permissions-20201225-150400.3.4 >  A bvp9|}XC6/T!s͖ 24C Oc`1hȊ} wD!Wz5Zx re Wْ vw'^.%T2nzV[_Ҭ6Pg}a%D'"'tC mY [ػG7 +͏= 6sLbe.;K_\s#"o)U/'Iz+_Y('TW8K-OL>DFNJ}27e41d88d3ab4b07ef917a36158aeaad4d5ed48dc8e7de8e02a36650f2d42e4027a058af174a5b63df02e66d29b0b532ae925366@bvp9| h 68J6ChP8_k 00e8';ĶQ-[PNU/nGsO?#<9Ppʄ*aab*W1=DP%v#{RD{?bwA?ʓ6l\G\fSBo\tml-wǰe&uqx-翏>3fFlee)fP*RwYqf*LOJ w&(Ua v͹ZaI@DaIMe<>p@?$??d " A )JS iL p           0 ]   ( l ( 8 99 9:a9>: F:G:( H:L I:p X:|Y:\: ]: ^;b;c<d<e<f<l<u< v= w>T x>x y>z>>>>?Cpermissions20201225150400.3.4SUSE Linux Default PermissionsPermission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.bvpsheep66SUSE Linux Enterprise 15SUSE LLC GPL-2.0+https://www.suse.com/Productivity/Securityhttp://github.com/openSUSE/permissionslinuxx86_64 PNAME=security SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi # apply all potentially changed permissions /usr/bin/chkstat --system.V.1X`k89;@큤bvobvobvobvobvobvobvobvobvocd73f4760679880a45dce3c9cb05db59590dd96a4598a64a8a09e1ac03effb06f742019168f757cba5c3df708823390538a077199c16926825f12636e030c2d9254ecad52808937c3153a81d50810ee7e689d78dfc2cf8aac67cf179a2fdbf3bd7e3d5207a57148f15e8e5320ea0eeb8cd84c12ca311d6aab8313352072ca02a4dfa32be5db7aadc630f51111ad2cd7a5ddfa4666d9cb64ef44a2a335edcd032b920b93891f72a28ff8ebb43380d45267d84b24ddd9fcb56b2239de53f04e25535eca1eb5762d2b602f4b5114a54eb6e6815d26f10b5dab00cda67f2860ca4a32dcb772c1e9949198bc7695bd25c20cd21aea565905b0975de2edeafb31d8202acbebeb00ef9fccc619e66ad50b5c31ac346b2e06ec7d429ec8d2181bc5bd2f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpermissions-20201225-150400.3.4.src.rpmaaa_base:/etc/permissionsconfig(permissions)permissionspermissions(x86-64)@@@@@@    /bin/shconfig(permissions)coreutilsdiffutilsfillupgrepgroup(trusted)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcap.so.2()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20201225-150400.3.43.0.4-14.6.0-14.0-15.2-14.14.3bgbF@b+9aea@`@` l^?