Name: libsmbconf0
Version: 4.13.10+git.236.0517d0e6bdf
Release: 3.7.12
Summary: Samba3 configuration library
Description: libsmbconf is a library to read or, based on the backend, modify the Samba configuration.
Distribution: SUSE Linux Enterprise 15
Vendor: SUSE LLC
License: GPL-3.0-or-later
Packager: https://www.suse.com/
Group: System/Libraries
URL: https://www.samba.org/
OS: linux
Architecture: aarch64
Source RPM: samba-4.13.10+git.236.0517d0e6bdf-3.7.12.src.rpm
Provides: libsmbconf.so.0()(64bit), libsmbconf.so.0(SMBCONF_0)(64bit), libsmbconf0, libsmbconf0(aarch-64)

- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);

- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875);
- Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875);
- Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727);
- Add Certificate Auto Enrollment Policy; (jsc#SLE-18456).
- Update to 4.13.10
  * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708);
  * Take a copy to make sure we don't reference free'd memory; (bso#14721);
  * s3: lib: Fix talloc hierarchy error in parent_smb_fname(); (bso#14722);
  * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736);
  * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575);
  * smbd: Correctly initialize close timestamp fields; (bso#14714);
  * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740);
  * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475);
  * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750);
  * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752);
  * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027);
  * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669);
- Update to 4.13.9
  * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696);
  * Add documentation for
    dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689);
  * Fix smbd panic when two clients open same file; (bso#14672);
  * Fix memory leak in the RPC server; (bso#14675);
  * s3: smbd: Fix deferred renames; (bso#14679);
  * s3-iremotewinspool: Set the per-request memory context; (bso#14675);
  * rpc_server3: Fix a memleak for internal pipes; (bso#14675);
  * third_party: Update socket_wrapper to version 1.3.2; (bso#11899);
  * third_party: Update socket_wrapper to version 1.3.3; (bso#14639);
  * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663);
  * Fix the build on OmniOS; (bso#14288);
- Update to 4.13.8
  * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571)
- Update to 4.13.7
  * Release with dependency on ldb version 2.2.1.

- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).

- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676);
- Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574);
- Update to 4.13.6
  * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572).
  * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574).
- Update to 4.13.5
  * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634);
  * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992);
  * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604);
  * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593);
  * s3: Fix fcntl waf configure check; (bso#14503);
  * s3/auth: Implement "winbind:ignore domains"; (bso#14602);
  * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617);
  * s3: VFS: nfs4_acls.
    Add missing TALLOC_FREE(frame) in error path; (bso#14648);
  * classicupgrade: Treat old never expires value right; (bso#14624);
  * g_lock: Fix uninitialized variable reads; (bso#14636);
  * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898);
  * lib:util: Avoid free'ing our own pointer; (bso#14625);
  * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);

- Spec file fixes around systemd and requires; (bsc#1182830);
- Align systemd service unit files with upstream provided ones.

- Update to 4.13.4
  * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607);
  * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612);
  * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605);
  * Do not create an empty DB when accessing a sam.ldb; (bso#14579);
  * vfs_fruit may close wrong backend fd; (bso#14596);
  * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612);
  * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606);
  * vfs_fruit may close wrong backend fd; (bso#14596);
  * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607);
  * The cache directory for the user gencache should be created recursively; (bso#14601);
  * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);

- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);

- Update to 4.13.3
  + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210);
  + s3: modules: gluster.
    Fix the error I made in preventing talloc leaks from a function; (bso#14486);
  + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515);
  + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568);
  + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590);
  + samba process does not honor max log size; (bso#14248);
  + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587);
  + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124);
  + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486);
  + smbclient: Fix recursive mget; (bso#14517);
  + clitar: Use do_list()'s recursion in clitar.c; (bso#14581);
  + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486);
  + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573);
  + interface: Fix if_index is not parsed correctly; (bso#14514);

- Update to 4.13.2
  + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486);
  + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);
  + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538);
  + daemons: Report status to systemd even when running in foreground; (bso#14552);
  + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553);
  + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486);
  + provision: Add support for BIND 9.16.x; (bso#14487);
  + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537);
  + libndr: Avoid assigning duplicate versions to symbols; (bso#14541);
  + docs: Fix default value of spoolss:architecture; (bso#14522);
  + winbind: Fix a memleak; (bso#14388);
  + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531);
  + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486);
  + nsswitch/nsstest.c: Avoid
    nss function conflicts with glibc nss.h.
  + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530);
  + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547);
  + examples:auth: Do not install example plugin; (bso#14550);
  + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513);
  + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);

- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).

- Update to samba 4.13.1
  + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472);
  + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436);
  + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434);
- Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);

- Fix vfs_ceph query_directory regression; (bso#14519)
- Drop liburing-devel for SLE15-SP2; (bsc#1177245)

- Register CTDB recovery lock holder with ceph-mgr
- Add liburing-devel dependency

- Update to samba 4.13.0
  + Require Python 3.6
  + Move wide links functionality into VFS module
  + Deprecate NT4-like 'classic' Samba domain controllers
  + Deprecate SMBv1 only protocol options
  + Remove deprecated "ldap ssl ads" option
  + Unify asynchronous DCE-RPC server; (jsc#SES-645)
  + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655)
  + Drop internal byteorder.h header from util-devel package
  + Remove final code for the AD DC LDAP backend
  + Add AD DC Group Policy Scripts
  + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399)
  + Fix %U substitutions if it contains a domain name; (bso#14467)
  + Fix krb5.conf creation for 'net ads join'; (bso#14479)
  + Fix build problem if libbsd-dev is not installed; (bso#14482)
  + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437)
  + Fix idmap_ad RFC4511 response handling; (bso#14465)
  + Fix panic in get_lease_type();
    (bso#14428)

- Update to samba 4.11.13
  + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497);
  + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497);
  + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497);
  + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497);
- Update to samba 4.11.12
  + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403);
  + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424);
  + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450);
  + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426);
  + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428);
  + lib/util: do not install "test_util_paths"; (bso#14370);
  + lib:util: Fix smbclient -l basename dir; (bso#14345);
  + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428);
  + util: Allow symlinks in directory_create_or_exist; (bso#14166);
  + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358);
  + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);

- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);

- Fix net command unable to negotiate SMB2; (bsc#1174120);

- Update to samba 4.11.11
  + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159)
  + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160).
  + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161)
  + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359).
- Update to samba 4.11.10
  + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374).
  + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350)
  + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413).
  + Malicious SMB1 server can crash libsmbclient; (bso#14366)
  + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382)
  + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330)
- Update to samba 4.11.9
  + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242).
  + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296).
  + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237).
  + Missing check for DMAPI offline status in async DOS attributes; (bso#14293).
  + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307).
  + vfs_recycle: Prevent flooding the log if we're called on non-existent paths; (bso#14316)
  + smbd mistakenly updates a file's write-time on close; (bso#14320).
  + RPC handles cannot be differentiated in source3 RPC server; (bso#14359).
  + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313).
  + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327).
  + Fix fruit:time machine max size on arm; (bso#13622)
  + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294).
  + ctdb: Fix a memleak; (bso#14348).
  + libsmb: Don't try to find posix stat info in SMBC_getatr().
  + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680).
  + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095)
  + s3:libads: Fix ads_get_upn(); (bso#14336).
  + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294)
  + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).
  + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324)
- Update to samba 4.11.8
  + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);
  + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851);
- Update to samba 4.11.7
  + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239).
  + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283)
  + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258).
  + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270)
  + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247).
  + smbd: Handle EINTR from open(2) properly; (bso#14285)
  + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247)
  + winbindd: Handling missing idmap in getgrgid(); (bso#14265).
  + lib:util: Log mkdir error on correct debug levels; (bso#14253).
  + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266).
  + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274).
- Update to samba 4.11.6
  + pygpo: Use correct method flags; (bso#14209).
  + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320).
  + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209).
  + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218).
  + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122).
  + smbd: Fix the build with clang; (bso#14251).
  + upgradedns: Ensure lmdb lock files linked; (bso#14199).
  + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182).
  + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101).
  + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219).
  + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).

- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);

- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);

- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);

- Require libldb2 >= 2.0.10 after security release.

- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851);
- CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);

- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).

- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).

- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).

- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).

- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464);
- Fix querying all names registered within broadcast area; (bso#8927);

- Update to samba 4.11.5
  + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850).
  + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852).
  + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888).
- Update to samba 4.11.4
  + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161).
  + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174).
  + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176).
  + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189).
  + Prevent smbd crash after invalid SMB1 negprot; (bso#14205).
  + printing: Fix %J substitution; (bso#13745).
  + Remove now unneeded call to cmdline_messaging_context(); (bso#13925).
  + Fix incomplete conversion of former parametric options; (bso#14069).
  + Fix sync dosmode fallback in async dosmode codepath; (bso#14070).
  + vfs_fruit returns capped resource fork length; (bso#14171).
  + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116).
  + smbd: Increase a debug level; (bso#14211).
  + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153).
  + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179).
  + replace: Only link libnsl and libsocket if required; (bso#14168);
  + ctdb: Incoming queue can be orphaned causing communication breakdown; (bso#14175).
  + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846).
  + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).

- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).

- Update to samba 4.11.3
  + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108).
  + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).

- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108).
- CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).

- Update to samba 4.11.2
  + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071).
  + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438).
  + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040).
- Fixes from 4.11.1
  + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140);
  + kpasswd fails when built with MIT Kerberos; (bso#14155);
  + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106);
  + Stale file handle error when using mkstemp on a share; (bso#14137);
  + non-AES schannel broken; (bso#14134);
  + Joining Active Directory should not use SAMR to set the password; (bso#13884);
  + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152);
  + Deleted records can be resurrected during recovery; (bso#14147);
  + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141);
  + winbind does not list forest trusts with additional trust attributes; (bso#14130);
  + fault report points to outdated documentation; (bso#14139);
  + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124);
  + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136);
  + pod2man is no longer required, stop checking at build time; (bso#14131);
  + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129);
  + username/password authentication doesn't work with CUPS and smbspool; (bso#14128);
  + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);

- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598);
- CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);

- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).

- Update to samba 4.11.0
  + For details on all items see WHATSNEW.txt in samba-doc package
  + Python2 runtime support removed; python 3.4 or later required
  + Security improvements:
    - SMB1 disabled by
      default
    - lanman and plaintext authentication deprecated
    - winbind: PAM_AUTH and NTLM_AUTH events logged
    - GnuTLS 3.2 required; system FIPS mode setting honored
  + CephFS Snapshot integration, exposed as previous file versions
  + ctdb changes:
    - onnode -o option removed
    - ctdbd logs when using more than 90% of a CPU thread
    - CTDB_MONITOR_SWAP_USAGE variable removed
  + AD Domain controller improvements:
    - Upgrade AD database format
    - BIND9_FLATFILE deprecated
    - default process model changed to prefork
    - bind9 dns operation duration logging
    - Default schema updated to 2012_R2; function level is unchanged
    - many performance improvements
  + Configuration webserver support removed

- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).

- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).

- Update to samba 4.10.8
  + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);

- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.

- Update to samba 4.10.7
  + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010).
  + build: Allow build when '--disable-gnutls' is set; (bso#13844)
  + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973).
  + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008).
  + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021)
  + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046).
  + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015).
  + lookup_name: Allow own domain lookup when flags == 0; (bso#14091).
  + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932).
  + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915).
  + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949).
  + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967).
  + dnsProperty fails to decode values from older Windows versions; (bso#13969).
  + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973).
  + third_party: Update waf to version 2.0.17; (bso#13960).
  + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051).
  + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).

- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).

- Prepare for future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).

- Update samba-winbind script to work with systemd; (bsc#1132739);
- Drop samba dhcpcd hook scripts
- Update to samba 4.10.6
  + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956).
  + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964).
  + samba-tool dns: use bytes for inet_ntop; (bso#13965).
  + samba-tool domain provision: Fix --interactive module in python3; (bso#13828).
  + ldb_kv: Skip @ records early in a search full scan; (bso#13893).
  + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981).
  + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002).
  + registry: Add a missing include; (bso#13840).
  + Fix SMB guest authentication; (bso#13944).
  + AppleDouble conversion breaks Resourceforks; (bso#13958).
  + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968).
  + s3:mdssvc: Fix flex compilation error; (bso#13987).
  + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872).
  + dsdb:samdb: schemainfo update with relax control; (bso#13799).
  + s3:util: Move static file_pload() function to lib/util; (bso#13964).
  + smbd: Fix a panic; (bso#13957).
  + ldap server: Generate correct referral schemes; (bso#12478).
  + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941).
  + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942).
  + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204).
  + ldb: Release ldb 1.5.5; (bso#12478).
  + Schema replication fails if link crosses chunk boundary backwards; (bso#13713).
  + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799).
  + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916).
  + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917).
  + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947).
  + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939).
  + wafsamba: Use native waf timer; (bso#13998).
  + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).

- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3)
  + CVE-2019-12435 rpc/dns: Avoid NULL dereference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815).
  + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816).
- Update to samba-4.10.4
  + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938).
  + py/provision: Fix for Python 2.6; (bso#13882).
  + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873).
  + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861).
  + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).
  + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697).
  + ctdb-common: Avoid race between fd and signal events; (bso#13895).
  + ctdb-common: Fix memory leak in run_proc; (bso#13943).
  + lib: Initialize getline() arguments; (bso#13892).
  + winbind: Fix overlapping id ranges; (bco#13903).
  + lib util debug: Increase format buffer to 4KiB; (bso#13902).
  + nsswitch pam_winbind: Fix Asan use after free; (bso#13927).
  + s4 lib socket: Ensure address string owned by parent struct; (bso#13929).
  + s3 rpc_client: Fix Asan stack use after scope; (bso#13936).
  + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097).
  + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344).
  + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845).
  + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698).
  + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796).
  + dbcheck: Fix the err_empty_attribute() check; (bso#13843).
  + vfs_snapper: Drop unneeded fstat handler; (bso#13858).
  + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862).
  + smb2_server: Grant all 8192 credits to clients; (bso#13863).
  + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919).
  + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872).
  + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452).
  + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831).
  + memcache: Increase size of default memcache to 512k; (bso#13865).
  + docs: Update smbclient manpage for "--max-protocol"; (bso#13857).
  + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937).
  + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939).
  + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860).
  + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888).
  + ctdb-daemon: Never use 0 as a client ID; (bso#13930).
  + ctdb-common: Fix memory leak; (bso#13943).
  + s3:debug: Enable logging for early startup failures; (bso#13904)
- Update to samba-4.10.3
  + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).

- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).

- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697).
- Add ceph_snapshots VFS module; (jsc#SES-183).

- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).

- Update to samba-4.10.2:
  + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834).
  + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851).
  + py/kcc_utils: py2.6 compatibility; (bso#13837).
  + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869).
  + regfio: Improve handling of malformed registry hive files; (bso#13840).
  + ctdb-version: Simplify version string usage; (bso#13789).
  + lib: Make fd_load work for non-regular files; (bso#13859).
  + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816).
  + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818).
  + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854).
  + acl_read: Fix regression for empty lists; (bso#13836).
  + s4:dlz make b9_has_soa check dc=@ node; (bso#13841).
  + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832).
  + s4:librpc: Fix installation of Samba; (bso#13847).
  + s3:lib: Fix the debug message for adding cache entries; (bso#13848).
  + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793).
  + s3:lib: Fix the debug message for adding cache entries; (bso#13848).
  + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853).
  * ctdb-build: Drop creation of .distversion in tarball; (bso#13789).
  * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838).
- Update to samba-4.10.1:
  + py/kcc_utils: py2.6 compatibility; (bso#13837);
  + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869);
  + regfio: Improve handling of malformed registry hive files; (bso#13840);
  + ctdb-version: Simplify version string usage; (bso#13789);
  + lib: Make fd_load work for non-regular files; (bso#13859);
  + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816);
  + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818);
  + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854);
  + acl_read: Fix regression for empty lists; (bso#13836);
  + s4:dlz make b9_has_soa check dc=@ node; (bso#13841);
  + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832);
  + s4:librpc: Fix installation of Samba; (bso#13847);
  + s3:lib: Fix the debug message for adding cache entries; (bso#13848);
  + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793);
  + s3:lib: Fix the debug message for adding cache entries; (bso#13848);
  + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853);
  + ctdb-build: Drop creation of .distversion in tarball; (bso#13789);
  + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838);
- Update to samba-4.10.0:
  + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760);
  + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812);
  + s4/scripting/bin: Open unicode files with utf8 encoding and write
  + unicode string.
  + sambaundoguididx: Use the right escaped or unescaped sam ldb files; (bso#13759);
  + Fix idmap cache pollution with S-1-22- IDs on winbind hiccup; (bso#13813);
  + passdb: Update ABI to 0.27.2.
  + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813);
  + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);

- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796).
- Mac OS X SMB2 implementation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)

- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).

- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060).

- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);

- Update to samba-4.9.5
  + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714);
  + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760);
  + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495);
  + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690);
  + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770);
  + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803);
  + s3:utils/smbget fix recursive download with empty source directories; (bso#13199);
  + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716);
  + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736);
  + join: Throw CommandError instead of Exception for simple errors; (bso#13747);
  + ldb: Avoid inefficient one-level searches; (bso#13762);
  + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736);
  + tldap: Avoid use after free errors; (bso#13776);
  + Fix idmap xid2sid cache churn; (bso#13802);
  + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812);
  + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720);
  + s3-vfs-fruit: Add close call; (bso#13725);
  + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746);
  + s3-vfs: add glusterfs_fuse vfs module; (bso#13774);
  + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766);
  + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807);
  + lib/audit_logging: Actually create talloc; (bso#13737);
  + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728);
  + dns: Changing onelevel search for wildcard to subtree; (bso#13738);
  + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721);
  + sambaundoguididx: Use the right escaped or unescaped sam ldb files; (bso#13759);
  + ctdb: Print locks latency in machinereadable stats; (bso#13742);
  + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786);
  + audit_logging: auth_json_audit required auth_json; (bso#13715);
  + man pages: Document prefork process model; (bso#13765);
  + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773);
  + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697);
  + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722);
  + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723);
  + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752);
  + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616);
  + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330);
  + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774);
  + notifyd: Fix SIGBUS on sparc; (bso#13704);
  + waf: Check for libnscd; (bso#13787);
  + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770);
  + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717);
  + Recovery lock bug fixes; (bso#13800);
  + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726);
  + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727);
  + vfs_fileid: Fix get_connectpath_ino; (bso#13741);
  + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);

- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).

- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);

- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);

- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);

- Update to samba-4.9.4
  + libcli/smb: Don't overwrite status code; (bso#9175).
  + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164).
  + Session setup reauth fails to sign response; (bso#13661).
  + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677).
  + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688).
  + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455).
  + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571).
  + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708)
  + PEP8: fix E231: missing whitespace after ','.
  + winbindd: Fix crash when taking profiles; (bso#13629)
  + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600)
  + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686).
  + CVE-2018-16853: Do not segfault if client is not set; (bso#13571).
  + lib:util: Fix DEBUGCLASS pointer initialization; (bso#13679)
  + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696).
  + s3:libads: Add net ads leave keep-account option; (bso#13498).

- Drop more %if..%endif guards which are idempotent.
- Drop requires on ldconfig which are already auto-discovered.
- Do not ignore errors from useradd/groupadd.

- Remove python2 build dependency from samba-libs; (bsc#1116900);

- Update update-apparmor-samba-profile script to ignore the shares' paths containing substitution variables in any place, not only at the beginning of the path.

- Update to samba-4.9.3
  + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319);
  + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320);
  + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322);
  + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321);
  + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324);
  + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);

- Update to samba-4.9.2
  + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418);
  + Fix problems running domain backups (handling SMBv2, sites); (bso#13621);
  + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465);
  + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642);
  + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646);
  + Enabling vfs_fruit loses FinderInfo; (bso#13649);
  + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667);
  + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641);
  + examples: Fix the smb2mount build; (bso#13465);
  + libtevent: Fix build due to missing open_memstream on Illumos; (bso#13629);
  + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662);
  + dsdb encrypted_secrets: Allow "ldb://" and "mdb://" in file path; (bso#13653);
  + Extended DN SID component missing for member after switching group membership; (bso#13418);
  + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624);
  + python: Allow forced signing via smb.SMB(); (bso#13621);
  + lib:socket: If returning early, set ifaces; (bso#13665);
  + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616);
  + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673);
  + waf: Add -fstack-clash-protection; (bso#13601);
  + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668);
  + Fix bugs in CTDB event handling; (bso#13659);
  + Misbehaving nodes are sometimes not banned; (bso#13670);

- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);

- winbind requires latest version of libtevent-util0 to start

- Backport latest gpo code from master
  + Read policy from local gpt cache
  + Offline policy application
  + Make group policy extensible via register/unregister gpext
  + gpext's run via a process_group_policy method

- Enable profiling data collection

- Change samba-kdc package name to samba-ad-dc
- Move samba-ad-dc.service to the samba-ad-dc package

- Update to samba-4.9.1
  + s3: nmbd: Stop nmbd network announce storm; (bso#13620);
  + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597);
  + CTDB recovery lock has some race conditions; (bso#13617);
  + s3-rpc_client: Advertise Windows 7 client info; (bso#13597);
  + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);

- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.

- Update to samba-4.9.0
  + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605);
  + wafsamba: Fix 'make -j'; (bso#13606);

- Update to samba-4.9.0rc5
  + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565);
  + s3: util: Do not take over stderr when there is no log file; (bso#13578);
  + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549);
  + krb5-samba: Interdomain trust uses different salt principal; (bso#13539);
  + vfs_fruit: Don't unlink the main file; (bso#13441);
  + smbd: Fix a memleak in async search ask sharemode; (bso#13602);
  + Fix Samba GPO issue when Trust is enabled; (bso#11517);
  + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539);
  + Fix CTDB configuration issues; (bso#13589);
  + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);

- Update to samba-4.9.0rc4
  + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585);
  + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566);
  + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579);
  + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584);
  + Fix memory and resource leaks; (bso#13567);
  + python: Fix print in dns_invalid.py; (bso#13580);
  + Aliasing issue causes incorrect IPv6 checksum; (bso#13588);
  + Fix CTDB configuration issues; (bso#13589);
  + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);

- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel

- Update to samba-4.9.0rc3+git.22.3fff23ae36e
  + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453);
  + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374);
  + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552);
  + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434);
  + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540);
  + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360);
  + s3-tldap: do not install test_tldap; (bso#13529);
  + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540);
  + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374);
  + ctdb-eventd: Fix CID 1438155; (bso#13554);
  + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553);
  + ctdb: Fix a cut&paste error; (bso#13554);
  + systemd: Only start smb when network interfaces are up; (bso#13559);
  + Fix quotas don't work with SMB2; (bso#13553);
  + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563);
  + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204);
  + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561);
  + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);

- Update to samba-4.9.0rc2+git.21.a1069afb007
  + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537);
  + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535);
  + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538);
  + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542);
  + Fix portability issues on freebsd; (bso#13520);
  + DNS wildcard search does not handle multiple labels correctly; (bso#13536);
  + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308);
  + Fix portability issues on freebsd; (bso#13520);
  + ctdb-protocol: Fix CTDB compilation issues; (bso#13545);
  + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546);
  + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550);
  + ctdb-event: Implement event tool "script list" command; (bso#13551);

- Update to samba-4.8.4+git.37.a7a861d7982;
  + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360);
  + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374);
  + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453);
  + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552);
  + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434);
  + s3:winbind: 'winbind normalize names' doesn't work for users; (bso#12851);
  + winbind: Fix UPN handling in canonicalize_username(); (bso#13369);
  + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428);
  + samdb: Fix building Samba with gcc 8.1; (bso#13437);
  + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440);
  + smbd: Flush dfree memcache on service reload; (bso#13446);
  + ldb: Save a copy of the index result before calling the
  + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454).
  + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457).
  + python: Fix talloc frame use in make_simple_acl(); (bso#13474).
  + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries; (bso#13478).
  + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).

- Add missing package descriptions; (bsc#1093864);
- Fix dependency issue between samba-python and samba-kdc; (bsc#1062876);
- Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);

- Update to 4.8.2
  + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335).
  + fix incorrect reporting of stream dos attributes on a directory (bso#13380).
  + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412).
  + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425)
  + vfs_ceph: Fix memory leak; (bso#13424).
  + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419).
  + s4-lsa: Fix use-after-free in LSA server; (bso#13420).
  + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430).
  + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416).
  + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414).
  + ctdb-client: Remove unused functions from old client code; (bso#13411).
  + printing: Return the same error code as windows does on upload failures; (bso#13395).
  + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessible; (bso#13400).
  + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420).
  + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407).
  + s3:smbspool: Fix cmdline argument handling; (bso#13417).

- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135);
- Update to 4.8.1; (bsc#1091179);
  + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244);
  + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270);
  + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319);
  + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347);
  + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358);
  + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372);
  + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375);
  + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337);
  + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352);
  + Windows 10 cannot logon on Samba NT4 domain; (bso#13328);
  + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332);
  + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363);
  + ctdb-client: Fix bugs in client code; (bso#13356);
  + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359);
  + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368);
  + libads: Fix the build '--without-ads'; (bso#13273);
  + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332);
  + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343);
  + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367);
  + rpc_server: Fix core dump in dfsgetinfo; (bso#13370);
  + smbclient: Fix notify; (bso#13382);
  + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215);
  + Windows 10 cannot logon on Samba NT4 domain; (bso#13328);
  + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342);
  + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343);
  + Fix the picky-developer build on FreeBSD 11; (bso#13344);
  + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345);
  + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338);
  + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341);
  + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312);
  + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376);
  + Allow AESNI to be used on all processors supporting AESNI; (bso#13302);

- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551);
  + Add %post scriptlet to clear old sysconfig flags
- Update vendor-files to commit 880b3e7.
  + Set samba sysconfig template variables to ""
  + Add required daemon flags directly to systemd unit

- Specfile cleanup
  + Remove %if..%endif guards which don't affect the build
  + Remove redundant %clean section
  + Replace old $RPM_* shell vars with macros

- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.

- Enable building samba with python3, and create a samba-python3 package.

- Update to 4.8
  + New GUID Index mode in sam.ldb for the AD DC
  + GPO support for samba KDC
  + Time machine support with vfs_fruit
  + Encrypted secrets
  + AD Replication visualization
  + Improved trust support
    - ability to not scan global trust list
    - AD external trusts have limited support
    - verbose trusted domain listing
  + VirusFilter VFS module
  + NT4-style replication removed
  + vfs_aio_linux removed

- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);

- Update to 4.7.6;
  + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741);
  + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).

- Disable python until full python3 port is done; (bsc#1082139);
  + Remove contents of package samba-python
  + Remove contents of package libsamba-policy0
  + Remove contents of package libsamba-policy-devel
  + Remove library libsamba-python-samba4.so from samba-libs package
  + Remove library libsamba-net-samba4.so from samba-libs package
  + Remove smbtorture binary and manpage from samba-test

- samba fails to build with glibc2.27; (bsc#1081042);

- Update to 4.7.5; (bsc#1080545);
  + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193);
  + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181);
  + build: Deal with recent glibc sunrpc header removal; (bso#10976);
  + Make Samba work with tirpc and libnsl2; (bso#13238);
  + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206);
  + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986);
  + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188);
  + samba: Only use async signal-safe functions in signal handler; (bso#13240);
  + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986);
  + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228);
  + Fix smbd panic when chdir returns error during exit; (bso#13189);
  + Make Samba work with tirpc and libnsl2; (bso#13238);
  + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);

- Update to 4.7.4; (bsc#1080545);
  + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140);
  + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171);
  + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172);
  + Build man page for vfs_zfsacl.8 with Samba; (bso#12934);
  + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095);
  + s4:samba: Fix default to be running samba as a daemon; (bso#13129);
  + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191);
  + vfs_zfsacl: Fix compilation error; (bso#6133);
  + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051);
  + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052);
  + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155);
  + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173);
  + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120);
  + ctdb: sock_daemon leaks memory; (bso#13153);
  + TCP tickles not getting synchronised on CTDB restart; (bso#13154);
  + winbindd: winbind parent and child share a ctdb connection; (bso#13150);
  + pthreadpool: Fix deadlock; (bso#13170);
  + pthreadpool: Fix starvation after fork; (bso#13179);
  + messaging: Always register the unique id; (bso#13180);
  + s4/smbd: set the process group; (bso#13129);
  + Fix broken linked attribute handling; (bso#13095);
  + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132);
  + libnet_join: Fix 'net rpc oldjoin'; (bso#13149);
  + g_lock conflict detection broken when processing stale entries; (bso#13195);
  + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197);
  + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700);
  + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170);
  + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551);
  + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174);
  + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);

- Re-enable usage of libnsl (got lost with glibc change)
- Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)

- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).

- Update to 4.7.3; (bsc#1069666);
  + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121);
  + python: use communicate to fix Popen deadlock; (bso#13127);
  + smbd on disk file corruption bug under heavy threaded load; (bso#13130);
  + tevent: version 0.9.34; (bso#13130);
  + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118);
  + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427); (bso#13041);
  + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077);
- Build with AD DC support only in openSUSE.

- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)

- samba-tool requires samba-python; (bnc#1067771).

