libsmbconf0-4.13.4+git.187.5ad4708741a-1.34 >  A `.p9|F= G4~.q>]գ$S@蕾 neo2lQNsL%I݀VƱ$f"jB>M\kRٓ\9I hYI7T6`"{$|K96{͋{_]bK7uI1ՑdYa#f M*YG7T[4!&`"xO(=նg`fr:362a0f9e88ffe755c1088686e17a262afaa90765dccb1b0f735dd154a3188d59b341eeade73caa8208b40c1869b67a98ffd104baЉ`.p9|P?48RֶYS+ *&3C'V 6q s~.A\Aq+KHYV 54^}x,zL 30qGCc{=GoR:+Cl36kk;vco|㑆9BɔYʛ[L6#X&$2Xl!>_ 2_~k,CP'瀟RJ;tTܝOlPEBf+ !B@;\L' >8>p@?d) . K *AGPT V X \  <ccc(~89:'>b@qFGHIXY\]^bcdeflu0v4wxy_zHX\bClibsmbconf04.13.4+git.187.5ad4708741a1.34Samba3 configuration librarylibsmbconf is a library to read or, based on the backend, modify the Samba configuration.`(sheep69 =0SUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/System/Librarieshttps://www.samba.org/linuxx86_64 =0`71926cc6b77c379095a18eb82bcf12faa8c1e68714f26beb13ddcba0a734e60crootrootsamba-4.13.4+git.187.5ad4708741a-1.34.src.rpmlibsmbconf.so.0()(64bit)libsmbconf.so.0(SMBCONF_0)(64bit)libsmbconf0libsmbconf0(x86-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    /sbin/ldconfig/sbin/ldconfiglibCHARSET3-samba4.so()(64bit)libCHARSET3-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_X86_64)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.10)(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.5)(64bit)libc.so.6(GLIBC_2.7)(64bit)libc.so.6(GLIBC_2.8)(64bit)libdbwrap-samba4.so()(64bit)libdbwrap-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_X86_64)(64bit)libinterfaces-samba4.so()(64bit)libinterfaces-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_X86_64)(64bit)libiov-buf-samba4.so()(64bit)libiov-buf-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_X86_64)(64bit)liblber-2.4.so.2()(64bit)libldap_r-2.4.so.2()(64bit)libmessages-dgm-samba4.so()(64bit)libmessages-dgm-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_X86_64)(64bit)libmessages-util-samba4.so()(64bit)libmessages-util-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_X86_64)(64bit)libndr.so.1()(64bit)libndr.so.1(NDR_0.0.1)(64bit)libndr.so.1(NDR_0.0.4)(64bit)libndr.so.1(NDR_0.2.0)(64bit)libndr.so.1(NDR_1.0.0)(64bit)libnsl.so.2()(64bit)libnsl.so.2(LIBNSL_1.0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libreplace-samba4.so()(64bit)libreplace-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_X86_64)(64bit)libsamba-cluster-support-samba4.so()(64bit)libsamba-cluster-support-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_X86_64)(64bit)libsamba-debug-samba4.so()(64bit)libsamba-debug-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_X86_64)(64bit)libsamba-errors.so.1()(64bit)libsamba-errors.so.1(SAMBA_ERRORS_1)(64bit)libsamba-hostconfig.so.0()(64bit)libsamba-hostconfig.so.0(SAMBA_HOSTCONFIG_0.0.1)(64bit)libsamba-security-samba4.so()(64bit)libsamba-security-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_X86_64)(64bit)libsamba-sockets-samba4.so()(64bit)libsamba-sockets-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_X86_64)(64bit)libsamba-util.so.0()(64bit)libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit)libsamba3-util-samba4.so()(64bit)libsamba3-util-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_X86_64)(64bit)libserver-id-db-samba4.so()(64bit)libserver-id-db-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_X86_64)(64bit)libserver-role-samba4.so()(64bit)libserver-role-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_X86_64)(64bit)libsmbd-shim-samba4.so()(64bit)libsmbd-shim-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_X86_64)(64bit)libsocket-blocking-samba4.so()(64bit)libsocket-blocking-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_X86_64)(64bit)libsys-rw-samba4.so()(64bit)libsys-rw-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_X86_64)(64bit)libtalloc-report-printf-samba4.so()(64bit)libtalloc-report-printf-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_X86_64)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtalloc.so.2(TALLOC_2.1.0)(64bit)libtdb-wrap-samba4.so()(64bit)libtdb-wrap-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_X86_64)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtdb.so.1(TDB_1.2.2)(64bit)libtdb.so.1(TDB_1.2.5)(64bit)libtdb.so.1(TDB_1.3.0)(64bit)libtdb.so.1(TDB_1.3.11)(64bit)libtdb.so.1(TDB_1.3.17)(64bit)libtevent-util.so.0()(64bit)libtevent-util.so.0(TEVENT_UTIL_0.0.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.12)(64bit)libtevent.so.0(TEVENT_0.9.13)(64bit)libtevent.so.0(TEVENT_0.9.14)(64bit)libtevent.so.0(TEVENT_0.9.16)(64bit)libtevent.so.0(TEVENT_0.9.21)(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libtime-basic-samba4.so()(64bit)libtime-basic-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_X86_64)(64bit)libutil-reg-samba4.so()(64bit)libutil-reg-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_X86_64)(64bit)libutil-setid-samba4.so()(64bit)libutil-setid-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_X86_64)(64bit)libutil-tdb-samba4.so()(64bit)libutil-tdb-samba4.so(SAMBA_4.13.4_GIT.187.5AD4708741A1.34_SUSE_OS15.0_X86_64)(64bit)libz.so.1()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.1`@___i_@_|\@_{ _l@_i@_d@__ @^@^^2^2^^1^^Y^J@^2@^&^&]]]])]@]@]]@]nU]nU]i]e@]_@]J@]B@] #]:\ڭ\\@\@\ \N\e\e\}@\o@\\\\\4\ @[[@[[%@[@[ @[[t[#@[[Q@[Q@[\[[[{[z@[r@[ @[WZZZZZZ`@Z@Z@ZZ@ZZ}@Z'Z@ZOZ@Z ,@Z@YY@Yo@Yo@Yo@Y@Y3YYu@Yg`Yf@Y7Y7Y, @Y"X:@X:@XXsX@X9@X@X@Xg@X,XƉX@XYXe@XX@X@X@XWXAb@X-W Wv@W$W;Wu@W#WW W@W~D@Wj}W_WYZ@WYZ@W=W(W!@WW@V3V3VV'@VՄ@VՄ@VVIV@V`Vl@V@V@V<@V<@V@VjV]VI@VG"@VG"@VG"@VG"@V(V'~@V V7@VBUYU@U@UUAUĝU@UU@Uy@UUrUq@UhTU_@USascabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./sbin/ldconfig/sbin/ldconfigsheep69 16203103124.13.4+git.187.5ad4708741a-1.344.13.4+git.187.5ad4708741a-1.34libsmbconf.so.0/usr/lib64/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:SLE-15-SP3:GA/standard/b5c3032238a4e7a6b51699004483c0c4-sambacpioxz5x86_64-suse-linuxELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=79725a665733c67bcf8be356a359c30274a4530a, stripped_PPRER>R:RRR[R R$R*RYRRNR(R0RR@R]RLRJRKRIRHRGR"R&RWRCRBRRTRQRSRPRRRUR8RR[eմƦR\}C@x,FfנSWki]a(e)^ݴJcU? Vy#,r$T/$I9"X$@GBb5zѽ|}:lkB.sqy\ 1=`[;c%μ}6gqF$ɠ)}r4)nG f "V*=vMgQ8 .k OCއd_@T1;k99AGI&K~Ԛ\v N=eKȊvy(BowG42_) sҧ貵*Gcɖh5]>kQQRP(e %۳H]D䈢+ ԔQr؊o;tMbD&A({oq1%+G"~ H)~]ԥrÆ!< oqɡN=|X$c aԓZy;?!@E[\ š(*'p77}_9@\c JPJA8_ڇ>-tAfpc0ː $iXryQ,yoUu8΂(^2qjz~X aBw\P\PHkݢA걳GHZUi6~i5/{Z%+>PTX[t8@*Y7 UNN.{ y(/cpE+(D:d!Oǿa߇ )k`8=it{0[_4rA6W a'0.ͯ 4I,֦܄D 3\  pGp{AVyo'qPBH{6ҹvix.fop)C(8+[7oK7^_S~/]>Xlގ7ׇ0fEն:832POEKA9r CD|?˼P,E! *nM4YP+9{&;+S x:*KHUʹ[&g xZ͏kfNN$8W9wZMn y$B#mP5\)l؏\~bοEz8NM m"`-4B0^rI/W>CIS .'<62oc_]HɝY9.1%sDx&/B+Bk'95j [ H5aCiR) >18E4)[ie Ts0C4/7_N],Ϊ0`*QMBXLU+ 3=rR^ lD/Pz{񏅃Ej W{o$KjP$E-#/m#O+Bo1Q!.t5Y ]o Qܥ488zGXī7oL΅F4co'W*\Z5.z@"/9s7 At~^d t=9vKv;11΋ jUX:?h|RQ{SuQ?9L( 㠜*y }s P=˗u\3KmWR%"L=n6rMj݇4m.b0Z;Zٟ^B Q!/ӫ6n(9#E[1R1D XױP>`ERؗCQh|8!_V 9zh1r+CtU+ D PgΏW\>3q\a2X@/.τjy:1TNXk>,]XH(E&-};׻ ~'2g%[^vK~&iHa'Kd1:w\ >KcuM̀-{xs=@DzuLMhG]+`KIFa>bH_6'W`ZhT#̪Wz_8`kz )5FS{#T,pV?|E$Jmoϼ,+`cg#AL$l e/!\rτʈ-$ -WzYX}=Hc%zEX;zM@>0c*iCDha\ C)y_}0)DD3Դ1L$=^RUDmN0oSt%Z /єͪwԆ{e;*R˙ $?vv\gV o~fk;Z#[U<.R'z(y+-F% gpҶ,Z E #Q-}۟*/бnf,TMm[!K3jneѩ6\pD{+'As &ǵ C8;l)"N"a m A4Iqaկ3j"fW*jfǨ3KsѺDGh LOEOBqV_m`\᭚&ߝD`2:txsRw/N)\H_9Ii{.v%ٛZW%d@qo {8$F% H5h[;VA-,ZiA.pO>ࢗmsv+EK am'&#cݍ&SS쀲FuIr3|4:!;](7٩Nbz 5'v4 I0ncG;pP~V%ujM",U<AůP ) Mvh[ru#(8gr[&N (c)!WQEuO!<&5 U(dv>`3;SGn1Df="׽i4Hvܞz\LT #"kL :ߐXכmE`cl!KxpqdH?^R" .$ fiEOO ~=RWWF& Mf]H8f5(Evg%wld&Jz`cH:.x ɫQid1_[TEY]1*Z9ҰbCiw>:IHJ8Z'TNjJ2:?t'wb6$ hLݎBD6{qqp;㿥7."P`aќ(T"8dE$3V//Rp0/m jد9=T6|]1߿3xA%fyQ.z {(z4^*μ2{S$gcqX: S&[ݑ%3D)l%2L(o^ǟqyfI: EHҥAHH$xZb5-?uU*crR:d}#ok^zx>ARsM',.,*m˛|jU0(/dH}hGzPn% p̤zR%|zCL[%zJ7O_=7Z+HI~2[iLyig h=fbH;& vވ]l}cIw͚ .U}g3s> X|([EBKz6epY;d `݃.? !aD Q* G~rHҩXE%8E.=dBJbӴ[M:_<6#'ZDUU*ȤĎ04R0:hI;60>I) V@x`|دM(lS1pD/hQމ_^6;u}g`԰QYuTpKi|pU-þiw}D@eM= G$^&tq frMBS]r!o6?'x}=2چ)֦ 2>4ლ ^ޟ&A4SOʛ|kxIrpЄ< b@P, ^OG'bD)7C.@Bl[ke~L4 Rà1`%C'vg,X:c6UM<ΌT@[56+Ţ\(ps4`MPSŹYJgihaHasMܠHG,S0EI2q8&7J?ȳdؿ#bc캬V!cyŻOB(a֮~9"wrÆ_88 j5c %?O1 *?eX6Ǔ޾)/ PlnJsݶ2me;(y/yn)Rj 1wR5WzDIRjsd)<|pS'LXit_MH).