@^ϧ^>@^^y@^\@^Y^;^:@^4]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@matthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.comjsegitz@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commalte.kraus@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.comjsegitz@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- Update to version 20201225: * backport of apptainer whitelisting (bsc#1196145, bsc#1198720)- Update to version 20201225: * squid: adjust pinger path, drop basic_pam_auth (bsc#1197649)- Update to version 20201225: * whitelist ksysguard network helper (bsc#1151190)- Update to version 20181225: * setuid bit for cockpit session binary (bsc#1169614)- Update to version 20181225: * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)- Update to version 20181225: * etc/permissions: remove unnecessary entries (bsc#1182899)- Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)- Update to version 20181224: * profiles: add entries for enlightenment (bsc#1171686)- whitelist texlive public binary (bsc#1171686)- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- run testsuite during package build - Update to version 20181224: * testsuite: adapt expected behavior to legacy branches * adjust testsuite to post CVE-2020-8013 link handling * testsuite: add option to not mount /proc * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922 * add a test for symlinked directories * fix relative symlink handling * regtest: fix the static PATH list which was missing /usr/bin * regtest: also unshare the PID namespace to support /proc mounting * Makefile: force remove upon clean target to prevent bogus errors * regtest: by default automatically (re)build chkstat before testing * regtest: add test for symlink targets * regtest: make capability setting tests optional * regtest: fix capability assertion helper logic * regtests: add another test case that catches set*id or caps in world-writable sub-trees * regtest: add another test that catches when privilege bits are set for special files * regtest: add test case for user owned symlinks * regtest: employ subuid and subgid feature in user namespace * regtest: add another test case that covers unknown user/group config * regtest: add another test that checks rejection of insecure mixed-owner paths * regtest: add test that checks for rejection of world-writable paths * regtest: add test for detection of unexpected parent directory ownership * regtest: add further helper functions, allow access to main instance * regtest: introduce