libsamba-errors0-4.13.6+git.211.555d60b24ba-3.7.1 >  A aD\Jp9||>]bJN/ B᯸6S?e<:GcLh4mq p1M̠ՍUq ə#tPLN;R8><ƻ6oy2Q#<q&ơ΢251HN7Q@# \mWzȐZ݂yy&v:a?=ǿz3H[J?6B=:;"\ne8NXgwZƱG4CDnzD3p69a7cb849602e1f446cf3185f993d7af5dd097544a9dde73cb506920fdadbe74df18bc66b0fca5226365b46c620b3e0d282d1af3aD\Jp9|k L*Iv(>K{yx/I,1;b+ JVᜁ%.ݣs)nq(v& V'[]L@blRF 34}CVKΆ 8ZB~TjNLWTXR\Шd397%,NgPfPRDZHOC(x0'zzct|? ,qY ᬃɦk_ÀLSԑweɱdb}N!uha >p@h?Xd. 4 R .EKTX Z \ `  `  u (89(:4>9@HFWGtHxI|XՀYՐ\]^bc֢d"e'f*l,u@vDwxyz TClibsamba-errors04.13.6+git.211.555d60b24ba3.7.1Samba errors handling libraryThis subpackage contains libraries to handle and translate NT error codes.aDXibs-lx2160ardb-1SUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/System/Librarieshttps://www.samba.org/linuxaarch64aDXee73fc062d39442676512a02b0fd526039e5dd8cd8ba7b95a988c10146c9abe4rootrootsamba-4.13.6+git.211.555d60b24ba-3.7.1.src.rpmlibsamba-errors.so.1()(64bit)libsamba-errors.so.1(SAMBA_ERRORS_1)(64bit)libsamba-errors0libsamba-errors0(aarch-64)@@@@    /sbin/ldconfig/sbin/ldconfiglibc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.3`v@`a@`<@`@___i_@_|\@_{ _l@_i@_d@__ @^@^^2^2^^1^^Y^J@^2@^&^&]]]])]@]@]]@]nU]nU]i]e@]_@]J@]B@] #]:\ڭ\\@\@\ \N\e\e\}@\o@\\\\\4\ @[[@[[%@[@[ @[[t[#@[[Q@[Q@[\[[[{[z@[r@[ @[WZZZZZZ`@Z@Z@ZZ@ZZ}@Z'Z@ZOZ@Z ,@Z@YY@Yo@Yo@Yo@Y@Y3YYu@Yg`Yf@Y7Y7Y, @Y"X:@X:@XXsX@X9@X@X@Xg@X,XƉX@XYXe@XX@X@X@XWXAb@X-W Wv@W$W;Wu@W#WW W@W~D@Wj}W_WYZ@WYZ@W=W(W!@WW@V3V3VV'@VՄ@VՄ@VVIV@V`Vl@V@V@V<@V<@V@VjV]VI@VG"@VG"@VG"@VG"@V(V'~@V V7@VBUYU@U@UUAUĝU@UU@Uy@UUrUq@UhTU_@USanopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./sbin/ldconfig/sbin/ldconfigibs-lx2160ardb-1 16318690594.13.6+git.211.555d60b24ba-3.7.14.13.6+git.211.555d60b24ba-3.7.1libsamba-errors.so.1/usr/lib64/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:19341/SUSE_SLE-15-SP3_Update/29f5bd08f0da5c0cd8a4b505126bcd3b-samba.SUSE_SLE-15-SP3_Updatecpioxz5aarch64-suse-linuxELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=44069d2e46cb2d034c28441f5c7e3d13341c8b32, strippedPPRRRR=EC_z?Vutf-832bc966a548fee8e86ac1198b05103bd8f41f0e38b1ef296cd841eccd98c81c7?7zXZ !t/&] crv9wy7T>WT7ٺ9X5f~1|[هblJ'*rkô1oU;eH6'7Y43T+ 0gL :>THIs( Oz#KGp :!ox3&W=pPԓZ8,׳`J`?~V.%+"D234!RY b@crvv/kf1'`ɓwE,yQT VS91JDt Z,o$zP? C8Qe{8͛<åz[m)Ymn^h^44]:b&{h(E`vlDe(\T: #*BGcs0$&gOj硌236gv?>.sOJA7X"J#(ۙpJaH"DO7A ؊rzw; n_UUm7ąF"PiKaj<`6 BSs8,ھe =̪=FTWW]R %EM5r QXHIqW%H(Fh"yBͲ}7@(RVO|+cK:#m?(,nXaG wAj}YXQ5] ny'o~HW%BESdSh9~sO[ȓW+*i\z+C`P0_cC }SZIʷŒmw\[&K0Guy;ܧ;]7!! q~&C/IdlHka$ղsu4˗vxvR|6B@~ ds0 fZ+v-?w͵{A4nꉔWJde+@72&=je%r 7d[*pVDFjZ`>{_o GiOk45꿎dW֨nŏ @fc. 2֨ԋk!v3QDk>({'~F^ɟhKBF`Je5nhWLB)]bk ߷'+z~LtPA sH^a2K e`'ڷ[[&q&ET):H":\lm'J= ,^6Z*H7D"eU;`}{kC 5L4@,Z: J2c86džxC/+2s^ϗz[(W8i@QFSOJORk &.F)CnDfw624h7Bs>d*ĥgXՒ'7d01d]T9k@0M8XBc"HejӺ]ΉHܾȶ]FHq+_!(IuJ=̄#Ƣ"$~2fKX=6m^!jOYQZC>yyfymr!U󤕆@\ 1!b& j~P&59U~-i#gm.ZlGq*^*CS/ e8џb[Pؙ`o/u&"gg` :NH|:njg[$Pj_C?; ~=7j0-";ٲ_#f!<ׁG:$qzUHK05. OAٖL rE&W򾈓u*A>&MY3BiCm,;jA;Yluykdr|!1dO=zs[hJ0"2 *PE`y%4Λi`{$Y.M"RyçQ޹ 9>:a~$dLZX?>=FwBW(#Sұ25d wiYkӧ1AM>XV;c 'kך]@؉vu^^{b('ܺwf:(6*䀏SU;d :mz_*?3?y"1<*~Sɺz` ;aN>I KXd_vQ: U\v&k B,]jyr_a({.ĕƣcʈC n 2e^˞UT)*Nִzim4 =y4FŸJ CRbr93|$|'ʨJԙDÒC_5 Ը0S$;^8A q>?bmm^3*\uc&) |5]I&8Ld^ksKi%,Cd@`ԃ52bI d G ڇM-I;;[=oK{G]d? /\:j20i-Qf Eh*_uo g oNz.Z)Y\FBX=tZ-Cj<ۗKbTmOD탦{/ct׈Yjf; @P[3+5p:i74h1f==7kū z >k/:?T$qwLM._J1F-ьOn[' Ytq|ҴM|1TXKuSo,TՒx,!8SXw.^5 4>ۼ2?UuTyIK 31_yAkmD%"?," ^$$*SMlpMҧ:qwRRLocEMQNI_<ς$IW Հ tR;m¥gjH@_ޕsfy?ՂWiS%HfVI,Vַc>bNNgd@m]Ϣ[#XɟlxNyܔLT^#1YsEmDNq:%*!$Y+C,ZVWH" ֹ~Z?j7˗>즆WV>=pJ/Z:Q̅Uj}pۯgJscmKmc-=fcT ʤH7} ~de@([K-ݿp .`h&"eScpgn Kv͇sJ/iXҟwe<6b6>rCİ9Tc)*G+o>Ċ3 SbXGtw1@ gPLėct['0bxxV77:l6g1El:6ba _+jJT0MsGY9|R(}zz=JOm5DB~OCUu!y"gCN] Dz%d9ǔ 9M35X1s{nbNhCCځ8f5f\_r K뤰xj/D؜B& )!WVй BzIJ%)8 Q0"N[vqG#%|Z) UE̘VӯsFb8&ܲ!i5vͬi;^ETk\-R\JոhXojI.Fλl3hhjܽ[ n0JYZ%jp_YP'AIci=(?rGtܡ,#\ZqJ9m|Uot˜bibJ7A owX́Ò.EH!d?DD jHߐWXާ/l.~ za4o7 ;,agyY̝29~s5eS8"9;k̪#hWW2x}Q!m@`R>D[U! 92"?݄K 'o*W<;($:6.O xff_J Rw݃U ,_~A/dau 8z O . G5 }e@9©<߄*߯ k:WOɨ$NyMvdf7w&:cR>EH3N1yv4?f4~F!{f"yce.e5n_jǃ֜9S*O:O^𸢍#h Xe=\w' d? $ .*g2/BѿOq̷e3jr:A1ilu5G[YK> |7?I,G %<*uA¥7؎f[l2pD '| w1aB31%}u'Htop/+% u/Q dޕL1yy(Y\{8dO+|B))h7#Inmhm BPph!2oDYh׳ йS?r4).ōRXܓ>˕^zx?Dl񰇠PWm`FF)0.C69?h@,;Li{x؍l$"f 7N &h,Fq^W~(*9 Q4!R_kS&S,'SNÍl4g9Fj¤+&cV*i2=a•`zwjZF<-U `t$;X )Q5Gմp.hCZo-G+e,a nR:FcADYD?aetOW&x,OJtT̀ |ODPGm$o b3Mr-[0-EM+eeLB?PIjw? ̳$ԸV9e Usdd$[gm-+0s6](LH<0gR2 T\Z9Dn1M9!&0.t=;G9I] ' ҹ^v>')`, $ZTƕ̰!dz xvan#S ay͑0azxB㘉n ;&YQO)/?E51+S-.2SQ߽FC8`Ylj: Vl^ 愛&otݷ(3TPi4)AjKS;X 3>.s@ys@A#.D#NTF812SSrn3R/JTC!b0vF*ΐ/۩D;'* eUJd#Iz>| ܣ#xpXT N·Q~ zd\!1p?}Aԛ{+6΄`b#[&=ڊfFvQoʑ4:ZᷝCXtxLƼ^\''>Kt\ P@_I'T)n%K Ԕ%CXqK_|_?J{o:7Tz;u|B&Ϥ_kgaoۚI©SC߈sxZ>+@N+ZNM0tDuI1H\| u<=e\&Ӥ-máK!#1)Z F cs'~0dgYZ֑SY¦I[:sԫhE܆To?h1_5V́w_i  -l!7]xO@@$~;w|?с;Lޒ[%S}掣̞j40;) {n`<7(\/ )(Qs%bo<,r6ݤ| 掶:~;B6kQKCzX&&?s鮼xHQ)AŽGg~4?695rV?c.Xꎸ7ID2>->B:qW?Q较6Йk zfױ=P`bJӽf`p*)Q"ICVÛfqq<6-u=af(f&׷K$Qa1\FhB5cWgյ?Xm8VIS50ٳȡ${%[ S !Y\tW@adXᨄ%O}Iף\ [FШ R3PimkC}H5LF=5ßn 0ߙ 5iuAa 2FmcL?1xիYi"Eּ|:9?r N+/[T}"#z 8/scuׄSd$qf2wW yg:N/ՓjUByxJE<``4N g M2"#p]ǢqD֗%b:)߳xd">L_VʽI0Kt)(\S7U&?o NPВ/caTb̑iSyh+{hV:ҽ3A[?ĝkZu:I.I!:ˢ "w8thȘ6#'A<6K|eo!j?ScXhna$k㭬tYZܪ( zٻ6,ɏm:[g٪V X:E4M^>4mS oz:퀸.> -J:å K үImt~^0Y"ӨT{jl#FN}Iؽ IBU'L/ ?SߦPD $_u X_ ް>1m=i%y"S<^ύPNU_lAx#NQc\q J疷4k\Ź] mAÛ):npXBz(8N[,KʺD-^ZҕKDZ")*?6XJyPj 6l̆thMԋ ;h%\&c&}6~ׁ5Sx¿%*SSFjPkOV fS OгQ&"NqXA?p݂1]H*N㪳zqRXLc \nYD/h`]$ ^H8˻h.j1<7#&ް2'F?Vν9Պ*q~ǶL|g3,;9cJ;0}3E:C)J '{~HDwlGɴˆIt'a0۬ )g(,b\WW. sriY6r@r[.Fy)ʛ-@͜6`IΒLam8RqNۑ~g ja%ݪ)nqT5DIб&Q3wCGHl{o #fl,$AdET~$oM^V5x`mNoܞ"jp,{N hPAraQAF`q)XbQf"I:e MχK\^[%1yEq ˽U(8ynܒu|xwڮQKOIhŗJ `( (ԄdB27|M=0m\r\Pҳ?e6|N O4gg<ڻyG(_>&@yHF;$u (C yD;:lp|vPaLBԉےPFbfŠ;qo'O$msG'zVBWnk+k#'Y[؁xa F0Gc.ʚtWSS' ̏F{0(6,J+Bgt$ 9!- [~fbϾ\_B,TuliR.KSwz}vE/Qϰ MK Y"ET=2`X BB|}dn`W49lk(p+Waf!$]75;{LؾDH릖ҝP`2$Y<7t`ɬs~>i:@+)X)NVs5뢗䊼YKAF6~wؼjGӵĻ%G'ZFSl!I)lmt~uȭH7k+,:]}e5hrK !Au~6ݖGF~rDԩMꍽ-'m {AFxbD6Z 0@K kH^l7z\LYdx|FT)mhQEl.!Ojw&sx &iD  $'f:F/|>zS(zJ:n_}io48)ʄ, ý! e7f,`'yaSJ~#[͏nFNeZLRb#{ )_ܘd3Yk~xFWowSt%Crlrp&&1p'S[KJYP:|/|{#HJw޷4v 6 =cH%*뫔*g3Y FP$<Lyfj (QHR5S!$%4J{9kN!G<iIYl8cEt_d}7ϐgTOtF OQMц[b>ZĮ| UscUXH ntpᯪd:?pB]56vA=EgfY\EU{} oPsqMl,R=o|kNU|6c0e(TY"9c_()ȞDxͷ49C^vrl_{6709ҳJdtmuuSI59nm.;XSO*ĭD(q@LB[h"^l5x؍Fd 0]7=ˋd a?P<Y/s@¾hDj;uvmb[>_E#yrt' Tnhr1颵+"ȷI,f1Ph^QM!'>NaiE̬#x4;CeJOJܛiQSFoGY]vzdB߃~oH?$!Q.v;(I_s1am6 ߘ`cǺ.Nl]w}jOϰKJ6J 2yvOuC綏gVZ5uSn{;L,DLrX#\ʓ{0F7c$\ )Y 8%n<R ;F%mmZ+@^8u:SV mRf[~b)o߲1'o+w؅01-/ua8M1#4pf˝Uz]j lKGL`t_uLH~܏~ib$;?R&Je03T8:kUoڕZjtѩ[r^nރc|;"z-&f`<~a ?2&SZ,Y+c[b &8c"KEb'#Gw^#vPx_AOF[2h1PΪ¯u:"9 &7g8hAy Tsh6 urQ*H1 ̐PbkݛWfA `a$ $.g@O\O (VC괩3]R)ä_0弴X KG^;ΔZ\`DpSV9N+w4C+Q=B2ܦqEͧ E@(*@j"^o8?iDޠMw <ͣAv_LCEΐVz:dKMW[9`3jb #&kӦe6QɆ|}pr6U Ef,#vJ"侪;,$0ޕX Suc2+=_#tuFԴJ0kG33eb~^j|Lz|Fg&WO#+YJlxM}S3|uZ0¦i4ҎA ƛkF#)˘EUbfR7ҕ` 4r=eR& %KB0J_52A^ 43ވ;揜$KW>K%~MxE߄Bϡ/&ء.Id^UlLN븧\"ւ<(]ɑ")tz2p5+[(oJ2Ҩ s_UH+X_[}2Py:TN0 eV 3j vM ;[p+89WtkXD}I݋T!"CQD?բ}lI/ :raEܯ[;gRG*O AIФ"VqI@9u#(_W"J֑x!&67֣ħ|v>d6emo v\sRvzB9N)Tc=%zm%86pi}'vH?J%*LE-ף]A9X+OsjPtFGiݎsg|2mv]BW0ȷDWvˀ66Дt`팆;|;kQ&P v_Fv|4e~o`#=yBz @^k!؁"Vd,jtlg8 Q3mMDgi%^7-3 t@khM~q6\ wĔVUNnjg 1B@ :fS@ȁ!h5DvBgqMQJCjhc?'OF|]Z_VB\]G. qiCY^wٽ`â&uUą^@YEG| 1Bˆ-8|0mJ y2 MF~,*Oۜ3,]&W⬲J|'f ,}~YH(F mbz~aʳh^x] pL`E#TPH0>^GW#J%9Jx2 #?g}`%Ņ S28$޸NhV!I޽r(˺yRk٦Fy{,q0X ?F2جM`} W;/f{MXjdVP& eRGC@`lh'C'ߚTg2WƘKyzd#{lzU'?}ady{:g&r?6Rw$i$v*T_yPz?FnT #uջe/̢|oؘS_*Trg6|l U1/k, Ӵ{UCtd"F?5odfA:fzN0k_|ia[5{~ARItgxIGɔ<Qb1I\gkTi?&)%a}%csڹO B]dN_N_|5J7Snx+QCFquT}_aM M% B^AC( "Nݿʈ `I:+l58h\S2 dhW]ʱR# r}l~T'nQi q>F{cFt)iaE\J$P y-#+lBSć83;gr/tIpޛyP=طHnsmAto:A8O賀xR\+RB`?.u{-{9G&8:P/60(0 ݵm`\46Z 47q.R8@@׬pL%8 ˷hjޫ?a<Q$@*]u>*5]S?Ez.[fg?n'Gy)VA~2]ǻ|dKo?5`^ne e4&bV v+P7f;%ZOpV*aAH˩4a' '*P[Ejv}pc˯L&\S!\UP(~-:c-)Lz(w/zɫ nۚp@HM0pLxE꽑ĥDP<K+34OFG Ei(eqȘuŰ}AɈg|G6CFD`z >TbmQ-f|XTknwLO;Fƺ&۟XzRS^PC |ZOx_:IfΤ^&n)>aº=I^S뛷6~> J,qN-cݺ O5@Fc+H}s?U'-M b$]K@΢:tmcX 3^aP6,'%'97gxnr}NvM:)n'Y-0NvܸA;S5 yt1p&{+FQD: K<3dGwdG}xlzvaUD@&ZC_9@{/&mP/q/M%32=,w"v?);aM?u*G&:fBȆ3Ww3XOՔ0"O{:&o:W/JlÖ@@W0V|DMZz,!.|.mo\xD.#}*}!ac˄o/ VCD$Qnuygy螹 Kq6 {JmR[}B8J,= 됱EFؤ>? Ft';3D; >M89x?3cז#0?F Y ۟pDK2O־;"̃_FcfZdn6!Q*oCϧG AA*3 U TTi@6lN'Zc5m",ϣޭ&9 W5t~[ؘU/a{w|.8&(5nR2ԀoIX@蜬fL,ORt=hθ,@?+񐙖oY$v(8[_!p@PS\R[VgjCO> E.%HIڀ e˹x  o:ѥb͆hwMN'PSv>j7%?rK1₀;?5'#nGGƵ7q9⹲Hm{%:%b.45oR|& FY)|g3sb5 km=F?