permissions-20181116-lp151.4.24.1 4>$  Ap_LK/=„_I>S51hXⲙNNN.WL6?x5Bcm5o*shʆA\Q)>u4Gn%sVl eՆ1/5[B+>~9?(HSTϺtՀm:3 -4â\H7[<=a] \\s;bY1(%Q^koZbO# D}+S@uoG {́tcl?")b167a8b33019e3cfd129bd82f2a0c5fdf9f7005fec393dec4122e2a6f39053803e3166ed5743c7a6b0900cbc18c643e80ecd23f6|_LK/=„<D} ut[nGpN2 >*epjW7tE{ *ȟO \m͐թbO*{G^XU.zY# Z~@J!!k}%un[屟;޴.5D)◛ ̈a\}_EGw=q1RZneAbmzN _%px0w洢IXn rɜ6UeBo( 0N(p@1?1d $ C #,5 Nd0 T  f  x        A n   \ ( 8 09 0:0>,F,G, H, I- X- Y-\-` ]- ^.b.kc/)d/e/f/l/u/ v/w1 x1@ y1d z11111Cpermissions20181116lp151.4.24.1SUSE Linux Default PermissionsPermission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security._LDlamb23openSUSE Leap 15.1openSUSEGPL-2.0+http://bugs.opensuse.orgProductivity/Securityhttp://github.com/openSUSE/permissionslinuxi586 PNAME=security SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi # apply all potentially changed permissions /usr/bin/chkstat --system0R1U\v9;@큤_LC_LC_LC_LC_LC_LC_LC_LC_LC695fe6b30c6f66604218b2ebf6101892df83b7d9d43f77e36962e21814c56c6547df79dfff31b39ca6de5551a27befdb579d69605dde802611c419d391be8c0f254ecad52808937c3153a81d50810ee7e689d78dfc2cf8aac67cf179a2fdbf3bebdf3a2fd6af62cfb14d31d80322cf577adf035137c291b2811cd228d38600ef6b6d2034bdbee775e5a36b081d38914fbc59f56f9ddda3388af6d3ccbfb7c8ca4c443c871eb13bccba60d452394b74738b8398b874142dfac310df1d7ae6981635eca1eb5762d2b602f4b5114a54eb6e6815d26f10b5dab00cda67f2860ca4a32dcb772c1e9949198bc7695bd25c20cd21aea565905b0975de2edeafb31d8202acbebeb00ef9fccc619e66ad50b5c31ac346b2e06ec7d429ec8d2181bc5bd2f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpermissions-20181116-lp151.4.24.1.src.rpmaaa_base:/etc/permissionsconfig(permissions)permissionspermissions(x86-32)@@@@@@@@@    /bin/shconfig(permissions)coreutilsdiffutilsfillupgrepgroup(trusted)libc.so.6libc.so.6(GLIBC_2.0)libc.so.6(GLIBC_2.1)libc.so.6(GLIBC_2.1.3)libc.so.6(GLIBC_2.17)libc.so.6(GLIBC_2.2)libc.so.6(GLIBC_2.3.4)libc.so.6(GLIBC_2.4)libcap.so.2rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20181116-lp151.4.24.13.0.4-14.6.0-14.0-15.2-14.14.1^n@^>@^^y@^U @^:@^4^*@]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@matthias.gerstner@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commatthias.gerstner@suse.comMalte Kraus Johannes Segitz Malte Kraus Malte Kraus Malte Kraus Johannes Segitz Malte Kraus jsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- Update to version 20181116: * pcp: remove no longer needed / conflicting entries (bsc#1171883). Fixes a potential security issue.- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- do not follow symlinks that are the final path element (CVE-2020-8013, bsc#1163922) - fix handling of relative directory symlinks in chkstatSync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch - 0009-dumpcap-limit-to-group-CVE-2019-3687.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- Limit execution of dumpcap to users in group wireshark. Added 0009-dumpcap-limit-to-group-CVE-2019-3687.patch (bsc#1148788, CVE-2019-3687)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647/bin/shlamb23 1594051652 20181116-lp151.4.24.120181116-lp151.4.24.120181116-lp151.4.24.1permissionspermissions.easypermissions.localpermissions.paranoidpermissions.securechkstatsysconfig.securitypermissions.5.gzchkstat.8.gz/etc//usr/bin//usr/share/fillup-templates//usr/share/man/man5//usr/share/man/man8/-fomit-frame-pointer -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.opensuse.org/openSUSE:Maintenance:13051/openSUSE_Leap_15.1_Update/c5109f012a57566799171059bcc837ea-permissions.openSUSE_Leap_15.1_Updatecpioxz5i586-suse-linuxASCII textELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib, BuildID[sha1]=77e320ce684817b1d7d8d92a001163c4344a0b59, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix) R R RR R R RRRDv[_EL_VD9Dutf-844becc4a507980c304dea6ab2c4595d7f241e41faf9acae2684e794ca44f0728?7zXZ !t/'Y] crv(vX02H&4Ql*9PU`Q ,h7! 