- Run all daemons in the foreground and let systemd handle it; (bsc#1065551).
- Update to 4.7.1;
  + Fix exporting subdirs with shadow_copy2; (bso#13091);
  + Currently if getwd() fails after a chdir(), we panic; (bso#13027);
  + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068);
  + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069);
  + smbclient doesn't correctly canonicalize all local names before use; (bso#13093);
  + Fix broken linked attribute handling; (bso#13095);
  + Missing LDAP query escapes in DNS rpc server; (bso#12994);
  + Link to -lbsd when building replace.c by hand; (bso#13087);
  + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133);
  + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909);
  + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933);
  + Missing assignment in sl_pack_float; (bso#12991);
  + Wrong Samba access checks when changing DOS attributes; (bso#12995);
  + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062);
  + groupmap cleanup should not delete BUILTIN mappings; (bso#13065);
  + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076);
  + man pages: Properly indent lists; (bso#9613);
  + smb.conf.5: Sort parameters alphabetically; (bso#13081);
  + Fix GUID string format on GetPrinter info; (bso#12993);
  + Remote serverid check doesn't check for the unique id; (bso#13042);
  + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056);
  + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070);
  + libgpo doesn't sort the GPOs in the correct order; (bso#13046);
  + Remote serverid check doesn't check for the unique id; (bso#13042);
  + vfs_catia: Fix a potential memleak; (bso#13090);
  + Fix file change notification for renames; (bso#12903);
  + Samba DNS server does not honour wildcards; (bso#12952);
  + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079);
  + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086);
  + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047);
  + s4:rpc_server:backupkey: Move variable into scope; (bso#12959);
  + Fix ntstatus_gen.h generation on 32bit; (bso#13099);
  + Fix a double free in vfs_gluster_getwd(); (bso#13100);
  + Fix resource leaks and pointer issues; (bso#13101);
  + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);
- Add samba-kdc to baselibs.conf.
- Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.
- Update to 4.7.0;
  + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858).
  + Samba AD with MIT Kerberos
  + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535".
  + Authentication and Authorization audit support: New auth_audit debug class.
  + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process.
  + Improved Read-Only Domain Controller (RODC) Support; (bso#12977).
  + Additional password hashes stored in supplementalCredentials.
  + Improvements to DNS during Active Directory domain join.
  + Significant AD performance and replication improvements.
  + Query record for open file or directory.
  + Removal of lpcfg_register_defaults_hook().
  + Change of loadable module interface.
  + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature.
  + CTDB no longer allows mixed minor versions in a cluster.
  + CTDB now ignores hints from Samba about TDB flags when attaching to databases.
  + New configuration variable CTDB_NFS_CHECKS_DIR.
  + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed.
  + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed.
  + The example NFS Ganesha call-out has been improved.
  + A new "replicated" database type is available.
- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).
- CVE-2017-12150: Some code paths don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).
- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).
- Clean specfile assuming SUSE-only system and product >=SLE11
  + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined
  + %{_vendor} is "suse" and %{suse_version} is at least 1100
- Update to 4.6.7; (bsc#1054017)
  + Joining a Huawei storage fails: empty CLDAP ping answer; (bso#11392).
  + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937).
  + vfs_ceph provides inconsistent directory listings; (bso#12911).
  + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836).
  + Use-after free can crash libsmbclient code.; (bso#12927).
  + Server exit with active AIO can crash.; (bso#12925).
  + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910).
  + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898).
  + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897).
  + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886).
  + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840).
  + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720).
  + KCC run at selftest startup can fail spuriously due to a race; (bso#12869).
  + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782).
  + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890).
  + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885).
  + dns_name_equal doing OOB read; (bso#12813).
  + replica_sync tests flap; (bso#12753).
  + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868).
  + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859).
  + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490).
  + race starting winbindd against posixacl test; (bso#12843).
  + Crash in the reentrant smbd_smb2_create_send() if something fails in the subsequent try; (bso#12832).
  + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788).
  + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772).
  + A log message of samba-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768).
  + The smb tarmode tests kills the share dir contents; (bso#12867).
  + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862).
  + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860).
  + manpage/index.html lists links not in alphabetical order; (bso#12854).
  + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831).
  + If a record is locked in a database, then recovery does not complete; (bso#12857).
  + debug_locks.sh script does not log any information; (bso#12856).
  + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852).
  + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849).
  + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845).
  + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844).
  + cli->server_os not filled correctly; (bso#12779).
  + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824).
  + smbclient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808).
  + CTDB NFS call-out failures do not cause event failures; (bso#12837).
  + net command fails due to incorrect return code; (bso#12828).
  + Fix building Samba with GCC 7.1; (bso#12827).
- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).
- fix cephwrap_chdir(); (bsc#1048790).
- Update to 4.6.6
  + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).
- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).
- Fix inconsistent ctdb socket path; (bsc#1048352).
- Fix non-admin cephx authentication; (bsc#1048387).
- Update to 4.6.5; (bsc#1040157)
  + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814).
  + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687).
  + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798).
  + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844).
  + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766).
  + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802).
  + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697).
  + Printing a share mode entry with leases can crash in the ndr code; (bso#12793).
  + Fix flakey unit tests for eventd; (bso#12792).
  + CTDB daemon crashes if built with clang; (bso#12770).
  + smbcacls fails if no password is specified; (bso#12765).
  + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757).
  + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767).
  + systemd: fix detection of libsystemd; (bso#12764).
  + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760).
  + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751).
  + Can't case-rename files with vfs_fruit; (bso#12749).
  + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702).
  + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562).
  + Ordering of notify responses broken; (bso#12756).
- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).
- Revert explicit winbind %{version}-%{release} dependency.
  + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).
- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).
- Update to 4.6.3; (bsc#1036011)
  + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743).
  + Fix for Solaris C compiler; (bso#12559).
  + s3: locking: Update oplock optimization for the leases era; (bso#12628).
  + Make the Solaris C compiler happy; (bso#12693).
  + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695).
  + Fix buffer overflow caused by wrong use of getgroups; (bso#12747).
  + lib: debug: Avoid negative array access; (bso#12746).
  + cleanupdb: Fix a memory read error; (bso#12748).
  + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537).
  + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961).
  + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565).
  + manpages/vfs_fruit: Document global options; (bso#12615).
  + lib/pthreadpool: Fix a memory leak; (bso#12624).
  + Lookup-domain for well-known SIDs on a DC; (bso#12727).
  + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728).
  + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729).
  + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611).
  + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690).
  + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697).
  + ctdb_event monitor command crashes if event is not specified; (bso#12723).
  + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733).
  + smbd: Fix smb1 findfirst with DFS; (bso#12558).
  + smbd: Do an early exit on negprot failure; (bso#12610).
  + winbindd: Fix substitution for 'template homedir'; (bso#12699).
  + s4:kdc: Disable principal based autodetected referral detection; (bso#12554).
  + idmap_autorid: Allocate new domain range if the caller knows the sid is valid; (bso#12613).
  + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724).
  + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725).
  + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731).
  + winbindd: Fix password policy for pam authentication; (bso#12725).
  + s3:gse: Correctly handle external trusts with MIT; (bso#12554).
  + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611).
  + replace: Include sysmacros.h; (bso#12686).
  + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687).
  + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704).
  + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708).
  + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715).
  + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).
- Generate and update vendor-files tarball from Git
  + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).
- Generate source tarball directly from Git using OBS tar_scm
  + use version string derived from parent Git tag and commit hash
- remove obsolete vendor-files/tools/package-data version ID
  + explicitly generate ctdb manpages, needed without "make dist"
- Update to 4.6.2
  + remove bso#12721 patches now upstream
- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622).
  + x86-64 and aarch64
- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).
- Build and install the html man pages (bsc#1021907).
- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).
- Update to 4.6.1
  + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147)
  + testparm checks for valid idmap parameters
  + add new krb client encryption types
  + support for printer driver upload from windows 10
  + inherit owner = 'unix only' for improved quota support
  + improved CTDB event support
