permissions-20181225-150200.23.23.1 >  A cǻp9|V,:C(ƘcOon ~=]5ӿCg U@ "7-\C bziDRPǒ3#;i/lISOEL/*B}WJD2Տ{pvdCcmhn4k#.^lbL1n:W:H@%NDs"J6zj{uAcAI+Cy_, je95820a8376ed1d93b78a778d37248397eb5a7d4fa7d3f6410df136c5e8f7fb7e4c11bb3b79ac7c899e62b1d9e7cbaa9b4fad360lcǻp9|.p٫_24vCẛjG{֍ ;3 eo.TZgm iԛ*au ;_JI@ʎS#Z1X|\o\jWn7H!j2MtT0@ iܮt奒S`*&EY[[WQWvb0[p>p@@4?@$d & E1R[ qT x           8 e   4 t ( 8 :9 ::z:>:F:G; H;( I;L X;XY;h\; ]; ^ v>0w?h x? y?z????@ Cpermissions20181225150200.23.23.1SUSE Linux Default PermissionsPermission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.cǻHibs-arm-2USUSE Linux Enterprise 15SUSE LLC GPL-2.0+https://www.suse.com/Productivity/Securityhttp://github.com/openSUSE/permissionslinuxaarch64 PNAME=security SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi # apply all potentially changed permissions /usr/bin/chkstat --system.UY1X$_ 9;@큤cǻFcǻFcǻFcǻFcǻFcǻFcǻFcǻFcǻFcd73f4760679880a45dce3c9cb05db59590dd96a4598a64a8a09e1ac03effb066d18038d1e3d4765fccd3e0fb450b4da097db40945fcc794f5efc3cf952e71dd254ecad52808937c3153a81d50810ee7e689d78dfc2cf8aac67cf179a2fdbf3bc2d6c9480c867be7c900c0918b5d4ee1bbfb9e1be8caa863dd8bbcbe798a3bb59f4853b24126924938e4bebc067b19a660c04ca7169a2c7fc80549970eaae29c8beec11e7462862414caf3dacf82b2705b8e502001e92dd9f7c0a3bc331ac1e735eca1eb5762d2b602f4b5114a54eb6e6815d26f10b5dab00cda67f2860ca4a32dcb772c1e9949198bc7695bd25c20cd21aea565905b0975de2edeafb31d8202acbebeb00ef9fccc619e66ad50b5c31ac346b2e06ec7d429ec8d2181bc5bd2f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpermissions-20181225-150200.23.23.1.src.rpmaaa_base:/etc/permissionsconfig(permissions)permissionspermissions(aarch-64)@@@@@    /bin/shconfig(permissions)coreutilsdiffutilsfillupgrepgroup(trusted)ld-linux-aarch64.so.1()(64bit)ld-linux-aarch64.so.1(GLIBC_2.17)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libcap.so.2()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20181225-150200.23.23.13.0.4-14.6.0-14.0-15.2-14.14.1ccF@cEZc paea@`@` l^?