5Z n[(>vYl|-Itн%*c +(u!, e B.Β߲>`=e~^OD@^'a0 | wHð#$Cb?y52)>ho Fv|31+h=H.$s w%@VTMfYfQE_38o4u6?GO=^04O5\X Xbm06.d)v0>y>A =1li]%f5ՖPCN#RI`'6]ZYbץ58ГjTS[GxE_ǯC;1sGu niw |/{]_3bo^G>)Q.;Ow\C#g)u~r~Hw.-5s+z%U#4 Yzx]=l[]"~L"dDW,8'/^ߞup$6x,WFB a }VzJenfҁ{a~%eR)l^Y~8A6I q.m MZ[$G-Cƹ" +~sr79րZCNcϼH")-Vv MN,ցs]0aUelz_P$.y7!cOXM}%*s^n뚃!w!BЌ>Rd,9˭l`[/6 4.9;U쉰RZ]=kVh|F9NTc3OG䰰( W6.}0kp.?m0{MۡR&G Ɖިx4FoVIΫJ陽cE^Pq&QZRqsFE"I۩{ ωA[燼S7] ihv=…c!X8ۢWC}9f]8<}*5ZJ`d~?LdRuT$="UKQx,ڻ:8l$^m T>iтɘHv0J@i)ʾsq*>LLgHvJ%ս81*2}g -0`fl-GSBx#=|d'Ay!ZF3Th@E\,ĶnRy5""{QP;o W#_؀#܍Ν6y(@ Eqfa D)@ii 'If3 PV]TkH]&Ă(mȓ{#'٪̫Wgws:Y`. ̕`U4ᣳeW<9 ݸ$x[!B31>˫\r<6Ўә+4.`x<WyLd;iZ(y۪eKmXRu9#xx-i}S!ELw4T8|i e*5 u0v/.c".O>> [ϗL>^]{kÕem*Y :*GgFVjɺ*~q\G4Zi9xA`#SD^k܊9К#m4;ԍ#cMaz o$8bEdyWKȓk7=LlV(8@r#AHiZ{ŏ5J 4e} MICU$U.Q-cs3}FGWHd\Y6-tlW80FQTR/7t>ӷ+K Kj!zVo$OeKaYPߓ =/rf\j 8ʆ~ivt( #/dAR6RϪ_6zTfr ִAP sr/J  4ōy=7RDj̲l.KN ALK\ >QSoj O뚚7`x2[ )kʀau-Dy2f}|v-#-R(kH-bE>=1`FBi$PkDӇTng H|ƒB"yUo?!81[nh|/m`XOx gEM @ЎG']SWaىK)AwӎcJə.Vu61؀\ !b9a!gh\L SCHdvܡZ:NH"0(8[.xGr{a w_Lj2SO||~ nH|!+JcK=q]J 0CL*Wn4-P_O9'=4Gc59.L=%7GV"|y4+ X$ Oi Zt?P>al0"@؝Lxde,8C]y6zaF.,җo4ErguJf(y233J1OpR4YLEltXs8DTRIǹ5>S ڤ 3;XkCrgyo' 5ǎ<{I7mqm:u6&!f=vY*G;8ll15>1 ߴŘ2aCc y4} J ̈́ 棑GzT9Ss5,eb3ʄ*PTZa3LF4iU_M^s™r+[ٗ\Gc`X?KH_jxqahcPCrxҦw4l ̅o%?V Ÿƛ2n6S(FG.R؎ C1xw:Sb(n0{[t1jjtqdFG)fjQ jaL"pzGroB:>74X֔΅tW A3Ƈ֠/d.t{ BP&T2涩gN0%P f D<ݾ5)(Z`LrmD[0z d]=ͽ'P4yzS;B H<{.QC0~MN&zgsex"$.h{V+x4CVci&.FZW2CBS"( 55!%SrH@#rAԘ(u@"AYjÓX(ֳ8 oL*`/XuS*;8oNn]/x ɭQ P]iqkDnRl>xpAaVJ3/˒@g}+[7FK l;gʖ9Kk7ZNAPKOaOT0`U fC}Gi C"FTDP! "?a7qੰs]-aΉdK!