some basic coloring support to improve readability * regtest: sort imports, another piece of rationale * regtest: add capability test case * regtest: improve error flagging of test cases and introduce warnings * regtest: support caps * regtest: add a couple of command line parameter test cases * regtest: add another test that checks whether the default profile works * regtests: add tests for correct application of local profiles * regtest: add further test cases that test correct profile application * regtest: simplify test implementation and readability * regtest: add helpers for permissions.d per package profiles * regtest: support read-only bind mounts, also bind-mount permissions repo * tests: introduce a regression test suite for chkstat- Update to version 20181224: * whitelist WMP (bsc#1161335) * Makefile: allow to build test version programmatically * chkstat: handle symlinks in final path elements correctly * add .gitignore for chkstat binary * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) * fix syntax of paranoid profile- Update to version 20181224: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: capability handling fixes (bsc#1161779) * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647/bin/shsheep66 1651958640 20201225-150400.3.420201225-150400.3.420201225-150400.3.4permissionspermissions.easypermissions.localpermissions.paranoidpermissions.securechkstatsysconfig.securitypermissions.5.gzchkstat.8.gz/etc//usr/bin//usr/share/fillup-templates//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:SLE-15-SP4:GA/standard/e411789c1de1356cfd1429b65d9a73d4-permissionscpioxz5x86_64-suse-linuxASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=130ce87b45096f0c2ecb3e7231c257379a11dc71, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)R RR R R R8"w=tv]*utf-83fc91d20b779dc2096be4ac45e50266db6ea4f2872959d5bbdb35c3eb33442c6?7zXZ !t/;W] crv(vX0&0P/䑽!be hu ;±dF8hġ 7kh],IXLU}D kuӦ)( G]C8r+ܧ{Έ@ttQDr|V @YB¯G*SӉu\! I} ,>?wDF% 1Xd`} CG+ȉCJ]ȣeqVIuM ?VfՉEkWr(GV,9 C* %봨9Zɻ17,tqb@9UOhc5?0?HLMJW#ib%>V><6]_vĄq-a(WIAZ^gz$BHJjy0 CS޵h C*h@=S~5Nр ag<]<^0w!+u~qi1m2]k6`C2МUn8#r]k:%,Bt!D~|_Btīg(``i)MXbγq,86:rEl9_\5v5)ʀ<@n47az֫XI:%Zۧeϕͪob及F$)s=jۍq`̵;דGN1N;KzX"MxONlJeduu lSY ۭJTuv6ݼFYWCix`ʫw7hQ oKk'Qkz9BԤ<2hya@ Y4>ABUsWQ% /Lg1{]9W>&6>gڗ$h ؁$<%K\OfW7ɡ4 +w5'/TzGb,doơ!I<΍iſcV [%ZR-@f$%HG4i#qc!9=U:!