permissions-20181224-lp152.14.3.1 4>$  Ap_r:/=„Ea5DA&3$'3q)URB!sOb_~փAqT @2sF*3ٻ 1xA Xo?#:p=&.>"Lw,FM_nJWY]96#FSIΓ#&|<%qnL+(/u-ZaFkbF`dxhHs'a sP+om#Xj%RC享C\;mՋ-xmFa6746358c91dd1ef05c4ba54ec45fc0583a1e0d069a672c48b7a5603eb6989fd69e47294a47b0fe3c75f9c81a4ed45423e733c7d_r:/=„yj7vXR)P~[99w)VvXSk E +;E{;t /,Wɲ|Gue/\k1Zn`RLVt.}OഘɠկDj,UH-3+PTm(P|M'!‹J.w4{N 1?5R6Љw]]Yr($x.c_/?֌~ԂyLq2IuGL{8 ܝxs"҂ q{d;ɰ>p@=<?=,d $ C'09 Rh4 X  j  |        E r   ` ( 8 39 3:3>7F7G7 H8 I84 X8@Y8P\8 ]8 ^9Hb9c:]d:e:f:l:u; v;0w<` x< y< z<<<<=(Cpermissions20181224lp152.14.3.1SUSE Linux Default PermissionsPermission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security._r/cloud126=openSUSE Leap 15.2openSUSEGPL-2.0+http://bugs.opensuse.orgProductivity/Securityhttp://github.com/openSUSE/permissionslinuxi586 PNAME=security SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi # apply all potentially changed permissions /usr/bin/chkstat --system0Uu1X_v9;@큤_r,_r,_r,_r,_r,_r,_r,_r,_r,695fe6b30c6f66604218b2ebf6101892df83b7d9d43f77e36962e21814c56c658729daf2fa1e87f5f1df29857c15fad7b474a22da7869e71dd14b0af021009b3254ecad52808937c3153a81d50810ee7e689d78dfc2cf8aac67cf179a2fdbf3bc90493a1ecc88f78147c4d9da625f8eea790a2539e21cb4ef3f466630ad0b796f7708fbcc52268f91fa2b8efa36764b70c36ef667bfc586eb289baa3fa36063e9158f56480bececdae23bccde488567d938d42e7897444daf3c7f1c6eb98b42535eca1eb5762d2b602f4b5114a54eb6e6815d26f10b5dab00cda67f2860ca4a32dcb772c1e9949198bc7695bd25c20cd21aea565905b0975de2edeafb31d8202acbebeb00ef9fccc619e66ad50b5c31ac346b2e06ec7d429ec8d2181bc5bd2f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpermissions-20181224-lp152.14.3.1.src.rpmaaa_base:/etc/permissionsconfig(permissions)permissionspermissions(x86-32)@@@@@@@@@    /bin/shconfig(permissions)coreutilsdiffutilsfillupgrepgroup(trusted)libc.so.6libc.so.6(GLIBC_2.0)libc.so.6(GLIBC_2.1)libc.so.6(GLIBC_2.1.3)libc.so.6(GLIBC_2.17)libc.so.6(GLIBC_2.2)libc.so.6(GLIBC_2.3.4)libc.so.6(GLIBC_2.4)libcap.so.2rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20181224-lp152.14.3.13.0.4-14.6.0-14.0-15.2-14.14.1_i^?