@^ϧ^>@^^y@^\@^Y^;^:@^4]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@wolfgang.frisch@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.comjsegitz@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commalte.kraus@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.comjsegitz@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- Update to version 20181225: * Backport postfix to SLE-15-SP2 (bsc#1206738)- Update to version 20181225: * Revert "drop ping capabilities in favor of ICMP_PROTO sockets". Older SLE-15 versions don't properly support this feature yet (bsc#1204137)- Update to version 20181225: * fix regression introduced by backport of security fix (bsc#1203911)- Update to version 20181225: * chkstat: also consider group controlled paths (bsc#1203018, CVE-2022-31252)- Update to version 20181225: * setuid bit for cockpit session binary (bsc#1169614)- Update to version 20181225: * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)- Update to version 20181225: * etc/permissions: remove unnecessary entries (bsc#1182899)- Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)- Update to version 20181224: * profiles: add entries for enlightenment (bsc#1171686)- whitelist texlive public binary (bsc#1171686)- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- run testsuite during package build - Update to version 20181224: * testsuite: adapt expected behavior to legacy branches * adjust testsuite to post CVE-2020-8013 link handling * testsuite: add option to not mount /proc * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922 * add a test for symlinked directories * fix relative symlink handling * regtest: fix the static PATH list which was missing /usr/bin * regtest: also unshare the PID namespace to support /proc mounting * Makefile: force remove upon clean target to prevent bogus errors * regtest: by default automatically (re)build chkstat before testing * regtest: add test for symlink targets * regtest: make capability setting tests optional * regtest: fix capability assertion helper logic * regtests: add another test case that catches set*id or caps in world-writable sub-trees * regtest: add another test that catches when privilege bits are set for special files * regtest: add test case for user owned symlinks * regtest: employ subuid and subgid feature in user namespace * regtest: add another test case that covers unknown user/group config * regtest: add another test that checks rejection of insecure mixed-owner paths * regtest: add test that checks for rejection of world-writable paths * regtest: add test for detection of unexpected parent directory ownership * regtest: add further helper functions, allow access to main instance * regtest: introduce some basic coloring support to improve readability * regtest: sort imports, another piece of rationale * regtest: add capability test case * regtest: improve error flagging of test cases and introduce warnings * regtest: support caps * regtest: add a couple of command line parameter test cases * regtest: add another test that checks whether the default profile works * regtests: add tests for correct application of local profiles * regtest: add further test cases that test correct profile application * regtest: simplify test implementation and readability * regtest: add helpers for permissions.d per package profiles * regtest: support read-only bind mounts, also bind-mount permissions repo * tests: introduce a regression test suite for chkstat- Update to version 20181224: * whitelist WMP (bsc#1161335) * Makefile: allow to build test version programmatically * chkstat: handle symlinks in final path elements correctly * add .gitignore for chkstat binary * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) * fix syntax of paranoid profile- Update to version 20181224: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: capability handling fixes (bsc#1161779) * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647/bin/shibs-arm-2 1674033992 20181225-150200.23.23.120181225-150200.23.23.120181225-150200.23.23.1permissionspermissions.easypermissions.localpermissions.paranoidpermissions.securechkstatsysconfig.securitypermissions.5.gzchkstat.8.gz/etc//usr/bin//usr/share/fillup-templates//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:27462/SUSE_SLE-15-SP2_Update/e4fa7c0d912e72cecd158f1644c1a4f5-permissions.SUSE_SLE-15-SP2_Updatecpioxz5aarch64-suse-linuxASCII textELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=387b0d084592d52e1014dd04ddcbcf2be27a577c, for GNU/Linux 3.7.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)RR R R RIY:Hxp`uutf-869122f8b171c62c1d26d5e602c29eac53b565b86eba7b17a82214e2c1017cb47?7zXZ !t/[oW] crv(vX0 qp~)D?tœS\V!(n."ebڒҲھھ,a2ųffM%d cI9 ioܓBeه$׳8Lu4 $#ebz7F`o.