%Cƌef\-nx}!X ;62GCr%-$ Bjdžs︚ׯfvuzܹ=\ =X$pMx]e 4zF$WŰW⌨m_r $kC Ny,w$vt;#q,qӢ=A?!c3Z(cj|lv6k2ﭻcs 9zs 6nW]zg΅ZFkM'=tyi+⏀T5Kк#? :B |ގZ#~8O4݂?v<]ihO9h\k*Fz/N3p  fCi|֑m$Tt& +3Ug Q{@ Y<,!?SLK}`+O9]b'z9#8~v^<;E+^J$ B+VQ)<$b˹R:ZKk?ܝ;CSOxIQ7\nD]{!HpO˃ҹ*3ܗOki0ʃ]f \ܙԃl-,\D)5+ ̕CܠP@upJJѲ.U[RI+JKlZ{'>=#\@ոZjI&BUרM '>6m-i2<p dY8kLfa-ro˪tk.(v\*\[ni"ɣ*D8=8i:BUf=i܍` %](E!XvƝj6~eO4q6TF=y93!Ff^u,^)^G?s*|*轵 fH׎x?Βf#IK,n4llkv/ka:v~Jw+8BRtykQ4h)/^L~:M3s+?mkSdZjC),vw1sE';Bƣ>ڢߋS TVGrsοBdקq2^ i:ΕH [#XdXdU僆PE5˻8Jɱ`hV[/ȑ!@JCKF[{tжJ>:l翈E {΂ycصVuRmC'{#sVD)iyRNjɔ7'KG~b.$I_ޔ(? ,kT^ly>N wt7x密(Uø@ 7[B0ϸR[;>?{K5H\T]\딕Z.7S0s+c1%]^WbH`ظ#^i Nt(NPOH^|6P5r',XŢdw%ĀuWDzNI Yqp4CH"xhwP36Z 0y&Uצq,#$L9|fTod@Q%?_~V;2^t9饤$ P qa[OF{wfҬ!1 A\ʴ(0fR߁cQz̉oe28/\q."7  pmRzP xH|?@D |cY?^w‰5:dX _j"mmI/QXYtO (4?Gv!m;MŨf[ $ЊzA7% ;VWJ̍V/XpY/TP;!EN~ !¥7>O:aV~VusJ{zmdOgdSRnWٰH?S[Ɨ]2red^Gw}UŽ % "Wx9DCLjT>Tֈ?q= Jm~J=^ML~>da^Y.6Laa<. mJ~a{Rȣzt)OI"q,w\V x!g7"6$yħwg1F-k<A`R so.Bӭ=yo0ڇl(ǭ gӥ16#kQ{+h !ִR8J 4D8"9]D}]FԼ3Nb2jeW>^bhJȯޱG%xX;?&"y©`Oh!KUzBO.v.=k{3}pI\z@Ew#J(OhXHVJ}9Ph lM2qzQ˕_h kj%0)+V-n.Bi?;R%FWge98jsa\0ND%!Lx(D{p[Heލ!=vOwK+JoȍohYǼ O[Dvwgn;4s4݆M3Te\Ҙ85"n$A'HRbS'D.Ͻ.Pz6t 0EGJuMS6{b߾|6F?fcr yYY񼇟\uaQsơ^Q ROu[Aro6w*X'H$.ֽ2J-ZTQ޽ t| K_&2CMi%s> B3~ơBLFH`%xh@N-:^G}*0@=4jߘ:Ӝo3Zaatٙ$11Q%pDc\ga  eMfrLØJFzAx_Jͪ\1edfb$zNt1ۂL(SX޼.a>B1*s 2':ȱfã`  uwER4Yl9߇t: n鏮ry9ݱ'b>qByJכcG2Vb\+'LÚ6)O]ehLVߍ:tlq;Ы\.qbuHG5ı4Eͪ]16No3:xy 43"w𵦒 =~ʭ,ϞDC~."rHE3+!Dm:ZưYdyY2S?Du"'cN 3wdk_찅?A&뫈4##hYʳF) ZIIyd } x3_(P{aZm>~:x-k $WjhAdji# /@|!s$, %/{øF 9`δw#>mG$'ȱm8J~CZc15;ӝʒ!bPswQ|i9􀿒@_D}Rqvp3P<R>oc_|sC{$OL.Az*'xM޸9W2Ur /IxCZP7jl/ne ps3J ~UEV W;0=e/̃N+7Q5Tu^--Qbֶ`d tJZ[Xd@c [I4LWvk%pͅ)q7vrP a_.ݛVUO %,JGnL>du0`ud_LMΑ?E6ĿnKkjn̬M"?^9ڹpNb ii=yԐ'٭ޮ-ړ倫\V^*HKS7ܑLS$] nxAء^)&H`T rqnRUHGEl 6I]忲B! {q`ͤIOZyN!<웨E]6aۅSH@ZvXxX}:`v𼓪8SO;:O>}mB ClAǝD]a$O7~PUBF1zGrèܿ*f<یRchpZ'E]M;M}&+BMwmY=wdY{$?H_4?A~Q(GϼB \lWE- 'dU;.I8`t^dA*}-<,RH~7?T/JZJ;GLԁ)*mΨi6,CoLzip9%hi:IУK;:}i1ܽFyB>kGR:r$\mW]͢?Ś fF#>` ψ䕜ǯ-Atu^ Zm/k jYz3TK+tzk` o}=@`&E%3uS"ʗ<[qgIJ A0vS h4jXkRKbӛC+-#θkfA6!rKoLKEX`6 gs;?ƙ TF9` T) ]0)1lՁ>9Up:&D䟄f9#ȻcmLw$_'`%pNυ2ܤ^|!c2h̾Fh 9)~ٕ#>0@zXK4 Yo49|gkƇ~a}8ʁPD \?՛'CdպssAw* E!VY"h)DwYg%o=1oCgHnoFQvS;*Zq#ΩBw-: f->ef+Z.DWpj3w驗B֦o`k7(:] ӄ=D)~1&JO.)