libnetapi0-4.9.5+git.187.71edee57d5a-lp151.2.6.1 4>$  Ap]x8/=„Z]rs.j c>?hzw햼btHg;Q$g=ȩ۱xϭQPΧ1NB/^}{RRhB&j6vtOulLL)M/U ye|,v%p@c?cd ' 3 Htx       Q TX]bBB sB( 8 9:->_@_F_G_H_I_X_Y_\`<]`@^`Ob`YcadaeafalauavawbXxb\yb`>zcXchclcrcClibnetapi04.9.5+git.187.71edee57d5alp151.2.6.1Samba netapi LibraryThis package includes the netapi library.]xOcloud109lopenSUSE Leap 15.1openSUSEGPL-3.0-or-laterhttp://bugs.opensuse.orgSystem/Librarieshttps://www.samba.org/linuxi586l]xe7166d470f7c41dc8f7ce3041fa1712c97091e91b737746ae5827adcb57dcb3brootrootsamba-4.9.5+git.187.71edee57d5a-lp151.2.6.1.src.rpmlibnetapi.so.0libnetapi.so.0(NETAPI_0)libnetapi0libnetapi0(x86-32)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    /sbin/ldconfig/sbin/ldconfiglibCHARSET3-samba4.solibCHARSET3-samba4.so(SAMBA_4.9.5_GIT.187.71EDEE57D5ALP151.2.6.1_SUSE_OS15.0_I386)libads-samba4.solibads-samba4.so(SAMBA_4.9.5_GIT.187.71EDEE57D5ALP151.2.6.1_SUSE_OS15.0_I386)libc.so.6libc.so.6(GLIBC_2.0)libc.so.6(GLIBC_2.1.3)libc.so.6(GLIBC_2.3.4)libc.so.6(GLIBC_2.4)libcli-smb-common-samba4.solibcli-smb-common-samba4.so(SAMBA_4.9.5_GIT.187.71EDEE57D5ALP151.2.6.1_SUSE_OS15.0_I386)libcliauth-samba4.solibcliauth-samba4.so(SAMBA_4.9.5_GIT.187.71EDEE57D5ALP151.2.6.1_SUSE_OS15.0_I386)libdcerpc-samba-samba4.solibdcerpc-samba-samba4.so(SAMBA_4.9.5_GIT.187.71EDEE57D5ALP151.2.6.1_SUSE_OS15.0_I386)libflag-mapping-samba4.solibflag-mapping-samba4.so(SAMBA_4.9.5_GIT.187.71EDEE57D5ALP151.2.6.1_SUSE_OS15.0_I386)libgenrand-samba4.solibgenrand-samba4.so(SAMBA_4.9.5_GIT.187.71EDEE57D5ALP151.2.6.1_SUSE_OS15.0_I386)libgse-samba4.solibgse-samba4.so(SAMBA_4.9.5_GIT.187.71EDEE57D5ALP151.2.6.1_SUSE_OS15.0_I386)liblibcli-lsa3-samba4.soliblibcli-lsa3-samba4.so(SAMBA_4.9.5_GIT.187.71EDEE57D5ALP151.2.6.1_SUSE_OS15.0_I386)liblibcli-netlogon3-samba4.soliblibcli-netlogon3-samba4.so(SAMBA_4.9.5_GIT.187.71EDEE57D5ALP151.2.6.1_SUSE_OS15.0_I386)liblibsmb-samba4.soliblibsmb-samba4.so(SAMBA_4.9.5_GIT.187.71EDEE57D5ALP151.2.6.1_SUSE_OS15.0_I386)libmsrpc3-samba4.solibmsrpc3-samba4.so(SAMBA_4.9.5_GIT.187.71EDEE57D5ALP151.2.6.1_SUSE_OS15.0_I386)libndr-standard.so.0libndr-standard.so.0(NDR_STANDARD_0.0.1)libndr.so.0libndr.so.0(NDR_0.0.1)libpthread.so.0libpthread.so.0(GLIBC_2.0)libsamba-credentials.so.0libsamba-credentials.so.0(SAMBA_CREDENTIALS_0.0.1)libsamba-debug-samba4.solibsamba-debug-samba4.so(SAMBA_4.9.5_GIT.187.71EDEE57D5ALP151.2.6.1_SUSE_OS15.0_I386)libsamba-errors.so.1libsamba-errors.so.1(SAMBA_ERRORS_1)libsamba-passdb.so.0libsamba-passdb.so.0(SAMBA_PASSDB_0.2.0)libsamba-passdb.so.0(SAMBA_PASSDB_0.27.1)libsamba-security-samba4.solibsamba-security-samba4.so(SAMBA_4.9.5_GIT.187.71EDEE57D5ALP151.2.6.1_SUSE_OS15.0_I386)libsamba-util.so.0libsamba-util.so.0(SAMBA_UTIL_0.0.1)libsamba3-util-samba4.solibsamba3-util-samba4.so(SAMBA_4.9.5_GIT.187.71EDEE57D5ALP151.2.6.1_SUSE_OS15.0_I386)libsecrets3-samba4.solibsecrets3-samba4.so(SAMBA_4.9.5_GIT.187.71EDEE57D5ALP151.2.6.1_SUSE_OS15.0_I386)libsmbconf.so.0libsmbconf.so.0(SMBCONF_0)libtalloc.so.2libtalloc.so.2(TALLOC_2.0.2)libtrusts-util-samba4.solibtrusts-util-samba4.so(SAMBA_4.9.5_GIT.187.71EDEE57D5ALP151.2.6.1_SUSE_OS15.0_I386)libutil-cmdline-samba4.solibutil-cmdline-samba4.so(SAMBA_4.9.5_GIT.187.71EDEE57D5ALP151.2.6.1_SUSE_OS15.0_I386)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.1]_@]J@]:\ڭ\\@\ \N\e\e\}@\o@\\\\\4\ @[[@[[%@[@[ @[[t[#@[[Q@[Q@[\[[[{[z@[r@[ @[WZZZZZZ`@Z@Z@ZZ@ZZ}@Z'Z@ZOZ@Z ,@Z@YY@Yo@Yo@Yo@Y@Y3YYu@Yg`Yf@Y7Y7Y, @Y"X:@X:@XXsX@X9@X@X@Xg@X,XƉX@XYXe@XX@X@X@XWXAb@X-W Wv@W$W;Wu@W#WW W@W~D@Wj}W_WYZ@WYZ@W=W(W!@WW@V3V3VV'@VՄ@VՄ@VVIV@V`Vl@V@V@V<@V<@V@VjV]VI@VG"@VG"@VG"@VG"@V(V'~@V V7@VBUYU@U@UUAUĝU@UU@Uy@UUrUq@UhTU_@USaJames McDonough npower npower David Disseldorp David Disseldorp npower David Disseldorp npower David Mulder David Mulder David Disseldorp Samuel Cabrero David Mulder ddiss@suse.comnopower@suse.comJan Engelhardt David Mulder Samuel Cabrero Samuel Cabrero Samuel Cabrero dmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comSamuel Cabrero dmulder@suse.comSamuel Cabrero dmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./sbin/ldconfig/sbin/ldconfigcloud109 15682056474.9.5+git.187.71edee57d5a-lp151.2.6.14.9.5+git.187.71edee57d5a-lp151.2.6.1libnetapi.so.0/usr/lib/-fomit-frame-pointer -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.opensuse.org/openSUSE:Maintenance:11057/openSUSE_Leap_15.1_Update/7d5b3605a519e39b7d410acabc99983c-samba.openSUSE_Leap_15.1_Updatecpioxz5i586-suse-linuxELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[sha1]=1abb1b195055d464e4e25a9c0fbc67b8c2ea6d26, stripped>PPRR;R$R RR&RR7RR1R R/R*RRR-R,R5R=R(R R RRRR9R"RR3RRRR#R0RRR!RR+RR'7kŕwutf-8cb406687ae03a2dbc8da097c0d70f786d502e3ebef05a3f9ba8a4074f4f1cc3a?7zXZ !t/i] crv9u#)F}xŔ0Ws*~$xHKO%FVʄr6?)̉)a;k_ 6 rAP {*LJMwZkQ 8JT@g?l*EVw!WcSSx%Ϧ62 =nÖX瞃cSqb, UYI7Vt7HoA2=N~|(A_!4a5!b++i I=E1'+ek5Ͼ-˾?T<;@~xFu R9n"+咫!~I_Or!`"ԑkO+3P(>1P[|)'#̆bk \quw#>:YvHz\Z 7| >N9CzRsJP@!A1$Ps´EE⬰|wQtɮ>liFi 3b$2D[i&­ e9uOjt}M5-㾧B(",&e_ ; dM_l!hP팇Zb$~α3 v Ծy"?hg%.Jamx [K[Y B6XuTeb`箜[uM㨬3> ""g)*Wh?