permissions-20181225-23.6.1 >  A `Kp9|0v?z HU󶞑( SP:KaTOp #2T(= "E>fI2h<޴˸e rlv&NncH_qկnZAdĦ"6`ҕ- yD\v[@RԶ*qriAvmn-4AJvxf2;"(0~er76O-?{Cr9# !8Y,G)vywb56be899e8c597ff4545eb2b2cbc858ed543e0a60ab22dac8eaee68f66265cb99350b2b07f9c4ca1c4c9984729fa55a8efdaa856 `Kp9|@Z`? K廉!GVu~ifGLlB[w™XE?R^Qe`UNP8ð z;@i gJ\6! b5 <uY:1<^062{§ M8ma}#\`pt8Z!Fnf\:ڵ4SdK6?ab%4}w™!(>Q$GU0؝+- }}ƪ~y|X>p@7<F7DG7X H7| I7 X7Y7\7 ]8 ^8b8c9d:*e:/f:2l:4u:H v:lw; x; y;z<<<<<\Cpermissions2018122523.6.1SUSE Linux Default PermissionsPermission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.`)nebbioloS*SUSE Linux Enterprise 15SUSE LLC GPL-2.0+https://www.suse.com/Productivity/Securityhttp://github.com/openSUSE/permissionslinuxppc64le PNAME=security SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi # apply all potentially changed permissions /usr/bin/chkstat --system.Tk1W6^ 9;@큤`'`'`'`'`'`'`'`'`'cd73f4760679880a45dce3c9cb05db59590dd96a4598a64a8a09e1ac03effb0661c722ee39b8cbf07c24b99c9a866362671c5a984607616229b6fab62f7ec8be254ecad52808937c3153a81d50810ee7e689d78dfc2cf8aac67cf179a2fdbf3be186e053c2d66276c577c08ccdc467d5b4150a19c0bfeccd7eed528e80e61d42c0b8419b68f4b7b2ec821478798185bc1fca31a07a1a0d447ffc04046566659c117017d3a22f542cc0e92cf755a6a823bda799b8bf946fa6d7ab968c2120c94735eca1eb5762d2b602f4b5114a54eb6e6815d26f10b5dab00cda67f2860ca4a32dcb772c1e9949198bc7695bd25c20cd21aea565905b0975de2edeafb31d8202acbebeb00ef9fccc619e66ad50b5c31ac346b2e06ec7d429ec8d2181bc5bd2f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpermissions-20181225-23.6.1.src.rpmaaa_base:/etc/permissionsconfig(permissions)permissionspermissions(ppc-64)@@@    /bin/shconfig(permissions)coreutilsdiffutilsfillupgrepgroup(trusted)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libcap.so.2()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20181225-23.6.13.0.4-14.6.0-14.0-15.2-14.14.1`@` l^?@^ϧ^>@^^y@^\@^Y^;^:@^4]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@matthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commalte.kraus@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.comjsegitz@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- Update to version 20181225: * etc/permissions: remove unnecessary