|ޞ$9K(j sT>#2Hhl߇ > v"%:0]Yf8}d59& :v=b*sCy KvdImOx1> pooLAnJokW-M۹AfprL\L^eO|[Ha6+,ﶕp~|)Bq8 R| 43`+4@gvŒ6%@/rIPP쩏!WaQEd~x1awS« JKM$I!yd9+06REX2V۩H ikWOW:}vkC!}md*'B{`jwG ?3(P#׵./y91YS S8gjyu;a%b3} &bZ4[GKTuR/Mf=difd~D;h &N j]M^Z-bllɐ'u9nhر̟zDGiY&)tDĻ[,g Y6>ği;$pضB;yj$Y4 d r:+_Ԧ0tAݿ! ~%ڇL[:9oH\ :OF`/e K.;\ΝG!)[[g:P/eKh-[D H|mݰ?<$vPJ_Ӷ6J D7i{bxu2E9q9AH%nY#W:$Ɏ8Ҕթq|D~V:I5:?7υbUc11w-롩\jr[y:db81' _upY 'fua"s-@ÕMrcN}=6^#ŢhCW.6{=ikb{=/ %@W:-+)[Hz?^AG 'Agrw܄_3) Ul=ǍׅXQ(^8 0EYLo^3Σ/ }BE%u8tTWY1{{j9"+ lDG kYK5fBxPVZت|<оqVW|_RKuzO:R:)]H{ Q,:,LYSV9&bg/8j݃r\-$|^;IFw>8#9Yo_TI~Dop]2e3)vLPSzMRϟQE+^9TEj\|2a_RבJԺ3˧=\͒͞:=+$K'?4fa3Dd&s [~Sb85Q\<гl*φk`+['EWd"CC+!1(gĀL/G^KJu|Tk"zHb; yRmsEaudU!練SOmETdrfNBfpH`(Z`? "5Y R1ļ^tMSe\ì.}q9`Nkcf5ڄ,,SxQDk?s_"y">T/`Ų6:[inYa /ɦvl㤠 9ܡDӁ{iWNZ Lp]-@*qgcS3?2cyO|%)7,hLCxb4W#'(4q̍raʷJDaL Ўݞ!إDp M>XRϔIxНcA Ѹ-6w~8HܸPZ#π` Qz Ǽ$ڽ {5ҷΞA/wm0Ϥ? ;,)Hd&-MwA$\McKE&ly~c&H|Yvqo6x]?Á rqr3|BJ 8}~ jUB<7ۅX|0%`I].E #5=S4(7rHp\TySɖYSP{|w~mM1 h6B zOAJ؍|S2f6-u8#l-3fΠ|餓3Ѹ;q2$/(XtB0uc #\.{7dt=Vڠ&m` ep4h{gee==H6~@AFkYίTJG#WbE#@caVT{g49,@ (#TMS sdg:k#F_zcnt^F*} BtZsðNf8 1n5E& vwD6t!;d+BixHfhx[&/^h,hؤ ߙ uF& AX8 R$(<&tcRw@<e)+oE= 3ZƗ1`NWz (NS6^tZ4뭨fgSVIœ7p0zȄfh̅9qR dB09}Z`vAkV]]#qE2e*xk_^~T膓\VH׮,gņ=2+ۆtt)SEa%Sr*3UY:_(Se$a,bק#%t/ cu|]UV/pX9 qb'aN`1? +nDju]aI#gj~2h3qj{'D0yMr7bm?axvJRG4D>C#m|>d▙>]s,QK_%w(8e1*(->H;HHICna A:O$ArJS>dOXDڷvГ|:09k\)ucpkai/7RnJ_ VҴhvW^oջcj6PƯ<@IWI9k97:C[%]:g0iL!FD!hCLo&M dzOݢ](6Sj%᭾=+|7s 5%YTO&rmo+LU"5{96B( ËB8шb̽ZY~qoK>vh eL8HBD9aM l2XGZk *ߝ`c赀d7@a\a7=+qZ*pˈx'Ӣm ̛}gu{֝a.y&Fi-9`KuM!/*#|4hXŴ`9YV 77&(6oGAAs8#wPa8ѿ(RPxc~դSh)X"1ǁC9]n}JEu)m[Bl⩰ p pi t,:5~N@k!-@<)$3+1^ Z๧E7P0^ô9JrZ0kP4k{kTG۷ic,bXDX=G(ScxvYAށʘm1^U\5=9u ")ݵȢ"C ,„ m5\y:;UMfR%}wQ@[Ł_W'ca'P맪zsodbU颹 0w-/dNaQaI25QG֦g9LZX[0$+5ʃ ¬uo es&UjŠ_#\a,Q:q|AO#or?U> ',l!ÐI=x4. )+>-gKn<ÖFEҕmP]l@>*skDD.9C@^V:@A` UV@[ JQqO[Z(wN}&աFGb"@`:r$s7lC`DA)!iaBjX;AAì*OAx)?~7{{L n. MH6!%w[ݡ{ПȢ8Бy$8z 1a'Wϲ8x$_€ ݧI9:Xsښ#< @àVztm驍oǧkT]:]Wh |B2%i9>bX!"MNr H| ZTmBy?~z6}OCض>@U\sHv 1}\R@axbҔ%; E|<Ϳ}@pqae76ͰYX2 gujN9K1.VyO]'@fqTd. x45̾kcjoJ:LuOAd bmȡ0 dO\2PKT,auQy8z6B3ݺm9Ҋ hJOKz1ԩ C/Tܛ._c2yarIUdPcט`o9ʗ1ZOY =@qޖW|+yϭnj'vA~r:A3c|d4NkRhXj8ɵԃ9ͣ!hB ٟةvؼ]jnC2"Hn[װ2x> 6*ԟK #GC/mE23I<( W,$Q}n'lKtT7xIr'PHtBeir2GW#$pw6 Y}D/N x3ognBaA~K:l'i`;$=s'Bq gI0Gݹd|N9|d՗V2пɢm(v{ m\1`KIcZwQwBS$*$?o1|&p_jm^Grq9I 7tc ik٨__\:,䒟딷ݙHZnVV:aB!sfB= qQjlp[ ,2gI $|oG @37'rkׂY!+DpY-WwYq=3 וUyL OfȲu*äwS7eIHtpSaٽJ.ֿ}CD5/t9hcb7iR =yS%NߎDw 1]!:nj0ԓ+ݰh(%OЌ "LYMGPg4Q,;P% DN+(w}â|Jc[t`,(o|vE.^YLv;P|s}Iێ%i')*0u6aֳnis)gGpIFǧ +3mdx%9% BJbC0JҍZmj9԰ ">5vZ9I#:~]"e7qsyKvbhG<#4onWe4 M=0m@ո۩Ɉ$A8JwC #M3$']Bq6te}rDP~ةDrVyG|1#p̷m\&z>Ɉ/ n'g)kGVӟ=mj0gт^_PCߞ'@7,t"6b/,DW\Ne~1ੈx]`^uۚױ:MM8tII-f%a}UTӊWf%9xu o;*ɬ`w9͵f*=T?߱MI-̠Sۚhy.#-@/U`Oquy{[ha]aYP[$/!,|LBrduyBZʐf5wHDm" ؈^lU|:Vsƾ@V8]{s@ ~%-=/(D@|)F[υ 9eP7TH|@<3$);Bgp0G[>BGc>t< eV,ENZ/! /˚t_:>u 6D|Fv\zɊya!EP .@]yaA/=lYmBc$f6u4owC|5ӒaV6 k]Ӵm1*ϙs[yk=_C+8W6>m:븚\P{ SXYSH#5 TErte(W*,z-/XpHTT"b)3 ?Ӌ3ܳX0:+]&JrC&(KRv%SN6`c,w(Vz Dc*ԛeN x}2->9o,򈎽CyhB(X=. 0s`.Bа5T[t7Vhn f iPO1?͛%^5Da:);D^KA[Q'2MUnݱYG.fzC~uݛ d~~}KG_4[ eGy0Ve]=5z3sѯx_Ctc΢j8U~d'`C`T- M0Xz&ƿrAU miҋXɞICcjz AV&(MnɿϦR,2ӭ輝qBgG83Ni%X;`B$"%vi% `Ģj^X>|M!بQ,He: oU~@3 nm*0Q@g/ߗiRec󜔄{paVU<^*^.Nefy7uNu,DB#BB9PZ\#!;χ|($-Tu}s,,a If&QJLy[UT6c_IV@?|,UY^9H\`/ u>e.WW~ķ6oo_&bW/&4D~4 @r5+9ODVDƛp&QXܽ@/л_Q0~jm+40ShAx0``N(o@W J1.@*ᗇDŽ[7n=˭f9[||;8*-=: i9Ƙ*^iv"B6$Ru.[xG p<L9M&gLX:qdZWDnD8}D~}# Qn4uIP}aY`sIp5-8ُwOz:s/f{ŝ~Tu㠆d TD`5}~"zg71vVR}e*` In4_ϿaovR8& a"K]8M ){j.^a~b_4~F]B߅j D ouV 7Ay/p]\,d1,K*$boM( Qۢʍ2t-$Q1UFU<Ķ *Ni_^1epʾ~--L1{~"d}_zl%=u9] Ж&%`&}?Ķ(1emy`Y}su.]W%^7{Ab3MAN_@TFià`}q[RgI  Vƙ&?_AQ8@my[5eC`Y` p a.9,l}T`FVWN}VgMѣ![Ɔ-aF4Tois8ob> 0/RDpe|kK<.ܿUR_W## J ,77Ҹ̵v3-b`i^g$%*.հwSEPachWЇvb7=<(1yaɴGЬv= )ä%kNHPwg!`eĹ1}aKHLc)}4kz!< Pb@+D+6.[PFtV{Q44zQ+U::f 9=of ?HS2(4UJ- ZQv19ŵU&=)QD pd͕M}\?ǪhJm7uO$(P]j=7^MsvcBe zeTh^Xݧa[T~z7 X۝gsyQsf-'51 !aZ7jGMpߒC)kX1س8î X:k7MN% *2OV hŝ6!qvsxDݱU0LhU:N}Y(cEI7UKBБ4`zcbyfӰC7b--SӘKËς%j*ٔ7hhr$ٶzoH]ZK,A& :1c6b/;\)Cdz{YU̜nErpb9v&ImYjf#gXÙ;=8[0R)Kr6F.86gL)fWd0 .|&Yv"?!N?JLsZ.v[]rNG D)guP[f#j.ok5qJGfk+J24 ~0j whZ G_}aҊ~T ,SV7m1FA˸ nt;)k';s@|OMٵ}- 3jmz`hިc X]$ͱׄZ8oʕjZ;\yvZ;@o6H{~(Up:68Sfz㕿Pb ƣ20utC k+XI81ߴ G~Nn3AW @f}2jDExθm9:9v25M1q>L(p; ^mq~'Y:t!}W^yh,p@n!T}0߭-Jc&ݺ\_F4G"*569=62fc`md]|džB͟EA ^?pIY[uhSvgQ9HV@g.Q8 \H'l]ӿ,TgY)|nK+_'ygSRš H*L=E|²:޹_ kWsćj\ZkD#P8ns=Є4`n|&m7eNs'#~SfDxu1j6=]uvNb8{=`(ބ-AC_Z~ x!(#Qfj&Z%HJ5d+J-ZsZ$+8v$V]\H48X掹Ι,5Ѿngg܂1>C!79Tc2yHoU#,CѠ{2|gIsU Xv^#g%@˰?HqnxO[t|GZFgv@[nqΗ%ŘG!B|Tp= dBۆਾ) ፷N_[z 'JAq؜OR(?!8 |cZ̢!)w oR_/90#_8?@^؈A0av͖EJz?n[}bcbC[V(6agEV 5ZVxIJ5 3 b]AwtBQci(Fz҂kT^9 Y{K a/TͤdB T*CAe*(qW;F@h5Wh aa v',1Iԃ68*EE%o.ӨIb27Ke?p9 BvU<]q56fn[-EXuynw%Gg~1z4XF +TN.nt$'KGlnW%;iUߢv?^8V C1;Leo74 8: ]o_+zc*bxf2L6Ԇ 5{@YzBWRǟjotE+1Nf g?3 >q]~LI pGUN^Aׁx8i-Mb!/P Ց s; 9Qi 3C, UO]R3اS5vw5,d9`_F#2H'Bt"R}M=#W]0ٟH^O6#?<^fhk(f+ӳ?Xo6c^x wrAwlD>m1kÿa4>/BȲ4YUu\ˆpu"2@UbR/% @wҟ}۪ vo 3\!${+d^۶v.8IyI |:n2f@e{KUz͹+%,:e-@[Vw^ \oBgZfk`vf- `r !"KW4e] 3ޙ|s'+'_$޵wƽ}ww~=E69e8 8*EK|*a"*tJ҅wFV7}1qnk)h9zS\D$T=E-77 DXe*B`F[ࡋ*>xkLu iqX1_=vCb?ku-)]=Z0в Qܿ,$j<+t~m7SdT#׳y(1U}-6yۭax~K+`~f=j۞1޿{00[w s4\7d Ӂ]ڑIfa{GI銈`Y1LCm?JV#B xa0][79ܺ 2aԐ/+PXTR>Fwe,$Yj3B DI>ʄO̠݉5eYpnWeXZhEFI}lzYIӌ^V(624؈A|X4<2Ex^нqP5MhMqMIw.RmKrx+^4I,T:uc/87d+IeL ^S9/sh$Unbk)qrń<ً!*1 R7 1΍0l?DIC0xM-7TT #2UĮ{[Lkݽ@_e̬A@o5 [X=4\+(|EDjq]+h`4ڄDܻ!hg= fgN媋%KKs$yXuoӤ'd( Xz7(m ߁'N^JK$ ؝kԥdƭq%picdlkx92sL{Wbsgy/n1ynNϟpIIuXg+0]#\~hyMbOy\ ۳ ~|QNSW xLJiF5J8Z'{c hϋ6@pXJrrNF]]o @ ժBk}pF>{Nӹ/Rۤ0`K4DMfLn|覚 hNmzl6C@A,ֳ]8os,-Bs8 x\ T@Dbwd8$Q!@i7K(k{Fb9Vi?Vj>QQn*F}m9Bc0n f!?@\ 8;v氮l:(Z]ofN0I(I\׆gce}%" Sؽkn bWA#dl8 ]3M#ZU 8)@ڰ9 $SOV BIgR֩J$M w9)+Z>s؟+Fd=xG!߱˳d'rW{RA`&#IEP0q4 xoQc?X ni H#Ǟ, 'WX_[kˀa6,b;UFˮY\k':ԶօFQ( w-ʭjV2[qCzjP%a whisAb`8E?EUoqSK:t#$ACOq,;h6Ъa6a?-GL3oN7=Lzc~~kPVg\BGPg/~LCоqD60g6@f3,;&mi~֯2^t̊V\ @ܙ)m\z4ԩX 8ܔsUn +MҔix3|6;Qnr4O @qglzSNHG8\݉_D%NKS@ bpKΨz5+/6hU7P̶t$8vO7i_ftiʂ&Y`hBqB4eXdt+PAc lzx|=J=)1X[B YfƬ461"c$wZ|'v32EZh]6?&`3z6qMFSz! nvmcF95#Ɋ&$(O빬Ux+Kg4boy5i5{`3x;_LםmbbV?k;cng:.N/n"l'+TC&y|0r*Sy~b!pQHR[TI VDܺ V+m &e?*_%vߗqcjxX-} tK@ToE >"*H݋5eX6;z"Zl;Xy:4Reo>x}C7F{=Z'*v[^c5k0vEP3IH?(ͧlN-1}1Ox_ڄ4#-db ݈97p. ⱌHaێ)sD d~+P&$ 犺ğ.sSJRٗ[ՈS Fjn]M9P\ZPf +H}0Kxꬌ/ˆUKd4زӚ'j¼01fO()X;Bz+ ~+ebBnӬd&\0híZ@g* 8L5UARQh᜛I"  r3p%i\Za6Np7Eh\Z)5gx*q {tX'VkIUlVq- q{$)ޤLS׿PNOu)oWޔ[Gm/)} h*OŒ 6g_uoUQS^vTg˰8ηiT!U;Q5py( /:OKk~ST ׉B0jo:zZ8VO_Œd/[M^^1)ߩʾ3O|F0WhT:^I}"w'2 BA(k#Z7)ryH Slfzypźl[8˪IFCo5bQR064,},]V|X+^}˝7$>| OxcoC"InlHù-*AqhY^j{,E#0 zJ_DLX/KRMmBtb%ZX`],qV$}L؛kސJ≇G ͣ ![G~'CqLA_4xbt qnH4v wA"$q2h2zQy +ǎ5ˣp$}L9Zvy)Z|YL Ҫ ڶ x7whT}ΎG,5ӻ lB6A~7|kCnɄ2& QFk2$]RZ&(xJ W"_fIWX`Gl]c9"«Co#ݦ.bSbtmCVb.LwM<r()?JEaw`&Uk4 KNb߉ewQ 0k:e2@n># ۩B_M#6R p-|Ws&.9ٻjR$ydG1X.qth>ӳ7gg2"*9骽$XxtQ|PGkqQ-mR` '; hmA,_$sqR' =Nu' >&`zII DzDžȜy'kʼnc=?~2\–>agFW|~I%{ Y\Q͛i#_d&OV(gZN2YxdYJսv KZro#:^q؟ v7~#xVċ5SiE2Ub!XOcAp@Qӈ ".c5헍܆Z7w;w(ñsamBWV2Ljl3 !g|U>DBlٿ~PlW+~Jéx $EҐM†ު$l}󥁂6Se݂FD;5zH +PdjE\|IB=HU/T~ n[Z&/Mhz Z,~dмvKL/te$7G,r0 ZG翽֙(7̐hƯAj;9F+%Hn-|dSumoKEHIފaN1$=0~ӥehV6l1Z~fq9+ q0Q6h2Q*t DC3{j8u;R^e4j {վ@y^[᳎( @=Z4 H19 E*g1 r}Kr2~ 6,m4NcʸhЋ?`>zlƢb5 -ޡ&5cѬgDs*%/[mE,qGˍjsa1iC3/c!8,+D@Ĝΐ-WXv ptuO5ϻ*M>i+P*Dvŏ@K(ÉdB@nmjLULˁU\^誧§sۤn-+VI>mǿZx%T`{r›c,F~@RFAoo,Uѧ)-U<7_eз * 0S-$J?+,b|x T=l:0zP0PK3Jr6B3' c6c~ԧcຜA% 'sG1\K}{>c RS #pade LՏ9g.UHUc?`sf?Pf@Pv4Ġ@QK,Ю'{mav"b,Y]n٫ 54RجzoJJ]7!|'mq/7.B^ 'm{AȠfdMUǣoh7ߘHڭVBr Ccu1*sB>= tً#,Giؑ/Sà \^婀pK\.z-Pʼn?۸+g&:%Lѡi6=;"=*v)(xBjT}Aoƥ|h tܖ(kk:p^`wZp: YDI~/_48r&f-\~Ħvn:/Kٌ7$ eg`d8Uǵ7\8DSrb%B 9rh@Z\BJ?l`^jGJ>`)} 9W_3銳),CP [#LS-} ̇oѪ{0Xx$nƖ} <ǕتF2h̓oT19T2v&Ʊt]jyX&wJrzpd`-cA&[TĈ* wj66Mʷ3&(v?u .]x% /!{Jy`&2Ls7yߦAPFzV`ڹx61*_PpiF9Qt9ʬyCܒza?;*/U Lt\\!EuQƀIv~G=\I~L5%rG9D# KOUbibj\m=V_kԵa$ )[T =ᏳZv ӧ:Ѵz`4_{J:k}>FZ݂`bY3LOwh^*4*_XxX %(!/X p6v*%7o5s(ZnTbg*- S(i[]Vfdc54Wz Az 6f?骒*4TJt_ J n"RA!(ݼUuDU&jKLJ/bz5cCkr9p"V+RcZxV*PA&,yFw OJ@')i]!eٓsr*IgS=fc?KUi\sJ SbVEi]ĥT7WhX}-{jȱCi;z{9ˎL6rGkӧ۬$sQYԕY_0}"*Du>%Il.W60qp9~}`г[+ݺS)fgf ۵j[xV%^ w@]%<-q-Mߢei m E[pIl f,Hg0;T<ۤ.Sw}+h-k.nAʌx&8UZOa{x=,eڧ3=b){Ka]eMLq SN2fqLl'7n! ӛˆX=ň&^aQCfs o9rv h ! /LZǵ:~˸+jJ=yHi'jVb҈:T}4('ڏ?4%%yA4 K֥81FsEs0卄.) 쟿TdSH)NpcA8{~!hL:b'ܠžxrEsV2pkC@ -/_ Q7Mɠ (aa4jFⱱAԗ_,R S`*TEҭFA7WVC`u+ ǗDgK¼ۼ;X?e2Jze gao菉J5w-F|zJ7r43 7gv/-TIz2l5޾yJFYb7~2y){6\pi}nFc=_ɐFPט(|:t VElQ1c;g%j[I1iNj(*bMdI|"W|d^/Bgg鳉 {@sKND+딊wac2d~t}q$9fJg$i1ׁ4NRMԓbkzT \fg{! ?&yĕW:Xז7dO4?Z}tf%hxgM{{3{! q#UȤţy,Fg 'PC)x-^ʍ,}+ʍ胛,#ѵuB\ ;ԮWn5ܟe9`2'.