permissions-20181116-lp151.4.21.1 4>$  Ap^2/=„ E<0nL!aDR]tt4M'spS  J^a'iCā) 9Q,i$^UD!6WN-Tӂ7/g53v1a+PM9SK;@ %^=A100ac64e92df7a4fac3b6298637c495dec0f3e77280b39d0259e8420afca5143422a5dda1fe968594990f839b246d0389376724e1t^2/=„i1^p .j}XĽ͗-ԇjXTZjEݏ:(~ЫB'c5N rw*)euƓza.[ :"L铢թUQ6`O*wߤn!w ْ6(I.uwVzKs3dRQ[6'Ή8gš!$˃ R"6k؆Mh:@;R9 {2p̆>p@1?1d $ C #,5 Nd0 T  f  x        A n   P ( 8 /9 /:/>+F+G+ H, I,8 X,DY,T\, ], ^-Lb-c.Ld.e.f.l.u/ v/$w0D x0h y0z00001Cpermissions20181116lp151.4.21.1SUSE Linux Default PermissionsPermission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.^*lamb63dopenSUSE Leap 15.1openSUSEGPL-2.0+http://bugs.opensuse.orgProductivity/Securityhttp://github.com/openSUSE/permissionslinuxx86_64 PNAME=security SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi # apply all potentially changed permissions /usr/bin/chkstat --system0S1V]j9;@큤^)^)^)^)^)^)^)^)^)695fe6b30c6f66604218b2ebf6101892df83b7d9d43f77e36962e21814c56c656ebf7a8c00082d8e6b4f9f54baef1dc543ddff173b1a644b1e7b2c573f42ecb6254ecad52808937c3153a81d50810ee7e689d78dfc2cf8aac67cf179a2fdbf3bf3b3abe76bdafef6a7be1dc371a5b94e28dde3adc294376997d9d6af555101d3a78638b428fe4d8fac8018f8f54d766fa7ad564ad5434f04fb901e4e4c488e6a1f90f15bf6791fd760b82507c30870113d23643772ce0a86a7ad249157ba135835eca1eb5762d2b602f4b5114a54eb6e6815d26f10b5dab00cda67f2860ca4a32dcb772c1e9949198bc7695bd25c20cd21aea565905b0975de2edeafb31d8202acbebeb00ef9fccc619e66ad50b5c31ac346b2e06ec7d429ec8d2181bc5bd2f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpermissions-20181116-lp151.4.21.1.src.rpmaaa_base:/etc/permissionsconfig(permissions)permissionspermissions(x86-64)@@@@@@    /bin/shconfig(permissions)coreutilsdiffutilsfillupgrepgroup(trusted)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcap.so.2()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20181116-lp151.4.21.13.0.4-14.6.0-14.0-15.2-14.14.1^>@^^y@^U @^:@^4^*@]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@jsegitz@suse.comjsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commatthias.gerstner@suse.comMalte Kraus Johannes Segitz Malte Kraus Malte Kraus Malte Kraus Johannes Segitz Malte Kraus jsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- do not follow symlinks that are the final path element (CVE-2020-8013, bsc#1163922) - fix handling of relative directory symlinks in chkstatSync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch - 0009-dumpcap-limit-to-group-CVE-2019-3687.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- Limit execution of dumpcap to users in group wireshark. Added 0009-dumpcap-limit-to-group-CVE-2019-3687.patch (bsc#1148788, CVE-2019-3687)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647/bin/shlamb63 1589371946 20181116-lp151.4.21.120181116-lp151.4.21.120181116-lp151.4.21.1permissionspermissions.easypermissions.localpermissions.paranoidpermissions.securechkstatsysconfig.securitypermissions.5.gzchkstat.8.gz/etc//usr/bin//usr/share/fillup-templates//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.opensuse.org/openSUSE:Maintenance:12559/openSUSE_Leap_15.1_Update/deaa9815514cc169a41a30cd5ccb4134-permissions.openSUSE_Leap_15.1_Updatecpioxz5x86_64-suse-linuxASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=4208fd8ade33c472b8e7440692522ee9b05fe31f, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)R RR R R Rʿ^֪:ZVIjutf-82865ac2a4afc58b2f98de61b846c401f285fe14aa541ab24aad7058a6b7975a4?7zXZ !t/V] crv(vX0eEwuzk7%ۇ[Z0|cT*#h|V(@jL+n׎jq5;+t>Ĭ ,Fh%LGs㺯Hnvg4#UB Д<_|zmֈsUlz1𮻌(4&AG u观N?b;dN([S U\T2`6!A 4ǮTWG^w+/xG1 ]܈QamT:_6}|41!L ) ӅjH\+>MXpk)!BI;ƳbJ0^eB(iv削8Qn4 z?y0nT5V*0 4+cE@SAq28!