ctdb-pcp-pmda-4.15.5+git.328.f1f29505d84-150400.1.44 >  A bx{p9|7F~YNn7P¡Ol?Lk> h]>[BG0 {>kzUnuKʜߙbX?w1+l32F:ŸCpnP?BbS*re*CG`gۿ ۬;qmUay~p&h^F׋QGuooKl(A 6ЭIa*Zb` 7d6d72e15894782de9d8a393081b840b079a8e37f5646291d9ab0ed7a1e0546b78b9a1b98248c7ac809eedb99af57e1765df5247bx{p9|b?8kgD[NNxhT` Ǝ- "kx@Ҡ[r9hc%zg2-ٯn.tFH+7/~d57e߉F.aK^J;̷K9^$-Mz'\ݴ/Ex@OW,YGNiCE(@%WM+l1)%lNto_~Ɍ:LkHiBOD z=<@ pb^x>p>?d+ 7 c 5Vg }       ,     ( Z  ,, a,( 8 9p: F G H I X Y \ p ] ^ bcde#f&l(u< vdwp x y(z`ptzCctdb-pcp-pmda4.15.5+git.328.f1f29505d84150400.1.44Performance Co-Pilot (PCP) monitoring agentThe CTDB Performance Co-Pilot (PCP) monitoring agent allows remote PCP clients to view and capture detailed real-time performance metrics for one or more cluster nodes.bxsheep56rSUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/System/Monitoringhttps://www.samba.org/linuxx86_64 !4$Hh`AAA큤큤bxbxbxaaaaabxa4e16fd2123238f966e2ca8f4e6b226f565e5970b25a6c86d634a019aef2391047e27c85a6f558cea4fec679f084beb81624ecc1d1777c5552eed79052c7a666317f1b46467040f0afd267d9514b1ba913660022474f26e1be08fd3d6ccb77c620c7a240fd85ffe217dba596cba217d1afc72963de0fba46cd07eb238187a6a96bef60812d0a6c27595eab149460a761c21fce5d2606a4875404ca84cd8f635cdf884d07ac56c05e408f2e259015c9d507ea6a4d74e0a4948ab31da24c376b6be7e85f0231426094480d54f3d8860617c6598d850c12657f1d62a7819c5c9174brootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsamba-4.15.5+git.328.f1f29505d84-150400.1.44.src.rpmctdb-pcp-pmdactdb-pcp-pmda(x86-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libpcp.so.3()(64bit)libpcp.so.3(PCP_3.0)(64bit)libpcp.so.3(PCP_3.22)(64bit)libpcp_pmda.so.3()(64bit)libpcp_pmda.so.3(PCP_PMDA_3.0)(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libreplace-samba4.so()(64bit)libreplace-samba4.so(SAMBA_4.15.5_GIT.328.F1F29505D84150400.1.44_SUSE_OS15.0_X86_64)(64bit)libsamba-debug-samba4.so()(64bit)libsamba-debug-samba4.so(SAMBA_4.15.5_GIT.328.F1F29505D84150400.1.44_SUSE_OS15.0_X86_64)(64bit)libsamba-util.so.0()(64bit)libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit)libsocket-blocking-samba4.so()(64bit)libsocket-blocking-samba4.so(SAMBA_4.15.5_GIT.328.F1F29505D84150400.1.44_SUSE_OS15.0_X86_64)(64bit)libsys-rw-samba4.so()(64bit)libsys-rw-samba4.so(SAMBA_4.15.5_GIT.328.F1F29505D84150400.1.44_SUSE_OS15.0_X86_64)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb-wrap-samba4.so()(64bit)libtdb-wrap-samba4.so(SAMBA_4.15.5_GIT.328.F1F29505D84150400.1.44_SUSE_OS15.0_X86_64)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtdb.so.1(TDB_1.2.2)(64bit)libtdb.so.1(TDB_1.3.11)(64bit)libtevent-util.so.0()(64bit)libtevent-util.so.0(TEVENT_UTIL_0.0.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.14)(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libtime-basic-samba4.so()(64bit)libtime-basic-samba4.so(SAMBA_4.15.5_GIT.328.F1F29505D84150400.1.44_SUSE_OS15.0_X86_64)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.3a@a7a@aa@aA@a@@a@af@aUaTU@aLl@aHwa9@a`v@`a@`<@`@___i_@_|\@_{ _l@_i@_d@__ @^@^^2^2^^1^^Y^J@^2@^&^&]]]])]@]@]]@]nU]nU]i]e@]_@]J@]B@] #]:\ڭ\\@\@\ \N\e\e\}@\o@\\\\\4\ @[[@[[%@[@[ @[[t[#@[[Q@[Q@[\[[[{[z@[r@[ @[WZZZZZZ`@Z@Z@ZZ@ZZ}@Z'Z@ZOZ@Z ,@Z@YY@Yo@Yo@Yo@Y@Y3YYu@Yg`Yf@Y7Y7Y, @Y"X:@X:@XXsX@X9@X@X@Xg@X,XƉX@XYXe@XX@X@X@XWXAb@X-W Wv@W$W;Wu@W#WW W@W~D@Wj}W_WYZ@WYZ@W=W(W!@WW@V3V3VV'@VՄ@VՄ@VVIV@V`Vl@V@V@V<@V<@V@VjV]VI@VG"@VG"@VG"@VG"@V(V'~@V V7@VBUYU@U@UUAUĝU@UU@Uy@UUrUq@UhTU_@USanopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). * CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer deference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. Samba-libs itself has no need for krb5 (but get it indirectly anyway).- Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- Update to 4.15.3 * Recursive directory delete with veto files is broken in 4.15.0; (bso#14878); * A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory; (bso#14879); * SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used uninitialized in rmdir_internals(); (bso#14892); * MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694); * The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token; (bso#14901); (bsc#1192849); * User with multiple spaces (eg FredNurk) become un-deletable; (bso#14902); * Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127); * smbXsrv_client_global record validation leads to crash if existing record points at non-existing process; (bso#14882); * Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call; (bso#14890); * Samba process doesn't log to logfile; (bso#14897); * set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert; (bso#14907); * Kerberos authentication on standalone server in MIT realm broken; (bso#14922); * Segmentation fault when joining the domain; (bso#14923); * Support for ROLE_IPA_DC is incomplete; (bso#14903); * rpcclient cannot connect to ncacn_ip_tcp services anymore; (bso#14767); * winexe crashes since 4.15.0 after popt parsing; (bso#14893); * net ads status -P broken in a clustered environment; (bso#14908); * Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send; (bso#14788); * winbindd doesn't start when "allow trusted domains" is off; (bso#14899); * smbclient login without password using '-N' fails with NT_STATUS_INVALID_PARAMETER on Samba AD DC; (bso#14883); * A schannel