>YghǛG}~M؈||gd[M nzZD Y4Yապ; 3S9mwR!o4'7.Vy6^ (W"\SG# xtO!G(2K=HkI}"'ڈ3+NrgB' JͬK^'-kd.OdyJ{7uoR_X94a^mseFe=}_Vs|ȋdVF SOToO=ږFa}aۥƭCadW^ПB)P5,Qˆ FqNI^RTD=LBҝ:$hk<.ה(o@#2ҿBH۱F7jX])mgX\Ԏ f yDS Թk>; 뤕l8rFHO2Cl[ELohݮv&rX."gkIb`\4loLd\X\C4Ŏy7fžσfL3dP 'ǯn4i:v߳^FtKO61DUS4!t}rMv^ RV6*a%`Bwy_O2QqU'$.i[cķD|mܗ9H'=;.Ja5@P0n4bW/}`cĽId} "ّJ&3ȲԿ&ľX W)rP oRb ZN4] wQޢfbY~^6zwIգG$H/lEü qWΊOgNpSLw8Kiu-6R~8F3i%rMƷ:K<2Ǯ1Mo4uO椸x9'5W{K.ma}UC'L1P,+Dž`h睄mSn_ MO Φ$9:hʺ׹E3O erlj  T}Q~/7aqRSAϡ\Ϸ㉁ ~ĝDf"ܤ\ePJN '"+^Xy,{ a%V Պ='2-X~klpQ?@_:x#0Fw2C vd(3b)!,N]lƌK۝'$R4^?/: DoJfVnj\4se)U[Q;a~mtyGOUk'"5P6 d;Pʕ VW<8N~}lqNG`r8g)@hЏʁdKS:n]/ FVquuHYizpV gXi%L!݁ZXL1Ca>f5|qo]GLG@/Dҿh3J?sjP r!_Ħ!֍<J =R ms3~W|igU3lL!='𚬸 y,e뛍\OY4"w#2yNsDIc'3R9} 0WM7(^/-c%\k,•F?JvpcOE/jx7nSIU 'k4g9Quq [|hĨx#S^ V+/K4zS{N;?g%R*8RICl2/oT#dng~A!VoiբkjmYiu*Xɻ$Gyͦ6߽NRSz  J%*M.5!.~jc'leb/򓌒azBm_H]ǨAlIX..W~Цę%/z<@g?~5A_2{b,M{p0Ae%"H4>z5բ}NUk$\86efR>P\5RԂƊ-XG4(k>BDH rx@&%9E|g@y%^{4 R']TP称?1KnXREiۮ)`GU0L\FBvyQuoiM! +Jz琮}kX[;9׵9yo{@pn6Ȯ!UZ=z}9K:ޕk5 ߋqrI'uL^vk < ' @Gw'l 0TBEw3ִ/zu ~ku̔yD>c\2r2 rHRՕ>k]@<@Z !'Sj=v)ZqzFW6TK2xfn^Hv0ˊf`_NJ?(!uH3 w \߱R "ZWG 9E"`a\f)זy-`GjKBUcl= gAϱQ>qg$ m{ľ: Ύ6/!>ibnj%w3t ֻOLQ~ #%f2k-%rd2UWL_ OQF&.bg d J@% Av2z锯̩LН@xE9:D_cN 6%3-KŠ?5il$?¨]K՝׆LQTyjV[< \`*>$|XnORNu m'x /(  ӎqȾR q'Ltwd"xT͠tT+_n>6>R?j0DܨRUTmu~a*T-!VΜ eѾ8D: 51R [y6FE%R8֍(n:k ''K{h 5CU qݨ͝`q">}ѝUT2:GWݺu|$[5 _[RIŬEٶ,7U4:ʔ-"tvcw<B.3e(h;ʯ$)zH XŮ x,P;ztv%c3Vǻo8x "U?9ZQ/PYIN S{ {!TGgN$pؕ,%x:{ 9 fJ'NG * ϝ!Z.,Xݟ*f~(d^t~tq@QZیt ,u6[J\2ާV.zpM2bC`of@t2.hlXmSBI~݄ &o~ꢠ]uት٠+"BrwuӺStr0Ͳ[edUM{@=j_6kӎyT27#0?Cvg|xGggr5 T/ oqC:[n7@d7blPe΄:kOXnnfAGxmoQR8y5kD9әv}u^g!Zo;hZBwmmEH7KSMDXFw*Ǚg>bc*ZQj8(|s BʜPT=S4eӺ9٥N?oDфܼO:Ygr׶tv ^vO൥Tv<'hC 1x<@׀_/W}IqUt>/2h:I"Vl8]=SC hx6fr-)GoDerf ɮ㈉<1D}-y6Ӧ+"z M1<<{̦őRjHag?pMb}}fƯskEmчZUunAt1=€7_tͦj}׍1YVo` N%pYC^ʸPLcK#qPW.*`ۯV2ʵdKlgpuO*I3<}J3xXmz"[շ85j9(B5A$P&CB9["ZPO`e`+ld[ٷ lG/%a8-:7| p^ ֠<8' è9C&N!634%YiXmn;<tRS`me?#ٺuK_E*ek%̃ߢx-)zx" ExU51PC@ډ% EwkQ1NNZs)pؾ!Mna1`f[W,ɰ9# j0LZN4C9kp}˼*ɇ^\e`<#=G0otУ83)*\ѨyPEzpGէ90# dKz>A%]e&Rl{k˂1|K/?U +Y<%߈K,ze*{vihCnPl 7b"XqYC6$T0޾Ox2dM' :erL[z!߇B3qKy'7NsG{lD51Ӹ?ӸzzH.k}K,8u7^y @q b.oZtNPA)-%hdëƝ-48OhȌe Ig7mWW]W+>W߯2й9Fi P~⦵ .pbZ*㶋-0]"D\ 2+@U;q }0_ՂGU/PeٽJ̞UIƨxJywʮRL;,C[,nplFj1Ĺ1#keJN4[dLl_ 1zBGZϏnK' Qu}jo\s\c=z)yIh$'](Mz靖  `@9L3@ fpnRɲ<\@GډU<@g$#:QB.[ֿ] cp Nn@ -Z4uu.ʎɎ eHA_^`j!