ځ.OlCU^b` A|QOpY@kbjQՋ5Z>ڛa]vc{ߟgLlGN?+@09l<0#f%[doӵIȎGq $8ȷ{|I`+F$Vɔ/E]"Fq8=ZmR%(Ro}`ė@a_Aӄ!Ed]mFB_܄>cA>rYJ!ߑ1@TwAMQwݿ v74fps^$*=o#؂Tz];!>G?yOӀݡJOo I'W.J6%`'J E>c-P`3$be(TMjN~pU%C_"UO D>5*4Xp>N%{@DȎ½_ŦY0هpce;Kӂ_!EIȟUXXvDi aܛ0(!.BDCI<ЧI.VV*󥾭ZOymNp@m5bcwt4p-cƃnWő9&!ӧ/Da,JAna?/ɦ)CZ}, .L aL!&Yjt=*x +.F6G^3 pzC݀-{K{iM,ҪqSLhg E)crI,sx*ZAĴ1+bvLVՙRb](ĶST G.M԰ozFAwyҶ@@V{kͱ=k3Yz{Fۊp64knNS.<ƦY4xN1;7?K:SΈiPz?ovC֦r4K7S@m hH w5GO)?hڿxrvEDT衔'VǛ\ėsq!Բۺ.#ѷcjQ$t[z.kC]gwB꙯'^P;?fCw\zA}DN5In XW5rx~Y].KF>Z{] jk>3չ} eў;pʐ>R ښG̃kE&'+ NW80v0,LT*Ǿ/RpN lfzV)+{858>xPoD5|X"vQ_C/gT7 {} AY0c+PLg6U fKR+e7!.c\[[W5KpM[PI_|=xTF_}[["!0>{#bچ".[( ^b!f +&B*h;Ȏ74eǙ4 R N4a}-C}J́`4 ?묄P`#;Q~mA3hsf]AYމ2YAzVS7)Q tvq Y2;]h$$%]swQcҹ#m9ړ]2;E"CrZa bBOX3BR=QTՒXM}N#\w\!Ŷe>!CE`~hDb[K =ym.bM7R{ TI.$@+z%ռw¡KRY|s+J!f'Uw&ޜ!uPEͩdFիƧ=[0k|&\Er溰ULFQ,;3z4LkHu~Ƹ1>;(G-[M]`ܐ拺*BCrSU!8MK\&oj/x\Yp RίtaN[ g8]%_].Q}vwb+vzLA@|yHwr3(f 5 jz/S -"ԿEa;'i){5X|>3응3GXԍ?AGoG_Dz9rv=# K6=c*JJ>"GzuT߿:tiĎN׷РO~"[ MJFjЯ3`hߣ /kiiU}wGc~OKZ3BV2ȯUZNd|$ʏ}BF%";97B)䍶vH[³ R=&K9a9S oZg~,@WrDY-G-D C$|p)8ojȖMC W] qahSJ%XC>9ΟnVMWlucAnZ,)UNSs|n&uF/.$a@ <~[ڻ CN+ers@)Ǐ'RF,GbVJkoQ{7Ai4U1L _Ǵ|m[Ok+sKY'xߴ ;] egi.},]P2uU!Bږ0)ܴc3T B}/\- CgJݝ4$<z >%#Nս+[ Ӭf5#jenCD)NXK^6jܧi~  T4-Ď˂XJq P5/|S!2{9)Yoe[Y񬚜=1nVS{ ,Bx OƎNBDOՋ6ԃTܷEj?6Z 崁&^ )C]AoXF6c\rjB},w\/u5;F`ZUgvߧ1 '|$mSl8H5=cMeyyVgofܢKGs'GGִ$7z3Ca/R|7s*\EHczy!z} LěQ^L`2 'IZ_ )x,b(t5Lak)aw HZpGINBk2)XL y0xը)F@u+{ޢ9&{cT SVSZ/f Dk^jH pNm_6@ܷNb`@3?da-;ZT9Bf1u+ U Q:I${XF󺆅tPGsGtY"dZLڴca$[NKs4󡑯睖L['bD!i]4RkD\V{eK $3 vN{5V(Ge"0k9N2j?sH'/?kEP y;_I7حq|kQ톏Hg)}6S\xr4I*j_?E _1=}FYm؂YeB @,u'"bES.×1̡T4jwfBZVJ蹓AcWHٯvչfs/Z9Kv&Nowv.P<;ufиK|AQ9wt%li#vt!ՈxwEfl$M$!Vlh^aфTv d"vI 4E$e4.ˇI1E5%@D*D HhIFnUDٽVz?z\dBw= ΝmMjĐCJf|AZ$q*9:wX/~oųcUIKQIΣD{۷Zbg%(2P.e&\ʬw})wBOmAtd6oaВ].;dh5zEː73Te8OG_mhDQ-20G<m}I_1gYUCoA"胘ȏFMy ]l{IhIӗ*L D;蝊 펾@N'H4sd9ɺWM ;Li!FG,x*ߠErh=Y یm ZCn,%\GT ={xj ˧k j!ˍ4I&$Bv==eI|&\tտHY ygCo`QF}ATouYoqsj'>@ɲ'4X[^fu}v ㍆z?Jw N'Bd [3-e(=E[fj~D̥Ļ ,bx>ۈЙ 1UH-vqXkzx |F#-R'- SѤ,:ʯ$uZ䞮SáqR`@-O$:nI[<9Oz/_ou@2Ot{}`9ç]/ĂBc0E鈪8M0WPہ+vxPKM-S6ĎWa~R3%oO71\ihvzx}e g-׏Rlgm 6ZD>D1l4Ћy߮n(lbuDˍz(^% jgFuW\f' <2c63U#shzL|1.ǩ^[&Qа~6*U?TPqaXHPxdQs`aGqwu_r H~[lZm66gAzR ܖ= j:p9*UҮjAF uzk] =dWB wj[p)Y)FsF9 [Fж $io~_0J RKd[~yF2yi0צz+)8h}~X1SPܽ{%ZA"4M8ӅjpkN!1Oݷ"O]"&7(@-'=-5$3\{`wV)Ŝpa" vǨM/ѵ"#s+?OEU[{f+| zSR qWW[x:$j]d2G@RG0_baTWPզbd7WsYNPJmѧdMu,P7X_WMρ[XL9ō`#젔P+MF·t0Nr# mj6" dV"^rp.8B[<e`.4,@l\[8oCVYCRA/peC'kQsrp6,ŧUc#@e 6SU .,cQYFM|F*^X͐m8M[HH9d+^0-tW [7|ޟP6 rt8idPm {l^6B'l\볗6Wj r}|^3ҴR  | k(iE,o4yC1!,FܹEχ]+vXi,@IPX ^v۝4R㷜6{ԥ{Ylx#A- + Qt6dž6C ȓ&Nk̛ " o4-8:rf/Mx.,2@2Wd#r#=zoI8{IOX7=*Abڞ`ْV2%CU&Bò]^К^8ieWw@YC;d`9'Ga*^ԥ 4q8an՝hV*W(8J=|n7{A9G 6k?ox<ܬ2{tf0toagU'MLО_@(uǠןB8ERMoC@U֜xe2r-8lU3._p8[@#de@F8E@y *)$*7m*bщb{gSxb94ÎN;ʧ袦Dp aa +F2EمWQK̍Zx3 V܈4Y׿ʷ2u̡RJU)gGg|egtl (NU(pȆ?Ϳ{A3 >(!=&ZfǢyт?)1!}1&IoYYg#Oc,XnS%,P߽3g緵#[f=QɨNtYly$|?!NVs e;1`ā,B iRR$fDٙ(JH}>(dS]nKs" ,wN'EHiF%eI | @qNZ4(:׺V:C|J5V;]!rVIΗ/@쩈 F"ƢCl ŶT׷ l0rMr+ɬ.GXcTP(K㔜VE0s .}&Zn2 /poת5Lݦ98p: El޵Pݗ(/&!kᖧktjS(_3Zp(s  ͊0R\|.U)?& q9$)܀%LE ;4i*pbUϤm !W-! [`9\F";]=|~_l^E񇶮sl%t􇖅Ͼ_Ow*ҙ&ҫGoS@ TBJ =BvLD9\f ,R';oVM 貀Hh@pŠ|;yKI}Q,ػ#b[z0끞5+A4[ Ug:>~9,1)Sf,Jhi)!/_qĦ!m]P«}FWY%[tޝijA-<;nK1kZ|[ a,s1mP-Vfʝq焫G1C AcUS"]mOʜ5k{fāHSw `8lw梻WWPL{'YQ:dͺpRP2=P,?8??{'.?c_-@nHJgc*m >۹KX=89 ~Vg(.C&mN{d3ɋ|ʪtx<N)A2Đ'lp3\K;= tIιHUo`%v-{Z{ z=-bZ Uzd<ziW2cγb]{U &JPA |Ofy2:ᳬN͂U w eE\Wt4DtJz D/U*ΡMvq] h/S 㲡a6u'j$7tIcD* =? G0p_fz[vayn)Z"P'8T͈ex܉1{y-QX"4,1cl{ HIǯMHؐ.mJkRQfFoEhR%GH{ Akғ|7PH6z,nh,yoE༯1ri݄'c CnCZqt[vx)t "bN{ˁ 3mٟhlinj=jβ OpyY3:g?{$3x&ˍf],g'8Z3H&FwPW%Æ+Ew\|^`jˣ_wK棟}|YR P[䶨8㰯B_ c^Č!Mf'UGȥhs#mNbNE{Ms"'Ҕ]ltv[>3}{=w?pXX6 /#.Rv 8PԊ[RYM~#5ij1+1tՓc/l賒)u8 e}GB-#NBf{~lI-z e(AtODOGR|Rp^hݏFR~;XA%d^ie_92=J>[\?7Q)/Qh3[XΫ)!el#"EҖ.HL`tK)yaF<'&c: $)'=1!AJҊSx€3sԢ`YuȄ IۮMÎUW(/J""MboC۾-sOql:B6}_?7&ו_Z.ƨ6"j=ÂpA9(i,C.> =ofJ'kM/$!(; `Y"kF=rE"UY84)W{:X,O OBh$w1KĞb•qe׻̢1k?[ʤ>qpNk'wjAE{Z|9 ٭eu5#7}>Ly/- ڃBO8OW+s/2Zauz~CmM}Ti0:%[ \u0FUX$`t׺?Pu&vqG8|H\\n~^(ȩ*9QAfT0{:Cj,W[,ÆM]CF ǧTBPrmZ2v}sb `|]΄ )"AjVx̑PWGgq)#^jAɽ Sib؃t!~8$k "_EdTqt_Ԝ7jZt1m*&aEllғNɘ-"H̚H֓fS ]]2l\ wYk?:Sݏ0WZ/ A1+Eae~gLNRq_ޘqȷ : `5_A/+UI~|bbV,ŭ"TUB9!gq4>F#\6At4PɉdeӬboo\LT(ݏ>;iygR wv]y%Ƭz"+'L5aL_y"x/ZbBCC'%$UC' ^.rphmc( eBEyS'l=?W)pi`"Ҷ3 Ưk:%n?M2s[q.kH~&uIkR8Dj rxe݀Jvѻ}f ַ57wC7|*Yj$n7dU:R4R|ReL\5 O): 1*iYV'!gJ21AgPQ YЄ_Dh5^$QWouBFԾöZ'Fl묤w :*>_YOq^a+]I%" aD# kGo2nvsàskJK:繳kNZ7ycfaTWx$e{a@dHc󃿼?;uc"PϏ,fIx.{MӌrU MN@]ۙ[j>jQU%m')D͔ө7+#L B*~3K٣ PW5 yRDL%C ;ngгGRd==qBy1 =dhU0}JW0^3Jš 'ȴxL!WQRw,[Arι,r1lV^`(@$Fؾ)F7ſi [k8s$4zD^/_yo4àxY pb5k^dg2F'x^[R g)Ӯ|2N|%x\~-Zt* AuIPf}=7/dfİ5} .X[.kR'pd,}X_HU $Ђ&s_:cm S*N[ Bj)=e3hdzP߅د2b$uBt$b,҆|]Caz;):UKd Ry0mQgB,uY6(rpdD|d'6Npn#󈧎,kE^ѽ" p[??рh}!-\.G jk3NC^tG|NIA6N lMG67^{G !!^W*`d8[̠>x8f$x䂗WgpuҜq嶰KNG+ u/!chTZ`{ŐyjU5tN%"qCL"q8Gxf)8U)o@>e?PG7)ڰr^á5j9<{֭Vnjtd PO2p᳟ f-u#Nhqy7"JIz2P.2Ǯ,nV`.]6Fh޷H\unTr F@"1 YXW-2Á]J';&EF(8ϻql&ψ( ۩?`Ƙ)ȒJes0(ӒAKؠ1be4~rs(V҃p ryI}qz-'HqbiR_lYn y&L(;]7aҫ(<)0 V*dIpmou=' u{cFqT(9G3sb#pQ zIs(J'88zByY^ȿбO! *JV}=q_5K.^Jsqy'46f {Xwf@l2FNO%@% '$Viͯdu`.̯#H'~Gc1Yǀ%"0 :V;>cN&1 /k%:K?]6?TMuF^!{C^\ĘƮD!gl1_{l,.ZbD)=#~z" Ղ~- ͹s=i\%K]4-;@UL(c;Z3ӌj1 ̥]I+ʄʍ뻡 !IoOΥ] E& BR (ጘȞM;?J@@C*j$4R}Czǰ|hiusqy|+<]mk;Y*BBT]|i#J!U3eZ7reM~2!#$+DP+=㿮:{\R! E;9\U mOmz#wS8UnE5sp ~&xm@g8ԒM?YB_$[Yj\gՋS׈chǷքdAz>I@#{ Bt~2h."fޖM tu3yv6Ń:qrvh>S{)$\1`40 Zp=$Ygc%W2ϣk]^{lLɋ?bn#%lJ{ek{vW 2pz!~TbfʣCț/ *q&}5B\$`C#4`;jw1!\r`{_雩W)! asWL;UQ> HK-yK}١ ~UَnV*UWjA Na @/6B8Ȭgz:걜&,#rY"CtTFo2< *|4#9 x}]^`i(. [3.KhB˰Lvf,K{%ϨAfpSQ{G{nlZlp`- WmM=@m /[e@O~Q|$ά]rVѼ jiYCHÛ1~YgACHqH$7c!:kx8,;s2K O_4HOTZsB$za}e$I!Ȥrꖿdv@C]4nѤv'Eu2xn6I˰@A6,?w ƛX6/hx34up|lP[Rgց0[<3AfN 0Rcכ^jʔ<ܟZ%N;6qXǭpn#қpulg2+װرw7F_"`#]gl!qƏvaϜͪӚʞ'NtNDgeF4R`~ Lq*vGBM ,r!ǧ?L{ ܸDy]6L;9N3cY7"͉Eʻo-R jImMkd)@6L~"QbQ:; U@ jWpx iy+b|[u䪑KoʶzFT$O#b3Y\;2olcBB~ovg@E(ٽ〼p"ݝ'ILA'gd+pLB_.O|2lb-`SO>LjiM E͏bĈ 몙) M~[B`vX[220.ΐ,;5 H.ެn?1Qe@*T@bR@uH6m|>?SC/.M-dVlm1zc}'ڦqfѢVB5*Ok^iۖfx'oZ<Xէ"ҫTά9@I19KES m1%"si`.r̈́2?}&?\}Zg=gҸO!FTG0,]/Lp I!6UX(RsLw)\C(Q!MUw~>ؗ ܂xr/]uƞLGaM~U^ Sji6dsB`^iny%m ; aCN;6s`Ib:*j>썐ۧsz0%5aG/v#TsSԉ@Ъқvr´?۩6r3R9GpcZk/%rc"G&)9(/:CQDUN@wd!hzZ;f> Қ+oQ ~/߶bDRg'Hs6tR&erw6gbϧEHf$y%˖}jK-x b*j'_ >$cBb]VsE~q Z|d'XwoDTjBNuOLoqOݛVx\+|,/Xn奄s#1q6&ޝeq6Z|ia'+7Ht5XaKH>lT/\DmyP%'ۛnp9{"tcZc~YGx(X W!<NV$`{DLcNlj x,MDe0^:F:5Vmw/E鰮faOqi ~osbM8&r"{@|JpKhq| QOH3#$Pa$9ݖfMqw8?ۓk;v/w('ڕE 3t@5ȵ)@J43ut)y:c JT]p=!lVDkw䙻|I{ {iM%F =Ӟ< fO qaTl( yǷIzyw#Փ[WmڍKsnùVE&Ub^$u:ǖ !L;ȆR9Hns68 *5eɵ-GIw B篅\tV|z=ɏ3!gD)m1]@,/$Ld#jlNjjySiҹ);<)b 롩ҥ{xaU 2Cv|:O8vSMv0 |CŽ?g]Wߘ%?2_:G߱੃@'\%q{Dy(JMy L>Qre%{p&%v6qӟOD Tᄿ1^qcWR.!>:`[ C=e*#_aP!kydmCis+7Q50}_IMUߨ̴#/R )?m:U(^q~Zdŵ4Y{N%ʃ_H|e_P- s8qu߆peYȾ@}^ɛW ?PQp5)CL5 ӜFT0^I]${?pIg[%M>`88W*" &j"0g͋8ɬcLGvvòeS!uG]Vd !}wNZήpݧQ-v-C<ŵ(J: z+BS<vSL0)p͂3}꿚'N{#-\ v`QErJi[D3Ұ8uzC O+%IX!5hFGwКO{lf~䍌gpng#&?5T* OӢڭJ2Q)}+x;F9}%-3ݞz*ʝ+iU3"k@,Ho5f; γ??"Y2gsZ0] WrƢ&1nN2e %PmԖ {_ `Pֻ6l-T?7Lk5~c {"Hd-RXܼnu5Z64(/H m}+17!.9 ]ʒsfR=@P۴4STS*ZNΡą3DasϣUa)^p֪eCt$]Ę#һ5U.WۏXd&>MBtac$!S2RJڽaua)k9cY7o3$q?%[sQAѹCMCGL%{X >'T{K$Q :&ڌBSdT WVsFEp6^=oߪݒihRT٫pKmRJ ;b!E L sz3iIZ;z N>ϸYlzc[=:u  0N f OtVxG :J̓ªbe,Kͪ5':N@uF)AѮڎx䄛(x@4x#t#Oڞ*_nUOh>L蹜s>Ykq 02ƛu|}֝`2sjݓN_M<ɽu^S2~tԼ8#|↔"rZ8_3ÑAU_- Gp­F+ ]޷o\lzFv~XhCLP!=+*S+qa(o&q!$GMbq{~opCLgTa_KeRqG|[M8^y}=0'=#]~Rq4%!Ĩ)fd]t\E;q $xUYr2e 2|vٌ`H͉+y\0^\Lk6'74z)9kcrA7<%j-i`$ǛyNjƻ%'2Yqe҉1.mY?,qi6hh8Y3s%TޣGD>޹:J[s_w"6 K Y ȰD"&)Ev&L.bUHUf_%co+݇V!9jYT=Mh͵Cgg)/yT+ SJK Y(?wпM#S W҄'!K8!pXM@a d]ޝ[h7RaD^khJzK9|JRz,qa_3UN{u7Pۉ]^Nt {^3jE]#kJHp Z(M[_[ =i&@_oAȗws$ !1ef<,j`vDTxs0UxT X k7P,}|ʛĭ?MQQ~4..7πCc\6&W%y|&[3$P\nO|*[ܚA<;Tw̉VB}rɫʞk71|\qAMpO".Xy2>uq_ $rz-[`FD b+[FP>$RRq I[ݡOr6.2i 8@\n 9banHgS@ڌ}wTh]{xa6j`tsbYP3/)t;oUȻ#P-h'кd0h%hlɪvE`ׇ )1Lxpw.|\ZINuSXmZlz-E{~,Bt$Y]o1#0|2\ok%1Jz'lgC's\g5m5! ioQgOx4*w _)ϑPT0_i P܏[6yv *Ū4ۘmcХTN|teQ0PoBX^0Ȝ@OQ]uĭm(~f FCFΆa3Ri;ۏzS_4-z(Vbx7lxL5$QU,q:ШbnKލaf9ZHH<2ysĔ‡p&"F ڙ9hl ]|AA+ 4w6`.rW9fIɨʧX΀l4QhAp(IxqM IV;fQ*p7_\f 3I-CX v^J$EcY HK+$%C@ϳ(⎞2u T/Ⱥ@u6M.- '4fBP/ټ!a^Lk-i=,j"8/x?hp-0j\Mq:k]G& :>Su1s-! oi5 Z4nbP T6UߤJ榞LZ~*+dyɔ!)9@<4pWHȟ3A=BdLw}jEy0!@#P RƵYme' i=0tO,DbxT'ijQoU"&!)_Lf(z9Gc12'ސ " %WK[RL9 1{ȁru:3,ȕw`a ʵ $(aw'QH" p)CQRv2J|;iymL'5֙i˲G~m\;^e;ZځB{}(M_g8#q?M^dYDO>r>QZqD 'kZwt`#vGlƁSdUU&#ƒ|%:Ux;S4غa_D?]BY#60q@t jNFHyX'xjNx,ʧ5Pn4 EFGRhs;V鋴 6WS):NOa JI9xakaoZL~("xurIp%S=xi7i8LxU]th<$,| 13gxkmGswq}i^9 $5L?!oSױ6!