permissions-20181116-lp151.4.18.1 4>$  Ap^/=„x"15lw$\Xt bV1Ъj<4 k.SiVYKg.u:^1[6N@n ވmRv m`nشf &٤KnpdQE͜3(.i8f4b2>? ȱqockYRT--&W<(g2ZȺߛӚD p6IL gq̀ŀn6Rh\8948bd3d67f5b42fed4f33dad1feb7d75688a5856b0c272f8dfc8f997505b063ec6e22640d7f1d2ec24c19e6b690762231d23cb7 ^/=„+Pк\B V\Q R4\Rל$ A50+5Әy}#WE!FU ؏wԑ-]|o۔]):8,qTsZ^&/ӓ͚FHW^B>c,iQ': %o{COAV;u{r=>^ЯǮd vkZ݈NlZgtsGڠ΋<[S\%tEj*6C5e<[\/HY>,0CD>p@0?0d $ C #,5 Nd0 T  f  x        A n   P ( 8 .9 .:p.>+jF+rG+ H+ I+ X+Y+\,, ],P ^,b-7c-d.ue.zf.}l.u. v.w/ x/ y0 z080H0L0R0Cpermissions20181116lp151.4.18.1SUSE Linux Default PermissionsPermission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.^lamb18dopenSUSE Leap 15.1openSUSEGPL-2.0+http://bugs.opensuse.orgProductivity/Securityhttp://github.com/openSUSE/permissionslinuxx86_64 PNAME=security SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi # apply all potentially changed permissions /usr/bin/chkstat --system0S1V]j9;@큤^^^^^^^^^695fe6b30c6f66604218b2ebf6101892df83b7d9d43f77e36962e21814c56c656ebf7a8c00082d8e6b4f9f54baef1dc543ddff173b1a644b1e7b2c573f42ecb6254ecad52808937c3153a81d50810ee7e689d78dfc2cf8aac67cf179a2fdbf3bde648074ef2c530e72e0664ed77280c98a238eecc6edaa2c3d346214ce44955fa78638b428fe4d8fac8018f8f54d766fa7ad564ad5434f04fb901e4e4c488e6a8d6300288644673bc00a22ea5a4e2549a61009e7478cc5d0b1433b5b0263d32935eca1eb5762d2b602f4b5114a54eb6e6815d26f10b5dab00cda67f2860ca4a32dcb772c1e9949198bc7695bd25c20cd21aea565905b0975de2edeafb31d8202acbebeb00ef9fccc619e66ad50b5c31ac346b2e06ec7d429ec8d2181bc5bd2f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpermissions-20181116-lp151.4.18.1.src.rpmaaa_base:/etc/permissionsconfig(permissions)permissionspermissions(x86-64)@@@@@@    /bin/shconfig(permissions)coreutilsdiffutilsfillupgrepgroup(trusted)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcap.so.2()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20181116-lp151.4.18.13.0.4-14.6.0-14.0-15.2-14.14.1^^y@^U @^:@^4^*@]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@jsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commatthias.gerstner@suse.comMalte Kraus Johannes Segitz Malte Kraus Malte Kraus Malte Kraus Johannes Segitz Malte Kraus jsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- do not follow symlinks that are the final path element (CVE-2020-8013, bsc#1163922) - fix handling of relative directory symlinks in chkstatSync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch - 0009-dumpcap-limit-to-group-CVE-2019-3687.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- Limit execution of dumpcap to users in group wireshark. Added 0009-dumpcap-limit-to-group-CVE-2019-3687.patch (bsc#1148788, CVE-2019-3687)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647/bin/shlamb18 1586425987 20181116-lp151.4.18.120181116-lp151.4.18.120181116-lp151.4.18.1permissionspermissions.easypermissions.localpermissions.paranoidpermissions.securechkstatsysconfig.securitypermissions.5.gzchkstat.8.gz/etc//usr/bin//usr/share/fillup-templates//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.opensuse.org/openSUSE:Maintenance:12293/openSUSE_Leap_15.1_Update/832e53f6efc1556fb741327f93e5b81f-permissions.openSUSE_Leap_15.1_Updatecpioxz5x86_64-suse-linuxASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=7ed606f7b9cda6a2f585e418cb069bb44bcd2074, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)R RR R R RG{#3X8=1utf-87131638e26f9eef7c1076ccc827f93bb41a5976e8dc2a66e92005d8c8363d272?7zXZ !t/V] crv(vX0E暆&N?D\d8;cs+P*VA)GޕMT-9?NS6]O֌ZLց|TAf7 |Y:mgR]aV<9Zt^]%R;&W*bk~Np3i 5LE`"QկSfecx feNGD᠘\HgzeGnmW۰ua 1jv{&"5BSAPXvUҠhJ . tۇc({]P]88j 3׻Bo̦T1\*&Dp%&[8IPm~t𥕰`QK$"5"aEU/N#|%SI8n̅$ JMP(`ʼna~bmDӎ y?w ΊEb΂,! mXKUQ0(m KD%6O PW/-`5|eE {k1OEv7n3O\𭼴=?