libsamba-util0-4.13.4+git.187.5ad4708741a-1.34 >  A `PJp9|;TQc ?X$")bbC7@ԑ {[u\ e)xwZZ}Wp6N!`E C<7 jl&!/oߢh5:smRGcT-g!^8oMpY[X@Y`BϯJi Hx)`vZAxcTJ`GA<5%*KBu8lИ:;|DOU`6}Y,a*6NK&N1hvh [io7133e30ef6061b3e1f602697c60467d6467235025e773c8e936877766d3fb3ae132bfa13dd45991d0637f000f37b25724cd77a53>`PJp9|U'€(ytP۰Gߔ E?knzCY _I JHC`|<=Ϡ Lr6 !=Oڅ)FZ#I yM)_#jv5|n`D%ERC9W*0?.̍^Ƈ?*> +SX븝EZ|wp?ܲXb^""%^sPLVp[x@Fym 1r^ >p@X?Hd, 1 P *AGPX \ ` h  (89 |:U>@FGHI X$Y4\x]Ӏ^ӪbӶc_dԶeԻfԾluvwpxxyՀzDClibsamba-util04.13.4+git.187.5ad4708741a1.34Samba utility function libraryThis subpackage contains generic data structures and functions used within Samba.`Iibs-arm-2SUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/System/Librarieshttps://www.samba.org/linuxaarch64`H`H6303800308bfb834d4e1ba4253e93b0d141e07c10b0baa9f3e350f73b3b49ed9libsamba-util.so.0.0.1rootrootrootrootsamba-4.13.4+git.187.5ad4708741a-1.34.src.rpmlibsamba-util.so.0()(64bit)libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit)libsamba-util0libsamba-util0(aarch-64)@@@@@@@@@@@@@@@@@@@@@@@@    /sbin/ldconfig/sbin/ldconfigld-linux-aarch64.so.1()(64bit)ld-linux-aarch64.so.1(GLIBC_2.17)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libgenrand-samba4.so()(64bit)libgenrand-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_AARCH64)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.17)(64bit)libreplace-samba4.so()(64bit)libreplace-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_AARCH64)(64bit)libsamba-debug-samba4.so()(64bit)libsamba-debug-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_AARCH64)(64bit)libsocket-blocking-samba4.so()(64bit)libsocket-blocking-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_AARCH64)(64bit)libsys-rw-samba4.so()(64bit)libsys-rw-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_AARCH64)(64bit)libsystemd.so.0()(64bit)libsystemd.so.0(LIBSYSTEMD_209)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libtime-basic-samba4.so()(64bit)libtime-basic-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_AARCH64)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.1`@___i_@_|\@_{ _l@_i@_d@__ @^@^^2^2^^1^^Y^J@^2@^&^&]]]])]@]@]]@]nU]nU]i]e@]_@]J@]B@] #]:\ڭ\\@\@\ \N\e\e\}@\o@\\\\\4\ @[[@[[%@[@[ @[[t[#@[[Q@[Q@[\[[[{[z@[r@[ @[WZZZZZZ`@Z@Z@ZZ@ZZ}@Z'Z@ZOZ@Z ,@Z@YY@Yo@Yo@Yo@Y@Y3YYu@Yg`Yf@Y7Y7Y, @Y"X:@X:@XXsX@X9@X@X@Xg@X,XƉX@XYXe@XX@X@X@XWXAb@X-W Wv@W$W;Wu@W#WW W@W~D@Wj}W_WYZ@WYZ@W=W(W!@WW@V3V3VV'@VՄ@VՄ@VVIV@V`Vl@V@V@V<@V<@V@VjV]VI@VG"@VG"@VG"@VG"@V(V'~@V V7@VBUYU@U@UUAUĝU@UU@Uy@UUrUq@UhTU_@USascabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./sbin/ldconfig/sbin/ldconfigibs-arm-2 16203308794.13.4+git.187.5ad4708741a-1.344.13.4+git.187.5ad4708741a-1.34libsamba-util.so.0libsamba-util.so.0.0.1/usr/lib64/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:SLE-15-SP3:GA/standard/b5c3032238a4e7a6b51699004483c0c4-sambacpioxz5aarch64-suse-linuxELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=0be52a25234d59e62e1f37b2e813f3964d9f7d56, strippedPPRRRRRRR R RR RRRRR RRR RRRRRR*n8N\>*Uutf-815adf1445c974cc9f123c6085a09a43fd678132c1a5673b752b3d5aa5c9dddcb?7zXZ !t/] cr$x#Dit,+b \Xj` L3& ;R JjŖBr7^?Z"-(bO)-+ }Qfi>~E3XjGۢ~_ks}qb)8R$lEZ~BZ$k6c)uvװD0#L*U2G6 wdG&/g_Fm\ 9Yp@ PG7(bNH-tPUftݏrp/kt}D7R46U)Aaү.. ,H3^T\`"D i?߁Z؛M+uDpAsnH[K2dm蠰pof {ηz%{=h -oԀ;ޯ?!a<1QpYz2{\ecfz€ |m,r=AuqR/Nm6?'U Ug (<`lXڀa @9Ϲ^L8kK{G/ GRB'$ОSC\r, TTDLl;oHلisf/'0SuT= 9LlFUNyMň?wPuoW2'>n 7<0 y|4Xt`7OEZl9,y%fs5Qx78ȃ;Lf$ +sK{.\Vbؙ+/ 3\fgŷ9rt}_ږJ\3o-y󥇢ZvArJCM&!.cz{kh*hGC, {;Ed@rH QՅ醮Ǩ>pi~#2*z .A5+"bԴi_-n7МFF8߿ ʷ @_Fiajp:Ǥ q!*!.,Gcz XSXą?D"=C&ENꚬUI,grTR|)/eK;jÔ<ZЌO}H2%q],l:Q_' F y!̑ RW7f:U[)_)]ULD\L3 wcy|azZ&1r[Y)[`Tg 2 ߆Lze9U$d!@'U/x%pn+aKBٰ,WWI;ݻT\qƆ@ ش_p^3! <kEFF9HC$۱TsC,7nSpe?:~Ehwן=3#ֲ6޵<zXVh&]Dj]ʑC,R  &i 94Vdڭ"WL x\]u{VAQSjq|SaԼw1j;AQw*CȚ)IcEV3EYbr?ޢWz7zS菜NS,~>q,\´XC=GF2k{5iZsc}?YPY<9cȽ9Z@YQ>RmI+{d@p&:ܭ>Z(C5t#Z9j|#uW}/V8g0dJquΙ }nj7K@ 6K@$|}T@ZWג*v -[Ys a`B_S\-B=S2 ;oi^&R-1{H4s(k`d!h¡Iݖ>dX}*\986ܡC5?è"o;UFS ]€es\diuD9MO=\b8@jeUʓ/Wz4r23c>@eː'X/y*B,ōYS-|0楹`G򼚻1 p,"cPzj PM^@|@dZZXݹ1Xl҇A57YXb}Kn,~7XA}kP I<%NPPک붫XA1?3`HU )f(|+ &?@&– +Q&rgTYem,HZ&6k6trPgʔDn贈w]V96A#;J/ٺLZ&Jwy]nRqΰZVT5 k֖wn]`LNRM h6i{K3mOr iewK(`S{@@!?,RvΊo<u}HFA ꙰ :%ijso ;;YCb,EnZOyVۨnj&ZU pIϓ  1tT8!8Ӊwf0J]@NK.{ⰨrkЖ:{PqI1sL-M%YL]7K00XUk[#FԼ+f2Z1Mm&~T*=>a('nvfnφm/qpfr!t]=x0(fع@Qw+|4莆[,fJeZ`#:頍Q܈A%-su9}IV0r+iwQTKUb_8G`tYdbԾ~D*p-EC&ͷ%Q*0뎹Du~ЮNgI4enD72ը睚YIrIg4I|]"&1Vg/LA -~泌Nr N]I-Zk)DfQB]cۻV8 u@++"NOk; dh߹3OE}O~n(kPhز@!5!mY!f<2&#''@/>e8ћ33IV3'XDPDyIwzÝ/~1cڋT2rYa7f:Qr]=0ώI/ZNTmy*h$"UORc.W A8[?Q*]rNj`t?6Klb"ɶ%7&ߗm ܤ>W xapˮ99yȇ)[HM c [0iHkfX 8 4֦U5J<@&TK>MIL(\e0*K~gF)|aV 4n_JwD%ubQ1#E| TSU  W3ď¼DΧ5&JcRiNfMԘDG 2x@j<ihA`=qZ~\>!8WAE\Z#ywjC/L$!fni^{*fHZ@~OFoҿc˶bF'Yh]PA=׉j+nJjI SO!;4]s4siP_HSGGxHgMHDnUצh|D-ohAxe!W7@WI%-v/[F`'B5>j_IFMvR>F,T6 7;,;g~YɯeBRK4)Q+He$IFzV#4ʙbPu&#}p!+)ϺO" b[wzv Ž`!Nj}%ӬE߰$XUJQRNiu\@ 2vw @?6gJX :b<"sU6<S:dN.KD?0S ](D]ZR4.bB48"4sMylcH.@#~m(!>gz#6, 7oH&E=9gLpΓPZ'ku BE7iVS)<7L^񬧊"O ׁHMP)i_u Y:b[[e"Uvw _^75ajD#J$E V1H-1`cqDU$v7AaYNQKeSojUo4WkӰOH-au|4[E*8k$m;!>YVsZ<Rq޿٤KܮƏi-蛎u]Q".ȋbWTqJȹgvjlb@s6} QݩTE38@^1{MuX,,4TmMWe}ykYS Xf1yް uQnI@gh"xb<"lWg'3+͵ŵTFeaHS [V85s4 -0ܟ̝Վ3ٯI3S'v{HVeFC/eBQ>aX)8cu5IFfskσ  [q(iFB5:0g:ujtaR 1ÃF/a!XbۙPY0-ϩN owaVl5r,-xc>q?:JMs34lgGiso_8yc_`53a8Cu 4i֫δQcZ^.akhRRDmiMt@-_mIG4H^d`u1O ,]9j|V?k{Pcd Hs__"! +(Ö RW+~(RǾr քoUlr+b\}RY٩}<գ~U2{u̴("2t }#p7Sr;~L*UpE$"F_C[:oer.+a_ɽ EJ. %Qb+?^~SAPCֲu1eS=LdL8`]$"A؀3F(LA}#wnG{y"L_F4QPBD~W//X'vrp,CըyyE'iT7 uBM8aR:N¿,Rﭫ$ɥqJͩ;:}PAϱc1߇}Q R-d_  +0T\KSoMs׀ɬk?jw_ojTeKԟyfoRJlgN]9#n4]zkIw ꑓήŢe]ig '"Y)HmNa ڢ5~h5 ΥXB{'(^vb2T}"T4ȳJ?^e\Gu3Jßw&| #-CAw)l5}Rq_)p|E'UZz\]eDKhC)%qz ǿr 橐 V:s_ ZA1AҚCQ/'[J󗽃Yș?= ,pT1rDسˀ[#jIWoO, kɚA'j)HzZ7ZJ@CA9|OepBTc*; fa/U¬D]*+ⲉ/BW3BgoH1^X·@i;[9 ^N0NTj ꬘1ѻa*I~_l;B'K>΂s?NO"^bDAx;D+,r͈fBR<4i|v./J&D/؜hRO5#E5o %%a+GFrkB#*)Fy( Zk]}PC+_ΘbE[8y{mZ9' q>* N=@G;H+\$)Ɏdf\uNS(G ]հ_҃b>A„z|B _Af+*.>1-<풉n6/ !ruvЈ0SŢ97۠jKft81 МOdyBA r>ÎC&t7ﳓ5i UuDԥS湇x`FRMxJT68Gz^2HHY/6fXƗ,smB l7%#ԺͷD9(Qsj^FI(mh~ ;]C;Q󉡇eNy-/G7Z@|%]N/qV*3#"AZWir3 7嚻M eY^ aUףb>T/2ceO{1Ҳ W.wBdjI _&tO0 ctaڏ\ e<*,9H50G Iz~R3(7_X Ȝsl-X/; Bq`k#͛RA^V<F, oj*(G !ӥP\ 4w?$ӝLTRCAJ2ctSzc@< |7G8Ci!Dxӟ65sUR;ۅ ; 7Ԓ -<`ӓڠu˲ծQƗz@5KVb[U6VlKousPHv<4SHG}g "^$e p 81@r~jpv'0ݦ]$^a!a!~If}GBlJYUApqVd6F=lIMnIŷY7ď˃Ƽ" ZʹhmzQԦ@r F`PpZ@"ĖǞB]-3rM2-N548n.:?n&^ό1KdrۮQtJ1=0sύ^ՑP14Q?(i^rÐǍ q$p{QL;k8nb0ԠL/&+ё`F_aB79珈́КLJ#&DVd*Eh1Ila[d!*~m Hm4'0^$nvCؐ2N7{F+^^ 26;\@V~T-0 0/M( uH# ۛ1T ZR"N_|/vo$&[wa44*tt)h-IJN?VUXi:Q&GRԎ}(m_l.