Δmڼa /ԟ[Ǻw\,0:mÚDv#QKh8Btt}N+ʶ8Q 4 5`{y.z-z~{Staoޥ$㏽ݷTO t&#krwAQF Pe3ĺe/tFSUX9LzrRܠ/ EƱ]bX~_ I%\!}`O:nyPV#<N]>Pa?eO)]שּׁwsoU fàVjRE?po%*E^n[4p/E:̡T[uS&1SQJ(2f&) -et푈*A:(tHR,$ٗ=_c`<Ÿt8snW-~qM#YŌɆ_شW[wW &αBˊ@ZӛcN/a611,\݇ͣ ~u2d4s.îѐzTpǨ45yQڕPS'Mg]@L|m*CT-W>Uqii_`ctEb;]˷]bX $fYD ]+sIvwj:S4y @%2+uN!!SKy<+DCABYL8c:/(>X"1X32&23ch ^ɓONa0b#D*gB/,M8Y|0 ]@}_qz=9{ѥp P̅ȩ=I3ц 1\V0>Sv|$j^ZA6aD%L:y/pyr_-DT{ϭMM(UU.oʡBJcJ۩vvD1vjNMB [u }iŴ2o1A8 UwzR33'kQD_W**l'gAHmqV*xa^aj$:?h,q]xzPUx*OoYctITLeKcI{v+  [K?庤Ii*p4eb J5)}aQ+8.G5LO*tC~e U]=5=5t'l'ft]Œ85e=1|s6A6_&|nwXNl@w۠cx΋sNVݸ AQnVs4, cd] eVl<;FIQ|L;s6ADy 9+b?*hರÔL&=Sh@a1͉ 뿺X߱?Yپ}Wm1wqh$lnܘ#"YL7wBd$( :xB~+і+G\' RVq,dJV3ma4ʎ[c *\O!8$ 9kYr9$0LyyT',) !ƴ3I2wUOGA^ye<6̀EЖ 186n"pX֛T'Yp}03 ߄vgL2]~>RϏZ:_)GTvа@ jw:mQG@=a7DWp;뷓R1X]+2PXl~6zBYun%vVqh>I w9%<2'P>:kBMϖ6-Hgٕd!θ=9Č: {TH^"vڇ]cSfñ,N\Ou} #nf hQ@gi=HpbvǿýJfgAdDU?EŮ5|Csu< 9-)Kl&!]od:GiT)縟.tӟgPᯫUeI5{|,j Xf*y2:ʕS>۰WK($\Lwu PgdQ+m?.d¯rL5? W>ŸyÝC0E4mw9/K4X4i -8,+ĵG~b.y%\-YPq ×LqD\[r 5W)rXJ;:}БRYZpr˔MhVsX$/_9A\@33ɬ.7OcxV7öl4AUCﺮ'`Ҝc1p|̖uvyTTV!%/uv< .QhnOcm_ o$fS ׳Y~buUh@t U%wIl-RKF2ŗwe ?ˬ3~UP2Z=ŹcqKrǡ p1y=8y6ulb Xn w4Hg.H(h{Л.5Cm qہ` ZN)c/Cϖ(`=\ 8 N9Q^rV&q-hWD_sXK'ghao[bf'wJ*x_r Τp"Xoqrl~JݜK3$-'TE[;rSM)[XM?6ŋG嫫 ONwmiJ ]b]z{~o:v_}HIpßXPn&!. a#qZJP>ab+F )H{)@Ap+Z6LC_XFϦ '7q/|:؁ dz(ڏR/hs6 EM/ m h ^S<}P\/g!6em_<mX1_tCl2x7;=EƖwQO{;D)r*& +|5Ow.)L?ѯB`azCW ,.шyfpy1gE9.zL xM}sr+B4Ԅ2:\A2{96M 87;lpd)HLF ҹ_eȎ'@t=IJ$@ugch@bLִ^v5x~Xt->oX/)TV%fjj9nz_K;*J7?PoS54^\Y;",\mNXyb 1U 9/W xWi?+qX+P`Y144j1A G]H+Y9/mЦc{vV! \(bg G ?x'66*P-Jeq%'uk:gjJZa" 21)S,.PPp1fkI8ÈRGCN2;7$WxKlZE`ὴ8Ǘ[R^rnDreynT !TnJ- 4 o,VuItB)_SӾȭխ5Svjv2 ,sl6W)^ pn9&jrO1#@R4 .N13HlMҋ|<68}cՂB|l~{ >{qŒ5:@u1gSrU8P N>4H]/l>*D(3521@x ^R01F*25,{i/ƷMOO9hg_.'{x|u> t׬Qjn8qI9zt  kGuTjEO^fkA11d gP^Qm#X]TnRFǻfh치U N~rflU5F?*M?m>ՕVwW Tq %nDz#\5Lɴ ڊ FF HQ2Afg%,W6uT;-Zm |eknajYp]0AhR|ܓ*X>+z{jYY>Uh,Ncb?NSr2=xr#NqE%Ry6:0 ;Fsբ:~* ɻF\N2}דB!hQ]͸L!/Dmx7+āF[(D6Rv jL+:^CtyY&Ԛ473Id%1]5}4KZdZ'0%ӈ3!"u-G w~˙MZN8_7PJ=VI{E0SK?QrX-i3KfU 4uJXO2bo)I#-y&"08r xv9g-:x!CpƎU"݂vagy~O5{DDo|suVW|V^1U6:-U˼L<`_.0 >5?OjuXZrk⍣I˥}|x;n  ~<;!JjnzBM`21˫,~'!1>w]l@g<}=s@%nVWsz&8_\Fl7GsYt(%( қ_퍪}.fIZ5?HX1ϛ^qaXeR<4ł]%$4[rW8;מ[U vUR(.`oȍ^S@/ͼ{?m<vtF37(^] M.~g_XJ;gPFf-Bcas>޴*e=<i.&69KU$LKH9j%]t)Fldp[C6-?:c|gP eTުnRqTNŦRfLfQo?k|_j[c6v(`H=m4XbݷƇ~߈WKtN&i\TڧqrKEC0vrQ$gk9_VuD1AkI;!V32CyMݒ׆+,[ KlSUP/֗eW[X){2sӢWkϾӐIֳ6u,S#DRafftݿ69hb'^>mtr ~v )ZXٝyܐKN#)H~K*3uIS9ĬKCihU&SɉВ|aC -t_+͢,!y2_Ry)uu?$bx\by`ɟ%QɄ]QCwS&TA-+ۆ|k,r?iѐ#E%5Coe`$)]홥n{StnVz?wJtCG8&9*-olx]Hp乮o`k%]T C?Qwy34CƏ4h9*1wzC)V:tbKll+:Lo9Z57O7uV!I;8m?`E|d^P[mE8X /Hsyk#IA[f[W0>3}:,UǬ+5\MĴ(87G-*04/\jo}\0V&|# @z_(*RY׾4P6|V$!zGA[İ3FJl銎p>y-<.]q֤m,l퉃ۏ?"o F Y!#ww [؛֥#oHP,Ecu5.e+Nƅ"}Fj,Ѷ"0 ?8?(>ߤji d|F]VLQ%aJvӄWl}GJO&>O򈷻>E~Bk!7ST޽kzgEAhB 6/D\ygB''1z}۴Ŋ je2t!RO%A -O*` NlNļ2j9`f\TX\HrQPY1`e&z&E@}2{\u@r-04v80Aj6w6'xXD ,΍>ƹ1#[y"f\I_oN\P])FXڕ܈xtG"UG9y!@ڰ9r1߮{B:Gp8yD IUBGYƉr bqvT3!|Jλ# 'eR*8&^&S=,nͤQB9!ًD-^:xO;#OAp?U ܛzXc.)@pdv7&1Lށs;" %;w|yqՈo whubY,2!ܒXS|cabG\|Q sg2 R2jQb|S,^kci|? ᒢTM10Y܈~bH81ULܪ!D֐Ҹ?  p, ObIbx͇ZB-ڮv?j>r{\KIU|9jY>{ id YML2-INV}, `.J_[eF$p@7Je/>rB1vfc>˄YIovB*b M; ڼfo,86 ̅$*^b?J1^cNK:lZO KGCi3 c7a%~!NU0*CFqnO '+d髐  h^tl :m"A!^} MJPD(32pwẊ)dI#YͶ3iuk}4XqOm)7NgtFپY}SaS9uxi8[P̚BJB~ESa{&YJw'?.6Fe-8qTfabн^ sXڛ1oV^{:)>5^oCv])P ƆRf>ah+[[ظٕ:+ gmL*"?XYQ+tS:y]Bh>9fr_R޺*fU112Le/t~&"|!bU,K&x5tQ߸2ɏ-?p(3E?ݚkLpYI,۷\&ɀ)WWp38}Phw_INK|>7sBSs%A#M׸z.B hWl8=j Mv$3e^W im7g8+ZIL&xfsj>M1 )4*E#_ ;6/4_܃xXΰ3p#淭/Kq^1:qhx[RA@=/h&(Mg@G͛%6f*rt;OGTs: l>qƋ0U ϳ(,qWk'R^mOt 8 M,T6ARܳ]ÆʲkF&ecB ?N-B8V)3Idk( uD\]k=? >URGV!SMyYR>ڑ܁4I'ə7(9gCQk.Usm ]k!; ڃ]BNX#WSW-r@!chy ővpsWJa2tKy>f,?+-l@1-HfĂzf)āuR0X_ U0)p9&=Ӏ˶. Lj;qNLnVMnDj,gVo,#Evpk P%oN_; M%-•H(^hI&'$~݉N~Jj~5 b47 z<2u(vXū쌿(@ըyzD6A eR_m&I0ߣ$ &qDNctʃ V/duk(Ez^)zTvbΰ.9A1lhW`/LZϲKz@ÂM]htݩ}vSOF=@E'=o c˾*4e@{˪Wa)`G?4퓧>z)rOZPY [k%!|,tHkn:Mj/'0ew:8g=vA4`astk5FJ9ۚWzx/N= &C٥LQB.?+ڞ2ZWEk56U Z3j}MB:mFuLنwj$jK* WAJ X@";K냄mXT/u7ELxJ?|Y>p@+rDKX vN\I~MTZ>OYm*ٳ#wISf,b }B[p̧ˡ=M+BկFI(AH*ܠ;=&Dctמ~Y`G'17pܴa[f&<ϣ zΌF 8{~J%ްkJج%Hϔzx!H.&xf6"LцD(4Kp@o;Iw(ƥ2F\pNi2HָM]wS(j 'ywkSGqRhdDaUdҟ|l̇M9M0Rwpe$WM<]?b`j/ܞ 3{|n6.I Zм6.}J Z:ngW,+hY@#< P6+ӎ(_Bm쁊DRB˃[r] *JsLOd8VGڡW -.|Ix{oL9[8)^D(ŸcV/dF*啋.UB=<DrA0n#Kbnm@~-g}q}gFjP<%8&7+DlC4,GWs9wqlmK6zM(C7Dx>3FɏxE3í9dgtq н>!v/G>DS[}2q/yBqoO+feNqkQr@ɯVg1@b.?02Y~xp ܆º@1ń`'$8&[F/Q1z'#3Q1]trOm@.s gxqs݊;r@'q!Uձ@j>t(1_j:0+k0M-23J - kop<-d)!zE$'hP:iE*@IG`PExqIedDb׸A/1r9̕Cm6~.E? YaO =/꯻vBx@HHAS.>@-*:r累j %@JbkT7Rh#_ڝU{ qyĿ R!,~SĺG=몁0$#~Xfqf^^KD}*=C5=eRutx,+O=zS>F;)׮?'kM?j!`!Fv$ 8W1)i{8iǁdo|MjwءQu$j֗Vpؽ(oξM%S)[zqB6PW{w?3fo_]80Yk_nl}5&^1Q"W@Z 9%L, KG-F ZΈը>ʙ'|el&,4u<A1~9UJ0eu{(4EԀE/|K??AnRd3,(!, HӇ'șٽ<qQʰBn_P;O"{%ji#l'nml" V [S_.bIΟbKWTԴ1ɜT ~P`/H{fZ~c31oi;tUE̛5>G@3R/d%_ zn`:Ka .,CO=w3g]ȟ| kxLa$Z˅~/'Cj r\Tfqm%&c4'bD.ZJz3JID=aXt<ƶWߓnO\2an?ę75\:8:P+!PNv9`ބxQ#ʳQb58'*g*FK"KإiX q fwGaq"5xݹqHZ2 T7L Ųry̏DʸmKF[܏n >aQ4f:˥`0Cu 6lq-ۦ\}ʼTmh;K^m!WN{-Ǥ!]%XKVxK)_>CQALyl ڴv]QJ,[ 8*FDqot+"y 1Znd$-9Vv]#-/y1D=hz׿QD5vb"`ϻ7-NjQ>д̨+ vU Kϙt=m* ~^Y|UlJ1aWOF9)ӏt.ᧃm-* ],pU A”AX8Q,CVlw\ -vr@KAȓQc'bSVUspr߭3y_\V+ gU:B9+ u4> 2 ~oh3!Yt7%6qa&Z]_7@l'a׌gAV7c6=*;yIdgؒK,PU/Ėy@Z Mf޿,۠ '^4˜kk2[ab%OSjhzj,ʔZ0I^KXp31>Zք{"+fOg@L;9Rҵz~EK˻˪2g9_oQ3 pƧ: wGG`˿kXq]z?.