samba-winbind-4.17.7+git.330.4057cd7a27a-150500.1.2 >  A ddp9|GYFXef 7E:uk-4yIU'M-(Ȫ,=v^Nb)'D5JyYFp eF?Ne\0wJ!/eJRzgEř5T<|'kJJIB ,$[it+AeQ+nXkCh Y?}7bYŠce(\Ȭުy7:_GHhs#W Yz(2!2 XfpZ{8b4668667ce7708dd4e726efa8c8fc7e1cf5c9914e67ee79b6c1a8a25919ff10034b992fc6deefedc9ad13e4a0a1c578a93e5e28 Hddp9|ZͲ-LD r- LWV7DoJ?bG>c4ڨKFreJL{CbnB4Ӻ]&APF偖23䪞gA+e*Y2:/HdUYGsi"Gu{ ;] &W"K<}ḑf)~[K Ţ^) ]] "{Ȅ-,0̄4db"bhZ? sx o>pL,?d+ 6 N *08   : X   C|6(787(9;`:MZ=>?@BFGHLIXYZ([,\H]^V b7cd7e<f?lAuTv wxyDz`ptCsamba-winbind4.17.7+git.330.4057cd7a27a150500.1.2Winbind Daemon and ToolThis is the winbind-daemon and the wbinfo-tool.ddcabernetfSUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Productivity/Networking/Sambahttps://www.samba.org/linuxppc64le if [ -x /usr/bin/systemctl ]; then test -n "$FIRST_ARG" || FIRST_ARG="$1" [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : for service in winbind.service ; do sysv_service=${service%.*} if [ ! -e /usr/lib/systemd/system/$service ] && [ ! -e /etc/init.d/$sysv_service ]; then mkdir -p /run/systemd/rpm/needs-preset touch /run/systemd/rpm/needs-preset/$service elif [ -e /etc/init.d/$sysv_service ] && [ ! -e /var/lib/systemd/migrated/$sysv_service ]; then /usr/sbin/systemd-sysv-convert --save $sysv_service || : mkdir -p /run/systemd/rpm/needs-sysv-convert touch /run/systemd/rpm/needs-sysv-convert/$service fi done fi /usr/sbin/sysusers2shadow samba-winbind.conf <<"EOF" || [ -f /.buildenv ] g winbind - - EOF /sbin/ldconfig if [ -x /usr/bin/systemctl ]; then test -n "$FIRST_ARG" || FIRST_ARG="$1" [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : if [ "$YAST_IS_RUNNING" != "instsys" ]; then /usr/bin/systemctl daemon-reload || : fi for service in winbind.service ; do sysv_service=${service%.*} if [ -e /run/systemd/rpm/needs-preset/$service ]; then /usr/bin/systemctl preset $service || : rm "/run/systemd/rpm/needs-preset/$service" || : elif [ -e /run/systemd/rpm/needs-sysv-convert/$service ]; then /usr/sbin/systemd-sysv-convert --apply $sysv_service || : rm "/run/systemd/rpm/needs-sysv-convert/$service" || : touch /var/lib/systemd/migrated/$sysv_service || : fi done fi [ -z "${TRANSACTIONAL_UPDATE}" -a -x /usr/bin/systemd-tmpfiles ] && /usr/bin/systemd-tmpfiles --create samba.conf || : PNAME=samba SUBPNAME=-winbind SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ "$FIRST_ARG" -eq 0 -a -x /usr/bin/systemctl ]; then # Package removal, not upgrade /usr/bin/systemctl --no-reload disable winbind.service || : ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_STOP_ON_REMOVAL" && . /etc/sysconfig/services test "$DISABLE_STOP_ON_REMOVAL" = yes -o \ "$DISABLE_STOP_ON_REMOVAL" = 1 && exit 0 /usr/bin/systemctl stop winbind.service ) || : fi/sbin/ldconfig if [ $1 -eq 0 ]; then /usr/sbin/pam-config --delete --winbind if [ -x /usr/sbin/nscd ]; then /usr/sbin/nscd -i passwd /usr/sbin/nscd -i group fi fi test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ $1 -eq 0 ]; then # Package removal for service in winbind.service ; do sysv_service="${service%.*}" rm -f "/var/lib/systemd/migrated/$sysv_service" || : done fi if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl daemon-reload || : fi if [ "$FIRST_ARG" -ge 1 ]; then # Package upgrade, not uninstall if [ -x /usr/bin/systemctl ]; then ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_RESTART_ON_UPDATE" && . /etc/sysconfig/services test "$DISABLE_RESTART_ON_UPDATE" = yes -o \ "$DISABLE_RESTART_ON_UPDATE" = 1 && exit 0 /usr/bin/systemctl try-restart winbind.service ) || : fi fi<XP%C^큤큤AAddIddIddNddOdddSddHddVddHdd;ddCddCddHdddddbd95eb7e0d1e8c973d39fb53be9be46276b21bcacd8b0ae1adeeb63651f6fbea676af835bac5e037fd6f6d9950ea49ff3f39bc693d479069190927c1c530839053e58310ba7330ec3712658f188561873c8fd052605481931bc35fa68314c95c657ecc22080245130982d91a3b26e5ab30426e75c8c106165c3633c9bce0ca348c787a47c3127f9c5fdde2848eeac71a06e22cbf997c132d74ada549c086e0d7ad837116f8de04fd9522088967fd90d1c40b9c1d8ff9bcb53a11dc27e7e46974e2b4fdec42a18ff292e2ffc9fbdfeaea7f35acdc019f0077ae3ffd9b24670139a16eb3e6b8e2bf0b1ee56f8a98e8ed307633badc5f3c02d8a82a4293ea474393bea31552d3c1d60de185a0a66934503a6fb03008730c292f10a6dd4e8ac61d4e75562bbdc3bb150330d1d4b232fe83a328e5abdc522b631d2574728c29551992e7508a7dc71e6265f8104569445293019b00fe0980032de0d67fff9b8f58b92c6b4b0325dd3211474ac785379683cc4e7f17e211327fb9d536c1ff9138de03eservicerootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootwinbindsamba-4.17.7+git.330.4057cd7a27a-150500.1.2.src.rpmconfig(samba-winbind)group(winbind)group(winbind)samba-client:/usr/sbin/winbinddsamba-winbindsamba-winbind(ppc-64) @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    /bin/sh/bin/sh/bin/sh/bin/sh/sbin/ldconfig/sbin/ldconfigconfig(samba-winbind)coreutilslibMESSAGING-samba4.so()(64bit)libMESSAGING-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libRPC-SERVER-LOOP-samba4.so()(64bit)libRPC-SERVER-LOOP-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libads-samba4.so()(64bit)libads-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libauth-samba4.so()(64bit)libauth-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libauthkrb5-samba4.so()(64bit)libauthkrb5-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libcli-ldap-common-samba4.so()(64bit)libcli-ldap-common-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libcli-smb-common-samba4.so()(64bit)libcli-smb-common-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libcliauth-samba4.so()(64bit)libcliauth-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libcmdline-samba4.so()(64bit)libcmdline-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libcom_err.so.2()(64bit)libcommon-auth-samba4.so()(64bit)libcommon-auth-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libdbwrap-samba4.so()(64bit)libdbwrap-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libdcerpc-binding.so.0()(64bit)libdcerpc-binding.so.0(DCERPC_BINDING_0.0.1)(64bit)libdcerpc-samba-samba4.so()(64bit)libdcerpc-samba-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libdcerpc-samba4.so()(64bit)libdcerpc-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libdcerpc-server-core.so.0()(64bit)libdcerpc-server-core.so.0(DCERPC_SERVER_CORE_0.0.1)(64bit)libflag-mapping-samba4.so()(64bit)libflag-mapping-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libgenrand-samba4.so()(64bit)libgenrand-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libgensec-samba4.so()(64bit)libgensec-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libgnutls.so.30()(64bit)libgnutls.so.30(GNUTLS_3_4)(64bit)libgnutls.so.30(GNUTLS_3_6_13)(64bit)libgse-samba4.so()(64bit)libgse-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libidmap-samba4.so()(64bit)libidmap-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libkrb5samba-samba4.so()(64bit)libkrb5samba-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)liblibcli-lsa3-samba4.so()(64bit)liblibcli-lsa3-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)liblibcli-netlogon3-samba4.so()(64bit)liblibcli-netlogon3-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)liblibsmb-samba4.so()(64bit)liblibsmb-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libmsrpc3-samba4.so()(64bit)libmsrpc3-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libndr-samba-samba4.so()(64bit)libndr-samba-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libndr-samba4.so()(64bit)libndr-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libndr-standard.so.0()(64bit)libndr-standard.so.0(NDR_STANDARD_0.0.1)(64bit)libndr.so.3()(64bit)libndr.so.3(NDR_0.0.1)(64bit)libndr.so.3(NDR_0.0.4)(64bit)libndr.so.3(NDR_0.2.0)(64bit)libnss-info-samba4.so()(64bit)libnss-info-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.17)(64bit)libreplace-samba4.so()(64bit)libreplace-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libsamba-credentials.so.1()(64bit)libsamba-credentials.so.1(SAMBA_CREDENTIALS_1.0.0)(64bit)libsamba-debug-samba4.so()(64bit)libsamba-debug-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libsamba-errors.so.1()(64bit)libsamba-errors.so.1(SAMBA_ERRORS_1.0.0)(64bit)libsamba-hostconfig.so.0()(64bit)libsamba-hostconfig.so.0(SAMBA_HOSTCONFIG_0.0.1)(64bit)libsamba-passdb.so.0()(64bit)libsamba-passdb.so.0(SAMBA_PASSDB_0.2.0)(64bit)libsamba-security-samba4.so()(64bit)libsamba-security-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libsamba-sockets-samba4.so()(64bit)libsamba-sockets-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libsamba-util.so.0()(64bit)libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit)libsamba3-util-samba4.so()(64bit)libsamba3-util-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libsamdb-common-samba4.so()(64bit)libsamdb-common-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libsecrets3-samba4.so()(64bit)libsecrets3-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libsmbconf.so.0()(64bit)libsmbconf.so.0(SMBCONF_0.0.1)(64bit)libsmbd-shim-samba4.so()(64bit)libsmbd-shim-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libsocket-blocking-samba4.so()(64bit)libsocket-blocking-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libsys-rw-samba4.so()(64bit)libsys-rw-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtevent-util.so.0()(64bit)libtevent-util.so.0(TEVENT_UTIL_0.0.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.11.0)(64bit)libtevent.so.0(TEVENT_0.12.0)(64bit)libtevent.so.0(TEVENT_0.9.12)(64bit)libtevent.so.0(TEVENT_0.9.14)(64bit)libtevent.so.0(TEVENT_0.9.16)(64bit)libtevent.so.0(TEVENT_0.9.20)(64bit)libtevent.so.0(TEVENT_0.9.21)(64bit)libtevent.so.0(TEVENT_0.9.31)(64bit)libtevent.so.0(TEVENT_0.9.36)(64bit)libtevent.so.0(TEVENT_0.9.37)(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libtrusts-util-samba4.so()(64bit)libtrusts-util-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libutil-tdb-samba4.so()(64bit)libutil-tdb-samba4.so(SAMBA_4.17.7_GIT.330.4057CD7A27A150500.1.2_SUSE_OS15.0_PPC64LE_SAMBA4)(64bit)libwbclient.so.0()(64bit)libwbclient.so.0(WBCLIENT_0.10)(64bit)libwbclient.so.0(WBCLIENT_0.13)(64bit)libwbclient.so.0(WBCLIENT_0.9)(64bit)pam-configrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)samba-clientsamba-winbind-libssysuser-shadow4.17.7+git.330.4057cd7a27a-150500.1.23.0.4-14.6.0-14.0-15.2-14.17.7+git.330.4057cd7a27a4.17.7+git.330.4057cd7a27a4.14.3d6@d@d @cvcvc@c@c @c@cctc5cM@b@b@b@ba@banopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- Update to 4.17.7 * CVE-2023-0922: Samba AD DC admin tool samba-tool sends passwords in cleartext; (bso#15315); (bsc#1209481). * CVE-2023-0225: Samba AD DC "dnsHostname" attribute can be deleted by unprivileged authenticated users; (bso#15276); (bsc#1209483). * CVE-2023-0614: samba: Access controlled AD LDAP attributes can be discovered; (bso#15270); (bsc#1209485). * large_ldap test is inefficient; (bso#15332). * CVE-2020-25720 [SECURITY] Create Child permission should not allow full write to all attributes (additional changes); (bso#14810). - Update to 4.17.6 * streams_xattr is creating unexpected locks on folders; (bso#15314). * Use of the Azure AD Connect cloud sync tool is now supported for password hash synchronisation, allowing Samba AD Domains to synchronise passwords with this popular cloud environment; (bso#10635). * Spotlight doesn't work with latest macOS Ventura; (bso#15299). * New samba-dcerpc architecture does not scale gracefully; (bso#15310). * vfs_ceph incorrectly uses fsp_get_io_fd() instead of fsp_get_pathref_fd() in close and fstat; (bso#15307). * With clustering enabled samba-bgqd can core dump due to use after free; (bso#15293). * fd_load() function implicitly closes the fd where it should not; (bso#15311). - Update to 4.17.5 * smbc_getxattr() return value is incorrect; (bso#14808). * Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled correctly; (bso#15172). * synthetic_pathref AFP_AfpInfo failed errors; (bso#15210). * samba-tool gpo listall fails IPv6 only - finddcs() fails to find DC when there is only an AAAA record for the DC in DNS; (bso#15226). * smbd crashes if an FSCTL request is done on a stream handle; (bso#15236). * DFS links don't work anymore on Mac clients since 4.17; (bso#15277). * vfs_virusfilter segfault on access, directory edgecase (accessing NULL value); (bso#15283). * CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5) based SChannel on NETLOGON (additional changes); (bso#15240). * %U for include directive doesn't work for share listing (netshareenum); (bso#15243). * Shares missing from netshareenum response in samba 4.17.4; (bso#15266). * ctdb: use-after-free in run_proc; (bso#15269). * irpc_destructor may crash during shutdown; (bso#15280). * auth3_generate_session_info_pac leaks wbcAuthUserInfo; (bso#15286). * smbclient segfaults with use after free on an optimized build; (bso#15268). * smbstatus leaking files in msg.sock and msg.lock; (bso#15282). * Leak in wbcCtxPingDc2; (bso#15164). * Access based share enum does not work in Samba 4.16+; (bso#15265). * Crash during share enumeration; (bso#15267). * rep_listxattr on FreeBSD does not properly check for reads off end of returned buffer; (bso#15271). * Avoid relying on C89 features in a few places; (bso#15281).- Make (32bit) samba-libs conflict with old samba-ad-dc-libs package to satisfy installcheck.- Make samba-libs conflict with old samba-ad-dc-libs package to satisfy installcheck.- Remove non functioning ifup/ifdown samba-winbindd scripts; (bsc#1207414).- libdsdb-module-samba4 should be packaged as part of samba-libs and not samba-ad-dc-libs. Additionally no need for it to be removed conditionally.- Clean up logic for PAM migration settings in spec file.- Change with_dc default to 0 (for non TW builds), ADDC feature is deprecated and will no longer be included in >= SLE15-SP5; (jsc#PED-1122).