\YsOӳ៧K4 Ƨ axp\醄7)yI{DPn&Cm)2gX!9/Jlb 1}ш1Լ}FaNOcp{h:kҟjtsDj]rK̆Prh w[_1/Iٙ -CTM5zKE5.}ѣkk`$B<@#2˹xu/ԂIt|2g{<ּ5AbT&h t^ݶ6ky<,R[㲀ކR %BeUҹVz~&?xJkqj3D*eWsHpM"9ȸG(AWWQXA+ Y*:A?WB^OI ?J) :h}'](ҋʐM"_?wPjHʚ>86}|G8\3Wn'#>xK1MIJ\ cy @h 2c= =K~&f%ĵ<+:'ZwvBiYZYėS~:A7JHzm j3pŽEل8w5C+v/l(v.:DYZaX>#-e0YJț8^pREMP@|1)LF˨;kw!trZGqCk_Qھ&,I^erF븺}y[AeiU#'Ol`ִIP _κuF`ܚc@t FHެYC3E٘xP ߏ P]F%0sS XηnR3RfyTex{A0>jϡ.hgʼ LPuȟߒVr+%JjcW+~/L}ԩZW{FؔtE:LMw-Z/8\vkR(SMP(ֽpbqơ s*ao߆jO\NC[)= =sM] _Է͛ú ,+}&wWL|V]%7,ZJ3ѬUv`` 0QM8I6D\;E?.ueVld(S=xeŘ P qq.$EgXC% n>zE}'6RÊ*QWm9~~d@*h}c$j0hb^KD=0;{IÈ#5ϧi :ȴ|V>x.)eMC᳾Y,gG0xBUUcA f޼UԼܠ=Cj[HKo&AC'=; _@x$[ymVxEs+XJlu$L6/{vM|ѝY^t.dUμj+Ӏ;E_a2 qc#S@Wm/$=%}لd6KI4, AI 19)O_%AF:-i`ԺNpTZ_`4֙i7Z?0/KH6TinxBj,-/ء[岯G nhټ!MpyҦC8TBEIjc:qr$?Įy}O_O@7+Inu{L}<:?pA KS,P|ZN#2TvӾP,Ta>ceUAd{8fW u+*^Di\FXq|<6$c?LOR ʧmPFFet+׍w_RoD:Y[2=s/9MO_--^A23]ی+T%ET?F-OO@u~SOe({uGDR` K[嗁YpE^Q6\=0sZlKxb 7`~A Ho8V&KygPe;v  1BL2cKLdyk.E:/Ji1NbA%fAc$h-[BPnYWux}<)Fʞ|b)ЂB`͌Ms G- gG`S/hE۴$ѣ4I{@I4G#۝In؀jx^ 89.X˟Q';cn(`r|wС n!䫵AO+EgnV9!3|@{xpvs1۪pAЛVܒ-LПke2ݾ`p)AM練{N39K1mqG^ITwϼ(l+hC;~+5es=+~ #H< .cB 89us$O$wZ˝rsn/M$l7:}ye{R'-HKɳ^Fq`Fk772%? Y/O>Lx S6Y1j"_EՉ֙ޏ,}C=:~Ih|O>H-Lo(te40]ኧYYd[7m1{M&f1nQ7NY 8>|%(.KTnOY?*3294A/"Z:"nh-'EBS®P j[)a7Z_:,5%.H -b--W" F߲s̟H$=/>W=..ȗUc9pj+[.ԗ Wyđ=G4.7+v!y\ Q׽\((XOUx͕фǿ(_fČ$brWzE8ldo8F1kѱ-T._H5=ECx:*#KJ2uRPd St$(+:wcbC qk/jhy&_Zt1?%ES]=Ykj*_ߒDñG[9 lGCSX @6 RN!=:)]1Dtdex3PJ "_UpW|x!>i|ٌg쉮VvH^tiLJS `1xK:n`?%f+ũ̯~9+Mܓ2#uTk)ўHAK1m,57/Rd0AߕX,rV M 2QvIkU~N< Ejl ÏT` )8}zz{KB܀g.e!%Sj8tB((/yJzaTVM73J\5Pw[C'ejr$rjŇk!T wj A~ƍnC K6^wdʚUc= NGX&x[wDcsmxtVKGׄ{+ L-Z긇f5f6~"kdϯ=ڣ xB'DVBfvo;1>?h%vS9AoO`Z-諳KD_5,ٍbXZ!o} 0Bb9eSL9Νq r,8]!z8U~_6 OTaGsIo*u{ץܒ;^x̼#'6G; 'Zn&ηx*"MϞO]V#?$|ʞub#[7.z׿aXs} VT`CVQgTI%`G3䋅Q@3BHFlUP r 4w*'zň?] 0ŭ:zpMJG{,F+d"2tpU&`fƁʧ]op3a/{(.IimF2+ }*X˦}%+iwub>& X07|=_/KI*=- tq*vYqVmO jO[}K[-E!<r $Ϳǔ=uMMw|帠/3env{f1輰3 tgW ̒$ZQ? |, ۃ8)d]n7t¥b2:J0-kZn)E{"Td?dc%~!mB*f@ Y.0*b'vS0eH eVƤ5r҃6ZzKG nC Ϟc$u:_LHj}1\?Ѯ#~5sNR8C@wi巇l82XªiQsQ *@N>@OG h!t UNB^dR\V8h->LZ V:ar>|mrRDM d4j?"#åv1V8b OP' ]#pkv$5Y%䱡B<1K<{M3ac1 }:GA7";p+Ι#-_z^8n:m2 x\Q~Os9% qC$Հ0uJ Sx cĬOO{%iR S 0^SY+&{򝺁A{䭦+ႄP'8jo*坡u %Mp{"aOEjUXbw $QIP:M9Q }um&aS%2)=FcY7f5AP8PpCrȊӟF".TNT|,eVA%:7Y*~굝J,XBzR<0izn; ?M.E`_0}޼-А]Oi2BT<` 7wJn~dop!AsNǃ5]SHr8v_5Զ&\jbjRypbv }u&! z$h. ΜF0$?v_G44dķs@{a"V=TϨCDtȷXkf81lk"[b-J-%UZNm-,ά RaV%=_潼15gI)6px l/fHRϾcFJY9SC۷39;{# 3a xS)<^$:0=FH']RӅSc-w}2R< Zd-Qgd&BDIep vdݎj['؁3[2 k0N6/rsJ@{1ٿ{nAd(>ȃK|O2D|kLiW=|?=UJI%[ 5y3.>XbjCk4lU cq_FD6JE'>3) ||8ޤ `|F߀ d=$M#9.?<隂}F,7yarKh&za|Cm uD3:8)žc0>s[ܲ9C {ǿ%eŇHѢ Y[)/]u)aL+}K=aCtg0NT( uBmM1ZoԜ%/_D,9D_!f&X%r"PDU Y?TИ*c:~I=%G\:3e^T}r֗Wvg;QiUNi&Bo2R R@Xc85_1%$p umf +/|;7ܾVmtCǃ-(nTȂS&^댑Fw9b B,<ȩ]^}J7Oo}=Fs} S`$G+^R B:`0C\r@Dx `6@Ԏ\:>M̀;QU-܎YrK_iG[=ǭ5%ˎ;Z`KuJ%e=r%I"Pϙb@%^ÞO#<Ֆt]k'Z^/6f+"bW69]%2BD^a'=aR ;3p2YJQR 9.5LzP'>~bXTm%t7fH2գK"ZȻy8} SFlQ}SSQ0r~-r/1ڞƉ5Qz D!,*ޜN7v)" r "̥Я cY îE~^'@GC@A f(H,y|aWP*ONJfE3xxyPtWUB{(RAfDUvz7\p2Q j6nC ,$0 m~Zo4^.oa({\<GKBnkq-K-hMPp$8*fݍvC4X<:NQmVgGbyc9lbq,]<:DG6J~AZw~~|'\Ll~6{"^.<{P]%"!lW3߁[ޅB#{:K˓+s,q{|4B>2dt4NsյkS0T"j騦:@^I_8.;oj6S5E#H2̄%|"`AM;686R\0߫ !"}>屘zd&Z~ 3.]q%dFcHj3dxblx: 8O'l[f`VZkgq/Pٹ:(#''>䅨5QY (^+4c0A[Z/("v%l"h{I$JA3)h0l Ƚra䩰d w{k9iV&8D +k;{dS v^m5:ѝ8΄բ_4j/u&6X{ڪ=;~k(ppl q^-k./]@KseY# ޲a\=}nJdv`fzKt(FnawԬܳog+6-\ϧVمfͣdl,͂l=7!{JͨˇkEKnl94%^'@Ȅj0Bq:(o^Ż Xm @+~~oL K7eXLq6>"Ú p?__i!S,Lqڰ;D:Hmc:HSRynU(A|s{w6xĪI_Oppf´kꗯtz"ŮrqjCG{T:,, x u %NA^.KqB{M& .w7)AJB) lHuG-"_c+ufb)n~Z$N/Cڥ M"V(;I]GQeQ'{QA6,ړ+ R |K[\L_d_1nU(-Um!pܮؓ8OHn hO GdO0gtqv 5ѝDOH"?' ,M`V) "dLL 6?)^%+g =ZQB#n ~K$q2n]ݹ#RVM# `F yWM0>Of) KbKOk,3,p˖FXxp 1%MxV3VPT.¦!vbOXooG,7]$HcY:lZ_?/ ݘ+a!g'GG-.ݳݤ׸B ŧ\3d㇬>/6~HPy1Ps\9+e%ͼY^vֻV'!{">e _ f]g ,@2S=d|C@h+95=#Wy2}W+_ gfn|-՟LQp6mrg9^@fv2  6%F\Eӷ0(ڥP]kfҳJ0'"Foחem&l\OQvwcc:`/JJO$9rd/L#R5hkw e)F,^FћXӂKI4 aQˡx5gt(Xq(E1P= QUqʋ0Gd Hjax=@`Z3Vp:yq-OZ(ѥP%{t*$K'W^,JZA9GI3•5uc%+Q%-?[[$Vuc-'.C\n mPL "3B[\ݿyĥS'aTOBC"t$.g3$&9is{?"%K\~f_n8o {%ydclwyª 9 :y-hM3lpSx q7I0aO#{շE9nj>WUsU#7K2 KG0~Xk$WhNI!hzsz|߮v6W0xP-)FdžޣՄF􌤑{/SM6j&fJp,rϫ_Ⲱ@|1J-ۯ ZCT[cI>,,O3џ_U}B,hj=:F,Dr_Y jqU0>%7zf87@zhEY Dwk'cAQKSa͸C( |~Yxd#zsKc~(  ~]|퐑Sf濦.̓q,4YU9Eg4ڣ/e'fgW;.v%t^~oeaCG($ўmM- 5})ap I]:х'W9j?}Jk8W+y윁ޖVLevܑ?molnjZZh3_7N w*.x1;#j 74@ }.3H݃<̭VLyv=? F6&j:,w3z uQ +P]שbwRu$%<_ZƟn l8,<*9Ȏ-'w| AUrO K- $(pD vKG &;ᦄX' 1ࡌ1 .A?XlNdE%Wq>\Lu̔8sAkI;BRUTGA#zv n{j׸XbI_.s=R!~=SbVO\1O/ÉS) _cq}ܷ wQk@K{˜7'UvMZiJF܃wF'@3 }u֨^æ)dg)*Пf ^jݿErzMa'fu]dFh ^Z8;Vo_CCLY7`٥P]aX}ѨsQaXt"үL9R_=͞edE`RӤQA<>i eQ$ڝ~Xgd7tы!zi[ (Yf.pTZ6"ĸC%Ny]NN-T|T1{.yuU"Wa|4AOKyzⳟer?6ʞ/KY~H|A-!>y{@cO&VCM, bܙ3]1k~ #-tt> )q NNr!nYa }m|IOV$V#PXtw)C4=&gin"J.dL5. bҶEVcߠjlO;a87]xnQK|$p 4*Yjq3S[,{sBoşkohbR,D񤏞a!0ҼW0yAko.+Q,*MįKS5i͘{Y+j)RPs6j\FiJy_ X_[/e(v'q_ ;Iu, TVmBV=֨Aw&ȢhP 4~lcxB0dqT\- _䖁)?1!:&m$J€ϟc*H*5-x&[},DDGp&{öPEjֆ˶%2NsyH[! R0N1oܢu>MS@vF_BpO*.fde p^g%kbt;*Ӣ\mawRPqM ɳ2%<{rڼm?dfp 7g$FaR='0@d/Ȟ|UHOR*(a>!74SyLVXHCA\D2I}cV/AGSDѠbڲw乔g&SpV'쪲">*o-\KH\is߃ilK9L]eޖ1v@6]"uN%7>Sdth%D&+LZ_/pCCXwGƒήC0~5dG=hz\.]bZ|9+¸Smɠ;\ػ'Ix[_dh^щ([GRs afGէ?[mͩLGQ t+_ї@uib~&I Vttɲ{oml8&gL[`ĹVQaIV Ӊ|43\jhb>Zm%+YLmus'tB _4#0sj[(u¥tiK l^`iBB/qZ#Di/Ym# hvp.x8M~)LoLcxFxÐ򣪩|v 18D~<ʥ$"<=GpXc'9=:K[Yiց^Oes_@(TfO~ME" t,_|_dm8e*K_I,꣑Wtpi]%@z7(@΄Dҽ]8U mK!x4Caw,EKoK<-f>:R ^ө^wHj.k/+kupJ ȌJSxҺ*GyEZЏa/:a8deʳ(p)} B0T(ܵ(f᥹@2bCV^s{~DӺ9l%,c) 55_XbW%+}G6N6V=Ec_ kfBq6}#y<Ÿz_d}8#oByxf^+Z2ɮax\$X:gcr$*HF(9+xjSkpn/ALlܧͩ.맹ɮ)Up`NEgJjPÀn$ұb4kg@ޤ˽A6"њ7NXc o-kJ>I:O~Q!I,O$AɻMW0?K`Y@ɩ,<3Ÿ/maQJ3u M̷qӀII;.&膎 ,>jЗk'(U{sњ Y_[Ce ɩ MR1^1qLF>Lƌta$_ TL;+<ڦR8/t#c!@M?cfe\2LxMf3H1hBv"K(y'>+d 1,4%/4IFæߌ|Hȱ- Es#1z-Ub $TO<38˴+" zK̫kPDp, 0;(T$>lթ*ZV$[0& KyOA›7q85ët<%ၮFd^ P˽O/],y𯈰B%A3@@i  V}KUvY%=}G^i ME}C;GT5(9 VWN[DZ 3\ܲ j:.g#oԡ$ BE>fhMMhʎ yOv>U+vD+F]r;d1]<@HCCfy Ծhw{9ZQ! ^Wl*v{Ǥnb)d(Z/Uj%p*"c7MYQl9דVYl鏜k/+# 6)1Xak1 NKy`zAeǴBi|u-΋G01Nh}Qwfz6L^-W{VhJ*7 A )ݒkx؜xV Hh 6F{&"e\KO25^ &ۺrTt)]ѦOl"Z;cLH$21l ; 2J"q\ A-}ބz1u 2pPOެJ3_wN5ҽ|H- z%"-m~^FC'}ԱWw:U=ƅO~؀JRнHgҗ /Ű'Rt[ah)3A"8arf4c甋0↏?vvXApDPaz䪶!:pVA$RՊMs {#Tt2ԣqRoɥͼ^*^- JttG*h$0xY6FF 7@͚B} ntpXH>-j2.Pj[|oDK3Kߨ$gK+ 1JYaacq~p6Jb>Jl9hprΪ{ mSARy ʬ̯N+6Wvl\W$ iC*nf|qM^6eM5KL}_aV)-D6>r}$d[J(4Gj:LJ?&\2Q#($_:ZzWTR |\S_> -7h˸1 K,#_ά¸EuH^2".jtS:wEnj2{L7_t~ ӾWjlQ, 0Oa6=X2~=Wi% b۶\y]1koZ8X_ ; - 1SyH'C\ae6TN8Xr%{+wOd/ZT O~^Ƕ~}Ob&{y'^Ja_N`В{xX&Kb,FrV')< T0\d{`fPb8)/Ď"v"}0+Jn9ut "Lܶy@#GՌ}~J|L؂0͐2h{~%5{d/,wYpLX^Q|۶񨦮Ǩ5C,q>? 3ƝzĎQ 꼔8(Osʩ9b!̏mgC9:ߥ['rG?5X6$$f0QD _}ë3qituhn83]$b4uCdֶZR1_HZ`LAכ~}djTrey'k\I{>0֕6a@**nJ}&砧6ZW }9hk %C.1n&+^0uzm= {з F\4Iqi^sۉ3!MQ;|8dW<^AbaӆsPtZf;[g^vDW8\;;wDw߈ohV ֪a+!