client incorrectly detects a downgrade connecting to an AES only server; (bso#14912); * Possible null pointer dereference in winbind; (bso#14921); * Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.; (bso#14846); * Add Debian 11 CI bootstrap support; (bso#14872); * Crash in recycle_unlink_internal(); (bso#14888);- Fix dependency problem upgrading from libndr0 to libndr2 and from libsamba-credentials0 to libsamba-credentials1; (bsc#1192684);- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899); - Update to 4.15.2 * CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication; (bso#12444); (bsc#1014440); * CVE-2020-25717: A user on the domain can become root on domain members; (bso#14556); (bsc#1192284); * CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC; (bso#14558); (bsc#1192246); * CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets; (bso#14561); (bsc#1192247); * CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid); (bso#14557); (bsc#1192505); * CVE-2020-25722: Samba AD DC did not do suffienct access and conformance checking of data stored; (bso#14564); (bsc#1192283); * CVE-2021-3738: Use after free in Samba AD DC RPC server; (bso#14468); (bsc#1192215); * CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability; (bso#14875); (bsc#1192214); - Update to 4.15.1 * vfs_shadow_copy2: core dump in make_relative_path; (bso#14682); * Log clutter from filename_convert_internal; (bso#14685); * MacOSX compilation fixes; (bso#14862); * rodc_rwdc test flaps; (bso#14868); * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal; (bso#14642); * Python ldb.msg_diff() memory handling failure; (bso#14836); * "in" operator on ldb.Message is case sensitive; (bso#14845); * Release LDB 2.4.1 for Samba 4.15.1; (bso#14848); * samldb_krbtgtnumber_available() looks for incorrect string; (bso#14854); * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871); * Allow special chars like "@" in samAccountName when generating the salt; (bso#14874); * Correctly ignore comments in CTDB public addresses file; (bso#14826); * Fix transit path validation; (bso#12998); * Fix that child winbindd logs to log.winbindd instead of log.wb-; (bso#14852); * SMB3 cancel requests should only include the MID together with AsyncID when AES-128-GMAC is used; (bso#14855); * Prepare to operate with MIT krb5 >= 1.20; (bso#14870); * Heimdal prefers RC4 over AES for machine accounts; (bso#14864);- Enable samba-tool without ad dc.- Adjust spec to use pam macros; (bsc#1191046).- Adjust spec for size * allow some Recommends instead Requires to be configured for cifs-utils, samba-libs-python3 & samba-gpupdate; (bsc#1182847). * remove fam, undocumented and unneeded.- Add missing build dependency on bison when building with the embedded Heimdal Kerberos- Update to 4.15.0 * Removed SMB development dialects SMB2_22, SMB2_24 and SMB3_10 * VFS layer modernized. * Add the ability to set allow/deny lists for zone transfer clients in Bind DLZ plugin * Server multi-channel support no longer experimental * Improved command line user experience, unifying the options in different commands * Winbindd no longer scans trusted domains on startup and will use enterprise principals by default. * The net utility is now able to support the offline domain join feature * New options for 'samba-tool dns zoneoptions' for aging control and to mark old records as static or dynamic * DNS tombstones are now deleted as appropriate and use a consistent timestamp format * The 'samba-tool dns update' command validates and rejects now malformed IPv4 and IPv6 addresses * The 'samba-tool domain backup' command correctly takes out locks against concurrent modification during backup when using the LMDB backend * TruACL support has been removed * NIS support has been removed- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2.sheep56 1652094157 4.15.5+git.328.f1f29505d84-150400.1.444.15.5+git.328.f1f29505d84-150400.1.44pcppmdasctdbInstallREADMERemovedomain.hhelppmdactdbpmns/var/lib//var/lib/pcp//var/lib/pcp/pmdas//var/lib/pcp/pmdas/ctdb/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:SLE-15-SP4:GA/standard/ad59b5f0b76cde6393d70ef4aa779f24-sambacpioxz5x86_64-suse-linuxdirectoryPOSIX shell script, ASCII text executableASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=98785265985df058b21f6bd45f916215630be438, for GNU/Linux 3.2.0, stripped(R"R'RRRRR RRRRR R RRR$R%RRRRRRRRRRR!RRRR&R R#RR RR RR>BDJDb1utf-89d5c940e1b40d775285b6a5c7bb21cd5a15d6c30673bc20df2955d5817e078ce? 7zXZ !t/X] crt:bLL @k^YN|1/F I\腀 Xt&$[1so<6Uiֻ'M4{:J:j ?oy#mzW'L΋Pw\RŖߕA;uG>:%h#=7D *@:wzJ|UC1otmRLCm f: O^â>vpu p @!ΐmM؝_NuN1TD, 28UfkZCl R7 #8&nŧ5Og?k51pdm 5ԅ#0S}5PP$en_ZrfN:<3)L9Zv 7R+4|Ċ*TqEj&h UQ+V/=2G@ߎF7 8˛=hH3_g?lf~ ]C@ZyC,eoD ajPwfvkDqN>*Z$!T MMݢK| Ƈ?y¶PT-qTTAMQ\ w0ЋJc5?[ Y"&2B5SfwhP. 7.%ԯw_,eƻѶ}3"D&^_mkc.+k ը~[-(**+(Z[x3H_^堃J|ٜqPJ([݁}wy@ig(?g4GxQ.'|e阁ሙ2lo\.ò=I@~ ܾ6w Re4ҏp0aAp=Z gn>_L10Zfaf-fxjЩFX9ciw "l̗ACw f"Xꤟ*miFRDZN^Z :`ds~!ˬ贲4ρ3h i|H08RͶ Q~f^[Hb롕Owi*hj1ʗ& j{vlj&Bh6g "ΓXH߂HIt0/ ߹d(>α's(؜E9DxsSyhGw:G*ֻ7G`bdڬ N;$#׸BCrd-nroSi:>!bzlDAy~M[J@yH`4#!^bANʴyР2&:q& *A'y;g_ejɛm c3 QWө*wEPu?;d"M'/̻=&[=0%ۚ$+z9WW7&taAfM%:&3cF5: ]>iwwE<fEWǧ^+~g3M Eޙ?XcjaPC̨aRD눼vPADnjYtHjߠêsXfoqMJqU̫zEw2cH"8z׮'#ԫ3 ;KUu~#*kDmo_{=$y@~7'*m`2*bj)Mѥ3dKs._ `+GixYޙ}=Ғdl0qn=SNsL>99ч[7"i؄|B߀G{}T'rHNE#׊ܝ к͞TO|(-֠!U 8ikMͮE?W<<نlͼ{#GSIWby*{נu_p<qq̲2(C) L.