permissions-20181224-lp152.13.1 >  A ^븋/=„geU|u}D&6! ZAN΢`F[P۪Yc?~X&ohǰ$|':R;e)F =0<+hphg$<c W2Hh';=zRcFt:s}cke6Vψ-X`tYB']NPA07%ECG<ؔ0KV, M,ٝ& ̺DX,Ъ3b_DJ9Ɣ^^ҲZJȧöy,x>p@;?;d " A'09 Si4 X  j  |        E r   T ( 8 29 2:2>6F6G6 H7 I7@ X7LY7\\7 ]7 ^8Pb8c9Pd9e9f9l9u9 v9w; x;8 y;\z;t;;;;Cpermissions20181224lp152.13.1SUSE Linux Default PermissionsPermission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.^cloud131openSUSE Leap 15.2openSUSEGPL-2.0+https://bugs.opensuse.orgProductivity/Securityhttp://github.com/openSUSE/permissionslinuxx86_64 PNAME=security SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi # apply all potentially changed permissions /usr/bin/chkstat --system0U[1X&_j9;@큤^^^^^^^^^695fe6b30c6f66604218b2ebf6101892df83b7d9d43f77e36962e21814c56c6537fc973459f3d8d2970e432133eaf3668de44ab808cd46a376f61c3212fb4d3e254ecad52808937c3153a81d50810ee7e689d78dfc2cf8aac67cf179a2fdbf3b979fdd1e616df5124d1e63c7c0fb6ef767615103647cb2fe97755596608ae8329f317fe3c6026d1b88c25db3acacab70fbef51b41ded56c8282376e4925c1d9ad0e6466332c8c466d42eddefaeafe6e7f67df604539928a7a656c82b5eab5b7735eca1eb5762d2b602f4b5114a54eb6e6815d26f10b5dab00cda67f2860ca4a32dcb772c1e9949198bc7695bd25c20cd21aea565905b0975de2edeafb31d8202acbebeb00ef9fccc619e66ad50b5c31ac346b2e06ec7d429ec8d2181bc5bd2f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpermissions-20181224-lp152.13.1.src.rpmaaa_base:/etc/permissionsconfig(permissions)permissionspermissions(x86-64)@@@@@@    /bin/shconfig(permissions)coreutilsdiffutilsfillupgrepgroup(trusted)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcap.so.2()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20181224-lp152.13.13.0.4-14.6.0-14.0-15.2-14.14.1^?@^ϧ^>@^^y@^\@^Y^;^:@^4]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@matthias.gerstner@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commalte.kraus@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.comMalte Kraus Malte Kraus Malte Kraus Malte Kraus Johannes Segitz Malte Kraus jsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- Update to version 20181224: * profiles: add entries for enlightenment (bsc#1171686)- whitelist texlive public binary (bsc#1171686)- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- run testsuite during package build - Update to version 20181224: * testsuite: adapt expected behavior to legacy branches * adjust testsuite