\@=+ip8|<R_6*ytI a@Zzm(5~w{FYt86ZSmkQ>QetjˌL%y ֳŎx$7qK#eʒ0U1\A0mʠu0]^[Ď2ׇR)^T˞" X(& dYG`f<Š$+@D+Ѓm"4Wge3Jܪ:5n O+g"o ~Rurt 1w]mLg  x4Gko#eA6 Tr,lZwyȗzL_#{$k*n$QK!5E{E&݀cdAҼQMI?Ξz.V~1QZcQK^ϿQķ;1RbwC픣de*.>D>-QI[V[_ѶMV%1f5Tm Q*F=bUKQ?rGL"yNNf\/OaBf͞Qs-hTZ0ڦ3Ӭ VY2m[U'I(v;Q;Vp!Sj?cFFMع%OBÞ!}7u#dzj }8R"`}Tį2Mkk↾$: % a ށY C)Ka[m/.#ғZ`|]';X%sv: ω҂Ǖ i9Ad]z bg1V zu(= V%yjqp |H#WhBƪOB?Sk b;:y+nta+@H}mwvpMN}ds,?|4:kp#Q O)^? eI~~Q~!%'qc.ҲoIXAIȪ<5ym`<"k/P"?gCs|~xb&c?Q_nHRh bfPǺyfe[|}`/PW>81sRهX*$IUPhUNRE4˱.[q1d J6eK3ޟ@I(Z@oE5;uw-h @֏^f˄c.NrnrYSv\0cZoaL2; җ1D:}*4HGdC|*n3Z6KABv(='%fl^,C7[DrHBI)M\Q^bp;/b 5Ldp/tQ&0)M[!Է<P}kT&w}z&z^-&/HZT9}Fw6*h9Ҽ 6W|3BtriD;ίnih}OЄ ev0\z-]%!7z<eraׅ!$6/ >{G`Q eS'g5jw ?۴DE&8&Q?o;?j~ ?ZA $uٺ§M5A7W?  nt44닦vY_vu8!4fRykBvǔU{^Zo.d=|~2g͹s^իP6?ӛdM0b\w*VZ\K(!ƍT k޿"$@o wVT͚RA)i"E@ 25.e.wYR̛3Ֆ؇\W4-;=Bh̲G>׸>,xMo˚ ՙ:|>ShQ-&qޑlA!%CԜeIl5+Pvn-udtF8#09fG \'6ވ 02ދ {-/cu)Fi=:7Uj^ϱBA'~[Ȋ]'~$X41!,;%VK1ךb˼ FVijaTN"tb4O?M:\ygmiمVn-gpydcUי_ H9+[񎃉xx+Fa0D~D~G=ֱL 1]N+[3R9a?ǃkז Z lWR' o<)`JZWv +av8B3YM$pkF $SAsQGi=D/*h| ;쥁dLѬ~M" ̿hNRK`}XJŎcG ɶ_QGh ' Re-}M`3* }iT[O,?fơd8Vđg^F.ŕ :},ٓ/+k艆\u?Mxق<`!ngRQyvMᏰ?\`kNIX]:Xs I˱hxjw!Ź&M_ Efh֛uK]xWgWPgޗVey8dN [(qq<Y4H\:*,{-%5V=m_Kʒ~8e5aFF e0,Oa u|HdKC YJ؊~է /{I<IVPL $;+Yw) zo}Y@7)]72E>Ċb {hzH>6‘i7q}`Y;~Qq7pD,zVX>/]Iּq𰮯r~%(%'"Oȕ0sB(`u;odMg-#PHġ,ѿݳ+뤑/X ,f[9rd7Y9 vC6Lv,ґ觜d:P1.n*"mdZ*u;s @_qݐ"ɸt2bK8Kk i !mGɞ#`W;S mQBqE2^u)G>g,Hvu;tw Kk-Pnd\n`ib&ãUDYǢ56ɽ1 M{4RXHIp'WvX佡#0(#!"ɂ":GIs[wVzȫAϨH:_1v89zmNq= 1V M)*Ф]D PGPO<{pj$daz!#Re"C3G:%-PDa#]B"3,cuĴq3b)!5ᓦ@&xޭVG(fcC<xZAc:'NFsTsc 7DڙC;MWv4\)Y|gQ‚Evt3rd' 1%:(xZ9q_?atA,74yt{'=hL۪`pw1K}ƥ>_ ƒS)xӑS+n~UWK.ݚ&vw ! ̘O\޼cɞUX͘lXm\fd;8\ñD6FB3R瘤NO܈݈Nr `IӈC.̭[Mm ,>c5kO T 4e4|Ə3 #t.|XzM&m1V s"v jd m>9Dc]S˧l3sWX2_bO#c1b{7 ȻN%~mE1Sw]V>gh) ZN=bܣ$k"^8m#+֎W'~b- "CPJPTyJﳡ ֩f?1d N񻄟+[E'*XiG j30}+M 7H$ĹYy7@;^ STn)ִ(R#1bXAVPANCB;jxZSf 5+g)PMܮ5b6_!nV+.Z&)vXI`K;׉jVWr lQ0,93;~mF L5& YV 7 <&+%]~xE]Bq݉2j5V$n,@TFڅR:(>BK.FV2|C?˓O|ѬNkX5d:H͹4i j2 gW:r}sqC}I}/RiP,2_] jfeaۮ_V/[0ɿPw$-O{A5%XnBuqn%zU|Fjg^$1mMpeY9R%A+(iCk31-rq}kuO^=ڟ6CwHw?AϫZL)dtK~\" B 9\9gQ54^BX{s]B75{(gjo+{*V _N ڔH<  Ĥhk[co+Be02ʐpcTx*jOj%/psC衻D_6;6S=FIrLĿx4s~3QRx[Iz?E8M5W1h~&9T!s':*׸n<Yi%rcwN{w yv ݫ|0sCGxI@ "`ʱ;qm/W}Ǐ*fG!ٯWa$k Ge\{@ͽa~/b{.%}&&M:0VaT^)^үc#c{^4sc\*̢>ehHႥy>ka.eFʶog>f:sayp6o"?( ]ghSsTId,6~jqmӨ ! IbQPm7i͏a7^Bٻ] <rc>IeqWgf#mTPՒVgߺ38YgGɹ5#YơUpeэVt [uוk郛7xkMj fW7)5&(y{=lY9*=q,_^CUZ,r5Go]`3`%a7zo䵡B&͸fͬ@mFX#]3 PywG+Ʌ?%}>~q\8p+zdK.QkL97q:@XqCk PUm5Xox hM=? }UQ]I(G<շa'{rTq|R! ԙܩV9 ݍ{Q±KJ V7tֱ4 e/a)0S#(Q3x-:VAd`jA ,7G>gK)F!o-d ʛv廪jeĢ?iXo b࢈x4nd{eh&eFpx[6\l{_ҬTܱ,P⺼I=]4 FXw_ _c3-x>XU &V|ðՙpm7zl0츝L -tɂ@Ҝ$Aa' WtTnJpwPi~rԭVzŚ!'2!*^=]kŋ8 f!C8vzrOgb *T~tqC@_{z(:1%gX^kIXDV`A%I>qL(H&O (ѮA4;dL %9ɷXj#s"'+Ë:7o=_)r[4@\4}^ݎv9< .C)u$3Ԯ\Z78(.KeƷW& "X&Z?:G)+8e iD] ؎{׎$TAߘmf&\'2[z֭եu5$2W^s&eYΩAJq/]lTdG( 1Z^<||bJbredM!T ;:(Jzl>&_P GJк&F1(!!Q{<2b~73H^j?S[˂eӛsaeQaJ8d-ͰōmUmy;#R0"B>>hoY_t$IxodC:%kzvh5OIUS1޴ & 1q2$?.֛2(EI{V:\z,R$ڔ_!ѥGV |K]+j^:{gzBV=ĐpWO7^ge~AzǢRw^Qz _3){? )^J2VAt5Ӛ _ɨInjey 3X_U5M:iE7>KoOS=L }EXu;즚Ҟ7@VYEpy-pJ6i6(Gse@s(uXω*ef+;R$~M6}3j'0f4 d@=:FتȟID"F,r:%3 ԒD~jP_HkNXPx_T^lK1׳v`ں66mRRiJ=/@Re?rZ-ap0sZOrځ'MFUHcjlE^~0b;tEV3bϲ幞UUd:* Hb$@|Β = S-G}y* p ꩆ@6i(+jJabrHn5icflJ9a'E;UWP#λlV;.h%6{vetCBG,b]PpHry0 R3R>< \.ӎ.طn4<75U:Bso}+=RjBl>mywpm`Z⹫/r}4>fɪHf] Gӛ4KG*ltzO3HT.A ^y< Dh]陲=4K.HoOL?0ìQ2.mN,-y&M~|jvvVkyL3D'*:bAC ;6?&i*α eǬSD((NPLlK$ s~gĐ3g+4Zm.z읱{xW1G&(3o=WaFȂ}`qĞ؎F?L?>u/F-ȵ-]{]dA$R`yB.VXS3M 9fYP2=h9#pq{>Bx?4b8 hO QD0O- B7֌; ]ۅӇ*I2/XuVƠ~QiXVDXJ2DzATo%,'y p>-(VEF&uGD)++wDJ0:tjDDWR2E"K{ID7^0ZuBq~?]{YDOfc/!˛ ʄnAJI h 2K~N{ xUjDu Ʒ=6#G};tRIv6<$Ҏ~ 20هVC;zo&U;Cg(׃韰oxȀh(r\- j&z(ޕlLx M U%sѺ~;19WAi1,$/Czlv"rZ$ٸǓߒ5-m!%Zw蒼M¥#`,Z.zǗ~!=O@_c s 9:$L‹;޷bȩ8-ܖZX#rzW:HGFuIW- #r&t{{>zubi!ISA)pnkOM:xNju7a`V-J?6ce7F'cV%5ƃaykFI{Bڗ\됚F<\yU!ρ{.1=^3[$~jBzq]S-J0Pⷰ-6eb(:)Hm0mBplOcځa#U!e7M: v>Y%P0^*>Lwb&C[p(aC(; qs(<pƠ:GD %6˱"Ȅ.{f_(b eO)G6DfUOydf :6}D@A I*u72 C)֫_JN($Ntp .\iEށZZ֤E ߨjwG%sO3(ۄ2 1}N!i˟B0c^dͦ ykAo>vog4ź!va]11LPÜ7Ys!镥l3ps 2m0ITIzw&"= Q[]} p%>u+= UЌo e&\SPmBZM? a}7TI" XAtsOh*ErwY)pa?؆u;N!{NrD~&cZS1A0DɡƙպLrdbN.$ mXK-L];GGE 3wY\bC`*U=̂vġO3| T9~2a0=,Е?/<4Nywibr `?B$ XJuGKydi'˩(@Onw:YBiʸ`;oWe)љm6+6=OȐ6HO|EIk,䵈»B|sy)vER !dyҹ2p?IM6S8c~$ژ7Ӝ6T^w/xW'̏~<~wG[A*!$#0xƒf!Uel 6u]2ŀ3ÃqtAl{xFvX.ѐ3sb)K5I8"z3/mr]zlbhL s ԀYi4ps⃟UPBGG^*& jQÊq: 64ƇfNyXbq`~쌭^0LnۥA󗦌OGsh t~&{ɣks)^r;$w$(ud-)4l 9G`^4o+CV!kc[/Lf&Y)ֶֽJx1jyzN߆8Fw0LƝDxe ZU# y (@x2T(+@MY.YOؙ"wrIY~I3úg%\6ՍOOӍ(q8YOdn>'JEO]E`o_!$Q&͵lXg5m4Gn.p['{1.--=6W+8Sc6 WŚ;*䪇_rL+?Q#KYL7b׳pn+@yړ遧3sKQ@dN|%q̣ztGSG E{/st_3ص,,D1+]ʁ#⏝)QSQhklw?6GMNu#`1P6PB0u>B_Yjz KHpPVl5:[6U:S]Y2qd|5^i?P;}4f8J+cwNHNet:kKQi?[nd5^cn`# #p~ bm^!Mb ORt1{$]:LFZj:{Z[ CկY ^U9.ۜrІ1|+6dt x91 d1' "NC.A VzmLE&E_3nΖ􍬪w/>:aSyt=q|:=)*EəB⊘žrM9&QwodkZJzn3w(hf̣s0rܞ=8 P]e&Uo929†ޒ]!ed=X<)o`XRC0RTG~ fK1W&1VN$rm=<'$E 2tPcywS3AQ{| W/dor1I6Φ;&ypdųc;a22EH#`<4+itd Mޮ^)`?3舖,ߪ(k)öኲ}/oxg, MN@ j$a!7{Ԁ+/p_wYk^KHbEB04ri'?ŭkHݍ 4QfPAҼEQ4OjQxt+!0ͪap_k~Aub^܉S 'J E'%ڹjM[;09,7BT~zSHi~@nd4R?HB_ ՛\4j\B)*˲[hjDzL=9/N:/<}8>@Mx@3DL")Ζ@wdX& }LBxU /%~EZNw7cjRrj.S̷wC]̒NA@ذd:$%L7$G",O}xw[jl41u"dOE}D΀d5$篤a6ٲy1;co8Kޫ:o_4.J!,DYiN5BULQ͓kjIa '!E.G?!cpں85}]Ȓz"bobj%@6-4ٽcHN$"~[8)Q˕|BXr]X{DcD ]WE dwV1mD2=+݁+hu7" ֗gaFPQKǟ+%c dOl{{ls#r,~nv-zz)g͍T/Ovԗg4\sX'  0ZZ@6;6 maz ʲc_< iT48)} O{v}0,2obCkQַ*LvwuKLv zfF ℾ4Z uO6 F0OݯyM)btGfI֥a<ðj8}%ͣmqO~y*: pphep 芳z{sg!L-U&HA <3*! 2Hz9(p0_EAAn(y=㊯+mrZoPMmo1F @rk*5(ww]G0QPXt]cog#H(ťCSMx; ޶BG ;z$v?a8/*PM'P6K<;.bwBD3;48z:vLP93&AQ,^ Unf3me`4* jMJT]B@$%7?cab39N{ͫhif3Odz. ͑ XC)](-TA/:(`P9"$)i&be%/8+[IAN0_}) AЂml20~쵕cv ~Qd}]@ )Yuȹ)Fmc{Zh!jV!q֨_LA6p/}m6ĦX)ا;20)V[`#},7Mz^ѦNIӁF{m͎CmFؓ f@zgZ鳔y|)wu@.b18/U7~$i#k&C01?`#2sڍW۽+jV#IXz;Gz.E4xs)d ՕNQ÷ OoJq-ϪW l-kpI<+_}1h}wYse(OMz+ -fbYަv:TPz,DK[\V#0 =ߡ `}}wM[w:a|$S.o TY\opHNb+{$*';FU@]DРGuJǐa]itfAZGdӥ:luw;uTJ5ALtMvdMv$8]Ѥcő䷱7 %6-sq#mR )n{`Vf|w4qRɹR$δvXK= TG}48Yv ЗI:d܃O[ɃJz$T6Qn6JVRuJY@nY%?`wߨwX֐;qdqXS- ^|+ZcL3U ^ b2I<㪆\@∑ $sGrC7li֘N$%X%eCY賖D;c8}&VI̅y`UEP߫{(*Yvy+pַh1 Jh?R2)DZ{KI-cށ{L;z/qs:>]u!/Tj"t?WKZw鴀܉-rt5,ӟe?j>qc(kLHġp;[t/!9"#hіk1EI1Sԥ] &\*k c։Ҙup&4T@ڮU!5+m_LpGKPRI(hr${/[ E'sm. l+"eD̸S)g7A ={*Btw$p2tC.5oOIti~I\#c?J4^zoH*0L.=0 ||qs,Gn{5*"zojww& ~bS ?sv,OɪMp _jflxpS5R9yaCbJ8khv 5YP5?pՁx$y@ K`&TKa к7`Lu2XiyLֲa)6&e_9]{NJ;q(:}A|QQt]hT~zʛ& \*!]Ƕ罀-yxG*+xB]͎.['͚AcXңVGl(fGXҀibt oB3]GX{xX؟E)$ƀBV\ 뜹pm6Wjt{ydg(+~J"}HYϮ#b4(rn+AϰBvs($o蒲 '1#3xJ|ף!@#jܾmq! 8<:k: kET jl] ;Y3Js8W: Fpۜ@='jq)Q]KV~0'G}qߩn&uЎB#BLw :!vh>̴]+.27. thWHp0/| wes}d;',^"5뫏bͱ\-jCt/zviZUd"G0%AM% ,u:'< tioU&MۨJD?uãa;RxY\yj8_Ǹb"%ु7+g%)s {fbCm1sndQP{;顷hmln孅6ٰ:M["#ĽHĻk@fzg.H}:g$ .Ph$̽8Cw;i6{M>F]T$zr J|]lQPNs78BܳTMJKn?d{Zҟ9  'Ǒ(m=lzfb a)Oo<4iU S3&ǟNo$ٗlt#G(kGQy~ia sL4BҌ$B \r JPCC-Jy֥l_WGgwW.