@ YAuR;@Fַɛ[gYjow7S>ajXNBP?Uhӥ&љj[MF;<:3ݴqݭ4$LjYn0#l $=D/zlej#tDD@1U30b'C5iEZKE/{‹g 6{J~ik32jOs Boc+46:z,L6hU*t0J.XQ>|ir;ANve׎>С,Y c6YFve~O= 1: JSh *c',dgfF!/ 2Le^.Y59j)OMm-Kk*tl"op;ĉA"E`2{1G|b= pB7ޜ`$~غ`:e"8.V)H5,FqVƔDž2#f4: 7dw L sh|C )^>ڭHKU_Z!gf.͙?o] oD>v>X1I!*Owj/poC9g(Er7[Iq_ȚKR\+B n$E.WWtX3D;w2 [ߎ~'VRmЙ(G1N&C='v;kjPГc|ɦ[;;zLV,/|%%XzL-MSS>y6:yC=:$nʗz⹊xlCGwd@~1!1 k%Lb7%C?dNs1@2p(?;At8Q)C9\93Ic E~2=(0?n{i##?iQy@`OxS0udz<"t\xJ2&Cj.-p 0"iQiJ ٩a+a3_c@&*g(r{ [[ޝI)I 4@r<'[;K7o$/FE,S:"x^GEGe[Y8rQN Gj^8e17SM|$A4W»;K@7bΫ Ifà;Agj(niY y`|QhL'=RzZm.GGH4 '~4$cAzcݬS:J|ba HZ9N|7Fkl6Fn=G0ctBQ2y C&'ܐZ;mw)G`壨vOqg4|R=uH=lDM NI4𜀵6% z垖sB c.҂(k) PyRH㺞WE{I9` l>I%K6:l -lv2,nV`"11ŴgզOĠ8s!6 E SlԿ+&;]ZB7ؒlstBX܇,Shp%'>"[cKƤlq*>?D6z. ,+̑57zߢ 7b~apSS&Ec.MZ\ukKT ۵^\`դ 1ǘ3{XϤDMGATc5}=6(Jut$GfJ4 轵QAQQ<)`f 5gxZgu,8gOm D燉 N 9뗺At~r$סK1zpbvNQy&܁ؿeyQ? YV\dzp\cўKC-CujKӶbS,*.*ȝ qX㕉vg ?gj`Zssw 0l=e UQIw^%y6^5WVԺỌ@b*=qAbxs BAHs%a+*W)?baeS0J]U/ȕ~AIBzvPKr;8>..cbDzFr|P&kY70/wN[*bd{g. 0 ]I4  r^[A[Y69C1ܯpr /F[+a!1Muy~*;K\*?C YaZTlX& άN<^t.FMIN&ZN%&-9D6+hG<3{0x4_3vBg1UNisL1`"\{ *}aԓO#ga@Ng!Ew}>qw ]EH7:qK<)Bһbx5S0+:~-F1mP?jHNaI! aB岷ŵ"JmUOeGI;9GՇ3ȶi/z@ ւ sd Hee71 *MB#Ol2.-*#"tBs3e&h#+H Ķz?g|#WKGqX[P+ DIn'\W'odjj˛.88/`իlR+U/{|/QV~~Zu0 d+$eG6ɔl[xf (t-g.񊏘0TTVDfwmNeCej/<˳`AByKKpN!L/MbUk6pAE_ z{o|&mՎJmNXcg>/䊷TmE+PTtyUOㆀ ڦ_?tj(gsZJ#exK>V@}m^\3yzyAۑ`;6DwJ'tnݤqu=js;٫md0@gjDZ=3\70I4emffRoOgtiZ#7JsOc_z+=*PT;%_ʩ?~fl}u`$gg,>A!+Pܝ-3i[|ŞA^hg&P_s$pUE0-li!s"=[eCa83)5BxOx$iM@5pf:gbv}jAwtu>\/>nZ)5P6밁+ i^׈Ejͮ{ e[(uF텚2ްπ~9T&;L X◃q7ȸ~k P$KeKT%fAH[w.LW+\}Q45֧|TB0kRD)@9IqLl ~=.]3ydH:*>.J&F 80'QI5\gq)P9Z:BJ ѝzYDWK+"bmI$Xg[PQly?