- Update to 4.17.4 * CVE-2022-44640 Upstream Heimdal free of user-controlled pointer in FAST; (bsc#14929); * CVE-2021-20251 Bad password count not incremented atomically; (bsc#14611); * CVE-2022-42898 krb5_pac_parse() buffer parsing vulnerability; (bsc#15203); * CVE-2022-37966 rc4-hmac Kerberos session keys issued to modern servers; (bso#15237); * CVE-2022-37967 Kerberos constrained delegation ticket forgery possible against Samba AD DC; (bso#15231); * CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be avoided; (bso#15240); * pam_winbind uses time_t and pointers assuming they are of the same size; (bso#15224); * Heimdal session key selection in AS-REQ examines wrong entry; (bso#15219); * filter-subunit is inefficient with large numbers of knownfails; (bso#15258); * smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories; (bso#15252); * The KDC logic arround msDs-supportedEncryptionTypes differs from Windows; (bso#13135); * libnet: change_password() doesn't work with dcerpc_samr_ChangePasswordUser4(); (bso#15206); * Heimdal session key selection in AS-REQ examines wrong entry; (bso#15219); * Memory leak in snprintf replacement functions; (bso#15230); * RODC doesn't reset badPwdCount reliable via an RWDC (CVE-2021-20251 regression); (bso#15253); * Prevent EBADF errors with vfs_glusterfs; (bso#15198); * %U for include directive doesn't work for share listing (netshareenum); (bso#15243); * Stack smashing in net offlinejoin requestodj; (bso#15257); * Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue; (bso#15197); * Heimdal session key selection in AS-REQ examines wrong entry; (bso#15219); - Remove deprecated if-{down,up} scripts; (bsc#1206444); - Adjust the systemd drop-in file for named service; (bsc#1201689); * Paths are additive so do not repeat paths from named.service * Prefix the samba DLZ directory with "-" to ignore this path if it does not exists- Introduce without-smb1-server spec flag; (bsc#1205104); - Update to 4.17.3 * CVE-2022-42898: Samba buffer overflow vulnerabilities on 32-bit systems; (bsc#1205126); (bso#15203); - Replace obsolete python-gpgme with python-gpg * Upstream replaced it in v4.9.5 -- bso#13728 - Update to 4.17.2 * CVE-2022-3592 [SECURITY] samba: Wide links protection broken; (bso#15207); (bsc#1204499). * CVE-2022-3437 [SECURITY] samba: Buffer overflow in Heimdal unwrap_des3();(bso#15134); (bsc#1204254). - Update to 4.17.1 * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). * smbXsrv_connection_shutdown_send result leaked; (bso#15174). * Flush on a named stream never completes; (bso#15182). * Permission denied calling SMBC_getatr when file not exists; (bso#15195). * Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC; (bso#15189). * pytest: add file removal helpers for TestCaseInTempDir; (bso#15191). * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). * Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC; (bso#15189). * Flush on a named stream never completes; (bso#15182). * vfs_gpfs silently garbles timestamps > year 2106; (bso#15151). * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). * multi-channel socket passing may hit a race if one of the involved processes already existed; (bso#15200). * memory leak on temporary of struct imessaging_post_state and struct tevent_immediate on struct imessaging_context (in rpcd_spoolss and maybe others); (bso#15201). * Since popt1.19 various use after free errors using result of poptGetArg are now exposed; (bso#15205); (boo#1204279). * Remove special case for O_CREAT in SMB_VFS_OPENAT from vfs_glusterfs; (bso#15192). * GETPWSID in memory cache grows indefinetly with each NTLM auth; (bso#15169). * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). - Install a systemd drop-in file for named service to allow read/write access to the DLZ directory; (bsc#1201689); - Fix use after free errors resulting from using return of poptGetArg exposed since popt-1.19; (boo#1204279); (bso#15205). - s3: smbd: Fix memory leak in smbd_server_connection_terminate_done(); (bso#15174). - Disable SMB1 for tumbleweed builds. - Update to 4.17.0 * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1; (bso#15153). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * Cross-node multi-channel reconnects result in SMB2 Negotiate returning NT_STATUS_NOT_SUPPORTED; (bso#15159). * winbind at info level debug can coredump when processing wb_lookupusergroups; (bso#15160). * Make use of glfs_*at() API calls in vfs_glusterfs; (bso#15157). * Possible use after free of connection_struct when iterating smbd_server_connection->connections; (bso#15128). * `net usershare add` fails with flag works with --long but fails with -l; (bso#15145). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Performance regression on contended path based operations; (bso#15125). * Missing READ_LEASE break could cause data corruption; (bso#15148). * libsamba-errors uses a wrong version number; (bso#15141). * SMB1 negotiation can fail to handle connection errors; (bso#15152). * New filename parser doesn't check veto files smb.conf parameter; (bso#15143). * 4.17.rc1 still uses symlink-race prone unix_convert(); (bso#15144). * Backport fileserver related changed to 4.17.0rc2; (bso#15146). * Manpage for smbstatus json is missing; (bso#15147). * Backport fileserver related changed to 4.17.0rc2; (bso#15146). * Performance regression on contended path based operations; (bso#15125). * Backport fileserver related changed to 4.17.0rc2; (bso#15146). * Fix issues found by coverity in smbstatus json code; (bso#15140). * Backport fileserver related changed to 4.17.0rc2; (bso#15146). - Migration to /usr/etc: Saving user changed configuration files in /etc and restoring them while an RPM update. - Update to 4.16.4 * CVE-2022-2031: Samba AD users can bypass certain restrictions associated with changing passwords; (bsc#1201495); (bso#15047); * CVE-2022-32744: Samba AD users can forge password change requests for any user; (bsc#1201493); (bso#15074); * CVE-2022-32745: Samba AD users can crash the server process with an LDAP add or modify request; (bsc#1201492); (bso#15008); * CVE-2022-32746: Samba AD users can induce a use-after-free in the server process with an LDAP add or modify request; (bsc#1201490); (bso#15009); * CVE-2022-32742: Server memory information leak via SMB1; (bsc#1201496); (bso#15085); - Update to 4.16.3 * Using vfs_streams_xattr and deleting a file causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * Samba with new lorikeet-heimdal fails to build on gcc 12.1 in developer mode; (bso#15095); * Crash in streams_xattr because fsp->base_fsp->fsp_name is NULL; (bso#15105); * Crash in rpcd_classic - NULL pointer deference in mangle_is_mangled(); (bso#15118); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * Fix check for chown when processing NFSv4 ACL; (bso#15120); * The pcap background queue process should not be stopped; (bso#15082); * testparm: Fix typo in idmap rangesize check; (bso#15097); * net ads info returns LDAP server and LDAP server name as null; (bso#15106); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * CTDB child process logging does not work as expected; (bso#15090); - Update spec file to fix the optional Heimdal DC build - Fix external trusts with MIT Kerberos 1.20 - Add missing samba-client requirement to samba-winbind package; (bsc#1198255); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Add sysuser-shadow requirement for packages using systemd-sysusers - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979); - Moved logrotate files from user specific directory /etc/logrotate.d to vendor specific directory /usr/etc/logrotate.d. - Update to 4.16.2 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * Reintroduce netgroups support; (bso#15087); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Update from 4.15 to 4.16 breaks discovery of [homes] on standalone server from Win and IOS; (bso#15062); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient -E doesn't work as advertised; (bso#15075); * The samba background daemon doesn't refresh the printcap cache on startup; (bso#15081); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Fix samba4.blackbox.net_ads_dns_async test with bind9 >= 9.17.7 - Support building with MIT Kerberos 1.20 - Bronze bit and S4U support with MIT Kerberos 1.20 for Samba AD DC; (CVE-2020-17049); - Resource Based Constrained Delegation (RBCD) for Samba AD DC - Support building with gcc 12.1 - Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362); - Update to 4.16.1 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * Need to describe --builtin-libraries= better (compare with - -bundled-libraries); (bso#8731); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * Username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * KVNO off by 100000; (bso#14951); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * smbd doesn't handle UPNs for looking up names; (bso#15054); - Update update-apparmor-samba-profile script, replace non-printable delimiter with more human readable separator as sed can accept separators that can appear in the input data. - Fix update-apparmor-samba-profile script, sed doesn't like multibyte separators; (bsc#1198309). - Update to 4.16.0 * New samba-dcerpcd binary to provide DCERPC in the member server setup * Certificate Auto Enrollment * Ability to add ports to dns forwarder addresses in internal DNS backend * No longer using Linux mandatory locks for sharemodes * SMB1 protocol has been deprecated, particularly older dialects * SMB1 protocol SMBCopy command removed * SMB1 server-side wildcard expansion removed - Add python3-dnspython to samba-ad-dc recommens; (bsc#1187101); - Use systemd-sysusers to create system users; (bsc#1182847);- Install a systemd drop-in file for named service to allow read/write access to the DLZ directory; (bsc#1201689);- Update to 4.15.12 * CVE-2022-42898: samba: heimdal: Samba buffer overflow vulnerabilities on 32-bit systems; (bso#15203); (bsc#1205126). - Update to 4.15.11 * Allow rebuild of Centos 8 images after move to vault for Samba 4.15; (bso#15193). * CVE-2022-3437: samba: Buffer overflow in Heimdal unwrap_des3(); (bso#15134); (bsc#1204254)- Update to 4.15.10 * Possible use after free of connection_struct when iterating smbd_server_connection->connections; (bso#15128); (bsc#1200102). * smbXsrv_connection_shutdown_send result leaked; (bso#15174). * Spotlight RPC service returns wrong response when Spotlight is disabled on a share; (bso#15086). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1; (bso#15153). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * Missing READ_LEASE break could cause data corruption; (bso#15148). * rpcclient can crash using setuserinfo(2); (bso#15124). * Samba fails to build with glibc 2.36 caused by including in libreplace; (bso#15132). * SMB1 negotiation can fail to handle connection errors; (bso#15152). * samba-tool domain join segfault when joining a samba ad domain; (bso#15078). - Update to 4.15.9 * CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). * CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- CVE-2022-1615: Do not ignore errors in random number generation; (bso#15103); (bsc#1202976); - CVE-2022-32743: Implement validated dnsHostName write rights; (bso#14833); (bsc#1202803);- Fix Use after free when iterating smbd_server_connection->connections after tree disconnect failure; (bso#15128); (bsc#1200102).- CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). - CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). - CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); - CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). - CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- Update to 4.15.8 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * Setting fruit:resource = stream in vfs_fruit causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * netgroups support removed; (bso#15087); (bsc#1199247); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); (bsc#1199734); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * Compile error in source3/utils/regedit_hexedit.c; (bso#15091); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * smbd doesn't handle UPNs for looking up names; (bso#15054); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979);- Fix smbclient commands del & deltree failing with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556).- Revert NIS support removal; (bsc#1199247);- Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362);- Add missing samba-client requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.7 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal; (bso#14983); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Crash of winbind on RODC; (bso#14641); * uncached logon on RODC always fails once; (bso#14865); * KVNO off by 100000; (bso#14951); * LDAP simple binds should honour "old password allowed period"; (bso#15001); * wbinfo -a doesn't work reliable with upn names; (bso#15003); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * Regression: create krb5 conf = yes doesn't work with a single KDC; (bso#15016);- Add provides to samba-client-libs package to fix upgrades from previous versions; (bsc#1197995);- Add missing samba-libs requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.6 * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169); * Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key; (bso#14737); * NT error code is not set when overwriting a file during rename in libsmbclient; (bso#14938); * Fix ldap simple bind with TLS auditing; (bso#14996); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * pam_winbind will not allow gdm login if password about to expire; (bso#8691); * virusfilter_vfs_openat: Not scanned: Directory or special file; (bso#14971); * DFS fix for AIX broken; (bso#13631); * Solaris and AIX acl modules: wrong function arguments; (bso#14974); * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239); * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam; (bso#14900); * Fix a use-after-free in SMB1 server; (bso#14989); * smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968); * Changing the machine password against an RODC likely destroys the domain join; (bso#14984); * authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument; (bso#14993); * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995); * Samba autorid fails to map AD users if id rangesize fits in the id range only once; (bso#14967);- Fix mismatched version of libldb2; (bsc#1196788). - Drop obsolete SuSEfirewall2 service files.- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality; (bsc#1080338).- Fix ntlm authentications with "winbind use default domain = yes"; (bso#13126); (bsc#1173429); (bsc#1196308).- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).- libldb version mismatch in Samba dsdb component; (bsc#1118508);- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). * CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer deference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. Samba-libs itself has no need for krb5 (but get it indirectly anyway).- Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- Update to 4.15.3 * Recursive directory delete with veto files is broken in 4.15.0; (bso#14878); * A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory; (bso#14879); * SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used uninitialized in rmdir_internals(); (bso#14892); * MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694); * The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token; (bso#14901); (bsc#1192849); * User with multiple spaces (eg FredNurk) become un-deletable; (bso#14902); * Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127); * smbXsrv_client_global record validation leads to crash if existing record points at non-existing process; (bso#14882); * Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call; (bso#14890); * Samba process doesn't log to logfile; (bso#14897); * set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert; (bso#14907); * Kerberos authentication on standalone server in MIT realm broken; (bso#14922); * Segmentation fault when joining the domain; (bso#14923); * Support for ROLE_IPA_DC is incomplete; (bso#14903); * rpcclient cannot connect to ncacn_ip_tcp services anymore; (bso#14767); * winexe crashes since 4.15.0 after popt parsing; (bso#14893); * net ads status -P broken in a clustered environment; (bso#14908); * Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send; (bso#14788); * winbindd doesn't start when "allow trusted domains" is off; (bso#14899); * smbclient login without password using '-N' fails with NT_STATUS_INVALID_PARAMETER on Samba AD DC; (bso#14883); * A schannel client incorrectly detects a downgrade connecting to an AES only server; (bso#14912); * Possible null pointer dereference in winbind; (bso#14921); * Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.; (bso#14846); * Add Debian 11 CI bootstrap support; (bso#14872); * Crash in recycle_unlink_internal(); (bso#14888);- Fix dependency problem upgrading from libndr0 to libndr2 and from libsamba-credentials0 to libsamba-credentials1; (bsc#1192684);- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899); - Update to 4.15.2 * CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication; (bso#12444); (bsc#1014440); * CVE-2020-25717: A user on the domain can become root on domain members; (bso#14556); (bsc#1192284); * CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC; (bso#14558); (bsc#1192246); * CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets; (bso#14561); (bsc#1192247); * CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid); (bso#14557); (bsc#1192505); * CVE-2020-25722: Samba AD DC did not do suffienct access and conformance checking of data stored; (bso#14564); (bsc#1192283); * CVE-2021-3738: Use after free in Samba AD DC RPC server; (bso#14468); (bsc#1192215); * CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability; (bso#14875); (bsc#1192214); - Update to 4.15.1 * vfs_shadow_copy2: core dump in make_relative_path; (bso#14682); * Log clutter from filename_convert_internal; (bso#14685); * MacOSX compilation fixes; (bso#14862); * rodc_rwdc test flaps; (bso#14868); * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal; (bso#14642); * Python ldb.msg_diff() memory handling failure; (bso#14836); * "in" operator on ldb.Message is case sensitive; (bso#14845); * Release LDB 2.4.1 for Samba 4.15.1; (bso#14848); * samldb_krbtgtnumber_available() looks for incorrect string; (bso#14854); * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871); * Allow special chars like "@" in samAccountName when generating the salt; (bso#14874); * Correctly ignore comments in CTDB public addresses file; (bso#14826); * Fix transit path validation; (bso#12998); * Fix that child winbindd logs to log.winbindd instead of log.wb-; (bso#14852); * SMB3 cancel requests should only include the MID together with AsyncID when AES-128-GMAC is used; (bso#14855); * Prepare to operate with MIT krb5 >= 1.20; (bso#14870); * Heimdal prefers RC4 over AES for machine accounts; (bso#14864);- Enable samba-tool without ad dc.- Adjust spec to use pam macros; (bsc#1191046).- Adjust spec for size * allow some Recommends instead Requires to be configured for cifs-utils, samba-libs-python3 & samba-gpupdate; (bsc#1182847). * remove fam, undocumented and unneeded.- Add missing build dependency on bison when building with the embedded Heimdal Kerberos- Update to 4.15.0 * Removed SMB development dialects SMB2_22, SMB2_24 and SMB3_10 * VFS layer modernized. * Add the ability to set allow/deny lists for zone transfer clients in Bind DLZ plugin * Server multi-channel support no longer experimental * Improved command line user experience, unifying the options in different commands * Winbindd no longer scans trusted domains on startup and will use enterprise principals by default. * The net utility is now able to support the offline domain join feature * New options for 'samba-tool dns zoneoptions' for aging control and to mark old records as static or dynamic * DNS tombstones are now deleted as appropriate and use a consistent timestamp format * The 'samba-tool dns update' command validates and rejects now malformed IPv4 and IPv6 addresses * The 'samba-tool domain backup' command correctly takes out locks against concurrent modification during backup when using the LMDB backend * TruACL support has been removed * NIS support has been removed- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./bin/sh/bin/sh/bin/sh/bin/shsamba-gplv3-winbindcabernet 1684332936 4.17.7+git.330.4057cd7a27a-150500.1.24.17.7+git.330.4057cd7a27a-150500.1.24.17.7+git.330.4057cd7a27a-150500.1.24.17.7+git.330.4057cd7a27a samba-winbindpam_winbind.confntlm_authwbinfowinbind.servicesamba-winbind.confrcwinbindwinbinddsysconfig.samba-winbindntlm_auth.1.gzwbinfo.1.gzwinbindd.8.gzwinbind.xmlkrb5rcachewinbindd_privileged/etc/logrotate.d//etc/security//usr/bin//usr/lib/systemd/system//usr/lib/sysusers.d//usr/sbin//usr/share/fillup-templates//usr/share/man/man1//usr/share/man/man8//usr/share/omc/svcinfo.d//var/cache//var/lib/samba/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:SLE-15-SP5:GA/standard/64b5b387c32ea1e6ca2f425d348733ef-sambacpioxz5ppc64le-suse-linuxASCII textELF 64-bit LSB shared object, 64-bit PowerPC or cisco 7500, version 1 (SYSV), dynamically linked, interpreter /lib64/ld64.so.2, BuildID[sha1]=9692cd727d9d2d30d68738640086acd099725f8f, for GNU/Linux 3.10.0, strippedELF 64-bit LSB shared object, 64-bit PowerPC or cisco 7500, version 1 (SYSV), dynamically linked, interpreter /lib64/ld64.so.2, BuildID[sha1]=5531b58ca12e475a714f6b0219c011ed5e60be9c, for GNU/Linux 3.10.0, strippedELF 64-bit LSB shared object, 64-bit PowerPC or cisco 7500, version 1 (SYSV), dynamically linked, interpreter /lib64/ld64.so.2, BuildID[sha1]=e2b93cd77f9fb8e464fe0fb5f24bd15d522fff43, for GNU/Linux 3.10.0, strippedUTF-8 Unicode texttroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, max compression, from Unix)XML 1.0 document, ASCII textdirectory.FG.R0ReRORRSR_RYRiRRR3RRwRkR[RURR.RsR,RWRRcR2RhRRR-RRRdR^RXRjRvRbRRTRZRRVR+RrR/RxRNRRORSRRQRcRsRRRRRR,RWRRRbRRRR+RVRrRNRPRPRCRR*R RRORaRRYReRRMR5RoRRiRR;RR RUR]R1R0RGRuRqR[RwR9RRAR.R(RmR R_RRsR=RSR"RER3R RgR,RR|R}RR{RzRR~RRRyRWR7RR&RKRJRIR$RkR?RQRcRHRR!R R\RLRRRBRRhR RXR8RnR@R%R'R4RvR#RbRDR`RRRdR)RTRRjRFR^RRZRRpRR>R:RRRVR2R-R+R$3B"xSv rP$tbj]gtimTB T N7 gn^MMmmi " ~rc`"n xQ*&$98b2"k;h q7[jˠU8:={Ynt=% 6#3J2h.* fZImk.*E%SYc .R_Y%M膽}p* ɖ M> nZzÉG]: )} *Q\/.F;Uuo/-;XLhGn냣mFb<[* j洗3Zgtz@Fk}ԁBi,7 ߧh*`ױr|7@P2=;92'NJh̒?{՗`~h )t |}.*^<4a 4jykSDfBmDcQ cb,q~—m4/uIVvjbOZ&Jħυ .rpss' 4"X8|~J^\XN^86("6 7 x N8PlKKh/cנs vj\>^P#;.Pão w~pv.cAmL=/Sn~odJOtW G^F`<+--S/} wSYGd+G%۴IwM@My}%* AGY|btA._Ư[|T s6ܺG\rB ҙ6سv痷;)D刊.M FNO6[̉3l S!ALJ37v%ħ"iGX+,>?=)fӖG \0GjґKǥWqz7 ր(WU&b0g>;gK_x =/Pp-0P[bղ (猐yDB67@ieU&IӂL88%ª%`֘1+y:1YB;6<]| >Ƭz@ZUҨ@B"ݖ&fNQ3ezt}]PC,QV,F+8]_.T-~kT\i?{P9')J#׶`.ofNUt@exH6:jk>~`?n)^?^ZbŧLHBg8ueϘ鍘^3+ r:mqm( xxB^zAX(uQC^$b7OtfNND$Ch&O/ %Wy HiS`F6Iˉp,߉D4Rs[9Gz:xhW] 1%{baV+B4T0Fm~Ǡ5rouRV(UL,tܟ䞙k& T *:r+Пio>c I%&1a1ջ;胠L[dU`uyXU+R?IѶti,MWGs ĘWnw^ G>N, iGgZkШo# VPy{.)\SE:liJqBKz릺c 8dT&e!˟TYtI=qp^̆d>N%O0{wf q˕ܾ' `X҂nf<3a%8~ :B& 'R#m˾^ȷT:-@VL*Ww >#NMe-$ha_S}̻X(lf+վN"9D%b-$X/)$9^=^0#=ա_ק B7=[B t˕R +@ *n1b$L||šEk&ʓQf)]QX`3Gz@z5Fظ<œo[g9ܹW$BӦL7 S%b`TC:u EWJw+r#<ό_n(K=+Ov,:Vj ?D)oPC+B y984Jp3yF#0k5dW(eXDࣗ)gru*!:aGc4һF xSzH>O4_"Ms8"|QyeDc;+*ߚ M 0GR6=DкjƓʽ m+̄|5n5{g +iQ1a_ԴD?U܈{8.fa鍵C¸؇+,ةD>?DŽѪ hANX!qE'03xru4 d4FXAMw/m Ch0z=Ƒȍ0BP![MMosҿ5;s%p-~=0iߢH i^1Dꙮ F[{ӏ`wZDu8C-<]5kr;qңpePxm2&F|:߂yKR 8(Y2Y{6X#?e@Gš\+Sܔ*E:t}Y.lRx-vqkxAh eԪBeYPQׇ/|ژV1(jfγd0Z,(i#e~6y܂/t[ۼE-Uh=jY|*bS> 1Up]OXGRzUL/r=2~:@6'AIM,o MJ$%+`5>:zHojf(8a6 V_$ _ýmI JaGM1kzȰ,*QPN^"}@,|l3,/_%AZI& E=l\#Vm$)z3x2Xkee|VPŠ|?uJ8q6521$/4!LNB :яq$^$wg!i*W k`٤⇴|}}C5]*Xn "æq\JUAvP_Y"X@-P)S&l\."{AO=K3)MSx^9W;2*٥_ \H) ^TEḧ́{zL\ ӹ~}QtY\I!J!h\>(t=1㌭B{ ǜ  ƚzPZR Gug(fs1d#\Yh5<ջMn͛nI>VI" KM)DEǭE06s!~ Td'Wz8ST٫S[br>8O?R?4LzW %ކ9>#>tf5D߻r8m,G:`N`:񚊞 hx) C3ЯG\*=õ% )XSXV BX2Lf֫2FcD<XǑE*Yų@'~b"8\Yh@( z cG=E4F`)刋M6>i9+*[X9_eo%~4-Ҩo=PIPq0`0'k}aҨkSR7|9@dUXڃQgզ4æ@arݷv[b!Cw^-yBUyb`v"7„A?j3XvG02 WD@0r# y5/6RuerP K]}UeI&mK| xZ6wwn ̥l^E!tNزJk,2N<a8+):ȭ/Fu /D7|8`c CԠ^pv$A #^(Tr _A`SBuLBKNhu82k( 5)N-;$E E+g/HbSܿJ|FP&xDݣҌ1,b4<܏{/,ԙQ@ {W.A 1SYS -\f[GUᰃã^(8ߺDxR?m|!P̈k%nRvoa0y2,UMFŘOin.#FP 6/`W3߉A4qR˭|uЏ#&ؿ !UdVɥ*'m jآWe_%nWjطw)Ij"p"vl~?I!?qY-nБinހr4tocǘ/GEVQHo%t>KA]I R:o `)1oV鹾.NeT2|/ܛ*E%܆V:VSز 0y6Bv#Yd-%sSR`Z(՘u::%~.;Ƿ6$1Y;7;̹5:ߢ0 pOI {ʮ_HZeqYd[6u)4:R]cnc,LR BK”SUcNʦRv\Q *lzqva}Nu)hNnXQ;^Tn[ENNTn,. p𼑻 av{5¡?{|‡VtbU؍u}6<;B2M q~?N̥عfT=0$1!fŽvIh,Z M$ ".ZdGDC+$*Y )E-Y:ߪX㉬ L`> UV12GΚywt./L$\/kJƔ Cx-F_iuK=a/4/WIKǘm%KaJ-m ѣf?V+T#no&'?DTu9nġ@kcGhGhBb]t.^aφ] HұӴ6PMǖ!6m[JK BZwGQ|@nSsxnPꋽ#b6S! y|O}Z'Km,k_R!\Mh3`'#@H ަCXT sj~ep`=]L ówɮL4\F.~[G3BkG_]@gz/,P̻Wi"b;y^?$ &jZ[ɲƲsl5ViB@F jJ1Nzx>.z)C }܍ 5~}|}*K\EѺ]\9#0  pEFN|'׮|\(8m ed~U *+KK݌qB' ߋOeWp=K͂1"d8-W[Xo4w Y-+E/e0nCG(ZA:u>9]ڊځWg:s6$O8t,9i9K'ÂmO[n.Ĵ~"G<  ρrUmi"< ZGҷu\<a gwX0}w'8Qwn~Ʌq\ #T5ѝ02n5dIf<ƃm'A7蚂~؞w7[_=5.ᝀZa:0e_s1rAkL%#rCqTnW&5O s; IMBh[zӬ*:%e8 P459CQpZ|js n0rkqI 0zћ/ e+6~V%|JR9(:J bj.S^N[=#&H,JxeǮ:L;q2B?ڤ>[,wg=v)m̄x0~t 2zf }Ql] Fϥ'a *hqk6F|k/qaJS p;G)*v.$:sՖuGbbT_lǭ;i3b\^7teO5,)K`@96}[ątlU4^wg [c.|:ߋE~W$BcejGᨩ )TS6}ĕAͪè<šKhoorf8zA] 2̓2Ǚ%\U6Hs2DIآ6h 2!:2,g[ӶֲEtZKg8Q7eU82,<`V< Ci {H']}sD"x&(W6?x*kL0J|'z9`5~JdncfҴjv[m,cR9mYzo8f\(*Mrw&N`됅O ef)??8F?$yFr^#qhdA>8*]E3/ 8p}I+z@tu_yIJ^R*+ڤVA_D:ߗBnM(i/{IW:*}'$m5 5{AvFF)`~p%/$ ?z  C_P 'rl`ކSM:O"a)XoQ!›בݧz!<͋V-E}?pl B0)LvdN}C^wȾyxsTl6f᳷%4hOYP+f´0<[Et"57J rsqf6]=ss8'=V5STc ȉ$33\c 9!K C+FgB'qxM[Env,g$¬ m Ҥ+ S`ڵmP sB:qԫno\ \CcrGU=b)ʜ728I?۟.X{E}tP 3N$+a䒿{ _ȗy)Лfh+Rߜ|f@E`Óՠi9\a-uA %\1s5RJIczU:Cq]QVcnN2Te Ds\{ݜrbl(jaeFt%f,N 8ƃRYZiC*FI(&FjTV"9A.?,.n2$}@QNj^Sn<7&].ÑNY."^%TkԱ+U\|Q p)wLf0YzX {0Z6Z!\wN~5)˰~P \>b8)_=)mbw'V@jUk FN;Z7jzZt%B]4cat3\ 3R^tu+&'L/7|Bsp"`$D\jKOgoz(Rt1ƒ/#@d'u%BkK6vZ R5ڞ`=.q.:P>bMP}X6+Tap1=xbf3Jzqi$Hl3'&UGu\싸m揿Ε޾">mJ25% sB&Ru1 ȹxFѠm^,]~g=ŵzC X\%H c4E0GUÝ}qH) HQ%cq݈7p.%"S\6D=Dzbd) X;9 Ք]ρ Gz&-@F#ghy\tpRhi{Wjz6;MD2EbAgXbዀҝ'wY#C%4RbL(C[QQaxhݵj0&zC>a\,Hw]V¾cO{^$c-h5EHA&߉С9X(ܲ A _O]#4ѳi!zw6ԕXUF<0J!JU @@ (*j,$75()_9NBŰq|0XAC;o*ef0۷~x yF̤$+FNc6 +>2'H$ZOc$ǘvJ X.v1ƭ ]0+2K16{sbdCQ y 8)H[u+F/X}I"pN͂vJ$ɍ-F[?H!9P^pU$b4daܞ_+z^)ךYkD tcG8Te푕ZsAEɹq=o!]a7f^V¥(5zN'}Dwg.n~4$,VEݰKz3/ ͟Z;ޮ}gy9:c`ؒlī>> m Jcj];xI6B/k5af EIDބMZEBiWԂ6;ȏdHN2M|sC'e`rVCkgxP1ŷv^ k<!Vc^9 񚫩_jm_˙3\v}i[zc7k0RŌt8y%^L4qNՠ5N88j6sWVAx$1GiK޷O7i~f@|(nANΖԨÚ/41~`cPuyZdIh3I-ߏmc}sF!b5R A)!X/"- :ӒG; I}NvWZ Vϲ@G[?c W F5 ˜"7kOImarcBv}In T~p?c Hz؝ Ld\9r^GF|~r\/·:M k\"o=SLn(|Cz&FUVAXۖ4[^Z O _Kxt|X]埥ٰX2a!vӼt gq'"jm9lb4bhݪƀUxDp:ǁZi-4ڞ dQAl~mNb:+A0`3pŚ[Ɯ K 41^I B?WgpobU&TnIRli /i//i Tati 嚠R #2rfY+3M%iꙘW-܋(?T>Kݡ윢T~na(ҍ.XJ+֯s/:k'ȶ0#4B0v,ߑ_ c{G6~`4vj]R1<;?(UJq|>"SCTI@7kQo B`i@%;86>lCb.6/r#`T^v'aAI> j:VuE>7m>>1E6?/jZId>e:OwnJN3C:V=Tu&EX:ƣ2vdj9Ԁ*\N,ZN9DI\r$hLbp8K_U}V泼ŏ,ʹamujL^`O7EC PSb{\8xx怚`a-A7+'䞞2P,W,;WW3ܵ7b?2Ƨ}O}q'Uy2S&7E;|ߤX\F}gSf3nma,f3~DC ȵn0haF_ݭ Uz/{`ݞ!wKRCh)(AtiqDHi\)-f G%$(ICb?~Pup\9ǣAA E#NY-جSt&&m3s"` (cTXcpt*wq&QciLn3V Krl l{,Xl2'ھQZ|.Gbot|dLX͜ [^55"q'FZ@{[=ѣbWJ&q>)EQ%k0"{{03%H w\Q#?BׅrY[J5VC5ӧ̠"u*Ɏ5r*nlR4R aFc\@hP[HٍofbѓB v ,Ďouci,,О}vZ#8|uܿr#XI#0@N/Ag۬Bۘճ8鞆$nfStl.|jO_ze2U>–T`kQCW'b :#%?ϓÇsQ(zh QD5iyof[lRP|C*Yo-awӱ %yBO&j;wR;cXFmKSt0pB%>H鎣 _SO{ds@<~%޾:b'N>m͋Sl l`3CF\SRN-shj2zl)P1l'Ͽs^$KIv4ڜ]yC4ܩ;8M?VLAbw4γE)o.L%]/==p@pfދk<=GP!nQ*`U ȓh03a;U-9[Iem$Gx\7U%"[z)e*t?IʪxQ)mrS q4DadI# )^Wa: 7UzS󏛡c:׏W+@,>J/( dMHJ!c9@(69ҸYjD#bqV1jIS-<{vMc+sW(' 嶵I׹ZWRbh5HUZCn>*hV:-y4Z4G\s]]QPY ߇No/6:I+A6~x*߄t]`7c L*W=9)|<%OyzXjl,eߋ Sq vŦ gjV>mӗ#%E4F_ڈ)9:gip!du-X'-盉/S{{ о" eH,Rr2% OdYv.5P}XRæ͘B40R~r˽[-gS̓gnf*a9iFbe\*s?i w29ieJ3'RHWbml cMݓN_t\ Й1")0cV]-yZC}`*҆(kńW 5Z$)Tdh09R#-f]ʹUi  +,7 yiÏͨX6O6bG$3C{bY#ڕt,rR:IC,Gv}E;mh KL%F/Vv1"'詁$U;QUXHm])jW )CŚ av\~现@B"ZP"6n3mxu*/k(`]/K;*?nTSR}SO0 qڀv#N9l``* {R =qj KHnB 4)zxʆV*V0[H͉z/oqgm>_>"/=0uj+l|Xl0?|aOfV,qI<YTJ|"H\<ܬ]g"K' /ǒ~J/Gcw[#+Uۉ3*10lڪx]"km%#)i EdAk$i RcuM] e'S8f;}ުƲs eO^SS)|"oM /}+MBMfi8a_ǁ~*?D];=u,ٽ͔ޜhheYdg}np6Gtl |,渖̱ >mVvb+ԧe0tTXFVi_}:-G8~gf Ib> K:D<<#gl^`aS MXv=#A\%^R{iyקY y;;ñrM̐qƴ@.d9K@ԳB^K[\[pV ME6#T f ! Vκ"1k } /VY4׍"{g)lЮ dgj8+nЖg7>:%n$6^'{RCs_&$>ϽXybv8s#7F|n"o7jqDp[:&uP00І"+#^@ӈ9)~u+]_Aj5X<}W/d21܇ʙU1PŰFI)daXᚢ\ 5mROt뜃1<4/Nj3%'_LkF՘9<؎`XU -Y_N^Jib5Fk{eҖ=-U0eE_ɪ6  ):CA_CH $"*:< m~ 5J' L o[3?4#6#;T&<߱V͈Fvz#"~YPՒBQEXޠ‘SoϷENȭ̿@o]|?Z'rM6LSэl̩bkjS4#Jm9uA:vgl^S6 t VxUނK'3rRa!-u39 p)v 0;+ޭ43bXK7 Vh?cFE:弱H+:c4hO-ٌE $9+"oCe)O*xC t-О|@JJTPiĄ̱WAv飦%.`//$LJ0=gH ouqu!*&&Z P澻$ON =f:T7*OzQvorU[, Ic7Y7K੠%rÄi 23\~% &s>kp?PwNeun˽bwCc8)%Sݻ@[NMXc>:f^q+u/ķא= KSF#6rG1T/\%wT=))}>6Ty0  9l X0Z8zUzuB=41 A|;gLƒø\T %҃+c^J ]_$QN؀adyW cd-"ML{-n#Pzc@sqDZA _3j~s :m'KlYCIWCFtZ^B|Mnrך‡G уON+εe"MM|jք3 FfS4Ls%nX$js =ՖIxf|6,VBȢiM IaKtpVuW) `Hi)tEÒ'#4Ŏpi雅+ t#oR*jSQF%?d}8jWx, ˝v,LPmeIt q&k $OYm7VfPZbԮ 7O䞤Nu\҇GƧ@/0ަ2&tQuSN5s&-Շcl4B^W0@߃L+5 bxkT%S&<caUc`9ԋפT ~/qhexpF:k)d[-.Aa'yqzf|sDÁCO 5Lvtg_ 1؆-$L\SQ Lp 4<A0#slŶ)H>sL1>X(2fњ_bDz$?%rI.,=gMy.ЦtOiv[Y*fOI7 IaƗWB {1,! $<2 pGy'rd0<P*;[;Yy\2Fe;nzKNWt LȉU(}!}!ӎ oG?n%pO:T\bRTT kBXI?4%1ӈ [)X~4~gqiNiބi$i#Ζg >Fޭ7G{<)b9]l7,ERb)+!+D4\Hd<:Ʃ",t:)NTUVy.slq$VbG1]mXc'uZJ}/I{duwveg0c"|܄xFӣQlNNvB7gfcyV X$PiGXjKWj\`h3tByB$}sF!qR(N >leDn%;bϟ&H0glMv yД LC<'5(*[gNܳӑEOLXtp66z u M'QЧ,PP2@8̤,0ً7MD"8bYFŶCaobOI"YX{kc mU"fz-P C*aU?@WPݛ'oyݙ&xbt~&f?[4I!L=CD8r>;t92F[w0Uz]OiXVAQlop4OY&\lX 7K?EL@984Xr'mľ1%U@gU5 ,k~Jf2ZZTNeMo0``HUh D#dXHPqo?pB}0 x&x]ۤ#;oLlgM TdMK(9ʂΦO*9Rf~ G Ե#W ͚ݕ,&#:PsD8YT0yr!9!"km6_k֍ c&teJs`dm1Fb-^i[.ƳIQx>.̖l'D߁VyW޴z!Y yP0c}ƊYvX85yL:z茤S+An* ثU2 Qjb 1jdM$"V*mޡ6st9APְQXFֹVQrW `ƛ qFG/.,ΘzѫΩSe!pCو"(x=1}X.'%?"=M *bY0/=]L3b'ęy.^F | 3ϋ ^ԍ^{Q}O^]ŨG Lb0[`4̦fբ43[Ήg1()ΔFDCl2hAd<bq5M<J*aZk^IL`y]!u9| [y0sǔZW>Kv|i*V|T}U9u_vT//oq s]DWCckթQ6q읩D*\K6 |MBxN?ut[Au *0dPQ=VSA5 aͦHY'/w?N(k8ZXzR*ߨzPAw 2̳=%^sL,!!ѧŶ*eg+mAPI{=`8|>$[܍2_ql4ɯ 4ߍ^-6+mE7oӱOUD| f=δbXo\% b]U5fXZcY{~kah.Ed.pZ:RX8%<# }v( >[$cFv-ci~&h^g=$o*I*Tg#aJ..f;GkP;7x-a'wW|Ibhz0?T!om^ʷ K2cX T𭠋nOE ̵GSМ4Ozws! 4NN=рs [tEuO%jXFaF,6>xk_u0]6е )+kعxê8yAO҈m%C{%3xe*JU Q7?鷃 +M{H&-ďBw@zB-9xyv8ov_Yj.:awisJA&):,W#׌2s0>EF3LVDR*lani&Z6~FNӼ[[ {^"lUԗ*O?hL*EJxdX<̄n}YqD6xՎwr3,REvcT o 3 ؔZrNU ^ACTmiX.]&l]67ӟÂY Wu_WbN8AWi-:=FMR0 a uz~*$jS-lG5;c!":*"ŇƵd0,hҥ!=>r x m78PwZ[+)8+bQ ^g'pkeGlTvSﮀ+uYbS96"mgqn{$& 8n2 g2[<K[k6?ov7XYr }֥c"'F?Dڦeu<++;݋ߣwCHƏ֧+8YOy9\Bnt1"Ҟ緷)f75&!O-= L_zye˂e%r=Bl=$79b[\< d N-3E mY[Wϱӧ pM|/䷌9VozxCB`28UVQ+8(0.t"O p~Iz0OSG̀ť4H }ay$INs*NQϘAb|XMЂ$_LS[-œQ:WE 7Fb| 2 }LѷΪ@C)?BWZ1B9I6*V-CVա/W|՚ !2Ey*':H5Dڴ?Gi'=N`~]Ocv -11YZOA/4q IZ+:Q1H- V;7:<{~SĦ"֡e<WCk8" C"ayFii.*0jvd/ o1kf~0.bwf6D=k!)I$Wis -Z;kiEuFn} ёd8lEl0\~ kg]7D B #1>vqZR5W% N?1x`TXek*Fel^ ڬncSWҩY%˟׏8ý2d{|!Kzd*N{vlIJYiBL IJHs<)M1[^*¤7Ze'>S ˿3s,EVJÂjh/"\.rN⁽ 4 3 G0_Fj6gٯ@ !1By;꘣7 ham 3ږ\IRlדmIUC0Z_*}Uz(yp(+eʵ-O?>Hvr$@ /SLok0Ԋ }LA &m@7Шt CiyL^}@4ӭgg<-DP~|;~j]+!HK4@AaG#h[, XH\;)'%6|7hʐ^%L'b9Z)q\ ~7B `z(Wt6GiE׫c>3r1L30pC U~ZNpY9Tl(W")sHަbhEȗhW׶nK6} E~rSRx6F,aU:'3Cd]ܽU%Xp(-X̰o>{!|\Uҹ 0v˺ 컕yKg`c!K(LP J(ȷ'm'2ĕS ErG^F-O  Q lþQ3WSn^Utڞ&=͸!A{@e tC~3 "ED4oZjtbnR%1=Y:$cysgg=vX|zxNj8gգ הS(Fڅи܈) 1HbS;4{aД[{9{UÇ.5Po-2[yüV{IE;6H1lQG˜[;E !8l X$dX7p,MiV3G1s"I #%zV`xP{+ŞIs&Y2т(2ǿϔu]|4ƅZ(.mHR:'$#I.~Цo <*Fd JZ9K#2-]4tQ($y9i?XPIy&r[ n!͎否 𡾥.^Emb(1ġ&J $ eayj"Jl7&^)z?tԝFu8:SaXBSx MȔ 4$C̯qwB"JS~6E]2L옌-/L$Cxheɠ]ZEV&讋ʖ ZBxd@?70`&GopI`;a=J(=R*n Jcifp?3%{CYQsqaßE䊚z[cټF. I8¤.`;|93ӻ^l3 (:8N ϓUOc+NT8P)]45q3WnmP$%IyE#0tǵ" &Qeo8\S@{R-G,{A% N)iI845lW6yq1*C$v ZL=ֆ]mm)lL6=DPU:B/ΒCL8ˇD!%N qr*?9vlïmN:4u(1Ee*k|'"Ĥ̽ڞIҕ Zy*82 lSنAJ_%oh>RbR\ 3-4rvy%0>ܣ"aP1sc{mE0x{  :Qk9:]|&J-x", ̝AYց&Q*D伇@܄Oc\-ݛbV=4u-@V/Nl \b.4YjjX035Mu];u{9S-kyVRdys{Ejw{M :OBQRdKYDt9bIƉ-Ղn3X셟) ȮvvyE 32Ud(iav)?q~aƔ4R7;q65dEvJ o]2ل4DӜ8NS;x Wȼ,|R.^3sy 6jc߮O> L$\]7`x56uuGeniv0x/dCf&tK/+zXn19FyIQ[Q;$^536E4S1I4!vȹ5)-~%: 0;imJ%(ܙE S:jIbIv$TGWq I,N5AŠ0f.8^_rE.6|ធx Z\7RF=,@KGN^%[4وS6Vk7{GdA ,pp=dKfrAs޾O%je^a#R«QvHU[Qincz,C5" E Q_k\ă,#NmvN?Xcz!C?ޚ_Ӓ$M v|MDG "vSr]iU53fLό: i3jWt.gyD댾{-4>=;y k}{v:wHA>aĩwc7iI8y*E4#6oN1vG8U4nѫn9<եrn u!׫d߲ʚ`<^PBe#u!`~M'Ї,iLxHJ3s(͌GT u"*݊6_(t֩3QKn0&E^vYk4"g%8qr^v9 P=+Ocٜp0 ²PS;٠k` hXxjxK"oDN΍@m2^O"fkgZ .HHnUR|W3;|ejm4Ltvk( ܢE+%R#UQʖI cd3 Ha@6>cV4 dx*rT=HJWY).|'F-įW)D\Q@d^]gȸ<*,kTS&:y9;$|UM_'J}Lĉ/[x2auwHFLWo{K,~-W2.Xe}؃ tc$ǰJLPoNjl.zųV`ukʛc l,LRfa#IWջXL |$P01r$4AdrV#黑U屒=}Nӭ{v[GG[:RkIE1*2ŏO?Ys?؎,w>Cş$kŠi#` +ŽCml/Worģ&(Z: ST4KJ?ԡ $!7&b8ߔX'v aS4yeWѴ#>Q+I-%m ѯJrHRT]Pe,(M9X[r=:T44*Vc4M( ΑiQ<2{b1{R+k/I3W_GxJ `'N쓆)Iin?wmUC '$A1}\\Hm5P-iif'dfU+|s 3Rk+S-; ]/Za5 Cڂr uOyWleB-ҒB;+nemCӝ|׉$ h6FH&p#3bGZl/Pɼi^Y)*ODSc։h PNǛ-$Luhρ% Bb8#K<3TIIqN"'NoTcD2|-@2_/YaDr: g@ 2L4/Q\$g]fLa5ZwV`nEʩ _oL΀j}'51ʐN|`2;Bfj4T6ZGlȜjav^ײ0󺗊e&ث.n3@jPp@|TxѳJ}x~ TaشAgE(dζrHk~EUُBA`듃OGC' O`3Z_-wY֥UIsepSn̷л4$ED7T\Glhi{;o.%Tv?1L:=fP`btvMGѪq}y82"ri I\k#(TFj#.Zsv<5\(?wHפe׆@UmCs76FFs|(W1qzR92y  I*oh.