<dž>ا=ni"[1{Cơ0Kd A08jC;9@:iu_16mNq Ƙj+,_K[zs& B c 0"vn:m~i%s8:>L1 p ,T dҁ+|Mӯǘ2דP^--CcEZMHGt{ݪ݈5Ylwqu}s]MܪcoQ/eHP7֎ Gz;.q2 #Fu,AI9%NW,rօ_T#|')=O밡]]Qֶm@͞{B3t.4Jϡld`P7TDO')iNסz^`1ph졆l:jAE[hZ@gi 8I: K;a UZRوdqcwMhWd8nAkTTX0)P wh0X^hbhiqwsh 4`COFSN?wY0- >p\jn4D|Ds,w@fQ£ 4:zɚ57ɂe"+)!=)0s} $=gC׻/+s5'1/$q~8<\64T$d+ť*>p>@RrIi*۔ly>V[0^1DHr6 a28-5I<yH6t3yҘI֨ ȥCR"C ٟB[*C*m_wa~A"( ġpOĐo18{^Q]fw_'*d%&b [sZNt?vl&{Vĵ~3g+Cha)>wJzq[I Z7zʩpxAѯdK\HܟԩgQoPG?=!0. zorQg%>Bg0Ȩ~{B1Uަ<|]K:=HZSaPBˤ)z=ѽVR:muK)>UjylQўJEUvMh,R#2xgDi?_Jeњ9dzh4"{vo#4@| o,x*D ˀd6^ɟ Emj = SOөƺ5- p F 1l>}1Hv;C[O.w7ȡzĭ:HQ(]X6?/Eٟ Q2꽋jBkax!7!D2TmS%" g!a]a.M!.;]Z ~G2̓K=KyDՍP61=tw֛URliD3G{OHx-j0BE9:GI=6v7:/&nɾzQZfW -W(PNnDM$Çw|-h+n]}>:e?ƄgMO}Ua:É:U0eg%T{FzBi@~D/IM|;1e7k#9F<߯^5muw"[~ a<"_lŹ\9x몵5gN.BRWX}j>G._Ub[-zYJ>P'3[C_&=kEXjΖ'^esR/_l'Afޅ( %|?9 ;pbwIjj୊j vB!WTT_'oA Dw*zR"IUPr5z2-iSS6~k(* cA' Pӟ٢޵غTk\Zd5Ԍ+VI&r%|3@/n)VCY麻_ҳ 7?BC,Pu32a7K&j6u+<5IVa;DW}wN#dw=i* :h}aux e-PGYtp Ai P%mQKV;G8󇓮ï@߷0>B6 q6_DS;/9J#A" ŤE?WeA|#JR8xo<_}}lAg+_}At VIuAP7vEX)ETRFK"VfAV;H8 :a<%a`peke^!GNv|8hFҳc*}A\l{Z ή꺝 Ūgx< O$쳍3ȳќ]3m7P=!%x*Uۊ3J~jLY_p'>NvllsR֔ľ)h-&Q* Y؛(66=l 9p:sCvҿLvv$IлӤxƼf& eb4 (G.L'¡kE c>]F[ Հ;J5qM"dZlD6|C`tG@7_3D$Y߱3J4\.MĂ2xXgN=>\b'Z'UJ Vpd9!vgrh K0mZ!SbѲ]lû,c%1+Gu[U9Xvbbg§L¿$:>fȂ-xu )X5䇌l!<_+߃*Hq'dݖJQin LiR֙3)BbהeWX`>Drē !Ϗ\ Bv1;Y osHĜdÜ(mS6{o"_|2B,n{/עe?T)K)FI^ۍSֳ=IQl/(Fd1yXΆT$S3d ma^ӳlճy1G@ sW>}Вw){QO:D7us.;Em1=,՚?s:xm#374]}LM+KzkoӜdZ!`iqi[F EHM@ˊ]kB*-7jѠۜWbG&ХXö7N8&cu3CDuw&jRt=Th_1L. %NSnpr])iEJ4 R* @2Cs!s J4H1BJpNY vk8dB +XtMEjdSv7OQ>ڱ@RԿ8# Wr5BV'̳GC}SoW48`E8BS ZtОAz2ZZ]YRYUI tf T, .$Go 'vh}%u kĝ ve\D QoelPb l4<,ғr"hHhpFLX|~Fnv?ȿUX,HlHjr.V<x$OyucHRWkQ&7G>VȖʽ.kv:?L[[2 L?YPfClc+RY.#mxS`zI冈.L`2|do.?̧TEKwO ~0@;QԨ!WDbaҖUAf ?;GRLr2,iXGr?Dq*w3 &ċq~>CQX5zAQuٻT mx_=Dž*^Yr ?5]H"닮2*)Fbz4n%-dKAz"<1}fۻ|21%"<.Ŀ眥ii2xf':W.)qtẍ́<K!Fz5*xn51ٟ'=jWtxݻk=`~>Qm SaeIre  M6_^1oVBٮ!Kc.v?+ tcuC=k}Aɉ5dQu175W-Į.~,Ȏm$S6$J$f3Em4GV:^E XҸA٠8ґ3D|Cݬ<˔Bh z(VJFHe/ZZ]6wt ՗k{a/YYǏD]ٹRG+ Nh]7 װoj haդJ,z"O F]_=hKB!T^Ӑ fuuh^ le ,H6N vBdЙHFO3\t_OYdq'{٣(־"xrxlNZQNmp\46'C4~h1qGKye3`[n TUF0{RAAcH6LqJ|qpGF)5KӚMTc];XҾq|/+K$BPiq0ĭ!Qu.abWB4HEeD'SG#@zh }5lE3 DGZ_\j8 2>r]Ç 4%1;$I1 X(`z]g\sӇ(H>2qfPH.๊fNx2hbՉ%lDNyr/v9eM9GIP?c sd=YP;7Tm?,\eցŰʩ-k0 WJ i}A$6U 2jdRyfY2G~%JCTz,%C1l Vϴa]4tmRQsB qsFiY2N3l˟BW (9!S:#x>qOu33y-.m",V08Mr^@bFw y~sNe㜓ukΠE@uL+M Dɭڳ.!iMn (^7ެιIFط:P2F"@KD$~nq/`Žjt$ŚJ}#޵D&r9f>6 h'tٰtZ*3Qb$-EѪAvR@7HyJ:]_W N%'A7I=_ TF6H+gQ䚤r n1yYFOdH#B5&xu-yTUog_3d4Yׅ'``.l%r񖽙\_|Vޛ0U|P;bo%b4<_)@1Vr\SrK5vy$O8a6(Tz'`$/t9Լ5QHa+H|0!'x/Kk $$l>!^6dh@xKre`7#m)K/KH,XA%ƻQ ( #\CudF1> ](1#%`NGAȗie>}Ydb@t͡/.XӺ(}kaoqd)#s$9'?a8v5>uxL+k“m=R/Ȋob-k tED3Eq)ޙ>.t^ȗI ?^)SZΏV|䯲ةKVdW,n"I>ZF\n)^4C )͐W|KJN`k|q3dYά6a-: ~CJ9D+e|4]¤F,GfhL _9m?Y+)P"1˳tY:3gzak}!A|=RiSw~O i'k6Yu˗5N]oN;_VP9yJx 1M 0Ww.0 ~Ä܂Ej*Ãl`Svp$7GMU~gWۚHfwWbV]2ǻ"-*D'+ˉ{ZV:xI zIB!)!ѝˢLzK,uD/w`!mdHmsiiSc`#%f>!j ~>9Jӳ «՚獭arX:ͯ$*42\"oD*0(T:L#~?ƈU3ffGy?[^fC S= E7z_=6,@XHN-g.QRdPE`t4';CmRՑ5W>:k^2A{VV1PgLۧuk2[o,p 4}+6~^$%*6/)2 \5,J9N_q81:$b cv⪓V'i+:$ɲķS< ݴ)v X`ǵɝ(Q7:5/]h |ꇄwc:p @G vd@6ᵩ|6Hi NE/n]3k"#|a}zϖlP N)أi}p9S1wD ͣ2|Gi^ekd_ 0`up?wG 2QCа:THu{(tHe0ܥC]f3IJ7]A^9at%6pv9.c9;8ȳmx牷Az#"<7ÐkmElXtpb>K=)MC- wZAKGyWߏ0OO1AinbГQ5 5d9 Eo_ '{'>?"Wā6ύO(b(ݰKXHw?K'؁ ;d(`A+! hI )䥇:1Jr`4|Նo *&H.1QsW k$lultex njJ6 F`giZ%:D5<C8o{v`NfwS-b?KRv\&$ FP eZT5$&dB^wY In#-Xg@1X ,U+}vXb-[铈fH3oom8P5Z{-u ?E䫦p[iwi!ҬiťI@<V2dA~)y@|H %U垑4[B_@y_3kwvEoUd!1𪡘;j82k[zBZ7FBҙX򤐻 sXRcG.M* 5J`|T[]ǺRHؽ\TLoC|m*t,Z%℉V,_\(ִyd>EU<ل46W&?k&}.nI-~<o$se? r;9]'Cp1- 5K+VC4NN qPK[|߆-G~y1,L ;P?$b9$ZrL0o}HXtСei'ɤY\E& \ݿ߶h_ZSہ۞Sf%\ C>YMuM͢nU!nzj$,]IBΦ5 W/4/KFjgLu)׈/r,C4, Szؾ8km=ljP G/(0(32/+QJ4OYemỎRd[SwINݜ%NFCEUi넇Wzרck- }M#FZuu=M*;'Uph:H0Y !NѶm_L([Ac"^V*]ɸ E4 <>PΛUkOv=(Ʊ]p/a8lr>T͆C+2Ddo?h|=e?eR 1޲[34 ٻ&grP/_neFD} i mB|9oit9u1֊.]nvȽjÑ(WW\f'@7iMP̶_o \бtʳ* gH2֑BcZČgO[@q U5sy(%uF2Xl_pe@H(f&ԹELYBfжAoU*ޑȭVR"P[m ee@VJ4`MQҼ(#{s}8"eέ}~ ] ~ߌUDtFҸ t|TUxv:ITbMSKqTzAPֻ{qwhG>1g0!.Y؁WKeDװaa.20D?MK?I@Ŭ\iȏNG(SXz$}%oP0ӊ#j{JTSl4)4CaFs%rU%-76$Iom8U|iZ#A4Qf d#w$Qkv.Px{izq?m)}I/6Q[D|PӺ3Qy[\ĂO(5JS7T^ Z^_<͜h-wE08"h/AdgݼѹX#$H=~ҪSqLՈYv9vDVڈ|o@bzYg|8Ͻ0Jdu.QI?U^@IϤb0_4`qq" 8޷4VZ#|+d\ wص+cs%jz\=w(G2rhlUw8?o}i&hi,0' v (=/+'FS?u6$1T^?&ٺ˂/9`1RܻX~f1^w2-p93M91{QzSBT1p)dnҫ~D E|Icy qw¹?piϵl?/wU0s'Rj>(_|꼥H3c/)ѵcx!iG mFXGA+J<:+ϯQlDE2'_]$sG&o {`b0!/XBԤ?O_ ՜ISPl"wEIˍƘ0 2i.fUd9R(D%ud@b~31xQT.țOI/}UezLjFrq>^D|&|0~ƘPP,PQ$<OL8$<.E{~Kq܃tjo +yS_Q҉$_2WI ͎h207 vҖqڦn|zhы x'!| Ӑœ@>nt_g4r܄NDŽKy_G(1Jfnj/ ?'ґTQu4`"..fU%^Jk&'N.&M$iN7^@W jm:\@ZD{F g,{/ c+ƞ0zdWErl?HY{N *dI%+N֋KXd;owo"+93Q'>lVT$фK ކFD1k[/՛(V*KtVj fg}! Wt͊-DP5Zz_TtςF*͒ : h9c(z36,D4;ҷ%4֞b9cdFq c%&ײi⚛Db݌b:m{L 6 Ь=Z jlt -5YLb)C| 囏d+cdq%q.³~=%^oi*P]Z,h?N;ܾ>y(Մ9!”i;-bOCl渱l)QR:9u]qH$s4I.8!wݛb\vs+8o}XdMvem?io7Wp;RqʈFϳͧ2?)u_D \ۀȒ2x/wc餬q-;4:}x{Hȷ~O=&rˎSxWmz hF»~kڬU~M7!~<(H{j%-ONd%E6: ԻbBs\qw fJZ<غfE,ekOv3bۜdًql?y'P 8 S- f36e @e.J]mpfaG}I&(aG;!(0H"7H\s7u!&<44=) Uv=-YzubzV|SʺyMIj0r5ݒHDibs`-`#(bGiak!0:՟ǒr㖜D)yU|Q<soE3vGPag] ƹ8pR7aaVf5 SCވ)T%kMit(෮p$ϺpomE? =$;OoW]ryV =o6YO.+^ ]cYלl|7=34^~;xnyV/bc%.( au"i 9K—Hmcˌ{'x͏f5hћa[MF]:Q )qj/v1P ߰] uFd6㿾$}XCc~==080L,vFxԲy5#De||]')RMHi-;ݯ|I\G=pgMɮg_١᪃Me?꒎M:~r(3K|?})];u0u]1ҥqtB>M:gk.hцb}y30NW 9]EKu9qd#u)nز.&f1pդ3ԓҰ006ib59D.k:a%tҝrzʷܡ/[d.QLHwIɴ14BP?o;)oc辫Uq֭s>ntG>W*U{ Fl@] @gZب:ߢعv =njysnE0KВt;M${+ ̑{Tv*ߧ.d6ra|-o.T7gE* ƗSIU5"1U}\w:/ӗS#}1~Zrhd,'s2SşڍڷobT+NtѼk-ߜu7ii-pPFImAQ/=T.WyڟO>I« 3@1# 1ǵ&-kHh5j[ rgoOY k6F ^2ݝ*!|l7[319BDiF:fK^@XWzVA+s59ɋRTƆwMj`d@Bs7Y,㕊#»_{y0"PC!`vQbZ#x]Cu[;[~wU.j|[nc(a#sSK mi50ŵ. lA<.7$ j_J!;"ICǤa3i ui4vNZ:cIg.`, 98㗡2# 1<\oespXUl]KlEFjs4.\j x{3rp=[&䊪JQh3gbNB@F,: @Y3H4^GkFZRUA7'nlN*K@>4*-Aƾ}NbbrfrpBl o: `lվ(9vcz75N5gdgS ؤqTҏEi kjSDLFʫEDL`\: V@՜jF@~ż2_u(@~71QZ>P,e(I+toOEQ9Y_9 9cﮐ6z1kVQIofdD=ϫc`l$pv":e(6[6dk6^^;@e69, 63KscSM|k7co爰UYoݠ0: D/>YsZ, ׼{o]J|áZ&k%n3Ɔ6mV{5":!1 u6TziycuSQܨpgx%7iV[Cw;A[p8}&AC/3f cpmplדg ΊdED/#+҇l⯱ f@c)8{&.,AAh_OLOL4](mh HO]Bh{SgJ FM]f/JU7p 2$:KBiy%UΩVTdO&T{{K{&CgY1_O|*˱?ňÇK(ɬ4jdZS4zK"Fd$SFs琭0X..ZPxxF|d*)ங#%INI> 'ZRXF`“nHKs!kmyjd Wyq&Kt;<?DLr^xA_sy%gN1Lf2Y:)>W(O*#T13c\;uAJy @2DSk5G*Abxh .CtOS PW8`.(JJ=/Jr|}@59ܕ㺷';K!g 8k qsuXO5v)>=4<g 1x8}"xH~:/0vg`%_ <}YZq$7pyy<8)\'.r9f  ň_ʐu0U8kHQg>ַUG5:' KlrY&#e:4+8B5@W9R ~נc x&~ ]VDA7Cupՙ1!,lrn*L((f@ 3H@9חrݞnmuiJ| hoC f0{ɱ9 qVpT}HR5jCx͝BҬîf(=6.+I4rd`RZ$9M@5ȴ.-Ξ 'O9D17#9.3RV eɍم2I(SQkH6Vo/lx㤢YI,2[n0-dToҒ:;[v, G+>[/v41Xqh ^Z֡#U|?T܃Y9vq+h{EY5WJu ǟT4hl O(ο~3 ?\ԩ0D 0_ܙMM'4mj,|H dx) ё3Ϫ {[ɖ)Hƶ CX\{HH_-_mj}lZ#$žꠠd$*0L}+ לCb5T'HfZ)-D{fB-I7d{ zk>B97nBA}-}uhUaC .LP*\>H+_\nvQauGe}ujۦjf{Z9|0&(>D2 ?pIIH(ܹ.2Qږ:-i.aY.kRY[8VT"9eOa|1R9T{^lѪcZ $A ÖGד`"8VФYl׀yg9*hzQ#c\OXIJe<) Ftn 5}n(FԞ$ق#SW5[ A0*q[^1v̔6_5:x[)!ةgz)XbJQY -( ݑJHbfy⿒$p?Wl_5}м]B9$Á$ {X5L'"1qT*p!SԸGBJ[|fӀv1mLju9F({x/̑}+އ_Ш,'4(EmOSWKr*'X t7-1W]q]: \LmO,KÚ޷7m8m7z-ƶm=J//ۂqŬJ }@ԪNxbZ3E ] d"d"peہAV_y_,s7>'@k]A,s*9Z|XGBd, rӃ.b'~F KFNz dsrY:r+DmD2wלiC.;("ѣ嫎y9XŽg_˛ {i\"Hcgc)0EX_6ҤׄeI('L [4Kx,,<yv B` a / pU~:"21U&aꡃ۲{ ֩Ew-MgG85}Q:R09IE/{fP7Ŏ۫*Ov gǖN ˆs2'<-r\qJ׮X= Lo.[N% [ }sprAđ?^Ũ[Z C'F0bFe&<Q;J |6`gsu)R80Ql~ MjOM*t45;{0F&8 1>ݏw^jgDOL|3ev) )? 4CtOʯ?|DY}6~Wq^ * ٕw$y9{Dr/7 i#֘? $RPS}zSX^$cU2ySfF͇۾8-ym/3tISe7~jmؙW(S> TGyRNe|l.f.DDWhgY2B;6r>b+@ .K&Z)b!JA>q)4d YzhvY+wy+om/d 8Y4Eu@yjsC f#aYheDnXUifBi+bcI~YULq)yaV:Fߡ嗵>4ܭkE+Ų2ѝFmB\.EC fA'հƖ`,D+ (nCRD@{/T0Xp v"Spͩ`"_o[jwYm@v@_$봇 OzufW̤MMo $._7%+[kۆ%w\=ɳ| xxXiaQi{QF|fV %ؓ0nb`bAmg{|T!eX'H۴^c]9JjO^Vg=}xyZw2VW;`WOORkw\N u.ʹ?s]ZT5[w0vM°e) \ NMcѲȘU*+@sPȶZwNJfvq4l˵- C$:5F5׉[<+'wlvf(JrpR ש_QU4xHz>/$,eJiZ <qӡ&1? BGki&F>`РVdp1r܁dǤOw$uZ*#֧{Y]1pAJJH,SZR˻`~Rwbq2tE x_Z"PUF\qE\PIVog_1 yUt*Cn_Z3OTjT;4Ad睢e H6b̍Mrr=1HLL 3)WwT} mY0X&oH q`P^Z9B= gº:Ar$BAXmw;fa*@ Ai϶=(_ԛ2'he\4k.+E(@oAK]?R 3Le]o޷$ Ա%xL!5]X\ި,ELR13Ƌ.=ʄ`8N}!?f;۲Ϥ0 ]+Q^MDL5 E9e`Z&"9orIØ!oTGI\ܸMR #DٻpTrk n~Z?E N@~ m F&$>X7q ~,JVRf[5N4@(v#:a̔[ oa17r#d|0Qm=tW|X*ЋX6)[zGp (NcCIrĮnupF祮9z J\!2ΚκFBs8;Fix- [Fk!;μ.KMUP:CS #!m?1'_-K#cZBl:(E >zD7{:jC> )ghyÜF62=e2FoƏ?bOYlag*\WX)/xr˖m=lIXI<~f5x]:F/BۢT ća/\+>L9 M(Pb/RF\ϥz'e.5URˈhT7D-&4_&}6wTN* 7MrO?<&ES6@1j$J*Q{Na(~x DtRjcĽfKn[>`ezfD#c9K{"OB0SꋝAAxU,3škF1I3w 0S&"emi?xԷVߡl=UkݺպBO5 Gl\p߼qX)!ۺgmHu J1;&([j(m)7T < vU d-OMx@T GV/A~YŠ)aE^)?-@Nfᶻb[yRhlYjnb Kk2j.H̟K5gk' oStn0 Z>8oc}@"+  Rks2F eY^f҄v\ 肶l0N>;Kyy``AL~tZ:XUm}"T`|Dbuޕ '^(h礅ZT.n$CAGY螟j]7ux+!ƣ}sV]%lT4jzq=IstCE3/S\ cOt-R%L"`IxI=8{E?Z*i&zⰵ;l)[,ᒡB;P%>x&"*R&DLj/w{[s)^!5 A945[N[|̢ʫ8sS2Y=,Z!H 93. T:X6ULAa9t {-0f[LÑ6Opvefxn,(i ;| 6gspٯ熆,-AVs06|Fݕ,g5+\{ su_!P MMJX4x,N6q2aU1LQ¦^* l@sj>K*3f:fbI4ݰ?qř6l tÀ~+6)ɿ\Q|wJӶNϻ\m'I<d!GX|G8HH$jz|2tc}j}բjfo,iCrS fjnۡ`>3'[bzWoL|wl=@Ȥ˂>gIKq&XL(r'r'4L'ċ hU.