ݘλyO\7GS9>V'o)m%NwcHQcȠ]]t ~Z W1';MNOn\W(vrMyhP сJ5+Zz`(wt²wgy}V!GSsQMix9KIЍ^ˊь뾀ѶO^NN䄏ljR7A*\#($A8_y}^zk7A.݇Nf; 4kzMVtxzgkm7튊m>~R?ȍ lq)$T;]}6U?MHY0oUZҜ'S.jZRS\yPR18y,6z՞]o)ԚcO縫}[M/yϟ51jt{;I)~C<;aܔiz@lIKUMl4F?)Y^ 0lV0iJ![H 𼜸SU~t~.F3H 咛_ٔ~wa+h9 Fڹ/p^;Y}8"BRw=].|:\K5I-O ۄ5!5Ä |y2T>4>)tdv~i56RYǕ=Ո g6-oȐkM>djjLY""b0. '܈7hFZCb3>J8/7/RMEW(}uDvRw6^*@@$ R6m_7x\0RjoɕbxM@יAV PQiރ 2#v:[["0V %8غ@\`c\щ~u.pܐ܃9Aw@Zm3yF6gHQ*XDhVo]ϥ).ᴆ Ţ|MKgZK;ry|oF\ 3w⾲Xi>ZRvDj.=rǜJLZ E#8)f7.ׂ5f< s=RV<^tonitz&^GϮm;QS^ԘIu5`y$)* D hܸ;<%imB]d皁dSe;V@Wd i& i䉣TKWEgl|%]gnKr):[(V.I*/~&`10#u} q< >FKx c d{VK3%4OX w)w1T1NE7aϰdHE .0ws^C+[xeϻҀR6WvgmAvBU%oRG=T%FlUг;WZF!7֯l6^2uE&>X[+Qo+AUhvt|F+&C\c*n䀎Xa~&dw0ʋ#8K248l4Jp2@VV8j/w֠MAm+ՉVT><׿Ia53dϢx{jh(GS믿NHϝ7դx2ņvӐU쉻s'i R.p<4tUrj-o)(_{PWHR}|),n7H9_@M(8qz< ofd|mA[MsٓfB0XiU j#'lwmP"7!9;_}zr1Bb<=s>aa<%siI&H^ܹ:(BP؀¨LYOxP !nv#48hgVS;8${qɕe+pYt%Eكϟ3r.wzؑltOV*!il6=LIm%=­ z1j@h3'jO@x<^NkUx%F\R''0)|, d3g+z˟U+Mi'ʍ^{Dh!A?ؿ"y6C|T;!jq"FFM#fIvMfDsXAd_jm9v$ȄǾɂĪd=KqU@^ w 'q>:^ ?qiLEʸH ;_'BGZ kCJydRy kH9P ǷHqv2aUo\CDxA7'Te`rTS1h$l04rx[ $VtԈMm{vQGCO5`FA7ue=@޼=f֞{geid'j4UM2 ]Q<߄hDž{=v+v1P4~Ż;4pĊFHx\sf'jaa\.HVZot_H3+ 8>'92[,x.z!xu{qX=_}Ku=IX!I`:SLm( nP`N T}ļa5 R[KZ>ְKu].y1T ^C>vW߇uV&@/C7jXT( :{>_'O5K؟=Jt]D'aKsJPG"}`YH\\[G|!DxU1ګwfM:참xX{$.%IF ;Rg@6 ̣#jůa {J+r byz"<'9:. j̐)S U&Rc^XE FEȪGFl3_RY̜l:1&Te4Y(8:A}zpe8Fg 2;@?J&08M;(H0񞲻bm垴}v~ o-;a;Vs9>ǹ֡԰BM&jwLO8>Q)[V/_"9랞灐OaC@)kf%VDʼn%ݎPs;?>_ sӦŰMFVƥ|E%f_EΑ`V\59xWSw۟Q7 qS/5SU0N8fe\:;uB9uzuLVGٱj|`V,; nͱ:O)N4uC썼Pt] NVeD? 8/昹S/ڲ8 eꉛaa0-"Л7BO`6@̪ ,ǂ[]F@%J ?GY\1y)N#S!S85IE \ A[hv6N>Db)Է$&Qʶ,5BR9,?l?v ,/?m>QX*YM'C`+ ܍Lq.{N ڠQMM%:4[Hi.kUOMƠeDεRsv[ϘXCO[*Vғ𿦡VMmaF^ek>ʍfbyy/*|)m_@|D| 1Un+PS_~PtMPzaG\/rh09x4ύ,|h@˪H$ӑzEkP-ěC # hoWYy$Ij]r.r~P,ٴd J"ʢpAzY ,u.yߚhsOd䎕!X:Yusۥ7k[$J2'=-|pf!c:zB7j5 /PhFw؀NCgncF %St}u YCo좂.s#P#rY25m^f9$yѺqJ=/b*|N#&d ԥrB]s7˕Oّ= yi*cYA͈zk95{w7sj=M;XiG>1wcţO ;$$XM)KiHi+rwu/d- srݑLJ~j@7C}Gm!nʱ89ܸnz[ K:Sh47t۟k^X(rÚe ZTWLOpx 5?Pw/LA{F mtɮd䕠"bKH5 TQh>BӠɏ} :ʩpOMc-' n"T@n6u`.ɰCb.x%Lr/ed3Zbyz ;b'D.Q"gY_i, TNϳUؙIQd:tsz@LC("9ocuC"rd#Ӿac$Z:Ltjl1w{> 4' 5,JI-˩%b$ xt"ry4i!NAD=.;騆j;>k=X$}S}R7a "|6E(l|᫔X\“g869x#DJf$ ͏s!կFن)E ̟7Щ+nDV=If:W)4v39^>$;:e)Ź}*)d x&<2[Su, v )Εkɣ+x[G%vFCK]IBbN&8ĕeFZ _'s*'] !B ̡(Z \ H;~?)ԹUIGMStc)%I"^*n.=g{gV[J"M^w}d<]4)J}MjiԤ;m(xk/iFM>АV[9WˇrQ-ؤ/9v/Z0:_.lm6؋'PRx^ OlD}H['CsRٹ`fnʹy5OeYv= ./DwS@[f~lYʊMK̔ s[acU w2畸{pz 9vVJJmua\))nm\Nr]Y.DyG"bJC2`&O:w}afaV P}vDMnq߮>"s?O#ji̔))/}rl>R#?fØ0(9p@~ ÖϑKV283DN;lš%~b<5[jR˦'ՕL֗c '={Xu[-JEr75 GH,hZը.Qok[* X#wC+X:n0]M|>4h 9΀g?voG=9Y:TFIv T|Cal"#bW;\YXBDZe: a@v ُHƊ!VkLaAO{mKpUC7EV"5H̴C<#ؚ:]/JdgA.8?yp&%*1tȔUBMhhEVyyIUT?3Qp4o˄Z/)~y.BQ4hZb@oJNO!1q.=Q jλo\=J^J _VZ |5P1{<33OOMjZ hО M_wCBv  &Zz2(,E"fȗ??I88Yw1F葞1,rlpK) ^*V n8̲wB]G|KHo4h]Xw'{g\Ucʈx0eTH\wK}mbVe,giC`h}#Un0$6)N/:]6߄Ųi鎝33{u+*Pu0_/^rW"]6Fֵ[|-h8,C!8J\HA0g[~x XAftB!֜(pKm~$džD/֛ d<d"*#xNoKXIV2nT3rJ8d [+B. fJWsL&2>{6_#*mnI}7 ? G=+MCӈ3mF'=c*-V%cK@S$Atݛ^h(jϮ~ WG|@=<̑f4ĢA2c:Zh♻nu9I1MoBHGL^tF5Ef>ё4Dl8Mz=qkMxOX!bO`;bæ8`ᗟǍГ25YcIex+(\FǠJ9 K;5-kPaRBhj=Xy~jaىc7 IC+Q4o@ŢKt%,ө"bH:+q{fKm!~BtELJ'⎺U/'7ňUUyzڐu3l "&4bg} #9fgKu3$^ʄ؇\z7gDt /5b\ʪ5ypW0Y]j! HVdNVUd)uּm6=0rI}"'?CҥF041YRLYZk\ɿ) /G6ffg+U5dej(Ղ3,)Њ(YyJ;u4X!{6қN5q8[( 4ju%m^M,1e7 IyD@Ӳ$ j_D?yrȓN]$_u!3PʦM0tZm]UҢj,,ƗI P)aaPM*`ۿG#fD҄iq܏DvTAUZӺ6*Q o)&yFN@cF'm}^Cȴz[ŎEsZ/I*n4DžaoTT $#x w$˄S:{Gt͂PW4'X J1_xtb>O.9-0U'Q} (Zqw}Lkr|R_4$DG)'b }u+%eRS߹zIwlHʌ28j'Nѽn;w尩ƣlZll@L8) D1_2c*Lmp5lۏ=eVpeNNנYQVfYKF޵ B}g{p]c (<6NLۮGa5ۉ=@:jasi $SwW!e+xɽ=/p/ i_f4KQҕ!С-ε s؃f<30zFt{{} -@be5.g{2z :@E˗bM3G?4FUQ3JȥCDOj{cHu.))5]|…6O-% LH<5$D9^SK<3?.ċ,=@y seִxyz,_ j?uI;`挏d tB]e,\#B=d='Y.!Nb=ye4޽ SI0]}l"wD' Xd#xNV$fܤ9"~ ,zA鍺_Fʯfz,K;!;CSc: jyXCzޓ|&YO,7CM:GcYP8YD 41!.zt2bQ8oE1ꚛn?l."3+~YpTrੱPLGl*,^eq/dzx|S'+7ofaշFLڀr2+di!mjsBzA99HƆZA#0 mUJnɅ@GH}~f.!Ynt!\`#@v45 sN΍Op5JeQTԧţ+5a4HהgTY3)}a&ssM*4f, 03qOvyZ쩬{P- mSgIW,8b#.w~[d' `4' wV;L^FzȆT!t"V)/ 1Yj=>}6 4Z ~3LX42d"D !p/g` 0Kٻ9]& t'Z 7DJ?R KM#_Jjtcjp+C(yTi~ y$ Y%͞< 7i6@7X%0__ͶUz=V,J#S%ubw`;ӴL-VuIRs=C3Y$Wvv V:RɅiQ8e|Ghw{io*j.PYi%#DlDwӻ{'IKB<"~_ȷ8Gj#<8Jw׀zikWi~o#72}Mz»֬Z{t2`݀@xhZo r}Ry_it^ C"E;;2\ Vy$_0k1ܽQ]b우-զ:2XPa;(~@YO qeZ; ot X#y Ս ClB}lRޔO Q$[Q `fgx.Ũ!v?ٛ}R9阅CUuNL,*(/q k|;_$X; zo'2 MS>D1V;lay4qQ,:2ΥƦ0XC֮Cm"fM_5ԙx< NnFXHA[F&cX,)Jy$F.p<k)(_I軺>j G<"1)6guqr l¥X֏qۯݲJE'I0qm%,? h{=2_)Dr*Eߪ`'o`;qW^%`*Ҍj) O*c#|;!j%Хy/*ɾ3  23ܐV]K$¢ƪ( .(8nY*QG܃BV ǓatC2ulXkǂ G_[V5ÄIK~<}1e5 $9м^hlvʧCoTNuU\R!"U:Md >,JlAhrGjy㤒8vz='!d\H!PGj1vڕؒ~V^[}TLg/eboeũ8:Uϡ֟6 OFm.pdC?Zqɮ/y Gì|7^z_%0*I7IQI(xiWe?^20[ŕf_{w[!φz 0}e?Y'Sh ޚ Ry,߽2o.m&#H*{+ #\)v,1 ^֎]~X#_lk~u Z-x<{9kBnXjRM`Y d+pTcd -߁&ۭRf~A"䈇1>0*^zz\Ś'LjxXxd 7{:H֝p3+ʺsߤ-'fwM,bUAp^w;P8 #jSor6bŸHPcNm~5jվ0V?$cOh2\}yXr&M8!lAY6Z1MZ6XIXuW+"<EM/81~Ѵtr`G9.*?N i[Vb4BmF+.v灈KS62yK!ZQvXn<E$|MLk46qH:)fmx?rz#7kzyNEߏ*X pIL:'K}#ET[tuPDvv _]&[T')R"w{o26Ks,8>zTTŝw)b?xքpc(YA}@Z NhsXۣ=2`:,6 ]'_ۦ)p!`h #&(U*Ć7%HleeQNn p!|#ho/z7Btfb'QYv%?^USQÆS8JB@㖭XthSk:7L ՙ]InLG=R7 @{\/~ě#0̗ LGP l$iU@=cr;<=G>P]*g ATNa2;ƴ٦A["mwT;ء9d+N)i+ޗgyO`ڰQ0F&ѥ4xPE9\L!iޱ'w۟ʪ|`g oΟ5a R$N*լ^yoM̌#TPDA# &!!!$_:+Ѩ GU ua=Ft! ahLM„HV1}u#GFJMcb%{;rf>h9ۣu1y&ҙ(x/e:GPx[?P2j|Vc$"b@(* b՘J3NUj g.J gf`}7:N[V Adk͝ Q* N+ee -^N^z4JkI adL}jXxǟ HOW k> -x $6}DLK ~njH\(5rO"3ae Dhr,lȍ2_St0|nY/M Lq_s_u\׽ϋGשnGz?f,8'dWbx_^ &y/_VGrd"mb`g*9t= gGK=R䄘k TI*5!z9=[jxG!X|=ca8XuQ,[B*X߻&{/O 5jS}‡ K}; 1@Tw30ٔ `[ȯУʗབ5ee.֨+N~S9tE0{l+B^8omȡ@ ^Mmbwņlf-5c!b LגD̔9*ʟ-d=ՕX:I'1=o(?2;t / aZ+hԤV/jC >`Hkh \еg3d3b1;L{PIeH"X@N6mCj7bc'TɉyNئw,kU9"'ig5šJmVY#4P\"zB?