permissions-20181225-23.6.1 >  A `p9|{N;@x [raxqw Z'Z4ے*M@ ^3,\Q#@{uDwp:'Zl&JSR |16biweI>+oI?G]٧1Y4lg Snhj2´ncB{eH l m`oRQ "U*/Z7M%XptA4 Q'.rt8Gj?ԯ3ac玆~@&6\(ikH#tV'0`jY}0srW~L>p@<?<d  = )JS iL p           0 ]   $ h ( 8 49 4:4>7F7G7 H7 I8 X8Y8 \8T ]8x ^9b9_c:d:e:f:l:u: v:w; x< y<@zGPL-2.0+https://www.suse.com/Productivity/Securityhttp://github.com/openSUSE/permissionslinuxs390x PNAME=security SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi # apply all potentially changed permissions /usr/bin/chkstat --system.Tk1W6^P9;@큤`0`0`0`0`0`0`0`0`0cd73f4760679880a45dce3c9cb05db59590dd96a4598a64a8a09e1ac03effb0661c722ee39b8cbf07c24b99c9a866362671c5a984607616229b6fab62f7ec8be254ecad52808937c3153a81d50810ee7e689d78dfc2cf8aac67cf179a2fdbf3be186e053c2d66276c577c08ccdc467d5b4150a19c0bfeccd7eed528e80e61d42c0b8419b68f4b7b2ec821478798185bc1fca31a07a1a0d447ffc04046566659cca17bd8420c861963b5b65bf16f8a04d3c3b26b424a6779f12f27d091eb1d7cf35eca1eb5762d2b602f4b5114a54eb6e6815d26f10b5dab00cda67f2860ca4a32dcb772c1e9949198bc7695bd25c20cd21aea565905b0975de2edeafb31d8202acbebeb00ef9fccc619e66ad50b5c31ac346b2e06ec7d429ec8d2181bc5bd2f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpermissions-20181225-23.6.1.src.rpmaaa_base:/etc/permissionsconfig(permissions)permissionspermissions(s390-64)@@@@@@    /bin/shconfig(permissions)coreutilsdiffutilsfillupgrepgroup(trusted)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.2)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcap.so.2()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20181225-23.6.13.0.4-14.6.0-14.0-15.2-14.14.1`@` l^?@^ϧ^>@^^y@^\@^Y^;^:@^4]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@matthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commalte.kraus@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.comjsegitz@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- Update to version 20181225: * etc/permissions: remove unnecessary entries (bsc#1182899)- Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)- Update to version 20181224: * profiles: add entries for enlightenment (bsc#1171686)- whitelist texlive public binary (bsc#1171686)- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- run testsuite during package build - Update to version 20181224: * testsuite: adapt expected behavior to legacy branches * adjust testsuite to post CVE-2020-8013 link handling * testsuite: add option to not mount /proc * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922 * add a test for symlinked directories * fix relative symlink handling * regtest: fix the static PATH list which was missing /usr/bin * regtest: also unshare the PID namespace to support /proc mounting * Makefile: force remove upon clean target to prevent bogus errors * regtest: by default automatically (re)build chkstat before testing * regtest: add test for symlink targets * regtest: make capability setting tests optional * regtest: fix capability assertion helper logic * regtests: add another test case that catches set*id or caps in world-writable sub-trees * regtest: add another test that catches when privilege bits are set for special files * regtest: add test case for user owned symlinks * regtest: employ subuid and subgid feature in user namespace * regtest: add another test case that covers unknown user/group config * regtest: add another test that checks rejection of insecure mixed-owner paths * regtest: add test that checks for rejection of world-writable paths * regtest: add test for detection of unexpected parent directory ownership * regtest: add further helper functions, allow access to main instance * regtest: introduce some basic coloring support to improve readability * regtest: sort imports, another piece of rationale * regtest: add capability test case * regtest: improve error flagging of test cases and introduce warnings * regtest: support caps * regtest: add a couple of command line parameter test cases * regtest: add another test that checks whether the default profile works * regtests: add tests for correct application of local profiles * regtest: add