permissions-20181225-150200.23.20.1 >  A cOp9|yU͹J +a؜./+D"0V ?DAO#+jpU,R,_`[ڸQj/[0]|sx[|b;`0!ytӦ_jenPKNLALS]%ݭ8&Bh4"QĀ Kqk 6wKqs28L'y-12P@͗ȿr UE-Y[2P%!%n] NJ*X>9l=J!Fͦ6q{БbY2jZ >p@???d & E1R[ qT x           8 e   4 t ( 8 99 9:]9>:{F:G: H: I: X:Y:\;H ];l ^;b x? y?Dz?X?h?l?r?Cpermissions20181225150200.23.20.1SUSE Linux Default PermissionsPermission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.cOibs-arm-5TSUSE Linux Enterprise 15SUSE LLC GPL-2.0+https://www.suse.com/Productivity/Securityhttp://github.com/openSUSE/permissionslinuxaarch64 PNAME=security SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi # apply all potentially changed permissions /usr/bin/chkstat --system.T1W_m 9;@큤cOcOcOcOcOcOcOcOcOcd73f4760679880a45dce3c9cb05db59590dd96a4598a64a8a09e1ac03effb066be4b9c2ecf15cc16f3e2259bcc566d3712c5406255130fcce31901544a0ac93254ecad52808937c3153a81d50810ee7e689d78dfc2cf8aac67cf179a2fdbf3bb06089354355503cb5ac4dd194f1060fbd6e9fb3977fc49d7dbdf4e3ee875b9b7fc9f96753df1265f4734a0c183d4aa140600ba6b4bb03d808cfc651e9fe01fa24b1f6c8fd6e2a1db8ab158a677b3e87ee27c873d90ef36641383d01595ad49235eca1eb5762d2b602f4b5114a54eb6e6815d26f10b5dab00cda67f2860ca4a32dcb772c1e9949198bc7695bd25c20cd21aea565905b0975de2edeafb31d8202acbebeb00ef9fccc619e66ad50b5c31ac346b2e06ec7d429ec8d2181bc5bd2f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpermissions-20181225-150200.23.20.1.src.rpmaaa_base:/etc/permissionsconfig(permissions)permissionspermissions(aarch-64)@@@@@    /bin/shconfig(permissions)coreutilsdiffutilsfillupgrepgroup(trusted)ld-linux-aarch64.so.1()(64bit)ld-linux-aarch64.so.1(GLIBC_2.17)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libcap.so.2()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20181225-150200.23.20.13.0.4-14.6.0-14.0-15.2-14.14.1cF@cEZc paea@`@` l^?@^ϧ^>@^^y@^\@^Y^;^:@^4]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@matthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.comjsegitz@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commalte.kraus@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.comjsegitz@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- Update to version 20181225: * Revert "drop ping capabilities in favor of ICMP_PROTO sockets". Older SLE-15 versions don't properly support this feature yet (bsc#1204137)- Update to version 20181225: * fix regression introduced by backport of security fix (bsc#1203911)- Update to version 20181225: * chkstat: also consider group controlled paths (bsc#1203018, CVE-2022-31252)- Update