permissions-20201225-150400.3.4 >  A bv0p9|D7d$/}XOu^uʬU-:q\^quNHk{v&!%2 wRM0Ƴ6̭ǎwmEHh".+Hw 1Й"tLʗ.!߳;# /;n JN8.m(>2hn^:Ic_;)7|f"k) dդCI3}>v t?@.c~j2'F$ [8ֲy?@tmCpPͤ#dze0_"D dHb=2sc9n0 ?a4 YP zC\zM @Fufu蛄DŰ pa7fo+rF(-der|T?tN/ad&%/"glY13jB7lˁ: ]iC]IO_.y-,XY]֩)9o*^`‹|]>p@???d " A-NW mP t           4 a   , l ( 8 99 9:Q9>9F:G: H:< I:` X:lY:|\: ]: ^;pb;cH x>l y>z>>>>?Cpermissions20201225150400.3.4SUSE Linux Default PermissionsPermission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.bvibs-arm-4X'SUSE Linux Enterprise 15SUSE LLC GPL-2.0+https://www.suse.com/Productivity/Securityhttp://github.com/openSUSE/permissionslinuxaarch64 PNAME=security SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi # apply all potentially changed permissions /usr/bin/chkstat --system.V.1X` 9;@큤bvbvbvbvbvbvbvbvbvcd73f4760679880a45dce3c9cb05db59590dd96a4598a64a8a09e1ac03effb06f742019168f757cba5c3df708823390538a077199c16926825f12636e030c2d9254ecad52808937c3153a81d50810ee7e689d78dfc2cf8aac67cf179a2fdbf3bd7e3d5207a57148f15e8e5320ea0eeb8cd84c12ca311d6aab8313352072ca02a4dfa32be5db7aadc630f51111ad2cd7a5ddfa4666d9cb64ef44a2a335edcd03219f0c57d1bc1b557cbf8ae9087fb90662ffc32f55c7c63e973fbadd0f5bcc66d35eca1eb5762d2b602f4b5114a54eb6e6815d26f10b5dab00cda67f2860ca4a32dcb772c1e9949198bc7695bd25c20cd21aea565905b0975de2edeafb31d8202acbebeb00ef9fccc619e66ad50b5c31ac346b2e06ec7d429ec8d2181bc5bd2f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpermissions-20201225-150400.3.4.src.rpmaaa_base:/etc/permissionsconfig(permissions)permissionspermissions(aarch-64)@@@@@    /bin/shconfig(permissions)coreutilsdiffutilsfillupgrepgroup(trusted)ld-linux-aarch64.so.1()(64bit)ld-linux-aarch64.so.1(GLIBC_2.17)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libcap.so.2()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20201225-150400.3.43.0.4-14.6.0-14.0-15.2-14.14.3bgbF@b+9aea@`@` l^?