+#%ޡfc`xy+ ֟ ʓ]Xn)߮շ&F]L@81c$I r_s:G'&%Y,bF ]B%M76Jb066 '\Nxv!t-N(hʔ,kk\#6TӝgȡP*RrEtԷ ҀҕڡRHp"?)'kACb1֐HTV8fž[pS2NyS>4))@X [X!I0' ~}^SQUnD/i  t@{ݞx?]ZG Y3X0PßM@ENI~\#eV/KWW-ՍZOaBЦpjL"0;W%ZG39CrFOiI"+|[,?X@2u'ToQE>̍o  *ggJ)'Z3di[2FXXFc c#Z&T*FAŖwkYûa[^,ul 3O K*8uZĆ`hdkicX+`ՆϓEd1q@-JA1F8;l0˴GKGڲ[$/0>4'Ê<]F"kZLg=}tm6IL׭TCUл:%* wE/Ox?\\8xSm@xdLI'0 S*8T0g$4A|2eIԴ9Ŷ晁Cecq~"|`w=؊fPt@>\~#B*|f_r 8@eƥ?C0[&$ ~ˋ<; ӂV/Mcz_jg@Gi5r|@]~}-q>M7h=. lw{/Vy19UE]%h "&LG`NY iﲕΓb\n8&|Sw"Zdh5Wϴ!@A(|nT,xF$[jn{B'嚉+St< %N`&}h~$K£Ir@gl X)~mC(;^f71(:φfS^i>_ єX>c4$8v}KS @QI~RS8xGOcZtqW2?Z&> م~G 05{R%~[-9gͅ]Jj*0 stם)qV7r%gaRyk|^9jh,Δ`HTNwNP}녶Uf@ hS=R lz/pmW/xTF\0ɟo.lt O4~ 8'mpx$Z͂C[❫XSvI֡cwc_&y΁fNegk'嗸%,xHL(rt?+0n6y _7ݵp/"NId fH0jm&GwT U+?D=Q6!Asץ|k-dTC!᳑ ߍL']IQώZc׳^l%ĭ2]G#K\n;1d'Ba[T!5~di8۳q.tqEgiHY宣M7e]'N=0P9 ě\)Bݏ>qH~ʘ/i$QfSuTaYG{|g$ x8}Aʈ=$MO"Vџ7axjPst'vnO弬Ŷ6shfR捍i<5ºr̉oMS{&dkxWP;xTUX&~EdrZL\cgr%Dzd{ŹeeS~t›o% @dF6LBGoܨC{\о PtXsFLgq|;$_ B4b= ʡ]q1o:S(PcJJp^ROdcGq`اl(wJ%Y0T _F7zTݭHkխ-BFDؖ+ߠ|@F 3JO%}J[?ugԅWNoFqsp]93wݯNX\o!t$)M0ɕHBюʂydW+DeTWL6g0@K0IV!sn+:ѹxLw= 3ό i8+?*V,ʋ6&;kTO)DEXW2bv#3ӊ|Bk= 7m`ʠ7yqjcdza*~'$sx>@{ȄVO38kvw"1ɡV< FTK4ZgE?6/Dwl)Y cJѯ&#"r%\}y01Bu4 a嘆[0&'XP[+̷ΝKl: _db)!:!N2T=mxWP򅊹2Od9CIo! e狫YpHS eJctT9vw# i,Vy5v>Vo5^뿫ӁO>bvZ״z+ &wƴe KeZ3h!RGrB;hoc _TXwWD~C .͚Աd֏YvD q*,C;*4@$iP1Sӥxw/>_^|y>7 RnEL AڿtZll{T8Tp`aLL,''}φ'QMʬ|n'85 4H3ߤǂvLX+5`+{5\}~N{CX׽-: EV Tog37wʴaR2ۚGEWزD(G#ZY 3 3ӗMYckh+#2F$=TG%_Mos)m}֎LE7|c`(Ӗe#x1M! s[9yˁ(36%'ud,9HCC՟Ndqv-J0>%gōg`KʮZ˂EH)ɬ:|ՄD~X[}ΦdT>2zu]&?HP ?9X/g4RY\Q :rծ9]鞎Ukt_iu3-C`)pơӺ(ޓb 1*I}}+MQ Geޯ":ԎdU9qf&/lGE.> 6U0'~uP}1yRwxVZϜJ}~<4m!&^b@UvEyVy8|A~P= eǥJ3 +Aieh)Y_A&i318B H$1&eԙJELiBO sm'̈́#<)XR- \iYa $#\9([MxUӴXp@-OÉ3s/jx!ys"%ssAfOhT^H,N07C'3K/578E$j 9θ,nyj/c\AwX2UkgdPrћ A:qؐVx[piA`;a._5ިdQmT,tx|<өN5GMR;_t9e:,kĮ꼕~yېQQEjt` Ck]B{0x6ƫaǍPö'^ qIcO~p2Pľ땎Z o}/6d'  ېEj6X +x1P3~)7 1 k1lO݁]KKːA9{cR*  ~nfkc@αH<\ i\DYtG!Թ>CMo{&  &?V:%u?_`!N^}U=kgZT/jǗ%%gIqf^}Cd2Ԭ-9 :!7_YɘJUfS$6^:4<@Ex v{/'&Abvc$A 0@Pbl$f #ߞs9 O8o 5Dn&Lz”km"C,Y"{~R~E*Pk1  :;ۡ?-%_7%;KS7ہÔ80W|MۻCu"iIQ>M@m':JBz^7ahnʨع,ZE 7ݚL?ӹ7Vd~Sp{$9:ϚZAUxX2:%8 2C+N v:F?ަs'I4f1jefBq'I7?8s"g!9m̉㦁+;l,А^bA.?s3'j(;"~eVAۡ^" #ޣ:rPfc6~W-_ +'>X 6ԭe{zΣmw9"66ЊXk@%XNZ }I-_Lj+j(T sC&.ArajR#nvO>a!(n,N__!—j-Pn*,֓zTɊ4s]Կ#BHX.!fN$KT{AyǤ@Sn K h遠^x% zW3ZB9h'-$>=z,ze3] C7Uzyfƣ묷_ʻdĚP_Z0Muie}.x 'M<<^TbIh؇Uv"#(ʀTM%rмK蓶gx.Wv/9 n+CCU{jx<2>"he?nEYyLNu+L~![1f 7I620(N*)m4J σa#jZ]!^e܌ &nkdbC gb(:D~a߲@5@y3aJ]KWE"gOr"؃Ct,J{쐺K߉7:qWCԦ39Zy­xv%hjB:m0sȵAY0 nh= JmNڿD+Lq,%3~?h3-vi, j0zs韇d (f.b:f voP( W񱃦WDU卙Dvj<(Ejn~U0#eLSA0^#9s;wTSz6AXU{*By7{~w2. F"Ih=[2"*Cw6fa($?Nlm7 ʡ`7ֺ@K/j)kxMH lu+`:DUU&Օp;:60[[E_љOWN.S#i_\iC'ofK1mN s}, LL"fPm6Y]b\2"<|r:w^Se; ƿ;̧ٷo0F vdG:ѡAVN IV%ϺToWntQz-NNʨgLTg23iwrX'#,t&m*ĕ=GKurW:ǗXHf/y܉,uȐe"鏣s^@:i6ccޅ.*@Uڦ2蜈A(\YPrWo?u3-! QG{T RmlDG D a/ͯJ3'iY[(B.;sʁŘ/tRF`i@\1 -GEz=bv; )\uY$hYl' 4@ތW($ Ofdm>^WX8i E|ob (Wb 0*4 ,v\Pb@M"{r0Qrr.2LR}= e`^X'1BB0-O'QLR>#gZ Άt &D1JumY>Ą!U#3D(16 *µ6Vȉ!o4OEE8U*zef.mvv=!҇Ar*Mth3IYEⲟTծMņZ::)įxjP\zlS#, iJ}WOԞz٦%2HGo6eL?wN%M/N:?Z0xʣm.ބ[4V`_O$A\J3eN떡k4&ڤhIloҿR(TWYu H|S[P Ihq _DӼpm#%iDCEx D)Tx:2R_Md,|azt0: 9JK>^(8d)_? $=5IrzFVQ"z2lz~ mIvAhRyՅ,9D P O&w|fo0*Z5OLkva?"\qA^+|ֲPݱ2\7)v,n̟O)j4SL\d^TUY][ Tc?L#l'Ob?ǹ7䗉Lm>=vYLXLI 1.~#xvŸQ엿ηB#M-L)=SxѣLr\ F %ad!mPԍv]1[zC1{["aNzQK N/mu?=Rao:~zs **4o\{ݣtxIB;iV6a1 Mp=2p;42a06/QT?M,"g7}Ca ${{C~;糹m=4xF uC9.boRپ.^V#&hC': `+S~p.  YC>DugS|݃|U\[!/y?-#|g女G !<,h;S!* vz?;w)| H)Y؅ivÃ>PpG@Y i2ɭH<~(V>Pލ/etɼRJ'Nҡ1 ~KN#-;v+ΈjTUc~1f1ys ,!$+t7O/ۨp0OnE*=ހ& y+\%,CkjS !_~*�lԡu!Unb71u`aS '|xqѣ/EWnco BӐ0U A>cH,&Ƚ#-fdKppc7tҾ%BMFbxæWs$zn?r5թ47Yzf˪8G8EEPds+ UO*f Ev:}NPVbzT48S{y\q4?İ2`w!q&S]hLFT.+e.ym.kRevIu]$ᨅXFw m7@mѱ dq7z8 l3Fej*tVQJ-qx6mWǣYr}~kEMCK"V:%jS_t\/=nimu6B\pȅZ> iR|Kۦ`r~tʴi 0U6Qc^@I_|Ѩx'xN_CT'b{﬚Vk4.(QR"Ygn-פ|:Jdr |:t ?T8uM1%%DՕ~zcTl??IbBU$9]/xY ,ɡ'4H' }rRQvkl8?j~&?x[#HXF"]˾f_O?E2˶v[LݘWx,b`[/l{HŽ]ҹ.]&;ߧN3Iߪv03ěБ*4T#r=!+m" {Ba ^QAzQyc2WOu[=:l4d"'vO3~1/]APQpfecI-:uO3J$*~=!V~!?vgqx&nG-hВ]0it=90qX;ʷLT]XgMDR<_D3#X+%6 1qVܰqY(+{,-e:9k;fQI˯Krd"f c8O0D't}uQ9q_JIPnB"UʂaweFBsvs/*2#[l'6 E /5*@3bćگH!\\b`74ft/ XEBys!dtB)jɹ^)of1g@=ecM 3{HeCEq1HvY1z3`Ymh&QZw~漵nt4tH&T(0s M6nIh5PY'W@^y  (c59O`ڒ/hc0Q{sӆdjZV'H93 s (%*񠰬D _T"q+,pVY3taݺ PpjLcjMʋ2LQ[cARKN藘aeYWj ^~0d gظ&(x-~;s9ՙh<) \Qd`#谟؇h'O$X5 L5>{.#!Ro6įUEk/ya;l~ ],E/bSg?L =HfZju`G9De nb صLH1r>O[S-cxX^voJ tlqf˓HėR~X9˦yzf7/xf7:ic}.xdn8A/dhl"4Ej T-?S}r3W$`fPME0̲YxI {5yz' 0P"ulv~Vmt,7NěDJKQnAqCkI- Vnwi6dt%Pzps r Q"u'u}EGw\<ޛCs>S@X~N bÁݫ;AgD5zyW =ldڜr>wp U&(BT@ݷLprRݬM=괻1{}cQ_ GnJPߗ/w.z>PuYe<7"-r醓\@a%Hb2VVY,rhEYGAeX`0ßK)\?/i_tU*+#siQŵհ ,榓W8]M='ESF+⩔(5NU _t":Iy+ $CdF9`5Q;XrW|&zez:|t!aA%h#옲cY*LgYGO10)S:U rIЋ߆e:r5MVEhts a"DS<῅U}tNu1kc~_@SKU"S|%-D`F@R/a(=hF`q^>Ö7dZ)ɧ^Va;}zFB,%$,$矘V ХxkuX? $bUs}:@oFH}cl0[5W"F=]fO(+7274q{_ҏ9[tV۩uR8!d@pҪjxkxJ([~M! 3KYƕNk׻{A>H/t"̑@'&IypQ{d?IDtL 8BD lYJj!?U£w[Ur~ -mUo`qya5s^_zE0gdE) 8[zтD)pji1׮ D3'NPk=ҫ'-nAF:VInxT8jbvɷ[Bԑ$jw8:Ҿ<,Gc<˷p&'$:,tUQ5hՄ0D|6 8{F>A's9^8d K!8 lͺee6vww&Fk MǙtS;b~2"6-d'~-^ t-SAԆ2Gvu+R!apnz 8< <|ϔ}Jp3W ᤑV mQ^w(a+rvP]W⊵P/uW8I"oKs1M=M3Fk;#?%F&k<~wIpY@M'G"^ڸa|gA.V>h}\1 * bwL+nptkk}E2xXsALk?1Hej܁Z~/w1s267{3 \,d>%_Ê N+}aԭs3! TXJ);;=P^  ;9۳kno9Po24 lcp64QUٴ2WG/h(f@a<=;k -l)fs)*$Wu:.+g<ʵ>P'i i|k^͹. NN6#9z /2J/l*Yݿ^8[ Ј#K*!\XkJѼXSBBw#|RC^mLʩPV8~ 2 yJE`OWxMUnu ǠE%fCH5uE n1."nZUm.*Ɲ5@q'H T!