to version 20181225: * setuid bit for cockpit session binary (bsc#1169614)- Update to version 20181225: * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)- Update to version 20181225: * etc/permissions: remove unnecessary entries (bsc#1182899)- Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)- Update to version 20181224: * profiles: add entries for enlightenment (bsc#1171686)- whitelist texlive public binary (bsc#1171686)- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- run testsuite during package build - Update to version 20181224: * testsuite: adapt expected behavior to legacy branches * adjust testsuite to post CVE-2020-8013 link handling * testsuite: add option to not mount /proc * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922 * add a test for symlinked directories * fix relative symlink handling * regtest: fix the static PATH list which was missing /usr/bin * regtest: also unshare the PID namespace to support /proc mounting * Makefile: force remove upon clean target to prevent bogus errors * regtest: by default automatically (re)build chkstat before testing * regtest: add test for symlink targets * regtest: make capability setting tests optional * regtest: fix capability assertion helper logic * regtests: add another test case that catches set*id or caps in world-writable sub-trees * regtest: add another test that catches when privilege bits are set for special files * regtest: add test case for user owned symlinks * regtest: employ subuid and subgid feature in user namespace * regtest: add another test case that covers unknown user/group config * regtest: add another test that checks rejection of insecure mixed-owner paths * regtest: add test that checks for rejection of world-writable paths * regtest: add test for detection of unexpected parent directory ownership * regtest: add further helper functions, allow access to main instance * regtest: introduce some basic coloring support to improve readability * regtest: sort imports, another piece of rationale * regtest: add capability test case * regtest: improve error flagging of test cases and introduce warnings * regtest: support caps * regtest: add a couple of command line parameter test cases * regtest: add another test that checks whether the default profile works * regtests: add tests for correct application of local profiles * regtest: add further test cases that test correct profile application * regtest: simplify test implementation and readability * regtest: add helpers for permissions.d per package profiles * regtest: support read-only bind mounts, also bind-mount permissions repo * tests: introduce a regression test suite for chkstat- Update to version 20181224: * whitelist WMP (bsc#1161335) * Makefile: allow to build test version programmatically * chkstat: handle symlinks in final path elements correctly * add .gitignore for chkstat binary * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) * fix syntax of paranoid profile- Update to version 20181224: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: capability handling fixes (bsc#1161779) * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647/bin/shibs-arm-5 1666157211 20181225-150200.23.20.120181225-150200.23.20.120181225-150200.23.20.1permissionspermissions.easypermissions.localpermissions.paranoidpermissions.securechkstatsysconfig.securitypermissions.5.gzchkstat.8.gz/etc//usr/bin//usr/share/fillup-templates//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:26483/SUSE_SLE-15-SP2_Update/6c460f7c6848dc3f6bfdad8030a0d406-permissions.SUSE_SLE-15-SP2_Updatecpioxz5aarch64-suse-linuxASCII textELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=ce506ebcc3af8bfb8e4d7b5f7f830d3e260831ee, for GNU/Linux 3.7.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)RR R R R$TUb(utf-8d772b902148bf6d7a6771049cf8470338dd533126b1bbbd21de59f2f2d9dae5e?7zXZ !t/ZW] crv(vX0_aL&k%IyWb>Ț \$ ,=c3{!%Ӫ;ZAcZpּQi ܎kK_荈.?]Y:Z:JA k~T)f[r'] IWw^a @lBenwUFĢKVú?}{_",VuJ!JmZn՘"`rEIe('H8ׁGт/w98 |_}Et: Nh.n+-;M:V_=}PG/[r}pđ_?_`|15j=t##ZR,.@2PJ }9wc:_HtE/cdb/ OD>iCZ$J/~5ӅME E7|*IG{'Y R=G3Y/EKc6FP S5] VQlc&}Ҍk*EMxv9k$|°NP/;GA{UM/E/WmCt 2LX}f@ճkm,NKM<5rBAϘ2}`4MԷrM(DS$yWp'VQ]4\z]m/SsNK ѽGS6l)r3p9FdWSb8@xz| :_oHvO/1г׿l][uTj\RDԨ m':Urk* ld_zϋNla W(֪IGQE* [Tä8$Dz SX]u ta$nt Eۋl' <yi6W -mMϴ 8^=ܱg6cmJߠ۲+U2lCŽGPۓGؐ h b\:?Dg*=O/ߙ6i'͸dxu񻞐]Hm}T񄉬aQT̈́n|=:m|Tz3)B0E1 ȿ[RvtCZrα1(@qh[oU[O?c>AU1q%&>.}~&yNeRz, k}h4`9If&ٌ/m v::0L%=`Hb{T<rvv)hWl_U SЯZ;@.c%=)E- 9;ZLU7L`> '7,z9.M#T, P};&0CNZfcuSUGlfnok\`'+Jbá(rd,l҂NIމ6*@d6_RŬNZi4h;` #g#yrvzES"b-7VP'I4ϠC= jG"]q\#\LF߿A(^gS#reDu5KA4qkQq%ٝtm6!>Q`B?.nLYIu3q~)yƛr3?{Z,aF˨9n(*G(ф4zm@"r [ɜЙ*-ʦsR}=ř 8/(ȵ q‘Z.zriI@zlqŮ>c뷗G F 6:IU>H4{a6k;i[\a_=:rՋE 6P5V_u֥K]wTfAA3~$)x&0UE4#O?_镨Ee{LIbO7;A2rLl.K_$,m)5K>2X9A an5&wx}}~x=߽{ھz7Z [eSgV.WNge Sn πY_ۗYY?'팿atD$zi0y l'LwG 3Z@? 35azY|2 q "Fcێk_'-g#W &fen`~ɞYJNvJmPN77Wkv1V@7&i\X/KuM1Z|(bEVD)vOP;8p8ڛ?JېiY ɟsT:/!