  + new primary group support for idmap_ad
  + idmap_hash deprecated
  + mvxattr added to recursively rename extended attributes
- Remove chkconfig requirements for systemd systems
- Don't call insserv if systemd is used
- Fix check if we need to require insserv
- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).
- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).
- add missing patch for libnss_wins segfault; (bsc#995730).
- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).
- Document "winbind: ignore domains" parameter; (bsc#1019416).
- Add base Samba dependency to samba-ceph package.
- Update to 4.5.3
  + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437).
  + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441).
  + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442).
- 4.5.1 and 4.5.2 updates
  + various streams vfs fixes
  + various printing fixes
  + ntlm_auth: do not map explicitly empty domain
  + various stability fixes in smbd
  + match file compression ReFS behavior
- Add missing ldb module directory; (bnc#1012092).
- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).
- Include vfstest in samba-test; (bsc#1001203).
- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).
- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).
- Update to 4.5.0
  + NTLM1 Authentication disabled by default
  + SMB2.1 leases enabled by default
  + Support for OFD locks
  + ctdb tool rewritten
  + Added shadow copy snapshot prefix parameter
- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).
- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).
- Don't package man pages for VFS modules that aren't built; (boo#993707).
- Fix population of ctdb sysconfig after source merge; (bsc#981566).
- Enable vfs_ceph builds for Factory (x86-64)
  + Package as samba-ceph to avoid Ceph dependency in base package.
- Update to 4.4.5
  + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).
- Remove obsolete syslog.target; (bsc#983938).
- Honor smb.conf socket options in winbind; (bsc#975131).
- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).
- Update to 4.4.4
  + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809).
  + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919).
  + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930).
  + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796).
  + Fix case sensitivity issues over SMB2 or above; (bso#11438).
  + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910)
  + Fix NTLM Authentication issue with squid; (bso#11914).
  + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530).
  + Fix memory leak in share mode locking; (bso#11934).
- Update to 4.4.3
  + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872).
  + Only allow idmap_hash for default idmap config (bso#11786).
  + smbd: Avoid large reads beyond EOF; (bso#11878).
  + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806).
  + libads: Record session expiry for spnego sasl binds; (bso#11852).
- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).
- Revert shared library packaging to comply with SLPP
- Update to 4.4.2
  + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031).
  + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032).
  + LDAP connections vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033).
  + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034).
  + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036).
  + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965).
  + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).
- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).
- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).
- Update to 4.4.0.
  + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771.
  + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560.
  + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543.
  + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489).
  + docs: Add example for domain logins to smbspool man page; (bso#11643).
  + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681).
  + docs: Add smbspool_krb5_wrapper manpage; (bso#11690).
  + winbindd: Return trust parameters when listing trusts; (bso#11691).
  + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696).
  + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699).
  + s3:utils/smbget: Set default blocksize; (bso#11700).
  + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700).
  + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702).
  + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703).
  + loadparm: Fix memory leak issue; (bso#11708).
  + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714).
  + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715).
  + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719).
  + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723).
  + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724).
  + smbd: Fix CID 1351216 Dereference null return value; (bso#11725).
  + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727).
  + docs: Add manpage for cifsdd; (bso#11730).
  + param: Fix str_list_v3 to accept ; again; (bso#11732).
  + lib/socket: Fix improper use of default interface speed; (bso#11734).
  + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735).
  + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738).
  + Fix installation path of Samba helper binaries; (bso#11739).
  + Fix memory leak in loadparm; (bso#11740).
  + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742).
  + smbd: Ignore SVHDX create context; (bso#11753).
  + Fix net join; (bso#11755).
  + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755).
  + passdb: Add linefeed to debug message; (bso#11763).
  + s3:utils/smbget: Fix option parsing; (bso#11767).
  + libnet: Make Kerberos domain join site-aware; (bso#11769).
  + Reset TCP Connections during IP failover; (bso#11770).
  + ldb: Version 1.1.26; (bso#11772).
  + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773).
  + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774).
  + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780).
  + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782).
  + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783).
  + Quota is not supported on Solaris 10; (bso#11788).
  + Talloc: Version 2.1.6; (bso#11789).
  + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796).
  + build: Fix build when '--without-quota' specified; (bso#11798).
  + lib/socket/interfaces: Fix some uninitialized bytes; (bso#11802).
  + Access based share enum: handle permission set in configuration files; (bso#8093).
  + See also WHATSNEW.txt from the samba-doc package.
- Update to 4.3.6.
  + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222).
  + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).
- Upgrade on-disk FSRVP server state to new version; (bsc#924519).
- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).
- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).
- Obsolete no longer existing samba-32bit package; (bsc#967625).
- Update to 4.3.5.
  + s3:utils/smbget: Fix recursive download; (bso#6482).
  + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489).
  + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400).
  + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580).
  + smbclient: Query disk usage relative to current directory; (bso#11662).
  + winbindd: Handle expired sessions correctly; (bso#11670).
  + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681).
  + smbcacls: Fix uninitialized variable; (bso#11682).
  + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684).
  + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690).
  + s3-parm: Clean up defaults when removing global parameters; (bso#11693).
  + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699).
  + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703).
  + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705).
  + loadparm: Fix memory leak issue; (bso#11708).
  + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714).
  + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719).
  + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727).
  + param: Fix str_list_v3 to accept ";" again; (bso#11732).
- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).
- Simplify shared library packaging; (bsc#966956).
- Enable clustering (CTDB) support; (bsc#966271).
- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).
- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).
- Remove autoconf build-time requirement.
- Update to 4.3.4.
  + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065).
  + Crash: Bad talloc magic value - access after free; (bso#11394).
  + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466).
  + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613).
  + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619).
  + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624).
  + Reduce the memory footprint of empty string options; (bso#11625).
  + lib/async_req: Do not install async_connect_send_test; (bso#11639).
  + Fix typos in man vfs_gpfs; (bso#11641).
  + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645).
  + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249).
  + Do not disable "store dos attributes" on-the-fly; (bso#11649).
  + Update lastLogon and lastLogonTimestamp; (bso#11659).
- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).
- Update to 4.3.3.
  + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581).
  + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586).
  + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582).
  + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584).
  + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583).
  + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).
- Update to 4.3.2.
  + vfs_gpfs: Re-enable share modes; (bso#11243).
  + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327).
  + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452).
  + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511).
  + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512).
  + s4:lib/messaging: Use correct path for names.tdb; (bso#11562).
  + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563).
  + async_req: Fix non-blocking connect(); (bso#11564).
  + auth: gensec: Fix a memory leak; (bso#11565).
  + lib: util: Make non-critical message a warning; (bso#11566).
  + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022).
  + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570).
  + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577).
  + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581).
  + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581).
  + manpage: Correct small typo error; (bso#11584).
  + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589).
  + Backport some valgrind fixes from upstream master; (bso#11597).
  + auth: Consistent handling of well-known alias as primary gid; (bso#11608).
  + winbind: Fix crash on invalid idmap configs; (bso#11612).
  + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615).
  + Changing log level of two entries to DBG_NOTICE; (bso#9912).
- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).
- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0.
- Always use the default optimization even on pre-9.2 systems.
- Remove redundant configure options while adding with-relro.
- Relocate the lockdir to the /var/lib/samba/lock directory.
- Cleanup and enhance the pidl sub package.
- Require renamed python-ldb-devel and python-talloc-devel at build-time.
- Requires python-ldb and python-talloc from the python subpackage.
- Update to 4.3.1.
  + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252).
  + nss_winbind: Fix hang on Solaris on big groups; (bso#10365).
  + smbd: Fix file name buflen and padding in notify response; (bso#10634).
  + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038).
  + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053).
  + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316).
  + s3: smbd: Fix mkdir race condition; (bso#11486).
  + pam_winbind: Fix a segfault if initialization fails; (bso#11502).
  + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509).
  + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515).
  + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522).
  + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526).
  + net: Fix a crash with 'net ads keytab create'; (bso#11528).
  + s3: smbd: Fix a crash in unix_convert(); (bso#11535).
  + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535).
  + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543).
  + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547).
  + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549).
  + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550).
  + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555).
  + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).
- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).
- Relocate the tmpfiles.d directory to the client package; (bnc#947552).
- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).
- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).
- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).
- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).
- Update to 4.3.0.
  + Samba "map to guest = Bad uid" doesn't work; (bso#9862).
  + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493).
  + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973).
  + Stream names with colon don't work with fruit:encoding = native; (bso#11278).
  + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291).
  + tevent_fd needs to be destroyed before closing the fd; (bso#11316).
  + "force group" with local group not working; (bso#11320).
  + strsep is not available on Solaris; (bso#11359).
  + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411).
  + Build with GPFS support is broken; (bso#11421).
  + Build broken with --disable-python; (bso#11424).
  + net share allowedusers crashes; (bso#11426).
  + nmbd incorrectly matches netbios names as own name; (bso#11427).
  + Python bindings don't check integer types; (bso#11429).
  + Python bindings don't check array sizes; (bso#11430).
  + CTDB's eventscript error handling is broken; (bso#11431).
  + Fix crash in nested ctdb banning; (bso#11432).
  + Cannot build ctdbpmda; (bso#11434).
  + samba-tool uncaught exception error; (bso#11436).
  + Crash in notify_remove caused by change notify = no; (bso#11444).
  + Poor SMB3 encryption performance with AES-GCM; (bso#11451).
  + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451).
  + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455).
  + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458).
  + xid2sid gives inconsistent results; (bso#11464).
  + ctdb: Fix the build on FreeBSD 10.1; (bso#11465).
  + Handling of 0 byte resource fork stream; (bso#11467).
  + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).
- Configure with --bundled-libraries=NONE; (bso#11458).
- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).
- Remove libiniparser-devel build-time requirement.
- Update to 4.2.3.
  + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780).
  + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924).
  + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991).
  + Logon via MS Remote Desktop hangs; (bso#11061).
  + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068).
  + tevent: Add a note to tevent_add_fd(); (bso#11141).
  + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170).
  + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217).
  + smbd: Fix a use-after-free; (bso#11218); (bnc#919309).
  + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245).
  + s3:smb2: Add padding to last command in compound requests; (bso#11277).
  + Add IPv6 support to ADS client side LDAP connects; (bso#11281).
  + Add IPv6 support for determining FQDN during ADS join; (bso#11282).
  + s3: IPv6 enabled DNS connections for ADS client; (bso#11283).
  + Fix invalid write in ctdb_lock_context_destructor; (bso#11293).
  + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295).
  + vfs_fruit: Add option "veto_appledouble"; (bso#11305).
  + tstream: Make socketpair nonblocking; (bso#11312).
  + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313).
  + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315).
  + tevent_fd needs to be destroyed before closing the fd; (bso#11316).
  + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319).
  + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323).
  + Change sharesec output back to previous format; (bso#11324).
  + Robust mutex support broken in 1.3.5; (bso#11326).
  + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457).
  + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329).
  + tevent: Fix CID 1035381 Unchecked return value; (bso#11330).
  + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331).
  + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339).
  + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342).
  + pidl: Make the compilation of PIDL producing the same results if the content hasn't changed; (bso#11356).
  + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358).
  + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363).
  + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366).
  + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367).
  + ncacn_http: Fix GNUism; (bso#11371).
- Disable rpath usage; (bnc#902421).
- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).
- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).
- Order winbind.service Before and Want nss-user-lookup target.
- Remove fam-devel build-time dependency for post-6 RHEL systems.
- Update to 4.2.2.
  + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182).
  + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260).
  + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186).
  + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236).
  + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240).
  + Mangled names do not work with acl_xattr; (bso#11249).
  + nmbd rewrites browse.dat when not required; (bso#11254).
  + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213).
  + s3:smbd: Add missing tevent_req_nterror; (bso#11224).
  + vfs: kernel_flock and named streams; (bso#11243).
  + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244).
  + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284).
  + ctdb: check for talloc_asprintf() failure; (bso#11201).
  + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813).
  + CTDB statd-callout does not scale; (bso#11204).
  + vfs_fruit: also map characters below 0x20; (bso#11221).
  + ctdb: Coverity fix for CID 1291643; (bso#11201).
  + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225).
  + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226).
  + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007).
  + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201).
  + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257).
  + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854).
  + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182).
  + 'sharesec' output no longer matches input format; (bso#11237).
  + waf: Fix systemd detection; (bso#11200).
  + CTDB: Fix portability issues; (bso#11202).
  + CTDB: Fix some IPv6-related issues; (bso#11203).
  + CTDB statd-callout does not scale; (bso#11204).
  + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234).
  + libads: record service ticket endtime for sealed ldap connections; (bso#11267).
  + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).
- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).
- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.
- Drop redundant doc attribute from man pages.
- Update to 4.2.1.
  + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905).
  + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791).
  + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016).
  + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476).
  + waf: Fix the build on openbsd; (bso#10476).
  + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888).
  + spoolss: Retrieve published printer GUID if not in registry; (bso#11018).
  + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout milliseconds if it's still valid before use; (bso#11079).
  + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125).
  + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135).
  + replace: Remove superfluous check for gcrypt header; (bso#11135).
  + Backport subunit changes; (bso#11137).
  + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140).
  + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143).
  + talloc: Version 2.1.2; (bso#11144).
  + Update libwbclient version to 0.12; (bso#11149).
  + brlock: Use 0 instead of empty initializer list; (bso#11153).
  + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164).
  + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304).
  + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173).
  + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174).
  + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175).
  + s3: libsmbclient: Add missing talloc stackframe; (bso#11177).
  + s4-process_model: Do not close random fds while forking; (bso#11180).
  + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).
- Prevent samba package updates from disabling samba kerberos printing.
- Add sparse file support for samba; (fate#318424).
- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).
- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).
- Simplify libxslt build requirement and README.SUSE install.
  - Remove no longer required cleanup steps while populating the build root.
- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).
- Update to 4.2.0.
  + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115).
  + pam_winbind: fix warn_pwd_expire implementation; (bso#9056).
  + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299).
  + Make 'profiles' work again; (bso#9629).
  + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702).
  + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810).
  + Use -R linker flag on Solaris, not -rpath; (bso#10112).
  + vfs: Add glusterfs manpage; (bso#10240).
  + Make 'smbclient' use cached creds; (bso#10279).
  + pdb: Fix build issues with shared modules; (bso#10355).
  + s4-dns: Add support for BIND 9.10; (bso#10620).
  + idmap: Return the correct id type to *id_to_sid methods; (bso#10720).
  + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808).
  + Don't build vfs_snapper on FreeBSD; (bso#10834).
  + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835).
  + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837).
  + s3: smb2cli: query info return length check was reversed; (bso#10848).
  + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849).
  + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851).
  + winbind3: Fix pwent variable substitution; (bso#10852).
  + Improve samba-regedit; (bso#10859).
  + registry: Don't leave dangling transactions; (bso#10860).
  + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861).
  + build: Do not install 'texpect' binary anymore; (bso#10862).
  + Fix testparm to show hidden share defaults; (bso#10864).
  + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866).
  + Integrate CTDB into top-level Samba build; (bso#10892).
  + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895).
  + s3-nmbd: Fix netbios name truncation; (bso#10896).
  + spoolss: Fix handling of bad EnumJobs levels; (bso#10898).
  + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904).
  + Fix print job enumeration; (bso#10905); (bnc#898031).
  + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909).