|oq 1? \ (u+^f埃ۼoٵ?uN/X8B!C(25[f [Y:h0 ςŨ ^#ptu*H]J_EUЈwjǥ0  w*s_õt]m"8L9?Av'LT~C+餎?5GtZFOΣmolByxqxՠ8=G:c^O"kxTL];^%; 33!Co[V7Gz]ޱN'[oO}ߋ -OʰhRlE &R{nw*zW,wV:Nx\U\AX̛>/ XJ_'jyqŪ5-U\^̂pk-.X:M?y䶄r <s < ;oX *Q懯S@G/|Zirٟ x?g`Ŧ"t= iָpt!e9b+3IL@ <ٖL|` by@k2#=3Z~q "&r ^X(k0InMa\–)_k:}g*XT{N'k%fhcɞ!N (yuCAp RQ/0\t wѾ4v%){4x&.3>d$TKy/.}tD;A3+`ʆ.#\<EN|`[8&Ҙ1$Np7Xpumq$f5|d<H~ 9C>cCx$Z/DPU/ n \}@ ƫIe$Q9zŠEy :1ji˷U8{[]^nEO_(ȠGwr^QKsTwĸ> 4T~ klꀏ}vp0GGGrxD6TkE?@dWˠH>fad̹-~;M|Ћe^ X }@ P"2S"d* C$zzӭ,lS}[:1W XEPmM4$M"eU̸8~CI͓[}TEV##"T^Sⰷơ}(/_?zo7HBZu%E_q30|{FӤM"GdD>9W' $SG:< F˙-»a( L桂}98lJϸ ST9q|#A>AݖȱI,wnMn`~ QwԡΗxګ(yH5!KQ,joOSEm s/C\"xDac?5^<ʱ2\Nk%:mlaO x), '\ q!Ē ur-#|qS}=nGvMgP f[k(z$F!8'h)/}cW@6+bh%(GBaJ.6ObYBW>TH*6nlXkHz+0JBsu`9; ϻCGhxP*Ձ8a9,# Ͻ:uG9{\43Az഻Ev7 [ǸEK bZeU)Lպ/i*(@0{_n y@EA_xn]Mp ꑐ bT2R4.i )]A&[Z l]`q-QWy̻:L!ig% 52,$8U&3`o݀5&{o) 'OA϶^y3 hBJV>8!x/QzSorD؊uZ[׎'B<.3v"jbqE(_ƻL;Zy@5hτŜ6/oxo8JU$- JYaQʭU{0e{¥F)Y0c4K̀/pbε¾Wgg`ח9蠵e=$X3g-%&HmTda6A,,':p0+n^Ḡd&bYk]5q]U娴bZqRq\*/v{ZZ^ҠtcgP}J'ClJ7Ɏ?@pP(e"zx|Ҫ]ڻ)*2'ye}P.'5*YYL1P2.6m^SI$ՅS ٳePV(BGYFЄ4:,<*ر䒿sC)@-:9e| )KE)e-|1MeKgн 䀃6jߏݖVI3nz}%<Fi0! n珌uټ"e}[QQ >|Uؿ?Su$}s̩u.VQGȳa~RN2",\*q#Ea_0m^yZȓ%̫rܢbp2I/ @8\a1 ]ɗ#Û鋱R < ,E 4 QN pOkH%'㱋tɵfۜnUN;4ټ͛m|,݈eu&R-pyW`O2뿄C)1#ݕU<$ ~0EVHس; i2qT3c׊Jbӟ]6'5 2Eϒt Zi4ڄI"5(icN{h7٦h`up_3KsqH''PZ*̦b50~%P*r2H 8 yV^4kՏRNW,|P5(WKA[3!n("ZDL,AE~@4=qVJwg"E+C,BטN,lml&,vNOcs@-`O,L;U|j\`U_QDYudj}O>F?ITPݷ Ă W_hmg9M<_~z__]g;cտ6`Wes$W% e%3>rKIhĨƒ2J$dXF/m0Y ϳo 18VR%{؝|Vy3h>`Ϻ,inkC.S:+A,?uەßsJtrp wzhđbL410"RvCyRvɄva1sy9]NAKK.RzFrRO&RVXvP b ņbBB,U%'(Mpm /6WZP}b\urmA('F1 ^(3_V&‡] sT}"7㿿ߤ`V#JfǗ_d41 Ej+ ͅ\Dm}_eյ/SM'9am'gi}5ZI xs #~j`VO!- b Fd2⚌A?.31 ,IzZOqRj:TgVx2! :͑6S2Ռ轐i*)u Bukn=C)7Pޏ={4sāzP>Ls HI4LfhSo//WuU\Vn9i_@%ɒ+[[R^HŏC;.Œ[҃}0 l}'36hȌW:?ϟUNOd뤲m TC&k ^?\\f&= @ EҌ~?\)~E5?qDzON|\U,5-,- PPłwω.eaiy!fSv yBq,mO Pc,d.0YҭJGgXqߢ߾"̛tq^|Nk T GF )=J6qνh }"2t e ~h{Vr*-ZGX] cIb2tʼ"kyLSq~V0TyV bPe9k Uxi&!Á7۹"BcUqCNSE 7X1ڜkru*|2_mM}9? qDJkЬ72Wo}]Ŋ[|rU[1{!"6&J&xW#&[ԓH7K͕c 9:067W$̛7zyv`f0N Qso Xҗ^W&|V݅፪g<Or |e0tQ\E [Zpb3A5@hZzC nf߿=p?~moa}K#dBv{m`M:n*x 7K*a E8%t@j>W;ο3&Dd͏3WV߹EQojiͽo\[1"-@AlSaP#G4 Nyk Yԥ (- gm- zk҆8=yu6/oh57bG1;{Xlj;\?E8v3fIꇄFEI9R(hqXMs8n\AU}S!rQ"ACOdcfjf_{d|2efwU3*0Ch2 )^evb7@ ʨԫ&[Tl2y1G0o95ouq{ۢ7ͪ[1x߃zˇ,OQ̆Hv;yNj{nΞQ3PLpOK3\;*1X; ]\/ #,|~9eƣlJ*r AҩK=`Du3- wD Ap$w软_ceUf _ YX25ւ$/eRGdzjŤ-SɗTV 0(JQTÒ_yq$$ke@/*6W[,Lx )dF m ZZƮ}!5|Xu^aŸ^RihZZǷ rٝ8W#c !A~D"o ƆNxaj 9O|%yXոv^2`@U -Ѹ\NqH+\j}MѐleL59 2U x2i#p,pVϐojk=SEmbTuZ4Zb1{O7l'G05`0?DI|VJ6cR+GkRm7aԺ"):}Ppo`'ρ#`eclӞf+%|;0HΡtB3 Zuw<9sQ<I"Wj3#Vm45-[mWޣ=-ϨX`z(:Cx`"ͨ G_9֡9P,uv"m{xW7Y7 :m-9چMSTYD{`RFu:K.@Oj0/p8Q9TLʓX+ RmJlAޏ eFHs[!߬<#07eF,R8,#}VǕJpN? _Z>4!LHp"Xr\҈v5⚳PzԤȭ dvY"@}aa8mf>x 2ZM[; "ivwFe/lsN֜Feq=Z3*2eFpzDX}E+i<@+ Iy*IX&=Qұc(/an&KwE0tCp?k4~>pK9[գ|*"|㔕 /7J %)oD!sY8yvCNw/#@TUi6iJEy5"F g"/ļoY l'G%M?ȉ(>?4:h. rmufQ4<4 jDc':E+55XQy W#ZJIy@fPouCZ^:dHJ.6  'C35<dFNvIl1t{j-va?eyBε(p%kV`4MA| 3O襆bs8*3Ѿ^? f`('[mBzW3!)Y%K2 mD5Og`$4!i2QATˍogN~r4!U _p% z)5@wBV hH1]Rn0ELã qXR"jvT ]l+@ۓ5;yRE=keK| ;ȦFiN.)X˦IR(FAϟPkrnp͆N)@wB߭CH, ZRtw7*t {"Cs5ӹC,J%ƒ^ck [e0#& OuaƠbUEaBf%dR4<qbѾ7q>0%|SBQ3x$c1z*]REV4]\LdIJdm+n/(NJjv*TwZEo&UpS-$Q#A@Vfj~QH2٬qq{~t"8z 7dXy>V&A TNH? 9ZmM޲hH\NMc9+̴=%{"ԟ"ʐpvvlTAطnA Tf 5ݘPzyE^̐ E=CV h;dd(ތ ka L0e-ɠZ)-JJ7]=WZ`qFǨ/p7u1)CӡɆE"|P=,?GtL aw@qMWqn`T^uQ}K\f䤼Ym;~XѮ"&5e2~mYw^2c껢BqsjŻ "[<&hZZJlWf= %c\^?.`^:aDǂoҮ^l*dG‰ 6ԷPj`P1UJ ˾k|LrWHt긍@;։ܡO jTZv`9&M}ndG%zQ>Ŀ^3E"-Q^͈[>N^⋧^\ُ>'Urv(_DFzU]'7>X=)NM 0Y* *!RIM~ y'A\'ED0ЁX1&E-J2B퍼ځt~--l1HwoKJ]ߧYFH{+lR5Ñ,v>ԝD(W( әs' Omˇ=!. zz&Ć6nL*GqY ~xA$Ďmqc:^婮[6Wb%xAhfQ-`٨x4RTMm-znYL[PM, dWn@,1S |ME/Qj zP~A ƛ޳.b-T3$554=aQg̹"B?GEMw<։9rc;)?+B09^ omVtp|["쳕xܤEVk~T XK@ѹ?~ß-Mۋ#K|ST,#ܗ{ROtRlJ:lvE㠟x#Gf3+_{&չX*$lesM?粧oZHjtp5m?WkX$ *s~s~ L3{gK A.6Bi5's[G>w:,5$^H'DcmVI"I{g՗Yr=_ ZR?R#\oٳЇ2G b¬}stQ1gOEcg,r4 L)MF]O 6˼*(L=r"S&+-]g_XӐhh3M?ّ)}~ U]+mfBOO3ǯ@;rq7?Df+$Dw/-V>bk.M3ؗT 䫤S c3YGއC%ylGNfҕ2 :DqZݿ}.70@a9uL0vħ?d"g 33# j^]UK9Q2"Jj0tȠ%UyzLx%+8 ihR7"").fZqW3P)@g"ѣrȬgO]RDH]kgdX,3Jx +,kp%G|jf E&a]4o4jbȣàWBQ5QS!(Z ZHt m{ϹI /9p:x \^?jfI]]&.lm^Pk>bG:뚘|G >0[E| ސnK׹,h3\-a([c$S70gх >-R*12xQm F6n ,@>M` RӅ4;W дp $lr`@Qu 1n.mRj[B"34Y1jY=jZ> Sb'?/Kp9o~5>HΤ#֪Lp,ً(/mg%hK;Q[ݬk~kfDVmS tQY"{C^hśgxoK-L=0Kydi@r0oW?.^E[f E v3 '%Qf!YRL5Ǝ%]>}^5Oߗ*̀7W,.U_ UZfrB>{׋oRD?sO=z] >[qيo"pAYuوC— =^Ż.IO9o%:<',R)zpPE,dNC;.Cڢ6ѕ1(9ٮFz>햮]i0͏eG9;֐_¦_7!{Xj0;Aڥrb1rg.F[ql$(@j^[;>^_Wj0iš3p'=)eVO r'PFJhYꐁܞƚD`xG¯ctYbs۟n7mCt~ o{,?BBurvOa[{u䫾6#7Vk@&G){찾6[%_Gkա3R?`VG4< x.DA3ͪd<pXa.i ǣX= N`[PskF0:96ҭq dVh{TRN'k8Eh.g-g&c^+tхWrGJ0) XzKɆuŏBV̞Ѣ'_^huˬqhFi4*SlOXL Gθj,+&ēM`OpZODP(tCr,H^\ ]՛|(^gYrS*䱬w:_^4ksqϐ"{c1NH _c n`cz7X bXΞQ8=eОE[ӢwÕ)!ǭcTC t`~]e0}a8(i`]': ASwm_FFD vCamkӖO, 9Ӝ~cMZi#_.).L6{G5h-Tl&tF7łđǵA?e Eœ;R\( tԙ=Y3]n׭_kgŲ\ςEO@g%G3ݴsaT:'%!CIDLۭU )4? @W/P69S7 ,Cd a ϠsocekT,8IW9jPK[qF6UC^̶*):;;ig>o(IڲHܚa?q| q'is Dں5+;}DTXf#'mb{+A¶TMbeL0LiN;FQf\ b\G&/D9P<uՔI"Ԋږ(2_5|ѷ!5?F(DI$D%z~,zz5.8q~>'ՆuR>}iȠzN͑+^OiԖNWrۀ` aV|"+ߺ!$smQ>LY t_ QG.gJT3c*4JplgZrOy0}^!Ypw2.?3zD3樧5HU#6JѿWk\c fV 5YzsPNnDN@R~ߍЅ9LҴ,rf!lb!X9>wt;ejǺl;7pE!@o, .$(irWh l_ӌ+Űi,b^C׶xGU\ihT$TLqkwV;H`< xu+*c`'O&PG 5.=Fr \$f7VR8׀/u>xovҪJ{hs4.Ȋ$֙R`pa'}Oblv1w wƳyN,u&a&[nneп1wnCSy2о1e PS T* ;)Jؐ@$:k43WlM_̼r!"puDMھsSR.-|ܵ0?JnnS"~Cȭ c7$L*ܭ0k idRvs?sA0X{i[oEw G*tsu}1 H[ms紁Pb|E!b]!e>:ȗLdhŀ9g' HkA1g5nR2ǁMyRlAt> Uh%~JFpͲ`ȵSUr*Ep,6Q3}eusBY֌ozJgyTZ[r3?x6 <<~+ aP%|冁vYI׍[&SXJ(n5>УXVkPY;7Y z!T`LJH0H{'`bR)|<|>T 頿 0f&kkQIlw.bV3|LoAx`&ZUk15\nԛN?A |Cqp;!ϧ >tM"e}^7]9Nʺ6nqboJSo"zz:v)3D[xq JF2S@* `!ݓKT]\;H4p22wؙH <׮Y\:#z%!1 K$F$RQ1p'Bg~MZE^*QįJj"GFT05Vu{9gq =v <Ѭ(}-fʋnkhky.0RxaT'Q9Qv\s ͖lT,Uʌ8բa-Eȩt]["{/sBy-v3K y{sS2ׇ /%PsmKQGp Mj@c`ѳMF KK)!