>S;b!&ij+!`<Pv;WNVv!zYBR!+KZ?lh8jy z&xd{+dNA~z(2b!lgf0qg2(^Y*g%*cS3e|)vLc52&!8e0{2|gZtICxj^=HQouxnNH) z6>JQy2+j^38JrN@I~Y*^rM{#-rT#*_N4-rQQa`I^)K0ZoU8&Afk5La($EqRa-^xFf zXOv$n_bJ~}u2(Ks`jqv`8s!XSfpUUUt>}uTkib6!&j)@RcrftYz)gWK1}+Yq8)yxz 
z3M>ws6sQSQ1jYnJ{~P`n{Ezv6;=j}XHUF3Vm-x@~xB1WZFZECNAMQWczlUFz-;w_+ z|3Ut#e7Agye6>6%_sS``QC=a>mXDMt%KONQ^q%yx^px}q=^p7eX-K+E%1E73v$Rs0 zCmkbAlEz9Q-@kpY`kwXu#&^H(4&PUOSNJaUo#R{UJJYw&ccQPxSK%Au^LpR({>A&a z_aX21ykGZT=^gN%?@f5m_Ac|z@E-0x*t>^U65keI6n`&1BHkt5EPh$ciJuYIiS^=g zbV})`M1fBO1=LFwJ9PDp;w0tL0FQDV6Ax1__1h1t7%JQ75JM#!Ef)_}FZJ1I8AH7` zI!>IZUMkw?ScXy?mBb0^rNl-lLp>Z7o@J<DqfY}J+{jVSDdKo_@O&Fx!O-(;bU8!M zwb63%5Or{ajg~R=92?z3JXjg*F0}q2b#T4?uu25lWurq3?X=O5c%VAiVWWGA73yHx zM%Rl6sDmjRl|)?~Oxh@A=sJ#~xj@@(^l64BIO>@r?ynBEaa6cd++P`N<yBtA9>)1Y z<Q=CDuH`85j#CEL6!HR#aV#c|RR>#mR!<c}n{9N6p-na#68BRFqebYx%3x!mq<z%E z2K!-^2(;cthZq{M(Nn~|)xooEbOl3K+vswJuHvZhjJTIFcozT8nc`mR;F<iPM;7-~ z2hZTB@Q%2LI(RxqJ!rKucp85-Cho2duCyOkG4xa$9b)JyHY$l@)WH=tN*TJGqv$N4 zbvF96I7S&<R`||t>floT5JUyK#72i0y4Xf{7d3To5l4kL8M=_89=}+o4lc0KF=AL9 zJei}y8w{Oqqc<{i9!EWwi(zGOZlO{kb#RXTuu23v+eU{NI?G0H6@%*FOdCCxp))ut zJjc-KHhQ0^DucEBJB^~E4xYpxddkIsI(VXumNE1M8$CtztAoee=n94&XQRs*dMrnU z`$SnCJjO<^6D4KvX#Uxl=u-!e;txS{phw#1kmyqek0|8zs)N()hgEQ;Jb1W`4vAi6 zaB3m1s18oCA6AJ#Yix9gp_6SiBvN&-+D0XjsDo8DN*P+oQ4ArVlWg>9h91UIk0N^1 z!9zJJ+``a_9QA}mK^>f6qvPnm)xq&LI+me_*k}#?Kpi~TMkh1$ARFDCzON1*$Wh@< zhQj3!A$7G2XL+{J_te1yY;-L{bsLQ_bblMoF?5`bUdhn092IV(?<s@(*>t7<QU~|t z4?R^3-N#0U7`nHOO7vZIa4#FB4BeBX!m|wB!$zNGXgNnc<@6nOaCaLmqwgq#V+yr+ zTOHiZepp3;YBoAV-&O|83VGjB2gCNmDhf1YqeBc0+UPj?raGwF=vampw%Z!|hB_Fq zpH60IVZSY>ud9QF{kDvuh5a@_|EUfZ_S+D=1`OK!t?)X1RT;#7>oK}7M*pD>7Pi|e zh8DKlA%@!9EeQ2@b<o~!J!L@ih3&SSzM|#}+ie+rMag5k<==T(%@=mtDhjl)+YT|* z-fe~Z=u2uIyRA9Gfc{O*+uN=1C;C?<kL{Kh{GysK?6y@DXkoV<VrXHv-HraAnlJ3O z6X{>nd||h(qc5oWb^NoQWejb%(Zvic?6!*-YVWq58|Vv4-rj9hhGDlgtEjN7_Gatp zV<@&At99?wKdX7{wifyfeO}39yER`ulVR9xd0U@T^M%c}iUKWcwnGfXW^2vMIDJ;l z7k1md=rc+lyDcy2X*FNiY^x~H!e%?f(86Y0PXDCl?adb54iuZM^_?5(Q%WAYEid>< zHE(aWn6y9(o9z%ovDsR$meW6~`ND2n#?ZoUJC6QA%@=mtu?#Kjwi5llnzwgb4`pa! 
zw|$nO*ljJMKF!dj9QB++pHTBlY;*-f3)}5-hT7XL2L0n|zOdbvF|@GV?m-_@^4M;9 z>wl-_?cElw2U^%|hZu_8)@pr-{#MNww%fhvqiVje-L9v<QS*iER-(UF^M&n}GPJPW zKFiR;cKbB_bwE5=P{@;le17oB;Dz!x<^81VeEq(&e12~$dD8O%e)o6(ej1J>JE@MK z&YyNtQM+O>|K-i=oo%QkZgx2VTw>`7>MNii)dr0!xJvJ6jV2A9LsRw0vJPmBb#}y| zU~Bt$Zh`}7(>ofRNb|R$3uid_Hk`P(86f<fwK0V&I5F#pN1!yv6tFtr^vrO0*3=Pa zE~H^#V0r(Bu4<!cj{v9QhBxZ8p$b_aO?O4%NDcb2F|%OftA<fXQ5tgw-<3!j4%rMf zT*EcCrMW)IbYz!~rI}`=;ndF3&BIp><vUB4(r{}IZ9c={C3Eb|st9L_^f~YMJ#%-( z;rnT;(?UPg-nR0r#C#|v;FJ?etn(}f<c8K}vH8N*=0&39n<^~Yc@&r^GqpUI)2Aho zbPH3;gu}vAByLO%`l_^taOk#u_fQ#knC>zcLmd(RFQ+rZrj>PdMxo+<J*vNhsRi!u z)S+A05l_e9_+4LFIh*M|RxXCCeE53js>HM4elixdj5jRBRznjNkrbdzKFo{eU}yTP z?eI3r^kgv&*`xsm&GHodZ_<~fr-kgcHSy!fHLM>n%Wb7z3rC5Sa8uu~b`1>1m;!x~ zT@Q}a<96H+SVU$Xr(7mi3lhzT*TG6Hu1}b8%B;#Mlc&^F9zJdI;YXOB#}GdO4pZU# zp5<FJg{fw;!NZo5DOEK`R@E48C8J%;_dR{%a2Z<oZYN#y&<RGQ3S)6vh~+lXXs*i3 zr^Au&ZkuC<C#?RIbEphkvBRfKIcmErW~|*w1SMdGen~icg-7C)KH&s3VDdza6^xzw zXiEgolgtw;GcB-m)}aawH>ilLVK@v;b;FBls}%_%-K~$uf(n{cncg=SrkWQe7Qi)A zM|)~Kqtke}U5$=s^g$W6IRqP;^V=F@W=;eoU<PZ3B?Wt8pzUmyPKd6Lu-FI3=;y@R z^~!a6C9}f7_bMA;*-?2YLS!(Pp3T*fb~rbUR^u77Z({!*zNVVx0mv#-UHDp+QT)Uz z!_};QR7cH}8ht_vzBjqo&91Jls)P|r!w3Rm1oD7;sg||`ip9LFW+|y?wee~tNC}6c z2-nb(ZjDc5bYZTjpu^uBL0}Z-0JIe;&@0FAG5z7PVFO|`Mw=pRA;91s4+D^@R7YFY z8qlOF*&3@#)U!YYRff-6Soh7q+x7V7cw>`vW^YKOu-&7WkzZo{&;-|_(eW6c9|XTi z)_xo_y!4I#c?t}>|1Ow`5JYzH3UmMcztE%Gy8rfcm|lR#I9JMfun%d5X~1Hv%uO%` z+fhH*SVqhp$8u+#VulBRV^;a5!(-C`0rLv`Z717r;k?`UEG9l!0I=9BR0?MKWHTPi zXuW6Cf5I=|r2qNxw2cH{@_$9RUkH)lfy!3{t^SMUTcjhsFVj3Z1<9X^pG~2@)}X*l z`R52d-Q~TriUSQ4bI}eX;B7YMFN*I~@JL@2yvXoI|M6P+k20<fENN1PWBo#4D8%iW zn`n(P5Aul2Wd^jWW|67l@NS-}w%=e!P53XbhR=h8r%dKv5C9fvTeT+DdqiJc6~NF> z6?*n}g@@W!mcEGWHnDdWhd)aCjWX&IIQAJu47(%h(&p3p)~d{IX{wM}=c1hZ3{+?F znF}Lv#!^NbhmEdf(JW%!QE=uIOe`)i42xejcA0UN;T|1a81qhHa<YbbARH+~^$9S@ z1;#>If!i_;OvY6L)^)JIP3&yO%EB2IE4f(^csKKXGa}Z6Xca<d#M0wgL@!wQVWWuX zvzI|MR5xomW2<q`f&AlHWg^%nP_kjvg$#?A&6_iC5$-3DDcKc+sh3q7GsfPB)oGGZ 
zYs(Orl{a(NqSIhITpKqcVX&BQs534^h6x`A`!mCk(ug+)TSR7c7i;K71I8N-u4D$0 z%y1g~yLD^QiR0t0JGgph_pMQ}NU~{}DDOS8c%7Wl5=pX<fH+qoBw<6#uw!X<f<<Rr zv3z#rQO1oH8#!r2>SF{nNQJX>J$lI)A4PXd#!e5*#fYAcG#frs<}P2jfE{%ZcMXB` zz}O@B9WKg@D>&{{<r5~QMG;OA$29Ft^~F?#%>gBQr<M0s7gKU&rQu(qaybj(2=2{1 z?y;kc5o}?&b!`DN$1IA5P}kkslxSlk4VIlOPzN)+MX*IMZR{q<86ctB5gdUL)v)el zM2+!SAUq(4b^C$2mEw^s%n)}t-(up<TVk5`!hZ4-9mOjR3K|4-kiF-$z7~Z!C$7P@ zLGPSms=HX_A}U*v9Y@)qLQuKdczer^gj6)&ThJJ3w>f%e<5u-GD=hqIjj*SCNMW+r zv3qdm#TKJl!$VN<H02>I*)_>dYwc*_N3L8Sb+oW|T3?eDV72Ek7oT=20+Hyo&d49u z-A_?p+MEF91-m>j78)!*ZGhPfGvlGMm8XtP1h(MgCJ-TN+Sq}|Id2NVAxBHC(eVTP zzRTHoC*ivLq6R;O(5B(?-lfF@zt*_V(U(QgM1CzgGf~H{=W1#yr`8-jW#VuHh2PZ~ z+q6}VVZzURNr7;<g+pM>G&abT5t@i!<y94Lp9l(MnxZ4>Pf~{%Vr|5TorL2ZBD}ye zNIb^43Hz4S3bu)3-e}2Qn3AIzq-MJf@|icMGZQHX@q5nbYb*r9Jk~*bcKJG^ZrN<z zSgYU`j2(%GA@wdX9cQGHO<S+2o6hNLP?>Z08e#MJ^4`V8?fY;^S<$@YOHWB|hDC_o zeL`-wOZ52)OGsHH;dBgccK#0ue-*-qgr=z9Q2rQr%|B0Wke2!8dp-1a@>9=4c=%uO zgK4}$Va)H=yaP59c&90xV0YCCY}B(*O-D!eZ0tKn5!PAFix$t~W#+v)yBP-;!Q#xZ zt+G-#<u^4`Dr=6KGIdvNvsrmocf0B{I-^r2Ll%KrJ4sOA*R2RkEfSnuOagbr;)UHv z*;Sid9IzM_T^Dz>viIb^^|<YVlQ-OUd0cVMi%%Pcfr7ps&gGrU&0EoOKFmEAN;BhO zZm<8hQ7(h_&C`zGRT*u^6_pY0ajUDUS$$oq!2Byt6{6+6b;YA*L~7PWM{qA`oO#_I z7K;dL^RL!M$*$8NFXW}giVlllm`wMRqa@&HnN$1tS{P5ffzEL$_H|mvmsol4#9}%^ z;AchpE2gOXG|YJj>%xkOHw!PaLogHCvxtOdS<KVdPTXV*!^@CjGD#`!MA^o`{;kF( z2kWIoTXli!te%^$HS~F$bO`o!SaiU6I<c4z3m|J9L3Um=MmQZfch27W50dmz4v|8W zMtQd7?Q;;Mr@k+}t;=%i)3Pk5+{^N&gZomdP{%f(O=Dbl6C()RhUxQV(QOYyyK9Qy zcG^%J&6&<3I2Uj_hhtM;QenZa3_kGq;`upzP-?7pJhtA}J+{-DyCdt5QD5dS%?_dM zZ0X{@b%ooqsl_dIDR%8*?P9gFway$(>fPAat_mBC8*E7Wnv2_1ytfqgs^Q&s7qfo$ zp3GQHxG(%viSj;z-Mt_f<>Ea@7xc9EB@}k`ZOoq)#XaEWvgaZgGSh8DyyQ>Gx?ZTU zv(2aUwH2;_YKq%j+t|s(K#i=0MXDM*eMY6$#i0n<0iCUFUMY%RLFI<ObPjk<frjSQ zLg*pSg`tMvGeM7fwOXUxt(*~fC-AwzME?W+l>C--r0)@5%Ig(-kk$Gn`49iyDVGL4 z)BH?Bu-6sGb2&nE;!3i$z4*}1mg0(qkv20(H7<plV#!uq5F<W3<0aGfJBDLni<h){ zZyw~_%5CI<av$S2A>fQOHz%WTN{fER&1hpR)ewirWhM=cCt~K^D75gHNRj!AKaAvY 
zn%KUdUa!9uE#0)YQ&(qMw2~?I;R;os!Swc^&1XbhN5c_Lo{29l<ySk<C-;I2(V7us zo3*{c@oKSP4rE|bzb*)u^zm(pN+ahau-TP{N9aj<E4(j5bI;IfNBhSck-VYwh=U8> zvjnT4knv(;L6XYl%<S{Fa1@f$_Ktc8QBiJWeI@))BWieSs~Pwn8h7F(@jlP1+ef%k z?oTxZYULD$y-V-B4!)WpXf|%F99y~b%8Jc+ag6saVfyGufK}!+w#o#ZbFU7e0oYC1 zyqQdT0o_u>PB7SW<7&48!f?zTLsQujf5W^2%I#1VE_w}86eIj<6+{GVC1E;ndMngz zi{3SL4@}t=%imfbYcm~SLrKDX-H@QODkRM+V6N=ryIT0p=o<csynUFAOW3V?+#=fS z*!qGQj(C9N5w=;CZ<?X5?jA{|@<|=jF*Jsgy$u?jNdGPGDIBr=WawEH=s6m#=sC|l zWZ(chX$bmL4$(go+mByaxg-J2_h@6~^zQMd?aeaF>VQk`X2+uO#tA7)XWhOE!LDQo z>6n_1DWMyMtL{`sJF|VjV(hGtsT{yIu!H>5gr~QkDxaP=j+dd=z4aJ0Ci4;_EW$jd zI)Op6Ft#3>{tQ#U#TYZ9-+!fW!j89ff?PYyw;kN0v9KNDe@lQ)<2L-%$hdddsx`$W zvQyB~1>Cc?cxYg?Fl8GGF3K|e>~ehr^1?J2CC2O<O$Y>jyd$$~o7%J3usbkk@t>4K zx3@jRM#^^Z@SvF~CSXm0t^XzL#Iqeg+x7+H#>@D^>&jc(`Guop9K-%ozZZ@)#v#o3 z)Zf(>;h61cN>SD$WW)n^f76mMEoQ+7T3eY~w`-YwU;U+UWKk*G3Jyy{>uXF`72m-$ zW!tSe;Pwcv+fEuLWX5(UoXfcNg{>rJ=H+c&3zTP#@4?y$2Zbn%*-|a8*eN(BFxJ;l zpG|Yci3(8*ReZee_D_=6jo4pXwQp<oioP4V+=v9ftv$ANzA5sG;c5WN;Pj#!H&Iw# zn~Hjogx=Wh^V6_g#a4n{WAy(E1_CVLed$LKnEYQA?iE6>gp|N*fieC{>9@WYy{~%1 z^k<%X@nBc~={dJwg8UA4wT!EDYGQ7`Wo^;5&DJtdHh8$@TQd&K9rcFQTalOuXLU<V zl&VJ5n)>S22<~eljg5=jigf4;7dYFib-!fZJh%LEv)u1f1)QO#3Y!ls?>(dVZfYB& zLlrgJz6&h{i!v^Q8%Hf+G~!+Ha9AmJqZCaR2Ec!iH4gi-(W^Yvm*bkU_k?~gR0BN5 z^*B@mPIC-~BH6OzOg)@xz_9n@c<U2U0r&{+xQ#X&`T#Cnzg7KWK~_1Vn0_;iW4vA$ zhnY3hDVX+YB3Vo)OKv;LRiYq^9gP6YsAV*1*4Z&edeZ$=5xUv+J+zFsLHxxQ(HIPw z+tL%k5hJWzYjl`aS1hXDiAu-YJV6T7sxH)XWh!M<)7kEpexeBAL=3ToL(OAZba-B* zXkFZu`j%IhaZWbl<Y;T}@_vsh!1n^wg|+hDX~n~MdIxhbV%vTW*Ol8NgtlVY#-nY` zxIyM3X&&FND+U7*7P1YO)zBx#jWxpeF}5A|T8ulc$6RVQw1q8$Z??XSddV#s6scr` zxd;D;g|_GwlR(3Zj_dnjED7T*V+=V2s>6$p3uAIP{p+2!QjB`KI7SZ?B{y0MEMTY{ zt*jgQHti#vEIZOXcC@k2ppNEUP~LaGVT4d4^ryB(LC5qVv32{l!_@_jsfPJ;$)m*o zwnvGbHse1MJ+0M!=P3eicZ}8T=;BS|!|r#so)|l=l{+@^jSHyZ=YDUf?_5<lku|Z0 zy11V?vz8k+jY}5SEgx=IEWV333|(19rjp3i5!;z$7_Pyv&GBT@DwTzs-D&g~4M#X9 znufrNUC=sK!+>;z@B!%)q{Ad#DwhKAY5%(KMc-5KYX1}8-M-s>H~6mf4f-zdZSb}G 
zqQ298i+wYFNBgRL2m1E%1%1T(miHy^Gv42MAMxJfy~F!8@73PRycfdDeahS7Jqv#B z=Xj6v)_4!`?&~ds{=mE9-^J&}C&ZtN_le(yzxyHa3h@%LN9+{Wif4!34gDkZ=g=QQ zzY6_0beDJ{Js@;DVhvms`fTXJ(D|WMC>B~BS{|B@hyzE24htO++B2kvJi)huF9)9s zJ`wyy@PXj>gSQ252woMuG}sqBH@J@ek^CUo6g(riBseR0Ot3n55TX!-f>eE5eOY~0 zeN6qSdawFz_3P?2H0PhJeonne-KeJ3n7T@>Q|GG3t5ekR>VB%G`jmgszmSIzo8ZsN z@0DLD_bYcQw<upxKCcWYy-Jr7S0c(O%E`(}$~5IrWq)ONafLWvoG6YH$A~h0pT0&P zq~E8v(l64@w41ik2D*|iq({<8R6(H6H^^VfpU9)+MsgLo)PF1@6zt;<`$fbkct!CC zK0v&K{|h`B_;ujNfx7~?1-=^iQXn751kMR0#KY+xfyTgTfkkw>{9Is0;HW?)A|UJ; zPy-(SoBqG~pQgVe-}L|1|FHju{%`qj@_*U?S${vGAte3H{xcB|VK%*<^aVshhzE|1 z<?nFND}RfFqI{bP!hx?mWP)(dD_?DbaLp@!*~&}*C4Z5FZ_98?Ym`ghlCvEAhuq7- zm*ourt?MN-5x%132dw9xNNpGy=!<fPSqJ!PmD@}ZzF6h8R?X;ha+HHl%V(P)yqn5r z@zf{f(>eG%c^(IUAs@}bpUKlW_+$A{4n80sXo8p1AIbai)O+Q<P4HHFkGvO8y;BZw z@Vm0a!SBeT32vdcN^hB94&du1cqPDp^1R=W{?5TI(hD5?y7U|euah3*;I+~(Ie3-y zunFEkzbM^jf_(t*;Tf)wzQ@7Kq&rM7LvqqB9L!2Lb8tY~!of?VuXFHX>1!OkNV<uG z7fLsBuwS}?gMHFhIe39|JqI(=bsXF*eT9RYBy0F)NUwA)PwkPe;oxT^Yfxv%M#&n~ z8FIdK70+;<bR`GRmA=Hm4U#qLGvplU3p}-3`aB2MOIL8POS+tcozmwx*dblU!L;;Q z4yGgoQeaakLz0p;n=)jbl;^4KQjUWO$(mys(k2b?)K=*d4#uU6Ik;B3h=XgS3pp5* z`Z?GlS!+UuG)ouo)Fvsz!Kk#EgN@QA4mL>E<j#<KsfVXVq|b2hY-uA0S4-z}aFui( z2hWnu<=~kTTON$YpCO&Y!PBK~4xT2h=io}Ii-V_1og6$xvgUDytdP<?b-9${V4alY z;4*0)2bW6i99$wLIJj7{R)P#!B(;V`&&|8~#dxWHj=cqON&Jf0n+QANmpOQlY^{@s zP$B<?r|u&^%fa1cz6^@H$<{K6cnI=CJVQu+&;)O#7fV$fOi7g-ER!a2&@WY6pyyrb zFcZ9mZk7ZKB)9wiZGoP@_&(s^3zEkKZ>BlP+5>K;S!qw6nvtwc;%3k5(jHc-=M`xm z6Wl`keD82D<9pWv$*aD%IrxC@UmU#BXOU!!=Xu|oR;uSuzV}S<CeKTfwd366`J3e9 zsehHcCU_(5_F3!MjdZ=wTF-9ueBWoSXE)H4Z;hGv2C~H$<KXqaI0vuut+hbUExr~L zyq=!vqZUXW^AQX5Eb>{@xeggDN?u3L@LH6-jy&eID0!V{q4$0BwXe{XUTZJ>3VF-> znw9FA>wVP(hv;JO4>-8Udp8Fccz<Yto)f%xnc%f_lK6idJWRBP(Y5qY@vl5}qWGc( zdM1c3nBX;35v|4iYVr-yS~9OD*NfJgdNsLDwAR$Cg||g(A^kEXqP2Q{nLH|5YwDMU zw?u0py^4yWwK!fysc5Z;S0Qhg`QfV&@55RguOzREr<kc%l841pEl_w-Tw#J=ByWq0 zIQW*hkc0me7h52rcq}l%FOYwVCvosK@k9$0o)k|o!OxRd#AzISSUkc4g-6B1P4Eix 
zw0M983ipV*30_WK5XW-xDRF-eJ}i#2K;dq2KNI|%@DH)x1TQ1ci{%`APTZY?Pl?vV zxeP7d!%7t%633X}XUU(%eNFIE@{FjN;2>&NW`V*3V%P-p<S8-8!6!v)g~^jYiUFSb zu&7#~@D<T-f;mjR2RL|*@5dax+GnjLInS?r_xnZSA)efEzK1MmobM+lG|))DVL=V_ z77MDUH(OAIZn2=V>DMi2HT{|et)e$s&{_0G^UIfzo2j)gUP7*+Y4iCd^Jvn7rc!IX zTug4KZD!)db7-ptRnc|}s-)JQc@epst~C=cnoZ*tG>cjj|3Y#bU1fg!LVR(x`TW8Y z=vfvtm7Z-r?kBg<WoBak5wy;NrqQM5<36&5&NdVKs_0w`s-$x)XcC=eX1o9usx=cY zIFwGepo#P(>=W<(ukMyi{vQ;6C_wlBTs5aG3Pk;7(jR<_#24u!<Y~_z@Mu^5>D{Y; zcSY!8!v7VnyXskxy~lOP-VIg9rbGv{lAy+05bIn1(TneT3J+~TIJ^3Sno5+FmNKmg zm|qiS7htNgkNSQGI-R5S#%HwEtr^hk=^vvo%>d&*&tWRHjr!Fe;nm(~uCmP9vm5?` z9D78c0L}foDFSRr3~}ee;!92LcgIx3-P+d>x5M3K+$r%2&rPS>&FVU?@_P5_*AxNT zY&8O$yE!Dg+oI35b!Tt4cH1s-(P`-D87g{C>O}g>RAC{bPA}ZtIBd9ZF$$k|dL4Yp z!)cnK7Ert@@PV*Ba?wV(4L96uK+;(sfn5yT>qQ!1AjG^;;VYx{a=X(=y(4$*CcR8@ zIf%T;-yh}*D80}|a?CeFL|QpB!E~YwkK(4)s%|YtE_KeL;b^bL))oAGI2E_vO__!w z%sYVTZz`UE^Z7>8LAr5EZ}<gAikTB3FPL^JlRaAr%!B)Q!^VplaU>J*I5NW(UKH8j zJ}e2ZR;H{v(%ufkCBryj)Jy*8G+GQonshYDU@O5oI-|FyKLpJ<&GKyF=!=nUWnncI zGZZt6vzX>D#dE^$lTWoHi+OD;k}mHmOZ$T=6N14-Cfry!R#D3cpmI6PTDiT36^3D0 z(pbYa3gbI7?uuz_XZW!<Mj&^=$c7|_S2EF_G{U~HkqCX8$~5~BEblttVHL(k>>cY7 zEQw5~nQ`dQ!l2}n9+75+8DT7fI7VVmv|lw$?x!*pO^0OB%06-!i(%G*QLcTXn|v(Z z#)#f~dynr|RN-W{$@H9B-s|ucXBuoKlHL0BWTJ~jCn+8@e2=kp><sfxmb>1{4V{{K zY$d`V!he=hO(Qd;T#Lo513W1kA91Fth4s%^5E~O%6&a@*YisO)JzX-ES_|`@QPQtS zS7ry)Yiu%bDmX_<tUplDJ#qM=bK7PV*_srM5sQvHt%;-JQ`g09F*L6&cAI4#&~ak= zNIebxeno&Gk})kD9Ess_m?_6MqX&mKMJj4EUyMiD>d{RM!%)gvA{~9YY43g+Ou@da zoxR7q=D*vg^~`9K;VzQd%PpL>yjGvEDA5L^XE-8{F|W{up>iD-PKQDjCqRX@<hn~W z7hcnME~btd=tsAl;WjaoyZ=>}&;dF@kUU*N@I_hitqq4gU9>Lv1LyB2egP0%A^iFi zuf$HRz@}<H)CkKn>zsB+?r~eUm4|mW#rY^NxpX&J^pC-%JN+BY3Wsgu2sp;DLw0$r zK)i&JJUAO&$}Sn`U!-FZinH`nqQHM61$q|wnYn83H20ck7-Nj&F5j3PyP$u3s0m#v z{PMr4pL)DTT)m#doc;45j@gaAfsN%(^u$hI5CrcwyL|X>B7dnZB?^=%P@=&0P+-^q zyDJTodi&<Vxb6`T?mfs4;YazVF6Zjb{ln{XnG1v2OiF6JP=N<}JH!?24x9yc;9iYz zm1JB^>1NzboThm|2Yo_AGRnLmAj%H{haoN~Zm(K#ugPvInOikj4zkO1l!%a`i<1a7 
z!#$MYsc}n+M=VFg@))+&H`vWrI)?i#7M=n=$Pg|hk&K;V`bsj4&)5^Y*r-{1yu@>| zt1;^)mEEAhi5ya_2%>t0IIbrVU>6m*_;r%WeK6aOYl`9%o4c4#`d&iB#SD}GpDl#` z777LrR~IUW`+p@rCcW!x5I;w*^_+-Dqx$JNqyK;ryzX=NTDHrlq8qJU>Ke~<O~tF} zxZCPo)vsH@GkPUgL@g$!WpM?V(JcGdj4r|gY+;xWclW!TSwvz;GM9J=!_KCX6<3&f zA!9=y9>icuzSb(x8o|~*76y3=vnYvZEdbiB826^Ut3HZRZ(I;}>n(^hW%!cXnF6iC zo$zQbOhK_Fpp=8co7(&LS4|C%O&#UEwZ#(r6<C`P&=<lOd-2*46%Q2iKep73Rs^sU zR91N3L2G4RV<L%vShvGD0>Vdbn%_UpkkwBWHg&mV_58h}J};h2_D%5rUZ;*ap3>;< z|9Qu--gM63G5upz7M26o|L}<K2wnv{{Z6*d&0A9J$+c)Bu=~@}!(uWnNJ;riwt81G z!Cbv!B|zw}!VQ0YqOlt{`_NZlUKLv*Q-uOR2d4Y{x+T@M_**h}34el>1Ka>qHNb$d z=!DfpY6jNJu<(mPmWy%9JUJo|x)Gh+44`Mq>7Xw#YWdpex`B!9EvnX<x^D#~DMz>T zoYudeVmb)`zvGCRyBJ<9L51l|F1@m@u6Ta!?2UPJhODUQ;wDy2xO{LnuCsq%Mc81e zeK~?K{6|ZDY}j?}@E19pbB|rj&4pP{N6ULx_wS<$aA%6y7IX>QILEcML(}1A9Gf+t zpnp@wH;=;G(&%TAMXh;_Tj_|D_wTKmQ7C)-E|$bte-^VixXdsAFf*qDBGRT<Gn3cb z9z8+mB4*5T@X5G6wp7*CEzl<zgcyBP&Yi}lwX-Igkq4Xt?Y#^Oazmi)n02-F@U#sT z1S~5|gQ7TSUNMpQa{q~TK8uq#11Di<>$OHBOtr$bxUA^kQxWE|#l@}8Vh8D51_quv z=q_&D&R#orM0Jl>kk`+#cJ!RyzemCQkwbgM(jXmKNpDwZoLNa$M@wbG(Yju(zufQu zG*#H(a*AX5c3PCs*`dvtzO&;Ihk_0tnOyj4`<1ufXu=!pl*as`vr7gujznT@Ec!|F z1ZMMiMIA(8=YPdBQwTm4l$CVg3jc%hp_1UO6;C7oL~`k88z`{pu>MIZQ@qA;WpCGU zWn29B54ZXLSGe>4WLI$(^ML6iL8sR-<a_J;4^x>*05~MLKyz$U!v>ZZu77rgI1`^J zd2LFKbi8QnKeP}s#i4xc*5m^|Jg+p$2JReg2Z6rqyY#wstfr39wCULXi9GICLwWCk z#rIRQ7A<3-vwh2Cy$+mv|$^yu&z6u_FibA%kPAapTSuH_Z~*1$IN)jBCObKiNeW zG=`zq$qGgojV2uzd$AN#W=9EaEJ%srtudB1LUtGr%_r9VxD}EQY$l#r#hN$eI44`0 z?uNEJzdSc}-}SmEi;<K{9HSdt=`q#S(Rgd5rOI-N8cS3oIy#GsfP4SSXfl~dRw5#9 zWjoVltRC&nQ=w0Hi2Gp`b#!0vA^j6n;Z#Fo7aoBe;fxGkehKV0TH)<6sV{+TfDt-% z7@n>ISG<sxut?dFHt5fvV`}4qe@~*LSX2nc5wzQ7!8{~}yIout>^y>u^5(VOZmHc+ z2c<Uc)jwV}<EHhtx|U5wDdzjzP+Qk)J7Ftlj6J5s$({{IF-uj`;G^u55a<Pc_EE$( zFl;`IQlJyf?rN+$@tV|Cv1*!gEe561D7zG50xF}knMq4ST1V`$Ht2{ZVG?AF<8=3^ zFLeszcC_7;s!cIY&e1nL3;PdIn450nMB>yWE_TsBOh4?jHFihlqhoD#s79aGfA9#G zQ*QBQ(eAvn&mg1es+EWb)l%3viW|47tp6Y=L?eC(j7-ie@10k?XVjT47THEI$_OGw 
zgc<hmvhyb0e+(!x%0V`|yPTC)(3R=krUZ`d$Bewr8MLhbz(Q2W^5PyD{=#tP;)TrZ zf3(q|h`w`1U}K_neJZuh6UxdCi!k>!=;m?#6{>I^GmqXp!!^)q3-)ZL$z#zCyfZR% zs(9HL)<n897VR>w-;M1a`&>7(!%JEB<;-5XJ=P9MyLl&qT@p-(T@Xwm=i&+%USZh< zev&!kMb_wg=2Z`@4IU4_Vn_7WD9kF`VkunxCm1u-$)fy3^p3U|MEkl~7h6A}8V|A5 zL)#ygRAz7n>*jufVPX?aPGt2(HNdSP%wDrmoyKU|F#HDZ#%gEoPdeK_4AzM8XmIqG hVCFn5gHaQfk?s7W-ZXZCn60RnA!0L3TOFdd{|EB-B8mV2 From 5088266c2529a86ee07819d8d0919509547b8204 Mon Sep 17 00:00:00 2001 From: Spyros <northdpole@users.noreply.github.com> Date: Thu, 17 Mar 2022 21:19:06 +0000 Subject: [PATCH 16/26] fix index links (#178) --- application/frontend/src/pages/Search/components/BodyText.tsx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/application/frontend/src/pages/Search/components/BodyText.tsx b/application/frontend/src/pages/Search/components/BodyText.tsx index 02dcd34e7..e1167db79 100644 --- a/application/frontend/src/pages/Search/components/BodyText.tsx +++ b/application/frontend/src/pages/Search/components/BodyText.tsx @@ -64,10 +64,10 @@ export const SearchBody = () => { </h2> <p> See the CRE search bar (beta version). Try searching for - <a href="node/standard/Top10 2017"> Top10 2017 </a> + <a href="/node/standard/Top10%202017/"> Top10 2017 </a> as standard and click around, or <a href="/cre/482-866"> 482-866 </a> - as CRE-ID, to get an idea, or <a href="/search/session">search for "Session"</a>, or an overview of <a href="/search/>>">all top-level topics</a>. + as CRE-ID, to get an idea, or <a href="/search/session">search for "Session"</a>, or an overview of <a href="/root_cres">all top-level topics</a>. </p> </div> ); From e98f085282ae7e9276123e3272152867e1647785 Mon Sep 17 00:00:00 2001 
From: Spyros <northdpole@users.noreply.github.com> Date: Sun, 20 Mar 2022 10:47:08 +0000 Subject: [PATCH 17/26] add test for root cre case 'related' (#181) * add test for root cre case 'related' * make root CRE filter ignore linktypes 'Related' --- application/database/db.py | 23 +++++++++++++++++------ application/tests/db_test.py | 22 +++++++++++++++------- 2 files changed, 32 insertions(+), 13 deletions(-) diff --git a/application/database/db.py b/application/database/db.py index 7241c638b..3c006fffe 100644 --- a/application/database/db.py +++ b/application/database/db.py @@ -1057,12 +1057,23 @@ def text_search(self, text: str) -> List[Optional[cre_defs.Document]]: return list(set(results)) def get_root_cres(self): - """Returns CRES that only have "Contains" links""" - nodes = [ - node - for node in self.graph.graph.nodes - if self.graph.graph.in_degree(node) == 0 and node.startswith("CRE") - ] + """Returns CRES that only have "Contains" links + Implemented via filtering graph nodes whose incoming edges are only "RELATED" type links + """ + + def node_is_root(node): + return node.startswith("CRE") and ( + self.graph.graph.in_degree(node) == 0 + or not [ + edge + for edge in self.graph.graph.in_edges(node) + if self.graph.graph.get_edge_data(*edge)["ltype"] + != cre_defs.LinkTypes.Related.value + ] + ) # there are no incoming edges with relationships other than RELATED + + nodes = filter(node_is_root, self.graph.graph.nodes) + result = [] for nodeid in nodes: result.extend( diff --git a/application/tests/db_test.py b/application/tests/db_test.py index 1e5924e41..537da494e 100644 --- a/application/tests/db_test.py +++ b/application/tests/db_test.py 
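Review bot: In `node_is_root` (the `get_root_cres` hunk of `application/database/db.py`), the `["ltype"]` lookup raises `KeyError` for any incoming edge stored without that attribute, so one malformed edge would abort the whole root listing. The `in_degree(node) == 0` branch is also redundant, since an empty edge list already satisfies the second condition. Assuming `self.graph.graph` is a networkx directed graph, as the `in_edges`/`get_edge_data` calls suggest, the predicate reduces to `return node.startswith("CRE") and all(data.get("ltype") == cre_defs.LinkTypes.Related.value for _, _, data in self.graph.graph.in_edges(node, data=True))`, which treats an edge with no `ltype` as non-Related. The two docstring sentences read as contradicting each other; `"""Return CREs that have no incoming links other than "Related" ones."""` states what the filter does. The body of `get_root_cres` continues past the end of the hunk.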
@@ -158,11 +158,9 @@ def test_export(self) -> None: collection = db.Node_collection() collection = self.collection collection.graph.graph = db.CRE_Graph.load_cre_graph(sqla.session) - code0 = defs.Code(name="co0") code1 = defs.Code(name="co1") tool0 = defs.Tool(name="t0", tooltype=defs.ToolTypes.Unknown) - dbstandard = collection.add_node( defs.Standard( subsection="4.5.6", @@ -181,7 +179,6 @@ def test_export(self) -> None: hyperlink="https://example.com", ) ) - self.collection.add_link(self.dbcre, self.collection.add_node(code0)) self.collection.add_node(code1) self.collection.add_node(tool0) @@ -245,7 +242,6 @@ def test_export(self) -> None: .replace("'", "") + ".yaml" ) - with open(os.path.join(loc, groupname), "r") as f: doc = yaml.safe_load(f) self.assertDictEqual(group, doc) @@ -1169,12 +1165,13 @@ def test_object_select(self) -> None: def test_get_root_cres(self): """Given: - 5 CRES: + 6 CRES: * C0 <-- Root * C1 <-- Root * C2 Part Of C0 * C3 Part Of C1 * C4 Part Of C2 + * C5 Related to C0 3 Nodes: * N0 Unlinked * N1 Linked To C1 @@ -1190,11 +1187,10 @@ def test_get_root_cres(self): sqla.session.remove() sqla.drop_all() sqla.create_all(app=self.app) - collection = db.Node_collection() collection.graph.graph = db.CRE_Graph.load_cre_graph(sqla.session) - for i in range(0, 5): + for i in range(0, 6): if i == 0 or i == 1: cres.append(defs.CRE(name=f">> C{i}", id=f"{i}")) else: @@ -1213,6 +1209,9 @@ def test_get_root_cres(self): cres[0].add_link( defs.Link(document=cres[2].shallow_copy(), ltype=defs.LinkTypes.Contains) ) + cres[0].add_link( + defs.Link(document=cres[5].shallow_copy(), ltype=defs.LinkTypes.Related) + ) cres[1].add_link( defs.Link(document=cres[3].shallow_copy(), ltype=defs.LinkTypes.Contains) ) 
@@ -1220,6 +1219,9 @@ def test_get_root_cres(self): defs.Link(document=cres[4].shallow_copy(), ltype=defs.LinkTypes.Contains) ) + cres[3].add_link( + defs.Link(document=cres[5].shallow_copy(), ltype=defs.LinkTypes.Contains) + ) collection.add_internal_link( group=dbcres[0], cre=dbcres[2], type=defs.LinkTypes.Contains ) @@ -1229,6 +1231,12 @@ def test_get_root_cres(self): collection.add_internal_link( group=dbcres[2], cre=dbcres[4], type=defs.LinkTypes.Contains ) + collection.add_internal_link( + group=dbcres[5], cre=dbcres[0], type=defs.LinkTypes.Related + ) + collection.add_internal_link( + group=dbcres[3], cre=dbcres[5], type=defs.LinkTypes.Contains + ) collection.session.commit() root_cres = collection.get_root_cres() From fbe92bdbc4d1ea7043d817a39477f6d536bdfb86 Mon Sep 17 00:00:00 2001 From: Spyros <northdpole@users.noreply.github.com> Date: Sun, 27 Mar 2022 21:43:32 +0100 Subject: [PATCH 18/26] new data after fixing some typos in the import corpus (#184) --- cres/db.sqlite | Bin 397312 -> 401408 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
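Review bot: The fixture now links C5 twice, but the docstring updated in the `-1169` hunk lists only `C5 Related to C0`; the `Contains` link from C3 to C5 added here (`group=dbcres[3], cre=dbcres[5]`) is missing from it, so I would add `* C5 Part Of C3`. The `Related` link is also stored as `group=dbcres[5], cre=dbcres[0]`, the reverse of the in-memory `cres[0].add_link(...cres[5]...)` in the `-1213` hunk. If that is deliberate, presumably to give root C0 an incoming `Related` edge, a comment such as `# C5 -> C0 Related: C0 must still be reported as root` would make the intent clear. The assertions on `root_cres` are outside the hunk, so whether the expected documents account for this direction cannot be checked from here.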
diff --git a/cres/db.sqlite b/cres/db.sqlite index 9b104ddc552ed47039c5215785c0d6f9359ed755..0a82160593f655276b337593204c9ab4351368bf 100644 GIT binary patch literal 401408 zcmeFa31D1DeLw!*UfTOfaU3Uc9KYC>ZN*+`?_Jxm9a)zZTb8Vq?cB;rT1gwPw94+v zvU2vVb8tf_C6H1Il%|xMw$N}>pn*cmUCLdq@}rbeptMbCOaGtmytnVY*|&}(+o@>( zt2V;=&YPL<eCIpg`OeJu$Q(VKujJ(EVred0kz+!uAd15EvMdO}1wjxd@L%mGfPXk@ zf8c*b)4$L1PqfiFd|$w|OYk~AE=U3Cy@98LKX8XVFLK@4^3RTs`=@IE=i2Dnc$P+* z;3fr{6!<?*0pBL^F>Q$W=ZjV}+G<H^S+{Yc_)x5pohalcOS$nve*R=x|3_=jXkYhO zpFGxm;BcS3Nr!Kew|hO6<%OJlynD3gVE5=w+3VRfQz|YlY?23$jP(uljmk%c$K)f& z4j-m6)NBav89tI38|_9FdEw+ZzGD5$Bcp>u-J>_jhx%@kw`=Y0lu_J4jhQM<8<oac z_tb{mKRntuIB<lj*J^jjqka8-qkTtu`ZCmzygfhlOpW0aOH<VUvuI}VuJMIzz9b(z zGI;b@UmgD54$r%V$ckp^j4RNxuA@VIXh5H(`Qnsms*Jya+<eg(jIu^kMuccIT~w=K zfr<3$e3?7oW(`g6l&PJ@R5sNkI-f7C)%iC!#s<vrH**0)#5{NGiv~PUKY7M5yd8Uj zu64s5qL81T%AGFXRlxo~o?WaI+23pwtaHY~;}IH_@wZgH$=9-O?OO4nwQLrtg#Pn$ zGe!`ar~Fhy>d$BAxD{8<O;+;7dGjJHFHSUoR<bi?^H-;GrE*=xsT`Jlexbg-dGjjg zmNX61+$PT&Y$O~*Sl1h9%|5Fw6dK-6SwkQH(1!v>A~bf&CM0*t+8{c-9ozh_b$iyH zZDOd8@d*76_#d;qV?}GP`Eip1t4D!It7~1~#<TG?2^f>CVgGECo))vKhw%RodR9)_ zTh^^vBc9n?+l?^~4o->#@C-scce;`*&1Vba5b`GN$t2p$;Chi?FUfhSOFf@U=+5Ww zT4ej}_;fy3m@4afiYk6h=s~i!J6!8_t$8L6q<zk*bcikMcI*(V9!8XGAvZUXpB&dD zblsmej#zbtL^!S5`26BrjTGBs(GG6+F^#*fh4F=xlRObj?O{lJZLW1kcbsiV^^Ha9 z0Cupro7kKV^`i7s0sr6pX;Pp`fhGl-6lhYQNr5H>niObKph<xy1)3CSQlLqJ|05I# zinjLHWHJ$nrqZcMHtEH<n&<!jBa_=4Mw0?f3N$Iuq(GAbO$szA(4;_<0!<1uDbS=q zlL8tABzwEZeExR=?v%bqrG3(WNdF@Jll1rMpIU|H|1>Gkq(GAbO$szA(4;_<0!<1u zDbS=qlLAc&G%3)e!2c2o#H+)=w4>_7@2iwU`0Z85ecyG!CjFt{4Ce7~p;!7)FfZjL zfADSeXY;2?fhGl-6lhYQNr5H>niObKph<xy1)3CSQsDnA1%m%Ay!;{#PL%k@F4^z6 zYrU;+9>L}&b8>ldHaC}*5%-0HqI69b=PSASN?9&W%jHUGak8>l%1y~r*-AE<h=ro@ zs7P<s>6@L(w)Nt%a!$@JER>3;@Xcgtd7)CADP<RC^OJJ6FjFk$E3<QDIX^GY<mPjw zEQN!ikSw{W{QQiZou8tpEBWdCBr8eBBcW6x)s5zN+~`!US#Qf^=kt~P-H3~qFXUM4 zg1KBJOSs6>rQ)2tI1dcV74(g+X3$N3S_U$cxpJ90$d~0(?yki=29Qi8LXl)z_&FNi zu*Y$7y?D4dBj--Bp_Uh?fkPhuE-cHHA}S#YK^EcoDziC6UMiNRa-~Ef5emoC>rsC# 
z{<Hje_Bx8|#U7pni)diJq76?j7pE&rS;SPJfluX5<$-4+oe0Il=}XA}|A6oTLHdsL zKIyllCFxcv9Q;M_)4}HjZx3z{JRSIhKsgW&xcxuyKjDASKjDx1*ZKa__j%t#zT>{j zz5nQanfHV@;rUO`yF4?V4eoEdZ*+%Se$nz+%UvzquK#eo)pe_@&H1Er$=T!hmE$)Z zCmeqJ|FeI<{(SqCeXs3{w%@WHwb{gviKoT&Kw^bIw;gB^)(4awfkZSBiX|i6#;|kp z#Iig*HUg@i%+1RnMrj%Jlo!jnQYcT83o=j1SvBwwcyMm9P|3^F0N^W?Mz?gc=C=hj z{<x?-H+Vg3+#ZOABVg_%HO_F*P(VN?^ArNZ?9?0($I<}Lp2~r@5q|?8=gNEcyFiAy zKsc2Q#Z%z}`68ILL@R;XU|divVO`CG$+Be%OjMko$}VezEf4KunD_$mbSe}JCq}TS z@`&G5WI>e5#FwY?xh0|@7+PM)mdi`vOrmBXTduIxi#0f#ErEEs(t*8%%~Bv43x^V^ zRCl3JTrw)n<_Zf4+O!ksPZk#0YD9w+fO2u3%|#aBsFtt0j@mdGhytT%BEkrdHAfLY zsG|bb<V+4xx#l58NL=X4NG@a1&hB9Y>Szy#qoH(It$t2f0ipD)goSCPEw}F`Jog5Y z=~yTnOP&CI3J?J@izx+pP*DS0ZQezn?Fz&oXD~@an8rC0E|bN%IgCmbLXk9Ut34h| zgi_&XkGTxAXEF{_%-nrPimLR1)bUU%7UQe%4753^q5!X-P%@s}w=a{MgnZ>u7))q9 znTW?i$!Mgv2pU%)l}_cd1(HcJ>Xg6-#(YjKmPp{~OaTc7kz88d9jE?g0;yCq6icMF zmazJaPiMiw;K~v)WGPpXF}Y=u)8%}Oq0tjS#ZWpK9#ust30O=v{vX^4UaVk2Pcy8_ z6i=)GEDOZn8cMnOQn65&BW#zjl1R1^W`r%t1@t@A-`x`>G?xR3bR+~JLW~A%h%mK* z$a6Vx9M&DS6JinkH&d)&r_u*fjz*}F6M<+d9Kuv&a*(n-^|c|EYx9_!+8?GmcLkF1 zFeF#JwkKvMX$!%uKwcFKY;V-|nT2erQtpEEVo_kGawobNkv0av;GtL~OsIDs=<ez2 z$1kc#n^o5|b`u&6BhF5??WojPWc$=8eM_Ulnw-mH?*jD)J2fVVh2x=QG6iu!Y%F(= z49eM=Y<?a~esP}0hpq2!CPNA5uDRlrzM;z72YZJ{JC1~Ckc-=r5wLVTUTdk=$`qCh ziQ8p)qEuWWgu15kWtD&AY^9Q&JX!83&QIrO7S$bmXeUF>7f2@Kp>R4}qZ+!-6+#o) zGGU`3#x{0&qF9+lQ}VG<AdhL8&Ld(G=C)j1EKT<AAoT7D#2~4nX(lELIg)4#rTi)E z`w%h18Eg@gMQr!#?3b4ztLEhGSh)+udGJ=bqw`v7WjK(GVi87|9ItPMD6I9FD{twb z@Am{^Nvy<JtTu+aI=5_RL*0h04YLrA9friH$Q+Hq{5-obQC(ihO|p3?khC|?5-45n z!U`;vcW)yUW&-g@G?Yk2FfUBtYlE9E<WA=&@+5~DZ}6RL-AZ-$2hx!gWNW%NH@_^; zV|QQ;)22I>o6ce{Rh;c?1os5O$uPF1C^2YHX0)G{u_hOFelo2VOd+=w?8Lr@S;cw} z;j1Eo6oW}?3q+k1l^aPUK$6zi-?N4A%?BchXebp;sC3kZgq@9Ts$Fy0`Rq)N$qKIX zgPYkHL~KNH$cIR6vVamah$8V)jl?Qm#AD^$Oer^`{*5`BTCC)A<%63Djg#%k1a`$F zaV}|#brWb_@3hjPr(ug-&Xu}Lle37@$W-FNYZy-UKqQ$AMH0ZNOe?%H3pUqe*K{^t z2$i$bP!gC9yikCe&|of8G9i@>Bp`$m$>d=OVd&I_n%YPzEJU(QYR4RgstO5`5%NZ= 
z7z?C`=TqT*`?}4HM&clKwbnFrl5iZm8N@o44pVfg50y8yIinecUV}}&GJDGgHaw}F zcB*(JHndn-#D>p(&s2XMO=B%~%KFx-FX6J8b{$s{R(*jm1X4H|BTd|3g>nu!GS!Mi z=XLAp(~|*B{a&Hc9=eih4+SFN8}JV6s8CSnht?J838%o++CkukE7+i&s-_tUv+qGt z6Md$zteJe4mvFWzE~4t`g(8#UJmMXft7D8~50A%FrZLub6}_n|*3qZ!fjIP}R5(eW z))2emGPNjz(+B=D6R~qG6%AwKiH5?7<S1AK$|m7M6HltCX*tu>UP|AuZx1J-jU~d^ zb-S<uoAnrZ4SfN2O79BAqBMG(sJMl=?-Kf=h<%!!T1=H|YOcEa87DP3?Z|Cv4~ZzY z=t!yu2Q#8A+Y8hUXKO2cu|E)rCqs!uk{DW}J}F5C_jXJ4-EHlWNGueI#Yn16;=>a3 zR<;=$^#~VTc`y?&8f0Cy$6_%MBn<*$X<z{qq1IANUk$agX_U*u0d-k`AE6V4Q|De5 zB#Mm2z<R1Yf%GL|U+VM|62pOLoGFC8`7(u0hFY%4kWA)q*Vy4qEjnpA?xXK-38a!K z@Ji%39iNwJ)fS;p(TApEH+F#v>2mWk+r3n)2OD;p)Ewe4`W6J8S5;#iLh=R3uX4AC zwZAQn%{UoLYVEU+bES%^S>(!W6K6+nItS$EAy*9bV4Ito=!QC+1YMz1P12zlh!xPG zNz*RxZlMpMoW|*BozRriY5H&iN(Y^IbUM&(Rh%pqm>?bN8M)R)b-UVAQFM~T{<lyl zE@RWF6c>tx;>@ynqOWk$x9x!l6hkP&=J~wJK}BoYqtP_jErM~HOE=r8bXOpb)t62u z40eTf%akUpvU0nPKHAIF&O|b8;#iLJHi-0D2vmVQh^AFpZ3q@R|8EiQ7lOYE_6Ob< zctv1`Kjizk@3p>!cfj*4&!T6i`xS0)%lBLEX^FZ%>3YEVxZ|gehaDU2|89SoeZcm9 z+o;VWeoy?MI3|XLPoSX{{S2J&3TxH`@U!7$&xt;q_c9eQZniWvTd6FRcXxG7F6BC* z`jm2=P`taCQVR`(o#3%5yHKNZwlY_kIqnnIUcnktuIbJk&m50-raKe$t<6AoE>3iU z9lC~3bZ17o=+mx=LUE$&RJ=3X8STRFuH1ZA_;e%^Ivx%2RPCIb+H}k-Y+lDY3LF{C zjLGRRF>InU+PSON+sv31nP{hFXcvymmJE<t-vF6NClIQkvt{(GU&W2D299!55sM~k z^`GTbpoTgXBi7NUJ7e{&UHIq~&#+Hu?@=dxN6#$II^*TpT&_|c?Zd=$m&@3Xm{P~e z<P4S7qk&7vY(=dFk(MiW7MHT+1;%WqqAqH2+-PxJ?Txj_20d_uqh36sGsCl_9%`u6 z8>**XyffArsYiPy)Qg6W$3xxhWEq0Mq?08v^5L^GvOZTchw71`RrMS&^6U-hNM&Sw z`9?Y;It$l`xRPNvUcbt=K`>2LWtu^C8rA7Hq^z8&(2Wu{wh_AffTDn{oPByhJY;k* zUh81o=)l5K%EUpRFx<{CtsdQeA~QD7A)m-i$Qin!AT4rC-DKr~MeOKQ9_k)Dcm!8W z_1t3c^wQE&2wU2n*nLAwxrq?l?a@|9+pt43)E0zcq$?gmXXD+*fndDW@wnD;7j6i6 z0cn(^LfS{;IQ@>F$YoECk7zfC<0C~V@5}1C8Q|6p&RF%hpJM|+4c5?Xe?tzkG<V?~ zG|<PPjN5}1qKq2qQt!2{u3d&ezIZ&prRS_0K+5P(X*qzE(XFnG4)e-5lv|dEj3e@e zuLLwWZZv4+{I%V{WLU){WyZv$Bth}d;7SAM_KUJKO)p4Tovd98UIW+jGat1qv~w_P zEUIZM`y0)?E_N^8%+Ktzc9eKd_TrO!4PiC85@D6DUp=cJtkPCtrOUdb+O_m}_k4K? 
z=O(6YUe}1M&%tiBWlzJEo9v80-_-eKW_KfWEX;Y~qEESJmp;p9>?@gNi#oIlv%JeX z%lekogFF72+&H!>9LIB&@qW{D6lsNQ*3*s1Y*CXhoXlHN4QD-pS;xHB){Ejvo<;rb zXKxg8ZEzPsKB_GmJGd&74fR(^B!Ej%mDndZi9K6XZ>i`$;uyQHsx2+KwzSF@0mB}x zpK<gv&iXOb6}=yeL{}b&8w~AR2}4^Hi&bFg2*=QddRZPHD`n@)3&j$y!^i2>3sf1` z?n3|}W}nX$7*o^v|4QM{1nC=6B6ucvRp5((E&d_j>+!PR?fFgjkKFAoPqgfJy~Wk* zR2=WI|J*)r`-sgazCrY&(yznMK#bdz@t{^)Ahm7u9Gfy~FiI$EqdsA8o65ttvFico z|3xwpz@4Uca4Pp$);pW{5bl3Mkud4jYK0K)xag!+4&i}6-3hafDcmSd6(`G``6Asg z6!2D2u5?W%L;1M{B$~i6BQynDl1jD^sy%S3Vkgo_>{$5k!o`jf4f}+SA(a3{{c<A_ zlTRgjx<k9<K{7d@M~{s93<jEL*LY<M&C8|9PO?_$oGG5_0vYMVQSK_`%O^v|YfD#o zfv!(r-czGi7hOQ(ArA+WEFL{JU&HKzK*#;;-Lp8q7gBI5GHOiZN_z<@Wk(l~-hVcv zV?Y`Q5bfEh?=-#T&g51L+n6GD`h;sV9s8QG;zA@WgFjN;u@Ih()#r!tUOYdH_tEV> zE=KE7Z7gPp`|!HbMQwF;$HwV@&(@;S9RkHpHl$dlCzO_v$nHpHXfTr*96ll=K}r8$ zZ{Lxz!S2I@V>ij&M|#zqUZeP{9=XZ?iCHHcm4iDmh9z|jck!%>@<>u<5>R{7COZLr z)1iH61P{E~$z{2_f~Sj#MJ&YC8c8InT)zWD$v2#iL0WYg?dE=vy$jTA*4RxrfB0UN zF%XKmYYhptfnC0mdK$0CXC)FU96BBeneWnZW2Llp7y|m(Sp~GN7T4te1q$exdP$NC z(d9E48HCg~LnfSa+ZzpC*U@SyT<Fm6+Xk_*SLKlnCb5wiKTskAw{i7)Z(Q4@>M8$h zghoOY8V%c14r~RF&NbvwEVn3l6!t0llee}#s2X3cB%77#<$B!yr({M{+1idlBpME) zyC;;C5BGKB+8BAKjt?G2=Fe3@ln_yNYyqN;w=|R|<V@d4_h|PRiRa;dx%b%EU|(jn zuuUi(n}O|~vyn9>clRJyX-4ilf<%@*eM8tvRtwjd64?Y?2UT3_whd4=8kf~|RMYn4 z-rB4CYM~sBD;?K76MdsZ-{E6OJUi5Vq<dgh=^ItXWWUg%5Pbt16f1!vae1U~bZBsF ztgjb%69;GH6N6(1hmVcPs+Q3|*rRdwsN8*Q>>z0#DrB{$AQD%0Zp0L5T3elB47Q2L zBg2OWdsN+MWOTTvulE?<i&hQafvdR_Q7mjZvYg{Ygc|DRwxQAHX4zjabaPX>t^#=n zRHmsX@3ByftwtP=NR8`;&2U8?g)L`ks=PWB21d%3^}slCHjJZkAH5pMFn53@%gkz_ z8QpZ{S)cgymvOJ{X5o<VO98h3%hFBK9_jMnPlF!|zB*V5jt0ZQHrwgIPXeC~JR#mI z{L(fRcz$3oaJm2A{1x~C_;8r{yzfa{)R*@qy<heIvG*n30q@nG&wC#C+~7%g*15mt zehK^m){23ae`tAAOQ|L7`WM#+UBBTv==^u*tDWQGzd5gUe8lmXqXfTzcHAv|)c!(y z#(tIU>ta@XEo=*3CA?R=V%X$Jt+(k`%cO}RZNcj==>Fjn$2w|q>_9KFA>a%e7VniE zvGukCF!zK7!ZIEHHA6)*c7(Bycz4usV!f@KnY5F^Bg~~v6;<<XV$R_#tbbq$0)?y$ zqYn62gvGfl9oyF1dWyx9`5c{cVXhLvJwYNC5wq7g66&Cs<*jU-iz6x6y(h!s?W#8l 
zZgy~4AmdJF3ce=;#|C@L%nFQmd|_5{WzBk7{Zu_C*UZ{s{~3;=;Ye7#ZMS0vSmCH$ zs<+l6+Nw@2lLhijA;TnkWeLMDDw;@%$G17UK?59`G=odSsF~Rur_%T?8W(TC<WO=6 z{H$?Y!6=RF%?UEEO2)<IjgAN#`>_FNT4N#F1bRoiPo$G@^+|-q)0-T-$g4#+hB6tx zXjU=yjhHRdCzuS?luI-6YP;T1Cd$KLxdc-olR=rRnMIdj?n5@ic->{QNh8H&Z#o*q zRZdv=X3~*G2PWe$W**6zA~J(B&2%xL+B#mHLN)4_StjM=8$<mi7^sJaHGc|RN5Bwv zgzR8pQCV1yr^9%%jR>DhI>z~WXoIL68iRk7UcFW=oP^IyIxT#*%W>3PZ8SHXgOPqI zq`tE1-9%x6MWgx*<6#56gPAdAkY(6W=~dv;5Q@Z8!e2!k$IM+2_LFAIE4>C71UBPo z;V(6=H(6)J!58UBOsH;g>?Nw246<q*1Y&C559#fWzWR@7acMk<4>g~MRNkp@U&0{- zwvkwj6LkFG>wrU;MJwD-CSfwpoDbC1Di2cf^95M$qX#lJMO}3%6_z99MG}b|jyrAv z5!jM}sTUrw(Fktt*cut^8fJ~dIEyaw%BgfT6ph7&Z|rj9s1jbjnYmo;j)$!j7?}~_ zYR1saM!%fGw5Bkv-x+r*5s;u(mAqz{!7*E(WMEuk-ZSu=AfkYU%SF`)xL9DmIUoZ* z1$VOwFa(B;JieVGK8U8G^GBRY0I1F8VDPpGBev`mzNI@ivMpoA!mty?0AZWQa;$3x z`SSMMjC^-~0jBkH6XlKw)@ve?7JjKRJ!_2_*OS#GoQPmbM=m7bmI|%GN`5ZKD#jzQ zdy6K7C$57_oQB0S)Pwmk{N##@<Qg%Ri-JbDHxz#V*>y@beN#n9zjTaD?vuhBcRTVR zEkl-U*B3Oy1eh0U4h|ELxRbc9HHv6)W1pDlb}ZKLolrLlNDRFmIc3dYU!XhpX>xp8 zg5kqFD3~k9!4j!dM06({x9Kgw9RV8+tHmrjCUTGtIZPE<6%r>!Qt%FoMum4Ca4b<R zy1mqqQa1sbA@~O|Pbivu;$8Eo@aP;$gcHJVbYM-{deEq9tZG;z)9lbybu12FgGfa9 zD(mb(p$OK%E(bH&{N4KDo<2q!^?s1*W>HQ-WF!)C;S+3>Y7@EB*p!GxyTFqR>gv=v zjvOqpD<p9EiU~hE<WyR)1GAo0OGlU$Yqe=n)7LPneI{2-^2JJlV!yb~F}Ge^sWY7B zL$`l}BLqC^rYA;TLg9$;;Y%IsQ3|$NTqx5DNTrhE-eIRAVPia1L_%!Uy@pf*)jbqO zX0W+cP4GD}MuSqXlh_);EX2bwagId9O>8^Rnlt;`XxlPd)-X&hsD`v@_<$wj3E>Y8 zI~Cu0QLR^FY#AoA^QxY*Q)L=5)@J(=A%H0*VaMJ%$_wODn1X?PG98)T?&zrv3G$L- z1sJ>LC(|)dBpDMv+3$FODFx)9q5DuxEao+SG#DCANX$irX)9#PE@yfNqo5&7<%PGi zy#cy~NzfZM)Z||ULswh7V?PFHe8d}QYX;n{w>p&_b)Q|hOQ_~(dO+0!%_xxZa4qLJ z5w!L&lEieTVhJ&>%3BWYgJW<+Q&|HdWQqhZP|VV7G2dcr4yT#dY9=$R`J|>{z#flA z#4VRQ+A%tlUx;R@e;M0xy0ImYX;#f&#<b0l`oZiYF`dj4I1C4}R6Hqse=8I_QB!W= zl}O^7cBq<gjD*4H;nYkwB$4)6tqg;BHg27oOXyxjbShBI)UKFYYHh^o7684B{I(eT z(2l`G8aSB#y@x#hN~)N|o=9&yCiw}O4W}_u=x9D57|G8|GaIJ?#lj>DQ^GrBsNUKj z3S_}v8%a4r_VuawWZ01bhHyPHgfnZLcC^fJH`KT6GHsgi1oj2&DSyv=+o?jmlM@kq 
zlIj1Ny2(*L&Rp5z!vDJp5=VrST^G#qYS#MY2)0Qa7Z%vM(2qY%Sv5`z3DT_MQK-!I zXQZ0$9)Yns)H3lprd8|hV0$<GPc_fb<kgNYQp`v3QfD%ujloVGE)QZ%JF|?G$lrd> zWEK{U!e=y+5Tms(n8Jc*W?T-d_KH}$I7Ow!h&GxLPNl)tHU+=gnHbze5{dAgY`5CC zPdh_17Jyz0TGl?qkTFw9;nh1GhX~`rdD>fO_tUl+?7_N6Vgk&IbA#|wc6!;jua~?< ziwn#;cq?3;wHN`Ie$r=R!n-wM!oHs=h0ykD9!g1genis=;dj{{v2Wi2686~QWmO_3 zNDjw@2ifVQk!O_ZGqrI&=G#+mjjtK$-$_cXZF>gpaxnRXFeHrtc#ugdc$-*~y~ENH z#<r5Dk?*84jC=}vHFgH352`T?)IW$UOXNdVz?&?ZNkUN%r{m&AdjH=qyjYOlARWfZ z|D(ajf;R=P2|OCO)&EofqyGKAFX43G;r)^K!`{>0VeeMYzj{95d5LGtbD8@~?&rCa zZdc3Sx4f&R(sH!L?)tE6!8PDo=lrVkkDPZoo_2iDaf@TWL$?3Y{t5eo_L%J-ZGU6? zxb1grCv6FvSNyK{RxvLogrA~&_2&*nWNt23v?s_z3&x<pd!l%n^mV2{Vn*RN4PX}- zAzv=iBf8mV4Pq1y>2Oq@&sE^0eo}ROHH*muia`DlO94$SIxm$f`T(_YB9Ou%Kaxrg zPvgj?ixBcmnWuXn(}@!nw%zwrokh4!!LKcvI8uaD%d+M+nT0AztP63C^8|A>!5|O; zVzEs2jSJAdG2!L-ebmG)0W2c8cBR#qZLJBCGFf9oA_jm%U2Z8`*m^J3B9Bd4pkb3M zcDVxPm?S+Ar-*XLJ@g%%<Dgwf(lPP~Viz5nL#N4^s2smrMI?zeAB(5-Ps<1bfK6;R zKQoJy4LQ-~fj;yb=0O`?rdpXm6dvx$MA}3FStS6_sJUgS@AU1bsm5NoeK85A3$8i= z*tSHUtqs5>I2238NIYM9ia_fT69M{jI!z*Xda=;ENYKSKbOs8i)2cHlj)bIx&q492 z$O9Ba<mh4MXrlUFlAm4e4Afi9^bTi+E1EA>68^K%L{xkH%GD~%+c6hqIP4a(r4BYJ z<SDJLLnb3s-I*zHs(WXdp#{o=ozlsE79ItG0odjS)gBuc;y2I|#w#1vJRE&zOU1<* z<_4&G?M6z}#IZmOH%G}dT;|E%f+8e@^i_|Esp;+%aHYKEE~>I8kcg2S)ri6NCZ?A_ z%bqPxl{YNVSD}Em6V-1}R~D&w8{Fog2qqH!@a9s_6}iIl9rKJ%k$`sOy!dC?U31iX z4o+!NNcWm6EO7@8idk9#b2y2SuRl3UmY8V3sv^oS6&P~kU>Zayh^Dy3G)bp?x&~nD zlH`e@XtQ}BQ47VHJCwsy88bvBxS>{qZA@d?QXGvC^eCoe&sRG4pCp{`3Pf=%gY%j8 zs*ml3zZ;;o%8L_h8qprPD$DA%L;Ic7z+O0zvyF1!zQ+6Lb$R;iWPq;xFf+$M6kSAt znQ+R)08EiHn3wP393&>W;dahaZFsfA#6KL>V}bw&O&!#?LpqM-O50}W`|g0IB%WQ1 z9GYfy_XV^g#swZ!4&<ocB}i3_GFfxwD==?)$PhIo2@6r8-f8IQ)71tH6KSVBJjGD* zAP@k&6jL<`nbYDF=~Zx5qb}moBF?PDRkPSkDSm+#?1x?bTr)`+CE#$*6iJm5ypFkN zf<DOyv^#~BT|^|aRCzp*jz&W1ShP=d|2~;pu1N?rJc~NTC0r!nJV&mb>+hg?9f1V) zAH){{Kgg&Ag#pg`<<4;`q#y>6XkonY&@Du5;0PI$EznI8@#Jh4-ZE1ow=<HpvDJgC zb81bC&!XK@Qx)~7Y2q=udnhibVFl=d#k8l~a2spU83;ohMI+3y7AsiW<F(s3a(Y1w 
z1dyK{rI~-H9{0&m;;z4yMpI_Ks<=?hz^|RwFl|dPxue_Pa-KQ6f^pRuWg8T0bL7CG z-u~!yw@?dMJmiE9Gyk)-z;p~PVh`=W6AY#F%~X35@m^>@Vo^o1(BP)D_ypR1Yr5~p z-Ccp*kfd&+npyM<FIzPvMOihifIMZ|Jf=ad&n89QzK~mh6zT}wNEL?ysZ<;uqqTS| z#GULkPWwC5L`DYMPC8G}=fm*0rt5Y*2GMssIT=TxE7+hFmbV?J@4EwO+<?T$M@Rj> zwq3KJLh6Ud=)(^9wc@at4rkQRE`$dZ8I$+Ma^Dzzcpua-^2n|sTx6OQU78`r2D@sl z;83k@qF^2(Anx%@VJ12<)Jz{-*yACba)=M<l&A#*VS!#K>=8u@+B-_0&LLP27EUzQ zOJ1a)W+6X~7)dx}LL8c^BDzP2foT;Kmr7Inj#72FpyPyqxCEKS1-7F=Mwch^utp@) zPx7p`Tsmt3xAG&5!6~W@f+i%`0@U26O?n%Rj@^nteS+2iey2sp2vYYI+hK_3Si~W9 zqO_}|{IJ$loJE(Z?Tai##KP=y8DzvR4Gopn5wspOLX^@%rQt8yJ0~ax&MCZQQ9up~ zz>uGt0}Dgp#=luaokFo(89AZ}0>n5Y-GwHAbXgE{Wf$;lI5bVS4Y3w?KwqVkwT?Wd z2pwY|&l`qD=k7_p>EB7hTD|GN^Dt|^4?7jR*6-2Jz~_nhGrSzc4iU@T1UZ1K-(-B4 zI8j}asuZnP*lA^!mB0;zVHHtsAdJ(o#DE&XjxJ*;Y#HKk)NW)f@>SykRRr&p%LviK z;zZO)#u%CyYD&G9R~3Bd7Ny)GtsDr+`c68NgEWY77KkPuPr_{r>Jy|rGv()^rkNNN zyXtiZsoqHp9@7{P>!T>(Dr9k?cIdDSLE9oa2B<d867=^-irA{IqRuco`{~m|0UX<L z4Z@`DA~beLTbS#C!})qQ_p$j8v{Q^L_`_4njBKX81q4y2i4y{l^?cYs+CRA<4P(8m zZLvKXPC~54^|tl5TePgLGK11Q*`Oza3Cxo6)*jYsM*wlV@D`v(^uQdJR2{#R3(?$R z!LhTyS%%S~*50>h((w>OM^059$+LJXfIAbN|F01G1?f=m@xb2&lKwNkFZ=AU{eL-P z`FUDi;QFfTD(4?N?{s|IvCsZ?`wMKR#J37h3ok_#)6c*abtWekudZ{NoTOD__sb2F zlbRp@1)7qc#Sb{L4kjFpO~J^57*;1-NJU(DX%BU)V$Q)(QU)#q&WjDLtLTHM+%tO9 z$k_0}X!pp$!5;Zg-%T<OzTF274`vRM;T^NyUS&HmhG?~IEeyqSN>?L8G5R7Uk1S5$ z%}+iA9TjJ@65?`cF+t@XQ$Ua*1QWszg>^NSoiS@L%boHd_Ap$h-~edSY>5BawHXv- zx~W-UM>Hs!6pL<YzH`-PH?`@~vs&xu23$&D4g9P$Q>iW-9Q2R}6e*=Azks`OxW%$4 zcdYb+9M;k1xY{OMVyR85|J24yfX_`TM|N}gU=v~<Nb+HdU}Z9<xd_f)x_i?&YaCwm zwZ&=0u%!(cYPNfvS93RiTXx~(;v2MJGSJG)$Q6f(h}A+wNR4EqZqao<Hs@!Nk-LMC zH@7u3bA#P~s!l`>sV6g@46Cx92sx!Q0Ob45hI|sHgwS`?GX>q2_9HkjSqiKc!pZym zjcxp+x{W`Fa6O*S#>PL&+xT<sDPume-IdNpu(W(m2NZcbT{yz|6fY0zeJ8Y4C_$xi zM?JRxBUb-lgS67+1sgOrE=765Y-Bt<y4pt6gpsn-1B@G68>2j~&jX|?v~irP>E3Cz z2pm`TyMgY^+1Mrq8+sPV@SNPUS|f-lBQ3=FEoU1-RHwLR>PgCUo%Fz!|F03(N0n<` zm=w(^qs|T=JOoWqoetbDVDBtatee#$e<Z4eoyHPvfNWUqo`Rl6UbsBfR}JN`veWTQ 
zYZM*<s)ZnN3J5%zLr~(}>e#E(bSqIi&>d>X;Ba8r1*fOJ<AcM;GV<Z!0eBT186F#~ zIby5|kqIfK(*~p)Z{R3T%bA-pV|_#Nu}t5u1;S}1Dn1jHQ}VGRnPbcus{hzwjndt4 zg&7(d%d8faQ<PI-tF)2M@>%IWq<@uuCjEo-chcWVUzNTn{gw0y>CdG1OYfH6A^oBB zd(!Vnk4cY8FO(jV9)Pz%S(=k(q^xv{bW9qS2BjWpuauG^(hjLzZP0W<(EMkU0!<1u zDbS=qlLAc&G%3)eK$8MZ3N$Iuq(GAbzvdLU<B>sNIR3~!{J!mxFn-_q$QJy*>5+B# zed8lO{66srehJ4PF5vgr!^iP^^x^CA`{=_R_&xma8vH)|(0%xQ=%E?>9(<?|zxyAe zb`Crw;&=Ch@MstIKS*xV`yNc-_nrr@!0+Uld+<AP=63v!p6S8wt}~nQJ9Ng5-`7^D z*0$;a{N7Tf);3ig_$@2*_`O~k#_ubXIDTKQY{2ieiVeS8PT-e2hF`ubY=O56LElTL z(nPRZ`c_buULSldq5ymcwodE)kNb}Xe(ZZm;Ez$>{Ap64Nr5H>niObKph<xy1%CY~ z5O}+d^q%HVlLG$(6bQUsyzJt4bF;G7gM-3aWm&M@3_tTxc)RSDH<`m2!{2fe#`kzq zmP2x8vAm$gMj=~vn1YlyjTMW9O{1#w8*IE`Q>+%i!W;gva0Xc{kry%f7pnd*3_gdP z(B#Mumjf;RDlAOs1$#Pw8vhGtRfNZZTO7HzE|iL}t)3%KL>OqoA0MAqik+M6kAfmc zdfgqz0viGWTU}({Q9Lz|W#{0qf)H+$^)5?sOQ?%pIFYgZ&$Wk8`)z1w_r30p+ZG!% z)PrntGRUBX@6{gJ5vT^JQFG*=0>c>CgwDV^)a?JeQ)V7faMYv0pkFP28-l8`{B61c zsPGOTFf!~$q~rz&;88t6mMyvyIeX<VBeGC!0Qe_iLQ|nX{0sk#HY2;;u<o(8IWmNp zUx;;wm_i7ZQ)yt^V;cxg3iMzr+#Yw|#PY$LStO%+gJ<A`f@bh*aGu-;Vcf<T!u~o` zJl5sLnGlKO%@x(?WO4?sVkfnkD3;VZzmGasUgbt=HA0xh_Dvxll^)yIMlZ)}_zx&c zfgYY*yecT&EbPHo=lQdFpSyjC^=>vVRr4UJDGlLdq~=3vV8SUpj&3`nZUpPIQhaCx z)>K2})KX)Z+T_{k$h>{88-`=nYCS^;g~06E;MWNrMhF&goR)R6)`IXW>Cc3L^Bi+s zwVun}NRmg0AV(g83)K1$zo&jkC;PMhT)M%H%v$>FMLQ#5V|HwROzh;5K1J1Uk$x%t zLi&mHL+QK72JmI+b1L|(EjJ6A6lhYQNr5H>niObKph<xy1)3CSQlLqJCIy-lXi{J` zC@}P5x@bB0!n^VN`WMi@Q_s5}zhjS(;lR#^DIWVZ50X*9x-)cjd6|;2NnaA2(jSls zLPmN@`UBYie^+`B{%Za-DbS=qlLAc&G%3)eK$8MZ3N$Iuq(GAbO$szA(4@dBP++6i zVYAtUcZ)XhedvCG{VC>cA9KD(!rxbW9HPy3tL=48a#sj)2<}q9y+%wq{3r;ke|p7_ z+WqwYZ<BsOpWi_5|MZXMPm=;o3N$Iuq(GAbO$szA(4;_<0!<1uDbS=qlLAc&{GXt} z)-zXQ9PP>piU%M{KchkIRsV<n+5Blzph<xy1)3CSQlLqJCIy-lXi}g_fhGl-6lhYQ zNrC_E6u3^cBzU>#5O;WO{X!37UDzs)0moMR&+M<W=j}V~F53@npR>JF`ik@>>27IE z+8TU1_}SoZ2ag3^fsY1GAv5C|@u>f+{>S`x_}BZs;Cr6$7E$qC>HW6%ecp<9pXXPe zFL)mGobX&Oyu<xN_uJhC_dfT!mVdEbDgI1+s^w+27q{Hja<%Kr!aq7guHSMEy4syz 
zaX#w2-SMcc-*KZL*gt+28t-+?t+(~fv&4=_tWAlVkoyf;)mhfj=~8h{rhq3%YD(!s z$~lAtDb6QTNJbk=iu03BB}LT{_=Mt)aQTna#EFzqlqENv%4G`_O@t+5rGO}PAJ68I z4HD_tkwIm9PiCY8Ic!7ma7-+8IgYNk^{V+bDeE}PFUinQb1_mH-eaSO<48XmiN(b6 zUdKK9_iEP3x=i30;v~}8AtK23iBfS1>6AKHdP>AMNk)+MIvN*my4Ep3<6?R4_^jlJ z<bv=l<w_iB&eO@HnAz^=F+N2Cxk6=@B}A`%7>&j$#jiNJ!!c-lhzv1^)k4`vS=xH7 z(P%OiiYL?JQOsHAS!S#O_;N@4deM|#aXFF-hf=AibCZKj4;uzeZMHB&NpNT9$|<B! zjmM&5|3*gy<YG}<DAo-HqM5`jCnE`@pG^yITj#jOTuup&V~K?DryCqy>qR}<OGS(J zl8Polm9(qfv7bs2<7Pg$L^<5KB*STtIUP=Ky$;NWuU3{fSW7oNnskg4VpQ2kI9jgc z7Fc3tM3O-s@l5aG9?UJ9*<>gdP6+QAaVl+ky@SYL9V$@N86<F@oXu0r9Et)&fo2d? zhvNAdZ6h^Q0l9vW){wFrhABaEEG&F2?zjc*Wh+_ZOH=xCWQLtwB*L<|K*?wVybu$< zEjwabrR*e;o3hy>m3JY5jOnRVSlrj@Sc4CSGfCuqP9(y@8BF_MH<<eW-Jq}|V~7t* zCoY3hETg$5Y1AcNPJ!6SiY}I;juS?O^5kr8E=$vK<IrJDvzE`YYdW7ROeG_cP&g40 ze%SALz^F2x#r#sT=G<M2If|7;d6g;kF3rJo0n&iPU-ncnkF?V$$R%R&P!fFe$YH1A zTQAl`9g?Q!3R+TZl4Mv_YJxU-qKNg6<$P>(kg*Xh^a4qY;$mqsnT&_R>G00Yjy*<O zNXv~R>c~%hDqqOW<YGwtoQ%af4mp(;191c}%FVF+)srW4h$=*hs*%Y%S3>K^f;@}V z(FmG@M8=eue0y$2&WsLrB#`wynhXnXxZY7VH?;tv%#z!x!Kz3w$e<o;0!x*p7b{Sf z$#fj-7>S7X0jDAw7-y%ZkU6<X1LFrz>!u7mb2D1Y)AAJZu;<FrG$t?_*}Ttjm#G<! 
z^=Te!NYFk|?jlqmI1qjb`Hm5w3L@S-{WoNgSxMu8i5v)$s|hdcGZEzWO@))f52l>T zE*iTk%ImfQbu-e1q8iQ%5|Hwat22ppIgLM%))3p5mOWgbiv-vbIqAi|Ya9uq53@jz zhr^+8I3@1i>gc9{t60=Rh%L@j0(KCxoQy$kCgSdpV~90G(WXdhVsoR((uRj^c?M$( zV^)%psMyu*Sk%A9MoV8V&4P(Q2bPnS_FGdcB+jyx3ZRJ?q)H?y`gS>T^)1ZjvIsqf z%+(lrd2x=~paGZACVr=pi8+=`i2=4PV?czd);Gy8@MNgGkekd;Q&RN8au^&BQ7;Df zIf~R1Q#2S+XRr_{opiQ<^s{ny1~Iy@3>M1})>t^jInX;-PC;NM(^28!osL6Bbv<7# z?P-)$U8Q0omSVUihG?xqXP8`E)<rL^bdBx{NJEXNZrhBNkHw_tte#$+XEDAa$!I8v zo$gy~-=@ZlwusM7LcUBX=+p6}@c#YaZ`Lu}OU<9K6}z2yql4H~i_V5*^VodKsaOO# z<if&t6OP+V^`Y({WpBPhiLtR7CNTr@oSvbu5=~>gkWGKv=eW;Qi$=*75;zz^*|H_j zk%^*merBG{3$}U2q)gzYqv23Gl@h+L?%ArM1+Jlevx0=dYQN<)vVkWf;d^&EX0T@) zU)7SQ%d_AT?2U|)geU}TnejFh5vUC5I1@sqnmLFd`hIG8K0Akw7%SyYBls9oLu>O; zjzL>U#be@?JFz%wUDq@_q6ypZRgRs?rBaxRbo$0Yr(!3fP?l~aZqGtGEY6pg=O<@N zMP$>2u%z*UcjtjQv;ZKpNV&~tfC-~Z5;{~8!t?nDsij)K;5Mju>iSqLmB2@O`gn*s zmM2)JNGUg2BsGLGqbH-0L@%bP)=qJnBK$4ovM1&3lh^^U<gj!)%xZCw)0twJCg{Xt zs@kIti_~-wKod`l_zPLa@<_^D$>s~?FcivgA}n6f?O4+LF68IHQ^?g^f?5wOD$5Jt z5ZY06)Dhqinl=;i=`eKSWFlvt_-W!XO72R#CDttkjAPQbQk+D1K2piYdPY+5L?|3j zv_u@o^qJ5!c*cGeOvNJh{DWi2s}4d<MAFGn0`hbZ(+hZ=pR3V5GDtdqIR-g~$rg8E zv-IfW%W3BkeKc5Z>V8y0>_<kXS%f+)LP0dI&=_>DSSmc#<5<?wol+x1<}f>xvm~tx z7@I0bN%mlzxl##)n}hxU!38!&D7&zD*%7A_SV1F<0ysNR1Vyw4=?xh*nZx-9yGKG? 
zr!Me(8DuX)orYXqSSXgT<9AKvAeSNjz|ZQTCPe$CiY~=p#M-CRT0E5y-V}qTDk8|E z+6r3}Q;hjF<s(m$cXAR!qf#clGZs(Xz1`7gsxy_F&Mp?fI|kE*lXOss-4k*Qs~?g~ z*I6QyIow5=wAnt6{Ul0TS3K!w`y8P{Ur*&G7H4EqsfeHuj#G<F0!PDX>>UYlZM$PH zh)I&NxWEJ}nqz{D1VtP?5RXTN_o;2FUxAKeB!0B;m3_3j84J+SBbi7G?^TbL`qw?Q z&(oH~WRH;sHW`Lw#xC&WHf-R)0edoO0-CZnLgE0rL2*8f4LqDo3orB9j|$fbj|#~1 zR}~+XdTecyBlzdRhlBk%=|2^CIM5$(`JeJX?C<xxd{6lv_VxQ*-lxRRdmr}pdtIKV zJP&*NZJ)Ot6+Ul!)Z=nL<$l=R?{>93)pBRcwXPqz-t4;5b*=Lo&eu3^bzbH8hT}Ej zQL)W_v;7;6TOC)~+k{8$-?jg_{Z00HprQWkcMrF-aE04XWX1+MWHr*G7U8i*q=7|n z4V8y7eVI%soT`OHw0(1h^?OEd8VQB<kczgs71me#kLvw@?7Zsh;WBL>USa+2v4clK zVWa<dtgwF1;Ui<%%XR!;vBLUl|9XOY+sjv2U!}j%|C#fuZ^R?L|GerO^e?WkzB>QL z`2WWKCc(ovdB{DihIw5HBS-hhjIHaZ<vVDSVv?@t=e&kuEQKGQSA9JXz3|%es&7nX zeuec1kBl6LY_GAh_|x;Mua95+v-7I2v$FW=^Qy12qWHJxRX?nc|KC=~fsB6Pl*WPT zU%T|yzJEU07=l^6@4V{k3rk$7U{~?ixl#O^^XgycM)6P1tG>Za#arCNx2<4fQ}K^* zv%yJ+u)!(UofmFK{V$$ZeS_0hy6Fra=^qYl-mLT1k5}4%FE%Y>{K6YoSif&{^q_gu z^q*IKoqocjE3Dr$e55}VG3a;0`P4V9t$pWJUte1`+j-U3*M{(q=T%={8^TJJ9!5Wt z(z9lz{gcuYHe_4RdDYjIPVv9btG*$detur{b^43%Kd<^a{l))0ulmML_sDtG*Vm8u zwH4Msa4d7!Jby1fulk0ju+sIb_OH{=w&8sG-?F79|AfC-VSOmwH{+^8ufI}FMXhh( zf5mzAug|~m%JZsk%>Qrg(++*&v(uH;Lx;Y8cb!*tefsyFS9N{$A3U$>I`L1RS9P6s zaa7;D0=1%hWTY?DTjLz@;}jC`ez72k9}}MtpDz}q?;#4{o1_;=1?h+smM#hYBKYOt zlflP>_Xckdb_d&op1?l_J{S1oz$*jGfm;Ln1DgU){}272_P^c#sK4Sr;ot4w;1_(~ z!(G9fd@t}7d`Em?-zDB(c)#p@()+mgUhnPR>%E)24$lufpY*)h^CHi@XT%frT<ZQ; z_gCESbHB!YzxxjN0rwW%A^foAQ!Q_8c}dGc%V<ly<ucdPuCKX1;Cij=H(V30Ue{Ka z+xa8sUpn9Je3`T49CId}mpgum8-@=#UgxMfrX2l_?GCT~$M(<I-)Vojy<$IZPve61 zSGMoiK5l!H?M1etZPb>qT_OIb_-*m97#7!vdqql#$bKmI$Ho7#rpYk2fLpDF`uY}c zw-)OBBTiTg^_3}(t=DpQh%9#pvOjd{%jSN*B9-ZDLQt#~b&kK=TG7xY-fJz?M`?S~ zTBwgw_zi29`Y0c;mg$4M2aU1}7seQk3ym8Z6zYqozd@m{mECK_Rj(*i`K%g|cxS?t z6h&xIst-l{RfAG}FyenTDAoJ5iI&oMr#>%YcY{)WX2kssO7*D`_ckci=SIA~L8&pK z-3>~O5hWXx>LU_+Ev2zeqvanpC^cICy9T93%RjV~Mmr5^T-Kn}poX_WsX>j)8<ZM2 zyBn11I1B&Kpwz(mN=s>^)4*zTgHi*lt_GzBR)-su>R5@P2Bij8;kr^J0O~aARvMHV 
zbr&tAF;m?K8k8D!@3oYgX3#d>pwyt%QiD>1R;L=28nn8nL8&p`<p!k&&U2Ph^9<hA zpj5|7cwd839V^>RgHjzU;nfXF4Xny_rJ$pc1xS3Mr8Hrhqn9@*HCleDrPRzDuWL|h z)O~}cG-g_%uWV3i%<p3jN_9$#k2fgQDJj0TL8(qj@ih%f4V-_|Qi_dJ*QcIuDUFz< z*;^Wv8vVYpL8;O56LqDOWy{#Ezto^q-xq|hG$_?2q42E+r8=F3Z#F2^=`4JrL8(q> z;d>2A_3;YdZcwU^SNL*WX&7n8^p?eg4NCQv#f}E0ddp(OQfiVa;@SqKIyJ;#gHoLu zVrzp^180AOQXOZZehr2@&3x5nscX)$cAQsLpyL_K*EVS_)M;VM)fc9Xn&ParP_HRY z*B7RYnl_KMP_Joo)fXmBs?!Utg*pXoe`qb#321whwNUR<w2afFu8Ci&ubD7$+PkfV zdY__VEj0QZuP=m>SQ8Y&N3DfAAK6HwHD%n3V7t|cAiTv|s3Ro&zO_(CNccFfL`T43 zdY{)?%k(ZcSj+Stx7T-Q;#%R!I<D=6o~+9qaZQ6#oj~H&2BkW-;`RomI=;f+Hz?IH z7I!o#)rlk?v6My)#uopuL8(#qt(H=g^cTL{pj5|7_<Dm<qva_}sVR$}I8r|e5!0dI zCTpQF2e$-p%-tdUw;(-+^ZxeWhl8hrfx!O@+#gu$f2;p_{*Au>^1Z@$$opOItG!{* zCp@=%*1CV@ex7^3`^uJgwY<1xi|hTaQRm+~U*~wz@e0Qd`$z3J+9lf)w!PvP#XOq* zb^n=BY(4>N4L=){YxFa+PWahMWud>7`^U=!+Aburul!KGB^S>7q}&CJM!gu2b<& z$m%Zq?#j(~g-^qf_joka&G`#-&P~lIVxyk)E&O8kBsA(tUpyDFrw1B!q_4w^*wOus zI?``4E?!3i_jv{6+9Y;3iDaA6q-8LZOSw+iqm^=<#nMa{nR&se30Bk0_^jN88lAJ1 zxx(zdz<9lduk_o6i-+>eJ&kCi3zm!6(cO(Y(zVQs*U_eBudsO?qg_DHAe@ZhOkzl4 zC3o5<z*2~2s(NB2*T$9^EiPrt3v4!*mX<=W=c25+p{3kJsAgmvs;I_Up&7C}!itY{ z#X~Sm8t+~pi&tiZHJ;JZ(2i?HN?owF=B0p95({Y`jl(!^`~=J@#}5}LPmT{SR>p^5 zx|f~Lm**HC4J>gC88cq}YV<w_L!t(2Xy%l4_Dp+qt+k6F=oYOVrHmueMeL|z?I>+% zG#9a>a-)u(gFRwXsUhRzsBY+gGj~~$G2N(Kyispn05a;%SicI5r|W@Y9eY}KnRBvd zTxHLB>#$7A{o)O4(_BLulW@^zbfCbEDjBiJjB|_%HPlg^w2mrmsK6I*R5N#4J3^xF z+HvC|c9d__(Q~ld49s$Kkce6abB;Mc4RsD?8eweV(+d}T1JfMF(S)vM*T{bkj8Q|y zIM)bc{b*Ec?ZPpZr?3`OZO6RCyA8&fnY5x3GZxClLuJ#%S(l}*BF|*4$e6BfE*>&7 zcUU`08oI|t>}b4EN4gxkcpYuI9pqKjQS(eEu(Oz??96SA(6KDM3unB6Te+nIXOVhI zb&jQi8tPKH#fq`%3hN>g@aD4;(6svw+{BN|*eGk5oNHVWZCp26$CY|6HV!)fe^Gpo zfV_X-kv<PEfOko+mmZZA=`JZN9hJIa1F%sF2LCJg<KWkWp9;P=_@>}v@D5lEP6ac; z1Hnj84oZPv!6x7vflmkC7x=@#s{)T8K0q!o7U&5?1J?vv{r~O%iT|7azx2P~|7QQI zai_54pY|W~_xfZ0P5w663jCArTfV>YeZcn?-{ZdL`%e32e8+u#zPN9*?-HNr{i*kF zy`S-Z(EC>JZ+l<hUG~m;Pr&ma;oah0<F$Ey=J~egvz`xm-sX9Y=Y^iTJ$cWKo&itN 
z)9$&{V|V}D{T=t`+#g2#f!}ez$bFCdPWMgjgYJ}jt9z~6(elqN-);GP%ST$?(em1s z7q#5oGTU;zrMD&8BDVxx{|VoPuehFa{fX-hu9vy)cNJVWyAHaNt}U)hT!Ql_@M!py z^GW9u&R00A&IRY~&cn{#&h5_2oDRp&9p83*#_<8in;oxmJnX1ACLAM<eU6=uD;;k8 zzuLcV|APG^_P5(#V}F7Dw0+t>W<OvL+po6!ZNEgsg)hT4;g4*uv%SQ2ukB9TjkbPU z+_uTqD*j6RvG_Idlb9y$M^ZA5jiPusKYtRQG-JhyK}i|qAxTL&%0m*8GQvX+O3E+~ z8IY7CJR~Y9Lp<beNjc0x)@CH-5DyuZlpA<RN>T=S$g-py<RNP$Wq^lVA}Remq)k%# zc*to<>E$6ylG4LNPD#oE4l;JLq;&HTQ0#ghazaw}^N>YJ*~dXL82erxg0Wx6L(tA1 z9#WB%-5g{T?d;+qXeZ4>3X+oIA!SKPa*(4XNlEaKD<mb(L++B47zY_ykd!D7!CXXm z2<9TpLogRzJftWoojhb-QbHVLcurDw@(_$`2M;+ZDc5q4Bbcua9)kJW&O<=wZ9L>o zN!iLlhR{ws4?#OycnI3r%tP{$vWbHnMmyK=5VRxnkXcFD$U|l%<!TOc2<>d(A!z3+ z9x^Q{>v>2{Qm*76H%v*&6+9#*DVOt*K1o@}LnbBVG7d60At`Hl2sq(V9s*8S!$ZIc zm+%m9T^kR{N=hpSIe0tv86E-*gFNI8NeOU}0o3yI5cK8aA>)$b<skj2<>4VWNs60? z+$Je49HbAc(#1otDxEy!R!MR2kXt0h&Ov%H%QhZ@Sr&N+@DX^(jnV@gpeG~U&jU_K z_wj(^(!Ctuz%l6_9<WBbn+IGXE%Sgj=`;_xLR#VhW6~)O(4CPMdBCVt;Q>dbG7lJ$ zN*v(&Vd*X&a70?*0Yg%e1MEL6&GUdOq&XgNNGfoEeJSZA4;Ym0<N--3&jS+DEDty+ z&G3K$X_^PzAmuo~-jp=O0|uo@9*~qKctAqR@_>WV9Xwz_8s`E1((N4Jx*q8^9&kXq zl?QZ7xA1^I>1H0#E8WBa_Vh?M@_+-<2_Dcb9p?epOUHP?erb#YBvKNu(j<}+uhAqD z60guCViK><B%%_p&Ls9pyfzb0NxU)>PfENl6HiFIDihx;@tRCLCh>|){5px(V`6(G zUX6(*C0>h(B_v*niCrP_I!tW0#H%pTl*DT=(WJyHFwum>>o3t=60g2QV-l~uM57X~ zyhPIyue(H260f>Mk`k}EL=qCOxJ2R-ueU^E60f#Iq7tvQL?RNev?Rk4ud^h(Bwl4n zc1pa)k_<__!jjx6@%l<~hs3KZS6?mh+RD|}O1!eN;cAK3RW@`;ysENcyTofM8@EZk zqOx(T#Oo;=+a+F2*|<gGwUmvUC0<F{xJlx5l#SO&yo$0>mUs<i<3@>BP^7CRUO$mG zNW6No?kb7bPS&lLc;zH`rNrwd!8H=EnglPAc+Di(Ch>|%@Cu37OM;h6yjtR1C-GW| z^D>E7N}OvYUMC4$D)A~wV2#9UB!NpLULgszNxVK1Xq9+%Bp^w=He$nJmlIpIKoGi! 
z$2f`kgV01wfBS;aLri~rgU~`ue|v(^K}>(UgU~=sf8#95{p|`u`!JO|gU~%pe>;NE zJWPMvgU~xnf7=4kIy@fz<VffLkBKiAq@PINkUk|nDLo;*LaIs&((Te=X}7dpx(x9E zejfaG@H4>=1m7Hd70&*Z;6!jFxG%UfcxBKX_}9Sq178SyB=EMtZwH<qSi;Fa6X*_f z2CfQt{ZIRU;Qx~UqyBgJf5-nq|FVAu=l&jl#DBHl=X=`scZeJKVc%PQuSQgXvhNPx zkZ-qdo9|Mb`G4a5y7!abcYEL9eJMN!@;LGLdZXTrUccwx;WzL_&qr|Hf86tkXVEj^ z8TMS~>F`{J)BaE0-*kV<{ip6Xx*vrX!AbXx?ml<az0vJ&`S+F|w0sdK{kOF|-ttIG zr6t>Pq-9Ub_Lj9RHrGG7zTx@{*PpuH=z0|A{FAO5;ad=PZE$&=|K|KV=NFtGcD~j5 zYUjhwvhxn-5Kj5qoR>O9$4?wzb3EnvBgbnUFL0c~8UKi5w_~g068o?0KeB%rRuFHu zKW=~6Ub5eAzrmigZ^A76()I(}7i=H0z1j9kTh%siyBVkZsO@T-SNvD;yW(fW_rd?- z<#fDnI|JUg+4LC_UMzg7?F`tThy88a8LR*v_T9EKSOjL+i>NNv0T26&wli1?JnTDd zXRsQ0*tgrxU_qE+FQoRcCU_Wd!Ls0C-)cL9m0^axfa+p(@G#(l6~e>*rtJ(?2@m^b z+Zn7BGwk`)9##tv`$pRttQa2l^|muuHD=iJs4i9x5Bpl%8LS>2_SLpCSV27OD{W`6 zip;P_s6A-!JnS#ps!-s0*x$5Op~LgAFSk{p#+zXeqrECLc^>xHZB;1qJnTztRp|3( z*sFyvwpF3h^RO?pRiV}Mu+O(uq1f}V&$U%g)x$p9R$Z)zeWtBisfYblTeVyd`^&a! zsUG&}w(4Cx>>(QOLOl%hE7rq4*;bvehkc^0I>*CaDm>LzE%2~2!k@QRPeObfYbz}L zL2LESI?!*mR`YeBkGEE5IZzi>oT&qSthG8_2YN$mHCG4vXlr$f19b|&*;<{f1HG=b zI#CDu-PUTh4)kZORXP$F1L_q1u(e8u0yF3%Qk6dzgoazIbS^MH3JD)>t<uTB4Ej)O zmCgoc&<ES9I31WdrYd}(t%?Hz4|{)WmCgu8)t$m`w^r$tU<N(jT0LF|dRc4rSRLqn zt<^COv_p8WRLuZnY`Z%;TC1aVA3fPxJ<5Sx!k@NQN9sWDX{`>|f!^I(JyHkylh*1` z9q5l+tB31Af7Dt%R0n!jYxRaY&^ueJgLR;Hv{nz+f!^L)9jF7nt+m=;2YPF3wT}Z` zON`lD2YOL!wWkjBme%S44%9(h*j)#Dd25x96vmu&2ybky(xJi(!kp2u!VCi6)4{?F zdUI=)jur-JJM~D13o{5k((%F!dSz>s4j5(-n4FFnX3(2jt8~aPK--8C$vV&zt<^*w z==WQzaSpVV@QT%efLF8*1WH8eK)=^o4cCD{iLN@(>!oTZKnC}o_P16;+(+$%!_GPo zWWtU*5M;u&b)eU_Ry*oIztdXXUI%(jYjqn3+CmF-YaIv+w7m}WN~yX9AOra=M_Q|! 
z>ppt5RNcgVv>6iT8t$Xb!mC=VbRIEgY_srKYn4tU251w}fzBjm5axnTC1wzKgw7>q z5X3m0Ow6EHv{vbCVt}rp=IL}|2BCR6pO`_9wpQtcVg`Zfp{H@6m$p`+rg5N`v{s>| znLtJ1#jRB+X(o^?V0}VI<3KNLtwKdJf$kJu&{~Ct#(|#ST7`nffu7e|g?`3?9%-#Y zJ>x(Rw^pH@aiE7<t5D83(1Wd2=w=+~j8uhcW}5zdN~%IJGeZWYD%3JFBq>#)l$jw3 zsS1_M3^^!Op^%v&15y?0m>CjntwI?yA(R)Yh+D>eGz)~FiJ7X+;&lvqm>GiGS7>2o z2wumagP9?C9fJmDh77bS(7#OG&kBm9K>ad(G=pn*C|_m>x`*mzhM;>WUS<fohuUR^ zpnE7?W(c~6%4O<)M)(a$fyQO}Xd2x^-!encJ+v(|1l>c|GDFZkG%Yg(-9yhZL+~~T zEz1mvN(yu=GvonDAq~rr4msdM3YG~1d`Q1CL4XgbS0)JXA??Zp0Y0Q$nIOQ2bSo1C z_>gL4g4{1Dq*)n|Dd0njl?eiTNUt(MfDfrvCJ68$t;z%eKD<&jb)Te=Qf2z)UP&RH z%79FwcT%ZL5cCd>$_zp8(5K80^iJB8sTO)CWy%BrHAt5-K|l>srA&}}B!x6712U1K z^Z$C`UO^fO-iz1!7XR(Ow|M{BdzI(io|Ep^yHj`@A9Gb;;lJDQImg5H$Lt~7_iR=1 zAH=Zm6sld&&w#RlH<w6Q?8we#E|G|;W+2K{_4X3*LcB1GooMJd40u`0=McgzQn+)N z@hd51y-#Sriy0m(H}xP2W@WrQn?qRF42%CPXDFcMC<W|BeBgc<iBn{EBl4oms>m6t zVljH5*3`xjw=q}lG)$8bJG@rZrFJw<9gS-pjcXl^8y$_SxUr5Hk(4#cl|X$+MLl6g zT@A9RM$)d?F<%5k$wZov%}?eG^XPiCZdb0r+-aur0p@}M>q*!p)l+8$W=B!@U?2c6 z;;v%K29(P=HcQ1UO`n6!P(x$0byhYrxh2+&d{%&I<ScA<Qn}2qZ=ZbD_U#A@V;P*m zL>Jk<J;ChT^;q(Td3%&IZ$Ge1k!=y%bezoLjn6aS>A5T;?0~YCo1&z36z7;C)X=8r zQtK3%d?hd96zx#fU^(T~<uqhoPTV;4$gY4QOgIbJ%09jz8NhW>qdXB<>%zMFTa-(H zZnuhV2Zyd2*j^KI7h&D2Qgd8u(2B~fN}Ivleb0`$)tGG-)5zzHxzijE_fgp7@q-AY zPFZ2P5M|fwz@e7*AR@5F&8-|aN7EMD-E(j=YOt1+wTk2u_Npej$}P<G40}mY%WtC* zxZGp4Gh}oLA<qfo%#lxvS|c>6Ze-<9G#p8HmJq@jfyj~bquiM<lKWZ#p_$8-u1Qpa z6UtN}7h(aU%c0!q$sEhKQ`VMQu+cKJjPoK$!hR*-6FT-2<8Dyy(*1!FG5J&?(-Vru z<$i<?r%=p?=8H@7GPaEh<jTSVEaMPQ9-)<|say^EU0AN)RVK@&$xgW2R61vhr@BB} z^8P7zmGb42AtQKwS9u|g+z5%7PQk8Hjxu57;3P!3ST<kNrO|f37Cd?{jBB^fFV0Qm zN_!ce1B#z#i<CuFpNlP0s*syfe8!e}g}P;uzqqBnm5@J;Ei)V%LbT|~d~vZ%x=upz zg7g_xWE6SQkBo)Vau4FJFH%hQp=<^DXb`@d^pSiiM`5qat3qnROBq!>exXD0oelGp zoY9g#$UWc|$}&WO)~DqWB=Dd_A;?iO$l}yb=UL3}K_iO#YK<zTbSZ93$H3VJm6S8f z$cZvX;}}IO|I$=hK2k(ZgxqSOoK)JC7N8tE8_Ed?v;3*-<nk&bnozD*TtHOyCseGg z9tW!<Z@|1&W&fWLAK>Y@GORd>r=4e`W$f87FKr%_z=@XX$YP1oldak^jVU9FgND>{ 
zwjo7jP0c|j8)R<KaDO)ATrG}|DmxWB7)evJtc(<qM~aZJ%PhkQ8xYcPtlk_%=={G< z_`V>u1`h>Z9@y@Gx&NSV)+c!1<L&T#7%%KT_wV8D-0u9o<7bWy_I}&*#6QR9|EqqK z+mtxX$sG8skqQw@$#A?46{nFQ3z>3yp!v)r%MD~FGE>YVIaUSvH<0gzHg<Vo7D?48 zu?8|~A;%!j_SrHLqZA6AtHN{8EMh5TzY@a$wWEktM~WrnJ}vncc4}>dheX3gMQxW; zotRf`2nl7k5+woLbCx-ZCgoo2Y0G6zvx7LWWb<1s?4wB~qeOuHiL+rJPs%-|B67C% z;&=v4Rg(dIYUUSGmVOO~6;DDyhcT?9XB$>5OxxllG7PaaC$xBm^5rS$e=H%&ui=<t zVWp^aVNACzo`un3U^JWtO8E&Wwo|n|hxSVvUIuA+kT_>7J2QjAZc`G*o$^8<JE@;J zbmkn>QcbR&ct}>)E1lS9k13?dHxhvHl-yl_8jo~?InwFpj7)FxNVYOtKA-W*J%gFd zh&&7NI60eLK=Zq`Ll}~5R+fsTlUx$Z)mpsqlyX=Jfg>IOaT-!55tcK>>B<sva)om0 ziUlL&kn~Tz%ptz8F6h-7Pa=%*?0ly2#CORDv!$v3CF6<j$|*aHyM_(wY1bSP>wK>C z!Z_@P%*z+Y-5KRtqaQUEP~04O;e7gOe7ifKbZ|ET$(SXS%{guYP(!<i+1?1}3%Uqs zjI-iVw&DJewgRk@9p?K(BpW=5JAjM$aG<t$_BVq8Wh+NO<m<Gow{yhlNvm-ua!R{F zK!dq1h=7flOSx6qvf?|>K|aq#jRBvtJI`21RR=4}<3>uc+U0WX(sO*YSjdgDOvY-= zBkj&}Ge0A#6-PfvsnHLVOO#Ex^K4TY?ZjE{JS~BTF7V1TRTJ(ZHOH}j)2A)8YYaXy zgoB0cR&wKZmW7s3WGu9zHh%L$V>)CggS^kr?E|CH&x+m`yOoVV{2mqYNi*VuwVaE+ zOgEH=C+L<HgFseEme<&Lw!8?>54GOL)!xR{-Y^ucw`Y7LEhtwT>ooW5-X_!}V3y18 z=WLxOLm9fmDb6=srU~wCg3Tq~iYu14V#e2A$M*$A+$K5~Z980>Y?8}`xBkC!+$DWq z`lR$$>1FmO9Ajdyc)$4D;$KS@=|<@~`^W6xmSlJZ{4n^J!FL8<5j-8dHF$k+3w!~7 zjLZOkf(QWj2JQ&-ia!r*5BTi`=WmMJ94~gh)A0$%o9)lH-C+B=eXZ?jdla_tGtL{G zdu$KdUT+`v|C9d<{&)Ld<-f;&yT9At?sxnC!S@;8yAXYF$#=7FuTS>by+82&1>yj_ z)LZf%^QOF4dj1RE{~z-_;d#EN06%~zViP{?{<`}^uv>W0J>$N?9dftA%m2$Q?`?Ta z%L6SFEq#uZ{l6SnicgAJSpWN6KXH8?9{!KH?snbgy51(iuK#Q|8+;5!M0_yr+HK$E z3lUV)RQLp6h)}1d!n$akR8tSOVS6KAlL~cdWBWb6kebz>#%yok3#q2go3`JrFWhCS z`5HdbCq`)$)`iSQ2}1JLc3s=61-@Opikr~=a(yA*M)azmtuHi%rnY^?TBz^Mw!f?| zG!OLC)<UDtzpxe>WBG)&(CG8et%b(4)J1iTb(#X7**;WX)ATHD`(S;c$*jQkRlYE4 z4ux#{llnqaXj|Jmt%U|FyqzyhqFG~{Z?hH}6nd+*(4g&``9fkpqwo)`9Ht{A@fB&6 z8D0KueW4lIZ&(YBF29D$$`jAQg=Kx8rl`TTA6W|x($<BiWh==jeOG-|(;Bq>owd;5 zzVBOUs~29*SEQ9~(DpsniaI{?eB@b%tlp~aclc%za?I3hU7u8_H)~sOt!Yfz)%AsD zc`I8Bjhffg7b1AFE@`${3k@P{wiX)Lwpj~}J}>195h==u%x-(oTBvKTwg;?*y4q}e 
z*jlJB726}$LSvl2VJ$SqSr@aKur<bcpS7kj&T4(3DJ-GwdDcRs*%w#~jb>lO7beW9 zRK$m@h5As$GuA?*PrJ2H?^CS979!K&Td_`1Q=#6h_<{OnP0~&LNPS_<NVg+?%UY<1 zHWR;XE!5dW{JOPJXA|)&)<T_4#J{!{>TDu@$69F6_Vd<4g9xAHg#siWw1L_(6YCTr zR;m})ZIKjr(V)W5>N|~^0$KmFwa}o#)7C<R3O}(H8dUg4YoS4ff3X%CRQPvmp}}GQ zQD10I15%eHiNdfM2t8@7X&_X$XR`oqI&I%$t!W_iM|>d|-e7s*F>9edPT_<6_CPiD zW{2u4nxu*F8f&3mQK(xhbk(NMnDCPNnkE7XueTQJ1QP1B4{FvJNnMTrDl`y!1wYIv zvMA`y?zfidt@hTJr46P%WG&Nq_N28;C%|!Qna&^;YnhJch_y_|^A>BFKKOEdnJL)Z zjn*<9&z!YP$8*M7rsH|1wM@q|Z!OdDT&ypH(pqEx+pJ}Jn|D~t^ft%q%M!-??Y5Tb z^Ov@k>A38(mg%@$XD!oliPV>wRHnPEWqQ5I`ZAN?wB&$`8i53}s{Q{7K^hIdC1?vg z9vHz%e4p>dzRljR;%t4Bd#2^TTi)F=<a(v^o6aR?$T4OAF3#=`h@Tey&!AN+5oH)} z5Qo&epgJ>%?qi`iEIX$175Q*+ruL==ORR<LWWKUG7J7t}vPU^WPlGDbb<gPdAfmnE zhG5i>2;FzH=O0)C=tG&oGhvMzYnQeEBld+1IVG$N0e#IrtO5FDPD4ajjl<-D+<Z=b z!df+)qp)c^44nJUO7aMg^JuPu$8y|!ts2S^Soj<Q%8f02Xd-Hlf$Uw7%&k_>!iUg# zK)C_8vb$6YUt_+N?VeaH<GmL~tQX<Zl{Gd_jaluz`;<ZBPIcY0yHjO3c8wglwdM3& z-KoO#^}r&`;&88uQ2aCbN&VSlw6D8&s84(3ILJM6q*A)lTf^@h?{=ucTAEY_@SLDI zy{uE;G@*+aT41fcmAohH!lPz{hQS7)8u0dmRgX4YU710chRc+SeRQaMY;gDp{ylPR zOg`Ryc(9iNR%MMbw3L|A2gHX}#Ot;Xm^>xq-o7J)-G@WN{h>_X=<&gxK6zwxc&x97 z2C_PM1FM|UYdjJekBRy&eLj=g=rM6X>EZY=n$i`rS{LWwL)2h=m{Sfk!r0Q>O4zUw z#>%|XZHR#Uvl9VzX|8KSd#*%4_^kd+aqdOsT+d524~gpy%GMqXO;>rf(X52BjUNoF zmni#n+MbC#JKFXPAL$Q;b$zvl&2vWEDEUxM=VumGjbj{}Bi@h~3dLnI9c%cGr6x%k z@6Y48namgG>BXz8JK?a@DH(!RV23$wve4IL^*(NmB;xutLv66<SR<&xTAESzT4&Ov zm)DxR@R?LX%5@NXnvF%B*y|YzLH{%p5f&Gf3RKSWst7#72MF(ZCWNE%f$mJ-;lU$) zGBMoXz_HQQ+gX5c^mb)8=F;kHsvla<V>0WUO?Po@7fq~GML-QrG^Y)=t8FG1C_oyD z=5{58IgB(`5_&?Bh&)zWgkuS;++Yj1D!hg*KN3+kD@h<4Ivb+VgggcxB)F1Ht&%}K zxp^g&Yn24h+;cWG<7uqh`Es#@b6BCcx^~y`G@bu%5I!zQ-;+Kky-m7D+8z8^@Pom- zf*S*04!ksQo&Q(<&-#BKQTuQ4clf@KXnhsm0PY6<&HJSHVZ`FU!5i|rJs<bH(R19> z=KdS^tK7G{+grZb^2(Nc%MRBM5kdbx=hM!QIDgZbb#8S0*zr-v^ARmC>=5i<vA@~= zJbT9OuzmmkWAEGJqbkn+XLiroYxe9}KoC(`kN^Re?0pxxh7dv|AwU8s7cnFYL~<jW z0P%iyV{5IqdaGJ#QCn@jYsI$KR_#@-cdfS8-t4{AYFq79+uwI)&hDObvMKV?x4eJ+ 
z^5Mfg=h-te&pb2p%rkT5c^=!7w$Iq|wr#c=+j#mtdKKMC>!|}oeZarP+DZqR<lF5_ z#gd_DECsO`?9L3dAvjxxTjgPe3E@&NtX=qxr67WC1z{T=gyBUWGwaDN(oSI|^!ifC zXeb#;@~dnaTvzSy#C7?zF!X!*jg@S0W@he=xiB__(O5suDsZ(m)4nTPb)we53aIwQ z(y357o?hM7k6qO%Ezqj7ZQC<lLo>A%?1friIu;2flChdSy`3GfAt+QKu99}KoyStG zp1r!4Hz$#ZFU2U?Ris6{2otY%m~x_F!R`IM-7s_<(C27-S0}L9`Py<;NT)BFiiMKl za0}?o>|pnM5yKFTX74aVv5wB|xD~^$H}e95U70;FeVD1$32KwDPmd+zx?$NsXE&HK z)YHDRzqfGyaiX@2y;|*yq{E?j8qDv9RYb6_AJ!B67Wj!;t#~1tOokHC)arr(1-Hlq z4<~C&*$WY04BeNAL{{mygG)tB)oR!qDPIzA#Nw$Ht*xuYU1HV+@QeT}&+G(k343XZ zFC7nuQi)VOi`52e-AwibZ87^Lgw6r)!;z((J#DbtD0X6_w#bR!HMb9Chhp$TfdRyJ z?_lxv&i?Mwn~Y-xve9`3^+mi`&~2jHLRQ@dABYG=Q;~HT31~|nxRUK1>~CjX0Lu&3 zfAA>*elnxI$=U*zDWX%K)<@tn)*ZclOh=ln&1Y{k_+p7ThFB7JBnKJ3bP2iNV0&4q zoy^`|=!?f<p?ExMC@6^j>D;b|tqW=M*n3UBbR-o@Cer$Qpj9_;=8UM@)7CY}E2`Gg z?EN*qBy6A~iA3prvuaYhKR8WGu^dxoq|z}k7dZ-SGv!EXN%q=SAEsX@7RGA`s>r5b z`yiiaU{YU}S^0t^=)9I?jkUq-0Pf<?&=M?TjV}W0+(aa{Xpyn4(}Rrhob+s1i?cUd zeBo#sf;z7AxD7`0p}{^TEifh6;N3phg?<@mYu^RK8kS|ZFN(tBY-E5OOy?lW1Y`b8 zaNA&KR|jX3VLX7$zRo^A`l_`kD`AZ<8cwt3*Y#vk0z^+A9D1~E>+E7fm`%hYTV`ny zmZRPmi^M~bScHv6ef-R<t-`qJ?t@AUD!bZtWD{DLy}ZR2Nku}@XcXr=5Ek1kBRse* z1DTgGRH9L>nh*M{4-o<}D^fLGUA=pQy*+4LL6(T&nhkF29oQ)v$|V4s8vT$skOuQ% z8-*);ym0Utsd2Ul;fOMWu&8CymJk1|KDRnD%eA?T`15^;ni-0u<GT9-z1Pe0c1{pN zJJSxi3_|xJEGvdW!(=VQ3W{LxBv24Wabb)x&M||>CE6VJM%I_Y8?jh?9q(^u+11|> z#8rMK%1eTgcWNkzWkTmRZ>u(&717Cyh(=?2PZpR38)BUQvaU21T5R+zZ5GR2?@K4c zp)l?%gNxgG_nBVq>fF}f#!QiyX;tjyvoWUQ*ri3-ef<o$SPC~8+%^=1O@0>+bRoM3 zd-k?rHR!;|?Sar8WG2iQS9RJ<R?NA+Bo={qDuFc+Y(p;(Vi5NA_4Xr6H3lB+bug46 z@A%pg%0h4kA-#9@^s)shlTB(fSUFp<c*R4>ctR{*gFTo8+@D7=Ymmi51<$&=gzQgg z(^<wgUp$hA>}Nh_*ivSYg0SQ2=^a282r_Vw@p)Ts_qOZ;t&-*3g`trM!Sw!+IlGH? 
zZA`kRv}vN^bSxdhs&UBd+c4QXdVBk`OSO|&&b{a-h?8if31l(Ss)aKENT59sy1fuV zBYK+a7u=M5r8bpME~hV%!Wxha>y}=Il>}Gj!3w5{WOUO!jOU%bT+fEP6!;T@u7Qsu zYa6N%nV69j^2MQ@MB|CInQn+FOy)MWM0I3pv>^L^&=-b~N+lx8d)XpW5J1dwmQTcB z@8AFvavjy3h3mMbAwN}{%*wzL3%@yVKf$DEUk2_IdSI&xbEr(uj)9%WX(zImX80oU zbSNGT<D9Y7qDk5b?8hpsU@@#u5%yz8XSTf`NA_JqleFW-uaMA~p)u|<1I9tRLk(>b z`*jT@Gc>p~v=t_1A&1&}vQSSLt1%M65qK7WUePsFwLm+L<!Gq{bK%T_lY&8%h3OW$ zhw&BCIoQ_Dt?tAUYc%($(k8O(bs#nxN~e;G7J*#$`G(6T?(?EZ+!XCt_HF{oVH|=o zeQHx9c0$na`tb^zm&i6to50?w_a)*HEVq&M7>$hAL9VK>g_(JS(lwQYHlDp)JA)ON zN+uu*pqGlzNxc57kPRsJ)RvYx4L$6#G|oN}+A$(u3`<EOlF%<rm)1ze?yg?8zL=KQ zrP?@_Z_A8G62v7UFm{F4h9J7OmrD;O&pQj1Kwx5p<=<FLl~-$HSs`mMFQBC*Vom6Y z{-HVeddIZKIh^iwJz|o;h8DwemWEha7`8LQI9vzG4Lz(@XcCMwXpX7)<Fo*K8AB@u zHyepCJM}5{zzj`gKh{A0BtzjO#JgE-))|2^=V*TR=1N~8%+_lRV^J$>B8ERFz@Yui z*A(_TM0z|KN`(`Roe1q*T@-6Ud>`qbf%Qr_$iYMs@>LhFt2G~=<pC&`AUcj&&ewK) zR^cBKutN9l&CY;`XO33*MqpqFenZ$GZG+h)o0<Kv8D!EA-{sip)-tVv5p=dMo&c9) zi6-dT5H?&+ppY))>}(HC-8l$Gb746Z>#|-OW(a=cbuQPuteEq`&3GstiLMsfI7W(o zTxMzr^L^2_12PUn)Iv|Q=HX5B`;wSv>13**yRVCT_psL6#aLG=2TKUX(DqI&4MhT( zPnB$g=H?~Zu_%Q@D0P`w0kW7&8MZJLw-?9?K4A_)f7sc%V`qpdp&2F!3eAjYF4oL- ze0fP@OzPYk>>11s;=?R=dIQEXy{<=Bw3lm6!I}hH%fisdAS=)ZuzkeYB=Zx4xym{R zGN(v6XDaKiHok3Z!w;E7nu8UDJ!3QxN~WWAJ={|W`cfQoZo>d>gPsN{r1N$#3w0F} z1&SjU+HAEZvjU(>vmu`<QlA}U3JzP3btMx6Bgm@^Y7)y48k>e%kc>msU25w5Wz8+B zW@oRA^(CWNz7k=ej?-)mHNzKACqwB-%p@B;^m4M0{M-i5_zm!e|AgZzm%|otG&^7R z?)SEO{v!2yzDhso`8fRxJn^65sq@VCjB)?Wz2CjbeVjveT_VNk59veF9WE3?PqIH| z@3POf{lM1Yf69N*|8f5rt_}VLeyZH6WR$S)9p3@pK3}t~#y7p<Z-@!df(U>P=ZTJY z9rrl4JD{M+-<J=_z0%us9Qh6%CO3%#fS>UMgr58X4+Jc)Es}Omq77m|VlgYu0j{ht z$&eis_9*x^&iXjm$6Yi;qp46hp4hcZ*6JtO8g}$RgRaJ+!rcB8<ya=T9g?c24I5+q z$f3=;Bi9wfne4Eqi@(m*9W49MWp@M{mp4?UVyG&eB!8CX62F1^NmA7$n|Z0!*H3ce zR4FydR(2<>?~=)56Qn7VY^8m$zA+|`N^>VlGbT~)H;Hesu%bq=a3vCn-fC$LsyyT- zMc>Vk`#Bj{JPSe+`nJCDPhq7`rsH(h9$DLp4&W|yxJZRXFqqiSwo%(4l_4OR3@j*( zd?~>MV>1wY3hs}GE0$uBVZWfG_(r8|J99qN+cyw`?ueO(z8#nwPUFlXn(AtnH9z|8 
zNClQI_{haeq-=2*Y~yD#nSIbxnA|Q1CG$~?zTHVd1&pV{<WH@#HnCX3=mRM`+5jrZ zk+sX0RmE}YjG;i@?UJ>I4^ZeKN2k!NMh?%lY<NOR3MZ1}FVfpYCiA6Tlc;`qgo)$c zU4wm02Z5poPZ(@RmL1%V^96Pe1tkNA9DPGEtgp#<c*T6FvpBjw;Kqq<*s$9ocPx|6 z#(@8y?S%Aw6!{z>G-#M${~xq)V3E`dks)pdVXcCx{$BJgH#UQ8+{HGbe9kc)iLLPB z{5l-Qv1u$!2WzFFV*d)sf;Eu2*BaQ_jd2Z4W`}<32&%TJ+-!=A+ZY{4NRSq~1lpAu z62}G1g(Q3iz@-&a6L5OMoGq{gH;svqjz!zjQhTxH;>jKpA<I^^@KMOM90>ak?t&vL z4jZH7#pTlZ#f<I!Lwy6iJNn!Dc0$L1gEw}-25ALlYa5i4KK#;wbs5djDd>nqu_a5V z=*rcy7ATfuRvZpX1JqSXaw(r?&`#L-MM1bi#PKsjNSwm#friTbs|LH;hBE!h1T=|c zc&br|7rBhBH50Zovv6im&2}zTVeG9_=_uWu1j`FTUq5Op^b@KA6ZO8tehlnOvVBl0 zLN`y8DlsDm2Kov+n>fxHQi*wVV_e!a$<~O2D>FyCdpicZppBV4@`a()rz2t7q*cf{ zuR*kQvTYHT%u?T5rHhHIIl(MWBOr42^>ym58H&eM9YV<zryor1&ah>Ktvl9A<|fgj z=~&{FCDI_4NUj^g9R}M_iX9Vk0>qRC92$Z5S*G3h4(`~=SS$9KVeGOZ>14JB1=vIZ zhqo8kxAEjaopf%Y1Qc)Dv$3hf&%q#Q`5wF<`!+0w*sZWZ0_7qZ4da4OgnH&m&4p4} zE3oh|_a^vk%sdydMH8EmfowX8y=W{-oySTi;dQqC8pI)5TSpQT3?rPp#e19okj0h+ zs%$EOW7K4n{Qfv-6Cz7tL$B}R$j7(_!!s2ZOYA_Q>_o|%rEDE=+{o$*<LDm82jq?E z(qatAY<pWD)Bw@+!s>@@V+>nRbP=scOPQjmK!>6?*i>ap8O}$*Aq)jJBGAvB{al4$ z-*-@d_hwm}UChZw33L&|xWR~L{fUHogfa^|l+U;GbHKcg%p6t^myFpoPOg)&NYe^g zvzH2I4y5#P%7%T2eGdx4pA<VIW<rchMSX{<&+iD@7fD2>?3A@yb3sM#Q_O=Kx@bGL zIH<oF-$V2Xizi)NVIL2H&CUebQE6v)cc!Bg+bO_%A-b_}X9wcocPtrc=Doy}xYB`* zeu_i(hou%wW&Fm5%D*{Y(GOzC4Gpp;Poi8UG%XT1uxjt*cR09~z!=Q>hqVL@Dr`)d zQjXK3P%09hxJlNk^pY^)`ZL^U99~#-<&YmG@Lez*cV*F1#s<+9e1_s+v2*(ns^tQ5 zXKxoi6U|LR6M<%5J4b5Li)Ls2g|7_EsplR{2lkZ#lLBYb82j<#W=eJX%f*ubGsR&j zDdA-7c<YOLhnAWi$KhB!o;r4hgq~$QYHe&`ob3@uJX|v3{3e@B;%h-N?rD*=35@;i zyQ(q4_0#Ae#vk`sITJz%TMx{8{rISgZ(#T)wRED>Ho!h*WHGyO)D@#+xe|7GM;-e4 z2)RrMcDC0KX7OQE@R>U~WwS*{3^wK<KeBP0pr)f?@;(=(yh2Vn8;rQ>JrJyC3+<Z5 zYQ7QU3m6*_XgwPx@RijP1sB5U^x#HW!+u4SfHkD}^@`PLo;r}ny+y&uzY!EqbFiOg zlO<ctB}D@AE*Xx^JQ*6PUUKP}r>&#Ac;d@c0Ml{FP$UrzVbeeDBx!yj>)N`OR&myc z-q_jOkxg)Br?IlO;T`rp(QtNOI1fZ6oj40%yPR$@GjNE61w0u%K?*^sw;Y)1=V;_g z1Ri0(>c@g9oXp@Pk^C!$Mc2H|Vynam;RThhtt*0a@pwFau1C6w_S)Vj{(t!2@xST+ 
zrT@qN@A;ocB*3rxAI1*;Zo~upr2ks~W&RKO&++&BcOouetN#@L5`WS^$3NA7tY1M) z`)}L7YJb!I7yGOB=j?abA3&6Vo9ub}rS>6vgMA62+;6t8wfD;PcGd2*hwLZWC)$(p zLcc@#r}Agz_sTDoA1N;*zTmf%uPP5JcjK(!lgc&9B}!g73-=IqDqEHHN|UloS)jzF zOQpQ@aVaAWNxf3Nv_{$_#U#XBk*cJH5|zA&NjOb8UKyuUD3b3zoHx9I=!CENUh+NV z`-bl!-@U$DeK*3(;YGgld;`8S;iX``uhF;EHxHk$D-p49jL(Jp4)0X_w&EuhFIPN; z$c0~&H%ULNxVz%h6*p8|QSqUQb1M2Pc2=A&y(m3V(OPjz#gd9-#T=Ys99w}nklw$0 z-}e5}`x@dJK7q)F2fcTAZ}NT|wiLtOv%G!Y?b5Hjo4sqjE4+)maqld6G#Kx#@Y+0o zMZCkGdtURr<ax^T4bQ`#2jJu2)1DhWS9>n;4CB;gz|-aF@ND+9dKwW2ae*i9nd6z} zIo>nQQ{j=^@44S`zv2G5`!)AV?x%1Q<6+zT?g!j=x<Bo{(S5c168EtC9QOeHBXqbo zyIb9j?q!IV7<bQcPjesd9_OxbORo1^@3`J@{oM7M>m}Dyu5Y*=c0J&_Q(l8OiZ{Bh zc3lEr3g@^6TwSgX*Cy9mSA%PbE9IK&s&pOi8td}7sPnJRw-8_Pht8Lr-*J8oz83Cv z-iD|V*Elb6=ACCbcRP1Fw>sB5o1DuKb1~|yat56foQhL+yyy6n<F}5VI=<(47WYKH z0#6KgIBs@a@3_M8VMJmabaXk|9UC2M94j1)9Z5&XG0ic_F~;GR9+CegzbpSvejTSp z&&l7GzaoEL{v6JYu9Yv5bMlbfD`(`GJWHM;Pmq1GUHUsbS3V<sQ+inXymY&ClkGjR z<#9{IEm528WZPcp2QG<HTg6!ERRN5VzR!QFu=Ppb)1hAJ74hR5>17?YNBS;DdB;jG z31E!$BLB^cj4$X=uk^h5agFqxjvADn<&eiVAU&f)iuAM&Wu>P$<hFH4-_fCd=}BIQ zOO>ABD3@)w^f*U3$4cK8z!>RU{5L0R|E3Q0O5YGas?yhW)C}osI@BXQ#-ZbFW27BA zR4Hxe&?K8n%IMHosY8dRO6>w7-<P)OxM@-whmJ#zGjwRGv{i>rl1}H)MEtr%ho(xK zb!dvTi9^TY*Np-qS4gMnxS(_@I_pHs9@X&3-&<#Y#<`M1GwhE#=jhNQ&MFR7+P~yH zo<kw~ole4;u{kBL6hKs7!GGIiyG35ALpRBFI&?r@#$Vf%l9vl0D%bMgHrj5M7jdY< z{$a<R9P$FXgF`idZs$;?{X)lW9NK96q`X9jX2^?qaT}M)H5_%C?IwAF4jqu^>(Hm< zllg0>rR0Sibt=l3r$hVYG>10WZj@vEwGEr)xBzP9lmM2>NdeTz3I6ta+b86x4&5L} zbm)3H%wKCAB##JSBl(&DHjqaJkR*?Bpk;u3SpXZz!vbg_UlqVw@)ZuO&5|z&po@G_ z04?Mp0jwoo;=r1I@}K~AlLrJaksRc}>OS&$0rZl41kgk77Qk3?zW~ON`vedm_i~`Q zo7^RUE^?;;c9A<cu<A^5n*cVF+Xb+Jd{zKS@;MGPb&^{Iu#wy<fDPo+0!Wh2aG-G~ zIUs-?<WmCJNNyHDlHA0BmD|aU0?3e02w)@mqyUm+KL<|fAU6o0oqSvXb>un$q{#Ig zXxK)s6+j#Lm;fe{D+Mr?TqA%n<Z1x~$W<IzaR#|e0H>2H1W-pV=Ro~d@=*btPA(O| zL~;oSmY+^87QhyAkpNC3AK^gVW^$nbHj!Zgw2%)AU@iF&2bOIl2+j%#y6iNf3E)(6 zfdG;O!N4e`wHwY8>H2d;+HyWmm##ZUq^)~JI&q&!$DS?HF=vT1FvQcEmOUa}J1EjM 
z10r3W<>`{<evz))Ez+hwo-S_e73s=ukxuO4>7rA%i?m^vNLTC>Y5fk7rn*F$JX55J zPM$7o=n(0OHj&n!A=2erMViWpG}$iF#5SHTsM{pcWgA6Wd%8%MZV_qCW}eQkJx!!b zPZep+29YjVFVe;9c#2P0BCU>#bZ$(fp{PjbL_|6}%+ti8W|5{^MVf38X=1HNV{1ej zUCq<@!j&Rj&>+&(Dv>6eM4D(6Y3vl9#^$dO>B-APnyeRTV!22s*6}ntZ;43L3q_i$ z6=`y*NE0<8jV%^wbP-P@sRbfU&KGIoWRb?_i8PiLX*4C$NRkV=F!=`U)S=txE*-jt zp2?wV@^vZ}z-sa}DwaLOc%?h_UvH*jQJhO2qhhg}OCF_Si9^g)Dwe&u<Ny`R<6QD7 zDwan?cco(SM2uA`7QhhsDisT0h<t@^;u9s*OvO4mhde~r@oEt>m7c0YH_#0_bOl|{ zAw)r?tvd8Yx|SC*yNb4O)GTrb6$=#tf>N=Z%_5i3W&GDFayu0Z3gUTEu_#rMo2gjP z5DAourLc-zNyYk9MXsQWdES|5tyqF)lFw4H1kEJZ(v$UHucBfdn~A()9YY{an&Q9C zAh%M{8#Bmfs92Dug95Q2O((Zdu^>$cEn%KxI=P8f>(Es+u0vPS7>6psZ?W80g5R@s z+$ZTQ9okQI6@c7GXX?1CXoy3IcS&dH&<%9D4qZ=A(xGc<C1>fhRdgChAz&q)qC+32 zLH^@O&2%b9O$7%|(4lLnP&cNMtLY>icNLwiLs!xhIfT%Y^f(>5l1|j2kI`dw=n6VP zhc2h%b?7pB42KXgl8)7(kJ2%GoKK!HOQh4QL|Qphq|;`I^rYz`omwf<Dbqw6JV~UJ zr}Ff~S#w2tVl_`ssG1|vnX^TDVu+^`j-M>jNhfkv95Y0o5Wqh2O#$pBLiIdm5Ba*l zw2-F+u$FvB04XB$+GEBNq0JsMh6ru;m;m_}ufc!f6p@|~<f(Gp2_l_1QKZKnE7GyY zi*(E+kp_<Asc+mkk&YcJ(lLT#zCb`ctEx!-e$G>b38rgw=s~(#hYr$a9eRMS(xK1O zCLOw;HtNuQRH&j3axXna$K694bm(p>)J+Gui`MJ7JE@S2@`MST4te}|ksfmlPi=}K zQlHNuxhbuv;EC7E6OV@{ZZ}U{E}l4@JaIU9BFj9HB%avqJh9m%$?bM~@Ih>q?I7|0 z+5ZM?0A7U^z_<Kg@ju|d-G2c4{!9JC{<Hjj{_XxP*!QpW*Z9-^YX5Zq@&2)X55DXF zRe1~h_a7=RDc@1PrhEzh0B;**_dZ{VDpg8QnV=|&jJ^4ve82Vm)b~B#v%YWnz5=g- zcld7hUGKZX_hDRD9KgN5ZNAfdt8t+UH<*31eN%lCeJY|8T6X6ncjlw-%54X+FMr(o zRqq4d+r0<8*J59u_YQe`y&3N&?;2P&EcC{_Ro=<oW4vB3g@wbLo}YPM^*rx+-17*c zA>8S?*>k<;3eSf<=V3>FChkJ4$9{aNXP&3pQ;FU97}!Dl%l&8fo46hEefM+jZ@a&W z7>akgZ+2hjz6`tYv)p~|?YK3u+Fj>9*<FqO_e8hiw!>rLo37VkIq{V1G1r5xJ6s1` z*SIcrosS)NCu}KNTq|4)T~XHz?6w0ghw~rKx1GOmzUq9|`3>x}?{?neyv}*4Gw0mv z?1F#84bDbqjWg+-jXm};PLJbXj&~ftas0^fqT_MwukUx<=GgDJ61(ej9J_JfVv}RF zqt0=%qZ&Kwi4MhKho#1w*j2wGKP5jVKPcaUJ@qy6#q#;`fZQpcF1N@l<b`rno*^GE z2QZ}mA-ygALV8ttR{DnYCFySI7U?>i&*Y@NQkT>wt(R6xOQeK^@Wj$M$!-6q{ZIB^ z+ka?(0jEU|+wZgAYX5}&3j2ljv+TY04*O~LRrXqY8mB{3?Gx-3c53^x?RU1H*uD$f 
zkVg#rJpuBGv&;UJv%w?TY&LQb`sJ4jAfaE>LGmy9g#!3b`d|TkpB^lL@6iVe;6Lc+ z3*g`B{RQxE^u7Z4S9)&&{0qIO0REZYT>#&ucNM^Q=$!@dPxOug_(yts0sI5~TmgKW zezpL<MQ;<}1NQxn*L09ZZL|PJY(xjiZ8n<#KTpH-pE`(@_Fn?LpH|cNbP(A01$dwR zX2)-Ikj|xlFMuKXHyy;g{}AB4bPoM%0i2EdKb+O~&{_1|0$4@g(LrSUvjFd=GwGiM zco+FK{geRjq?71R3*d3|#|6+!f1-or_w;84@HYCo0PnEh>vZcNJ(hmI0D9@G1<*}@ zpo1vkhXwF9s<ZEQI)T0{u(#9k^rZsmrQg*-WcywLyp6shz|YZR=nDnVM_&}+XX!Zl zd;uIwpA+D1_Rl(W_T5Iu&}Vfl4bW!<cq>)uQw7jZpBCU}sGokP04nrJ0e+hL=o1C7 zf<7+5Td0?QvjBSNH*^rBf4czQM!zM%o53@e4pKLLtN^;`qdJIeUoU{S(XR>cCSY$Z zfN#=I7r-~@Ed}s*^yUJ18~uy`50Kx|n+o7>=m7zKiu?+f#`u8w6!|6HUjTnWZ!Ca6 zr=JkuCv6j?x&k;}T2=s$k)XiZsEzEOYuB0n37cD*DSrP1&WmR0AdaG{1b73mGYX(n znqB}M(li~!yOjdGp1erUDu6H0p#u0k-B$pgqk9YBvvf}Ze1;Adz^Caz0ep&P3*dKX zzW|{oN@GMLu9<7s`~3=9N#7E`UrxS7y9Ia|`5FCq0eq6)PynBx*B8LY>2(6Ul)O%_ zE`UF#*A&1f>9qp9g#46#tN{LmUQqy_q*oQdC+L*|{3!V`y{rKKh+bL%pQM)y@M7{q z`jG<o3ca`hK1nYrfKSkm3h*Q3HTvNK_yhW(0{A4oNPriSSLtv8{65VW!0*vq0eq5P zD8LVsSLpc#@MU^l0eq5b1@H-afdD^5zDv(3fG^Rr3*eI!UpUwjaUpq<?k<2&(7por zIPEQf-=;kR%#&}@E&=Aq!*pW-{4zaFfXrd?9}3`f`gQ@FK>sMf3v6GKb?#hX`+|I_ z7y}nH$RE?874l^|l#;L1p`?6;4khHv`4V@&?Thk-I`jouoVA?aAd91#^H<2?80P$x zEY5Y#Ps-xV=KO?w5zlrWD%W)AL0O#0oHte$=Q!t$k;SRac>y`cUpm)zP(ELW9+1!F z8v3~#<nuV{9NXvRvvlYa@;Us+b2i9lbJW?k`{jK)bf3Iehdv<>ap){8XFn2<?Ou7e zfM`_i=Y^crA@31DN*)wIQXUXMLeBEHhiv!A-8yu)yo>)h)GK!hV7}ZZfTY|jfP~z` zfqfNpF3&bd2W{sFh&*mPmqP<|z$RKWK(4TfhGc2hwuk?kr74?eNS1uUCK{3@H`qio z`)R*Tkk(Ik+xmHqe!MrRLpRt4IJBGg+4^*-*Vdy$JvPyp-L%`*C2-_`Z8s-*ceAaR zqk74ubR36zY_lbS>%rl;D6ZQ!OA^I(+o~i{T$gR8Bu+NE@SZ4mm;IYgu}j}&|Eg2$ zf_K@!>=gUlUG{@cvE$rj|GYE6YujbN$LZ9e+Z=z@p<5mA>d<E#f7GEH9Y4^a>m4uX z&~=Vyb?9S`uj|ldj)!&VV#k9zH0-!lhcw4c0<z7J#0kwV+jMECz|r4H;)Lc*axoS3 zok>1IRsQRl<Ra?Vp$}6<hdxAoI&>ke(4k@K)uBA~aHx~yC{_y`T6Q*2mjG5!SpfA^ z5<rT&1(2jp0VJqH08wh^1??mn`3FbsY@kE{E6Do-s3-3UAVsMFlH^|kNRWT>{5!}6 z<Q<OM(LnwtfEDD=0;nhN3Lr)PE`TKYs{j(@FC5r@K6yg`4djmkSV7(rKt1`r08->n z0!WfS2p~b;762~da3FIY`MCfZ$ZrL(g8WJV_2icVNRi(OAW42BfCTxq0HWj<9OyWg 
z{73-jkRJ-5fxIq&739YPNRgijAW42IfCTvo2ingj-xWXu`GEjdknahgp1dM}6nRYm zN%E=y66E^=h?18%u<b1Jv;Z2&ivn0do)bVlc~$@^@{$0O<OKmF$nye-l4p4LwAnr< zpUzQjo8_$nSSq&(phgx4e`nY}D{theGd9cOJnxL9@)m)qkvH>_w%Tr!*Xhtr@~Jv> zK;FP#+nSP36F^j6&wo4JcB{Nvhi;Nvbm)LAj`~hd$*uhT)1&el{@WJYXJl~-vBfq+ zZsI>~*(|RTz*4!HzqQ%+X<3{+Y{oaIQ<(k#WYS3d^OXVLUA{3DcUElkzURH)+vxeM z=XCeG?mOIdt{-DhT8(|@InMEp&GLQtrn=s)*^jk7W!q^xp8NyZ`JXmh>w&8=Jq(>G zBKG>hF6L~G*+dxZ%1TDU{{aVNr7D<X8QpZv=vW3efNcX?TXtqL1Khzz?gXv7<Tt1O zaQx<sa2N7_$!|_Pv=%p>GJCf+cXe!Cikm-!ecav7x*iznig+6x+^bIZ5H55Yv@ZBE zIfgs3=&s#R7r`~(7F-tWz}?Y;pOi!R&|z6Pv)i;?CC4jcg~KzrRWA8vEfjbdUUYC# zb3II?Yq`Y@+?_ROXPW7aghzDLq3A^xPVaWDvqW#f`%1*%CHj9rFU;UZMxD~uXb87i zwUW8YEEk(C5h+FM61UuRV=i2g(gW;?DA%y#)x9YdY@SE-)qf*aEqtIPB3hNU!%L=g z3Lhv9h=B)Ja|k(}s+kvB$1eOKHhjSg#a4EycPo$Gy|plhnN>XQYg-#oewMKy=P>%L zX60Ac%-hP+!>I)hTehPI77Ai5UYA;Gn6J`y1hv+Ehk*Ocp4>{>f5puwBSxE{Wk790 zP;2q>i5H?V5!)IjX2PQMXi*xCX-TaEr0Vg*%a9rkt}7X$7ot~}M#fR2Jld|cmuCNj zl6%Gx{?ZOZT17^<XWXuBE7ekzF$Sml|0x+$ueF(+Ql;h{ZoE0<;9{{|JEKIhfiWZ2 zg(G52y|&dvZ!B5#g<oLFA>=r6==7dmmfoTh=R$c$L~pycrED!n<VJDCaH-ceTevcU z>xbluSd6!8n@aQ=2HuGB4u>n{7PoqBqlx4coUR<60)ZU7BekG*S}7`AcGReFBL+5K zGeT^Q!14>*7H$)qDF%0g?|?{pF0;>ukw8apdv<PTZ#5Q^F5HyQ4pg_#3*oM^umcJe zZi$Dwgs*^5x3D+HdZrJyQ%h_$OpXzQ_i)%+W*BTR@f4Tk50j_Jq0_s*EWIPjJ3@Nb zndptpJ6w-=$f48QT9)1sjvbGPUTuQb0^LPlwdNaimq-|1CQG)B%ug_L88KZqI|pd( zh!3K$pj580lq<S2nusP##cQ?NS}dq~Xh4gm0$<Mv<7;&Ay%wIQx#I|aOMh*K+rsF! 
zeb64Q#Qs-Q7)B+UvF6`3BWZ00+s(`g*1)L^Vy|a~8L((h8J_>Qnvv9MwAE<FuCjU~ z+L?fZKjB}F*(8{p#23O!2bl>rGxs=JeUV`M|1Z%?3BLY+&;Jeoz5W~h7a`8y8U99m z>7V9TmG=<m?<M6?<xb@~WmxG$tiKgX9N+OPe1FB=`saKP`#$Tt+INAk%Xg}8nJ<i6 z^e)_>{|Ro-e-XFlufUD@o%kld1h?dm#SQtlaXbETe1SjUy~MlE+u>d9UErPR9p@#U zH$30N?e}|e@BJctUq1ui*3-D<uHt_CuW_^eQG7|i4qwsxaEpBf?ym>k75H-gbJugY zt^QfuQojKA(@%9RbA|Dp+~s`7`4i_;&M!JY?YshK7CW7-&Lz${PTUf4yzO`m-@+eo z9B^Ff7;<EAyL_Re%5jW?;>-8<<!|C_W54_nc@W+To8)<Nr5upnmwqFCS9(mkOS)dV zP}(hRks9z-dy3?<|IPjj`}6j%*gt2#2B#t2_=a6)kJwMJyKV2<erkK#_9b{V{Fv=r zTc>RuJR62=6Kyj61H2_XK@ZZK!19rQf#GIpvdz}m*~9F%T6@V4$diHLRTdmQF)-X@ z#cc@;H(GJ02ZmRgaj(+Jf#FjuI95l41;^@GVa1`2dMoaP!0>V_ZgXI`&W!s$t9O|N z$Lg)M;8?v&t+<VW;Tj8$Tpk!+V!_c(f#Jnw-1k_$i!3-+??MZX)w{roL%s8@xYGi| zC!29!rl$sm=b3S@&^3YKv=z4@Fr2dD)(3`@X57n+=7a^uXpUQOjOLgXw=OUowc=U> z!x1y?OSC0095&;=Le~a{tF1V+W3B~9ZVe2FEI7J4Fg(YM`xb2u49~XWRt1J}Bg8ny zze$?{!&PS7cgbym;h7d3jRuBiSaFSk;pt}F*Xhc@aHSddA}ep21xHT_44-7hH3WvI zT5&4^!&A(-muP)pIB3N!4-8K><DRGK!0?GyTwP%J1S@V?VEA}5?m3osk`-4Q7(UL5 zTN)UiXvNh8hL1Jlo@M1tu;La3hG9)+?2l(@DliP2Dl=|LV0fGv_Y5m<tQCj6W30Hv zf#HA|_cY6^T5*fiVLx!N#w*Cbr*{U173*sY1H(Qu?kQGWg%yXUd9Aql0epQnHSH;S za$wkP#=Su21@Mj3^xk(^9Zo9_&2?CD$-uB|#yv_CfnmvtiwB17R$MGFY%}8?U_+N$ zaBM0ND=reqpKr!}9(nWUS#UHQ$e(M*-Ot`T$AY8Pf&AHK+<ol5vn)6|H;^B);zEJ^ zJ~Iy2i30h(R^04BevcV<536I)f}^tn`2j1gDv-~bakzUF$oHFZ8l4cx@3!J*1oC}W z-1I=c*NnqejX=J~jC+Jm3*@`axUVvryDT_*QXs#}jQawe8pxk%#Z3w1JFU22AivX$ zdl1V)euo8zWg)-ag2S?q&scFM1o9nL-0^{YyBT*U`F$Y2&5A?Y+AKIaDUd(Iit`5Y zTdla`0{PR;xG&O)f&3OT?haP(W-AW$ZnEI0JCNUK#i8EQthi$X`BTlf+gTkOtT@!M z-hyM}Wt|m=I$Eu`@qv7c8TUEr3*^^YamNJmYs@&@BManLTXACpd5ijo>tunvMg6;t z1_F7D`gbe!2l5v650}mYd5ijoD`$bcMg98>RRVd7`iDzsfxJci`!uZx<SpvoEsUoY z_3suo7cA-@uCE317WMBI>Ivj6>fg<*Jd65wGb_)c{@u*RfkpkhnYsdbi~4tvIs<u& z`gf2z0(p!2caX|~yhZ&xNTopDqW&GE_CVgE{vD*YK;EMM;XZ00Z&CjaQWD5p)W3t| zUxB<u{X0nh8OSHhW8)xsKajVme+S8XfxJciJ4pT!$XnFEgXHglyhZ&xNd6YcThzaU z<gbCeMg2QS{u0Pr)W3t|&w;!}{X0nB4dgBA-$C+DAa7Cs4w63w@)q^)Ao*h;Z&Cja 
zl0O9U7WMBSc{`A|sDB5^TY<bq{lh)RK;EMM-NeR_Mg6;pycx(_)W4g^8-ct<{kw_$ zE|9mVf4KA*$XnFE1LQY>yhZ)P1=v8|qW<A(WFT)*|8Pe#khiFRpCZ2q<Spvor^wF( zd5ijY8CwG^>fdGLi9p_>{#`~M59BTCA1)oT{r`CK6!EWCuJZlT_xXx9D-zx|&pqy6 zxD&2(oliRhjyCyo(!0_!`_;Bz+N$Y=c=`Y6pO(l;rSDCa<1s}4NZ>;r`*z39W#9pa zAB_p8RJHJ1vm<j<4q+Hw+Vq?qgzMk*MiL$m!iybqm?4h9j?!@vD2;2eoDGzg56p!Z zVwMOsg0T$A{8k+;2FJ8nISR7N$K(Lnk$AABb4L#jU5@hCM^1}2Cr3c-;<BH3*&DIo zGUjKyMjY-o!L`WIItS&{APUg=pjVHGX!*{|-iQVb(U}nQ^C$*A;p8Av=6N8ve56eF zMkKfn-lX7EGCKetG8h&u@R_z3p68C%2uAdqxOOgR)@NQBCWnhef_Ua=)+ptU8r@-p z%RHwvI7Z60|4ZRAS=Vc6?QGC{TG><m)s3NO;hsWE!Dke62DiGub59#QrLXRS$MU1X zY(^S*eHLghFF0^9CzcL27o%Yy3Xuq{aa73V)L={xfnGg6rDbg3E(@-*@Zc!8Ggu6R z5^U^*|Fqg6c#u6hgo7;bdEe-K#vPnUfns>4ZGmG{?j!zaksFO@%eB3rH(Pc=VRweY z!CFN4>h0#Cj*QHPf2~?L?}VGruA{v)ayqrS+8(q-j~6_0#2~~m0$hmog*gX<3=}a( zjvDi|)!JYMsnX=pm>)?Q2TM7jVhmisKjp&zJ+zgh)uc!Y^L7BeP<|~!KOs=IK8Uc0 z;?Bh$c!S6HtbVwdKU#_kr%GF@WkI+8#n!ThvNsS{)*xy0t9~rTfw=Ule|m21?d>`` zLY~tY*7`l9s*;bVV^%f5@f_l#AXq?fPhxfB$$SYiviYP{)it<}xf>1F^<T@h!OAf& zSPL(A%>8}oN_L^qg&R`;mGA0|7Hyu^2VyskwgMx5UR~|FwGFMO1#4C<L)_nn^)<DC z*Ve9RU=e`V!5QDtB0i0!p%=uLj}DI3rC1=$+Pc-P!RF<`=GAq2Jj|m-ZwmJRq=7CV z{$Kf@@jvL_4}1Sz{<W?({*(Pvop1Tw%G=5-@XL3ra+xydd>LQ=Yn55b7~kK0uftkk zz!$Cfd&NB!gB8;e8}LT>wzGM@?zzCT+*9Fx5itTf+_POS_?G*O>rCeb&P7g#<7@El zHeP-WcI6x8iPBG`&q^7(KpJO%#eSoGwSBzp1>0q|8u~B#4LU^rKpy({2MzS4fB*ac z_OA<El?}cVd_J47EXXp;f-JNu?g+g!k;>UN*q=GY1w#pI=ED8w!!eT}zdzYkSvRt% z&i(-w0|PNT+YuFWM>#6!+8S47%ZRLO?^Dufi~jt}mawDIRoOYRgdXmj6?f=5umpE> z!gDE$4FW|O{*bYcf*Wtnvmm#|C=7mjS*@$`G*%cjaun-E5AM;xk8dOMan0_|=n)3W z6*2~8Y#2chFN0nEgJ01aJ!+K*oL7bp+hg-wm9-<wU}0Paf=zJxi?D*_8G7PMSLKc} zIa!o3#0)}|u~XXiv>_-`XCF#x>%l&a`xh-k1zm%Ftslt^_=~OW>_gNwJ@igFCX5|r zXbQ)w|Gr+^qpMw&yGOL4MZ|S%VX?v1>hX-wnLAi8zEb?1a>S5NEOk|`8(H9*MjQ+1 zK1>f$1bsT?s$4vx2<~;Yu#G8KHSJ65J!u+IJYNlhY-O{fald(qt8&eV3fI8zE}Cm` zx?8s9r^?RC)w&yd^c{DhT`sHbrsb~6EhFk~M!)xVce6=UVjH3)!gDhAL(I0xGMm0r zb`&>(f*{%s1#+~u(|d>9m0HaR3iSJq#>)7;%%X<Ch!9ecyC<Goy8hT+`l-51F$D== 
zJ1*j?jD3)bi#c3n=X>L_n$-q2{rdq*pTy|m%{7gZm6@SKOwpxf#V3#Yx*@X-7r0ow z1m=U6O?o5Siqt>9&Q*E#i1y+tDBB0XR*p-~V6zBMv$kNqb%@zQK6R{X>{wCihPrtO zXRGV4wgbi=QuB%zXKkNc;i_yKK?jd6!vcKa=(!|?|J{VM^_gl&m1>w;c0LFf$LnFN z0w2&!IF}p9_m!OwrAc7uT{u-Ajo0*vMXt)G5p676OgSnZhbS32CswpJH71HjDP_t3 zc3Bz3WG4b276n3?Dw7FU<@^x@b7%VNxNH8h)m>bcP7y?C1*FHQYuB&J$_s><-Nn|L z!p5`=o#eLiIW1Az%H*VNWtWC!%}sE;&pf)r+5aI1JN*{AwV83rG<j=Hkv#s5w5@4& zRrZcxaxIG+7;5Q6^s&QS><%=zD%;DKhi?oh59dKx{Fwq_7`Nqk^UZpFPFfn4;gPJM z+O-U@I6H?dsG+QsVxMG~XY*pmuI53n$_}aYDxF7WN_O@N=lyI+;#Pg7!mv;xQXK*Y zlq)Y$cDO9fAauhaBtdzt*{skN;uZsoNH3!a6>?Qsna_#>SM;zp<%kcI<z@|cu^((1 z>_<d~O!2CExdQ0qvJ+JQG^u|nE0>X68Fy9A8!@zMSTMR^Ev8G^Oixa5jSYxQSPP2s zn10HHFIp<m51H^qa~=AYQLxX8#tLf+Z8rZ<v>~Fmn0|<qs=mbhL#ggBnCdQ?iO|=K z_;k_4hrVnq$Y2LUUNQX;E0y$p(+|;7QEuZ82KzYjQ)At!Qic~y_)_DpGZmC7R!tr^ z{ZKN5BCnc$h?lC^VEQ3e<Se<)RClQ>_8T)G7ErN|dQ3mWiwXg~oqhigl6}O#R@v|S zg-`RPDqgIZ>;1O(T<>`JqtCei32*W%-PCo1E9rd0c@ZK6W*if7PyPhy3V3uo({>a6 z1WloU!~E0c=ceJDWJ~!|QGBY12Uqp>z`}|Jd*FTp>Ugj<4q^w0NKD;F=?sn$*Ooh} zWQtTYXOGM+j^%<*d>E!kR&(~8EjJY>$D6cCU{X2L@Mwx1_6<P6?8c``*ne}U2e>6r z3N?{!-HA{$Z5<u3F~N3+$2ROQh8=J3MWD<6o;e5z)7ie01*K_&sY)M@D1<m$I5%J$ zZ78C13nQt}tpCbkAifbrQ(9ea3I<ASH2e7Iyx<BJ0Hv43zd_9F|D!hX(RrGj3&O5U z|8!Aluq#V$EiA%Yn-Iab5I~eIT~@xAc2s-!?qx^oZ2!!y8%q}ONnuYmYMI)^++?`v zC>XeL)nlvJwjIVYRvZbXo!!6N^of$U>I>x7f-TopQ9C~d;(JNWojVc4)e5;V+elpN zq0e6qlPFQ**20O-NMh972_>V`mQjsPM;J^Vq0woiWNOMn#b6W2w(42VpiJ&~NS=v; zKSkT!xg$t848c>@FGWLc63jM@&Of5XWuwUEy_va)1O)kj%?yv?Q{9n)Mv4!HQ2nYS zh~~{{Zp$54Mp{OXh-j;{#DX$$^aTaqcEW{kJJ`)Y%Mw9)xq4VS53^3U|Bjer#I@y) zEz6>!0#@MpVf3q&MfJG}CQIBXLXRJwH8yhS9Xh@&wIfEz5m4KaJEl~}MB#%W439BK zQb!~W4=mwO6V4mjJ9`JSa2ive8)srlJT<~x`w&+3$ibPiJvX*QaB*hFkBs25R`t0t zCX!=`qRv<tC5IpxIXKB3xj>0z1CNhLnvCReM@}tU&5;c5vR&yn@g)%%(T+p#1vzxS zC}jyAF<%a2e3vEIXC^p&xMMF77Gtj?S5cPW;@+SzFpi91ZA#8tS`Y_ET@Z^~l|r>g zxFAMD2+IfmVLLLVm2o?E02zdY-IWb>b#Ci#V*&AW;p8dtqNtlk|D(EjeGZ<}amLCt z^IdR_l`d^13r#-6P(u!#T31<WkEG|Uf?td0oLC#n-?PG{H+=pdWkKY(2}Udu{|!G< 
zj4UmZbAWE9`eOrRxwe28a1&rCJCNySA4d9md)RSSLk|nw*xNsJw1`gQuCWZF7mh}B zD%i*a$S)u4;ol>%77ZLVYEx|g{|bGa`2XO4-Txvy06gITwEt?{0vPajz~lcie;i%_ z#`z`X9p&fn1Mp2m=(|<9R{4;!N7=4yfG>cwGE+HLalsqFui?%Aao-o=58ygP*xTpZ z36B6Pd}-fI-?2V7?g{+1;?;^LD;}!29kKK-t~jgW%!-W_D=X$#%&s`Tq5?h#-}L^_ z`?U8f-n+c};hX<lZ?|`gw+UYPL*5g-KF|B`$Nxjm)1I$*?(*#STnaDzy`HU}X3t{y z-=FO9!}tDM?jO6KbwA?1$9=&4F}LR4?QV0gao4yb?kVm7PB8x9`l;)A*VkO1M`XLJ z5!G%05$#&xGXSS*u5m8A^N-G-I-hes0<ZcvB6i(5&NH1Gou@eGIcGS>IjQ6Kjvv5t zz(GW)yBz-WI~^Mw%N!BMi4HHk=Kn%|L4HKOQ@%m|Fnr~=$<6WtxeC$eWa&@1<M6cf zkaU}LwWLWsh*!7*-UFsee*1g&-`HQaf8BnseZT!;`(AqnF%lQs=O8ws!}ce5zJJE{ zu<diUkJ~P^_1m`Enh>ULhHadU(%;h`pu0x=soDnV1e*=>c%Ti}mdO{$H&t!D1@#S8 zTW3LiUDaAGsIRG7iv{(Vs;#x49#yq97SvsSZ8cD|M1(`tnk_FqqH3!wsIU69CTWt* zwl>4O?sS0moL_4+V(uhgRJE0+Y+oc_@oT3TU%G`H^lJ@9%+2JWs;w|(J4hZ@wR#Kc z%c{2Af_g~R>MW=)soF9N3RKlvP+w5Br54nKeyzqx)&X*tsx2|SbQgI*)fQV&pI5a- z7S#Q!w$OsQPt_J!Q1`0Zd<*IxRXf>&x?9!enNXi1cdA<2g1ST1QWn(hs+P2%KBsC4 z3+l6~7Pp{oQ?-}{b*rjHEvV0^TEv3-w5o+Is9RL6+Jd@S)#h4IH>q04f;!;W<`{e9 zB67W7n{C8=h+$?STWKU;KS9;1Oa)y}KB;OmEvWr|ZH75tuc}SAymX_gRa#J=P_=0m z)D3>^BqLE5lFL<Xs_CW6$#tqW#e({{ss$~mYgKKs1$B+8ooGQ_t!gJ&P*<ti@fOsT zsy4}j`k1O6XF*-z*Cqm0;@{<cs&=gDrD1ZJs!gz<E>*Sh7StuGc8mq}QB@mfL0znB zV=btUsM;6{>LOJOSWq8UHPwRpkgEADs0;m?V(g4zl2<gJG>H~uR*2+$S_KeP7h-ez ze45wrJlo-i*ZLD^Q9?V2=7VeYQVz#>pXM?=Pv7U)oW>mc$OVe#0H(;+edjBhY(ku; zXp#wWuA<pZh;tOpW<s2;Xw-x_OVNl4G2}bnK-aWB<vioheS4L2P0xFjb4<^J%Gsvp z0p%>yb5<ELJ@+g7OwYT0dkxi39q-#?c%0Jf8#Fuy&r}ACna}J|vZm*5rQh`2rR+96 z?^61V&-PBG*Yvzo=`lU;P`XXe+m$ZUb4J-^dhSrpG(EQ~ou=n)zMY2V)UEUFFh0u4 zcH`UY+LVmx`3$AQ^t@GRH$9)OY%@J?QQAz;o0T(6&zqF3rss{y>89t?lr5&`Q<cr8 z=MBmx)AM@YMniMf$-dJJkIQ7`RO8#@S{3LtrO`gFMS((NcwVbOn=w4EQJ~5go>wc- zV+_yD3X~Yb^C|@zjN!RSf%;;2Zd9PW7@k)u&|D19rzlOP=LV(G^t?iW%3^rGUOC0| zyj*E8J=ZDFRSfShQ=q6Ao@*6oDTe2z3RD!sbBzN1#PGaCfpTJaUhG?HVD~s#sWJXM zc98;|r1bjOg}%jx*XPR$l#$ZUV-_gTL=4aKeG3e)N0JIukkZe|lNIP6hG$8E@?m(M zr$F;CJf{_?9fs$W0-dAu97rfoI1JBmL<cuM#}ud<hTo$K^bEsu#1}D;d%}2M*!VbE 
zfpSrLdvaKTW?^`)R-jfGp64oaOwS=@w&{6}0)4{p{%i%>gyDIX0#(BBT%|ydFg(vx zphXy-XDCo14A0XQ=nsbHO64Te^E3sjgW>m+6zC0x=cx*m2E+3d1sa3lIjBHgC_Squ zD$o@S&nNhfH?Yq?!8ghHI9`E*P<ng9@d~s9!}BBsx`E;OI0cG<;d!D0t-$bntnU~@ z@dzh3&hY4y6sQ8Fw{6EL&;tz5;}j?XhUc*gGyuc%7zN9};W?lvre{_0nV$U!{ce0; zQM{&SpTZXY;-W28AW((z*{irr&mM&PGyd*YOpCtcQcP>U<n&2~=1UHr-S{Z`u-v<g zwcCAI>`RX}w*UV&y^i?bMC`wBWA}fP|8oC%umL#LU+0hdC;KauzbU`M&i`x5J&5f0 zQDvW!QPwJpl{v~p#epb(Kk+>cAAq+bcHf75Sw!ty<6DGyeaFEI;GZjgUhzW3qlnSB zAN&2i6&)38Di&e4Ke58)eb@WC_c_GkyTf~(_d;*KcdNJ2JI_1aixYJ0^I!FR+jG!! zi|1pW^F7_3O`Zl%(sL4g0lx44t@{<kxW6Ae{L2y7zSF%P@$94S$?yjFH`gy+FS;Ie z-G!S9AI9Fk&DHE$;Hq+s$Ikw3=a1kI@FB#dzuKuedz_n`E1U`ERHq*?=zrsQ+3|J9 zecU79S&ki!R!5CvE+Wml5M%yl^7Han<-6n?<&Vl|$vfrs@-jItPnA{apVAwMeD}EY zp!6BT&ORxfBn1%Z?sxWA5#{bd`)BM|+RwLl!871;d(0lR`)q%={mS-|?J?WEw*9t? zZF_CoZ7sGX@C|sJ%}L*(uhZx0SLq$-4x++ugke8VYv>jgZX?X7%__V`m{FS)IE|QO zE2yEgM)t#FL}_zP*U^nC{6!dZEup8Wa2H`lovOlHgc-F#&6~7yx`eJ*^Cs;asC8=I zq@4rRs^rHSiE24h&0|iMjw@(AZBg?k-5jX3YTl%q1GPrU`;8?v^{RQyPD4q{>1s8P z32H($t9i^(6Ka*3$22venpDK2GNT&RJSMB@t(7XGCYe#EsCi6T(_0N{9<$bfT1;1{ zc}!drs$R`QT{oeYt9dBwCRCl0w;3C~SXT1Xh*&mW%|m53WLiX*DLH8ErGc<$vYI>3 z^v*(BtLDzNpqBb`=O9~QUqcs?FQ_@_?}oA$&>DXZDtu{sM;EM9b5P<<FD+4X`z)x% zYHqIuwMfnFv7i<zIi}JVNbr#BmE3><;l}Y$E^8!mKEw1IG4mLPY4*ka);v1jpJTec z0dulH$FzF`W}ZLSW5lFs+Mnw-V^Y3cmqEg&Wq)p$@r@Ks`g3QRF$sUJ(~OBLIi~3s zTG>s8l^oOc3y3a;*ls`^PxdRhi~(^RxkAlB-#2i54h{Qr?M6malYjYh+l-jG<X>tI zYQG`dY+9}6p!u6nbJZM_e*<b34XL@)jVSU-I!DcIv7lzFIqU*T8S&OEHHVFW0d*s- zQga(EsF`Z+Gz)5mk~<Z|7sMI4VZ1-L!PuJVB&X)qn{r)8r>i;a3=GwMoK~tiYz|DQ zX=)Dp0~6{bHHR&N2{l#CVV7V)T}!8^IcyY6sGyp|UcrRId|PEfov7xTET|LI95xN6 zjK{0Fl@`<_HFt^yb(}wEI_tcab@U1YYsj_a1%IyIfT82bel>?ZgrU0qbfTKWHo}BD zR?T52VL)9&C#X4WCQPXDYHq0ob&Nk}I_bQI^$vCwhJ07kacXX{1vOU9EwZ4-sJVp} zR6xxwu%J{mhi!(bc)yy%PQ!#!)Z9D^%BSYA-!Q#Zq2{pVFrmC^E@?q|{JDgIr{rqJ z_qZAJf||qT!%)&y)UD>Q|1hCkYA#|yIh7o?A;sZN?HKOWhO#Na(PVC}8IxCYAyYY5 zQiqzue#B7Ql~h)9vn?n|&CRl)>}n1h6H`W;n#112graH=+Y=Lt_;b?@WRWWwTPn>M 
z4996k%=;wo&zTN6-($I^8sB-34dN+A%s*JJpb_(T0v2GuVj$=(@=rBq(xAv&<b7P{ zvb^=4nlouoc<Uc(Zj$A#zpFWHU<}3op8QSCnUpB<d-7K`XHufbo8&KQ&ZI;E^=CCV z-c;6`<XtsqQljwIJ8I6PL;>|DHHUqTfrvNBAN{#8Mn?RBu_j=|yv<l+QliKk<PT~N zI~+qvZ;-c@96R7F%GuvJ{5hO&7WDw~J64cMhaw*%Z>c$x4h7WjRRr=hmi;mEri$p2 zX4D&M&ZI*j<L}g*NrwXJw@S`oB<eR<SJ~F5xL)rizwzgwKp8Q=_UE8Kl`wnAulzY| zfsB}6`g7O?88N@`=b%6tF+W!{cIsJJjt9|x&7?n(hsn=W&7?m8^{ApT{i(>v*Uwb6 zvyF(Ko~dd~c`7!7{Di!&Y9{RosGlm@K4Z2Yuk&j-1}$~SYvgi8!%1kVs_&0iwLw$K zUnW0MwE+w2$EudKpnjxk{T9>@RSoKsfyytF*HjJqlL_?$Rf7U$LcOYL(4b7H@2eVA zC==>?s@7#fJw#qnHK<XBw;m!dE83aH7Jh58szHr1yz>q6UB3oBs>GKU$xEuX!}QYE z$cugrs#NKvr^pMcmNC8b7<pdROxhHAj6A1m?UuKmRkdvv)HAAP(x;H|X;m}nQ$RhX zY9@UOsP8D+>BjbH<NeweBb^#lJk6|3T|u5yHM25x1$jc%%*xai<Z)FqD^pjHZ>!p= zCept^zQy+cCz1oiKLlU@=PAed?)G(5{G;N&ilz#?_fy{ao|inAxWDV3?%L^+u!BAU z@#E*puiMW-^uO`+e!7bM7McGS|LSu~O&4uqCF6w;c+mzq^ouq%WiHyp=Z?5?br@Hq ztQT$Ca!bnAaU>VrM%J;oY#m2(FVb3vc3y5#DKw({a6%)FU?;!&#V-gOudMIQY%5*m zVxe|m#}?W#2<!6dJ@H6&JOl&Utp-De(iM5#zN<PM)g%86_H!#Q9^(*^AN3%3#>kJw zEU6F!w=%odt-`K#YtgQ?Sc5)V7MA7mk=y{Za(Q@LZUML~Y+x>$_`$f`uxj=CP&hI_ zxS^%BJ|v!^`crM=s#g4Fz54XO)&r>!x8L1bvfA5PWOanI8okPcOu}@z3ziC*j;-9X zax1fh+*-7R<Q$(LEKKO5LT}VWFEbcDy2M5zq1vua++_o=Ix?g26_&CgZYeuDUmJ4s zAwf+S`A3Y9L)=xwMSgKFwk>yZ*;(-)y{zcW&4Znc?woOk!A>R>Dw*Y$2G7=+FcPl% zU}GM}O@>gBDPbrxdZDnCNsnSF!|ph-`-TN8o8ai?vxQ;Z{=qC|^pcC>XsalBgmFrJ z4$gbVmad>iN_PIm8V_Ng5h<*U$+EpV;uh}_tc=>pxdd)SR?p*CIjyd@YD1AU9II^W zgyWl9_*dy<?qU(V3Krl!nZ3a*L`NB8sQ-?22BS@zor{<5bdIDx9{a!Ia}zdm@ff`H z#z1b9xPn@S+$hFvPZo|TYTNqSz;)a}6^`ZLR@OR`{##s*N9%G?jOYNTx|78l9--14 zN=}LK+>wiv#&glCA$COOMrCgAx8=g6YKr&FBS%z?RYhpaRhO;fKdDgG=jNIPNwjD< z{6PgtR0Qa2%Z18P`=1mf^|?7FYUA@p@Zu1o1Ub0Eu{}4tM6JPI=SZk6Yf4w2n`I(7 zmKd>K9)e`#;3RkCs!AjqM)nbrJknlgdv0c_8UtrWaQZM7gtDB`l-!JxJxTMZ_9P>; zZmuH!&!c)KLVJYEnM?@&onbuPH>jIeZqH3G+w>6>9C6d_xk{)xx}oby1~n(mqD*rC zKL}(GS8SaiwR|Y&@`|!q$w?QZOO`FtBe}@}@(8g%YX6A6+5d?DQh$rzuH3AgsZ8^| z?R&`A@0(xoe#O@-w2EaF4(~JGk9*g7kN5oA^ErH(54r#7zRNw}UgY{M`J?L|*N|(0 
z^PhIR?OEqRXP5J2$NP@2IJzB^<R|3o<QBS(R@tt#ZIo5=i1c0QM%!`p$8`S@9vwto zRT1vo!t4jLwkE`aNDl1m?YFSbzAfph5>7PCS!!C51)D+cqBOWXlj+#j*1oH-7~0je z3nm>Wz}cTU8)}L&>lx<Wp1IZ1U5aIk8P7P`1#ggLGakbAwS8-i3qDrMWQCjR59IBe zygypyD50RSGVd+i(`kn>5G8qUu?q?WDyJhFJP%eju((G!&XWC2Pmj>iiVY9XcU1`= zdL#13OImYnrhfnq9?TBmZNCSzxwp5Gb;nRQb9f*eyVUJ#H$`r!j=8FY`!I8*h{nlW z{G)TAMv73J#SR*?(p4oK_KeIEgHj4>W{e_u*+I3Y%9p`bzpFP3t`*A)%+ovDLU;|7 z$l&Vc#s=o6l>01guB}^UbW}Py>8cdt%V_d`YEz?uS8V@a@$q(ES-)K@Tirgri|XLc z2I}1*oDB_QB3^Zblkq>Dee@}p4z7l`hXHZ$6V%TfioMV=+NiH#?pHBaJ9`FU{A=jj zV%GMhE||%cnQ}FV9>ScvGpEve+yypqny_Pm<LsVNNDh13GFO%Gb~s`@&0`a-;JcC) z#G~~Z26TZA+k~*IDpZCJ4CHjMwX+*;qz2l$`--#8Hhzr@ae+q?&f@Lr^{mab_reY3 z2aF0#UKqW^|5<=u@_e%kzL(3=m;hOa8!MMQ2NAWhe0g!b&G0o?a<z!PPP@U@jy#L| zVZy=Yh@Oh^al$tE#cmSpD{}n!h`#h#r}{c92zAT|5rHmveCR@_PFmrDzniknhr?`f z3IRU~Z9V#u1@S5dh@~9z%)coJF>bo}#D}LbQ*OgnuRxIP&4oGxEQ=Zwm++)+j3qrX zY&3Zq>=S-xN3ah8G)%eI!b1zDUCEybc`D(mN{zydFn9gapXmbuT+SB>K4z4e%?Lik zdiI?b7aZW1;eIP-HWLc)4x0_`?Ht%ylDPH#y@P$iZ!MPg-gZGvaR}J`qcx&66ffx# zmVskeMv-gKKw`nQy<Hh`qE{@S(0aRXG|AG6A=ii#)qWO&qNu|#`BVdEyO5OG63rE( zv9R?}EVO$^Q3<fRL9(r_Ti?*Ut|i#mT;IGZxT?9eVR=JsO>0B*s$v7667T_Ioieq| zlJ~Th*1D$Px|X`Kd2Neyb;NBMY_*VY>sGa_tF49C@8#<n_4;dCQQGR(mO|Z73=*vO zM^>E-HrCa^i8}Km-q2WAUsuRdIf@p7=ECD+-Rc_QyPG-kUbe2aq2zRY+9-M(G9r?b zL48@?)w?%X#}Mt@!%LxNy9Y`t_xw1L+*q)NH#JzdYI*b8+PbE?Rjq}5C#Cdk*7*!a zN=(9T&tNdXJ)N%96tdafkOSP4^~ma?kfb7LRzb;KmTB)~YE*GZO&v`RpjJInQIpWB zORHb8YS-wzibjL02e-jfN7s-}L+3VrKFCjAizPUra|zeLBSr?|a2VO$vJ*}MdUh0Z zIz|(JAUw<>05RcT)T4x{d9l@YdGtPl?5wSAUbm_>*i^Hsrry*?Q|euCZC^$XK}DQr z<uy||^<z;4Cg?=)vLf-)XtIZ&rEY-FAZRA=^vgT1n9Dwzf{a`#jF4`qC)PZ+I#-qO zs6B$gShtD?;9?&k!r;K$Q-9~S!2tukbo8-_unW4gMx6IHwe{~Zbdv3jGu&00ul&@7 zP7e?IO%0gq%fNCjYl0gZT30l$YYjFm!^|kkpkVXbV9mPL6%1#VO2N^z60igTXa*55 zXAd9n{DgEZx&bHBuU~MrrLPJsw*7AO@rXsW1!4jsG1$uJUS$%Gw(mlvs2*i#AfgQ9 zYi%9GTkXnXT`w)srQ*m5j~yb5G_Y>%S~R&>El{m%n;VM-JjA~LFCn=9{{*c5xB07- zx0J_}yOkzog6~=1HNG9baTTvse59hL!ULaxd%cUjE_emJ*wg2U!{Yu)_eJg&chL1? 
z*PX7*UAtZDTqisK;e6DYaZYu-<T%&imk-E&a#DI-x?h?vQTvnj`|Mlnv*6`FZ>xnZ z`!jSuJ&jHyuYmx|Uro;IAd`H9zC<h*N<@-%J?;1|5bPZsz)=nJR|iSZ2d8$dbFepq z3(Wo?KgMC(H0%!9_vE^qhm~=zFBuJE#~fMC<ZPh`2txQ4)VFonJ_t2zLs0})QIw1S zXJmuzPzy5q2BJAPD`$f*9gBn#sW6ia-Iyx<L!oRNf)Q=kJvn59nSJeDgV|05D;lcF zxkLlv>1ZgGieOvUzALz`cd(~}yDAB`?Pz21#dwwQq8{vpgOlxSLD-vV+r^e_xHHK) zSsBf~bTl4H#iF7CqJcpc!mwutv=dHe7LJ?-vf-SAWoYq5V^KsQN^M{s{JJ_(3%+J@ zU(%V5YUGDjz#_7&TicjjoRe9W-M(ZZ7K-8!UMxq!EIwCtw*|3X9vJG&RC89K1|||w z^B{K%*b#)+=C*}7iIvdp3&*3OL?Wz9`C<dRnaA<Ig3ol&Tl77SZo(N$W6sX<XDie3 zbSM>x6etkgsUOs_eLMcaKVknMTz+)mn-F>)-Py%r0vIFYtjpP)C=Ol|Q*pE?mMVOm z&QxdgwsF7K;?OTRv(OJ5St7Hqw`-7l2NOhQtHL=dcpJtjh{p}Q#StQUo@?D*!I`X_ zDlrz<<OnClH#U+=BDzdmUwH902Hb!+!vI4EdAv3@_Ik2xuRb#~cgNgd&tUg9HZHcK z^L8_Ty4k8_%`M}#^BEbFeW_$PluE{n{;T8KdF+QxzGN&ON~dEj8P*txbL>x<=NwiL zpC*IccQjbIoo!xI+POU2*myD)N=L(uo$%-u%pwvLmv<#1%-KN6fOZaV-QpRsbR0f0 zaXO5T<~$ecoD8omWX=}M4#Lsoz)l=wz|rndu)VFPr*{DSz~SUT1}@~f8KpcsTHYUQ z=bymwfp<=^ogwXPMsWSuBp47*MD^~)lx*84*j~*V#+#4@nQOGO3Y~x!CL(Du6N_|l zKbL#p8x!*)*nvHAH<K&;ph)j}^v90iS)F~Dz1`b*C#19?Mnjt~7EU2rV1zG%nDm_2 z5D1L1VlOd>lR+_Hafq~|vnQnOV>z3AkqBmJD%JuH1WPZ8oQ#t0wl1c-cWHY$^$i%! zQ8YK%u%icDt_B0UxEmRLeuzqY;1UU<X`qeG%i#9@-flzLf`H&mcoSr+JZF+F;pPO< z!nMmAs&;96cy;x@R4f$=r~d=hv2a{nBWr6!ZLQiMuWh0)9))C$#17dw^iugo6=w0; z<;$v8Y6HAjr!Sd~g;LSzQqZs~C<LHB*0?;`F39@#3|pdQS&wCXsZ=TyPla_FxA8K? 
zz-5JX_3ps>VWCbBK6a|s&k361OQsTtj+Jh~CVzlUG1dtmq|-XLW3}sL!E4!)1xKyA zU&xNMwwqD6Wo#mzfcTDyrWVPn))!1R_f69t6Jvqa$FgR|#v)i<!jaNq!G{KuXb?xt zhc};(9l>owSev#52RbwT$bPKW%d($@)in}|rc=w=q!X1))Oy%YmA+IW9f~HS{3l%u zP13sAZ&ki{B7y-Xek;;@oYuvDoq@F^97@MyJZDGm-kz@BwvMp2i~ZO%HVuMf(P)Wa zKHPO?3jx&Gvx`msMcSDxORp~i#z$j`qOjmiWGfpJi{)mEURqe|WCgT<++-*jOV)IB zh!q=A@gTnVqCU_YY-vWkiN3ZWMrKso$+B$lC2@x*oG7kmr4^N(&lVR^NUKa&$6{>< z%e31UPsYKPIIE|&W$kj-?S&IVCKlRzdv|qabno~)j)}eyW~176QEeoiM0Y}C!uwbt zc{mEa?rj<1nBr6zN>ME%G9|E9CL+=G_}sJ|?P7{g4;;%f2C-^QHO<pHSf-3G9FBxi z@nj8-c0vYs>lTttc_(P?EbkOwG?Bn68f(q8@9gPh%iCgY8~bH9Bu@m#PhkWe7~~O3 zj4n_)F*8|zRT(+Myu)>6=V@(%u2eD+N~P1aT};<NbFyq84?rywJ&hm{1`<WyxON81 zi`6rlz}Si{V*-?ag=76}AR*YH)5TZsgtnDs+v39n2*tvQBGFjknUBeV;I7P2HOhfX z36Wli_cPF>oz5kK*B41fL&*fsIK-M;R0^0@!4@O#*DO0D2siJYOf6)~Vv(?d>bXSQ z!sy6CQ;b5@4cB7Y;&>b_Exf^GFuotKZ#??wfzaam0GpWbofp?O3l5~9utsC?TC6Yq zL8w8UI8<VU@TEA|P~B`~N48Ge#Il`>nlWQjsUim${e0~+DZMz8V(K6N=7S?rG4r7H zW>;$)IY$B*RdMXR!U%1H_6ApU?%2t_|8<!>QuA4ktr-SqcZnTfaMw^4;t_4@97t%V zG1BTPp__y-8TA-<OzsvL$VNIo-DQm$<ZA8I0x7X17U@J&+pbJ-W;=QZA@aJ0s)7jT z(%Hpbk@JEw;1AzRfVm>vBp;_3WXw%@ccwo(Tid`$Y2Y#;l1Q^HL<>80Vv`F?y>Lfb zn0F~{J$oDK1*G8rWA8h_<0`JU_s-nyO&1#s7~5+b7lGH>s$FAjkY!mGF0w5bnk{5$ zZ41ki&`KClqgC4gF`<P{fItX=gccxl5^%+oFCh>@3!RWgOCW?K|2uc??C!n0>k`@U zJ^%CRN$}Cpop$ET%(-{ob51N8(IOus7<vMhCf*aeVW==MVgq7{%T<+V$Lm06RnIa$ z8^L(MABo2ob+kc9?E7X;yxTQxu+lI)$QzA@RfXdpIkO=Z!#zt`Jtw#W*ukTrSe<%# z>|;k&Sp$zI4lPIu8(G_fR`t}eQjI5sAvf$MRjurHEN8#OUORhXosS6;8mG=-6OuIG zJ!sDwKo~OCz%X|pgja=7ISj)idloZRjXQugW1(mr7Miww`Bal0-NYJ#yxC?J>siE} zZg58+p8(#<G{Gc%$NT57fRg@N<mO;!9-ElTI&A8y1Y5exdumz9dUpVuOBkC=PD#+} zcDWQSWGWB^%X${Ff{Wdu^0>A%)wy7qMesqc11T~!?4T$S>RG@_tWbv(jKs1{&8=Hn z$3~YknW9jnXFe;mY*;87^Ou+B^pB0Aa2be?z5kDatDtuR-upMYuXX(#UiwzV+gpyi z{i6^sZ_qZ{y20|gWvux@^9Hj;enfV|ul*#%sJnn1BfTWGN#jv`AO9c<ctepW;08!U zp_~^P)Y6^-E)6y20WE7%rvSdA1JLemyj=ijd9=?&svhtXL-g+GkRW3Pfi;QLs{D3> zQ}K$1&vbbC7a|%eilrvC(jc3?jzt^{Xu*gRsgn!!d7mS15~-64wUY-n9I9-pQzz<R 
zU*+LE--zA7zEDDieI-&S6zXwabwlkjV6MjlH>%|iH^f^-?pa)W@OZ1@kXO$RqfUK2 zfKl|OI<-P4;8-?yiqP-f2pA<aT-|aAnC00(oY@SnZfH=>0*KL?)H3603Fk>~H<;~! z1_ex{mKM^9At3<^1sm^~ma2nJoKP4`jL`MDxz05thI+79;mbtVH>x1PV2?Ak1m}pB zbHk4>KMkE)s*B}&kRLUpMSFITXjRsWl&g6sNsm9Z7~NURWm%is9pq`*`xK#j**~=n z^bToA>$7P{a~-94kFwb~)}$6?*F^>h8rb*eRduRXx0G`dOl1bS>xF?58mf0;fi6e( zeU}kbdjS?kktFE2>dowy9Iw;e+PJO*XtKgk&aY?FWW8!g&Cd!b2ezKK6Ya%mVuY>3 z0b$-Q9S|5=0||ZEogsUn<d>U<i^t5we;wh*ncqaP=k(NZ8Mnt&_ntZA;Yw`|?0Vxq zUKpGEjkrC+LS!4W>WEj@wVJ<i)i1?MExU74S50-QMz{XL+2moFY1sApLkaCDotss! z%uyPiIu!LPaFq6(lBz~>tey#l&n4X82l>@>!nZK@rFBX6rL|7GLBa=dBwJ;-cI-X6 zvVo_|Rv(0T@;uAFu9X@J_N++FVPoVzUOoAKJU}UE@6Ed%V*>|6v(HNyXPx?$;+q>< zpgL8h)3+dQLJY4ayD{BRLe;m1)a<OjWwx`S?e}@x*@{$Uc3+sjhx>x+jGOnSxWD#= zV*aAjbbhUHDQ#STDlT1dji8Fpfj9SK=x`IF|2^*gp7$K@3UACi-t&9UMV@9)*h3ND z?`HQhcZuuwh~ro9n&5oVdB1bOS>+t&_`T!DjtgYjG1D=IUSR*b{Vw}jyB~4(e`mYV z)^01aeoUXU-f2D0T4N<Z0}NUgSf<fMbT}gGeQ546pJYB#{uiR?{X%Y$EBEo|ga51U z|0FO32~3xpM<VWvpY56WR4J0ds&{*9kbPH!o#U{;{Q`4fXlo7OGifjwl~x}muQis% zZ4JM6$zDU?J929hfK&FRF^bRa(MV7_rBd!5Ni>)~F2?yWgfFJqV(Qm&eA8#2Tk%yl zdpi)vl}|Vjl8%qaC$T!zD<jpqYE-}Cv)WY5MD9IE5FZL7;efPsrrd@?+PCyZUE*Z+ z^;r8rjCS!AG0AWyxB}deh{xi983d$-ljX{hM7z;cpH&-9!nRx8b_VttfD`~!h?>5) z)ZBB3`Xu|q6jmF{Re>8Pjx{KQK%4PNnPC?6pQcr?06c*^S-KzGd*iYv8jSkkm2N_u z{_0Gfz!b2zDBvD&XOl?^6lXYrc*OMM68XT961%Aj;Nx#N7T)NWYez~r=y`^7fOpva zDvn3}#K#e70vGQGmdT6R)M`(&J3KU`-p6JzB*!0LRmz5ov`o^(3Gy*&?F@c{I~H8@ z`fv@TC2vlKfoqCK<DPZqo=WzZn&yvvZN`k_fAIN-=3yA1p@qIAyV+Mq&Hz7f)nWI* ziB?=)w5XS48=<NABHzd?I`*g9rHhy~vtUj|7^(>ogh$DK*8L550=EYZO^|<6B7)ne zP$X))F(5Bvy<q7ieXU5m3WOC$4nb|$M4>n82lQkZx8UXRKnDVPqCi#M(luQz_>hhp z;P~m&p!^cF?{xIum*k&{5clDXX3fQzeN%7XXi`=uIv)WFB3d4tG~e9g%oc6azQN;S zRYlt|QLt-EEH`LC6B`(=_IQWTJ-|A#mJ%Hieg`*GomSC}hHNp+T%vU?0N%LpPjr;y znkf*9uA3vDmt8X1wU)g%!_6VPtI*(DXo_9;v^Mc1he3dCFbLBHQF&#y8h`<^CAwNQ z<LgYwk`F%?3`2-v$*<~^Sg*QL_yrdyY(B6_#2Gvy5|E}=$X(f1u>Lo6wTkU&HI_#L zN|3X3&`)uHh&vpAARLimGvp1~8pNP>2hq}yU6On(+GjJ&uB0;};lK*O;e4w*aFYl1 
zD{EqTOreT!D_1dI$#SgM7_Q+0a$SD&SW9Kc<Esf$(25Z=xrVTchR5Z``~tP?7GwkN zQ`u#_CL^t-ICiyIFfJW15z8;T6>75w)QPW*Azh-87*sYaDM!jR1s<D?>-<d3Q3m^q z#-);Jaw7lP<La0`s<-T!5}8p09#kF+O5VBV9-0+g#iE*w@Cs;08P9smZ{~cHYi8Fj zDGftg%gbX^tK@UkF8o)wdfKI+={M?@Esh%X3X^R$Y|^+xTR4DQzhKmK`DnQe&8@?o zDg*I|Cqw19-V4P{Ph#2H@ptX$=t!*XYQdc`bDU&;6KorU{vqG6xanmR22e1ABdTx^ zesnSjRZN=2+rpMAFblv|wseQFr~wQ#ZC4jqEysUmz?*sv0C0;r-eAE5%Yo6022GcR z<P%0pwXGRw*185{y2UcoAMI=_Oojol!sb0MD6c?~HMpD0ZXN19E8ACdw}tK)AS^)k zou{sfg>CR;>{hSTvGxJ<WS=*1xruA@By@@G;>{iSGXuD_V^zR`G8u=QBcbTIWmpwb zP6b-|>~W!8^a8;Gut2<fj2s+E7Ha2Vdj=uGuU&(tUoJHFct=VLx;neqeRb|=bw_K? z{xB7;Y^{L);V8yM^69|xtW6|CIN~G0@F-R9_olXJIH2l%`JQ%!&124Jwfkgt9I~^d z1FO#;55y3%f7wVPK$KmrT}g}&TPogZ`6i8Pe}3#l@W~(^4V%*H1}jP=yBN@yp+_<Q zm>Q-j5H(N`<>+uU7B=<Ime0zzz|O0V1ZEK7sTzIb)^%aWQEi`bSu}=*`(h9V1`&#e zqoxZnYInAl{}$}2VMZmBYL8~7hgkzzR3=OiSO!ogRmU38T@@+{>@OBoNIGhqJPnE< zrdD@igd>0_#mc8~5vh3QDR7o!=ED@#gj?3i5i39<VSU8eqK8N?jmq_?5;MjOH3mvq z>)X)P(%I}=gPC9_yl!np0bPzn%4;UbGawQb0fQ}oZ3_)J9W+o_2<spYQ}ozH<{pJT zHdMR?0|NlKVfyVXc_XV2&<Om$jE@JaQA-lYt*flf2%obyAca&sOq`)bVPXD2wRB)e zmBFS8z+Q?+1H;G2;gQmOK>l(8HrPXB@o7L01%|1k#otwJfllha{l;Q2Kg&bXl!N67 zYAu*Gn0DADBQP}q-5R0p&#ZVG+qsxMmNiV+OF#&?kWefl9ek)fX(V9}GVt(PhDi$o zL>&nQOxI_+kUf>MI|Vl=g3^)f{{La=Jd^iN-rpko-(B8oy=mnBJH<QS8%O5963<tj z4?Mq7qyJy)Nqagyr+DTg=ilL;68Bfg`1gYQ7l;^mjr-f~)7_2kMeZ5yBitk0vg>2l z>#nDPCAh_PiR(Pqde;g>4+tR7pUwH1^G#&=d(e4{^J3?@&QqPsowJ-%orgNDj!zwL zIG%PqfVlq`InHvdb<`oZ-;s_H4vNfvuh_TR@3nv5et~_Xz0qE4pKhOIA7=ZH?T@yX zY)>Ncz%{@rByIJ!dA68syv++Qg!iq#MlQeGtyfrkt!;?-Uu_Lr$5@?~&n<6Tp0hk` zxz%#1<vh!J<ngPtlp)@~)%>aX4fE6H2h2Y(Ut~VZyw+T2KE`|`viMQ?uktJMR{37} z`|<_yM!8Y0g*U?_c^Lf<BK^NapQLxvYv>?N(t0|N#^`wJCI3X6|6h~G$?eGC*Gt;S zNu-*D$r$34K9}B>o|7JyZj~;D*p&f?Jcf|@fGc8GTG}SrrK!q*-N<`F8L;VjHtBI? 
zz-r_@rVLp0JgfAmGGI3H9#IBlJ<lTDtqf2j?=EG47<msX1Co*VkTPI0@*Y(B&(rhF zXrupJBkwMy{~ROlPNn~BBkxS5|12YKlG1;sk@s_@zgy3fS-WQ#d1!Z|k@tYof4Y%} zHoA<w`<4DqJ&#HaN`KP8Gwo3NJB+-`mHyKVJPB>I8+rFB{cU<4VdH2u@-U7KM&8eq z{uU$eUZsD%k#~>Mf2y7*u{N5GJhZXS$ip11HS#b=Ym7XMEn(#SROxTh^Gv2~N`Iq) zC;dd}U#;Vr{w;l1>2EOd?oj$q(ewT#ov-xQ8+fdZRR*4PyVAc>&-+UHvC@CCk$0QY zf0CZ}AL&O*|A~6uKUupc7<u1O`j0pAZdLkM7<oTb`j_i@U$Xj^8F{xT{Y#C!o0a}L zJ?|e9+FfGg{XpqoY~<af^e@u$zF=i*jl3I`{)I-~4NCt4J@0b~IzHdX`@YgY&&a!8 z=|4`-`#URJW8__@^v^Z&u2uT0^}N4H*C_pSjJ&Ir{wh81GwCV?hF<QzYx+#OQt7WW z@~%+&XX$yLN_M5c!pQrc(toU;_X!)vF-G2HO8-nF?^30IhMxB^ll{>~UWd{@-N?H{ z=|4)(`$)Q2>7QogVa>#iyo;3nn4b4XX_L}lZs3_9)2M;R`WG?sE>!x%M&1QVe@M^! zP+F|?2aP=Fc)-ZRc*~5uZ!7&%^}HR@xk|s^$m>)3rx<zIpN};1QcC|3MjrO7QX?;| z^iS6FwzGC88F^@TqLGJoCm4ByO8?<T-hk3S-pK1$`p4;c+gQ6}jXbpLGxE^x7$Xnk z9c|?GD*dDMyshjkJIugiXW2*tPeOf%8hJfR{~>zbA6TCcHuAou^p7y|&Qtmi((^uG zWe+s+&Qbb@8+kZ;h8cNhEBy!PdGDLBUnvHj)LznG0-lty!%XkjD*ax=W2Wnsevgrd zt;ucRNoOhjE<Nu()~wUOW6d)2FQ?h}(5&A2GrcEaWHw{bZlzyu{h8inP3WyZ)4Qw* zX8q+f@h+Os8-IB045eRh{DHSo>DL>7rgvBqdgIUZ4r_uLe>qLOQ>*mpZ9f#<ru6A; zKNLN^qz|^Al(m1m5VyP!re7{g>MH4j<(I?iL|F7b7=F1dsk5XHc3%!FX}YGQ4`!c^ zb#+M}tiD{96f5b2(Whf2OZvKWtPWNeOun3_I!vew7GEw)>L}@h!KY)LR?-K1FNbxS z>4uU%n0vV_somQLYfs7w@wD2KKG=G?huTW|VCv~uttEZ1^mMEZN}t})GrcXfD1CZE z54`nCpWe^|?^LBvZ|H&7tn}#(J=0s#TBT2K=$YQa2GOTC^zhs|rB83@ncie&^@g75 zO;*-m=)EbeDd}T|URETg-%l;+V|HE+>y23@eay_uWmS~)F)J^Zb+XcDF!J7z5=x)J z$a|gj!(imSF0EAh3`XATQj^kWF!ElL#wdLTBkwg<pTWp`O&YEA8H~Kwq(-H08M>TZ z2&UJh)k>ei$a@tVbDzP;dzH0eF!ElNPEq;{M&7GZz0zke@?Md~u=oFQrqfN{E4}kQ zZ+p)248xne$91Ih9OU2|VZYzrV(YhlWxd9_*z%F(BE<fG#@u2ahg<t@`C$40d6Cp2 zBmK?N(WXyO$sYf7_fmj1G#EUhuPm=y9-SH;8b&DWUmo>q{(bna=g+;7^sC_m@TF?% zhNkLXqJy4919_O)-9S%JLd8xbdZp|r1UfQ0HLtq80MZo%^H=wpbUhA7@-Xqc=`l*E zJzkYMFAJ7&t8xzlnl+>@<7#R-uCs8b0pa%0)VV;o&fuu53AqSYc44ZbmDp8-`Uib1 zy9~~3&%m~*E*m1-h+FMhnK~y6*s0z#zz&b4p9iYnUw|E44b`x?qXnbq^F#$uSQWI# z##$rpxwMHqyWm9TMRwl{-P29vs?=Ep8VC((iRv1tN}UO%&IWtl>!8D0%;8n3?t&d1 
z$|}@#v^sT$ZuLdNd7dJ>S$!y>P1?qSUCmp~|NW$$Ua*0oxc%s4u`1P7pn)NR?Q-{z zRjJN`4eYboT$M@|Xkcib9y$?Kr#cMkk|+J$stb=#y()ED!LIHzb?Gsu+Ob({?mm-p zH*3{rdmrxBtiD}r*Nv&R>~>wZH`{d{Z1fx1uERQzC38EiU!Le#4UF{$T+}nWV_oNl zmg-ciPBqH+8f1+U+D@{efNF$><m8~!;+`p~maHdOKJqw>NLC!*!`w+!C=5oK2jTsi zko)0KPbjrM>u_N7T&qN2#f&n~(V{i^YE-NlOvP`k+dW65PDQV$7sIfJ)qt@KmG-}& zv(tL&Q_V~#lIZTJ0%-I|1b!Tdh0CwiE7vu!@I}cDz$4*m3sA0{OdcFb!f<GS^0l=y z1X~#(MOq|?Z)!dwkwj`8)|J6MH$EiuxS&Ok#4>BK^Vac+pPsw(A~HY+!UXd;dK%J- z!4!sWF|(TMwVLs-2rH83rItvoDI|oUn3e^FkVqx++bJK?9#*iOHL0fTW+`6Nf<rs< z3pP}fYQ+AY<0u}?cMICh*^gLKe1}h@R_6;RI3)ACV4oTOKTcMgyqmojAoBkR-1Xn! zIoacLzwf@)-Q+F>?*9tcTGv?TADwqQlg@I-myU-WXF94KZu|50EA0(-YP;Wdw(S@j zwLWY;0r%_ATh6u|ZT^>ei}^d|W#(b>OY&th5)sn(=pFPlI*k&tm0V6%lQQW`>6f?z zKUo@U`h)4-J^pmS9+d9ftH=NE;crp`MN%{@ScF4)0iqH%7(;&2aFIBeC=$|&7{Z!{ ziUc)AiQUA7rokflAQrG-@pD*cCiG7Y&DVg?x#DP|fg<5dQ4DD$0FMW5r%<`FVm)Qv z^*IF);Jzc-hO7!LnI@+e2`q{xBP?Pz544t3N2a8|_!uz<+0g-jf>1b_VpEEwa6p40 zHDoqJpW|%LsUcJL$l~MN-HaSjBnE%Y5`>x7#q(`%ZfRj~N`Ug!5HFe5ON;azRm4$6 zql&K26jKBHXUa}45|J2XV+G1qz-1r_glmp&Oe&%qsG&T!1_q7Iv6|_`B7wnCE}AW; zff;iPPAD?JD98d%Yr~xj$X-isvBMElTMhech#re#EX{^dN}6+jMo{C6gx^Q;P@&>l zZk0^=aYZ7sqdbDw)~J9sKn&p_%p#d-Xw8fnUm-$0Elo6R$kaKuh}y9_cO4*}`WDzq zn+wDluBm|9)oH$>HL6>NNLZqxBr9}qN70ib8xXeGTev!?;O?sNO=h4!LpA_rz$G(I zn@$9hR?`U>f_9_7$a10c;#q)PdI-)}xTl^XQQ1)s&!NK*)fyJvm=?!fB!dFVBBpaT z+%keM=SRYJ6iJqX!q8exLNJCoXq3Gp2;ti2+e+6KmMsE~tAVmJ6=*$Y0OP{rx2?oX zSqs+&J>LCH?Q)i^MWTdbkcbA&YsdF+nB#2-cb0jBwiMe!)PNgHs{A>^&55v29xgs1 zSW^{E4e+di|4(5_n2S%yZWfPR<dCmi#MTb~P%umN3J_CB#}o-&jUvc!0z9k^tDF=o zFnc<UF0y-}0%SbNB*B1WMc7Q1bT-res3J!MibL%)#p?hDW=D*!>|sSB-lHtfC4rfQ zivp&VWsF(Y&XCfXhDR2OI*-B;^;FdrHg39y7BK=)n&&JLr9~QuOuL5^2^f!({4^IO zS*J6l4lWY>9i@UuMWD%v=~QNCUVs;Q#5YZD$j;S>GF$19Y>6388deLwB(Wgc*rT#C zI;cp76ZSk(i)3b}GS>qtsb<${Ys@ua4%|gWaGvLy$r5yMUnOi3>=$@BHg~GgpEGh8 zUgTh5J=)E|GOUO_Q@H?(qf!^lExXm}Y!b;@<fugz$eh7P0a@@^kvK0kc)RGmWGP}< zpnS|XUyUOyK8wNIp|d+v&|GYlEWj$!_Z@-vm^G7`bkif1w$i#nlfHl*4%`h;xKrW_ 
zhZb^Am(NR*BU;`Lqv9-JXT*kfcpUh+C6LH8EYTts97e0Ik(}sx_)5j%Ct@Vb8!<C% zQheAU->izds`)hwt5|&fIW^VGcp4B<*7R_ZtsAWek%J6T8)4F9CM(-(so2U!IW3Jw zh3X851F^jwk`^sWreeB@lFSmzT2J#4i<vpSh@z(du={_X=?;^3ndfEC#lZ51T$^3T zI)Cl_w&NB=0PMF<w=K55W8G*iv&=I8#=Oq#lc&>XX&)Uyp2J)Gq0&#JM$_L>!PoFp z-8)|Q{d`&|?^<X#pI1;q{eFIG@3`zIp$YsRJT!HP_gE}?R>;pH7AO7CYaR$x1ssgk zbvqi!3ktEDZli?OZC}A|=ZRr&E)a`#yQ+5#x}CkCofa2blewwibwrqHajny%3v_yD z0bvkowy><LdPnIxz1Lwyw5TGd_8wNS)B8oz)x9Hi3Q``)`_{S}1wjc-)`u4CcHR}_ zzEF^!hTcQ6w|2FAacdXM6XQ2=Ylp?ESyw8^g4q&yOE3T}s(KIBE7abuf|ytZBMQ#U zkS=qJt%6f~4=UJL9&llws6lh@fmt=E-!nC+SUUGae;`lI_nR6-S$y(rHrRS?;>!@g zT<E}TH9rcx*y~|B!yHUDwA8cB914M?E=>t_fmQVm*Qvu^pFo)dXjs7+%9F^xn4wd9 z4=B*s(12=1ci^5iy-HRcPS`Vbn6<2KK4Nqj519R>4!8-KrA1S(XHJ}rS$&AB`cS`2 zO_osKwx)hrEBD_`G;wWUF`kpEE>!oH=(g=>G;dqm&9;pa+P3X2I6?bG8+yumJ-B;p z=68>ab$5@gBAbYsCRAMzJWBT*o--)9FRmf8jnpF-DQ~2n?YyFqyc@}$Q+nN5om#Lr zI+bT?eFHkhLvZEj)B+LkT~#TeO)i}_O$+8NhuvrsN@&{TETBz8yI3v0+@)Rzv`K?7 zjL+33HFpPJNc%u-)U8-smb{g0n9@^w?FB|WL^w>b!?nBDhQ{)+%R^bKfY0t3cDbj% z*P2}j^Y&~ZRH}jK^7f|vwh)4TM47|a+WNZYrbKpU)mvLE{%l=iM{|2;eU+O032&v^ z32V`vu+#D^q}?q84t4JCH5Zzup;*FuK24K)Wh{yYzQxw$E((T%&ZLyA;vt^2KrH(P z<-xGRqJete0Kgt1E=u0k>M)-!#mMCnJqfY-syz40cgeTNSIZa4eL(oP!q@$Hd4W7j zj(J}|hQP<X_sUZ|UwD7yz0P}ychGyb_cZSs?@8W8-YV}=-ZI1sIK=DmQu%-6PvrN_ z!^}4GDZl_62S56Vxzu%pYm95S%kKQQ^Hb*s&exp3LPo(yWE1@xJ&Kk&?{VJhycRJ5 z2ApR(+novLiOyQ*Z09t@1{m)=*y(l>$LEeeIo@=<h!_D+IPOF2!S6dRb9|fr$Z@VC z=~(Aj=~x0(!qJYPW1?fEqr_phe~GvO@7Q0qKWl%|{&V|J>^Ir3uwQ8Jv7c^V@BN$i zL+=}&+kths+;hI?Jj69<_N?;MdFFa%ctV~@o>87*9=rSB?$6wRaKG;UwR@ZUQTIJS zL|p5>*gfDr8(C`BAXm&H_Z;_hcL0fw4waqm61Um)rR%S*cjyarkbL3!v*#DC-?^T1 zJ>_~3u@iqFk0tlJu5^9Jm2z#Q+v(Zl&z`r)?XDJAgKIfG+%?a2tSf4-w}<UZ?KSq9 z_R029_5<uz+sC%|Y+u=4u|03wOg}`VgNNuLwwrBN**4MZD7E$4&akbpZLqDjmD}dq zD#%XTfwm)UKI>;ThxI>*fba+F>(*PX_gJ@CAC(WXUTht(wj(>^S=L(XiPmea)2y?t z<E;l<r&`^J(fB!ijGji`^1MWDusm&f!ty7}o0b<X-?v<5`LX5OmisJ8%Sy`<%ej_y zmZL2}%S6OXD6v%2d+8eTl4mEm-29IDWsBMTrTMSq7v^WpPg0Nh=jNZ#H_TU<Z!%v< 
zFEOu|AC|Wu=Hsj8(TM+eIys-5hmS_mPx8MUIb=eJWTxA#vp6Y%tWZhQ2Oy8-<oonN z>nQ$!h5p<+l5;<&4_FW7Tr>Td^*~NaAcyk@J^(q4lkb5%fRmrmd#rB$td-tvb#d;e z^e(G|lYgK;wGvM5q(8Arg1pW0B`5Eb%+jNRl%+=mNu`HX5(D~y<u9C+K>nFO@Bzp_ zaq>Nof8-C?=}ndoIrlSqz2z-V{)S#>d5u3{rq@`0%Sj33OZ<TkK)%Sy_dx!JKVYMm zS+;QQC-f4_Q=HsMzhik&kQZ8h&dGP_1(pXm`A<4vxs8+W(|*g3IQb}j+<F8jAC`_M zM{)8&sg49W`E%(I>2*#%AdQpwfJ_faV<l}s4@f@g5B!1qr7_Y6f*dWqC&*FKyMjDS zdPgHoJEZqHd7osJ9#=`pA)QM{3$l-LeK2j4Qsn!ByNPP5u}$hDH}V>`NxkHH@xb}? zV9teCFVTj%U1}gd6c5}@xf-Dd4df2~><(!X`LQTANNy420J&L^{p1IN>?60TB>Eep z9;p05#nj#|{en9Avj_%49fEv<+Bs>H9;Y@zK1QvaM4%695#%G(%t?gxpt2zEqEwI% zQ?AOAMS6&GRR;MWHSq@!se}ASkav-P3-V6#FF~G3z7pgl@=rnjobbgUA?6182j|Mt zUE~WvK0rPf<RtQULEcaP#z}<HAfIWZX$SdKke8EB!~>Ja$AY|%e8fpa#vp$c<XuEt zWJLNI;fqWn(!GQ)GLZKWZIL0^1>rg=N$4ckNsxCEu9G0oBwXb{P9j`ALH?9*^^_2{ zf^hYeu#=Iu)jqHw6+~OH|Ca6`Z*nd|Qjp(kB#ONuxVIB+wIJ>U;j7#9m2?|<l|O(e z6XX?6BDe(koglwMUKZr7gzp5Ve@Z_j+D?GL5k%VwzLahud?zq{Dcww7;KdLfg8W*L zKOnyn<W1y%IEfGt<at5fNS+hq4dhu)BF+POMv&hpI|X??d76_5=0J7`@;b6zkk^uJ zoJ7P1vQ>~*lP#P?d<L>vkXMqY1bGE{l9LF+Kz=F6?~z|{5+N7J6N0>q@cqH`iF7G> zjB^oJfjlb64x(+)A4``IzCoK1Jb^sKANUAUsBMlPNf!}qb3}v$qHT_UG+jgP=g<BT z_1-7Q3(3y}c>%eXlOJL(?)Gr{6{vMBCx0icBy$CMGMOXDF=U<~N0S;sjw00>i5iaM z<jc}YL^}*$mQEzI1a}On669!7sgWo)TaXu#3QqnO#f}!_31qq;$B<(LIhxGSNYpTs zlP^gtNL-N1NlcK7$uv&BC@mvlK`tdBL5?Bif*egE8i{(NocxV6pG*>Dh)mW<)2*bG zlP^fsWUL_P5FaOhEgeS=7i0|?FUYxMoJOLC37q_uG>zCf`9D$>87;`!WRxJ|WDF;t zmnz9fLCzwF3bKM6BFH#7jFZnv$C3jDc{CXz$T&GzkTG%)C!dv$A)4LstQ0511vf^9 zaq<~yCMgl*45I1IGk8|9%S0lkXVwuf|NBnqXyOv&bi$7g(@yCq!jBG+al$Pd)6*br z{Mn~r_FDy6PWaJ*^DRwo<J=uMEPo=%6uDiH=aQdt@<Zv{<W50$kh=uAnB2q3KS<vq zR|@hxa)ltzC0B70!5zr=1bGg*T##pzO9go*xr~$VOJ|Yq2(q1AtdXW0$R&cjo?Ilz z>&PZ9r}t~gcR3Sr6v(#)*-g@dY$q3JB<i}5mwK<3oX?pEjX?SYxsmh=vYiZQBuWkP zQt#H1e$GT>19Gk)+ewc`V%I-UkT;MNFZE6>`4(rwO`oh6<a%<dAWtRDf@~)1I0@H! 
zk`UxtvQ{IplGbn%e)gnEkZZ_ljl=_uyxreVB@LVjS9r3LGv7FwtkS4i<P?pnAoct~ z_`Q=81-X)(q>-reWKP17oh%pRYO+j_W5@}D98FeeB#Ir+N%*ysrGh+#ED>ZqS*($G zwvLmpNUO+vPTmKTMcdln!&?F0uwZ5X!WvQ^kR*^n{_F=J1Dt#hWEm$PrB7J>oJ3$1 za+4q%$PJv_3On)|LH3ZV1=&EZ(@6B}T25|}YRMEqE+j{Ca<jC69Kp#arFmo`C!dg_ z#4N}Nkp&qhl#`E3hf9Cq<YUr!=}#JIx>fo!Cm)rT5N$w@N{fjYkhF+s1A5f-Lo$^= z`w9-41%ezy7721RS?I98X_{ub%!D}qKXP}wXSuC-W4+3C3i*;eO3ov*iG%)>cG7^f z#a<_El9o${m|n17ZMw|<uIq5;+s@ORamRn;hvaVO9r9816Z7B9KQVWi=b9z^2-|ks zg|=$Eh2CM^V5OFAmXsyn{fT#j*Xwz~bCu^n#|e%@^KD?pDFSv`R0YgQ7X9kWgrzlr z!RODml`boQJ3;w~z@2D-4>ijpu6tUO8=8UR%>pCnaYZ0rs3dG`*$5w@HANsGC>#p= z<}@@mGmwqXh{m9EcTtXEv;@FsK|=>i;2^F`Xmt^!4QmgmKLn}o%oQBNLSoQr5{OJ4 zRYl+@s3Vw*r(3~7u<Oup6-D4DtYkUhm@Pnuu|Uu&xC-IN8!|W>dTbFa94i|2tpIGU z!#BG@%?Y1%Sju$ynBsE;q)k=p>CMQuq~_FZ5mS_b+t8Us;Bc&I%n^$>UZBYtyO4CA zTIjAEvn|iwg{1WWcObLY1ALenaAon<gYk?yv7n|#Ojx${S%3|nRA_a~$LbOoK0gAI zs?ckOI6`b)j$~}j(K+&Q5%}ez`9OCG|22Wof(9m&xd>kJQ4#njio;j4JBbjnncftF zQIfyTu^}m4KBN#8WPDS_a8%tBePZy&j5tjHELIJ$Q#$BWrY>j&%j&BG=#l6YTj_*? 
zy*WyKFjsV@Pl_$``3w+<FXzZITmbcK`ndSi0R>o9xok<z(i40Y3upTlEvZ>vQ3-lU z<=mR3Rh3JZ!2w&Sk?Esi3wAz3j@K@%tXj0xS3Ad7yQoUTwq=U`b+N6qt<X3ZsF?pO z(kxG0&}9U2POfWi_bov#1W_Y7wg|v<5hj4Szh)dERiPKF<(OhaLM`#UT5=JtWM(t) z-=hkT2|J(I1Q6v|J2aTf%Q9dBkc|LotPTDN@YEDv-!(PP=o*<(Y{{ULa2i^NP}4v& zZfro70_O6oDOyHSM=!CJo>ruv$Ti23Sh1DL_E{me>W(%Rh@G);3bZvgtLVRMkER#X zDD)@-6gF_MEEqHn3q+6>VWG1}aHeZV6+3cKPmb$#Zr9j30(Hr{&5&uuwsTa%V2nvz zCv^xh8HE#v_lD{cU;v6TH3}lOxq7;*f)F?VOunjXwVG&Lbz#qpCsqXi$!f!anhPZn z)nv++7u!*A7zce-0JZ~aiX#o_Ob}FjQCAD%-3uklF+k=NuO@?@&9!2*$oSm*Av42t z9*nGFAX*%CG2ilLHQ=>SZZQnH0EXDRh3&KdkGMr}(Ktk)HM1I$FkX;@ekroOBPMu` z#kF=91q0cFb<B?;7jR406x*oK;%;!{i6UNJ=xoHd1P(rG#)Vmlbq%LCw{>JDa#699 zwhE`sqPC4#Q&mVlqdMWM3#1Z>?Q_RkTWm2@0emjhCxhp1M1q#A`YkLbCs<h_U)6?0 z2X~a1-@JC6&KK_JU6^NBMVW%?05W5pUhHH=bAg;vb?XrSf6baqxuc5B3d-$fR;Cr1 z6}X<pHD}e?Z5vy0dNt(=H9pl=T3TQ;N3obz4DMc;4#tWM43FcTNcE!4jdzwQS6&1^ zk8*G~Rm-WbKg<;|Qz+U)a3t0i=pFXI5X$j%0zA$Gj7{#Us%DxH?ov>pgwA}zU|6n} zVrL5Q(uszS#&x0(WKOXeK@SjT0x|GWy%zG`H>(XP%`-)-c2QIV(pNKok5=ZiiLy-@ zcLy??`GT2?3_P?)16_=i6zmwzx^iSXR$1)D7Gr`}OJieO7XSe;G$7O2nOrQH#YAQm zHvsUOhZ4!ehGs4N2AdXx?UdsPkm*td$N#@(@?Pq#@x1D}#B&59`fqeQTsOMPoe#m= ze}nyX`)d2awkg)9taB~@##_9_{D}M;`1E_}rL=}TBYh~fnqK=~c_#F@dy%(s2FI}X zET~;kQMZVlweT8Y9!uKsnXJqMg{asVe`i}ewhe!~DBy48ZX!v%RRe1UbFB%<IGWlT zlT(}9$`Y+*?42puS=Jcws|jin{zS5|p*`VeDH~L9OLy<Ad{9bwXdy550y|W(*VrL7 zCSEWs^hF^5_ZN0(S26K`z7bGe*p2nGx>$yu`dTdHHAudqiTBui@ea+aV~;UE)xF2) z@O!~&c`1Q+16)E0Z4@&LjUsOn_5vEb7o(V=A4NECZR~CoVIIA#yZ7iqqsW7y?T=CP zH1<x<s`?(r6XP(syy5OIRWFvWHKNn<TqNDHCG#_YSyfT0dymphR(U?4em9ea5}L|Q z%b%>^)I8|j{+O)p-gu$5^Cn_{v|ZgB(@AhzFmK4akswNF5-cw?imyf86TQ)F+akcx z5Tofb^sB!D78!h|8#}u?5-hmuy52~3S*_eN^eK<3nm3#KYgz5;1VIYD+!I6%(}(bN z4Ql?Z`b7w4qWb)5Yb&hN3}jw29)i2k43y9`Bb1#T5$kw}(WmzK%y;$%0Yt6hKvaJ& z5LJym>&wPV-Ukrvyl}QgoOX}BH-PR`^6ng&+nojYn#R6S!9A9JC*B9WVKvrgYs^Ew z_8i??mepqS-e_~)$^K1fb9e95LVESJm<j88{n@t1tNyd`sllmvt9)<v>~jC|xSze) z`Lkccu<5Mnor0!Da+MLATX1OD{(_OvPVGH1+fc?QcxWNlin>iy_a33!UdkhRzInUZ 
zUQj~aUe@%MX1kpupCO$*g?9f$?_{TG>;yg$=A~`z_@aXMpjbr^ajdl*ti~;}@Va2{ zRY)jY#!8n}1nb$q**dCwC+S2J3FIxe-G~MyRMDK;J25MooEaU8tHv&7bb_JVd9Fvh z?Y8jpKD=PJhccr@yUpJJAC$hc>->K&c%Jaw;knY&=V?c5z`34?$LDdmzi_|fe%}2E za08dQzvXUmAMc(GEc{_^o9i<~4cv+Be>c0n>pI)D&b1WS_9?D|U9$5d=c~?b&YwAN za9-#<!`b9q<UHCr**V;40=ECRj;9=VIj(i29i5I-9P=G<$Kj3=`&af4>@V1#u-}1b zgMIdP`^omX_K4kQciFzMy#rMIBeoyeF0*~h)?z!}Hrp1k9cHsxKePVcy3_h|>&@2h zTF<twvo5tBYn=j|yNnzLuL6niGs_K@3oU0@nk<WeWuI&rZZVnvWd5!BDf3<CYt3nM zC;S%Xo8#ug%_Z_z@(1z@@)PnM@|Ez3XqQix=gJY;C%fnu^d0&<eT3ddFQ+|p13iIO z(I6c~?c{IdP4WzRklaEpCg+f5vW!#^KRJY$rH`f8r0vpu(v1*#{*N-K&p;&&M>e)W zeFiG<wkv}bx?~aHZBqvI8K}V9stoEgP=U8a8PsQ>0&lZ2sLwzJ-aE>mJ_8kaZ!3fP z3{>DfsSN5fP=WWBGN{i$B@IIspFw>FD)9Q0L45`)@Sar$^%<zZ+oTNYGf;u|j54Ut zKn31TWl*1i3cT}`L45`)@Sau%^%<zZ+o25VGf;sC+3Pb<fd|>^Gf;sC+3Pb<fd|>^ zGf;sC+3Pb<fd|>^Gf;u|k}{~zKn325C4-Z7IZdQtrOKc_0Tmv5QyJ7Jppp(?qSq&& z0uQ3sC!hikqSq&&0uQ3sC!hikq93bQzXO=)^$Do(97L~AKm{H|uTMY)9z?HCKm{H| zuTMY)9z?HCKm{H|uTMY)9z?HCKm{H|uTMY)9z?HCKn31a%Ah_06?j)FgZczi;6d&6 z38=vPy)vjzKqV<m_WA@=;6e8K1XSQb_ACKaHvbEFki9+w6?l-nJ_8kaki9+w6?l-n zJ_8kaki9+w6?l+6%Rr@T7qZu<pu%&Iz0LR>WUo&_h36o9eF`e@AbXaAO4kNtug^h+ z=iX2T^*N}(vnzx898}=Ft_({0`bwCbSq`e4HcBAp0euoGsRVK!&?lh+Z<8{BBvksc z&nN@PLZ#>JR0fcSO3yoA89*K?J@08{0EwvdydBB_GEwPyNVtkrRC?ZaWdOOT^t^4# z0FqJZd0UkMWTVpawkQKgN2TX&RtAudO3!;u89+iRJ?~Xz02!(DyeE|bq@>dGUQq^+ zlq#3!h3p5Al}gWp?2(pA&x7psd8s5Xlf6DK6?l-nJ}(t`ko`JieUQCAFBP7H?Dcu6 zz=Q1dd8xpI?Dcu6z=Q1dd8xpI?Dcu6z=P}?jD3OZSz@Xj{qtgf8DN>IbiCgw11vR_ zj`y-MpwCT(HXwU_ZYuD8s|@IKQ%N2sdwp&y@F07AZYuB~dwp&y@F07AZYuB~dwp&y z@F4qT`aXNGzYOSeQ{g$tUZ0x^Jjh<3n+iP0UZ0x^Jjh<3n+iP0zSh_-WWUhJgX|X= zd64~lBkv_;V4jipqB3xtk@p*AphnMgBk$J0Tmuhzw+5;WJSnCO%rWvXmsLjI3(CN3 zJ<rAF(qR6%*jyUSKNp)zgZbxTb7?UDTx>24=AVnrrNR7jvAHyue=atc2J_Fw=F(vP zx!7D9%s&^KON066VsmLQ|6FVx8O%Qy&WZtp`R8KmC~B0|uayCV`R9^;r3@I%KNnj^ z2J_D){f{zWF#nuP_6GCM$z*RZ|C~(r2J_F!WN$G4oJ{rx^Uuj-Z!rIyO!fxz&&gzO zF#nuP_RRdt**Ba__6GaU$z*S^|C~(r2K&#+WN)zloJ{rx`_IW_Z?ONI(o@QS!Txhf 
z&np84`_IW_Z?ONI(sRmy!Ty8)rZQl#{~S#A2K&#!WN)zl98C5G`_I8-Z?OLyO!fx* z&%tDGu>TxP_6GaU!DN4+UiJ<qdxQPwV6r#Ze-0*lgZ<}VvNza&4kmkp{pVn^H`sp; zCVPYZ2Y*s!z+nG5nCuPqpF{ekGGMU(;A+a=|7V+iV)DM^y~f+@^?Ux~dC_x?r^<7H z`z?68&vW}+@8dnb4nF%gJ1gORe~05d2Rsby_rjNcf$cNfQ?}D>0EOBl>vroV>oV&^ zc#^+vdDN1&oM0Jce%bsz^K$dS$O3SWe2sht-kp8)BYGn}i$=+_<Ti3PnNLPYe?|tu zCdqI56FRc1pQBT?7Sl-gdUqro27V|6P>Bz5l7Zq=flGj;bT$KhaVAHmoQ{i&whn-z zS`mw#JvB46kQHxp$76ASJRSgUg#lK5jk;jTZOGWeVUi55f-C<dqI-AxIuX-7l3Ktj zILRFdm;2+vz<l89^@TU6k(Lq45{NM^$w^E1jMRKqY=gTz7V$?yQPyo#+L>TL4<HD9 zNTFk>2hC=qRL)7wW983tW61tcJXY13#D$EZ1dwLz!+Fxzh>)|Z6TYr?1~~%grme%* zk!WveXiPLsN*%{4s&L2R<^E780w5!bu;9)K9}o*n3@E_R3ZYaDdvb+4776(y;UMcW zqE2=IH`8QjxS?e&uyLL1HYEM2xvbCvcPJe4heOe&DxkGd4F=**CK@{u=w3q-V#O~Q z!4auy_I$NF6pQ*J@vsVEWr6dPn70Iay|#;^&{>bhrRK1QV_J_w$mq!W%YtTPd(f1s zvf`nhY3?X4d%}@`_7tW9@KF`?!RqpDM1OONVG@A6WupVc)VI0~e^e(xjs48wJPf+Z zvH+}Q7~9I!Y}S{C2|;|g49B>1e2pBr-FzlQ)WE}=YJd^n1`!fB_eO1es*=?*&0QWu zU!(YN&qlpk4U?SAD9`-VEOkhBcPJVIDlsOsmW!t&QvkZu3<r@8Ra@0jvOY6F3M9!S zsw%ZVRlypKPKaV+L$LstxeqQdO>G-|@XhE-BrCJ)p?gB=SoZu3cPM~06Ao}#6RKrR zHNdSyt$A(2pE`!ui;u7VKma<bPLHZgJ_wg}A-7&%Y9@O=?2d-x{#Yz9n@x*eYQs}A z*drs|!SXO3Ddz#CljBlHGj<HCq1<0y9-lc=8-qG#tvfSQ)7eAICIzAC(MVu6(hs$D z`Vh*i4VtVz*|`qj=(X#7>>AJq6v^t!+%-2nbrh?h*&V_Z2ZJFE^OjK8Yik!vZNye@ zySP4NTJ3AVFi(R3J7=V(vC?&u!q}+d@%S#9N8U^yZuXP9){jlaS^1<pf-%M;q2)*- zwx*l!6(Za`1DT-*s<t9!CIi>2yI^}mcS~DCQ$;Gqs_1e@Lot6K9MLXSpx7HWbhV0r z?yD1>8xsliyuH0e@bCl=B%GX<Dra>hFi8P_c`Ue~s}txpEYJqg3AS?-E;}U^Wo74~ zEY?Ul6hg%WHYSksAQL|yacQ)Ow4qdlJ-)(S9*Fv5;V8pcXZ9wviK&A#5MutbmD$Qc zwaL+`Fe_B%4u|5Hr0~p{OPZ7GRfi|;ZZb9%Vh=>!p-|Xg9*oYM2{EXS1X+0A*i?`| z6D>z2VdxXbGa~gy22?*K6=2WIb3;=xm|$IZYa`UB6>D8R7<^~80kW@pleM(1O_rz1 z*y9Vv1R`-X%l0ZnxAt|h)K1MT=O;F3oID919$pK;U*`TKo|?)EE*=v{Ha4iOm^4<Y zuVF1v_*l*O1+{25E}5dyl%Ew{>5c*HQyvc&EZWt|W)9nRc8{8nn!?J>(1sS8kJ{N; z=SybBsBRn+Qb+RVc-MmLxlAwE-pOzR*p0`fj$qGWpH}-3Vb5vnI{VPPRH?eDS>3@P zBot6j@&<M&wl)FE>4R@YCw!2S*v)*2jt(4Qh|}EE0`Wm?zOGjOTND2q&Yj7u$p!8> 
zHj46aIXkQpXEY}G>7YK#P?gYncHFmgFHcQUTOWm;mz{3Wx^-<EeE=e3l{I3oP9|Bz zch-`6PO*iSsSf4@>i{f*=EmlBs6RR(no1s>n#ek`cv7r9;*SPmORyE7%1$4P`h=|_ z$+|IF%;WLLSC#5k{o$zztoU>{&O(1I7+t}@7ycHc7vY-}a0=_%nvx4shpXLpyW_al ziG+f>wW4lknf;)NSpciCV11n(U2v*uVl#CHHjWNoU0p59zt-HCn3x*R+C9b{4#F&m zg>u@htX)#a_HG``xHdITZQ1LNV3kIK!HUz{nwy~48fdk)qZ#V#<E^U#%-JZ|NsawV zzsDbu8q1olcC+Isg1p8E9N)=S6_Bu6hvzPZ@YGc^Ddl4iSEy%31UIJHhau-K6{f<? zms3+?)Q(oU%W-H1;*rU9bxY=y`c`01!Jyj{tqhC}qYxEq+X~hu4gucK6t+~^Vc3k5 zg7rJeTjIa4V|62&8a6YiW>spm+L+%Rj|ZVnk!-*67JNHE39MyoV$AenY4J9wrlRWc zmh?@oTd;IdS<QlqMcKtwIzKf^ZNTmhMxy>Ol8R{qpW<t3PO@!v3Y$=LvT1eO89Ab> zTVCx;szKKH-pd<ZnL13Z?npQ8ko}SJ(4JP8Qx%$HCIB<fuvlBycCi(s4QgR(q*}il zr&kEJKxR_QGCj=7W#hU8_CZmXKf9weW5dIN$4tm$Q-`v7PeMOq{#Yceou+J#5||`5 z_NMOEh7DM}>OPwg0p)yav|Nwakq=>2)Vl-a(1)n72iR5$vsAP5)U}P{Qw5+jB|0%N z$;qjMS;0zoC=$ThP`5Mng@Wa0(OZ=ZQzOK<17S99t)G~q#ujFF@C=8I=y7vSOm-}o zoHfe^gY||3xG_<gI*7I14U-qIJ3-Ou-PgyrOl>3crw(Mbz$#}J9D2o72FqY|*IFN5 zSQ6+C+ZLLzf}rey6s|*IySRhl2!PJ9MSN?|96#90%8p;u02?_oS#_yl>c~g9W3c?= zu`oQF*O#?-upA!9(UkDPDC%g&0XaEiFKI7nrECQ>sJlp}HkgZ@FoKiu)B&s`jqW(s za4Z-%cBHlr)2+sA&h|trJ29oOqQ_uciQ$bYa~O)PcmA9jUzu;ooSGw3CG5c(Y$-T! 
zqj_!2pPjoBr=`5?=>&|F7_*0rJvy$AP2X{KwF~ollq^emSlPwUzzC)xuGs`_U7gGx zP?ydbo&IEdqER)EU}a59xp`~xKsmRdRPEMEw8CFPH3(5O*#+D`JC3oJLF)ML#FUGb z#g<+U12P<~Qi13`t*j8k@pX0V{ePtC6_a<R=Pr-p9zguMxroGPawP0q?9*(I+LG4K zt#{&mei`27FGh602>p=!i}a9b(h3y&-~7|vy9zi8L!i#^)I3<m-hh<$7<jj;cV!k_ zR<k$YvOFMAVGzy6#A^0Vt@?ZdO{1Pf{<U3rfh{{d5-f}OS0q-~S7golZ1!ah16j69 zsARbgD#?~XUSRZ-fp^JC53si=oebLjq(ZY4GeU{>%Pckbo|v7bJq%sWapHLxqWv{X z#c<-;z~wMh>u1+4@UMouVpDx(M;maDEI>m&kFScIK|{2jpaUr3W!@;`-2jwOLPNA3 zUueqm6nDQ&*~;D(*(s~un}wAJ;N4$Sw#$VT)h(>L#q;yl)pFgsis$WDyPGABBJ1v5 zR%nv)gs?v*Dbc$$+qS?YMu!FuEd)vIY3;4cDns+$D8tvbes`%1`bE4Xv4*(|?`jcO z^)AtAM{IAkBPO(Cadw6TD1B%-S@y!mXpwFs3dZtwj@_s@N@yEVZJ|*N1t_`4qX3qD zVG%6*tOP#6?^9$wtFb;?V?LIBWbXoWW*G<P&d3GUV~2sKtoF4C&W|Dz^gck?>o%`l z1)1&{(K{dATg<yREw_7%@n(SNGU79;xVupw@u?Bs^A0I|Ug%7&OW-m=eW{q5-NqZU ze=1Wet~XYkFS+r(^U$@GylYjtUBmlDrS^W26(E8|;3@&WqpYbRb+ERsUaLNP0@Q2O z=XY~d?{Vnn3f|3Qa=WR%qGUU`PiI(f_w90u$M@D0kz>KW;gyqxfZqpl%v7J-z2??> zR(-x4hxN`yHy3a@Mswwusb}9Vl1#O^-Q(?M6BzVZd#ll{3f`^K+-|YYUpdiT)ISYL z@6-yjZv%N<8QD7rT`9Dcz{tdH6LaLpi{rkP5~{A}_A9F1rKC!GtI)khE~$CBl2R>S zH8hzoWBKmeUKX;gciGu7y|ZDTjOU%*!@MOGix8J(wsF_XZgLwpZe%X$Y)AL+<|VM) zj~77pt@Dhs*?#`P!I<BQz5kCgJz(;V_T1!|=)TQe?|ja=-Z|FsJx2)0`#$?owhrsx zt!G+8mSfFN0Sn(EkE1`NCzCGeAJREe7)8H{pYGnX@=yLDItA_NyM1-<nR@#rytkQJ zaLc6GFWrSk@wM15-MwcNYCF#q+aK=-@Xy|uwcGd5Kbwal$a`n~uNKA-zmC9vO#6tU zW{zW@>+9Kv`|Lrky>XweSCmNJSB>2nx{;WsC|!jn>ud4#tM2X8k0QFa?;OFXc<D$M z8bzK^_KV6L-`kN@xfy%*s>na}<h?TQFO@6ysYn0Gpb`gU#;DM=<FrC@&D)jsi(FfK z+p}`rn^*As{8sx*uDf~#$MtjWQm#{P0Y&B_e!*psc2#d1)<e#R&pfZ!-7M;9B0xrK zp;^n*w*4_{-Mt$MwVgMT{n2*M?B15F#vHh3E3szboLc|*@%zLo+LO(n`Lr^yfO_Lw zUya)?ylb|uEn8AmF?&Ikw!5#_?Tewk_ESX(wWfyNQ!yKwi}Ns^jW{xOXkTM+^ST_c zvPu=xq$VM5HuQFHckz&xgt(!1UBTYweNo#B<uUda??Y>gybo2WaFDqS4#MudhW<XJ zR#-18%zI<3?p>o3Tx43_d9|DMjuP55CkhH~DCV9~aJ{bHCM+)gBH3@>)5W!Dxjzt_ z?psl}wA#-DcI0WtH?cWm<IdfjS!y%=$v55iO-7^&@WhT#L)8paFU1WVtnO{pX-|11 z&t}_=_Mn8SJ!kf=&T3Egi!Hz)8fZ#LVlS569)IlY?rlKhc~_}l%X!h=drG0UzaHym 
zRd0RvtlFDv++f~z_)RPzSd_U7s1jfggMza6|A(b-74rX|=AGbGJpb~12#<hYdVcD; z+B4wkK$g7YJmsEo9*_G=_j~SNxgT@?*!?|s%H8Td5!vuU?$L-H_;=S^u4i2jxqj%n z#C5LgRM&FXEZ0=mp)QN_6X)yB9nSlmH#s*s&vdSFE^*Fu9^pI)+5P_F_?=^m;~vNL zj`JO-J61auI*vjnzXR<5wtr}U(f&*OPwiLR2kag8RrY!In0>t6Yx}3|ecP{XkK1my zU4cA!ZMKta)wZy0jLiwe!rRv8tPdme-KEy^tm~~Std-U>>qx8B@~Pzw<hFaj@&n67 zma{BtEp?V-EJs>KSg850=2y&H&G(wWZ@$31(cEaRHBUEBG7ppgBmWWJ3s1^-!hc~< zPRggq3*@8ZN%C-6qJN>U&~5ZSdK0~fo=uzSa#~3PhydUqpObgU|B%PX?c_?*N7~8B zWG;yiA8|=vNbg9`OOHrDk}iYTO-kC}j~XJ=l(fMgHALb{+Tf2GA~7Xx@J9`iawTo> zM-7pvk~a9G21!Io8~jm&B&?(j{-{9`Qql&0)F25e=`OuLOppYWw80-WNXnFS()ip| zC2jCW4HCbSHu$3k$&`{b{86Q>zf-H}yCrG3qvo>6ktJz(qvo(SkRwXca7NX!N=wr4 zMa^Ngu)5%in#&@SOVaQ}&0(#V{#cTRBWf;-Oe#sk4^_vSSdxYtY7Xl#azIHMUZ^_O zgpxFzP;*!#iLE3JA5<M{SV<Z#s5;iTk~BO}b6KXBOVV&a&1I3pOVaQ^&0!tNs)zfj zj)l75eX3)PFG<7sG>3HvD+u3H9Sa5Fda7fMElI=kG>3ICD+tHaTow~F{7!RO#HXYU zZl?iqsFF6god!%VD`|t<X@HDT(gwHFGGbHGb$T@`BcqhG!R@q+9HyiVZl`6e4TIZh z85yml4Q{7XSsMno)2XZtgWKs;)`r3DbSi7Z;C4Edj8xJFw^Kipfx+z*Aw!h3!R^#9 z{ZUC9+)n+h4TIaMpB${D^=_x8>&XZut#>;G?;s_ucRK~|KqYN(JB3;(X@lG8A!L}6 zHn^Q0LJm;U2Dj5g$Z#cXa65&zC~1S+>A|c%gWKuBtUiO=>A`Hg2Dj6LiK3(pZl|Tv z`%2p2c3MhYO4{IdT1rZkw88DP)O3-OHn^RZ60edrxSdXBZG`puH<`6za66q$JWAT& zb~>50VQ@R0Ox#M^;C4ERwPA2Ooy6KOxSdWSP9<${JDtSZFu0vgA`T_3cRNKgJIsgP z?bLJ)le6CK6wld}wBGI1bTuohcRK~os-*R9r>3h}eR{W3JZDkT2Dj6R#H^$ZZl@FB zCYm<5olb<CXxiX*IuWkgX@lG8MClwQZE!oCNMt2#a66qysFF6golYP`NgLcwCrB%l zw88Ck0+CA6%<WW~-`u($S7b}uq{Fe57`#poCphs9UZ>-w|0rpL*Xej^mXbDjosO6O zt)vZJr{maj!}RJmPWqRU)_a|ru8^?p8oW-&!h1Gt@H!m}Pt>%*>vSwUQPT#m)3K&& zl(fO?bgcB1k~Vmqj)iw>+Te9MR+^+B`<l+1d93tLC2iO9e5`*qBM<$v8hPlS#lU0z zGaGo)ol06Z^1f8k)X4jXk|uiI7}gib$U|RDMjj%YoM+&nFM|dvZw!leVzBbYNEa%D z1}krj^o25Lu<}NuFM|dvZ#3p@&|u|_#=H$0th~{zF9s`bwDh?$Xt44|OMh1eyY%B2 zE&WXyG+23~SYHfQ-YC`=gOxXm^~GT2jbeR)m6z+)K1%vb8HAaq=Y6US!p_U(9md*) zp{M7eU08a09@>Ser{l49Ve9F5(kIFwj6FT?ugV~-Jw5MZWf10GE^j333+z2T4}F2b zr{|$Bu=sR5))$z3I-c~AG6<Vb&qH5e^yztjQ3hf4<?;??eSz7h=b<mK`}92Y1%{uF 
z$NB=xPsfu6l|h((dftFC2-{E3`?E3#<1d#t0>{=MtUo>PPs*Ud{2Kw2X3${%jgUT6 z2AAo}9>nT1n12VEE>;E&=HEfmACy6Z`FD`?LCGL9|FYY&>AI=Ppuze(kTqej{tlGh zQw9yz-+|J*C4<cR%c<^iRA(^$hU3s0G#G!wacB)1jKATCZ7^ss{)V%eG#G!w5!+zU zVEhe7Y=c3A@i!c?4F>hbAHuRB{*&JL18;|ecAJhh-EVS6oOV~AE9QLJdA{>xNiw}D zEs_qi^^;QE^FJu{nC^GC&>7T89wCEd9dgW@?Za%(*{`#nYz^2?uzcix%d**4XX&@p zI8x>}t#6tiGGAz3W%fDj^5^pV@^kK69Iwe&*k6+;%gepDdB=M`x8CM?+)?i7^-QBz z(VZMbaD-eva!=p{>^Z{Sev7z^YcAzd^%yxQ9z`y?(-SRiYNnGo+<9WrxapBY<<gN7 zs)E~u@MUJsqOo{jSy(<HQxxt+iL!>KCivzgRfjkpD;OSv9n6I;5RLocXlr^QAlGHe z!1=As-_;HuGM1W!d6%u}f+uT|dA9`Mu^Ng-Oh1ds4WdA1C~M#|ljKh7SwA><ZNj-O zjBldBV9@lBW8~9v%CV+!SpoO)uI3iFpTk8BZf-4Y+?R>@_cXVwxokqwus;$FneHu< z7mM=n4Ma*bMAK*fd2oq>pH4?&0~|VAx=RCaKn}$NrfX)(ZJFm8@Q%e<fSJ>_ngLNz zA~ALCRMi7T^^o^9u1mm$r!-a`f&*;1X~$@}j1^aX?0{a;oJE6iI55Uzrl%tEN$k(e zJqUx)oVZzcRG--{j6{uPpbDlOeo66o*!1s(<{mGbJFQf8M??EMpdBZ}2PfIQp}D1@ zqg3@&X8x|+bq|Aslh_*MU*bOCEe+j?4(0?JiiSFa@(NZPL}&0?gqwvLx*#D!B*1ST zex{M&bh(-JdM#Y>S+|+D6a0W#5C-(TshK4xV0RR%C!?>0DPJ-agNte)VA^84)#Tfi zs)x`U!aP~wUcKwE3tET<spcee4|I8t%Baqns>iD;m?_X>B!fX;ndU%KGcMYJ035mk z!RdZ^!AP>ZfDT&R2WjrHauS_aH6K1o&G6{O9Knq?M?$Ki`kB8JV?yDX(=nW0{o!!L zbcebsw2WxXMGgMn=v6nAnnj3)cERTm;WIGN?GSM%B0XR=M@%n{kjJ8%h_=w$%pCDU zQMjo_!lt*q^01N8()o2EEW2nlh+U`>Gp9OT7W8&zIuS09m^ROV+Dmm^?JTf@FWI#^ z+1L!%e+Ix}u_E$Rg*((HqimH0!;AfLElR6#9hm3mMwS~1ewr=J5tm7NT?2ruP35@7 z2?fISIZvy>6PTxZ`#LD>`b2j&AVdt#!5G(yiE@RgJJ*F#^$EhtWxlB4P;mKLbI&mt zs@ezEB-^mKD>}BO++~H)HLk;K0oID!PRvz9D-W3fC!@|pSrbpgsTRjZfoW6YdW7RF z&PK%a)pU71TRm!F-#Vmof=iNbO`;*$%u)ei<m(X>g#~0$Rd2OAzyRW~L_)EXj)A%q zFAG-|9=igXg6&W(zi8IH*>gfMICH{%`(*7nP(yeidW&yzWvS3AG}qFwHW|iUXfPZ! 
z-K}k#opAH+Y+yTcndY_XhhHRuL#TP+)FxP92JVT8<drc5d<lhPrl*gTYuJ+4JoeBV z)pt`o=j-flPq5%Hu~5|XKl9B!cK$FEJla{)jA%2NC?af=P-lxdnCI-)>Vs>$_?W|R zU<_lweoS2v>e}9;KqFdY5^45$d77AhV`!0b9(P2loFLC&{p30FI@{L6NjkeXM6lV# z!a=EN5)>};6n0WL6RJwg7A|P<Tw_pP#z&n*iWYduGe2kMFYm{yMLq#+GTcEt8NptN zGgw+SR*td~EGCRT5{VY1M5=JSY?{2Q-BSFmQtsw$kK^lL9CHZmXkHBsRwuQwt!;gC zg1bsV_&Fm^mdE4p6c0+xRq{Ea4jlT>h{Rsh5{4gpAR3j{WqQKy<y4R1J?=>yv1>x1 zfV4KFtdr{Jwk10!!Am!>rumHBjf8E(i1;C`QI&Nmn@_`tH#D@uVVn6m2cZL@SWHSx zk>_F5nV1g+<63CZFQmXcbB|R!otQcE-vn*Y0zXKl%gsHb(DFVC!JtKSkS4j_HpzVa zi4HX@7R(B5z8ltHM`4Bz(^?i(r#vdP^F1URQ6NA3fEJ=a8p{_#_EAId0T$5)(Fr7< zdS=$KcuZL<j+=HYw#0^p7MAK0v1Kp;Vbd3|X55g2R_%Z5E3diSOCwjBdydRjx4TFI zd+6G)1q_f5)3&xD#Uapw8Azj6nS1=%u5y!47bfMuikhGWV~|E;Z}_&@AHLCl<8mX0 zsrl@xTc=3TR@DmAKEbU;@LCaC1aAP$Iu67F(pg92Y=u=L^q7Ui(R3Ma2`r?AFfM$E zn!s(NrVz9+3@vQa))$T}geyVRtIU3gw}PDQkQo@c+aU|oh3%%XnVFy<;Z@2`@)!bt z1mhv;)EaY-Su-{fMI+h9BXwoYGad+y?^M}vQm|#R;nf1zrb5B+O4V}UCmTYvz-(hf zXlY3>3r~&irXG~pvm}WZ4@5zO5fnT+29a`$7bj?w8p({AINV;(?s7i#PtEPZ48?FP zdZM~Bur})|>Xxd##B#)0)z$?8@-P|YxI7Qy4e_NO+1zs$Z>17ZL|CW<?e!%S6Cvk? 
z0hXPJI-y1mo8rS;BR~JNmoyeogtgJp*1|&u@u)o5jJ5vj$_L8viWCb?z%-8Gov4^q zQCT(z|6%b<SSYJ9m{}}E4}Zm&!c65>t`|Hq%M$i1+j3wVX?gCGu<2POkurx_lA@&7 zWL{{lr2mlrj@$0vd++uB$a|fadcN@d+4Gj?CC^UJFFf~qZui{ax!iNU=R8lRrx`ea zI%EQv;R$&rc@Fa^9t&~;?vNjse<t51UoT%Or{#0x4tXu&<u8`!$kW~bbbmy@N3G;5 z@1XZ=?@8`=-M@1`=YGolp!=upAGoh{e+L+XjmRR<;9ib6OUEK+(-H15?%{5`>))<V z<p6z#K0q%(zQO0cM|nN24_vRge&yQgdc<`%PzKi^&p^NHOjnz$$#sHjp{vprclll8 zTq9gAm*o7r^N-HoJAVV*!Q;q0aGUdb=cUfH^BiY~bFK4a=VJO7=N#vBXTUkZd8pIt zlpX&77U6AVBY4K~OUDC<cX%UwAub?yI=<!Ta-8a@cPw?(IA%J+j>(QujsqN4WGML9 z{+|66`}6kA_J`<Xa<ly|`z=5#Tm<ilZhNb}(SE#rfqj<uZ{82RZ+KtuZudS01j7`0 z0{tbugMN$7B%8fuq}M*yevsX1H`)GX`_T4=?FHL*+hewSk=@`r+a<O^+u63$Y-?;M zd8=%TY*n_SY-P5?ZHL%Ave&!DMy+31|7?9rK2(<J+w`}HuUJo)(lGg$yhmOk50R_L zChsNQ)4Yq!aqCOSjPMKV{np#9H&`#Xo)3IPr?uI-%35cgYn@>YStnT!vnp1L<)6rv z@GkA5qr8V(erI{k@|5L4%TIxuxRRbq5AYsh`3^EcZnU&m8Z65#^DM_&qLw2pV~|O~ zZvMCVQ}YMr*UY~%Z#6$+zT5mm^EKx0n)}UXn%m4x<`c|*^EmSev&$@Lo3TSCgh<2a z)7Ckh96|519wf+ntzJ$ZK<}}7IH}OPtWNR3omMj^htb<D|KX$u<iEuOw_5%#$RAoh z733|Jk2vX~H(UNH$QvymaPlyEgXMirjs*E0Cl8?4Ti)j62zssMWlj#GS6g1-qzB}$ z#RFGao)_emmS;G57`?)>lanJsKF!Ht^m5BKPI^FY<)n*VYT3-m5%glqFT}IowLBr7 z{jTM4!M(`xnBZPyd6bhQ=qAfUf;`{yGftM!Z(Hu=B%+Mc67fKv<z`MEL{pZV1h>cX zeNGOe-?CiKNe{^DIEi?=G$hDp=`2A$Lyr~YPI`<WpQbYexq}`p$nEqfL2jed1i6*Q z1-XUB1i6`(3-U=C7UbP@x*#{v3PGMvXL1sOSm`i9ZlwnZatl?Ugt7m^D&RGYpgXPA zqOzx`rl|<OO5L1`yDnMNR9u<Kn*REvFJ+lO;FJC#Q$cQ#ZGzk^TLpQitSLAy#ALh1 zMP(LF;);lVCCE3ZruJi`EwUuIn`M(AH_1eh7t()er0E)}Egakh(a$*-S3p!-IJo(t ze-qp-^h-f*rvDJ+Ci+i}L}g!a5|=qtTV$i8PpP)Za6Lpn6%TBtp9pdj{Y)cK!^fOF zO!|a=D9DegSew#c=^q4l3;nYoH`6}}aufZFMxwGma&n~f5!Dv&NYwC_;QocaDab8U zTj(RPF5VT~O;qdzsO%liJyiNL{hc7U&^H9RnZ7Q_P4xGI9Hg%ba)7>~k*Mr7P68ky zYfA)}3R%-%Kq+Kx4FP>2Yby&N30Yf1z(&a08Up-5*47Y^6|$!G07}T(x)>q-iT;+i zhWi%!k{~~%FADN~s_kdEK%u|pT-=+`UkUPk`WuZjT}-tN4>u-M+vRXkLZ9Og;C_TY z%Soh?p^pmkZTg5H-=Yr*@>#k=kk3$U8^pB+)wV(0Tu^Nr#DxWYN<6!r{!)<J=r07h zl|CWJE%b3gZl;e3@=5xzAn&G63UU+OF39ug7D4t=ZG*;54%N18Bw3-i@&}Nrh5lHO 
z+v%Nx+(v&Y$gT7zg4{yy5aechyCCnTcL{P6y<d>$(|ZNkM}IEJbLoS2nMgP+OX-g| z6KO~2WrBQ`Y8yC`w9uObcPG73kWbU^3vvg&UXa`AwSwG6uMy-{dbJ?8(5nQwnO-T# zC+X#ayqjJp$gAiTg1nM`Pmr7F4+MEWy+M$D^cF#$OMl2o<N=|5f_$B(1o<qzSdh=q ziv+ooZW83v^g==Ipce>oJN>pGx6!m9x6(mDZlME$+)Vogc{e>@keldt1$jRGjv)K! zC4xMcUMfgC?d4>N^cw9D<g4^FLB2xU1o<pIPms^ha|F4Qo-N3y>6wDuLAwRHoo*E5 zHhQ`sx6&>_ZlRrm+)R^#e3G^c@@{&DAUDx-1$jO_OOSo^TY@~7_HfcG{f^cP@@2Y8 zkiVrT3-VdoBFJaxse;@|n+5qaT`R~Pbd4al(<VV~qm6>xN>>YV3vCeOW_pSspQI}V zc{fc6auZ!I$n)tsLH5xNf;^YDa?*pfJ7175(s_dX4Lwef&(aeF`3zkl$enb#AfKj7 z1-XOP335AKEXZwiks!CyT0w513kA8EE)eA1bcrB0(c=YqK3yirK6;`c&!s1E(k;C} zs|5KZog>HwS|i99t=34>4my{UF6q}aD#%~ah#>oDr6A9xvpI?2{&cJ$pQB?0`7A9H z<TKPS$enbGAfKj32yzE4736k0Ns!y<L_uz)69l=19xlkubi5#+qT>YlB=rgMZaP_z zo9I+Qo==YyWFHL(@?09^Br*xm!vy&ZJyei8=^>o-;8jEu>S1(;Rg=R=keYOc(XH0$ z;@Pd%qc}O7Zm~||<OsUiTFyxqeafnd`XKtGRTK3H`j}N4yo)|+)dugPk65+AkDw1* zHK`*j0Ug0BLoxz-kRZ3y;haQvFnXIHpQR57@)>%cAa~NA3G!)rk05u@yB)B7%gA{q z?_=ImyoY*T!#n<b#QuNQeHGrrN4eg1-Q-HRhC5%h{>pis^Hk?ScrU)v=5|!tZ$>7* zL-3B;WNpH`;uDrDEUlJ9&3`c8h@5%b<SxVse34#BSJ4B>PI4aJ@2-$mN)!GIL;HV6 z5$VML9sT(Ktrzocr3v>ax0@`i!FRYgV#i0rzSE<1mALfsRf&+_3o_s4m<NlmMvd1h zf`|+MC)2%iZKW%VR2K0qM7&mfl*Glh8Vk2djS;Joi+D)zq^L+bd>0jkeM=cwLi>!y z!i%Wr1NKd?Mx+N26_Kx|*-DQo(xZ@1yMA7Tn{oBl5jSI^q|`FQR$5)8WDsGAa2d{W zB;$$}SK}23i{71V&J2Jyue6met}HCp07@gaY(tA0<(6GcE@)0RHRDS!3;wzRXajt~ zL{Qe*Dtttx+uLwg(k=RCy6ae5>4GAC%S24~&Cx>d`fAi~!>C(SAgy0wD-F*p*uBs+ z-&_{Iw2j?A;$BqiPgg6#+vnbq;u|coeq=^0jjgtoo>aI`p}23+lG>$Jl}l?7m$i0| zkNFZWSx}+=TCvo(q^fSI=o;zl@!CsI>KR$Mb1~l{eCB3;!3b2$!$`Bs&73Hk$))R9 z;9`yw0*0pnAI_1HVRds0yX3`JU&Oy}ox;LL<F1{DIBsjlS8;rcZ^%uyE;=NQ!@wpK zp2|=;CaJNlJGm#5c2B@o>MtUos1Lnv#R>tsLNsi;zYe-vQCJQU-y9aS8fE6Swry<n zp%5ZCbJgKfrOSVksq;INZKb1%bRs-CTq+(U@9*-#VD`aRj<S_j6syr!S5;TXCcR?W z(z#U&m)2C)EIlF9#v|+Or9C5ylnwcEGj(WpHGq61p~vh7n|)1Rm<tJ8f*9!<B#fb) z00|Qf(N!DJ(1aol1^J3e?5;Kj$-@13vKinFv|Xv)q^r$hGss9psxB^(pbt6jn;Q`g z9;+U^9x}q<)*v(Gblq}WX?Nj%2BX+ET3Q-bt7$~g2ZSy|++rpQfa)+>s5&amT?v`- 
zFK)v4hZU|j6xieOvpW_bxu9xH26bvg`s}dh)Y?inur{Q;lLR|$c9RC?Lfdy)e{loU zk=d!#>l)GPiL<bU7VdL!ns0d<hU}|_;MHBfqZPMn5NPNBWA9DiqbTqH@tN6~y{`cU z70{JKh_EDkCE+H75W*EmI0XqI*&O5~2M|GJlik)mVm<3^t!J%TZN2Jk)!Not>)G0B zTd%6EM{R4Zt=j(H&pb1`GqW3kZ-n&!f05S<p3i=s>+{^7=b6vZQP<I`l)!z4rJFx1 z=L+%_dscQ}Qy~3VABIGTWPKZ(ZF_h(`FusTVx=556q#Vj3rF&EHqM7Vsdqa@)w3Kj zJ1|<%1=k6(EqqUD+Sx|9du4iOUt3Fzp2K$zl`ra>>8XG}3P|&yTh(~%x019E*~Rch z4!(gP_k(YJM7(Wx`%HztW7nGVcIWPSU!nH2B%Pn@^Jj_jO)@<fXDl%1Egz!$gG!4_ zsFNMi@wCg**|~q?{Hz#)sDP(5(|UAVCco08vDo{1hsf>slvZt8y|%Kvs$})jic-(= zvP~YGASH`dR8%iriCxB1vTCtsWyz|N@-p&MDRYe9oaY;&MLu*>ujHM9*i~0@F!vUl z^X3harNFbQZ0&~1s^y-=71gDct5)HBQ!;Wd48=W^cxPp}DtR5q+f}CTYF5ijNzas( zc#Ct7U+&M>3ONR5t~swPS363)MbZ+)Y1-XGKKa&TT{rX)u?QtI_phP2jS_ERIyFim z4hXOtO8z#mdNR%VbSNgQ#0$H6R0MEwM_n)Bha_Q0rD}HLQ2k%x4SGuIcJ|^pklaH^ zdufInVcs5U^C<BK(p3_1P%4Y;S<&2pouIF-HQj9HUqN$TD0iRvQ3f#+kNt{@wJHQN ze=IfURS%KL?^y>s@sb=P>1Nt)vWruR)pQwe4c%RSAKB~))z}GOVh@gkR6Hy5DOOGQ z5VeEr#02kXlVpZfV%X%<eknF}eEDvb&J-Or{~UVi;D~N*mAwa%V#rb0+l7-T-IPy; z&Wt@g-F8oj;%f*znv$9OXPG%~L+;jK_g-7uMmhm?!Usq#xH{?hTMX7!vv+f!oQ|_k z7^0XWb$9067ga2wTmcb(RcK`XQDV-k9HMZ-9Li&rkygds1y1rZ_YCG^qW^y)vx<R4 z{v*!K@Uh{t-(q{fw!r!iYm=3+++`^?KWlC@PcY3fJ`bOMCkZbJt-?fR6@MS^Ff?+v zaf{iS%%!y75gnbjmoPB(;LML;_gdmD$g+ZR*z6_vWve){gk=pF0oYwtgym~8o}p@F z+X?xQfhM5FoW61sfDu=ft3Jt8$0S^r;Js*9b9i^8HhO%zL;5QZu0u-JE<Ftbe9AB@ zhCL2jhlIRj1*E0qGtCZYtVa-GC9o`w;Tqyi0v91{vr>B-qQ_+{betsFFDe?Q`69@H zuP^dSrg^+8sFN%hF^UvM$J&@Y**0m1meVU)hr=y%mXj@^q_@7ghcHEoB`1BC)^&H) z&1}aKp4r&3D<7F9WrqANcoFkvq=)jmJL$`WR}tIE?}EF<+U_tsFpz88q?08nVhHps z082>j2=hWSeWy@2aq|dak%`eUpxjF>fo4;V9fkPZ0)1_r=?zR7_#;JSab#NbSWsC+ zsoa^>zdmpsct*jS2Rc@BRvu|meFY8CW3nfmZ)TR+l|wOylXKFQM@MN)_=EykTh#$f z_#lV8PQ+X!XBGDqknGlw3<sWBGk<q@W?OSlS9oSeS0jY`Aw^aX*<#{-3(QkKa>yjR zvPp(*GJSDh0m)7c$)R9SU&n!ZIY{m5HAEe`NdD@3IkGis&+P37X&k7ms%q(xJnXdQ z4Yjt;lyeOXfn>l69bVT`10DfPlr;L~QJZE^{Mpu~4lpRlA<rXgu0hF~mcyP$;ix53 zk>YxyXy&j+KbPx?zNi@n>H>799H%xzEgx53fn_?mq%4zk6;Tt0<yfiiw$cq{zJh`* 
zb8QD07m`I9m~hmXtG|XdFuD3GVu=bi=Hv?6VR>siI&qlz3w%W-K`*iEro8pnltB!( z2fo5;rV;;$`aK{w57g7q2^UE1`J}x3l3)!9zpT{qD6g5<5cSnpbb$Ut4ypV4qJ~WO zDOTA+!<%jgYlk}08s#$kPx#<?OUi6#S$WRguLm$MelUhK{}0SIbv;!>6su}hQkR!f zU)M%i^tIkhCKxUK*d4+qqPL$|8)b6Vk#!giqmD@Zz}cB`TX&G-wqn&<C<Ex5dbq}I zC{x54gN)P`ex;<8T%+8*YpR=SiOMS-uYt32_T_Mxhph1$I5TG*!`bikbwoA|?8}VT zf<qavtfn66@zUPli0cQP{XeVVVV>cC&$#~W`n&5E*LAKdTo<~Mt^wCxSGTLh{(${X z`z`kCAYp%@J!v0sz2|z<^@{5S*Uw##yB=`eX}iOAqj05gfve87*)`oY$u-V3+S%=F zan?CELqA}gbF|X{$^XAQ-gCU^c*XI8<L8dY9S=C}bld`&|0^69I+Bh7$6mZTw7|{d zX84?3?kIItyOz63U2|Lk;{@Yq=U(T4%LZM9&zygEzUO??`HJ%e=g*ywJ0Eb~35|s7 zoL4w6bSCYa?bY_>cAM=!NGV)oOE@Pv1J32nQs*4!bm1Sud&29&%fd6l6R=8fhj63Q z=9pvux&3i?AD`}+1P9}z9X5x-{+a#n_V*z1@QVEf`(Asuy~SP!Y4-m@n_!MTV4rTE zWFKcAZM@xhgYgRE`Npps&op-1IorQ%AKBi4Rl}ETPum_7;^t$_C)&=o_1KziTW!_0 zrM7uCzip~*yiK%TW-YZA+f3Hat$($?ZGFZ1to6s%`>nTIuQx9<FEHc1&$t!#2$ve? z8U4no!m)xCwg*4v|HS{EHyA!Od|-IP@N2`<h94O&HY5yZ8+u@GaI2x(uoPAq{D!H9 z@dnXg<UWJl#CGes)&c7tYn^qYB>(>`_hZ975IFQ&CtAl^?N-+EiRC@ZYnGQRPgx$p z3(w7#HRgYrKQzB=x!Q7}<s8eIu(H?)>5e6qIhF#;6w3(~mxVXqX8wiwTJvM(dtq%c zWsaD4nOn@;%<If=n!aY*Yw9$GO{bYEO^Z#lOfyZBOve#@0kg&QAJgAW@0xyRdfxOC z)AvnRn9esnXu8qlG#QNlGJa@$)A$=`7Bm}28OIw<!soES_^j|_jM44F^}=Psxx#?3 zM`#na3mb&L3U3Q5gc6}pm@atuAMiKvR~fG1K9XOaxX+mBnMbHEg#-`#;g=>j8u|aD z9*_i`m<w0~OGVKDax4`^1IV&edJG`LQmHiN0_MLg70d$oJUhkM%rqa74l(mA%k_!u zw=6u%aaQIswpW5IOh4NrL9^I7>`ob)&34MrEVe^}irHeeU51L-HmSH`fo+vgMQkD4 zB10i|hYSVTW(jIzqHL1{wE}9Cpz+LAY=Z=yz?{d1X-A&V{DrkE;D@YD0Y6}^3iv*2 zQNZ_DvjYB^H5u<?h^!g@q*8Y?e_{n0dY9!TXczMiYmlM0Sx$!j$g(o@7EAN?G6T$i z&Fk3Bw7jGLf5kl@$(S>dG0gAj_(hoWnBP(GJmx9pRR#PR^NIrgl=-a!{)G9Bbrt*O zS4`8<;{LaKfR6S#%w^226#N>%TR`LTuZT`sYK-{?a~%c0!CcB*tALj<-&VkHGE|=c zDKBQIdIP|V7^>a?@Ir<vCjh*Fxl+k?K68Zvp2u8Hr~EfMnae0L%ACtkMF%Fz3^JD} z*c9_k1xzv*D`0}TNCD#vRR%z|a~P^30PyP!RbBx2HHNAa07T=IYy-@>(kAC+`k6s# z@1D`gq$FUvkx5E%Mkc}}B$ROs6PJKf_As!Ti1T6(v!D68gxYg9^EC>b#l$FZCKIK= zK4yRddzpR;oWVpW(8ugI;RIqQcb+YUox9JX;jS}j*t?I0J$q@`eFhD?`e?Xwj}%TE 
zvs(&J?${-To*lhXxTC#?hHc$6Z0(|9%T6gYG<VXlse^`%?KEs?qhYv}hV?BptlL4u z?afkHwyueWLZcL}t8Jj+wlEEA>S?&Oj)tdir{R`b8gAZ3!_#VLxM?d5H=a(z4O?iq zelrb))1+{*ut^G!S-X*j)f;G7wVsA+*3oeFS{hbX({NQ44OgzA;fmEXTwY1TWvggd zv66;MSJ1G0ISrRAqhVPE4Hqw^VQD!H7cHS-Nf`|nE~epvQW^@2q;T~75*p51D1~!` z1yVR_?tB`~nJ0z5!nsmdIC~Ba`Pnp_HH(JD#WXA`l0q?5NW)-=hJhdr{Q(;K{8Bh! zjE{yV6-ePp1^G10pGm`+UK)C5&~V0d8csizhNtGyFmD<Sr%k2d)Kh49$`l$-nM}jU zlV~_;A`K^=Ov95sH1wP#h3*qiq~U}KQs^2xo`z$_N#WS>C(v-*@iaW)I2s;5mWIcT zkwT|%tQ0!<W2BHfb~Fu-8AZd<A`M5mX(+mA=yuZ3<)ER{PD6)H3VFMghBgZgt!5fp zOf)nbX=oB?Xyj=q7>vAyWeuEwzyd~-VLlbQ8MSu0tp9(3q^ZBt)quPGYF8Qb?(<!f zUB|ne2e1rK<6H+H0SlZ#XP)y!=P^!;<3D%-c-Qee$Mcp&mLkVb91l9a@3;~7|MMI% z#~F?eN4;Z{W0j-SQS9(KCOXDC><$(_1m3g1W`D{4l>HI=UG|&pSK|fZ9Q&ELmp9o@ zw^!NA?Q`uu`zg4SyX}JQ-?qQl-h%DIXKat#erUT5{sk_vrEC$~F8DIsW?N@lW?KLY zhk3RWZKG{w>lfC)Ti><*&iaD&r`Ct9cUr##uLBps@4!K6_*-s=?!#r4b1egwJ(f0E zyMG4J-Z%e4(%&cA`!}cc_pdfzXg<e$rn%ePWL|5oFwcjNf@!AnOfmRW>@d}vHYs;z z^H%c&^C+{)^ttJ;rngP6n4X0PgF8$&n4ZMFd6mgvI?m)Uero){_=fS<#;1)xGTvjn z#dwYJV&mDy9^9dow*y57{|~~8#)L6oJXQEu__J`A&@DVH+$@|aTqs;E{7g9KD>|i* z7IU-*j`qNz^#E1j?Hj}XMB@I~KD;wLDTC}@_QwkLMfM2={4e{s0uHc`$pr}Pj}&A- z`=|`EXRwb@FwE{|A6CF!>_aqHkH9`ip>BbFfJWD|z3lx8*u&nZfZgm56|jrF*UWPk zj@`-LL$kN<VP);IIv{23vO2bty_4ptV>?(`(X5VbXTMLe+u1hu4h3vwZ&$z;_Ing; zL}%Pa!CH0)OD`8}E!)iAqF|fY?<!y;E9<@0vJLEaD0V9wW^Yo!diF*ItYdFb!0qhy z3RuftN87WNW9jXJ-O6rb>Fokw4NGqqYzg$&=#>KC7M5Nq0B&Zlqy>}+EWJ^%>)6xS z%V`A**-b3HQm_lzjV!%V0NlXRD+R#yEWJ_yT*uNY1;DlJMYP!J9W1?3u;pwuOK%ha zt5|xY0Jw%dk0xE&!O{x_y9CC2&!rSBVJq1|1zg3Z6mTV*RKOK%LIIbvaRpq)o}+*j z?AIx{fL+RdO##c<m;x?gqY7BY4p3?q2y8!v7LQ>gG<rU}nB7m2^G{;WrpS40DSMUz zE@ID=LFQg|9|h;4oA=UObJwwFD9D9up8_sm_bA|ecDDk~V|P(-4&KnZDL4yY7X@dq z1#CS9^YQ9eN5Po@w^MLBo6puN;7oQK1y5zYY>fmmSF<zNtqM4uJ)I^v1yyXI;26B3 zl~c+MV^~=gmBHJdtUAju11wcrWxfD7nU?iANSLI6&$AOL_!$zMOu>Hx^ic4x07p^q zBY+|W|HAx-JxKw-U{6%Q&)EqI_!&!eV41%#|7OQg?1#+1*b@}+Q}%cYe!%>bJx&2X zVaF=qKUk`Y%6!0l%pR*?|ISjaRAB$cj;7f6nZL4b1^kG0QSd#`>ySE!dC$l?DfFj8 
z)<~f@b}*k)==B}UXEe)e%p1(V74UWDUo`#?>zGd|@>SgN|4EU*8N+-+kuNYWGVfCG zY36z6Z5sdNNz9)q@(Jc8=1&xSjCp~1hk`$1o@4%~fX^~-Dc~=eHx=+1<_!h>1@pQB zKFz$QfInycK*0x@H<|w^;G@hJ6nubrjroTH{(<>e0e{c@T>*c`{7nI0W&WywuP`4e z;BT3~DBy3H4;Aob<^u}e&-|KsUjcu`yhp(wG7m97r{KNJlg!Hs_+#eR3it%`D+PR< zc}W2uV_sCiA2BZ|;G@j*3it@~O9gzGc}4+mW1dsMe&!dn|L-+2&r;;w%!ABN74QLu zo{G%f%>4{K6#?GI&{GlM51A*FwD&UfR0Q@O<}r%Bjk$|?Q~~c~9#Oy_Fb^x>_nC(j z@DAod1-zZ1ry+A2^F8K%ioF%JJx#&uP{~siycXckD0mH0|A>O$Vs2&V$;o^R4`Dx4 zu-|3wRlu8>dlc|H%-srj6GIPAWV?~MQ^DTA{6GP(XTGn1*D-e};I+){3ixg2dkP4G zD0nq{D!YY(SFy*lOBC=pwv2*TvU%)g1)Rp7rhrq~O>}@RAH!~>$jg|k8G6p*jqfUk zp0fb2Wa!}v@CxPzCGF+R^|XM?I+&YeXe>jIZ01t-6m~sLc?mm(U8jJP*|iEdiLF+^ ziEI@Gzsa7=u2Db_yIKKHVk;H!M0S+|PGDCm;COb00*+&sE8q$2G8x29TcLo@vr8#> zF*}xBtbk+KQUyGgT_l6p;Y%oZ5sc_BRKU^f0tFn!&R0N@ou`0qcCG@t*f|R5WM?a& zgPo;-cD7gnZETSOTG>Jw1nD6Ke4Y(b@IuzY1{BcD`W4W``Y3n-Yh=9&D6lh#{Qr37 z3C8)cGwCdGG}yneUu2(dd(5`S=Ca;sodc_Ov(3LW*PBl;-ERD^ak+36{{g?ya1r-= zt^oe)o;Wnt_wb~S6h}i4Ti!%v%XGrkt5<q`Y7y{^1{1`+VPLzB==7#lDvqceGa)T9 zBN_zl)M0BxPkS{HX;+L=FAh^Ht!nM2BTFyHiJTe@fZlnz`??w$Vyhtm-y!Lx!<Mb2 z4Kp$V?W;jd#2@v8+Lc35Ta?j;Q;{vJ;^<|qj))jOs4jvSz7JH-8j9*dD4!AScTWjC z4@g#=N34enBYDvR&^l)*T0^S&AX!d;PlS=`*bo+5K8PK1u|cymJ$V&#yI5@_MQ;#` zZ6@d)a<K(e^k(Vf9qFwh5GjayL9Hy}o4u9!Gh0~|6l|cMMwHn`PK^Xh&5s!|<I85m z0aWIXbRYYgqSGPoC_7@FB&k{zL)B_n&X5be>x;dMp#kE}XipK3@zGN?LehR;mQdvZ zgrt!}5(I6E=H((ftGGjusr3y(bW?O%uBx)+Fu#JTBBP>HZOlB8?tB|6H<VPbCi-V^ zazP9fKrK+R@LZZTHj)gem&mO93W#bZ&5+hDgDVhU@yxDpZ9Uv@)OXZ%&us3<hj2SF zu-)C0Usp`>5Is{b(c1As$+N2uM!=!T)6~<}+7vw{R|gD7etGD=o|3Dokbb-T3i`Ss zIyqC7qG9NpIjmOYRQ76!PRdo$u;x$BiprxCHLI(rC~KY^V09sfG~x}>le0<o4@)XO zxAtX2)RU{CVJ+jFebW#<DZ8S;VHxccb5%4Pg@W8&7ugV<kP#uDb8sT$i`G@IID%@x z*o+ntd+}f_YoK}5T&LFqhU9n;d|g3Fo@gY&yO%Wm%A?~o6B&+Y^c%ndCNgr!6M0;& z(fI1;SHC%Wf}NQXp?qL}-T}0?=)MXsF5R>9^WoR5wg*m|!acB!0yU+X8Hs*XRQ};t z0!y<VheS}8E*ZK1AIq#^T&tW3$FCjZ?OSaZTVI3bf2H|CSc*3oR|<Ww=Qq}HBG<+~ z!j3`GFaL{_M3;f1YNp4cPKOvbURd~&xW9~=JvlU`i}(thdEmdBnmavJ9q@mVHII&j 
zwzfoKWJ<IGjqnZGh+^7^C3rtjnNvuQ$&n(o7&nBaAXL77<>+mg2ZGvuEsQ=@g^4M$ zk)*aL;*FMPxa}O&7D`q*T4AK3$CH^LBQ_5TBfZfjb|x=UIpjnL!F*mjoDEV-EX3#l zy+Xp84a_mgh6*J!gDNuw#OO^uF`p(In3zG#BuR!j;4K7Zsi00J*%cVEhKDdxWnVf{ zK@Yhx;9*TZ5<H7KYP;%3jNl*$Ui_s52Pnbi#B^f2WU*yYM}6Ad%Mo9>fynA;DVbWr zkW&lyW$88I%cs(sUde9R|H5+d<GF1S24VS-P4bbKE8@ft+YnhR@VQsl+R?4HLU+VR z!WSuvmVoM=LsDHp=<E(-r<Wcpq(v@os>;!&THGVH1_~mj(S>M82W^P{0R~6!m%oGS zj^7b$2cGj6pcxy68V}fRQqDA``~OEs_szmKG#|9fFO1nI985>)X&=$g55<u!(RpMW zf^k8IV?rbc#e{>P2KKOK<yQ@2scl_*T`PQ=!k{jGsOCSh5vXYM%XY>_jFa;fMSRh@ z7!dhUGDq`ZqOb{%EwJKB%+8V94{0yqM@MP__zJNj%>mIv?nto4nbVG9c~?hor)-I{ zySoD>;v{P>Bi4{mWOj5m8nSuF$rT)m1zHI^t8f-Og6yg<7%7U*0`;=FsT^|$hWK)s zZQB56w=g-CF#&s|&oo~kk{>Mw>19K9JUI)x;la2|nf@a^>HU#~(ISxCI3&qFVyT)K z*OGW-<*kCOR_SBd;<Wjq5u5M6$joRV+E6-V8ww<2gK1N13h^UGaRIsiKg3?dxZZcY z?0Uj=hwDn$Ij$b~0$AZHhP1!i`ML95=ZnrqowqtKbw-_?&Molz7j$}@cE_iVw;azx zmj64BiyZsmxo@Lmv7^8--eI<XY=7PU3;TWc8|>%X&w?KP2K!>j>YoVx{D0csv^{Hk z(Dof@>F>9-+BVu2!}H#F$mIXS`nvTQ>jT!C;caigx)Xl(R#<0Sr&^DJzWRsouJ=>R zJ(lY%=UL9Ov|2V<$}K@i+`G(Qz*pX{&5xUJH(voCdEMq3^Kx^Md6L-;Df)L!FTvB@ z_aHt0b@;g3W?E^QZ92s?3Q`R3L+|{@#vd53HYSaGjP=Gf(78X=IM!$o{vx~z>G->a zYoUF<S7;K}Lg(BooB$n)zw>|Kf6m{_U&nug-^(}h)%*hZmpu+1_dYVbYWS()F2gm3 zlwpsd-muy**D%d+jDg|a=U(QX;O^kA<j&!GxLR%%H;0?Xjp2CqZ|rOAFWCFpo6z-H zf9}K_{v?)L(cIpGqjhb^Chi({Vzv(TEq7v;2DOp9+MOuYp{{ZzihyF%Wo;;RB?`5e zMXp3hiz#s>f?CWLcOn2xhNcbNmF|RJgIdpB;ZFE;sLS1n0v+lyF_F)o#AV82H*pt< ziJ3Yad!3l@>TukpVq%6Cw~_mXn3%4|T_Pq<)#5gA-xL#hdfdfgVwx7Wp3pK?ha<F{ zqQh|)iis&&+&b<8F)>+>J6}vp(&Nq(6BD(#wWJ*<>v89b36B=HkQ)>eCuwojY@?Vs zQHNum5)%`2IPNSlF<y_0i-~c1T*{p|0l3V(VV7<Z6US?lE#;D8;y5j?ijXo^ha;qn z(cuUw$Let)<rqCKAtpv^acf8&qjWe@hp5AmI^233>Tv0C=eQG2;8e|By~v$#=ujnM z!miD^nmfy#u<4Sm5ffH@vah=n7HzUhRAAPjP=QICvyxO`)Fnd&f<D>T+zDQrY!xan z=uoJD)8<^o#l!@w$3@)<Mw@lzB6s|39jZi(pQX*Yk{fWx&(tN`B*ypYll8mfd$q|{ zpn@}WC{)m=&A9^o5#OUrwnmKa)+dX&<GZxUmZO4R9je3~@6n-9Shu#Y<=j*;-lfOw zcgJ^Xvo1pgojMd+(4oz_jI^L#mkgD*>64x9j<;%)RiJ_v9SRlf(B`Zl6*TLTEfnKT 
z`ebNTqaJsrJKmtpT86A)ZL%`bA@zFPJ~3XW#VuxT6yw|VxNF6Dtq#ZS7315qxKh}{ zh}Y<GXNd8wTHGR%?sPqFk2}5vIMsTdJJTKCtT~8gbGu#f(}2pPvX6GfH)%1W-0_W? zY<8~G9p9isb-3c|wfWY#<Lh*ZcDdqfHHmDfu3C#hbyb>dHd5Uh9SYU0*5*TXmAXW| z?)WMV%F6Y)<12M2r#rqvhw666mupZKuHGGArbBhP;uSz;I?wEO$CqjnnYo>=c)2E# z2~A$2#h}S$nrtT0<i$D^np~>Qhw2vT5>0i-OLVAqF}_ecJLYh0?)U=j?3m*g<MZ{& zTE+N0Ep9f~BF5+HaXZ8~_%$^@GmE)GjDum*;w~5C;Mg=cu33zOWz*uC#5j01Ev`|F zgKJacikWM~IQTXVjz!Obb5l?J;z}_N)=isizZeJaronLy?l_n?b=IQM?l_n?4GN=0 zn77QZvqcyP!n>(ad1740x)pI@cbu?ps$_*IpKxw!)F?5oW84b4dNHnJ+zPomF|K3W zLfm#Su4CLnT&+7!7&lcF!3|<u$F~K!ZDL%<w*|NwF|Om=0^C+HuH)MR-05Om$F~Kz zEn-~9w*|P(VqC|!1-R41xQ=fNa5yh@d|QCqD8_YsTYy75bbMQYTQ9~5-=^ZN1Kc_> zu4CN%+*&cNW8C~)wHVhiZho#xjO!RTKZnCg$GG{q)nZ)7xcNCuJRRfa=T?bv9pmQb zR*G>Q<L2j9h;bd`=I54+aUJ94=az|a!nmp0>*p%OIN{thxTRuT$GZ8saxqR=H%+=F zVqC|&`MEMNPIxy>y2T<4aOiNQVqC|)`ME`6oN#ZNyg0IT?3<s%AxqddO}YhQobYcN z+<Y;vW8nPUJTb0g;QZWNF-{mbP2M@;IfR4L;AWHi|5)a9#x=*;=Xlt0oPDG1HtT2B z3d;r1V$U~4VfBBS(8ON@3v{L2MeJLwkNF9bAKYJKv^FErak3<>IBTYVc!E4d-u1I! zz`w1nw;fI+r1wn-D>g>A<*I2|a$C7;!pm9>o_NaX6OZmAOZCAxSUIAvfrKImxo!o? zxy7E5;D1TTm5>ve9z7lOF38!%Riuj*mm$Qdn%?`}5$#?=4L&h!0lD&5Pu+|_g3KqM zindM&dwNRnF|oUw_?sD-4<m%8$mHl|5G_l%WD{LP1zaGB00%MMX}>f_x^s&ni=(H3 zPWe+vHl6r<6Rv9_TS2R*y0>drxEWr`h(DH6@|ii@)dn{W<nuC(9GUO^=<mYF+~_8> zqjsn{9rCR2ZEX*CDXs!D-#?_+?&><YdK{^bA)r4LIVHLg^oNF`KS1Y8W@?YflQt*~ z;0=BQD3w2bWX~Al4i295$ktH`k?O|uWBf=_?2k;1uFv$X?mH8j1WW1iH_D|{bYi3^ z^%dYKSqD;cA0>p;FLyC`q_+<rPV2RxH}`1`QNL_q#Oj_dGAl-AryvwX0?}%aEQ_4! 
z<}VTyr%ylf)m`oGZzLrNim~jfKz8nB2eP4RNA}}R_|^$)oNJEAWF`cG;x%7JaiM3W za(Ga&KFN&`&X$p)xDXq~YEUfu=gFQLX@7PV?YqETbaai_EDqtks|2aJ&pY%!RPAt1 zOHP_39Z~6&TM744@Dc|hjFJ8@8id29RiJ-5J@0gTGUyLLI<L2@6S}z>Z)!($cavy< zgu+TtIi!R_fcT0g(ssQaz1?s*s>oEp(bUN9asgjtesl#$uN$(1;Tab03L!-cH`frA z)eDV}cnb<3>AoB-XvxVEk>SxuMWvYzBH*jYfPuZ%`Yb%+Q;6LEJ<LkRb&qS6i+5h> zoa6Yd<2?Jf?S;1YZ4qm))n@+0yxjD<X*aCTRSJI;_VQ2ioB7d(?-&+xFF_|D#!i4e zjFr-ZKsd%`ZsFAVP9g65!@7kBz3U6TDu=Coxb25y#7l>)1(~U5Sn6Oo>xsfqM|M3~ z3NDAD;g+kONPQHpGAgG?GpYYzJ%Ydut+ybn%^7`^-Me=aRYBs?&ifU3a+#%Z2Dl+y z+ft(*mi&TXc7n2Y$)PZ0b|fX5aFlrK$Qrj{Y53&o&!#9Gb}02^v}A`hZbK-XhNF8k zRVn_ag2Q{_%H=<)DSAex9;HdXnOTl}4rMA1(WJ6yA2hl|X)-nw_foU67@jY89_OR3 zrJAC9a*=#E^h5Ckvm0A+ZYj^|Qg5)pv!R*zY=m?t5rrY_1yP|LDdm2Nq{is3O#dja zqrTzombu?78>79sY8uwM%Uu%$K6@|_xdlGaYCj&ssw&sQS#?F_Do^DSPsOSwl~pTC zq@N{gJymd}oi*Ezgf^8#TVu34yPy0shc#n!_fuoED_2d!(mWlirk%NJIvis^HQEWE zcrwdhq1LJ-zPt#}*^Jju$qEQjMN_@Q5FJKOHPNcf8vKJ(Z<L&c(F%wI!*;w{cJ<UK zJXe<1W4{>fNFTTZ`3I+uOZ>ij3$li2<PKb4_JLbny`pCAit3uu=1!Od=!VK}cW*;O zb6qp8gQ|{MQQH^ps>y7E(&^k7ZO@)5!}O?{drm?Dw=L8C6Aq>Ovv|po>wc|ot?Dr3 zsfpzW^m*FfFlHe7eOGgB&ARq5<%Poan2mVM4YyML>85CFrq`8&Jup1={UHwa@@R`j zRofrP>dgbFY9j~LhK}yYCVH4h*APTUTB6PAxzb;EaC4=)th)M0^2UYUYOogICUSZY z*D}Usd+=(2S)k-tU)$A86hswudbnL5Jz8SETEKjTW*w?s2;`8)Xlt|)V>FK5P94(6 zS0Copu=oqV&%53i@RqEuz%6WRv>`_Y{$cT?nhL_vaAuY%y!EW%Esb2fb$PU2)93zK zSttI1*2S!le8H*9Me(o>+uRgy*HL_^Ji31tWzvcL{{ikfhOgt7@Oix5@E61LhPw@y z8ur4wT!~?_!NmR9^n1wBUk@qz9gv|fFpV~T0{Qs|jo&i%8^gxs{98t!ajfu#@FpbZ zZx=3x-28T-!u5{p8Q0y=CKzzFxT;*U%;&p2F0=D5&R;nna$fIDnU8^=z|)*1!dQ3- z5TQ%(2gj3++n`CX*HOp+z_HBXa~uyZ0DrPSXTQ%}gZGHIeW!hsy@cN{6xgTPUA9kb zzq37IyTx{at&e-oya!hP%WX4lV_@6=E$h#%KY+Kr{nkc!!wXqq=hpO@<$d!Kv)A$h zf0^Ze%eUd>uEVn4GS4#EVuw`!f6RY3{}#UOZaz4%hNG$ehkM{SGj>mCGjiBG1I6j* z5$^5rX1oZHh_uzL^s?mgvLn-c9@namRJ~|%7iLFhioG;DGE?k%`bgDno;xEuGQB5p zd$J?b?PPDuj!d8O+>Y$X47KNGM`ozKL>pN&Q{@Dnb7e<nigjd1W{S0HhAZQyo_kXr z5elTYH|{lcgnw3na$(?}RYw&1(mldGb-WqQvgIiO$Jd#dCpB68nX>LxNBBdTuK$5L 
zA`nQQ&D<^O2$c;SZoD=k{b0iuX~^<rT&uHn+L#Q%%%3$e1)+4eu&3){(qqo9)5iES zdA8|dGPI4;#iR#}ouiG(I3DLrx|s9~VBXix03rgG>Cx`&$jkuMW=EzQ#%;@vOxMZn z%#KVqg6q;ps<<L<S9WBk*xu~OOtJ0SNR44WZhCfP`aP1{mmQfN4DRCW$V~T5$&So) z-znLVneLmWo|qwjrj3`YBmDjhA>UL-g!~yI&euj{2>6CNB9QU2&c!tm#hIdFW6gMa zR2FM`u5x|q428jTr?XcegS6qZ*zgO3=`|eCWXNnF%+1<}^dPXOX-e{?d#Y8FLDdLe z6H$=vLFQs@M26V=)e$Pzo@>%XgwjQ^=V>B>=?#Z@SR0Y)bEhUEkS>ZFrEXuypKf21 z7N4fJTvJe{-K<L!k=X*+Z)+nmUF*<Bq-kRN)e*s2nH+CxBht-dXJ{gdGC7XXL<G{) zmffR`$Q0G3jYv0~bE|tKn0fzRrOBXb_zl{K^dw|&Qbz<brxo*(CZaIi4CW8oh;&ym zuWBMxTmL9+M0#A=Q?(J9qOQ_LWXP@1L<BQ^xJVn3Ua#zabyo!f>7vRscz?Qm3$^%k z4QsUcbU9lz_{>mfhA5CZJU4057o^wA@mhSEp50n}nw}H2`1GXdP<I3_QEB#LyEY=- zLtMSOB!6+b<_($*nJtjfEO~#1g=KEk<S0th%3P<7NY~9gu8qjdfRrYpFr9-PtD&|q zJ(<qb;6v%U8#D!l(&NV5r-=w;YPeGyk*<MjK^5t(KXV?j7iltNtk80r`R&il0nVn$ zp<1VZ(nh4IW#7}(oxz`>&fv?eU-l7AL}n~l4IAn!N;i)sD<a)IU%CTXzosPBy8c)b z5ll}U_7hD+h6!c=t&K=eTJ|ALM269Y^BLC-j90jhadnzl;a}zju5~Wa`KI%J=hvO{ zO+Rvc=y<@<?I^InVZX)on0=A`c-zlxSD6NEwZe6_LhC=RPg{3c7g=4FS4{sg78zsa z3(Ren?^^c3&!1?1-~5#MKGWj=;k)8d(vJ4P(H=P31OMASuuh1K8^^69l7^n{9tbB( zVhlYUE%@Rz!-M~z-{6ttY>3&a&L*M@0kOGmBIS;VrrItjoxoUacTaO&cd$6%EiMkQ zyXWz3q|mS@j4y?4P&{ZQIl5ri)&tQ%d_45@;4_s}VRM}l6$<&h1)(6jYo!pejpH^n zg-Hs@OcRn&<2;lwV%>6kSI2IAgq-2&MKv-xZQ-7#j{0sG32W^OhC<#zsF>~AD?}RQ z(uf7(MhJs?YI{KhL>H-!7l>)@s`qr(c0p`^T50v_ycr(IbJX^EV1ukjpBOgLVL-H} z!_y%(gye#$UP2OnlOAbqF9`X)#eN^#vWVYJ`(el)#OLJtjy6wwZ`*eCN+WE9p@TZQ zx<f&~H&|TEZl2F~jN?uVcXc$MLE0&Q2Sj!0?|`K0ws0E+ay_*T7z@%PMKBc|C<w9} z(j&1OGF9?GO8w(Oe$V#Wx)xX_LzmTcKz*pEd3$p!bQgj_pVt@gv#aOwEtLND4u~dG z<6kf(+S3fPkg`$IU66DEy|he{Di{cOeSSY%xsdN3$F0ZQXy}u=Cf(^oI|4$_+tGm@ ze1Rusc_j(m&f31#j@tU5ztCG8^s~iYex*E%_SA(ti9C%5v!=e43?dZtNC&j`6&D7) zg@HnL+GKtX8Rq7mu(uV{(Ibfk$TNaWOmqo5<rIE_CQ)f+RW-(17L*LY8oj^B&rWjl zqsMU@tE&tA#oi)+A@lsnd<ck@D?F=fyI`9cbacV|DhMem40=Na#muFX`FZ2mv>Xs< zZ1F%oPL=~IMEwPU!r29UwOqYKVpq5xf<st8_4#NF83<zfu4+ZMKj8QJeMPKs79Un; zXn+i}C%mVJOao|6VLm`9sot}_&jT4e59VQ4z!&ru75JEsq|TGNL#m3H^Y_TjlsX$r 
zp{2VRsRMpL^PY|{tZ}It7&C44Od~y+hgsIy+fxwmd4s_smJRTm$FcI@cEc9|h6JJk zp4wKT^3v1P)=h{aJ_V#cDk3!5{QQRWgs6k$FxHW`r>`?CO+_M{Beka)6D<@Bctbuv z^G9_xr2M)tRvSbPuu;)D)6><9v6fa{Fi=2df`x8r>oG;q=;koo8=!Ncv?WalsTJLx zX|;`5r^+nB8m`4m!MJvIwDw99t+uBJYoj}_2$c8(MJ#tJUk>7Fp<z#3?H<}8`O=Vd zV{vvD78YRt@-v@FOE#TUN+2~8b6y&ThAymlDBBRyF?#Z-_=-ZPDa8C)Ta!d}S9oVH z`chdfA*@fVQRb34Sf4ERSr86uiMu<<N`|39vbr*&86MacZEovr^R$NB8+)1x{6*eS zDAYWiUoPeK^mdYYSl1&N5^nA2XzA@F8!FkYL--zB91Ja~6e6OWxV;&qU>BFRt?t^^ z9?x!!x4JqEYgb2SpERoB+PWs}I$_CHacyfsvELgC6l|Twm(k*Sn%lzO?X|>WaV4a9 z$i|KTu!%t6(}&l=CLvNvQ_7Ppy@^P>B&{22A7s*D`-Akew9n~MNyU==PCDG=!=hGl za})?+y@dR$3;9~Po-mmWI0tdaVPhlXBlU$xYU{MlaA#+@E3cpkQ@Yr<2}hMf$tUZ5 zwRP0@VwK{6kn*EBVJ~TBdWbwQ5=`eX+0k0UebRIf`isjJ@qMbo(97XEVo|sc+dF1> zdviCI6=??kHFor1{iMt64i)>ncs2Ex3lUaZ1|2DoBOfkdOk8OP*B@+k9rfXEe*w0@ zP;jxdR>=vDO$-f|Cn=7JdYp08`-rEz5A(OJC{%<^)5koNnIs*(J<<kG#zQp}q`C4; z#<?w3=Rs@aGd(@_zQSU!uefm4QXyiXO=;_G#i|FRfz-P4h{3*kGQlxFu-f4p1?IiO zT}VvY;`920g$vVdp{Jy`yS4#)POt1g3>#ftD>#E)81iClZ=s?B){>r}+Vzl`pgvNz zuc+M1S5g{Vq0ZBT-fG^3J-U(ZY3YNd(2rT>D?GK7-<vyiCALm#yqJzK?OM+?ax7y4 zL76uX?_ZE`^i4m3&!c5v=6H71qHDTw0AYjmZwvCL)2KSK2FV$X>8tCo^i=X;ZTkWN z7x>c&L-MF;_Cewe$)FM@2P}`4CnQs%p}Db_3_(YGVNuW<^oQ6LME>6^T)?;<bzR_U zbj@}doWFEl;9TRhIi7%JzdFaM_Fvj>vG>{M+E22*ZoAj^4O^}4B<ruN=USIq{$kl_ zv6+8m{-$|@InVS@(@mx((-`AR@JT<<IL;^tZwNP`=%ar}d*Emf9PNRlJ#bJxFsgr_ zks0S0>nOx!8=Tnu`D+&~F7Dq;kaZ4UF*w+wf@(#Dot)o_Hd$GFBi#3Za{;FhTzg$} zC%7q3{~07}z)|cgBB#kB7)GeC1;>&R{~g`mN0J=x2n7qhp~4`ltZnQ*secc_`W)o` z<`038>UHJixC3}MRIFXPxT<8sy8hiJq=<}j$j=I2(IdsY{#~TzHi!J)K$x6Ed8U}( z-%Ij$I0_2<xNj7c(>ps(MNfNpH@HRBOND$P*B-%@{XL|Bz9~iE#0!FfGWy7(u%($B z6k+vbrj7KvrsQt5deq$hZc<|Plp?Ur7}YZQ#?#c?*n~G6%8n16ePw@_)YCSH{Ae=F zr<eTxorIh<j)KAvxMY92fpX7)873U!wC;|Eo_unX&YRxfNpe(x08FF8&|28mAPy18 ziwDg_Up87h8j*8ue+Nn3;_wHGy@6n1CN;UY$~n3{@LQK*kUh<K;{Xrc7_Oh!-%hf( zISPyLDiA0vYnN_59rT3(j52ER5CWxp8Yz-G(NjwH_qUP!8>9&oEGQ^xZSB}i9$mV? 
z-R|m;-;}^ARg!U++1tAQR;iDR9EHAOs0?A$F}%2yYUc*-@VF3>$|dUS!(iet^wJgU zAl|L^_P0p2G&<xbC}|{*)U((6{vA^76C6baA+YfN>M%HBy!Ux<o9=4f-iz_XTU8yd zn9cOoM_w>g%LSL$Zm`hdI-<r;zz#%0dbzZ}ne=#{qp-NxTTtvH<xZsQWumHVvR+h$ zlbf5m@Us3UQp%Z*0N&OLAa^B|f{Q;y>%)go&XWE{iJH;HSZ#iM??O35wN|>oWLkOv zYVf+Wpud3>v=j3f1O<Ymps6)WJGy(Ol3r+N-Xq=izNAUh`@^J!3WpC5IsT%ewdCDa zzE3NSZ>w#uZIm4OPU){FspmO@MFp7n=tfodq<5N*_No1KBwdL<9bJ9WEt^bJ%+fji z+eyl1hd+cnn=e!q_Uh)dw1ygR|EE_2a^J&C1$o8kXg{I9mgJra>I<-K`AX@;pm&Mc z{o6=nqa#G#41zvw(P7W_FgjTMB8m%7dpB9Bco@s?uOXS&ID*)taV#zF@U(aI;HF2U z<F(U*%t$=Bo!q~b<On%@xY_#)$$2FAPNx4h_Ma}z?~@(m4F%tXONnoX^kYc*x{Afv zb;xVTAwTyP_HQB8*EkBvdt#AK-ZJIOw{i&JvP)ie=-WGef?3qRnPl9J(^YyfCa2jU z*M5BeX{3-T7;x-}p;=2Yo0Yew#r>N|++OTkcsKF~<*uY}8=3cL>0t}>)wL3BAkQ@N zJda_{lO91Z|4REel4ANC#oz)01^(68DoMgRJP?r`PHLC(xGfciaX|ri{=k}6F2VEr zH;_^~9P<12A-{{y?q5#|!2Sp_{Gp;!T-&qW6f%!=a%)Iq(FR}tI+A&v+)c$~y{ews zYVkqAi!+8cNPgH3_OB&*HamPc+3-Rs^F`7ks*@@wJs`a@sat<)e>KTg4&Dc!5(;rf zNrURaQw;o{<55<k5qfQSV(6LHUqup^I{bKM2>3C1Xkw7iipi)>I=z1lNm}9X7lNF^ zVkKz<PFt{ax`OBRuO_M69P$SNGPw@rI|8}?Phy%G*QL(yJ1ZRjbzI`exBtX`ru|sk zZMHJ2$#SKo%KVP`D$|{&rN(wx$iGim#lOk#;b-zD!&L@9_bzu97i4c>=P@s!n4$j~ zV=5P}RNEDn0EeZG;)6Dd-&>;jP(*A2##BCBGc~29Aru=6hoUN-yQXk#qF&vj5N%2e zlKo$5%B9a9vBluyb&70T$E((?TrEE;L%UL103IoFSh|!-ku`FWS=y83F^@+3WL8F+ zMQQN?^ktBPsvO2to?bIUl@=CKiW~k=mB&uh&|GxLdR53lb>Cue<*MjaDKz^EhNtqM zdww;>#%Jc2Qq?dOpmNtVIX2G9OrpwSj#U--&Qn}KKGlSvFs4!gEsvd`=|z>;urgE! 
z7<uH7d-3?3y_lAlQpy|t&^N`7%k-k6Vd<Zl7KZ!3)HH;$VpD8vc2%nW`wFWnkB!j` zg-TFcspSAefgJKs9GgvaU|4E=L%9r(tdAX&QRbX=aLSyeD^{(=mnKEhQfb}cQvAiK zQYvvsHP!Hsly-vb^QX0~7g5GZ*&pRj9G%^XDn%iM>O+~%Lrk(rLu^#06E_`PCzh;T zy2@LSmO50(Ib5BHYnS$1PWK}|UddihYj8WLQTno!uvj(3stj?#rYOV4M9mym=^Q8x zIKUi74taRoxrS$0C-o4+Qyz2ah|c0X4oGxRCfb=zwC}KNT>Z0S4!8lV>ldIeJRzbp zEl13iXpC8b@vp|K5P0Hh=>sG2SW69AwbkO|Ydt=l6W3z&UM5{2=-0M(yuxe`*VW=B z24AVb8{?uReak1`E6LY>a`Tk@)}aidr{}@FzpZ<wXBEUWXby=MycFT~Lc~%C5?2~B zduHl)h`J+WI3yU3*)s#B*rOWewx5d+499HxdVDj%aq1g>D4R?!_2O{Ms;{RIY(Ul) zd?@wgYEOC0qFE{`4WWZv-^d{?m2k|Qi{fE%6S*i3$4uGvsMOgMvWMF<;g~U3Jz4wr zaO)|L3EC0J=piUgIlyKWD3(><V|*@((+U_$al@rJQWrC1PQU7dJN>BXmaO@E*iOF# z+DgkX6XXzFU0Yv|7nYhzNNTo*<q6H@>ds*uSh*&&)p!<L$i*1T7nZ+S-m$!DdCu~r z<pIkbu=m$$+HTrlT45?N6`H1-Jf>q!R`|~Q*!U;o?~N}Qe`<UP9`tT9UTJjWOaH&& zIqxmuH^MW*<H8Sx+u%R%5+Nl-%x}Ou-^J#H`E2u6bG3P?Su`6>pP8O8-Dmoq@qFXg zta+9jgk3_5uuWJeEHn3*rwR*%ppYk=D2z5Yo5u@g{tNzZ{5$-s{By87_yB(ge*=Fx zJn%*NKE53`3pVmA`9*vYKZ8G+AH&;t#_$irpACO7ylD8D;bFs_uu^!H;R3_g4f_l` z4Go6P@Xc3dm~F^6OtzF+W?S;1|9`y2X)%~THGg0@-oP82+`qUFxo6<D?@jpbyMepH z^$B-7cc1H5kdOGe>owPVreC@)a>ZfU;JdDGxz2KRySBQTT-B}$d&)K66>v>(O>>!? 
zpSwm`7g&SNSDkM=|7w56{<8By=S|M5oKHHR!z)X-v)Or$^GxRj=BJ$toFQk0v)Z}U z{3EB$$-=MVvCdP?_c-2gyzF@2@d<aH<A;v#Iey`I%n@~*;ke9kuH!oMEsoWWC62J; zG)IT|8pjC^7hVPDI0{T3nJ%@SXn&K7**~=Z%fXxeXd1MRwqI+%#D1IohxW%!zcuw+ z&Gv|W7d$d<v#+yUZeL(uW)Ir);F-~EA8q@a?H$_}#wOdV#%^P|vC4S5@f28gm}`5` zIL`K*?Md5>wkvGkw|&iao^7wK(-yWgST<W$!{$PzZI<mc_;H+Mo@aAf->`mQ{nYwv z+i^C7={oCU@aA~0_1o54p(&Cy`=Kqe%(_lL7L1kWIF5zuIN>-7!jBmL9}Ca199uMs zze9%H{OvN7$A6C|gj*T@Hi|49&EG0Rqxf5BG<?VK-&Mdm{$>ioQw;wd1+3+7qPc<_ z_!}t_?qK*EC<rew{PhaBj=!9O@Snn8rhwJ_r3zTZU!s6(_-`uUYW`vctmH3Jz*YQ( z3b>NLKmk|q=PTfH{yYU-#(zTrEBJF2a4A2ifaQEj0hjPe1uWy?h>rBEpIgksuL%W9 z`EwL-5&v}sEaAVVfD8GU0xsaA3OJu1P{4V7zXHzXBMLZ&->-nP`Lh*p7Jrrk7V~E+ zU=hDh0So!P3K-(gprDTn@_h;z;P)t?pWm&3K7N-17Vy0an9uhp;7q<-0lj>e0?y!f zQm}wKiC?FHC-56&kogV2o`U(@iTr8>oWNHr;CQ}D0nPkc8AP@<6r9OT;8!W&cz&e< zj^mdrpqa0fL1bG&K`(a#zf1v-=PMNOIDUx?vhVRrWf0lQDVWE(`62~$@gW7Y^TjgA zzQfOwLFOBLAqA&#PTsG84!%GE?R-E6ku6BUt=#>BJX25S&JuP|?CIPsLbC$iCNxoS z3lcOc;4MOf0^TZwDYzL4>J{)7q0X|CF_R}_it-vBHceH)2TT(wI1P0BC^(g~^D`CD z#(Nde%1@U;(48-X$Tow5rx?yL{y+vffuE#+Jb$7B8u$q^$VT~-74R%xrr{J8P7M`o zE$^Y=6prIzT!t*GDICk6AcO1%ejEiSa}0kR-CZW1$RAIUli2_AV-@f}{IL|QHr#KL zi>(4ESGESAOk<<r9+O;x*KoH<F2QTK)8wWlcn!Ckj1(+3e9vT1%KfhK3kp^lzH9uP zf@=VNMnSLPCgVR9@J8du3V4I@uN2HTe9QPp3eE)h76qFOR~cWUU<1HEP|$0*()e2i zyv+EV0$yr-hJyKqZyKMX;7ou&QxcqSd`tn)H9nw#3FF-qTy6Ne@%t341b7DpR{*@7 zg3AGZkAlkp-bO*MA!?L2a<3s`yoO@o#f!gA0Z-?zRlqI$w-s<RpH6!k|1AZ(iN9I_ zH}Y30;0FFm1zgWxLBTriCE=F}_@W>;zK(lA_=R;FlQ;BN5>*V%zRvIqld>@wo;Jx_ zz$A7NKZYil$bP|(R=`F4F%&$R{hW6w;Agy50iWdM*>W=bW8S4;&*eo5RvUh5noq$h zfb%H02H;!@dJR7|$s5jM!=om7F)lVdVv<*2GjombLz=dkdsMjBx}O=NYLpDpHPP%B z?gGLlBWbQC?x%vhSesCmJnBs-OCI$m?r}jL^(NLYe2<pZ<QL>YZ{mI;+)B%8<em_2 zkwKL8T?PB7aI*qFE__D;pA=+HpwTbfs33nV$P=gmWyzdC1Im&oPy^_aCr|_Ek|$6D z=#nQ;1NWF9PoQnwj|6!FZ9_JB0&U|S5w4_d*mj~I&!27F!-C9f)NswhWt5s4u1S!2 zjT-JD;S!o_t6lgejo->WC|s<74+s}ga5MK^VLJukXIaRXLH0U99=%Q6rGmVb!kMxl zZ<-sqO9XjL;W}A3m1f((T`c5L5RQ_CX)=hy<c)hhccE|!#jfKn5T+>L`NCucJWr5! 
zV7NRMCQ|HL?p#6McH!Vy@K7xL8VmAHSj{{o$U9**4v`6R0xmAdJ8(6Z62{RUS-M4# z_hNV`7UWH{3I)iUW)%vMS5FlRkayrJE+NRP2M&e>c}=ZBwo$aQHOMBflQqaDFQhfx zIf9GUyLyq}l%WzqUVZQoEZAk_8o@?OTFrf3uu^2@BEcd<C4!ko!|AVJl96i!c~7t8 zz9tA1xoVNX%TS3R@AL5ED{wUXDlRIpG=AkGfsvsS{=YJ`iT{EoT*>wGpHt+DMf_(n zRKow8M#I-G|1TN2hW}JSM)-eH<nl%QCo)vR|3ik>@bU=)ueto+X`bcWe*SMXe%T`a zuQF7^e?+6<5tsjqj9kNis36bgKcL8pMg03RRKmYUqv7P1|Feu-$p1+}PUYWKz%%)G zXnfg1{%wkc-&$Ti$;!BWynK?uOD+E<O|Y1`mVZMAxxM`B6oe~U{xt<WgO`swIG*Ky zPqB-*J^b%zWpiipuTmu3jPj3C<QzBuh=Oe8AEqFDiSiFA;12#l3c_<JFCTxin9KS5 zWh~ds-=~00yu828;u`sTDHhH^`FmuL?d0#K^%ht1cPYsI{GBq$HSj;6@kOKg@00KU zkFXart`A(VxPFRz?X|A+TxY^&-$qv%?z0}3)A^b6U0CgV+<AxdYG=yX=WKMYb(T2u zo#UNW$3Go!Ii7bs0?U0@IO2|7j(SIxW1(Y)<2VOz|H%HT{ipW3?AO>+&>v{DuZ8`9 z0^Buiwoh$u+g`LiX1l|7l`Uc0ZL7Cc*%sJl*iNvStRGunxBk-lko6YprPi3W+gfX_ zw9d0mw~n<MEFW2ZXL-tUujP8nd9X3iWLak^v3PNV7tDV%{~p!`?lE6$KG%GPxxrjz zo^L+YJl1S5{l)Z(=_in0_?9VU+GDCWtv1ayO*0*1VvQfbis6rq-#1=mj2m|uw;NX( zXXC~@O8AfPp73kDW85KJDV!tp;B8`sP%KOq-2CVKyZnp%kNDg8%lH_-li$iO;|uwT zyvy*p;a$8rJZiWVmJ?%!F4#_7W+*gF#CyWOxwpCJxre!1xJ$SJu7lgmm2*MP!`azS z;Z5;b_96CWbiejbOcGDnDo2gI+&f}Y=L)-*d)uAVxx()Ci%Fd;>|XAVVv@MRRu$L7 zy(}h)FKi9&Q87uJVQX-Yh)JC{>>ln-canI+R=HH|LAAsgwkGRaVv=~nR^hrywK{j$ z-5jbV?yxoKP_51%b~mY3=MTFZ)e?W$nyhb#Nu5LNE>bOVh^<Q3MXJ?##O~r=7n6<p zbgzj?;t^Yu_YY!H=MsA-_j@s^bBVo^)S+{Uy_5T$J4sw(t9ox|t2;?NVyjVTna&~h zPVQAPsdI?kNm{0Jh}}tQ)j7oO<bEwCi9>8vD>}JX+(~%ER#)2zO5hP&g90URiLK4~ zTQLcz*lJt{sTE$awYXoqlW>czF0P|hOu{d=Hra2)BphR_aqXmGaE-0Sp$a(1*5XhF zyko1YXh#+Bj;&4hD=`WG*lHYDbTJ7B*;?F-ViF#*wYV3=BwS>xac$i5ViG>GH8{3Y zOu|XF2FE=oCgCMpi+ff~!cVpq_e(KZuEn)-zYvpfm90+K%01#v!dbSuxvgj}oMmg1 zJtHRJEnAIi;eO#x!e6#JYYVc%U$!>c(_&KRFnb60gqS1_vsJTa2fR-wbsn>KkU609 zn7xC0TukabX76DA?j-S;t(x#VFwJxhvv+Vm7n3@N+0BF$ox^P0IK-sRVK%NFVp8WY zyP1%pbC})CJ>^d79A-Cz6rIEDX6|QVQs*!m_Y^Tn9A>L}1s4`ENjzq&afB4&GFyWK zDa2>C8b^ACIL%h|N)t#SKC{)yxSxng;xt=@!!<`t>bzz*5>j+tvl|I1I<MJ{q*tcu z%X`wD)OpQr1SvYN*^S(f#iY(_Hf~8`Qs*@r*CjEj^O}u&lbF<b&Bg^vOzOO5<0d60 
zbzZY^r4o}mui3a;iAkN;Y+SO$q|R$LZd>jo@tUpb<!vX5NuASd+`q)6&S^F-Vq#L~ zG#fWEF{yK!jjNeENt|Y@s@Q55lRBT-xU7juozLv8+yi1#=QA7cZ|)@VnVl()*<a*N z5|`O(RE0Z9JZ7s=h3+JAn5{;I+)3guTa8*OCbjOenf=_oVp8ia8@T&iNw~{qGg;3r zawXv`TaBr3CE+StjVW{`;V4^;3AvIcEoP}Z2`AZXW=5aQ-Rn-mN45s_Lst?mvQ;IW zHQJSggKRZslq(7M*lLXEPQp31s-Uw-+3=06LEYm{z%{lCbtZSWD{+>ls53XX6L<yG zB)ZF;*r!45!xy8(UQNDz$Om>#m2V$+r#k^|PKDabUExlEnbV+t;7)*<)1bcZN`RMB zHSmmjR|1@z8dKy-fR9sS3S9|sacWG+od6G~D*6m;KMC+~Y7}>eD*+Zxm9KA(D**;h zjX~L9-_#hC4dzW%P#<@@D*@h3ov6c|0PChn^gS`5<J|DzEGBfE8(yBpgpPANox4p; z=r}jLMT-d?=eC99)p2fHxLd`9j&s8^wV2RxZktJ7!ntLpDT}8SR|2e?s$sQ@TnTV) zYD|eM0lrO*+2T%sYg0A8mb=-N0Mn*Qv<(G;Wm98N5EwQ!1_gm%Qx&w0`;IFCeod9A zrpTQDx28%|!+qPG0JEk+UE@lCS5xQ1gaE6iNpzDd0ZvVoXe$Z_pQcK*l@ty(O@l(= z;L_CjP&k-0O`;oJ3GisDM5m(*z@e!zXfXIQRkqW)sqO^WGY#qnR|4FbD&H263EoVV zXbT||teFM{GQpXt^MOq8Wtv3SyAoi_REajDa4==6M4L(BV9GQo6b_zDoezbBBhw_h z&XoX1rb=|$B6kA(m@3g}+|}*`*f9+Xod9l3gSyt005hg4Y7^)LE2c`ciTgIW|DVh( zgZ#g1rt=Bs7RSeqlw*<oxArc(**3{~A1vtemdo&^+-knYyx#P_so(f>;{>6V{||p2 zv&`^?VGH*myPf+Px4HkA*n+fR#z5%c1T(0kjx4E$!zP&V<&HYE4s~ShBDG78YKWP& z)k*>ylOUu>Ec|$z>)~Zjw$37%X7WNO*GpA@h%95IH&&YNm;T*{(l19&VCBpEMJugB zb-=o7N)(Mj>bYbRjATKC&zn}SYl)R*L|F19tNQ_HM`ShXP$Yu<-t_^+*NQiz_64nv ziLu3yU>_^FJ5fup7pdjfTVjiHku)p;x}iymOo)|0ZDRv<!LmTo%&6%mUaq<&A5~Nn z&O-!c(@x000{snD*)^K7vlKZZuGm5lD7($`sR>k6>sF>!6Tbq=a;zv?r{wxeT2?Kw z`Pn0cF&vJF<Ip425}TJ@+b{(;hpsK+jm?E~JlT1=&ZjVOKo{_k{g8OZD_OU8Y1yi^ z6{QtxH|d*xq{LeNfyk+`IUslroxnPRE8y+j2Zw#$G_8^szY(EUq9qcD%?7nAb5dJU z>h%?PN-I~DuB)m-&!&4CsI^s<D@KHDiKxcdtjru#lzbr8tEcEtw#nQ|K8>;BTs0jQ zZL1=USZQI#<gg+KdH}If<dF7*##muC&BN5I$lW^=W1*Y}2$6hF9}tbPU^Y2{!=c64 z6bqmx*?m`fS`-X#C(PaQ@|a&US}KPp2RT~EA&pj3%$JksVV(K8iEfM)WRFBBGg1oW z!(TR$+E{*ufvY??29E06WVQRSF}6eN+i01$#o-2Gj|{Gx6@!12duxo%%+;NTVQ&b> zyqTI5Wr@J>*uq?r&EeRLT=jhADgouO>6+D}@(QHP!2|4d$RVwsaO~7v6c3B{$=x$~ z`g(j&BN<lD<W?h@maCquMR6!gG*>;1v8kDQl&x}@YS=?<I;Z5SX;>}FT~jzVB~z2K zN``rP$~70r{XfrPWLzJ)e&>41b)V}-*M+YAt~S?cu5wq<b+YvR|4;Jw|Ert{=Wb^` 
z<kd@^1<nc5_y4yYFF`u}cE^?Y{=XaF|JOL?JEr6Nzft>1`{=KuJ#e%Kj`qOO9yr<q zM|<FC4;<}*qdjo62afi@|3(kE2Fm#f99t?|p<w&QxCfR1!(}kc^X`E%EsEXi9$2hJ zF)z9YN_D9Jx(62NPy?=k5};HS3hsf0x<vi%fdyI=dxm>pz6KR$ce@AX=}^0z19SOt zP^g829C)u_dj#je95tdFwawOKs%LxM1G99f9```84%O`*DAJ+290P?Y+@jRB(>V}Q zSJuAAJrLC7sbhD#2Ld`&r+dJ!Lv^?Zd^%LSd!Rsr+RnDQ2l92OR`<Y69je7O;00Bj zLS-Wv&l#FTwd@Y}z;qp|**$Qo4%Ory$kU-3-2>Bfs0R1IR1In?8+H$zqC?fY2d3yy zb?$-5I@EUez$6{2);Tay-OF1!_rS@zG~3(*9v!O2F>n$;j#Z{cpXf0ChndKH&baP! zEpeUfywln2_{=frXtMtsQu~W+H`w-DpM#cupT#CT3`zPnSO9p@d=>vYNZH%@3k?FK z+E=oFV0W@pQON(t{-(tmtxO(#4a4M3=96(K;Mo<DzQ#=p<S8Fv%3}@MN4|_(&VzmA zE2c($T4LeM!;bP*+&{c${h>cOw#4dl)t3IAp%8y4PjExmRvxR<_EN^7yHe2spF*iU zmzLP}TyziXp>1fo2duGLyztWxvoYb|Uihi#ihqu0L-pEn?-4dq1}j=QKBmitwen$6 zS8Zc!2!V|`l1b$5+4=d0>#M~7&6HYsY@22lg)+{&4{{bEhxDKxIX!lI=F3g_p^R(V z+p1FK;p(FUjAT)IB$e@AOYJ&K4eTEk+mLSHfbUQmnDu>mgc_(d2e(499$&LW_WT3W z>OFl@ODDmb7;#kQg}odvH9G9=hJ8N3R16Cqg(Q3Q5XqVr+x+GGx-Y%2x5Q4%-e&@b zZ#UkQtF~c%co}+E^TamdgZ60M@m3g6Nz>rKc4iLkmRL<TdBgnH{$=EC9fG{{F5eQ{ zl1<PsKNSv5P)lrmuG$XMSs9rTTL)>C1w%@!_|qaPYs;!uR;(I1=^7%Y;*U&@tp&aL zL(=Q>EG}DLQCj9%QCYfN;hU7*^N7eS5juU5>9K0iIWH%jVCx_Sw5n|FhRUktp2Zc_ zkp5X!R=RdX$d!nh7^})Dbwb1z)9WB|d~6Nm^r~r_=BVZLmQ_PqYy&(?N`3_-X9UY? 
zch!Cc!g{1+806euBb6)}>m(&-2@#gZR%?!Hf5uCCdh~aPXSOx>bcJWaD_%Y^cAj4k z-wDLW9q|N!9MT@&606K!fUrQUADyp;S#61}%B~H<K8L5aiLsSKjI)aOZ;7qQMN)bm zDE;|Wb-?oM+JZBOCGs)!?phvOrkN&%zO0S)0CxlAkf%vSF1iofz%9)=aJBGk(WuOo zmRNZ%k`B|sUJ+Y@t~^%S4cbaKl=%t@4z({y7O6AI_x~}>-Hhu5=dI59jy?9Lpr3!5 z^?K;q2h9DZXG{}~JB7Oij$dK8oO_F#&bA`)NdH07^GxjVm2^MMHdZ^!BgsIwHB;v) zc*JV}s|eo@5<jU7nzEXX$k~L=epX~oY#+!zeW;@;5YW;M2ON^4Q*4s3zS|RSBpy^p ziuynx5{m5w`D=zE-#5#%z5}j-J(a{G2qCzu9qu=XJB^OIj@FSP+&3%YkDUR+mk&vJ z(6hRCdn??Wmq-q0Ri4qhM~v!VWM-@nRLf2u^pm{ATjYVSk1j89kqie|u$Np7UtMre z9Ud8yK@j?R4=7$q`#GE9!Ze8>9nM-juo?}gQ`8^ONKsuF$&c;M^s`RLy&6L9vpl7W zcN<ApgKQ*qBeoI=L6PFvE|4rMmgFG0*t52_jrasc55w&){Kmjp7d!<nh6in_yGN?G zeZ^3M=mqUVC_$igK~E|6IrtAJcYjX_Jn8hI4I@TyFfuLH1A>ck?;aqS?ApEEJ#g*a z13yW4ju<go1CfGQH)t&%l2%+QdpkSfIJ>k7x>~A@Zp3KzV?uO+=F*(IMpX$c&sQ~f zw|Gj3SAgy|;*e@xC$119v&|8DBC}#ULGb3B1g~D<#Wp8<=k#{bFK{?l;P;wL=hdyX z?d^ER8j<cMv|)yHf_PcwOSeZOK?rlAc~@;+pQoa&6AEgoejh2CLpWDDK=aC>Ivi?K z)C+;q?@~99<TOD?1~9MNhn&}?WL~GqEhWzO8nES&`|yZ#Goc6UX&VU6&7PL5^ZG)b zl2*dh5r=vuz4gsK9z55=<!qy;w6?Q$yQKU&BGgO7L0PR8<mXmaBTqvhzqbcEs`w=C zSy|iFGE&P>q9w8@)&go<=$zIa;UonnbuUivUCl(vSUS9`!n>N`z4nd$7b$!ykxu9u zA<kN&u_d-6``#NGo+iQ2PY5ls=3KQMrst8!_E=N;+e-hML;1Fnb?+acZ!3ZH$0Oop zK>2{Qq<N3D(WLMHKVr{iT<^PHc0J*`!*!+W99NHPn`?!u*frVZc76`)e=j;8#p}SO z&Zx7~xy8BE8HAmByW>;X{(IK(pyNA^iyZqMt&WY3#f}2Uc!$~kvHdms)37;zz5P7< zK6?`^|1Gr7upejVZ6DcQwf)p~m+cx`%C-k~|5n@P+NRl#u`$;7tuI@ju-;+4(t3`y z$GXkB!dh&dY;{{cx4dh4(ekL}R?DT9sHM}g#j?~Aw0JCb*zAAH{H*yw^LNY_nfIGp z%^S^&%?0N1X0z#I(`%-uO+PeUZ#vJk&(vgEYg%ZUVLHyl8$U9>3eN?18Lu&>jC+jr z#?{8T#%ac5jEwNU@Urm4kT(Aw<!|LLh1Y>jeha^p5Aq(~Zur#jmf=~$gYYqMkzv1~ z)v(b}0p9}C4dY?;@4wtf-0QIW_XKwjcN2Fhm*Dns?OYAFnk(V_+$8Q8PGCP_-(i2l zKE*!3-pXEuA;6z~a1MVg$5ofCEMvWfbM1q((?7?OpR<&o%+rQJ`(Ux^XUaZUl>Yfg zL((=_$REo}MYR|b_Q8-6iGuMnnEpAI{0yXjx(#vrpg;W+wzKVnzVuHRVzv(!q<_K~ zvwbi>{SyY6?SnJZKVg*FKIl#Vgkfge;0%Q*JNY$T`DG)&PE~%Dkc@dsM&>ia*X)DS z(m&rZ#B768m9$gHuTzv?ErzIlaEg)?O~ud2>7QfC&q?W@&4vN{;KcOLF@}EI;K`Yi 
zBKAQ~IuiDy?Sm(!e~u+TPfY(DZP;%goRI$MH0&1#b(W|08O|05iRCGk{g{1*v&2E2 z>8X8&GsQuj>8X8&ed3_b^wd7XUU5)odTO8H3~`W{p3>COCl2atPwg}85eId)r}i0k zi-S7bQ~M0N#6e<vN>g61I7p07X>dK_AhABB!F7v+#Qc;7*Ch@T`%@a+PH|9cfQsE` z=oAOF2B?7R5C>s^N}IP`9E1rfEv`)*gb^w&u2md_87eKVMI3}7DlKk@I0#czT3oX@ z2wPNIT$4BmV^msPqc{k2R9akvI0%DOT3lEhgh?tbu3j93O)4#}PE5fll@_;MOu;IZ z7FR2#V3$gZ+a{)9m`aPQ5mT^CrNwO(Q?N~?#hosuV4O;e+aji5ol1+_ET&+dN{c&9 zOu;^t7Pm=E!9tZ5w^2;NMwJ$~K}^9)l@_;NOu<f-7Pn4J!BCYJw^mHSQk520Ev8_r zN{g!!Q?OR0#jO!juvewUtrk--Sf#~PiYb_^(&AQ$DV@!#eTJ1{N@ufbpJ9cV(%G!q zXIL(#bT+H@8J3ADoz1F!h6*vIvstyzuvARxY*y_vl#3~y&8mHdC1OfvvudBAOiaOM zm9`y=#T2YoX>p}u3U;fsxJ6<LmaDY55-|nSRa)FaF$LpQTHFFL1@l!}+<Y+w16Eqx zJTV0eR$AO#F$Eh|THG8l1tV5k+-xxgD^^<EEHMQ;R$5%Kn1UfIEv`sR!IYI2S16`n z%Sww2i76Pf(&B<*3g)b|xPX{~Ju5BFFQ#D8N{jP}DcH2q;tIqRj9O`N`C<xIt+cqA zVhVPxv^cMrf?+EyZibkGWh*Uix|o7(D=qF+F$LpRT3nu(f_W<~Zkm{aeJd?)s+fX- zD=qF6F$EJ>THF*d1shjd++;BYD_2_FBryduS6bXeF$FtUTHMKE3Wlz<IFFcusVgn+ zBr!Edk2_IJ&DP^4h^bk6+;}lntjCQLQ$>2*31X^Hk2_vWh4i@N#8gm^8!M&)dfb@* z*WQ-^wslo$OM2GRlk_CjO-<+;#c7+kvAjD@(x$EBC2<ocj^#9IOPeb8v#mt794%hD zA}6&d*k&txDKjt(Ff3DswQMb0hovwq1C)V*pJiIs!cfZI;s4Hk@4iKTa*{f=Qixe{ z@6%h(J$F0zobQ}dKHE@ut)hIkzVO;P<+F8#*H)Cz))rnnyL`5$@LGBKY^3noS>?0U zh1Wvmv+E151<PkIE4&scpRFpqCYR5yE4=0}pIuvc%~w8qY2h_*`RpZy*QD~<iwm!L z%4gRUUK7h_D+{l=%V$>?UMnk~4HsS$%4b&<UUQYtUQ~F^Sw4HA_1dk1qkOhN{=3EX z*Yeo{`ESzof910U^53NE>GIhE`ESzom-5*H`ESzo=knPC`ESzor}EhX`ESzo$MV?% z`ESzohw|A1`ESzo`|{ZW`ESzoyYkrr`ESzoRQYUy{5R?PZTW10{5R=(vV68c{+o3D zrhK+Q{+o3DZ~1J2{5R?Pb@^<8{5R?PRrzdz{5R=(qI|YM{+o3DvV68c{+o3DqI|YM z{+o3DynMDm{+mDy=h*`JZvru#XA9)N3B-q-Es*~voG&b&Es*~vTt6$HEs+1l=^F*| z-#C4vK>izdAqaYb{5S5pulywi^53}Yr{ymxkpHq2KD$8v%ThGl0{JiN`iT#x&KAdQ z4&e*J%Y^-|`Oqif{eM+R48AV7FYvp-&cHeHN90NQBL9Q_WBwh!zxY1lyVG}t&*S}= zcf#8${h#!(^b#rJdCK!3&f3>{&J+Jjd;`waD-b__%zb&;@5??`mMUv@?R5p6pLM>< z+2Q!B;{nHQ&TeOw(|v^m>n7m$E<NG6ioNfRY@~#*x<)kII+RirQvK_u72yRP66{~L z54Tut9J`@KWBQJ?u5jf_O5uj$Z-Ew{EG2Om(G1fA^3%eKrYhnLTCU$ML6K)m3v`bC 
zN3zi2u`IXI3@A~C;!3(2c&%gt|Iquo6$F4AFy41vtyHz%{(Z1ir;_8!C|UIMR_xy{ zL2GOKeWpb;>^+*oP;Ca@)DM%2VtjaCr&M*F{fi0=N6aK+iVa704V|8AH%h?Y+0s+r zU^1q*$J1lUbWBGE2zztey_AF4=F#U?24dG-iv&%yZ95t_Q6CcL!(HhlJhV(Yf9Ii1 z5+I@W&ut7ZGL#*EIwV!Kj@Uoh65gH7M3RG%gEZV=`Wqcp5@{o+GVGS=a6iUXDjgmh zhPf5S*YJRnh~vr>QZk1plte;Luk3h#@rjFwaElwug}yGS>VRDfdkLD^HJTpNQbH#O zHM34SoJ<*SHAZW6Gg@5aP2rv-@Eo8W?Pc5^$fisKy|+!OirPKe71;zDpe==&K!x3m zWiz%o1=s&INmb4E@7NfQj>Sgk!v*Gc;m%&E>WKYAShh3(M|HR}o*E%2hq^vk2`az= z33n7*eY#ARNR1JyWsjrl!`CV)eUa5?@9jNO)rdWb&H4%oOAu^USif2aV4*<tN?Ov0 z+3oQZ_20OO*|%+wsy5lb5H>K?a@U;%7!<EDETh7$S4uEb+6?HfNF(ew=-zlTo5sKx zQ0zE;%T*E(Kemq}&Z3#6ovGLmZ7!CXC`?^0!6t40e1qlrcA6$w;dN-1Fj;ICcSRcN zEzkBUgBX{?I`b!Lq^hbSU#$bEBM$6|iAUqj5`YQzM20&Pu?Y;_5yYmoHZ5Chaq1$l zOS^)QwuEshG)M}W8@*LIxBchpH->w_g(Tn_Ko@jrFNhsXD3<o_$*QmpV<pp@o-Q_> zK~+n*GZs%o(y>9-*ZqohI;R$C&<1R;BS|b{HnZ`_Rta!6TlT?PXdWY2KWQQ8jFSP> z+yi69djLq5U5F11@q;ipih0LQwo6rei+s2dlxpFG!8~d=mM*%6ZQs0C2&30XRk0#3 zv5rvFMon|H7bqa>t44~iWmwTWQYoy!+wo|^-1NjE+`~$~t8;g6H*;D*xo2-*_}bQ; zUF{Yx2FJsT^!ag?@WZVV0H8K~2cV@DMp*>@>3VvXCbl^X<j*$9pMAZpyQ1A)YBW}O z33PU~Q#@8Qq3^nI>#laRsjp*OuPHohq?pvx2B_ZFWOj5QW;+U9e=Wv@HZ0%(a3!-T zz_(h*F%k-l?82d&u*mJOWkPd3dMq_Sy9l=ZG;H3+1Q>~pjo|`Ff^<8ej3ts&3|KR! z$|ZbCI(~AURCT94kDKfC?JA<shKV_e-9g8zvW-{WgFDop=?nUs-(9@-n&C&X3yhBJ z?u<k`dYMZ}Pw(zNxM?6VuKtG47N@OglhO2NK-;^DttOB`v9l|q*zeFUiKG>;;rKvq zowsUlE^6ByO)Vzy1Vp5f?5KwKNQZl3nc;L_Y-k89Y)$nK$4P3yq^}N-C1S)^wWHcu zN1@u697`sWLsK>3HVn|7@GvB_{^8gdmZr_&G+~dFFp#$Zq#X{&Oz+cq_nw<^cxtn! 
za|7UaNyw({ESfi;gr+{!22Uo5oq|RV2+C*#=^uD+@$PMc5TWk*<j9EfX#a2uyZ<eg zJ<8dgfFPW<C$WiejM!<Iga&DL<RF$<gRD`2B)|pstHzB1ES`zv7!AQ%Fn4$~ek7~t zlB6?UeCjqeE`n8cHeD?NmSj&QPE6`hF~BjZgar2&&M0T&A}^>1^HUl2Ojqr0w0WGs z)ha|;f5DDoQW6GhU3ed)u>_qocE(2!n-&26xNAbi|KI8eZ416G@b$n-dBp!ozu?>L zeUtRK)a02F|3h5mR?0pEdv}}bHO_B1*E?=KMezSz^~?%DU^FCX0TivRCqnICM2KHj z_&$-7yL9Gk(A#Ja*#SO^5M8Rr0YgV|CNC?Y1chqKT{%+@O8bja3ISRdxS7wGS=Pa^ zyg!jlV-+b`3mS9lX3jzjHrYb{TKlju!ovd&WWb(vD$2mYSpVVD5DQXr9Wx=&nl46b zGtMYDUG!&gj*e%BF-WjN6Bu+`Dw!QqbumyeCHqw|U0;@#cii+vnsaMsf@p|_bS{{X zV0x3m^j@VunKD#X%S~!i?y{KxNZnG5=Z)dsWP%Gme5jOagf!+h%*dd2Z!u~cus&n+ zCe$sbl`Z?NB)ydkQH~yOz#8ob<@RedZaAIRXd)-qIO7Ao_MTyYEH+tAb)AXiMA#(S zlxBc{Dhy{Y$S#UqZD@wTIjCSTKmyQ~?otuk(44ECkwC5HnY0kQ3jInugq(1<x<DJ} zj*^kwm}{Ex7~{f*<Oa<J49W{t!itmXf);Mmv1NIeIV1$3`6q(zqEP}0)Jf6dm{~iq z?DW>>>So-a*WLjI^RJ<fyw<|d?RHEuD0zY_c}q4n>T;WB%0RQ`&#`c9Kqsd81#0FK zCNXs<0eDw5sk}scHelkLASnr;-rhZlK-wFPQ-JmCu-u~qzF(KlxIk+W2^zGvV3`|% z(!Ai5v+R_%<TlPYL8-lm9dXrg@?kqQcbYMBVwGw<*Kf#eopFHn5nE{k4vnP4&?Hc% zrP2I-I!58jp)l<xPKxo-{`eS<jwNXZ5eavWJJAYz2@l@Xi|W*tb-)lY@QuC$)M^nr z3Pk7ViCdMHmvGQU_Wzo)yB*Rs(n`<gJd>Vk@p17(VnW>D{-gV2?pxefxSeI6D!V)M z+0b0*+E7LCyTN}94hB7ecLZ(=Y!CS4cgTu-ng1#Ohy6$W+kg*vhi}}s0jT{?dMCa0 z(v#B1rRg$B_z&S;VY}dSeZiG=e$zSc+~N4M<JI;Ce0WrDbT~Y}I7M29Gp{+rfioO9 z{W(xX1=|yawO6$)0<#c~_5%rIcA$0D6j6ZULCEw;4SB=xD(!HFA5zuEd|PuxiWpz; z_;Jp*uIeok1l@(o-=1z*pb7yp8uUlE5xe?|sL1j3M%@FRPOGUHf+S>_L4f(S>ZC`D zz%cNJ7MyA!UXP{X5Vp-G1^waP;t!L>G)C$_051lK_Y4kUGGDs(6ft_@%er>IYn1Gj zFudxY>?vZe#8ZGZ0YF5bBTs3~-?1C=bsBnp(19Z)0cP}9?Jk0l!mAqTB$ooN$YiQ? 
z?J8n#rTYo7LRR%Gp$SZC(FHx$y+eXZ)waJIVGT3;)gQO_cNPI{5J46dg{`Q@je-V4 zcEFYyx2LUP;a~(ihf)Bj>{Mc~0H%lIV@zFUyzZI?sj9xn>o%%m8>k7yThtxdU0p@2 zW@u4E3kj6Wsk~PigH6Ny-1Z_9kRop^9ty(sRFPpwj}{He;QDQmX-iKPpxhQ}E?iF* zgUI1&M8H$+Ot7kI@mJa5pkq9i$Xd-?(PEH2yr$0d8Vt?B_)t~_Faq^5im)kWL#p%K zMcB8v{ls-s5tIsI93bS$A~85zHx|Lx;7Pzhip38whSv*<3@<#76Cg!<zz82hXgJ*h z;kuy+a0-vW7Qjq;1X_z`Q{zfJfyD%hvNjmqu?mjx)r|dUtVh=uS_=J2)I#3(ef zs#CjpS)e0RwBH)V!F62`un=B#yzmvS-xR@K;8|#~t)VaU1#o|n<r@!?-BCN<wGrA> zPc5uJys!8dG5Gq1Q%Woo-VWZG=jpXY1{%J2yp3{i5wu-TA8mDrt&>GBVQ^<)`i4QL zR{>%+WySkCUVJmKM}E5{sSjf&3eX_ol@N$PZLz+09S@Pjnc}#+$g%(;an@HY*4Upk z!w17B8xUN_iy9@UHEi|<m{s%{L6~OKGx=(%>Js~Bu<+67HvuMQieaxn9~Y1ohhAxW zC~;WbAdSPl<F1>)U5`C24Lm_LELJf3Yp*#Gw3p7?V@1XeXg|)_aU3o7XcUW-F5W@1 z>rchUNOUk(nWo|*B?qf9krHc#^}%9BdB}tithnCNB$R6Njknj;Pz3Ra7i{3V#D$o4 zSADT9G)jXA8+DR!yDGQ|#sK|ub;WrE!OD2fh>)y5TC3Xs?{S1$gVTZU2EuaI|FD0B zFXp{p`is=*xlepTyx5&A`)FB6h`HYHeA>CwanG}Tn1He#2`YJ@xdLTMS1&r=Y_5)u z(R!~&6SM3Y%c@HuvT~6bB)lvV$p|-W1l|1%TdD7F7Kwhj3El{688T-Uv6g}078`<L zsn#Nj@j<lQWVht1W{`%HTgw)Xj}2zB3*^n^CUyf%d&uNjM2`s`6V6l{6vpABRIF`= zHQ{1VYmd7CwPZils4c{UE;nbJU~5_fTJ1wwfmS+56;3xzEH4#*8*}wDm7sZtt!^GP z6K;0_%^K3BR75xAI%igcXbs>}U?2n0%x{C-5+HmHpaF*agf5BlFn$o#V<V+%NPQj5 zsbRFl9?n25S^UVf+(W!Rck#?B&|7aiT!2a2#3j?M06=BOO2SwoBiAr<5$NnLMknyp zz#;ZqVXsk&ZUwbYsi@wF1>{0dZNGq^S!T$tNqUX~t5YhPTOeax0GjQiC4y$imwJr0 zDAaEx7?qOX4Y`_`^FgqE7+VmmqT_HX0k%brk66mUeMAu8E$4w^4Z~0%Uf>3HIHR+% zL2)U!6{0A&e&$?|tiePUlH922I8~B4#;jC>xDi0Z=Yw2(pds2rPNGcvpmVrXq&5Hu zuo9%&0|7uP6pehs!41q%y>vq*6&sDGM@qK5)i>rUXPyVz*Q={?!M;tjLsdi`Ro!r* zD;0y0Smg4V3Q&1tQ7Y?o4wFjH>N%ms7B3x>>p?!k*DXRmOarR+h*U?aLoM^c>W8i( z6VGHx_fRtK*U|ZZrDMzy>IuFn@MNG}zQ_N#|8n0;yg&9{A>HHonP-dmI`=Q#TgqN4 z{77hWy$Buvt8x1?{=@!tHP~ez{<)`vfHm#9<1ypYND}Jvk}!yo10mrm5NwZVqdS_z z`yltG0C^mt&32*9U|FR`MiF+fD?zh8K$Grhf_-p24!0Y!B|vRX%Pj(lmS!3;f^hKM z0+Q`vY;;E>IYplq>}|wudj)9SV!L7ytqtLh5hbN=wmaiP!)8VLvX6!au=esrSql$O zo!p+}grQknc3SJ9E!hlO?Sat5+By@h(P6~%9ULs#+Caz2O`z8PI7!r=M#o7a2P0u4 
z=(X4GboW3(*-g&k@co+@#c6&3GHywjOQht&GcBOC%JxW!8(K740VggMjiiX&V2suR zu^TiJl7jddg(R3M@Nit#xka=9eA^6Sn~O2DStAyw0|eoKmA+JLZHCsP36$DvJ<yaU z&Q|q&TPix6KxgA(bi&Jyb$=;?je}i{xivElpi@iTw{Vy?Xmpkk9u6|e*P$L{+OMX# z;dEL}i5#q^b)dJ%YD!Rs&bX4GSo4V5VGY@|ypx|&^Hj~$f>v!`EgS+2LjiAWIKP|* z#BRVqs3|@W2%TY~(lBtAW*q=IkOw26*IxV5O%M>o0ikdK2{YlPA{Pm5W~vt(w-jAR zAF*njvQp8CBpNg8L94yG6RcG=ML4=p0xT2Rr6QOXvC9@4yQkG62Ivmq{~s4uIYLi` zeir(^cy;I-p)Z6U481?}j?jIfSBlM{yF+(`(xG_hrcgArJ+vj%5Lz3$AXFamATz-K z1|JK4C-~Li!@-XR?+^ZS@ZR9dgEPTfktIM0-Vodq><nHWtP5TeJTDjumIeM8cmf#% zz8&~-;M0K*2i_fcOW?JExxjQ_0=WYY2KFJ=U~6DQV0|Dgt_oDZv*54DBk)uCd-B)i z&&eN`|4qD1ew%!+{Bn6lzEvKB*TMDjZn<6FB-hAmkXs-iyZpcR|HA(R|2O?#^grbP zfd60oZ}Q*czuSL@KkXm(-{|l4Z$q|$djF;V^ZjS}-M&Bhe&zeI@7umF`#$aau<zZz zH~U`WoAu@3zi=4&2lo1|@m=L>@>TgR@~!Ym-lx64@jmYTuJ^0nhrJ*5-tT>@_x0YF zA|t_+chuYO-S6%8ZuPc!tG%ne&-41d4(TcBXVUkj|CBy2eL{L4aumE#dWDpiZj+8k zgVGIBkJKS;mTIMorE{gABzXSd`K9NFo^K&*!6!W*^t{va51v<fUhKKklkvnoH+iC- z?Vc^32G3g01)g$`DE=9F4E_g^7XL&1jQD`~9`P;WYsEQnTAYC2Mohd`-0_UnGiM$= z!+|p#IKu(X0biNR<#J|)Pk9>E;)L)XPnlXgB)n1lfm%c+4e>2%5qU1edwKB=@eRCq zyZCxuyiI%^FWxG?mKSdkU&D)2;;VUaQhXIJPKfvL;<)%qUd)QG;Khvia$Zb}FXP3O z_)=axBF^*Tn25v?)HdXm5D`OIEslyW;l&a0#k`mh@8-qB;){6kkeKJixH!X$!{S}M zI3yn9#X<2XFDl|RFAj(~UhEfN$cqQXJ9#lC-ocAEi?{RQ0r56oyh*&37jG1A;l&q- zQ@nVCILV9Gixa$fojA^m`^79T?h`Y-c&(V`#l2#R7yHB`yciY7c(GSZ^5PzGloxx% z5nkLaCU|j|c$gQv#Y4QfQ;hTC4sn<luMvlMu}d7}#qFZPi`&EjUhEY6d9g!0$cyb_ zj2GL)n|X1ocz_pM#hZBXYVk&1yh?llFJ39$z>8bN>v{1C@j70-T-?u#o5g*+xJkU0 z7dMJ~d9g+8<HZePloy-DUS4bx_wZt)*u#qr;%;877kBYuo!HHbwc<`*tPywcVnn=# z7puiCUR*D3=f%s!ZM;||cJksnv4a=aitW63so2Jgmxx<=@nW%+7uSea^J1lV6)&z9 zujIwBxP=#2iC6IAMdIbWc%itN7cUSu@#6X7MqWHmY~jUo#SOgpe6g7qSBg!%_&iZt zu5J@5#0Gx#9I>7kSBQ1Ic(z!}i{)YsFP<evcrhea^I}k3&x--^GG3I$Dqi%9>v+*8 zuH{9qcquPR;w8N35ijONQC!1|Zn2UV%f!{ZD2QQRbcw5Y(J5Y}77=h>yihG7&b)Ym zT10qx@qAu<T0D;z|015ti+>iM&x?N&SMuT?#pm(jAH)h?{JnS%FaAzk!HZ9cXY=B3 z#d2PJQap<ne<Ox?@qfi2FaBB#@ZzsTnHQfB{k-@~(Z`Fw5WT$kb5T-@2(2y(y!cg7 
z<i$Hgw^nq%P%PucG0~$I5iQ;Qf4ulr(aDPsiVj}9&;3`e=o}MWY7v3b-GAoA$K8M8 z#mC%#<i-DS|DG2gbwACE54r#1Eps`sg*LeVpkB<le(e5VUi^{!NnU)^{X1TK$o&*A zKIs0f`hrY@`#0*vwChLiU-IG)-9P8WN8P{X#fRL#;>8EuPpB_QH@JVHUQD@u;Qk3O z{y+EQy!d_hW4!pN`)9oPko%`<@rdht?*HM%|91a~7r*QNf4umR`^W0XjwIYa)JhHR zAE-Z%xxVB6E-(I<``f(usQdf8_$~K;^WsD9@2M{sOSr$Il^WdtrT(0BecSyFUi_B( zTfF#?`%(4QWWxPT_2Q`OQTKoH;<wyi<Hc{fzru?TxxcPHHJWgLRlPXk`kMO@Ui_;2 z3%vLh_vd->Kir?wiq0|j7u90I^=0>Gc=1c_f9J&q-4Cl@NF>~!RWBZPeaZc4UVOy; zN%i-`3HPVei-%labbo{wKjVIg7eDR(I4?fr{)AR^Hn=~g6&?TJeo%eap$7Ly)r)c0 z7u+A<#m~Fn$BUnFKcM3O6|(=oI`CK^BB%Wy^h>_$y>FMEkQzL<i(eNj-HEb?geMXI z@2K-Du>LDtI6UEh0iwAUN|EbqO%G8*y)NoKX$~&GteR6I4a&W}pxxfsiyIb=XusUl z0!>pp(+6_xP5(sh@dC6jJIVFAD`uh~`GBoCok%{Zu<*-HKUsl$LBGA-g6KbutiVK0 zu4`rw=$*3XH)7imBoi(*2Z0`?NbUr>f{PwGj;S$7wUC9B9YYO)TN>O5;;z(_!$J=l zV{e2(8fLg(X5mIouH{>m;n;XQsryYW>qsF|fRf$~TDxtRLD=WXp$+JZa0mP!S*%*- zJ=}&M>ZLNo6H!pX?*i5KDtO$mF?=oMH%TH-N<YhLQOekmL=Ozz-5}WB(2W~fbb>Y5 zQ%Q^kL<qb=c7jrSZxGx7{D2XrwTCC>D505_Xu@W`14P?z=D2}U-mr0?ahF9))8glA z>qn^=-i$z;*MN5WK%Ahx$&Pjgh!}~p$iAhbya_P+E>La{qX*^i0k)10j_E5E#f^Y+ zZ3o3gp<IX(*%|9+N#l`6-Wp4Nd6(vnNCQ#3ZBc5?iHk}J=s;g1Eaaw{PEf1O!2)DA z-2q4+{B3~g1SS=s;NcnHlT9ENOzF|74fU9W9Uxwdm1aYH9m}|tF)w};bpi9R|8NO+ z!iKtB^Gv%zc>#)o*uG#Awq}vqE2TldN+Tu_T@X>*K)8JvQQUwKmu9y;#DzHwEOV)r z4g|H_FtgQQ^ui&6pq6~eAjwVx*pr-!a6zUtam&4qAjD<$OzWbYHanH=qYMot^Uk7v zZz22tM&}cb(04)~3cWIv4DEn@UkLsn_z76^Zwc-XZU~+e_zi6K?+V-<7!Gs<Dg#c~ z<Ub+5K^~Q_mRG=A;3NJyf6U+H_xS$H_g>!--xg#Ce8l@&?*Z>6(l4bqOIJx=&!e8V zi9dATS=J@I!S%FjpYsXlCmiouOn>0~qN8i!@6NLqUi&-0Qg<@#AC{sHN5!oU*Y&ME z>|nGxT-laP9*!%3D22CYGGn_(0RltjsG&+qP*~Y9N`b(_nPEhP$qXyTErYlvjI42K zCBp<f#2!HgIeJsNrc(G|?qcr^_);!j@F^BfInp;ZhF7uRQwS0b!D`g{IVILV93CTY z3iS)@>`9-e<Zvv`3+)F;Vv|ZD#2LIV@M-nU8G18?TT&QR^o;gX_@F{3SS_oaG5{*y zle@s%K~yHKR3eBnH4Bs>3ta!O%85=&aTDI#*NFoU9Gt_{;EXbv(cd2*4IfM*ygy@8 zUmw!4s0}1iM-+s^&cue&VcfO7uX`t@w1ab7k|5TgsXq}@Lp-q?_IK|DbuY<Pd)q+W zbh(APt=U1u{s`}eC($6nm#f6}Dies;ME#_MDHp;JG7I3d;17%Ql_d^SZ46JQ6y%l} 
z4JVY*AyC^ttgubBCXB#8;PwQ9Y2X$XfhQb82~N8Ru)#t$7rb4WMBI}MrT7B1Z=P=Q z-Uw=sc`Ven8cG5!jg*mHf|EWTN5U3*x0dM$T+u!UdT12Xgu6x%i<W#<!u?r<gc}Jf zEF~5Fn64p7H;u3wsc@X%M$L_Z>zWT9#jQc>$8i%bBl8Zjzi6*W@v!Q(EHDQK7v6*0 ziJpFB|HLQP9ZV%B(n_i-JTXk1K<XVt${k|244`A<38)uF)fT{|8P5|n?Cd_8%!HLm zH5eV;Fv4G*#rwdu+;q%~bSf3c+D@2j;c)=U_bCUX$^OGiCcS`(oHJ92WNZNaIUL7a zieV0q#VP000L#yZIgU0OZ>dqUd#M8mDPu6D20(bfqK4FYF0=U4xi)W_rctPX#aLsM zaBmE5ynHEYPe#M*+OCDXR99b*z<`??s#Nyw9V2fDB|L>xT;bL+_9Qxxx*BYZVNj+J znm+@srrCT5<Ciqt`f7B~MN*?7*(Y=MWBDv8Ia7?yQfSlAJIQPYS{`s63j~cleOzLE zR|+$A(jK(IVQm6jWFu|S-cDdN4<pqO5_@7UGm3?~Y#$gHr?_Z{U$$o_<h?^`jwJPg zmo`hZU>AJhAYxEq)uXtK1s_wNdf=dR9iFnT@-@RqcEU6Og)*heO?^*M!p5zGG_x?@ zX~w8eQviNUk=I-!tyUu&BJCAa!RVWo)=iPUw4@y{B)$WbTIIlwQFyK#Fvo7ge#FIC z$Kx&1YBi;!=~WvKAm=Cra8eE+iWI_MBSB$7E~-m5NvqXBpQh(pA}mi<gv7T42un)Q zr$EuV{n2O@|Dto#MrpO0;@I@$h66k-#sO?G*q)3CfBJ*rMrk!mq3bj~*nD7XihBBh zs$fCunb#hFXzgZcwVE)~^h{F(yU76_wCX?yx-kQufX@9LI-M?ev$UF}QZ;|BF+vHf zaQiq|gM1En3sy2yTA&&`A{%rfarD8Y&{V{nNck#hwVHX=L}Yy(bpkdv<n+WN2X?9} z?4^eGi$Cu8`Z{T~8Z^!Pd_*73{6^>7tEDaFETY-&eXU56){{yi1&^xER-GN&Hu0Ms z-#-4$8~M$ywa34?h2QLW^LmX8XHhaX@S7Ws|KetTuk!?`Xwq-~^zo@^<TqCxpNa;4 zuhSoqwyap3%k_2qZpTZH|LS^vv-84AY0XM&NV*M;v{dRoX|B($lGd=V8yOroG`800 zO&PFzMN3UXjs6wam%`dBj3ne68gUCJ!}UG;chsA1`C74CjL&?={xil6kJ`OsLrr~+ z-ifXctkxJ}ZY|xSw>Py$T5~?JtniKo<DSdy-qH-7=(AyOu{-oBaIn}N`cOWn*d6)+ zKCjpvdTVwTyF>4sDKPEa!uC>Ij4?M>>?JzuN9>r^47Qp^L0hqV@G(A8qQ&lMGVbXu zc2A>m&-KObX)x}&sn|WHVcBxAHW<t!o7#o{aGG6jQ0@PBI6_;4Zwx#dxKKXmzu)&e z-%9V0^nm2_TqnN6{b%=%vU`PJ3R_%vJHPF$a@=t;C(gz1MIev_v?ZFUra;ewv<XF% z&n~NChY<qB&S8*R#L5d&PbVuc$N{~Fiqm`C)UwOVV33123vtkEA7=rkUKXbta&-n` zF3VpJku;V-uKF||%*#!3Bk_26F&>{*V*=K4U|EJhuRWFp7HUklt+6!1Z;UFGYdm2| z$iA%XWyFBo!9~ffGsulne6f;+QXz5)2ci@m4Rpt8v_cR$FnJ9a>@Bcnw6Rd$NIsZR z6;lY{hG;b<iU&Z%fV=%gxr-ZGn89;F82^$i4nz)|!w-U9dnb0>fIw|#+fb?K+<;)a zG0?fk7L)=y5qWsA)C{GfyBVYR=EX*@?itFAiRm<H4@<LEfQe*)JFwX3J)PDD&|9Co zVdf^;QI$Kt7)Y!EVZl>Is&Xv}8dR*L_af~m>Bx7*MwHsvzyMN-q$%XFrT{~fG#2@> 
zBx47n1nlP<W^P1x*yBKek=umrZ-kWPAX<xd%vy-N<0af>h%n$lUI5DNaUi&1Ba2KA zMT(joePNXGW!=V!pj^w$4WL+ypjWWX;08qRH>Xb74Yo7d(|Rzy(u@;O2GXxzjC3Rh zAkxWXfUwvY<ZO{)Bc&JF+LejYEI455hFt5+bs+t)?Xr#=2&Dxh52^QHyU=poKrvXY zI{a6&MszDcFO(?DGtrn^J+mK;&;l4P96E?@535cILu-J@CZrGD2O@7Q#_2}u_|}xR zDux#1lcL<vQ7`xGY^3x5InGx&LRSTk;rzc!KH`7K_Y2>Z-d6(uf2C(u{3h`K<7M{? zKNr@xrf}n#zh{{Px&A!Tcf#CLPgbjLlcnBbwh2eVy8(zwD3!Zm5Qd(9T&b?4>{;Uq zGqdoKGz7ay_FxUnxV5*$U<93<qJJZ>T+>6aoYo#pBoEe(Amj&a)w^*amPUS?6v3vq z!n|3VPW7ulABv5~YLlrU^NVWr7ZpAhJ(AG1@+zg2HiyvIHS{8&bSb~5JxUiE7i1|N zLy9WQkdkh>ASBm5L%BVV*iY~-+Q5>78A{b&O)&~b)DoHf&GxS@02GE`q}THg@eb+- ze`^paHd8Z{9Ir)t$u5_!Me4T0k&zfr_*9!7+gMi@X>N?bV8miI*1}GU%tlHit;8US ztyx{G{c@FNecS?N-=(A3k%LNV3mDphE#Y>wqsW%fg%b(4OKH-anzE}itL8@uUkl?H z7c5G%C4)vJx4jLG7%A2n$Un!kAGIc+Ey9M@IsmB@stnrPs8`yV2^{mJM7whrHnw#$ zx1tsHUJK}}CJt#^XaQU9VMA#aZUL?KQPM#xg$sfsNSxB=wGniq^i#GGo)%M}Sp(KD z)GGsfY@VCQWjDkkp_WX61U>?TTr)EXsx?mw8>%TggppjK9YYu}gVL=iEIs`MD7MFy zQk&{66!$8FI0_DzYViQ{c=gOU=+%Ns+Hkmz^qw$Umq^h?EUSZ2Bnu+#qodOugwLD6 z(R75O3zl@qLJ5-rsrDFukP2LJyAt8ZsuE)S87;Y<nKUUi-0J4Bu=@ckR?}rIo=I&_ z77HG-p&3WjQjKWfjUzKD^nhlTvS|{c5JHn5NmHPAtjvJ_P-fSX5!`|yb7avWLqStV zkT>=;*hlI&0P#NtYBlYs4SOklld&XgZcd$X%E3{>MTGf9CPBD;JZ+i{EGS_F$`(>^ z5z4D%L!t?4mQm2EY2$2|4Ckg4*1CQbTu0-XK*_j9DTZ-|DH-XFxh*pzAU#%eMX_$# zMgmt&Nd(T9v;hrt{`Wh6<_KOSzt8uS^atrY@jmxp*<HdrT#dN=H}p5%k@w3E;Jq6i zxn#w3i|Jqui?S8*Z8}o-#DGu7nYyxbnE~L0zvsgKGdRSL>4*3eKERtE(Kx~(@RpPN zbSm$Y9Wi3$baTaYt%;HQBkjt;>`;UOQY|YZxfGc-6*^mY#z*2D@=0jg=+wwya&&4f zOZrWy&{TC;fer&YRzg0<EU3a-s_On#1gcNa>&X5PAMH;7_YUPI(5r-~)!_K}gziP4 z0=&~ecu$49dhnf0e@#`*Qq?CWHlC>J#PrC1#zDqF3)ge|^IpHBRZ|OXGckQ<JDfRm zRg0O)r&=A<niv~?Ci)=txt#;CF`Z0n+iuKDeg}}m^^TPV0}8GZ9K1?7?Mduv%>Z9) z8BAI`EBm&#F17PcjqYpzq+)5{bW`3VQv<Q~tgo2vF!kO(ObliUrky~u+NgSWb5H8i zMLS%x5e<FMsA`T1s~#TP;dT<GSpfF}z|zyu69L{1Ulq%wG5jKy$}H2ceFh_)<F3gL zZZzJ?x5>OHI{@FWcT9&WruUfmror%!3*a{`<$Rcw8qUAOmHpHVQI&s;eX1u`dopd| zeeU|a+t5Q_Ze~43s*U5pLQbC+4Q)%O1{W@;N2l^-vf}`atYd2{rgxi~hpf_Ray|$n 
zwM1$ZCTuJ`StLkdM{V<@<m0J5$=ntO;^Wx_yh(JQph0-wz=B2-kY=R%F8DaWKP^5$ z(=<NHituk5g`-mn^FIqmuxe&I&jJw7yeI~<3354tUq~#IQAWl{r8&UANWNe+cgP3s zppuzT6x=q-U(CMBBu&$`F$gs9KG8i*REMDvn4#cJRjs<+VVzCzGHI3Z34E277i}9w z4fK;x4i7PsU>S-1OWr$A&DiE0XX-c0&_233FKEm0(YA`|O{UJ*ydn2N;($wzs!Uc? zhe*@-)|cabSh;Wtp&nMfADKH~EDmoRxX!4~6X*@&gh;&(+aG>q@gyMez@ej>mUHx4 zCY;7skuo5bn21fK(WB@Nm<I>6^&P#4lUizOjNG%xw+-pQYcM*kKANgGOSsTOQ}fQ` z1d@z|5jJd3=aM^eX<LKZ3rv%*kTa^K_oj#PE?G5@O<!0s-Dc{&ZRm{@1v`KxiyBze zLRPtVY=Gtr35GFDqJH8irYLn~TDRt)vqs>eIS6k#+^43PN5_(Ppz04hr8!l?^NY=7 zdZp1r_(BYQh|b4H)VWJU!QGR(5R+!fTs}3^MdOx@k?!bCd8h1vUuUD^n8!L%7WM43 zn<^?ILggg<=-^iN_v7ff#Eo!ilgZRm9ppA^nM`#4mz@zu;Gg8f@ZWcOgRuF3#QoK> zDxuxggdfiQ8621v@<;~C&MEPV=_=F0V>mLJ)q#bFUM?``EB1+aKrV6Y7)!(n>j6xU zY|p5^hL$liE$5L}l(9jnn7+!y1~~3DMTZr*kZXRl4fT<x=DMa0Rd#X{m&56)Lk)EJ zX9g_@6Y$_^si`LsV^l#zv{SfFF7XJ<+h^fNE|y0I)7{$9e20l2g@}#rG_KgN;*|CA zsRC?(&?5;;BadF3KS$ejkFKbgHY*?)v;i9@k4d0<`r9<K@?_!^@W=#Qf0K^i!aR{F zH4PnV)p!o^QG_O>p);mxgTs_!l>#HE04vDk<ckmePMzxT4|nP%1v)q_dP-wB=eMPw za!P)MpJKE!_|O*9U}XNvEZj_3_g4<DgH4t^CzJuZDSFCU`%KmzMsJjot#j{cYeRSC z&o&fdji!e7#1Pm5(V}QIi6v~tVM&`s)ak@oS~Pt}zFc<P&a^~R71KkeCYg5?BZ3An zV9{)POb1_#F#M^x!TLc3)?&;I7PSOWFcqiDq*yH+i201du8+i~aMnwV(Qy*OD>QC& z$^m?4Fg}TYrw~R1AvY3JB+-tgk~lAqq)E7&QbQMDN-lZTUYgirVwu4)gIx$6z_?)P zfm||wmY-DHZ1U_ibwJ@tz8!&PQfWZl`ze}&ndRChf6B(#sanzvimgrFn-3Xko_bT0 zft#`m7h#g^Pfb(PM-uU|L>3y36J8}ukAVC3O68-0d@$h1t#vrIIdYgzW~HlXYyb|H z?oY6|2KLhl$M-N|C|KjJm^)k#qk?0nW-EFw&bA5VV4B60F?s<&(e23*1?FreU8@~` zYe@%10b<g%`V*w2fQ_scY`UbOj?XL<4c^uqN>4ZE15B9<CHN}qVX`}$$Y2a8;r$U{ zu||~0ZZ+@>kId2m$RqH3X0GeJ)`V$f*qb7~3f3c=_h`l+3Md5h1Jqg6t8}PG4Kd@= zh%~aq3A?n#io&b30Y!KCkQU?643#~$KQGIUA=(%2I$~v9A-|$ZhFQM=$s?VUGO!rS zVwxrr!LC%3S(+4v&`e^*hX{}EW!k_rm_#9?@C)Q976S*0EhW4zK1ekRa0CH@ag)XD zf-nZf)gbjFy$juf$5^N)db9exs%crL)C|=??FC~WsXs~5i-kLTTe~}=9eq{wMt1*N zA|{4D!<#{1IEou~_jYaT+665nZc0tWaaE&6RmUwxQ#GSn)3nk1+B<e#2eGh~KpUgb z@{Us?OsG9=f=aci%1{Gj+LJ`Dk+pIyYjA{COhl+krPpeqmhiUId2IPyM;*_HG7WM6 
z6VevvmGJq0Sjdz;?ESv$0_U$?AM*5zZ+E`P_q1b=G~>QLG!p!2@cOc@z+JAR{;&Ao zW*m+6Qtq%9!e_<wh$U8$YMJ8PYaIuKg93-KMU{SIv(FN3j*Sx<f~r;y&|Om~F@B9= zTp{2Y92EPRof!68Qm>-#SWF#^KMWZ*1lbd+!V|xeLR<fKv{-m6rtgMp41gyjPO4dv z^{z*3qR(|nQ)uf-OH=K|Y{Hc>piQQVwwW=UN>Xa0ch$C53LhKt!n9kF^IBfT2w)NU zNDNkQ2M^V@sWXW<gk$nT=IE0px--0v;Rs;a7Cy3G+J^5~!#wE*)?Q7Y&%Pvlcu>mX z-n|x*I^Zaf2y>slK^A5XOX)rykPOB}W=K$p)%HP!9wO-wT2sK}nYCmri?HS}7ziKm zZgDi}!{-DGxy!vsa#%6F)<PU08i?3O-b^HwGG!O1<HY0RAwnPm=3=G7YIG383wn0= zSzu`(dn(?$)Dxue-dxmsClSBKLcAJIsvQw~!Ov^pA)y|7;9S6zrL+mdPNabv)Mja0 zpXp{TgdX80Z~z9YX@+1L3?dS+IuSA{M9{+(^-kDvNT#QqP`ePu&a*Z{D>%&)Ewd^X za0Rzvu}ra0`gFf($e|bSzs;Kqp;3yZO~vIbg&RlAx1iyBdv~gB(~N2)TG*Q?Xb0ch z+eP6f|222E7tum1a{DY_SAqTnB}Ck;2_woRq!PCHsKzV$okjRV-(nZ&BD4tB5d2pQ zgE&wf9*G?Wg9vm+El<!yrh^bMc_4}Zqo`%^(Sa<K+T^!EG`(wjr}qeGI%e(VE(BzT zL6IV9;W;CSZ3=KU)!%|bZK*8Ss+kTFP-oD9j?=T4Mr?njO$J0@oU+bSH&pZ`9CX6) z*&j^<2SZfiZn{B>VOY%u@fd}hW0w_phYZjFq4dOT)W=Q6DmH4^SGm@tpP8pd6dVdu zbfP4(NLJ{W#P-YV9r*kqj4<~0Z9pU7w5bN=#VdA$k`%kG8cZaXvUqD@)ky_oQ8$0V z#)1*ZKEXnDzAd-OyNBk?g_a&JV(%eQ?sT#62-63#z+r3(R?0j2n3=a{ceKwknb{)A zwk-OI84F<sW)?qKlQ9DMWmUvs+<D_>iS}IUs&2mznbbYRCE=BqOAsti=uy)a#wZs4 zal15uXHS0n!%!d5wllW-{Zp>l3sZc>v^99>cEqEFzZ&*SpkDB=ic_GttXPOtruEU# zhQNinp`ziHFyX(3w6UyC7L4t~+AC;E)9vbc083;#4DTsAIY0!}?EdPKsM+l>Vxb3t zWtPb!)-~^w5P;r%f*V$eZkxV<O`D_rmciGtv%7UWHWR}v%`6pc+CaWg<z9|mASFDO zH}x5;ir5Q*e+SF>@<<CYG(cGWXaT7vK^**wr)e7j`$i!MtLtq%1EhoYqxuVW0a{eG zaFJN5@Syfue8_?eV*8W@?pFg*j5J#5<mNC3N-Bww*l>*omy9QCfmUPgV5373hI5Dj zNfBXZk=jb(3!~n>7<C0RlL=it*z*yz7poNnd^K#RI^Zx8q4+`T)3H$uG^nJ}M7A-4 z4Wx<&Pw6nDJx$?;F(9#RRtld#@mbowyPJi!fl`*u($8S{JW`?|bjm+FeU=xtql%+# zmNB^q@PduYzg?t-a5NY7k)Em|H)Uaod4d|6l#|g?G0v4l870i;0^S^{QI{$aviXQ@ z3-cG#QQZU7xp*=n;%jp*CUobVC&pri!qq}ncdJJlE!MIwJrdHH1%lR&JcQT5><4Bi zn;s^?2<w@#E<z;y=UlljcRuy=5{M|!L$V%z<|Mt2?Ef$G{DUL(o6wI!{~7vh=!2oR zg<czaap=}iB6MSDSLmuxU1)XaY~%#^ZSa4B-wJ*%_(1TT$PF+Tyd#(l-W=Q$+!|~Q zUJ`s>&=dG$;AesF1Re=|Jn){tn*uKj<N~Qcf1nRp12zQK2A&`A%72o7E`L}4vizWY 
zzx-zTmGUupTpp75%U$wjdA)pr9Pt0u|7-sb{9p5b+W&t4Tm7%`zsNu3Kjgo`ztg|P zU*lipKg;j(J?Z<g?;E~{eIN3@-S>LmOMJKaMtlc+J-$|7gKv%R9G~0!d+$%Y-}ZjN z`%&+^y>Ifq%$xJ3y#wC8-cE0ecb)fKuTT23^b6^~r7uelN$*9Df>%n%q^vY3?US}k zo21L6^Cj8ywC4%W_dQ?ne9H4aFzC$R84jG`z!?sl;lLRVEF%Zbn%_~j%IVq}A3Y2$ zO<!`a@MU@anz9O)i>x5dy~3CL^Ic^XPF6iEJR;9;*ME#qb(>yYN!3ohx<dG(Jl~;L zgH&zTs}~4gkmuX<>iJaNs#o2@=jHiUz3Qau)x7HX301GstB+CjN?vtFh0n?JTl8u# zRj<&id#HN3UR@#lyF9;HuLh~QNw1zGJnWy}Xte&b@_dW_V?;o8gI--p)n>ga3!jna zoAm1Qgip)!je0dJd`g~g(5r6Ylk$AMUUgEnj#trKRBQF>V^po-RcE{KkUSsZRmaDL zhy3%^oaD9i<9hxh?tM_6zl>LL?}PsND&t<%*74e5;S=)wT7IiDLe)$4>Po6!qE}_% z<MRB)rs~K1^J|PZeN>*W)PIZ!sIJzlE2$dRt5M-2^86~j+Dp}o^y(g}UdXGC$At&{ z^B3^%Tp~Om&!5kKbc(`<<@xh?)$x1bL-PE&yy_ehKIor+K7aJE@Bw*#rT$}ts?XD_ zE2&zcSKY$<<@s~;s*|cKcom(6>e+hrG2#9G`Euhs?~~`x;y;3^sD||FN~#9+>e<4- z$@2kTb^Mm9GOs#4!h7X;zg{gD?w99%yy|$8s$RYNPO3_J_07Wl{&|l<)W6E}BL5LY zq3YJFE2&zhS0{w`$n%0;-AGjzuR4B8Ri|EkM0mG<-od{U5#A-w-N}D+t`OcS&)uO{ zgH*j;uSSJ`k>_sHtG!gcRj=-$>MgwLctm)IJU69R-zL1>KR3xgdsujzJU79AMDtJ` z*Q+aqxB2I?#=ZY6&t>!<BLb>vy}DBPXa8Kvxc9B{+!6i9h=A&tUR_Dmq+XSUf0E}$ z^{QKVi##`?SDjQ%@G6E7s)zOJV^lrFt4^=*W_d2otB&_lb(mM3vha`c+>l<qK==oF zZcwkDPgO;))(UTu=LYm@4ORQ~>e<45^4vjQ#rQ)t#;eXl!W-qeoAv52RS)RZLE(-5 zxtlnvZlND<<UcyTLDd)N)%VlAH}HE83-`)%*Yh9IU8r8CS65PXzg~3<Z;<Eq=~X9H zujN(n5!JnV^)agU@hZmO>*cwqUJVMb_s{hjRJ=}}+oS&&5m4>Xt1E@q`R8^U_r6x1 z+ok^)5m4>ct1GFxQ?Fhiyhfhep;ynRs<GSF3a^&uu-j^zZw*zA?RJImDtXS>Zi7@c zwp&TKN1ijbTUmIeJg0BBj^7Bc@Xukp<@@-{<vC-wjR>e3yX{J<>bor%^)h)*-))^i zsv5iP3gM;loUz*mg_rv0u-o$Q%+vWl;JD8b{BYoqe3$>I@2%c@q<?e2zU*Vdw_GoD zz6w8;@GqCnU+j0l$iN(fj}K-wnJAdmfXoaF@oJT1bRfkE*BU<q_j(gX{zP40O^+CK z?oX$gHN=X^8_KWoJCLf6!4RV+OkOYL<^rSyP%~g$2@Ak{+-(|p%G$RS{2?cosMU$J zG<7<fuaq5a)YR$nis@!kTMIMY*>vQ|;K`qrymzOJ%LeG~grh9hstmG6fyeTz{RA0f zBghPnwl@nJ1M;+kfg7Y@u2{wnJe0$l9|~-T=0-+Ub9j`n|12h*4iSAeXUa3_L!wS6 z&eFP>bMmX0lWM)=Md=f8vuSE**l5>zFodhw>yGbc1Ct=(Bga`RKP|i@qGMc133UjL z2kYNKWjKc4Qv?$s6TN0_#n}`X5e_6wPXQn?Ldx$kgkYQsuZ7hO9zHdyy|Ftzv@5w2 
zxk9sJK*>Q#z807iWi7#&@D3eTKz6ljMhD{Rok+$=NDzidpkG*Zj26Ll$|PcSCzQ?M zTjFEk$dPb_&<yw<B4wtO$YqE&n!>w>YGW*MUoCzktv&tQbO<psQwoYiOs(;?8ut3C z8ivCOZ_L&sklng8tc`rfn3$NTNwV;(EV3$_vxrkVJetI7fmE%fD`};cJsJTkVM0Z! z%HhmNqKf!JF->9N90Jw{)@W)o0F}%iQq8JK_#-f5KpBh?G#18$wE$Aoq_d+nhrpAX z)JVK0d5|K7)-XU1U^6t54&s|@nWfZvdw((wM|QlX_(RkWgD|ElYnKdHG&Z_t#oOwp z{6&5Tk`=P0&Fs5PhAyyicNBAe1ff$Y04q;&xN!3*>C&wcsMBYe`O|^?g|Y*nk$Oi? zsF*g3J=@H%k%eutASh1`L~_d5u@re>o092FrVxN3V_^su`V0INx`}nU+4T(OcmP8T z<LI-wyf39;j8210YwPaFpYL}hwbm&n2}m2zYzOOL*>-7Nh=jEqr45n#jSY>bYm-&t ziFTdzws8gNI~#~<D+glv^G?u#a_TwaZPPtf=s-DrP5xZ?qrm<Pe-x)RZb4B?znvMn zzyfSq1q>9f?j7-rO~XrE4}eQvsy7L1JDf-uj(34GNqheJvV#ByjSe^=o6kr^nW?8U zwLqVMUb2N4nD}aNQ;oZFBB0bI@^5MGBqkOZiw?(7Sf-xp|6lD0tqOeK|DV2ZcsEH= z&ycv*eU<QY*N2?dB|Q9}cAq}#$=AsaK(`V2ZjCiG|H*;3?S|IrgXJ#i$YqRFLGUX6 zU5C6|hV67+z82FTh;ugm%~=vmW8Wkg5Nc{M%(-2coCLn8q&zdV*qH5IqkB_U5B}+% ze2q+kGyLxmzQQb4LN`M$F_AuawVGhI3^H%W8EvpC$b`;3y9lPt4}Wwz(<3aB5Dw5R z4uVLm&5k(ghcfgbgv`mpQ4HrkcB0eVa#X*50#3qzo8ZkQ<*mjUVhnJ{#1P9k%njrt z%-g;Zur5m=DeZ1GaXJD`>aKkp!e+zQlD2eF7sTl+^3}2fJ{CBV?5mhIM}xERvM@DG za}lo8<q#Gy?Ah_TSR(t3W9u_f<mhbRz9!ajGMry;sH)7-<_aCl>F_g@Ql2AXE~nP) zu9`cTzs&E5(>jAWVfH9j1A0MsO>Qh~VTXRMJ3a~Rkv7lFhZ!z)EwNjdCP^{sG~z5h zdi44EDv0yvGHGCob?z5><+dw>NU1u&1o!TazSi)%UCB|Xr=YfqlV9ruqRqi4Q0cem z?|A$9p}z2~>YB@58iNW+^<(B?ZU^H^V&L!9sWo?NejTI(4;{5I1kDkONt>KR;$R^7 zy9Ti3A)^iR1vBlTCv(19;@CU|r=*^)uEMj?F;9N2>^MRr^BCmR8%!F76Ldc_E#Uen zJmZbVLZ~cVAYl%5+}|#Zl@l=wPk6_%eVFws_a(HfQrNdI)s8HrbGXht6in_vhS&%> z*-qzRw=Nrd`pF{UmpE&dwxXM6y3uUbW~OK;FfrYjzr@f?nL|x#{wmP~0ycnUq|i^M z%xpR}!BGsMWGU)LMx~O{!fKi~YoGH6jtd;So$mX}-tPFe?`p?xVUz1!u4&hGE;;ys z`)k2@@8;kOf){wc<rxe-7I=5y_CR;w0{QW>3CI2Nzc^j~U-`qnI_ZT{r{hr^*l(7| zwa4o6v6BZ)TNo6M2Es|$rz(Y4ua&OC2dtis77>aa7leOzu9L{2-g;v}q;&eaaCh!T zU#<nW=5DumhG-^4a*QKcMKxWK`jw*4uiYQ%Ng^<vG7#B1wU+CTv>jM;Q|zQ2cwJic z;Np8Y^X@!#p$*bVKZ>0n(I>0~Y3_~iIr*%RajZW<P0CI$ZJ7l;JNXThvGwhC{AZvA zJ@%E_Q?IC!VEr%nDDtR~`~6lrKJJf3)jL0)^Lr5rydt;C(orWGJBE!l?cmBxBTESu 
zBh1-3^Bwoh$5``j@qVXpf?e{rdRv{eXF;c1rZMSj_Uz<QFN81VGO8o%3QOM?i9E=< z`ed*nr)R7|;hsjR8*H*VSo5&?>Z+rq3Scd!^asNGaxd^A6lKM<brELK1)zZG>M<$B z*t|keMiv^5bTH7;jFXxMcj+NMC~^e-#+2mxG2>uzU<$_zSnJ5cpG8uuX2E%`iT2dC z;(tBcd-yN#j0GM5p)@e1xA%4LtThF!&>lvl^f+`$8mIu4c4q!o^K<an1r$}`6P{N) zKKR_56txm{iFGs5jC-96<9Y}m!fuM)YYBg&(qVisX_+j=tchyC*61+2<kbP8#m3$m zOAi;smjFnBh5`%!g#bDf(<V7uDf}BK{p}K{eNH|)UFIboA3e8#$w;kBPzwN$pdD3s zx>n3O7AYTDM^z^4{>)=M-2l|nJi<u7<xw{C)Gb|8w5l3|wWG-hyR#Y|`Vkfo1ffb0 zd;@?J9*%r1bGfG&j))_#$Csz*F7ydRx8d&oX7#Na7zO%Q2o`Fb9twdn8DR+m5NRRH z5^(`2B7EuCFmvX9QQE=<Taix%D6y653?%6cB<bWJNy3}1kf2g5SVK=hp~yt8e`#Xp z66*q7C~t6GCc=5Lhu(Q2LW-7QfIaX+yJf!cD*y)Y54`?_?q?yR+52C$Q9@|aLKf`V zX~3KyH5p+(SzuE3;LDmNn0*Q!)V2d#v=n>lzN;jFQtY2P4kU#=|Au-A5atEX+XI-{ z6K}ap0?4P}i3JcJcI&;<9V}$bF>3@c^x-18Tj<G3&8l}MTMGqWJ4W{ZpyP**;Jtx6 z<yZM%?i=?Wl<xApTl{zTzm|0ieXdFT_?-SbdUpOw*#Y?rR(l{t%sHg&g<?D9=W|F# zra{hOs?Wf&Vd=^>jjOE#1EiWTbZi#IB+}V!@vFFhoK?)Rc?-|}rtUb^Dz&A-Q$gtN zK~hmHz@=yNSNI)>49UD!%=r<H3%;jguNoV2VY5#&w-uF6OQ%lXl)qed>|;|cU^R(F zF%(F9*40koq5xM${%RJJ(X2AnZ4Gp+WPzIq6wMF=NK6Ht5YL*VzJ=#ps)1iLVbLia zEE4u00*mpi8p}#ek4N{99E?+lS5Sh(Xg_e@afFb9mWe1zsT7qMaX`98jayv<3osn# z<TuM|7Ra2pV!G9&&u6CuBUq@-_<<SonTHNt;<9pT^w`@G5ssRuW(A0i_GS|b@crX4 z*qk>pP&l(Wo2OjsL4<ooTt;*^Asozk>+FW!5}UcS)ss@ywIQS`;)Nl^BAo^ctPy?r zjefFeG90uS`o1uP>%#tDV$+NsJYi#%=@CvK4>4<5H*(kITMR3U8C+toBstC6rV>et z91YW8Y25T#`3=mOuhDU<)xk|OA?-?r`M55gXiigHGy4J4#%VKQL7F#;#;LAr(3dT- z%a=Hs+3L!hX64Dse6!z?CHwqdtLN4U#}_t@0UOw}Ca*0PczB7tIR&PB*49Gf{j?+B z<R{}jo8#sjAX*?`cJwl&Do6~^33mXMdLrJSy{JFHV7}4sfa;qGP*!lKwzad}ZegBW z4mUe(G68dKJxv3ZT<b(QH{alQK#y4OKu&TqBvV`Y796zA+FH{b;0-@n-R%-*fw96b z$vjOd!<Yiv%AA|?^|E6JF=rY%TFpo@2#5<JecN#3WNbjscHHk%#_4CW{i^&@1EX7b zOy_^UQ*s0w<*R+)_c=ZP&*OJbmfb5n;;P5xznj15OY&W^V=s+0^0_mo{$WdvT|iiy z0S9FjTwb3^c-T`mJeD#MX_eAjsz<)H449)U^V?-Lzu5GM)h(GAMZTBpz!tVi@?gU- zvs`oPa1qSDkKp16l)!S_YKKUM-C$JK5ScdlJy>5alJeoS>7{gQnmWtUHMyPnZGH#v zF-&wYFP9c2wE5U`sx>OlWNm_@oV_0`bVQx@I->myNuodXY_@1A(`i3BsOwZ(`s!#X 
z-vRhAfJgAgxV>V!%XE@Ib<iWzgwu5^&(4fHE)r>pGiPZ>k^LH4YwMH>&LSNPA-gPH zlG~GSH!>$ym^#E>ZD$J7ZQ}E(nNb7Dk;yc2Zl(HbDIW+6CxFZjL$yfBMJ~_uZ>=&3 zrybI&)oQoHZ>mridF;Y`o9wuiPFly>ti!C;lu(C3A5F**D+bz<c+2**H6B+c7&HJ; znxVTJi%n7Dk+cTuphP5N@iCa2Rm(E=M<5CG7a^m{cIe=c--J%K2$lc{$^g<zQQ8Bv z4nNy3)-fcTp)Ba}G!QB*)-p@>8AEEqIKup^2|w{ZgpMW^P%WZ?Fu*s$NNYd_4PdfP z%Z^b+^nwh;aA1L*iJSo?!;;rPV@OrDsX#eNkwr*vNTKnOi6KdzL39J7gl?o<DN8<p zpMpcCsh3T@v^4MmJ4RME_||W=_pRqD+s^nT)0m#FtE@&RC(|;gr*F)+$`0g~z!3ro z%v(&8nzqm4*(Dav=*m9yYN>KfEOGTbHODk?tOp#kF!*RPf3>V?a*k%L3hBL=0f;&R z<QM^oI*X@@GVxkp6O3Gncug2GwVGpr*#%Tf0`l!JNKIIcgJR5cM6BsgDFkDSg(+Df z;<O;e&j{QQX^tX4R0d(eNFR(TiV!cmQ`Jarq(N`+D|2eZPjp92Td)><gK#*RI94ev zBm}NOs)}SPev4{ZU}!@6MSm^N5TPcupgZyCAR0p}g_e^9SG0&OOI6#Qf>nd}9hQu) zfn*B*7%RrnuKZQ(Sl;M3I$=GQ^T$kGZeBHX83gzJo%LyWshzqs0f=`Db*5$h()r)* zeXAq5HE@IfcfRc?p7}e&fioO9!+|p#IKzQ695};)GaM*22Xd?OyZnwzx&rvSFt?`- zz5tm6>0w35q=A4&VB2)KJ2nb*KKbE<+0S9v36)GV106*yH86~`ZhCWVtqBjfdmnk} zuzS^8k%|*>D>ErYfyxQ~I;mQmV`3TgGqu`x4jA7#U_4thGH~>=e78)7OdJZ%wH^w3 zmE*fan2vz@A>nVrLt=>s_oYew%man&F-YTUk@}}&`JFNu*nx>%X*J^X;c%SJAfl>C z8)$om!$?r`K*G2(7*COt7@e(gpr!M*`U;j27Dr{$k^zQ=wDE8%;VFl;yV*UYj>0_v z@x_J^{RH_t)wA_LJl&r_s$9~sC6aOGcLMDqGTWx07cA|WO6QaTXs|Fj*Pq|vM{0G| z9Aic?Sj;g5`BXg}O_Si%Xpv8i+Q(v_IYK^}mS!H^oWDj^n|ZV!Nv%yPwjy~(7q+uf zSMdJLXB}PQf?#y%2^$AYk91IaR7>yqu(!#cBaYBFLaTz`^Bf7hRequWPyY43%cYk{ zd!)6c-uljb{|pDtaNrCF&T!xi2mU5FkZbZn?yi`&26fP7Nwd^VqC(~AAZ81X*ac}R z1mO_5!o!=Gr>(Vh`@46BxdTAB12%Z%glNrV5IKoS@RclZ#fy&Cc!$85yN*~~$qS?2 zMU@Q8htM5Mz<@TQ45+W@&@#zWP|^4R4jbxSID2H%WLbla4#0R=##p@4G>mSUY>Hy? 
zA<F{8o#AYvgx4W=J!*8?Ks+aQn4x6xWXr?RWRSAD)4PCQz+)_pJiS?cUQIc&PN^BH zK^ptDY5bmIQEX!2&R*ndjCS-<4h^^{;r_Km42Ax~n?Ychk~!|~?b_D0t2&&-O{s}E zu4>eb!m%l}C{5Lj>hy3jn;2m4Ywy@~-Lo70PngY(`Y8M%V9Sek*hvIGWCLF7$-;gw zb+kj_9l35VxnEB=7c`f}4vX|952I_%fuaatqz=xVaimEJ$NKvzR1<nUIyEww9G$`# z0bX<vh!ZkFBL*aTnW9UPHJOkq{mh(PYc(#zXq=$eku5tu+Mi(gpU75?XL#^Od_s@F zt3q606UT_{>cMw1{WVqa{C#n*j74t9t+zC1ABYaOS_lZ6W6XeH3U$W5hJ*ho%H&L^ zI@qZIP*6xi8sU|ocNiT)qpS@wP&<`EetL};0Pl*U6Ba7CxzcP$W`hGi{M{Ljg$Jiw zyzrH&IGQ~klgPKyfKX_8>D4j#_s6+P;i0P~IMNiv6F5OP8n&CgAG<Z&Su3Uk7S3~I k)Iw)gHb?=sH+i5^VC`k~UKKuS7e;~8%wbY&R0yB?|IH6L82|tP delta 108016 zcmZr(2YeO9_MS7ld;7h6m!5?5PDt;KB!rew0)*Z>gx)(`ZULp21%_U1V4+B8f{GLs z5C!ZaD0cMed+76T!S+A9dz0J^4}b3Y?l)&=W@p<svvVfPUTL*#U#krvLINRV<i>~+ zNO*q4v#C&3YfHN=ru0HK(PPJLYj-!?THG9N4W(3^K?KJ(#H5?}tz(<mUGzA9sFj>^ z9Zs>Bj8GE%|C+Fh*P*Ad8h_@qYqPk)LOjAymV1Oo1dE4>ROeV{lj8ZZ5XxRG;DYVh znR&@sSve4miG}icbAij;gpapF`OF2=XHOeHVdlu`6BZbh`jwJxMEp!VBW@Arij`uv z<9Ejm$6Ci|N3#7d`*ZgB_H4V|_AlGBww1Q=wp?3l8(81BuCflchFX5Id|+8<DYGP) ze>NX6cQBhwFPZk6a*e+mPZ-A;;|;eBE<=QHL6|H!`P9$(Q~UzHjC-D2%sJ`vbU6GB zE1?1`<WsCcqkkPs<%K&sL5X~RM;mA-f4`$06w66FOQ1-ev~wa9%J1X0KrY+W3-V=o z*D%PFf7&$(a^+#Wvmr;`yn7vF%h7vsAxj>-rx-Hj?R(llhJ0yHGNj8t?HLSda*w@z zAys~2?+`jPMSi*GFi4g|dkulM^1@z~kR-p_s~xnF`QAMsQLgS?4hb^rT@3N^d%Y)w z1;-hP9owaP?C3c&$3~2vHf743sWqcV&aRm@wIWt_^r?gxd0?MHh?ckXnFvvv`gVXw zxntjqkd_h3o~ib-IkP8Bn_07P?3jp=qeqXOH7hq<9yllu!sJbZ28%(V1`=YAwWnui zC*%LMpA9MjdF=2ewHZVHrY)Nqlsw|?x>MOkkTZt22@d6zJ)6d7WaK4hXQ%h+R$b>M zZx}v%R4VZiv7h66hu1OO{)_#PJ<@jCHqBOHi?*JzZnY*`zO*c|WLRwG$IXLGKbqb! 
zjly%e!8qB-89p=2H>3)$2}^`#{Ih&}?sx7zZZa25|E62$3~GYCkVD=iK6yVMMmtYn zk9CAD?2Afh%KqvI{a_sH(+MWPSa!Y#G-FXu^TljKduRz`G@_t0^nuZAeP@V<Q7p0> z`n;}CBU$S%5CbDvSr_O6!{v?pnz21yFkzVD+gx^z;h7CDAsEV9R-nfaExXwj=rWjH zslXx!v5ZPI1KG|>bQr+CRDShm-Miwier#)3{MDEJ(-qH8-;qsOW;d*CbwlQDdkAJa zzPDO%br@g7j#fY`=*5<G$0{au$6|Uacmh<(`zAGKe|HBb^w3hHdthpJHopfJ)J>_^ z1n8<dl~kcqCF@y*2^DO66^y5yyU5E%bb-!l_2oMw`aq}pI>=o|TA-s+19{@eKF~qU zqp(U4X-v6-<p(33&|bEV>H=lj{u4&^g;F*nm}@D&H)<B%L=~gEKs%N;3!2GKjqU@* zb$L6WNZTWGOdlv@y;ku}<(*^tLjkL5#kZ6#V>fKQ%kk~Q$yY=i=s4ggwf}10VEfay z#n#rk+1k}oVcuvKOrM(O8s{5D!?%WI!X_b+e}$jNeaiLaQt4}S32h2j$yfLQ+RM2| z<+HGJd^&q25)AUYW1qvD);+EZ<Z1=q8P^Z*+^q3kAe-&0=9{thx4B|@`j{3pCQCie zKgLUVBikpe#2cAS*orrDN=+9?Q=R42HGS}IzFSiRDQxE~yzQ4xJdJns-I``{*GYZw zuHH8(7Vm21_pM2N@y<@0{3qVo_?unm2GuksL2cLYKD@z}Q9XO))G;Gxj&Ymg)n;T1 z5@|I1PggEgj++_<adO4fQxGe|w0~&l82RG#3cS(nGqysMn*Zq;)pTs6TsE(nJZNq; zM97EdZh~<9J+}6pC1&cfz%kN|oFMqXT_6q=3&mEB`;Lo_?T*=w-i|bfM6TF>pl<tR z$c6XF3H!75N%jJJkZr52k1d&eYyGeF7VThNZ5?3w!}6ZxsAapQw<Xbh+x(=tFP&`8 zH9asLHqAF>!#$JLc*Q6idl_38J~8Y!)EI(=Gr}@jX%@QjpW(xJBR`k#z)Rd`+%w!v zu8=-})-aIXqNlKax_><cw>_jO9~45{wd*r-{H*M(oaF4BELbeh_k_bDImMj;)8&!w zU>GAWc1OZUd5?R5FoHfoqVaJME<ae-1YEM+9RW+^U)=?Uf!cfOuXHXrEH^JFIU^$r zx;NuPLTLMuqbJRoJ}W&ZGdVXm2TJ8P)<!ie!OAq%RfrIIo5u?u%dNdRhVWc|B);|j zSx4KLv+~lC({j_vTk>je4!kK}@TS5w`6q7%ydlT>(j%`1^YJ0HeA?7;HRI>ZRG-&b zSb@CsOtLJNFAkydJYTqxe3!^~M7+xvP06?NE4~`MQrj%gf?M+N<@xZbynXp_m@NOk zya)UxzqBHbtv?NBb5=S&ax=2Y6Y{bZMesN#<ica}|E(y19&*|vWd>_DKNRbE;{?7+ z_C8`V94_PMg}|nb*`~~l+~n-E?4|O*9!Z1`<mQjIH@xb1euO5Nv$L|3GqN(t&+@uQ zyTY&Xtw)RSN^ZF_6kd`mS61PLxMO7wJSpE?*$sNjVXG1huXW;GSk&5+kROqOZJC~z zMV@QHr`qA6_fCYoZq)%uk#kmO;M=oib&ufqR(xy-l+7GHp=S2j(X;Ud=YI`_$~RZ% z!{@SfO`M@xt-L&<ceW`fGc7qgH#bq9y~blW6v1bQfINaVlbvgghN?8a8Y_~vl19s= zYfbQtT(PzUzLHn2ZEctugAESybDLVV%~sAqR>s_DK3}=U{?}_YBR4NOCo6~ClcjZG z_?$>v7nzV9iG`tm&#^OSO`AG(?Bob_&zji_vUBp1(=+oRODp62mR6?BoD6&;rcIEy zuS+zrwtQEt*QYN+xH&s5GdU|eo2-@ZuZxFTxz+k8*ew^X4+W1raD6!RlNYRC;fhkE 
zQaL$B#1F*7;!?3nY~i@=*y9-DaN1wCud~mv=i`I%Bim|QXX|g)>(;&2k=7Ec!E)9z z!xC@)&OFLoVEP-y(IQh<lVCiF@+ib`!QeIwG6V_xgs}q0f5TtqALFO-ZMl!REu0Hq zt{u6i^bS2nSJ6IBD#0Dtj*o<3Fp@9HF?^!NaH(#NEj<V6K-tlA5S0e%%io@pk*OSN zhpOseH&Li~yZ<WJUHKzi@`eo~VX6Gz4dr-e=5EZyJ9^T__IO7h-k1#w<u5nJ!vfj1 zsSV7Rb2nwfJbB8dbeJpe-4xemj*@S4dm7$wnYo$ORb@S!%~q%oJKlfE8F_iVJ687@ zH)nE(S@M52b%dF6w%ikD$SdUb_^7xdXTUW1PdPSXs<KbAJst0z^z^i{o)xL{#*T`Z zHFoCQ8dOEWQ{=MEA$Y3|-8>Q|$>%l~z(o1M=J`+~&)QN76XfGtVrj{Ec|qS&7$=|U zI{?PYP5V{iV`x~vDi|#v?$-lG$$$0hh>xW5{;4oRp4C4VWyJRWLtvQvOaDR`DrXEx zfFbhW0V`mz{P}<)7$k=etbl=X4Q>a>wF4`mzx?;WJiH8Y2Sw1LzVgRgilL7jv^5o~ z<%+Edc+1V)+5>vY=eL$aPg!8yQ43VFD7@?EvLfg%*RovbCjX1I#@D}TTPjq_dE0tH zg}iDTN)Y+|ZDr6|ZneD_I?4UE=i`fh!}dIU$zR!?0_E~=+f(t?p0FbU%H&=<;)|4v zFqn)aVpqow`&afHn-{e>XDKspGTk+q@p0eEFj)9Wcv=YOmvBFDSLg}&7vz$+$Z|3g zub5aG6<qi3=h<}BHnpAhbuil6*(@Zo*pB}~BV~4=jiuYPkz;D6j!#KRsWl(`!^p*o zv9j@K6?RkJcDP17QijzS_DB+L2S3srw}V!=a653t1l;yt(Hpn@Rutj3&x#n__F6%4 z+hh3%+*U4Ep5|SaN8q;eatm%d_~ziYy>B3HOMT_IE%9aHw%DiaTjXno+XA1GL#}r= zZnIt9(P%QfU2vP~RVtC}HQ~06rv|qPp3b<9@g(Cm%A*tz;hv7$5O+0hgWP$zZRL)@ zZF99pW>o5I%Eyg0nA*Q04$EL3f0Q|z*za4{i#d)m@n!1(tKj&{aaNpR8EliO^(eMO zjs>+_|MtQY78;BG1A3SeYuF5tYstR&mCqE`A(zh1O{Xo{g12diFb{tRGg}PbTKE`Y zJ4SB`cMP-x;^C(TZ4tVGfrdFUiB<mKdKhcB2_@|vx$LbLq4in>dN_Q<f&LBuqS>WL zT43%bt|OvYO>*%J=b-#?QLM!gnTrz+q3;m3?-Q)Wjz9R&uwD4Odn;4ZruI;~otF3S zn3I)Wr*&W_+y5?vDF>g!?%u{-h7T9g4BSp6;?+Fm%<FOX-vs<^7O&!#46U`@I4@T8 zU8{6(d#-7M+wxUP$2V`Ka@H~*QO;)D70OA7^i|=urB}IHTDYr~(<z826;mz#SNu{u zDZVSdhRyo8*gws}Q%cD_SVT8rI_YZWDNv}+6z1ZuLNygyz-Qb6B{f|0eg^&T;Lk7< z4?ufQCwG*3Qt@ZSr?>b({P~0gUx*uf@-5@Mp~%I$`zxh`_@m;{N&HbwS1#j@T8<mR z3K<somUJT93H&595rE#}Uq{VU!c*=x_cHesw}KmnUWMW<@i}}Y^c5o=A3N4Ky4e5Z zlIb79-}VdkW%dd?Z#!$7Ve3G)+c@hL>*Lm;)_BV|_+pqsKCz?-L(G4hFPS~&KIUY4 zIuTxi%}_(DX&UOdv!+?X4k5{uVf@;7!8pg5V)(;w*5D$_Rm0p8bin>j{~%~<$V=sW z;p?pQI7G4Q;b1bHOy;{I;XDozY%daUioGU58|?7>C_w^tc!HZilBEy-CowCBPvi?# z?bzBT5QP`@2JDq#-|hceLL{_jam^rtFH7h9vM!+z$}&Si!mdQeP)NhR!-wGz59`>` 
zCJ+wKvKvjXLwADRYXYGLA(k(}mwU;8AX8p?ZgO5)-cZ)IDHP$pHBBK0j<bDDp(lLE zeryU^X`dKUh(Mft(-4X;E&uC_xK$zI@4u?!73sNYs0%Y%u;k`g{#<s%3B@pj{osVr zFpc$+Ae9@1O_O$)i<EDeQ`nBzp^zU~!p~qMn`7U{*CPQ;Y*=&1fUnuc=Fkb2vk#j? zH^b;?z7T7>tba?C38*tNGe@wB7SI*;u`Mm2)M)4|xB(rK2Nswz^0H9or4M3ZEukHZ zXG2?Jc3-lVt+2P3!6vtYGH|fNtsozq>|QHK1&Or^LQfy_1wnVi?IgYe&&-)x2s3A9 zXQAxLAuq7MgP;WNvUb6cZMf5sUxFUJ*3djhUPfASUT!Y=NNdg?H!97UnVgfJwvgQo z#xi19a0ry*i5VOMZJ`5uGz2P)k8}~-99Fk=pF&f17P@Do$Fh*tc)gUe5v?J|&{|V( zZ*9#s<)xwa%*pP>K5C8KzPX{$)zGt?Uw{>Ou9(YVe}&@36T}Q*(8Ca{RqTgTkZ;OG z&6Jx>o?<)0AQR@Z>tT3VEnvTe!C+{``h-Jl)6*7i0x2dth<IM~zyz@z?y)8j5L<Q7 zvcl5IVlcmEUSaM;52C^~&<Up3Oe;*COa|j?#udgkhVKl|7$zFp2;T|2gdsv}{x-jh z9|8&F9@)XU_||y;CD41^Ic_;OVPjb{zPqWajNOffbXNK}-;#2%Op1hdlryqks^!?m zNNnN%vYU$ekV#Q!-e<iO^E%t8m<#NtVrtpO2xZSmCPhO#0~dmKN6Rg4t~vW88j8ZX zwyjOggVe`oS#`hae(5RrU;QJrg|c%t>$)Dylx)*}+-}XADLth8NM+N%qz1OAA7^GA zlCZMsPbn6zP}-E;j)k?@l68Ip+Y<+G2ondJs)n+=vFN=w9^xP;z~MnWtcD*nV)tqg zDcR#sJ-~^S_N@P5U`OUERa(t%M&L0%ub4D8HxWd<WK`U36m?L@(|-J-B=~Vo8^qse z{O?bLgW}by?r~B{=&v+r78|~oS||=Hs6P%J;w+SAXg?Mv0sb&*Kg8yog<VR5Qc4q4 z=2Ssje1766&qk$jwm+d9!bRm&Ww5;m!A8kh?Z<D)V8<aIHR1X!C1Hd1W8v4-#(XJI zYH8EXR28e77ht`<ris}7w^>s39Nz=`hU~=@XxB8e?v&N&UF_&me>!8?`BW%%(OblY z!%~I~c%MbnANl6ouQ=54hT)K5sG-CVY2bvfgx67Wtrn&Vy@ebhnE#8v%U|TH_^0@l z{A5@NL+MN0N8F2i2Hi)!bR4aKci=uvqIU6f@sjwI_^3Eh>?Wp&PRCD<cO54k+Z+qA zU(wDH;h^>}UG~@P2kooulkGk1Y4#?zpKb5snB5NBV%soVsVxeajkkVny=;BPy2d)y z+7nJ#Gpx-lzgRxBoU!b(EVYcVw710I-FDA>)%=`!oq4*sw>it)!t|Tzmgz;)9@8?@ zC{qVhoXKST&iIz`dE;i|JmX+vi7}en%Xy4OE@m88$+hJi^p<k`IR0#E9ujc<r=?`1 z<W#fC>Cl?JT8Iz3?df2{VYYik_&8aY3!(U8*pmaHh0ip;aq=5(9QyRbiS@#V9$>2q zF&`^Ch=#pdf`vGXu#nL#v<QbRMzR7lVHJ(D$PLK9J$nOvgyDuoq~*r4rb>02bk3=} z2%xY2pfXa@@v!Pr>HqzY)cT8r{>tvALrDK=A^ztAsLut=A|<abhnf1SDQWd()4v{0 z%&yy!{>e5fhxh|KjD~)1U<XUEDJ%86D9@nWx?P~UabiwNR$U^!&K4A7e&<+JF}^$o zvLX1Z@WsY^WTn*KALPl06YE=s>}5BU>|SO+6yxhLl9}6K2Q{3PwL|h48`cibnw>3H zOa#Lb{7{r9r_p47p>I(<fUJi0hS>j+n$8Xv;Cm>t1d<hn+MEqehiGekHBkulz?OmA 
zY_ekBW2+Q1j0I&tNa&=8PfdM`%wTI2m+23?)F0(!_E`orwbcJERDQR{QA>r6ORH<! zDGz5+f04{$d6^J8IIGctWu;^{v@}iqAF1_)(&Yb<TAx47VMnn59KwA|G5PF!#pE(e z7Tz!&vv8=oFbgcrA1)u8owd$^ATcW?tKoJ*k><&Qc_?5WU<SamR@qqlCJ)shqoMXd z|3_+l?a5dFBelNvSiKEc09N%d8unfR7W{EGIB*R7JB5#DCVYStw`r6|CRVw=1eo?e zQX5K`&PL^6>wJ`hWnIs~&ecqI3-d(n_!}DbtHS5!K<gyDH|tI)On4~E^pyHr6DG6i z%G2#QdrmPjyQ-L}r|#v#rvPuU%lQ!6{Ov|LD0gZOyNyYS^%;>5{)bcj^-0dN(gLhu zWC1j@)*mgo#TFwAH`orvv}dQ$432J;QCdo7z|kZ<l&U<q{R7<~{*To9DxzpkQy#r7 zv+>LfEyOcpV3U#Pw_F*I2*JT@9K!zDvDy)3KW(38H`sRDvaD}dM_FodSUSzL*m%Pj zWmq5_7iROXazAkqbSb<CQMjA#pS!o4vynu%mG!dlE!fWs;S7#z9a#j&1hA6COpPA# z7az=iSOn9}+3qkm!Gu^XA$AF@02e#71a87owrnZ94NKUM?{dLxstY#R+AVGv;$ZtL zgf>#c7>B$4BFtwB+y8IAmE2+eL0HKC-BJi*|16}f<;26&`5brB0w!&yLGqCWn^B{c zDXE7S(QtY3!dW;hc7I_l_C^#|ereGrm?QUG{65T9N)M7tm&kPdEJn-l`_D`^84Wwu z89$5NE5k2M(^*M-<fpNNikZr!a{MMVMg1Parj(<@WOk_>Qzo(G4rnGe4Bi~+fXb<c zo$UZ$o$Lv(fvabM=<dyj19YpIItf23_L<f*UUc`;GjXE3r=H0d-Bo&Ks_5>aXQqhm z?mDI_L3DT1GcGK?tDeH*EA<Q(U!iBP_%3=TPjq+IGtr{Elb)F@x;yHa9tked-9b-b zh065|R;az6!3ve>8LUvLp1}&0=ozd~J3TW=bh(RlRPzp^yGYNJi|#@_gUwi=XC{j7 zd_B`tbm!@rCZao6&q$)%m7}L>M0d8HnIO8e^vrnCovC9=yNd1%J%eqQu4lT4?le6! 
zPIRZbbW{l*eTtsJqfgc|m{D6jGgfpb>6mtyPa8dh`6TL@p`ts1cLiSg?Z$}ic%4)6 zXwe;~XM#j`tezPqx?^-q(MZu9t!MCbMClnk9g%#vE8xZ}!t)WKcN!tO!}ZK?(H*8^ z3WtgAP(6c3)>_XD5#1p=rT|Y_Ffy)&`@R6rS&-fdo4S>r87#V6>X>}YsD+-ve46VS z%%_>286>)!DvYcCv6F`xHPJccVMdak87R7)dS-y=7IjQ6=Ht*an2%l0^cUSWm2uTQ z^>X`(ZmZ5Ir?2R?=$Qo3ZPqh6qT8fr`iO3$j>)bT-3C2_SA(E2F8@O}8!rc5?}S$a zr)Tieqk5*d=ms5=RVBKKp2-pQH(6FMacRAWOL^jFR*6gM8I=eU7wd_h;vyZ9Q6(<a z6P4luJ<&s)uOresi1YMBxj0u}we;@d9KB07akh>~>nhID6Y=6qJy9vn&=VEnbRCh} zL7Y}cxYSo(Y8P>89itJQ#VI->rIR>WPc#)L>4_%dL_HyiHF_dQoS-K<imvfGCb@$+ zPEVAJWA#LPag3fQ6G!Wawx!}IJy9Z#)D!K*5q`p@z4Mcb#o;=aq#$vao+uKB>WDT8 z;t)MiAP&|O@!}vo5ho7R6ZtN2fS$<{`|F89v7e4eOc49(i2|{Yo`@H#^+cSgmpF;} zqF>?E-G7OBqF&)7=8AfOlaM9q^-V&isFybh8KPd@B;<&CZIh5K>ZMJ*D@)W%oA^vo zuWaHoM7^+yPZ#yNCO%En%bM5(Q7>v@<3+uuiH#FANmKv)i;WTWk|s7<)GM0URIx<Y ztT73qUeCnDi+VK^6DR7$OiYTX*D|h{7*VffVv<F@l!<OD>Xl4%yr>s4(Q%?)#zY5+ zdKD9$B<e*>RD!5#n1=UHRJ^FyFi~-$UcyAR5%mftDn?AzwMbO7sFyEMiK1S;L?(zj z@#2~m887O^OJtm=*DjH<qF%a0#)t{JawDTfy>5w&67{krJWSN9mhebX5iQ9L@Bgqc zQ7>A;B1FAr31c4*g)`ADT8jENev1~O{)OM-)ahZ+4Y&*VCB!%a+9w{i@4~Uj`Sx-4 zKKAxF9vNo0*&f*L;h5wl+cDcd+d3SVoM`KB>%eA?fcWSumXnqzEE{nca*}0$r6W!) 
z49CfZzni}?ziU2kK5X7;ew4j90!r+O#uhlo@V?=W;i};zODm(H!ggVWFpIS~&*vs} z;L^C(oQeKS@6v1ZG<||@po{4Q+J~0XwzL)H;Xd4k%Wxd_;nx6{<i(?)v|f>r-Q*L= zi^3(4TSG2MUX(6+?xN&H?V{%{NM2MgdhU+oMg0=Utyc0w1w(1WrAStjk0dXO7`@|d z$%`^3kXxnfj6z1wVP#Os=(&$2FKQV*cT4i3nyKepeWsC>N`@$C>PeNu%Almtb011x z6g7d|qsqQ0YxEpe26c^|yD525+32|sq~2Z>H-Y3MN`@$J^xXTB7X^-<dr$J9kO<^f z;J%)v?D^5q)P>qcpY)F8L3yL+-j+P5a00pIN){+`^xQ?sgE~jg-IP2ib@bc~$%AS~ z;p$#7IENN9oU3>Ak?WFYPGjyZ$%C>dFhfS(lsu?>^xQScgW^Zey&-u}{{(O@!pK$0 zgBmD+MDB{@K^dgyE=wL1LVE6X$%9%*&%GvjP!8$2S0xWBqCn289Pq?OXU0pg2~im7 z9WO{8)JA&lyyQW36v(Y5uSgygNP(Q2oO5~<jnr`Cjwkz_9z`XolqT`Ull4xIB9sE% zUUqsEsnkG?Q}$HEQXut`)1%0xKx&uMqv)kT>P4qVQA`cgShCjXLCxgSaXXwIMK%Sx zZFhPU;S@-nb$S%(6i7Yp^eEyfkUArJ^y+C$snes#rv|4n<OP@0qbR6A?zGd>w-I$p z@}P<eY}jSwq~t*%rRPpKJ&KlU$Za&);`AtLDv;Xj^eA#lrL^`RO;$NQilPd1JMQ!- znyP^sMQTNlUR8~XaC#J373g%#=~0AL10|5>ogPJ61yV<y9z|QZ0=Xkjk0P%Esl!f> zBCrCfLr#w(u>z^*oE}AF1yavCJ&Mc<q@Hnl6rmMJJ&o<JXstl*pwpv>tw8F4)1%0( zK<X){M-f~N)JWy(R3uj*wZiF9L{}j7q|>9wE<feM9^MG$T2z!*gWCwQ#_3U{S0J^= z=~2X2Acdz*kzaunUj2#y3#6WKdK3xPKn+()%vPv|_u6o!NJWPQx@~ZJ6eSi&;iaxf zu|VoEr$-TE4b(8DEfhHxNbPfa6hRh9?RC05iY9B|hAK5vR9PT}6;pIsAcbwA2(v(H zx6`9Yvp@>lLJ?<y)K1Y8D9`Y{I@jj(C<3j)Ylu<_MWO{#_-s%_S|Ekb21TX?Qrny! zMW+Q)%;`~-S|GL6>50^+y7$ju<wlLrxeX?GqlP!4Hi(`uq#A_b;1Z`Nw2_l6dRpt8 z2H~S8MCUY!Y;t;n_0PXSWTVp)q;ngnv_z{$6rPTjjVQcM6xG>qj02S?Ix03Dwa)25 z!4^ObATG=w1)Gk;{86vzsMSsn$~7H@mp-aB9ktTwL9wQz9(8(9ss&I}$Rkb<Dm6c) z4zctnc%PzD3vlaCmODKt)B>mp#OL&&PSa6drw3)4j`BD?DAIJ4+v!1#rlXdL9+YT- zLwpllq6ZaPz`32URP>-e3uKmv9#m%mOuxmV2c=mcvk0f==$VD02W45H&jK7>R+xtS zzu$b(y;ScsPjsU^3*2q4=tglC$jlMlD9r+y*`gbTSpd@)N9ItL1u{5}kD?5j`Yvu? 
z90x>A7U+Zn`6$Q&nS9ZWax9R+fqWEWflRdMMkyA^%o5!w!~&Q;SRs^Q3R8Fg^}!mU z2n%$=3ZVoGWUxXgzycYp5X!GW1}lW(E0CEfx>0%sFx6Q6L_gyn;;F{sQFaA7Veu%s z0vRkGC08JW#iQT~WUzQeZZ$j~s%MC9MQt@Oy|H*jYpIO({_l;&D_SeS35!>xRse&= zD@rSX!QvI66~JKeip~mP@N}Te3S_2>Zbf8iKI;9~3u~l^tcKlsVTBZp6~JJH6p0nU zV1@Jws~1*CQCI;!SRqAU1u$44MPB)tf%yLIHBEG*ysD#=uWSj*N6=6*l!%=jcO6^p z*X*NgS8Ohf0BB|zYyQLhyy=2zfXQJzgmE~7g&&0j{3-khnoqCOeE1KD<Nz7Eu`Gn^ z?2ceBtipK6aMtqxevWRr8YdKnvB|696a4hrbq!SF44ZZzaWU-78ki0tENLxFgkZLH zEu6-g5moEp63)Ck_bi9;RT21s7AK*dz)V{**L2LZ1-mjG-J7$l8TeVX8T-!+*n%G+ ze>{&9&$i8k?$CsNJrn&TB}!}}e&)p(svkgPD`z9=VDHRE($0F`hnB4G9AIE$Kg@wu zI41||hx6DDaOxDZ17KnO=Ru{-Y$e4_)%oP^!EFB;tlw+%U>1HyE|?D!4MzOhT2jU~ zda%OTTe)1eaI`ShSdKw1o!tgDbpaMBFesqS*_#WXH_ksuFBXE?l0W%2?D{+0)WSZ= zc}knN!bk{lmS}dIbM&?UU=Ou*x29MM&EriQjBjH&T8glY|A<fHE^|w{P&ygTLN74l z6zS{ODtYYoGgwNl8WYC~p2aV%II-?oIEu6P(6na5o&y;twyEtS9K!a=WYvdoj|?TO zi*0&~_A<F+-RXEB>FoS2+KTyh;-u^R!!QRY)*U$vPvLwv_Zze|OS!|hW+h{UsrK^Z ztUUKncM9%PHify<a3`EqdQnJ5Vl3O(8$T)U*u<r&&ZhF@%xrgoyDeMeftQ3Nbm`AF zDDCC^gzv~)KA3LE%5nE}w_%Y!c*l^44nyatnaVF*8^K<9gU+z#ctYF>_(i?1yIN`M zmTbZuehvG$mY>T0Sph~N9(QtSwa>fFw`0$J&P`!&Jpv{nt|8^!`ji_rIL?y4bv0&m z=257|si%&WPy^9yz7oY7#V)MGYa~*Om+P<!X1XkV5b;8+!2N;YfETHcJHV~Rsos}y zvh)VJA7Y_Bp1pozz8ETk<16}rYw5V+ION#qnBy4eD0W0T1pBx4H|@{cx7ZihhuX_9 zAl7XA!FI!T+_sI5=cn_};B@S@0`Ol7Ve}PvpE}{cG#Or?clc^P2geIw7p=4{!g+FK zwiuhy`knPnwr2x`81pP4IO+N`_R0oGNi!xGt%iRaZgNw(EUuT~I1D#1!$O?fS89kh z7=&+yYr+u>Yn&qt5DIa=_+tO`F-KHJ;FKBqFa10zB{75b*n($l+D33hev8+u-Xk+5 zr(t#m*M#lg1R<1jvX@mWvX9XY<m`=i3YeS4SszZUpCZDUA5N^FRf2bGm8=v;*<{rM z`*sVoj(DKo2j}-R%<!SV@j<K-D^<h=>)kSO8dLqO8Lp{5F#{9p%cVcFyE4w5`icFe zm>*g2W}LZqU%y9A;ItL`Z#Dyc*qd0rrj2J<WndHku?HV6;hVr3K3+eCMV-XgQ1WN; z`Rk#|ygvu4*aG$<E=6Ceau5xTm)tlpU|tZH$c}D-kZ>;HVW);1;@H~FN()D`XV8Xo z5sjS#=H_r=Y^8b{LRlh4hzw{ng)cX7q7&_<&qztEZ+zOVaUxEVs+;3ON3+tc*y=;r zP{j;q3(*vgYP<(FYW*H#9!_j1Yb?8|<THW&TQTFAm7(d&5)?Clo!*FN?b|3`Y@35K zMC+$Q(#!fRmBjkFi}WIMDSKaKyU?&(oA3qnIs-@HrH6N_pZZ5%eK@h<2+lL-Hq7xg 
zmaLd-tP)MwTaEV!n8QtPFyA(O9TcDXcpDr8N(Hul2cAfrXZ)OMTe2%Vu-*RD=Ybbb zLrcRi4<|O%*U2JwDjBwB#j1^AgLc9p*vL$~pmpde{Y8$qd&B8%$I8$Jwz6T0Il~qy z=25l{P2o;`k$6!w+`8n6hZF0Yh&;yrqvW%W*>*!n_cVR^87cV<*F&~G8zrsba=6=g z$GntWHfb;3ozr*YRHY$oF=n6N`C+g63v}$mY4xpE#%|#57)Sp-nv^k(J#!nTvQ<2k z#@6CKtmht7E75yU^i16Y=KR4AxiuW;poi1yk8>P5x(6%LgIz<D->b1_z%#vP<FxFC zD?N!t?8RIXSrM9ksSkVBpPuB0)9ULI)%bkigwpzZ_Y1ZYZ$X^8zf>{z*aoG*QS3Q1 z?2En7bWHti*RgRC0TTmzYcu@j5XX0pWf<lfXS;2iZGFkgTlQG`m{*(4rh&$%3_lq% zg{AxpC~K4Gr*r{Lg)7)w4I*<;Zsqds2oxaCJ%GocH>>&s#^Uk`C;mXm(3Ab6{HkJO z|HNNC*pWYBw7tUJ9VhBlYq5wd@-N7C1WeQ`cXwmY|Ao`tx+<nM%btr<U++_4im9w` za*n&qUCB!Rf%CjO-Ce=<x1&L9_CDB&(M-<$@G>s1aD6}23Y}2hbY$+QagyQg$6y<D zR43}Os>e|hcVJ&V4jw3H6P|$AabjiKlUTJfrP|He`X^CAma@;DM8RFcfTCbqf16Ka zx1U03+fGsK<1q%}^a0$XNYn5w4x)xHWam4fDBpDu&f%2!Ay1=9%0Kn`(||GYO5;|L zXNh<YmtJY__{H&rW3Z!{{k+|apV!*pvMYCOhix^sbnEZdYu1C-#nxi0)$)Voy5*Q< zt)&8^{y#QvH4ia|n!YeSgVXp!jQ=(sHBK>hHB!S8Lq|g^;cMXuVTRCIaA0)t34S?0 zluzaD+=tvsu7<1PQrqA+wQq2hhMjaMZH0RO8pe}UKofEY>(uyPDmMMt^)wxuo~@@@ zxPZkqG+YTb^y^14=&1`cKaUXtomu7c5P?&7Cq0kxW*ynq=P~T41N-=SjMOS;LC276 z&pI4Kmohe1F{Nz9F^n`TVF!=lN+0dmo5vssoAH}t7*kfnjJ41MTd-d(WMSj2u0_v$ zcBmFVcjlpz#pttK#vR8Xs~nbj9OIy~+1TS4B$LI~9EUvA?5`e&L<}bR&vD4WZc5Y% ztY;b<a{@h6+13*nF_pqDo<PrJ_U8%kLR+@%Bu>CgVpmRLL2cN-PC|RUNmEW?<rCQC zQ@BGs+kOfI$Ku%CQ_vY=S;A@DJ%)`ujq~ZF+0N4#=@rFpDZe6FvlsB#BiO(fu>TOw z4!nRz6vkeE0m`vMXFY>Q+nS}F!J9LLbw7jCc!Sv_#RRdHXRv~;*x56fSxffd3?yOy zE$%D^p)_ZeXR#8^*u1ll;H;QB5d-vb&6&0Xs;jfzP1%vNIRCy0`{pcU>l0Jm5^MV+ z=IUg_UW8D6Vz66et6#)=IM~4#vAyi<?H3^hyLcFkSd0(Nl9#X(W?`FN!s9lxk6wZ< zqREJ1+iuaGlY{YTIXD&m0+ewTZX=uhGIYhx=PNH`RG7eiei>VnXT|5Boy$T`lQQrT zj1llzds%}m-<dC2Ocu8#kKQwM=Rc>{`0<8JhsQC_(bbXeXocGUar;Pngn7AbldT_y zD2HIE^CQBShTlx*O_NPY#*d9-ghzzw7;_V1-4DOPOL!5t<`cN@`E}eSZl~crT-2hY z_=Gq}Ocd>o<~I#T94Cddj@^cp<Ty(EYP@k$aCwRdp5p2a_@KJRuDpil@+O1pP=Kq) z6kUgC!?aR<4o1@bxhae7c?*m%i#_!g46+R8hmvOM9m3@E5NF&mL~tje-~L@y7@(Jf z5rpaa?DuPMKq%yEFqY2o5~P@OaoLRAv~045rM(52HXw#*qQu7HKgO=&Wh=6MZ(_%) 
z1$+4_R%8+zaUCNi`!jYOLR)RXG1CxQf5vmM;d5~b4$7`whfKqw1il=LNh{_;92r?@ z$r-s>5YmpHfmK?zB?JHECZ}a(*O*g?Q!7y02H|QL&}n4NWQ@31Rx+BrAU!J`mk!9D z!lqq<Lc`PQnix#V<64<>G4>MIP{14K))5+uH%{3Fh!T<~3GU8p`bE6<E6?NA{yQ6U z0p{XF<&Q5w6>5{Di}+0Vg-yPQ55nKr`HL`FdVpo?YQgC1cxClq&e!mIpU<jZ!y9BC zd;fJvHO}@&GM*n;XiCq?!Nri$2e935;8f^BCSAb${wOnC#(>7*+5B)k)>l}fDK8^E zIWIG#J1f2nL587O{9tUD;&d+FoR+Dq^pS?|oo6p$RS&Q;=P}^*9J_NK<5pj0nRvv? zljAam;pMR4D_HRvZ15F)Wb9$PuRuqGJ%z8rybif(WK>>8R&s7;23T70(IK=`&E&BW zbEZ$msCkUF#MKXS$xkflDg?FuQC)CEO`m{k%1p+f`gCQzjO;YBo{hMQujKn|@l{;Z z;XiE25qw>pJ3@nDmprAaC^Cdk458hojgJ^pGi&tBv9s~)<Y6#pURFBUsV%E<`3yvx zGw@2tNK3<T!|H4Bq&d~XanPOqPMPTjgjQ@8SBcB;<uX|uB@PgKh#kZNF-?raE_XB0 zirwyC9X~j}aNNQbzg}~^=s4y$h)Y^*!5C(*V}WCuV=RWDRXZvjrH&l-7G{_DqP^Ds zjD5d-n|-}~g?)*AHm*%G%09^6+g^#&K?-m}NSwX3y@}n#4&Q~Au1&U8HjizgZ6?kM z8D$$}>usyFwYL@6GHh*ZQMO=P6Pv|Gtq-g}Vc-07>n-cs)~nVFxDwSdjAnbxy2H8& z*BSFz7g}dpCt62Y2U&YtE3NIV1sLJh#u{Y}wl=X^tkm)V*CG4P^10=f<!#GV%LR;k zJ7#&t@|b0Z%d*L`%HqK#%4S+7Vj$cAOHWG|OQ|K#l4eP;L|9r`ocIJH=HJZsF+A?B z`9t#!^JViZ=F{e*=7Z+F_-<WiUT$7&o@JhB9%&w6t}=Hr7h~{Tk~zv8WOka3xT44Z znZC!j?=90!(`C~+(@E1I(-WqhrcI`m7+B|;XPRmnYZ_vzHdUI+OnIhMjI#?hH8WXF z6xY?dZ~VsiiSa$-HSREmcb_&MHa=<Gg$wqqGA=XD#WlA^8wVPzj2(?d#ta;!2s1V} z+VI8x8xB@{g)6JQZMbZB*>J+}oZ&IUHp6;uJpG-UZdlIs;c_uxuaq0gg}AsTTnv}Y zo##$-S2>emv0)Yl)s8d_FjN^j8Hx>Ah9pCjA;{n~7=^!u{}a9!z7TE+H-*c>IpL&m z2(`mb9Qjx&EEDEoY~xrA#H|)8g)$*eNEJebW`b3q{O|mI)E1xc@A20#=J5>wJb#ei z%Wvh^@;=_Rh@Z*V@FV#Cd=I`OU&LqfZTLvO6)*D2pwN%pH{2cW9qusq1h<3RfYJ1e ziJ8YPS0(*YID<a~?PquTgYcRf*WWEucvS-#!X*uK7cQ#%bfe!37gVZif^c4?x)#u{ zgjY0(IiAx}qlK6K)W3w6RH`yTcu}P)(f=$V+&d%#-v=q|+`AyelyR4gg6h{jQ@Emm z4B@f{x(l!4n9z{g^X38IQmNhr<O>btle-$oBcEy@fqbcfc=EXh;>c$jh$f$?pw~3= zo(2lY#~R2dA8H_ve4v2@a$5uO<dz2F$VVoZvhqQ%X!5>F^_)tsYhVg_O9KVu9S!7@ z8yZL;?`j~Pysd#aa#ICWlZn>kRR!dl#^e+2=&SOGcJx&V<V`Ipp1fh=U08fo9J#7d z(d2a%^q53m)<6N#PFat9a$aNd$SWF1Alhl|5l=2^OdQcpW{+rc&VO#c6HcpXmC?cr zDpf(h6^{GSB;kbC{uSMYld4-qrf^D4>_YDeNBrn3;g}zNDLk*bbx9CvH4rTvRnt1t 
zZ-i(3=qurnAAKo2r@D1c5Dse~T6k7X>qNg6o<iiJv=jYYIOr!Q2?tcaPMN~fD%BCM zt|$EHOW|=p`a*b2b?cZQJgHJ0FpvFy^qH_vMdkFauv2v_?=I}pK$fsq1DV1e6}ZYX zgx#upd-|!c!;d}@w)@c?VVmk#I*uIGKv$w2dTAG;HAZPXIi@C+j3wIPmUJP9G^PVN zqJeUvH9)&D<e<v58%mx=-~!sN19?`X%E>b-C>~9;W+)y-p46Bi@{|gSMv^BqFoNvU zz;L1+Q&Cg$xW+UgTJsc1WWUN34kOy(77iu5HD(A=o5V#61{3WN3%U}mxeB_F?W$8j zJlUaw{6S>12D%cafi7f=2I9$9732*h8#OS1Y|ubgB5NR?Y*ImPf3j8s{m2>>xN^Ia z^%@mV)~O(;FIlaDKIBmi<dBsbNFb|JkX=n4(LitF(EtvcYoIAvp@Al3xdtTSGva*? zS-rH&J*$ei)s(Cp7g?qzW%gXG*{Y?Q4O*hwjH*SN?Xf_!l?zpy-hHlSyUo#ThxwW< zpQqZiuCp~;Ia9M0Gc+4NOSP$8rm5DI+Igx*beOK%lulDL+i`+sgK9L}bh2ifOwz10 zQN2Wy;lJGHDwEt{yk^VCX}0}X&6bT(ZQIh(nk^Zn*>)q1%JT=3ibtqKQqeHY1`Stj zo5KE@Ef}KN{DGRy8=%>Qp_+{!tl79hs!c5DtJ(bCn$7E_+1#F*P3WiD_&!GE`3s40 z)hdyY(@nG4T{W9krP<6Ln$760+W4$W&1P0;HlvGX(>rT6t&?hFQ%g0Q&{4DT9W)zP zuGyIOE)7JNsWv91NVCZWnoTItY<xS-#uaNerckxfZSysol&#tLJk7@CYBnfGwNY)- zHJg~C*@P_3#=9~#5SO9Zm^95sr>ZtGAz8EWZ8aO0q}kXunvF@+Y;=NVqvBN?9vQ3I zusGF*MMP^hJW8`+G3wRR+C^*lw=_um@z+%pLMQN7{Ae8ih9C9kulZ4D{!I;$clfI+ z3dS!>uldn9{&hd<%wJYf5FN)~@}sf5raXdZXZ}^>@cG}0j^Q=I(F(~6s$(m%ia)Q` zv}NmX&4z@jwnfX9nr+cSv(1~Uw{r7|<ctPti1sdPK7pLjnDOMe209Q;yfiN-FKSF! 
z0y(RprsM?;G$Gn6v$;f0u|1!_9G8ur5sKA%+30bh)Q@U~5_Jb#d!d~MnhNbT&_pOx zovic)A=i(N3k7~uE99$g*7ic42AT>*8fYREs!rJN7jpdQluO9+!`?!+ip=z+kl{xM zg-jKh=m{ZB&Bf#t(pAccwN3V;TA{5U9TO7$Xp+!I-ND#YNYy|SAw>gDAxU+@sfFOe z#iW!meR32k{pbi(_|akL;zx&|vmZSNo&4xo=;%k!KnFj18p{3XAhh?R1E4jSK%T;t zgOq0ibvQI@x3j~aLbZ#Ygf^6Mh9(BHfe60}|Hc(WZVT@SSB3M!Y5dywl(1XajO&Sb zgatUhF<uxZ^cA`Z<wAjwE+h!yLJPqz@caW*-e2RwIB)Zp`Iq_Q_%(DN>h3kXNBmX% zLHq(2rMe-$CcY>h6Ay}e#DI<<hUx_L1Y3(uM3duhjNkqar!TzkxaPRvIPEx$Ly<ci z8yqVfiybo^6CA@GeQ{W(%#rIzc0@aZ9ZrYA{-^yX`#t+7_IK@9?XTER;#$#<VaITt z-Dh8DpKc#-A7<}s?~0#ob8&&cXnT-dv<tRBY(Lsu-`MWh-oZH%=WHi!&)FWcZNsnu zA9fR`+s4_3U?;H)j`n0>7cs)t!e+xovmRJ~wBECRYJCrb$}d=7upYG@u<o|X)|FP5 zb&hp1b`1wutE?TZh1fAnv_@E4SZ%l{-UIrW<wweJsjWNwI2`%xifb$O;pfxmT$Xn% zS1ji&$1P9eD7I{Q)UpISh~q6oEWL1DqC)H(##(|cqJ_smg@2pBz;5B2<_qRixO&Qd z>=LdvFEh`<4&iWIv8%$|&YWpZFo&9(U}x}8Trv4;)5oS8rdLg8Oh>RIxZSkQ<i*8U zr{Lghe^WQ?1Ll~LOv58g%}o~LKgOSp-(m;w9ph!=OU7fy1K9c7h>IUBGEO&+H4ehA zUk78pF~t~dY-O}#$M09e_qYi2`?&JVE7<LO#<170*|5^E6#H}&@N0E%LuW&gA>9yX z2w`uJ;N$YRAkM*Y^f&qg{hWS)VH4-+Nuu5nOA3UaaLqfVyRald_%Bf}+@<s{;b-j2 zY{9<FMt@&sX@c-Tbz52>{H}p`;WrJ$3BPI}U--qJ!5_l^sc0bC04@D!J+$znb<o_8 z)<TdUt$|i58bH=UGe24bP0jc&r*r^W4Nd&yDv<nWB{==)Q4m#xGxEUhN6W#c)~erP z;54uZs0J1SXkY<o$KG!~`A1{sk-s%Cm;9vx*BtVvhGvsLRM2-8`L6~Fh}IT;^T{t7 zlSlqf0|`WHufFj_Yo@+&L~EwL(d1{<r_W6Cy#@-%j~d7)|JFbr`9T8-F7lIx;>mpt z#F77~pn3-RN&^MtI}PNMZ#0lczSckj`IiRb$+sGaBlqeS%G(dOHTX1*=PUgXzec=M z2L*T+=WZx#@I4J2yyu6wz}^RSa6i1S!GpLO+>JWugtzLT0N4ExcYC`I?uVNiJb+6_ zU8{pecvFK<;ldJcXwdZ(F8Fj+!%xz1zQ7N0)t@VM&<d9|_yn%!@md`;!|NJ+9L(@) z9W=ou4L*irxEJf70WN58KL~KH4)XA_rLTJU`?2!p{WRGRuV`=|Hd_}z#P&H`2PvHK zL)`79I=CNR)ZkunkM;N(l3e>?ug2^lU&78h_yz3H;BN96Y^#HJfz`oJVQU@y1h!~! 
z7ahzWs)K|0=jz}<{#gy~gb|#-&9~DEeg(29Q^<ByC#y7%?WlYn)!;T{eRZ%SkMmcR zYhW8~&oA{u^j)Sw3}b=Wb?_R@s)KL9%sO}#X4JteFue|5cEPkd{5njngRjAqI`}F~ z*5DQh=KE<-#^dl`CF}4j%C{PeQ6w;4gKNkg*jNWI!R9)65#%~}0X8Ynh0CCk+ptcf zF+dB}*TGA$L4&Kv$FRB%-U5G9VUQNAtz$338V#<*9Q+Nql6(k{)UlUfr3N1*9{|Q| zDQ)>Exd|?R6JwMWDCa|^FT!#SK0@9H3|3dzN635NZ*2^q0{`h)LEZ)b=~zMDfhC&n z3i38Au7j7rfBP=S;udJ^a&iOatI&mO!Crzzb@WA8s6h;1g1L3@EtpdWFTp$wVh|8a zs)H9{Vja8yHFfYjOwb_4^1wI^V)P00se>m_{iu&>7k*#+mmfvIcYY+n_bOUK{}g`k zqdx@g>9{0c(4K%x;sx!&xg<`wuR1Np#Wuh7qX)u0^@+E*sh~Y)7dH{Khv8yLP|CsU ze-Zs%_(t_#M1K>s$LXRj!q+Obkp3!s?nj>r+JN1{F2WZowSfL2-1VdX6F&8$PleA^ zG@t$~e54_0E8J4+F~6_yi3SpcI|^{o`SHSSjfxXKR^8{({|fK<(NDrVYT~>Rf;Koe zudVQ*#>5NS0N}hh;eC~vYl8%Jw^=Zq&eagPK<BAwCQPHVHAGg?IVzd~Q(bhrAEwh8 z8X{ZhEI-;zXR2sAOrcZ!XfiG<uc+qf=r_%eHq)spng)~TL_eBHC-_kf9q&gI=r|3L z9dwdfXV<h+TBC9}y&fDYnoOthA7}`BOCPFe5}nGw??+R3t#u~S$^1JiHxd2bRZ$I{ z#NYIziTn)>!N2&oRfH4q!Rkj|upq+oKY@5~y>{i0CJ;B6{Ad{%)e25<fk6XHLD0Yw z;8myb<YgG`NBd!{AFYQmDjG*#f{}joA`JJV{V>XpcEJclSpHaY76z;2SaJpi`qASs z$d7iwP(RuZL;Pqh3{%k<8pUfJ42%ea{u)P4Lq9({1%1^zk12%#Dm9uMhblkX0=>;R zOhM^rvKe~$$yLx(MHsRLJ^bhxbW?K~6#?B<Y9x6Qw0<MTE<uT(TLJA<G=e+<xqh?< zw9erOvJ3M3+*&B|qcz~tx`iXiD#%yK;pB19`hCO6W1#f~hogkldWsl+1UY`cHIS{M zVYG<XF5+Rdkk>9m3?qVcEtTwpG(Xx4sVW*u_JG!D9O@#wLF*6>#TvHpC+~zrKU#}l zYLzA$O4dNKiiXfkUOVeU;73lo>4%UV5T~V*?GWon+aSh|7=D>kav4JKuR{3IT8Kx4 z=N|)jAW|hUZU-X#NQO{9+5q8d>klr$MPij)Faifc{AeQttBHe3p|v*i{Aq&ACwCV) z$8JY1&Vzo$UTk~UHr0CEYPJl<PE0B;t-8?E!g$s2wD3Tvbnt7ryWAn1_mK*N$<z3u zV?6IpaZhLe;Cx+nEtqb@<*4pY6hhdt5d1Pem9^VWgW3CgxdhhD&QD=!ttl_$xZAs@ zupe8~OV-I2T!KrTuG5_L61XT+bdS_BccOcewo29-feV*!JUxZ252Hq5B2K*-tgYAe zs=%eNPs8YJT*XRTrYoFo;@wH^3Cc9{!!Z8TKlkxfkAFEP{3o1KFqZWiiF4JL{)DRr zk73spYBY=7hE&Rbp`T$CX56)_HqH5?kNI-8?myg=Ce`K1_&0FeBXLGijekbbvt5MJ zz!^nt+#}fj_qZSy@qe&c7>?Owvzs|MH@kK>lFPQ!siv~zj7)cqdl(z>3(ou*s!aw; z`4uZNM61E3U!gBf7`XQ<PM#U0C3pS}lLxYGzu|()J^sK?`oAhfe=Tw7?}+=c!@r|{ zUo8vk1I(fi8~Fe_8<n$q1{QBI(r37#=1O*a1Xt+#*>Klz&2ZZAgkb}I$D3g2gY%Qy 
z8d@26;XaNXT*k%K_6ci*`N9~Xr%;5W1kD7(f6sr&U*eDA(z%cFv+*-rH$IP#;ho%{ z+&%7H?iKDiZX4(0rgKBME;#o&g0o?7@k@GxzKDzRZl=rVWIBL$plP%<HM!ttxQp|H zPQw$h0TxR>i~tRcC;b?PNInb!4diaYV9AFupgImCiG3Ias^egg<m=j)8z}iO4z$is ziG4(&6(spE610v~IVHm`jW}o}`7jhz=Lh{IAI5^}xdD=|qn`UvDFdTH1N}ZEmt2w$ z<3V+#Qb_y892SBBp?bfTk`E(7^;|#6SEA=WPzuJF&_KTrl!L>dP~DmWA1DQ5Sg6hs z`ba(u3)OLCrR2l7P#p(-B_9Tc26FE!1!H8Wj#CQ8(9n9$fX)9t&Pj4}w5bcr!hq2F zG&QMO@@46{7ofM~!-&v8zxSZ4<in6qJ=aU}VN9r=>nZs#C^V3JSE(mPg`$FQSlQuS zrJ@)Xs&~W&!nja9S0(u{FjUX=kbFsc?i6&Fd>9%U=yw*nNj{7Xt>e^d@vL$r2@Rxj zEuJO&Bp-%{);X#iR7yUK4-MolL51XtZOnC%d>A1b=ywr1OFj${4dmV-`<W!rrp0X~ zAI631lAx31!?@5u?mTpqeBpZTCT1}bvv75gd>9TI=zbH*B_GCv>bdrk4<kYYxwoNA z@?l7*o-37n7!n%DU55<GhcTggu0---P^j)aUWay)52rW<I=-ds+`KVYEcu!>=87aA z28QbQEtGs185+pFspN;Dp>>>k9^Zr<$%nzAb)<66-h_0?htZ*Wu0Zl(cxWJZP00}B zL-ic)i}9g)E?@Fl_1qhffzK2S5e;;F1M-|cj1i>`F=*tCfs)VE*ezGW&w#pJuPSxH zDAB;|t}4eSH0H7;9|nq|Uwu3!xe8g54`W3GcfJ9cl8@@SD@q|4FB<4~MQJRI7}axW zlGml@UWQc3i$S9eey(XKr&A;^#*H?R3YRQ-F>*AJJ4W_PUW^^panM%sV)Uq<OOm`8 zKN`qAuk4Evq&g1TU<EOTG>|;1IL>XvL89cHqvwt&ezO~KkRW+6mNYQGBM>inF`6`x zI}CA>7vo74t}dRG9EMoQixH)Pj)#;&Fs4+;L5$?Zs8T%_EqO7nG?04^qMTkOvb5nr z=>o~=ousF*5AO6T!KHz25t0{!O9OMm0T;<TLC?JeVUiaEOauL1RBDVNraBHnCGS{0 zcLG{VUJNtU-Tx;bMDk*!Y2eN$AXxH_(sRf0CE&$i(?GxD_zv)5xT%iAm!x-iW3Hv- z#gNlFKlT1U4lN`vMxEA?%KeXjOhocx+^L?!qr<>c9S6-NFNU7#IYIJb@Ts0_CV4UZ zG>|)q@oAD5BTxg$r<H>HHRiD3zKuBGByXR_92Q*Nm}??=d+WJ_N*TQrt|6YA98}I- z&qj_QN!~^>?;v0yjbz?Ia7x}rGVcHwC2u2{hl9S7H&Es&>lERbujCETc}nx+*stVm zB=epGo8)aI^PU8&<ZUGLo&dAtZ6xz>d|2`}l6g2fEV;ambl&4&lDv&%9u62w-bOO- zF)&EpMluh_iY0F&nYUkQ)kZQ8hngj?Ci5Dezx#ogysFM?P&WIN3>(S3eM*LnWZpjI zT4*Hm_5qc=jbvUefaKN5JbeDv0+GCdIuDz_mi!}mbM)6jE%{sWW;f>klDv&HUoH7l z@;1_Zwd4=U+eq`(k_Y(wZ6x|?$?uZ4k?5->ze!$2^ff%Au!6rz-bR|Qmi!`l8)?2; z@_&-Ik>;x<KTBS}=Bt1H){_59-bSLYmi#1n14N&4Vb+o#C2u3mS4-|o-bR|Qmi$NZ zHqv~x<lmB4ulZb<;SZ9xk?5->-%H*`qOX?xOY%lFZiVk8ZzBa*OTLx7jT9h$caXe| z6yRRvItpW>MOx{?uMm>Ak(Ap*zL30)q};RQbIIFC%Hg*P$*V}YfU~ok+?BkIl-zFe 
zsnV$pCLV%+QEP?$Eqj=4l=T?S-0c)&-eUR+|77qo{IVG;Ov4$Zl-tAgq4#N5_!4$N zCi#|laFC)CH^yVpg2I;+&|VmbaJ>NkkcLU4QVNkWvSo!x88qtCLfYFVU>v%n#i7s9 z;?VmQQ5S|JsDlaL7SW!-v4UdU3;*DbGQPlyF(Y8^RyY@X(H+``9ZkdFqVn#^`R;TN zQ9_DpsoSNE7)&dn8+muOd#Mti9>l(N(mm9@L|Z!i)F&9<_p(H1QTJjkRH$1Mx{JCO zDN*4;Y~rUhoPE+xn8NNi!>H;k_GU{O${zcaMrwmB3M*u~lids0jL&f#;`XOBN(l^C z{Y^MY9s`+z@b7WOD&gE(CPKP9%RNsSt-)aX=5!A(NUp3u&X%^ITZK6|t}##>cS&uD zvDdTN&6e~CMl;}np2B6x@mDZwvxke&ioY8~O~MS^XO=b=GHwr-r&SkIcvqUmG@NvS zNP>SjbR##P8^LwvQn=>yPx=LY0~;uh?!f4b3&yAMd-ek32pVqejNh@F8~(zH%WvXj z<>7dyzrw$4HA0a1>--~pv3OLRA*SFIgfpf%hYu$jG@-rh@7UMad)fYgNZUo5%lI>Q z(bm!WH+*S*Dc<U{cC(sI-&jt=0sMBKZvGWVWoymj%rW@)Ooo#W$$o-n8D2Gu**}rE zj6iif{<RhS6FzT8(e{)R*ay+Hka9d56iW+&zY6?=X!+^&YvR){*?;0OEb4Ri$}G$y zG=XLY9}o1+&Cjokwj&?2s8rgH4Nst!ZsT-Lx%Gb`f?UugWY-5il6Q3pS@qdsq}=XQ ztimRCGL@!f)&#oYAH%FG9iGuA)JILi7pz4bU0@kjVTv8C{?Qh8t_N4bb|m2yU!b+k z?@6>RhDgP=r9CjJX--?}gSG5ITe<)Pk!B~;JXpgHC1bqTCH8qT?Hv4fU{U!Q4MkP3 z@)Rm#_{;|>7$nBA4RL5Xvv(3{zVa749>ufaV?~j)2y?=dQiidJWl?k^YY~m>V6<XA zqw$9C%68$IG50jZ&d_RGG6OnMvV|>cgJ)o23>}M6F?VCIQl%^?mX?`2nPP`(o?=(7 zh~0{%MeITxU4)@u%i?KY*nVna0?h!7+S;9nk%G21Sk`{lNil<!Ox>1@DpTw<EsOnY zp<_?7LwQm~lW9cUE>=0dcI<Lw+i&8aYP4;Pjo_eaH_K^D5(WlTn3fqA;*uWy4NZk- zgjW0!z6<v^w}tD9BdfbH|My@j#F1$jVHC-`Gd;=d`U)Ihz5fV4d<K2W<KOL?h(n)k z+4_mJGX|VJKLro)`-%AQX`?-ef^snO>aQ>^i*1;MfBQ30V^2)NCsqP8OvdvUuTi5X zBNfMvD^#pDm?%xbLyuwOryv!rWIYaJ($uliq^Y!@EwbUESfxD_k8~Bx?8sC)8l%-z zzqo0%+Fs@f$AQyw|G?>^(`a(wz-gf;j7@)@4`u())^*28O}zcgOtO8m3B4U~^rOh# z!EtmrdX?Tpn)KewNm=)9?{+}};e-JT#RiB7sBjik6zRnVA}Up|*Pj&>eZRBW97#Se z|M1Ln&rFgh$?TJ-eK)4lEhuP9Y@fX|a0OM0H)l|VxGG}<X_D~CR^Sgm0x&VtC!5)# zLtZ5;-8s2*ZWDT!b?J(EKzf-71VXhbEx@xOkgWO6rgT24;Zn2cTDVhR&Y}}h4OgWZ zo|-bou@^VPu}h0{s>C0@DK}1dorSkrP9Kw3%8=QV4Q1*4r)+3OGg!TvgB3D<GZF~j zKQ^ajQ3@xwfK1R($CwsSXn+?B7RuaP(s2nV?Rj#LyW7*Y;fks+cq{mA@Ka<$y#~PM z$AS+AmjJQp-eB)w8)QELmMU-?tt&1DP6yry>;gW<%D~dV^uUNf??9VCqd-a^=)dj% z!G8(Bv2Xczqjk(`q&Cg;k3w2gJAY$;HGjx2`F`<T^?l%b+qc)Z6)jaG0G1ttjHMi3 
zM%b6?(|yGIi}$Mc1N2qhi$tY0-iUWLs#f}WbG#YeR3s=d&u^aVp0l2JJuf3Q=@C!V zGatn%gFKx*S)SS`N@4E*xv!yf%G&^e+6vJ3W$vl&p(sDebXRi+TsK``x;{eY(F?A} zTyfWY*L|oVY3)jLl>`1&_!s4pauTU)&niVI7MX!UkseC6QVZMrzw&o*LLZi2L{Z2? zaxN0F2FUH@Msg+D&3*&&^ci-5?O^L!KHShFP`8rJYO~TzqCe8l>2bOronF__WppYW z(Vb}~twsanCixQZSqJfwCjV&>ej<me;Z@Qx4Gnx!sK9rgH)isTxzZ}>sD=(ccGeLM z9enJp!&+p3jkQmDR|A@cRcfDfNCTXPo%N0u>6>JQjYIB}-qwJqVHZ270aC-xdP@VQ zhMo1M22c$<Yo`F!NTH<UiuNg5q=!T34K31LP6=DCd!KYb;A)`BK>zX6#>^W(4rt>K z2wV*d=Q(M=7U^PJYQOZl0M@VwZABYL;A&VnTcnpX;A&V;^CjsuEz%+E;JvB=TEi~( ziUw>AJF8fWv~#d<T5TPyeHzd;>=R!W@EVr$+7y;{YQWd9O6`<h)BvzyXYJL1uwiHI z(EzbwXYJO2v0-PuphcQFSi7`HmdOeyp17UT^BQ0_tTUgGp3{J{VQ1~o0JLFeZP$Rb zVP|dA0JULfJ*!0;J6O+Xz}m3g|0krUHK1+SXFjDx8ah}{YQWpDOKsI6^&PA&S|rWE z+N?$DIauLM0&~N1M+zk_FgGlmsNmGbygSb`FRuY}!+Hu_dRznOhMo18K;5v-o2~(M z!zvW!(xVz+H>^A^ZPb9fVP|a+z#Epc%17Tq0B=}@R!ZwNAaB@N>oh=b*jbNgkxC}Z zxc@7qA`RdhcCob@&^PR?H5%YI?5u}1;BVMjtF=g32Wyo;;IL|9<qQo794YXom247u zXwL}<4(nQZ(t{c>IP9zyT10cOmTQragB8~zs)H5NB0&eMFsuQI!@hoj1|$wUE2<&8 z$<E3TMZDJgktan|)U;FvjIXhIjguY-M%-YKBxCH1Ab>dTjPFy_h=Toxlss2TI2e&F z5=u%i!Ytzv3sfL*SSBo3rUHP&%2=vKBpYLiYCFV&#p*Ka-@^;;SC?8D3v$&Zw(%l$ zv2DCCc)#V8hR;xQt$&^|UtMGy&r=uL#&gvL)^T{o9Cf~xF=Mtm&o-W=&b5ta2Ip9g zKP)9U+cF$FJvhrU95P9rX`MW2nmWTao*GuC+Za>SX}0lXb*gndc%nMRHlCnPwvETD zlWgO0>O|XktUAFq4&SGaw=u@3<80&6>R8)&lzN|SJW?HF8;?*&+s5~*qio~h>PYK2 zJop}Ugq1OPn0l{mJX9TS8xK+Mv5wgwb(n2DP#tO;4^W5L#{E@TJ0;J2crNRw!qzEa z%w>I57&?}59~D-PWqfzAzvUKZlneH=4s%qPHg}|RdaE#NEaP4(Y??dca86GZ7R?<- zP7f94jAh(ig)L(lcT-`>SjJsdm@$@d7qy#h+*$2v8+TG+zLdy^=jL=&J6jlYb2<cJ zx|Hl1Ipu;KEyMJ3Y6q)ynf5B|m6GM=mT9NLSh0-Ts_ks!HY&`NJAV(CX|2LYxx*;a zN^NZ$w^U)CSpMEZg>7OPH&<bpSjO2ZtP;z(nF^D{GR{(AkCcqVbIUYUVU3h9=9X!q z!V<BJGgX)&mT`s(8^khBS7Cry#*I~2AC~c5DohW{xRDCG!yJca%q`PUh0$R$Fm4cR zXwi6?aw@EiJAW=+Uxle*8K(u)EaG*`sjxBb{JB&;wXSVkHwf#Z<o1SB>!`3T?#S!4 zRah35aV-^Qg=Jh*g-u}@*HB?mSjMTr>X!AZRu5LQ4pY>sR%xwqH5Eq0o#|TDU=@pe zC?#0gIxNp8+)YQ4a>a-5rtL`h2-zluehOU<oeI4QMBpMcZJ3VECEY?<p_(C0{ZIW~ 
zy?_=CFR5G9l|Tocs18Ii&RuGX>c@xYS17?b6nrtb86LC6!O6iP!Op=Z!PH<V@K4~I z1T@Fqz~;b1fn3zr3;<|wqd=8_&;O_YIvOq<^zTBWg>cM2&p*b0H%e&g`OBiG!cV@> zQ6p3Adj|C}5#LPT2wzXMO{ncF<^9k5z4rpJyI=M`iI2=>-l=Ge&;?BqQoX9@Z_n4B zb7*(E+w(XYAT02V_4M<!Ma4@6kAjcOE5H{%0H@%3cRos7M!0*pv)#4ay6a!pcVX8j zuEVaE(8^#nvYRHm2D>`C(p@PoAF88npfc(ps-iY2E0rb6G-a65MQNhcP(t!Q@;CCw z=sK_$AD64-rScRs8t5b=svrm0Ei@N6%MP(UfH7Xh7PCog5bMAi14hJ4|A3$JefkD{ zj&7udaM6yYrTfs<G>w*{3`imu$w~A`-G)YwVJ#o`^v;JBx`vEY^Ko0LX^N0e<wE(m zu_a$xWGES-!JlrO)sft*!JTer4cFjJx3lii;7qr&!X3#l4bF5cuOk_%<=d=6v`ZPH z0^Y=OR)Z&Lz&5c?>p=!<fHtwS25CSxv9kuM`C7?J==e+ePS*fyVioF6250~^v9tPX zz%;S5`e}ePv9tPWKs2$l`e;awx3lin^1TUGIQb!uJh|Q)YNG98y|jF{jn#ql)bd>p zRu2tWCf11^NOuiTCU#ag6-Xu)1$HQ>0>vb3;dD*WfMH^tl|#C!fH1Mh<P6q;Ut*PM zPr7J%uoErMP<zrjl(!VqO#7C!mjK29ThSuaj&us;Ef#B)*tDcwj+S@7L#m?&6chWz z4jMpA>?}-#?Py!Ry$S@AJ2tjY;%eS}3&RVCL0)*C^)%ZG)?6#6we)}n;1bKq(s!h- zmN(nMYNO@Na<E!!c`zvNoRah{X{7<P#KsDfmTKN~i-x6d%V_{Cu?l@dT4=y4v9p?M zd9W@mtA9hXgL#v&lGpTze52+~vRv;}DNoItXkknNBMgj^J36W&J*MW3w=gP6=u!_O z^UiV5k*G;1Z>&{EnS_P_PGY&;8H5UK66>_PNT$Fhv9mIOcmR{rvU($uF2G4FETk|u z7T_dy)?EUd#Lj9Yut}_}M@d70O=4#?5ZEMlSmC)ybFQxfoaD|!E^SB&0h`2fJ!#@8 zfGK+CM3MBICXh+2taWHu24oUDtF8uM5<9Doz$HntjBo07q_zMiv5GxHY6)NxJFBL^ zC9$(=2wW07D^&w7iJetl0F&5R)dVn!&8PARsVb03>|#(wcZ({dN2K>dc{az}BjWa3 z9dBrh_?SQ?u`cu&sUlEG?5xVzOFG$jMWm8|C9#SXk%|J9#LlV^0xHR!8zdEp8w6w4 za)Z{A@&c5^&ceF|lhz^?UQ5afR1zz1Eh!^VN$jlB0+htgDkVTk>?~b?lGs_A041@r zLIRY;U?qL3Yl$jQN$g_5P+pexBG(GlH??uZdj^ZwazSed06bvy+E{)8Nn&UD)Vy>o z6)yRici~Pqwk%GV6bS*3<c^lX0eT1QU(4DL6R&_Hv9mk^j>OJ#3pf%x%O&7Q!gijb z<-sDhtuG5a5<829@@!tWhlOHlTh0`<6?i6VSvW)zS5wo%k^U32!ZmCxF)h`~`BzMX zkzDdqCf$}I0*J(VM*ky30}zRwB?%-F8%z36%d6sGh5r>;BzCde0*l1T`bGLjK#|y4 ze+wuQE9+<JmVhF$vu+9~5<BZJ0Yzf6kfAeI`dRu@V3C+SgY}1iBC)f64*`nAqKe;y za&#-_SD_ruHti?rHvvRqUFj$3*ARe6#7g0$_x?w?!~jHM*@S<@vtTo>q}9^@1PY0D zrPb0e0)@oR`dOfm*jYab6cRh@M}b0O+y7QeKL{8S%LRTVeXRk7#5(b7>3ab~VzFAJ zukna7htPK#a7gU)zSRIkVrP953ImEHg_Jlp=SyD+C=wgzOMygU;mnh62qY34=ej^5 
zv2nf-NF+ASH5EuCcYf>V;#Ng+aV*Q*_L_86i`Yyn={4z16;LFW8*^on3M3K><MJde zGT*k&CFzO=Bogb=m!!)ophzs!F6ID<By3gpr_xFlP$U+a^C=pDNUZC;DqYedcDw3T z>7oWG61&vr8n8(0tj{!nk=R+E!l!GutX`EaXc4<*^{VuV7J=)|qNrD;^IBw*gY~f% znP_9ZBAwF!Nn)M&igZ>5CP~R9hQ~?o4%Q+z6H9tW`bdD1SRTX=qz^S<l2}(dD19J6 zNi0Gqr1v#|l30b_lHSvRN@8c7(Ev-5WEu9yTheI_z$A9DQ(DAsV!b7u)PPK4mpY+E z>?YP*((zzq7#=k9mnEE{0-5B_gBO-oiJqWsr6W>kUl^Sm8=)=m0d=w3T@3}_LQjo4 zXbSv%U_sz6e89hoC~+G^hTlP(!vQ`WohqL8j`yZ{zVW=^ne0h--*P|ep6PCiFYLEn z`L1k)YF|S;;C5)+_YOMqRY&yo2{x2`L-w$$^ctB?T4LKjLbuWhw3bweW)M7ekJ1K( zVF<rh7_3yMY&)O*5#sXS&!aWbKl80w$gOymYx8Lb@(dpxfLQz4G?hGUNafCk)KfgN z1T&D4lt!gLjXxkIsRot);167u%NNz1Q;(8my!s{7TrGNCu0dHQ-}@N`FU+CUU1Vt| zPud_pdjT!Sr_ZPLmEq~0v_{4__7rlC=si5$g#%xiPg|nDdxFkf0QzK6wbSMK(Ems_ zl}_+C7QoALoWFm8mM_}8tTu145J@7(_?6FbZVxY_GJk&|kVMg@`RAoLboZ-rB^Mjq z(~~yVI8@49B(n_SVTvOq#J}H4QmJ&5Z`ovWwmeCyQ|SoLxgaNGs-pZWp{#`biAA)U za=4i%tp(qki)#tYrd5=I13bvEN{r=Pq>KzOCZ}D;Q^fik3Vkpa3hl>t<<d@QT$)(0 z^_N0ReR!k$>5t0&%{^)Dc*gx$v)N)=mE;P2SK>1l)4FJ>ItJIvUsz155u}WX`*UM4 zt*-QL<4Nmo%&EQv_h_MU8N-*LuWK(cKS%V}{tQzOd?Tk)*2B2)Y2V7VDeInCwCIh+ z)yM+=pBrl~UrN)_{yA~sm%bC{-c_iv37SBs3jMZPM(;u==*02AIv`hbv-Hv4v`8>< z21V1CbSCo?_o`BuW>ePKIP#P*#gQxWm0=X1u?mT2g@0Wr*Q4}b-e)efHIFZ!OPk?> zk)GAP=*cr}$s>GsL!{BHN~KwSzBUpLdq|;vYLVJFcq7;?NCTS!{o%ffdkQ@@+;5`C ziss5vK2T!v^FWCi!;phVCJ-w1FjEVR|07NFx{AEI{kWh+mW$_6WSZcDN)mb=6A3-{ z7Rxh$+tM^6vLLS$*B_&Qq2aafaiolNFw%P_KTi9j>-B-h=@-af+VTXwfUei~Z-PKu zv2Iy@VH53x*4I-mvW)dL&^~$8X1bMi&1=n{8V#XVh7cWtM6H&B9*b7kiFqf+U|#cW zmF}Yi{jd|P^s!(yD}G=s9Y@g>`^I?W$u#8|6X=*=$Gj%Uz3H0Fz1cc}Hn!*9WQyFI z$IveOjfpsFy0KoBNm#EjpEil2lQI8g0P-CZsZ3ob(^ZK!<~h={Qs`)CWoT5Wm-?N$ zPo1td0f5Vk=mk_aa5=C&Fg{S$f6@OeI=R;KtLW7Fgm03s4pLU$^ltD@^EUUE@_g&r z0iWS8Pb&|~U)_h%2emO;-fVJpRW2w~(ELb}pO=@QbLdI-2poEK>2FA=>`jBje-cgH zCz6`dkJ7Via;mV-c|m^p0i;z0c-;sx*Zln62<?at)>|TYP`&(v2(~Q`m-FzPyLp#9 z><lhmm<P2g{9GO#f()%j`4C}zbUy80Igh%~?7CVo*>bt01#{Cp!cXVZEQ-8PIf@4| z%-crkM0;=TM#v7`7e%S<Qhp;!2aqMaMFDN0E*4An4rXLzqE&MfK4vki&Zb4~=T8+- 
zgaH%HwYvtho1klRbH1m5cH~pvCY9O1$RhqgAsvht_Ix4jjrXs13|sGfJ}E};!TWG1 zhJ9}?|2Ib4BB!%WoK_k-TO6o%FgvSxqs(TRi9W=0=gpimX5#qDky+wzX~Cvh890pb zxABY62U>I#uN0Xn{#rMfj&9OuJDiv~Zsx)nqQ`N1WCq_IhlZx}YjN6^)s9RnYB!(` zjZ7_?FrXHVOeuPBKqie$E_!nSQtT!beKVjYOOH(CHJ4+~1U`5<ZpwK6;Bx4H96v2a zV>w-c|L)`2D`>0AW5l6TgPB=bjhZ%XGI0FZNi!zTo<DwWJJjl~T!C4m_<N8eBf0-U z>;NNphX-jkigE9M5D)2ae&RtW<sKe<2!9*KJ3WLaVJLs-A-sG;_~nNnIhdDUiP0cF zWhL-}2J#In6PxdcD<RpRS6W50u;cb!MMszEE6${JFg>$*qwLIP=(64*(ucph3bXF! z|67Gwy?Mjcv{^5)+0;N|jSvs@R<El~f=>s&3WNhq(6&Dh-KM7cQoXMt6-)6v;mJbN zr+Zz$xwgC7Dd*AVtD(GFuFE>n^{B5+m)?^KkSN&#Z~bIG^ElqWNj!l;b?P`C&xs;W zH-+aGu@oau_aI`{N@gT8ZvyZ8GSc39J;LhpRlCV7<PO)*8!vK=cR|ICPtmJTv3{CP zf{GKFb!BSM2K=X<*loW%P3w~};*Vu`ec)OJ+vknO{*aU0AG97yL*E?)2A~;Xqk8xZ z^5I4rxp6lIjiTuHu*2NTAA66Emm}W1;YQNl@cOi-aTvCS*1%1vvxfHM+lr8B9bJQY zL;0s`kjOWLcUX(*gZZkp7!Bfoi2nxikws9z0KUBl=iQ&{kKkhZ@wXlUv#&_PE6uB{ z!z<N?&svAcck=`5=p>~#k`9N7tmTTl*G&M1K^vliJ0m0F&+Emnt*5K-+cujc`MHNU z|4FFNUa<iyb~CQ#s||F(`uE}aZONii==;!)&`|d`p&IJ{)H9xt8dh5()9;hu@?f8! z1Uqa`U?%eSeEzfkeTZi~?qBb^?w{_j>$?Qd^F_$bs{o+$XT6i$^}KaFe|Qdhay>l( zE;Yi{-K8oYDqEF&rIP%c{4UzI70CC<E_6eVCVzTfs-O{8r1cp}e&-#ZruE#93{WB! z(c*m5!(BXC8Ci|eGc$nQ^)#(tYP%+vtxN{=$?2Qk94*?jo6P68pQa;_GCKSjTy0JM z?KAjY+sr-B(sb7>qaXb*J>|Q+nb;IEGP3Y0_I--BEIYQeT)8so-+92m3G=6=XNxxG z&FAsn&*CW`$z#vbUPw)S@F{Gh!})tp(Wb5;ZRMG0hyG7G%kVbOZr-SQ^K{&vw$IUC zuFgi^`1Gde8=skuKQ&3mZ{gFs@Xog3XP-^HbaWf-LYDLH+wiuf^YAw8kr{mVHoV;} z`7hgO8*I&ux6}4`d}nRPwq2fY-HyE9vi#HSv<^}}$qw28*`AGd&=&4e$u9A!gIjr; zq&IEUtXcMWzGnyR?E1*)i+|vCv`=V)6M^QWB3|t|7)o#R2gQF!`E$?V4A$~1&tY@Q z=B0PS(p$<q@5G^(@WP!qt%ZF5PFPR}`Kae<J>I7o^A(-C2MOWNQ@5*X3weBHTD0Y! 
zhTbgnb#IoPfgfeaJwOWimFF=zpKH5lC-;iGl}HfUnvqZ2XJ%xJPWDX+t0}jrOnXnB zF?ssr`^Q%wJ9GN<`7<Vu9V0g2CTPT;p509PuCd$?^I9ArHPq(lfS;AsL|S8XyHDSg z=E*`I`ld~rW%1Q7AdU57e&q$)A-pwlCwq6vY20UE-}Gjgjhbhrml0dk>tvaDs6Pq4 zi;VlnL-EkO&}ejyXc?*-DvcQ9cj|fdkh)uaOpU2?(ekgS+FY%zmQp2jmH0GxH25+) zzpp}saS|H)bqF>_r+07QkHEFSnZWCTZGj?ecvAyI1D(QwbOabZ{@?vq{ipGb@{E6t ze;I!F2cviUUFh2GLcjJ)=+wR+J=#~HIr{`(e_vZ)eP1~rMZdjI5nFuGyUDx4yTE&& z_ik@XZyneM|H3->7?H&nJdeV7o8uXYj_S=kH2|x4%l##iR^N0#hqz*%dj^cUR$Y*@ zTGj1y{o%UiI^%lH^{i_x`s7VPRI!8WE>|U>y8RCct0&Oo{7Ge%a=$VG7!qxj`sk}j zd9yKO=s2=WM{6c)SqmDE)zb?_Y3`j;7w``1h4$K9ARWD>7usuc!Fy9LwAbds8o9a` zRop&uKrb}PaVO81I({6=jL^4iuU=@c#szPWUTCkzg(Z{mB9`!y*YrYr0WQQ})eGze zxWt2H3v30rGhqcq#1bB|TQ9Je+(LZ5USKb|1us=Eu$SCoi4U+u*ezCHWY>=yCtYAK zvL$X(tQXjeY{A2__99#G_Ui@qB3t4@Lx}==ku7nd__JV+JkoY!T+(X2V7C2aT;d@1 zB3mrDPcN_+*%C!uh`q=bcH!GEK}`yISua3ct@RmD$V++w3Ty4W7xe-Z)>?To*I$O3 zWT6s!F)fjW_U*;A;6eNLVp{NU1@>ZE@LtdhL@}-9v1HOadV#%`7Jce==>_*W)I`X` zdV#%|7VS!(*9+{$v_v8+^a6V^Ej-3Jh^3fTJh&1k`=F-($a8vuqkQ&1vO_Phm(LPP zw(A9s^4WiRKe5EWWTjp()OK0Yzhs+U;3$~=mprQ%I0|NO^Q~fu+vFL&z)>T6n>?)- zIBI175r=Zr$o|8B5lj3-p41B*Rk42yaYt3`-(;&^;HZlIo9FDu61T`Yy}(fjdy8z= z3#^5(C@s82Ht7Y9I@p_hjacF)c|tF6l)m01kLv}F($~MpV|sz3^z|=(6-$KwBpdYt zN3rXlWP@JdD0cmmaJ|4$?D_}lOA8#uu78mAdV!<Z^>=Zlj$&7|)X@vt%BuD8lz!)t zVqDg5LXnR8*5Al<y}(i5`WsoR7dYx$f8`%wiSV!D`E720N`57H^&J(hKay2?fuo}J zM+v9vsA&CBoRXuW^+)oMUf`%`{gFJV7i7v|+hzTLh9Cuwiq;>*i{q$h{Xtx#qoVZ( zvRp54RJ0x=xq5-4qV*Vw>IEegtp*;mbWH4u$&%LOPY8H<dV!;&^_bW`92Kp{NL(*) zRJ0xy2X<7n9u)_6RJ0xqiv!zBTBV~TrWZIWT91-Ky}(h?dXyCC1&)f=BjUi0iq<3I zz>bR6BjUKIXic?jdeRYb#Z~Rk!Vykh!;^Mc$XBud>9F|OsO;d0B^;Hohj~9Nk@l51 zwF-9eugC*>fus2KE57nIn69Jw$=7J@@YiIqUZC4&eNFDy3p6|LOR;*$$y=lss7@Y! 
z6oO9PLcJhh=iQJV)eHQN=ko@cs-elGt+&XH_IiQcrjc$)*cR+I4S3iV>^6;bgDlVs z>^6;bT^v^_IhO=pH+r1nxWdA*^fbAS<Jt`zh~e7o1`c@h^a4_{o-mH2FT^qI){gWA z4iOdBj^z+vwAaH?yR`$kxq8&mZR86wM~~V~AL$y75w)8>(lv1mVft8(aSaV`9L+|q z;b$?LG=oa&%de5yS`>DWrP0P*=^ZT!Gswy!v$QCzAPZ}bv_gx*2(q%sOf3o<$ikW} zt<$1&9IQv65m-Q0F_NK0VF1}!Gqfn|9}5dj9<?aU9~%pcO}DeibS(-?$SOsqX;BzL zcUa+>Gf|Qeg&}l@HxmsbL($1#-O=OB_F5Dskxgid7KKG*V@=kgFo<ldNqW?7521JN zL_M0chf4H+l}ym1c7q6l<Mrr$_GjxV8K+0>_K<Xi+^0wF_K<W%G@Y{BLy#M*NA31d zSh_4GJDQ7J7Ly&;(Pc75kJ_yx=@J>OMTK>AM^VznCR$YV7O}E2wWu(ZtSq#!5_Xcc zPu4{;N{>1WrO(Bg41(Yt+Yya%(ZS4NHGNJ->QRT)^qFYJ<*=GQ6YKT6v)&l-zJ4aU zl{svv&&UYzHCj!y1E`25^TInHMS<-*fiWnt-R~dd5Bi?>_4G~wvQ{<s0M{zzvXUkr zlb6Zm*eTYRK10*URq5YEUx3!dnLp4ol;-C1oSm#}@ydhr5Mh~l%Y;X)BBD!=(Y&R? zcT|z@nnP2IZqJ#+a`Kk&pT;VcibC^txbhamW3<qKK_BrbYgrVUKhKqSKbVt?^z9Xj zw#<K8j<CF3KHwc%h%n04r)2=%U#AM!4$&QO4!}QGmcMrhey#ToBMOuLE}T*G`I2{O zSH9*5oNDLag{yWhuYDL^ra6W;FYho|vkm$SLC@kDN9brYUc`T8`L-iiVutZ&*HQd= zIv;oxv!@xXy+`2-oVxxPjRR+I`7!!MSVRo7B{;0!4dsUFsJ|jlI9F{O{5|*r8u7Ob z{1@1bV$+cSxc?!4AK%|7Azca_G{t+$yB1E#GM+=80(?&E=taN6-3zsz`&^@tal1&# zl5fZl$fZ!AIfHd(Rp>Fw;b46e_<l99N1CoGDG6dY!jsmoBmZD6D+fO~$)VD7B4|^I z-~9-y<C@UlBWi&O$6rwkoDIxN5j$GH9##0W%E=8VeT8f5*u#Lt+`5i+Ri00T`ScAC zKluVF>z4K)R@N@ZSRiXXYffT(#(D$+SOf8YN+2U`z&rr#jhQo!RpW2plq>L`pOt04 zsz6S0GiegyO_h0Kx#ssMz1-}{>EP5hIAPBEyK=^XQ98-kz`85#`*_l(bFvU_#w#0e zyu~8US)QkFWc4XZ=<nUgx_TN%QoL#7BaJ!vOfJh0Ze;oLAP*iU9H=}W`6z2aF)g@( z4OZ5*^Q84O_{vLiO&4pMh`}Y6|LIY-i|jSReOO-RuRI22V}-<J3?HB%5ca$gg1ei@ zwO#b7zT(tUpMY}idYm-_yeh(wm3a7Z2FW%;>lOHGj|=6rHiBul9%nV+K}|$xn?Au( z$ra;bra!?NkYD+hOSrH-Pp}knnWr-x7_`in{z2+e>5{QRg41XdtE&7j5wuJk9Bm<5 z0K^>!Zw(m3#5w%ANt{C~Bk=d(KDiNPE&1rpYy<!f6M^7!n^}GGBjSC1$PeNIEAuD* zlB-hILc|X%@b<+rF1@*NwcizsfMYh#xG8smr#%s@U42u|fZq=@TaqV@b1QvIuAyvA zD0u5^+^*iY<a%U_h)$R1D{mpTzM0QDhoJ1iTXHL9Qx8wt7@m-Wsgg<Q6C(6no^O6d zu6Z|WCibP8Qn7>#d{y154hhZ;97N8%*Ix~wf}Op$y_)AKPcz``dR>pZ`Xe{}2_;?r zT3#$?0CV(y7Nm#hU=%5zNAZ6x-o7uJ%BJKu;2(TJOBYv9VLlSf%&!OUy3sH-mA}?Q 
zscP}A7q6|#W{~3Nuh7Ck*r$9VeNV%ZTpg+V5k&l_21W-40YR}Hz%kMSRRg8rW4jIP z#IO9H`#<m>@xKmWjAxL{zZ(59a{V*>V*!iN8$P#ee?xyNKr#Ht6!;xTiI;t6k=y^K z?<L=MMB&!@V!kD)C7*z1v3-4=eJy>BeYJcQePPwdfQ<Nq_nP-Sc8a&X`@K88TfFPw zm<xO7c_({EdIxyBdE4M;W(D0s*U_B@#)N@40o=hP{sf!AhO@rdKUyOD{zbNpJ&v9s zfcj&z<+8Gm{f9E}Z`dWk03Ks+$PJX!$~#K2^1QOOgR&kFC=V#}5&IjZ3{<+qMb`w4 zO;eOoiW{l_zsO(8pULl|w){2pUU*vGh!TK&d67I_z7J&pz2qFZ8TTAy4Z@+2qW-P^ ztlj|3<$LP8>Z<@Zc}m@YI*L4XA;OgRsYBFW322jsYN}dJ^~2x!NASDgmEbv)^S=eJ z=Z@f}U=f`D%Yt*^`y2tZ%dWxJ!3<zsRt{<aHMte|DR4b-0e;X!fmcx8|73uBGre`a zRlK^_6-HIW&uDS;spmbE-oFYD=2M;xo|T?F&qBc1j`0lk^z^hx34VP<J<E8!?tk6C zy1#Z`girG*swMU!gX1w2;}@XU#7y@%AVS{l?&xmrZse}vE)P6N0w?EpXbpSLb;9+Q z>t)vt#7m1%puf~L$2HM)udAOc+{M)jwG_4C_Y9$1>`kD}e1Rv+=*W&wE}*0&+Rftw ziY9>x@X<xLn%sQ4$smuC;q+OPETB)BWRz|*$y~bKAn~n9pEJlXJ_+eFrbHoq+LVaX z9VQv2yG$~VCZP-P{Yzgkxx;A^+u#JrqKd&q(?TknWF~bRBw7?wYLXe0_`->+J5JJR z@|w|kk)kCyMWFxWFzQXNKx@h!OtQM%I!Th7>|2xki+yF1&8W*DPa_N!GRbCCH_1#| z$|S=XR5R#Pqy-I_WF}QjGJ^&U673(U&m^;{#~`1BOY&2LL`O_o&LBS_<!Mfml-{MC z4Dvh~L|dBVKq@XH3@8EgmZj}Xb_LodNn&1GlUz<)8RW-gAZ=!n189~>R-`RVvI5Oc zl31a+L7pT1Xr@W_r5PsKGfbNp^jXq}HZsY(X+x8&NYhQS0=+9qV&TRH`4J7t6_X^I z!K9jGLs}zAN?U17gG5_WTG=Gq(@KH_-opo^6Rm2n(cqM(m}Cc9B}rn5Y6gk6my{Xg zd!!w$V3KWVd6Uef$@4iw+R(BF_Y7%G%a~*<S{f*#<MC61e=n8ShBIERj-rI&q!>=O z7*dDvx;<u+5&Eb}4yR8fNvPm)gG9erTE`^2(b@)y?y$6$L88kmt!|KLvq{j&TL4I) zxhDD7BpZ?2VS`5RM)I{m0t%dbnIzFaJ^6gUPFu@K6pz<wD|x0NfG)VSzDf3^X(ri& z)=iSq7Fy3B(fXG*HApnnr40-+jGl+&6N5$*NOHp@E0gOcS&4jMkZANsu9;*7a>XRe zlglPqj$BHTK&H5AkmzzpUNuRHypklP|44CiCqOGZvfpIiCi_hCAM&zE{!Lyo$y?+_ zle|gxn&e+(k4gSXcAMlMB)MOq@f=BRXy`Xbl3UkHVd+<r+}zMzjwJU-G?gRCjS#)$ zNOA*33pw<*O58?tjw8u^7yaT$aw|ofIP$b9@Eu9+#xJ3a=1G(L4M}d|FX9!#(~F&e zN-qLF{%=F#Mbd!WN|Lzy{}|+6QlI>lB*DFDkb6iP`6Ee!`=>$frsd@1)3}?|BfllN zq%Qe2NkaB_gM5L6>yZDMbZzpBLGB{8$WJC&ll+(@G4E%CL^D(JgF&JN9ocA*&ylj^ zGm|VsE*K=7YjllCj;4<o<X5z|EcQpS6T)dnHze6;#m`MLmnIkflJ<}vG`L^VcJcy~ zY$y*k$qI7vf&P;E<xrA~U#o{rauHo^k_+idlbj!>s|@-EZ6c3Pl0XzlKHKo9(U{4d 
zN|Pr6UmkrZ$pseAa+BmVZv2MbXirxd%<DMy<lnF3)aRMphVqaE8J4co3UcxtzK(Mb zCMC#xns1WxXr4(<r3Fb6=YZI!_{F^5o<<Gk7vxWt+&kb`qsvV09Gb+Wfme<`kmO>4 z2#_bl3SYFR$&CnZF}lbQfOm~9PLcpH$u-GG=@R3(*V@zj4JJH1G^srJb?7*gJD!d; z$#L{PgM?Ftjxx#n!gNfM#@0I8ATN{q=tz?sL+?$J5Ex;QaKq5y1_>Vu1>lCbh>N`` z&@~cN6AIXl1eHmL8G>+_(19j7gbqrQVXQjXpy2_beNFOS+Q%d-(g7w}f%Z$1nAYDQ z(NUk?ZIbuUUM4w=_DqtH?QM`3$WYqFB!|$h$@d>U^l1;1U4eE>l9<=sAU`2PXa|!V zOxv4eMcUaUE6|QUk|$-82w|_XFuMQw(X8na+80&JT|;iz*vr-S!9S5P5CH(74y?cR z0DrGM5D4$vkROxo`wK3JvA%NN&jGSN)>|1?@f1&Ev<!UAeXqMVa{gY1_1aAN6&<CP zD4i8Qto#k~7`YDnjdp{Fsv9XKZ6<l4!{jKHd8EBkfgO~tA#LiC5(*uV&VV{$e8-|C zV*@JvD?V_WQ0cbu1&T(DNJaifeD+o1BcB&pyZemfRMC}@N`H&5$_o6c%M^dPWu)Aq z|6)z$W`-xNF;6`UpU$oiX+@;pAsx2@zx*Msq0CRD_Tq2lc$JT66(r*&(p~$0M62@^ zpWwqb{t*&w=NKQXhd#oL*(Ed9pT&e(#%Jh(s!C1DW{Q<7@mbZBYLv||zSVc0MZ(K; zL+Zz~v=+QUi4W@f=a9cO)i~U=bF?~qLW%GEWlX8=Vv`d`S#u8Ob>$omGl{>Aq-*|( ztkiL_iHUFK#2;5HN-Y<gkodMwFxG#Jyr1#L)%)E_4Hp}Cw<m2f#~;fSZJM9uCijnl z$0Wq{PieWLwC!DrUpr6BQu3e3vEG4fGk77&^RXVK9%c6#2d(H;>QFXDTtWqY#;YKS zd9?5vl;_KQN-fGp8DIS?K0|`fNTI0~$SX@^6{8tgRsPER!ar~kx4iY|A`!f?C#`|_ zkT1i-$TCK58T<p4`BSQbJnms)&<*KjiG*oPs!4_jHCEtD(9}~Qrn8_Nf1@p}MG?79 z=nNe_anJt~XV^;K595uGNte+^0#pj>4v^i~P~8*!IXD&oD?<aSzlQHMUt8~Q-bKKE ze9?Upkc|o;8QUp`<SX(xeA1@Vd^9l~CcT44@`2)?dNG|9U({Hm!2arN6A70`szJ;i zZYAZ(aXn@aw}N*}kJ-bm;2qUt_HZkBNAy_RI}TV8lP^yW>oI$4Veqc&vDWtZ5SU-+ zF?;M4yhD1-9(x7vnjW+F7AEBoz>3)evEW7Zm^}~+-Wfes5{Nb8mtd~aWA;cac&GK4 zJrWDvDLrP7#Dcd%k7e4gxEwjD$LxVv$eqw*_CPEt7Z&QbM`9re_1hz{;6eTNNGy0z ze@P_P$lEC=)Nc>OLJsP;2V%iHug4IGg*{Tz?itLFwU~&+-f`rUa@F;iJrE1At9r~H zh=nBt?c3w9;6eNLI4pS3z9kMT`k#Xd?b`#f;6eNLKrDFBzC92N9<+}@to1s|3hmqD zu#kiHQ=D>p!+Ojfm4zU*Z;#4?2kqOVvfx4c_Ws1+LHqU)EqKtrJwyxMMm<(eoXnm6 z=U{HoV`ZIZh=;$7lXpdrmA3QB2=$k8@}Pcu<d>8Y>bFLI(f=GwsNWv?1rO@Chkn6> z`t6}#@SuKs=odVw-|svbs9!{WEst9nJp198J@$*qP`^F)3m(*OkNtuN_1j~=;6eR& zV!w$*wlYHfBJ^uJ@MS$_#C}WqpJOu9WA@-Lc$f5;J@|{yN2uB!`~@$n7mDDo<shY@ z>Oy<)7jmogLR;`RJQK{*dZ9h~3*ITc&>sB-Z-rhcqQAC-oYV{L;a|v|&<m5{Uo)Mr 
zG*n%P=&yb5ahx>bzjo#^y>PyhcT_K&=j0vH3lRdg&poUc&T;ZC>V=2_+vPsj3lRhs zJTpFuvp%F3A`EO7{7f%I9N5Y$1@#vq5Nzi`{fGqHc~Cz>!FC?hk5I6M7Y67o)Q@1W zg$W+ik8rS^2lXQ!Z0AA!2ngGGP`^DQjP;=YWJK7!C8hA77mjs2G^OyQ7uqAjm<;vX zBf{W8{q~43cu@Z+=gEAk7uqAjkh`E4ngQW(GT*b5P`^DQ48c$ILVH9QP`gmShzMIA zLR~!lA|!0%LH!~oY~w-wA}DO(g>|8Rdr%k$f%*s81$FWC4|MXNetS?DbD{qJPC2OG z5)>A{Il54PUx)pn3-$MLPKNsLcJiS9-cBCW-^<B6uNU@o@;=rJdzieW{h^a{dSQ2y zY5bIHNEs^Z=HMZ`UD(yZ1Ncp07bg$5v$K<TRxj*i=Y_)Jes**)#r<@cgdwq;IZVQk z*v%X!VMyH0cFy&1I~^urNZd}CgkkH$5W){fVQc4P+)sx|7!t3O!z2ue`{^(VL*jNi zOu~?Oo9>u|iTofSLF0aw*o21qL*jMHa-PgbdZEK443Q7@LWfBh5^s~kBn*)c^g@S8 zsFE<$@309~p?-%+s0#HvOhQ$t-(eD}Lj4YtP!(^J!z5IN`h`ho$<GkT*LoprLhCJ2 z#p@(YLd!d=3iUf|LRF~WVH2uC{SKQ@73#OxgbDjk73#Mbh2s5Gh58*fp-S-dJ8VLg zyssBJY(iD2znb%;-_r{nHerzDhV?>+Q5Y2Jci4nMp?-%=7!>Mv*n~l$euqsM6zX@_ zgh8SHgiUC%|AIpO38V0iMGgRRy|AqPN`gZD4x2D2)bFqfgF^idn=mNUZ?y@9{TCGK zw;F{B9@Ou!34=oY4x2D2HXnyg7!>Mv*n~myj$Y`n2?ONqU>KjZodEq4I)G^RkWg*) z8})T{Eux_W03DlxLxb+X=YgjXbPk~<`DovN2o+EAweo)BJ?Nc@$gkJ4$Mb+E(-U;x zaKC{7We>D+yXJb+^{6Y?)yY*BMVsqTS5ZnnD;LQ#5Rz>w%j|PtPL5#N^cTd8$7=wJ z@SvCX4l<fl2h7LzH8~Yn+q{1Kr*zgHC0^+n$ZhDuCuXpAsP5X9!MY&{;O7jMh9c!k znXD-ax%y<X#wg?pXR?MU<a$1n)j}cH2bpXFkO!JKVVzO2yQ~STjbh!Wo3Oi)DDi6( zOz6mKHf42DmfN!_Mmc<OQ=~_<=bM_ca;V7N*A%O?<)1diNwndWvsfF_nh(puNwne{ zvseezCw-p9I-<^}dNbCFH0Sp=V|Sr)=)q<<rDptKGgciHw^y67ny9!{vhiONo|X-f zOg=Oli6j|(O*U(Znx|9Q$b)Ij<>ok-yLdzKUn4%SIgZ|t=Qd}(0Sj=nIZm)X|Fb#D z^wW6X7OXA0|F3Sr>Y)4o{uWF${&%-z_0ae~y(R01l!LsM&_qqXyCt+#gI{RLrjb<M zr4@sQ`L<S2K{ftID>jN$<%3&edJ5mx8dp?>f7=>oR+-mqgX|2X?6kq(D)P;3pur0K zMjM<&d0w_H%S7k>Zf)5hlwoaZi)$#uFSNzcOLN+eH6o>WdOIjY=hND;47AtZBt{|r zX**U2DOW0g>;an7M)*=Hlb%v&nEHyU2Nwj+2YUF=AY;MfJLo;*oq#%@C((kwv+Hlv z$gNd+$dlOj%tu$zQe+)LGA`>@^uG5<@u(4OD`mO)Bl&Edl_~yTdv@EONP}u7EtEn> zLQ6wU)vwek!T*AXgDVl1j|MshC=#IV^;hz}>I)&IVX3#3=PIJ`T~R~yrhADy2VD}5 zqfDp;x+EM_;!1D%C%IUT$o=ICcx)fXV_OGNq`uPg(n5L-#cLzrYWs?8!R0jdq-BW~ z|9tx;8sh8kQ;@-ONTi(fSKdiv>L4Ac3_mkYL3R5<WWH43pPiGlQGkZLmI}Pihw@$I 
zQN#b#HbXR7*eIN075I-C3i5<DboZo<5{W})_=>Ygec?t{(Al$c4YJ<wa;oR#1}@ei z;ps~VF8NrlO5PGqH#p2DD79VeO*8$d4F7F{@WQ=eI1+bE6z;|YhFfy_d93+5fA~C3 z=r!SZtHdvyNBYdGhI29SiCmq$!ja5Vk^84A9Vsg|&gIfnk)gETkXkiO_$>DsKFikA z6(mc&EY`|WUP^RwNSxs63vxr{#Y84fVmxA|l0n&CBN3_Ur|8VG$5`OjGo(J14jRYd zpW^&>8(z;3_sD6K<p^yei?10)tzN=|xBo{O8tiCHc>FU=c!9t5nLH9GE>%C5hoNaj z!fCqtbGbe=1Xd+}_H(%%x>zLqwR<ihXRPr>xeAWc>!Q5FwSBZFZAc=ktt{6rAq{D# zu|Ps__(odWO}b7)W*UHU*0Qp^=PBBcqGT~~E(sYF$XB6wz2Oe6EPy|1;~fW$CV=Ap zw1vJ`eJCFXY)azzGe3fk#~Zif+wwHkE&Vpdla@2xNUOW?k=%#8P_*gP60(Db*Roz@ zmyr~;E*(u0@J=T(q#72%@5tI4i_9-#H5yD5FP$#Ulhj#iAoxx&8y@-Pf!hAhe82e` zdV07n%hzNX*@S(id2m$rkRwC$=kZ;0l~3fnrulP=r_5KH5t=`z_{jyz{UB!Zs*9A* zY5uI@e-<e>iJUhve`ay<5@j+`^JfI45t7tIin`0@wctPhsnjhVv`pDa<VdId>3qRZ z_O2Wmn?H?@3cBjRnX9<@jU`Gc{=!jZ4WDqIQo6Y1FjiY$-<Qek1M>PhH*Fa1t+r6> ztCex)w}U?+E9V3BI(<3#OmIyw5BWHw5MgK?tQRbUJRDJr_)*}kz|O$q0NBVy%Yngx zu7M_jS^+IU67U))kR-LuzX99LEVMiA?QiR^@2~84BOr0zcMd^`7k!(2t9=jnrul~Y zy8E(xb$q45NQ3&xdj%;_Z+LfjAN3Y`7b0dc(Ayrc8Y$>`ddu^r=e*|_KsBE6tigUV z!!rsQJ*_?UJQdOP^bbI4oN>S9-syha9S0cF6!&0vH+KtnZFf00b^YqP?0VmIz_rV@ z(Y3<07#TZ5@za^*N_CY|{#AZbK2uI9;Wv~Ql+8$mTBuAy8dQ5F1HDgGG(-4az9^rN z_siSx`x=#JAwbe!?j&c)b>-6drTrP;8mHNtKxlf5#n@an4mnsktP!h<&Gc_T)O<qU zrTft8Wi8+}X42ub7i~lDLij_Yg#17*krU)~JT&+xtOWC4V0jrCEmsEQ^zKY5(LVZe zhuKqKS{_(lszjt5?X54jT0Agr>eF6<<)~OruA<Z4f#so+VKv$_uv{$}R>d&9JXkXJ z&>nbjONO!-`puz)(5;U6r`2ATHqx$v<=zqzgh=(}b`O`dQNr8cHbqD|+D%_>ac(70 zA~(|Rf#phxj4ovCjxEGyaU@nEQl56vm)l)h5a}FPPD(^7(N6kuyEjYPfRl-bOGHAn zV_1(bvtQE&+942MS|U@C=IC*U4=atf55yOjh<Io_J??N{rQz!{?r>kFk!T>ksAQTf zra4ejkq0n55MN-*K<SW~Z#zMVEDFTum53l1t;gp&L}=SUd`^i7Qcm>vY^O*Ye|(l4 zE=v**+(_Cw5T9w8(aIm6A(#BIRUkgy{3D*tmVx-Rl3|Fp(Blq&R6W`}5T9ZZ$=2fz zPgFh9FA$$}=Vnx*S$f>zg{nuJX>s9&vbgQ*Rt?0*n=4BQ_Umzn|EVr*>W_~#PySvZ z;cz_Fp_zgB7_mq=@wRzsMj$@AWYJqRU5`8bO?3!#IMS}eI<#>hKEj*^z1*e89iFDz zVw%I#RGT&m#P2bth4HR?Xv08!SjjT77!EaucmyyUQZl?w8|rbpS4mn&Dh1+$Oc9(% z13m6=DAgjX0`UPQB4ufPJuZAn*01DR<VYai&y<n=6f%A7S6qu64#fMIBE(12^ti)= 
zR7+YHi1#iLDMRZ9;=RnF^ari0$1Q%N#8+}HS}zdqQ6jTL$T(a^wFvG|w-S*pLd4-M zss${&co$OyTBxJP9gd<}v{oSA$rO>0x)Rpo4j)lXp{WifGAC$Fe>}&0n8wi>dfed{ zswvdg&YXZ94yVz!WT?|rJq~w})y+^-Xt8xdB#g~oIzg-Jafc_Urch%`a~bIwT1}5T zoIo{E*&KH`fojr}Ks?)=1|?M0;|}*vO<E-o&q|7f#ZOITJ??P*)DTK&Vp*n=9(Q<s zYKY6uC=m(KihA7P@2MfKvvG-thgQ(z4p&dOhPci~B{H&*akzPEkjsI115*SqM1?@S ze#sD7H+tOR+o^%F(zwI7Q-hWd#Os>VNPw2p<8>Tf(o}KTwM`ib30QjE;?fb`n^bYx zHBAu`qGk2C!<myRE<3eEq#7-w#~ps0RB_eSAQCoy?yCwJhYu%}mJY;IN|q^0bv^Fz z-lWn}fp}$81aB-v9FCh*ss-W|OGJ?GsmCooo5cH9U0ing5*Z}4>2Zg<rn<Q7vZe^0 z8C8!vJT=wf*NQt#mg?d<@0cte>JP;Al2v5t$NT5-&s3+uK)l3e!QJ-jaffTBIt>Kk zC3Xw)t{~#@%2X4VRARi~rS$1>yYWJ*iAxHXST95uGIr|)GPsp@td~mEtH&+Yi+CWa ziA%g=yi}qdJ#IH%NHyx#<3?1jqzy$i@^2uHPB^BiR+YN+xFaA}jVgh-RHCkORMul* z`&LpF*BM(@BBBeCrB0C}f!LA~5kEyVaIq<p^wL+wb;j;5kqJ?%#~jv6Ra|GR#Cnl_ zrz8+tSTds$mGsyGb5+C7T$TK%#~j8>Ra|zg#CQ=|0=EOPxh2c!<hCB0<6Pz+J?5}p zQp9D?Dw$S}{H@0vA+{9U-WW_6(-bCu2Vxc*hTPI)(;Qy<6g<H(hb5CDF1y5%kxr1C zddy+Tq@XH0Hpza{DWotEn`j;#)BXy?CX@`3-KWPAku-~!G==;Th>bI4NG0-nAO<TY zdH$uzZ~oYQ=I>A=@@pWLFkpoJf}Gp`1!8yXmmB04e{7T~doTGV5F1&tP$lwnAXZ|u zgpmmRQy_M)<<CC`V#7;@<;eGX>>m5IRU%&nVt4EnU5E^Iiu|C*909RP<U2iPw_Hf2 zF!@%G4YE(JNWRiz4*R8|^q?La;FSADj|n5j;=!*-zSd*?Y&_{PGFp#044Dez7>I|3 zt&=N|FZGzioT)%==rMahOezu!_OcxWi8~0MTMQeqHI#?LJ=Vi1hdhNl#*GoBDG!f( zteaC1c?u2_r#w9Fu`W(I<S97pobn=1p_5bYgpbvf+DV%wpp9$_l=koQPw<DE`%`?k z(KY=)>7+Lez#J<`5Bi<w$zTJzn=VCX$(!!#fD`G#I=N4>Gr*|a##Xo{2DiFedqT=T z%0chD%22O@uVyBnlexDie9<H2F2Ql`&9W+O_RI^t6`G`8Q}=sLtINEL)DFSFJULUx z&uDbtn7P;_=8g}}ojZA^`2j5Pi@7M7o5ZWkW=$%8SW(Ujk^yL$H^<SvsSfWuo29#6 zY$wk~^QOl8;QRe~HbVy<eseaQsT+CP9Jq3i@z@;J1Rvb|z#O<{=WzdAI8IY}o4IhD zzRM%CS+??zyPcG}CMQMdEHA}Un|jF2dEZ<tHI)y`g%^4Xe<ByI>B*eWgE#pse{UWu zPp<N>=E0wPh*zHv?{ynKaz5O%J^4f8zmEL1`S2fi;8*9fiAdM$zJRroyS9_(@?HyA z<)VK!R6?^<=7t~r@B%o4ck`bYVEyAfeIYLVJ$~;(xSbC0Npo0L{T=rP$)8k>(eZ0@ zPq~7(X?A*}>?Rp#SJz+>tLvHIt1P)8#V_8E73T8y7O{@5X&Le$T+ZdY<=TAdA{=fg z-#8ck<zBqrJl4q7v%cIFe|{*FrFb*5(FU-26S(<zEW{;t<yRN7nyxOXa#m%!zA5~o 
zn-)PGow)aYxW1e4X7{t6aG>Yi&jz#lz6JbXj&he`EVsHPO9^H*%|yqnEK(~lTB-+k zS1lf0!bU>tS7)(m@OzTktP)}Z_b!I6{^lzd<Hl6w7Z$S-O0`}}#LF)(X7%~SR;*kw zqiI&7CK>6ZIxg-cRyxY3Err&X@n@E@*6uljl}HNCu!r1@r!T`9PUkI_vF->{<S)bR zt;gS5hO6nq|6B&GoZ~gatN{J<c7)kr(IRmkYhU|0;kHvzZLY3R)xcrjWN*5Av+Ibf zhcX1<H!0}Rd0e`J;~tPB<D-<HD^R`ycr$;qP<fw5rQ(NUN|>-2`Dhc@g*D^v*CM{6 z6;sCWE7xfiPKK~1IMb{ltaB(bGk>XH8Y4*=l2kTt5Z^jRsmz-%SB}HKzJx!}4=S!z zUT(t=4rFQSpnTLz_e;uV@T*;w8vN^5lzu#ag))rh-(P%bg|Zq>!rbDS4=LFo78P$_ zsSKrZUg!LU#XrtcIuk6rz*sgol#Q43=H$;W&Yq*pA#T($qp0gJcOPWExc?U#@K#ZE z)fN0Z_%mPh0K1Fte*k|#Id&}`c$;N~@AD4v_VVU<n|T{}t9#3OeV+dSa{G<vlIJ7O zG0z*G7d_j6M6?DS!xnpH0qpi3PajVwPYcgoo|?cU3VNvfPxtrktL~4HyLr&P4?V;- zyB~2c2lVY+_at=m>kr`a*6s{<9d~87hTP6uuAf}jT^G<)?2zjf*RC+|in!|`SH!iz zHPtoRHOSS&)y~xvsJK;KrClE7Hu{WxrF@PKvqzNIl|9Ncz&u~AM3r1X<c?K_D!r8s zfXQvBq@wefA0EBm<!|N7h?gCg-;`gHx64n+Yk`iwM4l~AkcZ2C<<4?Txv^YJt|+TA zV}G&iAJ{c^9wqT_v;Ax*+XD3I73={vpG{$-*g)2uwPj6MJ(j{sF*m^3f1zK}&j5UM z7|+ZgQIX^dBNdT7mq_at35aZmNuFWFCV83}B{C2=#a=eKCz(+f1MUfC)Wv{2&UTvu z$CyzJ1MX3_%j6zmMllSyhuKb}A_w$dX4KPwT*Zvy9FQxRQHBFD%3d*-$Yrl4^6ilw z$&6wd0$+h_<jsQwpphY3mRw<vnB*Duv`L<3Pnu--6f;U>kN|j+Z8q5_*d~)a&Wsu? 
z2pnUNncSnysMiAb2r~*tKptjBWeLbbY@I2)ml*|J;BI6_y$Q$-Y&`_<+YWjad&(4E z!M2!Wls#jTxy-2lA#hd5MtVQe<1VwPA%ILdmS>V@m{9-&fz!+=Ljie;8Koy6PcoyN z1muY@GpbBLA7^l#qCg1bF@_HjgFMQRIB1YZSfNQCW(6j>m#r|#Rm>=W!3rzbN|PI9 zYfUnj6`3Ss`GO2n<evS;zA)IO$wfBDBtK`fP4Y7~(<IL@qjm(-PBWv<1mr2U#1uHm zj4}~$PcWm51mtnH&=fevjFKL3kFxN5lYNBEGs(kju1OwZvrKX?GfGu3Zxu6&T|lm2 zM%4<)C^L#(K<2WDF|8E&lo|CWBJ+zGg(f1miy4I`A_MLWn`R21W>ZY^6q{_4C)q@k zJi#WI<Z(96B#*JNCV7<IXOc&lQSE|59A-wf3&=yvsA~bamyJ&<vlK3AsyS~3n`Dwv zHr*t1*$jh(!(L9_XL!No<bwbolHAr5@X212l-a*YlH6v$n&jW?M}tHL+V|{&$v)4F zf)?b5eaw2A+;gmlNuFUwfei#sGoz*n<SAwp)qp(72AZ-bSaL@|vKccfX&`Wn^)&^K zvOdZEN5@Nix5+-tk}sGJ1sP>Gn74`zH3e2Mqn-!cD7(kx<}#y5h-l<2>uhi}XuFF^ z4rkp>GJ|zZlBft`-3%I@emQwN;I5XF&qRo3%gJW~?khRNlr1aQG)c;CB}wuT%QDFi zSyPkzfMuHG8P>rhPcu~ZVE>^=z&gd+ne3CSjY*zhtxfVcYiW|lSPPRp%9@+x5teO| zhgma|Jj9xq<X+awBv-K<lMJt5$)_d+Wp*^#xvY~xBEg8In&f+|nn|8vjZN}2Yh;qA zSVNOM3DYmJZy|?@rJ3Y$R@Wqtu{t2d{)?<AR@-DBVYN*1FiWZ!nNO^S$vwoXo8(?r z&m>o|yG(KgYhaR5mTr={EP3mY&BUr0TqG=oStXM`#VVTQNmkw@Pq1<(d7PCo$z!av zNgidTO!5fRP4Y0)O!8e8GRZ?MXp--+fFQB|BBP0wHQB3JWs_XNDwt%HrI=(ct7?)N zOf^XODdnVIkyXU}NiI3alG^}Ur!t?xg=>fXlO)MoEbKAqH<{ZY;jowcBuVlHbD87; zrWhn5A#!qO^ODyYO>)U=jF{xBOft#6Og70qj2R@Ni1Nw=8AfEIot)gl5#*4Q?=$?s za`Fj-Lr_kt*h5~S$#)H3a`eCCYGe;hZgOa&N^hIo`80W<Xqrm@Hn?bhO8+#;{q*<b z3y<EZ^rp$)L;o_#RQiWOqE9LP*(8V4-%K)<{*ok7zn9!z(fgGC&)}k8DgD7DU!vce z<cst>gA6M;@=qpv4^3{%h^xvE8C-+_<wYjhP)_c@@PW(8*A5<1Ir-elSnS)RER^z% zN$#d!o8$}hhDpw+UnTcn^fjel8f>&FrC%gT)PY_%NHhwipBW_DlhUgu`7pg^kP_KR zFPY>DdL>C>h06&Ni965Hizc~)er}NehROe!u^Jpy+vq1rHhGqwH_4Usf=RBRpBf}u zi_&u@`7}Lik}K%P2Kf(pihgL4Ptp%eawYx9Aki_DzL%`X{F`i{XH51=`o2LT!Y7YT zl4LVIWs;ldNt0YhPa7mUgwo?C`8YjhlI!RRgG6gkdekHzrAG|%Pa3W-_cLiARV7KX zksdb54fI`;<n)k1B0?tjN|IzfecL1%ea9f-d1b~!j6(Qz^k9-p9-(iUWD$K6B=%p_ z$FHTY8*H=$rEi$zbb7!be<f?^YbN<Hebppa(^m`<?LBF+Nv@>(O!6W6vPnKjUrLhF zI=bH=(VX)xy4R$a)7>UHo$fKop7ce7{GPt9bmR;Fp{WhUS9vLEzN8LCbD%%{Kl{sg zPkENPH{w&UvhsoaE56Al&?t}?21xVqrPW=I+!HOs55BB?iqw~AX`b7kU8m7feAEEe 
zRgR2|>U{qz$|aT?)r^ngHwK80;$SpXyx~<PL}*myJ6=;hWnH5|UV9+xMxy~ku&JK> zC}+!}{%x_>70CMd@&n2jH0mv$@rKe13{UZaH<eDvzZn{J^X~^T<n*wpt2iT~Fnowd z6=SK-2BA&Qn5Zmf*X1+wl>;=&iW^0hr%63=y_(cr3RMoi8|)Ss;h*3u@OJhb_k>;Z zl=<ue{ekR~4olsOw#unkv6ivonZCG+$hc@t-tn;VC5_f7Zg50tixW!aQ;#ZN%lQ?e z)r;F4R~`kc8ozKtxlN;0i$6K3xB(v%P2tV@i7Txl7Rv?RV6<{TWTG^YBBX5IFuvvq zr54}(hEj&tJ)_*B(Mr7Ld&<Q?WNx&g9|?f)WR&L@3m|i5k8+$wEAWkbm9KDe<&Bfm z`U@2gh?XmkzNic$O0=wBn#kWSR7&&j3Y2nUmY<h;S$VFDkDZrN=z9{o<;nEF;Lq^g zi!b_@<Tpa+-Gf6t*sf5jXMgZh`d)B%aA~lO>nnLBvS!Z!XJ$sAjeCuUxZZLf@iIIH z4P<tnw0P-lZx#_$ZBVI%e|QdwRJ0|}`%tOpqAgs{N;RRzYJB=;Weug?qMuKf;pvx< zCH3srN(h;G3VyWH`S!EQZ<I2=>70`3rwt-)yi4J^iRAKrkKpcU4=SaK&YoQCqLTZF zRB=sCS-$6e<owZY{QP-kI;Hh_i;t8R3a#1HGmQ7WsHAfLMJ42-sa__v!l`ESg=dw< zl=kM|Y*O+lifRKNDm`7a8oV>ZaNdK6FEYRvscS!GJ$`VrqVO-CQ0BYHttDQR29Mf= zcjn<ol%|x{;r9sqX6i}z09r#F6UkqGO1?KP@uH&f-3JtxYv9b8)2Qzbb4I?&l=-fU z@RpF<S)Sp%+9jm||L7H^tT937RW2!QDFxEYB_*Ar%y-o#C5=+G_|;2rI8k&b8}^}6 z7uFts{zK(KN^bHC?<;ldli!So`@Ez+A6$eCG0pqDXSMqo*H%{>rH1?_a;Ut3Uuq?t zhgx>y1!*eKa7y#;O#mvBzKeBY_eGoVlV2)duyN5$j$EfqzGD}AQH~6ZX7IgVDIY7* zbidSxr!K;ywfSr15FHccTc@Ig`hSz#^3_wRCg+up-c@}6w@P_}^&1)MpL>DbE$2zm zhQ;f?Q_x!=+JJBTUims0t?!qnil=*K*}OLV%6X+Rf8z(`DvhQUZ~0LfjkkPQv>va! 
zn_ZCe-O;+m>2E8`F}qIj>+dL;AZi!?bV%t-*8i-?HA2z=N!_Hj4CVy-`R98tdrG;g zDNiZG;8)s99wzmq0l4Nya-?6hBM<$ld_c!XIoXa}-?GoK0dh1Ynp1rJPbGy0J4M^0 zqgnSPUdY1dSbC*9cp-TsqU{3GC~?ktND0j5Yc?op#TEWm>Jhx=ZTVl%!6n*;ci72t z<@}k^*2SIvQGUUhwkpp4S2<4P{8G`D#a~`g0HYdh!MFT|mvjAxcvzmiro6<aMVs@t zcCzo~$oyzFANqyzJ5<=rP~qFp3l)xxW)=6lu8bsAMT<ngd#e;W87ixub#Dzm7FdA2 zJJpxriFk&*qytNu&o1wJnbJPIZUq-$rn(eASi$uI9-hB=t4gjPDJuCJRCb-FK;*bp z*%hVa*Ww4NxM~tgTNOW(;)1V}w&s_ry4q3NkXNfFmdYwBKHa1lO<*sSlU7LRHkKOf z960X3>0jfU<ay4MBQU6xo$&aLMsLeqY%IM+_ed*%L-QE4KRAS+fgyN)jCOJPb$P!p z@g}AJ0=%Nv>!bhwXLEtvvgH?ez3Xg6f3<qiVO)QjJqKs{fv4FdGMLwX2I?KeXFh|` zK>mps4d6AN#i&1j@L7!d@pI3z$w;<uw~bwr^TtH`6yNf@#)zA9H?O{3{6dY5_7>@y zU$6<$UVO@SHbKsB8SPozMRmP~+|Sz49>sxQl-h)ik9OxDZO6tM=@sq9-~UxPg$=hW zZ?%KLA2Kw`H~*$wVBMpgdGQX`UCs|hI~6ba9lm0>cn9AgQ6zf~4X+6-OMpmp4rB(Z z1p-jim;R5EAoc%0M*TkDR^Liru5Uc>R@(T|d}VzEP3tar4}14|pYSgC&i9V-_V%{$ z*7oY2+wcva^StfZ<=Kdqm$N-1Jl)ZGEfpmUH&Mj!f%}ax;OW=7Bkt*FwALAp-xT!u z``vZbb=vi+>lq7*L}OPK_;-I-t|{*+2bArA@rfwYflS{Sai$c-3s3G<`Lz71{46}U zVR@Q-kK7gY4>e?s-DcmhPuO8}!rROqf@UVdQJaI#cxVnt|Dxd=^h0`(zCh7%h0dWP zX%E^ASa~YBMZP2-lDEiC!U-C0YAZwp(UNo4D??x52q5;NQ}q@9N7q{iMsfV_<GZu7 zb1sV$+%*s(!6mo_cXtcHJ-`t{Lhmkz!?YBN)C(<CX{l3pq3yd)U7&@!mwunU*-38q z^ZVtWdG6V<mCU|&<~7d?3y7)fheOGe;h4F8m{N2gipu3fxg~L+S=O<BIFLMH#2o8~ z1C*mi%&~qrKsjW@D%TH_JAns~$Bmd{`LI8E)QCBj4<r4_V@Axee%Q~<=vY7OM;<X^ zj`hQySoDn9eWf6v_;4uJ8?wQbC+x2pieWchDpMsKgUb}8g)6os`^kObSkELU9U}bX z-cYQEy<qQf44zXdn#6u`HWce-%j83QaGgqN&xiK9*oyhg=HNUPNvX<bwg=~_)PiUa z`{!(#9ty|cK9xdw$%Eloj)NK%j=_P-mg`J7mTjXv<hDpS1}CbNY##DJD3%GT^7^^M z;TYVgQZl*8{h?TUTP7Dyx}BZDNn^)cN->vt(rs;2#ATjz8+$>t*V>lLMGC?(I8@o{ zy2psMv_I@U$lc*s3;V;~BW%Q)JF}fOV$B3su_d}YIc3Bgj#b^sT}I5YRjwPt2*e!T zRo#?*M$EBQt{b`2h&f!Wx{;GctbwgF5y;4$Fk%irtFF)^k2$u=b%h>z%yhP@yfJFm zUPi2rtv<CYMCxM>hpVpSj&Q8Dy=a%J;TW8*Fd<aA0j>+~n7L6dmBPI+{jO4}hDNNq zz0oe@_HfMfy-LZ}84Z}OSE*DLBUZ&;GSZpcX2c9T*_qsG#2h|YoyaXlEM(8uiQF8H z1?_Eg9B9NGTjV;Dn~a#>UNo27XvBODXNz2N+=w|`vU15WBj#}yK5E3=PVR^ib2+&i 
zj2LrrhmDwC!3k%JT!InQ;h~jFt~X*153O8+=YmuePL8y><T@kf@Y2d5*BUX!o-c=R zBkFL~${~>hMs%|?<9;LRaM;Qr`;6#DXTH5gw8Cpk_*dnSJw|kcGv96_>hRpkA-jy| zI^;`r_RS$Xjp$lu;T=ZQ;l!0g5=PYF#FazJjp!<8*|-s1>EvQYbVVhXbT-T(Q6sv% zk~AG<a>zACbeWUeZbX+lxiTZV#L1N!(LyJ;&4?~`awQQXTHqwN8qq~guGok!baGpa z=mIB)`sO>i%|>*dliOrO=bBuKvsVt;Xhi2YGZq=q*-mbQ5uN4a)*I28cCG_iXGCW> zxwS@gdJ1Q5iS0nv7}04dWRhELM5j8rRYr7*lUr#-Cp)<nM%3XT)`2WHq7$9@mW3lx zxQV5_Ru&@wLlj<OsT5fnj>1VSg(@IR!cn-0*{H&B6dqzJ)FQJkIEbZEWN|n;Duu%N zFH|puqp<E$vMt2>E(+_;MlA|QVcexqb;-DJ6t<m>S{RPPwo9SvkOAQ+EIS)DJ{*N% z2dcvUsYB+4qcH4Jvnl7pQP_2<6j>0C!mLZ7(#-l{)!8W21)I)B%@0Rm(xp(f&4Lk_ zbT$qpVbR&Bx#6g3&{ewB)iO((7F`NuUTa~}N%O51nPWs@(WRQh*<_j#g-KVzna^Lg za^8r-s;eMPj?6ZqFzZseEHc1|!mzV*GmR)rJ3BYSh{CqBab_E^?Q9&GWkjMd?^4N3 zvk};Lb`Fiez_W8`1Qwo+GaG@4XXD6pBMK8QmCG=%0&F~R755)<$y1Fe%sg90_(w)z z=h-;35m<UQj!ZG4u=P?n<q(-{L}BdNxk*M8#$F{CS&EDkjVSEBN^+@M*Srca`0U(x zBkHjD@GoFQO^dJcNkG{NM$}>Q;h(^WS|*>=gsDSNU&LYZ)iEn{n0$52Gj^DKb;wvF z>M;4*!htjDF!|b&5k}N*@~Lgf7$a&~d=>U*TLteRhsoELj5eaC$(M3=ZOld-HeVaF z5r@s!hKw?zrp=dH)@%btUkVpd+mMk))U^6iGPX7wG0nbI&TPbC_q8U&%y0R+%2!Hg zQt)W7V_=lOKY~8*^*-nw?)eH^uB*9UbkB7C;Yzp~!*8k)A}}u2RXS2TOs*gb^BzV0 z3ez69(BhWcR`VaLBgk~&f3!Y-?Yy=Mii&wPK}>y1+Y2YcAK%hW!C~^)+X$Vo{D21s z-us0%=R4j(&SmD&y1c>vv_0xle$W53MF^%*?_JDx6!Q7+YKwRYHYD(`-qps#iL%Fg z+CJW?F0IPHd=H!K7xEtOBmV+^`}>$Ana`_yfMgyo`T(Wp@@LFnb9lQCk<32u5gg-A ze5j34X8|t6Obh~dzlYdQeLqI#>B+-y4MaSKCvMiN)2;4p)6V?yG5i2&@yu;gdCxCM zCjT`Z`{V!ai=y3DVZVL7<Jh%7C0TItacwLDt=@fHdq|&zSS0Cte_U6CpEe^<9J*0k zj^F@k%Ja0Gg#HTs96AxYF?2mN9O9vpP*G@Qs31@fm>rlL7>&KLeF9wr*`Z6J&qE)C z&SUcHsnElrdwn1K-ev)&g=U8)huVaigz6yv=ii7Maw+(E@Ppt>hyr?V@B~!yuSe|k zc(5c`gm|C@!P&vd!O@5c+9x=uE24Y12{ysD+^P`F*WjV|b7*vENT^S!YbcxENpB4K zLR#>A@L>q)uSCeu&jTL>&Iew?*4>8#_XbV`ZVX%xN&R@BgkL?a)sDP`E&31p@5RpD z5`U3@B?2dZjnK(Y`5uD)#Px_Q8mHH>nwS`x?VpTj3`4M)zbi!V-(fGab8y7Fi{0dJ z<8R`xgOCV5Z1exq_k;eI{-gd4;>Nt=?<cnfn{D>o?)s>RanujGe#Zd_#P_yw7`A zc<1|aeQhGXhQ8`PFC;F0@qUZgq~{T-cZqwpdjj_3<|AlmN7fb(D}~qPpY$^QoW6_6 
zopVqJD5q{r==`L84TXR=v}d)4wQbr?OzJGrW@{6)e66?EQERI;(rRcvO(DM`?8;&9 zqu6A8s~L5Hd_vwPFOtW#(^}+a?-Wd5_4ju5W_X)<)4U=0(EN#DsGob@^=$F9#71M6 z=M~R6&l%52&oR#dPaM-)i#*e@4SA5KhbP<pAp|JjaQ}#{$j`bThAzj=2$Q<gz0Fg_ zb;fnlbqt|V<E|~P)!2SK-8IHF2y<E&-Cf-6-A%DcIq25r;$QMJ*UPSRuJ2v{bM<s} zaJ6<da8+}8T?(5GIgjhu4pzdJu$s)zRQ)&oZ3It!T)$7hUB5x!3$27r`U-u%K1Cm? zU(!F(`|DlxW_pI6Mvoz4JJ$}9i#U0u4gR%TV0*oK{N5)$H>j2*`fk;$X6k7kis{ou z%2suL64ixE{JbPeQ+B9x#Twi$)uW14XJr>ck+zkrOKl?|Q(H@@tHSRCd8yh`vYIMf z6_j1d>uPgv&~y?(4x%<=vz15C!v`a7s;bx&t=^Obn}~X25^N;u@gyiB>aiqPYp6$) zee@#m<(ee&C|lIkNmPJySs+^739)a#gg>f234c(%5?)b-uY|Hwsd8C$OZt1&#V#s& z=vH_B_*<&pZ#4w0m1O;^G06UxM5_>=?W%>oQ2w>h=gL18`b_ydiB>Ab%3tnn>SSF0 z@oJysDMaci?<EgLlpTt-{JleYUa^+HcPP&(){^!P<ypmA^WK5gzPG%a)X!1T1#uq@ zrA*<<t)k!C0B_;L&T1ngB}ziML9hwsfO1&E{mLN;_bJy)xK}wS;U48W33n^kO1Mkm z67EzENVr4UFBF&)OO$<r+^Uo-d#&~Ltx8<kBk7p3Tf(TaOTufEof2+Wc1T#JBqS_V z$|c;U#3d|IFg;*CKwEKXvCABf@Em1}f-PEjf@UvKwu@(JmaZU5FepR-KxjP^)Kj)4 z!PGTMNfNBttZWrvlTs|eMrDf&nbkE#5s_}#EYkIxM7nOHNY@r6)5%LVB-16U*Nb%3 zI#F=R%C&-6u|}lJSBrGnDv>T-nM^0vTaipB6fRGu;}<MTrVAD?6=}f|kuE9}>B7ay zblm&`k<MEr(zy#oIw!I~fZ6j!I%}RtXU-Mrj5#8mK3k;IW{Gs_Op#8RA=1gyMLKDk zNGDDe>4YgF9X~mlYGWsfbj(DNMn+E%VAOb#jvOb_5o1L<e2hqkjZUVSHAaavZ)7sf z%O4@qp~FQwWSB??=ZkdEP>~KCBGLhaMcRK*GL7W*8z_jr14P=Vzes!c6KRdU$uy%z zpJZCCS8tK_%oAykULx(@Q>5K`h_q{Wk#^}O(#~B)+Nq03J9akHh*~YTlOS?BinK$n zNV9W9n$<z1nb{)E$P#J$Op&(B5NUdQk+y9o(l+TLt<g4_R&Cuzq^(*f(-t*aA&sbN zm6k1&M3ojTl4+yn&6BCoteHrgHWg`;CL(RzSfq^_CDZy18;Z1EgJc?RP+z3=>m}1r zy}BZ;Stps+teYm%I<;Mt_j_Ec3(cZgk88)Ms?mSVodtbc#Dm4bHLz!91jhyk2YUr` zpfA!OSS{!YT=jJHv<>_m_$KgC;7z{b39X~+h<_h6CpPobPiQ@}8~CdEJV`S_gi(6Y z`-Jy??+Ncw?|yI08-bwEJMNd<Pq-g&pKu>_?{~-C5gvR}%f?QH30Q^d?P=tx;qkdI zdKCAs?p5xE?rcOdAMGCK?hd_>dhRN2m+N2GPYA?z-t|00weE4Hxk4_={$!Wg=W^Ep zq66IuHIdz}GFK5cKF!4vVn0_GS9{k8Xs5r+63I;oTiIH+n9W4U^C7Gk%jv>evj)rq zQIVfv6@8??sXtfo@?NM<W7YIW@jBnEuhM(afAxU~wB*7%R!e=fUIj~|R|qztVi{W9 zSWkU9IpV1s@%ntpg6d}VMajOY3P&V$BeFj)*<$rMs{&{wOLB`Uyo``_lPbK7)CKAW 
zRd^Wzu2;{AQfsjZ^GN~M)KG;xkvd;prwVr>z_qIBPK5RS`3O!YT!;WytB<%T@ep;D z`miXze2pqxiPU)@g)0%@N-IzZ;0go^N!Bz^U2eq*QRk|WWmcdN;H6fe5Wpp>a4S+5 z;c^I1A$5*gXax!ZTx<mj0W7crg#a$H0)+rBv;u{wGjYNvMawhM^%D}#OU4O_;M8WK z!P_N0N4-s)(M)2+3BmE%>Mip4EGtfk+85$#M+Dnfovw<PG1zJ9VNpTf8mf2~s}t0z zs(2TxebgzccozdsR<DbQ8v3Y{RPizfJy8`eW55Zjco_qZSH;U%9k)OgFJpDEI!?vQ z*t|W1)v>C07Xyw_cZ)8JC{)F(SjF<RDqh8aqg3%K28@hU#k&}Igeu;}fWuYsE(RQ? zigz(!z8V#+4N`}y*9h2K9incRaIjh?;UKkC!hz~G(VgBk)DnRP)Kj-64@cBIb%0td z*t~J-7E!2|+F!LU4FsLk%@(WNuWk~sC$6-JV4?QRQ;Q_oN8KP{Z*{$ddFna|d#P&$ z>;Z#vl`v$~Zon&(v~o%9p{|gyySiM$Zt5}tFJk3qsf1nBCCQ#E7i*}6g8WwPtS*+Y zlUg8QM|Dy1Uq<;>U6|w$PAFTQW1S>?NYvSa&IFt#Ae8OYnG$BI!fR1YS2NV<Nme<8 zN~THJPMs?9w!-O*7qB+W{Q=_QvU+NUAT?Ok?JO8kiq-Z4D}YUt5MG@`ZEQjO12z%x zDl#+@@L#}&0{#M6MZli{4FP|Gebqoh1zsXabM7b9Tu;KQYF*2a{7Ly&tt03km4DPU z3IA4W3-|-VxYv^KPqn6mf2cJi{9Uas;csd+34c|q3U~$XkYNdbRzm__RwBh}P~5`H zx*8DdH;4eFOL$4uB)q5+3BOfUQR*A2QbB&Le4{c!ezHLMU7!mKl;6bRkFnkGR|zjD zzlh@>Me>xN1^YfM`kw^*zk14#f_y`HQ~6xL7nRqQPsQ=4$0=V5@|<#B`9i=alsA;m z1bke1P5DH^SCtDAzM_0A;mgWLNf=QcS6)&+l=O?r2NJ%Zyf5Hc<x}NP2_IAb5bz=8 zW90`4KT@tp_@Q!H!Vi@1C467`PQv$;OA@}TTolj0@{saB<y%R=qkJRagUZ{=*Al*^ zd?nxm%EO9y*D3caPb=pId%yCO@}`96ls6=NQh8m%CzRJDd|Y`|z{vf|W6CR%epC_f zTU7jr@`7YfC@)L6MR{J_g8OylB|+Y+oK>EZ@FC@#gbyl~|L(nrdijK8A5b2b5G`BJ z|Gmn6%A<llq1>Z9EaBbCSqV=o;+?9TP);ciO7<@0jD&Y84@h`YxnICLln0dO1U#nP zs|c$=ISMGO0_6rJazc4T<T$L{q1-3o?aI9p-lp6m;jPNu65gVmmhfifl!P}acS(4o za;JpHm6H-4Q%*>DRJj8X?_cFG_NCu0=^K>W1U!U+Zi;}{Bc@q@3G1l+1U!g<TazVh zqfU~rwK`GUqigG_69mbXL&{AOUa#CJ;Xx&GOycX5qY_@L91%6}Lgl!HYAQF2!v~<k zHBP|&YD;yjge}xD5;j*yOV~^uCEz}U;~FVp6Lo|IBM8DZT+)ryVG=e}^CfJc4wbOJ zIz+;H>R<_pI?#d`s|N|V7a|gUC9JLXk+7E9+k$vW<XO+(9>^8+67(MI3GFFib+w0t z)zt11R#m%6SViqBp`mt>Fsyc#Fr;>pFsOEvFrem2IE1JjER4?Q2)JAItJ&s+cXef$ z5*i#l6!<QX;os~#3qir5o*nLI++kM+iy#`zKQvq0gs3=wr~{N?yYuS0i&vL={YtB1 zo_8H0^ECV#;dXm{4p-_@4`2S7R*!f3Lfb=1-QvfUpjMx6n5`FjM&zewWfzYqb@3k- z>1m?e^<QfDkx~ZNK<z$Os$;HrIWG=E`SZCDLg!xCtS)h*R7P>1Qp)d!jspMoYwaW} 
z)sS(#$asjEJKDd|R*_O-wpf=h{Z`xSDpk!M))RT^yR>}1<f55J+55wW+Who4=<_u$ ztucQgNSAptbBp_Ji&QrLtP70~>!26%U6(ZK$tmu#Z8MHe7PW2uPCKS<;tjvo&gvUM z_Y?H*-)jfdBEI9Y_LRDT@0yQU{bVysuV}m7#htdTN7jiPk7q4jN7vf$&>NWTUnge! zkG_F*fwks>KwUoKO>MWjhA+#(HA?@Fw%{kHm>oH<(GKSAs-dh=Lc@c{0)GUu{Y!i& zy+0z>c-;MoyPazzdj`^rvoN)*Ym>3T{=C{oS%c}f-n2Ngv>`v%17XBxX!M|3%8$8F zJHiX6@%EIiWTo}ZlgBK5b^a)&ce2uY_&qcE8*zqjCZ%=xWpn-F;NP?^Klzzf$X{iY zky6CL_R`w?3ZtBrrlCv@zq>kOfcyVJzDHdY7reH4hPC-nH{DN4Yw=S>Q0V>FO*tv8 z$uXByo1gN~L!`8ZSyNrU&`bA`((2}q)1<T-zuN~H)6%MDZ^Wfr=cmU>X%+rS07YN@ z4N;ng2Fzv*^M2Ij9|!1RQX1x)g7gVe8sa@e^htMdUTF|DEEM<Yv)^ep_u<L%<H_n= z+^jT!W0~Su?x$Lul=^w`OSn|Y2m6yxwVkBYXFgeXCM9~isY?_@5nn<&sF%qX<OtaS zMUF1;fBi{&6?&D|XmhnbS|fZM4{$egYpx6U5IzX$%yF)4R~2l)e~q1F5d^kvs{f(C zgbC;s@Vcx;FJVG{Yv|?B{?H^uK>r@=7e&F0z$*bBm>0<LFY^T;`P<5^#&I*v=+m|M z)Hi5H{ctjfR8oWX&NpaH^^gc${rc;Wz&#>xm#I2}Sl_@u7_K+fFH~sQ?k#+|t$Iu- z^}agURM9=kKOLsm@@C68<lU3M`Ki8`wqC>^8>TnLIuEim;tvehYw!JUz7P7)ONYae zz2|V<2LTHc@4Y(H$D8B0Kf7I)tZ9hIcEZdyTx2^{=!1mB^1*sf^%Z{iU~FPI&zB6< z8~ZxRLZm<t9VMY0;xmWnZJ-WqX5^=a=w7H^B=LtspzzvI<gaK|)p@U>db%1l`L+;% zzJ92w^Xuo24b>aKsrcjMPlK!Zrs8j7^LGt?@C3ykzZ&Al<b1gJYi=_~4Zb;F_Ygc^ z(R^HpKg|n)O)>d;0HMNO&DWbivctT5dxy;QKorA-yzMaE19#;l9yUyG%m3}IA0q1S z{Q5rnNkVFz8Pr$rfKPzSXCnRdnQDOK75DM1#BjVdq!51B8a<mg9H5sH^(TJo0BmSL zsPcD{>EGNl(A<=e&3g{iXA;8r@qzkasHS{BQ19q%(AnK+fT`z9__28e#j^SIL3$_r z(_K4A&xX+O%Y*bT-d?%xMtLGvcrZeaVcoC$V7)_sbAV}}Oj1H4F~D37Yzw6MU-vKY z*Y`c(8;jMYJ3J42MtGR}de=_O)`a!B^l!SGw$K)m|Hyvz6HHm8Bhc8S-Feltxure% zh+CntJ-#X(MM`_{kz;8!{&-b7mXvnqHLB76q_mqLwQH~w=!c24ra4S?O^(k$Aa)M_ z@B(ej!w=FWu0H7<GUk_d;hU?|1*Ehy|E4-!$Vxlm|8_Ee@(})2m(`#*kkXDkT+_^u zyMG4S+EJ5^A*DG<{6|f*-41+sEqXgC%|7#2Em}n-rCB_fMi-LO%rooLs0Ty_-&V&Y z+Vd-Q=s;51PV_LpE*(co)A{u)p@05FLpZR1SeM>UO55_i^~`K-_>WIwW5o~k=ulGH zTKpJUpAO}}CeV?4M$?}BXlKNiD{aYL4a@@Yg>OLTk<#Y;p$2q-HovqPx{01QHG8}N zW3#i6K`+AlZkS51C8dpd-e?Ti@BK*|@uM{eUI)Y+ej9OPAI=^j<QwtR575GDqw>-_ zd;K57;p=r3V#3e+ANAkEPd3z#o593e^I?tj&XGS6|NV2<yRKKTVD|sHzUJzIv8pA! 
z$E&zp>>u_c`-*)4q2FiNS$2xuWG$zyV})!M8_$NaJeJGau!gKU^XmWUzv$oUAM5A! z=P@UDkAACuNZ+lO=|%c7eXc%9AFlWHWAjcsy@_5+4}^j|ZHtx>F%?n*Ut*2*b)C@P z>G#$e<x_A$KSgh*2k9<aN;lA@bPk<JhtWQ?6HSLZdQBRjMEe~I>z``xXfI)Z*F%B3 zur_;bU`L=Nur9C!%g7T0!vp;ST>|a3C!jKNQai43IIeHi)>*5Z!>|jcyBXWPX`mV6 zp&J3_|J(ng|LbJ@cZ&TCKaelU`;Z;Em)u4UV_|JCxrQ88%>5Y2KXwX3a$jqLadeix zI%!-XfbffYp@ir3rAhl%9o1VGQyJ>0Y<;=KW$DXA#*yR&eUXIE>v$8Ib56s_Gx~H1 z&*?Koso}l#85YXcXM2*dN!8(5`Ye%i7<pP3rn)+e6zG#h)?vN%DHh7sr&%aVpDN1a zlc#iHXCvnEIbDPbRr7o6<3!H<Y+acAYJQe3On$^vKBt?ew>iNFKX+YxKL9?Wi|+@- ztA0bbCb8h)t_y2fg>SRoQZ(CxoYtF*7J7vB7J`KTvffO>yY!|4!V6g!QzP&*KB+g9 z><K;6z{1LYy@`bT^u_|hV^~kKpt?n`BVmDF&w|Q9y}sx}*Is&ELBb7KuP(?g4fPrp zs;bwvP!+wFg~ED7OqL)*`fYj@Q5<f+x*;-juBunFP!+wZI1CS9JuKnPdPu+=vYq}Q zVHv$5VJQ{g`}n`!M!%PA2^HV_YEFb~rQ(AhIg05;nPUt6R>BDVM#9ZheD5RgCMv%7 z0XNbwWria9g@haE=Mt``p9u(GNcyRSYw0J}1Rp#f=><uzreYQZ{*bHaN0MDhKa_9< z{XoLy^nD4J(f0&|%Nl)D!fEtz3o7R+zUR&Vi!3sWicfUF$V~dMq-W5x5)Pn`SP<pJ zr@fj<W>WDH4>*I~FEV73=~R4-gB?J{2fvz$V&ZEZ4rSA*_(V5-%c%H72b@C9k8$() z&rmPX)1tNvloOxprh61UB3L*;(ZdpspyERqpVwbg@p-JmYl_|=GQi=99+Yq-y;i~z z^m+@T*dYrl@Pxij;MQaWJs{yQx?jSfbhiajj$07T?G+G$+jOIZJ?KgayVK<sRJYOf z60WBkBwR<6173vSdwnupD`<#Q(*g-|>3j>SBdIl}K|q?$5&sb_>eG4RI5eZFHGDz$ znNG7<wHuu-AY`5CWDA0wA|SMl>5z!TO{q2RKx>(bNdZg=JVQrV8PpwAOdx>Gq=O{e zhz_uzvY(3S0ToKWRD4$h)}`WOT7?)f6<_gy&(Q9oSOikRw6nm_H>P4HK!wII?JC&D zq$agSJjm_Rwib)pvLt+lW=Ob$itlyITa?pQ7K_T-3D}5KrS%1b#ys6&DG@;AmNt+y zqr`&hf7)*nUe$h;@E`3b37^&emGBwuZwYs3|5;Gkul*??G&D79n1KGLW(`pFA`t1Z z#v&+(YCp=%+cj(afn29%jXx0l)U2@z&W-d|k+&`xPj8oS9KB7#0o0tp!oL?B9O=yx zj-xk8IF=r_#viyv(pxMV|A03N2%&$vPr|;mSi&yUdOt%Koi31UJ33XuHgv3n&8hWb zgWNOiDA_tRN5V)N&6XJY{}OtrOF}o*B~-NEEvWvbS%W#mNHuHBg?^~^vCME;`%uE~ zwRa`Fr2S9Ai`qMY=J*5EP|X@gp{Y+di5yTL)jpE&TkX7r-)L`2__g-71(mq=mVl7& z)LxhHEA2H2ztmn85CH;ci3Qa!BHE)8f37_u;b)pP64!)m%!`tJMSEVtm$m04d`Wvo z!WXrtC450UC*kwjlM+6sJt5(<+T$j~_=8Bn+GCP_N_$wsyS1kz+@ZZ7VN82g!fo11 z60X-?77(Ey=pG3N((Mv9qCF+_QlEsBMidJ}C+Zgo|JHtx@H_1TSc{&d#VE$Tk=goU 
z3uWonU^#+3r(1*J2=c6MjgTV->vKiU5!w0z3uWo^McqTmle$!b!j?&Wgvc;7TOVVg zEPb?vGWC(7&=B$(v>=mf;zRQFt%Ae`Nqwk<1$w?XJ}^_a#zSm^)CY;<*f*&Uk?@c{ z*cyMZ`%xbtXzY&E2U-^eJC^i-sIB8bJt#6@%aZPw@VIVWOYBe5y^=kudn7!fyCu9q zcS(3yXBLc*L%Q|<g`Gw^l{pUTnuOQs)_92RM7k<i>>|>wPUesU)Ee$`$bNcNX4psn zm2fZpN5VbS8YOecZu*xs{$LvrwT4M-{-J-!%sZ&{|BkIb)EbGg!-xJVGsLO&%;b<5 z{aLb6YK_m>yhE)K6?){fuE+r0ahhg9HS#QND)BS4v4lHla|`0#(NI9hf77spernwg z$dA(+7K_(fH3@gnS{6hNRRu(p6S`BvYP1ocIsQO|n_3qhy4uvb#E{{p);)k8IJIsr zWWT9(M<FCmtp@>0-;|kOR_*jTO6ca$GImZs>+TU68#3V7dp5W|*u%9Ivl0)(CpQDZ za!$A&_xJYKMqI4+hh2SrGxa&XT<`DRm%VGey%8kq1J}R$AFMwFG#7jB@N9(pis8Nl z;g1Jh`i(|d=Qrliv6!g+GlzCp*Yl3KG+$lKOLJ)v{H@iFv^Sg9gD!=P>&#&^GuSZ` zYN;6=)JffGA-LCv(+p3C4w>nh*;$z6d9owzhCS)$dSW8u-;Oj7vDSLx8x<kY3OmuJ znCjZoi8im&JWQ+BArnTA&dBPN-Z3jzd7Z!5i8f*fg!=4{=8g*GJ8pEQ8O+m}&P6-E zYe-v9c4mk4jv1NC&wOKNRC<};fgG40`JgkMr+&_RccD?tcD>w%wq{pFm#<s{_w4kp z)UAHcbGsr~)P6p*EA5JDufttw8_4;-&=s+m2J_n8XiHbm1$uFxI_lo_*H3n5=b)*a ztZw{7H=66}m#-HG>Zp5;^m6BP$WHH&)hUx_bf>*tjR)w(DvC@w(#4&Xk(-{C(;<UD z+?{42Ak^jVsJaX9(Sr`etl0J*ApQJo589Gtr_<pmG-7-scWxHi$;_R}jh?hm-C1e0 zRULKg%DD{-=B{tJX6EX}t5)V@;2LFQ4du&v(wx0_51SN8Hy@47+BAhG5HDyn&84-q zf3yqQIXE0W>AK0a9sa@jt_)XI_8UY_A7Mw>RyLOn#N32IpVEJa-_TR=8rrF^)+g(E zddtw)p;trqhYrE(d{JmrsB@^Hdw0kcyb^pT_-ODZ_>Hf0R|`%G<^@~Q--6-59|Hpy z0?!8S4D5qH_^iNS?e;)spjJTfe}fsa2mMFg)BV@@m-#37d-+>xYxNMq4*rJC15f)- z`1bhL`(|j<-0OS;eC>SI`Rfg7^;VkalIw5Jd3S$zy63F63x3hpATHrJPj^pKxLEy6 z@1P&K-^XVE+u^1<iSRct-9a#ev!yAmIZ|s;%U!i<a{8{%_<lLro#iB{)-?4%R_Bb0 z1J&xftJhAJ$QwOw^tev#vf5Ql^^*Vbye61?e|8`I`4=~#K?pGyflwdg*P6*A{Qf4i zGeVJF!LJT)rZ$nA*`cC|U~PBR>atUr85xyFy!>iYS}X1E)RI{_IkF`Ajb}8&@hhpv zGc$ALam=|DHNz^y^UY{5kXc!;@&!KyK4-kW;hc&SQ-|A+WK~=!brSy<Me9^|WXP;& zGlyq3r?nC1YzUIBU)e8TXI#F@?w|R;2P@8<+{}+O$F)7U8`t*5=D4=^^Y=h>eZW~L zGv$Vy{l5n*Cbr2#Jfj8f$~`>aOqTLRNUA+yFVU%8cDr1DXs=o;WWvh6F62*|r55pz zk?<x>sKNhgO#LGY|8Mz<Ye7z@-k6-M%C3BzdLS#S;*OE`d3sCS(YI5N=VVo0mGgYM zdHj{s<Jp}myZHj&-ICUfJX+Iw&Q(0;xg9DVXWL_*TlxGeH>OsYn_aPbppLQClv(kJ 
zOtlrrtUTu)IKX?gg2?|)KCTr)7oOyZf|5D=!PEjd9V$<0l<h!v<wY8o+H_7<Mbi`Q zd_~ipc-_`mBXqYX0iM?yA@^K-erq~-X!FztI&`c&x1jAncEw##SK1F$^c6da{zVhD zZ5O3OX2pL;Pu{K#9X$87)Z*E>6%8uy*$-5ls`8HQKu$%4s^5N~;u;|4=SOYuAaMKf ziW?2R_fT6}3n5Hfwxt=hb5k!_c2-4?GWqhhv}Wzz_QMsm<nv=~sTpbY4KrE5)pR5? zcxF1SHRqPpma{rnK7zNUR+iPNqOF0p0+r9K60;wuxZ285ekWQ=J8V1Nv7#mAQGUTZ zUS>O<TX7sANsV?myCt>`<y73}@jR~`F44VwQae1Rr+9fgSO-h^qb50wztfHmf?d<F zJsmu!Cu%S%M(BzP)V8TDXI9=e60jZUP;m`N72ARA%4NHH{MGg}b52X!@yyDCGt3pH zM(~2cQfGRw9~_le2Lk?^eUD*Nliz!jx0~lJPt4QUebzn7RgK-wrei_j4*CQgs}*Ts z@+_IG{-Bn^JFuE^2PWQUVC7^6KRTK&RHyGfT2P%g7()$p8qXYqlb*^)#;{Xv*BF?2 zQ}|b7=pt-M!z$Dw4E~RdMTUu-jiUwr2^A7Wi1}zr6dh=cv3lVVvX-|RPaCP@`H=Cn z0CGfU#?x<LLLHrevSawg38-l_A3G7hMu}yjdneNI>c}&`Nw5YXN;GgXosSjI(`GV^ z*P4PPpKqCh{6qPR=C2`qL>TKs{io8=csP^zE)x&pm~9+{7zRmd#xyzxaRc6~re*Q3 zr_p<{z?kGuO~=;5xuyNgU-Pj5n<QTjo2zYocteBEC#AhjQLisaX&zrz#awRc#ow($ z7tAs5K|6i45_&RJjD2q{v3c(4;4W;As}guQP#RbmXzIV@-{oKI@8bK{_lfVgZ=G+1 zud(+NFZT}jdOW8+S?-tJ+&$i1%XQK9AhhONvH!6HY#bc4KZIEPjR^HP+H}08wW@55 zFr`kQW*|2wGd(9eqeqW1z590Bx|!brHF)??eA$mSuDQ|7QX8QSa?^8iJ0Q!<`70Z2 zE#me2<LYnVz53&-uIJbGN1)Sn{N4T(?xno;06G#*5(NVggmg8(V*qT<Rs633_y<_Y z+YW@4yn;^}h-1t7bpugu8Gmme?SPkMa1e##Gha1`Zo(+|(;zxQUCf6Jrv0#)a`#|5 z0B^?k5c2>#DH{)g9lwCj8G_2@^F2do3w0hpJA}5vPRcKa(C+o;nB8s>$jr>ZnPv7_ zy0l>7-1ON?m&{u@zsuIyyys9n1+)0Zq3F|0e%Dai1Vhf7L+K=SI#181o$#2>%cp(u zn4ZW-nA$1)xqJj@oy>#7(3wem%rKniM81C*YMH>_97eP8AhO{!7Y}0h;j}Ft#6`nl z*^lA-hogt1`BTGbcdgsjQT%j<)@_7&i=R{zO6a@Ldk83ePv{8tSFQ`q4UG(S548@} z4AI~Z!H<G31RuaY$(_NC!3Ee&&^y>Jm=<&eenFhlSFo6N3pP1M0*et#yB{Am0~;Ot z_}gQfqRaQQ?}G0o-x+L6-03Uw&G(J=_4Kvz)%0oJE8Y*h&w20l9`Tk#)oPx1v^US& z-doS>^ZeoY((|V0acluR=-KXB1zoG*o^GDjo|+!&{>gp8{R;l)Z^fpAt?s2zwi@E@ z<ZkY+>Q=B=`GM;N*8{E_UArR)ZLk;{1_ruvTul(K`#*LG58hK)mAsy9XDiusY!~Rn znj?CFitwW!VVmC>L@n40b*rV=-Zx0k#j>M8ufp5nJ^CzS6da{H5T9TXqI>tHS+pSy z;(OvELJ~X;eXFC|4s9bs5sbq&$aY#Cgdq5tL@tn*$b;l2vWsja3&<GKi?k)R2*sH6 zk@|vqzj_Q;9I<N49l9`!pny~EkcC;KQKQ@;3$sXb8RZUHm_?d5Tpq-iA*5$2_E#@z 
zVw5{{VHRl~quikjvruyz<<Nym-TA!G?2FgInSJp%IrPOL3lmwWwl&Hfx-bhhW|TX0 zVP<Q(QC_JFlazLuZ8k#fjm*}xaJeZ9lcK9LyS`EGP=%ST5u;pn=-bSKCQ-RV7G@SS ziQ*1fm|2<{j+?45DQ(R38}Uu{uFTXFBkmA|nMwXL;whpqNqv=><Z37mRhSe_sm(1z zacIJ%GF?LPb#|sjC=NN8)I7~YafrdBGM&S5NWr8iL2M>}hvQI!5tIlfwwe4JibDw| zrQjxX06H+K3_1W2m{bNGfCNk`gAPCdCY3=4mVl|;DZk0=0MuWSl%=n>iTo3aL;WSC z;Kr(<IHX@vnJS_9B0FP*;|r~t3X%#t8_mk0`jXP#M)FrU4$+qss)+m<ibL}S8^S8o zor(sA<B)u@<@zHWpJSsokPD$W^j=bWwE^Xz_L5R=1Nl81pJ}7klMCTEv|dtjttY>Q z<J0kE*|=XraVWi{RKIR)C_dHB;LbqhB{dK312kSzndag6Brug%eVy7i9G_^X$S<Kt ze1fgu+P0y%DeqGGWUoc#rn*ZCgUapVE^Eopp|~mTl9FjgIBwT=SxbI0;?Q<U9Xe)2 z$T=epaTgm&t{8EsyV$uOjX308Qn~47*<nr&Wg+ll&-a57hr&xLH_a>yiI<3-MB%~C zjF&_4LAF!N&kn^+jhD)k&Cd$OO^KHjCO;gvE4<{B??Z7@;iWRu&}>})zIF;Vnffj% znNX8m-eoBHE)>tRWg5~l9Ji~x3?W~J<4|`=c?5=#FG6vMyQEY;B+?`t@9xNTDHMmY zOG>W6s2#d4DOC+NYwzNqP<v;4IaH1rNL#s!p*R#>Dk_J*%phD&2)a~IU~tNib4e*T z2!cOxsJYmvZ$oj2xuldEh<-xKB_-29v!76Mu~FzJbX-I^G5!riM<L^4%k@nt-cII9 z4lM&vJ2YHUG7T_mhlGobLhVp+N$J%9RNmT=>FZFuRWehBzD)n@a2(<-DOL3+pM~Sl zZn06g43KWIQD24PP;N<Supc_w)Rw8A*-@yrq?GGNz6i$~Bbcg<`#c<PWXsmq>;yDh zQgZbrpN8U)Y)NUcPlr$(f-R{GZfZR{gC`qWEvb2Mn<J2FNvXRJ`6L`qvr)axp|iGw z`Zye~<)A(?;trLTDdb%v?oer&qTXo4Q&d`#@82opLnDrb?$ohhGC6O=t2((4jJU%P zn?&9>;toS>5_!*vI}EXjW@j9R*hKZlh!Hm}vC45;ok;#?#2uE{1oDm%cUWQ*$lFHT zVTny3Zy9liB{tqX5r-u<p1f(qla^TJ`_J^NGU5(PY@9mFh&wE?amv$1++m50Glx@$ zB{q({V#G~LEal|Jk=Mg<(-f2Ao2f4~B;Sa`6idyA<wPUyu*AlqFENKDHWqz}nU+{e z8)MOzn8Oqsi@wAhrr22WD(XwI#Y|Z{XxA9A4fYDhn2oG=aAqSg$5I;}V>SYV%+9?W zj=?0WIAOFgIy)SLO_rpjzU=5MBL<@^wdiPaE*yhVW-Hp;h`}neXL~6egI$)IZ4_F7 zVP>Py04%fAlB3W-BnIQmmJcn!IJ4(_F&u+&mYQuOT7Y$CqtF7(v(%FCKQv-6(Cpmv z;TSA5QB;h->IhT^6D_s65vUF(T53_OW`|?2(QMfU8!^~u_H56FV=&TEvkgZBu+nT4 z8kp&Lo`##(9Cn&5AFjxBdkgTO498%nrDhw37GS8^sH|`dmYR)1WiZt$x@$iF@TW9l zu+}QbB=>YU26HX7Y(83mwPvGm4lvhJOTyDK9D~7T%Z65AvDvdd6^@NDgK5iuMYK8; zEx>5AQE0(ow82HwoC|2IPBEw4h6Fzi@}N6#G?43m*+0kkmv5J^B~$<=c!Qo>JU!fR zxvscMU1{+4ovZ&1{rAPtk$;d5(>VE-bW(jUqLvY;O;P<=mU63FK^ftDx6#F<49d=> 
zw2(kZ1v@3MBjgsU^Btvhj~d~P%IKYl*7#Z(#m-`0x*fB18~GJ8DdH2a!9>@Fy}OTA z<7ckHMBRG6bAVdgUom+)zjPgMG!$;+{i8U#R!r&bd6jhMy{^Ih<{Ivbp@P*WzeruR z_mhRy`0Ft`4zoZ>iK-_WVJgqm8Q<GuUK(F?nFRR{ahj&CNak!%jyjj~)#aE!TgE>! zlcl_00u?UdI}`X-XinZ$<Gvl3lv^zDO?P6A_w){00~1EYqj2zp9jIgx&)kXgS;%{h z1a)dBX6ELXE)W^Ej6jC@0$()oJTun<Oe5Vsk|rR?)o~PBoNZ=UhzX-h<}Yk^G3PD^ zkEWv!j8N&U_Wq+v==;$7p%+7ELwAG@hGL<$p*fhl>lI25rD56f7u?uagAWI93+{*D z)w1AJNJDfCHVqnqtAXz^%lcyAOyH)#?!cD7(!i9!pg?Y*Nx<-5#XR4;{%8F6_>W?~ zu8ThsDjAB<oNAw?OIFQXxMU?H6T&4!z>rEtc|BY**iNaN!zF|4l=5b{WT2f=Nw{Qy zol=TJCH+Ck1|w*(M!2M(BiEL2NnbmqZVH$5u~E=o2$%GBQ0s#wd9)5uN6lS4bJg5A z>e?E?l3uCA8no84vQPx43}uFJNsme{Nv#c+bazl|!X@1t)apP<SJdv2&8-TSbV+S( zIm&dlm4S{!xTI4B1p{-XDd-R`=~%%DYDKst*Fh~0m*m)}x$3fTNe2hDG+dJHpq7M6 zvd}Fey9xP+a7m__DN=Epp#u>v$*>iK9z?jLy@M(Um$Y+Gi^3)84r*bzq^*sDUPQR0 zjf0vWj+C@^aPz_?tsK<ca7jxCH78ioBK1Pg#G}^Sk!N<eq?v=76)0(nsaN@UY$lOF zNs|;}6A6?wPWinNzZ<3eF2e7IDZkeu4nqT58_=%^m(+Jq)4icN@QdCKnZeNTP+zzn zw1bFUtxzBoA;I5+-{D{R9jMqn5xhTmNAO5+UoaZn3<bLd_@^Ef91!dl%nUY%bX_>8 z2mT6N349TFFYqd)=^li0!g1^vO9ZwC)?(InW?&o?^z!hp-X_p6P(9%F|L6b3|E>RH zxiQ3loByzXkAJ&=qkp-7o_~seWW?X!-_@VtZ{|<)hy6NU4_AC&_}=rq3O|O2Qe^1X z`3ilrd=q^6zTUo$zP7$bz8XHCPx1cdy@XYQx4lAG<_^pP@At;NTfD2ii@ejlW4wdC zy}UWz*4_r*YFJ0O>iOC8jprlJdC&8nM?Lp=ZuQJR<k^GC;f<c<o_U_ho{^sZp01t@ z1V2dggfLC~r~9(|bN9QLDn92v<38y==04z#ySKPkyBE2qyT>3LLJvsNNGY0sTtB+L z!sPMmu4i0lU8mq7a-D03tHia=Rmkhkpe-W1Ss5#0%itt3i4A9cS!dRcHDR?NElA)l z@}2%EUVty@Pw4mScj!kDBq0iknUz@En5vJ`2k6}pETOqxM-S^d{fl0qUtm)CRr(ZO zmv_?RltW#wn69A(2#qn84yHX3K%o__PpejH?nNxoz0=yw+Cd2KZTtV1-Xj;u1@abo zfjnmIL)k;NhkgxR3|$Dl6?!4`Sm<8u5oS56MYM<6KXQMHaMOx7k0w28BN6Q^v;5d1 z+CvO}Y^I}aM0=1~Zfp_l471$WBH9DYa$}2V_cP0lErLzEmK$3{yO&vRY!U4qX1TFN zw7Z$*#um{|Gs}%FqMc$tSWbfx?Jj1y5l6H;*=5;@lgx6Bjc6y>capt>U6Sy2c2UCH z*tZhi%D$2C7WTD-H?yxKyor5j!H9Mv`$E#k+2;}-W1mTQlzl4U5%!6MH?Rv59%h!S zZbUo8K9cP9>_Z6;vJWJ@j=eA8wd_61X)vO3X8H9-v;)lY>y2ppnd#S?ydC@4+Y;_& zZ%Md^otJPovwV3Y+Aj8nWOp*lfj6S<V3q@KL`$$&Wrj#Odqv_nds)I5dr875dr`t` 
z*b5SFXU|Jm#-5X~lszlqHfH(qMzj+4v}Cukrz9+9=Kv$gv)jU+lyrnWA>n40^y@XB z#!bv}>y2m|*`qQ;5qm_!4eVhF*R!({u44~LxRyOA;Tm>E!qpM>fW)iV{SvNZ_er>d z-7Dd8c8`S1*xeE?Wv3-v!cIw8$nKJGF}qX30(MfuMeKwLBj(vHWOqn<0lQto`Rq0c z=doKQoXc*Ja1Og!!rAO531_hzC7j8QOE`lalW;maD&aI1IU?~?c7udd*kK7LvqKV2 zV%JMJksXw90=rJa@$6a&$1yJ9Sav|dF>JqtquIVBjNtS~vAvQW$@WM%g6)=YINK%R zFt$^|e6~Zvp)4Wc5Qc><@jo+|VP-|ZK`bWWKo*s70J|n4aeua5!hWnwz|C4;Rx02o ztq<EKV3F3Fl}MP!wo2HG6-(HYZIQ4CvzjQ<y0gua?Z!3<7%9@avW=4N!ips9%r;2a ziLIBgBU>k7E?X;M4qGE(2ew+mY_>|mEVfd@OtwP847S`Fe~YyCY?+`pXzf^mgw@#+ z3zBoJ(1Pj~wphXfwp76NS~{C2VRg1pLX9o3Ao+~Vx1d_U774g6qP1nSEv&U+vm|WI zW=hzKO_#7Pn=2t@mTUaFCTxZv*J>@<L<w84$r9FO(<G#9s)QOd_d!Om`Fd>=Hc7B+ zv=(fvgw5G#3G1>65>hr^LXBCwBG)uwV+6TcYsN-M*pv;Iun8L`VO=&#Ldr&3563F4 zG0PY9Dy<P4B4I-|P(sRv3jg_4Q`uk(HDQCq;gwng)>p#%EKkC^Y=DGySU(9V>n|!; zIW@xiSg;A}Esn3y>ap$;)?qy*q^y_7x?(EpA;{%gUDi#)I;@L?X{?iklyw!QmQQ7! z1-VSC!8%wlqE%;ElCH)wC9KLaEQp6CTfn7S71mZlgSD4XW9>u}OQ*7QK`zk@)<(iG zYbA~^naWxVvQP`L#wNu0Td28NOG&#}GYKhcZb7vzYidE|AZsBiD{R7=2y(F&Wc4Hr zusRaDStAKutiFVlHLxJ+YG`d5UfhJ$6>Nd#XK51pSTzY<tfqvN)v_QuR>Oj*%-WP% z(1cYNB-{pANJ0+_Na$u&C5*UOSYpZy3!<_r;w%?6VL?H{kAV3lbTN;FjJYI)<Guya zF}DR#mruZXT5Z-*!dfiXgt-3mw3;kO&~O=GOhU?Z2{lF~B#elj&92WhL1J-V|IdQt zPNqtDk|_dWSzrIxg5*E_9|^DOe_PjoreD7**cs$U{dEbi=x<1PPJdIt>Es9f6$!8C zuS$4Me@(z?<cj{1gqQUfB|N9UEFcyy^!*l$kau-%Vf9AcdR0y)ALx4pi&YJMpMY4n z(Dz9Ao^HJ!u}q=w5-b)X^c@yNWjh7LQiPt6@NK<Z!ngFeWq)G9L5~R<>kPW}e#Feb zZoTKQFrZs+Kdc+*r6Mnu8g%QWi4_LjdTC;kUbkLon8VjMiM*KN*Ed@b#jMxkSY_JN zx-|r1E?&1@Zez&H`dX2B49Zz=KTP!N*6R`T`?~dd98F%*SBSire%Duthhuba9V!~i zaJUB!F;%)5zH^>(Sr1VJy9KOAC!#&+BBFFed%|TsIuY%0m-XmGw8xnBY+-*JyPBLv zRVFLJZ-Qe3_XYa<^ZhNMmb3)ly&rfBy-hs#dj`OB@jiEd*FO*{@518x=Xy4Mrnz<s zk^}V#^lV5?HCL^w+>Bc6e*?;z@&h+P38J8^2@l<7PN+8K{|!;AhdNdYsT5BwYs5dj ziGGA!4f)aAXo1$UtO5V;D6JpJY$ZL{3(D&AWw&A$vc|1+0x7F!{y=qglhyH!5H+D& ztCZE@&)p8c`d&>iKYD$hHj`i3f=~sudTWT&dJFA~7Scp5jc=zDNm*_FMokD!G`s`_ z^d%8ek8eJy7JBmfq-SOoH!Z8h)9;|Skg}Tm$I(#b33t#bfAD&!r36pVm87hOIj38l 
zUweXvNLh8>Xg;aQpEyBFNLe-B?<C|f%Bu3b$I#;&Pntch!gt+?AN%qVS#!p1G)-$< zW{4WL+)0C^ENmXf8HM<dTamBIU1p&mUwoHYQ$Ua}CP}|2*7=lK%qNaaJ!NM1@-wIC zAe^N~uvH5&qii+i7NsUa-36gJ%Upb3G5w8{F*7G7xOG0GgdQPfkb>VvcharZ%Cs}X zw$N&7#C$-`s%56n-MgV@LU)G_hoYg?p_!rlP?u2iP?g}-;6=>roC}^pWP<IO(V32D z1m+}dIPg#4+rZm_CozL_9UL&12c}|*HYd;suCaglzw*E7f6RY}pCh`!QbZ6K=+E&t z@&^zn;7i{daGX8i<GvE#QeR{;_LpS)8u)zJ1oegYb?+nI+r0ZQ`%>tg=<VmtgcqL2 z^PA^0&#RuZnC#!<*$ff>ao85s4$~_PK6oD^yu}0V<L({q4eojFQJ73=?XKY_@W6ZD z^(@qUZ*aw2Yh1Hj!=TsO9AZXS*+m2~IEMfR2QibfBEqJz!O#L}%z}tt@D)^gAH&4S z0e!2!1j--%^(?(UM)lw5XP72An~W{FnJ%K^Xm8q%rcnm{q>r^1A<}Uio_8A%(0P>B zLu-xT1B6_L0>`uD9&!VTku_u%8AiI0=A?>xRlTUbqn=amQV-&?BfzrtXCxdBBoQrc zB;Y`jx~3A*Vn$-HlZzUOK~C-(BLNQ*d)e(q0zM=*E~1qg3AmBiNUhXJ^mB6Cj07A> z?D<NJ1YAk%+*Tt2XA(PCY$V`KV&}FP3HXyl>}149^mJz2Y$V`PV$Zk9NWiDW&TTXj za4NBLMMeT{C3bFuk$_)`#fj)|5pBJZfM<z4<2oY&-x52w)=0p)#LlfT67VjubE}O6 z{7dZIDkA|06FV1KX(ZrcVkcJ^2{@V9x#dOzUM6;KnUR2-iJe<&B;aRa=av`=IGWhG zLL&iJ6WB8q?rHe4U2G)aY+}z?U?kveV&@haiPlbTp^<3i<Q5nSc%0bF&NmWpIgwn_ zJ0haZGZJt*k)*jy9?|9+iDpi2j*)=hi9O$JBLT+~J2%TnG<I?`jRZVT?D=NkfrIaf zot$nY8aTOWMgs09_Iy)~1RPN8+!P}L7Zf`;*+{?##m-GK5^zF+J(+s>CmIR3q1ZD{ zFcR=Xv2){%gu@XfqKz{W4o8%THr7a_IHHKFI>tz(`k|Ps!x3$?k#IPoV3xy3I2=(T z+DIeea72k{BaDQ@5hbDxHxdp<l!!LWNI3jZB3ix?NjMx)BHB<R;c!HWXhV#I!x1H- z4K`pUI<CwhBjIs!1C2z|5he9X4=@tK52eC83Rj`Ok#IPoM6`ZJLbq3lNfsmFa74ju zi;-|RqF~y^NSKZ&DgR+bTAq=xIif_Cszq8aBjNBwDbjix<qpq*BCUr}?(jsxB#lw- z@I)!nx*6pTPZZ4B808K}lp?JQ+HiQH6ltA}a)&2Mk=Ds5cX*-{X&sGnhbKyrmTQ!o zo+!36&N0eOR}>r9!6>&}Q7XK{i?nQ`-1J4UWy~_l9nL64TBcEMI-}U~Wf<kAH;RpG zZ<IUSQ8uUrM!D&YQkgHJZqTY5<qm(84e-4wH~mp6GeRYQi&1Vmq@;3MJEMG&om+1< zve3bqZI~V@DP`Adno&OAagW!N&x~@1PYR~0jPkkm!t1oUM!CZ&Wu57(ZaSr;G_p>E z@4M-hV&mEv<uff#dIzo3T8GOWZYk^Fus_{dwv|zCx}~Jlx7O^7>6c>T&==D&#m3=; zQ$15K^sJ3&EyCrdXG)5X$Xc{(I;PmlwlvC3&y*ByjoGflHD!%?4NTV*TRybw@J+$Q zS-5-*@<meGU4wQ_-xOQf=0>^0Ic2rk?nryS)n>aRoLn=be7KWqYLpL4;mq-OwT6cC zQ%G=_U^B`c2H`5R5r;vD*|%`HX%MEI$EvB}a?>76rO<-I99*R}G|C4!p1+mmxjD?i 
zm1eUJb8w|r$0&E0gP79`mz(BbO1mr371J6_rO=g1V^G*%D>dw&fHjzU=~tM|_H=S} z!sVthm{Q-0sYbcO7Q~F8QSPt>G4*GZJ8Z$_8jTp`mBwIl%g1sJZJ4%TN*l}3hQkzG zuB92}4pR^lMn<{A6r88kGRhsMAZCz^a$yQqzJD;wXp}ol!DZ%H;xGl5nPZ8=6kMiN zGs+#N;4-bMQQqEu{g!Hmft{8q*BS4hrRIJX(-urQ;iWiXhb4&FOrzXk31ZqZTy9!| zDMgo{sKXFkqJ@oeharerOryMo=^d8x?^bB;^Klr0h30eMFa!(DJx2~hun^l1%1uKs zr7wke)*N;qW>SsvN;^<Ie~Zn|IPAd1W?velUaO_*VzVy}J8-et7l$2)8P;&QX$PkC zWik5VFasBB0X%<6JFwC?!Gx+&?l1!j%)U6xzyh-`4l}U8?2E$;EHJN&X$GeBr2u^q zR^S8~t5q$~d`7v$3S6YQ&G~^^P`wYX2-3jWz)*N%?DH?gw|jN(t)5R22XB?@DOZ3^ z)DK~YT1N;GzfbC`1<L)H$=XDVv&y>h5%<yiSXo!-p7!H!<YGeRj~ldxratr%e_ncK z=i*LfU2tr?IQGu{kU}o&Ed23yJU|bSvQFH%3C?*v&(PhZtRsKz7z9QyouSu}vRuCV z1b!TOkRD)VIZ0vFkzQH@^OIUT9(l-|#_5m@R2evHX3rM#)aTC9gQP6WEStvHJxuqL zvP>R6rq<)HuO)4TaP{k-QmW?^w=T=DRF%y+q)U&`ousTi|FN!|RjMB$*?T`)>*g~a zq4Oa4nwect*3O(3!c0%Pm>zoSF>@-aEwBGL{R}f-ZOoakR-~*oZ+*<1`f0^i9W!&c z<ew$e7JS5UlW)!s9ycd$nw|07NMoucqP<!P4GUfiO^=4S1*d%kJCC;@{84MyVuWOL z>m%r4?TXfkT%*3KHdI#Q7Ua?57G<MMLF(GP)faTPI?|NuuFd1?NkdbEy3n0BCOx}2 zw`_zN_cDz?v!1l!cYR4$VGD3l0lV8*^Z@n&CpE9X`-&dMX5ggE^p{1X0sq?+8*l#& zb?ZZucenU<NB~URNE(>}xXGC|NT+uw8^U{BhbwmNM$(F>e@j=Jd)m#3xktW5-Gj^< zn#Kz+((Ckr$y<n8YV*V<bY%D?WFBDN{xp8!5_;dCFaM6-uJ=nmFUfp8H<MO-L#rX} z{XM$T7Y7RYvCDV{+8)w6nu6Jd?$LSaop2}nh%<lSGTlqcdh^WgnDh(2P22FDSLkwD zoL!bD&hpLEQ1&kC#h2YpA0=fy`KLFddxP#VA4})~e}#*eoGR4sg&KHScOfOd@sQS( ze{e5FkWl)9(jCF+=$8omxfkA!>A|0%0<;a2X4M1l1`Y<M2b%dm_225R>wDL?+c(kI z2(w;C;L2JHfhTYE%ya*OV3J$?GnB2K_R3RO?AwE=J+F{!NFLF(j*xb}A09gGaF<Kn zd9J@*w?m@42JZbP)*BO7CAu~QBF<YbKwx|q)mjoQn?Gs(!1LdnXdU=}F0EGbzk_Hw z;>R<()?U5Hm-}#umo*^J^7)p(=0~oCt~F3E@rEB`-t!YTgy*3MkFk0KS9PtwzP_!y zRWp9Ku0a^49;w2V?~*Fr%UxPc-u-*DOg5Q1-B!^*zSkNuvN7M?YCcb9IdNIbWTa@J z2Xg$&4<M#%vV{f^yjP1wkCOzn?whDv__DWg3Q6KQNZi9W7pE~m-|XI~)ZLv|i$A`M z)ZF{et97u?+JyXc5WVgADHO5CoyU`u{0TvH_zsqv=UHoS{FTNmUQEo!pFD!blQ|Fz zU@jrCWDcJ5h1Q6WsQB?+P;0DS!)F}9RY_)T6Vme3?YuCg^;FA5?~?rUQ2&QYeFoD; zs@sH;d9v4sA@;A9h{`@;T4UE%jHygf_zd$x`^K1B-Y3M55k9S<dWV^{i++2qyH#iN 
z8rR^TbkOS%1kFv}*}r@US-V%<nV#4kOtd}xsCk?I@o4q*-96o{hVUmL2)_R=t(m&Z zykE8Wh)#Ms({?6rQu5ekbZLjUMHwpcCCs~yM?lr;spSISX5zRgU*OT&sWG0RX?6I% zZh8x%Ma>_5a9xu1x35XkiSjGI`vda^_;CYvYFd3<BxFkC&ui#$S<1m?1P4pS71<Fs zCC<0;2+_LZDkYzqWDV~Ut&zHw=e>u!pCoRtqSq!`v3aFB;jxeh>f?z(=R3k%+q}KJ zK|pJ)Z%SUgMsE=~Lf6pi5p5&i^*{69BB0fT2RHK9<c|k%u{S`JU+a*w-h9v1P&O-} zj=^}~g+K%UQs3!hl!Be^FWfn<t?({ypcl~lX+WDw_NpJNt(DCfU<V^`a@hhAIQgTu zNqsS>4jPr-p*W*#e)8q>F4YgheL5M)pj_9l*XLrCS}8&f?0tuH<r|s48Xncj@z&?k z55TRuS8a?=)7~d(d)KckboUvN-WjjbS>~&>HlOX*52-Uz^}X1epL~hE>OrCDVkp|| z)vv`a{iF<chEKl^TlJH2+s}W1VL3VCqqc0k6{d){!X7`gt|uo4R0Kh&!FvSsW9lR` zQo+sYMDw+X_iGS%g22;4`f*y^wrsrU?zNv_2p?yT$`~U*r91Vps0m)-w_^mZvyx<) zgJL01zD=`np~i>{<ylVZ?`?J05(MDDqUmV!awKCdll7!aGJ-`Hyp?jyJ5p0wpoB&R zZ-#(ccYmqxZC_LGI?oH9+U~`!CtP8+P=8XdO_yrtuu`=GbL!QU1-K_!<~@ldt%d{D z^gVbk%vTm5<)^FZyWq~BS6x2^cYcJsK7ohfa1H%NJO_w%eNtU-hK#r!LkaFc-M#<4 zT9dz2OJAj~HGki#uR&Ma^J6tI$ewx=7i-EHyg~Cvq-WuZAbPeLGUDSmN#ms2xyfgu zBdg42(s<f=EI?hT4@vQk#jVO#nysaAy)L@9LKM8_JPNL_sV{NmrRNm4DO)b?+f(Op z-;(7zpfbeSHY>YoR@SaQI<{1pK#$bdIsE^VJt%CT@1=O{7V_d+c*~x6i?lZ5WfZ#c zRCX>-FIy~%Tz-o*;XA(7l6)t;{|e0a-vihckPQ00_-(x4e;{aLp?Gm_*7V($8M4Kc z+P^vQQ=o@G0lBay-j!IKQQUo8``OnlM=zp}Q?E9IoKpW(^OY^QBSYQAgSJ=4#anMG z-`C<TuGPAlH+mJ>UQIj_A9c`olkHVa3++C#y^81}Mz;fGyCI@@{E(~fB-_KhxTAhA z+a5w?$+#pn%(3k#*&Z|vnA+UeSwBLy2h9J4H2!R7v%D1;V^=ra|DrBtB|c%pB$-xS z^__5~N>+y$E;TrYy7Z*|!k2W@U1Yn5&-e}h1jvkv-KO1ehHQ5wEtupZg@LY~`H<i- zHxRG7b8+r=mMoGy`hupl;2-xe&s480gYmB(-_cWFL5tJ3Q`6W@;}{3`lkHm4zD*WA zi1AN!1Qom3c7i@8qqfxGZxgKvkB!xrxcjAN;<?za%BP)jjFJhsX`8E>FmL@@12d$F z=v==n)5W$vUYw!RFijdjH}0n3l3*sZGwunj3UtQ0-IM+@|1f_|-#fm;aF%Wfr|3es zKl`!#R)|<0m)#G!H)7L8C$|`<U;7(MPuGjL52B~kQxEdx=kW$W+?2+ITxX8{wfLrg zXdAX|241&5^SxA!|FS{tPm~gK#IMC)C{mjunlJxh6Ut5hm)6ybleR@NXR}ReRhP15 z3d-X7UW;f2&uvosvdB~rE<rT73gwZ_eE3QfFEnE&ZQ{qSLZ)S%c%cq^)3jRFiZ^H5 z|7a_HP4dmK`#;?3W&c4{Y_<6^fZ6&M#t^cKtH0vGx$qxth}}5J_w&PVn>DNuW(gwR zx4`BbWa@&=H^~z~SeT}ST+53$q6eouFzyK#R|o!OIC4Pz2>*slwO_on@_(cC^?ifg 
z2oD2us0Qv5ZO_QwWMGse(J4TyF|tS6REX^npsg6$J;aT{HJRhOAk83T7s9I4<U4<- zom@N3;j*)DKO-yE1a47PUnIN(Q`ae5U-Pu5jUA4eYq%L0I~+6D@Ha4aIA*Tlcwp?X z&0L%722U6}923`YMKBU#QmJxk15OD>!ZC9V?*t>^n7M|_w~=tnT*EWmNH}J$;R9|Y z923`Y1~(G6iEB)4z%ATJIA*TlA8sTZGuLnwHxiDSYj}(s3CGMeT*r;XD*K!Oe8`Q2 zW8xal<hTlsnQOR}8wtnEHT=tsgk$FV|8;e~zfBi$9B=Qw*R}i6dJmlJM^~7z$=1%5 zxfOJ56igiGgUzB&32PKGSX@UZQ)9$jzE8YByp678w;y3JK^z7m4^UzZ@qvj?gs_Z> zPDA_yFtWtQCVoCWX6QY=?_Iv%e(&0Q->dJtHyF*ivdA?U&bcZk*YM%4a%F*QL9cN2 z2weY<*1?R<l|`-v{faA#Tnl=cD~ntUy2zD9t_A&)E8I)@7`YMj5?96G8m+QlaAlEe zK`(M;k!vuub7hfhK|klpBG-a0aJ5dZ&1oEPkMmq1xGs8_b6nxU7sZA1Tv_N^(6d}w z=o(D%Tv_N^&^fLwbS>yCS4gglZal-)I=Ws*>w->mWwC2;&~s(6Yp~LDWwC4U)N^IA zYeCO&wcoyRo-2!8gN104D+^u=n&ZlX*WkeC%7WK|PH<(xYw+ZA^*FpP{CB9hve>nt zpW%;DYo#ac3H1g~!%n`I^7qQFmxW6A1t$C}{`!)mzLRW~H9N=Y&#*AdcyD@xo-_!B zX2)%o5KNO|SBZp7niLD`oBP>mBDbQrsn$cUu`@(IV<gFj*IAy(Mk9Ov8Uy__PZ`MN zWGvxsmJLQlfA9v*hg*yos_SQGiQH_O-|NTbPn+f+jT+rnfKu)OS&vC<H72NM$6M?N zA~zKjMt=BK)a3i1nre|7jqJXCfN3HldecExtM4v3O~{ds6Iq8P-w_$s4-dh73<+2r zIy!(?YW2bZyFg@3K60r_r_*c!^428Ak-cdMM#HibgLAR4F2s?cN9p`FkTBV0I0JJa z&c=LlLqQP$Q>)Z}$C>uYr=TE>AgxlLT5(!Ycw}@JBuf)nX~K9`Rvv}%L{qQE;wT56 z@Mk@tCD>;BN{9r1g2m6b74_u~O#h>$*Gu~XQ-MZ*7Uq*4zy5TZeM3mM{&$vT2-&9> zr{I%$AL>II6P-f(#w7cm0OMK9u_gj%`PNP{SW>s#_;ZHUdI@<M&T3_o1YYx4p4}y+ zQ4i0tCcUOv2u$zVJI$Ua<VoF?gD`B8=<$E3lR4I|-=D_oRakikZ0XFe-EQe1)n>T{ zLZ-Kn0oYldD_a62IRxjt5r1FFC%!unRwkS~PM98n?MEfvq~`>TuO7!u$|Uy1k3P8z z-d0A(`#{Yv9cGI}b{j4F@jY;r;YiYTgUm-{S78~~J;-K=+-VTdKZ9(J$W9E*yGG;- zsO+ls$gj>uec~wg3=++)rX$LS*hwN`A&(61+7OQA?WjMib;WORpYFpf>jMhfD-)P7 zxJ+b+fuHx^Me*8hs!j~Uo0HEWj0)>r88%B~o57;}t4>&VmVv?(BiPT|FjB5ckFPpW zJ$?)Vd)nNcG7gXPwt1X`$JhnG+bCP1sNEDres^jLOT$2FZ!8{nqw-lZSYGPGFB<^O z6b$P5Kb%N`+5+e7a9d@}kl3&DbPL8fjrjM(+OTaDt6vFX2hoZLp3wH-c*O%4K=;9z o7LhON%K_gx$8C^%jI5t}2le-Ec$!hu6{mi268hE=mh~q71IW~eYybcN From 0bacd005a2840a39b71531d0412c6cdaf8faa33c Mon Sep 17 00:00:00 2001 
From: Spyros <northdpole@users.noreply.github.com> Date: Mon, 28 Mar 2022 21:33:52 +0100 Subject: [PATCH 19/26] misc_tools_parser_init (#169) * misc_tools_parser_init * misc parsers works * fix git url * lint * progress? * test template * add test * finish test * parser done * add readme * improve readme --- application/cmd/cre_main.py | 6 ++ application/defs/cre_defs.py | 1 + application/tests/misc_tools_parser_test.py | 78 ++++++++++++++++ .../utils/external_project_parsers/README.md | 30 +++++++ .../misc_tools_parser.py | 89 +++++++++++++++++++ cre.py | 5 ++ 6 files changed, 209 insertions(+) create mode 100644 application/tests/misc_tools_parser_test.py create mode 100644 application/utils/external_project_parsers/README.md create mode 100644 application/utils/external_project_parsers/misc_tools_parser.py diff --git a/application/cmd/cre_main.py b/application/cmd/cre_main.py index 4cb3d615c..5ed9e699d 100644 --- a/application/cmd/cre_main.py +++ b/application/cmd/cre_main.py @@ -16,6 +16,7 @@ from application.utils import spreadsheet_parsers from application.utils.external_project_parsers import ( cheatsheets_parser, + misc_tools_parser, zap_alerts_parser, ) from dacite import from_dict @@ -366,6 +367,11 @@ def run(args: argparse.Namespace) -> None: zap_alerts_parser.parse_zap_alerts(db_connect(args.cache_file)) elif args.cheatsheets_in: cheatsheets_parser.parse_cheatsheets(db_connect(args.cache_file)) + elif args.github_tools_in: + for url in misc_tools_parser.tool_urls: + misc_tools_parser.parse_tool( + cache=db_connect(args.cache_file), tool_repo=url + ) elif args.owasp_proj_meta: owasp_metadata_to_cre(args.owasp_proj_meta) diff --git a/application/defs/cre_defs.py b/application/defs/cre_defs.py index 74a97ac55..3522f420d 100644 --- a/application/defs/cre_defs.py +++ b/application/defs/cre_defs.py 
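Review bot: `db_connect(args.cache_file)` is evaluated inside the loop of the new `elif args.github_tools_in:` branch, so every URL in `misc_tools_parser.tool_urls` gets its own connection object instead of sharing one. Build it once before the loop, `cache = db_connect(args.cache_file)`, and call `misc_tools_parser.parse_tool(cache=cache, tool_repo=url)`. Each iteration also clones a third-party repository and registers what its README declares. Whether `parse_tool` validates that content or survives a failed clone is not visible here, so it is worth confirming that one bad repository cannot abort the remaining imports. The enclosing `run` function starts and ends outside the hunk.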
@@ -215,6 +215,7 @@ def from_str(name: str) -> Any: # it returns LinkTypes but then it won't run class ToolTypes(str, Enum, metaclass=EnumMetaWithContains): Offensive = "Offensive" Defensive = "Defensive" + Training = "Training" Unknown = "Unknown" @staticmethod diff --git a/application/tests/misc_tools_parser_test.py b/application/tests/misc_tools_parser_test.py new file mode 100644 index 000000000..cf37e9110 --- /dev/null +++ b/application/tests/misc_tools_parser_test.py 
@@ -0,0 +1,78 @@ +import copy +import os +import tempfile +import unittest +from collections import namedtuple +from dataclasses import asdict +from pprint import pprint +from unittest.mock import Mock, patch + +import dacite +from application.database import db +from application.defs import cre_defs as defs +from application.utils.external_project_parsers import misc_tools_parser +from dacite import Config, from_dict + + +class TestMiscToolsParser(unittest.TestCase): + @patch("application.database.db.dbCREfromCRE") + @patch("application.database.db.Node_collection.get_CREs") + @patch("application.database.db.Node_collection.add_link") + @patch("application.database.db.Node_collection.add_node") + @patch("application.utils.git.clone") + def test_document_todict( + self, + mocked_clone, + mocked_add_node, + mocked_add_link, + mocked_get_cres, + mocked_dbCREfromCRE, + ) -> None: + Repo = namedtuple("Repo", ["working_dir", "url"]) + repo = Repo(working_dir=tempfile.mkdtemp(), url="") + + cre = defs.CRE(id="223-780", name="test") + dbcre = db.CRE(external_id=cre.id, name=cre.name) + + expected = defs.Tool( + name="OWASP WrongSecrets", + doctype=defs.Credoctypes.Tool, + description="With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques. Can you solve all the 14 challenges?) 
-->", + tags=["secrets", "training"], + hyperlink="https://example.com/foo/bar/project", + tooltype=defs.ToolTypes.Training, + ) + tags = [expected.tooltype.value] + tags.extend(expected.tags) + dbnode = db.Node( + name=expected.name, + ntype=expected.doctype.value, + description=expected.description, + tags=",".join(tags), + link=expected.hyperlink, + ) + + mocked_clone.return_value = repo + mocked_get_cres.return_value = [cre] + mocked_add_node.return_value = dbnode + mocked_dbCREfromCRE.return_value = dbcre + + readme_content = """<!-- CRE Link: [223-780](https://www.opencre.org/cre/223-780?register=true&type=tool&tool_type=training&tags=secrets,training&description=With%20this%20app%2C%20we%20have%20packed%20various%20ways%20of%20how%20to%20not%20store%20your%20secrets.%20These%20can%20help%20you%20to%20realize%20whether%20your%20secret%20management%20is%20ok.%20The%20challenge%20is%20to%20find%20all%20the%20different%20secrets%20by%20means%20of%20various%20tools%20and%20techniques.%20Can%20you%20solve%20all%20the%2014%20challenges%3F) --> +# OWASP WrongSecrets [![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Want%20to%20dive%20into%20secrets%20management%20and%20do%20some%20hunting?%20try%20this&url=https://github.com/commjoen/wrongsecrets&hashtags=secretsmanagement,secrets,hunting,p0wnableapp,OWASP,WrongSecrets) +""" + with open(os.path.join(repo.working_dir, "README.md"), "w") as rdm: + rdm.write(readme_content) + + collection = db.Node_collection() + misc_tools_parser.parse_tool( + "https://example.com/foo/bar/project.git", collection + ) + + self.maxDiff = None + mocked_get_cres.assert_called_with(external_id=cre.id) + mocked_add_node.assert_called_with(node=expected) + mocked_add_link.assert_called_with( + cre=dbcre, + node=dbnode, + type=defs.LinkTypes.LinkedTo, + ) 
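Review bot: The `description` expected in `test_document_todict` ends with the `)` and `-->` that close the markdown link and the HTML comment in `readme_content`, so the test pins an over-capture rather than the intended text. The cause appears to be the trailing `.*` in the `url` group of `cre_link` in misc_tools_parser.py, which runs to the end of the line and leaks the closers into the last query parameter. I would stop the URL at the closing parenthesis, for example `(?P<cre>\d+-\d+)[^)\s]*)`, and end the expected description at `challenges?`. The test name also describes a different behaviour; something like `test_parse_tool_registers_link` would match what is asserted.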
diff --git a/application/utils/external_project_parsers/README.md b/application/utils/external_project_parsers/README.md new file mode 100644 index 000000000..f3fcaf9c9 --- /dev/null +++ b/application/utils/external_project_parsers/README.md @@ -0,0 +1,30 @@ +CRE External Parsers += + +This directory contains a collection of parsers meant to import relevant links from specific projects. + +Zap Alerts Parser + +This parser is meant to parse ZAP Rules, find the CWEs they link to and if we know about those CWEs, link to the corresponding CREs + +Cheatsheets Parser + +This parser is meant to crawl the released cheatsheets directory and find links to CREs from a specific cheatsheet, then insert the cheatsheet and register those links. + +Misc Tools Parser + +The parser introduces the "Register Link" concept. This is simply a hyperlink to `opencre.org/cre/<cre-id>` specifying `register=true` in the query string and providing any other relevant information that should acompany this particular Document. The CRE application will then proceed to register the node with the information provided and link to the CRE identified inthe URL. +In this version only one link per Repository is supported. We welcome feature or pull requests with more support if there is interest. + +Example + +If your project is called `Foo` and you want to link it to CRE 111-111, the you can add the following in `README.md` located at your project's root. + +``` +Foo +=== +[...] +CRE Link:(111-111)[https://www.opencre.org/cre/111-111?register=true&type=tool&tool_type=Offensive&tags=secrets,training&description=any-description-you-want] +``` + +This will register a one birectional link from opencre.org to your project and your project to opencre.org. diff --git a/application/utils/external_project_parsers/misc_tools_parser.py b/application/utils/external_project_parsers/misc_tools_parser.py new file mode 100644 index 000000000..6c3d6c210 --- /dev/null 
+++ b/application/utils/external_project_parsers/misc_tools_parser.py 
@@ -0,0 +1,89 @@ +# script to parse CRE links from README.md files of a given list of projects +import logging +import os +import re +import urllib +from typing import List, NamedTuple +from xmlrpc.client import boolean + +from application.database import db +from application.defs import cre_defs as defs +from application.utils import git + +logging.basicConfig() +logger = logging.getLogger(__name__) +logger.setLevel(logging.INFO) + + +tool_urls = [ + "https://github.com/commjoen/wrongsecrets.git", + # "https://github.com/northdpole/wrongsecrets.git", +] + + +def Project( + name: str, hyperlink: str, tags: List[str], ttype: str, description: str +) -> defs.Tool: + return defs.Tool( + name=name, + tooltype=defs.ToolTypes.from_str(ttype), + tags=tags, + hyperlink=hyperlink, + description=description, + ) + + +# TODO (spyros): need to decouple git ops from parsing in order to make this testable +# although i could just mock the git ops :$ +def parse_tool(tool_repo: str, cache: db.Node_collection, dry_run: boolean = False): + if not dry_run: + repo = git.clone(tool_repo) + readme = os.path.join(repo.working_dir, "README.md") + title_regexp = r"# (?P<title>(\w+ )+)" + cre_link = ( + r".*\[.*\]\((?P<url>(https\:\/\/www\.)?opencre\.org\/cre\/(?P<cre>\d+-\d+).*)" + ) + + with open(readme) as rdf: + mdtext = rdf.read() + + if "opencre.org" not in mdtext: + logging.error("didn't find a link, bye") + return + title = re.search(title_regexp, mdtext) + cre = re.search(cre_link, mdtext, flags=re.IGNORECASE) + + if cre and title: + parsed = urllib.parse.urlparse(cre.group("url")) + values = urllib.parse.parse_qs(parsed.query) + + name = title.group("title").strip() + cre_id = cre.group("cre").strip() + register = True if "register" in values else False + type = ( + values.get("type")[0] or "Tool" + ) # this parser matches tools so this is really optional + tool_type = values.get("tool_type")[0] or "Unknown" + description = values.get("description")[0] or "" + tags = 
values.get("tags")[0].split(",") if "tags" in values else [] + if cre_id and register: + cres = cache.get_CREs(external_id=cre_id) + hyperlink = f"{tool_repo.replace('.git','')}" + for dbcre in cres: + cs = Project( + name=name, + hyperlink=hyperlink, + tags=tags or [], + ttype=tool_type, + description=description, + ) + dbnode = cache.add_node(node=cs) + cache.add_link( + cre=db.dbCREfromCRE(dbcre), + node=dbnode, + type=defs.LinkTypes.LinkedTo, + ) + print( + f"Registered new Document of type:Tool, toolType: {tool_type}, name:{name} and hyperlink:{hyperlink}," + f"linked to cre:{dbcre.id}" + ) diff --git a/cre.py b/cre.py index 5086bd0aa..fec0b945c 100644 --- a/cre.py +++ b/cre.py @@ -125,6 +125,11 @@ def main() -> None: action="store_true", help="import cheatsheets by cloning the repo website and parsing the .md files", ) + parser.add_argument( + "--github_tools_in", + action="store_true", + help="import supported github tools, urls can be found in misc_tools_parser.py", + ) args = parser.parse_args() cre_main.run(args) From 6a282b4420233d9407e4da0d23cdeb7565e31413 Mon Sep 17 00:00:00 2001 From: Spyros <northdpole@users.noreply.github.com> Date: Sat, 2 Apr 2022 19:13:47 +0100 Subject: [PATCH 20/26] Update Header.tsx add google analytics --- application/frontend/src/scaffolding/Header/Header.tsx | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/application/frontend/src/scaffolding/Header/Header.tsx b/application/frontend/src/scaffolding/Header/Header.tsx index ad3c2eda5..11509d917 100644 --- a/application/frontend/src/scaffolding/Header/Header.tsx +++ b/application/frontend/src/scaffolding/Header/Header.tsx 
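Review bot: In `parse_tool`, `values.get("type")[0] or "Tool"` and the matching `tool_type` and `description` lines raise `TypeError` when the parameter is missing from the register link, because `values.get(...)` returns `None` before the `or` default is reached. The README comes from a third-party repository, so a missing or odd parameter should not abort the import: use `tool_type = values.get("tool_type", ["Unknown"])[0]` and `description = values.get("description", [""])[0]`, as the `tags` line already guards with `"tags" in values`. The same values go straight into `cache.add_node` with no length or character checks visible here, so I would bound `description` and `tags` before storing them. Smaller points: `import urllib` does not by itself guarantee `urllib.parse` is loaded (`import urllib.parse`), the `boolean` annotation from `xmlrpc.client` should be plain `bool`, and `logging.error` bypasses the module's `logger`.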
@@ -39,6 +39,15 @@ export const Header = () => { return ( <div className="header"> + <!-- Global site tag (gtag.js) - Google Analytics --> +<script async src="https://www.googletagmanager.com/gtag/js?id=G-RGH65Z6QWE"></script> +<script> + window.dataLayer = window.dataLayer || []; + function gtag(){dataLayer.push(arguments);} + gtag('js', new Date()); + + gtag('config', 'G-RGH65Z6QWE'); +</script> <Menu className="header__nav-bar" secondary> {links.map(({ to, name }) => ( <Link From c889d212b173fa7486251ac0c1268749c7f6f515 Mon Sep 17 00:00:00 2001 From: Spyros <northdpole@users.noreply.github.com> Date: Sat, 2 Apr 2022 19:43:14 +0100 Subject: [PATCH 21/26] move analytics script to index.html (#190) --- application/frontend/src/index.html | 16 ++++++++++++++-- .../frontend/src/scaffolding/Header/Header.tsx | 9 --------- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/application/frontend/src/index.html b/application/frontend/src/index.html index a5fa74a51..a4ea0a572 100755 --- a/application/frontend/src/index.html +++ b/application/frontend/src/index.html @@ -1,10 +1,22 @@ <!DOCTYPE html> + <head> <meta charset="utf-8"> - <meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1, maximum-scale=1, user-scalable=no shrink-to-fit=no"> + <meta name="viewport" + content="width=device-width, initial-scale=1, minimum-scale=1, maximum-scale=1, user-scalable=no shrink-to-fit=no"> <title>CRE + + + +
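Review bot: The added `<!-- ... -->` comment and inline `<script>` block sit inside the JSX returned by `Header`, where HTML comments are not valid syntax and `{dataLayer.push(arguments);}` is read as a JSX expression rather than script text. So this is unlikely to compile, and a script element rendered by React would not be executed the way a tag in the static page is. I would load the tag from the HTML entry page instead. If a comment is kept in the component, it should be written as `{/* Global site tag (gtag.js) - Google Analytics */}`. The script is third-party code running with full access to the page, so it is worth a line in the description on which Content-Security-Policy sources it needs; `Header`'s body starts and ends outside this hunk.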
- + \ No newline at end of file diff --git a/application/frontend/src/scaffolding/Header/Header.tsx b/application/frontend/src/scaffolding/Header/Header.tsx index 11509d917..ad3c2eda5 100644 --- a/application/frontend/src/scaffolding/Header/Header.tsx +++ b/application/frontend/src/scaffolding/Header/Header.tsx @@ -39,15 +39,6 @@ export const Header = () => { return (
- - - {links.map(({ to, name }) => ( Date: Sun, 3 Apr 2022 23:52:52 +0100 Subject: [PATCH 22/26] Make db ids UUID (#191) * make migrations a bit more resilient when run locally * foreign key cascades * make database ids uuid4 * lint --- Makefile | 8 + application/cmd/cre_main.py | 8 +- application/database/db.py | 35 +- .../0d267ae11945_make_database_ids_be_uuid.py | 300 ++++++++++++++++++ ...27871a6_change_standards_table_to_nodes.py | 18 +- ...f052a44ea_add_cascades_for_foreign_keys.py | 87 +++++ .../versions/7a17989aa1e3_first_migration.py | 32 +- 7 files changed, 454 insertions(+), 34 deletions(-) create mode 100644 migrations/versions/0d267ae11945_make_database_ids_be_uuid.py create mode 100644 migrations/versions/455f052a44ea_add_cascades_for_foreign_keys.py diff --git a/Makefile b/Makefile index 85ee61b67..1620fe3de 100644 --- a/Makefile +++ b/Makefile @@ -55,11 +55,19 @@ clean: find . -type f -name '*.orig' -delete migrate-upgrade: + if ! [ -f "standards_cache.sqlite" ]; then cp cres/db.sqlite standards_cache.sqlite; fi [ -d "./venv" ] && . ./venv/bin/activate export FLASK_APP=$(CURDIR)/cre.py flask db upgrade + migrate-downgrade: [ -d "./venv" ] && . ./venv/bin/activate export FLASK_APP=$(CURDIR)/cre.py flask db downgrade + +import-all: + [ -d "./venv" ] && . ./venv/bin/activate + export FLASK_APP=$(CURDIR)/cre.py + python cre.py --zap_in --cheatsheets_in --github_tools_in --add --from_spreadsheet https://docs.google.com/spreadsheets/d/1eZOEYgts7d_-Dr-1oAbogPfzBLh6511b58pX3b59kvg/edit#gid=260321921 + all: clean lint test dev dev-run diff --git a/application/cmd/cre_main.py b/application/cmd/cre_main.py index 5ed9e699d..444cd54b4 100644 --- a/application/cmd/cre_main.py +++ b/application/cmd/cre_main.py 
@@ -363,16 +363,16 @@ def run(args: argparse.Namespace) -> None: elif args.osib_out: export_to_osib(file_loc=args.osib_out, cache=args.cache_file) - elif args.zap_in: + if args.zap_in: zap_alerts_parser.parse_zap_alerts(db_connect(args.cache_file)) - elif args.cheatsheets_in: + if args.cheatsheets_in: cheatsheets_parser.parse_cheatsheets(db_connect(args.cache_file)) - elif args.github_tools_in: + if args.github_tools_in: for url in misc_tools_parser.tool_urls: misc_tools_parser.parse_tool( cache=db_connect(args.cache_file), tool_repo=url ) - elif args.owasp_proj_meta: + if args.owasp_proj_meta: owasp_metadata_to_cre(args.owasp_proj_meta) diff --git a/application/database/db.py b/application/database/db.py index 3c006fffe..5fa98418b 100644 --- a/application/database/db.py +++ b/application/database/db.py @@ -11,6 +11,7 @@ from flask_sqlalchemy.model import DefaultMeta from sqlalchemy import func from sqlalchemy.sql.expression import desc # type: ignore +import uuid from .. import sqla # type: ignore @@ -22,10 +23,14 @@ BaseModel: DefaultMeta = sqla.Model +def generate_uuid(): + return str(uuid.uuid4()) + + class Node(BaseModel): # type: ignore __tablename__ = "node" - id = sqla.Column(sqla.Integer, primary_key=True) + id = sqla.Column(sqla.String, primary_key=True, default=generate_uuid) # ASVS or standard name, what are we linking to name = sqla.Column(sqla.String) # which part of are we linking to @@ -55,7 +60,7 @@ class Node(BaseModel): # type: ignore class CRE(BaseModel): # type: ignore __tablename__ = "cre" - id = sqla.Column(sqla.Integer, primary_key=True) + id = sqla.Column(sqla.String, primary_key=True, default=generate_uuid) external_id = sqla.Column(sqla.String, default="") description = sqla.Column(sqla.String, default="") 
@@ -72,8 +77,16 @@ class InternalLinks(BaseModel): # type: ignore __tablename__ = "cre_links" type = sqla.Column(sqla.String, default="SAME") - group = sqla.Column(sqla.Integer, sqla.ForeignKey("cre.id"), primary_key=True) - cre = sqla.Column(sqla.Integer, sqla.ForeignKey("cre.id"), primary_key=True) + group = sqla.Column( + sqla.String, + sqla.ForeignKey("cre.id", onupdate="CASCADE", ondelete="CASCADE"), + primary_key=True, + ) + cre = sqla.Column( + sqla.String, + sqla.ForeignKey("cre.id", onupdate="CASCADE", ondelete="CASCADE"), + primary_key=True, + ) __table_args__ = ( sqla.UniqueConstraint( group, @@ -86,9 +99,17 @@ class InternalLinks(BaseModel): # type: ignore class Links(BaseModel): # type: ignore __tablename__ = "cre_node_links" - type = sqla.Column(sqla.String, default="SAM") - cre = sqla.Column(sqla.Integer, sqla.ForeignKey("cre.id"), primary_key=True) - node = sqla.Column(sqla.Integer, sqla.ForeignKey("node.id"), primary_key=True) + type = sqla.Column(sqla.String, default="SAME") + cre = sqla.Column( + sqla.String, + sqla.ForeignKey("cre.id", onupdate="CASCADE", ondelete="CASCADE"), + primary_key=True, + ) + node = sqla.Column( + sqla.String, + sqla.ForeignKey("node.id", onupdate="CASCADE", ondelete="CASCADE"), + primary_key=True, + ) __table_args__ = ( sqla.UniqueConstraint( cre, diff --git a/migrations/versions/0d267ae11945_make_database_ids_be_uuid.py b/migrations/versions/0d267ae11945_make_database_ids_be_uuid.py new file mode 100644 index 000000000..35b187480 --- /dev/null +++ b/migrations/versions/0d267ae11945_make_database_ids_be_uuid.py 
@@ -0,0 +1,300 @@ +"""make database ids be uuid instead of incremental ints + +Revision ID: 0d267ae11945 +Revises: 455f052a44ea +Create Date: 2022-04-03 16:05:31.487481 + +""" +from alembic import op +import sqlalchemy as sa +from sqlalchemy import engine_from_config, text +from application.database.db import generate_uuid +from random import randint + +# revision identifiers, used by Alembic. +revision = "0d267ae11945" +down_revision = "455f052a44ea" +branch_labels = None +depends_on = None +temp_table_number = randint(1, 100) + + +def copy_tables(cre_table, node_table, cre_link_table, cre_node_link_table): + config = op.get_context().config + engine = engine_from_config( + config.get_section(config.config_ini_section), prefix="sqlalchemy." + ) + connection = op.get_bind() + nodes = connection.execute( + "Select id,name,section,subsection,link,ntype,tags,version,description from node" + ) + nodes_data = nodes.fetchall() if nodes else [] + + cre = connection.execute("Select id,name,description,external_id,tags from cre") + cre_data = cre.fetchall() if cre else [] + + cre_link = connection.execute('Select type, "group" ,cre from cre_links') + cre_link_data = cre_link.fetchall() if cre_link else [] + + cre_node_link = connection.execute("Select type, cre, node from cre_node_links") + cre_node_link_data = cre_node_link.fetchall() if cre_node_link else [] + + nodes = [ + { + "id": dat[0], + "name": dat[1], + "section": dat[2], + "subsection": dat[3], + "link": dat[4], + "ntype": dat[5], + "tags": dat[6], + "version": dat[7], + "description": dat[8], + } + for dat in nodes_data + ] + cres = [ + { + "id": dat[0], + "name": dat[1], + "description": dat[2], + "external_id": dat[3], + "tags": dat[4], + } + for dat in cre_data + ] + cre_links = [ + {"type": dat[0], "group": dat[1], "cre": dat[2]} for dat in cre_link_data + ] + + cre_node_links = [ + {"type": dat[0], "cre": dat[1], "node": dat[2]} for dat in cre_node_link_data + ] + + op.bulk_insert(cre_table, cres) + 
op.bulk_insert(node_table, nodes) + op.bulk_insert(cre_link_table, cre_links) + op.bulk_insert(cre_node_link_table, cre_node_links) + + +def update_ids_to_uuid(): + config = op.get_context().config + engine = engine_from_config( + config.get_section(config.config_ini_section), prefix="sqlalchemy." + ) + connection = op.get_bind() + + nodes = connection.execute(f"Select id from node{temp_table_number}") + nodes_data = nodes.fetchall() if nodes else [] + + cre = connection.execute(f"Select id from cre{temp_table_number}") + cre_data = cre.fetchall() if cre else [] + + for id in nodes_data: + node_uuid = generate_uuid() + connection.execute( + f"UPDATE node{temp_table_number} set id='{node_uuid}' WHERE id={id[0]}" + ) + connection.execute( + f"UPDATE cre_node_links{temp_table_number} set node='{node_uuid}' WHERE node={id[0]}" + ) + + for id in cre_data: + cre_uuid = generate_uuid() + connection.execute( + f"UPDATE cre{temp_table_number} set id='{cre_uuid}' WHERE id={id[0]}" + ) + connection.execute( + f"UPDATE cre_links{temp_table_number} set cre='{cre_uuid}' WHERE cre={id[0]}" + ) + connection.execute( + f'UPDATE cre_links{temp_table_number} set "group"=\'{cre_uuid}\' WHERE "group"={id[0]}' + ) + connection.execute( + f'UPDATE cre_node_links{temp_table_number} set "cre"=\'{cre_uuid}\' WHERE "cre"={id[0]}' + ) + + +def downgrade_uuid_to_id(): + config = op.get_context().config + engine = engine_from_config( + config.get_section(config.config_ini_section), prefix="sqlalchemy." 
+ ) + connection = op.get_bind() + nodes = connection.execute("Select id from node") + nodes_data = nodes.fetchall() if nodes else [] + + cre = connection.execute("Select id from cre") + cre_data = cre.fetchall() if cre else [] + + node_id = 1 + for id in nodes_data: + connection.execute( + f"UPDATE node{temp_table_number} set id='{node_id}' WHERE id='{id[0]}'" + ) + connection.execute( + f"UPDATE cre_node_links set node{temp_table_number}='{node_id}' WHERE node='{id[0]}'" + ) + node_id = node_id + 1 + + cre_id = 1 + for id in cre_data: + connection.execute( + f"UPDATE cre{temp_table_number} set id='{cre_id}' WHERE id='{id[0]}'" + ) + connection.execute( + f"UPDATE cre_links{temp_table_number} set cre='{cre_id}' WHERE cre='{id[0]}'" + ) + connection.execute( + f"UPDATE cre_links{temp_table_number} set \"group\"='{cre_id}' WHERE \"group\"='{id[0]}'" + ) + connection.execute( + f"UPDATE cre_node_links{temp_table_number} set \"cre\"='{cre_id}' WHERE \"cre\"='{id[0]}'" + ) + cre_id = cre_id + 1 + + +def create_tmp_tables(id_datatype): + cre2 = op.create_table( + f"cre{temp_table_number}", + sa.Column("id", id_datatype, primary_key=True), + sa.Column("external_id", sa.String(), nullable=True), + sa.Column("description", sa.String(), nullable=True), + sa.Column("name", sa.String(), nullable=True), + sa.Column("tags", sa.String(), nullable=True), + ) + node2 = op.create_table( + f"node{temp_table_number}", + sa.Column("id", id_datatype, primary_key=True), + sa.Column("name", sa.String()), + sa.Column("section", sa.String(), nullable=True), + sa.Column("subsection", sa.String()), + sa.Column("tags", sa.String()), + sa.Column("version", sa.String()), + sa.Column("description", sa.String()), + sa.Column("ntype", sa.String()), + sa.Column("link", sa.String()), + ) + cre_links2 = op.create_table( + f"cre_links{temp_table_number}", + sa.Column("type", sa.String()), + sa.Column( + "group", + id_datatype, + sa.ForeignKey( + f"cre{temp_table_number}.id", onupdate="CASCADE", 
ondelete="CASCADE" + ), + primary_key=True, + ), + sa.Column( + "cre", + id_datatype, + sa.ForeignKey( + f"cre{temp_table_number}.id", onupdate="CASCADE", ondelete="CASCADE" + ), + primary_key=True, + ), + ) + cre_node_links2 = op.create_table( + f"cre_node_links{temp_table_number}", + sa.Column("type", sa.String()), + sa.Column( + "cre", + id_datatype, + sa.ForeignKey( + f"cre{temp_table_number}.id", onupdate="CASCADE", ondelete="CASCADE" + ), + primary_key=True, + ), + sa.Column( + "node", + id_datatype, + sa.ForeignKey( + f"node{temp_table_number}.id", onupdate="CASCADE", ondelete="CASCADE" + ), + primary_key=True, + ), + ) + return cre2, node2, cre_links2, cre_node_links2 + + +def drop_old_tables(): + op.drop_table("cre_links") + op.drop_table("cre_node_links") + op.drop_table("cre") + op.drop_table("node") + + +def cleanup(): + # op.drop_table("cre_links2") + # op.drop_table("cre_node_links2") + # op.drop_table("cre2") + # op.drop_table("node2") + pass + + +def rename_tables(): + op.rename_table(f"cre{temp_table_number}", "cre") + op.rename_table(f"node{temp_table_number}", "node") + op.rename_table(f"cre_links{temp_table_number}", "cre_links") + op.rename_table(f"cre_node_links{temp_table_number}", "cre_node_links") + + +def add_constraints(): + with op.batch_alter_table("cre") as batch_op: + batch_op.create_unique_constraint( + columns=["name", "external_id"], constraint_name="unique_cre_fields" + ) + + with op.batch_alter_table("node") as batch_op: + batch_op.create_unique_constraint( + columns=[ + "name", + "section", + "subsection", + "ntype", + "description", + "version", + ], + constraint_name="uq_node", + ) + with op.batch_alter_table("cre_links") as batch_op: + batch_op.create_unique_constraint( + columns=["group", "cre"], constraint_name="uq_cre_link_pair" + ) + with op.batch_alter_table("cre_node_links") as batch_op: + batch_op.create_unique_constraint( + columns=["cre", "node"], + constraint_name="uq_cre_node_link_pair", + ) + + +# WARNING: The 
following recreates the entire DB, hence will be relatively slow for big databases +# Necessary since we are changing all primary and foreign keys +def upgrade(): + cre2, node2, cre_links2, cre_node_links2 = create_tmp_tables(sa.String()) + copy_tables( + cre_table=cre2, + node_table=node2, + cre_link_table=cre_links2, + cre_node_link_table=cre_node_links2, + ) + update_ids_to_uuid() + drop_old_tables() + rename_tables() + add_constraints() + + +def downgrade(): + cleanup() + cre2, node2, cre_links2, cre_node_links2 = create_tmp_tables(sa.Integer()) + copy_tables( + cre_table=cre2, + node_table=node2, + cre_link_table=cre_links2, + cre_node_link_table=cre_node_links2, + ) + downgrade_uuid_to_id() + drop_old_tables() + rename_tables() + add_constraints() diff --git a/migrations/versions/3c65127871a6_change_standards_table_to_nodes.py b/migrations/versions/3c65127871a6_change_standards_table_to_nodes.py index 21437ce41..2a75e1b35 100644 --- a/migrations/versions/3c65127871a6_change_standards_table_to_nodes.py +++ b/migrations/versions/3c65127871a6_change_standards_table_to_nodes.py @@ -23,9 +23,10 @@ def migrate_data_between_standards_and_node(new_table, old_table_name): config.get_section(config.config_ini_section), prefix="sqlalchemy." ) connection = op.get_bind() - standards_data = connection.execute( + standards = connection.execute( f"Select id,name,section,subsection,link from {old_table_name}" - ).fetchall() + ) + standards_data = standards.fetchall() if standards else [] if old_table_name == "standard": nodes = [ { 
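Review bot: In `downgrade_uuid_to_id` the first link update puts the temp suffix on the column instead of the table (`UPDATE cre_node_links set node{temp_table_number}=...`), so the downgrade would fail or touch the live table. It should read `f"UPDATE cre_node_links{temp_table_number} set node='{node_id}' WHERE node='{id[0]}'"`, matching the other statements. The suffix comes from `randint(1, 100)` and `cleanup()` is a no-op, so a failed run leaves `cre<N>`-style tables behind that a later run can collide with; a fixed suffix plus a real drop in `cleanup()` would make the migration repeatable. The statements are also built with f-strings; the values here are database ids and generated UUIDs, but `text()` is already imported and bound parameters would keep quoting out of the SQL. `engine` is assigned in three functions and never used.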
@@ -63,9 +64,10 @@ def migrate_data_between_links_and_cre_node_links( config.get_section(config.config_ini_section), prefix="sqlalchemy." ) connection = op.get_bind() - links_data = connection.execute( + links = connection.execute( f"Select type,cre,{standard_column_name} from {old_table_name}" - ).fetchall() + ) + links_data = links.fetchall() if links else [] cre_node_links = [ {"type": dat[0], "cre": dat[1], new_column_name: dat[2]} for dat in links_data ] @@ -131,15 +133,17 @@ def downgrade(): standard = op.create_table( "standard", - sa.Column("id", sa.INTEGER(), nullable=False), + sa.Column("id", sa.INTEGER(), primary_key=True), sa.Column("name", sa.VARCHAR(), nullable=True), sa.Column("section", sa.VARCHAR(), nullable=False), sa.Column("subsection", sa.VARCHAR(), nullable=True), sa.Column("tags", sa.VARCHAR(), nullable=True), sa.Column("version", sa.VARCHAR(), nullable=True), sa.Column("link", sa.VARCHAR(), nullable=True), - sa.PrimaryKeyConstraint("id", name="pk_standard"), - sa.UniqueConstraint("name", "section", "subsection", name="standard_section"), + sa.UniqueConstraint( + columns=["name", "section", "subsection"], + constraint_name="standard_section", + ), ) links = op.create_table( "links", diff --git a/migrations/versions/455f052a44ea_add_cascades_for_foreign_keys.py b/migrations/versions/455f052a44ea_add_cascades_for_foreign_keys.py new file mode 100644 index 000000000..614820b66 --- /dev/null +++ b/migrations/versions/455f052a44ea_add_cascades_for_foreign_keys.py 
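Review bot: In the `downgrade()` hunk, `sa.UniqueConstraint(columns=[...], constraint_name="standard_section")` uses the keyword names of Alembic's `create_unique_constraint`, not of SQLAlchemy's `UniqueConstraint`. As far as I can tell, `UniqueConstraint` takes the column names positionally plus `name=`, and rejects other keywords unless they are dialect-prefixed, so this would raise when the downgrade builds the `standard` table. I would keep the earlier form, `sa.UniqueConstraint("name", "section", "subsection", name="standard_section")`. The `downgrade()` body continues outside this hunk, so the remaining `create_table` calls are not covered here.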
@@ -0,0 +1,87 @@ +"""add cascades for foreign keys + +Revision ID: 455f052a44ea +Revises: 3c65127871a6 +Create Date: 2022-04-03 17:40:00.616539 + +""" +from alembic import op +import sqlalchemy as sa + + +# revision identifiers, used by Alembic. +revision = "455f052a44ea" +down_revision = "3c65127871a6" +branch_labels = None +depends_on = None + + +def upgrade(): + # ### commands auto generated by Alembic - please adjust! ### + with op.batch_alter_table("cre_links", schema=None) as batch_op: + batch_op.drop_constraint("fk_crelinks_group_cre", type_="foreignkey") + batch_op.drop_constraint("fk_crelinks_cre_cre", type_="foreignkey") + batch_op.create_foreign_key( + batch_op.f("fk_cre_links_group_cre"), + "cre", + ["group"], + ["id"], + onupdate="CASCADE", + ondelete="CASCADE", + ) + batch_op.create_foreign_key( + batch_op.f("fk_cre_links_cre_cre"), + "cre", + ["cre"], + ["id"], + onupdate="CASCADE", + ondelete="CASCADE", + ) + + with op.batch_alter_table("cre_node_links", schema=None) as batch_op: + batch_op.drop_constraint("fk_cre_node_links_cre_cre", type_="foreignkey") + batch_op.drop_constraint("fk_cre_node_links_node_node", type_="foreignkey") + batch_op.create_foreign_key( + batch_op.f("fk_cre_node_links_cre_cre"), + "cre", + ["cre"], + ["id"], + onupdate="CASCADE", + ondelete="CASCADE", + ) + batch_op.create_foreign_key( + batch_op.f("fk_cre_node_links_node_node"), + "node", + ["node"], + ["id"], + onupdate="CASCADE", + ondelete="CASCADE", + ) + + # ### end Alembic commands ### + + +def downgrade(): + # ### commands auto generated by Alembic - please adjust! 
### + + with op.batch_alter_table("cre_node_links", schema=None) as batch_op: + batch_op.drop_constraint( + batch_op.f("fk_cre_node_links_node_node"), type_="foreignkey" + ) + batch_op.drop_constraint( + batch_op.f("fk_cre_node_links_cre_cre"), type_="foreignkey" + ) + batch_op.create_foreign_key( + "fk_cre_node_links_node_node", "node", ["node"], ["id"] + ) + batch_op.create_foreign_key("fk_cre_node_links_cre_cre", "cre", ["cre"], ["id"]) + + with op.batch_alter_table("cre_links", schema=None) as batch_op: + batch_op.drop_constraint(batch_op.f("fk_cre_links_cre_cre"), type_="foreignkey") + batch_op.drop_constraint( + batch_op.f("fk_cre_links_group_cre"), type_="foreignkey" + ) + batch_op.create_foreign_key("fk_crelinks_cre_cre", "cre", ["cre"], ["id"]) + batch_op.create_foreign_key("fk_crelinks_group_cre", "cre", ["group"], ["id"]) + + # ### end Alembic commands ### diff --git a/migrations/versions/7a17989aa1e3_first_migration.py b/migrations/versions/7a17989aa1e3_first_migration.py index 7f4fdfb07..611359a1f 100644 --- a/migrations/versions/7a17989aa1e3_first_migration.py +++ b/migrations/versions/7a17989aa1e3_first_migration.py 
@@ -43,30 +43,30 @@ def upgrade(): op.create_table( "crelinks", sa.Column("type", sa.String(), nullable=True), - sa.Column("group", sa.Integer(), nullable=False), - sa.Column("cre", sa.Integer(), nullable=False), - sa.ForeignKeyConstraint( - ["cre"], - ["cre.id"], + sa.Column( + "group", + sa.Integer(), + sa.ForeignKey("cre.id", onupdate="CASCADE", ondelete="CASCADE"), ), - sa.ForeignKeyConstraint( - ["group"], - ["cre.id"], + sa.Column( + "cre", + sa.Integer(), + sa.ForeignKey("cre.id", onupdate="CASCADE", ondelete="CASCADE"), ), sa.PrimaryKeyConstraint("group", "cre"), ) op.create_table( "links", sa.Column("type", sa.String(), nullable=True), - sa.Column("cre", sa.Integer(), nullable=False), - sa.Column("standard", sa.Integer(), nullable=False), - sa.ForeignKeyConstraint( - ["cre"], - ["cre.id"], + sa.Column( + "cre", + sa.Integer(), + sa.ForeignKey("cre.id", onupdate="CASCADE", ondelete="CASCADE"), ), - sa.ForeignKeyConstraint( - ["standard"], - ["standard.id"], + sa.Column( + "standard", + sa.Integer(), + sa.ForeignKey("standard.id", onupdate="CASCADE", ondelete="CASCADE"), ), sa.PrimaryKeyConstraint("cre", "standard"), ) From 2cb5310af63f0acedd3659f689c47f9a3a34e7a3 Mon Sep 17 00:00:00 2001 From: Spyros Date: Sun, 10 Apr 2022 22:59:27 +0100 Subject: [PATCH 23/26] coverage improvements (#198) --- application/cmd/cre_main.py | 10 +---- application/tests/cre_main_test.py | 59 +++++++++++++++++++----------- cre.py | 7 +++- 3 files changed, 45 insertions(+), 31 deletions(-) diff --git a/application/cmd/cre_main.py b/application/cmd/cre_main.py index 444cd54b4..ed1a6be51 100644 --- a/application/cmd/cre_main.py +++ b/application/cmd/cre_main.py 
@@ -89,18 +89,12 @@ def register_cre(cre: defs.CRE, collection: db.Node_collection) -> db.CRE: collection.add_internal_link( dbcre, register_cre(link.document, collection), type=link.ltype ) - elif type(link.document) == defs.Standard: + else: collection.add_link( cre=dbcre, node=register_node(node=link.document, collection=collection), type=link.ltype, ) - elif type(link.document) == defs.Tool: - collection.add_link( - cre=dbcre, - tool=register_tool(tool=link.document, collection=collection), - type=link.ltype, - ) return dbcre @@ -327,7 +321,7 @@ def print_graph() -> None: raise NotImplementedError -def run(args: argparse.Namespace) -> None: +def run(args: argparse.Namespace) -> None: # pragma: no cover script_path = os.path.dirname(os.path.realpath(__file__)) os.path.join(script_path, "../cres") diff --git a/application/tests/cre_main_test.py b/application/tests/cre_main_test.py index a2ac238cd..f0447c7ac 100644 --- a/application/tests/cre_main_test.py +++ b/application/tests/cre_main_test.py @@ -39,6 +39,7 @@ def test_register_node_with_links(self) -> None: id="", description="", name="standard_with_links", + section="Standard With Links", links=[ defs.Link( document=defs.Standard( @@ -54,9 +55,15 @@ def test_register_node_with_links(self) -> None: name="CodemcCodeFace", ) ), + defs.Link( + document=defs.Tool( + description="awesome hacking tool", + name="ToolmcToolFace", + ) + ), ], - section="Standard With Links", ) + ret = main.register_node(node=standard_with_links, collection=self.collection) # assert returned value makes sense self.assertEqual(ret.name, "standard_with_links") 
@@ -68,46 +75,51 @@ def test_register_node_with_links(self) -> None: self.assertIsNone(thing.cre) self.assertEqual(self.collection.session.query(db.Links).all(), []) - # 3 cre-less nodes in the db - self.assertEqual(len(self.collection.session.query(db.Node).all()), 3) + + # 4 cre-less nodes in the db + self.assertEqual(len(self.collection.session.query(db.Node).all()), 4) def test_register_node_with_cre(self) -> None: + known_standard_with_cre = defs.Standard( + name="CWE", + section="598", + links=[ + defs.Link(document=defs.CRE(id="101-202", name="crename")), + ], + ) standard_with_cre = defs.Standard( - doctype=defs.Credoctypes.Standard, id="", description="", name="standard_with_cre", links=[ - defs.Link( - document=defs.CRE( - doctype=defs.Credoctypes.CRE, - id="101-202", - description="cre desc", - name="crename", - links=[], - tags=[], - metadata={}, - ) - ), defs.Link( document=defs.Tool( - doctype=defs.Credoctypes.Tool, tooltype=defs.ToolTypes.Offensive, name="zap", ) ), + defs.Link( + document=defs.Standard( + name="CWE", + section="598", + links=[ + defs.Link(document=defs.CRE(id="101-202", name="crename")), + ], + ) + ), ], section="standard_with_cre", ) + main.register_node(node=known_standard_with_cre, collection=self.collection) main.register_node(node=standard_with_cre, collection=self.collection) # assert db structure makes sense self.assertEqual( - len(self.collection.session.query(db.Links).all()), 2 - ) # 2 links in the db + len(self.collection.session.query(db.Links).all()), 3 + ) # 3 links in the db self.assertEqual( - len(self.collection.session.query(db.Node).all()), 2 - ) # 2 standards in the db + len(self.collection.session.query(db.Node).all()), 3 + ) # 3 standards in the db self.assertEqual( len(self.collection.session.query(db.CRE).all()), 1 ) # 1 cre in the db 
@@ -181,16 +193,16 @@ def test_register_standard_with_groupped_cre_links(self) -> None: def test_register_cre(self) -> None: standard = defs.Standard( - doctype=defs.Credoctypes.Standard, name="ASVS", section="SESSION-MGT-TOKEN-DIRECTIVES-DISCRETE-HANDLING", subsection="3.1.1", ) + tool = defs.Tool(name="Tooly", tooltype=defs.ToolTypes.Defensive) cre = defs.CRE( id="100", description="CREdesc", name="CREname", - links=[defs.Link(document=standard)], + links=[defs.Link(document=standard), defs.Link(document=tool)], tags=["CREt1", "CREt2"], metadata={"tags": ["CREl1", "CREl2"]}, ) @@ -199,6 +211,9 @@ def test_register_cre(self) -> None: self.assertEqual( len(self.collection.session.query(db.CRE).all()), 1 ) # 1 cre in the db + self.assertEqual( + len(self.collection.session.query(db.Node).all()), 2 + ) # 2 nodes in the db def test_parse_file(self) -> None: file: List[Dict[str, Any]] = [ diff --git a/cre.py b/cre.py index fec0b945c..27ff3b849 100644 --- a/cre.py +++ b/cre.py @@ -9,7 +9,6 @@ from flask_migrate import Migrate # type: ignore from application import create_app, sqla # type: ignore -from application.cmd import cre_main # Hacky solutions to make this both a command line application with argparse and a flask application @@ -34,6 +33,9 @@ def test(cover: coverage.Coverage, test_names: List[str]) -> None: config_file="application/tests/.coveragerc", ) COV.start() + # Hack to get coverage to cover method and class defs + from application import create_app, sqla # type: ignore + from application.cmd import cre_main if test_names: tests = unittest.TestLoader().loadTestsFromNames(test_names) @@ -131,6 +133,9 @@ def main() -> None: help="import supported github tools, urls can be found in misc_tools_parser.py", ) args = parser.parse_args() + + from application.cmd import cre_main + cre_main.run(args) From 8ecd747735fa71e156cd3d85d7c0211f17dd0123 Mon Sep 17 00:00:00 2001 
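Review bot: In `test()` in cre.py, the added `from application import create_app, sqla` after `COV.start()` is unlikely to change what coverage measures, because the same import still runs at module level (it remains as a context line in the first cre.py hunk) and the second one is served from `sys.modules`. Only `from application.cmd import cre_main` is actually deferred, and even that is already loaded if importing `application` pulls it in. If definition lines must be counted, coverage has to start before cre.py imports the package; otherwise drop the duplicate line and reword the comment to `# import after COV.start() so cre_main's definitions are measured`. The body of `test()` continues outside the hunk.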
From: Spyros Date: Tue, 12 Apr 2022 19:46:48 +0100 Subject: [PATCH 24/26] Improve coverage (#199) * coverage improvements * add zap parser tests, start on adding alerts tags parsing * add cheatsheet parser tests * made zap parser also recognise top10 tags --- .../cheatsheets_parser.py | 17 +++--- .../zap_alerts_parser.py | 53 +++++++++++++++---- 2 files changed, 53 insertions(+), 17 deletions(-) diff --git a/application/utils/external_project_parsers/cheatsheets_parser.py b/application/utils/external_project_parsers/cheatsheets_parser.py index f105fd898..405126a7f 100644 --- a/application/utils/external_project_parsers/cheatsheets_parser.py +++ b/application/utils/external_project_parsers/cheatsheets_parser.py @@ -18,13 +18,18 @@ def cheatsheet(section: str, hyperlink: str, tags: List[str]) -> defs.Standard: def parse_cheatsheets(cache: db.Node_collection): c_repo = "https://github.com/OWASP/CheatSheetSeries.git" - cheasheets_path = "cheatsheets/" + cheatsheets_path = "cheatsheets/" + repo = git.clone(c_repo) + register_cheatsheets(repo=repo, cache=cache, cheatsheets_path=cheatsheets_path) + + +def register_cheatsheets(cache: db.Node_collection, repo, cheatsheets_path, repo_path): + title_regexp = r"# (?P.+)" cre_link = r"(https://www\.)?opencre.org/cre/(?P<cre>\d+-\d+)" - repo = git.clone(c_repo) - files = os.listdir(os.path.join(repo.working_dir, cheasheets_path)) + files = os.listdir(os.path.join(repo.working_dir, cheatsheets_path)) for mdfile in files: - pth = os.path.join(repo.working_dir, cheasheets_path, mdfile) + pth = os.path.join(repo.working_dir, cheatsheets_path, mdfile) name = None tag = None section = None 
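Review bot: `parse_cheatsheets` calls `register_cheatsheets(repo=repo, cache=cache, cheatsheets_path=cheatsheets_path)`, but the new function declares a fourth required parameter, `repo_path`, so the call raises TypeError before any file is read. Pass it through, `register_cheatsheets(repo=repo, cache=cache, cheatsheets_path=cheatsheets_path, repo_path=c_repo)`; the following hunk already builds `hyperlink` from `repo_path`. `repo`, `cheatsheets_path` and `repo_path` are also unannotated while `cache` is typed, and a docstring should say that `repo` is a cloned working tree whose files are read from `repo.working_dir`. `register_cheatsheets` continues past the end of the hunk.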
@@ -39,9 +44,7 @@ def parse_cheatsheets(cache: db.Node_collection): name = title.group("title") cre_id = cre.group("cre") cres = cache.get_CREs(external_id=cre_id) - hyperlink = ( - f"{c_repo.replace('.git','')}/tree/master/{cheasheets_path}{mdfile}" - ) + hyperlink = f"{repo_path.replace('.git','')}/tree/master/{cheatsheets_path}{mdfile}" for dbcre in cres: cs = cheatsheet( section=name, diff --git a/application/utils/external_project_parsers/zap_alerts_parser.py b/application/utils/external_project_parsers/zap_alerts_parser.py index 8fbe02155..cf50d7b89 100644 --- a/application/utils/external_project_parsers/zap_alerts_parser.py +++ b/application/utils/external_project_parsers/zap_alerts_parser.py @@ -17,10 +17,10 @@ def zap_alert( name: str, id: str, description: str, tags: List[str], code: str ) -> defs.Tool: + tags.append(id) return defs.Tool( tooltype=defs.ToolTypes.Offensive, name=f"ZAP Rule: {name}", - id=id, description=description, tags=tags, hyperlink=code, @@ -30,14 +30,19 @@ def zap_alert( def parse_zap_alerts(cache: db.Node_collection): zaproxy_website = "https://github.com/zaproxy/zaproxy-website.git" alerts_path = "site/content/docs/alerts/" + repo = git.clone(zaproxy_website) + register_alerts(repo=repo, cache=cache, alerts_path=alerts_path) + + +def register_alerts(cache: db.Node_collection, repo: git.git, alerts_path: str): zap_md_cwe_regexp = r"cwe: ?(?P<cweId>\d+)" zap_md_title_regexp = r"title: ?(?P<title>\".+\")" zap_md_alert_id_regexp = r"alertid: ?(?P<id>\d+)" zap_md_alert_type_regexp = r"alerttype: ?(?P<type>\".+\")" zap_md_solution_regexp = r"solution: ?(?P<solution>\".+\")" zap_md_code_regexp = r"code: ?(?P<code>.+)" + zap_md_top10_regexp = r"OWASP_(?P<year>\d\d\d\d)_A(?P<num>\d\d?)" - repo = git.clone(zaproxy_website) for mdfile in os.listdir(os.path.join(repo.working_dir, alerts_path)): pth = os.path.join(repo.working_dir, alerts_path, mdfile) name = None 
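Review bot: `tags.append(id)` in `zap_alert` mutates the list the caller passed in, so a caller that reuses one list for several alerts would accumulate every alert id in it. Build a new list instead, `tags=[*tags, id]`, and leave the argument untouched. Since `id=id` is no longer passed to `defs.Tool`, the alert id now survives only as a tag; a one-line docstring saying so, `"""Build the Tool node for a ZAP alert; the alert id is stored as a tag."""`, would save the next reader from looking for it.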
@@ -72,20 +77,48 @@ def parse_zap_alerts(cache: db.Node_collection): ) continue cwe = re.search(zap_md_cwe_regexp, mdtext) + alert = zap_alert( + name=name, + id=externalId, + description=description, + tags=[tag], + code=code, + ) + dbnode = cache.add_node(alert) + + top10 = re.finditer(zap_md_top10_regexp, mdtext) + if top10: + for match in top10: + year = match.group("year") + num = match.group("num") + entries = cache.get_nodes(name=f"Top10 {year}", ntype="Standard") + entry = [e for e in entries if str(int(num)) in e.section] + if entry: + logger.info( + f"Found zap alert {name} linking to {entry[0].name}{entry[0].section}" + ) + for cre in [ + nl + for nl in entry[0].links + if nl.document.doctype == defs.Credoctypes.CRE + ]: + cache.add_link( + cre=db.dbCREfromCRE(cre.document), node=dbnode + ) + else: + logger.error( + f"Zap Alert {name} links to OWASP top 10 {year}:{num} but CRE doesn't know about it, incomplete data?" + ) if cwe: cweId = cwe.group("cweId") + logger.info(f"Found zap alert {name} linking to CWE {cweId}") cwe_nodes = cache.get_nodes(name="CWE", section=cweId) for node in cwe_nodes: for link in node.links: if link.document.doctype == defs.Credoctypes.CRE: - alert = zap_alert( - name=name, - id=externalId, - description=description, - tags=[tag], - code=code, - ) - dbnode = cache.add_node(alert) + cache.add_link( cre=db.dbCREfromCRE(link.document), node=dbnode ) + else: + logger.info(f"CWE id not found in alert {externalId}, skipping linking") From bf1ad2656a0d60ccb9a9e8917ec0e11b0fa95b4d Mon Sep 17 00:00:00 2001 From: Spyros <northdpole@users.noreply.github.com> Date: Tue, 12 Apr 2022 19:53:05 +0100 Subject: [PATCH 25/26] make zap alerts have the correct link type (#200) --- .../utils/external_project_parsers/zap_alerts_parser.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
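Review bot: The Top 10 lookup `entry = [e for e in entries if str(int(num)) in e.section]` is a substring test, so an alert tagged A1 also matches a section that merely contains the digit 1 (A10, for instance), and `entry[0]` can then link the alert to the wrong category's CREs. Match the category token instead, e.g. `entry = [e for e in entries if re.search(rf"\bA0?{int(num)}\b", e.section)]`, adjusted to however Top10 sections are actually written (not visible here). `if top10:` is always true because `re.finditer` returns an iterator, so that check can go. The loop sits inside `register_alerts`, whose start is outside this hunk.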
diff --git a/application/utils/external_project_parsers/zap_alerts_parser.py b/application/utils/external_project_parsers/zap_alerts_parser.py index cf50d7b89..94c6d0401 100644 --- a/application/utils/external_project_parsers/zap_alerts_parser.py +++ b/application/utils/external_project_parsers/zap_alerts_parser.py @@ -103,7 +103,9 @@ def register_alerts(cache: db.Node_collection, repo: git.git, alerts_path: str): if nl.document.doctype == defs.Credoctypes.CRE ]: cache.add_link( - cre=db.dbCREfromCRE(cre.document), node=dbnode + cre=db.dbCREfromCRE(cre.document), + node=dbnode, + type=defs.LinkTypes.LinkedTo, ) else: logger.error( @@ -118,7 +120,9 @@ def register_alerts(cache: db.Node_collection, repo: git.git, alerts_path: str): if link.document.doctype == defs.Credoctypes.CRE: cache.add_link( - cre=db.dbCREfromCRE(link.document), node=dbnode + cre=db.dbCREfromCRE(link.document), + node=dbnode, + type=defs.LinkTypes.LinkedTo, ) else: logger.info(f"CWE id not found in alert {externalId}, skipping linking") From 43b45024ed2ef1e5b1e9ded821b746d5eb7f6baa Mon Sep 17 00:00:00 2001 From: Spyros <northdpole@users.noreply.github.com> Date: Wed, 27 Apr 2022 17:27:30 +0100 Subject: [PATCH 26/26] Md export (#201) * added markdown export option for standards * lint * requirements --- application/tests/mdutils_test.py | 68 +++++++++++++++++++++++++++++++ application/utils/mdutils.py | 64 +++++++++++++++++++++++++++++ application/web/web_main.py | 17 +++++++- requirements.txt | 1 + 4 files changed, 149 insertions(+), 1 deletion(-) create mode 100644 application/tests/mdutils_test.py create mode 100644 application/utils/mdutils.py diff --git a/application/tests/mdutils_test.py b/application/tests/mdutils_test.py new file mode 100644 index 000000000..0e7b9e272 --- /dev/null +++ b/application/tests/mdutils_test.py 
@@ -0,0 +1,68 @@ +from application.utils import mdutils +from application.defs import cre_defs as defs +from pprint import pprint +import unittest +from application import create_app, sqla # type: ignore + + +class TestMdutilsParser(unittest.TestCase): + def tearDown(self) -> None: + self.app_context.pop() + + def setUp(self) -> None: + self.app = create_app(mode="test") + sqla.create_all(app=self.app) + self.app_context = self.app.app_context() + self.app_context.push() + + def test_cre_to_md(self) -> None: + standards = [ + defs.Standard( + name=f"sname", + section=f"section_{s}", + hyperlink=f"https://example.com/sname/{s}", + ) + for s in range(1, 10) + ] + standards2 = [ + defs.Standard( + name=f"sname_other", + section=f"section_{s}", + hyperlink=f"https://example.com/sname/{s}", + ) + for s in range(1, 10) + ] + cres = [ + defs.CRE(name=f"cname_{s}", description=f"description_{s}", id=f"000-00{s}") + for s in range(1, 10) + ] + tools = [ + defs.Tool( + name=f"tname_{s}", + tooltype=defs.ToolTypes.Training, + hyperlink=f"https://example.com/tnae/{s}", + ) + for s in range(1, 10) + ] + + for i in range(0, 9): + standards[i].add_link(defs.Link(document=cres[i])) + if not i % 2: + standards[i].add_link(defs.Link(document=tools[i])) + else: + standards[i].add_link(defs.Link(document=standards2[i])) + self.maxDiff = None + self.assertEqual(mdutils.cre_to_md(standards), self.result) + + result = """sname | CRE | tname_1 | sname_other | tname_3 | tname_5 | tname_7 | tname_9 +----- | --- | ------- | ----------- | ------- | ------- | ------- | ------- +[sname-section_1](https://example.com/sname/1) | [000-001-cname_1](https://www.opencre.org/cre/000-001) | [tname_1](https://example.com/tnae/1) | | | | | +[sname-section_2](https://example.com/sname/2) | [000-002-cname_2](https://www.opencre.org/cre/000-002) | | [sname_other-section_2](https://example.com/sname/2) | | | | +[sname-section_3](https://example.com/sname/3) | 
[000-003-cname_3](https://www.opencre.org/cre/000-003) | | | [tname_3](https://example.com/tnae/3) | | | +[sname-section_4](https://example.com/sname/4) | [000-004-cname_4](https://www.opencre.org/cre/000-004) | | [sname_other-section_4](https://example.com/sname/4) | | | | +[sname-section_5](https://example.com/sname/5) | [000-005-cname_5](https://www.opencre.org/cre/000-005) | | | | [tname_5](https://example.com/tnae/5) | | +[sname-section_6](https://example.com/sname/6) | [000-006-cname_6](https://www.opencre.org/cre/000-006) | | [sname_other-section_6](https://example.com/sname/6) | | | | +[sname-section_7](https://example.com/sname/7) | [000-007-cname_7](https://www.opencre.org/cre/000-007) | | | | | [tname_7](https://example.com/tnae/7) | +[sname-section_8](https://example.com/sname/8) | [000-008-cname_8](https://www.opencre.org/cre/000-008) | | [sname_other-section_8](https://example.com/sname/8) | | | | +[sname-section_9](https://example.com/sname/9) | [000-009-cname_9](https://www.opencre.org/cre/000-009) | | | | | | [tname_9](https://example.com/tnae/9) +""" diff --git a/application/utils/mdutils.py b/application/utils/mdutils.py new file mode 100644 index 000000000..569c9501f --- /dev/null +++ b/application/utils/mdutils.py 
@@ -0,0 +1,64 @@ +from python_markdown_maker import Table, links +from requests import head +from application.defs import cre_defs as defs +from typing import List +from pprint import pprint + + +def make_header(documents: List[defs.Document]) -> List[str]: + header = [] + for doc in documents: + name = "" + if doc.doctype == defs.Credoctypes.CRE: + name = "CRE" + else: + name = doc.name + if name not in header: + header.append(doc.name) + for link in doc.links: + lnkdoc = link.document + if lnkdoc.doctype == defs.Credoctypes.CRE: + name = "CRE" + else: + name = lnkdoc.name + if name not in header: + header.append(name) + return header + + +def cre_to_md(documents: List[defs.Document]) -> str: + header = make_header(documents) + result = Table(header) + + for doc in documents: + name = "" + if doc.doctype == defs.Credoctypes.CRE: + name = "CRE" + else: + name = doc.name + if name not in header: + header.append(doc.name) + + item = [" "] * len(header) + item[header.index(doc.name)] = links(doc.hyperlink, f"{doc.name}-{doc.section}") + for link in doc.links: + lnkdoc = link.document + if lnkdoc.doctype == defs.Credoctypes.CRE: + item[header.index("CRE")] = links( + f"https://www.opencre.org/cre/{lnkdoc.id}", + f"{lnkdoc.id} {lnkdoc.name}", + ) + elif lnkdoc.doctype == defs.Credoctypes.Standard: + item[header.index(lnkdoc.name)] = links( + lnkdoc.hyperlink, f"{lnkdoc.name}-{lnkdoc.section}" + ) + elif lnkdoc.doctype == defs.Credoctypes.Tool: + item[header.index(lnkdoc.name)] = links( + lnkdoc.hyperlink, f"{lnkdoc.name}" + ) + elif lnkdoc.doctype == defs.Credoctypes.Code: + item[header.index(lnkdoc.name)] = links( + lnkdoc.hyperlink, f"{lnkdoc.name}" + ) + result.add_item(item) + return result.render() diff --git a/application/web/web_main.py b/application/web/web_main.py index efcc10908..b656f349e 100644 --- a/application/web/web_main.py +++ b/application/web/web_main.py 
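Review bot: In `make_header` the membership test uses `name` but the append uses `doc.name` (`if name not in header: header.append(doc.name)`), and `cre_to_md` repeats the same pair after `Table(header)` has already been built. For a top-level CRE document this tests "CRE" while storing the CRE's own name, so with a list of CREs (as `find_root_cres` passes) a later document can be left out of the header and `header.index(doc.name)` raises ValueError. Make the test and the append agree, `if doc.name not in header: header.append(doc.name)`, and drop the append inside `cre_to_md`, since a column added after the table is created may never reach its header row. `cre_to_md` also reads `doc.section` and `doc.hyperlink` on every top-level document, which presumably are missing or empty on a CRE. `from requests import head` and `pprint` are unused.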
@@ -9,6 +9,7 @@ from application.database import db from application.defs import cre_defs as defs from application.defs import osib_defs as odefs +from application.utils import mdutils from flask import ( Blueprint, abort, @@ -49,7 +50,7 @@ def find_cre(creid: str = None, crename: str = None) -> Any: # refer database = db.Node_collection() include_only = request.args.getlist("include_only") opt_osib = request.args.get("osib") - + opt_md = request.args.get("format_md") cres = database.get_CREs(external_id=creid, name=crename, include_only=include_only) if cres: if len(cres) > 1: @@ -60,6 +61,8 @@ def find_cre(creid: str = None, crename: str = None) -> Any: # refer # cre = extend_cre_with_tag_links(cre=cre, collection=database) if opt_osib: result["osib"] = odefs.cre2osib([cre]).todict() + if opt_md: + return mdutils.cre_to_md([cre]) return jsonify(result) abort(404) @@ -72,6 +75,7 @@ def find_node_by_name(name: str, ntype: str = defs.Credoctypes.Standard.value) - opt_section = request.args.get("section") opt_osib = request.args.get("osib") opt_version = request.args.get("version") + opt_mdformat = request.args.get("format_md") if opt_section: opt_section = urllib.parse.unquote(opt_section) opt_subsection = request.args.get("subsection") @@ -105,6 +109,8 @@ def find_node_by_name(name: str, ntype: str = defs.Credoctypes.Standard.value) - result["total_pages"] = total_pages result["page"] = page if nodes: + if opt_mdformat: + return mdutils.cre_to_md(nodes) if opt_osib: result["osib"] = odefs.cre2osib(nodes).todict() res = [node.todict() for node in nodes] 
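Review bot: `return mdutils.cre_to_md([cre])` in `find_cre` hands Flask a bare string, which it serves as `text/html`. Nothing visible in `mdutils.cre_to_md` escapes the document names, sections and hyperlinks it interpolates, and those values come from the database that the external-project parsers fill. Any markup in imported data would therefore be rendered by a browser rather than shown as text. Return the body with an explicit type, e.g. `return Response(mdutils.cre_to_md([cre]), mimetype="text/markdown")`, adding `Response` to the `from flask import (...)` block (only partly visible here) if it is not already there. The same applies to the `format_md` returns in `find_node_by_name`, `find_document_by_tag`, `text_search` and `find_root_cres`.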
@@ -120,12 +126,15 @@ def find_document_by_tag() -> Any: database = db.Node_collection() tags = request.args.getlist("tag") opt_osib = request.args.get("osib") + opt_md = request.args.get("format_md") documents = database.get_by_tags(tags) if documents: res = [doc.todict() for doc in documents] result = {"data": res} if opt_osib: result["osib"] = odefs.cre2osib(documents).todict() + if opt_md: + return mdutils.cre_to_md(documents) return jsonify(result) abort(404) @@ -157,8 +166,11 @@ def text_search() -> Any: """ database = db.Node_collection() text = request.args.get("text") + opt_md = reques.args.get("format_md") documents = database.text_search(text) if documents: + if opt_md: + return mdutils.cre_to_md(documents) res = [doc.todict() for doc in documents] return jsonify(res) else: @@ -170,12 +182,15 @@ def find_root_cres() -> Any: """Useful for fast browsing the graph from the top""" database = db.Node_collection() opt_osib = request.args.get("osib") + opt_md = request.args.get("format_md") documents = database.get_root_cres() if documents: res = [doc.todict() for doc in documents] result = {"data": res} if opt_osib: result["osib"] = odefs.cre2osib(documents).todict() + if opt_md: + return mdutils.cre_to_md(documents) return jsonify(result) abort(404) diff --git a/requirements.txt b/requirements.txt index 7a454a55d..ee3113d50 100644 --- a/requirements.txt +++ b/requirements.txt @@ -64,6 +64,7 @@ PyJWT==1.7.1 pyparsing==2.4.6 pyrsistent==0.17.3 python-dateutil==2.8.1 +python-markdown-maker==1.0 PyYAML==5.3.1 regex==2021.11.10 requests==2.27.1
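Review bot: `opt_md = reques.args.get("format_md")` in `text_search` misspells `request`, so the route raises NameError on every call, with or without `format_md`; it should read `opt_md = request.args.get("format_md")`. None of the new `format_md` branches in this file appears to be exercised by a test in this patch (only `mdutils.cre_to_md` is), which is likely how the typo got through. A request-level test per route would catch it. `text_search` starts outside the hunk.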