#;SҀ5`YͱD Sdݛ(5~7|83@mROHFO K}Fț]v eƅI%1fȝ"xK/l]L5E(Aϝ<]fF/:JT:g> $7(S|My "6$hX͏\aj`9X+2MS|d+k.!vcV?M4mnVdŸP3QOP)"Fk'U>Ta>5p'MAO^ HoɅ2Zz ,[hv @u^f&c`/R Hdx)tΰԻxar|ٴҒCm?{QWNR}Gv(3+Yug u+aePL 2?Jc+56fZ-X-SG7 9]O)i"[PC. };́~ݴ::<|=/$k5!KQ[SKϳ?AMH t˾ۻ2 Tcΐ{ta1dYJBJ(ssL8;&4r,vc1'4=)C2al_vAnDv}JK%2Mӎk|t7zŒuOXq-c[]r"n0ʲE%E+gZUuyO F.\Cl‡y"fBSrII =,W<: kcD R\\F_=W^NjWJgRj{)Z\bDTNk @iҒqPխDc7k)K^u~ aq~5 T lIc 4 9@.z%_83oǗ‰˩pl]8R f=㸦5Dx*G1e6`ޯ\͕Gmfl]$ź]ûQI{!D$A[5Vi-fDF+G*YZhn[0ָ~V8P̜K?׹:T[򾰝7ꨐBDYB: Ig(QGa| PtR9nQ%Yap+YPͳ#><&P͑C )H:n`*]57-T N/~kmPC|& S@w-dnynĢF=s.1ܫSBխ7Q;MC)E.!?\`m>Z]U˶mc㣳&W_$}}|h0dSy]LtSwYVp2G}eDZ? hzz 3yCr*H"J:EB)'ksܕ!W m? ?V҂M*q̲izdV,Tph\PڂE|ZqoEOOpmN.Y-kQPKp`۱3+Ũ~3@%] Z;)l\m5XXUrH95۹ nA %Rp/zѤw&7`E3at΃+<ݬX^ /M,nJf{r$ٹ $w " }EҔjzcu3'g./_w'h|U 5)z x31XәJI즫bv:>p7q J,+[1Ac:Od7zQsÿ\%QHLa"YǬvW(&)?1kˣSJGi{ %pfKHfqK k.`7|(nLJ b!FOUFQMVˏj h"JfO]Ck_$EMW̱&mNs ߒZ$\(BԒPW03S\6|ULAA2,!%kWA.# V!ʚ#X産(0ע~R1ʚJ}ֱ۷όLc_,4p;޻>b[Y벎>l+G؈ie DJuB]/D=7F(yٵ u7O!XJ ,GW8ΰOK"" &`sh@yuzn .,oÂ*p o *WÜ{/(@I4o`в82Pvyy~2j0MNi(u47lV: <*PUC&)9J{y (9$-A1KG8 \}u}Qkw`E!>`4Zh:U/S+ vPε5X͍oPқa2F<\![рBt3g`:fVvq^}v>'wSBs1lޒZK9">"\zPj(6XvU͘ލNdA$f=#BBeYdgZ<hBQBfyglnԷ}3L 9ƴ*I!^#(BǶ\|IɲV8f0-4V7G=b;b̼v4`"z~U6GΚY~3\aS'ҥجQӈ&iW6ga P۟]ڃ^pW$6+Oֈl/i,Jp@˷À7CO綬VhEwt3q)Oۈ^8yM^)52[]XF<4HPy0_Mܙ%Do 2jT$5b3ےm6LW O!N0D5%vtq#~oQן<2cmu˒ Vo"`5s,_t!}#A|#VPbx}sVCtbTJ_(_`zDuݍ5C (UqEMq`7֨ K788v&'tOE9uD]gi]E@[['i&-wxQApX!sy7 eO/}2 R9z%TwAX:W.lv!8-(b֌⴫T~dg2 ]?[aqn.=~E/H gqBhIX^;zdHr#0/NTR)`KOF0>}=f '-_JsKl|y]zQ1B$ޚ滎SٻmLc*2~Y$N1?Ե:l87/(mƨ#ujF/B]dh˽6'OwZB`\8êӵ"IJ3D)HhxbjT)!CIFkSBLϻz89\,:G(ju _'huuaO*/FU!:Wmr4yz6\&aub4D2%&j:1\&r1e/(L#:dnWwAifbfhȸ: 5;@؂JTT2ZxhG4E%d5>BN4E>uٮ|3ՑOK\6^~P ͜{@/6"s4xʦ)qKy^@DRJ*fE SfU46`_&(!csVжqkk/d.6Ce^d$dsHx"ZDz:n2x9R;:!CWiP `f%Dk?Y}QPPY\C%tÊQ_Lp*RW$x<4Oc5b)wt_>š4ֲ +܀|o!q:[%aq3(ҵ slⱈ͉چX7W'ŵ R/IDf~<.Z3}u0I ]&ofx]H;i{kpLѱJ4:FǛYHp_}B@0f+'Iw`BuA0s^Yv 껹>;}Is.-1_?9)"䳍l!o{竼hK~9ݡuÚdp\&M q&Ȟ_zx<}ۤkpK{\X:3*Bo%}R!ՋfIF5$1@:Ѥ l~Nxnff!&׼7 (5z>WMb5ԃCZQ} #} $^Cg0 =zŴqv@ψC +`K51).t;Q$ X \URסc=*8U0ALie5Xю`4.[/[kk|YZH.zyĿG!e)a'PmAW"qaorC>o?r̳fGЇȒ9V P ]!eq$e1周 HI}ļ[ZP_oQ_D:k #!I?3 sǝrD{ޕ(?M2 qZdߨ:R,/fc؀4^neF "m=mI>1ȴO cn~aw*d, %Y7K7<.3yUongfPRYKp 7ͺkvbmJ)C3rfj`%S ); _piV"]Co>Πk€X,^N.*6f0)#AGWr?ȠB}xŹnNEׇ_$!Ԥ%Xߛ0KB.b#/^pw+~Q9B֠u %$wA 7}nm4O *\p&aOOsZ{JjݜVJNQ%pdDVȶ^ T^&I5&>.(z.#ؖ'bMQI\SO ,&  Z̖ >=÷vo5cĽk8J,pwFkD\g 7U晭qoQx a&_e}wmưosb {# ^k%\gMekw3/. AA|3U96 $0NhL;qbZUqΫ2 -[9ۚbN7P_G~_zi \{O{<+S rU\׎/ƈjzbnmm[8"<2e~\r̭&˧mn_t)eq S~tfBQ'"Q$3[(_SCV7A_685Ȁ鮒'Y-k50QQD,rk) ~'"z,s \RP?Bb0]Ju;];<ͧ 0LT LuNE"bfLfGK).Q|t߷wq-5ĐHۼ'vAV{MԻd =ܙX~עINڔ*~Yro)C#ٳD z,psEII-B]dY w筚Pb FB#uװkGv֥#fKXT'wO`4V(3sPk 78q?%i 1i;JxNy$}Fv&\kH奜/0ItFͻ BHFM%d4 F3,lzv~D}NcOUfMB-1 =yNJɬv8cÞh|P[u>-J:UϹBL mr$M|iZc v1OBX;6d00~eRHq#BfS谆i; ̬5G iVYa@JJ}~[Kڪvؐm^_R%SH?ѕNL*)<# W o]w!5d;y_MU "'۱_7)]H1:|ϴzNZ24e&S`> Fq4KEp싵%Em}jY&ȀWیn(+C6=h ߋNc - 5z|c_`&lb"ip9-A,2C[p G R..݁v; /7g3-þST1ذasdVt P{q8SW&TdVH @<r@Zg lA}Ϳ_Ӓ:u ȦWv.ħDQ1i:aK=jrkPx~vʣ~*oD}+Kɱ"JlzH @Dki=aC&'IuIǍH6*ƟsNї!W|Q%gզڌU$hq {Q̌6e4|g2J:@73"n-*ʺ^1rNx4&;9h0h*ZYȘ}dcDq[[ 7U8]2 n)DxSdc/(Ĵ/CqAiG>v2Ēt JgL!yFE%; Z-TAB7|ҜU{vil5>VPҾۅ` iW[f@CO<#mKz0 5 3h|d?N{в5V.`m? ])x=}?j*31"E dŊ55v1`;zpvA`}յĶMKbs a2kN%L0OAȳ< ݝfiPϱe(#hĘpd)KA[" s*f<^ЬK:/d4p6Z9XEjA.6#Bwrf;bԍm# 8gYqy_7iThq4g>3ȺMa {bSz :[Eo:>o. hNs%fW9Y%̲# #Nw ,l %n.i*<Ҽ|r%[btCow_W̏aG*p\٪L՘ P{u0K"Obgҋg>"d@s e}c.llڿ|  m~. :ki8aE`:K2-!dUtcCd'w3jI#>CJ uDXWenBE\DY.y/V hE0)n=/0:fjET`>= e8Uvw9KuO$PdT9u tn{Ng0D}da]w*ڹW~2δcn=(?:߹ᐮ atns[TqCR5O+K9B f`nbDS]/=[K þ79:C9gWD;ta¤".-DRIAx+%B"S.SHT,BGh__ cs-o"cIpufL=ީsL@u([CɈKJoE^\=cͰ.>oabj4~V'JCwRN!C+XU_u_dz::q-]ϑ7͝ V6CA" ';gLpZhJ@g*vJ{go KA[@PP#~y(Xw!@OsǣmK=-}F݈Rj0Je^.TX057iD¬.+u):V<-^Q8Ocns09Pp[|HIvhW}\Yo}^ ݳjjq|,&'kjvPcu.dJL wy6olT YK] Ta~ͧ\̎bD5{C Ky,>ͤ/rq-<?JiHKI64ːF}ǭ0?]I19rЌZricg~᥅Fڽ&x Ό] gz{FZ%Xf tRif`Pnt7|#,7c}sPva18 !+ P>(?l!NEKt%/J@N Rq!N"Yz3 NTL10h|]4 y̛)=dmhH/'a* z2E0k Ò+nD%e!tj Օeàʽ3].szmrZ*ar;ͧ*&lSډ=,Ul"V_yQ`]6-q>qFa〬,9_daJGH _e:؅^9HFpgs~gA*c!T3vaw u{mkE)L̳3e14y%?—=7g"l Gzn`=DM Y隸eݷ$.z@ƞe9`JaLNtN F ɂY+fdd#Y}̜lBhiQ0ɅGa0ٓ#[Έ(VV\ȇݣeR֘z/BX<zK`q#-5Q&DyY<K6hRp\9;͟=ި\>Q.μK*[fVPrT ՜d F·/P^ }Tz`B#8G{NCƷ_E#yk( .ڻ"ڶ2\A\#ǸZRJaw=zXClߤ:PCҩWjn /Q>ٖas̓*uI:|0G\5"Ez>5"RBr5d`s`9c/"? BTD/RJkۇ|.I<3ލ(Ͼ^k'x;Z _tjCʼצx83*9(iQ)FDxKߺ|8Tq 컚 37yŒ_ LjenX,)) *y8=N Q1ۖ`2 P&)gͱ<#in>X2ug1dJuHrzj}A E#/x=kOor."OmcK>J絝Q-/@ֱ0SfyZ셹 _Qw "&` = lo:9S{2"9GP;ރ{ڷJXc< ڕ.K |8ahRҎ\(U%nV< X$4cawf2 vQvkyam}o5M&X;kc--> Ě]aQ$UsvsҌMd[3xY-֭$绠d&÷y]v2RF1! 51Nf2:G2Ec󭳆Rux|4P]FqVMfo41)w3 &9y[j2\ 8ȩ+@ 6ܡgpU \Z]81+Nی6t1:$X8)eh1]ﮫ>rd?>O/P~P 1rk5X~]W*z\( 7[A!Ì &?pʬvYZy92{>ܥTZc/0>e"qZm(pYL>PTO[Rnܕ)>=QvIlK;v%!KľkڲG&Kl<(6g%l)qw81r:L -!TYj'V{2rM?_mW 7bM•%vJS.zlFA>/i:cgU'G %i7>[,[`( f,=D|lpmY`(bQn~^k\%WE1((v]S?w&&PeTɸ6_:cK K:~!-dy38yS̶Z7̖?2Jo n,URETREz|eGCCYs1y*SWl~{VfjHN_G DR,ʀ֫lt16_zA a>Jޥ 2_Fe(hZ^!M~;Q\*N?TߪvNa^7"Llm`k k?v>{Oeob0Zb1}cmZT0a/tU?\݆}%86 庹UuCyl&)l9yV"?Ar,|V* oCM\b+˽/RrʢuPhh9Hp#Ms{Y,CjRSbxˎR Co#ֳbw {B/6SklX1>pT1_kpBT0|8dDqyGk;̠_ !