@Fct|Q!(݁` Xn,-%nndX$N^">Q&T`DKF1ْ!P&=zDs=GECs#Jcu+ӨLќ._A$ElR4lv  <2*d -BzJGgBUU3apݖLi>r(F*60j#Wr?_~i+!n`XZ.EAlm{G8/J Y]gfJy,d~C:agXk{oQ~BW3GԵl@zECo~PAY Lmc}ھ6x˦a`vcIv^-=`Q*M }{D!7A̰iK32'|L 1C^3rg 镸Ls亟-w*+A(m9x*dE8o<]pC E1Q ,~aM(D].L/@<8S`U1K N[ +#4_ 0Xn@Ƀ{mgvr@Ǧ=OqFQj|L]'0rrÐs״u$bre 3Mw.>'7Vsm5p" )9!`[މE | и2^>lDv4 *.u8'+~H_WwDeL, S+Ev+W8Xo娪T`6}hKOf_(8ȉ(~*"k~ |२tz5\(OFN"%a…sgebRY`_+'Hv{Cԏ+\<"Eg\E:) |{yB~ѓ\K}ূN9=]ѪݺȶBEh/&#>fy3]#w(){B)e_&/*?%&g_ѲGʭbcaݿ-;-k7B L Nh+Zi);L~'ns`(mm@ RqKVFZHvɴ.UM0v xT[M2LV%Aѣ*Ljs,?OGk/D)SW7`=.Ґ"[9Yub܄ r$QHp5<TT4=sCWOaMƣzܝ[?刞0 *G`n3xID>Ar|ph~bNQ0VSvGcx^ht4= {ث \ d<0Fr+!$!F<&Ѱ*dfY3!4q!64@š}|}Zv rw53%ӎ3h<sUFDr94O^~(Ouekx+>3CU*ed6X(8mO!7o2 XXs-I&}f`c8ӺSnFluks\cc:(tVjK4zx8f]EQH? &$umL) kC4WWDdk$:&8 u̞$2 &YG@39GdV1hٵ ]OK(GHQF,2?wS;P߶":lW鴀W dt"c(¶ўj:`dulzVƁD>%62=7iPdN*OOH.bx@ŀ 1vT#R@E]bi`ZtKG sSsZ|%˅W_F#aġ 2D7цryO4qZ3?gLǼRVDsrWkew>RS Wt[9<(Ce9O{/9(Dy'^ Fi/Xz!5I,o0DGWP4ޱm]? bUMbob~9j R- Z'/7@$b֩}s7nx/}'c9f- Irf[iI8SIJVn.Q|Z>uDʗ,ds5/.bSaZM66d mAI#a{#ã Z'[]Gk|EK{fY$TҢLFGf0D}׻'T|hߦ?k\W_pӖ'CtWD(g]_]mſ!_fA;83<>V7Ta*fbl? وO܃vE{Pa󷿅ˡ- Щ傌E[^a=Dž.H7STˤa-?FI4-$Wr54V18֤?x|[O/^,/;F-z?s 2rbI-+6,L! W1 BqAF󪟕Z~%v .Aw)֓y S<:V-4]+ nU@r{W#.BWgxg * ̨<1`yC"Xxy$ ~,1"<|ZX+ 0omZQj> KvCy| ˇq7&k1uPVS͊_A"tQ1/Y3a.g|TB(;2Sa+TjAkX?~zh{ƢPrNU?24vչWr:#*BNڣ-<- nأ c]i AOg A}ഏXʓٺD/D!iQ$1aeT=-D"۞abv oaqlRLl@2B\ 6= Ŋ^sq׽B҉B7d)1Gws/xb+ĨW\_A(*݇ŭ&V[+=$'2`T!9C%~18/?# #\Aij-R`Z L!(m*_*MD>~& a4L:mAv'~xHdӆ?|bίF=#x{hCM֨)B}-qhk-Yߠ&_~JA6 J4._c&P $VK>G00 i;$= ˬDjOk.gg`z˹ǻ"ErgV4(dVF\ ݴP%*7:r t4et3UMTcG},6.Q VmAڬLAbiC/-mU9z6㩜ÑLx 74Hw\L;{h&- RNqRu7y0\V֪qtr}(JgE[T)akq Wdۡ ջXY y}=w؜vE.@osrXʍ8g.m'|(# G:MI~rwS#G@2Jj|Q!"܂3tK76룷UݤXz^r &$@YY+lL>qt,yB`X9mkM`K%O΀ lq!}!Q8 S'wU IHj= ?߾&u'}V*v4Y_N?]Tbu6 ˵TsAB^87iRfŀOrDKťG7p0]4  nBqlTlJ?h;Gg<@k2Echk(jKAIpFl,Ֆ5>wR`}1E<0/~CMBA0ᰄi&oGVmɊ9ݤJJ#%h}9 s NE;_ӢsOLw6 o=#7=*,ޡl`l"nhhL&=W ]l~Pt;XxͩW>VL47Lǰ2d^aq;:'K+ alҘ: J8C8vn67qGhH{Q0C@>qŃ,TÑ+QH4JwYte¯<Nz1'1\&qJbcb@ ZQ-12ʶfE[5󗗥Pt6)4Y|em%M?E%?8_2~ hiK3t@m"C8=n_Ei_v IE͎ fO~?VKxaS\Դ)eۡHn^ `+C/ }<,.nuWzH%raZ)$+Y/u%_ێEViE4]8ށ-xq91|8 *k7+a~egkK=秡nl.G\NkvrbQWE/͗,_z>Q'M>gL+pQ!x qoYԺ4"N9tfk&vi[n8oD(Rhf3:&%ب"GA 3/Of,y{Ik)vW& ޲bs1?H!%ʈ f5&<%Xo'#}!b<^Si>T[;^x:#v[(R%}u1%P /( ) QMmʉ2=1$spxk9A#]|HiY86֨L7lPc hoe%GX< gOn03)pcr \wMN 7L%w(B#zt_H=r"a5OʭL\cx,OQHtKL`f jWJv"G p?c%mon;frV^4=/)';dgXY<6XR_tqf=oֲZTqw_E@ uAJ*cwN/HyFvu@v6I.ɢWy+%YdͬiWU2"x37~##Jwk[h"v%N6S mn`C{/4ejn͋&f̿Gh6A% ɇ&G2b$JyG~.*#;A~N 15-=s,*jګoP=󠒱o03{+D\Ȅ'{#2Zg?8/P,#U֑/@4l>?Go>殺-U/4j}Xوv0bIX86粏769d``ZElePB 醩q\]PdRAqfme-.UԹH*Mߌ@'<ӥOldb4tPA[Y5DL!Aђ`ęMl#Ch!,5fݫ7pnh3 `'}bw1 mb/ž."G6~T%p9FYХsPA! \Wnwvxg@I!Pw~|Q_F2aiOOɷroA<1|2#~JE\^rME4;g󔽹/(5/%d =(tHe‰MnQ#xV4,t{uR oBL\9:]vUKRñIp:ŀ$ryjRpiui!y} )‘}[zġnf:izytGD-xgf@(> ?יof9(ΨqFķ Js23"\Rg 8GʛXsmig@[_La:,}'@Σ&Z*H1sB%ҕ ?Hi ĭQ~'WnO^Êt߾ rK!rM\ŝp*wLݼ=C3rj">܁pqIu1ϙz:kI NmP,@r/mb'3}T4Z)8srЗOA[^ &MK9Y/*[*~gUq%O6׽vvdou?SMuG[;t12)~ޕ'=Έ"!t^/۩p1X{egxPڕ=Of=>rȼZRli4WF|Szx-M9UOJܛUPjSwu5b|/=߱g]Ij}ע溇6h%X^VFwR[ֻv>E :isfV ͅ+nlzx=S/?byV}H$r-uKF].oG;i ܽU "nO4ms (f-,t_z@'2 R-5ڵ{)2%I{lzrW%#9J55u&`JXzL5&1zpu汁ΓLO8˰L">=Q~e-Ѡ&s8 I U] CR~ݼP^mV|GB|Kއ!)Lh0ᦵ[V*>mrcahS~)5rx e`Bm04oK\#IOܡST1b*A|6 QݴNT.tBCY+*M<1fud+~f`2HzNVW JQm]٠˶{#ЊOUۖ7=x#M~+y񽳎$t77)8aRari>kg1HЧ/c̓O )؊O w2(ѐ}FNP]2V) 5̕ ܹ {&k^'E5;@?ѓl-ze 6'*LtTt zHօ)5zx 8_mueC my;?Prq-5f 67Gw9Q|2tCuٽ q%; *լ# DbH1S˅"ĢxGKϥlB^ru-bn[L3Q.s`l57>b]G,~`'>IzK[{^XZjQj{ԵC%%|8hʲ/RZ~+D`I8،,]675ƁoRv1j>\H=' tϧq,݇<=ْSǗzKrO$+qr:q1Ć=mn*^yhjSpxa8иԭkufn M"7 %rPV DH{BhWY$fm\Ћec~BȚs ws3_T8uawke,Jח X =C4/]5v+O*HIOMtP4 ;**GF&qd"؈x̤lE!݄/K-PH*r1/sSlb& ]3*I(bo>6t*vG4N!QOlțȿ:c=G7^o(ڡ##įĢ;(ԬR=ef:fC} ƀ!ϲC늦I_\!$ccv{bhXR~q 歄vl-~q^Q\g +TT: j[ַx穇jp=B^"k:4..LδY$Lq?PtxzHMx)$ t mb wmIJʣe"(jX, %+UO$Q tIP(v1@vh~(~H9t,\hJ- EˏDqZ'nW%/0ZƆƹ;f3>] D|t8Yχ0~=|ޥ/X< рI.}Ԉ)QSk9^;JL$*d:K˶2*؎z$(~˻ܔ.1i OzyJa$o3Ĵ/ 䈖a7qq%&^ Pz*)jnPs-^EmW6 q^Uָd,}fhKy [ChhiXf³uEup5jF8IPCڃ+Z3cmc]I ܔVSKzzmѝaѵ@CZwҢX4XO e3 A´/Bd[((K9QtHSߟ@\ޅk| B#ʭTzr rx#xG8VC3x"_R:7{]"BF> KZ:EfyyH8j%g%?hWpveZbcP݁WH A%;7|j޴qL)yz#SǨr1ETV2aڪKpUTŅ)! hNV -(_. qWXxA`O+@UE!FZY N|Jx [|:{0:NZsX^W؂)/C?q =BMSjrmo/ \BYHSw3?QH[|šnbx;l!*A4_|e ߄~8 ?s͎ I!)> ѿ@$l-W5 BTqxڐ׺'j4) Cu.iEkOPQMR}G/KvV AC}.U7h 8YK瀺7^ PN@uQTT)O`j^2 -׬%?űZ}LР mcf vUKEzh . CY/`+@ߛ"BV7kd1hL<0rBj#XLANb<^<I!cISsh(T9, 9&ezXchbjkP~bÆ6ޗof,!rv2j_i8 Bv0$ImIxfbYR97qGfeFf f4QSDy}[ WGFPᠶ/\hоf u=$ؔSIJJ*pF}"FLzī4Dds<79e2 zpegkk‡*sV~D@%!2òIz,3 pAH:3$?sXP.?Wލ7>In eJf4+ǻI&K znz; #IZ_Fde_;[@@]~ڎYǧ y˗~cW}p>Z6Z}Hό4eݟ!V2=&Ct0)tKߢj^QʯI|cpޞDv4,iLL/w-$e|7{ ڸ.Cy]SvC{ĊH!”2s@P;U`_8B^!'ZXPF%V16/ u%J*tR.{8, $OEO[D0ClPw$_KX0lR6A}ǖg`g* J0VOIJFʕ[%8c) l| $] "rIҰVU&lop5g13)2T ۹4}^k4?)3%Zf#/Y,l JKqԞ'$;z|TK3w: |ܚMME=՜?d !9pkop$&>v،-Fo4 ( '`(yI5] *a RqL/sz4^e\n&b1ߐ%#/8V6dz5ab#4l38'SY-g*ҾÔma`77TzoѕT_Փ~J7JY;N(wK:a> /5{42 =(NsdDo=YHzMc* NwX|6VRzfSqּ}cSջ7y^v1c$eĐ!̆JD\DS煆QIGQXv8Vg\!+5."0tnBiАBMg='c_bD{zyQOCj4|`H|hH2 57cm|\F1d k\ϧ_y{A$TwBtR*zf>5lMToyj*!̅~b [5Xrua&??x[qW8SjF[9vȪ Li5s>D;}Hpr[ww6]ʣL! [n瀻eFТ@<a^-,xmy|uJhv:lzV[F']暃qr:;Rœ%Hk ]k/?߶DKE >RF:ѝ2L ?}mq>AR+dGB抐)8F 'BX} }/z]dM6aYQ05ؗCS 9qWk]Z p@OC3d{V}lX#iM_)έ)mnAϯ|/G(&nAĿUU?Нuv+DU"S<"< @|U\@ˁ~oWW>JQ-$gt7j ^'`_[ݠrSㆫ%v*Q1NDd &|v" k%6m Æ9E]Efyœ- >o-Tox%tz]է5x{*vteƯfxI#B*fXơ!Ip&z$!_nMJ!NE| Lp׮G׾|j;#BGgo%&fڟ]Q H'upֿ}.b]ཨ-:(W* (3j:Y@Wjq -~)d^.,c͌_JN"b+j~?r};IGVi=oJvVS 5kĄN !&.^k-h*1-9LZQt@mKPn*Bҙꨖo.cnԜfwhuu:49^ޣl}3FQ[?{*D e@unB~Gn *J{0țDn-^[]1 2]Vtp,0IJxV>hwέJ4([vw7 RYEa1iu-ppdJ8W&nG6'C6rUvf¿r(5~ɩn)H.HaHDM"Ƥ_H[!