  + Add support for SMB2 leases; (bso#10911).
  + btrfs: Don't leak opened directory handle; (bso#10918).
  + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920).
  + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921).
  + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932).
  + s3-keytab: fix keytab array NULL termination; (bso#10933).
  + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940).
  + Cleanup add_string_to_array and usage; (bso#10942).
  + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942).
  + Fix RootDSE search with extended dn control; (bso#10949).
  + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952).
  + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958).
  + s3-smbclient: Return success if we listed the shares; (bso#10960).
  + s3-smbstatus: Fix exit code of profile output; (bso#10961).
  + socket_wrapper: Add missing prototype check for eventfd; (bso#10965).
  + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966).
  + vfs_streams_xattr: Check stream type; (bso#10971).
  + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982).
  + vfs_fruit: Add support for AAPL; (bso#10983).
  + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984).
  + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).
  + Fix IPv6 support in CTDB; (bso#10996).
  + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000).
  + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005).
  + s3-util: Fix authentication with long hostnames; (bso#11008).
  + ctdb-build: Fix build without xsltproc; (bso#11014).
  + packaging: Include CTDB man pages in the tarball; (bso#11014).
  + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016).
  + Make Sharepoint search show user documents; (bso#11022).
  + nss_wrapper: check for nss.h; (bso#11026).
  + Enable mutexes in gencache_notrans.tdb; (bso#11032).
  + tdb_wrap: Make mutexes easier to use; (bso#11032).
  + lib/util: Avoid collision which already defined consumer DEBUG macro; (bso#11033).
  + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034).
  + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037).
  + vfs_fruit: Fix base_fsp name conversion; (bso#11039).
  + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040).
  + Fix authentication using Kerberos (not AD); (bso#11044).
  + net: Fix sam addgroupmem; (bso#11051).
  + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238).
  + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058).
  + utils: Fix 'net time' segfault; (bso#11058).
  + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059).
  + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066).
  + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069).
  + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069).
  + vfs_glusterfs: Implement AIO support; (bso#11069).
  + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070).
  + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376).
  + vfs: Add a brief vfs_ceph manpage; (bso#11088).
  + s3: smbclient: Allinfo leaves the file handle open; (bso#11094).
  + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097).
  + debug: Set close-on-exec for the main log file FD; (bso#11100).
  + s3: smbd: leases - loosen paranoia check. Stat opens can grant leases; (bso#11102).
  + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104).
  + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117).
  + snprintf: Try to support %j; (bso#11119).
  + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124).
  + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).
- Update to 4.2.0rc5.
  + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).
- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).
- Fix tdb_store_flag_to_ntdb() gcc5 build failure.
- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).
- Update to 4.1.16.
  + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).
- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.
- Fix libsmbclient DFS referral handling.
  + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512).
  + Set domain/workgroup based on authentication callback value; (bso#11059).
- Update to 4.2.0rc4.
  - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547).
  - Rename libpdb packages to libsamba-passdb.
  - Drop libsmbsharemodes packages.
- Enable avahi support on post-12.2 systems.
- Update to 4.1.15.
  + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056).
  + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299).
  + Fix profiles tool; (bso#9629).
  + s3-lib: Do not require a password with --use-ccache; (bso#10279).
  + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949).
  + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952).
  + s3:smb2_server: Allow reauthentication without signing; (bso#10958).
  + s3-smbclient: Return success if we listed the shares; (bso#10960).
  + s3-smbstatus: Fix exit code of profile output; (bso#10961).
  + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966).
  + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982).
  + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006).
  + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006).
  + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).
- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).
- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).
- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).
- Fix spoolss error response marshalling; (bso#10984).
- Update to 4.1.14.
  + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/Tools/perl.py back to upstream state; (bso#10472).
  + s4-dns: Add support for BIND 9.10; (bso#10620).
  + nmbd fails to accept "--piddir" option; (bso#10711).
  + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835).
  + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880).
  + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889).
  + s3-nmbd: Fix netbios name truncation; (bso#10896).
  + spoolss: Fix handling of bad EnumJobs levels; (bso#10898).
  + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904).
  + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905).
  + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920).
  + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921).
  + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932).
  + s3-keytab: Fix keytab array NULL termination; (bso#10933).
  + Cleanup add_string_to_array and usage; (bso#10942).
- Remove and cleanup shares and registry state associated with externally deleted snapshots exposed as shadow copies; (bnc#876312).
- Use the upstream tar ball, as signature verification is now able to handle compressed archives.
- Fix leak when closing file descriptor returned from dirfd; (bso#10918).
- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031).
  + Fix handling of bad EnumJobs levels; (bso#10898).
- Remove dependency on gpg-offline as signature checking is implemented in the source validator.
- Update to 4.1.13.
  + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984).
  + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984).
  + s3-libads: Add all machine account principals to the keytab; (bso#9985).
  + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717).
  + Fix unstrcpy; (bso#10735).
  + pthreadpool: Slightly serialize jobs; (bso#10779).
  + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797).
  + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809).
  + vfs_media_harmony: Fix a crash bug; (bso#10813).
  + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814).
  + nmbd: Send waiting status to systemd; (bso#10816).
  + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817).
  + nsswitch: Skip groups we were not able to map; (bso#10824).
  + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826).
  + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830).
  + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831).
  + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837).
  + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838).
  + s3: smb2cli: Query info return length check was reversed; (bso#10848).
  + registry: Don't leave dangling transactions; (bso#10860).
- Update to 4.2.0rc2.
/sbin/ldconfig
/sbin/ldconfig
ibs-arm-5 1635351078
4.13.10+git.236.0517d0e6bdf-3.7.12
4.13.10+git.236.0517d0e6bdf-3.7.12
libsmbconf.so.0
/usr/lib64/
-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g
obs://build.suse.de/SUSE:Maintenance:21237/SUSE_SLE-15-SP3_Update/d2f98d8ef4313516f89dded66bd0b145-samba.SUSE_SLE-15-SP3_Update
cpio
xz
5
aarch64-suse-linux
ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=e88965dacff48d2315f015a1cd54175d0622c811, stripped
M6,$F'5_|.צ5kJݛqS4$@^BJQ-jCA7eM_8d :"َV⪒O"0]Hx< Dչ&+W.ml*+~ eocU.q[@Z\ VY5R 7 @V&Q 8',7LK7i;K;'"C)a&X7Bc^LZ|S;qr!e%H.Fi-9K5 <w;9kY+X5GDj^4< tx?wu[p +V|QO59*qҿY ]BEbB\)~rXHrNC`Ŗ[֡ Lz4;(ГŲ1NkQ1/}`Fj+6Ssoן3(֯^#}t<@pYGPiU% X^⑞~fr+3юXLY2#dt4xHy b s("he9u2nzYKQ-o/=F^Kv#vګJ_.Q vNN#Vn\4$v*i*@8־|5 ݺ3h\9.\?>N 3ܩ#T )ِ=%˿??sSIJ͢\f0 2~ M^SD^^ۮȯnl}e٢hvI+IuꓺE\Ӎ\}Jn*DqaVʽd;wI}Z8]5wܫԍ]|7#~Sr'exA<5.J&WXS%/o'H*ST?Y }Ĕ7\ɟ"Ti->@k 1o"hIwjNyb?;RN +-]N% b$V&3P,f$Cu{/血[U=e2RXB;%s**w2 ꗌ}447!ܡ7d}pR!0x?z( p7Zx-Hps080nK¨qWCƗ~bEﺒ8GeáZS_xK'%*x\0"h=6:ʱ\)iϸg ˡ[hSZc1ׅ_q<Vf"s]Xxxa] [Ⱥ̢ hѫ0)M~aG{tssYj84p_"ζ3z˜C"6u֞qMfeC;_ -_sFj]D@Оw-ұ§dۛA N<{iU|d"x ]]G BO;41EPyqc} -V,:X k~+0m[B@m\l˾ /CJ~7!y;8p =4j۞= oQBFEQWE@O*zG_cHXuشTQCyDy9Պ&=m%=>D6^(_4O# U Y/N߉g e@2s5)_k`Zy3ed"8 sm$TD!< K!yt3d?" n@E <9ZַԲVp,3E%cS.S:cK +Q_e#zkYe'SjmFkU֯v6&M>:x\Gd*U݋x)2 w7\G4D7W3P[B 5{!O5܆UuQICY1 7苡ۓ19h5|׼*)8h~ z5~D|}֦Drh'p6أ<թއ׆b`Cm%؃?]Moa}ͦNA@7wb<@g؏{2+\L*@ u3?79DuBeRN*m&(厵DIy`4NڻaL P:DdHѐGphv2REx6'K8*$ 쨦&cL?6tlph61$&;5<$RB*(|MDNٮm] oz}4kl)uoVegXU>1{ֺ厧p)t*Gޚکcȏm 䴄q/ > ;U(~y[2C3X='jG 〶rOވ.մ1{q:aV;u Ch+1Ή&Z vo(r{ De9.6lWVȀ1KUEISS=kh~Yka?Uw Pi.YmK){kfbኌ0׋V=MƜKg#ΗPu$>T$@ޭeWȡg^(fr61 ZE WpII ~ unW̓b\Z-W'hySyjD ۈ=Fzd^xm9PL|&^5ѻyC Qw`rFs^WOصDA%%ЬCfHl8SE'~r8ǶN]\SK e@k ȶj}uRY~1ـpYL߯i=P 'KO=mvH!ga2P\1U#6dS~vLdzNm7&P㟽OL Ex~="r?fsiE3VaFJ[{V^њɫ8@dYO4!/S nk)R>?/Hɡ6f-nfcDUj}Vjkn@y3:ˉi=*ZCIog>T0jXe{99j| 7mPgL9 *FHZWd"I{ ΆG!_h&oJɋ{G; xfIVA iн-W:h G>Ac)3ID& sGQ,E?[kII|)T^&nfId؛È:iʳ}5`)H>!Yh\.χf$XmQhᨁ% l 8 `Hg p-~`e1zƣQ! 
WjӘ1?֭Kb%M9u<;py!?"e Ց2B6_S?[0tR= ?N6({bWy6X V`éiK.L`듵cMk]n.ھ(5@q+"m_b_ e@F뮽ksRSbt+b$??ukf A+0 *nvPq+Y5XAoQf A5 s~Ξo;Rv%P!׼f&߬sC w7$OXfn61u.2 NVnjwQNö ^ @2J1qqAJmP:!nygnZeć"o3s{lOͷz,EB4Hl24|8{h^LiR7U@;Պe2bԀDMW's!?վ>HR[C5+B,=D%['z޶˄i0S®0PiW6]QЄDyrv7)*AxvԒMB7mk~~aGnƐV[LSrZS9H%\V!3 ~دIfR7 p^XʳU'7{ ,W>˖ D>h@\RP\ CR8О t,c0<Z86N}aTh.SS~Ys h`Qpc(ZؠLN_#<{_ͅG`zag ¤!W~0Gu-N;lI1Y7߂kl/KD1 {NT4rHb l v5-m*qP緬ю$R&_+ 9xXp$Ƥ.Gm )6_3qrΏmv(TYvT]ߗjjUu'FH%m ,q-JaA.\&IFZMeåTb=XL\>HK8Anb`EEDTWJcDƐگu'n`"OIMNZ@|Q6 j ?YY1X!):0᭦+{Fj@4Kݖ\31}:{V9> LCl:(::X*k=B8w=/)KQLg>A@FC1R0Y5"mhE/]wa= {;ʸg}3/sl z¾?N\s$,BgQw_NG d4 s bYP%1 ch`}p)f\S*?*J܎H.o_ W9~6δ T* yT Q&&XsAWbV A+!׉K6Ƴd-Jm!t4nɘhF " Tm G::m$PX5Sdjx !I6rFŝ\(t^YX}Ҝc"1I ѩ8/ZuDmڅ|@ l.'8*8-#A;We`L:@Vl*rFFC5S;z3sW'*)WIڊR!d%|zt @(tC? 8S3I9`5ଣ  hDB6ԘPiVPH< xǘ #tBsE8Ը+aq%([yA7NZ#(M+7`qSK& .GAu[EN32? zA~J/1v>1y^ *8(_M6,k[ϴ<4V 0 w4gukid[gJ?˷I:u_Dw7Py=@d ~/*. [w(_E^Gdtzb[l/ HH,;#\ll/q˲読h*{Lj@wqE!AtSiJ8.H yc3͆M4r[Sb ez^HSqފCߡ8gg5յsPIYZy7 Z]TFjoX9$OWK8R˰/+z;;l+}h 6ڶR 17CHs:(:IS=Y\^/e;iQxY,mm6QyժPdt}jLg/I$iSd۩l *hp>78dmsOj] C q,Y ^.srp%G/TAX\yXD!VXZf(Bhu0zt@18AGH.M\8am23nĜm\OfT2sX&$I:aڀ&Y&~HҋBztFҫӰC3WSj* “ՉƘh{Nzx+$ &#cgc Jb'̸!a񢮨F:-tjhqHX}ԋZ7/Q DnHN;z[ 6E;2?S,cdfs:{RaN~d6_$,Pj5\;.$A}qL n"=,/ 7Vyv֚x =;\ )3Eϼ>nʶbm-Į2mCs`R[I#fz7whJث>QomU"ou~%jbnFztr'׎!75kM_w=pq=+4屼fd7sشnb$ٯXzX/18b\* +hV"#Z}2<6<.-F֒rt(Agl^:cr.uen=q|jЊ,]G,Jn3JcdPV I4mK`)xs1ږ~@K#&1$ʵ=BqIމ۴J6YҶ+hN`R3RS ӆfN&1^*ܤ=/k`ZȎ](W!-& (hH ='+]{]QL/ճ?mA`z^E&߮NzL]@};ŮsoO %[x8^Ƴ \Y:ٓytBBҏ[Z~!Ǒd,GMC9p)y ՗.H,a- ͐AGf3t`G,sl-`_5R*{BA6KK)YF,J]CAƖB/w3"T5(UnŴ}ZS,OX2Y[p/mNL?R!$=fpDX~Q1O+c {*PzY" U(l3.h& Dvh-1LC:AQv) ;.:%csOG(D⃧AػOY 3[2rЅHќV(1DF xM"{BB%UMΡ撺[L4*"G[yTGDJԹJgOc>iДp+GP Hݣv A(_ xBUAR"qRyn϶EzN<e5Y9ChSD lamM$h?r)j^.N@嵖RVCԯq*&mL ÏdGl'dyK%I`_>F\=_lhӇ-nMtqox ;m]g Eyֹm5gU"i(+ !ܣFT-GI2!ʋǘ1s[ ނ9]x$7gzrOMvOsis]匣GӇ vO>ړcߜs*d`,wf4]y8E 눖*}vr0Z̭˰CJAN$UӲAd)ܻzɭ@0CAcd,3_oѬ:+IpeMޤZP$.N4U:h⤭\21xob2x+& FEN J:PJ?APH{_5Uv@i\WR~Gh7QQ9]1Bŏ,ߗ[Bmtwru+,Pq|Aʟq[;CYX5aޠ*Ǚ>F+ XUv=0otHlV[Þ.)沛p#`ĸ_Xjƺ0Lpw{||O>ֺF0bčDbO}NE7S6EHD" 