ֶ۩D>[ _Χ1+a@E~ZZ"cY$9`egOMKjK,xnOWzC~wAZ(mZb+=?f%vP"\+X?J]}5EwE3_ViNI.OW\YQS Wb?MveDG[G kHO\Z7D -}>(2H]<4 보W ijkFQ"Pu,L`ltywh,z"M_軉l<|0 9.5{_E6]4u~&{(_ P>VįX簾JrwH`dvׁ!vRۅ}@c6Nj=-p\?lqiMン( @4C]}LBd?v >ux[2[3uLӼo,M UQ$gc; e|b'sR.UӖH2TB{Qwwiq%='>Gs`7BP  V|ΚZxzLB^QQ&7;ck}!}n1qFD,oc0~ߣ5zY@0Gu!T;T3Roՙy~ѐ$uW l)]Zփ{hJ _qMVֶԎ˗d^Fm6$ѹ8#M}'ʼnX' Vϣd{pebfq@MUf-pD4O<=TȊjdՖ}? :)p}QO]yX}OW]a/GX v~ܶXٟY$IEkT Nr U{eDNϱ_/ aE  [s 9 AZ'8nC } ̖{eflZJٖ< jE,se AWxf?gZY7K9Zf $M>^&f-dP')VH6-Q;P_Q4f5z u"~jyX:yKBh\GdgxXOT T( QeWrHd7 /EPkP;#kPR9~ \Yԡ5=̃‰J ) e6#?:Ӈ$J痖?Sݞx]Gڽ6 XC MeҞ$xGCUx^9 cq^!G]nI6kUiCouɃ'\d#u}TG3I`]ڈQVܞP,W Tiꦖ|bT0?q7_<.&ޏ klU%OE&zoj RU0]jo}o:HhoR C'kQwǙ{LbTʖOoA[r QK CaY큳AD 0gXo3i7S 1u ^m f< [5酅v>t8JNb lhgס1 n{{o#]oDAJ9M"fU!7#( %Pl1$eYR L &A{~5/K1/يWaؼAKׅAw}:89 !,+_3Fɔ`+?.Uw/̋f8zt"L@qphLȡV=裎X QHoJIA,v]($a[yUSq'BV )WT^U۵ 8gOl+O'*JYg qZ7hvHSsFgvadwٓZ}-8淃On΍ ;!m!l[~BX ~\M /?3Ajw,nJ9N e6J"_GT1<#F+U[ ZNѲ?/;vh fxJNdŨ)p)7cK8N맶$ &VgLWIeΘoUC?`F?hte/ģac?7v3 -%blU3N}wwRI GTSf- z`oNw l _e%pHMnVIWIA]?U[QV-d(+f 9 fVGFRO&f;`OHMbE[:)^1UG9׀qAkQtIe/U>[ %B-*yHI=~\5lD4l4'saFڊ-YÂd&8:PDjE ;F|s>{cS0 e~=wTZ;|Ώ EsāC!pl0y i׼#4K5,Ƕܻ&*T/+Β 6щYyG5J[qtQ% nאt8 e~4Sz}bٴ>DAH4:,K׵BHh<$kUT5vkNj5QI*QJ=i$VМa0:"sp!]oi Z6[.wQ)ͫDd*P˝!x:Wly9㢐KVbU| .>6 {HW/q [)WV/OmA1J??Eϗkqۋa8"bLޅ#S=bkCtk)(_ȜSjLv_mM5X3duk_>,eY\&r2ocfXsE6qxv (~6Өc4Χk(dk2Aj]LU#[\բWSI}g*p5Ud(e̳8lxH/Cz?tMڪqGSjP{t lr|ЏBCfp&0I_[qV)8FJAEtc6Bmzl~ z) Lu\ŴBRk;&ϰC#r9vIU+/Wyio AuQөJLxbnbzb׋iRLƓ17lIDjaj9+γ`10Ků)jhD󅾟ywmn.T: f)SP,SrF7%30 /e^m16hm? j1#9;X6r<[ހm˽$*QVnW[#,,{n[o5!@ۺimFͫ?O ߍNj`;_XI=ӞKQIipDO kf2] AqS""EuM"t:kG &7&{-`R 4TBk@a81BM,nW&ʛ͋-T(Peb:OW=\-o,К.)6D&7Lo- /nt+q,ʚ-|Uv}Vq@&Gx)8 &jAN ';HNDWhD>`M|Q.eG_6O~u8U9Gyps'WX<#qdCqzGź*ݳɶ3niu6oMN]PTHSѲ:#<|c(p l-Py-U e T6OCe`/벏[uwfU|W.