։ZD)H %Ds :Y*ן hTS 'p&+6}9uzXbP`*G".;w;G@0bV&rK(ib_BʗҸCϐAyỵЇ_>57xO$."!:6AZC=[G[{ȐlK Rs/TC;x# J-,`s7(v菣=b;yó%$ f #W%UspࣈZE+CRxL\soMHNtzu^[sQV_x3ى[ XctO2kbt:8H7x>rhWCrso3Ў(w=O.O: ЫAm%r{Gv|@]:T7V0pa TGolOkް1W's熎\3tJvEmt9٫3&O?˛Al,Hd"ER<_ka~@4ܑzѵԯF؟1aG݄#r#]J4qyцK R*ZNxDmKwƩ,P;Lf?G%Tˤ&DnR!/gSWIbo`r0]Zt> ,X*G ΰnQWs37;=bmA~fmc\̜iof.#!O?o5l)] ڨ#"-ʾ'gjfOo>*!?Lد2w҆p9/kkPIx׌P6y+II%Ԕ}bR &! }OrJ%xQɣERʄ/ėr_eVY OU{UAuj _3Do jn ѳlVΐgF¡u:=:In& GQnG;3#[o$ \MVIXbYH)'^.A>6= =ĆWÿBƎ d?egk4aHF(ei}Rhxy7QDbg-+A cw)l<S_`6uaQjcf}Q{C Dy]qq/!9 S^"ա%rNJUTMBM*f. j~.F-c7 &|FU LvJą w%>,F̹m%T<5/ 46jϏ/`VN(D;&$u.'IhM$ː `+?Y1yN*{(D5frQӴv9JirX#pؗQ c6V2X'ݖgnWavεzҁ zWPFy39,%K6?ee@/6 GEkhF>f6CՄbS58jAZ&qRbz%҂goqfzۤUǕ/ѩ|kgm0\kH:ȡeAJMt!o@эWb6G 3k3>`|MJp`/N$Ru٠l8y9Y}] <9ՐGݗ1d iuiK0_s6t(hgg6=MYT=NRtvTcM)^`NOpPuDD>bDy yPr9:Bm4#JMHc`TcbW C`(Q MUUܚ +cPU[d s̳0T~Z_ÐivePEJ5ѫ[aCP;xd̅ۋ i {](5'42,)Ud9U-z$V|?ZE,iE%ΘU6fԪ- h +q8([@4=΄Nn[v;C:#, ?4=]c\)W볼$ֱsYH߻{jHA^6 }Ŀa'/~i8V 0LJiTB^O)1l1䐦$CPg,:Pwugj(m1|Yv͢ ^ fJw%,4"%Ee.sr|R^AݿԗC7_(H .쒵kb.%-oQu~es]:gμNsK8l\pI}jӽ?(e}Tv}BK"o!䴌0ps < ܄qԯ*t!0U.2ZϜs?Yb3N}_AT]bvCDr,?77b\xz=W0gޣxtMp6M9?وb6pвXrќh8x ˉѯP#06 -ba͟AajNQ2cm@z|~Y+Mc\;$פ T(7 z.#"`]|+1^&TldȒ|c4TL5x+k̨: JB3pҲ>YJRUH4QH' 1{>\~HYlY$nSܬ tg'X=9bYlɚixLPE\/n Xo>D[eH-91ײAᱹe3.R$`0rP׷_@kP*kfhZIT̢OQĞ^s3DO8cTɒL(zF[=:/VWQTǾ a/{*3H7lzEH<_.d۳:Eajz4Et['*&k<*,P̬#޸3X[H.֤Vٖ &kN.1hU_Xԇ\%B kDq%+^VHSڋ jنUr dd:n\щPm>BXGȐ6i[}P?I'-h~هdm\ˁI 4qDضZ7Lh꼓pʙ~QZl@"KL"߀fK(jFk?8'|}+Q |`?t'o-dZqf #-5{ʏ㦻Y- 3;/i F=;L2KIL<|o[=w8l!ZeQ`V77;=c=.󞙍Dm碃 (飜] Auq!º5BƫSOpSo}w"Lڟ"8 ՗E}ޣ? @T lt3g jm2wy1.wWꑪ9gk) h|A,26Q;Ⱥ15^m K p_@. >%lՊX F邹BW/E"'ي@["tJJB6MVwJ?ؒgY#WbAs EoqNfqPMm=~"*ēY7JpNmVn62}_2NgPkUֈGܕ jc_ٮU* & C6=2N3FC&`sfzfu_x\b+(h]@[oEwg5o5PѢβ%cICV j.>K⮒ m{>@0 $-LD.o]H ݖ-RmMiJT@ CscwߐD`T$f;#7KfA(iKn#S1>=>bbN_wϔ"0K"{T4H`„)2[ٿLlNk^xYoXk#κ;BJ,g,vjhn38sNE+%"v %EJowʀux܈4Vzre4l)ߑ-:2M`1'dSaM6Ԗ> F)X+ c?)ˊЁMKB00(b|̬-MB'V, GMC֑u0Ή$ԅc=?.\ S\q@Pk:j|DUƁ@`|kQ %kjs~Cʕ"TD-{)-$w,D`_|aWԼc~I;4=-V34jDq4?vL{ FT`XUG8#{HW'z2sB6v:pIT6l|U.~Oi%*h.?7x_RkƗ$ƀB)>un) kw?"O{1rڌ)hiDdЏ:HnD6bSWy94V E }v t4T. tkٝXs3 /@d.ݽHt2@8cDz^G^j}v94 >quni%SYMOt9HT=}',dêߣa܄y ؜שRd_iYJa;~hFp%sf&&?g}e:r3,Ԡ7>s}%DM?Y(vnDrx`ZvȻF}"7E͒+eBAG /aug"Dlq|ԟ3 GP6(_-ô炦| b:v7xeiCvm絛dnea7gֱDC($qR]5+ipa(0?h½T | mmMjy􈊼PXZr^p k'XQ9Юc(>F/X?B lc~],FI{y C/ʰ^6})PCi-׌K2(T ad20OWզ<,nIA\l85yU>*{#l [ lA(䴟ӽ oǃGT(9v& /#].BE0Nd.u AA0PgTZLjhH'P{80i\h7Y 9{ lm"ޭtWRȌf3 BH|&s4%Ȟ͈Ī@*eKej Xoxkyz1-5a^ЦTmpPzA;9y^O(rw3>e3Hhnywg?L[\E\Զ}$>i1Z9sMdRȄv-{ؕf9 }4[x5 GlC&^2Zb'wF>4±{@pոݑo|pfBsүsp`KOm4&:9(݀ p5P_2v>*^Wr*aY|t"%=`i=&mqŎJl& Fb,;Z=:n+/OvͶ0uM$ L4.GQ^״UX%hŦ=4ڧ5ېu*E_ʟY<s+&~\۵.E ʖ&XIqvzU|=fX}!_ u徊fڈ91ٳĊbnFמ? SOUÒN5h6%ą@}V`a([.'+Й 㢵]Zv37U`1F.?4g^t - Ɠpa?枔@~9G~PjĄй ۓ^WܸvW]_0re L{-6|زhH.d^v ẉ0%5moCE]fEFR / ڪGj^Xog)Sn.P)fm؈nX[s]ho s;[./H* h :T-L8 xiv@%e%N4f?$27yJ oGQ j+4gYo:X^n:=Gc b5b\Et€jhU#*Rg,ɮgPN~MF.qp+|wt-ip6@3屮 Pwpt,l>*mp:"[_x[2! !Vpqf$H{>EK< ^d@vm0D*#aӬVht/ A2i-V.Ou{{RF r nYҲ5`U!٨(`IT>g>yhH3?6<'$")Bc0rrU9Y']aeJBX p4zexSL"/fڞ]~&=\F#3脄[S=`9^ȨWxppS6K8CR9*?=ɪe|xeEK0gf{݋ f> 1Dr%gVYAnprp}w)*N}amԴ_`'Kv wq̌>;5.)X)^dsln}/p2&uܩSG-8/d*ol5j;:naq@g#> CBHl.Z{[u;4CJڻGhjbc9Rp^¿oЧFTzՐ-OC@ ӗ:|?{gJSTHQ%0N\ 8-fR:g;OzuhD E_HT(褸< !qU{PErg۶Qu;.*"[̞mڪX: j̟Pqܳh֝˱26o-Gh%7J%OOVG .IL\ghutQhJ3an-7k;sQ`de-9o$7`W<}-z|rxc=G s=a~̝҉Uۂc=? d|%+wKʳ ;{M)T@T"3v8h}&\"U1!Fd8b%tZ6fuKW6`rDikpk\_ֈO+ nZUT71P2< "Lkr [lsD"4ϕgxE!sw8BQU[uLY#IcIR(pUEo bק9ǎgYXvEYGl Ǚu-aS^ۨCk^|@\:D˦ے׽+=`HޞQZ!ak ^$_bzbvv\$H03,׈>JDxw,|z !*(6>T,k PQ:},D]="vz9h`*Y7U9#A+ELƈ92-K>D24}Rkov*k5/rꏭmCskk%*SW'!+dL ;mK7ي|a|odPpC{sRl?s1.2yť8YEچ=|g:+Vkv Q7wTC=ghO\68ӛB}AG^u ^Dq$sx@w{1Qǂ0T -y򌪓0s \SݦKsTsQ|^F4Mdt)+'Q8&zF>W]<Hon;$,GYfd"[zsp0Fa<u&͊LZ"*.2Vk% o )|^<CP7fUrcR*jOADrY*3{s)02<O4Q 9ρF>\Y/.r~-VT/|#9G K{uTiGc6b=Z ފ:׺yMkDr5Z*b 2.ldI%{ШQFx0ީuW͉4r SVcKU*n=SyҠݥ(݌NFu(s={}, E=~93'#?KbWyӻIiAתyBƨb%vc^%ǎvLgL{ _xHjwc Qhl^*i/eν5iǙ d?{4t`٢6082+y6Pl#0)6IPdx0Rsw{؏g6 Ѥ3)7q$=aHMlLGQ8dܦl䧕ӻ(dw~␰_2v( ٯ#e >=~\{#.([#bBs$thÒrviѽ+ml[%49Ffx[)plbʶF/p&2߲"%[ wWMjWCT?:x[NRX9&:nBDh48tLl0y@`uT6 ًF o R.,7;Qi)W4]2esea4'=&71ɬ'jL= H.BAt頤 mP8//C듚O7*K`ρy` Dt!y{)mHx۟|AN>0qiڏE8OE( MO2_ _ p btBM%( I 9N j.0V/]k?l|#) o;MkU $hwd/ʑ$~#R`2'\9{Fco'nNBnm)ZG1IKIlt]3s&tޞO>)[=pI+Cj꟤exN5x+ݟ(*XHrS ~ I{ dȣ̐Ɗ|1U$ů1rGNgP2@tY`=OxCRoGK>4*8#0 !a,J'5rm[XwEbRX H?BHnD!Hn#{VtyCjs b#[V5P 1\ZU=>_>tJM^ +xq?t9;-)-LãԪ6apZVJ ~p9).~X%C|5,q ,\cU@CF}Faˑ2PtfMe|FEMb[؉f÷}z!!I׼Q Df\pq7hI_N'q1ůey[ B(ewh׾ (#P2H߼9ݸYyLɠm57J)\wm-)wi2)RJz"~:,M1sT.l\-)3=pJqcrE#_AWcƯ٨d+-ƩvN }ԿtA?BPU$ - $Y)Q.i25()Bw̓;cH]T8BzRn%0deaou .Eeϼy~ovUkX]i:-Ul>XN2L Y ~q5s08ēՇu;RQ{FWy۹Xh8:#jy$C6P6vD3oQ0QrƬcQ | 3ԣ{o$5ƆHj[=*K\u9P㏌bcC8s6qTeV7jzIOW'H\\޼"Ͽ 9G Ǖc0Ga_/VZ!e]N0k`ԋDpmVUcX{,5v3DX͕c|1 jCaRC"$WyKa!݋p+gRKϭ :~kG߅$F^W̷](9L\cP eKϽH8H tgKXb{ԩ[R$5WEqr;W/غ owmXn="`!օ=C&j}~k牷vi4n:0=]zh> T'\Q+/do хBiQb݌E ^i?%f(aQ,xGx$ 78! ZPU>Oˈ!_k r_p+I&f6Lǩ I1 K]2VM3~!b7sTrȎy|#z=Kު(ašp*]D`TPyHxWρ!)L?8Xһ'q|ɰA FŵN@:w0*"'[h0.hV8Ys@(cH\l-4Ԋg?xfE(V>QYM8:PA|G ds77&/GA1ۣ.XcsmK e[P 0`g ޹̈́|35 ]挴eZR{dz.<蔕ɩYi >h]PG+{h 1Nk"َ3-ڍc}.tUՎBO0 5~FFE{EZgV@-OİdV8/c;ݧ 7TOٝY)_2P/򡕾OկzCe{  ECV+Ù7d#@%9.83a?f<aȐZU2TB +%r1 ">Į#cr+{OH%r2e#c hXZv} (jmL 3mM`v|zJ1QDCp8_4yDͣT)DFF!a%$:/ y9/Q$"zSiINyاvqaZ^ۺnbg9/ eW k =#=q;KWִǦlX ;z̯Eۭ1vt%=]=''BDJL8m〚f`<_HɤyF޹SӂʲX<, {+r.uF[+r޾ڟvbdH Pq`Shb'Goȍ] (JEzp@VJrl4|IV!\'*&м2Sڀ wì,0^HOqr_<Vkz2Z"cJ Y!W٨0bʴʖW6W 2^#͡8`қ6eQ$\ ԐsKӼZ =д}dy+4~GglY6Ȝ2/6$t]f@EZ49ֹQ_u2MMmz:c?DMN_)Yۃ̴;Ga`ĽnW#U/5FdȆ'i=5E38:Iɺ +0 nG=k3b#SŻwf'`Y/Ɓ;¹H plcqhuQ;EtgD>wTCZMs3#HMQyj`/5/(|8݄ wm!)y E;jC/b< FBա݆c?-/!=\L'Mbd| %!&lV|2uDTdC2d.H\ RE&:Qm2l5!])|z`]R";O}/7&C$u`)ȧ1j9`̭UމbӛcXKtmA@[)d)#^^$*AphZ0]_d c;-.Ÿ͗eBc_S[#1ɵtu9ШP5?zp9EIv9] y 0Ky Z&TgQtX?Y :?8pp ʧ3)4,eBʣ#2. 1 \p33-PW6-ʷ:r,V9= ?~:=qz$>81rd'<7Tc1qNqQ:kʧM+NýHT3s4lǰw{p{az5au+Y;KF6Ta$ηmϵPj.e]zSql6g+^=qX)HvF8v+jTV Zјxf(9︔rABa2RahAJby`nf ?G9rS^YXVJH9y!?,r*ѣF'^kEĠ4aWڛeXseM(=!6>A!+0Ά6gUlX̨)|*ִxzf0 9zTeɩi&۬M$> pmttPrfտ vc~4`Rw8W[νdacy,h,v|Iw9Mif/pD8N7үȀNykU1eL90CYd{Yd;`A H'd̟~|/%5^ۋIr%\Zn6N^c]$vfi /8O@K-i )ee}mם[cb}Poy;)>i^. 4~m}R5Dsk,VpMdVVvy폚HWWW{~*]!5i7 Bkudm_L8,!ЈJ 4JU)s$:[CD;BV΋Rgڒe^pR&CƣW9|MZr(LCӹS4;:|.>'2$yz!fBb=aq$)~hdp wL ԭ$Q#{P$vj\|e?/aHژL9xrЊs9%[!E ˍLG!3ȕ+t]6 )Kra :WzǐpIWnxEOTB3R ie V 30 2:;cQfg xPm1ВĚJ2a&,|k[}ĝMP_B# YUE%2`h{v:IFJqVѡ~E<~6`t:j 'wOxT*>z!=>F cqs9v%`<45q}yidF<-s"f0_D-A -.MsdIKo V;GI"E.;0YpM$+Er+ EH Q_8| o9ӟ$77Mvh߀K. u 5Muk>q-my̹ŮHv\BɓyU~'숺2ۂy+jCE9%DcK:R[]?d|)^7HB#mAĈ@uq/VN$ܶ`\ ˉO#ϻ~?в^?RAARVe ݐ)',45BZ94".738?}.8A3Y,~-W2#L/L%Ѯ݈!yQ*NYvuِvt.âuŬ~GyS9YT,"ˋOpY:/pWřn0^\9d# eԾw4Ky>z@1۴YӑKx!Cq;r^$\.簤԰(UXilձM.{NW*p[X)Ղ|ͥkT"&1 *_]7SLoDhL7 gBY:ND?)zդ)ψ onj;L1] cnYEk8\få]3MEf4)i Krgy(cL cѶ<‡ @?W8̯؁ :VUVQ3cU'16*utďoB[I Ŏ=5"1NouѼmd%8' 'HcNGY!'id (DB|?H u#U_fӛDm4 q%kY0R5ɺ^y϶@* u4WWvl^9ҳ" Ϯ|NWfe*GSTzشJKb,*a@6% 6RW/Jڢ\ޜ)zf يx;smYП/uF*r'n,8*oT41: [+4Sŏd<]dC`&jnuLu,/r/1̪1F7qM?&ӌg?llzr6cdE}Di#[l+7 "&)4j.8qLOAoܨ]'DBŒd>By2z/oZZ$9 b96aˋF^9fc,!$Hd뫏Ǡ &PMGIyo ,?8X|7 YȄPn߶lI}HiBBlLF':Ӟa68Z)9%폖ͽ @;@[ex97B %ͼ+>573T&U'1ke[ yݓxǮ)A4Q!_Y4n] >EC[֮[2Pn"e X*MJF.El>ACAxd!4RVVn?+U톄7;z&P{E_@$bݤ)|K ˦ږ]R(7Wrú+%ORP/# 1@XHiK̜9xb-=M$7iT\dbu%&WF&A D}DĂ.L֔iWVuuW׽%LOFjJ [F6qda/Ewe,*pOE[j| '1je.%U IZbܫUѹ_GǑ4ݤ8-TZى';)7ML,_!O |y Y .1Y^4w|[b~׮].ό&&;FʹX*CJ:e%3rn^JKg׍1̙6.B=P'۴,{=?@ _ɮGL>Y\7V]cq'#9%nnٲz0ÑR/QS a#(9 VíqlX+[Z0tI66=79uiawxD"{-.g}\loQ}k|r5o#4ʰy]&ljʜIV09妝3=L $IEA!KGYN/f Hmfڮ`obsA?poqZB~Wf2a@BѯD%vX>O"Fe@4=,x s BG3nm": ̼j5U#~) Wr[d}|\(PG0oCMKD@) {^M-&R@V)4]+&㎥H hR SG-*nRiC#:O&JKkc+6~"!<Ậk=t(I?ֺzt H8&e' t `Yq·"u%,gL[^/ f8 72mFb72^ XJFoTiFgQ ]KGjvœQLn'geyo4ٓB|,~/vGBpub]{  VrAQg֫MjwG7 }D@293"a+'  ";}*<"V+7'kI*pgӧ6'qհi截3x2R?8}*dN+SNUk[<'^4Qnn#PHM9r\>94NM@ ܕ~*BTIzJwpDlrlhx㖖kd DĜG{N\_檥sqG2۹ mwΆH] ^D%8T&A*)ҁ3CLXWFHG%ʺajMG1 U%<&]=Uġ診P8¦ F7d_ckGwHUE<?pߙIOcL!aPf09V=?%h,|i]%e?1lJWHo ; J8d<ʉX U$[ZIb2TF #gBD!ykQzvoŏG5DcmDϓUt1|{ンR\nڨz2lBQ{۠##CifȋpKI Fg`@$ygykX\v"D$J`,_$߱4l,o s0mYΰrMꌄGܗm#VzKCafYM/84`KY"OLw H-y:23B2+n U\y6⷟^.j_zs|fHbd0RB#i.|ig}roKWj̯rpQ@RneMDVSl1NKG%XoM6NNُʗʲ|uAA#r9@xA9q87n\76WC.[)?>ذy:mw_N6!wԜ%|KTZϪ9Wv7Emc29 >/ο|B1  -+akJ+b7{d6P;JYpT' |/2h(ԧ)HUM_0nw1IK^O#kan.uXdkLq_GO-AJ#TP!&R2NiHH0l3OHP21pEMSÅ7G2vIk<*8*~[a!+tYrGr_. ǣ,ymbiAiߑǽ$ 'srE4Dܺ©&Դ;e%+k oS[1ϑJU!#CKeΈv8\: oӡco̺^9ii<4TAt^nn1Ѕ2k>p'S]\ۆJ Uw'Fc&f7ʉ 4ūR'p kܗ;tR%&[h@VxQf#5B uyd;z=?Xu\ ȇ OĻŰQ=|?MyI4zc|ecO@҅WHVLa4oHf}F'(GmAh ٗ5bh>b)\UIJ< VXhۿQ@Kvrgldſ35,Q|aJs-]vm'G#~+ހvL[UlT 7B&jcu9ҵ1^}-P0&׈/ބ&'\', 7L~LM]Vn_CYVI8y &C#&!,ϊ dq29>x0ٝ*X&CU`̓="'B$ hXSͺ? sS /eY~ңLm8-l:?aK0쨴CR?