further test cases that test correct profile application * regtest: simplify test implementation and readability * regtest: add helpers for permissions.d per package profiles * regtest: support read-only bind mounts, also bind-mount permissions repo * tests: introduce a regression test suite for chkstat- Update to version 20181224: * whitelist WMP (bsc#1161335) * Makefile: allow to build test version programmatically * chkstat: handle symlinks in final path elements correctly * add .gitignore for chkstat binary * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) * fix syntax of paranoid profile- Update to version 20181224: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: capability handling fixes (bsc#1161779) * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647/bin/shs390zp37 1619781937 20181225-23.6.120181225-23.6.120181225-23.6.1permissionspermissions.easypermissions.localpermissions.paranoidpermissions.securechkstatsysconfig.securitypermissions.5.gzchkstat.8.gz/etc//usr/bin//usr/share/fillup-templates//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:19442/SUSE_SLE-15-SP2_Update/2eed20ea58db96220f1f12b01d779edd-permissions.SUSE_SLE-15-SP2_Updatecpioxz5s390x-suse-linuxASCII textELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, BuildID[sha1]=725304b154327a1d820dde56ef0346973bf92f7e, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)R R RR R R *|}O;$9Rutf-8743e0144b028d44d41257a3b069b4e8d6d737b5d7ce3f08da56385d1fa7b085b?7zXZ !t/KUP] crv(vX0-ȸ=t?)pƈaC~KedkTU*G+b[Y'W]c)Z4$Uv'Э` )FZ f 'Cx )c #w7Ӏ@9O"7(jByqj7*SERsu W`6n5\V:ՄqYUS6gG} E sj$ /8w+}e{9v2ֶ7){ ߈*q[2dy,7| 1s2k#ۿ_bPx0O+l{8Xh_Ӷ``V!p2l=PQc:BVNg_Z JN7Yj==x?t{oU-,2MAiDO͘ d^uUaUPY~x#] mn҅P`edktjAQ :Q{<0 sgKFS0pu9`h;!22)FT2^ 8|Q)gP\$`3-ݳrT{4Aʻ?vNji 'ѱ,c=,A.M =&~+PшbTh}=sD 6䦮jkuĻyOj\qݶ@cGi&ƛ tu&k;'S-çA"\[73R;l̿E&? N*I*AHQj맂&eiÐ~ u 6 nnHHAeDzӀW4OɭR^C2ѧVN~J=6yEl?_.S=!-Hk@߳-Mu phP@'SPbF#axxJKO0c?\>V(5NeJ B)jghVaS YEEa*^N!QC.Xy? F4NJ@ÿ ˑt2\~N-ncR"bް]- FĎ/sԔ=+{>/Se67v0նy YDڥq՜̱ͱʂAY+M( @&G[F3cs@ƻ}ԛS[8zl+}ڸ𛫗;.P!wHUq)~r{9`gisԼGdL"c+KN|<崣 g}^Z+\c X.!