吻3^~h9ѠTW!]lA/dnF={FR'_E@;rߟJA2/3;ħSz"* YsȦ:J 7[QUleܶ(O'/OZfsQ3cj=Y_xb)͟n&rS-&eG7^T*Py3b0y_p=+]E1ɨmvB{fKwH#?Ti>y׭w>fi<z#[q'r&m8[!bBM-h(`B%[vyk@RK^6U^}TK6-$s$F\'2TWde<($|hZT|~PrC:cJCVpS6;%t!t)-wפc̛)GOw-]t'F7qQ"pcMܺ+=CGr=C&~$:kA[irj'pLzܛ0 1C89 e ۅ L4W:}2!?CEcnP,6\Éj܆b-|i>#NH^/0`K a K@e;i74Ќ3X6-?W4ĠxR %ū jmr0/pQiTH!= ~ތIjV$L4ݰjc,n܄uY8o3snC8+,3ݣp6mQQg#)PdT.&XIF&kˠ+5뀒|Ģ!(mH@k3V=_0JDB#5%gIJ8N5\tǢOҔΩ^dx 昲Ī̚$ !yf?U{DDIx9>GrYmxN)vպ 9ڑ)7?"fݖ~jde;eN3eMS&=Go_g6 RPHTZS9HuDY+*JU.4EmT'KGA6cg~$_DǴf] 5ch{Uq{as_;p6ļb qjO%arJE;>b{i)M[#(i٪fzwޱGveS!,1 {gm2`jc v`:QjM3dVD--?ԨM@q};2y_"SwܱxK-@%D{ʋ:.B l2[2l@u\0eP7}G'|밭(a!Fu4{s~|Xz/8+? G. z1g%9C9&q \l՘DIXߝNi|vd9_Ź;`:r;݃W<ݱEce5= t.bOьP<a)yknLGΞr.'*i*FsiycJ62k2jn+Ekʝqeo}0{! ,=%LAƽBFSvR]Un`87MV6"B9XeZ:Է/ZძDUfo&x Z[5jMjsRX%辇kT*Ok[ʥ8X˭ӭuZSVxEE9/Nq:MPSL :vtOW\- 6~9{߭ɯ^  C·0!*^T: 39 b6"X R .[ᴜ&K}㢠uXEyڡL\y[@oMuh0V2; )Z-? q%P"r  ?.OSA"q4et̬*5A9>j4S/k_0o3&12?dR'DT0S ǩ/ 2D[7*4:/`/`apuvs`ʥYX]6dq}bO\:Jd &&pHjmC tUȇCq<8[L܄ W\w mꌷO-F~G9 (&AJ!롐$SpWF;fwiB&?j@'+җ_m;}Bdve lK ,)Cz>y.jii$9K"3ec;Z"Ȥ),V˨! EŴ=VeFڹeFܛI/|=ZE(riui_pDsx8uс:ن-I筫Gfkm;aI"&A&lvC?fм ]Gyx{v2X?_y7O!mWjS'$.J7Ŕ# 6a<ֿw#"g%ZMxQ˚^(Q48MqHpլ S_aψ``Щᇤ8b>!j䍜_Q:ih>RKvc|u<{f]?Z+@\+L+fM2Bxng*-'cgˋTx9Y6Dw)YwWRqW"y;Cd+L񵤎;܍n8!= S2;luUd=1oCu W%+s81owj*B>`!3F%[_YӵA[ON~^ibҜAz174s^b‘(_AB1ӿc+@֋ifS4_D?X-VZ7 x 3 A3W{}@"Z?oA !Nt (78\%Dϱ2n~&+*#NͦzFUtVkm8( *Bw"n2i% :$L!m;Sc$u'}] ,~&p˭aݫp?Iu܉oؚFkĪx g9T\'L|"b!3R5?uє/ '=l6g 80[mn fn-t4DڡVU*]ݻ5W1LӊKXG\jekK=b 5}Eyѷ@tX rԔI|PHT1_=kNM;#dHy@Nͦ`ZpdU?hȒnQ[MaZ穚E<Ua20qf8ih'ڞDMF0AzQ9596W8F5aXdk0_db!YNd'c(E/dqIcO4 H﫣lQ:wd Z<`NvB%3a|DS 2Gt~ȸJ=^Aj1qGm0FcI tU[{q1$ʊԺ_wbB<]IfiO9SDex糺5K<`eb|,k-<(,b~סCώ; QKP*Ѣ߮MFj8s)?\pqVIviQ і9X[y~0qN# eeH'ZƸt+~d^+,dR&L"zTW/j> L{9=58 8_yA0C얳'cdEsj#ئ&,u qD4M­T=w\~; uӨ3O97t*M+>^P!BKp~M~{qV:鈠1F~!d͙®+u| Xp6\$}Q9֛Y]p5UB\vk;1(b]ǎ;Azy,4ψp"#,?)۞2F,й 74]S\)JΝI6GLnrکKw;[MYr*Rs|};n A$Ly %rK vVj/*bdc|k!aVbKb)ȝÞ[t7`vNa IЦ9/M Ϸk0 ̹W9mqx1.zYz ި֘'# `ș*aE 1*6xۑXՏg2#GÝpј"`-=&&+iߜ Dyn^}yAxWGĪJ:IEINʇFQ ́hXFbv}WyI; 9>3,]RҀQ1gE|Q_>9ɧa/tTL*kҦVbLŹ"G\o2:̠s+qro!UuS#R$Զӈe&.b,| `{` d\^l (]vpŸ+uul=:#NC"iuERjeV #%5Pr OXv-^9.-jx4D>du0Y;V\Cٽg^=NO ھV bnBIk'~aKv6yi&Rr^-{fi"Fד\?(& -\,Wr>=l#'4+%uJSjMdLOZSnIxK~2tp?A[tVx y&qur:sMu>O8 O t kawz\K.ٲ b3ԏY,"ٿ!8`J0i4GP!%Hw;`ֵ g_eC9 T_=6yX;Geg.!0`_ #uI*Z-dԐ OHX]wD" P1 7 Y)H7s5h3 yAzM+W~0vg)ӊ˭_*V_B!ft-tr|}ku Pl=[ 8 z6]Q'4N[7(y(9rҰ [U3MoyU\(G \W[,xa"d~^Y*,0^ $*9s.bt/{=ٿ'( Kwt>2̋zFC ;ђn,/ꃓϾWpx/;]y$B迥g iZ*2wl򤖑 9}z @~lX+8?] ܄D ":Hhna"!TfUrZB6PI/aIs .|2WZC`&XYyux>i|vGP\?KD.0;ԼzC󡽄LC1Nvnqq4X(t ډ$$ xī^60BL+w2Ir2 ޶5sպF~vzNRT(&A-%D.0sN /$a(\ceTvPi, N'2tlj-kmר|^b@7RcbZ5$8jQ0i v-<UZJG9(<7xzӐ/}*@0rCHv~ e\k\L>rgz :J*ɘ$[7mW|Q 7~ H"ڟ&({7;IP)/\oGHu`_jg~rUнE%m-Ke*RnHN4;Kw2ɗSHɘx >K>G>}O.{M84YnT8n &'=z.ާc \]&Y{R-fBoēJR8)&PLD0U/aJ3̹Vz(GV .^'sM>6g1%IZZW6z3qu82/&v69q;ٯ&uvȑ:.kHpy\zͱڍD\|F;GUJ+̱9I3m;Ҳ&61%+YM.U%[am@ۂyF} 172jPL&0_,%I 3br [vUAe d6!筘T!DAApox~f&z l9AK؄uU8јNGY{ZSZ[IHX}lgaotW,&X],0 Xt.'+A8ehwV$fnnx8c8hH: G!̝WXi)tS".3!_ٌr?'KCԵ|oTrB&3 NA/>pNP\J0]dn:UBw,mXivSOU\7yvXyUhzъO+I!`0ON̈Z|4bʧxm^Tne(أ{ rq3/kY]yi>fҎ6s3x%0;Zi9e0=rp2So ~vڞq,_@GN3[i|/^l.?! h0dߌ~)J/+HM=Da,c<բ )әG6 \׺%j(TıQQZђ83Z5N;5"G{W)]넁rGQR-)'a 8hΊ2/|?r$M?pFjϖ;YffNN9p!N 4:b-[4W_mf^dx9W{Q/&cCU[)JSUd^V0=zђ F_CIǎL ^[uyqM +,Ap|TF?U^\ty.ޫUeEϿ/F?C_ipX.| 8 34-?Z>7`~w^}0j},s{R֓ _~tV},.KXj24>A9w3?pփDYLgS'r볬2A=ba<-#Zç W&xn#y2;,%'fů.fo v(c"+]?]K)KP&+ߏI?^nz'e&rFg?Aa+ ,'M/.UL,>@`sC*}JBGXU嚾 M~mCq5>F9OЦFY k~>{E>ʄH m4jW|318#6- '`9&`pe3W֋9.>dmT1+_7mA0yXv 1E,/k۵& 甦/[8jٟ6]$od#芖(Z83hr&jcm6mcUre~մ=h<4{}U{t.k3.-Rw?Md8q1+6#Z5̙qd2lL ' (X|%h-Gtw e7t :ُqРs㿛-+Wp.\U=T);eBǺ|^.)ăhǚ$k<>׏5Au6VZelέs0}M2Z9Xvf2,$>LO)ޣv=ZâX2A{A&tF@E9, f!| gnBVvݺ&#*ҿy[l *Aqg=MZt Rw%GP`4z]Sr ^Ѫ+Y8…PNW& Cdd`PM&l'C\[缏dK [;{85+ sP/3H+1#؂7>W: ,w >ڻˤ,oā+~GQOcd ox̶Do%=1SWH{6ܗ`?BA&x>[&}jrBqaS}Fyr!ue+ՎK`ٷ6@!J)/G3*Ng" ' Tp'Thl32IX"דoC0ÜYڋ ѵII4ޮ`)-y{zx~uzduZQޝؑpϝbWUD: fl Oxw  `D"4OEۣzoR3Q+~4I UnVQjqY(LP. ]QM8X v.jBeR!,teP>U$MK=I|2Qg' H(NgySt|gcǵw[ޑu`<&&;/E9+^2Ւ9_qo2t( B2&f҈7űڊ ɭDjgӅ*69R,ReTl}X($2 JCTYdǃg֥U(uҙ>v3t4>"UhbP!ĠwҵIL,:~ɴ8#G\*sP&x Df^S}a:,L͌⢌z<58@"NyPMUP珡b$?95͐SP##lkP 2,ytK̼?RO (%] m;E26ߢ?vGs>-+*%ᣎ1)Lǀ!b60 *KM#8o4‘+kI?ӥ8d6A%Q=|,v6CvWıFћe0;TY]J݌bq9Vv>nlě(+e*IX ; kҁzImsNԛ,W4/i"]`==BM}t[bк46@Xl (rޕQ 0UpB7:ʄȣj^M˄-`,G'bPC`[Xs L|〪(Ǎ ω&S^F *y.zrK!O8Haxc L0%MQ5Jڷcҝ~QQMe4 =t(%JsrOd.D zFZeŁ߾lvK .㓍޴lAl gp|۔}U1E& l^l|yaAl,E¿%1XMDt7c$ŧlR_ r8DibT8sWaECIHӁNMou+j٪0` ,ЎLdд`r9! CŐ|YK9K;yJ) a0"V-6Ou$kƫ肵2lEd i2l'H$ Q:nvڄ"Qnv7pHzkAкf6<М`!\gP84PFpV5n$I5#&^Uk2^-WKTvX7Ʌ jr˧{=Z2߾p%:tCu^/-q/w$=_Rr1-> 5[SaA o|KV JAð\DJL0ͩX=S![ZA:cͳE-/jvcI\Q}S |GT("UvZCT|N[6vRCLظr (NwCcW"K0~s]~+Hhu$[*TOPIaX "L5JYC*]upsNvsZt~Yj+$<ߓ wbxe 0^ʬ9oZPNjFfϡabP}fځfDLmR$ Qp>>(wfT?N;dSWw `6xĒzx)/ Rx] ԋ2=xR"rmWXxr㳷8bO/{D,b)fz`*Dx%P]8U_Ə%siS tVweTrB3XJh6ov!a}P'"N#Rb%>3EX8!F=B=U$\Snk > %3zKQ/Pa[9ˈin9e*Xܡ_RΆc⳴p8F- M2FL=/f^~l*`]0!b*D up8yNʵcݻ Q *3.^uM˿ n0M7'0. ( 2mx ?z}SwR ҂}"`Md)nm3F 4[g ]ةt,KqNqB,k78yO7z1nb}&\ 6^Ij:lXqۏ_H4fec=/E#pM ?(tX!i!UapgSӪ Ԅ0+c(0jq[am)"m7:I3C\_N+l,s^xI$:~Yn>r%JO(P +ȂK֛j?~L :I.X$ ,=T :~(458eT `oَU(j?^|cvx{Ω 吼DP aX ײQU ANȮe? 6]4e͇-~4Um/^axw?'[cqs$.7U? u&LYuPMKܪUNQ?݌e6R*r3=y8f/@GaA>mCN"h~{ƠZRQkPFp~f "kUvT%ˈF|R\*OC'(5QÏ[VFxq5{'3"ݩtd+q?1%}!!T~rZ;QeASNc:kf^ړ@@r᝝Cyc DaV.u6B{c?)ZՕ 3,)2H|G SKhL#z@#As=o,7 LApk)XsyϥZ,*Ty9 Z]?OjpKJ <7u4BV_ !t4.6q vh:) RK N /ˌa:"\bM#wRDO6{|_f`U: ^45/\Sot hT!Olzr/6={צイk|?y!-WX@ ӏ9o u}@6[j\tqhN2?n'xʘuu+jZ9Q?.eK'fQWn'cEN:DXNz DD#$'02 h6c~gzӖ6Eyn3)Fe=|^ M.& +3 I2A9}%5ϫ.yI1B)Q0{sK.45?^ KXO7ў;\߷7d4Utf=i ϶ z5Y3o;B$k ++2*ЉAG [t75<=]_ ^ֵ`pMnwbϞ  oØdToY"i(PCIޥA30 \h_I9(Ԅm5UYM^oz{[EXXjܽ5Y(rT 2%Mߺ B7Ӗ^sU zu'6pi޷ Hr{XٽIr#(5k Sӑs{QjQo s*$J  9C@uP:ZxuC²SM Q` D/nH`y/7C8VhPUŰ)@\\6Mw2qMsRi67KEE.Bkp'_cQgRqX#u{ܿGm/l.=ޡQg+WТvY &ǁf"I1G/x9TgLT6BCa\A1F}v ;Q\3UvQJ7`%a]qk4+,,utTÝc(} ~W`!(JMv(B؂QþQ4"1+&P@@5@q-x֐V1Pcayj ei$Bk*Om~Vq'X` pOH0Rڬ J*b$IY݆K|J%4WZ 9 v Bm94ɂ216&5[m*N7_V C-y}M-NfQ|˺p$uuM@ʓS|rwR%pL=;6 Fp!&ZxcytK\U]  6hR5 4&eM[8_.v|WQ*̯>Qxʝ#Uu_hސ1¶!cf"K4 :GΟl95Dxhm/v.乙iҝOұ\^h[r[<>'75pRdK>_!(V2;s׶)!=C_d6eG 4űBpBU\N{ٿ4JKtTS" Gڕ# fMlVM2H@RLύ_#a>y9NFj?L]6mp0m Nm@ù+%)N N5fG[veMEB7 MҢn*Ri3]qRgY3޼8_F]2ʊ+- ̞_)mTąmX7xm;njPQ A8bq s'?'=y+).Nz.s]8.W1c opQy"8rc2[ X_Y 5)Pg ц3 [}3.[_}5dJAnoOKm>%5Ŭ.hS`Ô)}oZ1iJ" )MP]QnJTj~b!)"]Q6ݓsWq'ø ޼@J %u.S`Q(& 2x; *ذ!#L"~\'sx"q'ȧu:.ERHr0R0egˆB PD(/. wLaVQڪi?K;_9`J,\0y7T4b,A|Wty${~kbD-F^2UhguA )WF+IZVⰬhgP ih!70TW̼O62c4 tA0)`*9xW/QuG]Z9d \gktFeޢWa3ߍ3? ucCl@>a~JN-V!j<짘u 5Yغ| yC{I9 ![_`G=TUX_ ػ!) nϊna0zbnEE1ftqN2R.[5P@T}]`Ǿ4DoUx,=[D2aHT8˄F䂘UJ[u9myFCkv>JthE1YMERS%#0xHsSHlf6[NE^xMߟ1i(7L>_fyAnp_2q)ŀ9$ ۭ}kwoHـ6/S̭5{/pӝ ~nfi:^I-ФUu!nPA/3V;dpElOnFwiLYFHA9)<:)lIEB8'u8ٶ} BviQ,R8)Q+-P ( d<@`ՆQ㘾  i0'1wu-8N?bFg ]#buG[w>U0d!I+J y񳸱X-g!Qmsq/.ԛV fzyxhS޸gS\xRs*"BgLbjMܸ+@d( &F=_: FAr9Fѳห7G/T(xAfv :,dZgSb1"=IY7% {=9HBTI(t jg"b2  w[K DeY^ NGuVMeDX$X-a`fqr ;^]p ,\Uw9\VMWYceLFAR<M/mCL-V K%v W5|xP^0\F!׏n6HH;`sӛZQgVek.ha2Cσ[CZuh;)ϲ`6OCC ۰pcw`,l ?!U'llԡ$–3|ziuLf23x[MJѽVq:S9QNJbBr `LD7\"m-0PC+#9>YW{a?{XaGRH&BѾ!0b7b|axz`I;L5d,5mloZUo/nS7V mpܪa)1a9<* = }3[ 4!P67?Nu+ƃ]ypgz>zo^rϝ&+fA4#x3TU<-ț8vsDaNDR4nܫM@_3T ˖cPrVme")lN5c<hH_wΪa ;p]osOO]%~֫7QGuJ0e;܊YaAtkKwhׅ(,G`wN.OiD4JO|E }vg=.p xw 1v+X:bC5*Rlg:<YRdNlI/F}fa1]O, [37ʬV4~_=RmZG:%D*B_>Ai?@\W/Ĭ01|?cJ:2ΛS*׌$ԩ|2$& Dɻ\w1 L:bRKĠ&vNb -N' *JU`t\DLpLKqtDJ8C öm4O>w;޵/{߲C4-h(!h>>&3xqa+91Η eEQEbH0wS!סduJnT 挻֜ "1}Yx)׳hxl>E%~n,w#Bm5Ƨ4zv#v<+e L`3(Z !߷K̳Sbp^BOggVT \; ,W`7P#d- %' Qhf02s@@+2WJP??$N5^ :^*6Ig)K,)4qBHɐ]: ^v‰,\KKxּܵP#SD5* U]RY.--BZ +Ts3$tqPaӈ~ՃSwJ !.]d #uʄBFG5ֺ OLgM&_D/2%bQ&v, ۿ}mBjCmݩ8ywH8IA3gye H[ɇ8pӵz@4kS+\yUP JeӚ,OI ՙ6ҥ%f .tfaH7ֈ$Fa{lJ%/8uMnOS[i="8Jin[0NU4AGQ^O~Y{ HLTp^T'c5o2ԴD 6~/a%nxd~`_Ia.SxBv"gO4u:$HbB^GZ{u! !wd^ ˯v؀;Lvb822u?XRnG2Tj᪌<ەju[z- Dǂ2A˖6PbOzJ*ktYl֘.!ls޻]hckT.3sM˙i| ewRbtjJw$3 Zz \C?#jrm%MCVFsBi~`;|AO.|.|['j=jbZT]1Td#Ba[_9cuiGۣed>^>=T2~d~xIEr0\զ50,s,a lEKqeO.C+á M&O&i`'kKb9qXbEb\'2>-ۉgkDG˚0##bɔ륯F永N}2yT+T߾st5iaY?IEu%S1 _XE9ѡYVq&SK!5[<#% ;۽,TQ/e▁ *g3;.îi9GynyFxߴF`trck)E#3lus\bd "q&.&Sbnxz:_Wӻ4>-I[<„ɢH?]< Tqr͕_lcO%]R F0k^EdE=5ab_6Xo^VUHj[ȕ|y+QlE3I[˙}?_y`8OrU>R-FZ2xL_{PʲplHD5Y)*ta!#e!8C٪;CeGN ZuG;MW|<{>_t<5C{-3&4v(]/IJOԫFqm5` K {Pw/ +q_g]u.W%a@=/l:ϘC)L)}"]{"mkBod>J]י'!`6l%A9=}1e"[L1Ta QD7!]Z+& ! 7+%Zݜ}99q5:U`dMɅȿ"-d[ B1l-ۂ8J][4Ӵߋ}r'w[-sx; ZtZ9)E3kmv9>Y-8&?UbY#H}^A+ ztyjN+.r6iueբX5h\)JFY " HvP4"6(Rr_FY}Rˏp^`fr NG5DP\?.AHK|5S: PMہpAk1;2_\{:  tܡKj^Dp͸PKV ]lToQaπr.CݯDqY(U3fQxh,2\ Qt|dBl'ӫ?~WzhV,1S4uN)eQ1،EHlKGخ\8.iNqy}p0].LX q9z+}=MW o0?cGp:A|Mo  VƮ(\ kfuO4IcW[F\z7Kjgh>1Cڇ8DN lbDtJ-bLb{kH-v0#-ƇfX8hdgGbkdlwD=Gj,@-$F88:qbCeup֗f ~^ ;73Swqic*~>>lO"ʗp(!uQQv̲Z#fR&`!Ye!Q1+OX3 gl{?YjQN_a\&PR5C1Ȫ 18SV9fL  *ES;~V(C%ˣ8.#TͻAlܕ-jtPtT߻1^HcPԸCUN"79t)<˸ɂC I᭥c 3<{ӱCIH?@{/תC Z 0a$:6Ըe}8X!MJrt n*`A {cRnA  =8U#N)P`0)|]я+>ոĈϟQ[qj]ĚvfU?#b*0bF^Rҏ\폘4`KNwB& k)r8! N _X$d,beOIȅU1CB-V\?w˯ E9oWB0?~{TQS0#ǹ+ n-R=w?9=NGta]k6=ҍzi, *w"e7p?dj`*QGs!: 7e?{%3_Cq6Mz9 3Yp ZK]Dخ;e62E{^/hhibʁɸӦF (fC CŠR2f }dS mX)—7W"zNN_[/ƒ잒_i֊07]0tQha&x}#Q<>KUvBB㰑Kys|<6Ks}>)&yO6xnp)ߊH`c(zkθb8_ho{fJN! /ʊz1jPW&\y0PY".+ 8hYք"J߳ X1JC 7=(\>VpV/ǻ2֪;B~cV}@GBgSRh}`\ .nfROk5e",w?&u}u{4VG<71J0/K&QBoOY_'du)/A(_KIyTKp} ͵9d>WeNsE G@g5% GI:* ЊzoԻ#=֓_xB_Ѿ87yfWGo%N@v,|zDx3~Y\l8m  'J'щ]QE8uf," /,)ڜ̥n1G&y0 :&⃱ݵ; ;7W:KX(R) }ȶ %Pz#8y$i;hI`\zKIp _a^$=h͛'-O@h2Iž"C2ȂسG=?}{`jպ&ۼ8+Uou!Kd w /M9 `.*rĔuԩb, $>ﯣj--K:Z.<4̌u.,*'F`nv"Ӈ=!zq.x]XL| E0Z?EYUKi;L4k (dxi3UWgNNwE8{5A)47@n҄^kX2嚾AZ Ԓ٬Ή)ԎxIf U:ӷ(C98`_`Lu„"tV\=3@ᗳϨV^JH{rϭ/<4'5kESC$Xq?(X f3C%ReD*gF(Vjs, 3,"|ntrŀ3]"2C|1"^b)gLehcۧmGx᭜{5IR*%l;+Lю-ahdڻˈLJ8k,HTٵ&:-?.a&/ug25yO$=%e\RG 0;b9~cg?~䣱ZPEk^&LSLKZlJ&ApBIȟl#3w`S`1{Bn9NJ) )&ײYDqjv1~F!V!"ZC)o^CH^!rUItpF*N3[[MT&g^4}_E#S @ 3.</8ߏYɻ}pd+1e"9(8 3|`9ʯQG?EN,gv\ҖAe)w8qV~))qGtƓTh k{k%QGr}}u4K{v&wiTD jCwN+0mRaI+aPgYg:V:d5e=] Gl})^i3HZc%Ί-U 2#ճnW;󩦄{7AN.$O`+Wo3Ow9t`Ȱ?@'Ȳ4)g/O}({8ΐ!@CfԄ )uQb.X ~sIF>c$|Otn+)n rc5qH H!~KF&!`\AVZ)64 Okn+UnUTm i1#t FvoJ7 &X?/`ԊV30"!۪rYm@-`Qm b@ ?`),:6Zj)}S! L}Yp :`vXr#g"ƣG㬈D#q[H_i{ ؝m";"?V0&`d4}cS{{wUUu`vif*[#|`mw ;3rYhWN9`׬Z>`;dRfM.JC'}M4aiMKU(YJ6R-m\;d(8%SKo~ {NxC nmBZ åjw^GqŒ/E+cތ!85tqD`oY-%0wM!VQpYLUH^(-pw\>@E^ʵ:v@==qm `j >_(iQk,w;C]"xKBeKT͉s=QxYߧjY qH[0#яQ.uX ء_@j[&G> E![YK\9h0\|2k&eچ= {=4sd<9E7$Ll|w_=_ %*ً&>(DMNs}IV]K;F* 0Y}WO/d~z\&d UH̠՛BTVeP@G>sY?g,ԲɈ|E alT$ IEQ|EWka5R`5chk ןc 2\.()!7mgop0C=蜅A5`Bx)Y9M:#D:D9;0 *I4\pb2$R3:Ή|Il&#ki0yTzNh_zQbCgzl .I|+2!.3^&iI_Rm*1Btc7BxCs(RDɌcͼv5IZr'4R,ȢFG]3_֦ԕPe#9NlZ|#?83)UPijg'\-!]`Pq #iX*Lf7(h}Ak$J WfR_|hWCy練Jg%*t_Due޷=WlDaAj$6oA٣BF(q #Bg0Z2!lC2%dp5&f)^:Dy7ؓPMX޷/d0~Ak34灊%0., ځTHSJbSԢQgh̥=u3g~V:߳ A"yI>F<,͗>Q9pj#y@axAqj8J'VM|a֡0͕ |\ɇ0 B|WC !- ρł0|v)}?dƁŲe^89?ڥ$Mͣȉ9Auhݬ^z:ਗ਼՛N@ L4NT#<~z`x@r?t$ќ3jE)\lJN  O^z/c/x{ButCBY}5FJ ] &ߨQCAn5,/ְ;2]b =.-ښo!5rKA{nK3˛;snIkD٘y8lx!_zbU,pk 0Pmy X≒'܎Mò(ig^h%D˝~ FWUbs,,` {%mWZY,w@ʲ&s=ZH'`%s'O1")Fih߹jLjpT_I.oM_vcC/,["& nXjS9@(0&|`i ǝZo@-gvD@bǸɃmlǝ_ e9 QWĉ-H*[\T(S bv3Ӵf(*C&@0=II fӬfX(u-59&;78U:I8=Z,Wp ~ՕE"O鱽&B"6'K*15ڊ>ۄe4:)=XPBp3$a|-joHe/3ڊ n|V"9o!,vފ)֔gc']57#s%㗲L(idR,:"Y3EOc"Sϼji_¹I^l~)mNibnI S⡡yoYFᛦQXBLQTڳgw6*bHуQL7drPU!W|ei(w>8K; pdG.Q?-p!A^KF !n\1Ő@3j#LP/9e|G7o\?%V}6ziX޸-kVDj=O]7Ugx)PQS ;uGoiiEg+WM芟4r`Pж oUCfb5_62wSNP82q;NW 0(D/2l[/~t;;]7ǸI4 cXv܉ZEסO$wB}{0sW*qovCq8P`b374w)e'lGgaYf37sĺ֞PCK v;(ZSOƿ̨}`;;vQTo (쐮xl }1 4IR:(5ޮied}Ȓ^b'+q û|CAH^^I,'Re<Ȝ5$@XcuPާT,mG΄;>dɽq%ϟyߕ] bbhsWmJG=^bsQ?VbVvp%?Ovxr. *jAor|kXc>юeWU7&\O  ;?lo˞)64CC#Ay\ K9\>'viAB΋ "AHΛҠ \&S!JAhKIl,;Ff~6?ɳ3L2pCӳ#Jg;&f ~2e'ӈNC撨ly$U?3ŤQaZwȁĄNk8/^K-c됍6ɬz dTf,S)y6+q4g}8ʩ ! @r CV}d^|&2,ÊȚO7}`5Eڿ޸eUK[wXZ! 2:N!VNκ?Sk&υ8sD"w?}9zigC@bR#[aWKjYUT"NblWM 7\ M2vG$>~.l{&%3₽a܂!.\9}5?Q,&y:@J[Ĕ8ӿ&.M!/3Jyk%Y'u!TRф(U4"q<(cZbYzR޶{};͍^P8yrئ]MH N|ڬ:8[ ?YMQ[.+@ ޵ƫ 8]]{\* FBlm0V` 3K=Czn*YQq~jqYB_[6vHhӖGa+fέcagC EL姟Z,٭(%])qe:)=_DSEpC@;!H) 7Doc]$.M0E$B3ӹnܢ/b{fml*pPw< Tq>{}|TDv0N'x|] 'Li5.L6_ QYH3QъY^{y}yj=/3s泎L݁$i堜+$#R*ukfK嵳x9S<,J%Na,Bfy4[6+'+52kbU+  𥂎H>O&a MęJ):bvd.BX/?LVQqNI_0;|GIW7fRϞzudKS8AerN~W?0λr$ }Dx\ي`"lE_F (1u!tF#Za}ΤP*t(=Ǔ,.*y RiG֩*Ãm,[Խ{ B)k8ُq Gq'VԚ,= ă$FU gxRC ,HS5?OBn`]b*#7ǻ'-Zj?YaLp@* 598-A1)յbH `{ I?CvoݿK"=^ NiHs0j}wW3{5ߙ+Pv髹F=sKځ:1.ĕaXb9@u<VH+0WqVYZM'9~|(zػ9FeDϦ13G`6GεbQ$gRIU|?(KIDh$ Ys]}h־mHH\Z6*Z>~*Ō^ϯ`Mgc~P;FyiM\j`GdBc 1% CK\NcLUЌp5#+[0.㨹idB>׽<$_ۘ䬴!<{9&.jDGV}5X>- Ø'wrP.,Fo ۰mCb|4'ІlQī O,:%ݵ?Mvژoۊs@uv0j)f2ZԊd5SFwv9;4Zyw#6+T@D s~[ɻĤ_57Q+sN}Z8YIO?kSd-L?l03$ &3TVϽ<({iaB@zVq`2>i@UO-H%pdG`I*nq>=%bӑ͒V 1-5vKoH` I5Z3pqғ,[/B Y+ '/ټQ^ 1Bu%tDnTm0ezD* :-B(/VT-LPdx)T$ora\࿟){p  źkRR` wS !XȁHkԢ(Lty*@1Lx4 mFҙP0ɞiP5 ]BĈxG= =5N ;wGvbo>0;\#G.4ݏ"*q{P&ּ<\ObU )|7kqO ^d|Qr(;ϖMaE(%V |p.c4#}D@0I8YC) ͣy,;- ΣjPr`4%;S>~ATLX<6 SmG.JxhqSYjrYK ^«UBn?8`4PgN>'7XF&tƥ‰fE7qäiHj@жa6~Bro(<0˺{Y 2& (]kW Rzb! }!$=v3:!|IQ4 跳kcvVTK5oz90l6\ zjy =9By2xBGJFl )[_X#JH ;=?8-.j5]_lx˖畅g([lvL38٧4:CP%h>e?dO;ps3.+6_M D];p{m2,J;O(&FqB&@S+?֭n77ņu:'!ɥ WɁ?zދ/K/NyɊA_쪶s|Ric7q+.>vڡGX(p= -CGTMf@AzuR>p:iM;{[N'dӶtˆ~kTMi b@=uPEZdmmj;4^J^K!CjoL:[KI]@4 g)pEfa!@Q~Ӗ Z֭2 R,䄁gǰ&,i,GQܲ n5ލ_st$~6):J g0<%~2Nm=l*jjX JF%|lgJ+®W`ZLߥ.2C C. vxVaNxܼ`MDLe^b蠃t߽16L`LlzI$i^8MpvgLh)c+>mPTUprX +ԄN p"Ρm_@1)gGɢhjXˣH2.]->@\Ug=t&;1@an a5:`aw1L "Jq5Rlտ;lb=)6D ]^5ɶ%mglOfCZ]Zm͓'%A[yQZQUnmOOku2{dToZ$\ܓbH%]^j.U!Л ȣ > }_碃 Bx!#Z |0DhCvMRD6ʡ8bp u-MSDc+L!缰 ]zeW˵.]݌,\O1Gc+{2|nT%S-Wƒ->1¨˾S/B:En'n)+24(˂B 1cl[8P1[oFY|#^dI]QtcHQ{ƙo }qܝk52B/=?3?n![~"8Y^gƈ|ͳaSnRS9[(1EKUӚ[:V$p$mOC LZKVg7; O?ƄhZYWD\V]ΜW;JbћuqT}T %׉`6ȷ'KA9p _5l\`hhF."Oj>BZ[`rch#2pWDW|>ƞ1"<Ƌk?3(`X&ȫd7U{aGs٠ǜoD (`JRȕv~`zLXЋY_=\(Cv@Ν%Gyo Md:3%e`[5.-=6?5o4@ATiGW]nln_ݫ>9[ޮ_c7z!Ko]M?%3-^s: qVGڋ)XoA +džDv_Ȧ"/A%:2Z,ؐc;l]u"ߵ8q7+u5 b "NE7̪,0 N.6gXތ@C';"ҵ`k [NvaNsB;9CJdaq-fjkNٞw"+}F`;IV- H1 /w$k[C{)(d[2< i u2+?, ZK<Ȧt 4_v@n7bQsH舒, 8ЃS'U²DբFs:T5C4@>D@1}\*}=ѥ 9sii ϡQ*(E},^m f=( =y&Q&_:=BJf:W ϛg߹i1fG  -l ]}މ^0 GՋ4{]Zd8Z_`1גՁ =XbR{X3wM( E2:,dzNDGI6_5 4_DJayyC - Z);\DKkKƸN?QJ~DeoD}?E|fm+E/dw&nP8>! 4DIK.b>&G<&X W@Xq>/sl?+AgC$$UEhݺ8va{&*ka{XUPwųl1nJJQ% m/tc\*<t)9{<;]w5$*!t- wL"դH115\&*KlCBi6ud0]+lUl -=} Vev.^:>ppvwY}%-RIL5yWu_oa;xkWjZy<# l/vkBt"Y|JfwAֵܗrnp~!th/' bgm &jOUUr!ENqDiQD#)<R~]YiNm:Lpg͊#~ UQ,9!ۖ:EQByHSz.U^h@gY@?+]nbĀk>hԊ v9eo\ x\S̫%F+92Gd.;)E7藕g 8ƜD"B䧻,\X4 %/u%Sx]VE/et<HV GtgH9(dY@Oo,}a?BvC|(Q*a'^!KfO5@2qdgɳ0e-[$:,И>P(=u1cs3xkTfhk|(piLPϞ#^8ӦSO}}@e*;ŸO~eH,b4_pd9к}g&N7DnG"lŠ2C?6_=WPDDԇV_Ss#DI*é[=`0{LKZ۳K֟ipW.$o ~ ~6`hAr{/2@/МH-TNħq3%<q!{Am/e;]D:ݡ3i|`H6M0 з,P?e aeF&;JOFaw@zdor?2 T0#&~W=W1j_O0ˆ IX+ .?B&hBFT}a圫X/o~28bLz&otTA, M9ȋ.Q)w|cCQک3f'9ԙ]C]+շүҸ(9[Oe#\[9Ⱦ-B鴅K|'3py)?xyFdc^wC?x)Wb=}E"sQ{VO8Qb:͢[U9\N[_Mp;O')j#T8`n{A9;4dYeMEz,ɹCpG6gwK%bmLWJҀwΎYyR'į[$LTP(8ku%T7 ȉ_ǩ1@gcw\,?c/ YS޸?!XOyf]LI>xeo #w&p ;B`,(X84OQLX|H՘S6mi~PO*66T}Ե[/)裣yaKϰI4/G ՗ [pI~ UbXK誏&qh^U#% JUreڠb4 9.߲`%5"Ngwg7`EEL:. c,*HT ϙs.ZH/h([ Y k}eJ-w)#xqdXN:!JR= Сc5Dd Fd7]sW+ ˼?j&o4.'SiЦw~ ~<i+uR]ȶ=#608._\p^2_YIL9vrJR ғt7CP:GȍFgfJVyN>d*Pb.)X(+s\(³Q&L.7P+qo4^t򳵊0E:Bm:@.Cc~hr ,:&=]2!=-e0i.o_E5(} QJlm?AgV~I_eTh 3f!xFံy*e3cF&xRqG3*ѢQOMQX Tѻ C!txsV⺇ cb=ULj5=byi϶˴c nbt)$y셽! B`{+R^pzED,S@S{nޯ B MW#{ &)=4WU#a^J6k|}!o4Jn;DEkLJ~ٍw)GgYl-5/mWl5DsY>тgɝ;S&(dP SM¸tͼ9CQc=[Nv ?\F.u(O@F,5 HQm w_=wvZ]BL=YI.|wSY+~ /\xݮ 䰄k3pT\խgF(„ ͭMNlQE-rJa |;9V40E fH4kx 4xձ++yߘ.|YD;#bЎ&86437h)"?$]<(x(4J<8 Ujm[8bFu樽'ÁZ1_Wj5-mDٮTF⑲4U%.$Kj1/3o㻧Zo-f?B zݶ9> ĮFmOt6d-6xXfS؄ z-|uZ*Tl9< _/]]qeTk4JH s̸ KήRGhX"e%vLD HUv `z4Cq8F%X~:F`"ן_3Y`Q+,u!S(vA6smnoϼdO9pR4m{Z"BK.0W1KSkfc1:/]) Wj4` 2%)yGRsW H؜ƺDnO!I󓹩Hп.lBu ,motڈk1Z^ܻ3 ,=\ܫͯ;6a,>A(>pq[RHt5743j7K+r&d?rU<1 .MY*'>S͜ ӶFoNַc :&u-eaQɏ|#=(vZ6ZÌlA|jaG 2θN$t?jPImhg'_ d>]W1mF:뜚RЛmCPn]8ܝI ~{4L3Ӌw )O  >isӌc4 iomByv}vhu&y_g,o} Dže7_,Wa)CToS/ 9-s(!a Yw YWЖ$ Ǐ |{Wctǘb)^L:Fa鴷_ qj~͂|uge,?yLawXeotA]81Ju{\Igw6>K{[9nҕ n3+5|՞&\걸_z̆Yp8Sۥwi/SiaؾES=K 00QNEm4:ge[S-Q9Wz7/׺0u_#$qBHQa]%2ie ҧ6frĘR}:/* | v錿 (rZ22 6g5zv&:&Bl6򆡹 k6eY.OAOi>>ІUsW{oqm^wrVע+ ЌKð".3>z'58q7 W֠ׯ\̒HO|M 9lŸ4 >n Eˢ:+vo듫yS befG8])O"b|7 sxgeO_1 L 0/z$ǝLM=:5LHW ,;c52R=20'D%q*P2_L|,!E0J۲廿rca#R Sґ RDۙ-E4A÷<~)F ))ɩ*Đ)_Bdӛ!qMh `9|H-0Pw= 9 K(AJ}Xb@`] HB>1KK갨;yHr|m̤qoO˨2g[YK?b a. uQ|lc@Oނbx$Okw6A-3py.41$=u𹓎zڵë$Jb_E-C2C8sy9ѪRhs(zMѧ bRU{O1)5Ą~\>̅)Ba~\k6U<#݊pm1 6r+mF6ח{ pU, HSZVY?t"H&<̟@~Y68#C3tVÿUҥDrDyGdmRphf6ґ(ֳMmrCp:/Q) (oЁjߠjv/C+倫%G 2kjMɜVA"R02B:P?Rj[ m&zЀsߛm+'_2)6aFj(h3QͅAǻ&N e7nɺ׮͌yԶ xٰc"w=u$X"Sg:}>JEº |.6ڻ6VY7lwuyʍìURuƳi8573<e^ KY3EJgQ?n^X,CSť3J,Nxlci4ڲ_[h UYMd*{܉dU*JT,r͈7'_"ҫ]w\5}n|E}!U7[x8I[_n/ *\-.aUr Lޠ\H/>.