#HEƳ]`C$MzZ5^lNqex*X5W%H O`G t}sRG>}eŇqb8 ̞L4.>60W!4>WoNFW[7{ D|^)jic҄a9f]W|%,j=04:ur !,cѝΧ^.I 8"rx )L ꜜ[lI DV4C D!ݫq/Mlsf7J* tXD"$_}η~u⬏.7Z2c3]ҞfVxG0dS꥗E:?mD++E 8O!$y!j--+/] n q(BPll%iԡGٶ6(ا^/+|)\K:3bڻ/0yZ>jQpoO53d@8>F3!& ¦=-ҧ3u W.QN- ?Ϙva,QX BWza:sa)edLlz8PZ&=V?q/Pr:G^^oĕ U7s'D}+ D]FbϞZlÉHP -CAQ:Sk/Gy4#),{XKeA$1n잫StK ?ijdX:ϪsSx0L*;X:SʕCp1]O¾PP׭(&"P/Y"1oG C}>]֢ BO5~%ˋ1fi^]CK%`e-u,)%@ ?m򆤐i.ۄUXkb>:̶1U.MҬ >6Y|Ѳ" *A~22p3K: aw= .֡*?,TG~ ԴS:>0`RBì&6wVBu)O t+y=2s6 )1*' :| |gqť˘w'D13NJuy6՗&c"5 E@4# #6G.d 7|u|8f=X,Rtpݞ'*fU,k/^ dUMSzc$j5mXo[kpűw#IuAij6{ G.ٶqidǢ|,@-d\Bi;"xwYà7:,"Vqwkcհ5J'k:)iV"k"!N(o @'Kʨүm4 ؊ٚAQK Tvo?((}y2cMz#*f Fe6(-Ji50Z>GȸuANPo5KNLgzQV=n94*vBn@4)~lڴY>0A'EtEV6WlA% >[ElYC)9>̌v\|)-£dޏĨTEJh嬇o#Fw SSFgqo)P|J.J7.O~,3!鞕 8<YM' QOr*wTǚ="e;nUgJz~湙u6g5X:iu!^L{CڍmxvzVF $<<(^W#Mbd=zlT ^78\xo<7Q}2L0kdIL<*e`RzX}0vNLBcF<< Y]זc* N svdJLIa'Pr b v"Bzo]`deį\,a&t+ӶQq-(A)&R.tfdLT JBVM.g@ ( MxH:u;m!Io1 k&Hr M)35Ɗ ձHcJ/i7Bc@jÌ**Nd _4K {A9IiS)/ -hFDڨsqO~f7Ơ'W>`ZEQ:i3VJ/0dkS[0ٽӓrXEK )}T&G`tRy`P:[q"XE?Y=niD수xsRO:wH˹f'İOșAD>=PUuc#igYشg'kTp|(.V!,5X#7XQA*)SukR^~娰 3uz/(XGaT I=7?=6Ph_+ɱӉ&~A>|RdERGW0;)d3!%^i@.FH#:j(B`鵏g{+QVrXxy,i6gj|+YD̮ޕx'`Y!QI;N=`lFP6W $Ɉ/ݵj3,Ab#qV2n|j^*PCsAvp&82{]P ;gXG6龾J]4yjI%He[b`0]fF{]^K\d, Wΐڌå砲H+ucMҐc+4:mIIP.V+UoTi*(r$?{`x\3%\'.K)9  Ih2h>I&sΊ+#,bwIt*J*PLT+.eSv?/ TzC_ϡ$rAsyF^uJxL%d6p[G?ē3n?wT YcA-: .ٙP yEa蝅mKuG\1 ۾6TK54Li: f+#ӣ ҃ߚ@Չ)?[![ID#@pFvu&\ |I\LЛYK8I/–,v_ JN(uPoEQ@];U!Z5Į9y/:ݢ ׏2g?4ϑDП$b/rP x.|~=0Z.$4&ש;P4Ϝ 6Ъ晹j  C@}aFVS7)';} #)TK:|7Dfu3pz; .3s-6Σ A./lˇ֠J8aq`fT ?Ƣ&); "bT7T%Fk"/& Ęp{OdQ3̌-151[2. Phu2dMgG*mS!Kg<6p|yp)3+F`Eޣ~aKV;ݍ`E0&4ǞӭgIH[aNG6Sݔ"^+mZPo5{oEb&bo`X.uuH* MGytwaXbZ(G<}SN?bH$Jwz#"%A8ܓOs~) %0M* /!l{@3P'U0v[Rr܄Xȋ i=d3WvZ E3}ۥ*T#C̓1R7yN3)xxп{;=w,uɱΦcTzNfiPFbOa \YSw39ԧS_TLB3O0l.Ɔ)ܕ>F _)tt(LV*v|rJH{V,Kf.~0SCgY@m[0fp*ԹW.o$@L?=*O)NNfV>8ޥ3`UO܈GYP=}{W*B6N( ZTiۓwF);& J84tlb\|v~#%tIdo18EԡɮmV]?,VU{=!}Tda :'&3!ΎHK-~lD?\30n ~)wG!4/?z3N,n>^*WqC. pڷM0E#c: d@DJxѠ<{F ʭe|%U[8 ƐxJ.i})}nƮ.O9Tl^׬+jN2X2E\P3^?kcz2qk{,‡KwРRύRRǔ'I:U G3iJvҿjq\Lރ(NPͨԀ<КԌDj?yK`[dZHSy{½ k'aP}u 6UE=`F^xiٍL#ɺNU1)G8u(8xr(.*Ra l_oWV};fgjS3P3tWrw@;c*D[,/J} N܍XJuROa.!UAXV hȇ.lV-t[&vYR\I ,@y^0Z=w]h\3EL!6L?w]ӻ!q柼r]GJ31_`11ՀMNM''^:J/ۛN_B8Eɚ ea@DkMv"'yj;zbIa&| +=LodO+*KbxF1ޕolI!TN7$ +&(n3~)5l93ƟLywsg;8,דh({ƶL [)樝Q݄5ѻ=2jhRNHφ7J')q;~0섓`m]w a\٠2Юۀ}Ui.kIЧ 3aX)!-=0LzqGn&-TcwU;b Ds ')8XR/#ɈBtcuW,GJnC,]ZV6QD 6y0&De\ͮ|ɶL@+e,PǏO+Tc.Cyezf\t" ̇+g>ٛ=؝o `Jn'؜8>;l"w3L JnֻuPs 6">>{q̩=gF}NPB: ;u}hA1 r,)8n+هkX.2m|b^^smIe‰ed8:{4}Vx m-ֿ)55]i6!\-_.R5cG;*ŐcGsp{Ǵpr je:IEp9YoPS=2:mP1I8㸫77mɑLi;]ke ꜹPP&zPyͣ~wOgv= G-&RTC͊FFֻf(=ˉ̡9RYP9.{g% IMqQ_/? ~(z8zc,4)9q[1f"ā2'1rK=YһwGJ,gWmkos LIλ 1WMf PׇJ$.+dyB:كD}^]>qd"̄Ó㵄`#?FR@Ȋ<kcl/E_z@U"0+f2P@׼ݢϑsz\~`sRE,x[:Иc_?4{XԍgX' ~ks$]F;Z & #e'aJ̗;MH_[&(*h$cfX2`뻒*[wz Qcb^Ҫii=pjԕ37K=4+\ oO/ !b Ef%M<1:E*aNR6WU=oP~k߇t(, S09h<#qd )u΄!tzwaTqG169rc__ƣHu:hVZ4IdTϐ P'JOՈ\ߵ$Z ɂYyVH% O|(t]n0 X@S3;Uﰲ{{ݠIaLl'cy&"OƟc` ?C%Yc3+xz[);nXܟec?o~7 r֨锖wFk2r^J'3}P'eݣEkABMj%vy(j^}&1hW/p RX`gy+G09 &7Q`R t+AАqF@08{_|bT<~=Y:@D5\ּKJ3R['p@E(x +J%=ȆƆT,7Jv_ґ+N?mj^jgÓ$%0Jʋ9YPL"g-1Zt|TvPdzsIēDMp阽A ic+4;gh[9q9/XQ:^@|x& M}.ԛϳ~]ƥMԀp49>}$N~X@{~Nf3CS4J1F9U`AyF#+ԅ6FL|!Z`㤋U;u.<G\Ks>e%] 0V:VzYN5"6ߦ)~lTXOבβ3/ `o21TGsmr1tj߁yv} nt/:gi"2=KGr]2Y;'1%n+TUO1a$՝ )ΡoM UEVGwAv&(i..7͋A>ӈXr4)Z[ RqwEk¥,Si`GOICRgrtKdB]**mK G K% y*dN :wZRբXz+EtŠ+vXNR|rK?R;W’Cxqmj* XT iM A{TA4DU}˛SEH ӢgKmK=U DkWV>& i_)VUDU)u&֑MջmHZ fE8+&,.>w-gO$j8Mй3 #贑nt9v5VT[qLgD=Vp #T7 !>ʎbp ?X4Xn=3f70 X6̕;HP~h?? MB~ O+W{f@Jo3P|مz)_cϊpaKӝj] na Ngu*ug8YrnXݻk63G^Piy߂ErcTF8 >ђU=Fco 3kFK<#1\KRME< w}NDt1W>)? Kꈇ3D6H T7FqO'uA?X6;z wS"d>}+aU2|R/c߳@XFeԠu6U,xR,U$OISO|2mo Fұ6GtéM"ﲳ%[ɽڼC/C`qdRpSf0 dؼ,)\|})N<&7V ~#࠺J!B&T.N^/W;{؍qƒr^塺uwzYxt|?+,hCCRJ@c8m4Ye)4HG/s S&q-pmg$ ,3DEʜFJm{;鑍F~PcB>Ÿ0zeO\.us3ß~}W6C{14.:pd wǯ9Ͷ^ܣz<6xW^scxbi K]= O+;JT̩J$6nԍhp*u,yi FqjЈ>ew͠S|WmNW\>-r*_8Iy6!ǜ6՛nАlعQ[vkUj!ԟ9YJJЯ Iض^RdQ V s'q~bÌS8|zb 2"+>g8n,•h5OڒZC˅"D' KIkKp5.gNEV٪ðoVYunJ'ZO$[#Ae͉"! Ӧ*G]ebVs!2q0Oi2m[]܊R&!i>BxƢ6q(K{^45˳;*{2vRzt$WMb6t3U'ba5AjGOKu<"Nc j?(pGY)Hp9um׬A}0y/VlKNiB8ueA[]bЃ`S k`m)RNqŬ+pQZYTrfh ,SĀsRBIk9y1>?,?W胏-0~*SpQ3Bkt@̻/Rvjs=b] B=#OՊS?|L*I&U j27 >j<\)q0;SNXƅyŋtGmR`IdC'JٮZγNZ1IQsA5bCduH5qwA蜒`M SoҒ)9*P|̵7jSvKQ RS gκ[Z|2^ow(dBRz.5JUőQE*'RC$y>-!:ozvŰ_*L8 HM1sWgHS &`0D\Iu Zks- mRrA rO5J'gvf6{Xg,oM2W;c*~kʎVkJSsLF^ y%sRT5eT?/\dzCujqnN @{ &':FP.p]!WCëd/); W'"}c 5R얁:Pf1bnKzo, UE ˳{(δvɪ3vFo}{-7FCX&eUdC dyk_Q'q)Dvӌ$cny4NdvIDUo9MAZ1DY#W{m"Ymg"L2Z"b&(@kĝUJ{̺3u:LT3#[[][d7#hԗ 68'⳷M̢>ƻEPAg*L˗RK_x3A[xx Zrlib.ϪI}.K5H~'щ{2^O hbyG'ddMy"&)CI#,X!n)St<=Q.a27ۉ _4 r"!/$*pHz^;FHK] 5&:!p &| |3ו wHv),iH,҂0Jc!G Z :݆1L y( aܧuⲛ2[kFǔ, @=qN/[+3{Q*(DcݝJ:53 1@H4\ŵ "ZCpfOty*D B@$zMHxT䯨~VF̀N& lP&j0GO\nѢ pPnAlȉZ YBʭ%Џ_6mg_ϛAp)%c 3RuRwAUSÜ~މrsgX0fJV)T"Dhg?=q-{@1`HB8WK$PzW4>gR zobPabctdgBHFv1.Vdf< OW0S1A}mаWy) ];T ׼Om iJز)q᮫Y./7 Y61Pqi;-UTgZR 9^ka>q6F~~^${WM\~PR\1Z6VpnO >o] E'3F=uR)c24.ԊsH8le#&iY`99 a:0Yg8D/d9ʒ5kG3jGKKqu4+\L||3aZ)ś_`\n2D5 wSDIVbRhDBg'{F K,kvj΅T*L!0:dękg7)#Vw=df Tju. ًi0]$!?Rrց岿sܶ/ܦ:{45^5 j-PL/*˸n[!aQyB )54"m Grz3 iQ ~Hg}ߣ؀mXJJMqEJ [ӐE>3Kb(GzFZO_mTFD`=g[AD""E&NNmwyx|"rV,[6ȟ16۳t3=wdQAa ^ȗT7%-mC1Y/RsY+o9,'6o+\ۑ~qPB/R{igsU((U.3nI~.;$ GF tYB(fs׿n4q?y?VNK1 ^#N0妹`̀396kn9xHn/YlƉB6h d aT0>dP= O榵T뎚ti>}. L0GhKǐLXh˾vzà.WoJpM[8Z^[{C|!(aL"eq3H@l~22e7~XczqJ59 Z-ekfy-Wa2R$&ΐ^kG=Zо#M9kѭ,ž+^اjY3nl[KrG9`M@m3]29:h@T(}rM.%ÞQ0#,\AI#z+mY*2SԨЦYrjƥdhDϮ. :Y.Ha!7 jiY(E/ Le P&6?ХxT&֦+W&6l]{ [G|1NTZ'*wY\]B:k&h.E;d f-0a _7/%c&`ѡ|P0g7͠S nϜHW"z%jxrC3AS'H)(MlIUJ֟ĵt oϽd>!nk(A u/3rWV>AT ƊjNjaV=4֪/hMJ.iu( JNruC- cX߅>p(,Z'@1ҹn/fswj :ڈwڍr'NU#X3Z/E9<G#0XW؎:,#D.ĮʓmܼC:N1ҡ~d̄V$QKmj~Fb#;o/r:[\_vp V<_ }["C:10m;ÄKTá\t6v;1"W5ģ fw[>D|ʖ-7> /|B%⼊c^&dm}y>fGP¦h]'4\PdR[\FXVoo&Ɨ9-q Mn='R;Jtq JժA>3NƢ9k9~y?&z׀NvbCF[0q.f].uZ::-e~LK;a%v)8U֧V |.(|VX?x|Y8HB]gJnw4kvGYF U&gn$g@|A/8LCluW/yUMxũZI5Z{bX7I[#8!HnJN)ǍG&Gz\-4 #Z kÓf][WeDOMJv5  <pCF q@ľrt~jq0f@!y{;9ω㒁TKo$aD;;.S,Qɪ^N( k~+ ?"8@DƑZi6+'%Hn*}KFLOeZǮئС*kx8׺7`I\Q,O+h@ye&Apc|v$?513"\x*0ƍ{FWiQ3o e!W/@l0}p_E2ssg|3i en[ؐKiS .O%GGUzT{6iC_a%9:B1t؏NX{Aró8ie*̅l=oJ4ڃtlGĸ~ .?R*M\ QP{`RDOxI0i'wvWg#tǫ]u. @C '!ӎߑ'owΏO#'`$0$r5ڴxu0'\a|~Kׁ>q$L_7B.ԙ i UGq&uvB2c<ʼmˋCdAq.hnHA⛃'4 S ɅC=d XoCl-ٮ!OL)kiTBQKP_'Lݤ2kR$nDžJS6RdE$ia\hrPGr6E3m /1 '&W98sf)JmȒu$R2(e 9e$=:1/yOX5 Mܩ.Gq| /zvp"0,|Pϙj|'g6;#ɺ^J=x9~/bKв#ۄmg$P!'mDlEWKsqnx%@!`E]oqkiJRZX `E^˻uWpwo`\ZTBO|ΒvdZ]{ȳø;$+.NlTQ?cMQE7u}1/$qacA_:A1#W8G}.QMY0:WXJ͓ށ΁Ghy%ݧ0Ѯ@torޟ`@»`=ұURK+[OpՖJ9ͽW>@_U(`P`[/)\_N*}jAin=6 {ܱvSS[M%]r9ugI}ɾ p@=ކF×V0'I 2<UΏb\*yNu2d$V(+حN{ZpAд@PѷSLbLe w<&{t{lF%ؕyNq2G]\PpMHb-*'zDM HÅj 3:C] 34n4r)B'7BTLRMЮ"-^ i@V:jmQ}gN1|ɔ͆*j[1oc X 9M [P̊P#==ؗ\Md=ݣnA_`9X/){6-bwq,PojOHZsj(3tLIt[z~.!N-nyTӁ~tU4}R3Z9љ:{v@X\KV!쪧Ǧ0Qc^˵74 m}krejs0t T"J{%4;lNZG?JUJє+٢Um4^9=\,yc;8Y%,\بH5&gźֱ\~3AFd8 6ִR>jϜCZ:xuدK3\Apb:/2tKmR&'d]779#S _%ĽRK5NHJi~f9v-zz+z܈]`xLty1ʳa0A##NEjWb}EN(?.ZK&8qY{ fd}$d7|AEPB~eZI .L})˸t)HihLNK׵|8hRR_㬯͖9:vR^(Dk űDfa6++|=!> (MaN b&>y!prZcu~5ƂR nyOW8590˰X%rlԨ\eQƲH7;8sc~4q+@M: %g_60 Xt$y[r ?S1^BAXs4-CsGOi[Asl}Pv;s%w_9$۳J n46bolO=V_ίge&l.+7'z;ÉqjJ3uxʙ+#z*#LaU> 4`KW[:3VoBqjƍ3Ǝ*6Iv3~vN_Y \5_Wg !-hm _U B}|#r~*۱4>S 40DGÜE4΀)9Ky'סqVM ߝ谞1|;!oU]PC)rb?؈P:NBt24ԁ+j3^с|]UwTϢ} rdt6@iQw:>zQkKΞJ/NIvs͚),'Y(C?2”-ωIJ㱖.[h;g Mt #xZn6{c=~":Ĺ7TVY_BNܷ e_!#;Td'uFz^h~||GLU+^/+P ]PwDf 2;w!v`AqbfjL2NpLY I;XW%Mada,cEH4U`HcK*`K8HMa8PBmڨuHE¤K|j#57R6- {HF';e~2g8w2KX)ժ j # pkN ["G$Uy|)^7 B^\p6fZ2<秲thG^ øʇB!\HXv9\ŶM?O  PVHeklF]JJk٧ogM[PpIͽŇ c8yflU&+=S~va 3bPq1|]B ,}))&҂eD妕*Ctq,O+n |*Gqb/ z5σfؼ-Br`AX𠙽A$k;~ErT`R8^,) XDZ ])/:A$qZ%-+S^~+c"J4 3JoJqRm7FDxdTꢬQXQFR&,_e5'Е C+δ]֍65vMfP-6T`HƑ)=2Y`Ǫ\m3z88!BU% JKA-d[cs[" >WK0矘Ր񐙶@qN}B `ME͑Gg曆k eiLljڒkȏ AQyެ3Ί2T*IZ՟z[Kکz?]Y 5dsEȒOM΂K~u'S*SoUih Qub+q' $m}0 VrЎ6NPo iܕ2e~7Bɰh m$\M'n HegO!*'e%iuh$ OPV7b YJ#끞!_|6CqƌW&6Jݭ?5<WyޜS(@y>1֤av蠥֟bq+7#Ig؋aMM/On8|q^ PӪjmJkվtV"P`3q}W8ԲGc;,TĪ~Q-m8Hc7aKX/lNEٶ`E ?GNMANqClJr}v7.Nz2{P?dՏ>%o_v e7KuؘSfLD K@]O B{Lc)g*_e*%-J_/RqJr5o׉*i9^^QS$;x솪_PCQ[Ej nҋ\8e?|$*O/{^k!njY :B[GHv@}AsBfutO߂'—M ̺ڦeltڈazs`nD[coW='zLL 01$_ MDB[D`aQa~YBv{\J`\@j j"!gIr]7>晾r5!:kouSP֘ i㖧tC9yL a<~/-6"YBؾJz&~燁FiI:͜%٨[KR_Ȧ5Q)s%H‘ G,!W{3%|l]!8O#`Sb/sC^F>jا eb'SSS񚳷#knc .iV j!ʔ*]~ҍ]ԇg(_w[pץ# m@ŕ-'8oFd;~1 ̵]⨾72M?4 `:~?5d)LDlB 6NҢw=hW ItfnF. ٔT?,K !Оݕ̭4]M̖~Фzl(2$Wnd8Kb9Vc6J+ RL3J#B})=we42(5H7)ϊ+KDG/9]5G\6FHI~u~ Mt#!5IsPg/+he/pXCUUܸDAlr+X]>@syt޵l3=S8PD1A 'oCCVJBc*B⟳ u]CRw^.