ܣ4gwKrߊ RAHy5} PDn$ y6(*l ŏW F0P')5oNz-Pp>y-ϰIᕋA<[1^m:.X3:c ݙ4] }muybR\Vzy3\ J_< Eo'n?YeĹ%w3t'cENd3Ɨ(R"fƒx4lX>z*$3q|hX2],Y uˁS|nU߰o㎾J{!Uԓ%L6lOUL)g`ׇ9j Ĕ%~dFOְܝr }B!nUEYg ׌s(7 ޙ|Nrcr$[ ]VE8?&8=hhݬ[!:kBa,ȂH(BksDS M],8zeu p]ޮ4[zdOkbuBv:Lmakqѫ-ơa@C?1QiT R/Z| acx쾖Ar#Yt]MҽjeK#/CS&8i9Œ<1YrE7)nEb6TJv'չ@7B=xg27ehhm bJًMO6*T+#"҆1<]A+O~#ݬ̞:ziy%d| <6-|pMsl [=!ï#I8:08t.blz+x-c<@׎=u>xenF{)8Q_J6 j.S%!]æR(C M1U |U LyKBtWNNcnJ{4nYc9} ,0DNns Fl5&/2a%)ێ1&_Q($)s/ÈC'[‘埂Mfc&x;W^s S|{jcC?E M#_Y.3D8r.wdh=7!`@LX,F酤fXcȃ~76p.+|h!fM4M=dm8&^$Z9Sa!^&6ݵ }8&>\Mkc>48'W1Ewل3Aa/:0nkYeeq朸morCW;u&v^C5(y6ңrOH^암RIpğJ)Ow+ݘ:gvM4"4l&8asRjS,9| b:B(4ug\*'9fof;{x=Hx g jmŚ_ Gv*e۟GV'=^eeM2 ! c"6TU-mAOʨDU/_K,3OPLZ|c)tl@CddYJsUs%}oec+]iƙ3*3j)eyN@G=鵿ݥ5YAȆ>ÃB_z0*( Tv8K2!/or)\Xֽ_)x)$1R٫9/]#Jq_${3Vڅ97^do 9V =@MGsWLE {מ3\L'"d=?lʊCl0ktҴ Řԭɐ7}fR2U#>qVM00ÞRk8 XA(!Q/egf6oa0k-9rWB|˴a@V%D :#5vK0ɂW!} d#hA%XKfQ`{X@!͘R™.0s+[#HX8[kL9IE`Kn[* RT:SD\ɦt%]^̮ƪoIjBq?4k=7;6woeZj~U]0 Hݖ-jbu=އ[i[~ Ѹ 1 L)4HE3ea;ɛiRjcg̿"1YxzáOSec1DŘ{յ|3T}GEB-GRf\`zBo X+'oi<#@fH)Z,9xj`BcU;=}ȋǯExsmz %&L6uUcĴ{O۫[lRIZAtŞZv,ݪmZET3vdc*[_W 9@|g OS(g9iFP6+B"*m{UBE,Ka p;N==.4^#h|W zmR/y%iXS~1}&Qg.C'I$P*|uV5O,sћ<*+=S1~G%SA2VX=8l^p/`w3_Ӄɑa0&P@ ͥ-Ffկ"lBR88~EĘ3bGksld{ 1/\g<+ekJԭepҷ[sm)Hg'WX2;ljJy,un"Wqg~To݅":)\VĢҚت2 ꠎ;OmG*o Gܞ1Fsy2ć|$dgdXX ,[:T:E HyH]eq<$FbMWDn됫{sQ[i"$@$Fr e`@Q.M{, W~h.ԞTCԲ$F>Wnl>r op|O맼+дӛxMcHAG CWrUۋ,]`ƶZf]KBzIN]fԭ=b 1H:i(4)H /L3_xӄBo&(qo*>[.&xF㳷v"?Vz\(Ӈr V?nߺPJʹ32b n8~axȑN`o|%y tH!֩[95TKL@XQ)~@Md A82LYʠkpeJyPv]Έh1SRlJ%ܜy=ea.4NyZ-ix^u^O8 4N.3&4V'$DG1޻W+.$$\;lҴ04-[!P@y5=LQڷ@ 16 , YIK3K;R)LVZ`@^uiCS5Sr;>hE`c]QBȺY",G*=-Aʉ om?ORz/=ڶ.ًٲ1UH<AZW>}dQS sLYb{\> #e?B9:MF3\+=HZrU smY@=hDc"bΓw`s1|G1s 0f0=wL-}}/`n|д&U9+zUc4.ZʣegBTn*c`+ 4΄aArE>bfIdOhzcΛol$z+t76Ė8 Ȩ#i]"}էZ"$%՞.$qw_i UPmƧRb)'Sۡ1U Gi[$7&}z@ ".=71zi4 AG8(eHWl+'xǜ|a'J&WF˖QjhTJy,3{a`P7(g`'5'!4΍ ϣ1chbR >"yG52 'TjP ͽ!\:X10nCa $,;5mlt>/0;_ W<,u./h@MeئUYCnog4vOG"LK@d=-Q!W`ҴcX"<ΛU* Nn_uE;ȯxͶ[F3Dҵ)\}蠦.񯊔c;L4MGЭSAY|inRn:bdhaOr.i`@>dPb߃EaG6g>c6O{e_3t=A2hERWiE|U.oj#0*x2ZZ =x1hD|")5N`=ern{2WA1m= Y?yM3k /X5м2ȣlcc49ji RP^ 8'P@*8}TRPU3Us"zxr|_Bz{ƋDD{%'p0}uq.Qe #|GcL9?exvly$j R9c+V9!656/~fx #)s8~F-)H!W{\|t!aG$<x[4,"ŢGɾ+t{> L1ۼu<9**XqMN$=_?V6UjcQ+?LOz)S =PsA6x2xcU1ZZ3up6K>5܁(#\bUc)Ngkɉ=8>+h#&K%*l??vxY%tl1NUm՗EA-S<`.u|?]"O#.~c<[ ixEk3.