to post CVE-2020-8013 link handling * testsuite: add option to not mount /proc * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922 * add a test for symlinked directories * fix relative symlink handling * regtest: fix the static PATH list which was missing /usr/bin * regtest: also unshare the PID namespace to support /proc mounting * Makefile: force remove upon clean target to prevent bogus errors * regtest: by default automatically (re)build chkstat before testing * regtest: add test for symlink targets * regtest: make capability setting tests optional * regtest: fix capability assertion helper logic * regtests: add another test case that catches set*id or caps in world-writable sub-trees * regtest: add another test that catches when privilege bits are set for special files * regtest: add test case for user owned symlinks * regtest: employ subuid and subgid feature in user namespace * regtest: add another test case that covers unknown user/group config * regtest: add another test that checks rejection of insecure mixed-owner paths * regtest: add test that checks for rejection of world-writable paths * regtest: add test for detection of unexpected parent directory ownership * regtest: add further helper functions, allow access to main instance * regtest: introduce some basic coloring support to improve readability * regtest: sort imports, another piece of rationale * regtest: add capability test case * regtest: improve error flagging of test cases and introduce warnings * regtest: support caps * regtest: add a couple of command line parameter test cases * regtest: add another test that checks whether the default profile works * regtests: add tests for correct application of local profiles * regtest: add further test cases that test correct profile application * regtest: simplify test implementation and readability * regtest: add helpers for permissions.d per package profiles * regtest: support read-only bind mounts, also bind-mount permissions repo * tests: introduce a regression test suite for chkstat- Update to version 20181224: * whitelist WMP (bsc#1161335) * Makefile: allow to build test version programmatically * chkstat: handle symlinks in final path elements correctly * add .gitignore for chkstat binary * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) * fix syntax of paranoid profile- Update to version 