|V;NT#d̰: z?yz2EU\Z Ҡd/-~.g4=v)5\;Cjk:&Řl%0'@=ԓᥑ1$dS!~|if~v1O1:Z78Y$Y(##>SU ڄ8}[:ǞǷq 'Ѥr <ݕhLٞ1k{oXyui/aц?.%=QuU" ݟn\hGW4&dvbDu$^ϩw#pʑNW.ͦEc w"Y%<0iRw/ݤz-Ucw(] DhJPkNQC\rQ$VG5AA. avA@љk!X,)Wc9k(tO͈R=O(iP9OYc?e,D3.GBkCS)yE3iPy(?Ցr3 l}ڬHujx7rv <^?).2o7CnVwvTK ْz͆tDK9;Ʒ"-7m/8yhe]!n֖{{DuEo9.jv0mPwˢW^&Wݖp"=&K;S=CN/3dBsQc$ k+nԚG)ra bQ{Mwz!tRfBe픻,a]a/^,`~ew hv$G^078<]&p8ZIh[mK9]HW5QZ;l5cFe5#Mӯ׋夀0wțNq++nsHTVt]籴\)-7MO(2%6('kva5%2*,opΞ{mա$qQZuЩe"U8.[`Q(G!P?s"7 Aa${,W%z*r鲩 c5m1_z,㾠<~@ȃ90d*qa^o[ 7Nw*MMiwzo` ~[r}fy_<[ݡQGJ}?ٷ`Wɷ}T!I8e&}_N \Y&ru)7__xϟY$cRF tSWJ^cgt@* 7!$y*AU͸n$фOUzjVZi3j\* AfcTs,#s.WXt|ODjhiXanULOX3|1w( L-c8D7m)Qse&}[ų!#^Y,1 ] )_+)qIx>TEi5h ?Aёq堍fO٨hk@B"Q bBdʤMBki[A ͅ>$4a7M#97&гP>0T> aqCyz>.'M2[S\x&d&͔Užes' DKgd}c+o-\%{ @g ߔ-0Ok= 5CFVk'050Ej'C VreATDrw y)-ۿ6:ȥm;+-&!L*[eSG t*B9J_w^|Q{hJX"Rl8hPq <Ƴu}+Hp,\/mKwh N8'Is}x/ޭx7vm(O'߆[#v8>@1^u!jk>Z RQ|T) izXG7E_VЇ;n23!v[<`Wo^/35Eq2^O:>{$p-򑂅=P(ꗳ7y..9BXl]Tt%N4Dי1Ь kBrC . fϰrfsph4;ӈJ;xVlZ[0 P;w^V _bŪ^K Zeuyr&Z׎P7nٹKUWğT8-{#.]ĸOzP!s`Arj^nY5F۶ Wo;<hƧ)&+) ԏX("˗{dkA]{ȔVgTT, 2&_J*W=t L_YXJ* uc:t;=c7|4Ȕ>TPx[ĜڙuZ9 ȡwOʑvoaڊo>cAZZUL4GordDh&tɻ"v}LRW 6ƎDJt;M&TvL(jw6nΟ'W{Y?Hk& ʎRxcV=˧Vڰ~sS,P>&gJʯ2‘vwU„c((jk]yH^77ɨnV䚍PE( `] Z E3Q"gԛ}oUq|s@@"&-9t? Ն ђb-ް-- @$@A$27-2kBᙱO+# }Fo5&At&5 qpTuH]351+5+CLZ҇8ܲ7u2dNWe-4[׆Bk>pN_~.v8!DmL;OǣMw1jgɹkZU v|=fIdDtg覘pd; y^=lY.b.(0^a(d^对o*?sC4zK=o⺛K߮[%3;D80Փ *udQʪLvՆ?kl%u_| q@9 PP!eT?D$0"tL<3eW!g,"6|Ƕ&wJ!EerŅge3lG쪭);DnNщ2Kf1\:ȁ7X+.vϏЅkKm?s{GΕߵޤQ5K2PdDi7qᾸ=.v{r!`d)F"ɣO\Y*8Ϲk[73'*kpE/* +~Mo=/Uca5^FҮkv ]mI7mU,낿a} cCD4B.zkϤpZk χ<шXFd gA]3yV76' ^K=;4ԟkP5P)Lx;6o\W{5x&{a:rgc*zGH} w$l؁5di_ yWqho5ͨ+9oO但76tb6^)iaً8qӾZN9QD)lI(#!tE1T GT6oϺM;2ꆣC:B>ZU(8p& Mc106L,'Lz;& }#.[ǑV0b"{1ĠFD),-;'pOW_j1zkM4[˨X0 gݿL=*gG% RH3L^'8xR"då ?ne5Lyǖ >=_7`Rk I @8BcIЅ3G`r% w'-魝qJ!frV0Nh7:sL. c_^@~Q=z#A YtmUP@_&%UʶŠ0k\~$D:0;J+lX b`wr6wC%;+D3Aj7 gM\$Kbd%6VLg%Uɐ~,Bt`9ЛԇҟP1 q`: Pp </I/hh#1ɄgaN6 4F% d)K68cUnԨ:3S'S { 4ӱjwUd |Xzo"X_Ve-0Ih0%l#mAA5꾶l+,.eS o2/VC:4P5)Pҗt)uڜ d[4EWwwå7)l o*>"SZ ™_jTMjaU>3o@, 7|]Яh>)iV c"Bٝw\0&#OBD,߻I)Ȍ!x6(< &Kr &F>ȿP/Ÿ(h)W(-dQRmv2;Vŷݒ`":f|gPzF&I13~JP% )]pYn:.z4uc|z9]U-kY^"@,BY&~H|K+.m^8]} (6@gx)D>4R~vQ1+*JW:EBQ%# !Ba|fEmqNJL 2MS;ϋ鸫 s'u r&b$.Hj~#)! eI1$56 =`:fbhʘwfPq͝d~/tadנߛxcS@D6D[5zs>HXkM6h uV\e|lyb4CpA@='h*z1=iJiמyz]zdaed qy:ڙLXGϸmwvE'mpf& QjI )@C*Dq᭄S⑕=66\|l^{v/NL23\&¥gXY;Eȫ8qQpjlSU~}"4\DqAj0MhtZ`\*Zuc6^8&X\Ό2bb"٠h丩nIޫg fIx߿iE]kɟ~GM0:XTz*C$r3+T(*D(^%U=apWDoj8ڎE觾|Vvg' ڹ~z/nBiȳ =0mTdK>ht+WfHh~CL l0''3r`]pZWYUaڤ@;)kҹw,Dd'**$U{fB IN9*")[nR"| hn;)QH k=ݕ$Hgsj'.GZC\W* QvIεfsX(b_2&K1mThVP$d faMkr[[DRԍϹI E)L iB?8ڡy׳8no} `lB(|A M]q +- EY* CTqWmr6{f3V[Dj!i#^M=kR3 R!: nw9C 9Jȯ9'w+sDӟl@QH:AJϻ75cIەԂ!Rvn9h 0IX@"XCjGY\wRLóV$%D-W/gG93|sk]Bn^`Hz*.+2&-^wQ#dMzC`u 9cizs^J\׬{{G+T4{%מ`Wo[:[rW|Ƹ=*Je』#nVkB^ |˕H Az,JKWwAnA /(>qؠLZ')WF{, &,W]Su&-~U&Yh)LBYe:u␮Sm2n2vXgx7S}5(P>-]$QɀN*.$!#K6V PB;󠢺Z6)Za|Xk1?= +"ZeY^RSF{GY"{6y}j+9Zj8"pYv>v5g묏h<8x\EI -&ȺyB߉FnT;mi n POUVd]@T/U-&@T?I&.H2XELA,#|K &ubXh,MHd2M_mRcZEw'[p=K-rO%ܧ܍¹`8Gv`!6xuѬydhQc*⦙9zNVmʼn](^8hZQe"H-s9 ߔ "j#Om7(F=8bXŃ{3 Wh@u@ֽkP=.$A!3J&|zZ87aRH0EkU6;]o.F`_  SːitIU =>̽6;OiT^qd7/==Z@5oJrgI0S˓hHUXQ3mwA9u9=쪬_7dyz8YZqhuQ OљxXd.X*w;Z{uq[W:/V.6G]m)9/>jo BImK Οy6hHh.k~:`J-3~6ɖ4(3B?;&Lv4 Hn4VaLР$qa O(z*8x)ZOVJɷm]~+& Kz5H<|(cAp9<:.\16ILjHD'#ʧDiG_R)_pXE}) $>ez/Ss[l_!lk2{Gw)tho.2/X9R)VN6CksP4‰e\ޫwͺ<]$JZ%{EE Z) LtBnRJ; Ϡb1KAYa\%nN3{BU>y;0X/ݦ\"Bl%C1gXѣkt1d@-JhATG_uw`J!I0&`- bχl>$}&xT6*Դ8=ta%n2GY?X(ۙq:$ƌE5?"@|2r}^ܧ5D,k7ٺF]-oWYCRiq!/giPb\GٓW2m!@DO62 ":Ud ,o r뜋:5/,}Ɵ۲r4wᦩFaǔWdMn,%ŧ[}!u".۰"f]ғ{dS␗<㤨N>9g|& q֐]Z˭Xd;*%T挒[;K[MF]V@5ItI?K:}=:yMʘ%[]8h#yȐ0%s2M2CwqvRԺe?g<~v LMW ";Q:7:&5`͂8ni+-+W!oV񉵏ײ LOhxv 8+jstyT(K;>Ohk'rc@E}޺7sWwkXe48v e|WӤ$.jS~{3\]j/ņA)h<$jؓ" wu+z-|% kL%.{ %|4T@g/B2ޜN,4n#䛉T%ە)%Ur3S)w$u`YETsjC.+%{̞ ,,ʜL YLtnit.!cBq`685kd~CndV]N`WdJ&WL]PxXAg<~}[cL^ZmBɈ+U+,˙C \%GH(ʿk&K}jm؞WƥT{g[j!lNyF7T8CoaNij INܐ٤^ SWge›vL"c#LAٮ_YͿJZO0_WB g+3*|Hᠱf/5B1 ^ 0sSo[-TfWP\1 댖QEܨ}!%h?EO|l0\LZʵp_Wt>7aȺff=g \‏R/ظB3^bӏ]BW)b Nޓ"4kxlg]qy`\V gS!#~+"k+.H5WDe.gJ~v̗\cP"ǹD%Gʒ] pX"h]IO.ҭcdA@r KKɽgz˺/i-2FV_Ft5|xrt^I ѻ;Ù֫e7SSSAB[&=K C8!;{c:&c+<@t޷s{Ǫ4Hw^t G̗Bi\ǹlKcҌЅIk>0|mc\iocgLV)H4z!.; ^M P`UWqtT%muen Qq,:r$-A:TBɪd=c0v)?-v\QmB"*x|Dpq2X7/K@awX.JZJS.tX(W8f?IjQ\aᛔ.шmP`kd6YC+M g`K,D:"'yV?#!{í:gxk7MHr X5?; e.u[d6 2;z0 çhpv)Vx֑E2/)a*jɔ4o(걺tEl+M4p@RߝgXj zJH^Zs/uv%Q̝0i-Iv ]B54待6J܌0 2h$t6T}HM!x#m]G @[I5$ʌ+0%,Pl>"&z.i9ZI&"8Edvg4U+86$ ٤R~v܆Ǒ%ͣ_}2i[&5B?ݓgi*-v$+8V\,hy#Zhuu]׿AUKeɾGE5`89 +C*C5 "%JiB(령 Q<Ӊ&Z`%hSl!f cX.]- ) ^<%v_Z"'$dEر_.rɠt'CօR:# I!c:Ւs6O#^q06ZI0ˢ=P>|-r?tlؾ/#Z%|0U]1i.KT,5[*~ F6as,i;q#2$?L()ն&(=Z9 O F0떽x˧qJv&vY'oARPdl"V:ēp8+PzILg{ OJy qu(BLՐb׊ӒW4+X%Ԧh>j Uyro9>uW$u*%ްAB/N!N^ 3׮'vL vd//b/"[8p)D"_ԓJf߈ߠvUI| I[=RȆt[s:EK;fP N!s=H@/!RFL:t/W2ΧY\bGXb,߿5p`6ʔ#,s2kBGuu}8b|YU2 L/'Ohޒ-Ց)EKQĬѭc <=oCў:>OR%G1M 8^۹[TRpI9c{H"HY?)bB*}B˧q52ħ"\|V!~InDx*:b>;"t6^IV髑k7b:& Rj-2+(\{M#v;Sq:6]i)k'bkgaIلzj//W֒ =l%S"Q0/?])J,ف{d mUF#e;kI$tg`~#N&ioL-p}`͞漼ov3[BA *'n0CDpdN5!n遄'ej܉8's&8(HT :66n-V!gO] stTfGSt+ S־I-vRi¥N9[,mŲpV=9QF'AmbGOݼl.Z0u{Te>p!q*rkg ձy5#yy3a'Yq׽ vJ!-]?X mf!*Ќa gƵt Jg#5G2vz[o# On#R_py,c`P `L\:;sg_e^Y7gIv^D5@" c,Vb->y61)[˨qwZig,"e|J#gj0H 4ז[)+~R#hqWj}CTfI5(eP.47YRtg29u @k1162K$nET NÄOky- [Dg\ !59K։P6xۯ Qza˫m KCBAad lsWmGLAB%Gu4k(d![6FľV渁bl*aac"RQ^>=jO,Xw#LM§]@׃kmN ii@09Ǚ95E jIt>9# }Hw[ r=yEj&N°PjB򈿌L`S&O ^Pd|PQ0y_G/Z%zِ}hkUÚɥ#V+?eNKiobNz+u2I0l$( {0`\[mdd#-M-J=$ H-pʍfT꿓k>aч|ElͿml6m^Kb/KH pZ7T3^hG*Xxs"Aʄ4^K ˭ڏ10$rY<1Sx LF9^rs[k^$O BfG'B4bQH_ ORo)JsFzA\_.y×RJX +IѬ;i{;<񔘮>-&OGpW7JmޏC&Sl]tVt%BNOa^=P{9aڪ#?iXUٲsiCĐK*%"v3%%TDPHQ/'8Tz,^|gn6R{y;mCk@(M2)ʥe_%½n/>^|`j)cMR=,^k~n2[@028un!1 )g0d5LFW: wu䐏K.ysoUMzcd7q8c7_Da'L %!Xm hzBgU,ηuy#j B2& °9qz${0FqwG%.[ ,]<WenLkȐ.{/VSfm5TK1W[B=LYYkj8t>6T7]cux I~Z+Kc=7F9eOYf:fN&US3aű-%v/WQ콹1[#LM݊<~ =ӽs u`_LB"I G tr8Xx,U%eoϛ<^SjDL[%K>{i C'A|W_ic*)ڂ0/@Ys(3I|v.pbNj Mڴl\7*5n$f3d~OhuK}sT<..֙qqkZeb) _x MmȻDH*C !%\ N_15i #Dݛ"esuI{F}h]YKn̂F)dYDWjd:[$89#lZ׃rb5< Sb _@f^O؆5Ճc&`ၜh- XC\!w}H1 עcZ.4^LkM mjݚL"_H r$9yܸ(mIT|ʹo97ߢ gxnbC+ng$ԔDj+XQK`H7/anMF| eK}QGnL?on"bx$Q~zJjMu$#-礳XWr. eSUw'?HFŐڀ)n/ q ܳ rC?[~`H.:WqK Eg|PL汒cP=ޥVUU3Q #.`q]nm>*K4<z4$Vu(O.mJxxL~f{e] Lr"P:ۮe;6}oJ [[و8&;+SM@=95>HˇWyxOU=GB8J[`ߦxd.yUmw^/ĀE^H{|L;Lw+%rCH մBL0VEAW6B#DSUgoV:Lv#%SѓN>Bܱ?ȕTY\Yy +45LD: %j8A5Db"kX3&;\,d'YZ "z>P x; <~A^6 ̒#c <G~rpD 4L}ZhgυdX!֕ԉ_#6)e{/ePce8`ٞjG"U ɸ;I7ҕ`H,r8VhE~ciI޼wvN@!:bz s|s*=wial{ ]JdЬNpo$J~ǎY9v< ?b {=IQT*RMJr)}RX;)} C#pUGwq|p/58;MJvOrL~C]0t[~j4uE& &_ad܄|9nx(u艤V=a餦{L$| X&oꌢ)js¦?;EV+ϻk&w6l{/EE ڒz/\a{{q!sқFm!+e,TCUXI| йG +c8[Jbn:'s׭Z漫5ƚ 5k2DR]4JV7xPI}`d&M-}˧ '*(I.N[x;07֗ ۠%nmvWx|6S% .%  {^һZ&{-E##,5[F9ʍ"`@GAWO޷oK_sԎ>?ݵ,gasrgZ݌eR`t@qz~I3ͤFᎌ;FD+ھ PuT@vЏC6ᬏmzd$c.xۢ$,eQSK{l[e;et/J{32 c݀rwr[Ddc&`sȉFaQo"#ዓ̀{_" !%a=D=r0mJQ^jP5s k>Bb\cWo4:4brӤ7dG0NsAΕ7'/3o[CjBM<5u3&Z`:ٮ g?=o$oIb҉qCH !xm^~8NVYTAnS+&YA` a%d5%,)z= mZepn i`h"o5@7+wkoofiV"W2 7dk l)+Oφqq=9iS5 LfJEg#=:kL@D;JwPo:JZ7%qM@ X]qS %. G~)OQQj\I\Sހeg0~[`l)2~~ApX|ʿ2=k8csYn(#$F~ ٓp{z^X7Rqװ[qM)9 8 ٦Ԝqb-lFӶ?ܡ5:LF h,Yit-zjVDhdex?6ʩ;{ 8[5j "Mo_3.U4qX; `!ȴm(T3/gS}]pNfKxYMQ/.UY/gX1owjloڗ|F{S5hoFJ&~>4BgKX͈DvbxC!7gLHi*,![,FRA t!M&K 8B䢣*4 zC"b~l@@"Q^uQ:By5E@rU"q/88@{+m_kj)6of]D~R)ժ'Na3m5b EI|Rz.&5A +LS*"p+^:^ɎK\!ѹcC Jf>д80IbKu#U~; 1>Ή=d;L -6"o)%ZlJMv!^FY?e$$Q~BnA2M84hL[QdUAԶ7K7딙,ix1n&RܠC8r_:=uyc^7SR[CP9SA6\RO$E.%ȔXn bǙb 8[vQf[6Z`v6Z!|4~5i}#\KK:7ϖ+('t9JV нѧo4Ӑ.KLߙ:\7q),}2~Lg7;sDa)/5 xk%cוVѯgw hw=O&CXtG^3>qNx*"%@SY󑂓D-x 1Uގ^`T$=Щ혂$͐i!fYfrz6Q-~ALƬ@76j?H?\jx}^ndY컟4x^錵VަY8ˢV00vNve.D~FQ> +x76`y==v,(ni* E4%ѿ1I|ZB6iN{ a 5+&ISz~߿@tXqncrrB&;׭`.ȑ9UKx.)0]ҁcl,}D\Po[=DVOe6ᔥxm̗t=>*x"k2 4,>uQF)GRWZ&xY^VOKVHPA3 pb5;u 39NiC4Zb"@@f?ßY iٸIb(fS[SO_ gG. 't2ռK^ëg%=O @ݠ_]qr1O;ZrI3'TA2:PgbP}X~y{xXv^]^֬hBc(7:_)12Na 4֊;vE rD#J yA ˦۷=gemZ{GgS[$ė2Hw:-L L]oE] {⭷EBQg:B *$#`yvRN[T쥦R1TVMzVZHl 8edy\QJ)I7XtSSc(O9YlQ=Ԏ-?NAckJb)A]QXV"~W.vpM.Z\syOUXh\׻Wm, 1-,8kUXKTK>?9}sM5&UϴfFxu˺&} rN>㗹U6Z3*۾wLtO֤EBGiRX7΀kjx-tHz刭|(1P!^ KO`: jhU]׾&?{F_yڔ)`O3l; ?RfmXqԌ׫> A}0{B.*aZO`jkDa5i?x[TGvԦaY][b)UebU(yф 6bh"˳QmQde6Lb;8ZjUO9W<ר n8ab B0X 5MyX][-h"}'%ϦYH_ W/w /5yY<8Q6E#rR1m^VFxn@蠙Gg9rcOh}dPiZ6m2OߦiӅjtMɩk<[M5`6zCEMaت%DT L:LP$_8ة˚$x8 D}Ls |1=ULk88uy%[}INg:[dm!w{ɼ7+9D^r;%3Fɛ2 lUfTWd21)?5|G?7h)2!]Ńi+|V6= FH؃@!g,/4{]@}4_t 0Zװ 0- ʯǸu{(oS §I?۹:~$zŶTHP(9D}7|TKR˾^/N, &̯ĩtԖz`&N{kB RY6pכc"nnC'EBiQ+;m'ր.+Vɬ'ӷ楬;(9@i9}6Z0eO%>XXlO3*V2=SuWR ==йtz3|;sȜ׫?$gd ÃDU2b/R"fEQ;xjU23Vi_2RȈ8)L Lj8&1Q|i[& :kv+WOT͊ʎؗSey+wep,@u)ΰEClJb e?]