&3FKŮj:C [~ir[bkXV9\GP(!SVI t]C ^G5CM86o2"g|ȡա} 7H%3ft8 ǺgI+Cс7|IL.:JT/pct{|Ra XuU]D)X 6Xxzd%|TV!zsģogWArR2[y孫-5JU:Û71&R)PjN(}A~viJ6D۳~7zXYY!wYB ;OI8T1-n{؛&=rD^5sgϷ:0v m;-Ї^- muUY˖\ڙ *Cr*]C=00xTKJM i2nT*8~d~ؽ51EUVF%1i8gͅea+8(( $p&OI S1~s_S◀,M" ť ,^mn v~*v,\ Sûs ? p&V`5ͩ!O.T=/TKm7,@m$(o=o<y_~:*a w QSM!X3΂WR fVT+QwSD$V =-znlKO#8g u}ƩI?f=]*p,'&R27 Lyyw?\c_(|v#4?+SvW\?dHU"sEcn IfiʱuK{S3.-ОK0:Tfe aSY:I?,an=|NTsЩ\ -,z`/řA,C9ČUYu̗Tx M!)k5j ' (["ugb QŬQ] Jq!EeYI+W>Mj-B'KZ3lپT/Jj+mGq^p"s\ ~^1NkVH&k?|Pv{! i}"g?pӍթ[;)Lo׏RAc'R7^O(^92A o R֫iMd{D9V w>F7]a|2(3}qI)0!Y0{^NgR8ܒvTqGoI&"RQ 9DzAgԃdR`C苅DU[N:Ԅڹ[3cKfH=w`/'ۊ V+Qe>}/O28:Lm]dV$]J$*ȊO@=町DV_Aҋ'Yhkz(P8" (>Ys~cjxv'AALWSxZ c3m]@gkF \ށ/}Z+Jeصw Y)BLA5BSN " GDۂ]0${D"6gIه(| ,l<$v{z_Y܀$( ڒ+_<( 6jƇ9602 _p `JBs40WT[vRf,R Z?:  ց O+03gG ̫eTrt)Yvxz7v ǁ36exQDP۽W$CrO,?+Qu4%ƛo"=Q\=W4h^mgWnjQ@fXWi\#}+[}F|Z5:SKmXJ?\<|SI#ӈIm8#3(g5f9vhuFq5Ba.4LỐXB|=}+U4kj$o>2/Dڋ4:vNpKsJ8 ݧ M혍vyC'};zލ $D &E ciແ"_ѕ'RЎBy_8wɹA5Q-3X(0W7Hjo`wԒuM|Z2_m~&qX q@|Z,O7DDE%q |ɼC0i vVʉA: ~qhlCI3)=2j䪭ǔԘU'<4SHsv+t)=h0>y7MHOZ *geeH[p7lˉ/?#(YqlN}&B%7XZ8I Y5z~K/Wc3Ԥ(p#|~l RO mgF57\bPud$ۈbO%y׈Ki3c]iDGl=wnO͡Q qB*/64 4Mzd4<^t jy׋Av _vyϡoCIMy6^ ^OۆTk6gΙ{4)mCm=vmK`a C<䍺FQTU6d0='?DK>BO!B}Dޮ{Drt/%|U3 2YLs |KSF)sm CZDx-ibKl# I|MKRpP! @k/Y-tlQ"$i`HV|͢iyƁc׼4AX/~ 0a+q-^\Xz5>+KzYB`+f@jgѕ' R,3s*6*Ia`P,&!^g ){%VxDsfةx 1&ϧ1c5۲9 y wPq,JLP0,<|*cKT4 ծÒH|2: Q1c{漭YЈzƫy:aQmQGANֱy{2pev$ TM&Լz;Ā_~n_5J8?X($ R~ &b|k[e,)e qk:NTU˘s; 0le;&ful͂xyYڳ=ŴqN szc RQP<cʢ_s6KyL9cHyg6na~dMgGU.Eׄ)^T7>J |.k$>P&b;xtYqk9e{1M hc B#O&eǴR8x.9̳x%u=tꆨB$Ȓ,='{ (Kl/;x@oՏbBjd'P{Hz-g]i71>mqOJGJSxI"*eϾ~2V[yϷ*d ђӅaCO*rP7<^^fcCG#\h'[VTC*^X5Ol t:E#7ڙ# f~20q[SES} vHTՇ%߂W3wxXB!FΚ.&J{3Ӥ6(F9٘߿X0 ݗD-iad4Ekˮ,N4KCgI __`b %KUXN5ħ_ nT O{B4Zhj"sVd, c?<=.^Sڶnnw2]7KYNӔk0)g!q#DUa@\qzoM#랷b xMRDgDdXķ. 4<yWc<(GVvesLU'wnJo^8>׹|p)/,Ÿ}V-!XdVo?dcFȲWN`])t2:KsX"_\QML:4)6V4Š)`nU@<*#/ƞhOV/om<<#C$)thﭚP [87zmmiwys玶4Q(WpHҀB"$5.'l'P^f!O^Y7.E7O!A۩>F3=a~; Mi\fwЉ X%fwmaf2e{Ua]HkV#Y5UDF-JPwwկzMqU횦oܬZ1<6(e1լ]ejA46/1sju;sHБPs k~^)]h[;V+?zw սRm Kw1#`c!Z[ r:#do(ҝu,2-z.u(21N~0tjHG6>YAJu(fJ321uZ șJRQ*-u> 匕Y\uMu)B3#pϳ#VaI F ⶖ{+mE9g^zS(4oPmr-!5i :L-`--]W e_T A SI@w9ś=v͓86!