@/HI}3-:Lve$P 1MgX)$ oΣfn3CjUyjIW`{E.rMCHVu7Wpעu @1` 6"z@?P)mF U_7TIy1 Α]V' 飢wv0GA߹Mc,X! ] mP ׍@w{'DxuTzRAMJU"y>z""s"=L]JUaʼn֙ 8`Tjz%#۝߈Ɯz.oK\?aTce#3ܯوOWybE'HUK@7B'!l?I7>ۓ[78wS?{}Px¶xc4f6 mq?%d@$WscKeqtrC_;MT(qI؞ Nrs/-Uroz1/ ƹZg_Mėtx6"o4R*I7΋;Jh9/e_>8_ ո&Iyg #+f]Fp_ ;y t}ݡW@_U_zI(5.?@=v>j*ӯ>(r [PZ{4DTCd@l7C+h^:W ښmjӒ{CCK}#0ѽ%zQ~Y[;i`GTMpI^˖w$,LNuHѷo/ea.8*m*`4Ru#4cVD]qS@MDywD}v7JJynvI.n&72KA2o>Eo 259jC*襦Fҭ7oݧl.5.bp]6A H~k个"̧$З)|NeߴWRy*Ɲ?B%V!dxCB%F)ecU0.!j5:5̑޺sB1d|Ԇ3zvjz9ү]s]"C]kh|nԂȘnzѷs;0Z,G9:e/-<>Ki˶Ka G 1>[CɀAÕ_n}#w7l%t47"9~'lԙldCKG$]v=jCʶbq{t+=D1^`e_%C^kpl{-U `q!{ CkI+ƢϟWjdMprT4=&¼ mcګs{}l8Lb mt Z0.fD *-=*\%{B6w!8 V˵zYy&|r]w_HC4^,фeJ,c,8u Y 6h jz )A}:$}@ĴQ"j?`07(^S̺$= S B+?FY$#1M+aҞ=-6R<Ta |u U's'C^3%L 1՟hbvS5n`6\xcfa֯N*.G: hrg#Ik^=XU?~C,rArxC_fe9g؟zL~ߐRTp95.KϟLB8ZTy-J~K^E>QàTe`].-œ6ǿOu'ct XFd%Ftuj]/iќWY(s y16٥}IiF4pԅN=K@PEvaiGiVd@#Ghs|uxF)"egyȩ@lwܝdYw", xGixI( s(Յ$Q~NAOTGyzmLl*k NMͦ,6)+ٗ@Mh^d]C~Zi׏ack%kw 9 "뇓 6 >=(8s]& ;:5O#q~|jq(F*8wS^(]*C'@EƁN| [4ٻ_/Nkb(}j%-{$|SIJ T$/) 'ԃCBBee&9.n}dW)$wzO_|NG_ϛjH.d^XBFT09כ1S5F>YMjlflA0o0R = 7(;)CTQXݻ3E ln8HE}2]-6ZeH9afy>TH|\ӴTewwF|n IPG˖&?%^uCNyd%e*OچE1(&m ܽ@HY`݂,mfqf23 =zhW>[]D;M\zd%4 ¢ gxl(}6?ܮOL7tF5?X[d ~0r̈je~ͯ]\bkI[s;~F*`6F6N%Q˧~G砌tS 3ib@Ī栌.Y=X ~A?Po<[1? K}qZLGXJ|*ctre0ݙ?e2ԳgGv=AGL,c- 3tS$<+r =?|9w.HcnUI3Qs L@yXxي©S7_C7>AffR3s:  &'9ox%VQ!Y*7"F|+]kڊVP25~/yT`>ÿl]N|:VfMͳ.9hSs]/^K쿴p}}VܔV4n~q 0jHr8N&v}OF܊Hˏȉٮe ¢$Ͷ,IA`7PUZ+)P8] (̮?A = \X%|85ZP`F.(s=1C #IG.-STTPU:q1kgUW FE "U]ň=n妓_= ve)/r]^R}/Gk)`pc~Ѿٵ&㡧}/PO#?l߃8:)i|SMגɗ*gxr&H 4=V*xdv>?|7l;xA(4!&{X-k 1yy倖7c$:c'#es-yv)R5, <}s} )ukå6Ƽj̲K9\=EMCA,Ij N8spJ#&xKSG2c4I@pG]~zRWY=[o=oOȰ MmݦLe( >ÎJK@Rҳ5z`jFXQ2ݷ ;n*¿cs4+b~bL?֐<%O)clm{Њ+ADYy%n Pјҭ䬋.7h`~W>8 GBD{D5ե: [Ȕ,\Y85P`J␰pw{$@Ы pi_IQ7ı m3&|#~rcP|ld}`'*eVLy7-SvNsс_K͗Q>|#(2pU[=E44} 3"E nͷ Evʸ0{:쾍 X%'vDZ7@) ӺUk`1M}Ck(PB?$? b[?fB7T,Iˎ4W5z)o`Nix:, 4̜[GRFQFKowa߇+ HtkM&%̖>a&u/R˿pdLG),{ˆvêPQq:/lZ;с^\ A{<]DЯ?!:'FafGeke7A0mNv3<1ʊt8dcĴ YdZ4s>A"fZ1VՖpI3屈,9#AQ\gnh!g”m\H[Kpk|Sݍp9x6@>$8}8/-{ GԎfډp#p[ˇM|5vO_:R"'q} Q[Gu^(Oo2LʀE%('StQVl~3X[s߽Ѡ£& %hY*ݲ˅`3/ DB0qaol;E&tn7 `h{zU)u*"Udg.q3(VO'e4kU!NAE﫫n4k_>Vq,뙢=G6;z&Pv09] ˫np2Eų0 /?d6qD;d^Lڹ>qe v¥ՀeCYqkhA0RJ%b{C n 4F x`w{L kHu,ߍ_A S͗t0yԚ''j.wY ޸yl(nAB"+9l_"=舺s2} v>cz u 70%@mޝ][2xoCY g^Jr* ҙ(JudHm+\5sVlL H1q+q]q6#&B?r=VӚу>svepߑ#TѢT]##FD5]AOf7RoL| 2N w9#72C7ɞ#V6}/aj1I>F-e@?*`;rA'?*,i# &ICсߩT VGA*,wVCH73c}M[">B\{c^|@IbK\7#`o=lzʁ5 ƦUhQ;ىKX%0qt+tȾ`AA6`I-w0 ,xyvb+X\'HUD1ǯ htF*WoEC̬ϑ⮚ȾyNcmН.0=cv&,H.d*Yc(|xG{1ӫeV79SDc*x-h{ X!3g5Y昚r;%:"/ۮ`2y3^֘ҵƐ$Ɇ/䂩UNy8CB,?')ś#&וmtCχV7U<3/KrM[Bo+ f/x7:i>M&Lp}YۋQgOVt9x B% tx3-?y[%Bj/EL VvsƝrܳf2VIU<ُ'h-w]g: lEJ< @yD)&& <=+mk"GH.Cʾ`&0آ۠֬ ixnH#{ƶSA8V&1>'Ч ?/D7*[olU&LzgeZ6oizPvfom AGZ8 4bzC)D-F:24!ŵTl+4"#&?HNkUU | H5I:nlG. }.ZJcfH]?yH_ޣ~R9W!bxؚLl6 /H^g.`ybyY\~P>tU@)nǼ4g [;ӗO7Cۡ\?kKSz:x zXvgXZ絅$%YtIyvp3iDZ@1%.H`US[ L4Kj }niׯt,DM0Co KT+Q@Z˵ at`~S^kLD{`c]­u|c-yOr85."xD:m6ad.p*8AxpcP`Iu9OdcRqZyRzFJ9V|<¿ wROlFAX_jgSfiR2_q<Ɩ89`Ys9w]YꊆH-jd-Y4YEvv17zoXeܜRrE S8,@: )dZ6FFX|"jKba9މ j vjHR6Húvj Et0X@.fo _ypN/(*h^2}aM"ǀl2߲r#w<2*HU>jbop͑Ǭ81$igЎV1T%\^FR/F%՘& /ʝ BҒB7rQW[,hPI5>_DWjNn8-$Yl<(F:u[AT#)~,loK|*х=%ꍋwY9Sml3CW~BeL 9\W ZJ> ؔSxخ)`zm%Iq~773xc-.'}i:5# h0WV.pXΣM }-rW-SR4#d79 `ʮ|W^JE(ۺ+:c>Y`JMS<\|5(`s͇4#xrZPA'$%$ڧXa7Gݔxx]ʿ3'^ج6os7zEQ/vp]ZR) ta*tO"fkGr晏'B7<$e\uu6A 32=k C6~GAvxGw EͱqlY/qZ?﹎ņ{MUhe˹p `''(2gralDʥn(K:QoH Ӳ9b^Pź9i#̓Ka]Ą48XU;ڗ'A~6rms"iN$޶-6n30Kҝ,|T1<LIs0SޑtiX(6R`槧 \F^ȴm6$3Ja l}! ߣjfQgh#+ՕjւF\Md,QT)vjgYMA(IHQ.>&S[ , $?f5s ޭ4amO_w+'OA2o'v"^UPQRea"jr~)ڎBAS+bXlNռhrnH7˟rƈ!d]$,\sĻA8Ei&ҟA&F'`ge x}'2Oh3zްar]tUox6J>*8LθCϵfmO:*;#*09߶*^{H{ 9v !i:pQڜ's{159^o_ WȽ>np_9iiciBqHE봰 \C&U^z44u} Pv?'MWbcDLWm݁`K~D?pە[k7ğڻg(끥~(UeSfj/{9I#ӾM#m2쉋Pܷ?pZi:^dv\r|QS#PE4jt&g:ݐ 4}S!@n<iAvOfw~̅ݭ?Ji._*xRiAŗ,)˷gvłpo@zra؅VAk̅$de]qc/DA 2Fi۱ȫ.-a[a􃃧U2!4X;ۛQ2b'Ǧ{2i_Y< 7Q޶ oTŸ0qT`D`"& PAp?o =[C@2&e}&IC ux6L)Ɏ9@":TB[k˕I%l:l:U:[ӔmQ'$*ΓQEqkQcj/3e1@6jNP yt-{\wLINɓ8$2/0wo moѾ" JZcR:/Xͳ( .^>@1;E%iqv2J œ휍º~^ c$sYOe/kMa J%/Qq3o{}v֪B%fH ;oP%kfB !|tE몽i{rF9;Qyx~U$cnrd׵:@^IL3?cQizvȆ;9wp!U($DcKjtwvYӡ$#w`c7M>;ٻjjPXX 8m!~kB k!e Oԯyv@ACc` !0fB?KN}I TJwQ.2vi-~wb\d :NU#uͧeZe>|݊v9:vy;'հ k ,|\sRhHҌx<(h*qV0g"))YpN{ ~xW~.;Eqo}'䳓weg4.k%H?H4NE0XݸHdg6G2l#)yr O! er~VEJ᎚^{DX$EsQLzөS CG|)b6Y %GJ"(t,bo"ďo)!%iJB@c,A-+7sç?9%mƨt4ЌWf'E`B3Rt [}A TwI$EAƛD ) ` DSՁD K9TF"'XR`&+[Sy{_NT<d` ~hKC,5̻eঀR}߂rԐ AbY0T}*gqtM}v񿥰T;Tj6r"ARG-gNQłCmH8A0EGubC*7&wJ`{ y% !T|cҫ8>|b(E #_kl (T Y]{!:ԫF ]jD * ?IMȚebesо:i^:l!G2>܅_}ȩW{\eט)TX..Z^Ɗl(MM3&J01U[-ɞ~WDE qWi̟ Br0Hgr:z#!)c}fiak&͌9Urd~KD>8ghUax q)R~ lYST_0bw)><1^ܑ).09&3R\L޻wHϮYGS"_~9lGz!e?7?^ӭ^ Ff>g.l[i&ꅦr҆\ H7Yϖl=*~oQxH: *\(I*@ 6iZk Fne>6G=n9);મxK7:+5^>ze̒>p@HHVEux_r~H2N9J2醘q)T0&8TR8 fѪ4WEe_ zwgV/2*P4Pe44)Z-SK8"XC~ۣ/PhNtt%,򁷢uUwOnoe+DY:h5`:z,Bxܥ^DSR< } K,+,=}]ab[9"{$S>/jѹgLS&"!]yl3f6g"o"?T|mF?m@*`umi%ˬЂ!5 s4`+asIpBTz|L|WڶCx4cϪHh?o}7uUx͉T p+fre-z . bٞ b:7J0De!`AwnӴDˬR%KX#ġPH5ᬧ{eʵa\}\~${:5]9 w1!kurue$$ pڈp7Cf4x 34*j >0up֘tL yS_R=;px#}Jko߫omNfi&_Q.I n j./>^eOb S \NPtse18(UEqzAn`~Uߎ gYV ȯAP9LqLù3OvUa%|T'2ACvPs]%YEU]:6Tκ]*.+Ǟ;6y2̵<=tH ;j?qWHz+Fx;jxXU3_HQI@yJ/d~Xqfi꽘E #y/fFg«НM0mzfn"R~:aa٨r47c4 C%cA3QrҬ* -so0[n0-[PK;vΓ E|{#i_(F #B@Q8jw􋑙 㖳̞J6F\(s ]-!ΪwNlclrqp$PV 8g L9|z  "3B 7+Յ8YAfNUlThΕtEʳY,]Swúq5UP%u4֤0[`(GS<_&,T ܎P-[\ɰt!w`x=0/#Ko-% |u$u[:G$ o*q@Ni}P%GH<;KkɀDzW;= ܴW%X] !Y+YB)R`5CFj7Z Ml zxbBm,ʒ !C4 8Ď)=\f-?'&{n`U7&In ;np2? ("!! <'e`ӢT)t${$o/p b~YsR'E1}+t@Ѭzl?qCέ.}v߹?,Y^Za fh+)/kA>> D3; '?s/2ȓUKzeߴPSM/)RLQ-QTQ[q*#oLkʢKsD{@-N 2z}DopY\w/(t֖zw D\jRk1k"PzӏwBJA:fQgGQ 1e6iq5%Eշ* ;\> j6ũNMWiݺ;{h V7"ֶi9K{^D{H{ZYqӌ&dmf|G [@h vu=|Q  ]7c\&=Y&DN Q̼nzڳ>4| !J7G1%.ΑC +Tj6?F#5-ـV'TČ޷]EnbAQ{3?xaBY%঴)IG:G:ҶH߱[P|@>^M/j_sN]excLL 䙇IG0\z kEh?b6P䕧zs濍*XdNjkU};`#,6MxМM=1y {G[Nά/` v@B!|/QĄcz{CB+YJ^aGOeۅ?#G)2TE{C| Fhp̞xB+ȷ$lZv|zpz;)iI.גƑZQ eusf&_ |Tb;Z>1a#X6_@=NX?Ek i 2hjoRvLθˮ^KSFA88݃Zp_LÓTzz {o3L}~wV߁$cawʠ) l f,د|Ǎd-+bGhb*~[@y~kMOduXۺDޥ6R2 =}TWtdwx-P#CE▏ NZ30˴4E.1^$w3aFH zG/0Ӥ&c?Ε)X #c1}`ҁX]Wch&rPwڟ*3#o~UܤNmwHi^D0-صI,4X:ԕzL7j8O$*$`%yS>n֎*U&AEH^Hg`.H%aB7m { sGrp [&~?vG+ p"YlFm?@YC@i8:\[F8llD=m}Ҙ6O%Ѽ ^8oxmT" .EvpTDثo)C)bP1TQoFB>ncR?.d`Nr!QG>}my)"ha;Y9˜ pF"C[1q5Mv]]+u8_BHgյ\i2̬F.kmkXa(%"#OSDS6 @OppᮢbA hԂIwCP@,\Hٶ.h刺> 0K㑸*G:Ɛ܊ nsdC>~`!'A 0Ӣ:,tRQuB GGEAx 2E;DOBH["5LHNcDDh>\y`qDO=7R4;SXg삳a7KpM>#CC=w٨mOӋO lJT~fEt*TU5خ)_3Tb&$؈g/' LnL]F;Ռ~ҩ,t=?N۷aī1p;E ($"6 1VloL2Y^ϾNSV>##).