&6Mh0* fHt{8-Oc)K@xKB>Uy)  jɛdL%M2?-dc57p U.CņBc/ao&ǔfSʀԦ,Cq^(PeoNQqz? h{Goi ޯX1JAtm v;Fܾ!13Y=XNawش6!@]Vu[g.>#=~CgŎTS>bpkPC8 fj3bt^N.P f]ܖi$FLsJji6ȦW_>BDsJ<a}6y5xWiT,,03Ti$ȮtH`$'IP|z8d}@;qBn895J79@BWZxD#Ħϸ맛o,x9_~!gQiTK&Iml{i~Sp*_u5òG~ljA:0{=ndu Ϩ[jPj]ڃ5$Vfa` @I%K<AeʣȤ1qvdry{{x[ *$3}Jvt*c*5@ԙɬ1a%jA{h:yc+ii](9ܲ Xo྄l-dthz{=}FAル+ib Ob^ s i{cL?BzA#U wM8L1sB=Te vqM0#p g9Y. ^h_ 7J)åRؕd[`\6fn|S\;ĩ: D 'XD) Nj7.'}Eф{6S31 j-`H#Z6' f'oՆy (K1 <[7)n~@IfsxLTV#+y/]m` &jǧ5XjgD7C)67ڹ?7ƭ~6b@Ԙ e90u QuA idDez'`-%wԳ\b r;vc.c\vʤ{W%} )Uq`&,Xu<@/pl6=^ [G†Znw8Mo]-žOoEK \M@XzG-U|ܮQStof⌾iAsVi6 /Dna5~L)wYcCzRϿ[Pu:AkKvF͊C/YM/}Pބ;wF|*IP3:&je+᫛ *Q0DމƱ䶋MD#~ivߨO}_SSn M5Kܯ1`%H^( 12v oWKk;֪J2 `\mQAEUsлW`|ň*8ƿ>f6wY"Jnɞ+} {EI<7?>3PrIB|Txgڏ!u_ڃm)6FF|``pF2ƒd(N!|aGIY__,YBiÍRֵ5SكTB 1:蓨o5|e^ ʅ:Y+#/=w7J ^]{]ULʩkq3"E C veQ=YŸ!QEy\zwIYFߙQ+*^HtB }r=E"YpZ~w.s,=yr&HK~s4P_eNɧUhq4Uxf-N@! ڀ_ٕavb-L#hJi "9` L&|+$u9 {ǤEVp5'Z5ԃxv9[07'-bsµ+OLJ(#K* Om+{@",N~0 rC5)l"y|F2޹S:yQaP  \-Z"|}tLiIn{@Wc^6 f*ʳzuWͶqV M?&D`[ Lo1GY/' XkҥYv9LEOrW'V&m L:ZP+0>H !0;d4gPH.oHڑTF$f'.1.,WԇYT _qeee\n%]h#ܦlJbwȐ30ӟ~>N*9-v9&X=4G`]>?vVT [ދ+F:_q-|Z`,#y1} Ѝ! ˏ6(EAgA X§pd5Sic8(!e O(*Z*c;xTc =|#j H% *\/XoS>Xtf3JVBP= ɛyeE{~(+j'XFZyAuM\Ύ>qZa<8S{*>Wp=%V45EE"Pw}sB{S O{a;fzwLtOcq)t}kSQ+ &2 l߁d\/V\`/xYvLjҶXL2O˘>FS#^M[XJ4}jDՒy'׹i =[j!:*CKJ*`cÒ*bYiGO@; 5B736z,Y#BYUznܘhfe;p (_QR/G`+CEwT$NN[.9:/<8J,eBW =HJ: E8 G49u&Xn8ȝB޿8Zl3P LtYFZt.5#ںOS p Xw}FXÖо 7 DT z鐴"At/Ͱ0biˮ Od沃 I;{L5q6;>e<۳w~uУ1IzYk#-%ʁf X2bC3$ڸpZAp .ۃ B^=!dh~Y ;F ۋ3;ם燹ѭJӼO  9uO F >y]NGZIIL'K/+FNxϻȞj7K|w]ƛ4$f UFY5{oւ #~s<*lZ:;~p@ߞg!U 1`0&1(` e e%嶾 $5e3;l3 z`c\zaca/#g{LL"k}:RbӺ6&>LRlrc {cF߹TX)2$olS`` `yQ0xb>0o^s:*F?T<ǡSLhV22YGx}]!HI~%P[72b :ξMI}sJ]vnm|8Kl4TK /T¯7 ;$=Yj%zRj֦K~f{I玵$×܊jݻȰP)WS@@߅Mf}j7YJ?Q$KCҢ8T4Jq  OnE,<;;JBtɋ61yǞ=_1в 6 A_ް++W ;PMp ?c fBY|N#\oH{8ZL!aLdc.1bPԱHDFw~b,Q7\U Dl4v3|bǶ{I  XE0B r╵6 XJQ>V zq@ړӰCWpNT Ig Uxm'C撳"+\>|}?{Yy4 Ri]PUMK0Dtyڬ|ۃѨLn_ܗ a5SѳjOxkw6M~LY?$֙%Wɐ̿R[nlp)˹|ː_٧cȗtZ@dG] ik"cBa*sڛ9 ,,XfϤuy_5ӈޘ푰p0cZ=T瓏Qׅn(C:`ڮ>;40pJ|~EtI#^"02}+bD,'l|@{h600=I'cXڠR n? 6AtU "H}b1yT!ї7U` Ey'f|.MfRX0E1~Wvy 9u 13 uB[Nt@%_h+߁\xí%A~ږN%DžL>,dy$0/߯-?)]mQ !Pb cH8@D+1:-O`yHEڑNE*S~GױɠB3/ڠI7#.%h:.5xÍ1 Ÿ$SLv;۳~Qyp\ԑyabhuAnU!T񻊐 = GP5#q9=TWvs'#7:;!(_ /6snUbu-_(TŎ(ڔW-DCf8 ty[ u2_?C#io%hFM>^.{BͣaR}XXU>/~mTpOӶ୤>5ܔTXh"R|ܿ"iտ߬^,A)*|[r)4d9+v΍+=٧V]|{f-7"u]X! =$_A#{ML%$y.B9^5$sCzfpq{e&G $D -CNysW /{`lbF!^O p }zMIy2Jќ ֫<в.:{}_;iB+ww''S)ԊPX~Ȓ{E"7xRNw N{;"~nV> ݯ *|v*ĵn@6;!D̿_||c)pxUAcJܝOQ"; ~ |7QGH3 L7FĬ(+w [K8A1f7lc@?ĚU-ŧ/_]蘑TCoIH "eYp{A sZg\6\a2P{|bϧ}%]VDwl눦hj3n"$l\$&Jte^-}~v=p{s2o=Ӕijn (3#=hzyjr#X`o4|2\,#.kh-7s8lڝea4(K< jܚVZzp].!q1Ķ:b>kpQ^¡:Wi5kJԠ&s`>BFd/`T,{ڛ_Ь TCQ;lEYLmD #=% (y L= R.,ߕPM=mx5gҊ8(̍ ޗoujoՉ7G\7| ,Bt~G&/SeRBw=錻37ȼۄDQ,La"|B2/*+>p|vk uR﮹'$oj-6=zX-rR[{K*ij=:ЄGQ;ʆ >z4VÕ$mxK*G]lY3Z5  1%qx4-0h-;, \膉onan."w2]nk=m)JUycjZJ+Uq%v?X]feŕCr dDNS'In>*D(07oJ$OE9*ZJo@t'z2}/C 0(Is;P#S\,>BlDh:ip4}.9>9l EG% ]ANC̺)vpo*3|$+ǝ7"Ol&R"*eW1cӤ#؍-hgc !qx4Ą|x&`ʺ]]E+ )K?]zVEi#M+WX- AU;ONh6Ә\pYloCZMa&K;S"gч(y1,+c/VuS{:lCDxOo6Ѭ|&JiieZvNH,jĽ^;s@tWZ+pn+0sJ|Lΰ6ݧ]x"qsod2*i2ҧ@Ok-.>X^ӎd4?]_[\;gL*e;ඃwz'6ǧ\h͹+[TFf*z>Jm0}r&QUL-QC6-ZIqbBu_bKX:S Ë ^ &fhS0ushՑ CKf/r<{O}CAMmuy쑙0o*,$,9hs[\~ smAlOብwVS| !u̗zCC=rή*^U];rE YE¦ KF]3C?cB})i4Hwከ9~! QLdm4SVoh/}1/3`0LՈa~rfX/ _s^FzF1Qݦ F?I&}RBk~ ɁNX|` kE"JEKŷCD~Q_ 8Kzyp{IS@X[K 5/mA9et3< ȏt8A 2t \FuZCŲ2S;ΊGN= ,n镍AoHO| 6Sui^ QFk˒<Rc3zN8I;,R!v TB[B4b9+8#@,XBdK@ܗgM4, Ũ K˴S-Lk8xq3LG`:'\`i(9n5vw.>GgJ^cNab; ͱW今͔*^e wR^}߸ep YAC2Ji#*?Q3E`(` Ecj賬z#T8G8T/l EAҾFc*x!u/ד wˮ Gi"aHΑBgOEt'F >ȻZ]fR"2nRD+Ux>q:ƥd/zvO4}SPWh|<9,7mgr5^܈Yfd-|km\twiJ~2\ZS]QmV1@Zlm+'$/B9z!rGn|7HOGw=[E#/\ s$ RB!j*r1oh5RU:iyWkOOrҖڜu6\χN7 o>͚ښ>(($Djt5%P&>FOK*֧ȩ4*Y%čU>]$[W\qwqâNAT ( _,㟉2Fݬ}ּ0oE@޷Q;m;+%xk7+D5ɬz94k#L>~ Ups Li,U'zsa%ӗiK6te6;`UC3校ɄrXwUL9t[~{/:"4~ai^Т 6FIXpDd1kR;ds7wϢ1G%K7LzU˻?ѾYp'8Q*ZwVL%|y,UK$aq6z1%M8K̬%;FPÄ.89cTR,m:*Ao`W MɕT"۽eް?kXte?îoH9jO br?2'S"mry菮`Aj 6w ɭ1 MD7Yڝd?9].i% 3B :pֳ=fRxw,̏c5$}47!f#T!/fٳI.7.[P$W0bWt0)al8G\P}:<G0,1lߗGOTfnKo/IδShj1wcvpM]jX6Ĥ7`wy>8aEz$ƪuVz4dxiٶN`aKJ1 (sK(C}REW䰖 yFnN\ 2VYɂ]ߝBMla.ş$U~UóukPt3J^T?vlj״D&[+@Z`(@=~ƌH(=_ hP:CnS0,HmpE[`B.vPsq5$w 4"$otH^kS*j!:n8TZopf2:O`V|΅*7ˌi& JzJht:eedP qD[ D)^cT\:,+Sk/`%/a6U7.먇> I?n(3)- ' bh- HIKƗǵ!,7s2ƐYr ; /@yk=i,UAR 4ăMg`Zֹh-@WAf۾% 7+͒j8 ANItaHmJ$ě2#Q~"hrŽk p֒DDnGi#| _8Lmt']15C7Ab3H6rm#@20yCkvPO(Θ>{XW]VNx!q& T*SEXqADbzL:6Xb2ֶHiIޅ&F>3 e^>PvSS&ao$sD1nT+ͪ 'dXDjbFBSA:4Kӷg?0~찍&w5@gnj)ZJGvz!%O'{>aջ}Tԣ l7wC-ٛLV_,(TM[,xahe2\{s }^ m9&κ+ qW0Hwe'ꌕm ޱ6*u>BNl!@..p^[;6X:KpCFCsT4ހbAJ؀؋[8*TdP^;7\TWi4I7*IqKιz5Ɋ4)?_p|X GAclܾM =L!=v+k{ d I=Z81"sZrUtp 32kmh:.Xe~5F.y; ǎ1&F6wN6S1'#$U5`s2 'ieG% 0y#΄W'z|6_rl լq4"Vb!3Ke,uǵSSA  f2'䴈ލt6+&^ev+j?WpM=ALR`;uE0OFM*`lf%X hTg-;hè¸z;ʺ+4]YQ L:ck}AzGX˸=: 2o^1pf,ͫ5)&}/OtpƋrB-= a06Dgf,?wL-/6f$#Qa^3qA~éWQD4};+u+^gg{tۻ_0T&P\=6TH46䔑 |=y>Bĵ(z%S{:4q&M{dmZv>ZGO\ F+DŃkGZXBˋ3M~ B{䨩C!z -{vΣGoo iF&IBw@*!?yA<}Pity|#W`EyK`yAxVO]א=FQ~ylJK{w. 3..K~؀#\"?g["Co!(=Իɜ -?&60Zt>y㊮Fͮ$Y~]=Dua˃?3?X$bvȻ"ؠ0pU\!yEA\r@&$!q߲. U#PMGP=5n7prAO(pN=$!jIoR`nm5i \_roA̛7EZsןcœxԊ/QIym),̞6XCB&ORQE ^ G6ewni_ELBw\ pBHEb\jHq\C@H\)|ۢ2{1+&9vYg-j0FHɁvs!O$~@S|։~^K5_ @X2)P[LޚNTDvy+O3o%6R*Ş 1.|R0vv8M!Q_? aQ05ҀNN`}yå(‹yI-LL''3M3 F_0ՠ8h~c)s.OK-.wٮ26tsi/YJ|DSGj6WyPH}#z o/>.R=Ub`N\!^_Y+Uq}8{dT ;"M5[pXSPIͺBHkˑwF"]+gr? Rt}o׎kz|5?P Zf|$8 $Ƒl5IBJ%v9,D8m5oM!-aQz$3Q)\}w)D[ׄD`Phu@Zma4"oYG#}vu.`t6#;>Wn xsݰwr.wi܀ Z&-f蘐FjC6ƣK 5)5tK ne\uEzHuڮt /5~s7m~Ũ{)*;)2V% (cUrEJ[$XϢ|>b:FE:[\u0n|15-'ZJ蚮sb Y`  pg:)Jk|͢fAZHd &n~'UI eguXt a?&AO @mS>tm$#bzۊ?'5,̣O~Rׅޕ2z3ZĪ)Ч -@[~F.de6=]FX^ Dq]s`ܥJ?)[jjb%)/V8!:D'z¨@\Bl}!oݒ幪͈3[Y\ F9w\MGa3ptnӥ!C~$$#E%: mvfhg q'xl&EXbjiK!nDÌTߏuS-9Cj9؃k[a(79{UF_7!I m ktfKFcx燺Cn7+$ԥtf>1dT-^#G.sH%y )˸?;wdlQ5,KKY(Vьe>>dt9Q!^:*j m%ȺCH6 8\ڐbQĆ*k#TY:jG*i@';Z"aB=1t%=D&h}N\6'6(^ V K962mh"B+}GH|*vFOUI*6j62`U,w db5KF"1K ݻ4FϋىWK|]"h$3 G)CAL}~l=~4Ыې L&]ϵESX hќc::?*Өd7͓8~9? FCqsp'5WQ _o'9jٿ !X/1BRVFCKO+MMF2ۓN}fۍQT"楬Nw 6*-? {-`&\:Mǯ;]O,◸;-_L~iHxRXM`)47^'e R F&B9=Hb>ɮ_B%!?IBW(Ǥ5vFb,nybu ]IYгu+c{|q޺Fj%eFV^TQSp'K8> ]e 3ssRV5mPs | 򭅈i5,hcLB2|e  &w퐧(΋A$c2^a$VXR%{btkwv\>%/J|ckvC:=dk q&3+8yӢg浮wƂhrR4fIRYGFheSO^Q`\U [1XRߪgY:1\  l :t"ld|dW +5\mx~1Yܱ+NpXlb-㡾]<?p?CрLh̖CL='?Qp vpipp!?L@@A>&LyPo dcQdrEr'~lɪ8'i|1kGzoci ip_\Q$K4[k}VMו( `<谁V?YNaIfv1 EށI \d, t,9l59}:x<,wո(m433EēH{uI ;L[aYO3NY_n|J*|cǧ HR8]"O?xV&PHR$p|JasXrU+f)j+9Yutе4-HR8N<1؋(ZqiQBױ|]PY4UsNn/*`ĬʯK^B:dtc"~j+;c/{,6Ӡ"RS10\נ0[E/%l=\U$^5/>v{ UF\v .3Ւb)_CpBZm(1/umGIPs(cr&g`叾 #LQ#5o69.zVqwhEZRDL6d<.O*QPۇ@͕R7Шtw/ԹTɎuιPO. @2̒7 fsΕ'3E2{7aH  D5!?w\4xOeu:QL;܌4AslӼ3mɘnr [,"/'Cq)onk!f~A\4ݬtn7aG+$eK^hvp`\s_ fjb9rnڵ|msY޽q#oj> R17'I {wW 0OS^Ix8&h ЙA$daz B,MC A|$fs[y!aԑ딋y)2 jEN33Z#zniYP5br T ~ '/pBL'ȰBVU^%z 8^7(gc}"jC@Y+eT%W{v~vk.䏼D u_XaN:j9N=1d_{,%㦍%JDi9+qͼlٚ &Ctݬ q*X4nObg)'Iw ]ZQm›s)mGj{ʎP=;='n?$O@8o׷g2@/o/@XC+ܚl3rlqZqkב|QEE85ۜ¾dبnWӇTIr1X6d>ٵ etSijbc/v0! l%bY5z~8A׆:+sG8E),43]435]L_{>&`Zz!!L?"8WǓXbP"¦XIgWd6V۲ϵE<5g:ij sA㍪QG7`ƺM-`hwo]P'#.@>A{0f`T+ N%2\>B2f>g=Kб!K_,!4{\>]`RlؔABZib /ҧ䍡;I 0?.UߦJf˼aDj2ГM|xGG]GHIyZK{l&|$Ƶ|BۆW f`iԛRZ;|#)mTh AG]Lo8h>DA Vm\Т/87~&_=ΆF.0Ip_.VV; Kܢ%GDoO011Ը')uJ+Q>b:l֫nv֖]s7;3-٩3!1o[nRumⲤM;o g+LpF [jBQΕz7żzOW?2"ZOr5NҐڨVbkp:+3nnsgP < "ㅵk,6d`T\ +*rBx-FI2j -)=RTv6Vx~[%0mj͵:v;S+? [7f4keߞmC΀#9x^v=Us5B|(nü=O\4HqK9Bspz= ̕Ԑ|_:i‰ 蚰 [wp66#ͫ 7b7YT$s~E3Sg@iw8 κRWݳLE-KC&_uZs,p SGA;c~+%bU}j>YE=]4g#8Sf}r8J冡ǰ!1\l7 %-߻U` ggĎLĄ&'%)$^.o:zRL*:&==f]/*rNTa-jOMF#D Ќ95zrtxVR^L¸BhƧG㞴$ḣU:]c>R$QÅW.k~~_.5BKw`- ˯=AڔB̙upF7̫NYΦ5?ɽ ^NvX+| _f0h{rTh<N778B[)YQű ŷay)ا=Y[tv+},IPBsl?Lrbۅ푈nPLzCc mC4,H$[b*sQe%|9)K.7Ud҃;Iug8Yg$&ɛ9~}x3M^E7gH ߜם`rs\cfC-Tjw)OBr(Z?œ^<.ů' oK+.Uf*,Hؼ7Nsw8h:XLl+XXZL"//A3ZEofnT:v\Xhm5utzbƴWS[z6~um^khA.҈i}9OT2ٽ(gɼ[kz>B - Ȃ+,ˑ>^9dN{=JSWpfqpEil,23<r ',qs }KSF`,D[*?wS:(caT0-׊C&^_{C6\$ PvDwz*9K= t^%( He: t2PBY71w)}Nu +sY6 6 ,IמG Dk ;&^ulIaº;׷rD.5ǝggL^ a#oM]㾴R{4sΰ *X"y^Ԭ#h.;P+ dMSCu_PcZtTa)H\Wb+)Lf6*=O6}fJ;P6ccLhW]>\Q {cܕbm~)"g`82y^pO&ڭ Y?hΡeVgx?̈);N50kB_H4RiJ˜÷0@ƅW0U;,cM9Xo8=PUyq?YK/5oXH5P88zu^ YޣQ17m  aIE W^&d} bA˘T-&fa V A0dk]N1GA[=njlY )"Zy %n:( ;yϹqѡ(cxJo(\G8CX н`.Ѵ56t;@#<3T.