/ځ;X5V1`7#X6K dAbՂB+#v*#\yOQ2 'DeOu&C6hs#l%1A }O۹91.(ȾʔssA/V3#XG#[awq2Y H͸*: ΋DOU!ֆSL0׉r?a,IwWs&ᓨŠC#+0 +܇R\!SBG2W^85E'qϿX%s"R2B \`h•/hέR?b oB.њԔ5N PXBުG9`R5Z&zκG[<b<ŗ]87X)`htg6-O^ƞ D/ʡH|pyt`!wKى/ }pԆ*h#b>їEI+< ܸg$ln\Fs u?˃2 ):, u-]$vNМ+/8]˛'_wZ0>Itɽ']uT;zwW|CN.npI&2CIO *fm_|5:X >\S\|~ V79G?@V l\ ei9jM WQχTH/b }sߋig8mW参01TK珆4}>Gwx).b݄ylqN^혔ʣyQ˧kőeG4`%NPY'⇵/o_g3,xs`LuF )KDCdm9Ce2"!A77<O4*/y#eEWAm"I8J-};OMe9 {'qRe CO.;L̳Y-8]rP4#=]u.^vli{n[+(udSi-Hd÷B6 <&O`@FHZ)/P,O{q̲hӿr/U@RGIXKND 7bEER8a^rM睷[)f{OJ-1[jg}5`~9cK6xҶpχnާSqDaC) Yefo}R.tHom/}}j={-+fX1+.@t$rz,\/P>(BY!T))^=8`<A}r>9"U! x8EV]jM?/@13j[仧5yT X`j( ^"2sYlfJWR gZ#d,(Fz t:| MvJ(E#)ϟB41#0ͨUxoy!b9)ҺF/9''p}IA Jи}{$ͱp,.1i8u}"g#t'dgWKs'y}@4NDBz@#]#.0lGl8@w{JFE,ڌ{L$$0^UY-Qw R)$:բs@j/wL| M<ܞ=͓*tj;u1s> 0*I!3U@?hV@',Rc 3 j'r(@0fuy~Lq>yc8F$ -whyZQWCv3,rY46SmD[{n}6y>_7iФNZXFmaK@{ewΥELDrC xC%_[celd8@S\ֆqp!` j䧒 yf~24&H:=-skWU/v !񆷽 wf95nT=Cn"B0&mj"rC3ZPJCxjL{^I;p9y^ϲ+P CsqωF~ѼrΉ5JD*#{`u=fDeTV={ԬVc36ʅMöH&;Yclj1a K54==. bxA;GB9;=CF]iƒKEޜT7$`~, @4VɏgdB6A#p74W@qc4hJRl[] +3j^vUw>T|k=>^! 4w)Q,E%/&ޅS^Yϗ4%C=Cda[ w'TiWYa)R䎊//5p/ 0> 4ۇ @@Xfj 4]6cq,fgR3mLH%)>Zx܋b0?FaV`s߻ސ5>T ~.5RJW{Y& @<*+ľcۺZ˜^)T.o d7;o&[,di÷v6)# d4/ߺ{-d\&VhZDL8BbS׻L>ۑ,eK’wHJ |wsgg $+<kK̥;!73y-@h-BI:4$y9XǤ`(C$_D/0W=Dz21h[|^~D ѩzBjeR^(/Ypqz I[s/uZynH%ʽ^Q1bZV$- KT=RT.Aɢ!wfRu q_Jy;o ҷM(﹌h4'nD#{VjyIĉ.NCi,7Kb-}u>^)ZazVyJY -i'-m3^'B("rzվQ<9r ͢`WKun]Z(%' a܃;[v:m]ڛ|x"0Z>oR`"隬mśjlY_{T0R~mIR.Jz1_`q}*}dFܧB޲%m9^πF^!˺7Z2x[^ĽGyĄ'&@Bzљ7$lܯ0i޿ұU)spy5ЌĮM<>GS^ꙬoH־cѱu~x^qdI^l?A2CT1\?0!h (VlIoA%ZudڪdlUsQk?ƃ$Up iDN|} 'q"ļjx+|K.`ӥ P!'ĸ$@2 O-ۼi )=S0=!L۝ePIEl3]<*.MA'avt,R,fшݣN?WyǍǬOe;y\#`+=<:QG[E,n$A#'䤏=7[w>=g53ݭZlJu퉔LT_w܂so}1+bPLY;jH?Ed$f=HlN3ɬF4fljGd~WQLﴀZԡOM&|]me}(C'eSbIU I0Y6Ӕ@T0?