ҫcA&uw}D C hy k'iv?W]S;]-N HvT9*;9HBJcӶRU gZڰe8e ~79oݸoG&H9T1Ho CHP)W'QC)4H7_jUO 8+C31-[dϤ☞3lG$W_Ѐ`/|ڍ$ vwZ G@LHZ [n5%H'tP T\Od-&@5l/EXLHgORvn6RnqilM_+}6!Pk\KoGfY }^ffSeWdQs:c_];ΰ,/ب1V;bJvO{HFU.jjVSg25򯊒 +. X0P sQʽ3<>6ثK}Jh2C @|}^4ta]EP%yqLx>r#Ϊe:~ʩ uKFէxl1}r6fS PU{S1:$='U79x"ڌ"Br/_7/b R0_xlY_Eµ@&[ l]8S~Bǖ>(o3mۣ'pe!Zצ:!001c(v W<ƹzO{xCJ VSwG<듄yds8a30mCL#m Pf(ĶJЛ>⪱t ({f&SPc)Ƽ7f!$ &WwU XfmcaPJlB8%$/՟ T*VrEٻ_I):$%5FIYSqB6<;[pk zYîU[XT,t" IXU7F+T+˃T-秞#U͵{y2XȻ^R1&Ӌ_Rdz)#1SwȎSNB9wX:Uqm/^d(Vbegǘ~U>I74cg Hﴸ|7D  [,\ h*]ROf+?J,@m{+Kmqs 2:ǚxѺd`KuzΕm=sЃj4BBOt0|\pm5eeQÙ6*a|Ga%(oPiuzն?;g? nS2?2qt U:H#r<_q'X 4'D֢Z0 1U$ԙ8+QV xco{AyGưȽ/:EB?#3/b 32] {U3>m53N\ns!|rp xbUG2HckG62ÀY, ۵_v(\xr>&mkذXyF*kĝI3vfO#66b4{F]ʠL1c}Rm=WLȨbxˏ_'lH:v <, 0A'|*렠Nق &XۭYANwD$G,. آM/H n۝(#6@%.=v3Z8"%"/A65[y.dl?)零 Mt<2֪?rSqqwM{L78~ґG=Mm('}I D*?%qh'/VSp߮k!rϥ] ȿHo2b0L?Q5^o, |qA/Wzx3Q4)"D5<d$;hـD>Nqgޘbރ*h!p2#fbGaCvFţ(%G kC&zy C'oPP"/M^]W;G+}d7蹉}]h b02 f5}c1cÞCӄ8[&oM|VOR>LSΙz,}@vq$%9c ]jS⹉^!'$@D'$Uy^-y *)5#~7* C7P]$ iɔ4a$`*ȿ}""dJ9<6sF8V΋,ߚ~e',|lk@A!悗Xc@mMЇU'lm 8ZZb 2n1pƚkȡ>㢏p ahx8/9we9ҳucnO2ڕ?/K8Y "C \eW*426xL_O7lY# (ŸV^$<)hz7Y/E!%d AN -=w,ymr* sVa3yaG_]\Xd 8 pʫip9ύFY=Kl*v!V3so,ʗ3u LCN6W]n*{"1 ZT_sAz vOXQ;,»` 6 N&po 짲|mx{tz4AU¯ں؝j3PEf,k UxmXvy6cuv^,sʆ}ȌEkx?&fIl\Aeoq:t{9B|,7e =UVK[UWUȮf%;$Qf&]爪[.,/MoȈҸRWͷ3GYq-t 5H{np<3qßi#KzWS%t%,L:S{hxZQť֮X-ј6B>/>&Uv6L汦P6755m#6Ws17.%X6>24 H.w0rr1t)mDFEM֔fJ0PX3>֢r$ärn<}V)g&k&ص8vjN\G Š|UM C+>3ȻسQ[a&~Q˰$#)d[-&AJC-Hi{I*a0z t WZ?#}0$rdF(L5 ^32;, ; 7eF~+ԞKRگOh%pJSSÏ5B#愈]cP L9* -\-U|@d^+M=kiyFUx8S@BlY(N$ɨ5a#qKGt)8GqdQ#Đ\u~wSFi08Zs]G.۝-BbGP m*Xd{>"3gsn!UaS8aJf$$ĺՔZq'3ylQhTgE9jn2lH$ a8m% kP ߹ h\GdsUT0ʃdDbnG%ڽ&XfD^W.rK=7jet% t/=8tR +UCXu@c8ӿ 8}kՑC=LZE'^EWxhy<ěH#L\gnR2qx9R{zK:7EÂv7}fxQ>N 4&U-BE@_PD,5ʪ&&aזYdDޒGSaxU1zS\FVR +oOwpZ_~booz !>%\IZ]Tp᫚ T'ZdqϘ݉?&Gf{L|޲B&w"']G(~Mev膛:sm6amS!r74`~v\[pLq19)% 4^ L&{|-֘ȉvXm^=Ği >վ!mS}$6'$f~O-%?0+>꤇Ʌ Zcs%18 +^XÄB; BHgqY ^spkL+p!B7ξ,veǐN+ĵ8 B켔I*6!+(_vn ]A"uqaL_(:̓JW`fд\gb) <}2T큝)51۟J HJ "g%nF8XmL9^&Պ4QdW'A*  p LIJ?}F6.W%Ѳ5 oxTV9Jy1J (OMnUxN`fkNmtgխ(.*duUڑyy\ܚ6D미-X+tdYRQjQX4#6u ʠb_?,)K̳GK]2P%iP*"/)njXɓ`1Hfָ ;m.QUM('t HdX6NK?:);wm9uvS" VY?sLplue 3)Oh)CbٺV.א\uJUGr֏7Nuz>"X,ܓFi=L 9(Py#{XFAduL~R.A6Qh䎇 K]`Qy6a.QfF!^wůZ;3 {KN,] \YYb.L{8_q;((p9_}affQvn (IPBsPm[r ?T%)S>m/֝PѪs5NZvH YuUI֯d-t-OTT `bF$SU4SWU;u5.oԞD1as/vG Z=lipANC8(io?1JZh/l6h9'Ƹ46<|0b?SA& +_6R)()OGId!p݃F[W-;k ES 'UmX+ѬpK0*p Ι^(. mnpXy?-긼h6"h 97MVfEzPT8oXJ5t+ .{ѣS~ʗWM`I?9>L}{dq;`jB%$<^-W.C' 5G$`؀mݡN|xmZN wdDG:Ԗ/}xeg 5&-V p5*85C;CӘxuf"㽖$MCׯoچ 48j͐yyi^e4Yk; RLG)C1ƉK\V>?z ڳ_Ӌ7>t6;ʄzf@è, D&~ 2-YÛm %!o6)T^Ld8g2 L`ekPMt'?[<ICFoK{ kILn?,@vdu>ac +A= *'zmUMtinpn"(;_%c -c6yn H.PN^f# ,YD =WUm?{%©vGPȯF;!cr WvnyhSG[J:Gοa,lzqzR ^$w<]$F2@[KМ%>fW''X8 Y%I%nOٸ#Z"V UX%rWr2ΗL'̦0lIzG3W=gD9eL]U <nM: Y:vkbP@E)3D?ͳu/>7_ƦU`jiRsV9HVmX Yҗю^>GRoDhqj=QjP8†_$ЮDw1KO4Vl_qN~VT">9N)Fmq'BrJ+7'!UYbc1!hׁ9 wd\NN=za*/C1N{%JNwǞ(BaV%Bɒkbl u;KNY:tW9~t3daʒ,DM5a>e"/al2rkJF3+ǭqi(T9 ֜>oc,) d]lbM[!)hY*E9}4twE{z>3opKaz Q_S[4Y5 ]ĕBNGb­+\@@o]*n ,nu$E~I\iXLƇU8'}uˤHrUzwJ` As~[h@L*QMMBy^^:uyFA˞@61'TN’L!r?C Nd`b)c%^rfQ*dw^VC7x. ĥɘ)mǤ3"u3|c͝a;+> !_jc+L0FcI=g-9慠Dq}٤r^FSs=vVmSɔ?2 p0J[8 -=:``S:ڢtq\ XUK 7',&9;;koQPq/O] [u<8$ %-t3ZyD+ѻro2HsIw{-stiY|~ ?;se7,{Eg ,_rCcH FeuȢsG1Sbނ¹Ot;ɳ/YeX,SŨ3;A!NLZm=:$)xP]D̺<`k̢FHSm/x}]D2U˯KT\sܙʍz_&j&|fʛ,ÐDiR?'"F]`b][K׎Fh2J27h E׸Ү)#ϪfZQ8qr Xܽxrt,~Lnծd|ʳW,?B &r'*]X'z@*3)؄: EώYbEއDW9SPamg8,APoNr|@?ˤ 9ݝ2gDn s!AbD52M/!$H7g ()V kFEItD X7_zZV'Ocq.bbWARyOYNx@ׄB$*YcgŖ>6ۀFG= Zhȏ,\ Ҧl,^e _HW{x;YX곤~ 8I $}_ވ᎐w)[B`i@IeKZ򾷪{Q+Qyfp[K ck54#k>Zp5]eO~l6.7 ZPbh,w7&վGR LmunC(b`_ށc*] ғ_u]WP^ 4R^wM8!q)662-,UHs {Ɲ ߙ9rZl _w9))c Evָϡ1K nlB m.'eWLE $*u|u:VHe}^WDA(Tf|%Cn^T_A k͹MjHPm@`oY‡ dh-JZGu)#@ōT:Zj /ì-[V?X8ٟzh$n/Q{Y PCh*=1|,4}ڙ)&%1ʁP@L=]qǛhL!]\3kEڂ,:2<Ց1޲3۵o'\_sǔs-J^swRIf' ︎Ws@踟O ;@puaODAW5~$P*/X s q=y (a"pl>KLJidAF: IU({# Z=}j,51D`K] [ϩ%(ג 3!Gң 8ܬ,HcޝO%J)B|,Fjt{k?\"& f@-Nwq7*wVSݙɲ < /Fs{ްAK}NE[vrղcX*6WtJYBe=_}_>Z|P°]q*RM;Uy`/NDÜ~DL+QCW7 @e>1 5dĵãyi"ِ3-;\&@5 @BA[8mʢ/e\9fW 0r9f[b7drI$ ]S0-/INc⨪5j Xu|qasCgzg} Rnמ1ۀ:k "Vi4 TB|QKU_镧2N!80Q©^^1I{ <bttߖY#Cm@[/S~sB=Ļ>n /)!76q+{\ #%.zAnŁ\no'erfOG@[䫆'fԘ"U"#I# _л_k`{wLk֋=ПCZ})(! 1fO! ˘}he+KtӢ;T׷mEP!(o|BǺy&dLYTHBՎb;tو( NSTckv|Cl.`0n1߉fw=i3Zݥk@Q.E\E [s ;PZ(EEB)H6SdB(WtBQ,* sHMCs4Í}P ?៷{m>WQT:ypE1|fYs4 u*>^n=l%+1 G='hA[.%);!%iQV~mz>P+c_4;T=NG`4G©zFkNzT]Ԝ}G|pfY(m]dѠzN>F`Fl 3Ur8kz{:b]Lt|O"pvZ_$lqM¤PYn:o#_vcgKsB Ǘ@t3Xmrb+BF=Ta{JXԴK{r [bW(Y8.ntNoX 0caE湻}*/1/Q ~?U/Рŧ8Ο#|>RQAy;d3RA$NynSąJ&\~.UYݮp޹S?!(G_ͩGi: s/|>aeHLʢ%F`vn'F[Xnے o}'86̝OC/OCo44]$oJ֯Ip!zp)wbnҦ|}8Uwn@V,\bץ }& QŠYLq]y18Ruіy-ȮC˚J.5;mN;*/ZlT Qs.̲)D /<}R?iD(%+CLp 8Jⰷv.djZtCi߹%P4_tWY=' Ru NZJ8?gwƗ](P', AާaUcI%I J%6 4m/M-B=bkw1حC4kͻ؍D6#Ex/t0ҩ'768wuKd*W$rܩ.A_ib9\ ]g'P\ mPtPީ&z30H RORJ2yGb6fou矞 $ξ%0ghݵ/ge~K0%ADcڸ켡Ȳ#- }<}Tƀ ||&N]; .@p@;j„"ugI?8-L?Ә; szpD:ww(p7JGx$. UW%בh9<Ȑ6 A=We۩7#drD29T8O T-?'g.tw5~鏛AɰYП28Hg}x @a(Iȷ({t\vi04\@5!܎Bs &"g8WRdnˉt5wܠVM<0Vq6**J͡I)lS_Gkoh}Aw6/ , +r=K wUj =CJ,% n0vTXʈI09l%HŇu?I$x0U^u)^?4bx| 4`ʪV̬[eI SUR}&'Rt0"MRxݬ=S,P!b9 Kje͜mm.9xGql\?t34dL^|:k3"af=}$=#[cD$(ǔ#oDTNtoMi$4O\XiCթIu;Jda3-4ZVgӡiJ8f檌mNis Jo@,gd]d1} 1hrERŘѵuMzm8-"9Ƅ1fG +Ӈ }f;ƪJ1[soc1}Wuk.\lt M##Fh&p%k¶f9ǾN+OG\WtG=*hg5j.°ۍk=#V?*Uah~n0ٌSɓCZcinn\67 &A%J ɽ6XCQ2gӧWV֛}umyR2*Z|4[|F&ՕLĘp. ,o^*BY[<z̧Os. ކK)_T7Dp;>m5?S8 E_qJ P|TC&UH lh'졊D]1gp(gDV?MqcaqG*K)3u"1 Lɭ܃$p Խ_+l34Qe&G"AW 3.