ͧXK66 ]%W'/KV" DQ¿ : ޯUnY Ms](Ɓ^ f 9Su n-5Z 6d[:$ 2oH?otBV)/yǜ !Z&V15K jgXTAXOی aQD1+tA T `0]>MRt,_,,7TGSب/2S-`"77Z>D}YSfz{$ǃ~M}R6N}.g @7$F%qSwe UuYR~ג 9∮9n\NBMb2"gC~+2[&Viuyo  p #.F}/4D:8[<}8&oLୌ8\;pN FBP{RB5$@ lv321ԎiNg@j^M/*0z؝eatL$8ٚꠇR"inm;@_ى=":i$B$;2)-M2ŀ=._Tٴ =+9 ֍![;[scZ|<| Rj$q70 jSbTH3osUM)$_ QyQhF͗+y?M]6Snl'b أAo Ҋ7pNi(l BI!mop> tt{Y$aHjQ^OAz\`4`{hɠXEľR0(!!Ϙ Jm;s{ /E<]'Y"SvWZ${q8j~>Olv~)X=#7lh:;$Z/1V&g* F> h~TE~_S4Yiu;Ċ~3v<'JUੳzdpEp{#ZvD2JY 7fo?btrX97߮)//EyM֧w`-v{SdzvqEA7Ha9PC%uH\W"6klPb5 9{9|Mx\RG[< OnѷIWIFz,߼ZEV7w{I<* E2 I;'Y{veCh.\>x5^n1Nkdϙ7x 6H57x N⼫)ִkg% "[M:n D6<+cZI& LeJvd'ǧE)1|*(?a% ?dL]Ui|kqoJφ#{M, =NX9)]XhcC JRr;-DYlQu[/!nq.&(L--6DNJ33)U7NcǔtZ\QȦZyyP4,e.% %MY)v7`B"[]1_#8gi8AmrC%A^[y.Rd:`1{]+;Bu'$Bʶ_IW۷6dnh$eú7=)ߪ$N2 s ~6kh%A2甄QC hAc v0 ێM2qwO;ķp UD˸瑛ZՕl?[|{yH1:O9l7\YicnS j/[fC-;S粛\+PM8.B((~ {< Z r̨7C:u r' idAeܑ[CtZb"xz5ikMQ1B3p^&S,'aOKN%?b: wep@zBB1_b`nH\"&;3Y娭vs61z(G`IG+kHGV9Xh!`Zv옮(hƢmpz'49Pe.UlXEPLQ>*AD[w5H\Y%n^?Exr*AGꌀ~P*U GvE"MM_,61<[w@#"j*y]/J|K3D|4ņGҥ5vuW~C0D뗦bw7v /VbϷgQwܕZ0!E+3=96%Eɥe:VX[ mDP-N%rb$yND>R KKI~-V;p eQj(oͫ<''t + - ͘(xȫlRVyDtW;]#7NUY萚ɿ7X),UX-RK}mFT>$rB= je/4|u%^%Hl Yw;݇86Z8ΥԌtm˧Qh󬣥q !rufHq+f*l2A7羃a}č|mpYW5m@)zbv 7.֦B;J6h V%zZpL_qKFm"kvmNV1vmPFІy.,PڲjiBPq60?tPl{"J^}FvеNx9šfG{x5V4&XWY_d)8Q 7l0#hg^eV"\IikEΊJô J%%=Ns޺ZkyC(Ag홓eONq8l' (S6FPпBju>IދyX8ވ||ŖBt fM N2ʋNKٙLC@%VR'QvUZVcawYp¥(ѢmśA[l#qS $ΣuI|` ?'8--)='O0|GCR pPh* ґ@3-.su B!| :~.յy@ :'}B8 SǗ f cm#, T"HO60Tsy0bԸTy0`ظ"_CE&" Bw'v%'%v!ZʘTAP rG02 29>FuFh bHOјwT<èhx:tS*YZ%F5yXÔ MU5qX % #]Ʉ$$?N uW&^wt/KWZuO\mshHYIg/Ϻ=p*ʤ+/Ǘx%Qt;ILS;+7GNյ<;""3 F,L{"gĜV|Bptj{`1̩PG5jO_:CNF{a0˩{GMEM@YKiQh/'?Gt[o/_wDhRh(,SppbrU_s/r!D!E/ZGtqE$<>~T|Qع~G'K{~Ĕc?+ 44ANN8xL=+Du=W`ȶy@@0ǍBP6Ctw@2Qf `,csZߤ/HV^UJ5e} $^gɫ/àGvAh>a!a.UEX@[lCAQ묜&dĄ97 t`&-ؒX|FQ!2^%k)Kcx^c ]8<eA+`&-Ox t>g!"$t5ZtH:Cghv I. e$rBu[RbݣO5Q \,>ns T80zɷ?eݤ(=~7D=X&Q';RȮ [`,Dbn}]\<o$_yh=_WT=_iBm5/-\5WwHAR,r(N# +{/ 2SudV^Dd" $7?*Mjq+Yda %,n!RD&|B۠R?`٠msv4̍~M^ E/*9|̫PmyZ#?eaVjψl/ZjcT{쿕b` KM!.{OEVK'S@G'UW@NSlAv, Շ>YPA1{.YG kxag j]a,*JG ȗZ##1# 7*T?VypR fVG3[`'?{""M}`+GR8*5=s ` >m3PDۅ4,D=s(35b9Cmm q+E1.Vs}QH6F$t:; EwLJ+mckK`k9B+AyUw0ikRF J;82vvwoc(r *bXc%4+27‹`.^ӞbyC:a4=d0;1ES/&9[Nt Oxn\0O%_nǀR j{?@m0tZ=ES·M%]4?1Ƕވ*۝_rK;2Ú`.眽Geޏk6?=^#3fhs=+Ճ`P*Ut0w](PhJR%YAM(Ry|}Y֯ڀ%JaJO$௵##J3S&sbe+ݥ  &݃xI3 HƵO52/̢,@/&CX6R>GW*@ms1@37.;CkN)^l<È `bi@.ZюЁ ql1|jL6Sϩk{٭:iSNJ Tc1Ot ~1< <31BmE @eERm>)W(;,MY#+hൣ?CHGu[$&z*9PWZZh``+ZxqK$a!1/ADgaOԫb^Cj;09q|䆶SłT.S"ގ=⟘'r̰w I8 *eä 'J6[Vrp\eT*I<<˷f,$b؃zj5LitTךFiZwyk \G\G>֜sҍ=uEm늪g0`M96G3jk˰ڦe+XI-J=ڲE;>0+ $9&vf\\tmlQBu6C` 4Y;aqb-$ᦉɭq\-/މw=K,p[u6pfqޝq8K&]9d7N }]'^R>R .CN;"u2{a'RrֳMi''+'oZ$$:fZ%Aݒy ExtL( jmZx"S=/[\'K{Am*>}`8Ok^v$uAݣU/{ OϔT(*` +RCGpʟ]݋9j~g<8LƅXMELi 'Un%^ U.SŇ 28zSקS)dy 5]jU 9ɶcs L|=5wJ)a\ƪ_@_}ј2vmzb%e#2!7HDj6_DO SxMhu{3lʜ%ûEzhrJp9K X(^u1uV+YBOwBSیIvG )&lZ@⦏[{agg==QW 8{PSr`@cUY;);]ڜ5#:_27Yh%=w8%||јQ&|!#2B` a>׎ދ(b|a+퐰} {Bm5NG'8*Ϸf"oU.эc!"T)o_ n⎊^1Z6`$Mp̕,hELkC8@5TZE }hB_n׳CWKb q3?"]Ā+HƬ"uq~ҖNˌx_%dJQt$?̎kQӕf(eUjdY?7r2DaŊIt$^*"R+pLKt1gة^g,ЖO)%eL>0{f& %0ڙ'e,#Ǖ["h,diӾ *@/Mbz~OdXqy7KASqͫuiy7AAИ*83C6-FV>-:v̀2Fɍ#;7D#],R&T(<bK g} %62]ԅ8ڟLUސАn2{HX䶗Y֩&7qF46WZ!,g}+j6rѺ&NCSA%1`|">:E9-vc T>tϗ-DU{e4-<<.4'|<v0PYME5 k 抔*TkUg6gc]fRfL6=C>t(uo d YA;̶@'؅B$TA[W*Fw38MWAjlmw&ųSM^>:SP^V|5$tv F5StL%ZoHĹd*;- !m\ڝ;_D(-l+R^ƙBk踌 NKvKu.@׿Ղ5q 64ۘl3 ]qٓ||'{`K.PgLB~.d)p`YJCk QXgT59Ib$S`'bRjf >MSw\.p Dq ]&\|(}B/lǍ60NX=gY6RU2a Ǎ''8T0>2:Ȑ=k*?Q5AyieNE/BDTzYif;؀Ԯ|:T͡'Ͱ+?"G->$frIȩ]9==" z#6JlwZ } Bܧ<0Hw|lͩE;DߺKK,>V>7"QŚ-J*E'KF;ŋ3*j eTN}Y;Gel(7:I(8ړ黔b f 4E;etDp>AiEwq$ƍhyhm/#!J5uKȷbqGkK?dh)I]C<2Ά~f6 VSxFW)9sfq<؛(E37,kD|@&O ~r5[ۇgq|M]57tyAu] ]ѣFvʙ:&(A+=^$ ?ݸq$)@Ȅ`P&yi7RQ*&:,7!W% RvMJ/ Dm 9! }ZزB%]/D+ ][ɷ}<5Cd)39 NXIߏ_%"WDz0ɣe||1t)49ikȢdG?d:4v&?VLfܾi"~g?Ma)&>; fQAr* 2h>Lmr`.PyX`DPH@uH[u2uq*Vv'yv1@p*BJBg z;Db]N܆{PN3J%Ը.fR?LxE>ߏ}ÇF:ͷ,}Ol5ӵdI4`jc= gWSt)ڃB$Y-"Cd́pYQJS-qd ջi3e‚21\ec;ٴ/Q%$mn nS*+bSQ} ɵijfq $z]f{wm+ٞc48ke 'iհد9h:?mqKa)BBO%Y}gp]Q>J륦p$}~0^4)k8/ѣaq^?xH*Ry)B?^Nd6+gAَ. Bu &n qq^P7Vdc>+kq&LR1`A無9W\d i.?g8oP3к>T3E[͖U+ifEh+0 jk)k}ڜƆKDVm7`8` ,};:HdZ7!7.=:Tdqeǥ2!6l(`_kJ?33cHׄ O#ƪcm 6F8`/$[Lb ft=m|J+xfO%jT%c|?u]:fP<(X_ڥ6M8eWV-WQ)NxO[FLpZa}a17AB. lR [Sļ!kúyl89N#/T_b>,3MJ~._mְ9k[Sf,i-[u!l[m;V0UA 4{ù O<@kdAqXHa)I F!xJb3_>n%ۊfAT(tUAB(!JT:_-ܞ)ynU?-zJ7·A..ZӋq+!ol~8DנM(&ڊ%B=z "^ ̀޻a#OrH*Wb4͏RoV5 z} ͛lixZe_˱ ~g,ʼhdп*􋭫 LzLVR{3 -(otDaWG"tN4mJG/7 /HɵQ~*x5;uq<_I2#>r«*9)s'v`U'Vf1AVP**>N.Wa6FS(jh Ql|[n*J:"_ H?4_ Ze=O!FNb]̕";>=2TRE7,vx*a]z~Z}&"ޜg: D_z9y* Fn|fjd} -aKl]5FzU}rzN>_ӎO'$ox u6&Ɵٷ deK8"CN}7OqY ?QO/{-`c,doҗ9hV 6̆'bKFo靽Zׁ瓟?X8!5EXQn3tEwkd*k.ʘcH /nx9OC?f`K]P +VdTU+$¿7y ̸y/J ( 7bnQ ;ne8&dш>ԌS}fm=%7,;!bH 4zW&/cd (~Ѝ1kd>K!z*!#nT">&vDc _TpT*YNEDQLj bJxƗ;؋EF)źu 0rQͼ*$񬖎g8; Y4d~iZbxKX DU7EKN9f6E{XrE!x7##0#VC7kvń:?zqVnɺ?INj-PC*gLd{Naek+2 YhVRXZз4 f?̶\$5g>2DpGmng*]و@Sm p_9ak*iNW U/5ȲfCЬt‘pK{k^w5.DAvotbA7$rDo68uP곾RZ5LsHBR4t6%;tj7_^I3}`Ԋ̓#Q՞1-wRwZi/Ug͘eAO%bzT5I P̉sP8D"R'3n< =,!<2LQ PqQG3-݂ϙH.p^(D@RY9nǟyd\OiexdJx'̷yONf#tyΊmrU]%TBzbQ#^(I.]orl(yEQP@!L2%!А I4gG`dsveR =~ 0MtSl3TG9RcpTX3tgx@-=o2U:f׌!M/{ ep@I8+|tSf&,aa ه3@!uGUy{^JuKq<3O].w=&6 W'rk`Ǣߌh"g.*B2׾̟/֗WUfUbƕ(䇈R/!S "rxlN7>: $CX@WVT6k'@6 d { M &CR,/7.?BR rI/g!0d UH}Zӝ 96PIFGQrMݪ3MWO@؊8GCEz7>/-&.`n{ ?62lGaX`\}0Gk CF vm^| 6`S4Bi;C-J<45a! 3M|ń*ݬɸD/J;\.'MU7?tH݀HerzABRS&xCs$]O/y_ #v kjjAa4Bp@/8^,;% ɮMo[]| ~ZDZ-CUP40r3Y5Nvl09%ܬ׭ypSa~g?3$a [4din*Аlv#l ``tLLm=FI 9µi/AkFv ֵ1mko] _Y\X gFI?QjOc޽cTKMg ,}LGuvKYu /2yS^)& UzNkϯpgZҕ}ozB8j(آE;5 *4ߓ»MJV;~| Q;f9~  X) c y_,-rC2 uT'KVlp=2sGTO}^,Д}7l^HupO@LUic Es4mXp/4# fBL/lz=aHJZn@lgZ&ABے.PY>hZ""CBDĉ:q! G2F$43t7JeW"T;SGJ^ͤ02?O/T"uTSW|\XSjƸ)Yw^^7FJ:\mC#icZj3kamlݩrr bWuMt'be"!mF+.l+2>/uv%TхyZ!7$ :KbV?;J]嚽'L k-b M\}tYQ N$zBY3ePbv{< Sˡzw%{^'h9s門]O_zu)y0[wȲ x*S FQJNw $؞,GE=ep"|U,;l}`Rۮhkg*J̺XM2:~{\` Āyk$oIl> z α/󹣲2̮}9PضbsV?W9b)$(aT2@/lݮ =%Kw$wW}'Pk).dc_O#cݑnUx|^E2ۑYMyvΝfOflWi`tP߯SVx_miE^l䬲ݢ't}u#[y ^m牠Dш#8&yH)swB0S„?O{j|SƔٲ޵rҨ޶ӲtUx=tS&K[sRrׁ!ޗ]a6޴5娴'ķeއpVv$HJ*KxԘe3a#c@D B*U8֞vOLG5@~NA3`&lU,0Gd[hv`k;Efu=Dsl]&Uda~6h$n!'ܑ=l$N?J-mK(z%!:7Alj>Jڝ]h Y޺W$6OUM,×[MH_¡-z :EP(*L޲#(VwzxaI^ͮXaE]eRCz)j>#;>33: E@d;DT>3-J䠒+IS" 1= (P. n7{(t>=lx?ZOv?ep1/A5`T1WP$$q%KGTZ^poC\Qso7OUt5ZzxC0 8xb *No ¶ArR+S2!m'i ^a' (l>j0Fjq(HAšf%ƀ˔&(Bf[~<5RKk8* v%2Svbaw:CI6UdƠӢ;J([ڗOacۨTBxo"zEuDg Iw %B=ny鷳bWV'dCP8oЯIw[nw@2ss:ɰ_}@dN*e6fV`2S ƗsAe̹ zZ@8l`sM6zѥ/ABxS Nm # mBuf$74@'LxE 0jN^cR d#O:I*fDh'1FZk@\6F$:=2$2*P3Z`9XZ /kBnZ- Op`щ5٧<ȁ(~*q-Itz喨CFlNZ1UǓ}Ejy`uRUYkuߘxxi$4`YWu3F u;&I@k0eGq[w}>f*ZQPTAoVixȪax^g5# O8wje!9^H Z>'k8Y /;~NHLfg`h0ߏf4`p˲G_HpQEr*6> 6Ux3rVWֈM! 0v+_LhLCB 9>Tg0~ э 8 IPq0dC6‰@vfuw;\c'pT?EoXC.G,゠2JrțѠG٧2[8/)Xz(v3!1={mWVm2f8rU8xk}iMϦ٧ F~)o?w חa 봋.$q.44ةy6o )t48/7MRJ|Q+85a\0TruGڪ p26z.oqqLRǮ^ s޽Y\}7^m1~VS}Q tTaU06@tc [tCA J ]B'=6{BIWБS[:` mYQ}PWv׎h$+th*b*!