@^ϧ^>@^^y@^\@^Y^;^:@^4]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@matthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commalte.kraus@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.comMalte Kraus Malte Kraus Malte Kraus Malte Kraus Johannes Segitz Malte Kraus jsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- Update to version 20181224: * fix paths of ksysguard whitelisting * whitelist ksysguard network helper (bsc#1151190) * pcp: remove no longer needed / conflicting entries- Update to version 20181224: * profiles: add entries for enlightenment (bsc#1171686)- whitelist texlive public binary (bsc#1171686)- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- run testsuite during package build - Update to version 20181224: * testsuite: adapt expected behavior to legacy branches * adjust testsuite to post CVE-2020-8013 link handling * testsuite: add option to not mount /proc * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922 * add a test for symlinked directories * fix relative symlink handling * regtest: fix the static PATH list which was missing /usr/bin * regtest: also unshare the PID namespace to support /proc mounting * Makefile: force remove upon clean target to prevent bogus errors * regtest: by default automatically (re)build chkstat before testing * regtest: add test for symlink targets * regtest: make capability setting tests optional * regtest: fix capability assertion helper logic * regtests: add another test case that catches set*id or caps in world-writable sub-trees * regtest: add another test that catches when privilege bits are set for special files * regtest: add test case for user owned symlinks * regtest: employ subuid and subgid feature in user namespace * regtest: add another test case that covers unknown user/group config * regtest: add another test that checks rejection of insecure mixed-owner paths * regtest: add test that checks for rejection of world-writable paths * regtest: add test for detection of unexpected parent directory ownership * regtest: add further helper functions, allow access to main instance * regtest: introduce some basic coloring support to improve readability * regtest: sort imports, another piece of rationale * regtest: add capability test case * regtest: improve error flagging of test cases and introduce warnings * regtest: support caps * regtest: add a couple of command line parameter test cases * regtest: add another test that checks whether the default profile works * regtests: add tests for correct application of local profiles * regtest: add further test cases that test correct profile application * regtest: simplify test implementation and readability * regtest: add helpers for permissions.d per package profiles * regtest: support read-only bind mounts, also bind-mount permissions repo * tests: introduce a regression test suite for chkstat- Update to version 20181224: * whitelist WMP (bsc#1161335) * Makefile: allow to build test version programmatically * chkstat: handle symlinks in final path elements correctly * add .gitignore for chkstat binary * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) * fix syntax of paranoid profile- Update to version 20181224: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: capability handling fixes (bsc#1161779) * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647/bin/shcloud126 1605530159 20181224-lp152.14.3.120181224-lp152.14.3.120181224-lp152.14.3.1permissionspermissions.easypermissions.localpermissions.paranoidpermissions.securechkstatsysconfig.securitypermissions.5.gzchkstat.8.gz/etc//usr/bin//usr/share/fillup-templates//usr/share/man/man5//usr/share/man/man8/-fomit-frame-pointer -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.opensuse.org/openSUSE:Maintenance:15002/openSUSE_Leap_15.2_Update/3eb488a46785bebc2ccd039d1c7dafc2-permissions.openSUSE_Leap_15.2_Updatecpioxz5i586-suse-linuxASCII textELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=c373805f95cdc88e724f1d6f257e8055b01ed1d7, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix) R R RR R R RRR)8֖mm)h2utf-830fd53d57d9f34663d8320060bd56ce85613b118b8bda6217a691536d842362a?7zXZ !t/ɯY] crv(vX0bl?p?i{pxj5y{ʞS,۞nAN A*nzvګÔi\偸|e[zǹA?Uam]EG6TGdr %'&?Y. ˛D;bW pՑ;'"]nL~b3rlw[ Jr+ʉ$t'b sCś⢚Zz%V;x*9 V׀WSyOCEJܐoMG2yLn.Ҁh [FNJ թ1(PJ&_z J2X PV<$PA$\\@81d4 y{%]xY`t&;Ue?%;:ڀ$RNb >eLgþFT[HS;e'&o޾|>Ia:51g5n)'ݺ6A*08WEyAkN6AEy~t[jձrT`Д570z{ccAM-3,ZֵQ)(_(ﶘ=]*\=KL :<-lD$ [A嚝tp?#(?x OA ir<4g +O5#K);Ħ}ˡ3c'iu(&&xsG\Cp!7sؽO+ś/ w/%KM_9**G>/WyW^lqPw!3%x6i$y;CF@8zIebV jQ,@1]=h0̤)r97e 77qsm=NGI1 ᥊"9}X?2<3IrRkCPS=T." Վk5s!xxbН;rņp]OR`ydA|'No+D jQ cI:;gt$r&= O;}H?