@^ϧ^>@^^y@^\@^Y^;^:@^4]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@matthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.comjsegitz@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commalte.kraus@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.comjsegitz@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- Update to version 20201225: * backport of apptainer whitelisting (bsc#1196145, bsc#1198720)- Update to version 20201225: * squid: adjust pinger path, drop basic_pam_auth (bsc#1197649)- Update to version 20201225: * whitelist ksysguard network helper (bsc#1151190)- Update to version 20181225: * setuid bit for cockpit session binary (bsc#1169614)- Update to version 20181225: * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)- Update to version 20181225: * etc/permissions: remove unnecessary entries (bsc#1182899)- Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)- Update to version 20181224: * profiles: add entries for enlightenment (bsc#1171686)- whitelist texlive public binary (bsc#1171686)- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- run testsuite during package build - Update to version 20181224: * testsuite: adapt expected behavior to legacy branches * adjust testsuite to post CVE-2020-8013 link handling * testsuite: add option to not mount /proc * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922 * add a test for symlinked directories * fix relative symlink handling * regtest: fix the static PATH list which was missing /usr/bin * regtest: also unshare the PID namespace to support /proc mounting * Makefile: force remove upon clean target to prevent bogus errors * regtest: by default automatically (re)build chkstat before testing * regtest: add test for symlink targets * regtest: make capability setting tests optional * regtest: fix capability assertion helper logic * regtests: add another test case that catches set*id or caps in world-writable sub-trees * regtest: add another test that catches when privilege bits are set for special files * regtest: add test case for user owned symlinks * regtest: employ subuid and subgid feature in user namespace * regtest: add another test case that covers unknown user/group config * regtest: add another test that checks rejection of insecure mixed-owner paths * regtest: add test