permissions-20201225-150400.5.16.1 >  A cQp9|)7QJ\7m ((E }LB\s@#%I=^܏HPq!dX>[挤_^=:znߏN}pٌ u[0n~#|q%#} wNZgĽ>^4Ǟ:}[zUZQ&xTKoa ~}'mːIAt}&.-&^c9ݛu/[؝Y^b q:FGhNE ƢK\ZRu=b4AlL˽ηe4$hF]2^>p@Bd?BTd % D-NW mP t           4 a   0 p ( 8 ?9 ?:?>=F=!G=8 H=\ I= X=Y=\= ]> ^>b>c?d@e@#f@&l@(u@< v@`wA xA yAzABBBBPCpermissions20201225150400.5.16.1SUSE Linux Default PermissionsPermission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.cQsibs-arm-5YSUSE Linux Enterprise 15SUSE LLC GPL-2.0+https://www.suse.com/Productivity/Securityhttp://github.com/openSUSE/permissionslinuxaarch64 PNAME=security SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi # apply all potentially changed permissions /usr/bin/chkstat --system-YV1Yaa^ 9;@큤cQpcQpcQpcQpcQpcQqcQpcQpcQp39204a3f4359b2d8f93bbe08f9a7532737ed64e7aecd66391c4a49eefd0331817c692a2856a44b8362c9ae147b60e9ccf721f11b0defa87f54fc73c45b17559c254ecad52808937c3153a81d50810ee7e689d78dfc2cf8aac67cf179a2fdbf3b98674682d88472ea9f036494f6f08168c78423b08ad28403dc59ab26e8a830b5849517a933145414faf8627f1a237ad603f9ee09b67e3affd02c6ae983aefea8a7a9e3574f0263a17791ee8f44cf92aa0d230c6ae5cd04341abd844fc06b693c35eca1eb5762d2b602f4b5114a54eb6e6815d26f10b5dab00cda67f2860ca4a32dcb772c1e9949198bc7695bd25c20cd21aea565905b0975de2edeafb31d8202acbebeb00ef9fccc619e66ad50b5c31ac346b2e06ec7d429ec8d2181bc5bd2f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpermissions-20201225-150400.5.16.1.src.rpmaaa_base:/etc/permissionsconfig(permissions)permissionspermissions(aarch-64)@@@@@    /bin/shconfig(permissions)coreutilsdiffutilsfillupgrepgroup(trusted)ld-linux-aarch64.so.1()(64bit)ld-linux-aarch64.so.1(GLIBC_2.17)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libcap.so.2()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20201225-150400.5.16.13.0.4-14.6.0-14.0-15.2-14.14.3cOcEZc pbVbby@bgbF@b+9aea@`@` l^?@^ϧ^>@^^y@^\@^Y^;^:@^4]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@matthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.comjsegitz@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commalte.kraus@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.comjsegitz@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- Update to version 20201225: * permissions for enlightenment helper on 32bit arches (bsc#1194047)- Update to version 20201225: * fix regression introduced by backport of security fix (bsc#1203911)- Update to version 20201225: * chkstat: also consider group controlled paths (bsc#1203018, CVE-2022-31252)- Update to version 20201225: * postfix: add postlog setgid for maildrop binary (bsc#1201385)- Update to version 20201225: * apptainer: fix starter-suid location (bsc#1198720)- Update to version 20201225: * static permissions: remove deprecated bind / named chroot entries (bsc#1200747)- Update to version 20201225: * backport of apptainer whitelisting (bsc#1196145, bsc#1198720)- Update to version 20201225: * squid: adjust pinger path, drop basic_pam_auth (bsc#1197649)- Update to version 20201225: * whitelist ksysguard network helper (bsc#1151190)- Update to version 20181225: * setuid bit for cockpit session binary (bsc#1169614)- Update to version 20181225: * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)- Update to version 20181225: * etc/permissions: remove unnecessary entries (bsc#1182899)- Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)- Update to version 20181224: * profiles: add entries for enlightenment (bsc#1171686)- whitelist texlive public binary (bsc#1171686)- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- run testsuite during package build - Update to version 20181224: * testsuite: adapt expected behavior to legacy branches * adjust testsuite to post CVE-2020-8013 link handling * testsuite: add option to not mount /proc * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922 * add a test for symlinked directories * fix relative symlink handling * regtest: fix the static PATH list which was missing /usr/bin * regtest: also unshare the PID namespace to support /proc mounting * Makefile: force remove upon clean target to prevent bogus errors * regtest: by default automatically (re)build chkstat before testing * regtest: add test for symlink targets * regtest: make capability setting tests optional * regtest: fix capability assertion helper logic * regtests: add another test case that catches set*id or caps in world-writable sub-trees * regtest: add another test that catches when privilege bits are set for special files * regtest: add test case for user owned symlinks * regtest: employ subuid and subgid feature in user namespace * regtest: add another test case that covers unknown user/group config * regtest: add another test that checks rejection of insecure mixed-owner paths * regtest: add test that checks for rejection of world-writable paths * regtest: add test for detection of unexpected parent directory ownership * regtest: add further helper functions, allow access to main instance * regtest: introduce some basic coloring support to improve readability * regtest: sort imports, another piece of rationale * regtest: add capability test case * regtest: improve error flagging of test cases and introduce warnings * regtest: support caps * regtest: add a couple of command line parameter test cases * regtest: add another test that checks whether the default profile works * regtests: add tests for correct application of local profiles * regtest: add further test cases that test correct profile application * regtest: simplify test implementation and readability * regtest: add helpers for permissions.d per package profiles * regtest: support read-only bind mounts, also bind-mount permissions repo * tests: introduce a regression test suite for chkstat- Update to version 20181224: * whitelist WMP (bsc#1161335) * Makefile: allow to build test version programmatically * chkstat: handle symlinks in final path elements correctly * add .gitignore for chkstat binary * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) * fix syntax of paranoid profile- Update to version 20181224: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: capability handling fixes (bsc#1161779) * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647/bin/shibs-arm-5 1666258803 20201225-150400.5.16.120201225-150400.5.16.120201225-150400.5.16.1permissionspermissions.easypermissions.localpermissions.paranoidpermissions.securechkstatsysconfig.securitypermissions.5.gzchkstat.8.gz/etc//usr/bin//usr/share/fillup-templates//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:26482/SUSE_SLE-15-SP4_Update/cc249308f61e00752d1b1c0114b2fc64-permissions.SUSE_SLE-15-SP4_Updatecpioxz5aarch64-suse-linuxASCII textELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=c330b8f42d186d83611c1b7a50fa0e15f9357ea7, for GNU/Linux 3.7.