-eRcXںITA{lGm[βPvҮprJ.LCC]^=!>U.\)$V5ɨQ Kp Eu&C"TTS8,,NQ0N@ұ:f|6&'#c1Cm['/5Ʋ&O ͯ߄Qȝ(E̩n>K K7(dܪp_9*^b1Nj%<PnwN; KT1tG̚*j9{*+\?g+ś$iM6z3/+0(C:pB=M2]Fآ\GjK 2v4FP 3hpr6j4Ջm5&ohqBwCO'ػ4!0xQ5atLAl LeD7`j z,94-;=؅l;Zo&`^Ävf|:z(Sz0 * hLJ mwtɳ $)\HxEIrr\g#hkx.֋"FB|MOOvڪ593Cz4:,؍:[rDIft\šridk i8{P 4Ym5tS˲/5K!U|thu<\LfUՆl~L[a"m!X'v6@Ji R.JD54A7iD+D[=PgQp{+WBNKFCgVZca3R)OFgT$KQ܄L[{)A=Pt2#˪%M(ؾY`MI])"4i 쬙P](ahqKE˅r_ss򏖡Vu$몶gQc⸦(c7'>a2HN;9[oyRcZaS}g{ uäoxzF f`Y]My+9Tu%6vF\'RaPhG;Re[u) odFHJ#8h3()|(:RtkHEcB ςQ"D\ҷYM%ܽ]y'ԞLh#ͨ'F'E 8;{JfQg?èT"q9/])7]}#`xfoX\ep]5d {Mb DGl4k>;o *eQ_hn^V^2+ reM7]?fƩvd\ꨳ7H^@?PVg{|$pY=6+#zUI+MO8_!%@k'oP쫌lkfE$}g <Q8 ްL]K>mKKW\6vJ}?rGCduwv^>Ne)$ɶ Px,O%wt u"!U`-. ׷`ZOq4}ʊ͢!*^U)|ٽtg FK0L3|So܁[QO_L(uVֆ,i rX3eFT1v b"szhGp9uV׾ɀ*v1hJ_Xb=m#mݤO*$n<7\КdMHw7oP,],c6I>I~'%?e 0 ݴ$o.B0EX: ]*`&5z5(]|єGHގk;8gSҦ$R':em|GwHʾ# qӮC \/5<7zZLHX~fLjoteP(,7PxZxYmYO0R`Ai7gVŘ>4At"sL _g<,ж&;^#c4#7=$p-͏34Q;B[]F<šĒp h%?}Qu,\<= ]sz`8uK9I5K"g;ۆ5PYtS @sVF"dsD q*K`F!! 1r}̃ZMK"iVvZ]CE$k3cAril092w5_ؼ="LQ* 7d)eTf2eKlv,Yc ZO}Uc:9|&E- |-M>:j\1N949K6xsϞN[$=Fx=Uզח`ʛ)!K3(CAeWD>Zps:^!ّ,In"J#З2n]9 & ,MBJg <@4x*h=U H>k1G׆VT:aT<|n[ʽa -fI?jº~;*aTuYTkֹE6^S2۽{UsN=d7 JTHy< D2=KeqصgOsUrE`5R'$biGMu(:j $Vǒ!J SC's 8"QWNJT([FޘѬb%NـW>1ᾅ 2`E="LN p{JŸ6q|_Jw266T_Wc8\c8yl}*U囉5ݿs %k 㺢;GnƮ޹COT;:^]2Qߏ$8"gyfZiw%P#&2:3$᮲7 lbPH%!Š.I6e|FFȆ$r i4 b*Q&cEclәn:ha:EGӒaL쉅 W!Vh< S3C?|^)Mhy'#5 @RO41Cc7Մ.~;Z Fby[5UDG+(/? 7elAC/./c VE~luŤA!JGp`g(oc!ޚG IE4+hY=KVi?Dlrm#Q`nXoϡ&y,5. 8c,kGpeB" Lj[aWN : (pc_7W"suV* ԖUwD ѣxP/V}]W[E*23,;E8^=-Tauj|Kv1eGKu&kDŠqBqAt#d4?I[RJԾpFlIO%/GT9 ӗoRUĊEA#X!vv$d:wGr"' o~! ag.&됪2n1fz8ò6E-HBq%d< B6̳-~Tc2&f y ᐛԂp96C(9{r6 q2G+\ӷ;;d"# ԰O3qed<5<+est +KJqNLUh!& >H1FH|A^Jm,֛C E〟֊k0>DGU.Ak{ {J7pu~vjU% `JV IP,dFh acOC1N|0uKEgGXisP 4Bک. `h 5V DžhHt.ka6\\k!ֹ)&rI]髲Sӛ2 =שU cޡAK޴]L W/+ Pض=MEOkE܂t,Ck";kk]*&ƚi=x4wdD2Y8U9 _/ _u~>xuEY̏- N\0uJ"~I:չefqr# )Lo3KiTrH4s:YUiXnj+23 wNa7Cn]8<<ĕ6kx0)4㰡't!z.*p޽ܙ/@ 0,rl^oάaB}@ΝkpT(#H?q)79'6i(A- L~}9?YeWMɠ 3pe W80>5GJq(,Њ=\N){b M!P_6;/@طmd.t]Y ]8koWY#;&0 ƀJJ;"@r,oԓ2SlCa.JGvxCMNSy7?&#u vu\%3^G}}rA w}(ނd⿺O ?HĬc^δU~DStZ~X1B a:ٸݨq-f1) 4V)rn1̦JKй٘L,d=\N4]~kE*~ <5E /r~ܣ? $o(ԈvsKCqV q恱a9p-iXr#9w8%G(qsB>bcZQeoSP 3mS$:@*QH^3T0SYZs|L~H+k98eWfP-vhӔ;脿%EÑ.u 6ѽDֈ 39"b ~-CMxUܣ9&B/_`|9u_PfAga(A>W`.->z7*/_ pv\am[_/a+e0Tn ZLhu81ѥyR=11ay}~WW'BjZphKGޥ=н\\EwvXbd4AR@zQ|y?7V8Ptim3:ig՚b,(W$oi5GkI=ޕ_'ޕ<⭭Շ1Z}qxnrteK2؊?2&W\ Ӟma5C-@uc3`ТLmwE}i"=8C7^F7< B:'xlIgR#Ӏ&j>,(,3 e64' *Rbz{.q\Q'^c%|->M/W+.~2ËfU  @H伱\_3XE61y˾9?r1lMĝ2>6s\2..5{TнURi'`:-S7$vC*.U8-L}R{umh^1T L*C[?7ɺW> 22ÝHhuDCmj9Ǟ^3 *:Qp8}YZ)4Q!<=s(P,3:nMJ`^ XF4nH-H^Oͯ#${c󃻴Q|֔jIbx! 8R{4ʧdtw.N~D,ΏZ*/ }96&$7rE\ {.VάN%z*XĘ_J9-(*{i4FRck9סlCK֗ƆxGRh CE8zbRpӗjfFף=/*C(?g2n܅"=WkbKW4<)\ jsKWxݖ4hNVJ3" ͒cM~Q0s@u+@~( `Po o>)RY'N7X%2>`cݲYnHzj3jo3/`/t \=%Z8E-=}靖dpunc?:e@,\m\T"vL"ܗp1YA]1hK_TV2jc,9 {m,T+:kU74;bS4~n f[i!š{i%*`=k7k2bslz8&J)@]Ƣ?܆O _W5h6nVbuٞDk3J^!#eӌ^CTİcz$L/]()&+wuoIzHP+zЏ/4&߿6C{,_zG0#kP 2o[{H3cKRڛr,iS܋"8 -:FtjP i镝a[c/c`hAXͷep{jB:ÖveF I3' [ףW 3 a(pͽ Z$T3c?UHJjIVf`ty#%3l39k戅$7+,/4Z,2yND'9Im4Vfħ @]ߜd]-Kl1[$'|D<$ЎtE'jHSbRo|,v~dZ,=`Tq7OD4|6S,zs7c=9)OqUxT bWu nz Ct Cg{BsyPsdd )aSWFp?m96a7 FGu^8D^HudE0;T-*0zJޗ8@Lx6甹A^:%ZF@z #As;Qn|uD^<q $dY:~$MAI۳?VĥA}S"yЛK2oFR$ʨW66# vk~/{b0,L_h/c̣s* YgJ'ƀ'W/2]-@ߎ \,|T[ah WG߄!~#4\Q٣ٴ[c?Mu Uqt\u>vsBBu Pݤ8h"h?_"&GptK046Z_nkUnEn*6uɪ_ 𒐙:=>WRrvKGiV>#s^XU+Sl6v0-Ys$AkE"aGd#ϟGc/&Qs! 0>#3<=O1*vYeKh0aԿ€U˲^DZsQč74>\l{;wh)^%OY„zo%Koh]yC哓=_ѷ^IWbMNK_e ( BK Nf \v;>zuؒB>dRp LuigKǐ2/ձR!~K/Չ4ˋ`LwZ`j$z&S1++7o>ϝRk'¯ۚ^hoer`9M3 dz[|6do!&w:,ihh8331\J $g%>I qil (k1D!3CB< _!I2ZokFVW7%n,K&=!07Sj}1~EpÝrAq* ë*d=צ0:b}Tz-\V, kCΐB,nϾPn5W,[)`CnI F HBVM#ݥ{S(7_Ug*22MT2n曨kP+U(+؋rЬ Mr:.%90JWN)߀A3#C!Cj 0 e ZNvZ1d/f##Uiȩ9#o_Fo(T!lwhˁ.5i)bb8+E[ [RdUn?Zb}ЬqQ-̱X-R?'n.^Y PX6sR\JZIBq'+=؂Ch1T'dNi;~әL 91:CiVt @'wޑN"ojtЦl'r)ۨ8ՉŠ;v:Νݍٰ(Gf֪PvacҴ A0U~StP v9QTs{S(\GiQL;Sluo[Eȶk5TW/r=vo@5ԧp\u6Ja? [Su/2 XN3--/JV7rlm)wd2{ԳKEb+zcm>X}U趔Δ@dic78{FJҔ:8qfOj*gT5…6  `mOu-Mj~96wA/"0|SbozK+u^Nx_<1(qWPx W["S$”xSX5ű=fZfwG>g<` }E/oTKƗB1FV 6.e9<M^jUE렄WdWF~\S__{J؄Mv-:_hXŢ6_B'pwy7K>fYô5qx+t.#}D$xAS|ZCpѓulR@p(8OyleOIwṃED߾G%igB{j (ud;aS7=!s] 5;h%CeUO~OB7Nd$bO hi&ɋl!Bt ԉ Waf"eH̤`9!E:'-`PGႍߋvC.2ʓ"tq\{-[NRzD7C~72' ;F-SEMl]י ʷsmAMl*@|zJ;Rj3)$\xHfoAHwЦ{nnSo5a/ a*f9qڷ[Z}Ӳ Y-bEY,@물Թ C+!ÐKB8XKPId~w#MB^ *Wdo1zu P9Ma~rX7Ru0ᢀΐZf[RwK ~uZǻX;nSUV_vliéi~ c^fcG !'vĨY?V&MP5-~sA :<)LS$!5@kNcLtaoqz{1=P.QW\*)՟k)p%V= a\tuC@u;Sd5O%jU8G_A͢OZ\$KZV(εjw'Ia6*{|N`Jl1ry@Hc()m6kyV}c;=ZD(]Ɔޛ6՞RIFm\oB@'fڎu4{o7[4oە2.Yjvl5PmIg(mjfXL7z]$ϩ؝Qu<PK9=M4449Z5ph2csj0wrK 3Ls*R9;0Z 2R5ʒ*xCy).QT | 9 g#-yZk'D'7VV-WBK&6]ZۦSwm"G|X)qTF6fXCk4qyÿȯ[4|r_Ӳᕡ]T(o{?:2\"xhFB^ň4- P]zOqNZtO'u*.Pu(` e(L͘Qo#OaZeSk;iPMcNp})Q<дEt+ݘ 2)fس^|JЁ' #y/ nQMDIޠ%^<_Pc;[R/]_GBUO{ Rԇp>kFɘDSaN͹jv[^ z|b=KM'o# ٬% ^u\ZX44A iɹ/aO(k9^~'g^я\om?V4 IdWW -d9yݟӥ*Ԗ͕0!bZqs2- lnR5MA>AN1FECkUc<7r%*S2ZPW%H]z3}p] k@jSxiX$ jaICkFy/'-ij+ܳsr 9Ư%~khŁĔzvle ĝR92dR%֎c-_K}QʌlcFspL\r^jآ!΂Osl$UbjCp~`lwy9}^^BEj|n q;̯nJ$%Po^_BK˖.ĒֈBnV"-:QO87f[9V}Ix \)<^9E PݕZ9^swТF ^sv:$hܛdP}0%B"#g}Y^$hmQ{tvȧǀengP4爾;8QĿ:SMAڦ>a{p ٷTz`lrޏH~2ZA z,)s^4Uh&9 eyIC(]jX׳:JEf98=8ҮKnT}ocCy_!ΒSปiٺPv-o)IA(tZ'YZ'pbvkA5IE}tCOn) d#/ J#آ?m?߫`X _D{s4M`hrt6($D5TFNnS6p/Ke!uGހoP:oi4_Y0:.^g̳ #VɞXj pJT@x_& ځtS湝aI BDH}^Q3h^e $(CIص<X+S+2ytZH,ՁQQxH='*:ۂ^vTV&wW[e0[c5wO {SGcnFR# ~Toee]r|2AY7Cp6R$ U<7kYQ]r醑E$~@Z37֊D7?Ca{ Mr(%U>bxVMnMQTo1B^i G_x3-2{?M?/עZl5M(F:SRg;71ӽmzt|%mzVJYx/s$?׊/y&|_6緔0rR]F!,^TyԕH,Z7o0JW{zUz3Qn"@\R$A>CHxzuADs #`ytR-hvfdWq)N7N"T2͕*-C#ϼ>) ].#n';Ap!+hUAIdf)?7FBCEɼ`}kO[o):jQj[l/ӇX"~pFi5f2PM3j"D;2/߿=ojѻ -*f'XMk'rL:,g2vrU{͝E*I~ЦPFLa}\z/b P#Q|x: 8,y2o#~:#cN%HK$(H;k;ѼD x O>&ߍ `֥R "ݕ 6F|^S?>h+L22NDua/vRLkEg4 [eXH(#\^:2>_*ϒ #uR=$Fh7㲴WC`xɤzm*ov䲬óXGߘ.\xT*" -frW ȯ\a JoC4k؇j:f@8S" Mk pfX{eŠȡM>yxn|RW2,SN[2;_m*>j, :w ^vCy*v. Z'FO(T+?`6[p3g!eDGМm|.r${_TP-we,Q q@KbmcdJ.[lu`ut# 1 ,F'y#Jkyfj>un>g4;bE΀w:7|7=Uʿԉ˥~\ѽ钸[:\#>!v:ZR~5r`+6m)p Im&L蒳[dueb@0,>,ocP@hv '<΂NkiGQG 3=:zBb&1EBi6-Yyh~HX iY"F6+`:X _ J 5μfdԬoGC"A9kQuE#[#W8XdSg[4C([s>~K[WH3#:(A@Vࣺ\]J 'Vь,̈́\aǹ@qV'as%<>>>Q)ctUh%dZËBU X&~:yzӔȾdXJPh;*sC3xCz=$N/ )/Hƙ:y\}m2zg BT(Ǚ)yE6h=F@} Y S٨"Z؂z Ro|neB*0:;) XeN2֍`K?9 3,a`lkV7X]η&xc.(\韔"Dl#hLה^^zKL`ほ$}{N@%mDD=/Y~3 K J(Zv@11ݩAm'] !A)#(з)yZG^pG6I0f7k (moiU4ϑlx r%|1piv5ݡ7!uP3]3϶bY[G/W2uV%Ås%l[-K,ЩxC<&m\2]< S_pGPXuuy;YP;@Y9K >\ Xq.. ,O?ȀRPݟZ\OXrpE4ǐJzTvfH, eōH $oo(KVh_JD&0\ok 3NFNޡ}uzS+T-~#Yqx)@T[q9p)'1`gע;4#->cV,".;72kT^YL_Ogr +kj\~9p6VE%޳ˑBsoV%&kj )dܼHم:'lpEuo$g_ {^qU;2" 丑a_z+Н3/V5XH=FlX&nQhIj\9zo$rQ7kf HLJ[sdmϯ=O+XAb t0xcnHb:8'IDhX :: C.=̕y~e9VKzWym=[_5+0f,KsZ1[,36+:&9B[ E԰\TDmk\Mj"Ha-V [q׬)~뉀p-i;i'"'<_KzшlȚQآt{FAv*h&OaL~u Do A!E ^Q? E &wqRɡeuQmcSkc *}Mzy|M}|#\ Lϖ4Y"0c9/!s-r|[N9Av\zjJ-- ҮlGҒ熞_ӋJ ?:1Yaj&w{Gql2DrlE! OCBɹ k^9Nb[<4Sf[S/!~3pe`UnR};H_XOCOw <]jjխ3zuEjrAuc;& 'QZޚYh? ʪ!ͦPlttjq{M ]"4jtx<Ť@lvLL0xay^;UQGd9t5Z* bjDבdJ {bbW+F&k"^$ջ&{iQ/Hd& tuy xh?Pd^j 7 rpKۨJvLP_Zk̩rXA{ #־lO$Q$Oi,%[yJlc:& h`@9Z*^[lM<)!32>P'lXl f+ BA$1;%AU:hJS{R u_磡PJ%Bmm=IjGtp_mu@xkZ?`7NJpGx|rT:e* E U6#EmZI`*=> ߑR $m-,9{2aGDءRz(h o&Zݚ`αL9O;?Dk~&d[wiS-f^[*2f#(͊x!c̿wx;*XD *%OMx2i$9N\:^ &V^SG 2`Pa#{ٵ?]2-]=D4:+M(KasszOr0uMLvjm0]eG)o.IQ" j|Vf'n8B+@!}VȢ.%NۓL9^ Wy>\{_7͞cNl/:679R1lLU&O =S w +gC YXW~q⎋lCxVi.sdBEe<qupPǹe<\2 ١z#' y }D;?Nazz L7pfVH(3OXU(=vrit{CWϷ\G$> S+z3<ݪ){p9p`7ӥ棂T[$I@r1^OBUފ7@g*'{; 9gt00b0>1,B`tH^fk4 ~A/S˪}Qa ,}a9euL i!gn 5x/lyAiH1p}Ґj0`L&rPG2x 4$inBf-Q ۊo2(=+l4,gD'a]a#, pcwbX'hPp@E& NffL:fS|} Yq h|Ic2r&P/JP%ovO0c*^p*G5)d\m0m1*x9}dT$Yh 3׷q lg'l0ʂ k!<î ,μv9В+Tp!8dZiU۵paǠjdן{D߫fpX^0/Y̩70,Vh`]KFσ!O%5*`8f$mT NmiFdi8N&'JW1ZDEti1i4 7SzSK~|)΂TT~89ɎV їZFPgJԘVhぢ 'jC *_Y}{1w ,a}b,fuj ivXILRg0(S'9sw*_N2+rȬ9^5x-G-1++My5-9q]&_YY&_ب:I̸\R91Jǂ/[סKYN;n?4!@tiA;`ǂqQ}7sZɧG8-}M‡n1xO::eO(a)M?)fXG>`W|Iዐ4_8FmBuw-)rDpXPׯSM*䔺^rQ+"@I][IUԉ !g!.վg'u?2֫FzsA9laMJ%1w]<CR1!P:KVߴ1vXH&a@y.Gۏ5rXJB'7K24J>1~9cy<)ޥ;6uϫ7![J ׉!oAGY 2e~i6xK~3&«i_-};qvPE"8kLVYGT1es_?prZEꯦ$sQ1lFL}>n k8rGP)/XF1;0B3 LEx[_cJqw=3NGCT dTVҬAj,X^ZptkvK;@T|oTл[Ս.q>}7s8N!&p54[s]˜OVa1*z 铴̒f u\5B- M9W FDLNO IZqAhqݮbtjQziO i(/ ۿI0bjXpL MYg_pc,5C7͆ S e!~b2|J7pLT *rSQȼp\q(^fh꾽tp}pǤv68\|U8máধc/*B4;@#X۞h#G,A| G%6ACoɕrD<M+4i*lI-|K w],@߸h ?BP9u`s>9WXnrNw,K٭,[A_ȷ>ظﯱ-::ꐑW MgdbLe  e&ܔ):&rEtq ЦG8A+ m.2euZin/5%%Mf12?,`Ѿ!|ۈߘ vjR?2}SNMcdUv^]= Mv)xlWX!