{hߥ5mbfj%s>;ShZX|ݠ[ɍA{eElUR$'vL:\<' 15㬱#ఝj;.^!B'],r `3 2}c|)E#N,0}յ,["(j?0W]31l2xn!py<7}QG(-Č y|goluzÎ sp8؇ZQ_`Iy#csL'*.g7`">S AC̪ yAɃ G`kh'ʿ3rNK¿$76WZnP `[*\q-*@\,/Q,sHp_Uy:d=F␵=V-26 2[75+-?غVD|*82+wS[+kpڹ$`,d u͉ .iCLaH)W)+S^w⣦OA ѿdB衢:2.z8ۜ_@D  ?_ ȨAg6y4@bg-j=fr9ta Ol1k{NfkWT<NޝĄ )rns k_/:pFAڗ=a<0#M*͎WR÷F7>n4.X^AgdMTCG~\0`bA驺77XI*$RZv*DdPٌ/8[󢡐_fjל36ѷz?oߺ| XK ӧV6 K[Ѵ+4bUˎ4шPjn[t_DzUFN>Z^Nz-a?$X/UuxYI3hQ"<ř+>֘ʙɴ[F+C%JKïݿ\jfסf7}h 82Q*՟j]b,rU4~=E>ʸ2C]o6!/Ι"}>'q ]+V&PF}E0\)6*=hw`վ.@l 3Q 1`ctwBH) eθG] ָaY@)yUfS]7ڑD湷@7 i:J/0QS3NLώ.[ ̧YgSoBWTbVWҸbhzqg ḎYEO|'Bs.狇Re{tHGʼ+e^Y"*ƚ]U!1%ƺ ϬפC2%Q>bxE9on\q >;ch/{KP"&,?GP/*/,15ZVap@hV(K+ \?];%om)0 sZn-QͦdȥC5ƄՇ]XnM'rO .d {17@>rM'pcBHM’u.RϛT݉ @$`EEH:WyyK|nL6r7*|F vhj"%Hh| gP<P%1 Gz/^mD&U  },<,,=WY]a:\xT.ݑg%nek'yh} kr,ޓss1gsp8GkpiX!‚H!e1& ґ+m "ǹ8 דMhoYFGJqW;c1YYo*Q=aNQU/r&uF/E 6O93V)\4 7T-ʤ̘TLb٠f%8{`Jt *}!pZ5,4?0# LM.%N1erkI2.r( x(^ ,<sWG%JppJiIEhs3$GHN/ڒCxȺGZ' hogO8&0*ʻw]8erg1ԴkUfa5[*8'; "IE$v MDyk_ QBkХe@lz#Aa xL" a 㰎$ܐiB+#[jW_n'7/Nlxmw?X] ;nEekWNկ)x "NycsS;p0ZuN25/v;=-$Q|\h8 jnGG[C`tqu20+|dJ DF3 A~q>St` 6k(f$HNI_gÎu38~e3` O ] V>wo!%n!R5x;@P=m/BI^[!4zP_U~NW E u G#0Z(+-5ٿWP! \\wiCRWlD aƺfWveMe;&b3{=]`P(熃@hóƼwusYCKlUeVxʀЊo[h> a5vEUVY}f!#U#i;OSo\^jՉn)*sd߷wY f"vY8`[q,>Fk" )#"Eí' OL0}G`@C8*py:3C0"P1V ݍ)꺐` WDDNVSCϹ@ry.Lu4!E@+ۀ>W| גsc4m{ \Ϝ9D`efz/-!bzɡ-V)Q ~É\x(iիWE".H8J0H'6 X&qLRI\R0 /902qV&(Aيq5}'=a/f~Xx87yc3J_"hRCjs~ˤ>to* Ѽ֟wqIX|&,G\Pf(,~7 ?>&Q*Pt2W~x18+Q1;eĚ߳%(/nA*ͷ%msO^ fC n'`{{K̠o&@82uDW(]i!W\jR{Ddۃ]shlPT{SPݕ_:ڴB_s%c0#3&駒$^3yYz. \ʚsݜbEF\] V,Fs_zi0C)pUN;'z12PYDۑΈ~ 1Ӎ팓|k PHяM3'{݋%% fw; trV43w$)}̉]A (")U/%I6eZ?sgdi|ySWQVqK#h-xh53 R1u'O|iD|롈Kώ‚!*CW":VSвL0lZ¡?w:i)K/# IUkVDzfKqhrg tom<#qDpiGD^0Ld4H '+mWrﱤse~+k΄%QA[V9KY.y vQŽY~=mV#3'dGZ=vKȓwِ1 2Ҷwa8{0t%r9 s^eO_,bǰq0F8CPinaFSy>WEɆU %dD{ԹOs%-kYՠFLkqΩd>"L2`&_R Ci+lωYs`c&Bj~OpYp7T<!yzup[$ܗ-qIE3!PڑlBWAü% l8z^Njxqu?~Tn A(C!q~)tSxgzE>ֿn]јP~Φ}~1&O`3Lp ~tY9Q`A ޴Ђ[Zzŗϩg WyLNy5r;A]GfAU8y?cRvL$oSƅ{7o ˆ]AaYJyH^N&K[cPmOIs /N-+:3Ǡ?UZlp%P-`TS1Hw\aTVY ҕ"cZ !!!6hâH"86.)ת܁7D@v ORp{Ñ?`6buf,zV7BkMl^)ևiIsdS,IhE0̰NW v(1 /?@L []~0f}'TT!8ٝG.Dap:CmY8Yu cl%*XKlSAtur ^oX=Ӕr+®6z?TʱE9֖@!2j^@oW/&Ϋi+Lnek'X8,v&T8O#>s0)_zQ$^~` mO)AÚ%_/,Y9+_f A&TZ^8%!ESf%wƐ xT[υ9;y2͋V~L&R~R6O@S@ i1P3b]+f& JZȰ9뵌m.QU~pG˟$Uy:^f99{6VN0&X {1GlO~8"KŐ_2͌K_pTQDJOd;%eiگS+p{I7^r"+8{iIj zɯE!o޿4E4 2q8 o$cC҆vs#4x5tÿ0?gxqe;PLU(M?#{+V)@Zoc= )cy{8DwRc-,]y@n(];z.y4Fbb!#W60.*!)'MްM~3ǻAA κD`5Ή?\l<` gWOzcm}w&^ -&-'ڸ G}bB(s>&27~(.71A*\OI$q$o9dC74S_\/";'^gn$"cGyh M "J9]ewf2%&dVr~{ )y*QIBDhkhx@PB 1vo̗?u~ òzOK9+4RyP4)kqN}*0-cA gw ƓjV& b]K(2y0P ldY`i|\/2ҭLRiOpߞihA J9,v/:]Enxo666Ҙ=]DhR7ƪѶ]Ƨ. ńHlI(-h7L$Kxd|@v#Ӥ]xH ZY%T纽P `Z !hnU+υ \W?(b]uh,sN`=Axa+ -LSrJ Zd / UNr} :Nn ?"ʵe4?4*"=wX̳c?M`wB<$㻏4ևm{Azs&-; Rzp:6xL"M$H KNUuRT;ռ;AT5"ڤ(a6;=έ&8OW]Gos)]ںZ/KM-$DPނ!HF4}2W >$%LOz"H az.:j[U/<~'rɞkHVO q:©o{%9u1Ϋ#DQ5_URh7PF8 Q`x)%*}42Ae=0Q'tj a=E!sz1WPdocW*TĉY/&,dh 9kd/k.dGHېdHF_vަ0j8OLW=;W$3iV^6ƹ9Z+ כT# 9DUB7ē@;/ƙfs?ʑEE͂|z5ώևIIÄeF;o'A\ҶqY_nZ[2h[!' הC@Te2 ֕<6'{.Q, Z:, /+ t`*k8/#I67n@ƮG9NWxSʆCxk3,G&_SkDY0Z= 912144)z(nV_/Z#+k#x|dY_cu]AbL4nNk0:%@zi߇<,|ҮXໃTM~,O҆f*bR,ِ `[Z:&W"To~Q<֣>BuΟAMPA<&eQy%|gPI^5S[-)1*~תjH?1KnOFg|2\޲z^ֱ?t\uIŕA6Z-%\ݓ!o*u NwێdI>׉ uP߇ BC"\UJ#v1d9 T¡1p؆t^:y= $[I^V;.3\'eeQ< FbU S+ʖ$vvmzau+O,v"%NN#֝_>)w_'Y#lY~*iS\ h\m0&w`4in`*IQ8ahIJ(@2BBV.0K7 L0A$E WZd{:\n$l,SqiCW+Ƙ P[8G)}b)%Js`qK#'RK:]0!a"WrG+j&UGeڡ9& q 3z/_ގ{0v%$)|NX!;2t0\rmĀr0LͦTe$"ё(B?yGXXOl#%so5V;NF'Ҿ7ق zyxqsL2s $9-JK(? óc@`ç\ |f+dr@yYoM=RŖ[a("͋(} + }}|Ok{(W2GQan+Vn B&:☝aS:;ra\ȾBt[CF+Ut4z7f'N3sbaz#סNT@$0Y% *ӧVtJ4SVPRdu"`SV$=S` \%_[ Z:I/1ZF(3uBBsrWIrcu2>Kk-fB=bA^2~jZ 0ZXl#逶ms@;  ],3Q'6oú6c:%5\0SӠi1_jId1m׭L|Y ҙSG,j'"ra-/8fby|ŖYH;uC+/w9mdYgkZZgC5b#=NfXWLQVGI>5,[>%a-bФe{=ڋٺMtlbZ3w\5?,c;&a',꺙wUKIkg 0;*`f20ˇwV=sA8G4@Tt O*<*Ҧ?j7[3j7!<Es<% d4&ݫeX1Lh◑=R퉩8P讠|$3{m\{FA_y?38 5Ol|,y7Ư>$Ir!#$>‡ѻ/?᫁Ad[;IJ1KqaF[܁o5jk]@)-7|0 ֠qaKmQI@٩ *P0Y"&krPF .nl@5g"&@,{&_ ,4正?}m7}|Xq,փ%YFvǚ|`G(`X7 ,\V_*9@NƸ ݜ)8,Ѱ|U)6dLKt1ŻOE%~y䇮$d'b>mݓVo{vA;(@!m_cʗ p]J< <L)W68b4 c}tV !zT|'ClҷQތPc4Mn(Ar=]k!Ⱦ /`\)MLMڱO9Ӂ)hg(i,H=/vnV&Z5ϥppP"Z Ҡ7aRgMn=t !nr&l˜9eL{GGQָI {kmRd;'΅UאG?<I)1,K~תj૏ Yz]?tN4Dfg7EA)Fz FQXl ̿4'\&+s/F* 1@_p6$43En62Pʮ~l1/n6Ǭ$^c |mr>lY  ~%%r,H*-pb9.@$7 i 3/aĴϩ#ҙt˙`˒p75<0IJ;Wy.U NPwl\ފJ> .ǹeA#*,>ƙA`z$gYi]ma1p=l3$.ymrW ~E-[%=~b:$sWB3b1I~ D뚒m5@fbOӕ;~wEyʢ'p"[Dmd_B~LkSup'u ~.P/ݰ.]P a*EDv ߅d PBӴ!F9h]xYkwiH]ї G^RWDZgxZ,X=٠/zIPW6`NuT*| D®csaØQ11pt3|J9̟"۔o7Z"@xN\A.!A|-C9 TWRs",+3r9IP)~64ey6b.w5)s卿Zn[/*ifV?Qs\ofіUٝ&gxZV>p}v+*V,B/|_)RoT8} ^'2'c^+n )OƹQڑ QEHFtrP"sՕ}BPZ6;84Ţǟ||E҉GaS+A{_P`C!`xrT(R؄']ϟXi a15^Yj#\c e. / GEF uYw]4\Ufv֣:TU}{: VU B@ 659;/J^afj v.^iD`W/2m>u$SzA:?s}gԋrHOe]z i3-r;$Tb>qzJⷤg5˲h̬zB3J@NOnĮ5<nZq?B SGN3 %V, 4#,UNI89#ix*.e.@I W@x j S|o? 3d.jz:M3or V= 9vMQIӧU\UZ1 H0pˌؖxp%6Q>Ɖ~߆` B}+Jz!`C^_5}eN CZ,=S0UELpJ]] iƹlWH 2jw%&0*5fxaU}hc{bDhG3u8o@>.Fq#&B \U^,QOG Θﯜ4#8*]寏"+[2Hj& a_֩a[T{]PC؅zqT2} W=U?a$i xx~my*0QdI@:bt[.?jr;1"TqPClYIQ XkVό.KN<2z\΀~";ҁ-៱L!PB8P FLM9_ww=^ϔacG_p$#I[(>%Օa4]1Pb#׫61i%Kclɤλw+ٓ6SWm/\w"ӝ 2%3c~{IMHf %!>8Pȓz* Ft68~ eWYP;r͊t0#'"%8|%NhCF]lOpT,Q8Վ8ItYh1`(0q:alr.LLor6Bd\0%Ce,GX|l"} xe[i[]{N}]ǼѪ$<=@daRVOE9+uE@ bR!2;^Z˾"߂Gn@_qsiEz4&9ښ; Nzr%&dү)k,el#X{,}Q&e:B+x S}!nY;KAdgmB|A*7%\ZEdsCʾ>IAO_gi-e0\&'y9yz`c˞1Bo~ p%5QUW.ro,ȦEyr&rCD( @ݘ˓WIOrɟ+UdTRQP:c D0&JnERxN`ǾAFT=TF'܅}[TgꔙqkN=V#Uueef$߉J_<-VW!š[2v5B_-S/nږyŝeE|AN_X(4 m|jj%K |(H_殺28[=R]#𙢏-H6Rdι(o5kZ-Q}z𯇏-u!rW^mZx#!