Ӳ'H(㼼*qv(rF??;Z?i8^-x#?dgX8MeNtÀI $lK~S$ip\R:#8&uI;Tn0r5#"_b&4Dp==e^oSI62qˑ#*Wڏ_ H UX\w;_]A1mgIl __ܬ~nDN̛_PJHpyK偷X⫯nmG=^؝l[-Z#i<(.²u:%3?5o杧(R g#EOuڊ` EFX93vzs\חZ'Cl-MS%ֽЍo6IP#P,x_Kg:,\|fӚHxLwSIPKAt"Ms'3ӹж`Bϔɫl"b.-~NɃ] 1?fwv*;:>ᜄ1h~ܩb֚mȄgciUUӹ6} 47b, M0,uN9pÌ{d2O @5_Y_6T'Md#4#ū3U k kARO]y8ffZ B&-׽ xtvtvģkXnLtkXs GdDYt[ҫco?p:Xާ]4C͒OO&hc{J-TEĨ$d|)ՔĬ :)BT1($JPF@«;{X9/*`?ΨMw69H+vNƦ$[5?p7;ޜ=|揦l[ZWO\gaϑ*$s'~& ,+X/1 b Fϟ nRSi_M)p9s$0JdNn;zT* RN,i9j5fnH)\`sN"Fpt㿩Q9`ӗjz&Rsx%%HN06)$zK^P^8B+ we^lB#'eU D1BxbsZxvRyE9*vt4Ψg[ hTuɸ_=ܜܶ11J)BN~{0ۖ;N"v 4&uZi KcwQ#\Hw /0]\.d؍ZLڞYkPY4cvyRצѡNgp8I g#Z/\ݿgp< &àm?::]Ī)8u3)ql>ܨ,~{Lj^0U"S[Tj&j3Eͱ3p+iMT;$8`QV|,FA TLD#9NwbŽI!hb2}ꎥ 5}sOA[3iZtA42F N[}kc^TNzPJ)bԫxZTM@,.s-H8w->AH~TZKþ p&2EL<H50e}ݷT 3:G- a5uEsҷn zS 12B]ItK2٥*/HSqqCx/K?^ j>r1ӎZHBѫ&`yneeLI Fgk d: u_K0\̫[Y> 0d~[U8Ǵ@ÁFY>+AیIL0MwSU_L-MJvR w{Z`[ٕSdIӼW QHqhML,f{Ry FJ /@qtHz(##H{{2q6CֿV/91k@.5MRք"`.>KoOr2&?SJu(rc):@W\A[A G/ $&>lvR snlҐ8q8N6{ dhdO ]1y 9}ZX+~LM@)800>WcSd:{JQv;cpL8(Ex3~ ~5:Q 4cBɓ`i Z\e1%i 8{~Hwg9e,̇3@JuI5-x=[/^ -hقH9W_pD?5E3-%mt!2uixdKBcCf7Q L#aJ#ܶyY%I 0xKؠyȰ[u͜Sq2fRnk%^F2z=rhN5:n]@1*'XL ᇜ7\V(l:x hc X&iIk-3ogc}y/B:Ȩ2%R˛!̷=JPCO}~1 颏rfޒ"0֨ ??nqvorSo$v#/c! ^U}TͷBd1d O`}y&$ZE7)WQ#-k0͝!1)0 X$wQДt}0w:HN(ҪCRQBJ6D7:\sq,Ȟ !GpK.8i%<FzDV"{XG#I;}n-󡕦R?'WϢ,Ҭ$ DI].Jlު?yq0e>7g;N7|=( v5l8æP\ bZm25I6Ik%\>O u)&yGqZ(sRtU~U>%^RM`a2a*DH{8+]YA@4 nGJT}x|)tsV( OfX][ 7T=KMCq}G+ϫmx$$"FvK+S,CvzrnQz 46aSIzwTm ˢykmUߗRCrJRStMvCʢ]Aj?1*D_&6=zSNg򎟪pTvYp@W̦IG>ӿuEWJFHq5.%@r^)c*,2B a*`g ]`4&Wb<   g5,}0\➇/Lξ^7,s-HѨd02l>7ZƮu]}q=ħAzP@jX&{H$>-?S.A|[c͛}S MH$-A Juln ~ UTx}!Yj$k%i 2\w";dß @c3a T^_Cᰝa/&'%A[ "@s_=nS&߫e0lfde"I٤[f4}9 cݽ_s?o ~@LI F7?<M <,Aك{ZoLp+z p@ BbJ<-[WO1`/! 5`H-q;F-C|"L('< ~ uѣA)Es\k՚G֬x"4wZ^g%)d/*i@/^ Za:N} ܢ-PhX>6b!,do6)yvЦ+$s8(9Oc,>S J_?|P+Y.D$Nr=ht "<w'|[O4_?UY >d!w\c޺HDIo2tފ+,m3f~%} %tf1og%I~H?_{# 51! &7㻸&hF񀖆S7e&R5T/NW_ 55P&MIZPXxO{2W4U:{ _Yec)c$fKk`~xAҍ޾+& #_'Z6$yH_>Ժ\ja7n9zMS Aȗ[S4\[nu7&a7]S%nW9 NBZ> —{NU):pPW޹=7>v?Zꮒd["rv b$ȡװ.,ao vْW)3!^ЂD gN&}Tsɟj,11AZB_ ?A{i၇IGx:B3L/l$[T~xxď,ud}SY o`Mh˵]p.CDtt}Bd$ސKM*!¬=pfnE4Dou!y-qāYv-Tg4O% .)W&6DU.q~wbM($M:%%t­byd sڼDJ5M3,f}>5[+ bXhē$uQul@b!&κLcW$O$hLRvC[Pl/I&!Aߓx!(rEw 2:[!t|bGID6~dO~Ұ[skJ`Cu/%zv"O/!w|Ǒ7WO49qZÕ:6%KI"Ǐ, C:**4 w"{iJ=#75N=s[7z GCzssee~Q &_@cQ?l:1nqt'MOL+>JÒh-PttPEjuۥ:e!~AyoF\ּd @ Z^;<>NF^Ucj~OrCLϖm\A5dM}iD1LQ Юf9[(ql൯&(yqA41vKN7)*pi=q$k{rM$J};:)IBt+$pYHnR&tґNݣySu&/Njq1{Ηu<AAu}[W&"Ͳ)D$ͥ0Yh^Rj"9mfBuTGr 1J@p$蟖5T蘣r \7׉s'C":spRC<P ]p=k5waj=KdU*%$)P+\Z{ 17d4#I3'h$捤/U`8 mD8XZu  ,]ؾ7[ Ԫ +zX\ku%y꺖\C0-q$P]AqFR!XToʵ ➍E Jn,ELr7(@QO"jx#ھd+?hWy@FO {ey['&Řw?lMR:qZ+GV50hI4iU(VU.6xt5^\CPMߏVjs' $b &X@ga@h2ڴt.~ߣ5b&۾ f¯+g4'9q5}h(L6~}y,56N`_ֺsȗ~nb>jyj sf+">}(*ޫ':0X0dF%%zvxI['[r]Nm2U:}ά(V9L-饵#n-_K$9  _|鲦50⹎cBtDž&:!) k +x楅{Ҿ0Wkj6Ȉ"5k{e\{=pд ;ur k5*g46ֺXVEBb܌ 'TLߓ=TdKaꥥG5>>?/>XTCBS2#>ywh1Í aw+t˴)C>9Y A5CQ҄= [K,TF|.VD #՚&߆2CB'컂SKǯ~xCվN-qhm+)!ٔB{qZ>"~Fcә]:II\n'Rnje;G"# AZA޵XUCeUu\Ҷ5\UؑSh.8S(Z߈ y(F!&&Ie@MzW [ M!uI a, `Va3贄*g9ʂL,"`j?Ssv#xaBW/:?~V@ TsFx[e.]L)[HXѿOÃ/elt8« 6mK6)\Z^GKPAOlۙ#b憐[6#*g_rߐfZ89#M]uIIa<[nRh@-ՙUnG/С;HEiݭaGq CȘ=2\j͆CZ zyh F 8'!D.l))D g,P&L\\EFîN.58])رN0m=pq? ,x@gvDIJ`Ut%Az6RRjC,. QRC>AceF xR=,|!䳃MʱisZ$ĸ ,H@W-qOlmFR%X.5]GVz+p8x*k7.#fVv^ЂmؑA%_~ ^HvgK ֽDao$%vFNQ}eUS|y7;ʖTÎM8Pyň-'w.-D,켈w_Ǥq}_j9g h^498C_!c|BK'("j2O;Lpͪm0[cLm}+4# *I҉dn`ȎB!^GGmLhzm@s,O٦BCպtmP 0[E,= TYÿ|נ]o k@ؼ KGd;~YJ% 9NQ֢쬛N#sxVt❅@-ueٻ Z:69thkw ~F ;;Oy;%XGlqk(FLr{+=`Ʈ$MjClT9Ϳ:eFN7IMѩ$::-1J 1RIx3__qu2)ؓ|aLwaCՏG즷/oDW?w5xaƹ %5r:RPSXFS9S*TRՠqTg&܏ƒ:r fm%:^I>(˨}W*K 爵MAR.V,++>vC=:nF[dR2Spd# $P꟰Yof<=b3t&SƑ$/:\h^<~DxVlB'e}AdSG갡Y>GhQٞ>}.L#U:ɓ~,-~>Odɿ['EѲYh"8h:I1JkZ?oȉq)W UZ5O?Eq(⊰!V-L0\d\!m2(` Ʈ͋<1ƆQL]w;=fU$4W{k@seT'\MMG^Q1E(/K@⣵OPJ>&f>>\^Ѳ$6sT~~14uKǬδ ~draad̦E~Dq!Zԗ=lܤ1oGQknyb ,Qι/`I(H^O=O(c;K#M>DLhs4Om]=LQ{8mͥ0)G%O|.b|5Kh1y%ȫpPe`v')̒. >vS$ĸv={A`]8vq26V0*#Iѕ`nXH E8ۃp\RܒT7bhi籙CZNWۡtReDw!\)%o,GeHzcyt֜ T c3OE>N_!'9̬݅o1>ރ6utJI(e(M,Ư1mP=N3|Vy &^.4וq`2S-=[ɂ0`6Yq>&&aZ[SMhdx0ڈtG6i߮G喔/܌[$@,!$A,o֊[db}q70DmS,7,Hq!8Ў0D[hz@Cʝq ⯘W"0_'w@?@Ru[B诒FU؂45|E6[/0 Sҽ#s{n*_UfKJsYvކP yXH o:m NRe3?*m[0EQzTOKXfVEӏV-Qɏ[/p!VBԆ{ͩtDb&"4cA?bFWKGz Nb%,"(9F}DrD2@ondgiڴRӜa& eW~JqqLr!Nqls;`oFoZH.ͩ7p-s%΀TC#”QH#@B=s1$pBn~}7l:M0'wEl0f-5jѯ8pu&t=N)hsm,Vi}ࣔu1cw>t3Ꭷ: JAr4;yBފȽC?haPL9Aqj{b3Lzظpaj?"q$zaj){Ҥ/D 1BlC5K4{-2NxKQZkA)J3`xdӛgw))^ĹW<B)YM˻sOGJ43pkMCݎVaP-S̈êi_~&Op;#Ktl+`9"VّM? ]r`QH:nCxwD{%feO!K븊;[ ZtA$TJx H0*?m ݥ5HA!}gpxbr!6SQjA7`'';;  "Zu2{ ]6q)3ylu/r圦Al8R&5MJ2\(NoVvV0L|*b5bb +3MƯBfeܒo?Lsr O:#zti!-߸E]Cʚ_6$ؽBjMڞN8ss @w"kCEx7,Kj<窞 ^OGJ9K^:G@p~xp˲c}D ` qKS\+XE09Y(ߧRoB]_r1t9 kw8y;b_$#43]9DKW_7.a$'#q L^-hN^jy ^Sj|>sdZ |܍sɽ+A7a DzMMN:MF;CT_\ ]D-IEy@-m]oӡ82>h 6z0XZuz<]9bB~ɷ-Dw=Gc"ꤖ ؒ>3 ԨC9n8LyP]İ.20ouN$7d7fBV*Y{޹ *5  Vl}&o#vCϬ! ]#.ɥfDfɁxp1d%L[qn:>7EF։/5\8 $Ƣa̗W*y$*ϡ_vDջE"5̸,IfڢF?9uDAo';7>6klNr.j[N 5 FJ`1ܺi8vG[nnl;ၦf>FkAyKD&s:N fA~r d*3ђKF :>=q}uhd[aEF/}N~a*JyⅹR(g4TwXMzL9#8p=q!DHA^wyAq47EGS6`S!eHp 5kw{ :+`@VӀ]u\ Q/5ϔr;N)d9v19^Z B|"ؖ,I>k ( uqDIE AVfJ փCWJE2UUh9S(@t5g;,xs0*l'S0mEʔ4~U6@/u"H{GBb  gV6gEyFύ \}e|OcNYݗBch [Wv/K jxc}ڍVLů'Ջ,)@ߘ?߿k'W7(չC*ں&0݁יfH-DH<2F@zy- 6´gm|[_]lŌn҃Wa9nԢg2)ݓH>55[z<ˊgXXЪ. / q+3wkr2㯟 2o? x[ͷ2$UL&栬 Bny] C=#8Jb);2%x'{'ߖ4f]⯻Ov#~מC. y!b˔d]RM`60OE gx|,e`Ņjh"EW/ߏ?͜e;4t,<l`pP h:ζ#_ jo-⿑cl\e6(ք+hߜ(=xD`QF?z;'4,Tg:jx(}UQɀᛉTO3O7w|!2>$Y ]egDS]z\VP0M-~HAh @ =_P`[R xq/˴8D;Ql;:$PEҷD(rk}2Ll Y$!/FxzN 7x#x\*53<:]0ȑko@YŌgfuG q<YK'v5!AEض瀓s6h2ԇZd|ڦQ) RT[Goy7IL<Ӡ\-yjӌ>ݢ,7a,<;}kvWhOXغ:|Ŀ'1m'W?ѡk.;ru+d 5б,k,6fXu?15쌝5*ݴ 1P ݳHJE~0EUCgP*}bf9fﰼE1O_ނFW,zz%wX ,Qmfx&U#Ge;뾞*q*ST9RQ(sb OWp; ŧA^ `|_#N4@)*Fv˔(?-8K%x2Jy+mcc3/$[s Z@fEh”#]AH{ߩNH>ٻM[}S7]׊'XtJ sL5X˖ {)Q6^0ض '-jT=tzȐL5Km%-xnCkgO<6v7%3<\@wavĘBC(^j7s^r59%Ǩ񼉄y2G"/f p8 nrtzRuiESߟxMܦ$ &[lmI<3et,/ /ӂ gn%[UR$z="hle+FY5G*4:A7L>ȋ O#hM*3Y2n .pE-nՐû*}v Tb\0el*j* \p ډ>|cQַAWF<NL&|NM7 ~[(I皀F4W;+oK,#&m"- )DycҙτQ7ƊuF1з cr?dv{s|V[|R4廗:r4M.!2F8]zC*g3tƢ,;E2 Eɂ=#&,2B(DCA+ &dqAU_|¤LKĴ &¨V_>Dc No&]lMnQgOxU`ⰼq Vo#/m6u7vC3u%OHsSsa)PQ憖yebW]IPIώ `K1P!a`aVUaocMnݓj!0 &򅴋JU+"ۮdm }enE%߼ -+::F̾<3^ֽtH nF6hdHzU -cZQEJ$>P y +MLl $>Q;7Dd x:S{#@05 ñ #Ph6“O~^F$sσL.+FK#bȠc^X\A;W?~9c܈ FW#1KT Li Ӫ1^"6Y0}e,s!K $+<!+;~ZrwkrJhS *11w+8jRfW*^!0 ;rZLYQ }!{N.VTcfHjM+sp-=jP6kp)"f5Ʊ -kh)l~!-A =k:T_IV*;'$K(+G%Xg?\}8v?\.VCv)wt*J,({ma﹣'3(NIL] o t:= \CYB~ j)ň |U\ ے iROl= XW)[<܉6ȟNNAK**aKdi迖ۺaA] }"_+~(#;޽xE xVrlFL8$3Ċo$C]P?&[T0ЗUS]HhPj_mZHeJU=K$'5tG~"F\Ve;vK}7ϐX{ 6pCE TRc.Y~3-pG9S=ir.O1μ,o\ `xix񒪀3z/ %5Fwc?u湡Ռi$ {i|9Oum0İs3`O M85fq=X-+͹%lZ4s9;wW-6욧QؼS)8̿~/#t˹IV(gJ<ǁNAi`:9Z3rU沶$ Dv ";Z ~Iz[Lw?G3j Q.Nm35$_p CY>|+wh^go\ZB;xa#\jOcΏ,4t1tu-*c037(x $ * jpV' CGh>r^ƩZ 0wS8D.ڢBn(d{1D=1oݹGro¶uJ"Tr ;)oꆩBNmz cڬ]JL㵐{bWRR1!V(2'r2c xM$֋!?1Y|< r^o_m2R>^f*6hqI˴#V`΍='1Bc4AN0 fu"O$%C-+JV!GXIVn*!C@)ˎ,e9~2ɁY=IdX:[n]qEJ-!z׹@$*xUʺ]åL1;4E׍`8?{J +@rTn=5Tɭ4 t[:s83 \жMN ]lR|!>ξ\u^%Qcb 0ގ$ 8޺) ە,XՆVvɞ4 _'=%IPM:2L1&N7 fOF19>$TUFihsAN˱@;. flNqCJ(G إq70[+aeXe5G~JDQQUIcu_>{g+(8+([Y:فFX(&lfsÎimI"Z\CϏ9lu9 ;fcЇ>!͜c^NAlDKA[TI_ ZT_˝l΃yr! 0A1UE6f!ye[F"K`ƈpN\H`mΏ!=ƪ !iVP0 Iٖ1nw\M(q V2q߭x]I ڤ,;kau(NK:\.< :V\Ӏ6}xrx|grP5i{HŏpyF9c[b$T]"TCΗ l8!z@pC'k|6on&v3"Ҽ9P UmgSn|ITA>%2n߷/vy"GGd:%n Cᕷjסf]aj9t ӥJBTg .}UF8nO QzwkD5CM\X K|1e}Xy_+m '9q,ؤlCąg3R:W%e>wV7+^ )B |6STl0F!ϻoy^~۟S 2pf Hęf:_D قp/0n |N6%~$Be3d 0=PVA}". ; -PXI~HslQl1b`<4nJ2N᧔3wi>C(fiB7.is+&9I/6olM8i'C1 .|7|턺uQ|{y#x-x\X47= 1^tbq6HF@}̂T]vA;/1Br`%R[Ҥ$okXVpCժ=L:-id8<'E^)ZpBZ\C-F=b#U@#E%':n ,gɏY;mGTôq(*;B;x15O^Xm ۃQ !z\ne?^k/åE4(S-_̅Ȏv Yn8WbHx/550»N2osfWZ|a;2$PcUXm6#I\Ne9v ÝN2G'} B~}*AgU ]Dcgl:?VHD\Vw _?L %?x}3)&]iB泟D^]de¬1ryҿQE%ȏ'hS@SNr;6npn5[GhXbhrЀ1r'Y)nM'a;tǁkikyAqc:D{}ۗAB+ MLvZ0JܧfAAOGJ-~(Q9.-Us%MAhcXԮ;JZ#+)NL Xnw[:{_6Ɉ*#SiRh.&] ryf GrΔT}zQ iR:F}X|$z Gm0)[:޷5r3>ДA2;Ē_A^FR-Nb]e~/"Ri5ҤmVX.%crz&) YhnczI!q!х<@ȍLV€aBděIm$V;wW[>+E  n'E`o2D}^%B_'հX r #]NYm2`},A11թkՋַ^.Qυ44#ދAest AI.0@ZBZl^ hTra$ư[:L؈mnP w.-yFy#wIWjN)]jh󝹺ˣo옳,j᧨Eř0zH^QkN} X1o{fckzYߠP5kʖ!ʅBTRוϥ&AE޿Uo?Hzn ۰ lD1sF?\)5bwNS~@m{XߞyK)Q,hZi0DMڼ:ܿؾO f`!x͇* nd$9:# dJ,,R̜IqB~>/tG=>E[RV(Eqӎม+8[{+KžWsx~ejIHK5s+qbwš؂z%jO{uOR:7R1(/`mߝvi%gP}{\~p?HηbVxnwEysjA_֨ 2y]ܚ2*cI¹o|e'G ;5)M[7t\yCSg׬`@Y{DJN#x]ؒxT ) .F8uQ x! ^4c͟R(@r'mg1s{>k׽B}o;-poDy2TONQ'L)Ul=Qz*s_=Fo\-qH9&# fKζSQ,w;˶JVeO_ Wva+5zែч.Xqf;&a|)g+fbxH-'ݰ?y tgt<.͢SKٲe͓vZpLhf0A@=Dl6.Gtޓ jH/A7Qzxvk7!c Ņ/s.@ey/i`U"Wpp"d 4MK%UCO e@c@``WnKJ/A{! f|pnǮjR?Kg}%K᮹#Χ-o: +V]2ֆ,e͈-xlEꥀm.ؽ,Z:){{c9zOzk(Sg2 .GChJ#$i-SM roP0(MpM |Yq, %~CnΧ~.blX#L;,6޸qy9"-oq'ԙ~<#\+d9:AlZ %eRlpi^%i:8{D_X$y XdQ4ULNXz p4E^VQ@[s b7K8_[*94 Z%s YQ@^Xgz.z Jsj`WEӇ3ӘG,Brٗ3s${aty[Gi`R>~C\Cx"OAf,> A8WSA&tEiM Q,3 kuCsQC72,6s*eUaxOx=}&V|6|^`ۻqa8m5ũO-G&9太PUC N  ۨoH75x.fnGNzzЖ/[Mm^xu,=I'J0__/˒ꈚڈʧpNl9kRDwń09t*Rzi ƛ{eEKf`z:!%Gyi*\R/NbY !$))SMv{o?؂_WgbO37zGn(O/LCmzQQDI!W-r2f7^BC^}>d==T@'09ln_poq@o**\1 VT0\4E{hs@ wf8;[gf=%"o@tRwRՆsf`WC:3ij*g+k1b޸!5tp'@uX4Jz [_ll:MR6< ݘ {&Y<詜D۞, nJۦJ=8T)P~l&sY>544<*,V9iGf"=0Y=FSK+(gA@%Vұ69-|Qn1dH7ڑ-2îvS9]ɩh}kX"fNڟ'U1tr ʨAsy`t|x~À;+!HӓA<9I`d)8b !-W$Ka  |Z {~Ae"=GJ;xDŀ: Q NZ&[kЅ$\,ٕ{T&p ,DP=MU hNt )CfL%\#8,byvD8UlP(0zΨE)m^UAO(2evUT9G%~D?n*ʞ3N?wǷaP4y&Yd6$^.wzڤ-~t[;Dub#0?-jx>dƥi(0vipq u|O $FtaxV&n{k# X<;6nr^B.ӃXt!fsWͳ##vD'N( FaJɳ2w=ah|~%onj8l_9N]^<9"?N[{2u,g;g?vtբ4™K_%,i X3?kDrJ$]6_ @<urlemIo-*׬Y]6,zp@e߶Ι V,[܀ܤ٩r@#אkt(.)jfwsϓ&XW=8@h|_Uϙ, oAT $@Xq黗%@f{&+QT5qbN{. yc0Oj1Zț_}$bo饭jzC@gq19 7^F)Y.e-|@SOOdgL\CؗGg{JMUVx[M,([69Cbuz^/IuiD#Cj_l#E[=fb8kF mJN;E%,vk^{?#rV-ڽ,"zv6*b4HB{ <{D󼏐0YNuNmz?\֦Q`\FwIbACҹfrGjr'Dd[c.270܀bf~{$u k82%TKP5>*l#\o~ I(.eFWL- Y ҁAb+Aj 8\?tqStk=!%Q t&!AYGDav+^W+5}~~q>~ r0,sxڑxK-}7SonqxuQ:7[8=Is۬ݝI0|eP354bmF wN^y"^|he0reAa :O!kHV]A]r*vr!hٍ?*!N$#Xiֺ־rٮk]Úǟ@;9efJm ʵTڭl tPʇ,i3e!R_FJ^MG[بZ]}K\6Vu?ȣ}J-2&iGs9*t.c<+&>DTrphj,gsӵw2E9Z>&FezTQ}k,g!ӛlLNt2TIARJoGzT/-~̽1VG"y)S |2pFfWb8o1u>SNO%Xr-M`#i:Ǵ,]4BSHUBD1}$vd:\*+3i*jn]qF+f沙!C֞slDZH|-07;>`zM4#Vԥ箬nR48Ƈ-\ZiM V AearZt4,'1΋@18 LݧH@wE\Xw&xkdMM&,P8WuL{Eq?¶ogJ܃!/n,.Ds8C <%6( 2=]r.* YM8_ol`BZ? ~ Y1 ;_ʼnQ!T%r&T*s{c˼=N=?Dœ&ЅLuI+aO^#i4 s!؀os8r"?+o艖O nMn1=_'ԇp̵@'*Sr@$m")hlFkx Ň*U]M]`p Zf09fi{ -_G^d@4AaOe~.n\ѱ!˹,}eL(ژBjK\!'}{z#b5+Uj-}*nilZ^) -cx𠅉`:cq nl0Lz !& a5YzmP @0)Q9n_.gzvU@VuDkG7b\*iJs&_1IВ)⡣ttnrV`w <8ôk{ݮ}^֑jVDZHȐ敿/'ewRk8ITWM#,FbZXfFwn-Xj9Il8YU5j ?;OG !],2@`v=IlM:сwX ( Ġ|o8 nEг5v$Цg=*ύ,:{EbI\+%2/b"v\F*<אz3`pMOUFOˡϟ'A`:q}2VJ >D @kٻIĤN֚#l >="+g@ z;?v3[dJT [Ǐvi仨Eo^z* !,8W|KΦ!kVLXK Z"RX7MSZ1 l"X hu޼(Wf7(vmp$\Drjxt~+]Ko71M]?Jpbp&or׹ aoYE1YXA=-l+`7s xV1|I ތTakȜjCUt13r(He`|q*6bh{FmEn,V<ϱz;_1RF␙ |{{ӎ<[j{WƢTcgS9ZWZu qAc(+F{r=b5m Ah\rYrL Lw-C^V%P^*x9f{dU2lӌ:R?~2\\1(\*AX{l ]ݫWn(H&D-D. pyR*;oΤ O5w^f2E;X{EUFj[&7; wp+RrG)f 2¯m=q8g,p©KcTeƟk0)ui< G(zb~&m8%#SR%\tVfs6m@]r05{F %ʙ\Y $˖-r^uײP au+{,_֯?v@"iqU?I9jw_cMSFQKԠ=!~6ozC?.jAIJXI!jQLz[N~S}˗p!(Kb@' U]Hڎ3t@?`-rP^dYe3]gYT7DƦtGyGS<BϚIw1fCbAHO`'hT(hét9E(ԢU)=@ Ɲj2բ ^3"a1WgƃBӲꨩ$!px 3T-S(OIg«bSL6Odi(^k'؉xhwi/G}6:z60>:LX=%9#^xN9hinfN6?! >͜p7vt,3)ܚpCU8F{4I3Ϝ&`~h`SE/}D@1J;xy9MNw(3<ŖǎʱP2/LWx#~ݷqlJ)n똘)@PV>1ݝ1ۗb$s|b]EȠK) @g .:PRf}!HKҟU@g0NJ睔kN{%*k@SӞP<a+H I1_6#KaB;~t^BXrFov EAǁ%)+vs4mWP.q9LDJ0ˠbcޠK̄v'x{X>^!$|6wݩff6셞3K*jR9nnew0zЬ> % :Kb㒤 H.'ӡ|_H/.;+MxA ~n=zeBh֝Z&(iֱ,D}s8̃&6/Pڗj.Eg&^?qζKCFO fV풾?փ~GnPD+x8ٷǯYKOl>phYaH|/YGty6$7sdHOgA=Fxkt&`OeZ?!p#P 7@JH0:I@MLVO9q<3 GDhe:~c'yӪp$K,f,K3@gG_2o +4+d@?t*ļ+ dt]~)zW?cPV{ke hϭ;Y-.JFjFS8(IMUAl `|<P0FtbNv" [ 4`|RevGZ( Y Ν<FQ rbߪ$av=J֌Tr}Ӿ9m^]7J\Sw&F^;eE<9 omX~SQBSfQPvu ?x܅Q 䅺sX2gE%T,opJy尧g3f'^0r7>F'C]vzz"0j#Ye6< 57xhv;_~.j:+UZ{Ǝ<7Eg`oOEx5UGtCg]+bҵ ?Chj)Z?] H]?|`>V|ngm1M/y{զ2IWc5"`0Mp7B$-DŽ ]cy& ɉB>2z--ɪX%qA鮪pV͓a6k|)®.G9Bgu pDM 86! {TEֶ{<\MqD}w(+]pŢ(c~.pc'J0d:>{2C E߇Jf(/?!s(6n@FƺSk1,)ܜ $⨛BCjLa%9"Ş =*z(NfHiN1@pYӻ6TvF%#Sg|K ;3WzMfe{ XZyԢa1?u7⤨QƦ29U H ,Fф 6(VܾL3O}X#bRB7y'&h~y&~fxL7"kYPƺЌzRDY52tlD)qm}VkIYT1Tn#\eB' P6h}*gY]1p͎; -zNr$w} ||XV%m.kY'l]9=7pܡ'i?L2cS ?-*ʚ3y0_ѱX /83D(/PTG;#It]V5EL'BY{E3IvIJ䵵Vrf\ML{_X}>D/w:Vn%E˝Q'~\=N/Q]}sҢj+cq8X*)_%5SIE&Tp\;rUhጏvK«׏e-w$;Cǵv"j"&I9ۢcn'/mq Y ` |Ox{r+~P(A6 ݿ\vGד3l֕J%hɡJ#^(^/bIEvL^O:X 4e>İI+5V ST{ջu[(IlE[wl:$ Cȑ/؏=NSq2ȅ!ciͣķ Lus!d P FMS`d2' ;q@5ڗςR(=jo 1r [ ]1iP_jf;,§Tyzy3W}mc 6OU3FѢ Tt9DRH0kkz{iGvA.9*cCpp>~y<0YT%(G7#0'Dpny䎇8շsVM3dH"bގ 7+U=3֗xM7܎f@Em JPvP#IL}!gFS;". )uiX}u\a2εXäxE&Zm;>)Jh,0L_{î i0["ϛu۵7~e{iC醋`՛&Gӥ_0! (|I-k}eдE#H5EPtyΞ !LkzG4/į2en^4Jʻޘ?̿s!^y8T{h0(v,\j&=xU"ATb93RLyD)~WϝYYΓ PR<[^FA7MEhaDRp“٣վ3Q˛YAd-!ϙK@iRS1.Ls+bCrA^ \*%E4" baOIRyGd2ڲ-X%p 8),dDa?S'Pq"(  l=Ϋ+𽋴LKG·[A]Ϣ&gUe9@V7U@LTxOL XFac44džv&ύ.8d4La(BRBykܒgx]I(;9n; #M"WfY4sn#L6 >n H= W=(fEUIZ6Dg p3OyY8荃0v:ִI$Yq'܊;!lEpeNOWpCa2ԉsG[D,JuINKyMsE5 LW'26].{$ dԜ;"Cn amtk0Ug`3^\cNGrE.˽}YSZz3S3aնw1z⎯Zρnd3 "L ـj[dd DMT*P06IXA05'䝚!!+gm_9KVNCM6oXFOY ;nsb+ĴT#WC-ywIEaĘSs$on;h v9"-VA5q1'iЍ22wRL)^ڹgYhMXHbqjŠT#C4kQNg;K`e{xLabv`s?LStqr,3pJqFh>x唍uedcWSj-VUFc޹٬U?%eYz |>uJckUm[!7N9_7j QeQTJי!`cBԢv*,YD%JU\"O+s.\eHZ󨹹ardRQêX酳pTclTI=S󎻞VI͢Xu1I;+ 赱p_ErEGYSe*G ]5 x'w+Rx8  g/F~UX|,kUnc3QDe`mI,iYYŶ*Mv$JKQc\hױJB3Q]"f$8=4BT$%cƹ=zb+xOv4e@1y kՇ]Lm ]t[ڱwEfMQ7.hO$֣8JD|&rII-fu1U ;'P*';qaj4yNQ4sNvTkZfۜbK,=4gCHQ6ipjy|MY~w$jz\#\ 9/bR&_ig7fxX$ȩ5CW*@gҚǔ@Z8 Xޯ%8WxI{RՓHo1=)G!=oДѼqʱ@ho3rO8b=Nٹ\b׋5eĚģZl-]kiWy@W8\|: = ,z1l/.i'a4֯SrPU=969O8`Ts8*vBL@Xx]$I h>یhe, y8tɎҲjx[Q1 vjGF,d,zh:hlbmT25lB>'jh["sGbSn m-k7d*8PJTP#G;k^UuxR +KKY~cs)W!-d02tMF{jUCsxEyLV{y퓷\R~=\DT>Y=JoJ;2ha3fM[*z",b&1gPl1[PW%9XjΦK|5!NW/UA^BA#ڪ7yŦZ]`MҕVkҴ4&g 4Re*QDZ FF݋|W& }x~t]|cW &?]B }^"AA-aUin% !c:)yJQ+p\Owqc*z3G. 35$+?͟BH6:I f _z5ŕ8AD1xUi6 )+x@q:x}t{;`\1AHgzc9 ?F,bm Q*ɰDb yYzT4yQ+9N?L;h7{B3Pt wcT9X nqÞgօkJqEΩ%TKuMۜ@>xD50,pmu&z\qgSȏeIsCVک U*f(~ؘ`0C?ev=ChσeL\5W/l38.W;Ղ\ln'S)x]T (΄x#Tj$D򺡻ptHCŝ3n񓈚 .8̤Z#.2^Qu#%GGj0p~GnH1OYLf3,5Hn^& 5!mό0'-fp@kj#$%fIE" 5ZٲJi zjQm쉵XUz@zyѝ|~,60a?zvVW>/bb>V(q# }NM 0(X?uz .>EHI^ T q]S!S,Ԧ2bEN[;npQ4*j"+ϟ'q2/ Y8$bP(]#3@ceO*uC BAJz~?sJ}i '<5ڛw9\ĭa0 чP5ګ }(]H)'7QXOo=FM( 1V|܊kf'ys}zŵ<܉Ld,jA+)P7b*HCq~|rbY[&T:- ۹GdTI6^pH(]E OsrU9†}"r,xXHEh$(UvBlg>21!A [נvՈ&GAp|QB8“9J7qȾ%H<އB94eY1 ,ErW:]s3u=jֱy8G|2x g'|[kRJOCWA^eOc% =_%L0>qWlV̍(>%Z^d^k6Z/%;.R (EnF@JA@t@PDs9_u|x.8eH}l;Q-U4kj )Zٜ9bv.xJMFH'Vnc^xDKdkuYlcQA!|78E & OqjDE:wGZ$B{\.Q_>ohκna1d&$tD' \Ec"1Pj hjС N%i8'w$/tY$q#X9{`^ 6)#ejUNH CQVpf9<7~َ#ל>| 6O5e\o0-{lH7F6soPH@r35Zp9ߝkn_6*l=EZC_+Z#} =LIΜFVr+"O\AG0pRYAPig{H.:8Z0HHʔAOse3ʣؒE4sV"y^Wx:%%uV:I|oz8I~%,|$?W'My9Y"vħ64[HK3H# )0? }]?(!1/u}5]QRNG* 5_'d᲎RN%}TSÁfCGKGۚ=j }ZW;u$+܊,S{62 =< hzoVN?UC{p~leQ ڼ' l{([!w::M/ O\eѺ)J<_jj fqJ}OcrTIyD0sáXbeaymrМao7euA-"{rXM٣덃^@]nNH+"?v9ݷftG v=u!vk]kɕ_$B ’g"ӊ&џ+4ŰBrO&JAv|9 QaM) v~O5ʲ.d|-MYMWd:O|gCGJo97,tN)Q GAGNK`DO#Fݰfq{+XF#~h#nVUPߤDhYwsKaI𕸌囔5Np&z_7/Ǖ&OGO^bzΝ2zԍ%Oޖ}e*ϳ$:ޤ1{K(&:rv6}!̋c|myyh"OX?.Χ<`} Ez^]|薐@;seҖxQu+.[s-e>)(b 7 ']Wr̻CYy4maen~2VVOP%Lh0Kp|E$u;L`@lnNG8}jMO,jsZ 4pGw:R{/g.rhq_؜oe4Mx*m@4t\K@? Jk*5(bO!kebK'p {`4lK҂3J' t=a<t+kvd 0iWM!Uu%k0iJ2JhPQHԏ MZZ+@D;(L:hjyhNY*y3RѩCEC;C؞~\@յ1@fkk֛pȠ&$AbA[qr!TDsF*.73飔GHz[š~bP3H>' q_,O^G.3 Lt4j]%q r/0uyDùQUiMH'lL\ 1;@^_914'[ܟ$NZz賸`w*<"oH/xC{zpVfH3Aln 87|*vFLUkiC8V;^w.V@P޼ZhOAY]Ɠ }o!L95WfWiki?uԍ*"a$kUq)FBO{0Nh,ʖʯs7kG~fGwIn4I[="~)tl!-)I,ci{~MiP4֓" Nbs*XⰙ&.rTFէq UٺY98EE M;5tK1nЈ~.udEQ1b8ueII\ ~vFt nWL'ڵ秭6g2L٪:/ET.EVj]e'Zo2T/tZNJ2+372VnBaM@]+PR 7I!_!W@]c@P64E7u(r<$!Ri5SlJ)|~!J<6̎hPԙ 5YP%T l|=166g)ђ='k VGd8syQ&"Z!ѿ߄~hȞK<{˹  SYG!;<햦;f2ʗt' ؞*DRR俈ힷڈʷLS*9|(qG^A!]b Vm޷?li=фXfK0E_4#zOز)_^?H?2BJGC5^:^J u|=MqĚ[?hŶo'UZm4#y@c;`gKT>m]:_$Ɵ[V+_Tl)' QK4?D zjh\0åF<, dhonMă`ݦg_Զ=Q 5>sm+8 i\85*-H,Wb@ņ[@ ܏'4!(_n! ,aߞ~ҕ o2 )V^7&2U' wBGi_lDB{Upg]G򰱫u3θu#2S 5yLf߭%ϪxpZ4XcTp~' Lݞ3 m֠FoG7ˋ^ݤ-M=&*&#'BQe6sa- wMWCpB*kr= ^np}.$p`Vq3?'rHC9=9%&4:Ӿy152n5E%f5]"S73xQjUxQ슡v9rE.:fٍ]~pbH[Zl?Usrf^)}iC"5&)OGk}ik8@ tIyc x-i өC^,Hm7CU;έ5sgL4}yCɦ4ZW1d![޿?bW^ +y s4ttޤɊtDt9̃hϴf}.Iiv3C>07E`{KCRzbE4K/@,a ';=%xIBp/vDnP*{#\+&&AWi5m {`I(;,vTŔQ@޺[39߿jMxm-<"$.߯v}0- /.- 6-xꅮ&Y_):3J>D`ѫO 3yz{3+ &>cA"f⺄/9V!k*xe[8'xQ oȿԮ tk=mq98$ +pg<,Q &A*R6? #m; <0ӽ ` eM ak$ }ү,O*BU=y7JCůeecݗYf %jˆj7}Jh9 Lr?8 92.dWٮ'h2Z'HiiRKSU^V"Wrpq4ypcBcj@,R4%3b|ֵs; #}+}dGCmMړ\LXlu\%imRVyC`3antnS}!2bI;1_ꨧP3ybXB/$?D€rK`f+*(袍b#m" r-jxJUUnn-e_\ r.ܴBBـ\}g[š dNMUW M&*R̉Y1]eE(; |4Ji%?!I>&U3Sy֕ыmBMn Uf"QvgE=9,B?K.*4~]N,PsIU,zwꒅ}u@̉?umɭ d#@cfm'4Yq^,M KvJ>X^EqhiGU]?69)1CHhX9;x qaA ^T9oa0F"#b#ouśVT'7uU/6cwTf@k<\ʹܰGS8+*O8 :h{#giO72t{BϫI# 1Y {q8*VtIULcK+/:)ҕp翐\ơHA!tAP¥r ,n޲9F0=>,ڦ8N)@PbuD-nS<C.Vwpѯ jY2WrI)O8$jCd~*܈BǗ YB?