譏ӶsϴIp3=a&%*PEN;cH'rv6m. NY.WսCHMNX:o-M9QFHisʋ%(AÐ\E 1+hĤ$*GMT(whw#AL|VzcĆO|r戂7$>6T i3+SX7/@cPYw2qW(,G6SO[х6zc u9[1%DChA23ՠIt['"~yOA8m>OCGi3G$CqRw0?dt0MV+ AK}QզtdS9]OĐiBO07Whjϵ[7?syR >+qfG(Eax/?6*A1'yA UeƾK.t>.EMȄ_H;gݚH 2'΅*u<*FQN_o%X0qdLAVؔ1FU句MN]%`#y19'^;1 ɳ8M6+J{ME켯=SvXo̺Scё:'ի~}'&YBznbqZG>ӗE RT= 3@UByE7S^(E&Şi4}li'y<|V@ҥUxfBm&h8.-&Z 4Y;U8X*nK%NH 6@6#r AԳ9t8b ʊE:<<6 oW|{ޓg욄RbX|,(ਜ.:v18dco|z*P BNsIU#j^gBx!_bvW) J4@Ȧpe4?F̂vC$/r7VW7݅PE~H*֚`k3*I<&)aa͸~]\98\7s"lX-)\d'*uㄾЮ1LZj3L\_)1֊xl77"ގdnM[$lW DCNI[qCa":-O]HC { A5+rUebʻZm\XuyUF_1)-d捔+k־F} I^И M8H4r}͗&L~ 2C'Tі.%F̓XzW3ۖ qs)%>ȧ.:b適 <7 9V@vn ‹ $ tcL,5k0b0jO D(WJ_t<? 3T,dND6dizJB6m)e8MpŋT>O6QM >Ɔs|zQiD|/ +-}p[d5?pI#@#Am* NЀ UxPZ#^>p CoW굵k1÷`}9&5$]pLcEgGƓ=]Ř,Fo1 Qyt.. i Bc Wg< Y_Srs'X"BDmyƿ9R:HX*=SC2(:n{U%6 +ܛzhZL9 JFZV{ߌ`~o:p2rCirR[I+ZɅ(ђS7%(3 lf+_ ۇ{P5}Lc/Ҙ?1񗔦u<2EѢ.3bu׾zX[}sju 3Patq9}J}_q:o[_hgs'ֻ(,Oڣ4_@F}/>M;9iTLs˓~L+LH1SHoAG̫r2̩ R޵8Xg3RpoDwbpeo*9m۱h(+H'oAWm="=qa0(rRݙQ I.W=  'Zm D, pX 褐|r^,R5l̦W"9 ~uh^CdnO,WwgHɒsȹ@!s\0)fik/sG= =vJ怴*Lw 7pøqcz2e*ہ7 D#L;5R2&݅&NLy̲YAԀ߉KN4OLvEGYZrDL =-7添4¬dnO,;.EsQ1CћpD;NAJ9r&Xաzϭ_U[|I3S1U+PRef?TzKBP D*(rӭM$pI- E`bp,{u<#& pWfOf ZϑC,Uwjyi H՝y *K2&su7w. WOB;&~`}(9PQzZw``x=jd{,j 95jQE`~fQ6^*!b9'C'?90iY1A6^z^hTu0"!>]d-X[-_Fkdg'*YKy}t: pƏ.2(=kz%Q%@ #hXVaO:rM6Njţؤ?pTȵquň`.{FyDx/S5#J^:aW'{DH2V.&ލe&rߎjwc?3 6Cw (B NPR,9 BU-֏+M?>s_F3r3-S$/ ăR|k3,ivbLU0Y_ }L7k9jB'?# U4.'x#Bg,,h%eưw:ş=V# O]|D"?Na^*od)FGїhLK뢌hKִ-W,e:b5j|g4рjIdid7!|Lo*z-NW/ep>z}HtO6'i $B6)vc#L 55%" Ժ@9.@*aV4N̜,j?.LOwr`Mb$Ӑ  RA H;/fj0qɺ{NT{Z]b>uD%]șE1 k$" 80Nh,>PFUm`kk|P+W[U8bFGji_Yx<+Z2ZOb+_E~mK^?P z;'RB7@*o;NUc{ͤ%(+a,#!m#nG܈GX@zUy| F9'tp rCXc]x.D5S |,WoFnlmHojK,M#CA7!?B+U=^~FYIFc Z9ʥkynZc?D*_ Φr<t*ĺ;RU nv8}{YNq\1 ;݃;_Q }%*\5k9GM w ;뎝k|yUdSo.a*cO2>XIA./2#I~Bk5uC.m#O L19j.a*Xe ( ]?o7lQҦ7RQZI('_-݃b`c/x񼅴oDY#LAFFD!m_GdlZ+ X=P爘RjT"$}CPظj.8?s :^0u>*y{+`}u5 -cnO].:$Zo+x7U%s 0'uQݠ+h3wS#9Tm^A^ߴvHN2WTjVf@+=^+pC*T}NC k Y`$IG7E1ͿĿ/) 1 rG+h0@8ü*Xl8S](.')j/*ߏ32*kD;G&Y2a9uQalAFpƄx1옱W&lx{mWc qh$cPGwgTkK`ܲ12܎bִiٜr.EOGr}_*ؚZ Ǎ @8{ޤ$# <,T$eeOtB!1r7n;|./JC[H(WQvt=S{=Sk&ZD)~֜+ngoLS)BM=8ыI~^lj|Qb|TQ ]] \ou mwe+Ydҧ/d&y<䴕=2* @!4O1C`z%N>}=ؑG:V(KA*<1>ϵ QlD2\5Tr?cBhW۹t[szU.4-KZG.v{0e&=s[5 <:-MD(^ j1!NINȰ {LN!bM(K7=<8T\As}WbcVV} ʑ$7f-,Bڪ[u\N:܆z I\ȷDnbRj #HjFhT#AD*F*[]6f9mB4jA RFl~ /g:gy#m} b!F'?w?ful=MAՉ:JYYƲqfG੧|_tJҚJ4F"))NNBBx^"Kօ̽:hp{ʤ, xߵenR_^^Ggp`aIʅff#No7rh!hkSzuhΦ,?{XSNN.TUEPGJiE)ndrKދ02ϸ(}l;?gA2A#g'٤;e b[`5θ)MߡY7_)hH-7Ɲ;K 6k+ {,jl#ӋIY#5_u) lcٍCg)έfrD DX9#$yJtn#xmJgL8JYB&B3& ) NDO4_pI2QX{<0K.58gn\Ӫh#)aTӾFxdrtWQrJq?Sy,la9[[n4B:gb{v*2C Iv8~E5D>X>dc?2"Pni5?= DwțD\!?fڑfgcc9-f)`Ǟ4)j/9YSgxJvc"! ^eՀ|B[?ap\!^RPYH5'x *%d`?0u K4 Xjw CSq£ڈ >VT)E : B#,¥"tDd (5gj>(o~ 9lÇjJ ׇ|CVST2ѯߔ2+Xٻ֤H/)B2jXWvEl T1K]c ܽ?)brb?Cu߈k#mv-|0A= (I8fb;〘X`iki\Jd`Kv|.X nˡE] %*g>c'qKmԸzy920 x )D 2Z\Sd-Vj'͎=M/<ؙJ`A`۠cC$ʈߦ;$b1{sO ozoZCNDzF#`W*3䢪zHѵ՘ja~WXW@Mg.qVrF G"ro:Nq|c1FP"O*MR*Pr0WT .tˇֲ:T>Sjb^9`UMip 'eE,QMa;?Sz~0Hʹli;u#v)xSrfˬɛt*1R@ #͕L[O?-*[ 1F1Hآ@s!Uek[>s~ȻŢDL},.j0ȵ&>|u*JCҭ{P/u/ua؂O ѠPY3;>* 区m<#[Q \ doC [Vp#k U\q m&?rXt$=F=&]%+6>aEsQVB+5t&tpF~L[F\BE |3[6Eљ;IS*¤~ذ am KLJcR=k!`^'Nclgf Sį(\NVII,4<d1'0IFp{ǹA6ﲼrFj?}jy/mJ r"G_@?}! m8$:h#"4aMy >]bU ]o= ]xt~ I'G Z3؁n@-vaqrՒplu$1:鶚^qUV<ưD!L^ GԄ\RDmk&U ?ފH)v"Y! CY[p4t|=:sX/f+W#,O鄩X}?Ĵɟ<,'Yhy$DG#/ J1$)n"$NzKy"]-3i}b<) Ld 5H,ye{ Rlɽ(E_B1t}҃ZDUmc|V-L([,IBs z5Q*㪅CBu7!>S^0r"$B)cQj+f՘&66؍3~#ђ-˃taa-FJ<Pva+/GiYȳTj۪⵩NLzb^;=߻w$_xaU3tS'%)mv @ th<ɭ\/ Ck,u:+^|e7)/*“zq^OEGbf;dʭL6)_y.WGK*/q8(n_gbG@FH_rj=XX K[g&LtX d$ P߅!Oj+m#Ĩ} E3uU,7LOܘDŮHٺPX7̥0`-q \*shTԚ0ym+CU|ɹzB̐#L](Nu7QL':dNA0^sDTonBC(`D/MXfq;&lz)]wH)ÑΛRK.{;lo"8nPU\xc@aۑ׃NW-2tCLw1)Y@!gʹў",C8qZVF&4IM+ 8!H$wiq&jtin$sq5㵌}S͘w Al}uoGQs ysDmH߳r^"SA6Ťr'͘5"\6 @M?hެmF;]jİE1d7g..y cFc͜M~4&hТNa5qv\R4:LXBT \%#M ³i;<#SN _[׸ ^*Nߢ-,,fwiPk8r6盌u H-].%FH$H!hܛd8.ho@邺c2"ilY@3c&gex&qy27T9 hlfnX8ׅ!lx].cg5ޒec,US+|3|*ڽ^{fz#:w%RjE۩*H?P_1h~v+ͦ-t!`,J~JM\Yr iJޞ f؁xp}[Csc]`G=N8?MG)^wSkS@sϱ24o0GZ#J,TK!uYGפ:MBV_C'R;K%V eJY>kWX-~ !@j9~t( $voELR@"\SM%u_`O` i؏VRWDdԗm4j~|¹L*|ʍ\@KrĻCM&}RQ|Xu7yz=.KT6.`P95 & wp_s"Z#`RUOuN]Y盂˯zط1NT+~U E|W~»GXnɠܱv+Ma( CfG?o\jW{13?0R>@So."o(n`p"Du iu!Uv*To!?%ʼRfL,iInWȉ8CO].Cn ׏ʠ;քo^yJ-l f5M0Yx;zkuܿ ۬bيӎm'ĦKþɮ"!瞰"kKkX.༓[\MS4W1&3;1"a?؇ HIH j1gsU2MyXZ0(M6`|5Xzn+% UWl$G-Y%]wCm\ Nѧ^B1cd[q@p1! GO:xla@`#4R RK>Њb &%ƔgSߏńBA 1ebKf}P^07t~/$䁐NLjeVHOg~ f l&!#_T5ۅ`b~/yz -cethv&%K(@2MͶ!wT/?(@;'ƝERa_ ?'G(@'x^[|yEW O1~tz HQ. ։`dǽfuntfG;bGwNRnlo4"_>ɒ.W!6Ysإ wJX%gꝣ4}a1 5&%&U9Z4ـe| ~&xt"o9\a9>Ca<4׍?~8]hHAg6vGr G,Tf!e]6 ѯi{i= K,Oawdm{ZW9mC/}*Lx D( ,'-0.dY!u{#?") # ;q}iàXțOp#aa`em%lO)~у;;6}`Gn=ƊT7o/-}":'im%.'gO)T3l[ BF rG $ڵ`sgp(lKr0>\\X-5)c9y~<>~Pe l,Ԟp /--p{_PzcOcQOQZWŻ{ P̟LG xDxuX(-#RSwQëJ$9m@î2c.9t/K܀CreD|OU#b 'RTՃ*[w:]TG/}??Mt^ +$ 6GD3"h +7=WW8˂|,Qb!5?sr8lfGG̮}P1J⒍b`;+G2D~*F:ur2&pgt= ΅Jnb5,IhK7E8zb=Qp N_GּjQ2Lq^b,b?$S֚5]- 1"r Яp5(0">$tT"916nB$z3.|h.593[CoČ1]enqǘ8]W!b-gv:W$TϜ+0}zAGE6g |A 3\hvr3_~-(#|*ž͝ nbf ĀyE89(G;zF85L7UD57X,C9 cE rscS8SI8v+V/F\!)=?ߗXJ4_ ZEaC|?PX[vݟb;/jBTG9l\E`vM"8CR7i/ g\;g`k",W<М@KfǗJ! ,5 MHc%4neB3?@+n.](!VoZ*qq:-S?bPqZuf=#A[$/q],K9Bb[4N嵑rteW~D5?)uJYDU+ay=%%\\ꉭr:bSċzB `$h^XqQB?n#53z#jÌJ&" ia'B&+E 6n&:T"Q>_iJtG(*6%D }=!}=fycW C,!961UϞ:$ cLխH2y0]+}vcX7"IN׃ѳ̨}j2 uy іD۬R>, KDa ?2{m~8\IKtH!23Mv ] jZLJrR_!$e˝Pn,cy~CIM%X ΜUdlUM& vr!ɬM0B81Q>X>")#椳*Zfz fqgnέ_W {H.OF-l4+·~A$'Ÿs]&_XʎƑTXh%v-_Zg7e_S=pgWShIy(P}"5RV!P_86%Kz盯Ӈ:r9HPplu*ox@ Vi})9w|?KÕ*2GGã2ꨏcy??u;Ip=][|ǫ,Éy;08IɨC,,!'X-3&AJ}(]F[c@i- -kMqOHɡ>P뭜hvGc"'q9&N*>7='s3'Lw:cvAv2}~'o Z/|#2`gi9 G[!-҄$In:AN}S_aNq,)Gid81ߥY1H &@a=ajQE Tk4#yZt[f[X&50K0@i1.{%z7M3wQxehDU ,.4:]w-HA ζj:! y.=I+!Q3 / s1B$ݑCx?t c ݝ/:{]HPvP0_}d(Vɥ=R) #h5$TH۠Ϳk >#=nv£Mb1T>D OgFBvK!zoƛRO^" ꬜ƢۿEڟHBshIekE?"^l6i HV7y B pnHZ =#6 @_%(c$1P۾bK(bU>}@byD(:(X $ w;F'؎/"vvs`D07:`) z?쀪FЯ6m5Hg@=/btDBQ`n+d?~; ya:$)3=龍}GMI̟]-KP<㾇6sI"V-,D@\-ʷv 8I@^{u0ڐ'}:nѨڴm3r/ aS-y@ksTM8i =y{ʔ/Hf2@MtmM &V"}\0KJ6GxAx 89tmH .VsYD.b^MQfA k|&d#|<v}h^9]ֿW;0#K'f+,3] z1Yx9,`v&dbh W]W+x^r]Lx;eRI'xC/ y4aeЦ+!bR孀|eżɇ;hV KRlAn~Ce.O` 6t-b8TNu$1*|I+VHtE w6mսQkx[@B&"h@Q@"DQ RC&cW)]FI[bN]6Q;˳k~HTUҫn'*nyՙVeG)au~$P~4/laů_|3Qc620`.Zo[ehFN< |ϠVK҈Xy%ѽyi'`+}Z Gp Fk_loOOK+_ǐ&_,u!E 8ګooSO;SRxS |.@(Wj]ao9&ŲdT\&ɷL;]` 9:x@Ij% ]&jms\S=l|g%:ڏ+ޙĐZB _ɩI-LYOYޙ/Oo_'E~&řGXԖ3U6& h>3I)a'8p-~(oGYܣѝ<)XY$ T ChL?ʖX  EykNz,D]!}5:w>!%^܉y~Rˏ`$j@,g:TŠ^8Tz1/ea; IE=Cߘ2`4ōf#6)XeU^X  1DI /Ǚ[h}QLr&d?E͠+6O?9uʏXۙ ^hP{ 6{nѴaF,/tr-S0'C!Ywf¬[٫*&D__n-/"ʊ a,è/>ܻocV)>B0+lx^;z.ЁcXy)pcF W>bu07AFD~*7B7ҏ9k+D@&.ɼ*H9qs&!RkcяnTcAޓ/GCoch$he6"f*$J$_GQKp%_P}ؚ̼OYWx'պ+˯OKڜшtڛT [Dg =elĜ FwQ9K5{ /P/ٻ7]``G/~~IJ ԢQ`yf۟")V=Rp  syx?MLb_eF\ Qᅬ?xGf:CXa[.`:LX!ԕZ2+SF{)pʜqHR ZE6Tp#q0rr9SEYKZ #}:[F WӥLV3 &>kIj 车xFS/Tf5" bINz4HtNPhccIkoI5W:owJ{϶sy(4&,yD?"#*Y/lsئw?Lh.iPjawB+3AqF?yV|3e+ q?e1H'!7JrJn Kى-5[ѨOJ̛7OOË˲ʐUixw)"maA`UCv|څґP'<[V.s=ClIp8q{Cۣ5[G#*]$ڊgDJOpzYį >BQnd`NXm)^/ͨ4n`yJ\I9r/|DZ7#OBf,Z84k`ʝ ߊYmLƨFC7{F@ ]8%*!e0HQ9)x-tzйۇwO8x| :B& 0Uv-_vp$ޡBzaqY-ZW>5t~vƚQ&J3X54s;A%MTcpN%qPq yXE2ytJcӦ/26bXke3&NµINӻgkIpTQZ8ma˭__j!FG> bwEzH:4քى!u2#myS[v @w8\3s̓4X_.pξv۝E ŀ/mUՂN2;ͳV6zp\ՀW'Dbha|Zzb A*Z.ỊyE9됄D(etd ȥ(ۜ֌o`Ւ0sۑ$jGGXb V#Rt2¿}17P?C"sc3D"[,JXyr09Mև15-8L$9cXsa֨[\8c 6=҂>i$}H35J3W:B@Vƾ7(!$>vF3k/\DuRFXut4/;UbVd^NhUR^uAt&9h[ Z=INʚ \|g תpx=AGD]+FrXo+Yto[vQz3 *ZZt\Ƴn}zfU!zhT{]Sm "5 -ʘ=,nϴ\X4o:gеo>v(~e,,s[(Qnz D?L8#Hn۾0´X`0`xT% Wx(N+,B6u-##Q57-<Qst)@A]u:Ĝ=S bCዤ`jxIYd˿75cdm@~R洐8,؈4n_3ڿM<Էɵ0~&&`/XUCǙ*cmB!Y*cGEa !פ 9ݣnJCE[ll &xĺ+JEc:SFH+J ZI"ئ8%2n͋bZB*IOAgL&+D4-JsLؑZa{Xz<ʘ<bߣ3M*{2$ +|I6Xr]_dE4Grl3R e GKDs:4swؔ5(QGa[oې>b0U\pClh;Q66 ރו ^VAk#5Z`\|pyzp>{_vLdtž r)\(0 @P EYYUa\)mm>;א;/u~EaZF#'xS?^ŏ [Vp(Cύ@V _\JkCRΆۍ΁]m3*ZT|z@˥ C핺8c E[J瞐8%DCS\}/x MGmnzcVHQ Owrl)zwbԪY0Q0Ϸ4=JGySʠO}e805kEĞV &:HMfԊX iꐡ)}W_r'xҀQ]QS$[8qv8[zz R}>O0_!JNLڵկ]}m v jؕ{ 1ݦ}`Gr]Pp#R:ew]`@ʦVOa=c|sJ qLz갷!$r1`t$W-ZN; *F_ 5Xh{`@~{ҪnE̞i&aKĒ^t2oԆ>um]~!PD{jp?$= 92x@+`C>oPo1o]eKO=7(v([Q%D)']fF8!к0鴇q$2Q_X_ sdm2dݟ!5y{im;k^yp 3Iv0Η֓}5˂}}Znv񄥜^xzXʏg:HOkR[fINlUe( +uNoL_/7[l3uV+.!o5N .Vy]eZr/! >_R0~n!1 3 kA_%ǑԖ|l>dE󓰗!\PX$VH ^FJ/鏵$CطZ 24yzM$璴j=gLډldɳjz6@Zd릥r*JI(\R'T0Ӗ )w8|&q \.]=0{kfc0F\X7oiko)`Q-uRXalNHeۡo]Q݄sevu9yӇ1Mm"$@s%Ea6zcJ3hDڼ1ɘTXS&vOEL{cF}dMSQU\X^s`d~Up]O-vR-F>e]} }s*ȲMn'\h!ZE]F:BSx)C݅&>|w0#iB+H_Sw˥V8 ^b&9tH m1/ 7}Z+D}!1"##(p_ʿ`ހö3O~]Ep\Mr'B+T#tz'"[2`4$ Knc&6rjMʯh5`vRo뭿p0 $@|4*jϒaΰ=z}ճe,Za],V"M-t1}K~yu?Uz(' 4"MJvd\X&j~ӡj|lWsPf1LBen I bSZ[X;KM*{JW5ԋ=YN`8& ᇣ%?\*?yHTFa`!ץjXk x }&Jޠrj-~`k42zd[*#!o._i¼pnWs+@*) \7SA UM;|IUFfeK'dRutا"b _ЉUQW LY}$\Wror7MwCoYR"f|tG4EŴ!a"S%gQh#L52+| 53X󲥯vQ @O2ەArk=$dYtko_=1[ M9 t1>uY^ VCv vr IpFV_HhXS=hjj>/<5bp!