ə'ٞ}\P` %ljfSG.[jB/_Yaw/V':%U"lWooAAPn-DӍBe7 m%ij$|ZƬZpP;7b['Fy^rjqGrQ/]7X-)Jyo-vu!m!nh^vCKtKEOMxң=+=. ]cO|o0^1y+N W\K4?GZUilw5s_4K[> Qނ)wqXxٲjSYإ+ŏ޶k[¾+ ;XOMbɪ,Ie>T=_W:˗X)}ms,Fe6LM-,{nR/Ziӿо C:T5Ϸ4rz8w7|U#c'r}_qPХs+]n=# ͨf^->JmN%ʓPUp86cJ^cZi8uzlA٨Q 4M 7ttin4X_-㠣?l6^,v{i]X2_Wsl1;K7)PZ#4sPUWjO8!NoИR?ֶ;E^PMeli@rWOҚ ;W$~Ȯ\HX_\hVSIewe5)rcBG՘nD窬Dοփ35M %ޡq\y} aYӍ 4-)GI} Qo\}IߞF@ωFs NcS8!#Q,'%Y؜"@LІ*Dk5DZ/N["#˛zLM pgڗu^ Q\U={~1\M 4 nݚn 52`P8z=at}/"VʓvqpPѢeHc@S] nEȝҿDyɖfMypQ5bU c'aXؐ[8'A$E\<f:HbraYp%k$vDK8qLIƹ]iЈu"T)9?>s#${8L5h Ba#p˥rmYS7@|h?Qi[0baĄ {`$l$xB=:pO˔&P<ў.3p"H#\nP);}(DuOm\qR se őCB_^Oq6>k jSR!)bbAug*,% qMb~M3kGy\ _ < 3Au9D]smeħ^)p͡Ƚ AB)M+YۥI(N%nʃىMKS4 U\N+ /C$}}RAanj궬'.vԉSHSi+ psBdΏZjŮ!`DЈgO9]o=(ΣVDE/,d܀d#u>QzbB5NyQ!Mb G3)GkZv?yyģ.1Ϯb0N-fƺ!ޔO6vl UoDz*Jm>h7jN=!N+[d#i9I,khl'dR^FW 9tdy1珛 Oٲ*m5 gY*OdOqx̟\d,Ǖ|g6J7`Br~-efʕ TL8mTCuLeeedB&I{#l E;g2Ne`˛a LI~wv]'VDJB%XXH#r/WC.JFVb!lukR m ghΑs5c$7sN=Ɵ>‰K!: *br]L7d'G\qPv8;8݂}񂚾SJZaӇS`lFPi畄c3nT svButBGuR{;D!xRzI!jX4R)f/5@%nʸ+ &FJ@)`$>B/5űҼ_YJ:EBIo_ l.f/@|~ /ԯ܍>W YQ#VT\ˁyDR[vI"j;b[kZomOʙ<ܖIcH$]i pGaNCP.%k,ȲuuKDhkZ'>Q݉;W oFI}~]z ;ckGI*{ !m~*ۂ.er5g; B`^V3낎ImisX: 9__&akvj[-+|,PP[S-߇'PEc#9T-cLĥ-:G_ ˦g-U LgQa>hW~PA[MSkZ`Tʼn+kʖ d`Xi'lC |ELT'FG$(F_dYUDJ|emXzif m;`5MM].6%jgD\LŶ>QxqZ&K0 / 0id|ܵSǵYMocIٖLoO L z9q\(bIL|ПD9.h 8ԃ^YUtC$s%ڽӁ)rxnڍ\PWnK3g+pnV难qHГVAj'<6B"B,g,GD_WU,(.Q+J=@2d@nu ].~i;{.楂faċrR2Ct9~olRhu뮾 ?mp]YFyCFvFaa^xSFKc+M)@Q 敤eD)޼Y)Gsq>S/60/\s#}mJDU=`Ɔ -U5v\|D_XCW͡nmU+gAr0˴3P"ycFV]rGZߗv._8ЃyNYI /wH0#Ьޥt(q#&a|+78g°b@<7y,M42 "+ ۫KЎ:ZY̌p c&Gpt)r=r;9biyRr^rW6>.Z|Tr۴Hv.&hRx}xؗ*BVFhO>l[Ԟ#5DUirEX_uW"+JXUDB;*)VX:q|mL_!LfhGq|$H _Q~TMFv1_a(`^=JJFecT1?[h;s$evl'BMHx{_~jT5'MŐ YpRێY ;gJmcXPpyo#"Swwo ?cFHmCG]x䝖ߔNePni#w !xxÎUrV̨qE먯ro #l@%k|P;;bd,易QAdpYܬoBQ#\>f'[,8x1wT%25?0%cDga fNcR ! 7oChcٯõ'IELN㄂ZMұ/ߌDlRE}D%09o})噖WCVRI&w Xei42 4@׺`_ K칼9E e$$Pl\H-9= yXLF[ SkChvF7œU|5;HF봘6= F]ٚ 9bݨ-pe,m?-l5MDH6:)B5h& ; E##} u^/ax *%=-usb&a>BYOݶ \I!x{SY5 ?MXƙ(&#,˥ok9)諓IO#g.g4wɛ%Sm$Ц) ҭvg-HCApD<yIм,e P2?Պ#%OEuI y4ifЄĶ][J!