ɇ![,$T43YM|Dn`CORRm= :myIrf~GB,+xoݩuQco]J,,b̺t>|x"ہڬe+OqPrdf@R%꫉ ZG%J* 7^Snҟlګʳ2- 3guI%f-3 eѵ^'04]kr9+/ ޺(4 beSϼ ײrێ6*r hC ahMs~Z` @Ơd݃&ЋE0ba%TG D<2ϝqzVGRhz66 6 ܗ-Ml:-yƦ"jT 8o"ox鸏Z:x|/D`U* c@WԹ&JN/:/8ͳfɑ ^Mm 'EaRK>Xh};Ayuo{4j]m=2h<.fBٮ0eșRq oJWgTl={kL!mȵ\曐Ȋ2qSbBwzd1H}=zx* {B_esDWlYƇnbk˩n5ípq¦ yTy-j_sSlKKWh8;9UUz-rw(~,A%" InȸO|LAS-YȕK2 a-;cw~#}=:F̘5o&}A؂ Wz:p6׆A0G}7垔**}S܍h,'wIn~{yNl2t iw e uv8-ލJfd>>;|ހNbSNB.}==f؞+f 'ppndʞbDR>h*~ri}RUM泌{it}}eC1C.Bȁ3-,ɺtk) AzX1s5L)Ru{+Zs^^au΀`i,l^ij ICRd\HZWNq]?0Kxa^n Gc۪!}Lr(R9LY?V>\[K]L e3"ilWd_~$(w$Lr'a1A)4]wC< Qp>Ey2:fm5,t2T9mFoW)rǁ%.ŨAvKaf}QՆTFj33~ߪsnf21ZBoe,zePa(zWNQV&@1n"f9[ʼnw]EoŏQqq~΢<\_ឍn5*@k=5EUfthpQHxze N2Q +?U9,C ]uHvnrרDS/ڠ‡!{@ag γ mA! 3ՏY v3XmWeϦAϋlO\+Lc$=hP(=˟#++ilpj$feV!zBC*'&FKGA}M%%p%GR_B@#{21Q ' sԆ^_#a)d"0 ݼ`f6z "#¯SIٹ[$pXE@-cbO5ѮSh˂ZjpJo^k^w/mm P,cr2S#r Vvm'*a5kTfmu^z cRмx9/'a9.8qizq^Ul.F焳k wf"  <3O( !'{9"IA}AIؿHƘ_楩>9z莘GLV7dyp.OLwHIV:6emT npD8SPMtuq}YgZG0v9^  "c[A6v e^eH<(P0%ZBL@IUU~9ԕ$\~ T`c:]LW%Lqfz>OJ*++!ea>79)# .po|p$2H#%1/--$>ZX) $[blJh a< ,j5+!VdW[-aF3 PطNvlJtT9"µ i>Y%ej4q!{9>Tz54ZO*ٓ4c}?Vsap[m >ӲKUE9֊L91 5hƴM`IM2}Ş.7˽x~sJ0rT Xnnf+dݶzɕzT#?V sesQc,&-G>W3H*p&xÞ04d Y> hd0[` &HQFo~r~)kB!48fnTr̝W5μC/٩AcLf*q:z5-X Wr,w&Z>d&}^xGmQ+A4;.m*1˅UWs2g:Z0^M > ˁ/< 3!-5&5!ՀN4*D(*x8츩@˕r#di)w_SC1_aЖ 8ВZ@VYb5  2fG dѠ̷֣-0Ip{9CR>ͨdbfxZG-,|BF]Wl?~ؤΥ_ԚpyCʂ_,o]\j8YU;Ü{U@gi#ʧt׋ܛhmW{ V^~K:q}ދE(fx\u>Z=J,L}O)Mz)ُ祗nd.&X 4*JVѽ ݒc3 ͭjȩQP|BG1^*$ i, 9,)tju+yi5'48 ڭ nǒ_CK'HDp#ێ occBTkl0ɤg4]dqP򟟨жsэl؜Z5ÌnN^MXTx[J/e46z ՠґ1{R/5.r'.8EXu-G|[]/|9ݔlHwn $2PUخ;m.5d =˧MT 3 fJt`Jb5^+L dYYvks$dBH֨˭*wb(s.ɦ.6 6ũp-'-aF9%o Ē:pڭ`a JD"1;Qu* Nw`9ahZV8,aJl"Uk ,7g3>F4\?854R2']"~(K!<>μ@Yj_ 6GԎi~#<ڣn.ʱ E~UւԄYӮ?IV>NO-y{_p״K.WP9)e kwdA \)H)yd+vј+.l OSgecri,3W t}f|芎+_=i#=#C`MT!W=+NSUq3?K8ōǍeWcZqS'l^~ݧT֚]{G fBjtn}xnX-kUڛ:xI|b^; :~癌/KT(߯܉(t)T?LG]z sMB:ؐ$k!@LibI3 `{5JewjLnnb puu^A#x.Y?(TI0꿈]0v^in+|Ѷd)fX[0NLrGy8 o2\Pb WlY47LSj=hujγ qeQr;MawZ*W  HX,٨/{<[lu|jo!?G0pLx.U2GzFf^I({5x6" z`뺙YڼH]Vq]+]{T1*f@Iufu5`ʖF{*N\c wkˆo;)'խjIRQ6 } |P3R7 Ɗt7#e¥0(d#=xpX|3 ┄*=K5?:]mb2n|kd"ub)M23.ѪAFsA_8+;~Yky2x3{{%6O|b)OUprbgh&U@4Xj#T<1ebtZVE1zX@s~#6)6(ITEɁd]=M״gqŦLHifWrUlSirG¿䫅AiTy7,lI+#A߶CArP1tl\:=`%g,W##3GP L<èO\1!{sP6۳eM\ 䞻ՉdL'fT 0Qtд <۲|70Ȼ:'_]Gwcׁb4Zld*WZkVxQgPFyGہPХUX6nn'Hi Z٩ڛ:maDa4@W,iGz ]$ p};eYP9[&,SUu:zՁq{JP+lrf.ɵ|hGOnB4l(0GQX, Gm@M ִb_%FwX S^HᾃI|4F@b.V$ʉպVX@:kQ6fD(ցsIo zEc) I'b; V5##rLQܭA"4%;B<|w4Dn66qNHsS _S0ӪbQ0 B>%i2G}$au4hwMLB}!B]/ Dʏ d#/q=(%hmA`Md7Rc55?P^HG_j}&]^}rդZiϳ`A!>$H;{={rf4Nt-%C@tFQbݛ§w!ݚOs< gVCFJ#wȽ{$œ|4T B}}nK U,5lF̄1S4DU}^=2cfh^"5xALז18p&jR8xHoAɕNvӺ12 %+i %OV$ʪ%F  pd􏙟1+Q-CU iz69bې^ FsG)f7\@*/=ʱtPTxa!  (sh[2a;_Bā0!t.xbv$<N¸&f lcH>7zdZ9=ز0lEsɂTMfV QGbh@bEsW?1#9Ĩ6brjwVl%% uiebZ:S»=QNY̆>yԻ6;d^ݿcH\`9ōI v/%շzq2na[HEЀ<%/}kX]2kk r;. Lǣ}P,q )m)Lqf gz Ig־mau?q>^s[X6Nj[Npblk^W6bpё ^6Bn8Ǵے!~}U~OkSz'@2qc9)E_jif]?} EfizN3#U_kf5{#HZϘalxa7(alHs anp|7F yQS$D HX,@ ~EB6u!|ݗ)b3 #<4#X1(͚7HVjFP+ "Ǽ&qƌ~UE^;6FһBu ߡGSэDl9#Af;xpf(N4,SΦAl=g~3&^SȇMyQn@A: M" \݋Bat5 1WDŽֈe@kI'Yr z(&YyƓq2{/ӄԢTog:x4*vf Kz[0Q7OD"SQo UN[ W~¾'^~Q|@p`:" `Xs/IEh-J@0?cm_" h#wsShGOI\v8x=N?b̧]Bskk8=~%0K'"9H vd^Ə`;zKZ 9C"e3Wtw?FfAڡVl{"7wp}@3["T2%Ûη 99L7nį'>YxfN\wƚz| "/Cq5~W>RF?ƒºfFOB䗞;t abIr|m #oW/fIy,GB ?KdS|SI<*TuzohYkBp-{!Eȝ1O9U k\FJ;MnORaZ EL&ʜ[Ja_*jiﱤ4IAW+*E SA-@/sZXj4v:s_q_/(4{1Bfp"/IjhgPj\xf} oLU!=M(mk]&3|$hC铋F%H$$_h0b*R٬y@;J@ %/q]S~n?YSgyG xrOj-eY c["Ny Vt CyZ~r C  b(DCr9 Q VOQ[0gcA=.fiLHhhle׾:Dھ224F⛛{3zDLW-ͲLϨ17XRpT8!<6E*OV,Q#;pNԴtT5{Μa|, 34)KU= 5$ޑa:2kZL#V%zE5! {Y]oE.yW@'@aK?k.&}%}._z9;B[1%p.&mM0.t!5vx>14PQFV}cͽ `ҨUSAN$A!Pw2 .ܭ"U![hAZz/.lfAi柞5@˘%14oSbAbozFu5"VENy0GtSeuQf /D%x+#JF̀k\џ:|8v.Z?Ђ2,InN+ꓶ[)m)p˦?pXO&r9@1tbH }>Ua"L}pYg?ԇؘ?Om hh:h3rݥ.M{BE"gGp(B0` 㯒>=% ieeB+'  y/%*v{*5a~%zy`<41˻&eU?J4[#7?љC3,C)#m!,0̙RʞR[ʭ+!b)*89ȵ5;[_`*XdH7se?-[U `NݨE1=)t2{U4,68!vaI&3Eqt2!X^t59a喚Fh/l<ԩF[*Wo[ +$j!yֻsFd} &[QHއ4Lⱞ*G{w L^ɳÐ|*C{Cbmmb'RQ^8+lr3otwo;Ģ8Ԑ$Aѣ K"Use"3;7.+yjf՝%1fӺWKQ^INǎ&{^[fTVoj+⦢,LGユFtI7AZշ8`֌׬pu}3WxI-v|Lo]*.gC]e㽥V: @3 /*wH+n9N:Kj%j:я?H2ɮeQ1eUzOvPXer] 7(yDv/0{/? Ш! $ ;3C^3<6@*~r]=?sct·9vx&ܠ=:AS{$sdNhs62sm8@ <[=!X∦ Ny!(6E]x$Z N%?yU4aY^^~TfU,<[%4l_aǵYkvq?fwr1p+p3dL}TDwm>mwOtfɅMuQ㱥} zܩ9g~=x|;8m9ʴӔ _[>ndm; P^#`˦5V@*71L߂;9siad7lr^y\;M~)cE};@ pc6싖t<#B7n{ NWW Dv]!X0|ۆ$Ђy xWW@UYrTGVM/ÿLRόH])DGoH"ƃ I-̻2;Xm=' aK`z@9$8vaDwq9`X@eµKLlfF(_kM`_XG{"F&c\ \,pe<*EypA}jZoCYr#~r<.^)by+FX^7ӏH~{_=NTݘ(k;(K.Ip Bz]#Ι5mF7]xVwW#tw\,Wϫ;Ah:q%\]xg~usw C7K[*qՒ : i8 *3|ADFYmZI{Iig@uRZP 2I\)۹(kʩ"Rqup. bljj!LfcHUpdCkK ڬ1,ϵaoEL`.i)v^h9T1l_bĵd ߱\}TXˀm@;.qqK@\; ׂ1k}䷧ zXe˩; T Zo]ꮳ̗7FB/JBpYWKǬ>׵aNYCq@dM56Ek=jr씒09vȫb]+`ftkd?/e_YY?JdSTvFt|XV J|Ow'ܓ[wmK%kбU'_Y%ם _:iq:Y}ǓgS+'*͐15 PL|cnQx/ ML[ @9bL;k"`"ύ8OUC`HGQ-ucZ_[!o5N F5doxI<&wn +skr5.lSM27$(I {3SW }DbV5\-NA,p _uUoa@bC| \1kɈle:?[g]Ѕ {I 6lOFwXEnݵcU1D3XԷW M=/GE f$-;J07T߫y l.#ߣ>oxrg!yBF=q|`]{<̑ܮ@\B^H&H w'P#Ā1]1tD?Vr]kè1.:T ?@/[!ښMHKe&kCpY]XPD_;{*BH&M q) ϼF̑˦E$㡊7@&"4k{V7?gH,ePZ bvTB| 9r| bdH.2 Q2xY.FM)rAή?Ĥx1) ԋ}加a?-~|(fSI3(> a<5?;"BFB"7 a9tK-ꠘdhDniui5J;M7fA4O-c֤nCkj^|5#f^?br`)Lѭ"pOG$Dm4=P7X>gC+@vfL`=cAԖefpFMv`elL߰sJq6-PBMgUzɘ{] *e,LJq">nT%70F/ GaX9C tO58I෎x~9Z:~H"Fi øRY晋Kq~tf/AH LCȌ"1:80*JʒG^-X\\+=Ijث>oci[!3CL>6A&!kO:* **.ĐҮS,17o"b=ZĶb""P/IsD\F #yUq >u~dҚ)Ih=I0϶@6{YS);%Hv%zV;l;ǐƱ<9X :$P7f˱`~WUVd)8⇰!A< xhUʚڌ,Sgw! ݯ|2T8kLzU}r)xUP IP`EXB2|auڸMП'HWq$o)39bI;=kH|.7N9zfk@lJf)s?nҿ*o;ڢ˪gZTdޥ`iV>!Uf3.b =e^Mp'nAkDoq^\["L5m\Qԃ\ͮRoeơ6!(ޫ Dm2ZF‘iِZ͌\y̍iDلS9b޷c}ާMw4V `8tǠCKH):&v3uUDꧬnɃ""kY;û~ff> F/)?E%JG6Hn88醸 cmN||jw^KjSa^5ɽ.)i;pCt0|bRķ;b!_6\=V|䑣d5x!3Aǽ>Bp=vSv{NC̣cyr µJ Hu='nV6KN_|ֵ(n91cnj߯+>PqS:!= bn˄4=KXvRYIZoN,ޒmz6\?u[ԛqۭE֟v3O e 2QA~e#ÜcC ;`WњD 6 )2#dL?F@}fhqUȦn~pIZcA }`n{gF n<9NhްJO3/4HȇN};ٝYoEOAufJH1"fݑ/DڙH;x 5?NԞ}jؠ0fg~B>7UrR4jp,. O wʖWgjraop団&|W]#8}4}nn)?:B֌WǼ˔cgنPP-^΢ !`)D6זa31k%)O2Ӏht?ﵵn~ٜYAJpu B4-dbuTw&t'xWЪ#!&Ӂ\G6 C0Z32Rh|#mÀpeYJ2jL$C*\DZTK0ŻK<=&S1SvuH+vVeagwUKDasI* pYһ8^+~- FȖ6g5˔|L$}1!zdXà5T|7-!iN݀OQ˝ *Z˽'\iݢ;.DQvP"pt2%|O`,w u ?cX2u}sׂ_zK_zjy bOU'T~bSC#$@JAepK= Zvz>ùw emln,umm9r"1g}~ k E7V <ó.vj޳9OTS\Tnmf%>{UZtՇ=Fc7BziefX++))yXLz·IrE;nuӉ\0P% ˺uF|fewf|![62)MˡsY@ꓝ%>GNa3Iyt2_ 2&;:I/pN # Zye[[Y̤;bAv$Xd\9Py E@Orr% ج/ ZAU?+D3PW6iu X:AwYVf5{UcPgw%|"sIL4j}섟GZэ(5 ]lvǂ<̢\> hnn[%?Nby>/Yk#3wdSoWh{kBT ɔuIf֋q}c7r ]mq85k(Z8*K 0KM!Ͻ$QCd484l侢$I+>GwcUwn!ÜEچbD,Z:H[C]Auj3SKnI(QCq|R[c~c5WLT 5ڲl s:y3~Shl`=ab:葬[(R|Rܱz%Bi&tpodz_Z؂'h%*ᷴ|ʧf=Mnݬ-Qː >oFh8PA㘐%C+oO0Ueűǔ웜7&q-w d9v c#o[L;P&3Qٚk1 8V<1(<GãyԉpG 9R̠1JWH>'E.{\#;U"ѳd0Đ V3!ob\ViSAӻH(rȶ> C7?F3"_&H o&cUh2u!6 gsdg eqG $ ǻKb\쫺L";%2mebb6{68z?'?\R :`" +ء>Y9BuhYQ.nZ/ aGA1g?Ǘ>x2B o}-s ҫNL;g'@䛸劃Bo`lvGK{Bڬ}ֱ.J?9pXJۘz$Npq #[Jqƥ\EU,z0#< rh+5~/o=ۯEwYsNXs{SYHî= :[y(XBeDʏz-4HUf$!@mw,]_(*?Gvgq͢N'w6ŋxϝ;/&T<Ӗ-^@=5S~->*O<(-gCcV1BGRQ.L.B-oe:q).49jw $BEP >P\~bI8BoxpﱙjyjWm]LZЊHNEL(e d>UjA.X"Z );w ~ՏM};WZi&_HnfSN9`Y+n+=luNv^{m.q5:˫CZϲkcr(Mʋ33{ګ9!7D]ď*Np۩䡐ba}>s#RUv?Y ֤d8H6|+ ߧ@HsݕF^hE%++.s|5@ERKˏ:gIg =R%*2>{d0ͷh aWU{+h<;'?)1{ 4'˸zѐ:wRNS&Kh1^HԐA1T:4"W>W}#h[A0 %Nf!Wz .6.󩿖 Eja9k96~+pUB;D2n_*ݜ QiѪ2Uxv^L64y)`И~ /{dL+XA3;)m7ȼI\ ׽Yբt6հG.kEMVYaoPm.P >JӺC z)뼰H2EZ"xv1%1f'44#?)J40:6x}XڀpˣHIKA"`NPPq7y|+e6yf&q48BcWx #Aߊ~~ypvT{=Q!fCR˂_Jʇ*VO 8Q]Yh8ELSTVJ N u/D)Gc^)h6KZ~5V_sVS$=JA-;sw9 RR$ڰ́ѪnWog[Smh7ʅM}\Svd^wۤPGa8NK-p ':b>1`^P_۴/ D$ʙ -9Ɣtdmww'i[2ҳcPmULۭ:G("3lFBi{2]+m*]fw[UAs5>gJ=舮w R["1,{{+0dE˳]i0n8hTR_V![$I')Umo+EoN<}@?u˭o_snOcs,nR\G I[7D p:ڐ]ePtqHM~npC-bM.1A\Y z 27#NIZzOF7޽^WKw>xA%j@pL >k%wgFBqdq} =1z%kJY̡JdFZ;sO|xDSQp 2BޱyAyQHOqxFxDUll*'x୎2FJa9U*^8L uj8k?[9x(9p *k^.e#." +wsWID=K; 3O"Kmajӻ-uceBgYY"PCǮHScg#Q(w=Cb&`4>F|RǍ}&3ƖO[K.lߜ4SY{IX!"&1}ήĢLAYl28]L$ wpeY5_&C6k64mWGhx7b\T4HVĶf' -z25:e5+9=ygGaFѽ=~" yuf؍:s x 3K)?I2+(- (cW1;r%垉&OBg:b 0J饬o1;x!$Uuϙx\xQqSk]I#U`mm 'Y3y`+`B|1-}+L0a.$?xذ6~,zsh;O@ťDf#$5ꪭ܃8+'h*_~PdFm VʒQ""jPUov{Lձ^ȧ[_aJaiW_ɽKa`֋ԮoD؜x-O{7æc,.hJfIx-{ׇB!4>a3=qmY(&-l6ȴPD*:5`L3Է-KEj~Nc6*x*7ێ:zjNSKPtA6[o{GZ G $ZQۊ9KFLWHHjdbru}~/&xڠYRS23'$};F~/~=!u2Gjw3ZK)E)lxլj  ;cj%ϖk"9rXFD)HYA5`0/:~|YDü {rE';V^Rxyu{^CR(oQ_Cam'st\}: pg8TBt;kw-pGoÍFDt5d/fCqlIǒ=,A>BQ /VzaǺ/NӑM.O6D&g*eO Sge <sQnmd.ZRBG ɂ@Bg[ȢG$E#fH,p${M!ؒ٧IV1QvAu50_SdЂFGyDV?116q *|.t*چPcRUmE´VW9$vz('s/!(s8:UΗDЩhh>,.Gb ۗM@%𯁮U ٦L|)d7*:ك3S(-o@KPgxوeS-}g7[YNH5lwuT ޥ. FkG|ڴdȩFY/'pCQ|Osdd4W;V6='M xzw:-)+G[aRc^LzXf2Y*X<"EXsa<5𴕴mY:ө>u9FG]O /f2A#hn'K]E$2Q$G)P~SRo( 5 \ㆬ>xb7#A]8Օ } v&[sҼuTn{ʎW1jH Qms8mtiFkg%t*T $9=VY~͗/qǻ"6xʽ-`y`Mx+%nD&icLUXedQ^K&-$ |Uf:E~;d bZ'N9y[0 u߾@6_Ό -s/?ٜv]5j*: '-׊Ig% '9 +cֆW۞2Jq|~M4Rl gVa>أNx=8B 7 'Qe8R%RP8a~8d%Arj=`,+82K6aqoB,XaW9V=pNn @ji\Xa_K;M `PuPXMQ0\s+2st8F"$!J8C׫0a?C3:^XAexsw"͇6z_Lz4obu\CU>4c@֔yT?s0 UEc<32^=|u:l)LSf۞8aWpTA҆Lqzk _5r̴zg#G\ >UW'L@m /Ux"F~b ,WW9(&=16=I=Ca4xP-@<{dHja+ϰa'ݨnչxThO~o?cFb[7ݔABg24o4 &W.%{O:↑(Wrttuۚǁ[{ZT2&\R.}_?B/6*HA`8 D1]釜œdcfX+&*(_@?.{EJC[-:wlߎ  ^3#B I[UU=S}8(fTXľ*j9җ'.#S mx-j熱s尅UngF2h@~ׄ9.o:*! 78-B+ݸGҡ`& 2K v yqVEDlֶ-i_orV'>.Y##HI|Ib/wYFk><nmܾ±|iq#S`w ˜j3_wh'tpfFk$DvJ5٠ U{`in/tTAQ 9C8K^ w< 3ճ% ٍsZUG+&-A驫Hs&xn:YbZmJ*HoCyL-]K.+*iR alfik[]P >؟<Mչ1X-3Оie6*͎Y/ۜŠik$JqFlhy~{P(&wAzv3QuG)|Kv{j)F<1cZdfL B9P_O|iyuCT_T=_o.ջW^9GǤG_o+ }zyYͺz2#.^tTjVhҊg@FG6(i#U5+NϝڽQuº$sO*ɉPn`.•a)v?g[-Cw+֙tR8![l&YjC@]wqekq>Z/rs,$H2M}4EY{]ݢxQז ԓ,xs5(ha_ K!,yfQ!BqSTD[c! '+OJm(Z^+KH4rw7SUF 7Rq:BaCJf:g$)G WCq%1yj` r`)q2E -"La4`;j\f%iT,V}.ة?'keEJPm3SmtTrBL!Z-'3 0ڇCxې{O2zq% I) ێ9V"5]$`ˬv0q&nt *:'$j)_98Q=4>)on !}Wj^ӯ=_diI]mNXy]ʃkX(vR8;M- EWyZ7~DOJYVDqkM/U61_蟤^Omf5TK\"KuהgdgwH NǟEeg7AyУѱ$GL+>#ͥ5Be_nAI &3 \ 2.='0{0#irUİt])ɿ)Y*+y6X=QmDѴ>3z-$6^)UP[B@юO`Ο(aǻrw ry:I%'x&~py~\cUDdWox߿b?}rY G^6d7jTcFT7ШT!UU; ,"j鹂#pfO-0\02踺-HEG$SHi7~1vѹQHa n6|Lx\FBݩͅثngJe'_a {M TNer@5moUO)\$X%OX5IM7φˣUk@F USSqaܘLψG^[T}InS 2HXzy"8 @?ZFoRb14o{^;إ-Ow>FnWUܝ1>fH1l; Ӕ@A+#RO*&pBX BCJv$%GQZKmiy55K)]ݲTk?BH_X4y$[߁Г"< EUvaHa_+g62aB^{q(o ,34V.6^p=x32d%㦩2=Aybҷ$`>/>޼r}FX»sBͽdN=Y>i` (09٬!N{*yHUm(0S ][ewN>Q?:Ц,RЛzgw_yTI*Ec!Y.3o8$f)P^hqi@jݻo0q}`cvP}xݽbojpæBZ%Q)VI.ڝ-ؓ/Sw.plhI;oKǨ_z kfMx|y2p}.ҵ,]CjԞ;z7ULa2Ϟ~K_?p{nxAnhWcJnR-~k&P1q-GaWd'KU _wup֭3A'0G ZCW.s[Jz5c]'Y45ш}ǁ̢t*<atN=ucopt{bo+Ѿќ'^xT80T!i:'je1@<`͑ԏ%oIeцf#|>]OYI"ÊT.+j Pe-hrSU(O'* nJ3l ҋQd%̧fufsw:ќ7ό;w<> 1d&p͵1^m%s;Dmc}Y XKcsCeb)f,9EY$b~夢x, ^W]ܟU52áaF Au[OUɏ>͓%|2 i%w;fܪ~;\,TO.kKµyݦʹaa&8F$Xo;>9v9}d|< ;Ai۔`Y:p4(J23 D„*/|h"MǴDC)$oύZaR?;վF]Eڽ[dgktRn3"Yr|G|x>HjKq2ޔ^Mlw/1OWsx=̟ d?M-> n +ܳ /wouU<Ծ0:*T82L|^M 3G_?ߌY .`x')6/8 V=W-9HGeI6=)n [y4}[A3|K)i3Mz9<o~UCW@4 |-$δL\7*&ZՒYrlaD~ۺHVeSn8l_ t+ށNjU43._@fg}[C,EZiiR(jҴtt)$[Ha`H!Iq6"48rџo$Н dg+ŕx2Q;êzV8rJ`VM69Q=i-o]ҋ|PDb;^' ?*Y@3>a;!$;&pj1]}2P\ :𐪐 {^wsx RY+SnaݺNXn?H@DN'5D?*)mB0 *GTFLL\1IT K~=/Pn3s֮,I帤;1k8+B?hJM<Ӏm]{VW`KWgzt$v% DgAv#02N gHZN?Z lHaaX.Za<ȫZ(VF ~3\ea5M5o҈ĜR3AZ;mq?惴=xQ"?߱=Q z }S\'V4+ ,0x PYt׃>:>jX7YX߃.~j}^㩇ˠFb…"wDj/О:տi-׹sX0臏XRrSBJQQt5Gah/'-(,ۼ3,UT19TJC=Po#p<1w&w[[D]r:m Xa#nEmxIRwM2(Qkh8viH >qujMz F70-TSF9XE&ȚwJhU٤s`n_bܵψW(=ZqOY]@Bt#;+(ꋛqI#巇3btIJ\3WF8 {R]krM9X lO eo|7Ntk,y$woވ_1Z8㳱=_ dpVMG[}p\ Eϕ ӟLn|OkGxa3.T~Kxng@^-qf4Xhg ;>6 Y_ݒe9ۚF xѓ\pm,P_8$PiAH(>:|9%Σę4WBA]VkƯA@00` jn'+T< ǴdOo۩a6'讥r3P%09kK<dP>A-hAĥu6d4L&DY*xڔ"a>4["PHqm'ęsm8>z!n $$m(D]2x=N@k8|QHjPL5v9u D9mAׯ`t*by6)#62࠼(9)g) i賨y7w.uBdpר RsGUAY*$x':c'zKx4ZSSe j6X?!9zGi* 疔"Uffi=]燎#V tXGmum NLjv[mis(֡.},lJ݉U`Pk:Jշwq\lxy=t+4:}(Yȵ̇A1k$QSߑHFI\+xcoh1^lP-WCUВH*K404 oiD%Yi.3 P1\ъgA-ɝ.{>]LU# Ti>|=ژ44,1_%WPSьܾN\goP 1I#׎%(@V>ٍ%Ne/$VOb a>r.Q?+K V,=4UQHYe(V N59FÃPjebù67vӨ\0zZY>w*܅/7sC\킧1p,&Clbʼ{mK[j,Y6SOt>w+ksP[5oB 8:ͨ@B?m $p׻@*9!JޱmE͑\ Ʀ`ickJ[0M` ~v=ӓxG5WȥuE&]5OB)浇 )e$eᙌLv\$><5R ,n.wO]@a\ɩ;>PrS~1zٺXmqx,Mvهhk%Ƹ8 <DQ_2 j`J*K/19.×ğkt\cuU H{x0~{·M}Ƙ9%+v7I\5AMQztX K&rF.|-t-xyKtL)ٻ?`ee[7:Bd F@VE6>:Du p$dCJNC,wT$C:&ޖE;LF^_#ewa&-oGRzԿnz~7#Lz"|kQgC2VO)JԖO x<7G,^)}򙐨8i@fN]P NY-9&zS=ߤ$rv_q=bm+pT1!_1M~e=;-bnl]haVMj=Fe/fxP2 -H;:o{Nc=ά[ȶ!ےGPfg^zJ\#| atMR`Y4)YGg0h8Җ3շA,:说Ih^R|^[C58>F*@-lB3;=eHZ.x'J; iOVe@hA0UWڽd"@3 n4VvEbP fkj9);6~[&&5M"O;*>㟞}I ,*JA_=aOHX#Rg!pDt^T8qwpoB|چDv%"vb?.<kV6}(|eaͲ~m쪃5عKȚߌA6=yoȲ 9@…K=rPqrFK`!^o: _*BiGbG/0d@tq2PNjɛf-Z#z*Yb怈xlNGf8TcMB:byOcFjs0JWYw4 Dyqn >I#p҅5Qiwx8?v6](C=,eVE ڊgͻɆ:-|53s&):lшiLrۗQ^mc5:ӒB t~ `Zghl$N IPEyT1qGߚJ2T/-z$4d1YvaW55}6 UfTL+ -343i6&J,֢19(QWj׺]G3t b!ƭ?ԙg/[]+LNpP J߂YEs?)  U"&՜,5[=Ow 3Џ+&nEˆ9'Ńv<T|2vZrGٔ<o8I{[?ϝ(B'^k>IoQؗꪾ:1حF[9f]9A*;.,iUtLb:Sj)k(n`xg+2k?LHHx)߾Y?͸0A*VԸ-Y\P4?Fd0 SylVg 'CG9T'(iߛinde|-ﰙͷaʝ'8\^PDrb!@eiȿΌ\]e"OfF Ͳ?,[$j?Fl!IU"\*؇w6uR_*٨z[#RGZˎ+v󉼇m@vȀ0 8QoyAn\>KHw)"b]IH%:$Z;H*u6D\ab8P=`>V@{z`+`Xސ`&SA|(;9r֮ [hHD9Xe2'\F|Mֵ9b4f 7z9=q٭C+INcI?>UǙ_Z? y(>at+lu ~8Kȉp .rID7ӣ2PבN8\٦wB]o"KTrWϻH%~V5CC v>7c)׆,˪E ìR2c{gE9p\Գ16ޝ/,`v̝%l)ޑHàG ڧ#@ 7:.*p@mT!fsi' x HS SWw)mϚ\FkP$w̅\- Ӹgi&oDpz4i)P2bmr.B{ye&;\;iʒU#O|5z: T {n bI( <(QȊAaWzFB+ӺL ºL3?&1q/e,KҮYhadHI3.承!~fΪ0!K' WPzK vza4lEߜ$.?uO7L ћU7$7O?nmVs_IAt\]^4/ ߟxRҝ<= =qa\`iw}ު+? yTG&SX Tdv>Q9΀Ź%M!PxU|1XPۻ5 ~:Ĭwי9<:Bkqv93{F1 Skۄuq7x"ֽ 4FlY;A?BѽUz7;qgviXtXhEs]C35=NtE;ӺE4rُn庉,wMKX<><@O߅v TJ Ԛ=a8bc ^jbd;͙աF1wQ%ITB%Ǜ/ݫ1j7%rxrl+XDUz@3f4C,@ILfuE[u,rͦXE &(kx+bJEzq[OP +r?Z/}CzVrF>w_ϥtB>ݸU.c31x>U/)/Miͳ Ih 8g=ŽSdI)yeQ4J%ݎ#ƢeRek÷wbA4b.:%-?.0@y3;CDU DAyWv4%lp@Cr:Y'C"LL3qc;UK{f3X 8ص 5 LvnUo9km'(QPf _׍@-lM|G^~PK1].=W>;#LZk[ l}"ŧCɽMT7sO<m/~ETj)7t$jL$Θ6*|śຕ0xHIqA;O'cwm (MQWoLy_`%A:N&1U:=puo\M[,HBƈ"tpQwAK+)=VdC3$.Y'w\4q8o$2dl/TU1*q؝@qWtO @bT?7$[Wr.bkI^7I'3)Oyt"/P(o4(\x{sIGc) \ӁLuidL #C-o!TY'g QUģQ6t#jn@vl/3 s~2:I(X$* @'1g'oB8I .GdžOHgIuru#%$ک¶fctiIy1%cƩ]qF^)ؽ) jz 05bڶOWr-.j9H+ ö{ Zr,RlVxZz˷o&w:[Yw76#$$U`D(O6G1)T `vp{k_LX][M^e*u h')q/T mI0O] Y?"vs "F,sWR(߆':@^_ʁ<ž[$bphv9nc`*2W[QhD'&}Y2Ά/1g~6d8w]]XUp3|`F*E !rGĽƷ /bD$ ɗh0w^.a!OF P?gh#a v #_c5*5=(g D:]?1PvW_d~zo3l[w5aɬݷX IHHyfk,ɐtEk <`s=D^}W,$ 2NݥVձ6G/4چ|Lӫu^-*?$.˺>VIcQ~o0OG6_q>"a4fĒĒ` ]fVˣ5I=U)N(V/717UaCm , *LG>4at+{tfy A{E:z֚U?u%tk5`۳>bDll,oUa:v䫡U \,l9+uL޷e6pubr0|>;а| Ӭ_8HU')]e@15Тg/f$4z[&l]- "B#(,)Ȉpw,+u;T'odC­ *L7Í.izݍnCAHݩe6WHwSMAvi\w2֮D Q T1/rQE^ v$c¥cFRC=GbCጎ@Is7S<㬌y陮Mdcss é~Ho(|*qmk,PCJ?C*ޤLFAȷJFBeȶJj: un3&c?C"$<4{֕ ħoZ{a-~"DZ,R({-؄~VMfja^uȠ;|&j9eMg,-tOu5x'|+,zu"{=#D; =e+jJQ;eԏj-gu;\c(2Ll^s Ę"?*0Ps1:pמY V#>7jCΊDlKvS.rH_XS?ގZbI @}7|pOU'|i6Xi_h-nLTM } i /޶_)/ݪ/˕D50T%VgX7u Wg1 d-j^mf0W$Yl<[nHa+rՐ2ryB|dyJE 9V _{% f4پY#*+ExØ.`Oq&Z 21M_kۅ,Z٬8\s(cН=E T ODxU FO{ϵ&\eÌ:C>T `2A0.tXNA!P5E`Xl%!?K=ȺtyӬNzehu6E Q,X0}J:BtZu*h'">Ǖ5yoQ` `P勀^(nGmGBt}mg9_oZQ{K@O {f[vmdFewR83P oԿPA%C9Qȭ_V ̳.]QMk&2]o[. {Jc:d)"H0xݦ׋75G폀墇&Th8yWl\n$$䇈/E~J&3o+{n* {1\M/ /ƃ(AXp^6 kA|L ΐo`2c<@( ݱW[m_Hm;<"Jk=Y6vW p[jÑ0"_|0X~Ć4yF]G0D<5$t9|n](*h@{vVfPL`V!<&bKYڣb091FeFoviuІ;T%Ti{.$gY*6fC,CA.F5Z=$Ծy^d+Ri5C!!p87@2-R$PL@ yz_+_=6~d |> j;[`GBֳ@0B܌«¥ ;icQYRRhpҳ r[3VM-΀ krE꘏uU ,poK0hu{w_rACa>xD\J \pš$zoAzu\#?X'w?ws/GU8{} NT1Jz~reCApF8IcLЉLzWRU:'A9X'xN̆i\'(jP}+;:`q Q *΄9xГJ(6-rnV XWM|YmHirx^p˚bK-XHCU0sVdo r;+Y\h86H d6W2|̥=kR+Y#"6Ĵ^Y4s.,Nյ W6O̾`7CjD,{'t)[0ELonft/D3}{ Sp4' Ş ><.ɳW˵61Tb>ռ)/פ˭S#a,,G(֒:[߱iXRxn[$VJղwA >Hx ל=_lrZa9G^ȜC* ulBvİDTn/m np-Ei&=)HYN ?F3~,t!g$WrR8M@:6o(fJ8e*[xXH r:ANqy1i os[q==#fD'͘"3-/|md-a_hPjsq~V82@GW:&Klq1"xg h<#VL,-䣦 >>H{0oFc4Qv%iT5d* .FG֠5R0ք#=m\Y-A$]'Ng DdbqgITjs.6WEODb@)w@P4=캑R-Iz<7%خ;iW-洞lJI'pF7g"-@ke9or.h]53=bw~hx`Rˡ mx}~ܠ.#fPz)H %l!CN_QTC\EokO^*pMU G0{PsB y5Ҋ% >Z9M_ZR0oLJKw㕏IYڕ܄?괹mr.2A[f縠'. 6/+?T(U`x YGAyK!E5kR4Haa}\uTE/hxs6BLŸ&$7~Q~vVxᐓD<]f ;_uH}o1{@ܕBr&VG D|50U8Ӿ[Ax~ESh3RhOu6 @ q|d8#oQԨ+n/x)ݩE kxn0Vr~N鴀5`59$XP1_= E(ɷБͅAcwk*<GZ5lZ׃Վ$WC#).&6YB>eXwT ؃zv?n;Omvq# ^.XMo8<$ s:+.u )Dx[8w[s!#d,'¤3z%hdt #`@6kq]jfT3ݢexP]Nh4f}3!׎>v5^9k{%BmzJHh}~.TJ!nqakH2PIuI׀lQT_K'J4 , 8%<=;*>ba.x24(Q*#~@ʠVѝ- ǻ=_Xsm zz):-f1Q~MmLf $ŹAlryC_@+Bǥys5M ffΏ)0țPlHtn[#^ÁP6'0W1`yRowhkY!*'a2Kd=]gbT:-=>U{aTտ O]Y;9 un-λ%:#Cx_Azx+3SpfA:?d :am∌ b'Q9NH-pgRZ/2+CiCuhv9 ƶrv/jT{\an.ʻ%<>aoEzہ:lǞ7{oagEp1)=בU}҃ӉzD65Yt]_m9#f$-Kj.Gnzα!("2F߳鶏Uo%[ ۀ! 0uGKn7^RyH/lؗ:U  ?M]Gg@1']#Fi /8]ߔSUy2T a 8Y~?VD$+;NAvRp)9.GKfqhs8+@f}p@Qmee+9f1!ڪv30:Lߏ"fE߹$4F0a/%pCL8DZVv?Ωڻxڍ ,ApYiE ;=ѥ~_89,}q)tAf͢2 ؠӃrH4$GV?25o=ь s@܋C p2'A`,rڪ UK6T1EA1UuL0rɮ wktj2}_qʡHgǻe[Q Ήل^8b/k07EP۲rJBb A%T &,#wQ2HE3r;y?-J[LEV;gZgf(Ͷw2ɾbÄ~zJ;V5#/3ԟs%˹`kk{"q ox ЯFDKB -*d2!zyƪZI.r2T=#NH7Mnض]"<[HⰬK$7)dxIiPB.Zl'؆ޫ3O~dNd}qt߄v]XfogYB+ys76p6L6^wMKoDg5:;fh3 DBؗpUA5I Ka i_ɛiȧDTmElA8$ z X "-{sT[:o:9z셅ը`}'H*7\ '~a!c#! \Ilx1H:2T rO)^~\4_|wX)e+NyU%4c6… gHTIvեY] \MI$; e33EcyY# o:4h8ؒe XFe2Du! uvά5v ^KeD:ݯ5bYa$lpV<򈒲CJtXv:y*cT d3AvFw荲Z6d3ifu.