`0SuƢLe0,llsZ1﷜58*F 6Aı5= ߋ<NcVJjb,l>Ix eHG~7x;bB~~**AiD~`JUY]!7Uc HSX Hn51]-THEUCݤAՠ)(D? p6W7pJE_ jcrex2INpM m)J`01PR2DTBOeFK G" ~zU}RQ$zF$jL^ xDhcskҼ!́|nK+ZAS/Xt\.jV$D%o]|Re@_O-wۍʄ+7wp{0DrdP;"H3x$)ΞNWzk?F5bmՙ@8f9Ia"FE4ڼ@FklF boyL r 3劯KUș(.SDuV Dk"FIQNrKH1u+aM jP>fٵ"Svy<5Z*?ڊ}J4^F? L!gǼ1v>7daQ?fXA L{=%S)"B҄Er]ShS҄<)вtt`uk?(Ub /<ˠYg/#fYY"*)=fPoɜӦ>ӏm[sVgojgQa;-D\ZDp~hr2TKIi1b"nAuJ2MSڌƷGrs{ .sqFK=*dXl-^=q!Q|ZjC+lL +qik W (2X;! ^Gz}PUMPRW>* Ig~:Y;FIڬE*[)T~]|#gPWm-H+JQpl,,t$ĉQbCJe/5j['5<4IY6 V'Yc2DW~lfi¦jMڻpp_g7f=P ۘ.aYCbk}#&4u+ו_dΪN ~J/U}]^&jDY3~oKJ^yzFğZ`p!,A6Qz0%960dnЖk.R6 {s? \1wٵZ'±DtJoJG )uY0p&6jQQA"65׊Ө vQ*Ý8 oDeiڣ(ml?Аa:@WB7K5{]לv$pBVuiN1F(m?Ր3*gA=G-s$sY@]q)@[.U>UiciS#K4{8#QגPS^SѩV=zֽl%iAe=T흣Dӷ9VX^aP#R2|HT?`򪖱w]߯4>ɐc?GA9Rh6=#6\Fj'uKV%GVJ#J66$ uJ,)ΒVމ9ծUa^O~ŀ}iHwK\Rn}L,Tf/H(%*{:06H.xBV80JČ\ԙZX.6ݓ#جc*ί0x5L=Sya :C7`jM{ 1rwg b`c S1J)Yo6BǶ \m UqL~qǟ#NΙ"9 -⮄g )84-Ys n( DL?ES d?yOkqm S%URgۋ}pkTlW(8n`w _FIc3HQP.~2C>ʏ`"jVOwٕ.ZIQJ'|]P'׿'LRYUف D97O-[?;<D4TkZG;?=Z? R"217pyW;ڌs؃ "3vg$fQD>[;FA v#4Esŀ RNoN^d7P\2 XF gx~09er[壃t];am9P^`AX{A>|dr̒kB?@6sB [~Ҋ;rEc.,CܐCptl:X!TÓ<=FXXi'eTXڶ5z⠂ 1.沜!N]Zgu?,YMꮬct;p[9.|jBQE%Sq(G ?aESAV7^sosކ9CWX_}tvcx= IvkK4ƸW8C'%ْBqr.|LDzd|/5PьN`ͺC;W~bJ%rb|N: f$5K mUOhqB | P0.dko<%M-l֖/׃y`H2$yg1Sbu.BGu,?'W _~qbёPbiUT}0HsE_zM]62/©pX!OEꍠɞ.QX-v?|w'(8=sɑyBȑk-HXҡu{zYZvPghX،gOu"+apԣ YPq*?l>&8]VU[Jm/O-o@:  'ޭ7giKv~~7a^gpsqLL0•%N*Վ4(ˆjHr(qD7!< sMC SˀuL JG10k.W :dpXi!OT::& 1M4'g&qܗQ-N3TQ8YRFE'gJV_> ǎ,Ѻ#0y(RNN}p.Fd>u!CW^(2PVNar!!<hbx3bHCyijU;EݓTVX3vd U \ls=dR]ó0W)ZUycxZt`2M_np1ɍjP,0kV,Q^!l0q(ݗW%XYB@, نX[-r Q7/[:&lTQ.`td+B[y-xݣdžnF;)~ }=n/כ8cgtd! >;XQIqJSyPV6cg ~vlHGzZse**~᝘0LZ]rXB$G$Do?w)aP9Y,Hn$œݻM^PK!IWDVP/;Hf *!Mm OiAN)CX.ϰW;පkj{('3OUM{f.Mu2!21 l=䱷?OVU&LK.O/d)b@\s; U~l=ā)S*I42tKS#:!ZfYfF>і[%ŋ 7tRꈦOQ$Y,aң~W*FOcݴ5e!/Z-3}}0JYrnW]*fb2f%hC.A }k(Y>+-ّjpfݎ!fzxHWd\dWk*9Ws@XS2Y+mHZ-ױ_W#%'qa30ED  V{$\o5-M`<6zߚwX:<lĿ.KOKVknS@}ґQ4DJ4(B :`Вdp88Ƈa@C*أr|~ zwwqw,{αq(hNf,v(~ /pK8yYIBgMlXxao4 pQUbt30npZ]@ŷİ7"5tS P&0j-{*%Ŗf`,#@TBB (MdX>.ө~NM>Tn@fP39C0,Iɒ3msq9ul-.yP+ZݸLތP{?H|:HfNٹN7nɾM!ԝ?R,aҋwqH[8E+A{%A1$wxU5zFڂΉi d`NϝC^;O4wލ#h#׌>YjK:~EaքO.KR+ɝ9l[)wؼDZ/s!˖|^`d@(]4i8'Q:N5Y^uXLq,mqQ$IKI`zu]Xk,ni.—av,nǯ9.:7өTNIEBǺPv\X)uTcUKx6 Nb nS] ^l]PU<" /7/; J-11= 4?=LcKD/‰^c, ^<]DvV?2pʈCw5Idzjѐqbx^*.z[mwثӔ:~ekWXepYQ]pݗCgVR^{a$_lpfMb3/ugGɻI:JXa8X.81r sY;$iyc؆^)%Nb<ѷwϾ~8\h鱖=M o±dZ`c"v)p;rq3k A#`f>˒luU Do;wFaBս')n/;hJ:aQ#a9u/|0zޙ[[rӈ}FʦɵPFPj:vQy3QƹWE 8 qQ; _HuA/0!{.^p%vi ,q4V]0s!֋LQ.Qwˏ6tbTRD[)!Wvh ((x{5ZO z MZ.FG=3I[n9Wwaۣu4`y/4)9AYd-rJ nAnڎ4σ"ԥ{OpԡRJOX]f1|Ku=EMer#u Ѹxgx }2=MxDWjA^du UEB?t){utSQ64*hfDvW1zYN X*#jP'-_% PcR N㐇Uǭ~ej 3A=y?Lzfu Չ-rU4Fq |ODK{˧d)7ՓǦL@aΖ {q|Z Aq~8pbZh;vR4Z\j?O+ /jH V<>f/ߍ4ta\4 /tʛ[Rrq s|R#Q[ov;[s#4#,ηc)$E![<:!6K۪=yy_ Lk|M+X]#ΝHIj%yOχORqly@ɼ|V:˪MZZdVST'^эD},D\RŠsImÏ[R TqLwbX*X!4\;pv~!i-3 D5GZ.CF$-oԽC^W#!J8#KlkI:K~IɄEG ktwBdW~8%4Ĭ+LihUܫx' ,ado଺].&n0_ %9aDXc"9l芛@J Hg7JK[7̝pS2ǫxi]:&`9:Q@:!g+Ʋx_+n0?k"l̢[\.]Snp9pDʀcU-HAyeޥ{ն$s^un>]|t9C'6Mc(Ҁ#ng Y+c f[ۆ0I-dʝ̃l.s6K lĞgX"Ė78>} W~;=m_{v` 怑ꉜd.N"rF;&~b5o0Bj߀WN<̹B*D4+(o8v.<&-n&q]܅E,ϩYJ` k! vI70Q: QB߳oMl:Τ_XbD ̽ϔO {[ kXcP?o"(XS|s_gsЧikT)N'²L* w!F%=(^-Z4r+^&|KQ,郻JϋʔEĪ/JWJ7|M:}%tۀF-6vk?)[:xtjyj^kJ\Aם{*S1 nD9I´Y5N4c٠gF{_?4IkS^Q>9Jy^6C9gB9O([ -yo !ԞFDk̀ڧuIjHgLtUC*Ę'J{x9jQ{p+H 'ϸ<~Ȳ̘@`in(0+ĥF06hgΛ/pn*RS *DlROktb#ϱ/r6 }3%U9Vج[XXE_'`)]kt[6?O^x5cb967h7@78x ϳm+IpmP:`RΒҌ %4Jw6QjP[^mAbgyg /Dʸ/NKwTi9'-R1 ÂN\ZyqE}CRKZ7.K0`QHl픩`S ,h %ks ėoM f-l7TFL*|l{N V-Q˸=/j7ńuI[Eؙ^֬{/$MKuwm#hOsa{s,pUnWc&8$2xװ+ԦRе;~ hҕxaAeҘ 5`G~~:Q w˵{`_9d8Heu=ԗ-KV.+4uJ AlGk ؉3T!ٳd\ۙ'vI[1ʟ/Ԅ)%g0Y`menFD0dl}\(foI lGM$Aq[Qt ʋI~M؈N,AV-;~_XɿJ|Uc סE1ܳ]/d8 P?hHBѭ6wm6@h1EU;^Wx83ޠ"a2СrIPEW5ruBt#HhW_O(O(Al4E [䶀 ?7]K@1h>O 1 Q`5>lZA]lh.Ήav c!- {| HdVց/92:0u1hCݒ*5)Xe e/ĿZs d"g,x80hZWQ셛܎Fwx3¢K; JPzur/-+zZ ѥͱiD[)l X4'=Ot?Ze}(HƼpf{BDEmZ'Obju GA;K.rvW>-=lU  ϥZ)_[.>௕Q͊D$Qݼd^ zWyٞ0gR|9饷p񗽮,80b9 @\Ad%Y$A\dfLHJ=(^~oR. lϨE >|=WXհjJTZh"1kN f%ȓ#`PUM Nf W~޹tŸ#Kpȯ֦FkgvHK`SBNKg~}3}\'fJ%<.M{ ރWDїT/( QX!O۾vwgK%tXE`[./"ݱT*TQjfԥ%QAT"FeeUE d&th559ű.5ezZAJ'}odN_V @1'$F@)9lG0׌p Jy('5vB/9Da`3W >'ЕeeK^v2;ZT%3M^ũB|A˱5GcX)3 rsq|DƤDWTr:l,{7b~u1.ǂ!Q*~wvTKGۭГX~O<:@~]hӻD_Ff?R`t?sT~zE>ic^d0.UmVX56'fwa1lTRO1ByD\?7:SSYOse!IO x-1Mr tdQʕvop0(ږZAu~3k?kf9(x҅ | X6WƮqӳSŢcQJR &\OZ6_dF=, 8R!ʉ%e>Fz {UWQyᏡJ] </(d.0 ^#l<"1q6ICI s}4J~? ;)Ai##x.Yd}tXL~#3>͡pn;̔6 pG+`7V}E)aQ=3$CkLKLdo:!Լ ?:9|nCA8>!0H_`t!sȕ]MTT79Z9( fK3bA;wL_٥5@m µ |0h)S+kl+8 Q*u}gƲ2EZ":0|6pϣH`UfN!YR]&`:5Լv(? :y;#QQqw?zu@msh]™bmzu;G!!Wp ]av/-TJ8f⾫VMl)3k A6lkJo#ptCLaPd5:C}q-*,yec U,bPCa9-F͏A35\UIWʰ\B vVºɚ#nf {Fʡpo("hG%ޠ]hj劌'|h%T.Eq]"<+Vz0xA"=ڢ' "v-d̚} hz8)2Æpd$f td1}lXϿ5"0On.3U1rDY្>6\hL_ Q=g^pχ,V\RM˝VMLhcn0Ck1?xDҜZ$S AC` ׍~D6 I Dbk+62,ޜx)>Xz@9k`/qĠq(pW`%ǭ7H0 iޓX"aGH xfۋדէ+i41'+ZRK4+T}e<@iE"/=kE۞3lD\c9㾍82JcGTh}l [ 09{wUr\%Fo%I}ʔz(F;u5I7k?@?U 2*M /d 0Ijw+:ؤ3%s@>q^F49~sP7S%vsȟ|PB.3&}4İ$%p~<_h;P4ϷLv~s * esGrQAH$2؉Vr(0*D 6 @)-ЍS,&)1Èdu dn-f0L1Y-7qc1"2!_XzMKjtYeU/;i_K}TGJu0n*0xAA{퓬o!"A?v3J\L%5KƧS~Ɏ17`u-mXfK=wӼwk2 7%+g8H%,K5 Qx:\SRL.˟B%v@v+LD$)~_񺀁|C<$ P[8cw #T{;Q'|iq3]6SڭDNb#M]AޥChDG/:M8<- lxGK7:{ҷsx{/`# υ)z::I>Jrvҙ4~+(&ZeIM.GHi dp %2=hU1\]xf8 ˆ`^C[poo+ 74>޳FΝTݲ:nBsLR \ʢț0==\Jw|^Z#2;X:*?%grϒT( _oq7E]Tunt}( e W-ɉ6 .