%x6('cShn@~x]/xZ9zՊs}t6DQ cwkI(;D3(bz3H^ z)oJ L!mrE$#gwD@hn~e\$6wA B[p@V1P̙@Ѵ>fH8 qRکT)ML1+?Vg`wV7ܑB)|`=#G]=::?.~߅ɕk=fFA5X*QuE{CdzsDs_.ڭޘm+ Tϔ ' ($ްa;Lf6-ELk`Khm}Յ?NGsC©Zr% bQAiIKa$kӆSYfbuQAZc~HfjKSd]NG*n&Nb8|Af8kc @\li\Tl eGo77m{.8]02xٰ#k{%~":A;C. z*-CWvW &ZC瞏(ABYaD ZU74{Ec}ۧ<Dh$MQ)9,˩q1 5T] w-9dJp'_)I-ܧtZ9Ub-,24'jh -OI^Zf^4tz{xݦ"5?JqeW*0JkHKl/ 7C9m#h ,WoҞK |SANu!֭j'N@ } I2#ŶfXAU DƥC-]y!],[g3}l"Sg VM棸~+LUw_0K4i->sCD ^HB0l]oy'ň!/-qiʍg|8a'~ۣ$LT&I!aڄ|{eYBf~_g4p6J ܩnJ]5;!8g0L럤)G!¹xoek-e =MU`6" /@;L[Oihww7Ɍmvդ23W#HEmU$H!+Ycң|^i6^.NKĄxxPt l3D&>:2k}  =:)򋵛nk9"'»+I(d=r 3ohͣӢۯ-P5`t/2'gȈ/== ^GZȸWq SԙןrJ_8z Jvrq7N~R_U#%|;^j ,R3m)8 qW:\,IMw=im_sKxY+<증8>"aps\ HqJ@8v/D;p=9*NQ*^Ö́ct@$2 ӏdj6Nc&.y\g dɎ{>kE(9foJw}sI9dtO9sh1ʂW fPlC#fpڕw=c=KvO|X Wƃ69}1N#ŸX1#'W_U_8^UnP'hCILR3C/V;Hg0($}5DǕIy~ Z--w{',z3(8 w?qn'96%z)= cG>Bm_@߀|^<, .Qu|32vKF9uɮe3=0*<r}*yʮy4... 1 m*2 x+剺LC8DTqFfbc\n@&5^L P#2 YDҬD \Wb)Vd]ZȞ7jL%걔Sj0EΟ-G vYu`4j*8^|ZLXCd1͐Ar~57zqh#q]rfNc㢹klUbRK+'[D쇗[F|\&&ji鉜aH' 2M]=}ᙬyP‚ P88 uFe[1вb坊@d3d2N8>|vgxʋD̓l߸t2h!YK$h!U kE,[%8Tl&NDŽ1/lBrfTN3"G9g䑹Usq2bBgHIlqʣ~}/oݜmגٍ;^h :'UDw~ 8Ґx &f;>E0( #[4h0/7 g`wQ2 c~@TGSZB*"@`@?rI0vbTc+J*4>uIqa$?dӣR%@ ſk8`@Qj-TuXJpb9Q+ienf7q'2U0R!c>~k\B8A Րմ2힇U>*XJ"̶h@~Ǫl6h.<^>O9~`-bw'Z5p-zr;|u@#j`AX-bD3_+ ᗫђz^B TQ]% v 0=އE< Z- c< >Br-x Ȥiв( K?R= C%4 8uʹ{A˻Ƅ~fztrBJy,2M4+f"raWi4l1mFilIr.ArgD"UD19 TW}qzgc \q-m}s"œ!+`BQv0fOkҀ%ר)pV6L빯_&BaY :BHhͷZ@9 y2s*Tl!;xz: Zi$/G05@Nt~ਉyGgDlnܒOVO8Ek/D:n=!&YĘ@%hmu˰6te: 6vDq7SvE{Lpf=.bmpt3*س "byvb0NJcnKL0D T)jXl.h<MJ^?*j]⓳]O "F+ y?"CHY gzW",Ňv(3P\ʁhd_4hT𰜜;v~4o-z?kmAm0ĦOAÍ,B&amꫮ 4TkHd/~EBeW?uq""Mj,mw2Z+O "q G_o5O6cly&/w8HOlss1W`(agBIW7 3y/4U;g1p%]Ϣt*8#~i0y&纪`¯ؤn !U}r:yÈ#< x pE7,1`2Y #I?88ClkIu[ u9`#…YN}d3VC0=;Cv|.̸RK hTz/jGTk_*ӵ 5E64"yQ"Rcsru7jD,4/#{d|õyOqoN(b 1om֬XS `;&U7Նu(a:֟>+.4Wb`Ȏqx0IVR442YbGq2Gd R?Ca@_w.yܙ!R°"ٳoצηژr, !