|`}^Ya> 6wgGN8^HF+Csh g G39fŏ&:zb&[4klԙZ2*Jc䤪,L;ʁ^Jkf&7毸&f`kς{JDZUӔm6 K6[=g-P~}W}DRp,('qux ׁ@Ft&6H.KIί[  m= GU^":L|a$B/<օJ%"2dw1ӏ"^a$ uh"w$Mi3ieepeKtZ58cВzTmlJPb7=:*BEi,/B}$G[ &L$>-\I7ӄ,ه3'R<x+ظ7ʏP%P:'ݘ%v ' ic8>Uno.?9o*MHnXY Y0镇L# 1)zX7N$ rc^ptC&} pI"3"h;W v|l"|zC$xMˡʬZY6n ›JK7:XVi[<=ȥŮ93ͨ^ʒS$ VQ{ߕ>v]a=҇JXh";ُ rG 1x&"dTϓBL'27PftŪ|'(Na%nCwdZj0:,Cj7ʹ|%q }TԕzS 4>* wyݧ}Y~S^3)$\L&xwn'#_٥^2ܚ_1Yy }'.fT+o`c*_b"dY9wɾi&o34 1B,>MzݟSqjϯPR2ʆզcK(w- rR$]RhJ強3/O3Z:,$l>c;jr~VyInii8S\<[&Ϗz+ ώ? _IJqɶYB H̳-*kz QN:ߒ<w_ *k  Ӧ46Ʉ ˼s[W@ ȔHj#.eʮe'%[YbB`g1 I8f¹f @m1Nc=PVֶ_2őt,¦r׵jpn2dr, 3PzH+:NRz#Ҕ .ËxUjv^[bDIsAE1VE78,2H:ϗ}m߸OZV?}ia\XBh\.bqCmA}ƃޢ^@^ʸR1SlJǯNﶾA'}]W+(6xsM [TQ; hkoe>CzS "ზ|/'򱵐Z(ܠLu/nThto/e G 7TPQД8֥v&񜘶b\il!!0a#/L L4{߁{{ X3T[IDUP-CJlOL(ʅ&oodVU̧JLkh KG#÷SMjɉOێ'+ܞJ2JSXlzύT̸jiJBI;H \^ b+8g-hWE-`LP@.w_LKxI ǰŏQg`ͪ:ϻ4̾TOh/-e{ǰ'׬yͺva5~O@%`8 a%We]zKzQ:װd[ۆ%'WxPE/8!K!Yg5nдcdSnϮOS9]:u 6G9"?yAѮ ?'9Tjg]k"tmQhd։Ŧ>]胩qW. h<4SE쓝'H>XJ7(xvO<宵~՘0̔v%9Vںvϗy?M4vΝ7?$4c9$I33:٘n\Bb8Z̻;_D8[jY;$I>YPP$?y < ހh*cDl 㙽?Ffw 4]AAUFkbX I`b*wI]J.y'5B(ї3̳z<xkGf68i(ŶT~Y[(e r{NTZN=&gBvԧN$y0O bu9=< RdBӫȶ1ZZ=uP(Z!\"ˮ(Jj-NJDqg\֛ Y{l"+FAXe/p'b_De`"0(]"n^EI~N?ě8M>6Y{xDO~r0S^qьMf0ϩkhp `q|07i8,dѿ̬;\Q7i z mrf؛~"!Pssu;^afAp/%XtehQLqw $?oivj))}x1h_{  Zq]4^Wzv ٧7uߟIb[o*l!SWHQ$$d4h<ˡk[m}L~֪,SG|#G}n` d>nĶ֣9(N[H|liI2|d̓WQyI܄[up`Usp݁pC_*l9Qa w?T7Ȁ0Ynk;Z(Y*˕ݺqcD5 spL]ԟ)`#}wDc)w\M"C\\9&o: FVZV~zxMo'0/U!h_uCUNyM7&E\L(:6t}_%Ye(ҧ 䛕3Bh,PujOl!D"o-I<h^Ȍv (yYc#jxԹ6h{jn%bm=i )SL#`nA: 0ZljM˿.i `Bi"cQ5F, qg,ТPЊv~_9tiF(Td!^1w@.nqY 2Dȿɾz6k;2Ug8S:ks}9Q\FHb/v5v>ys]B9 t\鉞Wc_5$=>֊7M֮ Ze jp~Mci^E@Q;vu̫xW 12C;  k?%dv`1jD4_)Avhmؑ<粞PH~Vֹ7bv?$B?q NF_:np. t ,C[U#;.ؒQyoe` n^e=})愍@)+[x~Zk68~1r; E8 jv DolMܰ2YB8,ksJ{A]oOa+{Agbamv~FxIzZ,{1%a84ؾô޾qy/ |ގ2>] :+",Y/_.3t9Nj^J^by]lpN]}țz9Ή7nCp2 A)IFHx\piGfSFB-oݧNnü\K gRWA{16g _Eaõe'T俀;AD'6/y_o'Ho3gvd=$|T cue $e-CD7^gN="U:H"OT쑡 m8JC˥}da5B62h5kc:=6tj#zvH&>EPq,u*55? kg'wn^Q3gh*];I~GFH)5{j]gǬ9 C{l/D>A}k9 tQ1W(s'65bKxpUQ8 ׳btAbrFQ@J!gqw~*7J7ޝĎ 1^%yw6V!oۈ#AZsqstppgu=e!J; ezu:ȨdwCg U\8惃j0 ?sgx,e#g}綟߽$="lhbf~$LZg,mW M.%vt!7>P+冚] ,2|SmԀM*&Ǐ4#,@3)0IK!:ּsTs˦6@ a6~&0ۋbg u6k_|lHAx7^^kc5ޛ+H}ˇ!J%M j\G %7 <`ͷ(g'e9YOpg;]zBrޞq*q'ĈP%0c4Qyxvʦ|q}&ί:sq-Ú^S?t`s /2HoZL\~w:NTJga3i=Ӡ(,L`u1|@ 4YI)ڑ Ў)t4i a>J_ڪQ/sl 6aq؁P">؇RyGɺz8ģ:b)GH 0Q*:y]dZIha9- tpxkE~{c['4Xsc:4;z33I<e_1` C\Xzh9Kz EHͱT'Z+_]"GtNvJ;#6Ԓ=Sxmlܘk_vy]r$s^I,N& g&+s#h$*zH)V +5='ܥ t! qڦSx$Uʧ T4O%tWX[XC};(;?(x9&=J,ỊirU$.#DK,F_jCaJ:0,gߤ؊yrӵzGHIive݋  ٯ\~2ӋAk☼q\͊F12NoR|\FSG }E>EtV,ArÅ%P}$c';E9aMd[8C} $6\ Ģ3R oл`ɛ ϳ\)z>t*:>Dzq]j~R9~ b ulD.P)eԨ]jPq5Gk,{C[&nKEhԕDS'p~$N\>s K:n2(/Vd~U70)@f$yBkY<#)F(h€ A~1)$jcei_kSk'Yw)IX*ض  Rt׃ue3Vc&_=EF4S`f<y:/>i=LkψH8ec*dVt/8l$Sv:WᦵpPecGTfZu@`D]YTݲ%ľ)Sf%B B@B)slEOk ~ ;mTr)fZUzF_;%nLH 7O#v߿|6]s*@-Sp ]Nt[=0Yب<2xMH%ZQdYӎ+)C/)Т4ʯ['NA s֖FO !{KA=Y^Hi bJ]ډAƴ)X)MV֯ŗ\ EkH&rwS3A5À0" ?Hyûbݛ_kBF >"V%\6=uCxۣP[6pmZdRrdI`Z޻ԇCH+u҅)0+Q$]|0C~6&( ts;݇3f B =*2Mvj5C^`5" a=IvGP57"6Zu2&vg儧qѰ&悧; 3|?Dm.EMbϹ2tPؼ(hy 4Պw|?=X[ \_`EXעڹ ? .ȁ {ZoA;ShXgdD|2[SQZj3@CDt+ nn 05,@+l<l}Lm nU* Z/ȀˉXRA0KRF8xhiܵWiUST<,sZBLQ]VgvD,,FDlhM8-sB_J/7I,Bi0I0"/ߐʢ-}]AtݖSp~RNwTb;8yx%,̶ ._}2q/bMdDb,+`ƐOFB@ϤKmBigə}U`%x ,?i^~.#Q!>WTf}&;|4kFs03!?vC3w Ҷ\"q;s+w0@M`C5PXeܚ ,c" +6wR.thhѤ АI i}H+tD+Mp2LpLĒ '\ gH/G:Qvѽ^K:Np_&Q('E6wbYjhzr*|ogx:#~pzm@=WGo^m$FcO^LkEBGj#Z k ͨ$Yz'+0cRPsk"Azke uiTwNz|ͬ-:.j5 hG &nyfqsQ4ƒd5TgDe:(!׃{oY]>lt<[&N`(+<h 'd{&`շMV9黡c[M}VchmڙWŁ.Ej1=k.Kx?V;iKgxm~H2= CR$m3-qm^[I/ M{t4*! uP$h`Y<gƇFo 5|p2- a"x/Ѻ$bBN?9pz"/))6gvg+L!^3=,Bz 8UHp=b\ɍCz;ȲD+uؑ}EvjyDjNy"E72"G2s_cڳS-*;N$ t\b,^[P? 's҅[k9h.?M \_>w7dۅ>a-1P,,|Qu%]d{X5RߑczgeՐ$G(*LnǺaM͋ C>uF y/51+ s7F`}&ct -7gmW64ut!^(EFѽL*bFNSŹײ^|ElDet'a92jH9)^h:IT9{Ϭ.Q8?=ukԡܒcVjn.#NH#t'noAL>7.;[Y޷T 'S(t=ʚ0Kֵ\%H}v΋re*8v5*eƈV΋bB+=̠:"&,Q/~cQӟa/`Ò@S X37$gtdGrzkQf|l`ȳ18V: j_L(zQ]eE 7wyY Nm*`3U|Ixx PN2$|FėB1a5&[68ԤvYƂ;No?3CS& 84#iHɖ gNVlQQ&p̠-as`>20[c8] p3PϠ}<8;ejd]z[8i,ܘ_ѾCU=Ҵ!lu3=;߲6ɆfXiӒHӜ {8̭DM! Qb>?9%&#>SQ7Hz/`w`vCLQ$ 2]pzrڭ# yPl tij~n/{2Zl3[~6[nvӱ} ̺fRdfT_)]@ÑC1$aUWt*g7,åxFOY~V,eb7$TqF[/MhkPXs\Yu~S<\]ze͎f-() (ȝ 3bķĕ3nꖡ#MMT zO/Q>b~GΆ&;O U$ 0,WP\}#z*OWE_~rڕ,_EgR${h\Ǵ m y۴p0]5-RUGåaGfq$kةPln`IRTbe9WOR)#` #4اLXE}izkE2yϽbl<0*@V.U|qcehFx]_< %BѾa4mAsvPT*ĭiI=yHjp"BNZ#8);2D\+[OOt6rr4Ee42в ‬8^lJ 5t?k^qyq95k.-W+FDrV{$M6R?vepYFUX2i^GYj0p)VR]ˣh!{~ "3䤔piF93˼ `r?,tJ3cs;ث̹[΍4C\w1od= 'wcBbc}EsmI ՜)>Efd:tӒ64_gLKO3IbHv#{ @0nNhuԬK'~l;<[$]gdլ/lV+f ج~3#c$^^Lڧ0;wW=& .h}*4}{B-ɧ'+1b.6.a%3)!EBSBÃk/zmڢh0p]\T4&󬱢IM+;O7%3GHo`5[sݡ=;[a|KX]( )"<蛖pg%InKlU]NKNjA\p.FW`DdETO'2!U[E4s7X2RcJz26ɫx3!>u!fc2eԨtgaezpmC,%}n"z5e9־:T:Ռ j]Ѫ5|$y)4V7->ov! l P6˶=-G'GRxN|cX_C4CL!Yl 1˶Z>fRQ(wJKbҖO(ʯ`XJ4Yù#j#L[+"~b$0/y$}.V㢢6v:6 nQ0 c 0JE/( Tt3@[mL]Aiޮ!ke Q(ĥE~׽?/O7lϔw ЂRE]3/b^;@ ʐ_7f63h9T*7Ԏ @E o$ uWD ւݘO!! {?Y\0|nM;֌"N2[ں^nk\TQڛR|<㊬k =b0B-/m\ $p}ȟ9, fr$A lDWwٖ~4{p6ۥ(Ƿh~Yf|H26`Ẅ́? )$, B&Gf2M+$Mf>IcŒS^Q[ڙ\"WJN,VDŽJHvg|9;c(j.{fN $5e.QGO{Z}F0m&$$e26PQW 9LTZdR(> _?XU15{(K0cZkU0j ir$7 4[k}fEdk۷n\1[C5b]8/-%)XY sa[(%ҩh?gl~OHۤt}P, ̂$pv"(d}dGɈt[U=#,V2WHH'JΨT_Nj˸E]IBіQȮ iGfU!~=qGd YEV~ ݙ[ ;|ƝH#u`iǢ4W h gSPqUA(SLMœpo&`A”$Fc2f/@ݓHS/+l ǘ jSBiq m#߃) m6FyǶ-XÎ^z ~Q7{`ˬMى! $_ei(Slr2/G?bCGb4@lz PSftthՌgvQ R*O%f.r vCKbǿmF+Ĵ6$m=l8geG_ Ӻ>os-6b_PX>;E̩-Y͏JrkY.H -UWMZǽ{&R֕%NK).5LF~Uɜ,)Ou*VʕV޺ aòD`KxV?r%WGh:_fd@߶sNs2NЫ5p )&ix؝;"7]c}܊S09)ٮԹIG:‡ %L:!嘡!1C=X<3mo=]޿eԯ!wi7T8m#;q. 3oP)[B>x"hD=_*MTB>~ T#Cnl@姣j.!5:{0;iV' 1&sF."wW%Q-5Juki0#=B⽶):,"X$?>|Ebxu (ө2çF 0P]0!g\ V=OiI/h/Xz|3HI+ {m*5kAI*{CgC$cp$ 5";Qx@W F]=Ěpw,=ŞN\h8\ʧlvbvIS!4&&z\2 CfN~Nʬi',Qy-kKMy\_ o._fV5W, YZs!A>6'RXŰW&l/}D3nH `-b{KHɮC4!E}z>8W~;c;G 㙹 AV*jsi]WF``vw2"x(}k~i[pC2N\)+҄L R=UY?Mݻfх#I8p, _>|bUKꘘ{9m\%<_*UvM1}x/=5H9@:wp~0) ԥQH!Pvۙ<2+gog濊YAhGi@CxC}o=o+PbƬ<#j1a܌Q8#)8S*1inbEtYSu*{/n| o$B|㫒Iãt );mV1:Ė:B?-`"Q@l4o|4bFFp%|urԎ0a`jK!y;CU;r5:vQUQ% ٢1Ԩ,ҍ- c7ƳEkux!7Κ\T~R(}ێOHW9 鸱|w`wmZ'}"OCOB/1JS7,H3XB9! QgkCV*@>IJq&331H1)F &)TMji^k݁/`>F/,o/9im^q?q|4ˊ/E{& JȎ E'XH=8s 59w[ w%`?+ .2tGLϰt82a% ьK1#i}G՘%u_7u Tsy7?+@|`fcV'89?JS9 z 4F|%8w< PPxg aVTC,|֭.5 ;2R֮N8^06z:$@p(ϚIT<@"uaZCP3sޚuwgo{r>%rɾq$:xdgBePuG .ﮓ49m *S23OpiɭՉ,Zs/6=%ӕӕ4oN3|Q',!-_.,*.P|l:52px4MSi$3jqEQ0& MT^%#*Yc7q>c:' d`(4[p9x+I[d)Sp!]V۫]wm |`Kʬ?utJIrx,'rtܸYwܘ R7nk(y;=ڪ ye5q醽@uNC7D!h Z䶯xUb77ֈ&{ kw&V5 wB=QY:"=bߑB#*n%MQ4mg ^*)\D%'*%o?nޢˉ9Hl2(\Eϸt]>%<X#dsHJO]yWkmI[0dYIr*]{249/ (N%)X'x|̓Ϩ4-5jQ!Qy_ZDb"[ՍMvCrYskD-RX E.V\Ϥ{mn^Ĕ5s~SfIzː8<==.7Ibh?4ͤ;i'hKahh 7W*c9\EA&u AU b#؋Sʲ҇AJnov˛.!JwJ/{ڊj?>#:` OkA0 T*.b)q+qg2 K9jꏄt/xc.P5[~6^gpo bЮŖ7'u+I̚7 ;bh wv,6-V> >CΌYLvZs:3ք[dVuL3(ˉZrXʽU-Dcp 6:Ne uB;eg"F)?&{?S40mkX0aT!?#U$g*>YW`PH/ AICP!؁ܸ)}ǩ|KFa.( p[vְ߯U=:ME|⓴ Al ??؟:qb.rBfumȘ␀ȕ0ŗ|3B}N}R4ҟwL9֒$ o_q23k.0Y2ٽ0XFROPB [IHs8Bʐl}Q ?jEBmAwbߥeqncLn`:yW (ϡ>aEgQriߎ?meLTmׯj39u:mZ;_4$O/rBxhD"0;b`/Sep6mo)W_Zϩm`-AI$8J>ݹj֊iXU;8fe '6))rT'_dK W 7Zο_t z˪G~eBk{ }h;ĤsUzӰٓs$C@}P5'4Ǿ?/h xIQIٕ;v<뽃ʒ|fzF֛-~C?!l,-*O?7+.<1B17~ʻwj́2>kEDYkmd\9s#rkH}fәIϯq 0Lya޾ߙ$t5U:Ax֐F׳6i)t;Bm9k`4눿(4' Xb[o-+@|a^6Pw=C\ΝoDPA_Up,>gB?yϒ[f ϒ9G `?/ iM"a@̃s+*}F~7PkR:}c^<G,i[>@zpQʆ7ϾBWr/B-o"=@OOhc"1o(j?+zk͜b>(OX{ |{"5ݙe/2nI{[:.m`w!oqLp _vu ;1$1ោkw n yzlLFͬ:ŏ%F`f1dmg)a@Αj,vLv&#:nA" 6.uFY1dN6ؠP\ -NFbeo-dJ)FnKٮuD. CfVqϢL<w"s:WL!i.@ [vsuIY0+Lۇ;oO T}@sqԫʙLr.( O#cIg4;*pjzC |XִxL@j^~| (-a:R'\ȷ;\0qJ.9\ՌgDDf24l]Lf+%V^xyY5"0ہ]MOE`8Ol닥O: ,騹R=>ї<Lr^Cc[.&@I}o.d RpPu I4r([W?S(+ց]r~~ Eز+Ey pbD[4IMcGџ":\4T05էn&P$~».{aI!sO/t>kWq h"U-[ 9vd_@EZ~>` &d ?uJƵd!w+3W)W8O0 %xD%K*}~z-C'ϒ,p]rku74rBQK]p*M'VV# I<]!K>&EKX҆@J@AObR3IW[ΣLdv^#t2@`3aCƗ&TPD(6On( n|Glu=n|v;;8)5R\XwE=DsŹOOTG#@]ߙ+I ߜBU։cF&Q/_'sA3PMqPZڙKmBKrJ(}]D;F3 v٧cbV$@J۲#7) A G\㌖iL&-ط2[LP3܌%>fvS| vZ,Rtlzߺ 6mĈb"s:fV輾JCAŅ jV0_7蹬=OKS_/4 UY rגWoro&R~bҺ)BfACxIkI̵< ,p4y4 xlfho!jJޤЮzwqcϦwߝ}o˘-z^$:l^8(4e anD;T}KlЗ:EE2C]&]M9H83CG*~e"UF+u;~xb`pVG\e`zQbf/9],Gj^I1j} N-ؽՊ}9QXr8%`T#kG7 eS'OaO#"NK҃)~ʡ^Cl%WCTʫPW~it_VAK"5{Jd=PU0vͬՔC |^mmr{ՅgL~ƓY+RO0)W;7X^Qum_ FE;PؔHa{3#[L763ByH#Cbׯ!;k`Di4Uyn:0 s/_8uЍPҁ9F R' "]:z`557_5߈Wޫ+X㾀uGߕC,]>8?r dyS+3RYt DtEF^ `W V޲^wӞW~ɍl_ ^\k%b"I={H`i$8bwԗwEa+yd G(y5+UZmPjS!sR,eorWX4~kЉͪDExL,mӊLY5p(*ŔQJ{di4>N+!b ˅6cMF&e5Ѽ'sduȯ.iT}Bzgv_Wͭ)gL Si)qG-АO7 lu\c|ŘI io~Zsbwz˖Jgudp~7ֱ KI{#5lfbo06BjF QXl׸2a_:Sca7{ܖi͊ 9mg) ޏݣ mdbj?Z_b!TU:] om閲!*Zp/ 1EuF*#efC$ѷ(y}S5GGPu.ݨh! {'d,#~Cԧ~uI|7l .=Qur zD3/4j1{͓ ]Î`k^CݬM <&6Q}|o_Hcݣ2A`Зk+v.{3IK8™ 7{hS)}=far/lDqm^sV 7ݏy3}H/El:a9 IԢ0,*Tt-6cT˩/y,h;,9;Qz\]GFQ=0sĬĪ VN(rzJG /.C%\EKCm]ۍƗ=cQ>]En"VԠ.kp,|/b$~x9L6YxBΐ?]p:ni4t.$PX I<?1t!eX(zu}gmd؜a+GPu+Y 8$hVPwV_KBu!*$p1#Dt ڛR]d~/ӳQ7; ^%DJhB2'XBKcblƍ I sLޙaQ ],W{m <_bTZ/Wꦜ<+:rzPѝy~/GGZ(7e& [mY̗lQJy3Pt%oz#]qm!FLt*]W[m-+\T%1d@1jZ?d؅^hKNW0K3)b5rZiJa[$ê|I/,$%=L* NZ;cϼHp,C_ԓQAj! &<ԇ"& wN{.V$j1S蒪]AC/"\wH#s8Px_ Vɀ&M@wxO.