#5g*'9P8g0њ2E@'%Y]&j>Mxp:_׭s UGU8rԠ_hP7wDJ> Zt@2WHِdΞ -O0)Z^I9}aRwh[כȑ䄦i>;1…ͫI[D0~ ]R]4$?M%CUKbJU`rgWFH_:b!KeD` (s1՛/K&a 3&VD0ឆO.!/DN5h\ cd1=7歆Z3܅5 2PDJC\VDw2j^9p_J S}aX(5 clyLӫj sP9q+"{#JƠ^l5.&_wy L5 AC֐UMrlp+?!P^}7QaoJ =Pmn:w|l?+?Vk"ٮg $W.WJB}<SGY.O^KX 8gk3X8)H\ xC;5GMVmR,6F#)<t;m75, rӃw@>+ HQCU x}7TG*P8S쫺8'C&Q+\S*#_VvִրcvH6|D%![9JGQ-mDڬ?PE2$K/x%{v} -ޱ^i%=jr{/&-տCXxp>Z6TOJM3o#]W3+VV>rbudD<^gg Jw'Zx :sd;]b<{{C|i~A66uZ(8(zTӮ=ۂKXXexBP4"tk'``bwge[lJ(9]ƦF/ņa``nf+8i* o~ *^Y8w"pm L^ / cYb'BA|Fa7LdY؊;*o|N'* g#}7bjsλ,EL8wK?[UٶC Wa$`zۑa3S&)BGܹ$"nPiFE7ECBu(1(_X4UޠT[4:T0DV/¸KYy5EvMylt "j82qͱ7B=瑐'F iɸ#=1CQЍqr/L+ Zz P-8^1]E}\i OܴqDzk|~ly=aҹ8?8ΙݑX@t8`^Q/7ŏ`Aܟ5nXqS;|F/K2R2e47ޖbثw½:- gJz{ 8dh59`F}}3 d.k03-IJ!'ZCͫ!S)N;TNAGZo1vSRB bjhR0/dAf#4L {1?{GFS+SvCҞ=£=YhAs>i}oPuA>fI.:CYitP20"/~ۊ"Zh [r^KLc])}B(E ,&IV|i[*5̮Uvݸ, $2bL0׀yhYɴ) l̪^:WM3C3gI?y Gb}{ހK{` L1Zs/_4Y| `}.QmY I /Sm|OOʼl43ȭr6:vUsgXv?EY?ߜSuB?}$@su*ph:d\ohIVuC<:>u?kjL ܙ ܓC>JuݼS:9)d,uE4~]7V2=a),=xy@BA٦iE'w&\5X |XVU8V-CSsFN҄Hʼn~r5˭\[4%x`GWd(p~5'ƐL]j^$d+Ҵu>)Tnd߶a$"ꜗt47T'6̷ӿH'ٔ,TZ#r`=]qM# \ AfQHe."F9$<j*'r+7إd}6W5??,Vf+HAY2iDϢ]kȣq<0 4'-5'%2u3ȀK1hmt:K(Ch@%Hv+p/m|?0V0 ([0`:,,v^3ammUs:P,u~yÛ1D9ȑTwnc*ҙ_kkF0_1S,iQ%lA&RuC%4re'~q'(Pb|q4BZFhbVƀJjAob6[u.};mQK=Iţh3<an?MlSZP8!?Db'4 M-Db**G5*#hXț;a;psX2OU|÷gZ'lX$Lh%:I~`nRO%J86+ځͅ($/඙21q7NG~Mǘ5 @ CELzUgFdԆ*7օTӢ^.k9(&=\fp(er XW K]~_T5sps:Dzp'8>Q<=ADaf@ ȭ9v 2DF)yc2-i%wN,pԷ~ _w׳y_꿒 n^Fvyׂo2\rL/fϺVVxWrmaٖ![Yؙ l@G}Ԟ邘.O% ՕA ,jZgS:}6K>YGqZVLx]g3" Wt.+qmvPa=[(hn%Md(ڧ,G~q 9J!<v$El%gb_xy7^t/Zp:&GP5{\> 豈1B{),[ )P#[ُ~o?Ъe:> T"6Bӵ$C.u4AlIt$w2F)30,k^0Ҭ*;T)H ⭐ [qKs͢B7r>D07S2Wڐ`,V f3 O UR è;iMԕ<@2:]BӐC&9芾eZ!m|0$u"K٩i(r=^`P||n0qEn#"<(Tn>v.j;l-fyQ .ciNL&lP⦘@S¡pia>0!5SS[k wSFo7Sf A 8cUA-]iJ9f?'o"JQwȩ#_7^dpTeV\K\@9g[y<!W1Qk4p=>Cbqj]0!p|VNvO;%UYUiT\拮z=Z jd>=dIkViC}3;??Pw?,c~VU,,dZj@YU'O l>Lϐg㾯tuA]h*6;Ō8paVW{~Txg#WyJ^Đu<{h|1~Aey,9MeW9(#+gbH/΅żBa*8}SW/HHbh9 N},c%M=blz8iv<_eJm.%~ls irs(G=p+hוf@qL6 yh߃k8ty'ݐiP.+ W!"VfX9>_D3 GmM(dр&6uQhAL4TQ~M|zX#рH† p G>)U vaH~eo8xGhr䃱+ 1B T [ P4[G/Ȏ%DQ)P bM 伵>/ʮMy> 0~Yhk|eBqyei~:[S2Fߌ01EM@uHɤx밁  MֵLñ@kL:[^!Oݣp4UO y@g(8戀J%UND3oQ9,Q`_(\G YmLv~O5>< e̩uFC43#j*yN]tFo)v0ăͶ=kTkU>n+):#ꄖXрP>Uڠ@@)<c7au :kھ%y Vhr~ ^ _MLÈ8ArŽab/ q^ۥUyz{p"amLn4պעJYF̄jZ 8-m/;\t;ɕ~epL83p#5jzo^4ۤW²ݶQnjߖ`8Jz78>A7lթR [#ӏW\NwBㇳZ2ʥkPQ@Cqcx7P bc jNJ!k1^1q_rWdBkD-7ǹm6M)ȁF2~>\,fV~8V$҇D UL38cFb6&Dg'g&ه>קvel:D6Fdnȿ5n4KRT;wlH^_w[OKOsR`i:MYPfvi[ u7,sГ=;s9 r> ߀z<3ʦotˮg)HmVm /Z*@Rp#oc?\wG8 §4ƋiIe͕FO"XÜ|#}4il(jFw:.o @͘єBQGjY-xF`x?Tʲ7Lyauyl/+j5h{a>шVZᇥ"sٿ7 JEd͚e*G Fo(aP:YfVoz֍=l4Q|PwarIPGARa/)rM Al |Wx2BqQ!zl3Ŧkyr{e0>tZK[zAҢ02[ũK|CZ'܇X'%\zHTL{p.?px*7J)h| Uٜ-f@TZy:Xh@n5YڲZLPj/?^< }5u M 2 52.~7Ve^Y܂n8,sqR;HM&YT|oXM01)r]Ez -Dt F,>I ;N]c<a>d핼oNͩMTJjm^?aGЩd|OM^P H~Ps<@kC, az(:9}X&jK&PDUTbC C֞mCl"=LYBߠ}lI"[fn<[A`{S VkTf[P%|LU DmMt: iX$R\Sc`ď~al 4C)n4q,|瞇}`*> d6ʌ\n1JZɚysw_=ؗ8p罵$+*Yc=t%w`G>L?9qS2&ϒ7V+\ #dJy/r'Uz g[H FB0L:n|ǀ pz|N#t8Y~'LhЮJ0v'2ܑ9έ cj'&)6c$0 fΆ}@B}-2RB[> 4~~t_FēGEMG 5}ܒ)KzۉG >dy!^ٱv҈5OS==ѽS1X{{VQ8iOXoCr?M2T`쪺d=n iiyV024r:bG=) dL¼G4.!alerӾ˖=Aٔ.rxA]R8I)|*WBhvnΖ"UH,}4WSǕ`NIa +]`O6~Y< M.)Љ)l==HOaٻХΣhܖO]Y^Ж"BO!pm_:tPc _ag'2'k#txͿ|^{xfQj#Da{r(?,ӆ ˺p*YyƵ);ܶ7£$4hX0NC_wylBĩ_~؁BDpYJA׬ xIYrHY`Duɺ"(Kfl%٨*?l]i;x(1SofϢR:52(Pȧ29[:RنV_MnvA\k<ǶiBӷ'=/[:e$OAG8(Oޯ1?vt*KP?Vvƀ2%_z)UU4~%_n5~F WtMM˲[tMZa%4qκ0Tt]ʟvs:i=yNϛoRVKiDOzaRܖ|oG$$0i+p~FtB"XЁ[G;ݣ!0MBGV(D ;eg^BHaP $pڋ~Lθ l@0 J^6vu)`q&)kּw;aȴ^QkQ*Cǜ]#6%n9T)샀32;'PR8cT>Dže7zJlgɨosk"EwojK6R+~έ1 *-vMB9NmP7c$7"ڱY=5¾2 θbro\pP 64Mxwo(^>Dk0RJKyVx3VNA+΅0ّq1ЖΥi8sf#DB9u,Yf$zXݽ~;/ꯃJ(5fZ] Tju8h'_Zl5 ȁaD$9 A6'-G'=.) |Zk҇^_YvLxԗīD7HnqX dyS6{i{iК0^Ѵ M+h9Ĥ&aBL Bf,EfoXBSI9ۑ>;.0+'mnwV,l&tfpfa|_p̤#Kv..FBT9kuØ>tK_P\L\CX5e4[6=av㥋 b!ee*sܾSlq 6O'G.&%;fZ[&Qs̹uMb +V{Q yep(YDzd/V^ D-:F~:4jE):1aei :&E&-H#~mFVІ_>br~:P7+3Cd0'ob=|IᦔK'p[(_qFQέԧd&(y1УXF#2xbHLE !Q߻-χX'pɘoG7!$mAE bgwRXD˕ uv:` B^};C`w_{୹{X- Hc-h{t`Dt{eľKNM.֝ ynY}ZxqܞWdN̓hJ={QG|[뎯c1}}0vhYd"5^-{5Ko@DEǘ Vy^@^+ &o}_ hp'PռrIZ(BA 7g~q~Wg&ʘ~| &(m>4H*ME h[<d4Wu;rٟ3a 0wtO3U/HF⪋f pZCCQ[692x1lU׏$a<7᪢9Ix|2g}̊PH0nRv{NG = $*.M É*hS={+0mɄОKϟn]Q9VKҵ߰($='l>8Iַ68nlvsbrO*ݟ\̔.T8O7_QUN d%4=ApRA|ڡX`%ߖNOGCF‹fӳI#['ؒ-$E+Fʋ:#N~_c[UǭHe%D2'+Q'yaPJ0uIPxEfKK[Zs a; >i|GUH|xu\31Wpf˕z\jOjrTq+.\Hb$C9Y]ΐ4]~ k3uH&|A7H4|7+%8YZr?ZLR$zvn G8uyk6*s42]E(4) &$>OgH.@E'Y9hߡEÝW#s.9*$uH/\#0C Dx "֎H?KwT$ꀑi5O!n9(zf b;kfECK`!\*`np㖩oa~ ue<Ñ!35y\>P6 o`W)ͽ[[=z=-ʶ7H=NMl:q'2 y Jƒ l?>/tگyw͘\Yd\{a*bJ .@ TD\in6S&$>_*j􌄢KFL3PKD#?X$"ח3 ŋSm]BEC9t9O )"e>h|T̖0B NY/6xUZ!cm $'ghh1\+B p\.dEk֓Ӓ]I_I'_m0o|p45IjlzS Lc$O)H<_Av*bJRl#7ɗg4{P]!I0efLSS!"H1t좱"w@ ЫfF>MB2lİ䣝L +dN='/# E;,_~{)|!6cbn  ȍEŨa\j %ǭnjJޠVAJ?I}cQ^6py_m*⁺,kq1{^&5 >@q-ǽБ,\3lSsĈ|/ Gk:*MB蟂ʛ#VQ>%A:%FrM,†kXwh#-#H?!_,d \_%V*\ 7HMki9oH:nFrY ;j P%͕k3Swc3VB0PbAmLㅇUh/IrYj,NeN';#4%` 5X")>:HBYfx #9HMXϹWI:eÐcתxd`h$_*!8* P1-t!JGD^̀nX 7 ޕڵ~^F|d+ Z]!1kwJE6ꄹH 7/& Q~aY#x;?5mE)-jPu1 .o Hh4',oVcrH=]{:=zj}ҳB%㶜-8Y|ޔ3ô`/)z̥$/:80:1VQdFi]=}aŸUh6{ '["*B.^2c% o^)k@(iO9:)\=߶}< /QzJsfT,@ #JՂ̉Fz8'??Sp9HuFD{w5Yݯ|^I/Rɡ"\[A+B@gysOƐDB&m.pĠ,t]hL1N+mĻ՘[n.9VӇ,A]=u +Y 76eلP TZXfWIP`8IIYPkD.Kr<+q+P_":͟;RdksFC%*L pc5;Z)Mxրd`<7eG{_H7DѤh/v6.X6Dv4%\`eMNO'K0_xXieIc}5)6}r m$@3b ^&( DQʾJ/1Oqm]vOD٭+r8QO%n[AaA `x@y 0s?]$kq㋳@ "FròVh3at Ć.D 9Kd5'9(gt5(ȔiƮl\7= &qWgXPTy  Gen. Ɠ`ʝGyP?8l?S+qLBW~<뚫P%N&mK$]Cknnܑ`j03|VټDr\b@ (?ዷH 15K@F_{x^-kH'Oc*> L}$b'څ6{]ڲyz(ĺ!v%\'z݋kt-~2Q8tp7Vzmu 'm͔%>#Dg$x5SN@QZdJ8\ ղO~3t:|~uaY̪/YqE5?&K3gǀmN>OA"`:|M U۩H匙>lJJcwi{dgka/_=\nxLœ0KRZLjU]#Ncn@#gYN0BZ:d\m4DtpӦNKВا..?] MZ%-$rޘl>=;\~?>QS4?YjQ:y744_ڭ 4Nf#i]@ hiY>2|TŇcjħТ3Cl1c=[KywX2tL9ah4/"*{=栳č` v4~`>IƒJ'M Wr=8c*``~ԍ# o?ƥ E}S5j}]07-$6VaW>z27J @S.&ʲ*6ϐR)erL;Z~[MYƍRX 6z2jHߒf+@@oD)/rVg@m\RdK \J?Q,3iwI+>Cnn(( Dy@ I[r0,2sP% R!(1-^aM"ܺ*8 lQb`3OGhv[ꏇڃe1s Cxr6ùۘ>^rEjhGI~]ܻ[46NmssvzIUgo(0XtAty/'bKwzBGkwnR"҅Sy2 JƧ-eAkn_W,c2~dT;(y5NvC/faղC$_|} >9~ٳf nupXaTy5N-pUM|m i"j{{1,O76<6B9%'CDZ/91jy~y%Ο3|Ï`{Sb9k(%*)0[U6;el}]J?K4TQUϠL_21\HI l;6RijRP1*4K$wpe*5ZIPZ37|L j~nYr'u[4[S[i_\"i`UT qw Yg'IKAՆ=TlV؇f„燶_*"LWX1=8/Qn9,2Ênkst, vN8iEH3. [cE' q848鬰W˦|`1Cb-W4UKk THp_Aq gG5T+C5]I*8qB( 1ճm k+ 3H:$QQlk^t)$[_dHHðs{zMGojZ&C<#VA@ν69iWZz($}$*a")k.rCmhhFæZe6 %6KN{ʤ9a #VM>0WL/9HԫжC<.CXꔃ y"kIHgG`SH&[kеg=] )aD!CP{Ve>??cnȕpcuDF:~ʴɖ QB~cOI'3tx)&.SӠ5#C&r]gെKҊ4Ki~?G*.Cnx&*|h;}ع9<|b 9M+^yHM<%Ȃ2Kr'P}]vzoȐcֵsUq) f8WJ!jiwn֡E(۷aiIb{\>z&'ʏKJ p&Hv~$ 3p;3Hhs#LGh9d6hyT݀#D 5 ˻?T\L6'ijIc?q ? BcqضJ2`̐ ~phguC.NևeoO9PmpHxG):|Z (_T-ΦO&V-`ܻRP2$@Q@̦Ӌ-aC];6炓#R+]1| C՘O^S@_,*$X=yUZ^NoRG2 Pտ&̢b޷dUDz[%%Ѵ-λVa-qeT8\6z5ˉÈ[H]'sxR5`.m\8AT3W[K %/mmβB 3/;],쒄$Gh0%؅e{O,[Ve퓦S&[ ]eG@Y,"iUcG=W`t'QaQunmgwUqڣ1sP2 PR2IK(VNY E^ŒC;Ih|H9d&C>K#@&#!Iͪ¹bWZ3v3+C!