Ư8fSA =V& /8g63ͨbI(񲍿@jfkKt7lc ЃKD1m{Eu)ekfq%xm [6u40=c0Bώa= }KNv\]8bD|հ(-|/M ѽȚi+YXT$CIBSN"a"&aƝlJGU^BwudSǑNq$-1q_ڀM"`2v:ryQWq2%/ĔDPC n%;Ok t0¯~&?i=>6ȦYNBR9Xsw΍&iN CSSdI4=fM_tQ 0.(cO2@ܮW5e!hw: Y&8 [M"7]F7G:$՝bIq/ ))iO`=..d_4Z$)?u<30jF.4TJV}Mz49֫"Hw Q30JjG!yM ya嵃!㠦T N؃R{أy!Lz=K!Wys.-¦ gn@B| ̰UIJr>k/ }qU5m+tXBS+UVAn_8ɧmOw@+ZM\fmw4 5̥58JW -79%É %D ={=6{~ rjy#ׁl]Bd$󟨂N%nb$iuGE+P6J[e cE}s|$Q4AT5ìg3z|}^Z=Rӵj姍2a&Ɗ&! 00QD*W1Ғ[6t! ,Ya󖹆z@dM@?$8Q+J3qLvvq>O|I (أ,H>mhj~m=+=Ip+̢Z87X>v;UݲDI2cpn)inm?9F$eNSm+ԖG%v(Э-Q!( ͞&P !ÇKؒpalg؎ 49Y.M_ˊBٖO>I9c8ie+j!ޖ6 [5Lpb},gyz9:10C([094] u= pl9!^oiԔyqmeˡ%_.!9FݒuS> ~Y/c..DIJ3Z(6Br69׮~ٞlnzEb#65[(!a: F^PϿ{CpF-635HB͵]+OnfCKjl}r֩@Xh!?EZE5}a",:Tx bF^w|UfւOZy|+e*aGԜP'dKޖLjjN϶#׀(yi?Uݺ:x8Btڏ*bB.*C8ɶ_cֵؚܵ,jۂ=)&1N})9z{3il'mQȉ1@tqj.b&VR| k 2W=D5z1bû0lmkaLۤ7v?g䓋@? c و[]Nל<9)ΤYY?LF eM?}q9.. KhŲ"XƖ :szc4pl#zxUoMdb'y02(0Pǭ-[pW2& "2󪰿uہNn0~M+ɇbfuOtJ*샆[ل"`{u`n|1W*l>¡cGwQ$k{XzTgDt-[z}d-]o7 F `U(6U\S߯]:k#?;& ;p9'_qxMCFMyv1q={Kϋ)2q O¹ #PKzp.މXc%O7nBKZbr##y0M@lfn/h kZuG 5,W }/•ٟ} 0,']7Pbȣ C7Hՙa+C$X[D V83F«".#(?,ȼ=,J ,Ӄ;YC\@(jF2LFx$`Ne"gLS |ȟs~ؔkQk,r9DrmU-H/(hi -  >IPm)-T#H2fܭi49~q{`A^[Ҥ@L:[a(0/t q#WzNvZ{e,z;+q>sDU!2)GAQwoy#Smy_ƬyenPR6v'3,Fg}Jt2 nOH-.II»ύT]'\hZ7:^^%i:Gl$ruoߎnLc؊g[Sd':WEW&}:$T^L6VߤYHzcK= w2 B' 0Sfof/rA(W^3Ӽ:]ہ;G ߮cO' ÙƮYm!5;uܢLrWguU5sxZ`omz8aJ">&jX\p\K!wz XdsH:+D#dw\,S)|AWt۫<ZN Lt,JKrJ7>'-i Nf:|GݱR:0IH%.6vG3Nc%N VNo{B)0jtqbwAzz݈;͖?B</%֠"m;7R-όm@נ RLMZIl VyرM{L8Sz\`}OhgIс3quS"[qϬ&3rWVT9KÚQwS+%R%իWan:r-m9T 1β[X.A*q/ F7Ķ( Rg؞|{Ȭ~ގò l**C:X@[_0#j]־ f*|݂~8=/kzu{T@>m '7e-nh "r kzq n,5gNo }Z. C͵܍K6)caɅzqG:U#hP}{Q=~"62$W6$}l`,x(tr21FT>lLpQ/#=rMS!;v K7aRaM11n0n;%52A}R|ƹ]&^f8$>M*L~YJQpڙFT&b,4n] tU}XjܟʒeI6a4 BrG3 D+3r2 Sh@С"=p4΂_*2MLV}n8#ORb^BpҧezVBӶ̛]epP)Ls(ܢƇrIDR U6vs'֐xYt [JQLAp9 {S{'paJ/Ju x9@W+U6Q'!z4sMλ% u&zmJQ)=̮~I'8؏ۃ3ybxc#'z"#1+Hi&CH)w2PJBbJTol3{89ZrTë`tƬ*[0dz>ZϽߚ (H)]6xD&AwZG,Pډm^F1Sq"7X_{Tw{V~n7l^ 8z^͑>Ρ m{ U{-ֹH9M[i4S6<i,(_XqPd>Iw~L{_,]mS}NHBOZGl{7-eZܟfXA?=De=5{*/az =5|Q|_Ye55rZq ]?2pa jrӗ'[s`@YuN!+RU\I$cia2Sl:Y O,c #m} ptz,sivBe؋W皂}W.7(&H Tc-‚6~Mkζ8>}xɦbˈo!)) t4$ȿ{ٜ*Ӕ ,b<Ȏ7E@uN7ar|~?rl[OQdxjEۉŢ9@mvY~V,ky ذByH"E oa뭏r]ހѦpDCTc3]/H _$Sbq#fO='w#|4B/2C\I);sK#x@q T2W X]8e- 3KX5 +^]:`8+bMU5;h{ϋ %i Z}xbq+=>t,b0նғ.(/%$X3Em-O 9~ZT3^sNtĉ7%o& VbU@{tuއzzLvdDFH9h*:MD}ZŽ疑pqN*00m$1=t,vM x{ϳ1Tѥ%Tik,&)p٢дh}~f[lRM@enTΑПrBRl7 !zxmNG^Z[2w=)sړ9ËƏJXֻp3q/w+X3fA<#l.7# 6v:X,G8Һ{um.=ܡl/8lv~* (ic[VPX8nH$8mU{~Qe:? /uj<Mm5 Ɣ}HL˃S(.76q&bD7i@@o@RYIB2V_vpS1(=9M,E NH1@٬=[NP#-[.9QJ.X_ ReWٝu !J5E|T!N֚mǫK#\5!>}<,T6z-(mT[lr0HK0A ;QhJx@OK;\LaF17U3PaJ#bU ^7Au\=&IxI,٫}Aͽ*̋& ij[|*w( nf#7XCL /VӞJ%wNPYF$%yFa )i9YĦGM/ xoV{oBq!gUqƇte$~g~hW _m"U?,|Ӳb뀇&Y-v)*-tNSd[kÀ,'#Z+qA|!ܙeYw/P:Cywv0Fyoxs$3CD+?mߝTlG6s!q(+ je!]dcdBۢѥ<6%9Bv+92P36];s|֜͠E{bv`J'ʖr'g#!z< 0o = #ݕ(90,p7zdK9BHSn~~JD'IbJGqɴܢT7SZp<i2vp.SZx\ A%VIJ<,?Y2įލ5pwtawL@tr%hP˳2e PmETHYn"2V\ >ܮp?V,WHho#vx$~[LaO{^hp Y+ŝ#QYWXu,>ۢ 5 m&y$K޴/j/d`^3Ru?j\_vHbI"edE.D}u\ ['Cd]Oy#̗M=-`D8?ڙ%+~5Ѣ8ܷc6qtLF^鏨\B围D (;U$4KAT0EݜN`FIN/yAJeASwj;_Bs2($SIHE3.]BT<]K2 w $=k4j2}dIN\c3;](>/M|m_*.uC_w:S܁¦mJ:ziX͢ Mw"aMp+??a*+ r_DЀ9jT @cS1b:pn4G f<>JrC5l6l\jƥVkӅqĪh.Z ErH9^;ZB|wqE/[QR<۔%͉%b2-*E+j-F+`>) @O=8~Vy 0'7;Å^ou15*Di{l -ݸW[1kovA*}-=} ?UU/HtXѪk@5UR; 8sf!g%Hߠzb3ݟZ#E=Flۿ(vZSE4ExYM-ce"9Wےiƙ'%gƹݧӵ s`Y2'஺醚5S޳E :5piVGGY%(Nfa $?A2*Vwsq{&oK(uaF~bn ~E  de&R`mRV!toԁ֝dP8z<+Ě]RWL[iɽlS6XԦExmiygǗ 6Ƹ{dM"+p>ݵTL\!8~Pv)8T`fn8w3,&i2Vwgb Ԙtcn"&ǥVz kΐ"m +~!9Sަ07E~dXVK͠;شIH3 }k[GʏfmмQ,3I(Uܴc(:KɁTl<j%7| 1$59x$,'?ONll)W,C )O1YT.*~iu}qYt1z_bW%5z @5MI9Aa,hdo&L {lT$+MAa0xiL|"πA4˘:wh~8P&">S (\OW @C۴ #vIpYlOO~AbBzML>Lh7jAf6:K7a<~A> K}#G8\ OS aNsPL=ծs0#HRP3ddk0ݻA!H~!gv)ffԉb*35! \B.mCGAh<},]6TQ4eAl\[aJnKzP /!/4yP =EIwb))!%iʋZT_7 9 YswvHݲ#pBqa0(ywXDbtWe;DkL߰V=Q=)*CyίE7l}LŁ`C;1B80PK&,5Y.;?5ʪrQ8*ˆ9[m]r'oȭDCԥF#K;]cG1_ f3Y}XX4YɚZz-2MB;TaPw6ٖp^;Ǎ|4!LtoOMT%, *MC)D(LG+Tm6<=)iz;RF@iz'e4 2 3KuOfY,U CupLQd=ҙemGЇ)̵2zva+#"U/d`W*:>y|+ZV %[q I='a+@TBOJF2X[k&Bu]ur9e4x!^yW8T17q2suk-6[s:F1W: >b]@It>30A2'΃;zd>= q.qRL)Č"8tF6~R# oG!PȚ!*i]_j_{`3$_=!L;qW~T lՏh <  80FT]cD|:jUD6<1 V'Z)Fft-'jxwŪă+BTHc>h&w{?[C5EʛbXO馦Fp4XjQnp-G[mq߲¢)媿 %װ_2#AyrM&O`n<#I;ͨ xkҒz{ reݷi?^ul:ր=x.= rnlK3КDGz_W&4C?4A>!%tO٘d(K/BdHnٿ1of"6>i:uwd:: 7`/M$.rXw@_A̪v//XU8D9/fi7d}nqNcr0ˈ\G7: L2lERh?RzѬ Ec5 [od 1xVly7+w+=-›+Ӆ R: 3@$y*N w^CabDQؖAEy: %V8#PC{:&MފA^Fr\9c|yQU͡km"}]ßw;ì!Hׅj!T1&` _2̹:uRV \D+aRo9<a[ڒk,E ʫk5ᫀͦ/=J^vj6h-bA|d0Ĵ̞Q{AiG%zl$M6_Ζ* T'¥~EEdKʿ&jҮ<~89bwJ eh*m#e*X\bu~0SO|Ez=A%G0{Ry@+idiivw @l3 5-C#GoE yw(k1:^wʳ'M|\SY=+3 6DYk* 87HzzIi)}s 3ͼbd?G:bQŽ2}C"輣xd9=5ә_6 wXbKCS"ҹĂStLd T^"mp/zv*k%D o[r:Upv/cvUw*xQnܣx庨Cm}^;2ˎ/:5U4Er[C?fWc"-bu "uP@ۚ_=Xʐ?~5%\F'dR&b>j4Br$'@]x @v(eҤr6YKIy/} sOzBL]J#f%Vt`D܌6;yݕ_ #cJ ;^Ac|:l0NZh>)3G&K-C)p+z2cp x NsXb!>HtUn //b.2 v Vd6%UUN܊U;霥'F >CBO0q#ֹz$GWp;˰kZ9z'^dA"O+%}|% +xgăLUX*XAJgZkK5-gAPڼrKJIw ڄk~ȌĻp)K k^gU +&ngU$Csp)]$UA?-G4=pOnOn[\׻ϒy}ղM Hs7@!K" $x/ם-8l˜-ǵ\,7.- r&,IZ \WB:J+ d~Q0H}V.YpiM7'J2{(. pveBҽe 0RaɣxP|Nm12hg#V'a_`e-2tU`(X9!2=z/3Djb 1T1yv <F+¤2#R/u'P9_2kXTXEyV'T_V=ۜXoQʨ!$ M<@/HN$52ջX'Wߗ)&#?O;03D|b{E[+LvDԛuJ*Wߎ-"?s! :.i T'Vƈ=iSBڛ-m(b˼JU)2ucɡiE 9430b͙ t9#U1#ZkE:;޸ǩixAu8WAůzh$ggԊWUO-qtu\9Ƕ^ Cs:FC~=^%#)jveDePd QZigTf>ta CٍX4Kd6K )[ӊLnl ŽxtُE74`xD0UPAFIF񬄇g >i]DYe߽g,`ALk_e]јQ!UH&柕D%څ0(ƕ` t1JgTo6XT@,,mu/aF*"m K*HŇ{*<}:[֓3j{&m4o w:ϣJ5i1Vf_cVek<6>:q-q0ԷK2AP76q/v=^:";-8 WɎuC!<uIsVFeN?W* QVP 2ԚvÆ\f2Oe3)o4-{c%;ΆBӉ\1).TWUh;b:(.UvEPAofFRNqlwz̢/Pt>%W0llj1ځ鐄#pVCA-1>1S u'׮"1 gҰm<}C_Gr.RS@E8&FLj S5ú,5c)XYҴR @Nqy.oh\qZu>u+eƗ?+FR;X>bG;w( 5vXשP@DD5q}_o G'~-"\Ⱦ2=.0p8(5{wOxSz7 L6*F|27ba;NvW뎅l'<}f!k_(f{LG%PNHo|1< Mt2eH^pt LK ~&g[4'qpة w@bAVcavI{|HdlS'T*S9:w5S 5oX_ )'QVD[o|EcQk3a*s ;j0xdًYara%{̱urzmaV%ƓömR؝sณ܆68i9XxI\:qifj$s-dsc!$~"sW3Dٮ@Zڣ>4TDdvաCȄfk@|G4|r3>{ݳxuԓmqS0۶#Z 8I-^|^=V:_]V/xqyn5 ɳPH-7*<٘ۙY5CN@TOEԼd+33䠑uh6ZTҗGvqksϼLr)ijåˡ{Xn_5o;\"wU[AoK qM?f4l PjtS R(20QY;j3|N$|ؾ9ekiTBoFqN ~&EXJa#'GxҍW5Ԕ|лPr;x(ao-!Hh1w3%l5HթA'E"jH9) M[G:HGric}UCIRy E-fm5@ ~mOS8Q΋{z5P(~%븖QnãzFՇN[,`E:>@zA_1#&^p58A}^Hͳ`Y)A h*?1Ay":L!$3CAye%΃*׬mXȱ 0iF$ ,Qz@f[D ;M׌RΓěn ^K;kBFaX~dAO1K gtV,tq]~4nr8㌉3߮;Rw2*La)s scך@~2cp/Be-kU;blh=s M{*|~@?Z6$&EI2JrI< TBdP g4̔kpO/`Ly5C2yH ܥfٻ( {J .NY6j+"6i!mAd]^==e3yS#3_;oꪌݍzWJrj>DN)hȣyZqda?WóF9;Й@i!e|Y@WYSn Cdn`i+k~W'@y=,ٛU8ϕ*ps.-hJQmىRAd󚣎˒Օ5t Pԏu}LG~$Ha/ Y@^Gi GpTٲtbI{Enx-ǍK 2D <ۋgt }rC*I mUy-*8Qc3d} 4C' d .4OY=9;k*+! x9V7R'#z~gFx0| CNjկMCtS{CwHTmBƐIV5z_fH{`(Doy*hYb3e] =)ovlm9p H\6 ȈyqԲ^@W7 'J߮,D5Uc.g)}niLMgs(f)p{Rbi>ďǝ_-`&D]RUAxVp_ƣj݈5a]ٔ I^R@޸Ć"4iy\ll(59Jܬ6iJiu.̌C;Zak֘Ar 6c'㗌%ά7 eўW{AÝ17Q2B3C[ʦ}Hd,nm#f}Æ}Tb0CZ;)iE 41³Ow1PwNXxkuh4k j 8=^A+c!ЈQ?Q fL1 8 9$ ukKGf!f*6|tc; [j zt_&uޭFUP! |Jc6|BU3BD?/cx{PxȖK7ї(JH)L5붢M^fhgpI9B.=m|zJKNhu]9R70ƵY+ɽ'~ š\veRBn鞵戗G1,O]om/w`bވZ@~(:'-PZ/erR {ہ@U 0Q>AlBYV֢Aqzё,(VǂFV5 ^iO|QGqUYIn}n&#;r+;%Gg:~qyx~R2B-;t\2|Ŝ YE+(C/EvUV$o֠{Ky0 MI-YF3eS\+l#f{ozl싶Fuf̗]!y ֙*O-qC*F5}93A M)&d&N"?IF#vԉU431Wϲ֗$UVe Hyn`\ 5 xڋ{Nli¾`&2,|:8j`iQh9)hs5dY4-79@!sg,L S^GQ$F#ɼTmG1Uѭj[p+~1gGeJ(F$8e 5zkS8Ah*N'YQR-S ˸eO{BWǶ= qu Ɂˆ9P a~ *⹌I}ˇDÞhGdNR Bc~&pfL[F$"8Pu #kXbF6V<|k@ۏ> k9zE2`?]mM-_GJ)*bU#X4ķP]:mY2ZTa. GA4/La59 ιKΥ}C Myda[zF,b<$+=! 29^i^giR!qW/URz9u*\[g]p5[IUg"?Hu>_3%9Oˋc9Y̜5~- q'? [F`'JF^f@v2[5T$+.^.[^II=}lLWr~v>1yHnMwvzd],?C„y6-3-G) qE^cBW*>a{]"ax "Bij0Yy֙5 /_PĚfHdup1D;xڴM'6:B1L"2]NV"B-+6?R ~~qMLiW"N Jm"_ho!Ȼv>/|b3-~Hh;{/ ]|KiM47ހZpw6+_#7'bnyZԿGj $DS";ԟ"])\ gV'2V<3`bp̴i :ZW)4ܱ]½Q̫kۛTzi $DvAZFJLt _%s~:-2ܖ_Si/j"6P֠o8[4royOCg|h $wz#@oa~@γi( H:ޔTqTDު /bov3*NhA^Ϊ}#p>Xk @nR-Wt3j0P{-'\/ӸU@)f%"F>&,A7ߓΊ`щI;uv)Te #aV8[ye6cl`sc1,e#RB,JB$(?7ʜl,UOԈ m%A|&JPZft鶏f/~bLtzpgi_gz4 I覵WNT@aTtŽ*!m cej!g;~,hHc4A!Q#IZV]8%@<^Ι 64fDuv}Id. .G7; 7HQmz)i>}꣉@JKQ1pZZzǕѩGy]phO}|쯓g){VŌp!Qk`e&e7ƹ5x".;8g2f[[A9e)Y{^Zx/M]`H@ki&A'!5ULOP'2M g#I?эzi&%`I!3+kwUϋGʵi0+Jv8caK\Bo+uG 'O?Uतq)YZOؚn42#`2Z;&| V*VmtG0_Z%`، ~ED.AdOQ1O /L@P]p=+{ZtUbQ^/]* 쐟ʗUvO|tx¯F}/gGqgwb0zٙfOBL/+/ϙn>0ş쌜if^\D=pT:hp Ydt7G a[W C^`3^vG h ]j_n 64_N>8uȹ>B[-GE\F0`)^=` G ͺY3k& ) 4}ې5^ dIq raWlOJa# n W@tKW6YxM>*MZ"Whĥud׹T0BS2aAӎ/ae'Ⳳ$5Ec'kp L k>VӆJtsIɌ;+5nH`?3~\ 1T8*$ 3Y`f:ieSԛf7Xx 5==V;|9D /pcK5qNGj _-^y9zP }RJ7!b޾1$ CŚg>[)hz]B &{کZzmej~#Z[oBQܑcz믁S <5o<#J,ОdPx2z#LZ.pIDV~>Tv()WctԵj~lkkoBJB%ғ ֩jZj?α!8'wtu,\7Gh bĨHg3_xT}j+rm^J(2uAb_s0 {.',l§'K-xx{sE@ؕhy P\kx;Xv? <,+RbL?BZpj%n sZmA̳6p5嚫8۪ A3qJ89U-?#V"% On=1@v 4@ɷ }…/ԛ.?ƖW(u nHtZٕt( K]vd ]DH 1(Jw7ͅ~kܟGYqe|;OY svӸ:eJ^4U-}‚A*:HG;^\4rfފ4tLNE\_rBo8ž9G#%BVճ/׭Sȷ?c}gϓD/sB^ )^5,?UlvL,`o&7g9f ?.Mk[0LBܛ6-hho}ˌ7@*$;YSGN3\Z 5JMmӽ#Bp}&{kRleb ֎51s@DTPyފ'I[!zVtaOwD:߱K!kAL8T8co/ ]mZ%`g.XW*#'~ы(S\\$rhմwɣO{`5x IIDo''-/B#˖p5 ~aKj ipWtSJ`;3V[huwUz6v˶dAp /nNo,J_w:q<5% =imW18K<֯]nr*5֖iw&/T+Tm:mLH[51#feTŮճ2uT+l N!Uex?zO5+ :?\rVw1h,?Q6) h-/ iz+~M[X4c]oEhL p"_#2\}I}lv 67[eȌ5SprD_sH9:0v|i7FR-LKA3lu!E3[̑\@Z+I=mgNĩUNYve~&mӽG/|^1]49?);6~ `˥[╺XڼPPf׺Es& vgT߇OO/mًWx&ٵꠂF1VtKcS R(-u'2_I>>w! ZtzK;v\,V*M @ (rM~3rDSMJߜ#ϊWvą”')Zr~uK$(@_Vu#*F,gi;ϚY%76Pf ݘYSa̵G$I0hȾB˹ p5:}  O]^15ga0Z&1!b" C2P{ثjfڼn ^i}Q:oCldo>i-.J([}/uZ~xCXќЭWFH^˖©)p  φ4c:ң@r`tyc+[&xTw|T2仔&\x}7*29f .XyA~.jVa>#Wq"n3,Jzb*F0M|d&c'?Ë!Z?Ǝ}|r>~ E}Gb"Dٛ\SoϨR,ć[l(yC^tfZcHW^?Ks)U̝gxpQZD  |#Ȍ[=]Cɏp˭6zr%}"AQh+49u Զ_E-#E Jd$_1k'{5ҶEur"gT*7^$(7Rw`TAQ,l 6 2ӎb)Չs1]7k nd0BKSܿ2 N1ܕOW%,q,H>Qgױm17P7~ʢ@djJ^̬ ߮W%4{2(24B:*OE4}ߔm#̺/^d)qK>CbFwEW$(EܲYd4&Y7f Lz!g"WD~8r2 lhp4 (YR"kuzehߧ,(0p':ʗFFӥ)l4 2Rw;oe# o\LH-E%m[/^>"ҝ9On4$|r@qW𿳻ɘ`QcĹ1 Xpal14̚' %!2D<+ /%\.&SV>vG^8NkOhaJWo߆`k?bVHcA_v9TKojǖqb5@IZrAlBr׭9ZoZ_ A_Uɳ\ƫ.u(bjZx)̯pWqv1+37[ɡ}9P*4lX5#(ނF[)e*CӗP]E_dܛo @`s&irWRbj Iaőpw§1sTG[S;$p[.3oy3)? b~ X%,l6*;q5:!F͕;9)qu[%nsdS{iʸAXkG3 :k8wcGM=%&~! K\o |76:{ YAI8x7Cf5$ 3:)qO7c^~e4cw/f^\Y"#qlLܵ5~%WH` WtqrJȇ^DV\vB?Cfd{ƿ4}ܳ5,VR{‘:NzGUGNKb}vQ(ɕ "\JZȽ9* eSePpUrbG.>. BK!ץ.k7aҫĪCUN0_"&og_d! lU vV=Y>]8ٟ 4I7ݔRO ߭m>yuUdaFaoQEZ{3!=ɾ z_LomN_M $MI6Pb1=EIQӢܢ!PY UZ(7> b >#[F,1Tv9:lij@kM~Ncdd}F&蠌}X:U ^:,c`x.b~X\֯'M:d-?Ӕy>'Bi(@V=}Ţը R:籥_^Pӷ7޵IHfD$AՎws: NA S;mG 2jaB`^ˁ\:P|p$4i2,."#cw78"7m76NV rqdX"'7t'&.y|*)JcnpߋL8-.:Oiv`qpS J?#1!xxEq;=+_T{=SlV DPa3P#=zlp0AZ44ŎB\`MڞVm'49rfLIŒbSN]} ˋ6膁pn*H;e,We -kZ>5 mFا])t*!Gqr5XAcpłąbFB9g0#kvqWH_]ypv$C H)t ӣ?7. )?`~S1W3I Izoϻ ʩB!ޏ|lZOИVv0XҊ܍C#:'i, y`GC|⽀n.({?+s6%taU@6V)hO dWJռDw&Cjrq3. :?J,(u2`ix)2) yϭF˲3=6('tu3f *YMJOޢ~B.do >5wkgZM|-SĨbl I_)me2D"SɺZX?~C(_P<Yk ts'jI׼UY>],~1wIsx6{!wQܯ8Hˌ+ɩvo7Υ*.P<|^+>J6by~Q9??5MGxT ,Ȗhq)AP9V'V@IҎOm&(7Z,7d{>4n>L6۪U{10 PM7VW#]l-:h WB_~eY.җ;gu1amӿeCarX{&R7SC3cEP6 REpn23XX?hC:7OŸ>ѦmLK紵 ̦S1k[Oq "fi.jf'srD *.~1AVq~_DPnXw^(,?y:=A< 8(Y_.lM\1s i@V qM 3D ҁ}N8c"B뒂yb\CN`?9WNWPRmEًS*3A]cx!t~!=ǴÃN:&rlkpbz+V{v> P_x0R)1@GwVF$CHiv[WG㹸|uMv%x?6LcY\5"#i k׀JލϛP8â4_MxGWkFEȰڠ3B&V7Z0f[L\C A03gE(հE5tH01뾐`<@T0s6Hb))zj)DW@GJTk5S1 kL<3S~M3!FR π*e8O+E2=47DR! h9D'geJDҧzQ6^>Pl@FsbȁqPG>J\`n1C ZwO%f3ζ*Ӝyɮ&,"Z`M|\W=& PfH6=x(:N 5# ^il]Ρ .{k^RF8o% wvOѨy1]b=7zX.!6:HEVY٥c!{#Tz*pE4H1\.]&$= P.F޷[d-5 ߯%$ t^[T6_}]P!SK]'5aԕJC~f mMߢ}FXWHK+˲um~]ǡ7z/*Z1fE 9H:Q͋bUuV3Tn^4v?sBw恉 3K.e# ݊!-gt^_Nq?q_lϺfO5K GI^}(U(!??S%Uvr3C UVd*ETH<ztfHI?Z٩"fAcZnUy7=>Wb Q'zWɸ Urx@PŮA'TYJʃ'* kI1iT="Jh9|q|5=ig㭋h6w LgAN :K[gZDŦvB3%}XIJѐmn/צ_@UtEvF &$#^)%U*_ {@_?ތWXe8=a0@;\@RbH2Uld;߻=1MRLfS/aV u~ӯ\B3+@Cm[I7װ6G cb/B5lԶgXSAaRr+>>;MI?WA`-M^M\*PgWM-_3&90,bIKfG\hh't*)n=k6%цv`-H]e7Z%9}Q f-忈&d̆("Vb$^[vF٧3rɀXd!w!p7vnYӏ8y=ԺѹΪBFx~|ėKCloL+d/=љu\3FXI9Z8O̲_sֺ9{we^lZ$T/آP>7i5Ubl0q3tkSk9:Y,JvSҧ08orLU>-6{)4mT0؎m~j'+g3zXR}0wKڔ)OYWK4Do.j߿lIЉb5j~x|FޡãVd{YX6T:mQqKoi,Fph~_*iyNOk{wOa\c+|3USV7WOL?@Ec:ox dTnٍVɛ<گh:?[{.=涬lbAHLT-_VK- Wt HG{ 3%}<Ņ*Eb>P[}S9Q_^@Sw"8{JHMn 46Ёx;EX~&\VW$q$~KTY>{nԫ$"},su lK #v|>ȜR lTf.;8i.5J@w;?m?Xi@>!Vt!~3WfA9?(xfKL /N^^9&]w=Ć|(9-_y( WkJCN )0DA3Y_%S\t{Ě_!B=`M"%di[&% cCVpabtV𿱈 i9_4PfA˞!#\9ɔX72ԡĴEؾsvK.aʃj_4Jj|<,FKoNi'femz{/fQteǤƇ4'YҮ6-l"tOyp`l-$uYe{f+(Xi"RHy{_ PSж 'de2~rwNt-\UH & % 9< 2`F8>* SFZmvKLҚ Fj٧yjʵ`]_%u^ۃ0{͑OzZS"'x#ҋ ^Y<ܯ>>el+h\җ>4}#T8Ī%+6 CSc d/$rBY¶~}PhfqM(T-r~H@+ng9޷5E#b?;L}ڡ\gܯI#ߚa/Ex&KIط%xW:eQ!kY§vVfo#:YbW*n)EXK!(TBj^FCpl&Fc෈XvY”0h\OdDyiG2Pm[%FչlкrmtL`jOh;!W8Ƴ fj2)[A97WRoi:OVV6rn?E9ԕDgxK݊1|# 4)i_fԵ\$o-,CJ7ll_b֛Qkd&\t<ֈoO4J8+1{s=qQ!Ϻmf2 Mn٥S#!?ʈ~?ٴ(1<RS % ϼ_M9Pϙ> "k$z;8П:* A\rtPa[MHȣ줾ʰNZa25=;ġC8*z9oi?xO'ƶөRkP,"_1+a~0ZJ#ar㔃r}n'uK^(!yle٘0sk.!xk_T.ƁCA3^WTO2:}cIE,yq 0IhC~73AIR>kzJ&PJUh6g!bH>ݘakW޷ep('k^2l}8A>"G0pCjp' l6Ϝ)zȑ C .L]@\V$wO'lZe]̤Ip]+<iq8cfsGc iȉb/a9㶋Pqrv/$ؔ?Afn\a{Muz 0w DyND)k^BqS+!f4d*ͥZP[0r΄$4+4:qnU?aZ1˔(%d12Q˄$ZR$iDX#@v>V? oF4 %T/[fcu$rNheQw5>Ͱ, L髁LܲUc (ic +tuҳF~AVoZ3lDF@UGΪYl'E]\KoR][pIBPp%l.^Dý- /ej=rP׸]:6,~BBNrl4? zORu~dx&碎@N|sʣ>[T!ִ},ݐj0R R<[=}>3TEѹݎY8>_]?OFOTP녑lMTe#2O惫*xQd8m%o@F~an^ZƧPSߥƄ$V: }-ir25I ATppmAh xnF 2VU͘ R-..e;6^¸h,9*< U_Kf3}bKنtim1=?v}.󗗬46QJ)\#{ I}x?sRG)d!4g" 5u$ru6JA "O]3KM2?R3 z ޑC7/'u5ۙO1H$A ^/72lN1$UЍ).̍T̷pGUK> iNR*1Ig _{υwG喝UbU~vc@A?}|ʽ8Bko!HY!(E\BW8k}Īw kbͻZOtF ld묷5%"F^^=S%ٙ"Mzd0P1Նf:vG;!8xaޏŀPkhlx4Ei-8f6pkԦDksW+Z +F;HpF圪Ro%Ͷ4j0/=2r pʱk9*,؞$T1&=2ؼ#Fw:k%J.eR Flv /!GXF^KK'b8p[M3ZA P ~}%/ \Ay 1Q1zmD+M(ext-qE? GtmǘmoTЏĪ=@pr),=AՃ D5{: HXIGߧe"Kp ߹y*"3ҷ] hI'$ᠻpg&Y]5sVkwn;3.~[Tzn_n]3R$qH=soyZ՘Y6ݼ?(\U2͹ U߮2խ|d]!Ul8lr%#͵(ҡ\LXU10:ЀYҎhEq)쳐ĵ~du?oKV*vk]#S4͎6TbC>*my+X<"hcaٍ2wV2Gq&p0tCæY՗Hw} #8Q%M'!t;)ٴ{rq#ZDP`~lh}9/T2wSIh|(aᗭdAI[5O+aҘ& :J9pllKMR4JJ6FSҫ_qC#3j(R h2F˃.yW`Nt2:/%`vKUv8)aϮO$կ|Jt0`0;r0 tX^|e?mWdH `&/e8<a w- yUhg}([ba9mxyn%-9TE9TJܯSuO;֌u~ߐ[@B={h5P Թk{CUI5Xΐ0ZX"w*88 kZ|z0z.(Zmi:>x'e5" 2 2ŒbL:h*vn8%wt'>3Cx7E T2>wςfœ.IJ WnYw)ESkAثV@ G=hOtʫngJHvzB xbpjbs jp(?_Q(wk_)AIs.g Nb˱{UaV+pJvFW,]TyG(}c}b匴ԯ䛄ViFIbwUګ겙*Tb]Xoa*hS_R 1 Mf-Obͪtgi,j\z "xiK;nt@OR!so7"(Qg4#M: JFA^j눝wBl]-YN{jRXgD NE6~ $ g|ͅB <=e8{ڱ$v4)#ƄH&Re_5 IhXz-miT9{("RI$lG/zo#D0PjR"UK-wB};'cig~FwAU 1u @q=lHvb |>ءeb٧P4oF ckŶA$wlvfW`? EcԙE5{ٓؽXq'9<l#==K5w|'cśP <ٵ :-GqZn|GnlSPOD(1  eb8NVp2P{Af>;dl0XH?4/z1Rm#`CV1vT1SyPuyWIۻ3υ<NugkR 2 LEI(Q$Kb-g`h}A`m4 v}^855W4]eNVw&(b~9Xy7A&.F(iEg!:dUI:R <G$vlo@kY;G m(D-4Od޷2#u#.jSj cyWXQ^ 'Rd}DC`(EϯU, کg?L 9D QT?Aq42Q1.cEfںt`[j]yXu4wo..=A&5G;{vx; RF;-)IZ崢S{dlWݱbNQBsB6btլdKTh #uz k%q|JEJ!Վ2dT+ME+PfD'^Y19>#Z"Բ{>< #56 z/kNfr0\~|W\ǻJ09fDtf2\bwWf#Z|޾-lZ6mNE g(rQ$/w{}&s ڷVdϾDylEС]X޳Z:ɭgdUhGMgB2jݘBL,?݃bjcIy3&eYL@g:Svvx~W3xKmXȭͨ1@X쒹T{YՁoj Uo@a![T0!LC^G8Vq=&.Q.}#>;,tr~@d@/pxO؋CGPHqx͸-(b8J*z[*),7:?R$zUb]aOMd e7~DP7 =t9"l62Y.k%bl/7׏M _J~19Gvd*2am_Qyx>u}̓p$ey])H $4 H 6}Xz%_>zw Er  !ըO'M+C%W ~}\F|e('|+NZHaMKIsx\Єp@* 6r:QTټsj3 !Z" \̗3 %xpȯ2whn4?SGl}*vp{gsl91R1[5蜱SyHhy< %sV@ dU#1I,U9JSboV{)E<_Xfo 0ؓgsl޺1QWF!|Atjb|&1 AEذ{zܲT* A9KS|c&/ۊykIVtm. a`jk<@OK>QQ*Gⳬbt=5}$Aq -9Gw=6jo"x$Ҁs>6{cm 07h^[!pOw&3(MMc jlxi}⁧8.Iq}w}8/6?25*JCRlU[+שsRܳL~wD1"Eə5gLL L6 ݠ.]LN15Bd-r+::hX V}! D or3ŭc{0gP?X B]VA|-_J~thZ}GzkkP^PqJߒRllpQäcq,zw<\&Y=ɦdխ/TFaӫ>xnT%^d|EkB잷IHry( ׾o`;vW C Mfn l&' ??Du5W]섇K$r")Qq& vQ?aF˚6jdq?M@@w:˪- u4eLK)62>#9ۙL%")vٟyx^R*x7٨H ~VGkaoWI7!p€y: |FU:VہT !iYsz)csF4w+_EdE WK z:EW\ð7Y zl?&)P; +%3(h;\9tOPS{=iȱ{#q;e!r`WڤJɰL 55Ee܆qB^ h*(Mz2~^b>6BtYextѝH*q#6{[ɱ[jMޮ4HݎM]~&2O8J| G;Xj-́\g45C( SsH HQ\A M9ȀR}>^Ddr#R-ra?G8gss& B5ĩ*7jԻ)XvF3,qcUzM5:~Q}y\c2o P^vT:Wh&)k˦l¹Z(פ(4[-Ŋ̂B%ٴ`dۓOF H7qDȣP2n|d8//ͅw&-c Trۙe!;hBvja7tkdgֺas1bkv9CzcgC {Q^$%ym(@(XW={ۃt什U}1-m&|• r[&Q,'J@æY-%ÚS09=]ْNmAo /SNАdXګ~APR}>ΰn !Q87@y Z-~@}{FY "OHz_.to ZǮ&9@3~|]=bVJiZ|ۀ#&u4"!Vu@ 8P IYs^עOش1-e^CL-%$|t]R'mZ}Rz?t?c" ]nvRΟjEِzET}׍Mz7Fl#-G Mv).Nˈ}&ITMV@7f Fm$dGn-{KynPR&OȳbDe3 ?UHZ eԣ7uѿfo7͑n7_c %ڙ۳*%)b5,(kV{Wݰ*.IeI6[c4fA(߻޷7O`(!LZVǕk^cCeL9P`?*(}B籵p߸<~|ʙٲPUȇ#ڀ3qTޠ+XajARGQ'*t)xH#=h)p,KW'[Slʕ٘˄s fy FV2߂!a<Rg:`SA㷐Ll$71( !6ߨW-)EfmFωm΃*/c6.W^v͓Vrʳ.)CVfsp =an{hqwy!ls^g'1JNWBCRt4i]A!Hu݊-/Ux Vк? vZ*Edu{U_')wV݃ Ѫ@3mBJ #h hWQ0E,t`K.(ԅg ow/h{3yJ A+;l "la+i5!<&Oi>QepJU998! R[`1֩ > TߦT wsUy| p1n)%aql%4:]5eYѺA%2HR}Fjg]AX6 ;Ck.A:rSV9625g^Ҷi>ϻ+DQVF@iM] NSHI~V]J\O^fty:+ $~TqMYf⃫ΊɽE^Jt>&(]3ՙj=|]~R co܃W@rD"zpZ/ߤeS5yS @0 ?7l̙#+aZqikiUϔ2tT2"/;= v #BU6nFЁQHFZ9`*8p;fG+Ns4Q@!OAPd@&nv4pՇɠ8 pxLkf[߬NIee-d Z1^KT}rVރu3w[#%*Ae{Z(;[Eog/Ç(R"]^A(H!A oJ9Srfb_f 9W#a!ZpĪe Gm(직!Kz``yj_pWXS@,aϬc wh{IFБuu{ˠ%qe+ j;F{y,ªoSRwo \|bz okOx$x6Fb*(Ca X߷+˳wuU4,a7[%*{aΣ6'Rl9}>䴄KFC\\q!LxNB,ͧTg߫3pS7^_5V/ 3" uw|CkܐcPn݄N{"N@AFÚHbxԃÄ.Sךz?}?jr BOVRѰѳ?`۴uҊ:J^ 74>6}ȸHm41*źSo,bIba 62ymJ;.3-CrC׶\[ypXHP"e)Qy(Euy ݃^>輪힎XH|8|sf$DV{22T :e&~RW&?Z 4pdR4w^Gj%=%4XU?@++Q8 .4gOptܘ6jG+]J:59`?:6`$wfkPFoD¬wyD9z6g),9+bwv8L`?PɃ`Xv wYDًp ?hJOҰy gф^2!-tQ8 e'$< ߓ{Ԛ-;6] T1UJRp;/FIo%|X, 4o?p[LucٹxH!