entries (bsc#1182899)- Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)- Update to version 20181224: * profiles: add entries for enlightenment (bsc#1171686)- whitelist texlive public binary (bsc#1171686)- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- run testsuite during package build - Update to version 20181224: * testsuite: adapt expected behavior to legacy branches * adjust testsuite to post CVE-2020-8013 link handling * testsuite: add option to not mount /proc * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922 * add a test for symlinked directories * fix relative symlink handling * regtest: fix the static PATH list which was missing /usr/bin * regtest: also unshare the PID namespace to support /proc mounting * Makefile: force remove upon clean target to prevent bogus errors * regtest: by default automatically (re)build chkstat before testing * regtest: add test for symlink targets * regtest: make capability setting tests optional * regtest: fix capability assertion helper logic * regtests: add another test case that catches set*id or caps in world-writable sub-trees * regtest: add another test that catches when privilege bits are set for special files * regtest: add test case for user owned symlinks * regtest: employ subuid and subgid feature in user namespace * regtest: add another test case that covers unknown user/group config * regtest: add another test that checks rejection of insecure mixed-owner paths * regtest: add test that checks for rejection of world-writable paths * regtest: add test for detection of unexpected parent directory ownership * regtest: add further helper functions, allow access to main instance * regtest: introduce some basic coloring support to improve readability * regtest: sort imports, another piece of rationale * regtest: add capability test case * regtest: improve error flagging of test cases and introduce warnings * regtest: support caps * regtest: add a couple of command line parameter test cases * regtest: add another test that checks whether the default profile works * regtests: add tests for correct application of local profiles * regtest: add further test cases that test correct profile application * regtest: simplify test implementation and readability * regtest: add helpers for permissions.d per package profiles * regtest: support read-only bind mounts, also bind-mount permissions repo * tests: introduce a regression test suite for chkstat- Update to version 20181224: * whitelist WMP (bsc#1161335) * Makefile: allow to build test version programmatically * chkstat: handle symlinks in final path elements correctly * add .gitignore for chkstat binary * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) * fix syntax of paranoid profile- Update to version 20181224: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: capability handling fixes (bsc#1161779) * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647/bin/shnebbiolo 1619781673 20181225-23.6.120181225-23.6.120181225-23.6.1permissionspermissions.easypermissions.localpermissions.paranoidpermissions.securechkstatsysconfig.securitypermissions.5.gzchkstat.8.gz/etc//usr/bin//usr/share/fillup-templates//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:19442/SUSE_SLE-15-SP2_Update/2eed20ea58db96220f1f12b01d779edd-permissions.SUSE_SLE-15-SP2_Updatecpioxz5ppc64le-suse-linuxASCII textELF 64-bit LSB shared object, 64-bit PowerPC or cisco 7500, version 1 (SYSV), dynamically linked, interpreter /lib64/ld64.so.2, BuildID[sha1]=ce46edc20afbaa3c01527e94fd5236bc12eb9731, for GNU/Linux 3.10.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)RR R?vlEJq$yutf-836e57a548b80ea786c9f1444fcb575165681688392410b809f749a22663a5db1?7zXZ !t/Xe1] crv(vX0-ȸ։Ot_H{&/rE5rvAHIV{u6E2$kwr3|#C}POM߸O5='4 Ssh !&"ᳩ?p24h L?i{{^I$;j候Q&8, ,'.u~wl`spk!{5֊v('WL߇j+O%a <~a|X/E}n 8cl}-[\\ Ap X^\FLŊp )KL /={VU9F?7gtsYE|z*SSìbuERJNYsI:DROץl*G3Iy6yZ00zea$4͌ Eb (6aˣxw~0'6It<_Q–SwMIwq054x{HЍnxr !Rwxt{"$d'U`F\OvlǑ`/O-a4 R' U]S}0 C"g5a(Ŋykd Sv׋%*HM`9U1PW\-1V;3*kZ6W6mfI cD 'Q15&^έHw ͚Hi[h-lֶ\毬4Nyw\X&KֹR=z9VW 1BaJVU*dY磧SJG-ƕ/[ Ds`.o*am˲]qv *Ga9)jrf62֐_g: 9xPPDqܞuPMbG 9(b \>FvAU!uíquGlȍloL~>vetaO+kj!&…j\4<+sKz.-/UB~%bpUr .\ JJJ`.4 RC/S-u඄Q6zp ?8 e\Yv_q7G[2oM]Ü=/b*>g ?Y*ųn2Ezh@)/B>iL򜢹J&75z]k|ƈg|Q{[SA / }+ 8̱yוBɲH|e*YVpHVg1Jy'{ljX^B_g q>lIP`zx/0v:$ 8ŕ`C`d_G(~w :E bl(,){ qYغ+Hu:RG.ü4#VCH|!GӜI \ \[-J̈́(,D&:6z(`%fHUAzQ`ֈ44QX:9eQ:>~ӂe-g96Y>|G9O+Bnob-#}`wKGjJ5 <-~q)! }_BzBeϸ!