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)RR R R Rbn\o=^yutf-8acec06bdc60346dd3d73909b3e0c5f8a05cc82f7970c856e41f590566e6a0e41?7zXZ !t/^X] crv(vX0R3IgN<j]hYt&# mg] ϽdDEP~Q[z4[OݲSa*.x:^y!p; ;}[9XގWB* ?8\>A\&\&J ےտpTk jD* t-gl4Ļ:T#*'+z3 (# >I[RZ3$!%'gMBF$Ȇ?5eJ4Ր%Q}i( [8ǀ7z)wOy-{UagX[Z2퉽oX6@ 1Fn}pO,"6s}iy(RY٥@t(qe}\ PPךu3k4߅/ӫ3l8['<n웋2ثMHV w2Bu–k}{(|hQL>m@޹וxGrɂ- κ^4#<TXX{;hCP2DQ!A[` yXJm{*nDQt1-LZ6l+D;Z8 )Ew@Nb-{|{^ ׁfچ]/=W=j$ykkfɛbkOz@4S]%̃3^B񏄠 m?j͈͢EmCehV3L7XwJ ~L Mn|5juwܼ6p} AwMpYy$? b:b _q3 &.`46:*Vw_drm1h,,.* v)F`^VᲞP'U*_^Bh e  [!8qQmUٯ| Te{:rHi5IްIJ[ݍ>^3/ܺ>6[9CT@f?81գ?ߞtlrPq֩~Jmd{9[6_^FVvY Um*7F{YSN;2qkP'QwҀ /T'CbAQ/W66Fp5L7B«* _}< f*vQj1GJJɠa ?ԓ] Q  e}#fm[⏳š*_Zbr;BP7 q8g~mE"NcA3j$Q:yz;7o 3$m)DgL "NnЎGDec,y6'rBN3(!ֶMX{ F4?N@ DF)wllXpԨD89; T7 SSiRl><∳ xSs, [-CLI0qv^uP'tKH22c^(Y/wmǙQ hNf!Le94Q8kj!"Rey/HE[5=V63нXdM٦Sᵅ蘓`L+o ӶI.Nid5yhW(k򼈇otMwϕ\t"9dFݸ )X_PXrӔ>P2Ǩ&\_a+pġZ; CjM8@ݗ'xs-Nx?~OIBj>!Ǩ~%'D es&镂ewrvʖ5vOG-G ~F^u< !Z")Hh \>Z,XH2T5L[Y^a0 =ͮB@>(ma*0~TLyG&(|geQJkDق mi|ں޺ k q-iڴo0)3[k ~P9]hI=iu(9 ba$Ij^4"Gfe4C%` ̾Ѯ[zU:5XuG3QY2?SU<ZIt[QҰ^d^3bca^6b{L1.)gYS.HJ}tg.;4ZBJJE`bTZ[|s=k1̺킞qbgqM-X)iDˡ:¤{ojSs6^na2N ݈KYXU$q艑٫44dW趥hoDL2@\f~/`S4mO)l]M֕X-1&\v_j&=HЪgAa>MsW_ttUۼ }b8Kx[kܡXB#s&KGQK&Ú05rAaGLo ;͹p˹\(!֨~mcY>OLKÓ$䑹)z}C3V8ȩHkd( ՗e| VuR]K/)R*6C_QMo|.T{AO|o}Iگ()?P:Xl $oK)^ WAT󣍙G @D&7j‚VKAB 7NXQ=`qQʻ0s]9]թГ &@mNbnoUo؀PE z OH,hM1,6b͑Gض=XJıO!cgBU9bYxVqlbCzקX->SugC2nZYVt>:n@$n Og0YѪNVY2nGpQa30$35ZIm/Ս82>6:x2K{n(-Wq?drmp-1U_-zgrߨ?ek?,>WS[&~^hh+ ΧCDaJ/4dV8z!\ 9{H`c m,7 |st=1Pd%=Y;o, d-4n? 06..7گ*N:b #=xÛ= ^Sc۪%`tq}8G XZeRw@sQCY}fY,om1n9Zdl21VX)<#N`A9ʫhcc`u2.l g Qm;Z)@lCoWjV;IlUM͖ ?,`# T -T +r_?kt#2K/3p.jZiߡP;ʡFPKv=Y50{:D/I1^c2ҎI$^V"GCw82/Q{e /=-*YZݥoXi8cFS?ϰԁZ"+7l:"Qwq4! pSǴ̰b\'jmQ ,)9Pfz~ ﳬAX%[d#zSX$`i_~~o#:Orn{7e4x50@YtD x0AXXI(TJ0'.=6JNmckk$xqK Aǭ:/2{ed__% p*;~e_Mb؁og2a[*gm"w3Gjv]ƛch)Ɇ^yH++o(LTe''0y~`9}iCamZijzYC `5^X¤r}"C1??Nww1=&.M]i#^6a u(&Cb# }8V] eV)ZPgk˸}VQ1 00J4n'[JuiW[ޛI XXfh$„V3-+2zaKq`O`')~l[W,xpp'Un:BJzͶ9X3ŢdUClXN%Sl6KLrw҇7gy8W ODvט]'Ի-\o}q;2w%3r Z $Ԇ,UÁKWG8mP^7ӠU GǔqZYֆky}l#QiϜ6,)CWLWM*{1kU'qL)@f(6xf̹qGڡks zF {L:Г^~BTI#n0][IB]a ՚-Ȝ:S:0QUqc1f5V8N590yziɴ̊>\ޫU wkɫ=L*\z؉Rc^?uUO,|?