/~#ז|p΁'B|c.cgVlT˱ a~7Y"'<{qos(Τ] RkjÛtؓG3L*V44I -%Fknx+BCzG{ȅ"T}>_BU_37%Y'63f5%0^PF έC [_֚}3ggϵN5k'96FC^'8 RKThٳ8实x}DJLi'JV^ `#^\oJ>JFG2sdKXнF :Z\jSSvX}mɭ.Z(\ml8A])-M3( l)FVL 6=T^~J{l4lpWL)(0YJ-~F0J3 7%T\9 Ƕv vyBT0meU"Y2r @O܀1 {Tz!@\~@aV2\2wRC{"ZO=nˍh!?[AiV%߀xڑ.ydJU"M)#y+od* \t a &8gu EM %Dz2U ia@h0IL9;Ls(`PF -8<ӗAo] _>N)pw˹amoWS sz:٨ 5чC.]@X3N(:vPtpWJh0hS;^UR4(kbd7/gGN7#{R8wݏ慛[WU'vaLں|v"5tLծoɶE8`.]R;zHfyOM\ !hAĕd1P-M8\4TA4pD@զ!ti%#o=b &thdF:}A]*0+uYjDQ+W֊wSa $jgOYsGF9|Tpq7oQMr*0}85ley|hgwlF6Ӆ>_.==LG贎[_wkɂ0ZJYlQWC٬. ?lSϏ~+ CUYQ*gZ:;5 `0!et UXYP̤VrM+5` b)e1\1;^l,pcQ֜6PF[2& ;$~x3ЛFcbbb^1߻#75~[c\@~6i B3G[ `v~9OD=Nr!>mrmgIs&+xEj MW,G#YU+v EaY|j S{aY1IGrL T>qmǹ2 o*~ݡGYx=/H;S=zMtb5ܨs}"k(@Y9/1ǞAB\ XzKv"( hvIױ|V&MAט0vϴJ&`,~5%BMSB&F[aŪ~ȩ;C^2`1y{7bϸ1Yv֞MΠq4ڼwXQ (4l14lCGf8=?73kԻZsʄExdx(cl/ qD 23%QPd\>R19Irxش ĻZxm0*]I2+>T",O"VJ~rO *_]pT jy V&Rj-$Ӟ3~WM_8#VJM\.eg$'ZC^~45Sb,1m'47 =7͋&~h=H٥st}x1oJѯDD%>PtW6m{nCS'^84^qc͐,ء,_dR B~n1Eaֳ#ת)O$&R6* ^l~],`*e umA#<@&=f |@<B<g.nôKxm69Jl(eN4l%"u@ns[Aed4 pE b!|%-L;xP^C7fh!JrZi3耠+].s'3^C@$.>{8 koV(eG ZDY 3 =h (^KKB7X{*D3=-^t.^"Su'ufA9Jw糾2zVo`|!]*Z4wyR OW!/'Rkp,pZXRφ5ضM-zj}r }#4杖PAsNܘZTQBDJY{+O_f|sg5̏"~J\3HBUA4\k bƓFTD@>9Y3#5mQ/g+#@c6DU' eGC[>+3´L^Iwn ^4Hܜ|uG+PSHת ',G+3&O-Y*힧WB*804sZCDZ/%a;HT_AuZl3lLm"CfZhfH'e-AihM@ij8H ,'@Mz. L7zUGmL%?\0nPLlL~XlS >LH(eXfBR1ĜYxw~>\?xfm8 3:ՈAT00k# -"`@Mu]F%a\a&W(ފu)׎GP[{\'6wer0jM;h,?K?#c8֖nE>ǒ]$33@,͎ff0QnAYr;s cjN,$1v 5rZB(]/;F}ߕu_׆>80 s䩳ls$FYs^iBCFl.T#`a(23 p]k5{perN`,Uyo<'7~R͖ xVlۨ/6h Nk[H4|f)V.hYs=@@l'adPqF$.%+@O5кC {"p+>؏eM F.+3V$W.&ӵ5mG |^FTz<40/[1ȫWa+)E8`RrJ2ݒfcTT9?mA:A*$К$&>XDk*2GaAa,qVndp_{DA0p@:L25yd~~97P39: #{l~@ 4S4WqHݵ!ġBQn%j'6qA" 4u86qќAOi?sozg {Z롎-(Zg2.SX C6Yر:YP OmHc;Bk'<%SHR0vфɺM2_[JG`̔3.]tZH(~fXdh2yW?=ՍK-t"ﰷCC UЉ`եEb ˜bqb3$S?tFd/\ ~!VJ@lvX묢AR_ŧ@1rm P>GŷdC|V0HV#Ol,gKAm wbZ~@Md3z`ml>߇'A_܀apL=^ڴ51Sc%q8Za1$A2DH.V܄n2iZ"ev.K eeapoS,]K*4i-.cmZ+1 RB J\˜NޮC<]uV:0/-ަcWT~r^k$Զ!;!,Uj yq@7C"sbB_A akD;Jqy5UZgq#_/{CɥADn]?bϣI]!rCwu9ϗ()Z+Bw^OM'ԩ&5s.dӧ a<>M$zИIAd6HZ!~+>cgBVKGs]d}=Ld#v#Љ #xf'" k{z,&5Qό=M(6h#n#^uB17K T&ʀ>Uv?Yy6[ q+S;8Cؖbi >2aQHp<Q;x+Zb E*IntC|? ɣaAZla7Č|7oFfT&:{UukY/}1*ERDnacWR7\eY?:.p<+r̘!GB$yiG"-Ǘ);t}хxq_եEqQ&Yg#iv^|Eq{Mp$q`*/nP+GHz@S5nMQΨY!CdA]TMh_(hvv{!%\vyΰw`ʞE$/SXZGd @F`㜈q5"+QȄQ3ze3Ik iKAsqD,X KSXQ&ۺ] }IԪAY8& FD h,-<}rINaQ$6{mvO[udzqI̋PS) `#z٭'ƀ&F> oe{,Ja0u U} yQiƣ筹VjbF| 'ԞcM>*aEl̔DxUg,tjVlF6Z;I`O$!)7v;IBOvF Ý2RG6X-r—&w 0~)pJ~uBk[א]3[.Tҵ%[8êcǡ.CO(tGx R> ȖFMzD(NDH旒R+ k(& {#ҔhN?ƶbi BNSK Nч14j:d=S`/nsX6{|~-ϽAP~U+Ԧy0LE!&t]ݞ]S#!4 Eʚ*6l@xő; 9s j; sKK^sߝT2٨5|)ۣ[ Os)ǺۚKt RwlYHe-48!LW=ykeiQpVC AՀ;,A{!:3Pؠz76u2f` <&d?