$V'sa@bνR_C&{K`18:v=P$#kbG23RZoAsl8YQAܝj:-LO QM W@}v[vsV$U`oÒ O7 Naura܀9l6$3;I2m~oUzG97M1աM.NuNjJ+OUf6^A.Jt~_q0rkpg̛R幍`Ñ/ G ޳ønyǕCڦme4o WKy]*B0 h]~8>}:{ndvQx 7˜#Ӗ--y+vHk|IkƓ,x`8l6_GVwpTbhMt^#_ @yW57u,fnY{ Jy(|b:5KYA+`^x@." ڑDR'''t{)XG|'޲F{P`wnp佨+;%X_!'B|T-;igeMkq{*qO>3X#{wN6-L)H >SWu:&k}gt^zTD\ ̌_*.d#$m)!;B< y|;p@␿S=Cv{nJ!a/>&K#e%+͹p8%+P0I>|36JB*aB3zE}fHKC% yh@Y~ކ~)۹gϳeTk@@{FXu`Yn*k xCG(9&Ems_ޮܹl+Jeh°7-mc@G!Ml94Kh=9R! d(j 5! ;rav-rEEwYk?,C4~ҧ6hV*]y>xZNkBt)bt!T:>_Ĭ+Qs ZૐBxmӛFPHmrka*9w-+ԴHKӅAأS$ 3KXPwE;eQTc ~ d2ȅ-\ؙRC e^xM0-9g_ożl1j .G=\uy٘X_ yPWM$*4hԬM/AI#R'  gb "~*Yr`-I^ ,ҮES6ï4NxmuWā9 ?/&yp=V{qYX wh<'2UB+S2Zc&  4k4t HzLH[%KLK1߰9]@2CG-&mg3;x<[1PvTw9ŠzrB#Ƹ[OS$ՄJ۞_ϳ[ޒkG3pJjyi7k\C#$@qWfjY eBWUh,;*n hgWWuvj0$yjR..=ͫQ]Bii/0 wK݌Gv*gEUj $M#}v~ !i'=F' P$7 Ɔ?0t8PPT^:ó% A[ <\J*͛* :v|-|?CR.+ mWқ"k:Bh੶#ɾ'ZWkf( ('aA%zog[~ |?kXxiLH G Dq!~I|c?oΙC\bvK5x1Nc8PV%UYtQ#kKV*~Ո |`ZN{X5DJV%pQAOH5GX/8^9Qga7e&\gq4A[w]T:^n!—O[MQluXYޏeMv͊#NԆ̊V납(!Zym =MMSA(KI.0eDaPOބ@܂I99:qLoڵ;-ّ~#8<$ר~v'϶;jI|"77x^qr7{esKPND*oZ6;pVC21̶n2>t<*}:X1op#>"؃"xap4r%I?ᢗjO;NSL5wdl*۳8 6\_){CL36a]1POߜ1;`}| ID:&"XWKZj,44rbrKN;6'k]h0r+d{Y/ezJQOkU9AGFfȈ #.PYG!Y09{<o`uK!i<Kι9.؅u5Z_h*2|q|WsD}CĖ'+ۭ4N,OeHɰ ì }`E4YM Wn !w$!t> iCx.|>":[|}Qu[~@c'ƻzc4ֆ]U=ƽβS 4ڕt}0g I9N/{nV?q J$?bf.Ģɱ(/<@Յ Z\,jH}sF5_}"ƁiohT6 B>d;I8^s+pV_m}ᭊz*yw*KIltNUYJA.$8CXY[}c6Ẃ-z,N֔n~_z .ϜN,񐿍Ql8>$\i=^Em .5@ 2uLVe&\/]&&t0Y xUiSVjk$g{adCs~T"g7Oz]݋0VO\>ށjP:1 “g'Ѻ`4`Ն/w; mƬ2VzҌ}ٽ,* JPykkH9H#Che0P//X'fȽ7*1Ѕ?OKo#F (XKCv/11`sCd !^)xn>c#4_EK#!Ax& ;YԲP^N0@r=5[eɍ CVRzߔ,/S!噃6:/P$V5’zi{1g.dzmK!z@~sx:M8f;%[r&Ь\!F*,0 ūJ;jl|3۬( 1>^0O.~v9O!Rm/ 68t}Y[&%&PHG- x>=XV8VXy7Dqusא&9d+e97숬󶃾 GjȈkῲbW GbD[F5lh2Ď&*5st[0%=z> F O#VQoTwV.}6tcuћ Z+YlУ1D`2y6a"(:\ _pK=JtO\,kdh%-&D*NQ藡ZTeHWB,{q'OAtmiNPEUr%u|{Qy9'\*ė;+\R7`.ӡO?mς,L ^-ohcCu+$Wm0w<9l [oΑ jljO=y;F" ;XFq%E5?1|J}2֏mxP&ttW2BpTY_ʤ0XjG<Ȧ75nFဘg61D?vC)1 S&lH!C=mйMk>S _.:Dmk]qjg}ܱ!K(Eo1񴦳.I K뫏pi@U- |gJLse=\}:V·UT0i9A\LJk;"&34ޥ}{~6V!EzDfb y8]pSp?ˎnaxuIMVAL5g4oK, [GN.?:#4n5(+ͽ~RnbӵLa!!n4{&񋗻Q2J#$$*$/$>Իzq}&xei_AOxjuLrs_Hum̶t7!ŗ7إpTi?ߣ}d!ߏz7AT>x]/m!\Q Ap d}VΏ[?]vIDT&ȍ&eMyA|"A &!E8e4 yҍuXGj$np9~u4,qUpE$>zJ(J!p-hBqv;r <e&@ c寅pgهPHLZ1Bu{+ۆ X.6Nrs|e)tϯ ?o=S#_/(^M%*}շ;PbLgOCl z2܎41ѤČxsgeVp,Gj]K^ƘbF9f"] #t y9lx/TKg[!9Q"B?OxIo.smEJ(r<8_ h#@B¤}X;c|s(]Ý;U 3iLgfp_);'LSR /a@J`G ,Su%k񹜳sm5BwC6zk,Hu̻ܤbNIx &u9*Yl d^\en{O `6Xu[R8vq n8,$@#7?:k[Di ,W_W,UՎ PW~תClau/,u1JI vAp(Ƕiͮf&2KA6]V!Cy17Xy. g%B^\ڋ(HaRO'鐗bw$JXl[< 9+Wf'!Nveށ4vWȂ(pG~|G‰=s{+q`1aOh}+Zg_=s(>ei_x Ly.4l"^L\ZIG*2}z>=[5d*x8?KՄnq!MGk44 |/T}&O(v`;qVgj~,)Za`VZ>~R(*ݛ(Rv^ MWG'쾼X~g"(UKX^2"`V-8Qd%]aew{ z^-'@"z*}@Eu҆嵈t;Faҥ>YH)hHdq 5F8囫mi;L`g63O~G"üW\a!