ֱ5TMHHPqA5#2 TcCU?G"Z*Gj]9G1ݞ@^[ h#W(t}8#vSز͙U@FzaiEg,M".yMn}l608NPBA\k*{dT޴@a{32{}*e+s=N\w52^; `Bgu!1^Z߼+1!< |ެQ1.dE9bjqCs2zchp\S Ǚi<ތXT]ak--@qp Qo={7O_QqeԦlh$#Fɘ6}-f"VZphNz Yhd]Qh(Zɒf0"t1px@<Zi?;;>-.o3 ֶHNae9Z 29Cb\3n15r3LWӨ|Wثb{sfˋe+sM_1FRlvIvL⦾ؖ ӟBP]j]D.m޲q< lY:ʘ[StCut1;'s-HTqٳB 4$oC?Yܕ팿ߠ;?"6qcFzsDR`zLYSfQ_~f@g 7ϭX^BPKI @|Tq$7sA) {ۮf6VUoC1!,9mddd'oVhu>ha Ƣ;V."uhDu!WKg{:E><2בBJ/v)#ڧNpB݄f4x¼Ts^bi` DjGmy?L8р,pbC ֌%iM K> ZKa{ݿ_q21l|46t\)W@`R?n1lV4Kjn lvSNsԖهuSW2ξ8T$ˌ'WODz@EXӠX &S+[mUxK',{t\j7?*_ٴˮP/2[h(:P(OV_3* 6M$mN&cxIB] )iRYNF ,'96~dBOyln1KL '<,&kk"Qjs]\#oK@4:D+9-/-`e"\@!>Ptc.kR/,3\ {1mF#9Gunӫ02md0Ӿ)?cFoMDxo=dtPG=z$Ye ? ylPoRsA;%Ե:B wxv?W8IcЫy;Jtoj{_,eȷ4bVUt/=Sh:z+]x$K,S1Y 6vSd)P{t`+1,]fR+{~PsTj^Cyvgwav$v@| l)@sqV2k7|)qEFH-͗+vc~Yp:>t__KtJf)H?yM_3$,IDuu"0pG@_ ݊5h27 )Qވ1Ez%\yJ YB7ڣA2P.EwzwB*.#u?mufE'4Z1kBE9.Š@x P9Bmp)[fws"ɿF/;V|rR\P n1)5Z R U#>> p%Y~91@G/UUD۷3N!d/%_Q*J>@2dC2XF{q WDLBu(;b8,W5 @x}u\M.I:򅧦Sz ˗ Np-pex 츯 3czn>fcL(fgSa\':_u0q.ĂS^N ]ySpWIv6a-eRb,I[kdC5xnֲC2-bcj_'Wi6PEsTbv/>ͼf #`Bqom1ћCqHL \kj ^OWbVu@*S_5UrN*Zir&Ъͯi'cX?lϯ&ys8TQ)aɯXbΦ6cㅔOFw+sygd77i9} u()|Jxɾu1.t-떸S@fYyJw̫[7BYO$h1#}FՆZ}a DmT4IZrxX0[A$Q+aPx(Ëz f䂫n֨5^ Gsg̏dXbO]L6lƗY^D`:oh|\ ]0CŒ>Jy7u 1Mgt2ssG?f9tٮTatAxk6*A<6rowwq8 jQ`e613FHCmX[/RI&vݢa"NJ"{=?DZ9 #wT~a~-aPu|XnPQcNwpnȗ%OV!0*\0 `h`]5/i >QnJ ?[^CpM\~'砎^>ov7psi`R ]YeCP ֠@csOd=]Lʓ,?c$A8h[/?7+9U3K0\LߚRHzp}L5 N9mShx;K4(tq P>;|ڠC0S;+c0e7FR"$dmW& qҹw^گN* @Y9H9D jm.“ ~x[\ Iό0s`aU8t$#ʢɶs2a=ĞӔ;(D+e|]k-[* 1mbq_ʒnPuP: vҢyh(?]~U:ȂR o5`ԕ4C% $"QO|ٻ⹳65E@"K\Zndd$u%_u~ϭnx}.r>^ZI*_x }efg+mGn"Gm1VBQ!+zݘ/, 9jԸx<,@G.te톲."*thkX$ qVyl,M8D8>+6!o1FM.yw+3Lp^@I#ګ+o2N@!b5`4YxbY5||~i[hxά}M0\ץdXJ"4\g0`~0UvZU+u{DXJܸoR`]_*TA&-_WN Sj1Uc aIT;J+.S Si xgZ:o}ynqaOGP &KՈvC/V9_!3R?C_NfA~pd{0fY!<^¨!b_RddЊ—ppʼ9r -lDYRp}0 _|PcTE jխr1EaeMNRKh`[v}8g= c{1~{0WJ假&}`v[-`bFQH˴] 4'R#\Adeb ϳHKc{۾A5_ p 3^5`4ǎNg7< jkʎ()ޜ,F>CmȔUNp#!/tXQ>6#T,ݯZM_4Dķol>[,99/']|f@U'_[ e_ٸȊ>ņUFE_R5ZO$hQP'3M5¶P&۷ʰs|F r  $uX`͈5'B%btsZϥIe"!|)d~j`*nIݘ&EFq/^zWk'hwW~!WO(a/]["zke&dkF@TuADJ$VsT$nf2m ψ6~ i:ST:7;,_'0InNNn<)L?CYtX1mGs+ oE e1?A,b:8@wI/?Fnj&}Rh߹Ո|-xQ\^.:٣;4Ҭ ,c"  TFTL{^ ]$Pԅu=tn%BݹlWj}yL3.t@la[@,*7OVlN xlt4`tgSCoDjzVkW_7}8V~NOʦkօ^?P}V2j[(=| Xkd!BцҬzƠ1`'@gJ5fg%cA[fۥS79㋷d-"=tW& 8"$ڮ,<Βp񘯮$_3V0/+GuùQU`J,UuVk?  =lP#/hW:1'v&̆#b9c9Aa6(A&^SHrk=jq$GL;sԢ)4ԯ;r0?Ti/|9;e9K\X^;4|5-_l `r]#F/wvY|C5808VԲ%Eև^x@urW/֟:+ .b.D4TNt5y_6hƗ0_#[/NUR fq!kmНzm<.,`E?pջ`H9 ^gߕ^ִh8BSfש9{@Ӝ3ڒs:4FA'#gef>@1.cSyގ`+߀(NJbsKs/RY It1e?s׆tv/+sPq)7pݡmJJdvЎ:X;PzEdxIdd~&2GԕkA??6>/Wzck5-0@p(tIzr ὺTP F]5)E1E|]X@hf s[s I<ِk຋+B"5`A>zϨEZUYv+".lun3#+:K7c(#u tC>0 !#y Jk͊-9NSzZ\q3&Pk5C %[el x!s .J1)~v,z؊Ɉ31?ыߘ_ Nu4ƥw 9ܥ/; ,$JAN -쁼ɋ^ PYfxSC9".:u9D.cuew'&Ռ$5X3F~ױB\[%+ mK1ƩpƣZ}$Wls."CWܕK8XȂFwPa/4!I(dPc)2(znR}xlȈGJt7 6 uzĨЪx<0m,Z7 =|L ZMM-#W(7cG_ zzq9VS>l`P-[f:ܗ'1Tyw?z'+>Fxs۸QW YOQy*Σ =[3ί@! 4}_"tO4ZEuD 0hxZ*`S!&y7e&|bgw8L69(J|'ɷHOI!r01B]9 }ztg.o XG{nQĞ? 8kZkRKO}9 1٩ ǭ5!9uÈ3-Hn٪c.`T=Ⲫ*)- ;Pڙ1<9m:fuyǡXBMP$J1BIQ]1U cu;?cE[ڴKz3A]]׿jJz4gqĒxU0}e"B*4gޮ$Z C<%)]P$`o;(uͅ^Ɔ-DȘ & -ˉ1G3 (y;0hjj &1ܲ#cOvR N9آ% ,mU/K#iwW) icŘxmvn+(m2앜 *GO#4=T๖ci&cK_ZNj M6R{Fk%qސӣA_cl?;"$t*Fn3ʾe:EƋv^6 ~ƒ DGQбAβG3Cu7UfpIGLPJ}*ɓ&ቶ5p'~ \g|8-쬑=.]Ul&V _Gw ŴHj!5'ŽnHN75]RjfpOӽbqxt-P{dfd7co^ 8ήoJ&{xQn #cvkoGFc^ETOPa 1sN%̨c9gB|Xֈas+OSHR9Ug`9: + 505IwAyf]ftC5YL8lͯlZՀ?Ԅjpᙝ&@ĪD9Ԥ-nMUB1Ed::&cb鵥.İ"dЫ$P[/8u{g'hi ^k+ vaV*&;)e$ t!u|H{|"\=  _v:aP-I5D6 @n|ƴ_jObHcb ܨ֔; it9w(1ژcjU{yQy BP#_KK4PR)汒H_;d8fV`aVgșa[a'q'Ƥ*ƊPt֨k+) w<.4%ʀ]I dЦr!C9v<aGD)%sԧ3 P۵\/)CHտ7hjN\1A pJXhR%$iAHrb9cGbsDUX  jִՂuͣ:U@= uL1^KP?Z3(ޡ%mfaq<ut8 ۮ̥Qt'-IڳŎs HxpG"x&9xlWd s<(4BƲy0މ8v_Q1T`A ϊOw"M0,9QZ/YA8-G*<߯1u=a71 QE7N┹=Rswo/bXsVCN mȴ5qbXl`DŽK#`,"uOd(#߮v0VuSUE>-o aA0k5)ژr^y cE:ۏIicD"eE.CDM@ۑHLb{Kл۞fdѸ1; mc=CNyN2(o8{|H&&^{xb^ râ\ a(ktCjZq^C~\IQX?($Lu _{"˻5\jL*z,0Rxz}owTeظKiU/ %G몿c3 h \|%[)O9Bo_F.O`mV61>j.7@ɰkM)haxDKO1RG-!J.&ua G]ggǮCJ t׏ 7ptOF~ο'(7D|; "kaӾrqVm=G׆:/M߱u/`ʯ0+4.k5yU~O6yuy7h:csY_EZ=b'`ܥx9# 91]S:>_$Áw" p&n.e*ؔ _d彧yBH1'&_v 1l)kD?= ms4M=÷[ƥJnN[>E*pP&Vf$\j呵kr-X[1hJMj.l1Sc+uϛNl)zBRpB^z[ࣩ/Ot3z^Ųx:'qEo[lZQ}f,1]lJ5%jJcC% Nu}sSl81dC-Wnż^$U;iu;: 4=aD1ZsvjWpېų/Ѓ??Q=Nxg)_x_@6Iaque4AcJb҄qWGsy6Bこ,xQ@I[oRx[*҇ ӳ\ BL]$* 5tB݉-lNB=d=(L׶*` u$hMI[&iw ,ʁ5̹,\2 MɈ Tw ~17e`Ӆ4ΐ)ULJj'V'^[l_* ?׬;9G735bO^d(͞" əɕKBc?| zuHy@>K9y_Zp- *!ǷҀSfw0ޢ2n@㭥.7W ODŽR _ 8CnERG|:O};l~wTB`SbZ+&y}6%۴Ռp43$%X\}ҟ*AkkRڂ=N}ӳpfL/\֡~MTWH6,8T6qR=۬<*k!o:~"%=1issLXNA3,OU{bML0ZAUtOh0Ju}Hr ~3=dj)%Y;N9E񠖧QW[N~(:^D)WUxNVC~n`R *BCSZS79H]w:*#JRI$3>۶#R/8 r!$ "s:8諈;FEKk=u,kv 9^M­ĶaudV']鉺}B'f˹'ܦ0[󔡮!/@ik[xBۍPQěA;fcMnO\Zg Tiisgc$jZ\ M65j7T3 y{94fD) (LFE]Ic=d>y?BQ0T"Q ̞()HQA䚠rsҭ0[;~jhJ F3:\+Rdڈ+rFw.n5p@aEו%Fݑ>t8}݄rʃ~ZlC=lJ7dr"x=~;qA V;ufFjJ hb+\Cz{dH)W,*e^&BcyuBzpC&fIZitk+1 ۪3Q=zEXRЊ((fY/ˬ1gzVYL 5#)-= nHp\\yV85B z"sz,/6-٣'6>mF6tp򖪱+M(Ydor~Maҳ&q(k5)ް#쫙b?'d>]rC8K |d'&kv5=`,C_ j#3j3. iqp E ]&9#vВ*zGL6HjtKi.„ǝe }w p8`FkmޒCP]V[ALuztXeО}; [ xyI;9WXb'-79]tL #%o3l n߿݃wb_iOJBL 9nu,ou8Hh_#`R#zsd] 9mZKBxJȖۭ͝ɂJu_Wg}[jiH*'<DNp-"ybFm[2^HVl_s`^v)$oHJ52ڄؓ2d!epjOe1Jd4ozb8FKQsIg /M`^2i*6׊ CGA tLSij wBmSxaDwMot֡3ʶ^n&!4 1 ,_/G +<D`I5l? Z0)yE,_\Z K+/Zd߬X:LJf:N3%/3 (rq/F\lfooWcg]kyd_j "ZSâ4o?jO[pW7dȿXp&$,BEƻW]'ɿS!L#cXz35:&^q2mXv \vw2J$GrΙh<| :+qjT~ j֚ځCj̪MP 1H| JW.