permissions-20181116-lp151.4.21.1

Name:          permissions
Version:       20181116
Release:       lp151.4.21.1
Architecture:  i586
OS:            linux
Platform:      i586-suse-linux
Summary:       SUSE Linux Default Permissions
Group:         Productivity/Security
License:       GPL-2.0+
URL:           http://github.com/openSUSE/permissions
Distribution:  openSUSE Leap 15.1
Vendor:        openSUSE
Packager:      http://bugs.opensuse.org
Build host:    lamb60
Cookie:        lamb60 1589372089
Source RPM:    permissions-20181116-lp151.4.21.1.src.rpm
RPM version:   4.14.1
Payload:       cpio, xz (level 5)
Dist URL:      obs://build.opensuse.org/openSUSE:Maintenance:12559/openSUSE_Leap_15.1_Update/deaa9815514cc169a41a30cd5ccb4134-permissions.openSUSE_Leap_15.1_Update

Description:
Permission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.

Build flags:
-fomit-frame-pointer -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g

Provides:
    aaa_base:/etc/permissions
    config(permissions) = 20181116-lp151.4.21.1
    permissions = 20181116-lp151.4.21.1
    permissions(x86-32) = 20181116-lp151.4.21.1

Requires:
    /bin/sh
    config(permissions) = 20181116-lp151.4.21.1
    coreutils
    diffutils
    fillup
    grep
    group(trusted)
    libc.so.6
    libc.so.6(GLIBC_2.0)
    libc.so.6(GLIBC_2.1)
    libc.so.6(GLIBC_2.1.3)
    libc.so.6(GLIBC_2.17)
    libc.so.6(GLIBC_2.2)
    libc.so.6(GLIBC_2.3.4)
    libc.so.6(GLIBC_2.4)
    libcap.so.2
    rpmlib(CompressedFileNames) <= 3.0.4-1
    rpmlib(FileDigests) <= 4.6.0-1
    rpmlib(PayloadFilesHavePrefix) <= 4.0-1
    rpmlib(PayloadIsXz) <= 5.2-1

Files (all owned by root:root):
    /etc/permissions
    /etc/permissions.easy
    /etc/permissions.local
    /etc/permissions.paranoid
    /etc/permissions.secure
    /usr/bin/chkstat
    /usr/share/fillup-templates/sysconfig.security
    /usr/share/man/man5/permissions.5.gz
    /usr/share/man/man8/chkstat.8.gz

File types:
    ASCII text
    ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib, BuildID[sha1]=0c3ff1d4f419a07ee3fb91b027d9c4c532344b02, for GNU/Linux 3.2.0, stripped
    troff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)

Post-install script (/bin/sh):

    PNAME=security
    SUBPNAME=
    SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME
    # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR
    if [ ! -f $SYSC_TEMPLATE ] ; then
        TEMPLATE_DIR=/var/adm/fillup-templates
        SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME
    fi
    SD_NAME=""
    if [ -x /bin/fillup ] ; then
        if [ -f $SYSC_TEMPLATE ] ; then
            echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..."
            mkdir -p /etc/sysconfig/$SD_NAME
            touch /etc/sysconfig/$SD_NAME$PNAME
            /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE
        fi
    else
        echo "ERROR: fillup not found. This should not happen. Please compare"
        echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and"
        echo "update by hand."
    fi
    # apply all potentially changed permissions
    /usr/bin/chkstat --system

Changelog:

jsegitz@suse.com:
- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)

jsegitz@suse.com:
- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)

jsegitz@suse.com:
- whitelist s390-tools setgid bit on log directory (bsc#1167163)

malte.kraus@suse.com:
- do not follow symlinks that are the final path element (CVE-2020-8013, bsc#1163922)
- fix handling of relative directory symlinks in chkstat

matthias.gerstner@suse.com:
Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package.
Therefore remove all of the following patches which are now included in the tarball:
- 0001-whitelisting-update-virtualbox.patch
- 0002-consistency-between-profiles.patch
- 0003-var-run-postgresql.patch
- 0004-var-cache-man.patch
- 0005-singularity-starter-suid.patch
- 0006-bsc1110797_amanda.patch
- 0007-chkstat-fix-privesc-CVE-2019-3690.patch
- 0008-squid-pinger-owner-fix-CVE-2019-3688.patch
- 0009-chkstat-handle-missing-proc.patch
- 0010-chkstat-capabilities-implicit-changes.patch
- 0009-dumpcap-limit-to-group-CVE-2019-3687.patch
Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update:
- Update to version 20181117:
  * removed old entry for rmtab
  * Fixed typo in icinga2 whitelist entry