ʍ*Z!3=x˶0d8l3(Tu 8U!@E(ό9#D3Y"hfhu\^yVޡ YZ&m"$N.@T \Oۡ<G+MJTmEդ):tOQ;dqO қ)+287mn#[Pkϋ3ND\9+.Y1Q;>pA4 ZïdЋ}y ̥ )hQ# LpaT4YVLꄢ%'`<1DWHWGq$>s+>4~QAٿ17uD,OkߘRW5$K~EBWTI R$8H%ټ;>&TrJ^*è x=d i,Х6! gqNeF;2]a"la@MܰPdB@E>ioe (^\R`das?NCwIfK`+Z|E;&^RyQ'pb⊐5xp_1(]s k ƣں}CK;$?6J |ye y+i>a)b*Ԉ-=wcWh{v%-L3%CɅ7795[d>~S`! `뤘Qm繥w&$g~9fQ9VQ3°|\mѦZ4hۻ *U&sy%UǬn*pP U^"a54[V";>%\>dceNksC+%O/$zV0ťxi"h`{|7A_!kV8Kjaca؀8sL!Rxj2{*l O1uM(]ZX3Pm&T[ wx.w:x HLNpR3~4mѷ'Mdwy+}< '-?c VĭkO+ҾpџoSqYij{棲Ƶ~B>da5QP yqz^pwaEd-Bks`R_@o20cYD |3G<1٩C7Č3D? ZQXB7?GNyj7{G+qHRd0{"b[H.eЄ  @L\mJRAKd`>XgF-pƙsyl:>LuД/5 Y}m0~4AoƬol7w+,UZb/vޝ #$ ͈?p;dňc"2O]/ى;vh,IΝZHtC?@mgN7\F_c*{ W[Qa&gu?C$z, Úp9f ~Ru;c#H`'EA82'Im]z@* VGTl,x<:Zj7%9&DQЈOo֎N ̣5 .~ :îs!c Aob 6C,TVgug»2L`'zMEقnbɧQg`StטF;~h'TENmlKq>g)zEw-)ZA8 Tў-TrN#V\9zuauu fLD7R `,mcת?sv4$a ͡[~F!sHДڶ3|*؄ LE/b[{8#8~`Imy$M2s.A!ޒa ArHP:Pܞhã81v3nWnmN@xl`E|j+n6{jA״RF~W[֝`2V2ҖkSa|poOTZ:Gn楸L74#ȅ$r2q7e J2vȯAN=\\+1>V f3I,Br uTk\pEQ$ =z-u`;ZP{ YmP&(ocv1+QcWOijx?E I1vj6c{?įfbc^ #i6i~h$XDݧ oRXR~QⰁEt] If}\nH"Wp4?p%q,pF_Lc.d)xpve(lSP!A|OR%=1[pA$|qDjzzGHi`ˏhzӆ$ȑXX+񾘘w&[bO)݄Vp/)e&+㻹$@Du&82 G P;Z~o[/bA5K Z^ޔ29mHO+b2V^3ǂUed ts:(ʡIS?3ek仧y s ȟdN5)i VcW:](&0SnEC@U5x B(^;?)_Xx. &x(.xBT+f9xzGqn中6%'G!R3I؁*\8wfVZ{ҌyQܘ7w^"^8K5<g kd3~WM1Sɩwq]~˭n !a(oӑ#/hNCPY8WRI$7Çqфi&gR cʘRKq&-Xx|leRh7 &/Y"&nE1rs/ 2ݾ]"<AFX>-Vo=d6^w:[ <Φd{NzfG8wu7]rz=Hyi?|\)ߑ+|JT8knq&Q*0#5צ5x`Q=)a0-.h[ϯv]r7lK~&)@TlP(˟SO)qQ6T T'y,LwbN$917@'BÅ:Pkg77fePKVI B6M0W`DC襛ZY@rI3ߡDž&iRx3~57F*5Ubg8>g^$AFA ( J2V7W*ޭS=65%1n/rx¼)t'}y~T G|AGl0GmԎLWb*2g?eSlDs2{6YEc>b"DQ~-5g${Knq0Dգ) ϦՀ!bd"2D@P? &8/Ǜm}$fOdM@8aoU'~֝-R^ĽtجuCF{{|\Q_H#rT&}2  |,2$|֌fک~- qjc/5D _DZjy9(I60x(2^HЮ`-)H a;Z1f[),Ɇ-۩lXw*]Oġt (7򛜵'>{p\N#X,QƂ-nwe\d} P%-\9 hVJw) Y0j$3$< `V7sr1܍Kkm\}+FfODgAESA2=WvL](]wVւ\Vɝۊbt ۿ*9g'H\^m)Õ}PG*OxruomӬ^JFjmRZ:) H+ư;M iPʛ\LعV(LRUNs?ه遼(Lju#t|eu|1x.[Uy: mdLe)vPEo}U`=*D>^!fk `v;Zy ܲ ؍aNҙųMd;SWZE :=Ћ<"2BhOȀul7N[V@m3)0kPxY=|U\JsL%~Ty<ןl"^ |lR pLn>֏Dib`E Wg"%=YԱ\b)pҮv[4u%k A-ې_Ș3#q/vfM@0 "inyԺ(<*/7L޻W'Oj怺oq ƊRR(%74 X~4k:ȖfRxDpl]aޡ\8$*ABؚ+9H:zU?\)Hle 9rzuW&zYm> oCp1,q"7Ri?9ؼW8I/To[1uTWtd8?w cB$=EKڰe8p 4=JP#C