@lOm`>R7f' O\K] ŌzHŞ|Kٍ}(=CEv͞Zs?K{Y=^@֯ڟ,=a"A90t' yRE!W{ŰL_ʴUX=cQLsUVTOk}\rk:[9֪H`hzŕ/q>_uM wv8GVW[>..LE >FO渙CcێM28wSTMW!m4$G%*wnSz%mnӌnL܂EB{&GIYg7d2?)߻`[fRx賗cb+O=3ĽnNk**hs#jO`sCڟq"-H5ɬr9[ !] [ /jpbtO:xEEeJ1ߡpX$l}}ub \w ?j һM\qjQ)!<' `<*j5D0JSozvx;tpx(GÛZJSAN[zΦEVգn_gu^q˕BbiHԖAav()}G| '`;OeAŔ9%7 Zp @Xm#lq!o`Z~5dRCag+H*tN@Xp {at$1eSq B(6jNQ;0 lRE͓E7X x5x<28ێʼn!i{بڃeI^+[~0 3\Ns;kSig 5؁?ѵI$"-R+mSP3 y݋FI\zլg nƆ_h')L^uwld@bf;R) TPFń`Nt=9_@a kْ_)BP+X6x1QQ;d(?noy͛|뽿Q9]uę&vL=VC] [Qjx3%xF{} (lpf2^$y18h7`v@za:.7hjԕ+;Pr*Edsx0_ I eh mkA1ܮNbXu{%$#倫 _"J b_~[G+M1{"(׉xk8/Ղ.#4%,oO G 39/`F=HfN4Bk`0ڠ̆qPJ} ^j nAERB6Ҋ5L K x~sclx?{fni8"E ~`ڰLCn: Ȧv q0  D1# ?`*G>+0L8t1z,}Xv6}SRr|y7&`t^A[e ^%c? "uƿ `%^O^\τC+Zle#"Qщb?[8Rc֟vL Cœg< OVrhuۣ:F]e(/$ޫэVϩKz c!YLnaayBJȣ]S v KuѶg'XRCٶ2r@߱36*#@Ayuͦe4w0Zsذ96Dx+[:u`85yt@FdiYuT)8A@ |qk{t ,^n`iധ#FIPu( ܎] 0 pu)vq{z#9w)(lTC|$tR|LBպ\M>m A8 :;}Vݫ\:Ő -4. @ɣ}_ I5 }b&A n5|EDžE4w]brDӵc~FleKɕ^KޟKKAJTnt.RR=S9p`lD YP88Kߧ] x~5oq ],Mg<++.pr\E6;Jw TO{:+^MǃIv}^.iHQ E(6+PDr^qBSaaVؐE}| ۙlQŋqotA>]PeB]Cr%xԯ 2'IIh~Ww_ؚ0 F:=>1=Ͼ;x!~0-0H}.R_t\gPq?Lazo~/IG|:mcDaw;e{ {:=MkhȃԐN\5am~`cE%.{oS^Z F\]P+@lN[Z/a0zF 0hY(:)`4ByaBa<9eE8 e(,D(Tl"JBdh]+~8\:Z1!OmŠvxv"6R7-5}w J(@(*A?w|nj?0?Pç}\쉚p  d1?(&tJ=;>(,e$d1Ea+_':$t+J{65Aݜ[8#ntrXP"NQ<-r"7ƺ[,{?xxSkvI>C(*c,~l|&B H9cw5T=p`خ€wy%5:h wH<ڪq瘁I+ݥGAīփ\̼4IkTX݋S&@ nc)7_?Z`OYݒ$7ɞ_p)r%7B"H/Fypu*0H`aN:77$WmZIk!˘<<|Q9' _%c~a(JAgsCN?!{GOOEoo4cvlc芉qw(X#"1DǞ4/H*"YY8~wvQ4~&Uh+_ t%JeW*R=Exq *x!+/̞ߠ P{)䭎>=3R@w5<8w:塸BDAE@>^0"h98G;l>6};]'ѻ_2#ÌlcYzI?ۼC2( vXN_HneRϧzG±JpO2x P<^TpV fk0KYZGAQU=@+ {hditfy=ՋvCij3yu{/bz;D!Y҆W׮R?7ei2b9ҫ R2bG'qKIg@ Ɉzg*OvK̑b"\nL"84Wہ5SiuPb ELu1\**Z l*Җ#_U:e"AccqS=joDKvʿ;YVd{l+7eP͸P"+?b#l(n>yCF#}鯾 d-uiŨcMn_&) d4Zʂ)1ZН6YB/&KBMgrX)b-Vu(rHjVVǟC$A8H~ _, lm|CkрYSDL#UzfoZ5e%˛ڮ#L#zH_̽D1w2^b}pH]=Sb`T\:@Cװe0ϣiKӶEwnN.{@_']!ɗT\zx#`0$V3y[z K^>||hOpcDBP l3i4q*@/ ^J:o&>v#Vfb"HA~UGLQߋdS^e 'ƪc)Sm.ǓnvŜ {oVyqg.Tv,kb ؞a5Jn?ؔ-ƍhUZLoܓHhA.oj4%t=lkW luJe&l)CZOKI)CBBཻܦzX-W龼pGB…˽7v*΀FV3QWdUCP .ua6}` &OD{=Ȏ6x>A37EQھ 7:L'.)rS0;(qLIW/`Fqc2Z+)0H ]9TȢa }7[zASpc&mŲɐ,+)3'E8 ݎe9:m[E!A?d9ԝ!g*Ku*Z`W?!:8H:f@ 0%%p$`֫eqlKNQ sʔse:.aDzo?(`3WQl U $ #`1xC3[fSoէD_GZ:H֨U(1h?b"fNHW9f7oŠw T`.st5$v5CZjRqV?7Xr5Ȃ̠"871/:SL*6WcEbWuOвᰣ\L2`E DT/v9om_JrHR!~{ =ig +/e[193$Wd<5^@Y6vZQV;mp AEU-6KKAk{%U=ju0r=:Y:cgܽ؃#Tg&H94=I#.XX?9VCG!bz{xMVPh?E IzC{Ҳ, c -^ߟp(]88F,u"m _ßG+!3JwZJ{}Ub$!q,[f` yP/+a}zΣH(Doh ;(hE/I`8WksSv泇_/ dpq=Yǻ4KZH8y)3}tYƝ6)鱷Wbukgawi#g#hعVk0QjMjL 2z%LN85*&S2rm ٠߈#oʿG.c7I3):XFə3-QnuiI+@ ylcO V8[ӋѺ,kS- 덮y?}rg. {ƐX>vM^S*miwvurg K̞A }G>` qX@y:Iĸm N:]d79(h4rMR6!YW7,uM\y! [] @WtGξ B/v=R_$\UEpF}"/} H؍P n;io󁞲f~4өDۈ 5ғb|4T|bI!<|D]h_k1J:zC#~f59H]) S%vx s[F],ԥB'qi;Fl&U6R!V~PďY[;}wl&Ѭ2i{J(h7ͤU_1q#7t- g:zU:dU=YS NwYK[B0oٖyi ?$Z%j[s]@ZV=" ӣĢ/,sw皬vӲͩ0958 G}Hw.GDtpvNҦnEX7JMii`$EbRyPݥ;^,&Ʌcnen$Qɪw:-|9~zOPO+)WZp͔QksZp0w"%ېWMq } 4 7YINKVA02sZƄI`jd9| / O/te,·FT[%%DpG!:Qz;'/{uL# ^˩"l,\ɟtF`$}}>a'k^qUOPeaQвWw[FmS(؁y/3%aW.\F׉n.\]fF`h,{IdᇏznJ7ozF@l0b=6<[ӮnsSʻn*Nf+ؤEd,:-s#*6M< }gI9aƒ28Dve;Nl٧vzb:}{AAS\0[ ܎=ʉ3zl׭JkDFzQ@'x/IF:3.sϭwj ;h<UK膈Ěg4bt'm;8p )4RCuvE@Ll$+DG<8Z6rM86_ۦ>gN"O9i-$a@=¼x!].ca1:QL] >w-t9БwωM͠xsZ1e=Ȟfv'z=$r|k ~/kFsN[ ׺rM|2K8)LֶI^C#Pvn)a}nߟ9{,ihQYI~x,(H~6{|ώV:IB3 e]u%Iqܗ'|bd]F0>^ƙ-U`Adu^$g(R=Q[+$ܾY%Cf0N/DoB8{P/YHb$4F)|!d`:iɾ׳uR*v {FmS搆ctn(w $&荏Ƞl@ڨ-bcdH_Ԓ d4}~k.M4F"uۭ ڻ±$u ' -;\m5N(!ϹCBѣ,G^QT 9.v c%6ν]CS*ܙ˄g\,2Ȭi)T-S.cME `DGK ,zsTm:~()cjKj@{6 J4h_2А⃞jZIͯ5*zG۬Ỿ+YK(2ұ]M-z&^&>`SQ}THc4i -;uaB1'!*(6y}@|03+ ݓ wҿ@TWA{y*.#X'=A#F`چVLJI}Ws}PGu:s.a8 ʧ٥>Dz9i-}l_KH#[q)ĐTV3aVHfl?(O hr8Peib9[eƲM( ռ$ [?ܼB_'8`}EsԥWljY?Z݋edIp9m\:-$ٍkY+)f/"huuq>pn6u_O>܏`d &}]ppM+}~]1/$`om揃)[czKWܴ'I3Sjwe?mk< R,Efc5aT^Rsp%}Ubl"=&W<cf7$=:iu296iGUW1K.=],aB1A+`p<49 v 6\1pWz%El ~7܋L3]5oȞkՔ5\ͰxXb`xMTï"%aN?xO2I-⥰ HJwoe*b*ѪucxuҞiMy$&P3OɐIYͫDZ^\e` Fi2ā7!9J )xuCcѢf0nqa5MnFO:. UY뭆F: -];;)bNo_Đ$"&d XŋC~  s"9b Eg7\}u+kG~n!YpDWÉv_dPiij ky%~M,Wf+$aDBr;BjX5Q0h/PZ;))%P=Up;O;o{љ_}̦ vՆ FpGҋ(oe3)oL}RMA2$}C>dtк 0{Fô[,bI)UuLk&5ZOl&'OiCwA8J^!^nR"VfU?re3K2<egZ~,c ьGB.7#F~% &ݲ.kS,bZh?" N+G'J'IVr3O%T0NfL6~IV|/xjai0ƫѥX&vRtI$B $M/ '&6/H# 9?kuhfixfʨq4]?VG:vP(?6ȵ&_gynߣ_wj47H^Sø)pPEٷsAn~>$uD=Cȝ6^FB]gHpP_}Ұ4Uc:0e)>E؞1ƛy't R\p/)2] q-+)Rq ,xܼ+gPŒ N8,Vb`Ilt}55; 3un*|eNZ>j\p;F c/и_S>~s&)1J>S_\-9Y8Sf ڶA"Z'$䙶Z=wihWpr}C&-'_-?y2ʠ)/Zl– <+l UQH#D%9n*O/i!,I0}8wNԓ:N.%EH;}/r )H;WBBlY3Ato29l]muQ}87̙)G{E B;՘ΕSvsݩRN "1Cʰu26uU-"B?H@ R%2CDY 01xn[ 4! 6|r#/;EʺĪ;s09y5mV'V OHƪ+/%8D뎗IdyOK#^KXo\YoE49؁/i:ipx5pB܅q%Ō`tL)KG;/`7A]]ٛy HS 1C&?l-8OjoT{"Z-&>:'쇤KMQB K] ZS!&9`+릡i!ޜkpg24@aӋûu.3y%p%$l0MP'x`zMUmjiÔ8W/m5 mƯ=MN i!W ;V r*>͖SIh|xk\VK-@feaT\.>>]Cܜ i̇sC 䲛}nC}zB?UQ;zW$g]w춢\ y/X{,PxvC;*#!_dHP1 kL6 vXu~y#j V=77Gƒsfz9OmF;. 6HRJpjU5ۡNoB]ߦ'ۢ)ņ'vu')j֯\ŠLP߳f;ˣsKв`#ghh!G73"RhoK.k1.# Nׄޮp<;9>Z{h҅NJBLo~8+TI}QEhJN&`JK}d )L(M ]MlO"b.,v`G&4~1 &ZGꐬrY1._*1%1v4'X8鞫#7ܕ_/ӑ)Ӹ51kL2"E_CFsk"ĩdo\8o4s6uV GibwXc;ny=%^TYM-[) a"0僚zQLft@ ˒.~^.nbqzæ+4e镇@KM߅7б&ʷ=;sͬnVYɞ{SlМs3τAUd _O,4Sj3_D$@&1Zf,e< 4H kCo ?}*u*[4ro׹q?rμ F[]vlvLE.A^sJ '4D&/&fEm_Ec|ꌣB/*`/NAЁ`̵j)`M81".L2K-NjWDjw+3]lm^ *۠|^QdDg~bFNRhpf5c+^>+#8(ɗ~GN*>m_6U͚n#4! ir3po8/!OG7s,\ɾ6%\Jo-81 /ː#NB)E.?x 4|\̴j5~ /D ~Yڿ FVW4džLBp@ΐEGNɯZkqb_U!8NƢ41kZdsؼy|rYbRÈd }G vT^^\E? o?0.ZzԞ`RT񑙊.eoR A&{~-{bu,K !3AIk-V>v7NxMG>2n#$Oza2 \Hj_aj8|b9M B^a]0'HrtUK W\W4JIs0&t \7<5 ģ90Hz# Z#BjR9ūD)R6jL\$JقP[%*~T.