}O.Z ɗ$ 78|Cg *OL1W-=5+aJh} +YkpMUt+R}nz JmE-s^= ({>"(JqݶU8Wӻ °]?#AM%V= Y¼h^*-AǢ@jN}S"ָ HoL[0KՌ@iRYzcb* @dzɴ_L(K[)ZX5ew(50%8e9 c+4-QO]2+p%sJVoMevy?v#B.IXraQʜ-y8†TX(:ж0 ڗWz6 &u"p~R˝wEhŇJ_e)h!eUˊp)lo#T#B-\b6j$]VIoj.Vbsΰ3eЎO(4u…Mܗ?^Baqhg^п7#Kl{2 R`kkxlSadp^.Tִ육N~,cDUJj-A'"xU[TnC=e_K?S:̼#k%bobHxDq&,tF^=rS4ؐƄ Z99?RN֚ 7]S>HI `R5}IU#HfjD\Z߆c FC"55n1coS~rB#?T1!#Imk}f P >*L0Js`An^HTeI+ vlKT;3ѡ_G^` юf(F%U gA(/كy͝#JչsOhf/ER"ݳߒ8*)a8RЕ& OI9NW8r[F"͑ƺ39+AC] s1QuT0tL]Yu  h0j0;S\ɏ"WnA(WKɗ8Q CE'T;>j`Kl4L@oJXF?CБԐP-,wbSM)wTf{ 2ߎ6U|W?/"T0p64Ax4L{DwI Sуa7DF(gPbE ?ϥC/s= I&Q&EPD.If74lZbÞBp1O; L3a:A?tXD֏k!gн-7Hy^b_rWD%2=fBX8vJR` {no h 嬫Qة8nǎjhj,&҇Im*y 2Fm[OhՊ+rB<?9lOtg >{u}gՄ^I1!=2:aR~)TY/>́HwVM"ZEj7q`݄bk<)zBs -Wd{y01U p<zְ_/RIuSo$4HXGN+p!6U딂*_]0y\e6 Gz3Gâ,u[ρ%x9_[_oiY} lQ' eןτVMq}O(wDYj#71U=v]PXis-B-{.WMcx89(+6etK6y64 pkġX;' 劾X~dЙED\)?(l>W:Ic/~Ȟ%C6dyeKmUh\_F"p(O@mbYP'x8.[%xul摸Fk_@fg \xtm䣤ooKfI-<%m<5sӥD޷@8wneH"Ա.?\aRIݝ3^V{[7> r5љ})t5 ƙͱ? P@`}!$&7WS$kA.z,H2LL#o h%0դɁb 0+b-`n q|i%E0..e<>eE-Y!X s .q) -$`zN Y 3_LF%CTe7LUQ:nPϵt]eRTC̋{iNaRUn7lf- 5>YYU"@qGEfLd*ƿV(,4Fm`km &"9RXiV?(*0NҟSTߝDMG޴n->mbzIɗ[JD 6@2Ct]^tzfe݁jR=~5>ԞuZú0|!Ͻ?!8UrT71෇<#7WLJ (_$ l&9/~SkS2Va ix{3/Luz[M׵b9ca0ꕝKtFpr6/Z_^4!;uYdR(`E3a{;DU_.!퓻^H~W\6y  i_!BHk)Z:!_U _P3~PJ"AiB@0[ؠ&)ik{|!*I;czN3q|t4N| xJC?rkg}I BQS4_(*wqrXrs¬jTqS$@XvM֑H+>:GY_S⌣2@/C(o# 5uzz!lUx+Cԑ' dFB-V5an'Xm\)lOإO7T5&#Ԥ-.RJk/bi0VTYQZ j!U>g5]p>tʲݰ[ "ZDnxEg+MʓRh]4g]{85hgR"ᢄ^1@8 |RB) 9oc?7$p Wмj25?J0NCk$L#7'&sZzDU 3@q|9n94ds;&XW{([wiHGQ\qz,|]ԋɫ6";6H; qds6"c+eL.Ar`-KG]k8!|M=2 ^3XVg1I)lg #&9ѷ1B{cCܩQo_V]Jѫ7*c} ^jl ym;ID]u.i?VI8fQVF;HOQ|H!DI(WeOXNG>&fC"x5'?Ge:yS-TƇV<͎aYRU0|?ƅ_b~copvf 4@Elf:Ltk`AB`=l@#t]&jrmUk":-cEȁΫxZ } DuBXfLT}\m$MGHJ',s'jV^.X 3+8`.(P0@;yvhzȏ 騻NBgqOo%5W)&cwlIA[Z ؇,Igb_~r,5z#S]!Z3 q­U N-흰<(,7kT2HGzK ߑdXZbVbܬiav[MgXYy w{h.ۼ_~LuqT*s1)%b?z.{jHŨ>sN3Rj*ԉ^&4Ku.4KE:ݿj$}n3Նq?jpM`Oc^;װ4eTA7? ]>ie=_7nbue&~oNtkS$,<|<)J/GF^^4$'^1K(#{ Wպ_S*"nX lj/ LL#N^ 3|[,sAE2Y K u4WvV3-%Uތj[gjYǽ@t0@r{O@JdziB)q(t$8/+guR#?M!B.ֆlqWψ(9P}Xv`*UfRwhd(#6l'F^ض_1l<͌!l_$aSJCdAhKa'T)m1foFJ.d%[~' $ ő넚SȨqltR0/-Q%mhǟb4p}DtoYr2w©prC/0:eAWdu.s_d5: ҩ-l<aJq 8kQn)u`]XHXZ(ĈZx~֍F~ >y8\?l:p<4 ؖ9 <19(hHnV;vkĦ,{MafSP+]λeF.<_b|S 8Cd491e ;c Zhϛs.ce`hۿ]yK}5rѲ/\2~o1fpRIӚ, 7={')fﺹh`)2sScÑL,:>$Apr5DK~j]ÜMu%7κfߎ?2 ;Bwˢ&=!,-.UY% |jpvPbSSfѡ[ˏ.Q)Y>m&HX |kb H\TV/JVLl8˦G^❻-H@E.$}XpCE56Sn;ِaO7diurt'_;τ֦E{9N͔(7brXlM`k rJQLVҰ_QE&wB9VvqVW#zegIԆEJZ!q;FTTh]7IevɾjCS?ïVdX䕖n:*P >pqxƖR)@JL4Y И imfϛxo`͗^vSb{G,Ҁ鲽Q1G[]IF;32BWŘ pNwμ#iZ%V*$>?'S 67&kfyܳ$qK4!<.eo٦VEm%ϩ S!D! d]asu|TJ>~ӊ~ iRoƯ}$K'hӐ}'~)s)㾇ZM/K@OlA$smXzSTȦf [)u+΅GycMpQkN{˜AKc{Z| ނb0w&Οڳɩ-se*C/B7cqy{5NWEGڴzcj ߛK%DΘU,?q n`+nʞ-puMﰲLZ΋t ̑Iثv jtP_t$^1 H>k-Y'F;m+Sl*qD>cz11% tW|͠j|U/k(/BwJ;+za=3wh7 aX' I%=,ܧQ^Ge2?q~#(+z Òs%n0HȵX{2 1|Oq6u ˡř03 \( &'bk9Gb|"%rT?1$NP;nr$}ce%w">+?6NE̟{0Ko `HB t6>s<;ՇKT|PT)vIl:u"{Z6+4Qsve dR9g0j~L|$_P{ iaGO ȋmV&Fb< [6{V ɼ*R5ƞ!j[1q6j\Q,v&/Qh/3#{w,{Rg۔'- [L G38OJ~[&$S$&vk 2u'Ⓟ{'nn-_ނwfZdzԀPG{22ǵ[#L qiCY TYdH$fiVdrK*5P?d}V)YkF֝_63YyM=bP N|on.< ,48^$Cq~GK:h _- #ƓՉ5j 89V@|:'dEb"PݾK2LiA1*RUSV9o@?*lBQM906nxZ# L;rQRJ,z>sK]Uڞvoiʃ74$xw-:5mX43~m';9~oO>T QfcAnCGa 4}fJ v(;o`Vd06h{Ad)fȿƺq UŏI\iaUU:N"L+\;̏))rx$k}=Lx&0`ohj5@=J{e2VHCj(ԑSz>] rDs\Fq֐ !b2~6' ;,];p :ŴF`z&JKcB+f|_o1HD0MX 6VQZv9)`qȐ%ʵ¢hi꣯qC4T/YHN!Fdy( 2dZIcT`13D U@K٪a@'d,U£u/IAQژOBtT&3̹ד/5o  ߲Y7cHX%~܀FG{!G}@"༸dYf7 ~ R%Ȅ s<\ ޡy4#*G6?:aHݤL I!@*/MyVQ}e!#7-gvzKrw6 fJ!_F?۷# N ]j,D dJ,9Op:8k1׵dL&WC3gAȴdW<>VUJ_؎3Svμ1L>Y*^؇D|Ioeg!~2_6gv "jD@ɺI2xrXUX^q:xq5{rI۝sS~W 7T7UurLs <9ӽaB}xzdjxGQ;4'}#aЃalK l,V:݉hS:5I1-`ֶ m"tmBBMW}Ӫ^86Ft#gEa${ltRNVhtk%-*v RBڀ-B?:4w+ >|Nu=?pO!bM"6mzˆt]t-K8BhQ0HJCX2"pfr/}z-7=ClŘʬVVYm`zޜpT`A:/EK}eS Uxjb>|eT}4.z8o]+7P ` gZcpijr":=Z\Z%8◯~ [fԪ;>ҶR?;UU h:9%jxZI J6K v&\6b@$S ^Тփ.'bCOԔQsG@N?o2c_º?{h-)m0j:ơKF',X>|1sMUީw6E-|0M0 GD_$91_߇Z+8("m[ע#?in7;0GQQ32CZiƙt?N5K71Ls Fr""76~וx 63d.a(])Rl)jGV Q>=ߖ 6a(B^v3ru+<@nF  lԸʆܞxÚ IJ*=ѓ;d]I,Lw;yao)٘3BN&Z9(K0I‰t89MӲ]eVl /%QB[M_ܕLZHv=qxum]PrG 貮1.mm'R|ێg2r9Q$R|B~a7Փ]rt.yxԻx~#||E~<.Ծܻy3Kp)CUf`;ĥÒCZwj@PT{,S+kE9AVl^=2T D0ƕ5WB;-f`m90T6[N6%y\iq@n {y`3gT['Xhꀒ| & Vc{h:!p|ӌ|A.NPh~/̄+e/j. :%8]{Rgiy@3!+(b: 9bneM=t, QvۅU&,u?:%~t _6Q5O Ȧ29~ue[^:ޱdcG}4\X0Y?gM9.sA ٮ$6I$UE#*QUm¡ +hT*ISHPzݩ$Ae:YYFfFߙL$gy9Kx jojه"wijJ;!7Y^%"e+".rNQi2zσ:3 網g:h̕o Ŝ u_$q dHŢr8:%! [xfcl/p7gc԰yi əew LJUr~Q)fgC(dM`hj'=,͙=j%VIǎZ v1x[,w[dFE>u.S`> $Ո3;S1R^'> Dxܨ0|I_O"i Zonj`a(X y\s&g"'i:q៑}N :^z(w9\XRyO?6A"y61 :bֹUW32-)_j)yqX'9+364+ .]h@Ș\2{[ *4:pqXgKZ20ewY8Džk3\yozst4A%7ẗ%^x(9&M95,_`KxWvXB>pG2$}PzgekM, `1Qkxui,w%R4>5[S_NVnz!؃dh"<ҝ5jH*.R/h۱&B\2;ȁjx,_<^}'߄ł `>z'5S҃mlOEh (._Xx@Be?UȣgUBS2EKB/ino,&'"*v]w u%L:`UOf cP@[36I[p' 6Vgڧ&A#8 '!D('Ko(6͡<:颅-#[酋Y#s쫊91e$vG5'l͑RtmbRKKzjaק3| ĆٶFĥODDA`DBmKTGnu5=<vzn ȭE٭K^ܤBA񾛼}eW| B$h(YIH :bGk7r`,lWN)ʮW̓Krln啖oNMo$𡗳-߾ y}ƳMI ~),4@s"k[l#{ Kgm>Zh򨖙Iэ"$+=-w^b[5!TP4@"rFj\ sޱ,}\0EԢ5m eZ!x띑paE[[t= uxUL9w^bƞ<`OW< qׁe-B_Kjze[W9.dgUϝGOAyQڬx\WɟN=%_t|+޼ CHQ 2DE­eϓ$z#5V$Xy[] |qRA8j,owMۖQ#{ J!i|qENlPFc˨=(;iuF;X d${REʝ'^L 6?3 o@SCPN2]R Eqqw,J>WU6E t m߰)Dš Lh]?Nz_I4e44U5ynѿې),@)?7l VVsrj>W@Wlxgnn((*.a0"~ W@ĎF{ZWR[utC"^ǫ#xHl)٤Fh%;@\K*Cne5 Ptt}nSNm0%@h7-?%m[5޷'=3S KOBlf|#"߳#h$F9&0DY"w`1 *&+L(5*@Uyv6?iEǝ PN8xWӘ2bQxRR*iH!]hL\npqٞkvTH{%wT$+Dq>TRBuo"a/J3YZ9s–_<ɤs&yRYzCD19k[8L*Jz" j#ዟm*#k&җ@iNլ))C{V!# d/@ Eh:{1n؁OQ ՚`H1˳IH"8ʖ8mzcjJH3L-KN>4lnʘ#9$o [,G\.lǢ}!LtŐuFk&08!6zᾬ?t?Ɂ/XoFs*YL&$J:t\)*%|8T^fp/gh c|rMo-6܄wS)ܲQs9] SC ֟g*n>j45x_SDmVIc'ֺ^w _ac sVtR35"ކ+EBVv dTYCv)0ؚ/Xؙ">j9{v>)=z0P OTb~#uE{aExb?ٖH-JdfYml55NaɎ+3"Xl{uN@ljՕؙĬjȔ@ 5uKh71q xިlȅ3Eg'7OnizRc^{z ٷIeTT0i,cH@ >F4#To#!:Dx~$qn] [6sVQr%SNއN|KC$=cA8 O8&{?;5{?PګWN/ݐ*+VfAv o2 _Pr2o"6AHno%u=4Nmw"pC )kح(vA=m*Uzܣ ׽!&쳖izRő5~.e:iM/ X!mg +"OpA-o(-XR9(T 8Ǟ]nǕ 7=nuCL>Ilȃ|#GziHaԙ̙6eqЖRCKA@{y?X&(']cHfwk3e2q%*C22#58'2y;iU >לZx"p | jۦ9\j%~x{p5ءo+ޗd/vsxǓ6A,N^ٞd-6]-b2:%$3O-tA4t*들Q'  MsK;tP.]KHu?gcܫ.Lf&c[Nϑ\Rr}2^cW9|&O? dzE8& ;T=YRꛇė׳`-diڱwbM7 oCbcݺv+b=ud(n9psK܍Xalސpɕ23ǂ_Ic2l;2-O;H/2x(.Ǫ\.}'>.L,:[iu)Ok3Z\HlՔkzpurrm:>5 @'$H0w0tLRMXLuGf ,Wa(z e}]t3o븹T;vDQF_nc%| ث0؍c)8u  ʠAأ-:X7rcگ"2oQ &p|ڄ=]v6]ψuĻk7V,%.l/3FUC#.ɚːv Co~㤜J3Й24fe!&&o-HEʷ$}~3$mҤ%P* WD QIB7F)5Xם0i=~m+S!YUcp#Z}{9 X4b0 ˈXyJ9? W7)]UPǡ#11$R;{@Zʾ2坴g}pl\^ Yt&DJOo2וn~(=euI s/ބ<|FZwL-F 5i+ᦙlD|ʞ8j/6+U"y)h)Ei{L(] r@4y]ˤS9M(^ 6[,ka>y \UԩB+eՃyf=,xEeFP.\8-7 b`ze5P;z+3S67F W9Udzco|-!gXy4T<kҞ ɉXr-.L/YL$J>!tE`8H dgk[?!|asf$֏,<9xx3n .>F[jwD/!y-RhNhcyܡjׂTsy:(V1tFh0JNMr@êU#Ȭݏ|{mxrGb ԨOSh{uMˣvp)]Cz^.,Mԥ"ipLSgno lFx4Ok0f9 sG3 ŎD>"wɈ\Ή./^)+|@]Kj_&3.Ǟ J.Hfv5Q}ϣNoHEQ *lB}`㻿娇_:LzwêoW+\ό+UboWLc+ ,[Zw>-'˂ޭlR<s.j7}wTCSR,;C-??ϰ#یҊ(X2A"sLi:})V\H,&r??<-i03xO/ϢD/v>=XV`aMF)Ӳj>JJ xԷ8 ~lƣNkȤ9)Nc9i Z5VuO Vg)僐64/4Q{8`ygbD/jn$kHp5l+17lrzԚ>~R/U\ȒA= ,ɚ|J_+ăȠIY;ډ${\HiV!rIt VnΖd;ǧoLp27P@dC~E-!Ib^% /uxnMʠVqy+JtdoG*VY! wˣ*X>/gq,ybM=ʷYIZ %(Z?+2P{U NBGO9DƓ *<4s<`; G>Jcȿc`wo1>6Z O,H xyaU>^5FA(;nD=Ъ\ "ƯV~1P.S sڻme@quՠv^{܂c`,Z\1jrǩ0JYZ[P XyG.'BrĶчm*X+j1͜Ni~Oܐdd FLwl>N:@PS=̯< k˿sg"W=sS fv_6$S8 HCW) oDɡPa:* `JGHַP2v ( 2 z A_ (=-ǩaLs-dv?xTry$xd$KLmPKmtXX!Da_F(뫄2,IĤWR)6ц)f k#w6Loج[(TF.FX~'R@egsLF!H)NAN 6&tIm[ BurDIfRuu\NdWzR'yu6SKkSB21F'7l|z2҂u g !&eX E⃫Ҭ]"}2Q%tc"2$ju tq+xt;a/‡'w3b;K흮k{禠;Vy o\>H 3c9́U =@S;Лxg<81v#<@*JnV 8G<`j-5檙 :AA*N|>Fz?3 ,2*JO|'~xks@>5?~;@ˤ<'[!fI/jeϟ+cA-9Z8ȼY"ԡgxu;2a19 ;Zn55R3ŅrAOG'L\LrQFg?O&<ˁjء'nt!D(JN<Vr`إڌSw5 $~zp}~JHj|X\b:bPzW7Nu0* SWf\FBy*Ct  X!?un O0ҍ?kW"2̥b`iV.@,1\K~k)*`=Ԑ~k1+ZMIw \aÌezι.\~A'g`nE7 lR- ܒz$5Qvp;;.Pi_$k6P)O{'RI$Ejh?Wx5s= S6o66&u_kQBj2bn\f$Vkkt@Q-RHrA^De?6;+(/G d q:[~HpŊZ)3s,h>>h. z΍nF~s0a8*?^gv Cy8JD?th2h٨Xbъg. #&Q23gh]tfׅKY[C9|u~É >U^PmT,L[M.8IDpHJ% /u&eWfЫVņ(IHL!/| oxMeQYr-w]=Tyjvh-6`Ǩi[;rV-kWZش]a{Z+o5c 1O^ ?;KrsJSʼ!ʈ A'=mUI\xfO_]aM=*gU@9㎽k{:eU GK#]}L;i @]q[$z.ʖd+[񱼣Ⲝ2 /.JgbYUO ul]%bo}.džNBȓxEa8-NJd"HR{)p-Z7u_a"kƻ 7Ó77 p(%AKfD(jshT4"bD~ea@ݙfP)S)j&0?me8LK'^߼SiF8Dd41Upx"<Ե!vKxXiT^DFohjٵ.2oh8S;'I͍؟Ɣ<ӹh*:.^o"29Ƥ`Ua7Ln"j{`;=bm<}ơg:$c*Ӳz .<#Hv۝5  _y08ֶOH? h_ߵâg=bTgZɴi2R qPO+ ;"%b\\kli0!-W:Eg (l Dc٨%k(ϸY ^Bpba^8',(Ȳ[1kSu,koo0M+oZ+` (gwzqӔ1FVvѤ`ytlnaH^47\lȈӂl"ciJ48&]CWACWUdT8zSbEʇ(^~. Z8X!apkyFxw=I SmFY-5uOegG:,.*M$̖s6 Ё8;v&#>z;ڧpr& ,UBXȎ]C{)S>"W\c"xfKYD| Nwum,3&O< 1*^DĀ; F5ݿ;62mH c\^q̩h/L0#2'ąW@} #ʊ+!+>grc5TWN PP>%3{U1t (mW95ӓg`X߻JGQt.ɋ(hSɓgA*^6l1Ŵ(d6; aNrMU3m>v+6E~X,]]m|;7Fn@N ekUL`ֳݷauJ}5>kZ6Cl%I#1XlΧ/; 6R7Zs(Zߝ׮&^7I>$%Nϯp]iL9-m%o9!n[@SUlA?8c5gWޥyTbYُM9Y䵟?3t ˲' Ef61yo„S5@L}N4ݸY!Y%ؙRt2':L1K9:) WusޭYQ'XGd:NJí`6)TuV6du[ h,=O$nv[8Q`EzT1kyӒ]_'wWIGw[Q5Du]~uˏ*|z93 >GOQ<'0t{)n=$M\'<񍪡=ї Ӗx]0_/k.