&R< T䔮 @|Z@Jq ceыuPzzB.Dj#5v&ӎ@s;GƐbjI]keDw Bf3z`U y=fZ.hXy-Ta 6RGo%]xpbYpjZU79c QM:)9ڹ<ݮh,aV_o'ɔB#!iccoz{"Hčrf"s u~nW+>GP\u:\c_"Þ v9#@A^Kb z"i؈<}=/)2i/^$"iUG 0'/XFeQODp_īX+8/lw{֭ꡥ\τF@yUJ @K"pJf\ uJp?>O(/b]<<ߴ}V!6zPE(&$}FblȐVIcܺ~^_$BmbD.6 lJjM[ |ħWFɒh?*UD"Ug`[`dH~$ ӣB h,"1/$6Al{JJ7Feӊůe5vqNjEEx>QOb8>[݀3Ju=ڴrAlϡCRLWi}u˂U ubx)2eC_(𛃦O XԎ:Utj*sc&+o52 T?'(<˂@OcG f9A< 2:> 9[3sdcK-вK-G SBfĉ=.qͳ`f#ħUԨG.# l~},G\yfaU#1 ,iAf j'\&lYp6xX>1ŕ̈́ "kṀP+.OtV_o^QߗXM[A|GK93a/A˶מ(Vg%?;OB <4ɇ̴ipU{ketW%ܸòO_L$Z#;3=ZRUGIJtWpCIȴ{{y1 I.a] [Ua d+ f p[(c8w67 nmY_0oKc"i'W6GhK=ո+\3X|!kEu#ʙZ)B2\iUvQ@pCf.m =iit Z@Kw[Wxo A1e_tg+D~"+൬_Zܿ53CWa({O*cQG2Z:ǡ* 8݌ Ѐ-:; 8bo`2ma% 4#8KGoEi\,|6#|=R/z86v'R>JdGڸgd#80l="?iڦ`YTDwW'i_SZ a:]q؅O\M9BQ4|o\{|\z쯲OY|禕k5uf?j|.nHU ژD<ۀ]'CL'Z8;=qƦ~RޞJoǃ#0_WY4#"]7U}gL=d$3ҎH[s98S> H5 ?1EK&n _UK}]nhV>ݓr7TPJ (87HQ8N$q]fe]t?wv6PMWRs×w~)IXM lCG<4j?#1wbT,VٵdR ]r7>V#!S%iG\:`XEA.$$&„# Oo}QE3KP,x3ET7 Z-# '?X'rAy' `0e6a~&ZWXp-7wÄd^\3= \-1+lMH~A[~|5ȵlv?卪sU=!Qw@mº< -dx [8ptQ@Bh1XCE/I햟ⳣKN)9:</ NGFׯXQdjl*.T˜UoHDW P8xcᡖ'Zc ;Ҷn!99!nX")/ZwA$/ Y$ {5TV4/ՙß?QM\)p}n27")~'[ Y{az) +ހУу'>uk_NRZ*Zw_s{HcC/.2:h0`VD3Fuyp|Pt^.= L6 &b> ,!KZ24E|9 R$\?,D!Ju UB9s CvSS"+v['>7ýmgTSo !׬^Xɺ&ou?M* Io.1T+E()Z43:9ѥpR]eݗZ$='nrpߗ= @5JL"CX&Bg5fwqTI f̬Bp' ˵u6a2\T n/*6] õJ-J!C=ط@7.aRUkfp̣mWlJFxk#zJ^7S8cXϻ`DN­>IEbUFFߑt/O?BWA*)y>\MC"h8g&E|UBXb0-|I<]0dwKRϮQJeXm39IŲfEM9sDDZ]reHo~OX}\H%!mJ * iX,߿e kVq/Gj2ru=`kǶM޹colT8)+~KH`Zf?߭?Qũgv1#OؙB{+MLolYZCO,o/N VI_,n}!u\ZbHfo8. cVQA a 3@`%|R i]/Z4K0|7TEYOQQkh=٩o5f‡n,Eq3؅+c-93L2gN"~7eyv25, ژ,'iz{K6d B+D 7yYS@•ox9M4_I>6΃urRZV0نpա(3Gǟ֑xqEZ×f;u [F&->Eav7?V B{:&,CgZ]Db&Dd<72/[5Eؒl8Bk 57'ҭn2܏[qrb:F7MfH/[MYa`=F K5 w6*nA8|O1>422 ->n\z ̣*CFރJXc(W~.v]QRN4뇥~dV 1B"fӟ8^:9 oSԈ 6JjW|~ն:_t@aw"16-K$<*@#̌}@Q3PqMFuluM^*xʑ<;a]{^4 K/K|A g21\qdKR4* 750Ė%}a ͍w_xerU+ %mk5WYRݷ_]6W 2}<ɢ^ T[ =skokQJ<ZFt6< s!%g1Lf'9O;)0 Lhٲ?@I' : @E1ʔ qc/Z4ue㉘y0o*sνc+ּ.(>U®N\U<{0]-uSbC3uhoOP$!BIcx.بWo(*0Oj`<>X<+mW+?#CHEc ww|Kܺe"x0]-|بcf84k +n;_/=whɬ_dQKT(=?vFŠ6W|lDKrSѫg  =pDZ(џ2 XHNZ[~~N-;/|$GS%t';;]5z~7d6_Ci-}ZOhYNh| /0FtLfGV+u'qgDE*H[B\/e=K62 &s,W('C(%4ϝUKS;tdQcλBK(OlMSz o_}}rY 3\ngC)r&cFiC~!