>&U$# $Sĥx]d8_=ECCm|mV6'1h{]yK"Sn8Q&J׍>OeI/WdlMωᾠ.dQQdz3=@Xq1Srys~3mdbpE͗2LtB(nzGQ_o92scc9^ʒG͚=^)JHVQFwK[1/.!DӧT: !ELNp(dӼƑ#{/&%gIq6bQHgwc%xXB4\^APILBk alFCވ>6/`IvV.f""%lk i:KY?ِͯ}{4b0tvQg+ ]|ڸ~K˅ %r_c]2.$mO5Nq-@@lhs`"K6fUWN0T^adeC^(>D!~QDr|$ ':#A5YUQٺɪ+bBW=_ZwZ^&=0ƥ-^KB,Rcnxr&*XM#{xIQ)ʸlC@1'B6bpv~V*~0yt  X=nN]Bot UㅅQ`G c G6sE# .u=- dEpNb1ٳbK WF#Ù]UYxc bc 7?`/g5俪h4<'yĚzgyߠf,7869S7AYN!/R Eh`IȨ&V5X?:{ IߟRDX@4A hչd ];5媈W3 Q ˇ@Z#SWVQ <(g!`5kL콕{63+Ȇ"&j@ P+āt11݅,I6lhuõ}5UV #3]~{\4#GD!e%}t'BL0ь$èp\JSc~UIJ뼮%M/R9=)_UyB[lˣpLmy|hrJ7&ZqgxuΆ[*/WN;S//&K&@TB+|2 %˗ϋ?h&N1:?)58}SCw3La&+ɔn/`ǀ Fw@'T%\~hA(A '3bɴ80_5R牫cܮZ?Sї풝ʠCD@-d~kykp{0RSY6&̦-g]fDj{9ee)Y!@GT MPms;+Tzp4Jzna-J>9{ >VrcH="di,¾R4?/RD6e#bSĒ"ժݬ^oˢO Sf,X+M|gILJ>rOX&ĬvSR a7OBJ antjW;IIC)QEn0-wKǸ/ C1K}Rt9҇!JhP*F&'QցM yV*w,!$]cЅ'e`s,_ۺE~ꙣ6wrAbəM_鴾foRmܧesY:j+Ѹ(0G{?uLcpZC=7=9p3?j]bSJj=~Q<@eWxJPv/ɨ3K SJ",JFĻYވabΑ|HȃxË~ `VeU5.3JG3"(of@jS>}dWwvbj݂+|4:cNXv9 L<+rKvF !uitaeLz",iC߼Poϋh2 +g Sk Gi쥅!Ĝ&R)3d/8`-"gNDwWT7voX% piT0Yɂ -m>+Xb`ƾxDU}@%S&t1}=_HѨŲ;!V,$cӵYHNQ(O& m&3>ܒƀ፡bejg!_xGgU sk/=*mpQSz?"=vnA&H#+f5bM,֯ 8SYTm<7s7gnSt+'WNnΎdWqgF$d@`+i8XcрBma*8X+U6dܾ1O!b?@̌?՛fb+0cdPI!M Ygv.Ggn!ӘJ8vH jE{Rɐdn:  v)S.b։j>!cʼn:hiss lq.F2lt P>\afRa#m_|S]9IZd, 5@Ij`g`ict~U'ؾcFC|O~@9V1uDBbzj5z.;ګ]axGбjYDaJT|7P860مڧ3OEeVdˠҖٍ.| eTlSEf)^) g2']wk` ͑$3]gNBw&Fx1=be3eʍN{oZ `CnWN5ãФ-cݓ$&X]A$dJE; ߓ ZdN[)4@&D%:[-YMn¿->`Ml;X+f=UCVo6|ȖlMtEXjgڟܱO*pԧe/QCr&ՠVU C{ZmO ڊ ԛ) f j]쿪aL,n\  V2>-tT">(b%>Bwd܉ !Mqv"/*:j/Jnd~\h|wXB^afG:e^SrpZ7`fӯbjSdrbycO!8fUcp\Mvs>D~\Xf*"zmt:~ X+v\@FSJ n䄉=muS ;faBn/hw(96+ذ [cU7|LG r~3-FW9FpѼ4&ÓjzW4n3YquԜ@Ǯ6U%lks} 8~!!S+_ imh:HZYec82PӀ)x385tR;TG+rT3nTOѢ"NuBiNPWu׸> )* u@E.]>kI~ppSzT4y 4P@x [P:rhE=Qjcɋ#q?M?i'X:1o\85 de; e1֜3Lv|^,n ŗKWKu!#`Jx"Q0pXsd7^Gx2Qg𒝆:@ϭf^sf0fRz`-ٻ?P"ٯC@֔t fcLPJJbͰp=tq_گV ({kS{#[Nez܍`fsLG^,A4XYO%dz+*&O O nh \\C[Ꞥ|;_ #AoN`@4`#s̞x9AyݽCa'Z/0${Q6}6k]\2tcH kOOYVtY[ <0:H`nV)!r1\tH)vM5uR|``ur Y[=fS>1A^dqoٷGA@l8E%~:yU 7.f{bY=TBY, !pa5"5s҇­Q>kֺ1*;ǥJ_.fvC \02\-?Ó.8}i@kȔG=fApTM0KHIo مmòٶO"02F^k -Di-DQeT4VZ>WK/S؍eW&Lfo`Rݢ >-4o|Q/?>å 9y}[sZ@e^=%[SKmd3ZN&aR-siغ\}ƋY ҧ>Oi׋L~&~'˿sYdKn&̬&Ҟ=lZ"S0+ e;2#I2"ԝpCmToNQe݂[VYa3s7Ll:Y"t!^]1s~MLYƟ/ qjSߠ?I`OѾM=}V(MJs^n]"u͛ KB̾ڵ*m*Md2l! } `6d=UcO=~_/_J &Xzgd7m=$iqChuGDY_*tQ\8?'!6ÒH !^jLW,:{J#j$}:@pOD$@ YbW9_1:(@ 'G,E!K˦X0B97ɡiEEPz6#.4w0&,"ÞMwz!"eH,~$Km.Y+ > xW;?ț&!r#E9ӭj[Hh=-ʀDF*<DA<ʝW@ءdP<܋sQ,XH xl!5$ -#7n+9DN'//!%.r@c#0ؓf&8RqQqKIuDYÎsFV][VcFg6O mN~XG񱛐 b,W_0Gx-e>n.Q-}uǐuõ(MF; 9 !Ϫl2o޽wbAٮU>#g{h_{;T~F/oӧB%2'MۤD=0b4`7ധ`xR> OZl@KZ]xOǁL 2+٤qWhQKL\Hv}_ yY*M)XTZab 5d _'7O^\CAC<(\k)xG>!M܄a+9a8tpNZPx~tKЮvcp^AE IBf΄<]H,_h4*tWw-n#Y ϣ# o^x$ aٞg^=R5\Ŵv } ,H\JISv6 EC0k9kð_9f'z_qIꩦ7g& WCI}%?Z5/`QqV)%g3f [*kZ ]XLnԑdIp)R+0BEŃNIhkԨ_ǧ.5}@UE!cy~Ҳպ}V3~iש&qs$@зf6. h@00!hLj)}3i5"4h8tbp" [`6BZ PN3?MX@4vMjZ[* !LǡN~4@i3 ǒ` @!M*]:6Ń{($IPP0C]MHx hCVY/|轮F`_y—ɭoG A_w4;><@uLIϲĢwaY}nfR!^;~ùO}ЉQG`.œ=x<#Hj~n2GLXbI+t%<),HOy *?EQs>4]qs.)\C έ zMpI w7(Tj?X[ѳk <_3Sx~81uv9egxnfpۧ^iL΅󠬖7LQUv(k0}ɶ#P,]w?YFJA!\jbŖBO4@Fϵ=&@+~PC1I 9R^l]ؚ'MWqpm6{\% P˛8csǀ?mzVEjUX 7U W_[xU˝إG(4dvf3$^ HsRc+EwP+h?/Lvj>ٔOtDRV#5&7kSsuy;0?\!dhh = (&}Irm)@B,'(NJVjC"b>E䰠S#]!( g)8 uxƄA!ݰxs'R` v IX()Q ض?j22K2vHŭ}{:]0CȤRՁ[mOˇ%LYTKBd5e!ݤJ^C!OȹE<'U.YA&U+o#svLkIJN:Ρ**~M(R ev\SQ=0A.VD1UvRdz@ `DJ6^GB(qez/@bHIG۳ŔO<_ue ;ՕЩM}tQP j_,DűѡW5Գ MsNN!\z//wԫnXұ&$? E@1w$1 pY eC[]z +~WI ??cj 񄽩W{VfTƌ";,N0Ix\ X-ޗ#^sK}iIewpؕH^񼞨yvx=(؉i'87_uV;RR WG0Mm+p$&@?,4`kߝk;]&mAi#-ϏΊ&q0HL^yAsY~|2郮 nQѨ,GMѕml cбD QNHq4$/Rso%p:])I\(:f(ZجXH&hKR-B2t%dgT[CU~"D/=y^gY.db78Q/ڎZA`մ/6QR0WVHD@ː+G|qNe/][[-^NfL%J嚈eζWV|~~UgJ8as#,uyAR聸8 x4h~}Xg7*|ӣWl-{^?Zz0Esu>=:<:=g <) B= ΄Fyl'dK{9dr%FJ1jY˱z3%~ K1q7e<-YE% ܹJ${$ }7;UhENDeqL708_QO leֱ=;Д{8(Z2ע >¦A.|P1!@_2%mY9N"e.\A(́6"2BKa~C KogF༯/Ad>=G'MLj>7M>EZѻNQu-Ƴd̺,K!+nZ"wyEJstl((-M>]9 VxԈٶpQJFg-xa hA? Sc IZZ q^h`6uiI+js#MhS!vpX\){%U@CQUyNnadV@h Qz#>%CuBỜܾg\K-$Ww9;0/tޫ&NP2E@8q^C靗i? `rQFrNE DԄ |Cj>0Ϻ]R?;{q-_'] )-&~K&/] umGC6KMUZ2PW l D=Y<=x:YDq5>!?$666h8| pL(NԫrC޼%ȁօ _71Q4/Sqg0Z1*_@G]_1#I6*&[D"6󭱪_JXoLR^o7@ ߈TO+xZg~E.?U;fnA"N%snhgpuHxS70lagĴ#pJ(GӶ&=ɉ1m!EN]%tW0Ion̅ɉBcXa8vFPgP8(Z?/!*&s39s^ɑqe~Io2$!ƫptY-ޜ~w7]I\VgM¤ L]PFֻMt{{^7mVI>9@Z1ҞU7< M)\iQ-贈eŴsm`^?:I*dI5߼,5&z`{P%լ$ܻԽJWYdO 5=XRTwf7\_dT/'! q+x{:x@i2!J3zϹ]`FG Y!w;J!fp+>k %3wKK Aa=;ߔd]XLPd*>ϖg8H6︛⻝KQ"(eٵ>4\ K;-<ޒ"} fWZz f(4f/8/1ƐKRkivqoWok/T:S帻zAV( a߼'&%~i8ҥXGqrp^'21y_ؓ*:1R~!ֱ}z,^vX T;Sˑp$L  !/ڗ#7mnu+(Ь<`LS1ZWޑA1J_->-yr/w׭2Y@Z"en{z>C[V Yv6wo9 soKݚ֔Yӛ)맱 ٞ_%| I avĘۘ3%p{07Tl,hδӯl#]æ @Hf@XYiE y Ez1,(wSb,Kkb;7_y^}'D .Mͪi(vN7~n:n( 7mi'cj}vΆUB $*SQDf#jy˲8Q#%JRv7SL͢vծ__#޹xqb]O6BʶZ&av\;q}I  '@VVkp# t=78 @51u؊9-Mw ޣե KMJc7XUzf+`fR׺{96)ܼSJQ +!@r,_\54h]IW㳄'3tlFv$[/j0 7TXc =Tq .E<m$w-{%m NC~ۑrDq`56r[ֶ\tT?iŢ#M~+U;#7/`5LhQ[ f r (0lCFmUr-F܋Ti9 4^йA'pV?T̏a[Ü/;r;E1;Z)>k]Gtl (`z0^KRtLn{'$iҨc׈9M=.l#BC&Z_;_GqHc~&ٷdpmFA!owfWKǾ!NGx}h#EGCB?I{T64dչsHoOJ[!t'ІYVe{r+Y/Z< z3A󻛐9м_K M~kՋECm/"ݔ'3Ǯ'>iOa[Zs0{Pεu?y0P Kmb͆w6|Uh ӽ|=[/l-*ǃ `9-!z'Ja:_f&TrcWL sb[2aW' QXA&K*ƻ_ AzAg*V;lN *vqt+btw,rcB Q88+fƳY(8X7}KB8O]atlf[̴h6:EVv_sMfΠo7TRbW4 F -ұ1RO>XDR5C9ϗ :硘 kA[$ol8rjR:g 4%訌mHt_e>I4 FnK-Dz.IzDIjNV]:Rb\$dp?4 WArv_Fyz*uZy *RcoS8e].Z妙T$Jʔ~.2ӊ3=?i~mHbY}cIAtÍ"41~QV'o85Ii*A+RrLJ|]rdNҕ|zJ ũl[^)rQ!-S?h~[%Ϡ}O.6X`Wm˶GlO֍4H Q .| *Wlz[,g8s2µ)>FIABle R5 ̿%u0 +=%vB?D)~AW?mB Fcr?Pn: i(& W7:ە~H}43+ъ.nUƨ$bdW^FR!.,@sP"C C|m#YuaZGdXYRQ&agp;~=KVuͨү=tDXIsO-=8]k\%J4s+-H6V)1A;!&}U_Q3Glˋn 6.L0ccA f.B_Zr,׬}0@ON"Ngjƒ%^XO=+iZȵo`}GK{Sas! ,BGO'h]nB,6̶mR*~_7!.0xp%73hQgAZVBAو P<h>z4#<Ʃ!(cpA[ԩ2;&'N เaהѿыpeMiqWᛓx/I4|1e GX5$ w 1c)VaQm/-0US gV#KX)PG=D8c7; n׫$YNޥ+7͑P+[fy' j:3-xLjԵ5I9:{GlӮ|jUȔHMg 9MLr!_cg} d25 G Y~Dږ4Yl82@z>T@|lntӠ00ud*(p}(&wk MesW3h^ky.|E-hV@)NLl%lY&vWDH-hM%50a WBN7?P%es4+wQ];j\g'>ȈU^;2"غYM|g7mco-3TʚT%`/wgmbqg5鷁5/N'Q&K0UI>5߆^Ʊ'@ןzξ*2t,6 k{O vYHvր*C~ j#bKټl"/,ncm_Z\!9y}2T"fh̊*h*j8#@1˿,Rn(0MPVNpI[ooB<4#&@\-0nLy $@5 ʕGpG? <+ 9]kڌ5q6fq?d}#}Lzw>__'L>k7xs@]DU(|m+q \lMKq#,D6߮YzcJs"]ē2?+>*Fؕ.ZIzkdh<ݰUM#D{ v[@13V6됈n7SI~3ftŮ; 6G3h%.y]y]M&f_5ᬩ|d$١XэQ8+RQ1!kuy v@q@?Ѭ;GEnVY* KJH/炂킙 /sיvp=^C8g(iu8wv/O]n g =Fo=CSnÓ`4`ԀQAQ2;P,G"]#Hh R\ԄLNHhͦJꨨ{Z+.]8}V5x.1g!YKV5閅'v{$,DEw[Vm,[a?gґíJyxo8p!-%xW$ d@)Ty?#1d$Ƚ.Wr:(B"BVuÐ{0 gO CVwZV%ZoJWhNR\TO.l3otQa߄rYA} -a/et5kQʶkwSMd6wI@ɎPz:!|?>m-{Y%#⡋'z$?_&30c=kK(Ϻzp(z#(Nxǔ7Pvl)V:upS=7hMi-AN8N/ r!, 98+7~^I.tNR`eTK_|~n2r?%NXD--̠X1GVrjbiz)b_mtiM0Wp [1ұ^oB.ɴ?"flJy,XbȏwfNz^h % 74C5"`!Cv~;(x+AX+%qsbpyAKwW" \ѦS!wެshZh{xVиQ@l(['7hї Ӳ X_%5;:605-w@Ab;ƈuE?aM =v81#={hAFY9GʬȚaΦ5GYZ/JZ;>'󕮮;f0An>0wGGV~sQʀ `AձN:qR<0kht!YRA4A+C~~:7sB3XKfx? {Z*" 9;#p-fɸ#j栗[d:g(ӫb-\$}933h߳lbM9@ٙYHc@6qdoH`uaK|jq\Is ᪻7B<цg wZxoQtPq1IYjDv*}W8%y,3OT9Xf:,eeq ɤO2ml 3d3F([CJu\Cmuz6\ٟn6RY |tjг|!Kc,VurE|'9ƹQ2,{.3A\IZS=kzS?