ɘ9᧷z"GE`J&}:L6/Ty\Sԑi =ĿBִ53 ,1s-fۡ d“t(&H 8NaU\vX1aِ,0c~6,*⼦z _r#T12>mg2(jO͋@~:*qbLtx 3_Movw3D] WR=ȇ#+ %%a΁ذ0E=?Kgh3D.)̂R>|׮w1޷Q3'؊T.{б#>%.U_廣׾Y%>!dfE8(۩4]f[6YZq6*Ǫ^eӑP޾, ]([@AU d9DRO0u?(̤>&x6? ko40 RƹR,;(shB4\8f_hʉ>3]x(یXGvL#!( ?!\jYb$ZF1rc檝I%S6:jJTf5r<=A-+l%Ωa:mR Ƥr\zQ+ISflؽhz!{~nL)uHQ<\ T$zy $jvMח t3;5?Q57)s9>6HVmҾrK9P]SC5a}``yfՑ =ma0}ƪO&Ě"@ *%WF ry [{CBz]K8FY+ L,*CNhLKb%rxt:ՖRF[Gl- x=L=1 1tQ6=gd"aUqD[6¯Շov7s7l/ٲQtʱ`*,/9Y5ңL B֊F" :s3蚸26O >$# \['K?gS 7ЈV||9U>jQ2.jwr3M>.9BY,Y[@R*Hcf\/ e0 pĴRCl-YWE@NHq@EޤzQWcI|X:‚UfO'I(wLPRLZL=&nu2߀(̭D9'dZ~.b3.am hLԭo hC9Wžzz@PD8 dFȆLE[8@r_)׉^DzQP2g .-Ոz{@[u(ALBcfCYd<%!lhkT Op ]"M(!Z:sA*CI1Lcu-ex|{3%( zϯca_s@\#IuS` V#u>oȟ/Eou{, 7EI GVFBQpk2rXn$L *akMD(zH-[i1XɇO)(lIF<$EV0Wu2L:J[j(3(jf j5עR4:^SJ`H1}HX?'Drp%J$^ sWW_ e4%>,[R[Ahi񿉆m@FO]jLĻoXQ^~Ģ5)ːu$Ñ:nUX#@O |ؼ~PAhsFA QcMT5;/Z (sug潞i/j_@D^䎋~0Sw)~HŨAtq5:~7.Yu+n(~fE[aVC,_<>DbKF%{u":ܳ+)' 6nxkK2IuRBߗdqxLRC&?YO`wgo6NYa?zZ} 6ʔ7ԉ@nG.`;ۃW6p53stiXCۭD͝FN`Bo"vBX,fFatt8oWԼ{En>eKq5[Lˈbb-Pe?p\nrD_5p` ߉^R<] Un$AmI-<}.Zj)"pSIt-+G!UuXȋZ71|&7L<:Z;t[4GlS$OPć@ܤ;OJA#/ںAәFZ\!" d\PSd{~$Hj&-rsFiߩ$2Qv𞸺rkavk2]Zе =MS;_k)jŐ XrB {L{T%Ml`Ʒ$ZwJ#@s؜; 0c$1vF3 fVcQEt'*y-gPmc CNtcF1lO} ne paz)L݂TJ]}հamSS $xkw{y1mpnB$ Tp[sNIq<)%{VbGZs-_ >xHqVnc>1f!"$$T`8YFzv 2LGO]Ѷ6: r Ml]v"l`?- a97DQ*EL$& @WbVktzqYbFf%US%rJpEQ)0k>paٯ0*TܒQ u/*d/~OW=&4gcecKx `A)D-`P\4yL°ҚA:^4f+ "NBL{:5!ᫎSk#n&~΋ꬻ'cDxg3$ca/|N^W[FrKcq|Lֆ6; fbv57W ,J&^ݏ,hV1YMM_E]=If+'j>>yfm`E8'yAۙipwnU/`Uu< y%I26M p˂$4+pun֩Ӱ5iLΗل4*O=GIzM՘ayOsY08nvIbA-%0NK>0hGeWۄ(-Z+!3ζT,=U-)9N9`mwV=4`~I`ytG˕eڪqzA 8.M ̩Ťm5&6ncqj>0;#&Ddf˙t3d1ID9mZhrteP-tUr1[@xUxw/}6Z^2'dm!!r#Iw!uΤ+O̬^Q "b%D^{9tsyws^c#}pnrGl6 }Y*Cm>k#,CQĚSH e-Qة\Ӽ22&0PVɐC.x"bIfr~e 9Мh}I@kÇ TIV>(N}s.PBw$8 C9OяXǪ _G5ѭ-evc3z{vzhhuV!mpݝy7/{T1l[KX k Axwέnm7F&pLg^}3i5 JL7*0Rf6r1v6v]!B _D |qi3Xx ]4 JANh^$Zz_r(/AbK!McHXrAb$=C_^@'eECˍz]VK B#U: )v§؟