that checks for rejection of world-writable paths * regtest: add test for detection of unexpected parent directory ownership * regtest: add further helper functions, allow access to main instance * regtest: introduce some basic coloring support to improve readability * regtest: sort imports, another piece of rationale * regtest: add capability test case * regtest: improve error flagging of test cases and introduce warnings * regtest: support caps * regtest: add a couple of command line parameter test cases * regtest: add another test that checks whether the default profile works * regtests: add tests for correct application of local profiles * regtest: add further test cases that test correct profile application * regtest: simplify test implementation and readability * regtest: add helpers for permissions.d per package profiles * regtest: support read-only bind mounts, also bind-mount permissions repo * tests: introduce a regression test suite for chkstat- Update to version 20181224: * whitelist WMP (bsc#1161335) * Makefile: allow to build test version programmatically * chkstat: handle symlinks in final path elements correctly * add .gitignore for chkstat binary * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) * fix syntax of paranoid profile- Update to version 20181224: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: capability handling fixes (bsc#1161779) * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647/bin/shibs-arm-4 1651962375 20201225-150400.3.420201225-150400.3.420201225-150400.3.4permissionspermissions.easypermissions.localpermissions.paranoidpermissions.securechkstatsysconfig.securitypermissions.5.gzchkstat.8.gz/etc//usr/bin//usr/share/fillup-templates//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:SLE-15-SP4:GA/standard/e411789c1de1356cfd1429b65d9a73d4-permissionscpioxz5aarch64-suse-linuxASCII textELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=6afc33ae2b85ddbdacfebd33a646b74933e82ae4, for GNU/Linux 3.7.