\RRucxo.=0%k= UHyþ4[NmVɪdQy2dq̀՚ M)B*j/u9 L&;Рܨ.k.T3j U/cHmѵG/0 `qTϙ$th}Ync,jdk9KA,P~0۴AFBxM~\Kt*oUx3=k.xseY<0uA 1N4~{$aA2}*2IdtDE`2E?ϖ 0g/wp>EGY[vFųo)I{g},``5d9~ԧ^$Scca$|" #Ȩ"I6okjY`}L~pP(aN, :V`]"GFn) #ɖ2seW{q )ϫsl1J9Ի-uX[Lꯌ!g/,! |`EU%,Z'ͧ"O9 Տ43҂z"hڳ)2k</ϗXi姃.,Ķ{ˍE{TؑXWAW^ JE'ZY cp"neS{'gŜ#kɲ֢"iI_]9Ufb5} 肺݄09 WOVR),}Ҕ^~b\XESX=W6(^'MYQQ^="鮝0}gF/$˄V#QuE%`bb@fc)J9+-`c.mZ 6J|&u須A<ۇ5$*Qƺg\R3-p i Q@#4O$ 9:*l(ζ0_ϓJ1vsOӗĝ*< aG&ndiC߯QGꀧYT}tV>L y|Y!۶Zgx!qS;ct#ŃϡQP`0L6j&`Bkx~uqFl!$`!htz(:Վ0/)#7L8M$q@Ȇ m_ !K`zI.X%vxq29a!Hrim_tOngu!OMgbf:XFX3- QڼO={~1O&$?)s>~I"cKhY8f0 RQT2?eK}H8r#p9+)A;ǼI }{"r͉eq/(b]rvtAK2q))ya. aB3_bӫ3 6eiWfzBo$4ʛ>$]7Y\^ӓNjHvqp?SyZLZGyg\>2.|~+fDj$23B>6џ`X %fqgxiO■!1J%YPumT؊{l 5muGܔcO3P0JV|g;@V:.|h3p7Y*HRgЙ!\7 'k&݊-Sƞ,{}D-e{n8?<#߬v2k!sR{DW/r^2vD 5lЛz60%#64r+ŮN=42Ʋ"{^;Ƽ![3$Dz-p$Dͯ$Z꿷rFQr|@v(wYzϒ"RA*FL=7jHzڑ0 JY|^Zgd)Ygj<.X+`gf%!Ѓy@T8&8N@#Np|,``B#>Y09Y=!'kS :΋'d)i ޾Cx#ǣb^i9(`Z@]Rhj ɯ Z9!4킵@`z+uR6DD|zSBvd"eH@޺ Y$  o9(^8g?ëw٣N8'%~_W%R! t5)5z9q}kK /Wfĵ:>tz}++ԡd.8%q̋bUڅJ|8w هơ^ғcAD>V&r'ܛ:s.jG/1P0$;>>b:`?b^g)o2p[lW aPڛljٽ65FՄU—^$Z,ʄǠqt,8ڕI?;ÍEyͶXSЂ׃j['PȊpb 5L\:j)8).yF A-zC7_ű0֯7vyȄc'HA?C|jP"u .Z1Y1 +Nݯ5ŔD"6h-KBkY͓!" Ύ'uzCO;nAjRQR4+gL?h!F #_cV5p1$v+[ {<e>Ά8 nP ϞH/_TGJ/Aa:GMWH]SL!iY+.hӳv0%%~0eep3~KzSP }Wp·)mS 6ʧ(31K߃ih#p뒘Qi IQuTWL~B\1F#'ҿsiFhd3x{fȫ>-F+*9DVeD{m;wb \!sqIp-EQe(BԅXlXUîaO08+ѧt:`2(" łuP$F9/é_ vfೄEST%=#n<:Hqһ`coӯQEc\AF'ܰ rYg T>LPikmؕIP[NV'+z,>ݼ`lW$#kL ^f`5Md*pEL%"zDͫz!jٗpg!g1Kϫ["]ZsS-m!V)ǩ޵A%ڄ>sS|-YW/dOzR濰dM`W.tc[26H, w=tY⸋ zså2 Ô[kmW<R<5%|R5h+SH]4mBCm akItn"%X[Y.簍P*:* r80!1KrѮJhl&caI- ^#s!<6RD8CMg-8IbUE} zr hȰT1J:ݮn[JvVBk\-]2>jd+AxRUrdO+yUHf( S)=`^oF[W˧\$Nֹ^&HbiM6be6&d%~s۩$\p' .*uMxeN {:U*huN[os{6t/_}49؝'86 \칅ELno/dۏ2_Qe~)Sߩ [XῩeIL!j˭V#u86^TJH]CŒ(mn-zf pQ3i]6~`8%E^@O rdE,<pt+P6TWεywTh%z5XpI8,º`SEisƓ GRL ! T'r *YrkŨ "R)R4QF~5:)5{Uisc(cc`FĮl,yf2uGvdPtE! ۘIwsNo[of޳y`MOC┊#3 \s|1>Qb~`IkN*q8 vpJ A4!MeVBY(yKٕF_D h)lz?>9OH@B`%XJE=јhlFzB5=1w+Q'Ed=~ ѤڍMuHtx`(²@FO7%pW+рnF.ᐟFN%-M:}&٤SS[RH(% N=CƯ)ϲx== wlg?r& k;moyV=^nm4ɥ.͌O륎sZDP%G¢S }+oz;V6ķ-o¨16BAz|hzwQʺXg&j*m'[Xt؎O[4n˃}1X+̧XE(7%}K"0Zg +"JQӎC])?8| f_LIjw`J$ RhdcQq.wP-0Xq f×*,']Q.