ӥg9_<ӼKssj+bP4q瘢VlЇ:x;س]jg؀}$EhPv*! |ځ~^foN>q9 Mg>񪘉 Xp:tj^8`ч3B0Z:3iLby*Ԋ`uʱV}5靈dGe4ϘZ~/flDܒOR/ڭe]>_.m$Xm33KxLe4(?=>#ɞ na/DT ::ģf1|IebIY"zQ<" |0 # msRHhۧk򕾏^ gwSk &coy ZB;I B9Xa{=(nNKJL-A)Խ¨Vݱ.H.!^pC^b,a&[Lr?"4z֮k`;:2 0Li`@cUI''nw6Et ([_WSp#zm)X ka-& Q寎πmMXU %,s, `I\@͇b7E,8g5{) B ALWұ_z\{R0h(ݘ((YS ; Ĉ1E̓} tMN 57?fT?V`Bn gr)2@y>+@R$: Ӄx# іϛ-&L :QQCD9al9n3𤅀Sb.n%" TQJZe۬hy8 ] e?わ>NeK“'G˙ereoee҆4n@.!5GOtkY\~R@#Vmzw]3} :3ocp{lJ6BYWyiyb? &%E- ByJŖM8$X3␸08!]G6k^<# n}ը>.NU6YyNhD Un}\φq c俿kMI1[fl!ރ:Tف btxj`٪X>:ar6  5s^jKM|D]huz\)B#>)Ml4Ukf!\B*ic;uB!qIÇ҇xmZDp?V:_P`&M$=&=E+$f2Π-CNan3:[[Wt]Sޟ[ !K]tZRpS_^ !}tPĐ^A*1X0JyqY1gJlz9yg 5G2'`UmnE@$%?hE&qՏKPta_p>tC`k}\EWh-凖#4fxwAez ~ Ю69#{^ ;홷n2asu h[{QHLM`̧ԍI=hX`(zf sKjt%sqX7Z8e[{$m℅lB bwu|/rmW5xzidˑ~ Ք~qU? Ka29h!/\?L75 NⵒgAJ x~ 괔~,\HlR 2tbjKgz`wH%T]'{r :? [q连WUtl7W7퐅R3}L!◠_goU09o11@R1TVG4h;"w ?IS\f)Fo5Ww)XM!:@G= eL yG HCұ󬳹]@R~t+!iR [L>rfSR@4h\ "^H=/[V-CM*nH(0<ycW*Ed7tP 6+wBc?Owbz^iR9R K*';J %M|R3t3LA x{9QY}{~t ;&nܛ$JdV'2 JsJpvYo"K+ڌMx+_Fй>]f*<Ȩ*|4O!EtwFpk/`;#>k>=y qsQ Dg;m@\Vp!e F).5/g`mm*C7j# &]H#VVQZg\1{͐..ᒑqAr!%u,nvn/x l?%IftqkboeߺWf>[kR3}uϕGߍg)AdfADtI-G$)/]|CEjb[d Clz@Tp*rKLKŔU&"%HG7bX2(S=y+)pK UP &4ktH?[%CQCꃬ+'e[w&y~%i#]愩U|f 9MTIs iC&ʐysUr 3*D$Ipp\[Gl@8D)rh<ul!}3YZD=/dV p&(xѩ|v QPL;{X"ғœg-^MjaQSgT"gxBot˱g -[Éxn/1 0˟0;}V ϭd-ě5 E%H }&hM0V`pLC8;"_lf6 KeB0OFS;Sw֙ޔ,bZʑ}[?-n9ըY{S$ܭ@ Nc\Y>JJ_U!W\. Kw`Ooa+! 0;Mx})~ >&cIEqcEjbGXjitSdSIGcǫcFh;ݴ]i\VTYIHU!ڦwxuůkM"-XBSƙ;lޔ13"HJ3M7(vx{s?m2x" Xjv`}ґ+dk=ԜγAwe^d}8$P}.`f]/ V&-ᡂ1NQB;)$3X2QnU؛m&;P¦ `2/w =);&s½-G^C=_:*)0]2e쑇,,~ u2O>U;]PITiQJ| ǡkp!sJ}hݺC1ZfB?CI;PK#\}. %TDx}i*I("'`dz.4}WzzF <U+.TuF=T*׹т/$0dJnt衒$9rIg !d)i&Z?2"ܢ_ ?enAtVy͚DZVN#ö3'?seB5eop$m9 =67-@<8T3 `R@PZK"Qwczdɦ@#ɜ&WZAykO9 7p2`@V7ALCU p/.Q[*\wj)7p\C,F}.nP"/Z; h``**\)#ͪ[TNI]^]ܥau SsըprzsC vq^5w^&b+<|缙d|16I<7MBXӶ>9#):@Ј5fp )ǯ$X3P8Q\S}v>x˫*yInGV;$TT`uʭh,!%VIqj@v?b`̋`Z! ГL0܎}~e*&'R~ęϋPqX[Ϲ0=!% ҦnDS9E@n/Hx~fÖXCF=d<U|YeS2l }-*lU\*FӊP8L1d3[iBa@^`4apr& XW*!b,K`K ©lL \,@"DʟRi縤F'ceK9Kʂyq Uww5{'deUcv-"?_(6yZ_~Jp66 NH C2]QrWgJju`Z@Z5UE^WkVIg:rRVYCFInG)HΙFs^ᓱzGhz~Zϳ\{ғ`/Ly%2dvs1l%MB"C[$N*^E4r&a'+XF'AV"!:UlY\ F4ָjS݊MbV;hF#SrzF'GTSvZ͡1\A" ~І݁syfUdA0Up: ̐:P0p0kIR,>Ru."љh;g>EeϛnY$.=^ $T F3ܞçBTIYqDUJҷn v=%9FNv ̷#_DZtlf/'lB>sȃ$ox\hkc'Nj"pިh0Q  mj?Η&iؕ!/_M N)6"Y8p)R`Q.3bbi{+׫9-GfMs@e!I,-%ԭ>:)Cwɦu>6xTԐthVZQ x{]V~ Xf7S4;0ciǖ<c0YuF90}xp&äJ+;X>GpU{pW;bAP9ۋ|Y3 MSҬ~,}8*Z÷tOoI<_.gtܦԝC_|琍1~s!;BNL!)`/bog,R Z9aiy}vǎՃ(<_7S;!Ӊ|xն g`UܭnWiTzn&#nK}&сD/sKy̞~fZhhT1l^|mݚ [ނ#{i}[}E4]`dG|Jne`UEǶ+I|lq'֟.5нCTԞl-u"g/ h ۿu \/9ZGZS6$9rw!)Ov-Θ3µFB ʙ9bsqZ eְ H$z; p7HzٟH"Ek MtԨj:SG**F %]}{fΤR /VLJ$O*NJu+ ]SL |8('tOͰjx_'-w *Qfj̥ d5.{mD$hi<(ˮp}^l!b!3xq&=Z[(\7oe"vt0Uǝ3&}غX^ _r$<#8!=.phZSGtvm`#3|k66($oEm6v,: ݐ+kb =Hm)rK̺Op՚D%^Tئ} fX`}p`: 3bJv>v5t B坻X_[n\rp#Wr A8]C;MMĭ=NN2~5 x?%|CKg9"To&+(zOZy1NtmW,(T_ܸ?N%jH(kirofi(ҥ8f &̢2%O&0H+ 0io۽.tڻ58 yP/Zǹcn 8zm̒d OIYKgD*I R nP=BFAY|ø[V(6ODiC@1" ŠY#@,) (ۈq'j\fHB_pSq<JQ[~i8f՘%a$t5 ƲH69A,'uo%i͕,/'AjY " ?,_Xic ~mh5EdLGJ^=jT DF _˵qs<.U/b0dM58 K.<(6`` yEp+lpsO)/1Tpc & սA_Vb_q}=)XOveԧ X"*&+~,_qdz*Qe)rG=smcqno!U"Ϩ55uN%3h7"YFb ~PgyQQw+]IKl$y{4/ƁnMA=1xĭWMUͪ93b~_t0 dɱ^j%[yY^_+߶LyQShjciͨmEyQMqt}yX lp 쫯vc~|4ȩ-iWFF2R Ј`"mÊ$HpgUkR&EąRhvaGdso!rkqĆW{ypQauzy]7YGCCfMZi=@yeHJ*!*nɋ 2jbhXL)EQ]@ZЖ? 49:3+h冞ǏyfևTDݿgo ˍh[.^ +p[9DK1k'LU}|9v_47=]9"RݲKC"F I \eXG8OU`I,dW {'ƒ]6'`Kߏ.EGA7PeyiJ0+|ϸw2ni* _bĬSrO;uT~3B eZ>Dfف;3Yf4v6EIWš$y5/XW|u3 䰨 羱rҧcW}Ha?㹈;;>>v5Vŷ]&Jg%lB@n`p~L9:&0r0!(@؈@Ew  D7!rHrM4M?_xr|Xm<+LFTsʦf.K_f{beȾ`{^e)l- ~]^h6jkz dw# 69 z$A,Ά^m.J/`ܮ/F>"m-cj%tVq^(;CxDVvR;Quk;%\-3=>Cؾg$ iS7=. A$Geڗ;a'J*T+- YC|n駲_i4jĬW!N{\|d*D&xD 1޹ъ2'=(Xl0R-q .(Pei#~plE@ kbg ڐ8k~>l(i+R?7􌻨M* P(K"ewL|",m %~\Fށ׫tA#F Yt*haX?֐cIh'+Ay +SH80Ŵ^HSYN)g5s` 46>z<)˼(N '/M6\L¿kن5H<} )\*#/ cνLDD: nȐh71&MDUH9!`] t&7#JȁbC FDv;j:+̷_aύӠvM[_sS>cM21w3cE+Dd%*Bgf?pW 4 ~jvs`;A PjI;NlI)g|np_Y@#xۄN@ΡeS8.LF]B1yPB {΄`k 5>mrO;wۥsF}9S4Ceb/,J<%QBF>IM,kʉ@Z0=4 `AKۣA FGۨq2[ ,_u vL 2x$-{=md0Ղf_=r#0즉 zs'Pֆr^5;( mTG]cu>x!CLa}qj L&)/o?~CgW>7ɚ)>)/}I{;L K@X UDzHxOJA.@>$$_:5\.74og"~ŐDpV{6)3z_[ $ӓ! ЀZL6Aʑ*E jDk"6CK2\;aAo`4 W]FJ~Т?7[u&(f֡pz‸rmbwj-AǑDUvmd1*s&1(,։M&4x;K(M2@#S 5&KzF7p4]5VMi6Ʊv +Ys}3?2W{㢒 O`oRۦ“)b{p~O:[nW55"lj R @)F@Sb4Lib_A4GYn( IteMScɇ( :Q>^GW,<McˍZSʛrͽi 8y{eS䇳0>C[ep+"cC(u{Rޑ~'V`}JҢJzޠ̌E^᭎c 0,]wy$#ez#[5`YI,x}0a+_NLq5B[7(3oO,I )\PB:ۺ/L 1 ou' &bme%g)]~eJ >t}xR݆8^|J>2Ŋ@kKSB& k?q<*H1C%jwf(kڞgB5YlSr fO!lSX'U'  aq)Jl Rq@̔dr߷6V`Rpx p=*p26- _+I9jF(qk\flFT'(ȪT,NJd0U2ċŲʭ{VFSoWҞSlG Yern͵A86br^,oo~; fW;{=u^~ux X{c?"O{.k֙z6%S[ڼ%!7v3X"8mWo|-tltR 9s;@b 4ca+%ǮN:8"e0Z2+SqU8)R*tz_?KyJD.^Չ. -5sbWGG>̏"0Dȋ e0?HS& ZM;[/)_ ]g_x8' YW;_زyHr8 :?n7غddeB6)WuI>^zcZ^-5try'Z!5AP"mR>'O13ϸxڔ/Rf85~vԸJ Ucg9#)M%1`G͵wDž_5f9[[2 )YL=Mò҇}_>A0ȭޒ.+E>X*s $F;/ʃWU~#]:LH 'Bn?*we}*ni[(kN߷ )qӸ,cIB!]J{QX5OSؔ EE7qRu,:7g'*#o:0|/NISxL.㮝ԕ&}hzwrl)Qs qhm no.$Cy!9N 'v(_Unp*YXw׊w$e?u˽Qкg33Җmd QVkbsl+įmtbNzve|˳~He̔bdzS!~Mk[urfzr/:X@ei\!+LX* RvZQ˨ 3P#+_`Ō]+ߥlꯡya ~N;Xٵb6ى$gKh$5/8js1Q* [+ u+;yK mmB EZz( NOyc=ݭ*j [UfӲ\7ı0wgܲ,b=)҆sM?9~ۜziϜD)fv՚Bzjd:ɇnz>)b!3ŪX#w)x';~;F=\$;-pl3č`kԿe{0Jce#,ά[z670'ŅC'MDlrTbƈ+/g= ۜ!0뉸FFp;+y،a'!ld`BSKj3%vPQ؆ׯfirp[VM>[ZM/bi4͑ /ֈdڤMZŻ=wĘ}Si_~\4)#_߂'x4'+8 H\ꝕ{>oR1"8 1HFe=u` ޒj4գ t"P@Tx\č:Cb p]?t:L_]0V2&[;A u<{z)>KП˲}cԿ%U0vszQ&U"KO}r'0FGV/ $!6~g 7C}ެh#C ꚧ`oTXSW AmT~2%2B5=HbAN:} Rȑ.oz F\a(M"%ftwÖŲgOHw?A ~3yYW̄AlM YFM.oP]73%Q[cr.,'3Ha]sGM1S z]]fziIw*ZZF( N*Lu{v_;'3-?-?~ *c1ԟUF& ˒Q 0`PEzX'ɵ?vC}e#>&-dH6V'M63X]v(= 7suO77 "v~>ko:eeRJJ"dB:z^MXa%SBV'm{aVON6ir>I"6,°+}4sfL[QvZPFѮrG"Njl'zxRp#G[kܘ Y] ɨ'Fq&GH}wS\X9 H,raNiTJBJ뱸Jb잎LS)#^I:ZYnn3%GrQOROB-u6[Hm iMz] !Xux6x<˪pe`#(:)H 32a2e*j/ɫ61E1V Z]r cM6LoY7F5Dm d?mF.>4A6Hg:v?GNN*}/ň|&7dc"2c Bm:Ra= HzIV]331:.z`XXl,7 &9:^̞*k=qrs  7sf8E/;,kOó5^ ˜tf S/kSu}ND~'\+y0P#b)5*ɻ)q*?U PWlu,D{)riS! oaIs&aXsF6C*WMk d=ЧENfRu6 MWs5g[Jy ,'Ua::'FRq| ~yICW y0$D6A3hJ%#c/4}oRew>Coc'b@е-!-ew&+Uƞ+}1e(ȅI!H؞cܟ9pHt 'ug9~7VqARM]'LN+py Ѱ֥9Qx Kr@K Dÿ/\0)Go Aa{w$-Kut-_h4>*١ήvX)(u^i(@h`PY(aϊt+F(-e%ծt^Q!?a逵6ZتZkKJQI+/ԁ:o@7Ce<ﺛ/(ZڷGT|I. T)= D =D#ogRmA,x]a%yRX4.eƿX? 3za@贮it)p_9҄ >:н J\Sugg-I,1Ik …t| >hzSw/323vzhU"~r>#~翱PPu0dR'ןOH)=hX3?ї>0W&MCZqrޢqrB:՛@83Okۉ):U5\oφi43`} A@فl`Xl%yZ4⎴&O})*5Yi#Қg>owrYq{swy0[38X+m$/O9~8X'b{z=P?se>򄣐ɱrQEK7{yHUg^/)v'bu(Gm} t@ DZ) O0gevl;^y]ba)B;ᵓm 2|z4F&^Q/ p˄lx [~/ؓg͂Ё;5Lư 0Y蔧h }E8B7*U{wK148Jbn9]%2G\9u{t^]|בo @Cbܱ+F4&X0( 16bidL_Hn#PzSG1tո|V}OClKEQY  cv)sO{sxl&ѓb6+0c9vo ]szI)X-rO| e8(I:v4wԫD;*1Ŵqa7}.uLpt$}U^?M _\ 9QgmrC_5Pj0bJ!A)_ 3|IN4 ?rR ǖeUreQ{u$9K C eo-Fd6U 1. խr2,z,xhH愁zoW.z/?E2խDһm @ݲ^`7/ࣵ-"* jX YZ