*KU=R::G @7fe3q%СgI慧<8\W_`IF\Cެw:IU̻+MK]3St掽^HySCQ pnX35^;8jCy# :P"-hT[Osxu/(!LఒԂWߚݤh yL%~xx`̖m ,i*sQ9ij G `|Xu˰0*2]ۄ "B$y}'7%Gz4ް Yc&RElÃfx N6oklOn#C[Q7'ax  &"T##!ĺҍ+xBkZ >Oy M}Nȣ޵7 $/S2yMNq켣n]1*J{H(&8hMS FR-DxLcy.Rs !&'^jkKpy~¢_X5n$ԟ=>rwbc: Y?*J7u2NYe`s[D9O_OUf0uW iy>AHs$ZKujgg!ī2Вڙ'~S"`ֳꖺ͏9ʝWiƃE1Vs#[&(bt7/7b>(Zte-k,E+0d@SOlfh҉]N [-c\ G VQñ_xay {->Yn6~w1,DhYO) HP9a%ZN^ZERw̫- !dkƃ*#ѝ,D8%n! 7C%v1/,,k<`SDu.) I[yLvq;69|1*mKϠ-h98цI:X#i9U}Io; S 8q6cuT>8#LuepT^YNY-QX$1|a׫׈ 簯`wwRsaCt6k8؃C_#5Kll~1Ac q o#{?D&lk/:.ާ0S^Z!e{.Vɑq)NjXbU _}:)pޠ{:TcYB켰s[VOi2 0n`tN1u5J,R`}{x!+3}ftOmE<E!+vץKs &ۄ-$ sMӍ Mx.ס4^@B'0v X$aGA !:ĬR6ݲ0{P)2@練ul[pm[_,* 7ny:l[l#Bc(c iP5pÖue؎ӹG>yjt5,xOT-yHy[Azz}ކa:#2,.O%csɶ &SʜEy78PhSp#+X$S?j 2R`/f(NEC,P\ 'ǎ,ȧS0}ڍs P\!&i< rtl_' G$J('5US46Z >8'_rꡅ}K'rFFGY8l|0FeG$uHTӻoj$ m OF].Ƽ֩< .!:rϐ)]@ f$w:d+eR^ rY\mrr}G{ADE3^ `pg2uz^aL~G4å"a&#o@ 8R.P%֡h6b <%1aI.oH+-:W)²)d UhU /^׸rSw[bJ2?3~lA1|7m"7,%NXryhAuNnG –xk I~:"8mESh|2-/mbܾ ϬU\Jt{^XLɠXQ77Pqˀ>dA@JemܼSBlH8vyhS=ԯ#]ҾD-y.uv xGjayXe^zlfH}<2"rf -[gXѾ{"G^_okUVoIE paQR8}A&%-ˡxC.jen5/{|4:1 9H9W}xծ*-jꈻATJ ѾJ ofcCz\1L!y'erHza6(4_۟{veV9CApVA{V(1gbӈKo'}6T\$O!<&pf$ {|'D %ӡr {\TM8;=ՊeVDf,ċ :2]NbTO_1u_*ko$QexŲ.+ǕqZQ&\u-P|i_>3m]q`[UfOy ~qPV=o:IZ;N oٸ~rIih{6,_"-S h\'c`Vz䯽 i#:%['UK[ߒKcE||we{AY.^Z~HH9w%= r9o,kagM3ɘ?#O/82)S;\_S 6`̾U:PpWlnߎymCӶpeAFfCn^#uH04wﮄ\:.Q*o/&ϫ|(V"׺(O4%WGDN sVEswa0O .݃D5Ej~GZڀ=9U[#:YKVlyd=Kfn`±)YZDWxR+6kF#/ EZxc2;Uku`L=-אnڝ:NOgcg!,矻 h>h'iAqW tSF3Z?t+JpmonU0oH[*d~W%B,%g0\y[d#ˁܖnr}|E82uo9'|1oQW+z+Ss,Lo %@p9C 9#ׇ //zowې[|HFkg0@R*-t$#)*w*B,$=B|3T|_ja*e3f<+WH$V}I{f07Ͷ.N]BPkbTC/}xڌcMZ=n2Kube'ph8 r%v{V 6jGҘ2 .UAA_uLMscf Q0PA|_*gB9 Dߝ  FWR@bz [ךEEWB6c:Mx) =^&e?1dyyTV>h4fo"I4_堍Ga2?-CO}q_$+ZS:-@8xsϸZ!~~s,b_ؠ =J쵋7! #&4ȫdtY@*8R|BӉIEte9b -{NpN3qtk3xӸ(`Gh1⌻jA7q'կX,Ex\S^Ȟ瓿Tڐ P[qoE͏Ɉ68 Z)2Pi]~<rAՔ!:EgKѨ6Hv;LV$5LwS !Sx \pxYo h4j~欓MVԶ'"A[d&nxV3$_GoڳL).Jw \|.М Xy1 jy1&6fdm? kA')oD\S&N^*ڪ~ZrD.?ۃF i$?9.!(D{?P>NϸbexٍnHij!"Hkr:о^ |oN<" "%M laHYbSܜb8tuhcv1>Kx]p[ sm2jRlDǏ.Z;Mh~*u ĝp3Q 9 'J<*H1f"kNRc){at^(aK\QPY\V l8 u4c\kǴxLrrS=pXd@Z`o@WQ_}٠,)GպY%i<U %k #r}BB-s-G'$z:2ŭ۫,c8fqTLy-{_kN@O?Ek<_QK>UKKQf"V} DMҢ' f]ޯ wcՎ:#l?XI2J,^p:ߩY] ApÖ ږLS&;n^r[wϺ$wUb-4aG6~BI1*\{z>h?ۤ_~25`.[v8sJHMJC *;񶖁%73z\(W:~$'QaiF_ sͯA0һi'uъrU1&0ljamq.9Ӱj' Œ ІSr/8Bڜ|ov0RS.ΚXS)r>@ζuBm~9>4ܿ^Q>%~cΑR= 1::0; x);jk\jc%(ݫe1:!!:գl-U Tl= b˞%;fB)9 hYb(Gwݩ!޻7t6 -yhϯ9H999]C[[yUPhx ؄F Vܛ yOb6CЃ f ڇ M?;)RXoE!?p`W{4RvBgU}]2HMe14Et%9r#`."Rl\TclDž&K=wճnחbo7!!G|w|/A5t'1 ‹$b#{cZ 2NűG(:}7j_~ӧb[`Δ@l^ϺJۉb F ӎl]&rڻjnƿ>>Fif(QOaIXikD}ISq/j7,W!H?5Z԰baѮjL"W&DLiGsx8cGXl]oo( f`_ j\,O n>ȡ)]yBsZa,rAM>Vӳ?4P2[r`̢)OYNQ"`)9({?txC%͸ޏ]WԿO 'o]bC]Yy 1njt\^H!Z4v/Rm֊  YZ