+C&k_ۦZ%}+2o6~7Csv,ːoZ2/_&dJ(TE7xD۳ܛ{u\3`o,1u{+&|Nlfę}8wG!SV:[CÐGN3b]_g)661P7 Ci&c+TUEWRUxil)Ė{[s!Wn>9pSk/|’C{&.3Ӊ>qB<5 ;OҞB|㩜sJPEA_e=oOGƐgk69ޑbu<&2c'ep~ ^BaU/ڝD;1<%ɅfRx;3x,P?iwLzx f7O͠KJ=m/s!?'Qf9܌^lWJqH; (p~W`ms3 -S)g:-!3/)x J@rϳ1}vk1 'GdQL:4$e^$o>:m)|g尼("% E#Yz b -lP8O>]-0[Ü""T >p9Gеy@%{TPqi9 ?c[֚K 5|T/\4@8pHjNXOhӍ)XfB)"i` 1 "e'IXZ1S."V8V’/6;+zh7eU6,+Q>S*1enAqCQlC0 1kźO@WMU'ϳ ۆJ:}X_8>03Y}7B-icoOJ$DM҄#S;,_!*$r%!Uf/QB#ssW2Uʹȗ ;KK ?K>'N`xE[Ies}eUVi39Sϧ l܋jlW@5T3~=?R73qŦ 6N=C>"X1,V2|@?D_US襒:!.VIGJ@%tyBWvs8*12Ei '5u#v80.R) tpd^9~h2}\^`q8wq7mn߁NK7Efr#cw ͓h3͈t}FK38\]*4p^+eP&F3B= rP݁jFR^%Dqɨ_/yp"וe$*C$iy6݆Ѹb@gW UVUO؄+˖R4A^@њWM'jPR%{&&kz?Ŋ#ỖCQ+;6wU(0ICFEeT1v9֨TĞ_0dۑi[%$*dlei7ZWAWFS bn (PM) wKf!l"@=]%\oVot ~|O;|ZY`AՏ:ԅ2χ‰@` V ?p) ^B ;4;ǧg#/of [{~|;kG*c9DfH P4tUUu/]!м?Orq-݊]TMR(D*0.D c|cd ~S$%TJu{8Ԭ']ejNZu;SEPʺW_;P\ ;S "gݼt"5uʹ)lߥcrRŪ, $za04bl0 V2wu;6E30:D}-nM/,xi;-%!*(9g,-`z +秬(:( '.?>YQȵ('9τc؎YoC KvΕmBus8WQPv کYwe{Nsrqd} Q{I_"K^#tUpEVY .@6T'Upi[,r _p-8~?K6s`/mMz[{H3jmڲ? zF樈p.2us&KϨ̼A5`"-3$PjE i`M6I1-/jKE9ʞj ֆMHLĉڜ3ʼYFZ4C/l>gtCtW)J~!FO-[np@D"lyß֝\md#P{sSD8\kz+L#2{vqZNL wE h©g&ݠQ  ?x֙M,]lA4,ͤItf" _,b,WV+[e WyX*a6Utb8ňũ uͮd/oX%r^H~7fx uIN5ePTtԑ,0_WY:t¿~5^x3 h .e=Z]nLŕ C</ 푲r|W`?z1BbeL<3QV!Aj=Ϊḋ3;  N΅a5tym/{)̍4Va(K9eb̵'Ns'쬑c~Wi.Op}hÁTt[A%^B=q8=!,N2HCp]L<_9ft% m>ؑxLʤ摥^+T ;N2n{I{)Kn O=Rw>p;aW|5N&E.5ؔQe$'zg*?$5Z¾-} /RC;;t9KȖܮ"dv˚"p(+c F+{w'?٘wV-G'^j =Hk!) 3;EB[2F+@45 홱|o5!~ڜF]*7KFܦHTslddC vB.]i[ zCJ/q"G *~< k:Uޕ׌i՛I^.w_ Mœ y9Z Q#p@JEhyBF]voO,3J!n[(l!z\@=eYkf~P,-̵;z9FʪU;SSe1 zYݺc PإnG.%Ι9uo :s\&uLۀ<4>EW `4C?i 3 bo})̪wHAkrlǿ$pְ<"t\x/>u?\ƌ>Z>9̖QO.Ky{gwlDeK7 +RaM2hQ7JV_̖%W/jkȴI~rh0؉nڕw/5K73D 9tq?!1O'#% ?Jt3nyxjS!UeR;֥=W;]榥PbN$(,y;cBj[<.Zx* %sA-֠ #&,Ქvfͼ=LT<xN}\ibTn_ŽG ?6 6⒑f- cS#gQ ]k t0,@򪫚g4i{*AIm4Rs=T-G$v4 #W3x%xp1WO;`@X 3 h` JPzC`x/"4B@ !  χ.FFǫ&$DY{6F/D P_U").ךw')BRY^xŰo~F~d5z,~FA|)f! rSqj٭)Zo w3|,g.p98x:a]BU;M[u3r,uFaF ɶ ٥{2j~+p{J0x'>c lX+4zp$AK*$G]duI KVY˔6WjDDĞCeI<%c-WpNbd5q'Tlg_M-@\u/0xX_@k.U=p[43m~OW (+_^GW63N9AB?]J ]B6#@s]m-/uNzU+G5,D>.+D_bjm/.\G%-ac\My2ǤIU"t5=jy/ȆY! 9ZJ_vhM#$XLgyǿ|d6G&5СbME8m#C2~j#U5t"|Uy]){#cjwdaM$اp,ޟ3Y-@]xNM I"~p'}Ӭў5ª2ڮi(n$56 ^B2j a6A2B[M}Z.ڕV._wi쩻@qGB @tgAۘ'hE & }Ig}yt-NszV8on]֟ LCqGn[=’b+cN*Ylu`R)i"z]YdrWЎsE8a;2cEvfYE c,%}Δm( KOZ5~u\rr|Pi{Kާk c3ǎ$PJ ܲ ~Oq٠/ur‡v(UGmؤT;` /G_ud72!GU''k9N" 8 `P4B0!j(4}HK4;l"6x1E\ĉ t~7xg*.[h#!R:"U[84t\I.6'jءC BuvbҊ཮+/tPgK#ڡ]|:jCkvؕ֏ip _A\>ႅC 僳 /'3ij\" 1_0KyR$ 58Rïi |k ~6 lNMB|DHKMO9b>\*Ea0-C$P7? 