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)RR R R RC@Oe֙Lutf-8ef94b622ee6a12d0407b0015a2b59cb3a4a6f852512b7724a63572dfed0a02a1?7zXZ !t/]WW] crv(vX0&0: d:-6i= R&N~VJW.o7L}Z]^AnRN}7F#pZr n$ o'E_o]LDEG} <}ʿl}0"~\g0` ŶdXUFkj/R{Ru1riwq?brJ!g3ky,%gє$duH-ޕoU,UVٌf!آzL 1en`I]ڹ\|nf{dd*s/o? n |g5XT {˳ޫHq"xxZ%آ"(7$ki`Gl qaʤ#w}Q;//*44%([&_fr#VG`齔ڒZ"vyG)Rؤzށ2Bb+ Lc;Zb lQ) G‹Y-a< V(g\+{Ŋi;W#K)ŢGk51;>k҅)Q i;̐k)0gkݸln>_Ƨ9Jf.nwk#xOCx"osTWIm+DQ >LӢ?—ÀO N%LAPq`0t%L>ΞZ[QcdßuvS|@ 2=:Ye.㉐RgkB$S쮝%S?S*kрt^! "}KSF9^:IB}ڴE g9, *k2pG=OO12^Wg.HP}dDp(\f=ȗa7ǩDJ<sNfI"Ȩ4Mh~h Ym/+.{Jq| Q>`1T.JZ3pG&~B*zZnja"u Z:]U-]L'0^ߊgv֟k2t+%,)*^س@]r4 ԬV"UxjH:OHs0 j |x3͖ĀE*g,O /M Bûk 7UKJV% '& mkLlFxn_Т;- c6T ;YV&mm{R1{]Jd?]-Ac1Zj=]\YŇm]ru9TI ՜r dk"2greY!ʓZ>vb9"gHE[B}TV甇,-eaWwQvK }+I^Pue9m`FiθPDԳhgd>z('ywjz!!)D/4`x 1u zX+um飃KQ֜A$cz_Y| ɞyu.bn~בzf:}>@_n?:8-s""t|+4 RMCbg3*US@rWc>ï ]\9 2qv$S!0I|҇3z?GI n.;h(!ʻ2h >vnVp/χy5HIYepa4#SPr?Ɏ՛ mRu {{'MM?Ԁrk,\~"?ѡ0`-X;J!iWmdG87R.pp׾GdgXZM2T~,ơ]dPu>rꃑĩS(EO1άmgVLD=Z^`-벇4-f$NW/VUpʲnÓlKz)#Scy: K᭱diWi-S}xex# ~}"0=8zݡeS/Rc{k b1n gJqWێq>l?j/*>BhBc[&?GG euSݍOgfO[6a<т֌kE`{6At/)`u@;[9|%QE 4=@}q fmi*-֥U߁n*ԃLoE #}ϥ_,}ji ܍5p!]qaj]QGf >(zjZ?גgAc1$&VvKzzHYqOn8Ba"ٌqiiJ$BC}x)T$]"Zzw_gg\TTZ5ĐSr)#GHةjw!c@=nHBe+8/Uq9L&I>Lc ɴ.hR u5[Sa)dUq_!xG`ɋ 6 +oRa^m<2I q*j"fވ̂OA)asc7{E(s#bTjڻ2H- 8k.J ]6 xϬ›k.Kٺ=[*NJ D*͂XAxp l9 s+DSZrQ T3wH]@0Jl+3d4|< fȇ^w0>u$i%%55"xQo9Few\C9/S{]Ue~+uݏ' {|Shy,>xa&[^=rN1lf_l(,W9>TKUiQYηa:FUO} I0Dn!|KF].n<hRP3;Ը" >̈+@Q\U=Pw*,e,W{lJmn0gI ]XWY%ڪ¾J(3z` /Ū \37  9NnyI01ZY1/z-<dckbO>OoC $It Yc-8 5)*N.u8\ۤ!17E6DÉՌD m?bCyPGƋ ZN očUK &df8 x!JEsԀ;FsOZٓ;: PңxWaІ;Mkf_YkAaSi[6zEbXo}5@P?.MyZGy wCiuw4v&jϯe{JZZ:= /+Y+#3&W!hZ识e:XS='&lLR4$_Hm?U9Ci:]_{W4߇Py ՜8. GSʗRp=yvuUPEߘ&XTSmxa\vV" r[zٔ Q:$?|C',E/巁ͦ R3۪3P)VlaPg?L.Wu׷rZ=$7ȀJ*fC 2tCcBVt.Ut3`ξ+5W }.Ue,1fM:d1q&!mjl]S2%JW4 yQJ%'3T'V]-vA|ץƆ,.ARlEE79*cSY3 h:lͥKmџNw䋇D@-l!(43[hHhJoR苻qM2ľ:#7Y ;z 6|/xGm-rKrWͣ41,2@, ;({}:Z ;AGWL7&WNp۬v.p'酘W=sp -i-)EV (x|4l J>1q5]tX"AfOJ֑ MxWS]{X}Ryiy:%7s%zb蓰A|4n!4 U^д#W2iK;>u2$.xl<}8Ս; Txnx*-Zrd pvG΁}`lsR NTR\ )2AʣiaR# ;[hZ껉p_0,'V^bʣ~bǓS(cyw;C^8h+?