&6:%v]H3}$x/0ՌYŋ0;Vo!ScZGWs &tA2pT0:ל `2C/umQn}Ng@P7fAԪ/PQ 'p$'RC7@ y"QB`RfQt5t%?55 6ٰ-T}4eA hkz\v8ŢP'Q|y gou*3uuZ+i )ZU4t|Bu_.{šh"5BoL抁]9[ܝsWRtr݃2gwՔ(Cq\.=*U4ܢ#)"UvjxI<:?e; lg ![F8zE8ͤZng0dM1k(Pl1llсaeN;WL9>a޵+H!{i ބdMbqË{`U K~٭6lU>ZAҪ[ڡaV;Vf+:r繀e.Tj'r4K?)%HPw:]Էoɿ݃Hn` /x#z5,! CH0E/V< 0W5':m(":wy;/.Zśj'&ѯ\=w~h&n$rMfRw{"nX]+f0}Yy"F>|8Ʒ=ʧN~s٣*#ף3 ?ͬAa6H헾iʹUTuhQ]<,ѕbPoa!HsBR1QN(z5߲˅wNlqK{D.s VƎk t" 꿉c=ܰ} r?|,]k}8 o`"ܞ|Hؙq1!Zy>v}Q;E@_cD􋙆lcLېNw`ItckfaDhw̟ZS2"t}.K?n8u)?Ԛdui; R$M>}Omp2< [S 3*C8l) )!!:gL+̇`/I៊a+H00>1[E̘}RR%V PF鏢0oڪ2SZîbA{de@)3'6TrL@7=qGYZym[ZR$o .!ef}>U;YKgAci`mH5h 'ьp4}}i,Sh'llkטKia5+ ๊#V9MG|G6޷J5޵VB!g,1yGjľm#g'R$Z$$ߺN׹U`8O L>WpvwvAn*' X#q mp)[!\jjX{Ov^`$!.tqUMx8g7-#&`ePS:f%O|WW^s{g˿m6["h'_[?5 gdtOKr ]IEA!Y8E81 gh7`U[Jy.ǘ).뵠ω =VbŲٻ͛2$h+Ҏ)z TeڀXpY5v{ż *[5nY_@47jMM Q$v_މKN^5t=ی{R{s hO-pb4&%kS@z,ؖM1ު6K.PE@-y$x?X7(+fk_d7Y֮ՙ1@h_{E*~!}ʍ &"'Ɉ㵿9,$@d\iZHʂ7lNv {# `/ˊX=~4mu7IS #?Qb 'eEL3Yæ >X%|緁`Ga=Jk ƒH_ԩ S9h\P%YU|k[hJy;OmCLuh+ti7i U)jŐVMބMY\ɤsIHdqf v[-d9W藥Z2+Č97mj}q1r} wt[$1!Op˹Өj_JLhpgPg.#hʘ#|N:7(ei2)/b'ck#x;yGqV,Y!!IDŽtV7 -v6#R쬳ŢL!x:̶Ӳ5r"BҮ݀W%M^(rf7U#B FӮ )bV6\0FXA-FpkA`#dZr<-Rv.KN9՟ǙΡEm M L)/K՟ҢpӋ^D"ͮ6ܞ `$="ǪF2v=C#}jPSTFdw.rF z@!# cR4/ȴ*.8'%.L]J.yKO_-Qc(b5g[,L2keA`cp8Ԁ5q?m!$J=E[854vQ`4x{ݗo^: FJo2]8,H&t*8[?? 4an7ZK+\TMF8x(7qzlϥ{DxKs6egau1BYЧ.Lt02vҚ"nGm4`BHMm6c_֫f&;_hq%7;d›*ȘRi_gGoO2Ξ-rźʀ| ,LtT Vycw~; 0A=#}#K,q kOu-@aʸV T8r\4@ tʧʤYHNýdN>Vf L`ѓ6mZ@N(\S.)-mm0W-Po&U,pm/Լm:ۢ=E_J7)_i_$ݪpkQ~2?̩AhF#)O]Ĉ50ֺߖuY<^COGn(Y7L0~|Ō?ÔiV)C Lac5K|kWS'.g`ES7n{'/x:ٓ>Ic ꌈwq5y zKݍ7wo_-|8ٱ\Eʵ $8Pt:KZS@Z%/H$`ai3RW ;1,+OL)ӌүRHUx)Mz8ÐCXQn1+/a7r۵t&3K{PV3j&Xp8(41:PрF׹atR?pbtmU$647誩g:OWMvso?b?_Sa+M.tnb?;<1<aZ="uI˂K5AVHWJCWY?}60/T1FҪߗ-A $Gm =5FKڹ γIg,eR9@Mqs vJ$^VdGS݌#m=!J&8pt,=.$d`wd^'Lw:/6,~ҴOrH~8^x­ ˅>`({?!GXqY%$Wn[`JfNSf|i1lImΨQ,19=_֑(+qu?@|rL)S$ :vd S3i'r,.a_y&7v2]k l"6lMAQ7D*<"x.~ґ?DRzPÝ ʇrTd`[4Rʶ/GhQorCuo3&Ti ƸW-+QYKOF1̗? (Cf΁kx"ƫTٚyC GA4XBzoݿ<-KM".[6;§AGU*;GlZ:Za" @QBuW 80$u62XTV2CښąZ8T{kQx4}tbV%R.L<7ADL) w -O!d9f٭2 ۮ $PIPf&ӱlp6n+([xO8L8_ogKq?I-YCƎLe6im^`oaKMEρ]&L E3!