(~0}AL|93ݩ*vtg|RMKGa`exFaN sݚzcwh\ǃcK2lgDx; '13EX`FutD^ZYN u (7+TVՇA}70 _x)4Nkuy^('XIz'TJrM$Uuޛ5\O3 #[AݲI+niZD+N;?=%#G2kŏ[\%n0BJYWApW 6)EXmj{ጶpȝ} i^%qjZܰleN.p6V\9#_$U(ًлGWa"dzm2FܗcM~)Lڳ @]nKg{ rTRA{We*HjUNDɁKîA1<pf?XV}5piV/s1S֣kA?=lq٫Yq~OA*S`(BJ/Gj:_+JnPnϮf'<=OIDS@Kw$㎷L  eZ(cz[E t\zR_JIU",rC &`O3QL<F|wAz?"|r|遴˃YE{tdj<=ьvfn .ռj~u;.~og"W[CJZ)~odn~H ז#tp*1ō7׈x"=>wTRWRh-//O&+{؈j^._!А&@"1صļfk2M2 bb.P*nt85<9T݋\N:@\HS/&x.8 ?z6bIVkMqD^ZA3 ]Etα<Ҽr4z@>u 2J|~v{ A+b-ۥ#ge}5;)|=$Ol\H2OuhF3P q~m܊KO3;=JfJ`0i̙<^Vnk71'tyljPFKnA| Ա\cEbە0_y?(>}mN11rs3hGOO#!k,> +X[M֝X6KA ?H"(J ȭ"tF\`nS[מ` +` SFɃ:!slr)@Ѻg%jվPP,,x@T`Ȩo26@°%颽>>ۜCъ֍`Z cf; @ʠ"&ޯ}V)F\r5jYM+pdcEa)1Z#OpY_Zdf@p?oGruEa ܻɮ5H<`/x L< "ZB\_Bu XKPVO,. R>J1ۗ= ϿáMLl\<\C9TN~Z*M%{T+,}u#q OWˀ7U=4;83\D\o8!3^5v UowDd'7?=,EaDL::yؙ1[ȹ0 ޲nKΆPhK ~0r" 5=w䯌Fn>Ls֛iGN?(v&]UPSaq.N׃c%/dMl!rѯX Z)Eu;H4";\Kd0@$;nP_9y 3]ls%|*>WM P֓úT#ӷ粏Ջ64A%`b#YC/-@'-R^Etm>B --&UܫQ+{D~=8Ͽk_Gmz$J #6 e#TĻ@~WV|SG'@Ȓ{'].l6cH@Pw;yiTfW٬T+?8׹o>_vTN<0gz/{U;5u` QĂ6e,!ޑ8CÝ9oç xf WX@R'BS/[{g"L/ #]x!z7CՉ`GZu9u$goz|+K yO[eM_P`Ms?gkp6薹l䱽:vLT .dmsܟ5,迥[5}E5v7s*&L H1Dϸh׹*'cS\јT(Y#3L{~SaP2>kUT c]iƱieqPeԄ71™bh$2Մ_qyx7G|FM# =gɏca*A!Uq9o_1xJF_Y|"G`փ Cb| 4rs̥<1ifdߺ}HegHx9vqLE"u>/s'~-K0DNmb{z'$6BѴtN/{~P%[y5bf͘zsDDic'9?#>&1 Mr\GbHXO^IS TNL_+X2k 6(}iJ~Ti/ܢbJkaxK PP٘>/<>7Ė9,% (72v-/Њz\c/nA V&nd {VV'QfAʓbr]hkdlPЭ[oF@ $a/ H:JƇ-V#>޿ L@/9Te,ojNQ]ViD*gE#މ@D! ~&L9iĨ$w(K3}|ez+vH)>X5o d`2-4|)\}W•UR#s85 at真WG0[.$*Z|<ɨ*!Jl䂭 {\D& hfLc٘~؆!/GhFU09%zx6~ %9SEqՔ,gD滶;N?~j^[£b:x >`]%9=C`|IG?4Ҙ de7 3t|prDoss'+NZ0j6>$Rw.8ݷ6hhlӤ8$* Aww)UGRv]n.phKYkxDt~^x\5Lz AG=IB][0w0!Me{!Rf㿾9I]vmKB@**lg^NݞtCC*̵5ZVbEg]Ơ7E-ZȮI~~e͡X} 2Q"_I@oկr $ކ#I9zj"eå8 XD*5%u^Ʒa_[!VUV7l4:p3==̊` wlwƇtkiT|k'XvI4A[1r~|@+ɱK'Rm~>Y ׀(Bh{B".z~Fǵi@ƚiS6-pt?BG5]x>/gI/[GPP@\?5R.S45J B#)*dނn Y3D>hQ##*vMXiFIQ܅LTyXˈJ/ᜉ 閔" Ua0_YKEBңrA+lAW,<ŶҐ :a&gjB n^*[vdG c CfQ/ \OB~p0:&zSheTQa J+ =7F^J<,F[ij:JOxB% fXh#INYm,pbY52Wf*.J絁;$O{F3uH,˄vڞ=$g"0QX'BΉci"d>4&O?