&Qh[gD#g͞sl?iDsw,'^W.n&E ˵ z*&Q3{q1U t%:@+\Lu_}0+{n9 {ya7φy 7ʖ._ۓ\ƾ h+7u:hd9$5$  :sBy0fWxo=W"!"6B Ku jjFUBB(p$/h} bE[p(p, s]= [ъǞ^Cs36'^`"2Ba,xe3ìQ7|Dݱr%zWμVz<) !mh=]m&t^L۹rNqڲqs<.u y$ HrkJ%6bX2e<[=f \NzS*yU< HMwt6ҳ^܇P4j)>sT yc7{$ڨxzt8ʄ3RJ8?UH[.!*`ʣ۪H~2`C- 0 z,T2|Ar~O Mhni*wt npoZu!Dž?:n_F*G`\Y]$=%fyү6*+6S;>ӑ-܇ֹsZ0n +ϰ8Q+Ag焾F(Q]k#{ KɎbpe{XocsMJDO ;>,tCmM@[R͓cTTIH|ixQZV@RVNeOyس]zrtcH_{i~~|Ndv}|7o1Cva<^!ьZC6nB[TsC]i3 cԄ*if uYLc7f]6Ji9Nxi\G'f;)G{9;hҰyQ>/+@w>Vͪ"2evϱ'b7pj3'Hᯩru`OW [Nz+z ӳS-jtA;JZn.:Uvjc>nPZ2}%gtCf\ȹڬ5mr_2nu,{eo`74xfk&"VL%:g|D eA8M[ePbg /nEOù].. 򰥴秽uh>6pMvI#EcP;R@K!Mǘ[8j;3P(68z|M#Y8RO)\c| $G[K:vvfSe[pJ2 Ti>6}C $嘵%|DRo"ő/`xk{1PYHm+pzOY.@P؃PmrB{7AzR3#Έ_EcH`IҴ:03)&Y`qh˵yGS8|wa$gWT3}Ux/E~ՅIVщf?LO'FqXDKTIO.Fmô}$ZI 9/*EQ? --J&+l}Yn8^tz*h!9:o6eSY!)1F$S0.bJk02d`l 0괭} XOm;kyӧ(_|7Ϥ;uc^9v/n8iA ^c 5T~M/gP7S͡`(6MU=K?k6jUumSTaA^ ~Y Z cW.&[S_Qgrr(K?R>FO638GlH% 1hkw,4I8FhNjI9"۲lpq6.l ґf!y`/m N n =;,v@cpʮ$Nl!-79̈-uIdb_ۮBoGxώR#BSZV96;#Vs42y?^0W-@$4TQ]Lwb)RxSepMA&ߩoT}\SgiDQ0Ϭ2FV@]U4^tB|JHy|(%IJ$^XZwLW5)F},p} |'7e0V5< VSơx=$!.N\J^)!uXϹq:|pm'(y)>2SI׮.qF ] NSv@>;}qMcZ(.fk.EY۽qbhC:Ng1[j= ,y@QuF`qE` D| BvRq2x ೫c#a$ՔUIxӢ_i*(& 2|͊^IK*L]ރ93OljKڮ0Cq.Q]µw &()YӼs C !峗^;_H/o)BStÙbSQw\PS&zmkH5.WS5NR#3Ը@=uTQ,٨&KZmc0<p.9P:nxg!{,6FKrD 'U<@ `utQۺ[x^)[@E'eExRkq4,Tc0چ,̲gfBe\0p kL^~X' ]+˜;)*D%u(/DşmMW(N (vBH` kFRVß5xL1=˧+otA+l-UOAut}n?^~"8%$ϏBE"L] +/>.,Rt[=Nqh1L :]03wmZWJӄ"4}i4䩀oj;IGʿwJ2,38P2ˌ0軶a> owwF wDEE2=.xK+v%hq)0/X{7:= A2F<*x@XO:Rr2Tyy5CnzǑT^U`\^!sp 4$Xͼ>;! AZ1`Le/5YT>2L̾-wʺֶB, (4] ak0|\]tDEoc Y DP`>۠h~zV#'j rX\`%%Qar{>lU@jNN(v~,AW$Ph& 1ܿAC7myqQR%F|icBzTxs+x0ȿ_bLEsjC2#_XaqV@!|@VQVdX*:+dѷ2'GAσVQH8? 1 .pf9fMLkzqt5n,WML&Vre!壖w]  -j[gوr$]%q.X3UI\#J N0.vR4*3_ / (bqdՍ6CBgsNLJvvj%'U6'84< jj /D̨Lqf[c,Y1$_r7/pxul]ɘ^!Ln ;fU8QkCŰ\YТa[cLV\˪l F41G~C2xlQsy\GhS qYhVG`O ׈ФhGL6p_1[Pݾ yz%==226nb!MA֓[daxzS8ki3w'[5sßB)%w?g`]M@#Y+3AR-*>|!1q ŧO*inU gxI VI 6Ve]?9"6Bh+q%U'mfmr ZMZ*?TJ;m >Wp"*3/@'IBMbC9CY0wH8yu$aub&$էDZS+*矖PӸze?skB6gqc$eDF&&Pxը;2e&ZTud@]|-]|DE T#Evp~o8XzaGA/W{_ʇ:Nw,Ɓg!Q6!'?K:u5poy,›H &џ3!_f>*n-ˇ2G 2LN ] C*/?ݥZ2}J4w;bKF-Y =/.6J6Ս{q^X"z L\@[Xeq}7nj磨JFA!˷zkdk{eAS > pDL[dq+(u\V@%wa )8P,sU\)ɤYQnčhN2T&ġ)3vY-л/>o9GFqdz!G|sJod.-3x;!< :ɠ$? `[ Oi~K2W廑"sRR^X8c(#U ".Go.2Oc~ 'nfv{d,}p 2^*"! Rmwu_ YR3:_4&閡ϊ~c*?