|ؙ]ih1D~@ntC~:}B3$ikЍ(1vp% "K> AbX=ŀ HbeH3䔾ͮ춂b' o+]/ǹ> V0s%֛L' :hTb;I/}`ۂ7?ҁO׹R]'znEԑ48;2"ݪM7%pe=Eb2jX<+n~x >cI]}ۈrU!ھ'+R3S1`Eek@.mX}eD+@ԹJ\7]†j*g Vk@>;l: TJs 8i.>H}kgN-ĖfRWg rIJ/Ėmap璉^+vja#H]66^9NY~V? ??XW`> p?'B}:sF);ٺM+\_k1e(0|%jB"20y-1<_6GGrist&.m{l^ !iz.XIk|PpcMZb9^Dp!VF;wG,P*> Z9ZZ}E?@mp Zz9-#vS0\aqQaywQv(P Fvѥ Vؑa}qaC\Ӫ' i˙ H "5ՕįaR#i fevy^}$&PPZֈ9&ȿILҏvɌZ+GdZcBU7 2pʠP+%=:L[z~2Z\:4fQNI TSÇpgɨ!pPwq1cʌu1[vu-Y?%o8 |F4FTH+ߢ/*&ܡ G|sW ,*[u">?ʭ<,^WI0!+!OJ;ړ ҏtt߄~XdVZXمQӄjAJd[e-"D )77`^c*cn/r#<2; C%ᙒ`Dd7-_/`L4{wICcytk(f}hL}y΃#M-[˞n ɾ5~u$?7Ǽ[Xw28+^uwgD<:d/NB~;5m#F?pA ^F(g5SQ~0$<߁ '{@Y#Q tquuqY<>aMyKv RuENowaN^>횡0E' gj7&XP Fğ^Ef2K?k ?_ ( 6j`{:x/WY3֌ o2ʪ͘e9Bnaq[sG|tқ;ސgvt:}`F9F>2Қq7"L:$KC2Wz)|+5$Jlw U/Ϫ0g b>۲]ў97dn7ZBGz¸k) v̞b{gWp}ÈqM5"`WVK阛[E5Gc%?ê6cJƒ-QUٲ1gˁHA#{H'<`kN5V9ESf y-{io Ť 9Ta.7~ܠjT:!co)¡Vl~VX3N82F UL.Kwơ#Wqtc qFhX+G+ITCSCfGM< |nEFpRuY>}kj"oyk*9+HUl8El%o\LD# )1JiVtI,MdF ^[ :PfW46WưG]tP2= ߴ$/'Qq@~#?l;[SJ_rߘI9<=+h0b_@7+$=ݭ!o/9jxFؑ1qQZ#?! M5ƒF㤾ɢ"hI̧x**621׵_Oʃ+kY=gcÅ嘌 (;" 9x)a ,u-dRTatpBoBb) Hc~Op> n yR']d(ʞ$DEɮw ހMq\q^= IyW7 *}-b{0bQ*=i nyoA JZzAaͫ5DjЖojRc`GܰL1c ߩeƕ%Д^R/ 38m ΦaJy _J;X (5)-)ZqCѾͰpQ֦i?=jsHQѹp͟Kpmwxū+|g*]'rP#Ȯ1G8-h UawTFձAZ+H)nZ%dD UG^}]>ᒝ^)U_ nG^_@O/{WP5:JUL-@!Wn@6JoWgŏP(uF VZχwQc^ U6g%h=יs_뚼J$RJaos5e@!6~\Qhy f#x!3,Gzmkƚg!kT?SŹ]ZM@̖}NU>;&ITi _+,5ux!0$X3)\Ao$U>nCK; |RSieOF-.ZRV  F/d26HNΡ7lEmcZ2p Ҽp\U2k]s3_C p/ 7jq:igV~-S7@眷1sn7,3Yi\ڐ-8l~ D&d7JOj GTYQ+fX^ciC-Ta9+q891z!X {tk 4q g&Cx֦536ّs`{NM[La{" =:pTUGksAѦIOMphm؃}OzzNmd}*qՄ',SyzӦJ}7Ksx} hNEEɩ(Dן0sc_L`LgjX4dkaO*{ ׸ksWʴ `6İm"SQ݇ :!t7/#=X!ov #&fXW^e Q:I-rg?f[OxHk Tg re-GB?xmkHT?ʇ;e^ PC?;aU}ag3HI." lɁvp=:$f ơXws :/E^03NCn_Bin?}c75l,Pτ7 ۜS B>T t׃o [g @tem-H.GQ5zЂ ۙrtl?X<$ G,9ٯڐƠ=N+֭P ʫiV  j"lw ܩC.