= 'ԑF @^Bal=t LD2/O;vզ HUE/Ddb)}xE),n&WGso:Mz#㗣oK,V%`$)/ߖ/[|ˣ.D1K|ۄ%Mއd&ZBe Mg+kY̒$`0bLt'DrGF#  !wpz(ʟj,I`Ri[-G*z71>:^F$p[>s pUNץ,6UOTdJpwayʢ8Gd9ѽ@/B- 8H0hX]u8i)nl燏6 NJH?3e%[saY4l<0h.:f}4X=}Oˀ -LHfs=3縑;Z])p-"H`AZEк  =KuT&Kٸum+c[̇KM` 9` >7U됹fdx5zD[`P/1@+ S%% Uvuatqq8qMz0$XpziWP&Ouǿc1ğbfcy}+[ StC 7ά &)U}x=3[܈FiNND&ЇBMe3 |ql#}^`_qHK@{ٚ Cs$.KPI&f\F t 0ٸP ݫc!ft`hSq>@CŚi'$1M7'~(v{&UC<K]A#$ gRb"›5,uj::s[қ|1_y>WK4-%f;CӾ%y^ܯ%S{&9dzhሪ~ euўf:u91>jhn^Y`R4z'8hrϖ|4ˤĥ's6M3WYyĨIuP&˙eN(A:ԧ 0? Կ OKj][zqztf=2XdFWW7Duuy4guk?zf6j c=r9qK >w2a^fz2hjv35B>,xV]}HHZ7;1}dbOfO FYw 2 dO`=!Np6V"Ŀد/eO9IfDC81Iubn wިH{ /4܅71n0)sM5hGPYdy$+:T;r1ap\y`hۃtK.:Bpԑ> 2=їLv5yYad ؎#rj0&N«# u.Pr.3bSK_<O]"ɘft]X;LZu'ùqz.Q7lդ (Q B}:۾`ˆ#kXԥ?e#Id J,akPOW0@@Xm|9ljzgZzZ`3)yI,rp[I˭6.i:8:ro((Ii| vt_Z5ͤep%TV1[4Y!ztY6UG(Xw:_8Eׄl0zN ~".Q^;SJI2xMIOfn0 Ё#?e죑}짟+;YUmX9ahSӬ72b 1vS ^V3-0fwx(^̑I/D (]P4PU"=g{|q[RDtȐܸ89;sCBr"FJY]T^sS:SCGJ;*ONqBc1)DPi:^:8ڷYDIܔrYd wT2ut?Z#.Y T$QY N2z_ $g:oF3S/N;!׼׃p EJTh|P%e!Ibw$%7*>wð,l}:ȚB#:CG \& p L6K ǥ7wsL*c3 aVtoA$s`gMw׵U:,DV,h僲i]8yQ߂x t>/_:Pff I&x%EYkT ?$SƵռ^I^} 2qy`B2ʦ|Wl I ߭4O&owDqfr݀-YswRD1-NPx^guL9f6L[(W('<7=kp.cZ mۇڍCdR_h6Bl9o#rgփBZuWM;骒]uOֻkKn TZ!Evvji IqGjSg~ǿ ؋Ttr`fWbC̠t9Lބݹo PK~Jiߺ@d 0ullnϢ:jm-% _r|ߜq UY^ҭ=% ^ U%xu ŮX$'|yR~ \hbP wheXX/ o t.%nXanV +F@;;?2lef];ub9V@k'=-U p&\_+8z@% ԃZqNMbiiiDEe? *ג\;eDn y¯Ox..̪갸Pus /\J|/[?v B@d]P0A·tUq5A*<CVLȿhha2t#nC6:toT{jhzռ>t<eTec}R;z-̮ʔb[F9~]G[~\=/Q+ŮəVQCBB]AbfsYIj@~>3 y˥:o$cx/pZa\&C6hM'/tfϔ#4Kސ'PPv I6,C3V/n s;--gAm~o? ELMbS( }/FmJ^,ɼ;R?do ?^e ǷtzGm[?N:I: woisp2GpґS'D,š.p'6ֲPJPHc)R*nG2@S612juxK5KzNu}~z:~kD HAfu@Ra+^,mYj >|3,S=aܤCdcu*b9㵸gM> Xج_ih! NiM}299}˪[U :x"E9tw3-Y=rXsZˈ`d{.+藨,&Z.tXd`(}! ]B2 I÷LCp/(Jq[O;r#$Ը)GOVo J ʽſbQL97D҉' 7[c^ݢ1`ɵzųPҫp=f|MCx$q]?DQզB;UXҡ&nY83 'L6QTي:7<h4w7a;, ?`&`ұ64cI"{.de[ۤ~FH)Ɋ#\Rl 8tk=onJ;T:fQ!@u%Ƈ)PhmdOs?)PB\X lr8"[2%SʹΉR? 9M5z3 |n|FD؃-يP$Ͷ&s"To'G4 /V-Ӡ(Z>od=`t^*ffF] oSTCgfݩt}*P2*1$AؽFoW ƌNpk$޺vJHWaو1|+R.'iBisQ:Aof Lj"ۊ㈪o䂔 >) rmgл9^dS I{$Sީygy Pō !D *EX|vȴD)usVi]ađ9}It>׳S Ha]VMX#J]tݽ'nnf"qYBی DqG]7)EL^a03^J̵KF_K. M!Yk2cg÷m^2u}멏.|հ~jԅ%#tZp;j|iB0R ^%jCsvuQWF?gzms[ F|N?Fs~ˆ5) ጘGֆ2:NeexX{!-RSV$˚SFBS>EnVч!q-셯 췓9*{꟥ 3b2}܌aSˏT0Ow9 6Cd7X> RBL:>RB}ʌ}SXСED?>8ey@t OIpMs.@(Y\r:p4Cx1 ד9q#蜎"1;6,m$ENkhy {Y ))QVGy02O& t{2@ZxrNt\!.h4kY|EHhNzA%gZuMwDhNDн5wWG Ē&iuXq袖4I`"i!gAdq):}^QH/NZb3xO}ǩs=f,Aռ2)^7"sT)'2`xA|~cjo$*{Nm)WbSW${a@>΍p\FbGh}ɨjk<]a!6);I=xF] 36F1rKV.