+Ťkm0X\$LA1H~" 6KYKs m'kdZ+2xFԾnډwTTG۶B087 jX;3!U7K;Ą^Ļ(#^7n>0̘u:۰GPU췡.Ogm&М"E\WF  QQ(VYnAYEYS}9y8Ÿ&&`u3/z5KoC̪ރ$`:⢼HpV c2a+7žp:z8Ũ5^ LG(ώU? =]0TߨxCml=dŕyh@sw@ʍ_W R%Ul?s6Bڐ}3((3eHڒOHBS悘-@J<I 6Hbܠ SlE#2;zFZX#woH9>T=O\]5X X%Z-So;/9YW}<#WPyjkTpXU20NMO8 -M8qN)r/Eg`u?wX鑙lDĝLg^b꼸TM5!eF ֆoսZD6054.x˦빥P4}A7& a5|unhzk+N Kbq5(!C+LNO KDŽHE-iMsM"R ,)⑃@Xԩ -T(ɼ/9wHb/1SA.R왾&Ȭ8- jBK+Ή! $s2֑&2Q J ڍtR10]P[:}),H'G?Z4R & P~UjVrӆZ6# 9 -(:eRRLcj$qwb1k歇Ā#H ZsGk, U@;wVævOܷj?@#F}6c|8źGh/5fSڍ^B0b[9P%-@xB;'wl&I_Wʔi˩#H08B4 T,-;YAU0q5!U1jUC@p-*,udHL>H֠xrșBRf)8 ZAwF)6HL?76AHHŁNqu;$ǿ6fKQ;i1#NEFVt`&;ӷUWp{݂vi Z}C:ƕl՝h~n`m7xC5t&Y:R,+K[U-g:6vTf*(}-$C>H^t!hD6?ԩ q,zket/w?7~?hܼͻ$7Xނd\t3: miʏ ҿnJΉ`yg8s'vuwSGb'vV)m `o%Ms$> \Af;:;yoDl<-;KNsXTpj{zB/H.q88}sqLk#wwt:fG!\B]8K$ od$5qspREEHAfDdgC:F!st2d6\@udx/2y,_ ☯rBNS#L Ea఩Әy᎘n9R-ȿq#7mN`O+¿~~suB=.'w'H-״&)OpR+4Mg[U.nx|(wsjQ5uެYyL7:IR)OYKhP9dx)FXZOp ZR|fk~:OZYo SޤX !q(wkJg4%S{E(נjJd Sut\+ 2+(ݎU乌辕ɐX5kI |oI8Hgm[^G riUFKb(!${ !Lyםq_O3nC晍cG|G_-tkl7/?!F@&C6~H+ /sm"ZC3,i_\ߺ.`CBx[ Tlc-Y%( 3WߏMn'Ekz$`q%lqI%բUFrQ6;J*WH' jSj.V2Ã{j8V\Nr)L"J'\%_TWL}Q*(p6f9TXx)1~, wjn&_4zdĔfY/,婫Nr[!]"Ӻ7Oa t1K ƺ0 6>Y*<ZF64#\!s!C4RPsMxX:K) >=Yg7$DeV:5, 8gQɮ B5s/:==];G[f\6fhobhIbs,da$w3# &Ng为Xu/]fmfT2}L^}`Tj7kUm[tے펚.FBTȿA&Z}3d,wbzOO(df5,of-3ދ޾K]梤"*H VpVysl1tS*:ˣR{ҒLaRl W-8+B#f8ts$lsB2-F*aCs:Vnkk,-/e@tQA>}]k}VQ`a%6l00<;@VI?`_'#7ĀYb |02GHZ~.$Nf3GaAǙHRH#G}ׯ hdM} ѬbGT#'s6ٺȸ9Za{Bю?.ƹLZCU!U

->""URѨ 4߇5YH0%-Q<o^_mlU$NJ£րY!ށ8ej&@; ྍx%ѫ%Ҏs ޫ9[d_8,M;y"B-d+9Q 9[xUU;ַ9/0[E=}0Yֈ^:B['2[ _Ŏ!mER4+ q,'{Pa}>' R*6 UQ~n_m>Mf"P%<&{ceMxBG2TՉg$x>Tˍ~xvEVP/M*S]ëAWo{_2 BXCۣfb;omj8'fvHt$;rM[V}`۠qڭ鋾WL3juY։F2PMʇZ%DsS9DNI}@ɳ#k]T̲"E"A?W6uJz~R ?#rAx$UH# 'kd_GzS4(j xLX:[!EQ|id%ƶc˓Kb o¡jt*'i]wxO KK q74X`ϏT⍣#tb$iQJ_ի(J;7< zZ\/63Cdn\.{JĦlDhoT:"qڤTѾv^Ō{z6=鮤4"U=4q, 2+Sк7@0sJZCݔAAl}usdLV>U݁ Yv?U/:y-shjphBNL,_/g}B GaE UR^Zy:ANz%{y׍ \2yYqOZgvCl}.ةv1T!̿GL#.ˢ4YV/YZTj!098`4Ȑ,r >r|>dގKëG/B~:~f'h,<)t^ ͬtns@z"h0s7n"݆0W <]4PKy`f%wz>"|vrQFfoEFPXQxUmj+P)^+2Q@~y&(;r^W*<|i`>0(ܩs{F ?ɆĔc*9~xP>K|0%P5Bp/cwCЂah>E;"…d6Qk03xjF?`Jage㳡5%҉|788`Bj6c&}M1xN#´ o:1]KHQ:DVF/oYȔH{X].=0y5Xt؈Rxoj P΃K9S?NS}nC\TcbE ,ZNjϠaRcwT²oƜBnXOllf jBoET}{Hey WK7 >&}mUaT#Mqk3ҫFkTkWpD 8%bA'tU`bMΐYf;4Hgq&~qx9A\s1ʙcM uPCs{ |8ZR2bԪp,uFƍI~۪x@#jMV&(غ18@{PNSNFx=NuS&aam30McH\8FL@7o?!;`d=Ρ>&uRYAd,-EmXSXj3-TY*g:qɭ ^f,+\4J–Bkb9>Mdтm ˼R1_TLl 6ЌŤng Lt4$*޶W *F)xٸm[c #QwȾ;gh4X-.