>$M9 7Q|~ ?B^ڒ h/Ks'@֢aYݘa!@MISh_AXlhlRy/9jY̑Dl)EX-Y)t JU;G'V\qkX}0υ$.[<^h|;ϩ݈MD@N>+jr"Z:PZDN|JS¨Y?H6O&CpvwfذCevP}s'fB$~ྙ1Kbp*T/궍@u덼/qtdz^isGSnvWs8NWiϳ9Wqu\ptfw^e*XÁtJx\TARc +ԺjomM Y;KeBy my%bEWn …#  L5iZKQ-|nMG'o_铿z`ȴ-ZD/9cu^ª8c&N2nt|`@H[DE c{Y_X|I bLQCspbF"+ZIdqry[p˅;[šnmdM^;`8ɇʐEщ/Zh!2 y"@M.xzC Nx=ši1@~rton l + cc27A|6X\X&4gʾv?Cak #8i _K ,_mg( 2@ O8 s`u%﬎2@RTsqQЧVů_(=c"щM\FAVV%0貭3/ˤ0['Ҙcwˬ$/ m)~r9&; F^9@ʉN9]) \+P&m&jŲ˸D՛{aӓ4h)ƹQ-W% iU_$N?qf#)|7::CrNFk)o)U#?ObSl:eGYkiј_Wof$ʔ0~A\s%$%3^SOCK}@礷췱e(E$<7U{atʮ{P!MVقF +0R'OE #pHE.{@ H@y퓖C7)߄U Ůϱ}~yCe$pM4;Y~< T$g=!V:$V9Zԧٸ%6o?Lf.T(X7lv f1397V88`ݱ1(rX)ܪ,5HZidl,_4쁴 *QG#53pܯ;IV-Q7KkH^/&x ̣\eR5kR Vbrq%e $BiL{5-1"JGOs!kQ2݁Cy&+:ƊG1j2+} , n?wl@wv"ۢw I Χ(%zҎ-VۣȅtTk94SǢY-/h(^ 8^h bLߧk%(]_'G2D7"P5#&m=OyوۊIoʔiX t'1ˊZ 3nFwsf\/:8TG5wztEbW߲Ij+[ i[{$1ٝiށ$l˾ /#۷>+}x7VxNz?=aI+ޗEbz\})GnsU~a 7*Q)$z^N# *.ogJ/;-T,(Y+`%Jf=>Idzf>Fk:+y:UlőCE4Z XXT1Y-*?(c0Rkg, K+,Rӆ [)S W=ILwU9v}khe)@f@ᾯk'7!ņ#&d vgګ𽼦_Ϡ䁎~^[Ӡx=:";v b-@Jg>,e|_04NZV.nThDxgzkw)T6k_Ҙqо)?vG5{&Z,@(uܰh nz<)j\ij1|k_F59iK kh3Zn)B߫m3Q_)zN9va6A>?%C^X0dKQg㑏HT/#D5i"dYFsndJRT&5p5#^FcԞ}iht'jX Mf3DE.et\Q n*km9xVFBbxƬENCI*p䕽h]s s S+is*˜bi>̳\&,äzrH>nO0s>s^; FS8M˾nEgv8_kVhS`]5JhUAEߪ3q<)yz3V_ W5&dbؒNGC꣜dW Y9{e0g0i$]üҽ)ЯZY3On?pLpiu-U61W?9qY-%igAVaRe×wK7˅"ͥN|bfAˁm) ^WfB^犯KuzspN{ AP\EV |H#/롴~u93.%< 8Mic:yd~V-$B?m̕oND$Q,Q7@Uఌ_*d7êt*>O]1-`'В8IK0/Ё;K-֍ׯܮ&hh$ RfqjO0zsx,P6sְZDIK Oح2K]aY(@٣ˏ:2Z.3Br}^2!yEy+>͟eɝ')' k/bj+`fJbOf)ĎN|}kvmUni߲ud!A?TD 붪be4x07@8 ЩQq>!puc㒛`)FJb9쁒c,<"5kh 0V!CU_;,?ZKt: U2xT9QHߛKkDL 1쎸I~ rSGݜ$.Ñ: Ck5&4iGy~MenOeT(` $=6sM-~RmTP>ƆT,fER%GyLXe+JO; K:ɂ+aaະ v5_ƆBg .TqkOyǯ`M}+b^7Ona Uσú︶jr̵ ˮP0Aۅ.OK#L8f ;ld&Yn'ߣzHr La.]NDVFy=Zj)ZsU)8YR`l?(VP%|mQSJ*{u5{5$6^sU$i?h;!90\Vup:gs"iH(l8 )j)JEq٥x㷝8^w=QA%x1,сj=SĢ9 2kUa>rZޡ~e2+{I^ѷox$8F"^ݨfgQV$f-oN?e:GF:MGK,g_yRp>h0!-oEk|3Ek<r±-[>b7ߜk"4:vmu)Ac 8&N|̾^YO f b*03I;|o Z:LRcj\Ƕi krL"AY<YAwSy[1r8Px{rle*,u|]Ѵ|7Q)B {5ژhfI%:ڲ;q`o#P9gHpCv,V_gxQPW,o9* &\P@V%1>,rvpA%|2ljgw|,2/R'9$2Ӿi> E~)/jD=DӮj$ue! 5H'6J:]1%hyI >XZ@pBL vZ9pEE6m܌ի)|!\ g/Ak{- '(HNR?eSFcqR0R~26R'}F70*8Z80O\ߑ}J~ՊUNdS`Ij!?\<= Գ* jyM^U*6%rXF.cˁ5i`9M2