{6=wĤbaP:"a)=cHғG QkS:Ɇu[ғ`ׂVi /~p2W4o7zA 8Km)SfjvOQiq=t-SgA#6o!g[%}0NHH jQ"{4+TQF(0k9eV9a'䢺=xgAeE%# x6NQzA)n܉0PSmQmY j6ofL~c܄wY5;M.Fƨm 8Ҋ1Ji;D&dz}ϵ &Eyph&T YاaVVȒZ! /gq"̍0tr:,2}͈Lj;@wF9EwP"JcUXë V-fG!#|@1M8G!ˣ:Ry mk*1 w`钐O-'QW$9OPݮh6ŅotQ&*O]a(^/9x=)1oT%8*NDc<.EK-zEpÅ]yMQ(LEhEOޒO}\:]+BZ̝>6x\&MMs8tr圉m'z(zuHz妌,Z~)$MP]I6& FqE*A9VW 41Dcp$ʦc$<_­N.Cto=?*4< k h# KoO'ŃCTv}5o`ulM :bՍc ;5`lN=yy4[0zd'Rp$"2PB6<< Pm;cY퟿UiFfAOp0p!$pQB%&)R5hŲ=w #N/ knzH5lNMOVr/3}tOT+3&Q*k-06rb{볨i_Jh%FLcDAbdXSDn06Z^=N\)ϖ}Ĵ<:ƭ| p`$ f@hYGjOPYI.8L)B[htJӴ׀UYDzlG]bol+͎ el $c [#Xo?Bކ[:$$I2F$&5m#~`É"֟VyYջ[%3s%1U`3@] XnCH҈=Yjt-  {6 M{]oN+(6ްTj]LB(<#6y v+(K*\HX{:‪pPCjӐZjjk.y2sTi}*,bkK_8Q48]TXc1' I:$.qW˸Gq]]ː4ueu($o)!4kvx$56'<ú3r> eGv\TV> 5JK?T3hD^FxFK`7L>H*r)ERh~H%P"Z0]BɹDvh$Bh5f/z99S6xZ6TM ߭0̙лԉӸfm]V ^6a7]LȮeHb}UX}.!OP(=ƞ"E}.Nu*Apak;+&tbRx-2f7B3#|ެBikE#'Ds9Hb%4v#{ hNAXGD5+u]q \d69#h /=;4O c$|3 r`BK!d4ՍƱY³ gl? 8=o[2ls`PŒ :I=?Gq#B- ¯R=cp"W#G =?1%u ez(RiW]e5 OaEQW`K#Qmy8x ,G1: 4L0ǧ*K ׎6,!۪Q|݅`m(/wSE j^02s(z4;_Jp N(-ㄕvH sn(T4@#KK^f̪I[]ڗxMՂ3 μu43BF~^Daشj'ltiWǢ8竫PC'`soڅ\C esE!+h(dGQz]c"pHe? r`ϮKͲgf'رg'AL%h&Hm͝>Lsߊ}47\e3Ԓ.OYQPTNۘ“U-_V}žx)(u723׆]!NJ,N0mx)p/_6/EX}[f2lw5$qoiJ2x4b9W5@sÇ%m} zqD{,uHDrk`u' ؾD/9ƃihmѯi!b_?i)(3_J(5'F`2IFa2dxGr}H'I{Bd`av{ n/ݫ9qo:3h mrRet V͙ ml{OcA ǝb"X>PoN]7.`:Tqj(f!^Q1W-NN[<8da #O-tL+Rd@$gkԋbmA4Fl_j+i_і˺+c `s+Nj=,m:/CĥJ30+Q \2>_fe^]^b_h + irt_t![iq̎=ڡ04f%m|=eΑHu௲wmzFa>yx=-oDbb @.(h{Z @t-N| $j hR:Q[W< ڜ,x>61X{֤ߑzv*HfA\1}fr ؓjMiCxUD\WgUß_lM`ͰM5d'Ds8cvYk:yJ2tl*Zm U5zb{;P"[=5kr-w)D&%?}0 ݎ~gBKQjBnJؼqDѯQ}z^c(Gch%H7Gu 5rSnazs6ɠ;کؠ Y@_0c=sbb֌uLQblMorcU7۪,e:*MTyps0HՆOEHvG"*M02oo'I5Xc5#rYiS !Ea. ǀ"/JZX@"Oc7#zl't 8k5KdFrsD#v>c Ez_MjBMZΥI41(=zC2+$RհUiSZg84w#:]jaQY-[w"2~LΈ,pKS?(!RzGJm~Ro%Ff+Cz˹%5k=Np`~aV;<%y5]$7[aB#!㽇s}ڌ+1޺8"CSjv=V4rU gxzZi|+ ؽ۽狢d!bj ЛVu*.9:Ȓ}M2)_"P\ЫyktM,_߸Ϫt@WZG#5TcSl"KXVt^`l{+bs7؈SUjw,-QGxĒj+n1&Օ1z-)eBNtͽRXAWԄ#<+ _ңZv46g|ftjRfꢄ~^yE@iO>29|ֿX׈ S%BS/0>J; b4!P z ~b2?Ϧ] G%5cU2㏁qkiPH"*w\7fDZ&#@x:T)4Siʹy؊Y"hj Oqª~d+6$c;SfW\tj˄y ߢ2w?^U\M>R&SeIkC K^ 68:a7Q\X+R]M7/=*!c)4Z%$?`i@J2!/7ٺGΝ8.;[YVjJHuX(3,#_Bc~ G++F"4|SW`|"ٺ^~*͉0k3bT ;PGGw{d*8O!WǓSUЗ/ZtGfoz [œʐW29L¿X-T\&?9/YQvE/˿jF9!r -LLx ]W Ftp7AmO: M rY Q\j\V#kubzePQ&Н2R_OܺD @jH?⸋& Hbk$-쵼΂F$q3HO# WrUIUVӧ#_ &H )ˡGnb=麌i.%ұa0jJ_nHUXf T-u$ZD61ZrEwX3{v6I<6@ՠC!̄oZxC55=!8 T{ 2n<LӜm\B9%e1"Ϸ`y*l 54!DVHyS~& YZ