Ȕ{W|+U6B̲i̸8Uw椲k;wݻX*>QĄ#mM*KTX[]%rB& B!R=9> T~cnM>IlNiߢ|5 h~WcUUbצ 0GE奭|&<# b8SBo@8yXVB&Xh7~o&948U?epi1:[[R0@kѧ@S]c8`VEZ*N诶QhJPݪ}SpkW{zwL5+\m@kl.OђF{־z̴S]FT)\ owBp}-Y@>m*J#:d8a VsψFGwZ R[ܜ-w UΕ=mFu{1;xd88D OHmMFMQd9:a֍5td^C3O[ør A!$j8MmFaFnoțOan j+f9YMyL 4qϡ8`3s8|\Z|)?.WIX8Y9g}O)8ΒKIFv w\5=FE~3>Q6cF/rM1s9 2#YNR4y9U{m|~,9qaD9r4eöKDUhmU-lBShbP X* [ iJtz[ɔڅR)7;`3/'^P^`ܮ/*:>|;uV %_۪7^hmM5K>Z(cA}-u à " k>#0I{ζ>vR-k?M"QА#q]lj\&<<ܯeY0P xΑUR`# 73PX9WF X'{?GF@\d4Q)/HEF:8 rxfe,mWX~~֠vF8hC%#wbҾBA}Jƌɵ\Y=صNӝ50O;Zm.:ǘjfI B:[3u2KYSL1l*w4SBz4)֟^ӓ!,oF2n\ xe_\Nɽi9I֗pIyk1&(O8rfqNiܮd<;fnB6c(T=[MI{ВcC4h*)@$RNizUK [nulu*n02 '[;قKҢe޼ W'1 uaLHeP'ƞ^%7zk2*7~k gb5r7T ]ǝ-mzUGMmζm@z I;uj(=\"S )c0`%ln9қFH ܩ5}\.C*̛zkg9V Ol>|j@>b&)>ANdy%];rQ&gC]zҴxf{>z LeYƣbEmkܞKt#Vڹ|FMG2ee_5fE.yD=.-%&a.AEB;HWm#ܒͅ6Bz'zV6KrRR<ms~6Dz/S!BxNtF|mZV4Cjm73 q1pwt8 4X/l.Co}9pAuEfb? oUwջ Tӹ?i7Xg䝄b+>=ÉM1BxG6ܗ×~ўt5O}Y~ؐ/`;NMڱV(49mv Ehp+ ,Uz!Ƚc>8ןnci+ mF8q*)ŘX&_~vgh5fێaP0ꜙϙ/PzKL љF]uu~+;z_LԘ 4po/qLWU9G6vn^%2]UDh ߂6{SHTLdVw{w6ytF H}-/ϛ8iGC#Os%GwCͅw ~7Ru%C tӍn]x9J zF{X@ - ːh|W-m{Bs6Ϻ,DA`_M+K}Er.rpW!xFfOPQ R0cXYm%hs#l 9$L!y xqixܵn |VA"eп0Į T 1&?&&r;',ACGԭةp8~?t!=Q>r@ܣ5Ɖ[.+`ȃ])$--a?h9n"WN s!E.,#Yx֝Y7G@TW$1#XSbu O)ڮN-tYf9VD"aУqmϥiFOI|v9_@oPtj6ndh?O#6`YK2J@7Q^j*+%}* nPk!n nB\ DORGu-Dƈ, q/ r,UprhcPqr!&=< ɵjc7h6[S2UZ(G,N %jecsjjqJ )cwT /tpW/-ZO{<{(Md׸u8S35X#2Bwtg:R3׻۱C0$Ci Uh~v;D*$$l^+Rckv4 gr_mP\[iO"6ȟcɀPi2 aWvѱbzѓ_+k>5)o×#H >8Dȏhvl#r΂U|f9KP9Z#+ Zo!v؂2'S1D/s`ѕhQ#er+*>h'RQ LGS|ϣj69΃wN O 4o>RʼƮ3ܿp :^N=L,D;]at@Q߷;K9h19V/?˂*JjXprwu&?ۅ-?W,SL<]ihbA\V~{Y!Ϯ/`OۘπF%Z[GY8yG.6G*zK<;ՖgAGHIz aW7ulr =A JF"?s.3M˺"=J_UAż_c^5eNXURzŨHPG{  aqKMYBn ܤqS@:3l!ḯen^ -X'!Yr胇6Y9n{3ozcAjsnm\ 0@iV1|{rcKPHIݪH.. ]!eX{zZi?3p}@0G11.hd|Z373G\)߁䔆R+OXMbnpߏBcQey Uf>{ ӥh28}~5Q0 SoC%8뻦Ju gǠ_B* l~w)kc+%uf!Ρ?wkµ8;(( '+mѧh{Sv'x;,>}15_^ ;%((vۆ'sr,FADI@wgӰ_#N٤5Kt)흸s &}aQӕ]BznCVcC3~ץ cCt챝yoЏpxhXSJԖRrڎRZf~R76*'pr"Vޗ'ǿVq2ڲc;Oj;cKG$EzLokc8uמ7Hc3V0 Pt$p&ɛ,),gvilVnrk_CGX% Xr f-_A$a`C Ć_QvȔ,"g؎5Ofl-:f;|q?]5a$#jDCR:|6*D"Isҧ8Mja֞Q[Kbz VCW7c B윁2B>-ߥ"I}/e'֢Mcڕ1^;-H"M=qխooCDBi 6A W6t.s7S/+߆deyխ'RQ\hmC30Oo];i7A gSן?g:t"7M s|(q Gp >e,yKXBT"kwl"~J+4SW_y $} -FpP`pl@|Ƴ`6X/ۺ\2"Wů_$Ł1`[]O#o"dk_4xR[T({@I tDe.Z}q&u̫c3~Ua rkqpnV.5i4@cbPΰ~vUsWN.ۍʻ٠ݛJŜcƢ) *J/xO%8+5-u7iAvᑫ!?w4o"4J' tvur,| ۩`+!Vnb` v|/,.,Ot L:y0Ҟp|~Z0m#Dw2b\,NUn*~~(R/9m L]v[NhPtdF@"A,tR)ReOiY ?m+&ƒ+kzqfJW\(4ݣk~q/KV#eyʶ]MC]Fh9@V<!9|;:Sp;3um (2Y¼o{]'ԇd<[z,4kN9V+6ZA?5A6XpkOHD@gL BK7 řు}L)ۚ+vPS<1w:ȷbͼO 4AR`SyQ   }kAmH=pH 'EwmȢBt.c;_MZէ4jC-ɲW>.Jl# +FK'stA {ٚvr)G։&D?w֐mɷ(93H% .Us?{nd2* җXb1'+]AAo)߄D/_ު<s>*nVyJ밧@yU"kSPia⇪K4Y$(X]HqbTmZXxIW> An>lKboIy@b"]n._xʃRV=p4^_h0.k1|3'E?f6a2Ai`d(tns|}&]1~[AP{Ƨl=#|!dw3yYI)fVA dhY @ kUD,g_v[¡[ЀO !d_C+Z7Qxt:_j.@pd>dE,ز6;3;08s+nƅ;y]/M׈\=o<ě auiW<{AVwX\6($ }w:|V $ JS_7ԴNů{V9B==&TN)CóEhkyemtU[IuA ^͓'u6)p[.AG:sekOJi..YC-. IfK4:C{z:j|fKvIG IrtWmVxFxS꘥NCB% 6?|@`5x~ys>aO U!dC;Bu$n5[<TtN:auÕ 5>d =e `M7c\gtǭ')GikxJ\6ʳe$׀Кou+`q 00wy? eԃQ>#| )UZy0J+)_Qb32a.3e ϣkDlQׅvПT 箩Ļh?l<m-O4 S6ʀ\0Il?E!lύ.KZ0Ṛ VwXoƫ,Tuፂn$ȥ;\C9piY%-uoaRh`[ŰC+|8 @Ͱ+ "YS"T2Pxh2~7ջϔiusf_(3M~$yMNĻǜݓtk<#Ø쬇`0 ,{G3g>x%za;'! (h},/̎= |)S~*fLIFΰ*'ޖ_*\G7ތ[w8X"uIrv0.h^g_@4$#Kt? nT7I|}DϋoE4c5S/ڢapek,1vzB/;S $XHjH/yH@@ xkN,1=g"ZM$_Usi/ (xNC_I@\n1%r/.{e`, u pŀVu i_4-_ǣ2ch9E̞cCb$qAϑ8:fc+V.k[vl353%~l͆܌==y"M`^]nbx֞w Ge;#I0 W57o䇥mUC}%nC^}]@L* UdA m_1g]:7H W,^_%qJc3dB,">I@(1a10m+д.^V0 CTP|FrnGg[˜n5-F d+ XǬcnx\ ݣ<{%d.P00̪ *K$k7:x+>su H:C{ɔM" &EB@[l7@U u~DB ͞z5aDw9k촭j}U+A_ yat0 Zsx碇sj ~jǏ慔 ԋ*)ԸcLlN%C!,,&S$jۿW%!d52[m>քm'8x˪䬍wfc5E [o ThJĘyCs7]{V{ScֳKy1As.z[Xu_G.֓BHh׊{=fg<ʡ<5p~_k! NMYq7;s[rg8$މqddzjXqvF"_4tfן{Y^ ww ;d!J3+6P(`5$|wPi4n]Ӭ:^1:^OXaj,$QCijdO1K_RL\Wq3{U1!3*/(OIVc:~Lmg"%eKf- wAv*(s\mS;^-D%ԝ)D4U1[_߸Ww⸍}{P6}L >;#234$vޥIٗM(,B т{%jbFJŨ@s@]2$j&DoV./Dژ_ N ;DѥZz­ ;WpCH0P,?3v9A;$u|&!!>-V}PgwGG EovF&FѾXy&oM2^[ A:oISszʗR*a~9[ ;< FD6x"z*~ 5R"L78vӆzUV!G`ބ~͢CW"WhVM*M6 W01&BsR MWȕN&ala'Lli}}4"#Szҏ,  {kV[xG{"z{kJ5cL!_~%=D[۸+rH1}",-< $أ|1waW\EiJ ހJ~jG.|5/WI  ?,HzH,*2Oi 8V7xKplq^V2Q]7WV)%+wk2BRrTL9>"S}Mv7CI>S3u?GJ6@BwVim7- k CUGURjkX ߋk_-N+"aӘ/툞n 5$$ȝMx ~8Lبu"DL? ,_undRےX/D7Zh;!ݓȳ ;٭#lZ:F[)Վ ן\@b7JzJ:˔B:,3BY獇pO9/'8tJhA jgsק-6Gz-VS:&scGzs焀ڟՆ:3k_0xqxUfl=.&5o9OzYi_e9 Dsk]Lp[g* !{̱3hz%֍5ّO6 NΊPjLՈ̓!p~<6 vitu["&1`n$Ts?W? Sq0h,;TmAE0O_ #-m7\˶*|@IV6arlL98 7 ].]GZKbXI_ K\Yng*@.hɿ A #atR|36-] ze)tp} XuF!sGz~ʿ,0H·n1A\rY'mːl$'eW1*glOXQ{xh/'|v#̀jZre0cʆh~r.S+@]+$=|qtg8iXm5ط~"JL/o|ko oU,\ 7Nq?YZBzu&8P W%FAC ]!5O:uϜY)/x}i|ЃId|-fϢOu ԗ p׻RDA}U0!ㄝEG\֫4Iwz,lFGzt#Dqse1uTkX[ZؾBYzCɐMy5t#9/ p|dyԝV,֣YT.jPOb1%:cdoyw A֔N3nOZ—E8j~gG[-'Epf4{A/pѣ֮5繾2v؉%gJa8H)# `LFENx `jk%jц̲Mpr $v;SWsOgx|1#1g74?}Z"Vdޡ*r $%^N,RH~cw`Q%`NØBp`QN%cn/ke6?UZf&i$8ucD%ze'x(^4wq=3!e80PzC+D퓾\i%t9#PppvR 2AzE>0\7Wn8aӖQT#<|x};sވK%DGikC!:.ڷ;lĄA?_mfH%a UK74VH6|Nu iTث'3$wuab 3ɑEYCBJYqk^/H?q< iRѥpE2T5 .SNMzZ I9Ahdګ@J'Cph*1V~ë B}lRɐuKOEBtM]C]4N*i)P$<}=_ 2[(FZ&BlJmHS↝bA %TZ&6>$fw@_YAx28G0 JE^zFwȮ# !Wt88iv6n=⺎P;%o[qVi9 tӋ}WKcC^5q+cT_:> 1&5 !RgL5lq[O5!h#[$,gi#'#DKNlnc ̷mdj-y ~^GG|EAuV:e&2xVJآbra,[Rޕ5hmݥ&;@'_;BDX |t<\'P;^A7#V]8ENWqך9sʛ / _O~<$? \##KZNդ"@"m#˶3 JxPoSYojMTCMpn(+fX%yi"ƫo* D[Iъps/XoO@KA rTaݶ99y#'9>않dߒXމ`ԧ8^4zYC>BqÝB۪V>g ,+אz9#/5N9de@T̑a_˖ :`}<|eB.)@NXɜQ$"AL! 천4'_I5fq20KNv=BC JB2NpʋSt8}[/5.)@w!**)CޝM]9=yCu1=T]_:(`ago>f*d[Z_JkNbt.DZ^[#ݢ&qJCݼ)]1D7FZ{ɾ聜9Y(7螛]z)ڃLi;¤c ٺ IbE\* DVBǏN,r?NԹ^F8% _x kb- ,ܨHκ|q:H8p/&&|@~ $rJ5}kZei,PN!gf  /:N;au0OL|g`D(Sh2KܥaJˑHG&z@ėw[hO`ѷ_EkNqWq%"jR+&Q1dTQ2~SZywt@;@QnwA{Kd'I|6B 'F96ņ{Q[7H$&>І1(]Oi)OʒTR>^:Tl[S2]h߱7t=?* A3BtmW|8?hpPĿ,3"XbD !\|< yek&{W>[i@X/ښۇ7tgM/K3~M[qE5<^׮G7JBKFȆ@Kc\!>2:&k$8!x$ssy5ɰ~PdN^  % G#~ ~a鼙km#t HlTWto%>oF+{[V0djब#E ||ޔ ܜ02_ `"RBt"}}Dz)!, ;^U}:e/]0 t]ڙ_EF=7-.)=W6!H3@|¹&3ԧ翟1|@mșIl{ΈEV#oiwP%P0GZlVD |I9i|2#Z?Pyu)ΤiI>k9Y C5_&#qJ367䥬 0"sS[||5 Vd﬿3!lE?S>C 4,F"'tGQ̙'ȹ7޹ 8iOO&S/7{ц U?G~o=*yH*06Tƹcl=~AI<0ΈǿkKDn6S J݊GdLRV҇}5)2Tb\gSo.2&[SFAբ^He̕ `-"Оb4NR? 3aELJv.m9-2F(t)O9M@+bcQZzX:5$,$f o \!yI/eV ~`^ݍi?^,a1y_#faJˣ[ղdZq5sZqz4n@cX_UAja~ŽLx|i %7DSJo^|A af:Vc1EqEypBGpBT䜽CRu_</%ѽQu7ۘ,#҇=~T_` U/1x_5 ȲĢ}a#sG%؉E=&^7MmBEprcc#cQxS.^|MjkR4JSg\Q5dPy2SSf!4_1vCePHEUܤ'`ȾA9atcsC9=O4WMc&UظR-K9;朑\ՇS;v5 <\,n3Xw䪖LY3ǺԈxzqSx0$@p")DOXIB~B|u6Ϣ(I5k['5 Jbm- c;)eE,yzJ ~q%b=)f/'{#>BnDf`|fW-)VіѰ?0qꇡmE ,K~e{1pH5r#^rxnFNLaemԽ)r݊ c@X?8-3 b]ǣ84al,\#l3Lގ9"6j0Ո"M+$Aj.sO+.>U޿CEH[-~v2[D4`m# ʌ,koߓ>8%֤9bzZuͱy6ZPiU-_fjZJUQCV~tW6?q3nY0[>| "e|׶{/I5 +;A,BԤ)%ڄd`*Pl L";RBsgAiƚPE='$WZP@XTĉu0_&yKʤa?{y~#gOؽ } œrOQ<6z%q#3+3X^Y]Hk!8S&/쭭uڅ`PFPgg[6rrzqdgC[ՌmA&ftg8XvjO¾9 Q7"ڽ@ٹ ը- = GSMk7$XLDŸJ U\3 @w\1m8H$L[k^uWzVS/UE`xă7쇿e|!B& 3 ^Mx'V;aeO[.l堕G @v=\f*άEjL0?m߅?XEX$ؤ;GyK0orYXw7ӗ&<ZmIik"~&nttNHԑitOsY8()+ZڸcE((Yq3'x.ЮY=GlUHUO5O{W V5x.=uuݍ'Z=T86B&} GaHPvRj?2m*U7 P<'W'x^oEomIA{4/i2uG9WZÀ$wE VRYyYs>.~ tF^O7`>]Dlpb#Φ( ܷ+c˯[#%f,@:bOC(^ڰcepV>d5ÑHёXߊR zZ}N^ƎsEtGfj>/r 拀:<$_t| RbC? g߽l'8.(`?vLy*Vq f2pbUN$_F/FH5g6s<MR9]BP~bVTCTaKoG T15=ъ*3+=8psb.*slC('ki b>V*v셹Kd o byJ$0D480,NGiw|ECٮk*/uLNrE}R ۔Tz$4n+Va>Cccm@u`WA}V#ȻR]^"5(ax^-%$tne4A{P{Y8Yf}Ф4m{Wb؂h_ n)M%G»)$1p%e !}fW]JFdHNF B(D'.+'ODf"gb[ۧ BnD0qVbX9&}Xc?Ҩ-+M !W2E|ckQh!MiLmxA/1:=ӫ?D6‰J`&óW2d .#ix7^&fe.~i|Z7$ CĘħn1;|j;%Q>):S18g8;C:{llӼM2 i6c #m~H VcCzWLk[7 A;nƇlSJPtg!.~UP"{rʜaQޖƐ )M]~{*6"dScƺנ[AM.Y>#\ǓY8KKy}N$-x kR #'LX4)* K`dZ[EQĎf&!ÄƐҢQ:9Bn1f"aG:\'Va.P.E|Y%/7 5wT*f~0i)Zj&Y`MibB(B]}8hpyep6GEYSJL͜p#N"/ILp`*];`+~옴}a D:e>`(;sУT34l2zVA8ԩNl"0by\$~('=81r&BDuf*)B˅!o#8YO~qE٤nlGp6>\|sfcWxQ oZrH1C*8.5T&=I"v8FD=J+w s3h'U8<М-#KCr>:U7,QDWŷ:[%! :jfe+&PEa cQ3vO^\tBiɨ͍v\%礆"+lZ!@+kT֜%2?ERh&0ZA7հ(뫪abg}EZ^oHuZ:"cP.kA.l6a&2PKBZGQG~O:S0!PClK&xUd4<vŦ ոanܣj*_çޫ-ѿgBU,|GK镐D9"q YҏefؔБl^stP 0f3j!`]_73x`ƀ [6ӻSHTXKZIPTtrF[|0˧Hv 0d?2O7 D:{ư#WGHQS"+GG%]=ϲUM&Z8Un]PKL6MT- H*hK%͆r}MoJvA8Y7AS+],ShiPKT</[r5gÙ l Hws쿚7~'0,AzVAqFf3unRNid=ȓH:]# )Jr|1*LLg<(Ֆ(K^?_$\KuHr}r2s2___FPW?뚇{HI:6F$3̠, [ n/FήyU<]\?D8S!`p>J}bo8#, _unҋ 9i *1Dφ|T5~O&wвEwQJܵ= z3 7Pgы p 񿰧kSO"k~:x}M^WWI~tTv^&~lZUnB v2pM)B\3h|$G[(S6[ ~pV>Oq{Ye;=,Xӌ2YW2 !7f_aL 'u<>ܳ'psW8*X B qp,A7ҕ"Z&Ƽ𻒙"1u7km99oth<E$s[CDtgsf~"H ~ 9Ն3G=?Jg3ϱ8z>e*rcډKA.==҉ŇגR, ij.1C.=|`%@DOxma7'HTphZ6CʇnaC!eHF~xh^Ik򢕿(~}Djq~b7 wLxCݮ[.w̤O܂hk8]zkhbKRy#̯8톂MIh ;lx˪ό8J $H{mkɞ~fh{b_j3$zs@؄󊗺FEyQLaݩyB4TJ `OpȧvIW%$ʦLl2,Foo*&?ɞg@P0\wfbd=¬ocy.m'm"_&pp"`5dtlNzDӻ%8>mtz\&7IAԑ9Ѣc(b|62)@n~ ?ck{̊tj۴ԶRv*z&V6bi؀ O?NYvAhlQ~!`ZwNG^@ʐiZ{eW`'(7[ʡ; ! `xZMS\?>@\*]ɬKp">`Z6h+њ(/ᜩ䚐ܹܙ{ Jg%}&dĢBxb|]L r' }.ƀ#Mi*ҰbdgD-8 ,P5X0]ΡcQW^;jnƱj7'no2;r gt,}yP|4 0g39:,l$_y~g w5 kͺc0+}UI(uv2ٮx)p|%٩(P$Y4C&_w`O3lA11Fc4psKk, S객tLgEU3"; +t ^<@we6;]1Lag7 qu|8XzQ1 ''3(C!lVĄ_>1-O8~%TQ7|%wi*z+&~Z 0~{ԛApxw)yk]b Y6'DtA´2əy|:Fxsqv%~ eN2[Z#B%3!