` 2EF+utFC¾.D;]ʼڎv̄$ ha.jHk%]VDP 9*/q+E{NA>ٽ/̮c^x4d)0pOͫc1 OѨGHPwGiǭ!?E^)Ozm+Q,u 'pbVgɇ@#kzMj#Bǵ- HJ?O,#a0Y]Ҥ&Dܛ o74:;^m>㟐%E?1Pah[؛V~`"Q_`"_2o*Q, a߬qPKft *} adysvguM|]=8Cݖ>݊Yjr(% y xqsj>[p]x{e7ӹaWqɵ5{yAےn.uGA&(ŞFFNMZ5^qqaCG8U5'5LS-c«=xO)S#0)RrҤ܏Hkp챴`,J*ԫap6WYbPΌN[iװX{>?8JW9QzA_-~p$s$2db_J;z_7Y<O6UrX~#X8!!״t#Y :?EL燼li`1tm Iʨ ~^=x/ju Cp%ө#{1SyJsvd Z>]OJo,]=Qy:>t-9pڬblHdҲw=qǻh'`PH猯C[ FU{ݵv(6}C꘡;&⠨PMNHOB h;*ѯ~힌y{qTyMVJ+j/$AOJW.K'&N  \wu$߲Q" QRiOR>wmcN|vsIG70PG7_2Uc*ʜw6igMy 10?+|h`Ȳ!#g,lNr@rCxfXu f[(0}YSpy)d0(pE"ܹcI Xr rOuI=\=av K$UiH $Evɯ2eE;K :3" 7H(,jڈ>%$2KC.( TkYMYHkLr,Pd%/B_+)kT4@k%!ʩ;Ew#_1_'xffhTGɣĄw$. #@F/LK*r4 :rvai3>Ii4/g7ivSB9W*D>wKͪ\Tt@U#vw1>t.±(%͜=jaS!-Zn5L)z ` ܕ\\wb=*c{m =:M{vayS(c|Ǧ_4&Ѵ3*~qެ" h޵ĠȿϳjƩh&\$ v'G$ƏTIU7LOmĈj#{) @~ohGj`QxEx,9L˴!0r]{{idti?WP+ zاvMcBTF"AuلGO2rJQ i'5`/ B7Ϟk%b9tDX^.b CyX0W !&2CG# %#"ˠ2@Ɏ6);q/Q@K?VYLa'\RƼ"#bnu MAӉR\okRYD&`AMTjE~ߜT8j m+j1rxZchލȣnA[Ή҃gF&I\로XsۧJ̯ŨHFՋygIy2=A%{<2wRkXXwܳ*?_RR! PO ѷ E,~OxV=EMR4߶ytgwXA+nB d\i%x{%FISZ\IA9<"j#'Ν7)iZLSrV1h so{(=X0HPQ7!DZAUM Ce٘z~w`=rI6`V3<+ŪgX&V{[{4FKWqed9r/ C *Z܄1WɚCO&l-Xz?ue<[:ت .QQkx;}_αΔױߞ9\ F(^Tj׋uGP(ZRxQ}/-Lϩ4;(7l@*Bߵw.If9)QftKURr/B4iqxt\Z[E셧Jȯ<:u̞P^uCC$5NV9o`,* %e s+);TLcG@Nȱ)ow*DV9s9-LR2ϞeNr$f%KHU?u]#dPFgO^7׊7g]t C߀ϖmvnIdM8c!L A9ǺVʪL0@)/ $K./>.Ϻ:e孉/3'O`Eu`7kCsIױ9q^GB T>BlĮVIX 8lȉL(")1 ߎ.cXRΏ?1T %cd#bSӐ`aXavj%gd}A}7yT'k+C4tGOПz1Vmv׾z֮!mQːN*q6STvj@Oܤes͔Ec8=.rVFKD_QLYY H%"Vʎ(`%*3ےCgJv!ҁCf?goZX }qɷ~Z |5; sSFV>b!=7D-g7FN>6Gc?ݹ0e!-16S2JB [bwuF&m~BldФo >VdRE%"RB*z6~Qt+3_JvI>}B-GQ>.Q@@j`pt+t/Q5#m]Jt0p4V]IQGhA{=ꏨȊcV0"|:I\6tX';x~@˖{l LQʽwq탸jQwMk / zҀ4МZbM~gcc",<QqRG6)m85qJP0D?zLseo;i>jU-cL@ٔlj86{9j/p^S5D#[ˮ(bSnYM{p:֤-݋kX4X}&,~|a)|mVCk!1%O8y,SW]SP"k^󕞬@oA,3sd*z$ jgyIy+~PXmbFI6^쓎=[H>C>U5:X f{ǸNɄW1#tTٲx#K$HFxh؈UClX4h$fGwas'D"䨥NZaƔ 5,^J64(پgnx.1l- nGqwwڰ !)<Tk $Q z6yF3V I;9tk˰n˘UJv2]wjJtc- bۑRbP<^OPd72q}[/ K&ssΌhYڏj>_Y9_h\`U#!>aJIKvRȫm|IzG?nA(GЏȷ.h*{‹7CJ&w`s)0ϟ၃~x_a4.5pKp)mf>F wz5`Lg—)Y%dl@hXE -$;ti]$yG$(L (33QxaЇ ]<2 h7^|ƕiWV=\2ƫojW-@~3Č:gՓi"neI,7|M+#Z5&'7Lt R)+;D.(ǻh84׳Isdeysv>/etkO籖Cbhm䃹RyIgl[f ﰩ7RrM\r2Ww43:K+ ${tH\~!9JY:Xt3PGE7wL %y{o"TN Ef ֏sC܀i4v//339 #ԊO,s_ O08