20181224: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: capability handling fixes (bsc#1161779) * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647/bin/shcloud131 1591664611 20181224-lp152.13.120181224-lp152.13.120181224-lp152.13.1permissionspermissions.easypermissions.localpermissions.paranoidpermissions.securechkstatsysconfig.securitypermissions.5.gzchkstat.8.gz/etc//usr/bin//usr/share/fillup-templates//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.opensuse.org/openSUSE:Leap:15.2/standard/4f806b44abe6d1d019d71ade2ca241dc-permissionscpioxz5x86_64-suse-linuxASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=fd7102ef74c1a07ee4e42e0b582980452f40c72c, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)R RR R R R9WyzĖކutf-8a6d72c68c75f81bb52f10999ca9889edd680c4f1e2d6445cd86289652e72780f?7zXZ !t/wW] crv(vX0fah,E~.s@U$p <]|m)nI`>[8AykyuPEDwN`ʜ_c:nX XZw_ΪIdۭ 9-/_`;Ѥ "WQC|u1Ga 2E{#6{ ͑.h6[q? " @ +qWä7m\Z6IЀ N(oϘ3"u~]vC_gr(So^UKPqǀiЅ斮,;UiUVt0 wھ UVv2y^rg3Hwjނ-{ 'mYKƞؽeP5ᤊB+xh2 upQ ݛ[B_ d4EyN04k$<>*BDwҹL\1~&D;.2qӺ۽2@ hڢs'|d8yg@e~؁}.W4ShD4wH5K,`<hc~MΎ,jRSX4=ӵ|3SyrLF. ö{‘U)hXMw%2S._R ̶<"uцcDiX- ٛk+IpS! 0:inoy%IYpF>/KϜQF#Po]cvnJVh6+sòPhB`4 sC,_ڡ?Xlh>՗?c*XO(*wo=S[{gA%ȭJE%qWoλ$l<{᫦,2>^g }{j sRwF~;$L6L \cȾ0T^1iN&۱ݵl@^`zHvx[5H=MYR $E9(o4/&8{?gy-may;]1 `]ז#:PJ Vq+qpFMbJ֟uD:SEx5m_'[\TE:vC08W).HQX]E8¼<_3mSm7 kc6Ku5'@iT REdRy4r*T\֨=I<2Ia[{{GfIwt%0 4O 0F %>v %gUFiI0r4)^'OGr#%rKASV69D UZ&F,~k_~k_2woo i&i# ,\=iY_9r6]0й[0U4d\.ݫJY~ߤj~x2q6dEI̿Eїq \_GÑ2fzjXA7mR SJJR{cõ&zy<.Mr>)o^p0k,9>jlzCg6;Ɇ֌QX[ѻ Ҋ;E^Nj\{$n2UWdվå*so%ޒp@ 6] S ;vYMw;ڲڍJgp upظ:GۅA+p:K>wEVdcAs_^ [;FjE`R/FkWcǑxWC2hI{QmONk ꇭ6\Dq,k w#QJK-i:=rF0 E6`-a/{c鱸DQ|\ 4HK.(+Tu畨ǻ`L]`~6DWy10q-iɩ^Qb&8?YƃԈ%!b""3aUPsħ\ԹGi|鿻UImErw,Jr*! k"h#5R $ /nrs:U5ڼ퍮w`9O>E3;ܜ/FN7o#b) h]-n~G_{'xdOٺ^!Ipwy$m4DSNXyY!"\cWNBE: %!7趀2ޣڰ9VS?w"+=0~N=kD ځYTᴃHR4Ji}Gy\\h=NcjP]3Hί$AO$ [>7 ^|o\9kLTѬM*'<yD39B+Φ(SfuB<.l`bHdd4(9R`y.یZu+}t9$ا{1hҏچyeefݡS3H %yc[3Ha Dhyѣ XfkC-wALB*,~,|aӴ5hço> ㌚j3J\DZwe< ڵiNz)~#ts)u4eO>u^TyM=Fԥ) zcmBdSxa1K$=%d^(+.?dijcklՇ^ u0aLfZ}%rKR:|3)gŞΓ^4f`_w?&[yڌ;Q VmiQHTShyL.zP@#OLŊkS~x!PE3Ny A7J_+q^4sE]v*6J륦=}O34 0ǂaoJe{nKg- jA8Ӻ(S] zHg;TOU654˭DۀLIxyɜcdb/BQa}'hG_D5w6Or4GY)C'h_LN;ډ 6H57g] :9vNY#nkm7-F'._z k9&'{NK[רs?V,xIri `d,S+Oe d|_HQUJes DGPȔ)W(\׽p3O+e 67a_N=rn' >U8Loti~<1h>W#o>#M 9Gji`(ꠅC>SdXCίdTwTŒb1p`SDcl &]SY %\]k)M.ͷDv!udzCހX2:RܣN<7{jekm.