Malte Kraus:
- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch)
- fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)

Johannes Segitz:
- Limit execution of dumpcap to users in group wireshark. Added 0009-dumpcap-limit-to-group-CVE-2019-3687.patch (bsc#1148788, CVE-2019-3687)

Malte Kraus:
- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)

Malte Kraus:
- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)

Malte Kraus:
- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)

Johannes Segitz:
- Updated permissions for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)

Malte Kraus:
- Added ./0005-singularity-starter-suid.patch (bsc#1128598)
  New whitelisting for /usr/lib/singularity/bin/starter-suid

jsegitz@suse.com:
- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)

jsegitz@suse.com:
- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650)
  New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox
- Added 0002-consistency-between-profiles.patch
  Ensure consistency of entries, otherwise switching between settings becomes problematic
- Added 0003-var-run-postgresql.patch (bsc#1123886)
  Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve

opensuse-packaging@opensuse.org:
- Update to version 20181116:
  * zypper-plugin: new plugin to fix bsc#1114383
  * singularity: remove dropped -suid binaries (bsc#1028304)
  * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds
  * setuid whitelisting: add fusermount3 (bsc#1111230)
  * setuid whitelisting: add authbind binary (bsc#1111251)
  * setuid whitelisting: add firejail binary (bsc#1059013)
  * setuid whitelisting: add lxc-user-nic (bsc#988348)
  * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956)
  * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420)
  * Fix wrong file path in help string
  * Capabilities for usage of Wireshark for non-root
- remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.

matthias.gerstner@suse.com:
- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.

meissner@suse.com:
- Update to version 20180125:
  * the error should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247)
  * make btmp root:utmp (bsc#1050467)

krahmer@suse.com:
- Update to version 20180115:
  * - polkit-default-privs: usbauth (bsc#1066877)

kukuk@suse.com:
- fillup is required for post, not pre installation

mpluskal@suse.com:
- Cleanup spec file with spec-cleaner
- Drop conditions/definitions related to old distros

astieger@suse.com:
- Update to version 20171129:
  * permissions: adding gvfs (bsc#1065864)
  * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410
  * Allow fping cap_net_raw (bsc#1047921)

rbrown@suse.com:
- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)

krahmer@suse.com:
- Update to version 20171121:
  * - permissions: adding kwayland (bsc#1062182)

eeich@suse.com:
- Update to version 20171106:
  * Allow setuid root for singularity (group only) bsc#1028304

jsegitz@suse.com:
- Update to version 20171025:
  * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)

astieger@suse.com:
- Update to version 20170928:
  * Fix invalid syntax bsc#1048645 bsc#1060738

pgajdos@suse.com:
- Update to version 20170927:
  * fix typos in manpages

astieger@suse.com:
- Update to version 20170922:
  * Allow setuid root for singularity (group only) bsc#1028304

astieger@suse.com:
- Update to version 20170913:
  * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)

opensuse-packaging@opensuse.org:
- Update to version 20170906:
  * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764
  * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)

dimstar@opensuse.org:
- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.

meissner@suse.com:
- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)

meissner@suse.com:
- Update to version 20170602:
  * make /etc/ppp owned by root:root. The group dialout usage is no longer used

meissner@suse.com:
- Update to version 20160807:
  * suexec2 is a symlink, no need for permissions handling

meissner@suse.com:
- Update to version 20160802:
  * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282)
  * root:shadow 0755 for newuidmap/newgidmap

krahmer@suse.com:
- adding qemu-bridge-helper mode 04750 (bsc#988279)

dimstar@opensuse.org:
- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is exactly %cd in the _service definition). Upgrading is no problem.

meissner@suse.com:
- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)

meissner@suse.com:
- permissions: adding gstreamer ptp file caps (bsc#960173)

meissner@suse.com:
- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)

meissner@suse.com:
- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363

meissner@suse.com:
- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789
- added missing / to the squid specific directories (bsc#950557)

meissner@suse.com:
- adjusted radosgw to root:www mode 0750 (bsc#943471)

meissner@suse.com:
- radosgw can get capability cap_bind_net_service (bsc#943471)

meissner@suse.com:
- remove /usr/bin/get_printing_ticket; (bnc#906336)

krahmer@suse.com:
- Added iouyap capabilities (bnc#904060)

meissner@suse.com:
- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093)
- permissions: incorporating squid changes from bnc#891268
- hint that chkstat --system --set needs to be run after editing bnc#895647