`f+Xx$29hєѯ!#y@O?Rgc)S ]dEIW1qI?H%>h<"vG4z)hg::KjN"JHncb&tp*{$WyY,E`M0O#TyZfi괨[^k b,'{Wi:xpf!n9?qVC('8_ FP%lWeoj~ٗBm X4*>E㢈Iac7)HEǤ+L;oanCcOT!v.j= Od R@oA*^+4. '˜ ɫ*7k]{ #\?wD{> ez] UoGٿ$uPH"|+1$OG Tچ`84tNITDHb (ŷu 3"ObeSw1Lr4bt,Πa| CQS- tZ8Z!@>]2r3DЊ!K_ibZ4M׍8Ҽs)}Sy:xYb/ 8CL~s~ 8czkwGP#w;zsRm3 #qӛE#t fWmhGin9z[8^89ջ`#R$j!Bnj ݄LiN a)ZF%9ʗ5,5#gxF+'0&Q2.fڨANЯ=]47ʵ6~qAA0a?€nBoъheu9Y-NMVx *p^z|5A(,(28>.)M5xt1wMUOMbf9T Im~9XҶ~&4 L9{ƹ')3. Ewgmsqؔl*,@aL{I JUi,zOR(f7s0!\j"}\j0V$sQS \{7Tz^Jyd<ΗsK@ofJjrWׇ`iδJOV"2cxfu$Rvv/^ U.za.9s&#!aZ:5Tb|>Uh)u[Xa&H$]x$, 9sjWc';g 43̨svtj^QET d-4o9.dgW|Ԍ![Lhf'6-OS|'s NH-%g2;﷥VmKm=TLTR-K~dCM]–&&"C јu =s[Qd;lqq]8p6dڌQz16e;R*qg8`h3Qg:307ŋb9nj{J!C5&;c-L21/"[hS #yp7ob A0]!Ali8+(k6a'G<- b¿/rRT_ Jڃik(PBaT$KHOMӒ=}5s}PqɤM-͢F%˙vAMjYFx㇆h /{LSp,3zOa3z3E73to Xu- 4v}VLrrTs@謂|sslB qai5q3KFqk8lf^3~F#`fes㉖7eaWCrV7'!0曢ޑDQKjc1 cص:ʯ n @d4Ap7LyAbs0#g1oCJ{w +_(`Ra GG Es_<] dc9M+gGu%*cĸ޲hہ#U_VYw®k&TIPD!88փFDBV:Û-R7-|tIy:05Kpa(>q25S2޿)?z UpC0@_DFx0!j܈?; F z0'ݡ޽d\;|&nx]_SnI(#Nlu]c+pu iˑ/e*dnȢ`5"3IshMz^|PID6Gbbj!PgcdȲeDâfjGl-*c|+59@q\\QYiza`'F\Xw6?OP~ `Kq<%#fQm6Gҋ_/v#xz~ )UpFZnp.=BZeb.DlB ۧeȯ^&9~uXl0BtXu<-Uwe!7Nl׻ ƗZ3 VKR9vBwiGuVK/6 ?qU=[&Cb2wh+y=4J%PՃ@%|݀+EC"8#``?OЬO݄-oIq6jk 䖤W{wLapFg3lO?U"ToXl6ۙ/$ $3#̐+Qd U-?k s;(xMwv iyL vUX7w.@āw4-o-(tA_=PG{{`Cx=>*+F+ F@9CbϽ ꌃ%#!'#ms7iQw3^"+-Y`ItR'۞0VC'@.) C#6քٰ;Y]ȫs zoq-0|8&:x-pL ş()ZZ@7.q@Z+ +Uρ 5t e=![o+2s4>cpNsI7c5V$*:B(@hdW1 HΦƼ5g[U W"r^|ۍla3[If#~aȏ?^4H!_ g&ӏߴ5?qr?2^6%a=|0g`m'_ b[\cG d~OGBtD=6{w<.1)|hvktZG]:vvOd slUe &HC K (X\hdt+wQҠ dVdvۮAŃ/YXDCv<_(P}SxrzwnZX)7--WeZUP˛Dz1eUl@̠}eAVdz;}kJaZH, h#$6CԚ9|nS`5z3HCl|U@>#Ů@j݄_r}!%}aY)GY4Sy_ |)W3WoflDd[/rxK#gA:vѣ%17;a fi4[.xH`GI5@Y(H@I` .x`$;C(ͣg2(߀ZhG3^OP6Akفυ9W!KI{u6{'p Ƃny,8⨝ބEpyWZ{B B_њI hrx<?"6Eib%?e=_7s@Ǯztp„C_MriOsPq<#"tͯF9;9աRCl<18cn0\KH5]@ Q:#S Qt7mj(\.y0.}?U賿iND!Vg;oYP\ÈWH| gk+iɡwJwoDR^kyXUmocE$NODHQ0Mr$Gi+2Eґkbw=fzGmᭋo]}0Nv3BqCe_0<(65DnF@b /GHwԅqjৃ^t(VSMյ@ :0]M2Ԓv~R<λ> d巃 ޻Ge:8\eQ(m -ůa40nx`K>Z| j׋/1\Ƀܭ=&Cr.cv9ĻY˛b,)[_HF,FQ#KkN.t)fT!J #"@p.r4qV'7Z$~2Lw( ςpd \'M]]mI]X1@qq,{h{ ,g!ZepoLC_Sg it4zRD֥gYuy@0q.~,yˠUSA7џث uGe*@[9ڍ6'|(" Q]siڠ R.Us\26Z!}Rx ~?;XFʸkׇ1f@]5X+$T~/_,}¹3SZP oxRk,W1iJ@W]$OMK0ɤur8>–J6bu]dv14G'nK?k(m$bOӻ& O`c|XBDC7HpAbߴK mP-2ZC@r!Qݚo(9b /NtIR)t d|YဌAqy\[KxZ6+^Y0Ir|moQ<mquP=n(ͦ@YBc0Ms2_L]>D#|D9u)%yV(-BG_BG?`DzRe)"(@Ve0rH!=[s \ĝ=N[}`gMF @s’Cc'#q!ou'IgˏQ"}|i\ p6f~ǗJ 2bgT{Hx8^ F)~ma`ET ؿfq>k>x>{1?87Ϣ@\uFNmJiC|i#:vS|bOa^BtfR~amECu~ ~˒ LIe+B@6k(趱Z `Ac>4g/po?zmsXʹDt/ }β;[ [& .b[Qط%-~>9XrcH.As}4_j? m񐼎+D@ko$jͷ7A@?0DO ֿE"_=ÃٷxKwQ w zg] ddsbqMi]j(ji' ac%Zux)ɮ/hD5΍ m_|Q|4,Z\n'}\zKƐI+k}u.(7c6#BifxIcHX`sSr bG,e9K$e"fSs5/=V{owmfnmCoB3b,ZŤ(s|po!i\{׆CrX4jJshV(ͫ?;dmLqyLYKʗ/9-9~hJx@DWRu^盜F5Pk5N Qkw]~J5%O O͋$!j2Dji j󽞚`˶0xY>j074X"#! ?}.I!lFJ/}RMzyv@``|zuuXb 57$ۄg$e:WE=Cj4l1jsC%֪r>ΑI&53e]}Q'Ͱ(N Œ>}1C%$]nzK4&`ґW:T f1{5_M *W-w$Ֆ/Ѧɿ. ZI6R"~!B땓znXCthfe8`$ M V֓/Q2{Tb rcJߣ@UaPfj6;#Y%ERr>L\hd'Q)JV8Mj!FeOm[fQciQMC3^@jlmVL Y4tiSdS|+ f%7N!%aR E٣X+)Wؖ.^+OA ( a'e6ݤB̉T!:>IJ9 :@XYN_ _tR-4'ۙ5]Ra8e,QV0i]ثU\jӶr9kSLO%\ڏS}1T)HKgt*0{Mq6#zEd粘L{Ah{ a@ k66%#e}'l9\l=f r ᠝y:^2J] bSIx"0Q1tII/SN9}&A<4VSzUG&Bx$o/ր~RzKfAK$T$f e}R0f^O@Ͷc:3T򽼎rݯn!& R*VP*׸ZvlX-GJ>ECaZr?Q>G k= bY3"zzuT an^,GX[FXVV`ݕ!ۦxH;Zn|qZ h]e2, 8C4*bޡKTQ a&>25Yd9e*. x u*CJRz-g0\vlu>(('9|;Go23Y g jfZӭHj0,`,ЃܴayH;ģD".Ò"b J3c:|a.]1cstOG4.(a|]HɊedCP\췮gr?p`; (ŁK8LI%>\GOtff'WkQv!JաIQ8u))BN \tP|9<@Gz B2&Ώn-iMrM釭C?:Ƈni@N.ϵo뱝 e'<44OBނ yZ DzFO<n)+q(w4孧fhBBCKM}EֵOXeC`ThA)pOl{ #6 *S 9JE9krjچP"+I*K8j^ϖ;%b Lyɓd>2⿔mXFTy[C7z{6X@l|Xlyt7z2t#0L[aq$mnS޾Magi .M.0$'PI'EV[5rDZ*Zl!)*bl_ GqN/dtYE 3_ 2mR.YRYP&H 7.@*!泜K~c J [WsGH~J\&L;ZqXcJuH-ig3Gcd59otZqFx/9< n=Rc *R-4H-(w|4ſ8fBTMrlܿܽ'}t$"M5ꠡ@{5^-emDeٰ|zLӾURRU)yzOI#H&2LГZK PP)z'1Hpي9Q0ZL,R .%8c5%0;5/>wJeef"8j虧DOX/97C ŀ/{G ԷlH ,pFdUL ^ѸnH|W!M;*B`*wuv Yu_/f 85+H}t 4 6&k6Le_~%3 qdbkreɄ.@.ՓmDF#a|h?U* ǍG32ZsK;>L^BR,ygu^y7o&%@N0bP[:Lh( |Ak*zyo(tl7ͪ_ "eLK>:ǻs3<:?{8%KMYkJiK崩>$~x%ɻg:1fVޘ.H<ER&}Gjt ҨHI9"{W B[>Vi:nma<%$1_ထ$_̓ DrI@8^W|,i*Ti1nj[!C.5:8ig`-ۉ.%ud󃶍Pf؍/RJBq6MB;?>Cb\,ECd^zV$ZZ =Oiގ~yiEq8] 𨆪Ք9Sv/KSYIjDCk_U9\_Vv%SƔ5'zyD9cbHfؙ{UvϤV&eQ[Jt0ʴkNk0ƝQW9Cl"X.n= rJ`֭ڡbԄMxqvoNf^v\#x|Tߢ ̡}F: [ so${U{ؚV7DvLmXvszTmPl%LxU?XVYyzV:F;ձrD$_5*VwFH$-(edٕ,m_SV=۬xRqBsF);;< Geg tmgn"nSjL ]ȣ@P28YW=_[qh~oBPflB..(̟EhjPJ ݦ¬&zgc1/aٹ2Kt[jDR3ܐkޫ*(v acN}ftaĒru2RdKoShnO)꽊ʝzqt5Z8MZ\EB+(zs4[ giWb]݀s% "G`E% š[I!0(Q[ECbUNjmis'T{f$巂Juc 2f6 #sf$Su쐋÷ӯfbЍ[A`UJ-\uGB!Li/pK %k  %<RQm2p'0de'n5D!bt,6CԬJ$#R4!H _2'EaZN5E %]6'Q,Ll+,ԢOc30 3X;}M9Ow]7oܶ޸V"M='ŷ٦ưsC0ŏO_^~YXvFT2$*?I-:Zm!0%GW]X 6=ĕ_yOF69y{4 +W+J8b'0)YpD~OV9?AO VEpeA[7|H+auR [Pl[<<܋)SXa2Կ$ީA$n/M 7nFJdlALKO:jE¹|B jCS",:G)Pr4/ALcF(P73؁>dlWBF3Ep^: xA L FoAȽiG"8]6\ɗ'kFe42k(qX8Qծ:LNB ߗ`9ptvG*|$N 9W:R Kpx;]SBܢAX8  oTՅQ⸷"+;uy ❷.;),L"'_ǭc$Voxzy>e:/wbaGwc='\[jCc@0  d̹/>E|K(G(#Nn6NUk6 ~ pdBBj 8Bȑ 2> BJT;Uh?ɬ^ Uֱ`Ҵ?#-n3uE?qH>tTTyA5]41wR:ˑ0[X8oڪkq:n@$n 6<ƒp f"zJ|Fz''5ObW>mQ]c\DL\/¶h&fA< Ki`,s~8$֪X8嵿h9|?ʛ{hF#DJL(CPoQG3OK=(Z;F(Kg[ JhDKǩt+GɎ殥,=EE.Agzvٟt _8u[}PYWAn+q#ퟵC %ϐjC?kdڷ7F7}۽/=%l9ґ=k"6]> Ȅ6e2A1r :Y!c:1mB#@ԭUwkzLjį8-wPV+pMF!}p q4u$NOlihqI\y_qcy*[nCѶ1";nն GH1֋Ʈ 6-REkhx4[o0Le{qVܞQ~`=H+E~;jVf-a`F:;|kXK2H~sZGRu{eSkp1/mB9#L'XTWAy]mqȹw}>IM"zFe;)9Ԥ:w!J{yT^8,L}adyP\Z4 Ɏ4O陬Xq)y-TJhTa/V5~ EpS`&`*H X2jepձ,ix &Z*RXLiN*W#_O[5kb]6h̹K2cXZb]\TC+zhDsC.qٲxam*;kToQԭC.{Kd|E/PfQlg,t'ee{ݘ;#'NcSrhb|雳ЪQii)B(0CZ.a;S0 6l-B˂鉀1*Tպ^YXǑ mQ]nI^R&berX4af BI[-64TUA|o#'&+՞iM; 97F$ ]/%Knv?${BMV߄w+2 q['rv5̼4HAٌ; X6lbpp N,%fy7u0kj]$>=;;`èGtYX3<}t&`*l݊ηK ~yljK?6#l:c s#vW,ASg1U9y91hC ⟐I~IOcN,1HϋFa '|ݷJu&8liZ3D0M1+bVVC)#"VㄊW|fPr I"a=ڇha7]& ۚFs*ޕoaS-|N7|Օ |OE"`rz>3>)Yrӵ]bMMCF:qE釻WA.QF^6CSV颟#LtuB\(/j'WRe@MȚ(L/d^ C[eILE{COir@:O,4,I>V qԻҢJs 1QFFI\)bj+͛'ͺO`?X};\LœGL`@qȻyv'AʼnS҆ @oP3c^6d@%`tPDzP tڭĕ 8m(ԞB;DyXSL飐}S'rrZؤ:t7vw;\]1'`_V*8j|SaOheݹחh}l L`#Y{ˡ/Us?TQQnଢ଼o<>?ܾX㡓byc ̝͆wI}2ر R&2rh6# *މT*2j!7k-,qAQfU7lHr*;~Z54}dՇ!V/rNtC(`sANCtB6 wZzKs9)xw] w&g"/7~n;l8ղ}C̓F,rcG JX>@ϖ p{-I܏**91 iTݮWzwy1#\s{LX@;Hg _?Ez }&n-YYN/ O@:S-JnOe6Р c lYAp GM#ў37t e)̞Jpf{Zsy-ucؤE<ݱ^f-\N+ǯD͕-P2h]'@myE CIjIcxY퐢 {ҸlW2ꘜ1^0kZpNz8 GgҚY7RQZ݋ؐR4 r_V4 ^w&S! ) (9ĈgP%mDC [EL W%0w/Qyʹ0ş( Ga2"~03'GًjɧHǟƝ^LG$O^HqR MNW"X{bηѵ${9Yf JsyUB>BgduJ5 ȼX(" %Jbfhj/ĕڸ*~=]t 0Xc4}B]˵E&t(.mlPtYˆaVv]SY>rYDh1_r:V 26=d+1lj@#iT؛:Kw{HK^R 5KU"kk|e p$:m`юe3Y?D{r4 !8JѴ6̿(laWN;^*Mj :}2.[9:C>?w)/܋guҢoaXmpL#VQFmBY6о6{#W/:o6:("jӌI`,PMks-sB)RX`I%Q֋o-#ؽ =bEٍja_{4;Ra t) ; ;T7M --&"~V8uLm͘&SrLXj"`l%1Cxu!yEp%ENp2*bKb#ȤxL<@[\P_wNDZ /B V=ۇٹ~JN ?9̜ g(oLq19A=$Ʒb0q (iߏ`Nێc2P7tcc%mIa-€z ΛΤ{%A;X᭚BE.},Y>|" R+\{ 7EP $Dg&3#z]`G-NfL8)&6 ]@Tne)OH8ǼqiǤknL%T0${+{;RJu $ay.t xuͬnh Dup+$n661l:;;.J[:k| owE.9eD~![-A![*o(9Ӡ>j@g"5u*aϛ ?p-QD)\w2/F [}#}Y<@s/*%^0nJSBJ\t@8pQ_˯ٙ^\ 1>pwCR_> +ob/8"Ķ6m1^$@b8D{y-ˍ8,'WH*GN{JZ4iQqtL_GfhY _ PYƛO;; JF4֮U. u^r}w9/ N杼H=Laq-n]l IϾ92ʁE8c Ucg:>]|{/K6K&[XN&DvP|_9 %>׳v0[~niXrJ /-!}G ^^bwJi3^}S!# ~w4Qzt,hb7=s$'\)|= :lBzt"MR.  h~UݮB D3i#ƖjRsՁlwbGna[ð=}Fu yK٢*!cVMSR9Ozq` XoqfeBL̦i?L j`')e^9YĵTg4_~ OM1u2P惪<8= !Y~!ap0_O8ГCB0OY~!kaR+T*Z߈L[&uJɖ- fO'y`4;H-d lԙTT[pH'$=+G*6vPc]v0b~Di=| J%Sԧ={0b[rr5 þvM]"z&ᤜ`1>(+*Ɉ[T$0>}юDD|N;9 osdcĮqm7g?V$*]GkVi5?qS N1D;% 𣌻@UaZ4#$}+>PpqI*VkSPHa8E5}ES8Y~Mje(YKJTqXm(+T[(y뤒<%]5s)\vOz,ػQ0b| EBfٙt$,PtcgM.݇ǖ&yM9O\Y ^HcFw)5Kc+ Q-by:5+AI vs0'AU)AєB}5]%_:<\t%l&8^SkOdLބ֖e~:x.%Y+S!Ne,B7:Րhz"jR)BV8]ľuؿe^qQn$P!UT]ג*Qk)3Y:Jk߾3VM&?E54%&3!(T~ 4 ]kDŽab[2n|-Uz( Ǡ0 `@DF CX:3 QDO! !Fm$:z؆R Όth 4AEdR6w% ,\n%|7mWCJ\@C3J@4(3 PT[n^ĬIfu Pʕq lKcdRgPX󮃨{fiW Iy2C:Ղn85S\f $I_8C ~Էl?^/%T<oiZ.=n?h]3S44r^<\E(92%ܖHm-El(VMO_k8ZpnXNsc-Jqv~$N5il 曨+w tu;<'}R1?VOs Y(;" >Jc坓j*&)H4ԦxWH38̺-/<"ԇSd *Q׏/AgsI߅vp0*G$aZ_&y50߉ct*|59Wdk{f;}#M\gI1IRC ͌bËV=]iLt'S@nyV7#kPFGޚƻiـbAr{қcE[3d?)ű[08ReT,zJT+>S,$N\Cx<*lÄ n{I8H!}nhi)>˦CsKtfg'yDlBүdT/?Bke4T 'X(n[U]P qXbU5:̂tYbr<o7 >@V ~y>HC)_q&0F>@t;]EE8^f<&MNѐCAi3DPGtdBo8/pOp xU&e|bC\2.Öwշ&ܸyN @_ W.mUl rw9n%s>sJ"wi ѦlO>cibĿa҉\r _(!vYm"wc\3jk9dhSntXsu\tx)TH#xC^NPUGBK-iǺ_`C)eVՇ\U p"s&b͞ >0n.~5۲Ӥ3%VzGt3ץ ~b<RYO.j 66BL Y.lHS 吅6/lDM.=B ^mMh`S9e3r_ro]cv𼛸V9f&Mow -aAȍ7Qѝ<_F|X[RA1 -D(3>%1䀊jm,k!L7`' %idY> z@<7̎LWiFdQ注#' ܥ-Wc7m|?(*So.^& T gsܭ#=fWaBAe4 I,/vw'*xSZq}AXuՖه`EÂZ鶊VAO {"Bb+n& 9{2* gg̓Ie'nuVeD/%yϸ=NjʥON3,U# ΒID=VcMLL6ő>1/6S1h_TI yN2d2G6E4 -dSJ},t0F̢#b:5,Ul\Oq0$ )a8\w!)j:JZ>7ሾJZbU}-[ w~·O(<^5-OOdv|L#pIʪ*? Úյ:~K= $5g YZ