ŶA3Z(VՆS" <Qqi;q!$DPd8΍ { 䔬?&xV&~_J2[r$'˧7&z#FKAAsnHMlH߾\sh5BuW?>te?ak4N5Ɉ Ww>(Ig &pT߂ T-gWh:n6) y0&b?oԶ[/#~r ǨϺGX=22y/$S ?7u MQa΄J7;r2#(UrkM`nŊP9-K{J8LQ*2P\ر\thf9ti!fKLpQu@+5'5V$A?}RLԃn?)w! aSE:k+}Qd0viYF؃̯fMh-gg&3wo&_!X݂.-Z\%AQH}؝`Bs׫DITmlO'TXDҶg?ئ֚3KZ5,6у>F+#kX[,%?u(܀gw`*}t]4F삖 <[t>\ (eژ0%Fu?jR~*u&Re3džڷiN3销cU#>Sc+O-㧶X ^ߓ&3I "r4c1˹Aa] %݊3=ӡ^ /*=ކ4AovnzԿ։:nCuگ@_*BK)Fێ72h!GxM XFRT cl@٬ =A֎YrwP[ᴢXCy2Vdl]̫?Y 'Fel̩3g,e}R?S)3o@$ANX@5! @VYO [S}) .?znf]򇖍7QHq+]{`6_ tk },S vh*|?_~Ϙeѥ/,H 8b'K+M ]lq~Z77qPcV4kvH DrjE;Єqj%kRi> k9 Hxz:aS,A.b"f!AH5ݚJ~)MR^#!P47^G;i =bUt&RE,A߯-4YH X* A~`N F+bF-CoDJ[6>^>@uXTv0p/I.؉a. ܝ8]R9^hw8v).8RSHvP&J-R^$T>8r^ԱI*է­K3MaG v KꐫkYE9*[P5G\u,ATt: ' *ճ(wƋZǜ '3cK:'`ƪvr:4pkk\C}#:\f+25h:CV(ix{1癊,-}`̯z:> beeh_ Xnja!OfR*_ioqt9DA6sh%bjkջxל&_^ jȈZq2CK^ "C SCDcm8 qU-4YIJM}yf,j z"_0JwNVWEA~Tx>-&l_Scn/.hSCht fNd\)(}鮼c<"%s5֌ۍyGSEMZU $(Jbt写,ɡ=D iv[p{ %6ME=1._?}P3WeW]}qtlY^hDZ-pu7 dׄ%te'F@͎? 5 )Xb`2pTrbL,i7s*Zf[ 0)PY9'C! Ay\F$t~n&W1[ BYa=Au 1\~ 0jϒIz (kP(,Zl n*i.AJ\zX?`c%#.xgJ|,SB'1BL^Ae5>>]I9 (^ue8EHOέSBq€2p2M+O4|5t!Rnd 2 "Nt}wb^&bZ70Kd\Kl)Ix+QtkIsG͛ժE"g*4"`\'*sW"F Hc[krjTPeH۠-qc03"' ˏD?Js.;b?PC㡵V/|(ٺT(B^̀!KuIj"|q[MJԸ(qCv߅?[%\~*V"H4" J1 jBc9{ -(iS.\t̋|)3dř.RՓ}E҇kHy8 }rI{2uyҽJ/wfw ϑ8)W4e GKv)"DL+)3%?da= t3r\m%?~Y ˣw4wD9X)چBƠuߝkX-uqXoábc'0s#$ZbX4C](|Im>m2s.C +~5 ^ ʉZ;os<4.1,HYj~F{u*ske?r4slъNOL =$RSˮ^/~UR^mw*_INm_x]X:2>@LSlBk:[c-nxg~yȴhnA1ei`nI7A5CpGID u{uϝT"?S{^ܘ.G؏4<&}GrJWf'4/ЦL+ګ :Ɓ(uFv ֛KO$(m-Jnŋ:NjF$lX؋3}io}Lax:Eh25qc5p}T2Yj8_M0hʖ3L=A Y+2h()j˸pThot&&qA_4{ 18WQkÜL$\E(Z.9ͬQ:Oqɑ($q>lNj~`24ļ'%%u-&pҒ(-iPkIL##;Z>, ʜ >^}O9F ??pyuɆ5-uД^țnW] L#k2ެx3Nb QPrtX^ Q}a(Py'T$ޜ2ZJK\ުɠOr9Gq6#:UbTl= pWFt&XwOktPz(t `U7D]d>BQ+*c68`KHڱ?X 9\K)+Ɂ}N@ګ4-$ s%| jb6Voap0BIZqЃv%N4P::V$* Զ YZ