+іQUI \AXKs= ͘ T!v޾jߥ]ЧG6fJ27T.\hy Io" :-ՓhE]0X3TPqthkO}iT4.gKbEO */箔 HQ$!SY+U>k)20Ep@k<zf<و毵Ao>Ekw3!4X-)u䙌)<aUZwj ^iCmKhCqW*s'fӹT(ܹԧc>l&s6ҫ_XL+s4JWnh&2ajb fK#juֳLwkn] va'B5W]O>!`^4%m[Wc&o|r5 Q$emН::}KcXU@Q7y%?k^-ߛ1K ioYS-@izOZ#R^35哴q(ta'P3O~5E[_YŢ@V\)C`Iiu1@6rVQk?Ǔ,\Z닊c^,#.U@d5T!IJj,o9ꋅ`Xjao_; oL'^(=PkTio ke4/Oڅ3FtY]Z[+y[ S6D| 2!yN=) hDz+ryW:eVbc;VBNߺƋ1S&#&T?|k)S:u opZl{m Bp|Z~:b$fgjf?hkHI"F "[3fW)1@$,_|P0)U4̕zf-`kb`Qj|З@isŅEaۤ 曀s{^9{`E227CpTp*c=sa5v'WZe:Rs  7*Pg2 %'&BQmÚA*9/fI97!=J~˜78+HI^0 Q]VB|j4ŝ(2id"ߏB9=&r bS!sABYq=qNJ; }hL{K:rwЏw! mGi5>'H"؞FJ_zB?b6Rvon6(r7Ihak]˜# ԕ<`GVa K*.@/;g$]Q^`R[x"o,R_q߳N>5ogfX4ooB(_>l/<Mh,`,Jm*WYѫyŢsݛygKvIz{-Z㠈b&2Gh7t֋ыKᄻ&&߀SL\; g"hua0[a. 0{L@7FϿ65<ɲ޵m4dק2i:ۘh_zeN"Oc#ݗ@IQRAdbTXjq ;ѦzՑdU?> 66 ^:esݴ >E;Ry1'/(,+aMEؾh'czT]vx& B3p#(ʯpqu%oً~ oaX NFB/ij/0>v'лo^ېי0vh.ayh΁Ǔ[L;Vbo-QҿL⌞g_g1yn@8>g +.Q.x:%RY4Q&q+ϧ'HM\7Ȗ!fZ|o}LDkpM_u0t l>Y-"ʄ[6XÞ%?[e[ܯá9ZHnYb nkod2[ MC:/'2# š$8B&+O%Y n M{[m1m[#Y{Ae.O*}2JT?,16=+ -:]D,Uw+Ȅj %j?Y闐e4]v;`0+ޡ R1ԔG#$P .w`Y&ݏb~#lb8/Nj.ګΙp0aLKa ns&: O=~ViR\ˉ#/9 )ɛ!7z䍟 =iOw׶Hp涅4/UV^h1uc[xEu})?)a2z6w |'*l2~;kRث1#dw7wZOBy3m m^!#{7YbmtwK^;U=OVyHNeI]$9࿀xgxJjIc2PD@*=!n#F'pt{0i"bmjO,RcK,'ag3XPr9Wev!/7:mT gPAc <^J",(krfvA!oV>;}I>qF|1" "jq\9EKU?7JQrbq00vp'dss y)] w/Η0^4g n˟ļ]B6wOfWMq1Ԁ GX1h}V .ߠށэơk-fT8PFp~[)>)HeZ=iˢx N:5J_U%+#\YEBQhe[$. Ss:zd?W`5~ㆹ59{8)9ȒKBOwS)psC-ٚqqkac$ Pq|$"cBȷ f m?:q[Z\; 0fU r7:l 5<՝~,J+kdTŠrŀ%l7@UF&clN,a1f(u}g=(M0ۻJCĸ;k-XirrL`۪onwcOFX4OkNe>3tr_%&C5yk@8ĥl!;"-r>۬þ\@K_h @6hóI)ݷIуāV=: wϕȒ-K$=C4mh[T vnDw }T*o߄bgٿH|KTQ%f; ^':9.wRrP! RD*tGВvUhʋ @;^ӈHM'*}IGZq]Nk SZF[n,׍Y+~_*^m=c΅x #D5o%;]g LTmo*nwNWa7QF:.c>0>6שVο;ϰ?4Ra ♈pvudz@|=xf\izXrdIi&'  \;24Scw8ge&y.o8C1I@3zJ_V{W:d?1#ROֵ37l~l'eO鞨!j* i~/7fuf&c_>)Sk5 [|sDd8u[@Ha1' %,ݰVtUҜ17ɀ0Rغgo⢛ (O:)3jYx SmI CD:ܤ &@{W&,uWW^t0?+k["0W%kyG o꣘߰;heh9~ֺ-܌\Q𐵲'46ٷnAVG[ ^%tjf19rg&̛KtS@0KPxKd]ejZ싾p%نb׊Ԩ)uf,oCmIͺL[.тI%fEK錡ۿm[^WTQ_|q=++93J&ÏVhf(^MNzy_or*Ծ|'NH|Jr.GrXwS՜GIrT)$v5?#J'() 'm?eypqzXܙ`YVB0u^1p=VQ[oZ9!%4ủ,h."r:FYqD ̝}YS}Q$]٣%B7Jr9YG+ J56Qiu)I+٫!\/Qy @ok F:%SV&^MZPLkӴRaw^oa}bk\r`ttX[h5D՗S,ڳc$޺P<~uoj'B\wr8$aDz ۱Z@x:J.c-P[bo4o@堿sub۪mvrZqQ%vRC@B[%ʭ߳8źJAiY}_tk.KQ-n ˕j-tSRJ[]HC!Qͭʋ" ;BҖM7E,\ރɏ?FiHS|0?D?Nϻ|dS>rP^nBKUsF&08;xdƩDgib%|Zj~/Ik*B1ㆊ?^i7ks ٩fCk㛹B)5Ϛl$#_o˯.3/ ǮA e ]}9XS<}l Y6ga +>HB KJ(S;X ZE~*:I[ 5_[ٍyvxSx"¦#N722\sZ\y1/lEn[Ble:BUrKEr L-X̵R|Ԍt^Tv\jxM MQ9ڢk$; oxZ{ }Vq͸vja@BX-(@,wR82Ż,c @'T0qvTCr>4T43ЊF"t%:qJ]7Z fGb4 s .|r]*y@dZrҰ-p _]gb@ A]XzNQGPDI#EQ>_0 n8Cqyr ۝־}W6dU8<jѺWnvsD@X1qCBQy~O%q NvXW?ZqNgƽ,Se&!МB}B}9шqѯo٨-3^.`6X?PWX<tB}Vh+MCn_Dwe @@Hp[zVl~PSڝt({GD:^4 H!wӬw; ehx^u΍JH%M~ANڣWŌ#و#+ U\՜%v';|P'.[xVb%V*\+T*S< B#ߙd/P6.4GaBO;j#2qLٰYbJ𙼴xwmzCn+v#%Z"^a<|?"TaNWٶ˜$W$R}@j$.!"1P4vyu[ٔ*@Jl)bxJ(tکiV( JoNx_Aͅ 03h+.Rڜ!vBYI kQQЗ ۔l_0Zcw}:BzI;)aNS׵c!+Y_~\YC7|$1dclر8!@[`.&v?3[,!d*Z*aIM-t]R HH ,-mNXV;n4'FbZe@r WϔE;OuK=R-, #'4r Z<-=IzS2;`PxF u5 .cA>c9[ }K sA'c HrؑԊhHv,#gEb#ѲFr!M;k+ASӓ>!ZH=%utZWvXNCiϻ> ԍKeBP}# Y782z @z:Wi!Aӆ#.*|ѥZLK{%ć=08h>GWYxMQS<x^g 7?߻{|sŋVNKpCmA I#Z5ոTZhV| hpА0]Npfo&sn:%8[k=x'4fV:)YZ|H9 R$YwX_ Våv@>69V@ ׵3c8zp7z =z>oe2`)?Q32x6\jwt?`zkب /PBe8!\ՋS'1vdai)76yMIKe~D #' I4~i⾡Fl|"Wc-Gy5~vѱՃ,UcDv?-Y'+xיZ,v SmIhctoH'\z'pH;N4I͙o2_#,s^#A*j#n"48 )t*e;ÔyvTu(sw0mR%2f+)=a@owRx܍!fE@\p +'*ȇOې=o65(0y^+{UF>٨ɹ&^ت,0c``j[ ++Tngɱ&摾gX.$ۧ #6LP{Dw6;)9mVYW նB@],/6 `NWBIu[ceW# Vh ݝ(nvSCb f!(8N0c?-X 0 NED_'L֓qG:j-dJ҅HdNWa#BU:nsMulkRQ%v3D_xk]nc o#`Y \mI87AoZHQ7|=N-O ?@eVcn÷1q B=)lcQڷƝ X &C밃7)40k;1;Bn !)Ff߬RYb"8?ͦ0,{_NɳL[tS6mI)нʱtϫ&i_(%k!&ܦ) 7LGş"C0SaaE8.?KjB'kU; nX&2J8V lex.2$ \ oo:*^~|OkɳB>]l[ƄTΪ6! ?NImu5;/7]ۃ}ŧZC x1N!fZlqԑT.qz ku?@Uz+O/L.4CZf]IlN*:e*J~憳]1֯2rk#5E=oA}j9)lEF5!~p% ~Oᘁ qTb0`dh7Y#(*%haæ{.'\ ^six6{g. It_Xze┯8h oY MzQPb<575S>ÏnhӆP[7b#,PTagՆY/Yi9bhXyBenM0tM%YO.3~tdhHU_k`d"V1MJ:͐O`%+9q B"=oD)"= D]Y]3U7) `=I?G| n'Jلwk|\nws"ְ5;oATG"BݤޫS R%r. 0o3<9أMG*L !㒀m kĩiG,'ngllK b\( ToE~ oK.."*'R`kR¨;PbB1V(a~B[Zn<()p} #1;C3a\(i[0䚋2?~7a-<3K2HxyXO<Ҫ ͬ ~mŮ t%y\+fmeؼ5蟬-y'mbq9݅\3[,nWaz_|\]fbZ 4sԖT08`>!O$>5N=MR7,̻ɲ-mwnR5K3L"đ ?4Km; PKWiYeྒ=ՆpL.!H 4dz_͘~5Rd`6NzDZ a3rHRAf2fYx2z;Oe=$.!j0U+s#p~:5ҧj6Wd\$ÿ.Z3AV+X²Z!H3(#Evydw8qJu1mf3Y>od˝ϺZlk'r2Tj~I&pM1,_dHiJtGR 1A'[aҘ1d:U'^2X&p#+~$(7L>_'עiUi1mGzQ h^}o3`7AʡYS31Ҳ-iOQ(k*+VY"@Q3+iE'EMb%Zk0*R\_lR{+^K" 5N6KsEソ45'uL0kzxL>Zh+'vή@ ,$sHS)䉁8I9rUu3tYM!iUך[,6qřȣG6 O;%Ck=DQ~2#4=& ̷i"h%]ȓp܋,GPwL s?DZKiAPAc}2Nq4X_D@\<֥nu'ltk+!H­5XƇ)BRQiF)t ^NCLzE]I~yUݚN,/ rj)1֬$|>撜F+ȲgA/bU;o[ܐ}bWd/W2@!#``6ŮH@"~ٕȉ8|AQdd4/Ѳӫ&J:ө 3h) !nMs`"m&S;=o^Ly^ڪYkwY#j{Ϸ`,'_qEUø(SlXڳ>?rTJQ sHTp3֪B$FrU>'seWNtkeΞX~OYSeܟn{}ȟDW*ȴe[[m-?Do9~ iDxfMea]A⟛G5k(NuffkYwk>QՔO{gy 1e98 qG>aa0>KLփÓF*-f[$rʳ_<S#z"9\͂|ϫ9 vkN|m𣉆_z _F!F.ӎf@ '*Ev͕6fn ET!Xi7`o<@HGZ84Oc 'WyQm`?nVk` P顜#sIX'||)A@vK?Er<"3@fM$+]p9F~Q z pEK4Ao<4\k#@K t%14q#͖lEF0z` cek>A8ɦJ2<٫4&D]Vhy4XD|H,[O+61{V}$}؉Lᩧ=kD#\թc󘢲 r3,[/p* ,xRxOZpL-),N]yzk BFe^< λO WY(gN f37+m(0( t4OeMa%Tɒ@n9H~BKz@FY7SewIJxa%M ,!tFv ;*lTSv+( B: 4&~aum$ l]áRҡN1Hꭘ]/KC홽zzҚ8"z: ?Uonuq!loǾ~捡6Ms-NJ;?^/4p -lvEEø#q. 49-\W'p%zb p4_Ყ@\z4<#E%RKmqbq%XqS;F{7ǁzaK`5 4$_߾Av&~rpƐhAF@eAt[#HRҠoo⋼" FᲴBrNij_Hqv qE*`xr9A0utCHd]U =qD2 Z߫S'ƘhBJqJ{gFZrHoQlF(V[8u\ =A@l=g `'USBWmb JFL 3T6'6櫪#!UtN8ļdž_ULT`*}  YZ