&4 Ddȵ@Y=+'֜-*^'2왂. kI˭P6EOAE\o)wK=2G6q;uƞ(P0d .H@5Zv)sh*-iӺI7.M4H$pDFL/a)$Aՙm|`ʳGwSR#챚xKq]Mׂ}8uLxYCWvX/5{w؂Q} !"w(~̛`bM8ss{&BSaGpFY[zkM2<^#8dWH('M,q),3/ݝ D'$СWSYbBr#{iO3?r9p''ǞGhra5]{팉 9 6Y*0,Jc:5fecsس5qY@\A(I۔({ȴob/bvRk('ޤEq!ΌRf!NFSGL 7B崩n.ڗ@:cgZQ-fJH_ڛjذ 0p@X.זa~X@vF TR1TSU}J('Y&mHݿ>#k<"Zgj.,Ͽ-k+ւvo{'|>pSǫ[_/w [Ƣ@ES ::&ew_I>?&$c;2lՖ5rUpHS(Ra4MQQ0Z z"g.c–b A=wRl1W|s,hf!TaQ*kGE䛇)Z v#Sqލ?zP"s7 I|;{\&vS!`T 7k&#D(0[^&OTpڏ_S)ߔW|,e|KՆBo)q`!qTi ^ ;Q N-0dOYkaw`KB&ZH8` >|ty*: eMJS7D(i4Pp>mPJ~ cN\whD7TL?YL@x=S_IT<)c[XBXBE\&H )hjUQUS#o`QqIv#l {@vyRgfU:r2%"8lX"DJLppy!cg-s]F)hH FV4g)Nɂz;}f1 [ h Vrm[.PVߩKweב$CcBQ7+S-;x%d/Hj8C@+=Wvk{L8ĖBוTfUԜeP?m7qYLcBˡZ>=wQ!nn;Ugh_sdD c5T |ѩ>zIVOS1Y!:xȞ>i%?Kós+}'VNBU fwѐ|EVYdF rNDx%Gk#FUCYDs)N/c5yĚ-~11O*nHbc| %@ԑh3hj}-{?XM;Gk*0nAq,DB=6])/%OϮ(Bqn} Mbp>V JuWG|ʿ2JFZSfG7̮ TkuD7d ^uxUq+&9 \dMq'j j:w4^aD+A+A/+G677E0uu~޽'Wf*>afhŃ\AA~lho>Ms{e_VtWODkzbz+gNjzfBlE:${]T)f$~V""`kHѰ{L3/Gm1~  \<$<e8"X@H5e @Ǯ[O1v 2, ވL' ~8f&nyC[M±~/77m?'1`-0J/@Q0} YSY ĥe4Ff01w2'Rʛ\&H1ζdϬ~~JfU.GW , zIosէ,mdm\C#Kx\f7c(_Y[mlI S JND^"arCl>o4x ý,ցy-߾ᚧS>n"}JNrQG jĈdU̻B7),pAAӞxAG n4 0Y$ yZ8^֨</yZOQId?9PEprK_BR#[hYþ_ bp xIh ^)FGA}E(며 ;4>_R#rFd] +!*p+  fa,5|w /n|0FkSp=eKH3) g9 iZ,1|YL<ÉvoCE].ЧnA*8C)jY&U*v^ vO<Kž/XH,=q+A{5~,PFq>m$ /ѝ!w|CKl{5xd˵\dfN<4ٸ䴍,;#wVz3 qOAA`ݏ<o- 9iV9/=7˼nq{v dELrk ! ٭q^^SJ^ goA5a/%6Ł9_HT<2 ec%"'miXVو`ƒ [!׋N-AV1Q @dFgL/֫y>-3 w<7k/8 P4!pcMZ3"Z ?܅\,cEL|* OpǦh<9dGNKnx{,$\3ԺѶ TaݎjD؞6ʄdio_M)Pv[cMcJp##Sa4u TQ gvqX Հ[fKY!S ߻]g]IJuޞ-sـTu?~qHq<\ z:]B2QLx5:2Q$~HCcNiLlI<uoh$eb=FBK:G+)T`TCTTnTבpK?iO,ԉOn (_ܬg}+V52oã.JHnhJVh nܹ,@;_  }uPGQKV'[C?Re\һ- H Ď 6H  @t}_N:3oC)"E`.}?rH0u% LAXs>b\l|IB\ YO5Lv Έʧ{޵9j0{_h*1u)mv9z{ A#a΃ِQ,ż;+2|>خaf ö\ d WoxX8z'_PR_.@TeKӪi$ .VA֮m9]KF]Qe{|1Űm1#n!1"LX[a@#aS]t ǢbB3ϚV{'$[C-lhFj4Mnt$9v`kM O:ĮBejf戓S!EdYP]PyBKlYq.ۖ=Լd^,X ++z& 3 5{9 O>9t9Iʣ g6M{3=5Dƹ}f1p ʽ w,KYgSB@ϊ }|a?k{{f_0c=Is_9 *N09u|n$k2:f(p1QkmSC{sJq@|7m@aQ7k$mI*frɘхLqw:Au\pH+ . ;{g-:U/`X(!c@,hK2ylttVE`:cI>ĵ ?˗<-քgKyF yY >CFp?@!N\S<WȓrM ohࠡ.ʂ{/[a D @<1.{Z4]b^Z>#\Uɇ;XYH <ѹ%'տgg=qHb}fEG/w[z+f"dWtN` I6lSq]{BA *}A%察\\|9rS!!h89ܣ cKv2 vX2Ls kaK*O&))Ը/ GT.AOV{1< =jW xGKg&vA"1QABa:+pckBP5BCU-zWj vzk)(Y1%7q)ZKY։>0g.xi})+56ĠykpeONR4T\I`p̝Fe<,-5idsﰦ鑏>%NݑLƶe 9 CUsq$yH[:(gJtS!JJ`O86V~9Dp6h>O@>Y ?0;֦*wRk^>5,`C0Q:=ߝ>-|ZZׄy*^EI5=ԩx #hBk:*I @7{(J8L3%H E [Ag+հJ v(% n^B,#1`Rpю VX&Tɗ(QRqY]oX"4W{(XBR^ ۶0a_۸ y},/لRұzHE޿R)ZnPDJ"E~u1J%^xzv3qu2m3E6%ݕ#pIRPD<<k0f* O<xnb^ r-F1Ko@Nvk, P尞0 ZcUFJ=(nSyv&f9h2EHHf!"]o~ d"#Ò:t@{9q`V{O2mVfSUqMg`T-o0>( q-eu{,>`Zm1 HAbMF,?ABX'#ImE4MSGQ+pOq^Gwh8- ڀizKZx9sS9| 26ʣor(83Umvnra@r%)+`jsJt @jSfꔬI;ѝyOBc>;ϟL OX*8 b; ԵȐ"& MOlsНVuާǗC Kc`qGRNNb$pc}z[Ե;&YŊϡrٔr)fy\}#G; L}u^Ax?3NwUm94Ƈ*7dOXq+Ai$:fY(#lp tׯ)w+[!I6"eWNHw~4v,ι͓Y݃%y>RFZ3b#o /cE9<\&n%6#(tQo׈ aMW2]biN9c`څksswN+C/#XŶ%8X zahHdD hؗVrP"!.