2ix~?yt)1}=Ldm?!;ҥCbd׸R½@y^*R3 ayCD#[8.|-4C?8dZZ 2w (2_-!7E,mf}a|^|!cD{0)' axf:%nr"{Ƿ[1SfZƎˠ꩔(eTvoq)f7<Yd"0N>>{P`,-j_?o41XOXÐ c4虵Fe3qlٙt>Jyu'ۂ^2v6 H]UAd2:Xw եYWF>C - & 7mc 1Lx<\m'2V_(dɩuFԂF5սmSKKܩkzjS>/ܞv:pթD]kpϠ<^55LUݡ4~?nK]$HLjyޅ8唜勐!Xq`Y?޹Ce5[|5;4 p_ː@A6ϔd.¯o7rF\kё\m iY8Ĕcq#[^TP (ϫσFT/8|1=?jRxX,DnǪwrm<]-:Nm>tg&?#M<#~)/wU X;h99Pϳ6%-/}6g~:hqf1Y*5 BssDKea$t)g gI܀)$p>fweg\*R'9w<`H+mэ^"]\z0]`@ L%X(}\y%fU8w<\/,-jMw A/ls6aSgNϓCƬK ոδPy)>KGmc,]tw Q N)#6THA&//a!m3߯fEcL=m/{U(\e݀ QSBϫ~jqFYUr.i)ja䘀Eפ%}_iJ$獩z@0co2CV7ak4 w~Xm6͘Ipڗo6QW -\tƻ\s8e=uflA$Xm<8S>0gZ9fZtRC&rvDq!B@F}_0uJwaZP3\ruEw޼NZ o7Y.Op&e+BM3aw~0/3_RKb[6yOn{cw`։J~yݽRfӍnIj#xh$Zy~R#?e-/D2XuHDmyL ->:e3|u٣S"?/{X⩢/-7}6q*sI^"jjm9I1rהZ- j zv6s֙a\|%CN‘yY 3ORpwSҪ]+wg߬G^khi)mnWi.ߤ5|x'?-p^Ρ!$oT3S'mpw`W%:!/ѯ%E-6>v::?7~D\?yJF2nfn4lA5Lo:og؍('вr<-({)2|.L`-Co)]!mT[^Ɖl{=?hyzz$؈o +v'; 4^9#qDM1!$(a3Aa+ ZQv"@1< X<;ao[qD8hZ ٦0)d%s%)h0.zC_ZH1w洪̆;FRJhxA8 %1j0#|-[o\2¶ *fCS+T_K8o\˶M4y})TVIa3ŔGA-j aD2c6QKZ>SwFP?Q*b-j_FSAdՃwr]VjbQFP;߈QQU¿هlM ͔n#w]x+9 |8$ژﮠʫSZ;e".-!#_3pK:gVYRJMA{g{M,S9_O.đ&;|@^/E-\8##}}G6&ܜh^j'd:8(1PyߗAj'ծ˜۔,Ŀw"`[elf*2iGaU|: 79)A"]DW w.#Ђ#GO2.Pfrs82ڃ88K۽c·X"7J]*nz}xuy4yD7Q+l1r@eCsk5qwϵEHU\Fm ̛X9Z:avr][C5 t|^4zVb) ;x ,2I+@bSlׄǭ'C;q~Jp͵GG@˛Rr%Y=&VeҦ;E' GvaU FUaPBV/`+ķXӕLw>&$k-wXZe\vJNGkie . +5ӞC X `JHC}ƆH8JiL4VA+z _8͓1g1yjS  PbHY%+ 'Ū2/\Ğqb-Hټ9dShѼAr:?Ҧ㠳&[#:24Nml/_ƞn4&qKjޥ`B?93) ?/kJ n[2~rX`k+8睆'kj>Vly1_E'(cԾPx[93*70f0XvO>lAHd0 ^n5LÒin.nU V-;B~`T4/˙Kbeu Ԫ!eދM: ^LWA %i%" ,E,z}Iي;ƛLw[[PФYf <*1Y{ycMNȪJ\YϐXw~2l sܱB,bƁ#s=M~rug~ZkC˄29}vOk푯7{ 7t TzhDu /&vpd] ^piK3(g.ɩyE\DD33' `F&seW$(Z\ m}:7maUČl0Gn<+ID2WRvڨ Rm7nLfnc.)Ry@x n\q"`{\VuO߶Z(Ŀo ׋|"vYd2fΔflj҅vF~A[[X.ݱ P>g bC}y>:PNOjaz?ɸ Jm `š2[FgK(82zY sQ@qiB7(dcr&=.Ȱ43Uz"<~|BN<2=ܑ9~9@O>tfh/ɥPEAN<ǩ^4p]R饓-<㊌/QRBhn[7D&[?!ŅK &yqe6f{H?)P~GriNG"{ s__f}=[l:j)maq(]YH}YQ"̧sȯaCwN[>`j9e) H_!| =vQ/"nT~Bi>3Y41ok=@!sĎEg^Zt$$YNJřA+{0ߔ/Ҡ{ѸRod|!Bj}VR|It>3:cQl7s!9"M8pҺ (+ȗT* j#%L@3d'+_Оb(="W9`3o͙EW@Z{#-V>u MfM"I;;VD5pvWq$ecw 0D(Gx%Bpf.&KFyqKV48w5 {P]ʚȟUtqKtdFsFuB?UGR6vEޣ"cVRb!YOPڃԆ XkeZD3$'OhX* *6oR0>Gsh|4KaV1y<e6ˡ]{-̣s!#Vl&NǛ }OlK1:#9Y+(vJ`0;i`㪈?i˻2[z&_Q#_Yu}3\@vwunZ b S$^nd{v'VW DmM/!۴Yc.8Z`\d |9NkGCxO)yɚϿF~ofS=ef';7OۏKb 93&Z|zچm^H |[\Y)m+^{8\uQ!=+HAqE@yE)AL !]I/ΚR-P-MtOe@Uu-LFZab}EO.3]D-^ C[<\J)Shk_`C^)EEf F#Q0]?V !wW93O*ϵ0 h+*cV_d~_xtW%@}+ 1xEdzw h3^e(vQDک2HO LJ̶ YZ