ʛ7V> &?u̲FKH-qXPX×E+&suJYYHw 3 4*G[.?b$#wэa6 J[dxrC8>^lShώ ,>@ˆu! w>J@/0;nl%4fp3JVDgfIФYrs߮@!H@huH2y7YPJ_UPNcn-Ǝ($!J>[i TH{k N"v%¢ Zh-lZ xma®̅'6SLO[is59<:MHQE: Gy~U0[`G4Yw7n 4FuXLHk'!Z34tiDzqFF24)}TLPԧnj;Ee@~Y_"88\>}Jk;9@ ń>]xY-{<, S#u8,dܻsnLoD j U / ~`{u,$jP] }HTMA_y? 2z?O*BC%QS"}i?و.zc|}Fa̓y@i)0U+h/i 2 k ;@F!fI&iRc?xg nN.5B(RlaBK[3oG.2t.I1Z` ^K jYw:>5Z6\4W4Z~.ѡb9HswÉQ;@Bwˢ3>v`-zo`Q8b[֯`3w nC1lncP(-ìKcS*ьŃ{l:77KEP=l'3P|@݉j 5B nK}T9x?9%%Z!~O7IyOA[(S0!q L`p^U'SB u"`GT`ua[-9 1I#dgPe5B~ӳyFc ?Nz:- t&li U:ӥyusK;ktG@&>)fn%7 -0⁏vs V5Ճ )/ߌ3Ԣ/>w⭝QFe(Yq /!9`SFӎw7!e-E1f`vcJ]4@|ᬨG3;dW @}UY#8 Ucq`P+Ȗ0.*ꮒ)b1`*\Sڽǘ/B-r[/ {k$UKtص׫>2&^CVЯܪ U-ϕ5 -N(XYԥY\( Ox`dock9c}}i˹;Ҽ FPݾgrMڢ6(Q-Fx6E{+{G}Q9fx(z5h3=WN-S]B>.YR6w&+|)[sfPu -Qkmm(4/:=B"+CJtL]#j@)&0_=XzbF Q1ao6 ൌ*KT^НoC" 'cJL$ZP'%KΖ6,y!ZKlqP 9#S` ARB hX-?'{VRyg]͗9ԈM[VܶW7C?۸Ҵ *8/ɐ@];\kB;I94bvS4Z_fǎ"Rd?~gz|#iʲe_xggť*._?ϮY{ose-ȏ%Uģט1 ;ZOHbYCpfX߈»_\0f -Ib8nE^gMg]m2Os3:z)K]l䳇tQrbde$8D*cAA_DղC10rw0 ѷz#pjV` -g՚L1V|>!bڮԯܐO %n(8ŸQbiZov;VʤTECVo1**ktW$ d(@jU 4R>dm@bGS5as rn`{P(H١Lf/[+?%Q3I=)}"#5Sw+{Uک ZŇJcghy׷׫?ebv+237gVz;3CM,Je'roÍq&lM/7&N|} jt LwY7dH 4iB?>N|^5Mu'):>]"m?n9AZϗ#r$JD"-AXc'KRkŒ2\#}3eS~őF٫"2M͘8S5$TaQ06Ip^=ˇoeQSFρk+ʓ#3֢#Psw"uাҁpIa[XΪ4.2gޙqStRݢ%ॄ#WG_dlB zj}"jsj27db5-Xn{Pe5d|Foi,_UFC" ,$694|9c@C-镚i#E۹/l+X G4Jng},*œI..L.O78qNBG~݈'[`&~C˙rގ4LɞHkm:^;ߵyX.8F WYRur%i ΈO˓diŻXJ*3"k*p*Erhiw2rݛ%. -uů]u/خakMԅKTUUa-"@d3GPX6ZuE-h9p&EwD 20mP+_"+P&?>թ Үsk(gJ`<,L2-p!q  ,㥑,dgn -!lk`*^Ӡ2*#Gєyy0:T:hƳD虩Y/za~ N a梿2V0֠/ژ9;IA)*R8P#Vű%Pd%-䊙}(6+;(3Zb8mfҴŷÀ`dgB=*[1@R-2釜̕`oVBޝ8ΰM I09 /gP㘽qh7V5/T {8MxVWK9B[ń{l{n^l(f4x\/t"lpD-&0s7h8X`BA%';s(~)v.J99 /bymvPF mɛqqҞl 3w #H3C㳠y^vF^P<1>{)y'^; W 7b`T94IKZ*7〥1$<ZAplGC}jLHb<_5-R=4XH`;YS|O۩;mI|̿Kjʹʆkϋnxc:ӎp!hq16ĨWȚ T3UTP[Z/Rfk-\Yԙ@X+Њq%/EC,Դ0HCT50DbXj&M#7S .')l_?d`T{4 ) æLlB'T(e-*S^pSN}A##NI0}j)y_Lt?.+F耵ƅDẽrb X>B@Mї:!kޞpWzfYKh8(-u*QC"qp&PUTY\Q_"Y"VjOc(+}͸ӓ3L.zrGz턟 ](ѱJxKv{2 vm߼$-}"O]a_`vIS #=R<R/1if!+SXKUu( ؚp,L7_ha h gmNKsDD6-y\#(K5!_QHXR1ufL_Ba(!N^ʬsx({B !4t%P'BZ;LYK2۽Р ; \(2]0cāHQ&II|kZ<q~j.lk0h?xɂZ0ԹmJu<(i΃1[!p)So !}cユ50`Л9v E=2ۯmANmdty;w%Epb o}vc'i OC6O݁QRiDoS῾pـ#_J2) OIG~Ryhp2pyb^sq^?kz ֵ+osSM$ƛr> @*NDHdؠZQVm`&>ۮ̂9ۮ*>~ڇxھ*Q8[g߬O?fJ;DB0VN} 9мQV䫞^Lw`u!}h'{=q^Qul7H;̟%0 zE>:!EHv$X*i[oW;ye*mO,K+g]wU47LCTvȲGOtʿdbVk`K"׳+2%CS65 @/ c@+'.J!2O1- sQ̖AV+Cm8m+hĭŨU$x/թ7q8{fyyoXkw󅄲>HfQt7W8nJrY9/)Ճm\ %ܡ Rj>e)’۝|.FvBaoLFi5A 'SM:e!?[K4&v&=q&~Whuq0]37I)cǞnJ{,hVBҾaG[4DQd-Y"d$\V{N$/ rGCe赊A2pR;{wv &mSF(أb\Ֆ~*ti񆕲,2-R/S?DT'U"":t$`-3K3}['! R 36~WԘ9ld50/g DX uʬQjZqzwQKLg5ݧԟT6"a( v24$Cر^+G4XUiEڵ22Vڙ7d U^8[`#[Mgwh~l3PAZ,aǧ+V&a% Uy`/D(o@aW/oߩXM&AOɚoKC?j{ ߸9ћ)G33YpkJl$U(懭Q&tYhLrHR[33 yR[S]-J8ᣎ&YfTɻFI YF2tSƖB.>x-u)7Z%sf?ȣ= .NlRܼڤqyKa Yi[C+=J^tDS~r(㻶$6i?U^I U? zl4ȵkØ̲E]nqC7֧5|ydq}\AMhJk5nqo MočRҗ%Քt5sKBOow:ce! B)Qc91Ȁp)Y }ƱqbR+ I-}4RL+6әH!)p0 QA|EUvV$&} 4;jz1;2烙&qsǮ/|;t;2dBMf »juɄ@1KH# IPp*P~ߘlp6-3z8YF =oN#aQxk 3`Q.[O"9[L.љME?/ҒN7klDztnksΝ^YE}6[f^i#j=Ŗ$̅#$׭, }b \z@{6fj(Yh T>P1S)Z?]>htpfⲮoQW,^تظӼVَZф;*J﫼DDa\&)j'MI.;AMRga)֬d8tqrԪgNe⇑āixo^p/ ى4N%*@[0[n5pEvA\@J0vΓ9D$dƮYYM>Kx= )|/_smQ<ִ4-"}|ek0E@9 -ɪY ZkyucmLe4!6jHfVZP_JnȟY?]1|Tv ;mnp RZ ̀"e _̀XU x==M 02'l'@66H,1DǘBz.O9 f-U\V다~ +e>`fWk `Gj:)χh@뾖$۷A/ϏD,X9̃b%uRHYO.Fhlda3iS!E,Qśq̿`#ܪ:-Vn*mG+F{GBC / ̙JgE'QX8̙{Oq1Jr+|1B81<~ FI:Tr@Q4t W=`sh%VkxQoo8("gb[ vfkr"@>ZB1pJ>M%Rfowv@ٱ3 ~N .&g0>Jdܩ|"@9ѝtNlTѽ-Ͱqܯy0!}@\.V`q:3cE;^0-}OrMZXT-b&;;v #Gߥ~1fһy{`mq `6vöSF5GW+54L&R\bv6vSʉk *ФQ}DZ׮&Ci2y}Z,/'W}?ltT:l:eȗ~Y N1Zn%-|jS\Bx8Gܫ_?7PSi+XZ >o+n gܒ<>ْ:5SӁ4^/1*=UX+zpBu=:*)ZCp]÷}k״F;;یtu~'Χ<~j9\*C"bM{&e=nub$?]7л{r]U"k u\?zj6qX"3 bJpP{$O6E>$kQ&$!.-Ǯ+ϣdH{-{,M{P|=`Y87EcǶv2zz$Ʋ kՌiҼU`jL 07xiiإ7Ӕ:d:@} .^|0)>)\JO2d+qpBzJxÄ4lE˿;_C.\DW VrMLGR:#HB9ePj씰ي̹J:|j.x~ԬԙG-n>軷\miAVri^)'yAn'~PŎƹl* \t4F A~\/ :Rפ zAs6b'Ru;E5|2nUom25B] 6/"\ ]a0ۅdž W!K^wH< Ô}0gpM p߿ca=3wƒka3h8ѵrqk .V[fv# *Lwav> "vghBsC7+[Q,a5,sc..CKV- L49;Sy5^YF}A~ TBBˡ3jxllv`O OۼĠ {RJK pLjDx鿎$N&cۇ&GAn G} Od,Q7HS`-SmE~ה-<GkU-)+Ol7k@l[RU]ĭ )`АiH!bv+D?)& l #E"Ӣ8}+ a61?9UW)8I~ ;Y iC`0AK~ȷ>E!e~DWX޴Vhit8iN0nm}d뺓"{Um8DN+6Mu?uZuc 1od%6K c^dXb㖯t^ #54AU"aØf}VQ,P/TU2,DUFF  x#Xud%GUN |Vٴ84p09oJ JW;wR0A%Y5\p C j >.` klu98X5)m y:HL^ [h08ywckU](cDA@qDZXz kf>p!( QBzg?FoH9t0=.~yHhZq9x2֐RhLlPRw?qؘ;e]tčcebm}kQ&gYdC@JMSDiY/BYdާ.[AH{P:ʮ!衫*,-M~E-/WF@!PǏ1ɟX@DbNU9ѢY,f@n%­1ZU\]8ҷZ1TH7=CJ ~\^Ŧq>K[u*35e5\54ɆY<~/?&/ N.Yvƺu1eF|e7Jmַxu3MTGk΅ 3yPm_ {8d_fRN.sӇP9Q *h:]` S+$ܴʌȦl$J p5 B/:(0x5t\766]ȝ MGxٲR]T}^~OͧCݻ=j,|9IK5^1>WR> ]FaRx*},/Eb <0y #΃CQiف1z-O4=W޷B% ?@}i.QFg*n~՘YSWlDn:"/&K! Ǚl lӓ>Y;i Y(M1 M 3ZrbIZr(A^pǂ`(r5 ~O_IcvƗQ0PUD*9wrs>_M6D9*wB*ś"H\dؽ>&JJyu>vmo`Q%%͔ \xVuJPZNߥA[_̴}!>ɆY _N=d)4 g"{zĶkBo"Cu=5 g pTjs,_$ tBov/",eAG WS죡ǬAKͤW jGO} 2<}RTŇƕ"X5hmBڡy͛ Nw8 ΀,޴k [V:ǟVt͟Cw(6}.:E8!%kD1qr- u(T,K[ ^,MuiY.~/3Jޔ߿<,;: #f- z Fd*w>]@+a&H\^% WH7/Y6iErqýᎃvy[6Q_׆Np7VAl7g@P'ƹb- (r=n^}"?me='0u!.dcbmjʱӚE9/c ZSrU3پF<΁ANtnˎ0\pug-5 o"1y$򨲓/@U@0@ZTnXP f}e{O ǃnT7VhgWhBdi^G,P.ԙ5,v#>*kBerZЊ *Pei.x~spYy“_MBō,M'mC9dEA"oA;7]oj~G_]4j=|K[l=F! |bRŔ3r{NRI_ c :~2Ll$B)_Fx\wJ\e3%5:fDpMD)\'fWJ\3͌go(jOҐAej75z$9VE~%&16kZ vk2ٝ-H͊}X=0&@v3'C߶OsP)q'O$M 2jy|͖(_)2(Q"=-67K~{N54 yróx"yNM>Q |VqcHN]]۽JK:G[R?}㬼s@kr*bA&ZlvޭީXBI_v I˖8N|XBڝ,\6Hq3e|h&h`t$|)!E<";Ѝg5gb30TMx0<] *xNep$ڒ:1O 6F8|!"&chN8V ] qa_Ehboֺ gp;B>=rAwwZ|"Σh #n waM]™9S `EEiIahA-k4ިlIL|LRQQ77 / Hh~+k=Ük+SsxXJЀ^u 6o |M P (V^=BL&*V|N)C*oJ=@@Rㅚ`iדTȞ'G bIY-l1aS}{jZ2h:GcIסE5W8gVa3䀺QR-9ߐӱߑZgS[p _(l*CeǚTLķS&vA1봇Sni|09Ob+Fp \wۯTQ m~i4?LIoW15nÂA+J!/J#WGz i& CP^rޗH3Q+U hCFKD&K*gShx@wIc7EaqH\u`ou\fTDF~ k!F0ب,c҆^g:HxzҠ9b&12NHI-o|@?S :o0ݡ6[bi[#TIgU=|Ⱦq6w@V5hdImu0@T