ܹU2Z:w]M4[Z}3 WއGK]sOYoak5  ك:<-24yqeH˂qa.#-|jœ] uƞ@@'?HgKh kĸ XǤ$cOaQ) p}%dGc;}F(*dP9I{34[rǁ䴜)LMi^x91Rw{-lgK)LK4̧+%xݿh'BhXCw5pq|ȢgtKe`yB]뒁3+xE5 siM1kb`>w'A X{֙HCȲ@V D(wM}G3_ *(XPe?톽)[g Z*fpũWqtgs5iᇴ%;8ÓQE IuR~җ;]\K:>;TH@ d\TNb@Z,~c+u 'ugה\4~s9,B\~:sMW'+igGms9zW[l2e&bfGKb>cfb< v`hIFŸ@))PoҀSzE G$S o@AeR4 >>?Ae"Ul'S֐_pZUF^ h *búmZV)W:PP11'1,d  2Lob 9L 5׸xK:t7d)d.~O ˠ$U0sB89]MD}'͊sH {L9KLq1Q䇷"fzA~nQ;:(9\|.J8;wÅ+= :OagȾPًǻ^e(^ҝ'>d!q﫳U7YG4HnnlS6~W]ӕiD@ k6y;Q2N`P#h=8F|yvwbM@^J5J̟1a®`@} xa sj~X>i[oU5WIb]q%ɛ"H:[ ZMyq[Kys3Q%SG ȱhڣ3"BAo)eG2[:Kqb*8F px Ce*H•?mI%-_IB ‰`H=nn-,~hqZ6SS5inG|1PZp(Wcjbr͘@!Mc7J"MD[z|PAn/ȝ:"lm#Iy)-n8Yz95EUӅ(l'P|[AW3GWfOKRr+}HE=\~w#`FWT"zwN0O.Ոs=̊P(N2P h1NH+Tr̄ha*FC1үxL2}FP i&qܑƥF ;F0h" Z;Q͍ vf%BE6 tme؊V:p:d#ĸry>=Sy-^rcßZ+NT?,8@K7&wfibnR'v<]v%SD$R)4)gj=#+#t ܀()&cwɃ.ؘv.(4W}ey+&2ڭk0שr gB]V"IUc[ .pĐ"`K%H%-qu#xI z$;뚳u*=-֊'RR'פ!kOAi51R9Q#i4nG) By5_Et4=`"L9Mݢ]{Uo>&MlN_|3@k9C|&.>!boO()x$S\@2-rM60 /J/5/eX?ǟR[*w@*]7هxأ&-|dr{| X)0mRu5~HIZ] *Ui~]Df+s4 Y[n+V%Om…9H.r껝:x+\0!Xe̖o_8aA@X pX9ٓw\ԉ7^-TwR1}[)Õ_' nLA쀋뎂lPIv9S*F! }maMMMb(8f/c9ػH/5ҩeȢsNJ ͩdc[K(+]]OlվyD]\7Zi+s,>ԉ2 0nKVt>PFD^]p+4JYN.ַ<"p'meW\Z0K.JlG`\c7hRb"_Nڙ.a1WEX]Crwcp ڟ U\ R7m[w@6&IOWL9 @35jw.[dȻ|;{VZn(XeKKodrV[\ 62s_S~`p_(9ݻ 5b oW̧hViI#x2deXXJH-pqJgG܍cdϪhP߲-*WW"A֚[VyؗdW[؊thԇxƽC  @A#&zKή`t{dQ~AV0^ 7q]X&~ucvP/BD},N!O<Ҍq得~?;/꧱PEapL'ϯǴu9(%pk8sP\0uKgv:"_:)zt? P;1Wګ׳薗XNm}HiNO[>'Uiȭ[8!:fiUZ9K&۩ZoH@`v¼P^1[#jk%ezR Y}jO3y9$b;=}L>> _:;ʺT<0n Xe_ )p0K 6w[1Ԅx!|T,\Ip%..qd$onq P7-Nk2|ȯxl~|gG#Ү^eMDyysJ?>h̼=N 5:h;BswYQ&0dP![lZz 0&a/MM"|x02!3ggotN}2*BOlSM4F}Q^Ŋ/k=Ej5) ?Pwl9l7Ӣ,=nuV 3@FenE%"%%Gw[4b>@q#s0vP3>8$-{r/WKt0ZR_;Y"̭,<95A͉8j(R\!7F(l;E_"[,aPGP8}&,bⷹYPb, dZ k\<^$9G XnS}K@ ǜ<(Jc)z{1VgAmOL1)ks4FQ0vSmb &W9r b&Y<W e!T!<dCjJ1M:]nASkƼz#8Mmb֬&+r2Uc#DշJiB lVRVuGHm46]OQKۺv״CkJ3iج(\@mo`h*X"Y8 <ws7]njkK0.'\Aoc%^ڷ "a UOdi> [6%REG*| QUX#;[cZF6kqi r&":@'@YVPa]PAu$ɳk.ZCzѵ赮%TR8 E&IeG-UGk豷5DwvƂ`DN Kp66Ͳζ YZ