#f'Lzzq5h>oK!V/2_^zqί1#r;d$6J> 41r`Dh yC Nh ^!Se "]&dNĵ~oW!kc T@p}RHm eI45:3t#ys6~lɥ?*HX8PI2X;iEy ēh^ι>f kV  g}(zfJAK}!. Ee}{$Q\lI!ʺh"$4]wo j2xIXF |V՗ķv|C%,st|eDK5Gd㿵eJkx_"t!WjfrmѽǥJ |35D$; /ÌǖwFM}ݓv09˚k Gέ䰯lFv>^OΖ?O ޕF3376&{CxP~AeCUi IhN| <89ō!t e=Zx,ζDyU>,}$׺/'CŨrtZٌ{@01S.iUu"?#iѵB0S$@5ԧY뽧+#>l_=Oڷνs!=eN@){|~A%؈JHYQS,=,G~1sa8dquM(R#D5Eyٞ%T~RhB^!~ubFxFڍΈ.C_.eHB(0@q$ ke|]xgSo`TC=9m2^;}>bKM 0AqlhywQq }L!L93JrA66Y#ӪmKnu)k^ҫ4AɌ!nf98Ԯ5"=85&Jk*sЏຂuV(=Aorwomm6G4"yHk] u!fqFw_L2{B8Ŀ!MrWo-:tFŕfVkͲgǿ!^3w(UMu'ӏHbnl}3vTŌ<2l8wpTZP-'LMC "*FƀZR\ī׀Tt'ۑyQZ 2.}XnEۅenV:մT4{mwY^,Gsk#nj@?'+yb7+*nUu3i_z*[k:Unū0-Lnb+ܻ ,O!+ G/l}T+6p2dM N5cWK/z굜`~j) _@N[mUG{F`&2~B[zDw[{W/;ĚIrn<׃!}V-ɾSIﲌ; Rn.ʶͩ{vfc.dL̎ARPx_&"9 n1nQ6q~i^v2(njcmw&x@KŌ|Z~1XhF¦k^咝(27 \Jbe;仵>(3J1FLJWD<0UFh{#|"b#yT6eU;"J=ԫہa5MRl}u(GFZl؆Wmε UxA@M#.t,<"< ,uqFUXQOZ,I$jL b3N[ҌRCpmLF}FePˤ.::;TȣMo96?ē"w{?޳HaD %x?2^g 7v]1*9>"> jR2$ ۖ}\ eKٙE6n< 6vo+֙gúi \X؁/(WAu=_ skv5rFd7ϫM $W{R-"QuQH]o+bJʕ>…zbdbkVD6r!*dL U_+=623aĊdƍolS:;@-޿0BXSa uS]x9ס<[%_mWdfmdVX26̝Msw &gj! Cc7D]^ﵾF_Et-{B651\Xt`(Řh}U20YQ ?0:Mⓘ&o)o1*vcD:צ}n9/I&?eouޚ:n@wu3pF1vj .\lmdކ㺣40=f,qnv31Nq!E˛YV ͭyS !/_iˠzCo*?\v 9NoyAeJȩr24Ib^Ӧbih[Vp9Wu\\yd~Oe[X]ftφ _(*0KlO?&ѸTb{hD`nEQ hWS@EmaBٻĪGnm $u*U4M!*ƚSv:pKQKB"꘷VV ℰR|WY%C44? K-{7gߔM1( [ 4/^nW+61"mCW0噐o;b"OoM@`ȲSspG˭}<"-{ϴ>LVZT+Or}Khuf)l-wLna2bCsDhkۆc#<I]# p=٪5\&[@|g[ZsU "nqe~12 pgLrx]F@{IZGm-Į-2'ÙAni@ (r^B5Yz K>pc,f>6 6m/@t>#bWp},;H>:fߚm{ζU~?Kjcݳ *@7jx%d~.m7LRCCp8D'h{X%+ E^74T1RbT\ԩ鏪~+̬P/x2cmēcc@n޸· ;Ds (gPxV2@t߂(o|V7R\1*﷐He A4tN'ք,kQwڥ#)@.{ӛ+4<$={+W 6W@Ax՝;,'8^M0X'H W/_Z|pgoj5EFԄ27Ac8?HD6q&柂Egǖ[Oү;J/|Ԅ{ѝ,A{xΆWTW/BneԩD򏲚?U,Ȣ d1C=f=4^]ٸUH]bo>G%ϐ4VK+̀70T1\K:PP^@1r }g$ن"KA3lC Yfz s~{l.U>vZƢPi``|Ӹad@5"V_<Q7<*0M{RNލpR?Pv+} e?x|i`_I(uIV<<쐼#&k%;JT/y-k`[HZny {xmh:D9cJ]9ȚHn?//z@1c ƭcٔ1%N8+ޏcPmӺMyx ~=?@:k%K!<嵆G4' %̆'-_BGER=Hun /PP!UVnKEQnh.ѕ.~;qo3 V G2 %i&47><Z "mz_%k]Y;{`P]Lphs +ٻ֗ +_)<=QzPlCR1K/ mr܉U 5dE- ٬#P\)g%Py5{:~JUx<}ل h'R CC~ ; Og(,֠=PlvI1Hr¥s)>('(ck1:k٬MQ+yo oxȸlgmMoU|mvL4x-~K*s[-I/?SBL~OH@˫:L*F!AYS\40X+cI(7O10/,fq`^A}/@bа]#O.^R<`}ݜ- TY2p=p670>'8 Rt7YCJ7F}j1/%"5+!mɀmWjU kg rhL7'3!IǍfsnc3۰嘳DZfu\X';8>?Ik%%J24_DGuJ$4<-_ߴ))ºl'fI. KP"xQؑ6Ǔ™Q#;{3We[d@uLaɁH=+Yr.?ΥE\ 0Yx3:[ u6mj<% [B [C/dË$"`{ e3yZ#nnm:Mc[t3iJ= zB"bp.m~g4j3.:SLp , Nӟ_ < AeeQ[i3huVWRPo07*Md؏27#;j4%rw:l]%dA-L;E27l2GLهW. YZ