}ʵӨПYO[Q]#swg 6Q|3~9򭽴f0Ќ7:Ŀ5bBN4lчs72*}X, l ͪnqjIu!C_~ ]ねk1к+5IP,`Z_^,+l"x %|:,ȂM˥/n&V7ng!N,5XyGi1H5'"v/;S8wW #\^\܏e8tf;2+SK%eJ BSeoqz3c-IXU\v02'y SNP΅ku-!19Bx緩"#8y#spF~>,YKn*rEpU֖M${?e:ɚމJ= *)jI\kuI/o+q}w_ GBmI'dA#xZrq^ O$).ص"r?F,w<S S78-r!ZDIK\7I&$;Ovz7bpu&nM@F䉜]c:^zw ِ,ERIоNߎtT3u^[4<.z ;_wRDAĆN%p|w+&@5qMR>ƌzE W8yv(+WqCM4UVzP"ҝٓ֏HQEAƘ _GPR j_Κ  F F2 %DBS28>Jvގ56g&fW)rKKZuu*2RCqgUof|Ad]K &FSgq 3}-( xʀzͪu"1pa+EǮDfHrNͼ$.C@4!5`C#iOvkbk|KlrH3><95Gۍd# :*j1GGN9_Ȓ'T5(֗:r߱m{@<~,ld\}˓?6{FM4?H@aP't r}~pfyc[=Z4+΅ ۈɃpWC1.R= ȖnB؏5k&mC`5Wu#iXk l$Ăsxt ʳ~T>.="E]`guu\;c*KV(̧ Ng MqD|@lf3 }a9b0_rIB?zD`&.!6nY]J"7eԹAO'bqq\ė!]ts5~Et DխrW[Jݾ f(7,<қǛ7*:/Qh="DL Y{lVz,K|Tž,L]i&{LuC\O/^M2 Cmՙ&2KW>$H5qml^c|P~9)Q1BoDWKLOZ1^lϚc eUAF8! JgGaհ#lqyEB 澯>ǣ *t=TXx0N౗3#/ {-YB.̗YlyPFcS)xcu5_6-m!L$@,cQ>t,c3,7#w{6D憺%6_qPuHC\_|?0Ȭ%n7 b/jHZZ]aeAHv*&i`l{Ai)UUp\'7Ұ\08)I?@Y٫n\*arnqnI$D^5Mi%`Uȷջ&[NfGΘG_ybֱ[HRZcBQШGL4)?Si? ix6Bf$8[ۇc[>E~BjuvP@mX- /V=ea ۑ<}~(cv @G#ޓiyۀ_1ꅲ`_0!_\g k,IQ5 0: OSC)+bJ 1 f^hOk|tDwe1t#$<Z.^:Z= {SD9T޽º&H1Gͩ6P?tl_Gw-ARactT8,m ͖m[Xb?n\[8s# Ƽm.sxj,TjMaE)R^6<&Tr;pʈ|ʄn(]h/Rf<׭aW9]A#`(F2Y)ΰtbEPo5Xo@|D珦\v|0c(O#:H@:hVϽ\Хྨ,d29 o㇩o0]ҡRT:Z|4ڕs:(:MۉzE~ۀ9.| )>g+alS~m&sJÐķ7>]Tf\BqжS]Omk'<3`S/U4uk%^ֿPJ8.:3MdLmZ47aKIK7`Sk3iƒ 崡堎XSIlX?O+@ o]vYw=73yG[Ȳq3@_uUZ4qjB>%k*_ڰ=<6$0~}em.~6]TGz|[`We\,O\29ڈ捤ъ "Bj]+W"dG6q% 䱋M@\mr_WƸ0X.?x3|P0I ,E] o'k7Eɐifћ k?*%7ZҾ^;J9( p;aY0{g+N,Z[ts@$%(:7QF Ő1cF{VH2f>6Ѵw8tE=3S 0)kWu'PeنQ;/ot#a [c*ؿ~WL=B<Sv19[H"cj肫m;4 Dzףm@Mxfqok HߛUQC@mqg'@4KHQ/rBܵZć?A4K(G/MIюr._2((D}dO, ^f[?f$K*J6i'z뵂 =3 $m-䶄i o}g@q8^$E[FyE!#_A!,A(M֣RvhMbo zKĹF88=`~[Y"&>3yeb"˄CY&R 'N|0N`Z6K3;{ 9{?5'3%oQ_0u JG;De3~ 4 -4_LJ~M LţUr>э|?!$G?c~1BIj}Q)_=4|vZښY~O:T2DY/m ysF% [1d< cңI6YnXDrN5ƪykM!= ł'Ci>R\Pj(Kdn)7 Vɱy9PJ3H4ުM&" l|!B@ZJm-ԉsEbʹXJaG)z+r C,q'3NC,CЫ RMH\&6$? -hyHk\ zP0ޒժLB(`$° rcO?ւ<_6vM㒛<,D3.I92G*ӌ2Rz4VY/닸zOn!BΨjXQM++`US@=1\pʛtD篬۸?+y/dzBOyg[Av̏^, ۦB9Wd< ;Sle@g}u.oYT7:^-r`شXŴ:MyoV籒vGQyc1)Z~G r  o-,H!:8q|8P95]U*8?Wiq6ʉ+wYiB9N,`=4#mމ3KT6'9_,}TP_qMu=04A\ݻf~;jOKFD-"8cd Nܱe(N>\WO9X{^YRP?6оhH[^oRlmmsdGw*Q/8)IMxFU)]#;#qx79eda]{Ǜx}/CUMų_"SRFv3 n? vVͻe&ij@kZb Dj:!lU3"5v9;B5}T{۬F'@HS(!TPj^H%⑳VH2v`(hKvt_:Y^OVgzD8[CQxylŤ\DKLB[ 0i[:RH%D5j#- 4u?/Migf)YdZ-掀ꜥ"STIeJD"q01͕Z7[T}ڑy-U.X&94 ܪš1P.XȬ#Q3mM͓ >(%Ga+&ZpYLRMbm/Ĉ+;k{EB|>P١ݬP=w' 2}B x%F"_G>U{-,a18hFlT|zɎ:!HՕxpp P,1C29pe Ī@.gU'/ ҍk )}`t6:\N.u'ýA5Ү!l)È `*Zzc'& apF=1'ͺ6Tew$?0_eqS"G.l_ZjހYO\?8JWd,cΔjP _:%%]VY5Bl8Vm12YPܳprY 3 | #G^O"h3A$#&`&ӴRz,Ԡ4n^ݧ= s C-_*l[ϡ`E1Ue@4dWAR8k_&Ϗ6[sd!Њ@p餥5xH"'(94$U^;#:!.~@M|c"5͐N2ٽ2l=EMG*:+2 ǚgl wDYE6N UBl[ ~C#_u!APkQ؃KB&W J)mP[OMx3N?~Q&*5 "a9!>{.PIؿlynpY{^GAd ~HA59'E/SB// Mk?7]i[A$[jt3=Hmtܘ냨6ͮi8+7RydŪtEAʨ38ߋ ",8PNAJU[!89:h)[:,*]C[{]a%|"n剬h'Z}R¦"zNc(n;rx"EXӼtZăpwy@<̺dqGU 5v~*YW`n[+^e2˜ ^'F3L(SÈ.'"5?&-!LOw)Ѻk yeI8cw?Qȗh;\ CĔ:d:dQ!f8d)S&^0%pH+9h?iVס(0dve_qH4nw˂F:($ j(jcڻ(!;)BkzTH4B/R3V$gR1eM=2:B-*,T"RIeY+4fia?qM2>Әru.Am\ѐnkP~cIE*pAP\S1,y(;yB rB<.YtGR?7ל7A'qSjݭAD8^t6jDy98ڄ7E7x)\ ~gߜB#{1T]%Y uHDJ}c<9/ZvBpK_`_Sa{HC>v?}`(^7Nu1CfP RUÑTl O݋lq @K&fd]w7 *glc}?j- xNmw[Z[PYFRQ2vD1Zhj0RH\E48Mz}m*@is,]yͩ@>"In/n?A]b?%mb*MT";*A"Y7N$D,{WQTΚ_Iz\Gؖjkk#p+QYcޔ5:SC;Ub8)sv ^3t3qHgq8_ ˅w֌zTet zCNYv⦲P#)~VV\Vt;sZPĄ.noB(<YuTDTS> o r%KWo Vڵ|5 : <>+S~godz-v֚nƝ( bHS9H`qk;/mtz1hAp 1kiz-;/gBZPpVz$l`۩Zb_ԪЊ#64i %j p뇣`7`:HLwB\>h̩kӘ2}䓧gPšbEo0B oPN!˲;fԃ?\>7'W 2<;ptVYQF!Jt_x6ӿ>:z٦gX`U_X;[wksu'TR:/'Y ~,l_!DviN'gf{{ȟ.-Xl^"c. [;n [ydـIffx['"GTҵcuEB)Ĵ;pV(D|$= Pvr2TY%Š~GZ#8V^rxXyH?&@աھ4Z&6H_ƙ4j1cC;[<2RÙ8 M 8Cl(Rz<  ?Ftsf@h9QZ< `i!MF/z/^aO\n)/o]+D߹ŷ=\ƪWgc$LaJ9~nM#*wh;j҆AAx Y'Ï YI躣c[2 &F7(HK+jMQ!$CrkjW k<*=~=X ⲒYdh!ga`~WZd-ª.kRsTD k8 )H= Gy\m<ఔA/m%{;ن!,[}d<r/Z[szD>m=%%صHoHʃRN%&y^gwp\AZ$EÂ5c; js7w- le 4lՋ)$!KDZ}MG\kB8X\8Ԭ{ %.z\1QFD#9=f$p/V! FD&?QނS[' !"jεtA܊U9XiCPo{b3l%7;56{htYtWF%ŔG Cs;(Ihjc-p/O0XZR!*%Ss4.ZEʂ T{_ y^VDc[BtJb/R,L!/6|s?grPLqִk)g$A"dnąH6sK>JQIHwa "KM}CN ~|@TF U'=⁊#]ݟԶ5CQƚ2, nEBb ͱ"AzHhMPLK] oD'Z3~Wo"X" vqA=^e]7*Z2ܻ-cYڼ-&wP72Nɥ |g ?EB$OʰnWbzgÊ'⡹RĎbSRQİ$%\>Tj{09j^X^Fi)ܪZS$*+LXX)6&8 ͈ sCgr7ҠR~E܅Dം^~FZv0PEπ;!M$9#HUex߰)fƀ~x} vF/B*qg@)uwՁ]PO1T {l}iY"Jz|[4<6 ]O_5RɝcM"ˮ G) OIpTڱt.xVa7ͼ )G>DZaP9 ohգD\q*#\܏Jq,z;\ӡHKEv* Ji]ozlM9l:8 9ge/DArN++??9!?W5Bo=6Y ǂ%^J>׮+E_qœFg1Aޞcz)UBp%ꈻ?3]0LƵLo ,xWq0`?u 0gA-g/QT?Dq-CbCT,"vWK nE a8 `8Wbk+Ŕ{;](d]t F{RE;-0lÆ) (F |QvELCږk-(39;T9o@ͻ1%,0Sʹ$ZlWcVObLV<L@:!eJmLUh' БOwRb`7]u2˯a׳]̦-ٙZVaդSMݽaAc"m)u6Z|M7ɌUŭvZh(1Qj oΩpկm9^ugbiZ"7BŁhYMq:UeJ7O=B@ʲ 9)3 UpE97sh Ax< ^N3B{drGKM&=P #Ea+t5rej /b4RikkD{g"zU1* ̋ߚs5V d5mhF&S EI+V^S0/=  m\FqsɓDu}u2  cO1/V[9,nIڨ3c !Ζ`a D`SyO`uĮ=17>c~|6#DПib|/hxJ؛x"!?[vLvFqG/> 4r;Tf"@&@k-dYuU_T?Fޛe# N~]K?@P&Gfg՝@eБH{a)[ds{:u3E!SW帡h2%r,X Սqc.#X8%1H0J#\Kꦒ-#:WsD}Ĺ܆`1!puik)9gHG:b D: UqSM*Z`=fc>h*P0~O9#1}"#5*H2;Q~ݾJ"%.E>kM#Qt,Lbh2|6ahX e}^Q8BUՅ@oy>eya`95f:'A1r|70-"^'%H4h+ CϹr-A~Jo`iF>szA{ Bބ~Y61LZ﹀˶zjR,,+IC^5clO;1v2pLݐ;4ٱmdSY,&BZNZ"^,Oh8:iSI'W-_Q: MФVz K8p#8Dd7.x\Gb2wxf6W0&5'yz[ᴵ^vnK<ȐG.DWZ,WhaEi jT[-<#4~O;iM8ۋA$+I^2X:V#`nr{k?Z kȀyfz"2 [YA@ъm,T #sgRf\(*')I@a Dx< Tk[r ZK,;Stͯ>rK-qnR9͂IC%b h2NdQ'R]g1`q9Lj&u֡٘}QINƣdF: 3q>I90[$X+r>hõƅVP# y8#zl ,JSæ2:E1W:9gLC ?:>E&=l\>푎,i%#AUGQa"OzN?cCO͛h0EώV{ʿ`ꂪ5=2(r&yQEFruy6aZ K 4Q @3}D !I$4KN'V~c&~Vs 2;$T|P G6BC..dLQ06 D3w-ݚ9IZN"aQIdkomWyoA heƠ[k}_2dLj|dϮ fG(]k,fqч#cDfu{ ܹrΘQN \ZY:{R Wj)IU.㉂d~;jO˴Jp( =y"KāB\bZɽ4B^83]#C+9qNjPsؕ`堜 VX,Iw\t*^ 1Q*%P9q!;9tmWqTfCDkS%DrZ~'1Vx'BVXx!Ӹ[6%TQ1;Z!pPuf6-0dN\f4|d;Gw#ZFIU'bm@nNBXWa$_ ɯ_x{`ӣ";J6>p|S>m8HDexABY9B7yfXSZlߏhA&%7PLf-eVO0yOےLVxS'"x! e- @n$.p2l92Ce}=eá ĂLجҖj  Gl7A|=A'FyU􎭋Ε:v%4vO k~O=ຍuj=bcGD;Y9ͨ!ngo\~,slM~t5Gij7.)~!pу%༐C9pn#0^+~!y(lwY^זMLCM,ƴEeH(CysUvƟ!,S ,O6سc=IY hAlk ]O-ÞQ qP7D>V3#@tgPƐ;yX m0[V&=`#AfW3 PxG0T. $ X`FoKZxh&sM-'}e?ב{ֹ) z/#|w梊aґŢmXY}4 M6ऄLM*`*=OȐe~sٕ*A<ig!W$SiXأBCwMT3>#JS"h"ĮG] Z9 \X:S(Qx~GjD,=B7!XUoqz#KTMd+)ՆHxڹ S2KB&Z(%s(KɁh0Oxd+?M]r/n*j,V)8BHԬ$%hj1&s&XnvS gc*R.+hB)h!LոLe,W+9O(Z=]¬;U9yVoI]Գn>B7݋1`lw]<{=Bj:,or9AjOGSğ9~uoSB8JBQllR(DOPqJC[=~sY ۩_'j=Qޗg Pm5:پZj_ZJCU E]q'ľ!"fjbcܤw;&"{9LrsFh RtI(C].ТGΫus] Ǧ}ve2?:vF f,.asqȄ(".sB)bRT\'mXo~LMCX'=^Չ,Q;%x J]K!gi L y%P kUQ^hh'{n124 qOnj֤h{64|}hpމoo`׆j0YjZ*2p6Y+ҿP %IVCX!ۗRKtD{E4-/D/mu &oD؏Rܥ[F\%w f]yraW)cG)Ihg"gҭLVΪ\D4Cl-L'e!J(xdQkVw4hfRh䱁[H?*cKZʤS|CZ+q%k4K0 ˟yXw1rU^OƏ KJq/2yM_aK!70ح޼&X>.tZ_sp|9D[0QV.*@8n@^> -rp|!v=^ mcmv1߷Z@RuYjp%Fͽj YQ/*ox֡ iD^ ~ TMNa]G)8Aŝ7. yt+-/R|WY8Dnܦ4&d~U]j.FQ|>P {X^9Q0Zk}Cњ0;|;3"{+-S}R᯾@ V.'q o{•:j9R 3g[ҵFJ>*|t"?o `˻\9hh)VI p\Ndƀ@?}?RAuWWdAM1%4(8M猏42fA{1Ơ Y4׎lߞУq+nk*2MOILy_^8DVQNk 2a}nEvKZ$i oCيe\.wϪp\QW ׳!uA&0鼩T"gTњ28$rETs?72qu?!Szm5ӸxewXzK8@^(bb/D0Ml|Cl ]]]k) J4:L?Ind&|񷯹{)y#7h/.ہ)Gp(>UD[F/yɉ|hiH8D(&R\*:N-f O+R/h xu);_'E¸m {ݢLqp-y=(V}FeK8Vہɿ.I6IA[3>Ax@]a]oLX? 0Ta J˦*{|2Vz|όC]>MWPx@o'ML?3`Q="W3 H ﮄΖiO_v9 #֗zmb=#O )S f/GA~; a>yk>n~w.KNXOix]=OI̼m׭XFgJuXxI}=[{Sm9˵T=Z9."~S",|tY_h~lU|z a =j؄u(@NBX#d{92gÌuu>N&$(^.V)bvV#}fpTUۮl)Pzg'}!nh1aa+2.E|5? 1#^!;W*f{r-v<像CL+"k}*wi=q"i ./*![R7@~@xvD1 ;/_^S_Xaqf䟢xAm5]ىX:Bt=.}m.T MV9mc$SsٹrVcǡhaԛZ7|Xc2ʍK^L|pp=-ﲶ olٞa>Gj6)ni{,u!O[QOy@& LKP5Om $l8 "6q^m)o|\>饐WTksӯa)go8QW¬3d'=OTp4-xVJu!r &ыj㝑ɠMɸC BJ*6D@2hvM[4vԞ՜C4?@*ُ@ѳP7{M0U#ݍ~;D2$ "#Q[7;PLmJrN&yz0tb,€ݏOw ֈPNymdҐRZꁵ[5ޒ"ͤGm*-)B; m`&!hDx2?лCWFN|eU6 G1m9wvce;Ozm$2?]I8U$`FfXC_֜E܋r!e撲E &kIV%ZI3r;MzPrk_g}J(?D&s3[ aiUs5&HdXXQcF;fDd}UfgCʨmNHɞ},<NI,hx,;v}uh3y$EC({wCggAT"@!r*k:֘'1˴.ʸ>Znc-~ң$\7-5I]\0ÔwJ`fUtKCr$#)qPZՂ=I2TSב3rM~Wz޼SD|&5ns I!VށYN,"wIqstàKsled?J޼^ey_/V BLx"t ^лVP; [~ƾGZAT6)/X~ (ldyO"/#Xfl\rc^^7kGWaFs8KՈa pnɻ$!^*Oct1[f쐻Cqǃz[m4nU4:gu +u %׺ڪ(aEI*4DK#X|Hڄ TmB}tB8`҆0S"c.3ܠr> 1Wl-oi'~-cf6̋HrIŲ!zg=j/ `6;dKVF 3Ʈo^)f?͛|nSR=: JZ[ !(70-u7?pS'ō#2q{Iq_c {ŘOVK/- ]aKkr eFR4QY&a$&9 Ha5pyQTMsЖ:7l][j4HQx;P:N1 e-?Eͼ1Z>q^<z|tVƹ22h*}c_ĆHS{{sͤg(٬4EXBSI.=uΪ^t&.7}W'_q}# GR5§xK(6dϢY;on3 Rx3w;딡l*Uv;V#3&)UFz=O]_j309KR ji:YOݠ ~f-K] tQW&(1(LUe24'&K\v;⫊ InMT+LM%2Ԝ0zvDۊIJRɛ֋$^:N!u V,C$/.zA0_u5fl+nSƠD$My_ZLdivex qDLx_IRuQƼcdnS݇#5Ŭ[o`,'7('uD.yX)U@&6,mtދߨd8Get,OmcH{5?Z>ʠyeAMMRwҨg3F9N/mifK`+a2B+9P %=#%.#ڴPl](YN=KodĽ78P,#Dd4@d)4# #Pǘl%Fh4_퀘/: ̼wK|ɿx*KGo%M<{(6-2qrUI{Jn:̣݂ K|eH&Sg>34,1cT:wDWݤ0m"ݘ. 'vDgok|߁/UrHIjac+UmyV^<<rй].pmҌ6IWOXŦ;HOg5"_BGA<6ݟ'n9rȼ>4ڠe]*Hw5]Jӓe>9 BZ;?9>Fj@T\rKəH!W:"^@؍ݕTSi`o 9m9Q-lDӨ"9?r[{}F !BBx*^]%y:| h)ͦ(s~ .l3/f\PlzʭQ:);"#Ύ<]XӨ]h. *uP`}354S!(@*#rL)!HJ%˪zǔ?cٰBo fy^}pwk#gP}~ N>͘KeWx)DLFЈlT0-c=8;2Y|@j+q_ gAТac7q+(jL|hWsT8Hdך! - 2:1Ƅh6,K-g Jgg`3 ^ryG#E2k59y_/rBȏI"`bAhpVA>ܧr!g0n8iV5gᭉ8 La>TEB,hQxVSLs)[xKR~W7or. y>M-ƛH-W֨_Qj~+K&DiQ=RRյlj^w)Mή箐&[1&H띒fŰ1DpI?ήEg$4Ϣbd:/,2HԩC~j=h]k9FIwSjlR]CZ>v#C}0G͎yCcl*{S*4ЉѤ7۞.P\Zvi A]lc~㻲,[p ]FIh\DU TɏJ]@]((n?(a0\>֚p<8'G{f&1m`G,hSpMH{1_ϛr*e)?3䷒͈Q,\S2zo \gkg2f L\(8KHrʃVF#l;}([+MŽ^g 5&_CzQjr[1bȏrF):*%Y0N㜉m ŷOtu= laJƤ9~1w_} l?$ie2C/"MR84Yy%12,|)S.p{<*"Lcy䁻1zk@;R" ?U:`e]u>bFc"-Y"cE6IW> `{3$蔀7V|cg| ,^(~>}(ޓV p" &݃%~'^k ^ʻzd= ѡ#C[S/9.ΊUrPefjȖpZƇsH0CGi* u(@9Me2[z0~{PC]ǖQxF~. 5?/GpLGIʲ3Qiil{& %E !ӐR;قG{!2 Zu|Js}&n< ѻy"ӚV; j>2.k@-zx8t.Hgk0Q q9GZ- f̧Iv+ ]dX_3!]&M %Ie|i`$vtBӖ41ɲd~%>`y!PZ[J;@]v_UN@@ H|)uLAp׺^~W1K߇(E4tmŻEQҔ5\yG~3_.LLq8Yc&đSW+&ES~H!3VߞG mS fOZ↑ľw^%H3xo/j L qE|.!1O>o $p|_T!v q'W]J#__sț@u;]4 YL;[XF8$}3ĜxzJh) +bı30W8q)ۅ["@ 2OZ/7tGNWi~!ZҶօkL2?-vͳDF~Z"Dٝ 0~S4 x7O6d/~,?__p# }F).嫖`xY{;/wF'Lmh.Q:g'yk,1` QCS2mtX Khw.742G1 XY)i0 95|whH7h!vޜ& Cǭ.adqK Ӟ rm*CUᮁeN^ςPg7`ffp[V{,^ulHu.$h}nچfl>}8ʙNUbs0h<2(/>N_4,٧x)KwCi;r~-1)YΟ ^QQb&$'/; G,q ӎ6wR6O_A< E MoWC2~\*ULhMgpa~@_3Q$!3% B;Hj3)+ۋ+r%6|h}C \Fr1JuePêZDNVtl]I[Hv |t|Oqsqp >{サdmi3AmZrO1CHPH;H8Uztf+ Ak`$e0YL%=!2r )k ٕT.!D G&$4gOmUAُ!G0 6`܍UTf#,vK&⮗gꀭHM"6I_ʥ Gm.&&K9>,}\.= o"̊s- 4e+luMaҥ#lQgX|Ŧ1tPWC S1GK4t-$շi̞}ta @a D`'EBi-cRJ*^ 25tzT˂ݩxB?,T4 =a=ۛwO;=UX+8MLr xnQڨso2(uP5,p/4o5BG)ihq+I eKFɯ!& )7ԊwrY]sa*_#HuA'35{2Iqgx}h9'E {ʾ dRzbhq0?JI2i!K+.ir$ 2(Mq`9# ag{DbFHYSCG򶻡ՈUcجз:VE 7ZY>=̆ڄ9牘)G_doRGkNj>cve"v/ /sd*_q-Z7|gt8E0@jtff#4kY(0ֺvO\焤oY]wqǍX\CJV-^C{?Ucp`I |&=î bnphYĥYܭPg\ j]  Бٿs HC~rsL4gSb:q>Kbnj E#J y)ԍqU*yF]jDxxH bY[ev? !bT@BQZ+}\mxt/8@0B&(v4Ce(}s^aTIA*Ne{CaI71ᛸF<+,86T㧴=JxDءiZ5Q0?vָV X@빚k]kMgYRx۽~[R2erH.ٞo6R p)\Zt9lX+H_5<)yC@ +dwU;=㏹Eox;%WlڬpEЀōmIdv%Z>JʕbQ{d~H.Jr'$kVyE-M0t;!̄n~d'r1ѷ"cFϗwKa]G *ƨq,[]y ;70H --ej=,UAjka "2meDIBPƄx(EXX2X_cкG`كYYsk^kK\ >እi|2W4'g=Mc a>1H/y&ܵf+Ky{tCAKi k;CX^\:eW)iF$5XaJ9Jȩd+ ?BR0jlcV(j#y&yB9w~TXq:YM=5~J}9Nv'㥏R%_;CR&Vt<1/#QoLC @:<.\GH̟]"Z;pe}D陊=Ƥv)ƒ/0T]: ^_JRi,}Yf1I~5 ?(TTdWt7+W˽yΓD 5_Ż,h·2f;}[r^ӷ%D>K߼&Bo_i >|?!f#X"*g~ecxS2˖Uӧ;Rb$5X[=VuЦhզlPV鞪 mXM}Mm3u9gmM)A.[Y&V0Çw`/SKP%ӒʻAqOR}ES [vu"} JCuenZzqŘEX#sO-NEa bUeL &ΙLZ&bHDi혋Թ^K)RxF !in"hmG<`NwJ9ʯDNऑn1Ƶ#͏)`#VU:ߋY@J,@dK~n1@pYMx%@&θL.Rjx7{?\}?580G w%X&X<,Z-['*MZ=Oah'bSlsƷn}dk-;dRZncp^myR%^}sR=:}-ŵBN kY$;}@%tnۤ6@k1֜[yYC.V2690Qj8s23Xdm*25>i/i\v]~PQV8jWk'@^sNBX Dd4O1`*NJqJqbE$ue˜aNJeD3 iQ'IP(d9!t3=u /l:F{К=8D&w\p}?!cdSϝGX郧J6+ӈzrkzΎ3!q$YB!s.KpQL ЬUGÛkl[~55/ 05J#`%niz 9{<ßf;\`T+x!t#7 ZCܾVV$:7N%|"Tx k y߮2hUK={[> SXZbNULzET}D*mKCk*Z+~5r+솵q58MQ[{PǾR~D,Euu'T<#80]`a52xU/ C 0t"c:l`7:vBb^dI悐q6! Nʇx"_8F`{qd,RUӻvcrXP ~݈.)/s†]50PBi{X, OF*K&|B *&d3Ro^ԂD!5]6) WOb8C'y4=CGKٛN9hwZ?0;,/eԮ$*(A RT EHq8Z_[CIW,v GuG7ct-}hYCiqqCK?9/&ʂfsm͡ghvk h=\ @pa4wl "L;SHqZX GQ |IBԿ<#L {;M bۥ#.\KvMIЄc'N8Fb{Ҏf5Ԅh1GVĈvQ%׮N}>gկnDuE~ +b-rJt,gq}}v4Ys _)wt;krTEA-J9@?/,">F|ud8d2+&ƒѐ&ͨ@߇/DVT?g|ifbU~tu+fgET"0tKP\8:H 额-;ٞ҅ƒs7?G@'))A4KSXgv1`iUѱnﲉ2$\jQ0٪NSs6Q" A6` ]b~EE!v+1:_?c[>Ԝ>+]amC"H<)噂i4wO]=g \Uzʾ{oRIU1,.⹞ %~%Iw)&&IhW=~6SZ̳-ZY onߒ.,_#v(Ҷ=JkI-&lMO*Ag:5E!u} pjke1TʾlY'a!-1>>Ceץ9n«*&Ot bWzq~xFUWH3f;SDΗSB';7f&xpmulH:W]'[mKџN'֢%btQ4J_1޼uI?^6RޔҕZ/ &^h;*7 >L"/|1 L ĜZK9ڪ⚕ٗNmȆmnF0]ts Ot]h"[s%O`#ag9w.ܦxfR9j yf+ow!8xdyL<;bN;_} ,6HW>ZL*;}Htg0fg[tvoC8Um:3z3DoĬ[p h}&7#yZ/eT ̺4X9EISTg0ƞ'Y;)0"3*AƛRt)/1#SocI7 ~3ռK%*^*6 7wy-cj!l%\jV~[ njHX̊mԏW,޹w\ǞʦD.o(P)xF.n{>NW).\*(M8ͼ?\:-С7h"u C<3x`ұ(LXoɜHG?;ٕ O$uMQ !,R_Wyf 9{('G>B^A:U±5wV|ȡ%KT۶%RH/nFMir,AI*Lpj]x1s^2  KMM)j/Ř{muFsi$+>UcCfͥP֙|9J^Bip1 %CŠ5H7[Uve ͖O͟Z*f~ 3Ǫ: 7/yhy'[`Qb+- C:*l/sC^0۹mxw\8&5t4#>Ftߊl5B4~K))žŃtCZI2..YBgg-͘dhZ8i=5I!O܉.$u,x]xgw$>œʍ>E 8=YI|MTδ386Y9U6Ni2XwyOUxSN+lJ9OUTņe߬*Ur9iҢ11KG"lP9Z P=|+qi._%?[l9@+u( Di؅fBO{_RpCeޜC8c,G8 K[)NU.Z*&gŦpZ,x:{Q+^]dzk0'*GWk1[~m}38oN7rE%@j0V3X"95g} FЋPuh%3n1n a x&YeV,'I|&A"I+9qqFf{FܼϹ.^yxEVUֶ z`Z@G0*:8G;/Őuz|S Gik9s{UL@LRb\A vYI ?g\>4Sտ\.rmU bC*DW],N 辨8kظA%1H'u)~W3`>I;;#+Fdny5 XsBv "!Lk3^!'_BQhzp*Єe&{=&.5qmT !`2D̒loQcu_`XIv5ǭV;DN"Y&vm]Sz;(Ӎ{B %xB+JK?ŸXi"]wtǠ.Y^"}_d&`֖kN5iИ0O^3=GpPk!D&m?Mօ ޹v b3W$OWu[>cj:ŕ=f/O$}Ǥ9 )#־K@u|.dz'oAS_oRXE#Z_y{F6ޟ4fI!k;%XǙaI|=\bwwS[s_V-5)yKA9tk ^h9<#C @&s\5~lok1y扰o^ҤR7@ ={])5"Ie1h,& Yw1T2 R΄֠*=[`  ޓDzّ.']WKV4eCoʴ3iFy4MݷkgSWJ; Qs˽$b} w-m+4?"P;;pzKsQh>y) ND?F:;9 оTE"LEq֝! ؕ7t-Q=.,)sٸ"ɒ <+Qc 'pZcD&cZt ΐiS\5CކqlH&7D]ijf7}1 q/!l*!kjF(6["oiMM`йAnUظ̀6AF̩15 a h.|)#aqJrZw}+5kxTE|6oByHTJ;Ŧ.&N?^?vyzYbt m*c #28::-ziKD-aeF⍄:=1xa$['l=X/:ЕMR?o? [4[çL<: rHyy\.˺fWk{tE8?ys=߰yyVFw-As{uudRcY<55wRwI n<~ZRfPq!+>xƙ[bяoS~Sz>YaC;Ajy '©|8NSNv"T߼@ 34y%.Qq&Y 4NHrfF@hO&EDSǒj_}r\]gcFt2V#Ђ*qƛ myC6A{b~rdn0 g/ tbr@nc^S;a tD톣E,\+/JqﯛȔV3kbځktM+"$X>XlY{~c=x.2sm?DRp14Gގ.;a~*s V݋<ŹRMi*Ju4c)QWu7q-A4qbuOn Z6#3WR%bTZAQV㥒& q>pWV%9x$&rdY͢aC+}m ֗F`_#h d;" @ﱃvJh7^iܺXnw-i-ݷOhhFp8^dיc y=`f'vR"v!5Ƈ.-_:˪Tùxrngsqg:,\0M = [X]#-U ʂ)W#2=2^Hdxș'(xr@0r0`=ÐP64|*LB1<0)#Kab$@GJ8 E/T/X0Gf qlwM :=m p%2JXJnИ!Ԙ=xm:fe2aV0*>(CӼ4.'X*;{d OBeb^:,[j|xb&+rS,3[+ ߯ ~.qGoϸ{i(U F|><@ GF ɣd0t BhLADP 7Ż̖Eb{\h4hw5r-q|a l M>K:ϑL+-g햙yȼ0_d&f<]VY:vsgfNQ="l^pDdD89*KH|]%^iR;-|Qg$TЈ}1ͽ9MqQz~lC=sa'7./G82||;'#'8!^\}lJZʝsJeHQd>~zWtK}mA/Rζ/NcBw:λQB80Ǹ&ϺZ& E􄐥\vo]ǵg~fB& fX)4_imtqY:ּ.FGDFlT ai4!HcϋhJ_/)MDYB(-|kJVtDd-$+Pʂ,}AaGR%& Qyʍ|)ґqwTa2+BZ0{ʉ3}iqLoU JRnVNSNŎ0t8=t0?\sA"j8/X<UUǒwdoPsW[}4+t91W[G#ROΦa^#ɺ`W "1"=,mcNɾ8[!ew<-kghWt5 FPՒ {#I$_%V]0YM֤Qmqqk-~:Z1PO@/~ͬ1渺#Gc(ak}tEkt~ wd,]Lʁ*?<@ krRs~@sG="Uj@`{1Tuu ^ T P`~W =!Z W> Fta0"[<l1+J6)c Opv-F')V1p^?Ejg%LjQK ݭ of8/DNI!ԺZ/lb;NA:ܒМ9ހ|3pCM@cݕO7\ ̸טl'[:PsF8 @=DWc{N l*>Z⾉i17'={$cmR+: =9=p QvLEÞ sM6uq=!Pa0$<2(6-cMUkQB!ZPUgEiMiD..ECU¡d:mqVx(|1&-Ej4VhZ9gG>CYaz(9i8 If{)I聉tFCO4 #jC9xc\Ѿ4e6DqA 5O57wr*,w>+s 0ҾIJK1c0}'@8I*~eL$i:U{Ekz}>iZ_ A fMw];|A@XPTLet4cv㩲Z(]1=}-5l^(]2֌+fD,x(\iS|Y+>YlKjHYw@R;_%D>OoF QN6CHXU5έ~pq(Q;#+-Q:є$`࣡ъKb佻LxđԢrѾQb]H JI)y5$^6hy21Ncs#b !d)߄'>S4t",ϨERQ**"f1 Ϣ?PY9+cɿ0CAbaBpO&\ctQtF4W,vm}!DuxNۍPǀ^9rxG1k)UF q_샚.+ebWBl2fsi_ntR0\Z!n6B&h&rRdgV~?ZJw:G["+lX &QA8>2ӽYJdavdG CXF&R \ǩv Xg1`˒ يc #QՒ!PT}q’?Mڴ 4;-Mj*}H#2FY)uUO-zCj˽kWY!KQȆ щؚ.t~Z$o4`aY6q kڢ:m5l0*=(Mazil>n/w{ۆ%)0M!zͨ`-GSL<4b@)Jڢ8OâYP=07QGc]4U!|]_m;lp̨R29uʏeΡ=yCn&٫˓j ^~~Hƒbv#i:෋Ru^޳%`EA9C-~ 'OWN?ص'k&ՀREȂb:ɒt.*rM!Lhl8xiKsNa}Ei6?-ixfI z|[>@8(1'L+LZv^$E]+z0dG@Z{^`pﲊ{u6DT&#lֶDHx!i7"wiV2@(J99۬%d]S@sw,.ħʼn>JJ A~v|Ege9$[9uPL}-^i V0uݧ0VWӥT~11az8Uf8"P~'[GnXEG SK G']wNʬI(M#;\g4H۴[4Lo●/AK[*1*qruqiٌ @,X; !{xPyHƳ̭'GLCB:蘷0I":1y].R?-0&~FmCӊFEPN#dZ3=ՅuGi'M?Tc.?=;9J8ދNh- *!biõe޶00$VATn% 'yaYmHa6 '|1ZU q p,4! J^}meiӒbϭ KCe1ɉūZ_KY ,cfӷ[Luks6i eW)n_@fV@+liJj{!;%qvևQ8Ut'eƋЊ~MU'6ʲXm0uO&kJLt /|ͦ˨p8s,!(|@fT_ItLDw%([fv 6H٩T nI)Bph3\oZRQ9)vъ9HJx|mkAQ3p$36i`q}GՃzUGLQG3*߼w,3A& P,W-u 7Z̽6@=ChjD5DzgIčڡZըu~4r`yצ,Acw;fh?)G&͎ohG-s #mv 4 >tX'9!%y'c eT?ɦ`JvXRG:=?Vc['drb<4-!uNpd؉ƾ&?xF })a ݖ :+&ҟ\W,lj}=i}uʼn~F~{_= VdA=9<*o_$Z]匾D6h-Oaj;M‹6qYL>U7Ѻ34ѹ\ϯ"]e8#Eij(^cc_FQ4hYDZ0#R[ulX;b1N4C;;\swYboO=r@q#D]^Yc÷x7[qb]Á?9WwDமp/އfU@sDXHOxkȾsIY03{)OKG9 w#-%N?m`GtC}W^;lOL%) N}&?h[f8zp\vjK41!t5.&ajMgn@K)lk΍)"d-1 ۜ_t~ٖ>m ,_}rr6L=KvUM$+*1y!_)̭ z#GdS3DLęexr93.3h@ȿAy]#<']|U> z퉁>$<".z:&:@sw/&j?oUxCc]k4 I%O 86֑TnUܵ"3MIDB"qF}V_hkiU!-'aH…P^>5> 9IJ\-{I&?AHZXWL^m[1/T)Amc^ǸPp` uFltg7ݔx~+O! L\mgxjYCFC1Q NN?J۪opZFN81)6z/M ͮK߇9r$Jz-Nce  ؈83X gɓްG聁'M`E`WB"(^:7 ɦwV/D0B!qnp hmf&#OWR?~-'ʄvxW '`^r2MP92vǺ0ZERsld9|oFm 3;>yRj7 ~TX|lW)RS M 4L5k;̇'ؠGAXD +Q g/c\5uRWt%$cPXyZ#`(`&EAt'+Ȩ ȇe23 zmp`Xe'rj_G6~y5K "ߘ̒S8_. jVT&+ݍ2+sH ȡŚ5s|1egXۻtG>PZqQ9oOi*9ݍU_3$(Pb䖍2 tLFb%%I>4/9mS>Q\i rP$\~'NpʧWR# Xu@nbiIE.BYlJ Tq!o3[ɿ@%6ӒFj8%mTC#jo?aroDAI$ćEO;Av]*Q#P/-`"Rjf)DƇ#RQX]`벁$xb&B⦆1(zp%ur FXk%+= I¤RBM$\C++<}S ]x2ɲ۴ct %)`6`D$ &cԾz38{X7[ɦc ewh(9Y~Q|k yh8,\Q 9"p߈QK4^_Fԋq9XJ.5)\C~Hcl+)R`[*:ihypr#t 8,-"(QyxI0geg-s2*䅃L Zb`  R֌Vl@<({"^P=Ki@,"EV'"di04~ĶbDV)ăwFUs8,H_k"-L`X3˲!W8IҸ&ĥ뽢J\ޅ)*5ߠH1%ppk9^7h<<^uÀ M ʵyX/VfEҕH?0W`*jm9AF!V 匞ȝOQ.TY-6^*!B^mx$3f+㩭ٔ&%}Ȃƺ:)&lBO6c#=vc;ٻމF9 u|?l|P]dPyp)mCiczҴme\Kϼ-o1FGL2/`2xr8KXteS7 Мhv ϵ?grqT-ېkH?ka[6=Sf?׹fd>.__QާN &E| )6!it^r@Ԥn0ܸ.\D62*vU;ɳzE //] d{yu?vivYsȱ5bKD2L/--rOʴ X7[|4RO#9F _d3)BvndgKf-Π(j_j<]({B8!d]-y5?a'^oבupq=à,V a?I:ڶ YZ