˜D^~Z;Ɯ%Oo{7r$>MAG:ؙ^^d"YClU<$'֪"_qgf_qg$_WgGЅM!G"Ijڌw b4v%B~Rv- ۄ{Z@gY Ԭyf "eq_|]N]*[e3{4Eb[<˲^umАcs>hHȿl]GAnY2|^;4ԓm~![_;#ÑTvYO㖣Q*bwD ؇Kkk 6J~ؚ۾"_>9]y4>Ra4Q(E8MIyA˘$ D:dx\ii_M]LjgQbvtyq7Y ){={K~6misnGA+,X1V "է`p=k^ǝmts3%n)(EXD ~I/k2'L%bvm@|xyGa \q۳0]ԕmsH0 .(oTr6HW3Ж/Y(9\ߎZљeJơ¥ T ;bl,l%!J2&ėrsW"%*ڤ$0!bqMC-_?AM#?$z{ `2WLQǴBa?+;ep4Fk-3AS=M]|NJ/&f,BNvq6w~kɜ,.8Py \RqfmJbXmNygk08k1 =asUCFE3Jݔwv5sbd g^[ QK 2  U3g\Ͽ,E5Y!s5ILl1RϮ$㡵*( 8 #ﴊz 9թVPč4p2 `7nl{gLR`8/u5pԠ<n%t15ѫfd![]|^!Cc i>@6oI§/| "FV,\˨`?4 (K_ov}xLdՏ#UlM85#,-%5MĴ u"5Kjv{aC+F.RԺH$%-SP'[M,l!a6\t(;C#\L;7_ڼks2ْ_s8;R9SA0M重q#`nQhwɼ$X)=S@tdp}%͵|R]H7L\sʢivFE,݈EN >dVO+A!( !CK9G{"=f b#>Ly`tmАc7g {72u5\O$ϧ2 B!;n<#Yu xs3X+05L5 ƪr\I;Pg$}`kKy |A)GAD}[$mP^O}4Ngp[6S194Priҷ eoۊ0Ԏ՚!'|>9$#fL` [Ưbu-><+g~?eƁ 72GvAWPe~ȾQn<ьPi(GgTU[n4?ۀLBEIv _tO~TV0Lŋ$rt?tD.H*!@J|έ"sDq(>,>I{ D%V"rˆojpJTl z]*DR;rĈ'EH|ye)_WLn{2uy=KXr?yyz˭RvYD`x5M|{&Deh3H`f}/B.~~>+BOP&dj =XGUjжW ̎E#tzyz|%Aoߐݦ.%U'ݣ]AKf-.٢,/Yഗ )ZLձBwT8>zeg_K/R(s.G|"9#xC8jH2t k*NZtȻ/|ab#tZv`)$v7=apn !Ds4"ޓ  {u& SyQF!]ac\H%fDiIH"ܽݠ91j`ždZM!ugn LwO@%ࢊ9Xʍ:bUx] (Hg4{XB#nIng]8lŀA gm"cJJJ Ȓta]VA=oFU1z}:Ke2L_a MhGY)"EȾ&Y JGC K":s7[+0Is@l^WH1T*:J (;hANp)+,}ˆ?{=iŰ_5F$(F_ZOi0 k/ hP 5-dh^REuvWCsU-sʲuQ9A;x8s\ˎuH>!MU{SXHkdUcs'sa/?`'pGJzk(]SFWԨ=0uj'4JT.Ftbb͸Y2qcF"ߑ͇˥r{(`L?#ٛ23|_Zlwg%YGn Uwm__&~nk1v^aT9<g}CwP#pʥV,w,9o 2e33l'MMv.{`%GB4)5|!|ޚHlC>បru ? H5l)5v<%>41X뺐gh3,_; ݒAUIm'WDu:ұ9!CMtω~“ L嗫 l55o>~tL=: ц&[{ ʐ#c JqE;c\eAB]˾o.x0%w%`̝֒6X=#K]#YSsRc%l ‰w]5Uښu_]W&թP`oT %6xD'gyʳj9A5.TgGKhF.) k&m59qЯ=X@ϣvriن Sp(ʐFM#wHkmKI7o8O\QO? ʎ̰"xkcN%R[4zHd 18 Ae2פLY܀8`8tr<JVk)VtjG XBnnM9ݚb^OOVei(-fT}\g>n* ᜥ/(fB8-op痭GaV$;]tD'R乽;uxo".ytG|s<3 > VR rHfrz0@@&&Jr~>4jsDlH̟ $VliuI>W]k|4b>sW@}[?9 Hw6Ons懲cW`1]OGDƟYQʺo#O ;Ц题﫽hq}]>*[,.L&{ɘ\zwD\Q{d㍵|l XmRuF0Vh]ȳ.&_hܭ19(ALh6C0B'<+rzU8 bLm'aahz^O4: `;r@ ^FA8/'_f .DHNܝlr8 8{i|TE&*q#"Akd-\fN#i Y&r`:  +ޚ#ufIYJ53J4%7H5op*}"UQc}v҇Zq,aDo ʍHW\n(LM'*6`] zc|Tj1 e^ϕrBnv/lڻM!} ^+$W5TpU\٣[x7)̎\X>?MU:)i>=vVG!=%$:+FFf2d4)r^,u>>q"^:A8?)b%gϰ^܂#> < eUquE?$z'D__p [CBˊҿS# gaA eg4Uʅ+`&o˷O $jS@\6l S"IM)sE0縜ɣ+?o^hU7,V`Qy+D11U5Bޭ3Qq4%$qe 0wM^䧦vEq4X--n Jm`)98R;>-+Vh.6!UhssqRvX}gngI?+ZiPO G7lbp Y+\sGu Ɖ+[% ^[9zcV;~Fq@ 6Y (&%y?U=GyJ^ƘxۄY9[ų}+{I_7wP"Y7 `6"-B??=pT Y+&MQ|cFd4 oؾhQF^A|Q;zC_)צ ~й54:T:'QхA x1 `J%?b8"Ļ2ѸwW^S8 a3[xВ!DQe֫Bvώ5}Y/y Wwg7=,g*gGrIfo2z?U󮇐-TN=n}?!$UfPc&@i T.c葁1yS/W9Jm:,M?U݀iR|r;q{ϱmW?v맑/ٶ{V U1:K> ZҥjӮ1M+ٗrxWStVz:a7P#b,T&X2yo+-6 n9M$dz.@1\ċo& m@m)$'vd-gv6fqg׆]JO i /Ĺ-}׫x(i-<؀nZ*m*jKȣ8(dU: ֧Q_Ef*ۛtgC6VnD\˽۸^|ϕ%Μmm~^enId湊qk7Ht}d>*m=d*crHwۧD]F` Y$Y A-&T ~ q(ӫcցeVٮ->b4_ٕ BFdJuu4)0F~D$) + Bt0,,NMI=l 4ZOq\ݖ>|q@7gq;fWQu𕳊~="ՓRc9(:[3- Pӎy]̷>ThSf[ uLz_VdWd+uވҲ`N!vϷ앵KlզBmp?P;7U2CLT+"*,AfŤEo'[? "po^֪0;*=БؙpYq1os(^C'.7|y6%װ++Ѥ\Y;浫ېdGꊧ+LhRPqj;1>K3j.*5*2+ź#4)߱\AP?A&ve{3,)cmtG 72iwwܪ9p~`-ƭ ΄P'b Doamg?x `c.ZI EYUQWN>[&Q076H!gv§1m\c:k ߹Yܾ+ mh~KJ=wچT{eAP Ƥf6ŠCmT)b)ZsZvH?)@qnnpY2l P6Cgd`sIKsȃ #1Sm T,Q(d,Z\v>!A!_Lh8vHp{S? AnO]_Rip+2f~-ǓyC,3B.]t*GwaP Tm8Q$)Wzjɨ.A߱2 w;"LH K:㜚4u@bWowc:rI9v&8yܐ#0 .S;K=` ||L KN]Gjy:#(?b+/tr_V廑L+FtQ'Qff'C~lJ3.|y hsw|O)=QZ*%~._죠砙(y6)4\b>M4@|P Ȁ2북xcL9_Q2Hy6RiԵym-YqbRSŪC¥jګX,iGŢ"֜7+ 1ֺ ӈx ft@q4 a$#b!p=mwֵ\o$[lo ڌm7!]Jul5Ŵy؁Pk8>|Q_;^AKNkpWUƐsFDb6bM^x%c_-"ߵYtduoRA,'$ TTN' @{EVĎF*YmCRՁxGԑ?@+v  >>T *Ie B`_BLk3l\ _k+g~1IL%9w YHԻ3Q,{q)_IDU)y`d`_!1lԶ }B5=1/?3vQ}Hp/aE"^tr#Qg_+ZDdtNy޳ 1wbZp]I"^цV(+^0}UbJ_=LvP.8>*A P Cy[~$]L Li/ЭyF`Ai^ru+]P[h7+ӕ-?ߒDԱ`!gK]uQB4!wHYW(_,d+wXlR=?—$x_ 3:t4'Ri2᎓k5&|4Blj|BKc$i6xePx#2+o|Oar/g Lh[xqp )8i\&SHPl2%٬Nw|#8Χ uf`;x"uMRXJQVg6GՐY,:qUʣAڃ:XS q}= u`s1qA#9&8tpUV s+E#c $ ݜk{qG?% #CMk;sMl?Iqdq/.^fA1`5. @~bCn%~\|cEd0Je}1.@t iz21͕Z012FN<{J mxX\CŜ6>j"\ѱ >FNVe\0ˡx{@|K$E,i*\WFz*$"r˃K0E5*ATp7$z%/q6pkb3]2׹6R5hMQ _T'b/㐡)~1jQVx75͕ ʀZ1vLU>c.|Cp }92uF@Q8h H iG{\&/C%*|8sJnu&@箞Z$} Q7:=i|DotpNrz+[SCƣx5.2Tbe@=%Qh?0Yovgmiꭚ:m|uSy4{÷I`4dPJ7I`0DaL[~jwyެ~\ϐyHF, /zO8n=$*~-YӹLM1h@$8v gJv2 ;cWwQ|?J+.MmO̲8iA8#ʄb <.M>F2c\ B4e=xԃ0ċ~9D)L`N4u$1hYNRG+ \x}|E5 DǤ߹ŒYܕy7ҽ&0w$m۾tbІ Y y ].t ثslo=!P•m.ZIOu)w@Е {ӫPG!C!- &s 2aT0('S%yakTOٮvn:׳A6^&=HQ4xvBSXD~ fAP@蓧x1}.͖ffS07uG8bS/X#ºknM\˕i8Į1+1̧E >Хf_ JɮXszdAJ|K@+_PGJS4e^N]b@ޔ`5/c3ڠ} 9Os\ t&!Jm\!ZW^娳0F0Y!yc^rt!J0*Rx5 3'SكྒY8 [3$K,#O_9C0aVx()r 0^X$SL`Jw- rD%xa'!,4^iH *㒔B4qXQ kv}65yc__ YL_p8S3hW B_|L>Y*&1>23<{!nrܴZW+Ĕ}AH2Z 6 (FذENU[2?Hа}G@p۪Sl]N`MO{9|;x8g{ mEd`(5cR&r ,Bu{ؽU~ʫBQJ"pMW62 ~FUEٵ72?I8O/CeѪxwBƕmfv(=d$G&< b0cӾJ 6f^?hlT ޔ *'"ly~TE3͞mxTٲ؎V_d{7@~[OTjq+a-PpEVQ~x >_RM2e/眷+ ^zaT`I(9=a)e)فgswG-4C D(׍[7S8a0"-*Y$]<~mjMAY3Ԝ>I>8DgTz}-%Y [zlFh'2B+J{4MgA_[i?eMo-t v@zJpT2W3)i.j,[_*0r- \ jش)gKx֬g.LNKNDq4GWI9.[ t`TB>ld)pCOJDQVvS+mAR:QsǓx}}CL˺sRK_!]4q6_ܛT]*UU`# ώ*>0t3~EܤIt7F}摖֣yf:?xl=N3ۇc@ÙDhyl۟zg0*mE($8^X )WGQsSݯ|63!)* R[.}VNjWEä#2gc!D[wGQjKAJ~٤VmY=ml ËB*(资oծUCCEf?C x]%vۄCreR #\Z7.@x^{ʈ@sz=Ǫ^/4wp&CU12&Hluv>QfK7݋8]썬CJR +Ʈ=$/5mL??H~$U|Kk-sb4ηU&C ^2 }MU5 ;nn=-Hgq5J[]?-6*wՑn5sZ(0X5 BJw2WAB+X"~ܤ}).(ސ?>`_*o@/{"oF0\bX]g)%qHNtryUl97mA6[*< 婒S+,@ |$]PpZzHI.0'펤c:6~0I7oU6E<*&B(^c,%5'1]zg2ƛm'׻Ҁi ya(@yk*S;IB![%Ĺ򶼇hDqY>dlH|*Pv4"oYڽ3|lfnъw:- Iˊò/iS܇4öl쩓Ť{](EHfd4tL`K8Cz1h6O" 75ǬO8/^Nh6P %\Řqg>5i iy'*`Ԇ\OP([&4}nU5NBnǫ>JivcXbC%Z^^i'70tDj uyu}#zs'I'd˵{.*n>%xP̿o٨cHYaxkJ83kz= 獌Iş|m 1Y/A_0 jswVH3Ssq'`.;%*1FF8_Py2:ޑ3IؘVHH`-gpRse8t SV._LURY`LNf^0e29;ۼ=vWPoС$7:w7U26+G$HIץ|q)u6C6iٙyWcO=q(a!j {#@^"]ʰ6ebb pq\j _IDU,.1:F(( 3l3m(aF*3܆L|HC[zq3>OHI;R#xzdRx{oV~._I f;ÇGčڥڳ*Bpk,b~)W\PoJjN6יWBWJV'%887-Lqzq$>6dK;54A)]rЎ+u~i.Be n@<8s[Dhߎ,Y]N A-Cey+5lY:F3 ˴__3࢟blRh'ЇFIT).Nb #`aAΧa$ifC`1=>G?8h_/'e{c~9pj~P x*<]n511ja !_"hz#w{Y(lkM*%_Ւ'X?E cHD5  pP\`YݳGRK/I[NcrFd~@]X-?x-<,-)|6? @2HR3"%*OIAѽxXK[B O_N67KMe\>:a8j3jy*CN?o9`/(v3l̶_lے <AsTȮ|x^TD"G͕o5>П*!Kxopn1mn(H u݀d` ghԼDr,2rbr&M0`1"4M&7pD$u~09r> _Os$LNizO8d]4G7Ƿ@Y?zsb~v!^cbU 4"zn9`$QQjgliYfZJb"ѽYSw&|M"!\*ľYO*Xc#V1 }z^*_Bt/6$ d)d1hU݄W~jo͕j-2@rjQ{x#-ZEHnb; odzl<ZyGJ4o˲Lhr 1uZ?SDRr )C:g"ڽ=`t":,Y͈[ɝN.:V,ф+;ꖓr7;oTWpp'7MOxC/9XP݉%rxŒKƢL;O[hh咫v=ǎ8bRH\GL^1 d{`M{7K9=Qi澰C)ܥ s:"xnhzkleI_]ߥEU`iS_j*1p6of8}HFXHPE\DcN3'ۢ-=xmW  +XU*=LGpF?eԝۋXzׂah_PIIlo+-\Q4Owвyil{.{x+ sP?[%~^]mԳ1G;LFP(kN|bL_:Ē?\xc qXFv-|;,4݄'^ F[e&ah,ia qS 6^'j(,eMB%-wK>\vϿB0^rlypv,ذi^.GeJ vw dq:[cp{JKr*3K 2ieƚAϢbH. IlclfBi⇧bVF1U<ܻ2&YUO@| } C(:jZ;0Mh0 ;G=[ްҔ\lGKoq]poV!_eTU@)g)`7C.Sg0.4v lSt1"T Vо!EkgÀ-kRM{ZpBYpr m3fSɈes^3-3aE!.&b\}%m:[)y\+BޓPG%!P>ߌNm'n) u f3-6$]54  ;Y=XPFNfÃuuÑ8k̙\Yʢ]UM a{3/ԙlw]^iR q6eR/V(=~NwA7M~ûRuzc.#HQg-bKrKӿIELqh\ﹽbOvsZI d)"!y4Y(ت?w=|Ѳp dKH[[lد=kqV!3ꤐZ02J!r͋k 2!Qc̸սLڄ5ɰD/ fe'"ĔItgȣ\>@U|ħ. g3Bf>ކh]eNбZڝK{K\׉_<) OC~ݓb;V Jx3>xu̅k(li!NFִMgw¨:!Un 033z54m]_n~a  [,䧗hMY9u%vgߛEzL3ܧڻ;(h~jrL؉0$ac!#˕}bHSHjhIi&]j:/4 3P>E>jCzx_E‚ӋgpUky=6;d3dF~9/pY8pq->d5a|Ug7}w$^zq.A$UL |-$}|kWf,՜`-Tv=,FhXDžb3҄I|m4')do #i-'|km/)B?|犖Օ>j'YS.V"M|*O)چzCX1HDoPdw⪎cM҈^Hc,ġH6 08u]Tu Wm@A=J>Ǘ _6{[[j'=dlc^O|&X/bQ?dmkO)sЅ:$A`on~6 iz*OYTW8(0 @hd?KnjO/)%J@-'+YϖbKdu XMml0!WKK*ȔC e"NqvT~mezxE AUZ^<J?̫F+lYWyK6JXt 4[_ vi/I,4RcUҫ @wv^^\[蟃?$W?CK1bbbA)vWXhzCmgc5~:&fT9|F-&OT|O#-m$]3} V2F(3Sö3"'ݵh#o)''vcJ~j$R743ЙB@R PBDBT`|8zoФD7=jT.`RjօQ)h>R*Ԋ_M:b` )PЎny\u`XNwշ^ӌ8648R)lǚ~t5L-!6lBXh˖nD$3{S`fho#Pn%4+m$^&k5,<"GMr$̏URXҴܮ)WkA3qb wHK7޷oRJYwMH,ZkPʉ#ݲ4zyϑ}qOܸD[].g{<ƇlG>ϿaXgdu.Cx$=Pz˧·ld"ؒq4+ =WO*>i$`5_MۃTe]X0 f. /BtqǞi5YLb 5Ʋ@2>#~^ ^r*Y; Lu cbjSv_RfRE sz%s;T.Bg27Sg/ɜ,Jл_oXl`nj,>\ӈhoG٬GֆYtHy{T| =@>ӈ836SsWiogq+s3yAx]S-0B~)"&er7儳G}.\*5tة=7NF.Y!h{RU^kE!&8ԩ ̇lӸ N:SxAHI Lv =|:?W6m[<f^J յ9y6wݿ50*%eDuFW f$&6 R7' ;첐ʛh)Z5goL-pg+Ihf[wwB"[E}"iBbmtH U'z'5~5W%Ň kOe9!|h 0x?ؒ}Ys}ۡHv{cS:P$B1My)YL &[*3*<"t+.+m^ZDmRT!z$;nH 9,|Ifb\Z|X5GǑ[lqrO=-z$ 2 n;gH-`|BMw1caRk2(7:9@xԩUl ͟6v+;Z*ݎyϧyp/"c‹Z,ob[ 3@%>;5Ы|0ʛ}$i4) oOdKz+#KFnN&ȸl5oR>0y5kŶ;<NԳ86i+Cw2ސt*~믰oDoǸu$U,+uo=oHX&%\q)5.2(ۀR5Ŗ! 9I03ʀgh硸W {qPMAwC0#T#΢Z\gڛZifK#e!2~o +6N 3VfLwdP4TqA @=dR`Du<| 3`zV vHQ<͙*Wк`6isO[J8k/- +ص[\_;zK/գЄkN$F%|  IvStRR`(L?uH#M .4]+/{9?%*'/p_ |tPZ!_f\v?x&I@4|lGOkmw %mvΕhܩ 2di\ܸpn[fꇞGdx l"h '(J쓎7-`kKݘ-L걮*fʸ{S=Rṯ}M8e .`Nv$Fۗز3t]K"uJ^bN->@\O޲ ƴⶣ|;TQdiޥMv:e;CW8F//1ʄOnzؑXSz?:vSZ}KR.Q$ؿ`3@K='tn7{f#i=O>I 6!h%ȈO}4N11(ӷJ5S k/$D6FV (JNq}8?j~-M% 4&B4HMꂧ͓H #m|"@AKo缲2\IUL#Cjdms"`9v<<%rM!kMNr6Hx&4IrD'C"ȋWZ]Cxrk-Slt.}FMcn?cCӛY+Bzqeʒm{ĎU،:x\~D0sJd4\<sU3QSN=ʼj_N:x,!C.Ԅ>]Qz+>dȍgMȧ3QeƩkߐ2 _D05{'T|I :ҕ/`Aq3`y&pjvW;]Ug\DTV7rM9U` p -ki]vz|˕@o "}w8k[;)C(N+b8-;RqWjxA҈Fia[fnOn4Vݨ^VhaD,)y?Vn\gv_Azcw>ؒl?9I>NkK?X?[3%|9*FU5sP)=nͧ_w?ӂ>l]j=G۵nV/\w H sf3*}fBXn,DZj)^Naf*5xϲT(Gb% 'O^Y"6L9I8c@C8.$ \ TTU YZ