{f=JD}n,b Ѯ0fEUd`ch5'B/u `[ HFgB|-A+"xaϔDel{HA3%8UkAG1YFM29Rͣ ?pjm>*YYmVOG]&j:"U}Y \qܥg?p0,rIS4&ԟn + p@]}Qr%Ά@"ijjߎ=Y߿]|~e^5<5'pmщckz}K'btz]jʖQF Vm+SM8[DAl~P*ܟ'G /k uR*kf2ކ'"-hF‹dbvV~Q4%QE!Eu$M76+F/k;WbzB͜Cn0$08Oˊ#\`GƬntYglxj9O"ӻD'tZi^' 7Ke{F,#1E.҇L.IR!տzE6[FDdH%U4IG>ʔduAP_E/n26VbWp`/i\uH\5<0,Kc,͘4e!Lp0?37jFң nLt wg!{ZCJW.=D}+ r6ߜi]ۈEXX\^d&I/ ^;R n7A&\NV7]I}A53ad%=Q 49]^p`hi}7hxdo4ҭ`l7VXwӗ;1BDZX$?,XnnB0[Y9BsuSu3(.F-0EjyP_FW.a _meZGng⫝4El8"^64܃<`k( '!*@Y0 9܍ y?5)MWHAY G$d]>U'#ȷ&ӳ^x*fP.b*dꬃ;^pUwC-^^5ϰ>3 Pg(9uy l ; 5pyh7s8#~8M[*AL݁yUHSg^Ƨ0>CqvdgS)',mĢD{97jVa |wFX,6GJ)Z,gh'fڲJ@QTz;,;9跀L%Њp):hjD^]`ju 1Y6dDG1#| nb!1e9$13mUtʲ!"R`:N8cJe 45-N Zg}:(ke"Lg bcQ-wϥ`2)V}d[W=\J3pj/5?{b0%Ue(eV!?AҜ d,Cd?w*`xzhwĄhf)7tPzh\f(T~Xd: (JQH*BlA<0.Bԕ;jY=Յj(ǡ^dkt&{du}Uam{ ڜmdO@MtA?/"JIakjw[Tc~/EzȦe)P鄙ivBw `)g>X)G(]+y]4ju Rg?](5WJ\@¾1e`E?iqH]2hMa`Ѐc,D9{)Bga:Hi S{wϕ`B81H0Sož"=ד,k\Cg> alµxV0Sn"2mײD\tf[ZYwvn'p_Wc|+q&?\K:&0-ɿq00J$aZA``@Aou?1RoQR38Dq h4ݽD8kޮ}8_s]鵌vTy5 Y&Xh{./4EFѿu&n+Bp]M˶'ޝرƠҴ43XHcTD7.2$/'`l`݊Jb%ri-)KwWc8=SDF藈A?}Qu;q0dmPv'Z}jTTVmnnkY1VM'uܤfCSuWuC}J$>Dz[ɾIa*+B5v粚JMKhM7_%^8wVv"FV?OFptYP۟ ڣ|dPL zcsWK -%L7QlwNtdIt!p"h[_fzpAcw#pOUSҌ"x3ɫqd<[teLZU#O5v0 S˹% z5ʇ%§⨠O3>Q%GaQ慠{NʻO? o iP|{5Yg 6:4@ ˈB!L]7p4>Wa5puWr eeJ%Qoõ߁hDX'oߎÛ`KPP\2Z=wON@V=`H}[JjzBV?BԕL6^h|t&[lW($~t) ~yF$™P1J3[7*CbB<# ;Nͷ,!(#gYSc^Eb}vTo@ fk/롹icc0&GSCkf t J'fu4Q^՜)!X9 ^lSo4"| 9fģ^ mϴ-8CsI꾴 w183nHt c\V;nCiy\B" i[: ofH?0J˙(rtI9tR>4-=6 .h[lD,,>ҷH3Aa]ULÌW >f(r23tIVqey}^ͮdOb{JK;5qcGWJpQo<>*:_]=mh9F:ȸl>)5cb>]Fuł22 v<~j38 9ulA/md'̌@g~~]?IԫFxFl3T+|KyJw RB*Sl 3B.@{:W>ZAy+ fJsH%hG־`=0P+V2] V|nu)t-3z>=eo rh9[&Ws΢|8$W|+3ܭryOq7Dj?%SI\ޅ eQh J<,,bW Y|gYt&r#-{ jeߧ@&!b[*sV,! fM5AE_lrQ6#&h}{xE[ϊ-yY>e@̃: 7#ɠHrk:IuB*qXH/yOP#ZVHe;Pl0.+D)/&P-]ڜ<+n :&j* g"y#uWFX}n›LxG>3}Zģ+Qղ [HȍגʰX<2%L1l?&`2@ ~XB|uG=s\l?d@ܲ3SPRRV]?=8@=sܷ GV4.>JH&,od`uk|TG1-Wf%AMvذ:U@a^b-$L&E=1yғ?#Y\ӄt5с~(-=2GqY vE)XKf⚒0+6D,)!h'jx,G0%p@g_^k9ֶ1X4SJYvwu -$ =h)-CHm o,HYG7_۰*׍txmF:"=F`K.RK59Mk3&] {ePʄq1A@LJTG7J1?K{k0nS *(Hԙ}VUC$e)\o&M4).?}֬Dj 9+0;rX>^?E(uzR Yzw2ag`)6Fc qT?.@k:vSFBܙ" >y A',4_0":Eh-x1e2zii;PYU.**T4jΝX:ąmNi¥suߌu- T7F!5ys~:i1g<Q& ~D*Չiz~7t n 3|'6":eկ w YZ