%ڦa)9,Wa 362r`)#%S*oA/z,A$S Yq63v ,HH?w^w1~6I2V_+p>_NJwE{:غ.Hֽ IvO-e ta6s;k`Փγ9Y53PURrkO+EjO8o" 6/* QsZtay䤝"(Sln[-#1$ l::-3 NAGT8 tҶֳ%X>. իf_}eNN\ҍTu),U ?dag;d^0 tGy **ߐسrMuEac.ۀO1_\sO hCX͸:WzD<n֓>w<G BwǛ k֒CbwvTY yn l2fK h' =[W ɴ"x8/Ӕg䀴/D*l_|*ހ_lm)#і":g_7dc] lNqz5Cz8APq}%p%^ VN6㾴;aFI1i_N XoRxlvU)PgeL+2܍%Um Xn9e Lj7A/4IyRjI/3_yd8q}lPW #.#+ 78Ye]lK3 />?:S [x +`Ϭ6>;s[e-ظ)$"iu\e~ rwZoCܣ5s]vhqe$lۏ!2 AԻUqۙf Z5gI悮/^,ϋ$0j6ư?J-`@HO GZGy[!_pLjy݁0mݞ&K&pcOBݡ<k]bWp;AIC=4YLO"j9=A+$-FzP,) u׽v=+`KWlY*+X5*1֪( f,D.zo:lhUkǚÚr4^& i(iwIp%5G;=FCԳ.gJ"0,?D*>1[Ncv.;L-\-bL hPfl?tHe7KxR݅ Wǡ@;J;3P6L{ wp{iHN4e)\y|y!N加Tlhu)&`3fA;q1$J,Lu͒.ɲD}6G-SeCn8*<ȹsþIxM\E(XKH7,wO8eȶ-b}A؉aUVӛ0L}YwQ2G[=ƤOPA~,O2SGU~\CڭVi"G VZlKN0LńZ0qDd 7%b`,h|ξ_ISy)6ws>Wr/ IYdttV~k)-]0x6o:w'S r4)ak$a#IMB_n<7&hYza qOɝ=*>_|S`+,)ca?uy d_)0핓D7fWhbnGs %wM@Q 1kNq8AMs?zgu xCEXQ*>.5xQ謜'0E`8yR'#9!M€sPp~j7~3o4j뫫`$=RDhБ#k׆9Ҡ);%ڰz(wC+n#GqOhGԨtQ+L=HУDns}OksD MoNpR˒agU8IR%"eM !#~<ٗ24z<&$u(1 ޾8IgԺLʼn vebp[Pߙ捞 ~椦@[lιrVn u81 9F.jцJg8ZA|a:KȟFhj7 Vt?} ]qcBIVz˟mE!:ibmYҗW6T%E{R|4=ˤC5v|%ic\܌.5>5c F3Y˨'Z6:lc}wx@ZUHP"#j }±O*?&O`e(D^zoiϫBM֡YC\pv[4 OhqVT7mp'!]`P>s4{/(8@ϋ3H!k!@!2g/k?ąx[k?DZnd:Q}eȦlݩgŖ~R%[[z9)2P(DAlf1t-60d}>z!1o23룽g&{]r0Ny_LNl'ˌP]ߓ} 4~yƙ^*&o%ϧ:/" tqk ߂/U%2T8}8mב1z֠IPv(>WߎEtt鿃"A\dQ=I0) fӑL ᜒkE6;L;%:._yP&N"2]_d-[tHM{0_;4 tɹd(OnMLأ{x !T>-CktjL—1H'Q쮤Z\tmc-`#2hx2mZD2C^ɇ#y0>B"5a R:ȓ pv̕ښNkcRxӭGY  dUurɋ~mMYKTdͣrίph*q%8oSŹ;/e{ !V׌@7LO;{b*6j;Uf#AP`uW\.#ӽqYdT|{Tdw9[N^4 !"zYZ+~Hю[3RN\C~^P^e#F77@p|fbT=Qܙ̒}.R8jL7̳.8M~{pk n0ػ _cIbYxA7CT8VjDDg,"[n(@a XI]H5l4^St' RYvFeebN3͏ ta7U$"7-| Nb.̌E.)|RPP$-LK;qxYfwD0\ WMux;P.k7Xڱ-H9|ź(/S~'HP;Gx({ ';~QdePP?,N\^;g YZ