ӝ<>W}iYh1=2H&wM{N jM9;Q?Pƒ7lrF.77nlb 7WMTͶ(%/3Z- )BU]Zm K̛9&<Őzy^~fYfvc gD:Ι҇([\*: qv:濩1U) C&v pbE\y3E ($"r3ϜYW$H_U y5vAT DQ;2,ܩIs+Rs)֩_2v[OpS>U Fl~cc2CyYd6 lFlP)b4^ _"ET _҇v>3k0=,,0 A? p fGpo0-k sTY^T!*G~ 9WX?_˞0hVX'0߀]VN6bGFy\ɢM Sv*k2߷sYF2ʾ]մ5q>%&Wm[$/"p刋 ϹU~iܒS"׆b ;UDVVcpD/[>5/G{iGMT@ƵuBHj&í桝 aЂ:==VSshbcꩼzXP"X{*Pf}jGt0K3;{$ |Ҝ?0k R6N=N j\>y/dLq XGUA Ëx+.~hfnz- P/.(Vrʸؘ)bWd^' (9Lfh.ZTk|%x[ȓW\ eﴢŢJ &^%><zUaE|No}O8#hΕNTj"( L(Yp-U$MMj ʱ5ᥔ:-I#fz8BˈS^Hi/ԮX5[hݶ3:2P]b=юUti/5 p>ԜoUj5 l9ЅRHeLKف٤Ĺ܇\?:b諲/ҁDB&&Mu:X$+xFphb%]3PYp*"07TfUbTN9$+B>R~冈v̓TO}wrrgX=@w@jSTЅʴqL}5Oa>Y-E D@)e㷷gWm}PIhݼzb>^XyΧXþjE>w (u/ጳ }3A}p 0WM2\p]z^ _ijɭ\}, zڵCq[͈ /ڋ8Vk8oKcR AbDl|ަq ?=)뇐 e {?,>3AX )_ec4SLz (̤ wOܕN0Z5^-wFB Nqʻ\ S9]!]PY7z/a&w(A>aԝ/&$!y!@wwGCENJU8 G:&a|} WNĮy(KM`]tf3oZMƽ*(FVGLQɗV%j~M >GEJΆaQB=!jQ -BQyhXR%vIsz`8G\y.|5+p㋾ORsTPu燇IȕccR/o*ÝHz@gYƼ ~JWi)8exO@WH! TREٲQ<_):"@/XiU'.D pJ /8U8"|T̯< ҕyunUiΖOIo$ yawegwSxQ7oٻO qgL><ӧ\dBԮi#Ŵ닐Uod*U IY纭{?%/zz9:ϭA͒_&T>Z锸'Z]oA3-ЙEZ35.UT_^'.kIEc ,xͩBq)PM\ƃc@X:ynl5]|nhPM3|wbsDHv5uh(39bfA? 9p^.pm4lMJmqoɲ6tWd4~OVb )eF>q! uM%Ŭ&<1e 1@FW]M-=EA5 gN Jv^vTIJdɎh{53_ʆI/+| KSGN7 &wT6|+; ʼnP>P BG,pZDLI;*q܆/̷{sq'& q64fh5zƏnuO1Bf-n=] E/:R-B-&@SB%wMh_zƈ~[M&RҜV(i{TèEgD?w[}p)hمŪ!f71[T&]Xos!)bd" تHɺU oqmAQ/Ŷ4C8kB@'=#-g%H9hRz^n\SsLu0،P;Y&cœ##gw매}FN|=`X?Eܫ ԏ+w;`:&,߹qgNNJ'~-va=;{DfL 't^&=䚋I9 gH ӛ/ Fh@іvqsmg6Σ61 `KTBZv Q " 91z̀^It7Dk%gk]RdZ8f{"guslnl8T(6UgI'Fw4t`1Nfx=s>ֿWC8Σ7fi X\ c7ݡsw]C%<_հVDh8?_]nmv3 Eg`e m/3f4j. '3R {jCCݱa1tj׵uE7:;.kv-%J2Y.t/u]EٙC z@Vh l-iv1ݯmØ5DrK!+)ќSoɆe!zͻ<\ȼKA){06}N3J`_;~[` z, ~e{z1N9 ,]sꚼ#vl#,Up+x^|2)?3y"0mMV9?iBwdS%Ud:ZCwJkr#TX䜪ќ2YGG+Q#CJh҇më6Z""QՐCKzŸ[5M8V/&t]e;YW_^Ҥdtuk9wh~jZT7Ux/|]Obv>jR_ <_߽> cŝPɅwԦ99,hڇAB\AB3קF:f H=b֍-`jZG~U L3=NVTw _ FFRehJհ_Ϥ  ù)bo3&~(S8&'x~!˒X>mK/~FFK;Ҫ l<c-;4%|Ifɹ'wgurpYT'@ִx%c m.s9 梾O?N;0Er*s&óRPv!^3T1~О#L[GFK`FPd*Z+9Z'3B_Yеݲ*FkofUKý*ؠ49<լYd,(榖SD԰0IW]u n?:-VLm}Ur쯟Xky 0Oe7MJܣX!2oz]m KwA8V9L٧=P]v=OP"+iWCս̉0F% |#P9-<#'A56Yggh_~y,n(NޣE(T.I^QsC }w4dtzRA rR֝#?)v 9ȯƦ!ILjOl`J8VsCĔWky'"棌q97*ٕcg(DPgK1 PeVӷ'9?%<  s-1Zja,Xcmۨ4CÂU}iF`7C ^ԣ@{}q5fl- n9ܳOq3 nY :{NiS /@dOeOQphC֑>{|B|7jkG{РxB=&yfo~pwt-$h:;o tk|rqC(g-z6d)] ӏ_⊀9=~eʈ 1z|t$20#d LKGgS*E5 /oJqv$ q5ҮHfZEYq#!qYn޻ s3sN#TAƭY}s9G)x9$}?ܴ!Wžf7|{)St(+iﺈm&VC;v?1O> \:h\d,{x{"46˺lp="ި=y=ڲV0Q!J0Kڴ6Vy_\mpƩ mcsٻY-FtL0mG[s'̥atKwXc:cX~!m8foeّ]9å} kpy.sAq̱B(cI84SӶ dňϭ]o@ȝC4j0oLͩL:)\>7Oj