Txl71V5WS[h}F}t:x_I{my; zIQd HͷHLmXek&anq:%NʓW+L$l];l"xg -] ldYW*gb9fy)GUb/-DqyOi-9u,[@lBÜה-CV`capàT 4 C*"GTG69$P(86õplKϔ*؏-Z?m[5کV N[h _oA!>5 'M佤74l6Q؇=qIStsrUOLĽ%9`j|-#G9t#[RhB(Yy%$x!QK΀Ml<:RIxHry,&~Be/d,["A*pnr?؎+n4Lg8-rTJ{! p;1jۤM@-zDZ! ^,q9Or&8?$d9^ [#iqC7ʰfF]A|Rړׯn1bwO| _aA=1Eܧsga $s0: Ԑ4Qp竡;,@d7rMь=72fd:z8j"U y:=kJF\h|u5T,`MVM_\ ) I3YS*|4{FL ٟ o)3`;M/0 L m%6&_: (/+\Ȃл}yH?YH |e}|(w*Qwsq6<2o=V#_e]t '5q>~l Fdg',cLK>nň iyÇfP0&j %JhWJbb2@dN϶`F#.< E(?PP!r`uƪo eY^V3q<mIZ2\ݺRVQ zss+apz۹ܫ>b=[>`Gy,کQZlJ2xaǗF6*m2z9,  .88lv4g8_Adi̡leU^;G 2 ˥Z 174%ro(C#V= YAbH%7TrJ]_$"#DAjp<:jY^stYFaȵ(@Xk-dNv ѫ NCZ,qRSBIvO葨Cs-HYnkI)f'}wpűW,Z$R[H9as lkqv '{!-B Mw9yCcϖG%\w6xZ]Mf+5lTsõ;$|u y@;ٞAP,Qg{EA LK)G/䇽$*SH,L-J1ڑ%#@ښ)T,pq%ZIT'M%79'kvt _G5Zp&eА+:-Э8%^KJr, OlL&# qS:͔D= ^r벩yMYJApMSy6̕[]W}ůQ!jnZuB- `5O (9e_BY~n!Q|WB/OW5۞zH%p𠠠A;ܥ͉c񘙾GYθa<ɜZmR7lewDTX_~3۵^*=ٟ-pD~V(E$ؽ#g>tJ%I t[ܒǩQV)  ݒ$q5+cGyH]ilҧy0i4&G~XUFp6mԥOR+ *ewI:?vSwAa~6 Q%弑|,IKgjVo SH? Vt'>J0"(K4L͗JEWDm2(^u>yl72x1'*B[QVuMX IՅ: r|6H?w< nq^ nRNjr!`9x/;6{DŽl8j(n[i(dGj-x iq̈}~۾~C_bd~'xE ^iH@EybyOYgd @9 8JP^c2oh31^w+tu]}vD2D*!@哦s03~+^UbͩB"I>|Aa܆eE5 ޴Ds-/%A=Ngp7ioLE~fo)t6G\#ݨmJgD~"*y .jV&FCPx9.,y g9UEFeOM aL@W ٿRvc߫5a`3`#5jf+ /'ZÅD.u{oni;5#x rtt0ZŽܝ<^(e]r؉G众"|D¸7^~Yz^ǗuMYa)e 7Xw&PϤ )O%wMS?#)GԮQd' Ft%O3cuO&4d4s?h~}$ SSuګ(F-`5QT$ Dawo^"c|<&)IdK}TcR:-r6“E]0DMS:"rJCa{W2}iҨ4K% kQ=ܞFcf &Lh'Ƀ*U3Qn*)WcS8 Ը kݔצ$}UJ}i}BB~% +1<'9!k33au*u^*- E*jZ^[%{UIW{DKI Y&UIR= >n}DaMߴIPBL)^Sa{! 
CQ;z"OC`qaRmŪz uF9,LBhZmX1>X ?S&~U0Ug/7i')<)řmլa2kN L8*$L Ƙ`fU?佥 ?ۿ8{ 6dgE6ּmC8#a\ӵ+̈ME!˷Rkbai§dzvlE`UɅjh츦Bz|#HrN⨼ X)1^X[QS5Ayjp#?xi yQՖWU{4gI"F"Fw+/Wv3`]YAp>3٧5F(Ɋpu66>U1@b#Tz4K qk]<¼T^H5=aYndIsH^AWBS-pLaXgǩҍϢJ`!g)nnӭHxxU~ L{0zczcLg 1׶NvaҜڂ2\g(mM!V'՘u]ɡ¤@1_=Ǹuh8.>[,&2R*=cQNܛnpJÇI~5$ fЙ 'I2[wY %&DUׁ5X*Qf6_GhΑ;]0.&H!==,CoIo,I2)dJ|[8(Pz6;>׼ΤnO%d%5"bh"!5BHS+ Ԉ䤱UWbý^W3,Ml7 98^u,KB< B#IOw_hJU*.; wh2M<ЁE) \<-y8a&`H$xtU?!֠N!!3H"lڕy%2٣'gky (B}ce|k~&apYC;Q,* D R@+fI%]Ζ9Ō^1ER؇ )Os-Xj٨l7ffi<e2ޥv2,{ lUKfnĺ {OϩC[|%"gLX<vH?JU"İ SJGOչ7wy7#s$7QRn7I3BMvw꣣(OE/\HxNgMs]9qCɧ}ǾsF@zQ5KxD2ȨM|{߷F\ 0K&Ĩ{~譡4oƟ8M:ؔ^Q!Td66V.؂ֹ̹6fIݛ/Q|oA#ةG^OtS\k ]t퐦 zשJiN-᤾]3ˠFI品G[뵥b@ǼMQϥPfNhC"=re<@e-+ {ԗ)/+fBldʹx.cH: ?ez$ΝfY"ΰꘐ=jurʽ  s1UDٟq̥W**)ǯi Mկ.Հl-JL7tgi :3[=w[)pMBKL^zdV9K9T.DDIW*iEt&T|I_av'AP+DnN)5V+'ԕ wbjU&c{X45AFŽu+2 sv֪lk9?E=<l$+mn4?B#.CF Ҥh>"B*.ZfH톆 1˗ͧ1$~yKe鋨Zgu2-|JZ P7m vSrɯg.53hV/c.n7NF1MߨRܯGt{`zJ}7w._پ g.bˑc&YS953J0rMGA@/~G@[^\a%u>ʄKۯI(-J/ 9N{!Y j5~Z%F~7MЃ szB * imB=~۟`:yXJ=4NǍ6 PZl@+I |if`/L% Ѿ4|< ox@ Oa R0r4ⶻrLF]$D= E80 GCA+kKch8|=]0cpg@$3Wn. apב ]~g | S0a[.{tr+_i؁+)z֡ nm ;j,, WY~oe"SV%]SjP Cg m c'`*2%*I'"3|B1oBˈ z>Gת@TT`{+ܺ P#/[ SIq֥r0^6,h8J٧!zI(SFjFW4,V$} zfRi(!Q.0[bEpbI& w^Os)H0 /3&竣j%怬5yr/N`mȌ=C1ߎ|mQNK,ls >92QT!dx.p4ݡ8"oNzeM yp>۵m*93f*|㠜Jaҙ~JWJY= 8)4 o4VjNZKpjkI=W;q%aH8|Gc0RɇxviTu^ `nU{رOYV. (-c[-z]FxIe9ςź_!"԰HC.tk ޑW~މc$F@w6sۙs$2 JB>B7{6'DyxXIpc a⛺i:/uy Y]pE4㑣}VUj+aoM]͢s]\nu7h=t܉DX*6Z0f=-}b\Ȇq'kf<]&X]t&.Q)kٶ/Z>]B:>~^R$큋bKw2 C@ΝL;lETT%\^^3'X6u1o9kcǑwޑK&D iX{d{yx{ ݉B1 8G^BypO ̵~$x%^R-~PDOܵzTu1)xWN@[!5ͿW. VEԣh=סEN @y!fWw:o:п%j Z[޴lBr ;בi!|\U2+Q&)lX;DH vw}FfzNa GsփK1!Jl6qe`_y1y@Tw<)Ied.up Y!q0jL=-GOY8iTb G UZ2ױS֪a :jXlJ>"rٶA02K>RW 鉻}G2,ߟnFs{5iĚѧ{0!|.$bO"G1.-|\6S ;^@w6e! DHf 1nuWVLqsp}oS>}MN֠]l>^e'19K۩|jk|͕ Ik]! 
C"r<ၑHai/ a9\ʌg_X\FBQkwJ3k]uzbRڙSsxQ&0;N2jL_ޛ$`^qFN.ӱoٳT}i][R.ђ% Oږ\ޞ s/} фX (,.$dXe7l<.}p¶LV7$i[>I:#뮞u_!Sg@l=uLb.k@#E9j?ex c-qFdQڄ}lt%OW )s.m,s<2JQsŔ3m*Omn<¾^Fh nqe3Cg*Xayi37LF2F:/ )Ho'$D.3 #@bqf9zIh.J ֛FbB.%\$}(qDinك> 39ꢼ5% !$ M/Ůt 칟>l7%'2mKVEHH<%Fus?DیdJSESH/$Lr<' ?O[XR/w l[:έ_OFCT /եNEȻ|%C0$Ժy}`;b;]4}Їx TG(>TfEqʁȖ$ʹR350G*y@3s [<ōuf%c 6Z(_ĐkF>iٿʎt3IK4UB|(GoCf4o(?^эǕi63* 1  )ހ2:tR =P -FBw!Cԧ*O42QP&Z+yI9\ ]T@TZlVh{bY8zU`׮ 7f(.3BPd;Xu0n|LOォ0n0A17JRW ā7oh^+pg/zo\qȾbYh6|t[6JF=+%bl]m?o:(|KiCd|`nw1,_U ދ}Ik"Ű_ h3aޢdd?d]NCsgul>^Mڹ(t9^c=´[ V>Yj ϶ bZe~\d\j(j޾w&??ZrT iN>a/M9'٥kQ %R ;՘' +pK)Ys3}8eO;cz<@P|j(J=^Т{,'9 P3r{my*اDԚ( 'GIA^kĨ`+ 0/ı- +\p:GrkrQuFíi"q"t AF{_k;/]k6r#I̾Cyl~O\zMbEn7x D$|]b`$G;/-jPz/$)lm͢p7_T}܇{׌?`JZ+fG 2MpbcaS\3PM)Y.͢w*0+M9.E5o;ȬH ZV`~^C$rr|D_5yݑ{욛2MV<KPX:#|8{LkRg(YГMůr[5p6P59cD$9 ;;qU_fjoNkL[5]" v-ڎ[m֊%迌e3]C%HM;N]+ l6䅁$x{ІH~/dqz~:߽zZ6w%v_; Jc9zLAP`sd.zH2 S!`$g( dQI˥#TXh[&o8X iNrS݂Lt"+t /tLIQb5rGI7G2 O<)/ݪfz H5If νItJ 9>4n>>|KHBm͒vd#Q޶A^yuwP1[9|/tSgx"Q-+ N<8O;J77id*yKz=&<\]% /Чh(=(ZaR=2>Y8>w<~Ma:uB.CKݱ(f?G("UĿ{v{1*0Y}Okhv_@2vab$:Qu1/htODVn*[.քTs@zٸ8֠; ]!*f@e\zehy[Do翢῅sB)`0SAC̉ޤ&0]=*{Cj0(vȾ 4CC5Е9ij蒿+ؾ͎lt W~޽w,d UQ=<28Yku*n [5\&=Fv=HR h's8-PmwL$$=W-`mg:JhV.iRFB'Id!dڋy81ea,E=wQk+ORhkiVj##)rۄC]((^}t&ҴW:7^k,fhAfPiDsސlwj%ED)Ws;DR o3-H15D3$Kbkl/(K21ct.]Y SjrD:ű\yp]c; RXPOTll[W|RpLOF@F|@:?4}0j8k!q՝^ ib1_@!:j]4̾, EOfщwC&S<|?ﮑi9dΙ)++;d鏇4 H6a6f*?V)Xsd0 X64Dh-'*fs)5CxC{Mt՗QER_󲗇r{kĦknkҫ|||s8'tZz̪ xeD)+UtLc,&f݅2bbI0Io墷2>:ԡ,O5\Ych`^ h6oRERH kvM.}7&zw%RUAmԋ1vzK 'I9Mg?ՙbn~IU=sPu:nfInO!y e3yZULPCdxH=FCYTz%E4܂s0ddC$bB93IL"H͉Κ3{Dp]i@W7,\F:ouO8wG1?̻&TYԶ?ݻu8 Vz :kf7AZ`'{SWjJ Yvx#E|45|*~Ōlys/BTHNDvP̢4)9ټi:݄ آ:Fwp 2;g(&pZ1yV 9d}jѺ߰r<7)o&OY&C)mq `KEq0^{2(jcDJT=pѩkDb />q_olKt w%g͖cWnjȫݼc=ӨƅoGPՀXeV 'sχVKx`wS^Z^X&x*yOj9sQkLOWyo(" p;jCBfz!J2)Vav*vZʽoXmg]>)2糯gOl$ Jrܛ]9h5ڳ{-# [ <\QaDtTAp7mR0֤kU=*/tȎ[ZMD͟&ǔBRoͥݭgRN;)W#yH`ӄpB9ܾ;O颣|`-4X^}oXkH X5T^6gڈ )~l< J~(DRc TYL(/`\#϶LfL yUFQkWp"?av@1BV 2յ`t*wOf'ac`jS؁Ea销G\V·DzZ"{ci.-:2y򴹚z1i79O{4{66nBZ2q;i|f)䛉y9nίd6U*Q^O*^K̘E`F⿶@mݍ 
cA?hňLݳ7@clx)ITr)X3d-MtX<.@B'T)*kG;gkH5AgQ5a**HP%8q;ͯfUDL ՠ",W$>085YN}{ d}k;{-7})DT?r `~$!.BK{%d  Oo[vpCy{'R^F w( zU($g({eKlpFՖjxu7_:JpvԲ@8XhSl^Q6+OSMIl0^~ڐsQymnEan0bifZ3Pu횴'L/VYoV{cjRsX6:љ*?F;\ր3,CxDZKwlv}9 4Nj2JkZOV?1[JOR|ҩYK%GC'^'þ{}W Va]2:yB x&ˮF"=L*)DK“hr{-3~CûOH$-٬ z]% 17SG[?\\MU+lg*AeUtdy8V|i^(ꗔ7d]F@m9Hp?5іۓ6yZ};|,V}AU m\8aS~BFؽr`CDz1e[ AT&n.N1V.E6t(V^46Tm"z^?$Aꡆ /~6[j&͡; `NXz3OXҐ+Or$c^:'ZOӐ,:LU+C)cV} AJ Jp"ɤ L+T8.zc{+K݅znŸ *cK7{Fr!UJvIc%eoeׯ3AQ׮B]Y>j︟4C&}sa38}d Vܰt0 ӄyO :G\tY;ZުҤ +xHJ+`sWEr{Aor>F+R֑ub*♭\`43! ƭ~*uZ2?-v1l>IZpU4]Դ#׊iH#AfT)nXO? jќ<ЈME%udlSm<epkaCEZzU\gXĬ~;VMIO?%*r49="Q/^ZFXKݬgeC w#&͜yÃ1l}뀟l 0fEpMmLU {Oh>DbO"Ck؎p9;omZEFqMgT[/|(a!'N\ a˿C 't1D1M-f=xizQ/|]MFR1iRZ1m7}/Mȃ`?A^b1}o[O}6B;eM*xN8~<*U͇IϤDsrYC>Yrh\8,C,OJ w$H쏚] nm r|iC cʬ"k%$so8.9tk2"VQwcsX_զT0t8 V("t}5fUmJM1zwHt"M@)₨z&3eK# Se n&^J3Xr ەߌ]%DB;@4+hCtP:ųn Cs>L/ScZ b:#Q^*M LT;LnQЇEXߜBᏅ-rPW)@wÉRW :{:!(D8ޏtwgU H J0BlB^U C'z4l^.1hQYyJ 5*ے 'B.Kz}wcB.)}vC -N3O n/Mr 5ü)ƣ DvR5daV Us !802_zmDJ5OzOopw|3Ey7,gGfm긧6m]J,~Ì~/_A,sF:ՖRMUϽch@w]MVSU ]R/꟦ K!^GL{T GED׶e`2zE}l-_YI0*:ࠡt)E4th&NF+tLrDu~7'yN ,V4ء;6Q^0w }#їgp-g޻_/6Ƿ]~?Ń-.M LW9*QT^%$:RÞ2l9Cr_xZ ;YN ]E۞M4he~dϒ !:'U4-(lyuio< VۚZp4(a/Abiڥ;n}-'Vk$9 D[x )ϊPSBB,}}*].gRm)k3NDbc%GcG(x%dR/SFX x'gv觮eˀ3sԻ>ls/g@L458(eYַYUu21kmC9 NngzD'dE\8sޝOfHFKB񿫪z`& E\|["10fNVɾI ?yK|ӰV!*f׎f> !6-!)[6 Aj-f𢱹0m0` C-2|M_e H-YsC} p¿XWZi('rj7D|/fk#ˊ13iݰu;k @݊sX13MՆ:NdܪFzWe%7\F iPL a |ڠ,z.6P =uT!{|W@ m\17A{/ Y@cc ~"z(C\FdZPI%U;l1w7#$Uo@{~A)V%`~A3H=B GWs H.amqn/Vtsxk͂gIWLO'G^ӁqȬ GHXſ7HO8@30x!ܨc!Pe\:AѸg {Z /P!YSWp+#f{IEBLc4Welf*]h I% iJv!#B|]0{JkWʭ& cF\LL]YW'/[{Qs^*"'wָaeTY+wXcٝ27o0 x[Y`EOŧytlݔ~Rz5PT8#Y^M3=}S,o bGAG 4kgeāͱ#gGR>ٲ@Q0!֬ߍDE@ {i#فV.i8y)l%Nʄ#SKV$*gANRӎe2y% A$JU61P4'WQ1/"/s GCX>7 n dAE`v-޲ip9@EP֠-\H;=*GyvJ.L. 
z?pq7Lm#?˜T=2WCqn)W0P"X'W,׿o }(PLU#NLuz3OYT1gJyBՄ%"ЕM^'i%Q7QX #%zcbfbWJsܗU=A1L`};Q8dQܲ׫OyF+!*% SwSq6AACzN_j9YXm<ڥ܈j?;@+v4jR;+1N.6'$iџ&&'A)ME^>R I?i54M7!bRȴ+ {vt9^]܌q^qNU6":[a?xɻSs_?ŔZudPH=-"a.·ڧ4ZQr m)[AQ% ,VnRt CY]d Xөeõ~X@?\gi|@VC?O]RulUPP1$}eHG ĽχHݎ@P}7L]@%iTR!x͝l,1Nn,} fzG4ȓ"9c}(Tǜ|G>_4.;[un$9gzOj#֛|֬>(ߘl#[=NX)5 [5j7Uk~vNY@D~x-Xk xie.lElAt]ҟ`Nw'MI,/xһ6a kxT0N#kkf5[DnсKsEO'Qa""|~jd$|[4qfz*c7舰etj'?y}&:jLuȏ90#vMZq?#PW_ځ͉-ҝ%>4Kj~izH @J*rBɓl{6jmf^~ŲB U#ˑp/ iIo5Cl@W,zUF<ꦊ< O" dH{Ý@#^BH /XtO%5Puˀqq)[~5fb{+XX/XN': B'7{H^I|"2].TLPeQyfFgHQ n(AI铄IV, HȏrumdVn}o~XH~UwԈޠӯby]K3|rY+R;v2ze83R׼KG13~V4FDm]$=@|U. L X(A5AOf-pbeۤ]swl^ZN|FVXS^FDqQDDuXu\%m:\ u׾ !$dىT@crӢ4f2\cgxqigֳki-Q# W^ AIJpX VS"LsmTٸGfF趃8$1Y\% J3@j"r֣pWW鸂dOԅܛ앴&8._@%% .@L Dq ݧa68 qOGT3pb;}̦Ypq MQg1-@/l~=F84D"&rSXk}; ޣhxaGaWM#usZ^ \27ï,QpBMيD ?ۆȿ^0ͧ4#yҧ_DR"JyQmyjnIH 9.TOH%"50yP$&U[a6T2] t(I~˳Kn⸡Z^}B`9W,5Cjp\^֏-DOyi-1i_aLZy)LYqe]diLL=A /Ou6,/A#v$EL?BU{Bqm(X(د\\\4@3UjIM8g 6ؤBj`ֈ~+*D6^%X-CE&XA2aR ݢ߆3\(pP؊|yYf㴰; IQx7[Xr|҈U[{ֹ$ho%~Xp픔 JG)x2߄hr_+-fu49B !" m&ɆڞoE@ЀSj_yJ- a7ĉvU{Q m\_|CIz'/pB~uHðech✌(ouhcEdG,581+8Z5dwÖ5&#dr-7_R?4Ae#7D6b%.#u nq'+wmv6e$|Y6-DOvΖUDv.&gqf / 8`_=9yv \Ɵy~#8 WAĞ&xM8cI| ~F4oI+'̄SKbD>vK؈rFvIbȫLl j.9^#qͧ5Mڀ;+}8j}9~e*ցM\nnw܊]=z/qWt[UwJ} 2M&P.nםxF|F1}.mfʎCJ X)L1mhr#XCO^h@Ma4G.H.1xt[# 2ǂocwi@CCdβd#pDn2Kr6Moyw:&(t!Ws"T/!r{-By*aI {UQHEB>9*0bJ:̡Ņ6&eY9ɔJ ii2? /.w,R&X'Q̧<a;'/sQ9,lWN7:HPPCu_ItVOW;$D$8RQVa>z͢;lԥԝ+qNk2g#u=uMDV9Lt5˰4AXo"9Y!՝n6abv/c'@9l4AJ{ZSrīb}tJi)vQV. 
b'(J]f_݆9![+Áҁ] Hw :m gΚTj&DSyHg%f kn~:wLo#%_u9de9zq`?mdçyi0dLFt 񢬕Y:t_gqRBԤ@_[*.jWqmGL!g\+yBmodYBVZ%6`#G{V Cn@l4u*^-9HuKr.uȇ7!8i¶z*9„ֳ:/N P -g[EiT#Eu (<"u1-4N ~~f@da a8goL :n#K-VV.:MH@ F(Yɢd{i^U)Q:Zp|tTi`@4hG#!c RX’Ԏ,'FP]lNXRÝU⴯gpoSWd;vQ) Pa@`4 plvrXu| a/T;yX.lwD lIa.(vX625_xy v0B^Ih223otLL( F|zao:p}:"5%\2J0hV">V=l9Uy6PCBSS'ԛ =;2kȑp'k19#g>- 4Э_$l~,RG&Q)㢴5-9/- TJÝy8ǿF9 ]2֭8eey]tWlGvAx t Y>?<10@ӱ Hm֋S2 Gh1\b^ΥJ5ROYlzq|"VտPj!Ơݤ-&8ʅWp:;kW9 K?'4 Bjʝ5DQFN‹w&O6f`~5s\ۍ@4 `fx0wF~Xn( ojiDqطd5C9N16~wx?}omi͹]x/QeK;, iGN@T3;Y-%O(98:0^J4P(K-/n짃.f@;'vQJ Ň/s濹ob- @歟Ӻ\0tz-ҴWs:JJ|>Lo_!hg讀.<޼`Ga|Y~B)9H !D͜cKO(w*&餿+6[3:1 b_:I.KnYE;2nHύLJb(10@Z6rFFYokf<" 1Fmf͵ԩm]*whjGvU:C $æ jg>δ ]*~ ^M Q^;730!f:x &|bX^}>chFD! X`r)|?Wf}VWI`% O<hzJ W[2ӑ"Y)h;J>YbTmԦf@w( %N"/DcƠOiNy{́5Y 71Dh<LڑRL*(:Y 3]D( V˶-0XX}E0"t˶XZJOSeUl^'*1foIgM Cfzhu }|='=MIGd],}+T^*Ze./,H"|Pi.X@:`ѠMo]yvƫ3!fQmdK) תBg#f"e|u^=q7Ou>QJ=gljTZAAp^^W{VwIymOeEJȽ s _hcjt ,<2cjׄoks;ZD^$SֺgulڠLiBHx/kƠx=~RߪB5s#BK Q2{CC9o`nS+ʤi+kᄗ@X9+E5ʥ<`yȆ>16 !3qx:.8]gg;n' # ቑL g^E&Y܍:.8DP :άevK$ Kx-~@& ?ъǮ:ߓ~vs0ބhǒ/aarx 1Nl^q{e#V rbe" b;eFIy5wA]o>2FX!n5 8َ0pCF*WSf+U#ITasa^jv|c5,AyS @M=xuzS J%sO}y^G2bZ'Z M{,"sl7΋|,+zaۀgv`glWRfRI𜗗Sbik lU׉y U}P c$>D@k{ѲswNj0صІ{0joa3hlyР[l:p#"x+7o.pTR LD}!n` Ȧ }c@M4&W_VlOr9}zxͯ@Z^;*Ι{t/LB3ut/bO߼=DtʮTMj:yv:ubr[7>\'.wiBzqe*)2=0ܘ믅̀tʏ~T>Xkemg)2 $-`)k@1yl o`$nVYRY~xipU,y n:۽ ΒTc KVc:(azOGfg^?K-b( 5̈́dr(]#)I4v1, כ&&v%;:evNW}MM ߉'D0~Sν/qXrtF12S2 ?+ IfeO"eX**{ K{<ӋkSOkR7L)-vNd_U:.B^7rR2͓c }(y,hoڏ !BH7p=պrё;z:4*`aqQFVΪ+9D_0lkg]Q^/4HNb a!̌ HuۓZrs$g0iPǰ.(1sZ-x*o~6_,6Tcaoh!YZ!% AOUpjP?Wmu_6)$O'RIyix:wZa=}Qnsuww~v1 fVLqh8xViE3wsǴzQfZ7x.92U#{ȭLKY:kA -*̙ gdlѯϲj#yq0vˌdY5g8LgiX6SضA#m$!7j㭳}ܫGW:?h?ҶV0htm Sb|H:vjn-t y ra0aك%=p} 4t[" #^uWJY!+9BvhŵF!ofR5V~M_n:Q:=0LoP$ǻ"hcg€#rRzC9ďkn@JG8[ZsMm|KI&LBwHX 8{oyJdrVEBw=Fi[;$b{F 5Yq1r O3G\͠I^`TdڈX .$U o+@y5[h@tph  b^)0UHлV[gX]o<Α8|Ry ڂ Ub,\2ũzǮF9RLo-4@x8:.&6#{] \6Knr U#SOts1ؘҾR>Xֺ0hmH:vfCh> :{7G j%䐙9ꃫ g(21ߎY~b^j|tExU2_}_SɮS/"߹2XJd])뫞+jq|~%h1:]};@&qxMq)9Zrh t8-ɱDUH! 
ɯTn fxWԫ+p!{!#/jB1IOi >#,Uz?u볮,{xîÖA /,՝S+yC9qz3U> 1me%߶¸FZs?JiQ Kh$v_N!J% HgSA00K3ʃ܉p) xAu634há駸jqܤ V+VKt$U>x?^Ī}"?y*8}L$2" 0>o?E2+UYa}T:Libc.Kì+DNm5äD'SFr|d Y =V GH5 K.@MW̑w E'O屳ѡAJD% 5C-ڰ lXE6@ ҿqt4K 8Zӧ~/XD1D';*w1LFiG,}su8g$NrWC-;LtaQ k"̔,&ə 96vX#^ R 1vJv Z3v~oj1~~^r,{I95e\dV\]muc<4j4bfV=_v˖A[B6%8Nc;Hhw'XGbV01m9&ڳҮZDbY}_HQ '(RCT\D<6ʖ,?'#*8WlUQo#H:eݘ} bj|_ϲa7 O$Q{ju ~#b1{w}_)m*w zLB>]w*< M{/-MynP%81kE}ZJ;],UY1?sn{/oYaKйg V1`NhBx & @.tȸ= ]9Dp\kL2kPRca%XEcВSdSk#şΠ52cU@ K2E6R^L 1W`bTTpKeL[dcPb߫Ԩ^]iEtC*Ьb62g 7ٶ^^.`Nl^JQz5@=z͚ae7JwvIjCm0K ۮ{DwZ l]=ݭ2y @cSUCmߌ쒱W8m[;K5 eIm,ǝY+ ~f. {x]r/=!L;n€}LB}⵿e ؇q!nm-.G3n?ZN*F {؆$!Ǫ~)a17}]qd͸QD/Dn!9sW+6}H稉 E%]Z1 X&)'O'n 1' \_:W-C&sf-鷔;"ꘛzԩw`VM[M.T5>[b!^ xl$p*X~`-`Etn 퓒ݦ<oBG#UV|[-*dz tcWNe.gpSw3Q!rVm ȲV;H? =DT0dm)EY`“3"UǛ Hs Be D='?R؄WJwڿy3-QfBsJ[UG әa *%Φ [YG3kd5Wǐ"}2\v'\ $mµ̥ܚE.ڎ5iNDpI\>Hz!2#=Hf[ijgD7=Yj+a?C NbUSy1^˳k=CƆ!f ;-|Fۺ,F J>+Xzg M6TMZr^IU8ɄszW0/jQQ㊄&z1A!0yI(H S"  oԆy.vZ0{a,3}J-[UY-2Jhj4p卶ɝFoh(,/KK99in< KQ}$X4 ӹ8rMF^i9Br/UwEFp9?"QdZȭR;܃/-ZQd!tLi٢7UُGH+kqatfO@M-L_"Xt!no=Ϳ=!- Βt#/V[i\ m_-SӢDĕ]i'<أb~ەoVowd=cdMf0%PuLg[SOs ͛x &cd0i#M|pp 8FsI*> N/"il|Y݇hl})w>#{U̔NVBXζ@cM@ߔ4@ktgnYG>yTIP&ܗ3rG_F`ۀ[Oc.Ҙ?4Cg#(RzD4(^Cg?Y1r%V|3d-kfDGXX#vOl| ǯZƿVVb:^{P 1'"W_ȱw/T +wBbm0"ɅރeQy(XEx#1u^&oDl?yD޹Zh/g}jZ 6)֙\ +ӡ̬`QQ\.FՓ$EG;{v~W8RZ 3V].uֵō "2VfUjH[)w!It˿3ǢE56?vH'"+Sstx ? !46G;ڣ u"L#/t"I:_GJ5 /M L{ZAQc7RTQ!uߝYyA +&3>b3J|Y&xٵ09 !Q&m2W'sxWv{L˥0մgn( bd=Ο.}T5qJ׀E9\f+B8d\GcUk!H2Ip%  v籴xE4AZyZ$|9 KѲ*?2TG f4nI0 ='dWcďx֦Xi _KJ@-ËX.nuD,HCbZ>,6 U0f_aIikj蹟܀W[Q"? 
Nobb^y(BO) ѥ9Ȓ-JA{NXudre"٤<֊_/8#{^0VˉJa#七xR _g>q䂇qpsz۪kB3/et;R4B])ojb./tܢyAp>'Z*[Iq65X0Aeǫ@qɿIB{3ޱ;{BBR U).滭3lT]b?K$J7v^A($gP)%=1$ùh&Oڏ緵 YzqWBvuI(K{'z]z_leEARZHP}iq^ihY-< , kT,7";t bv =Sf f9bd(gԂsFR@^ЍqDU"7>`)X֘ڷ!}d.(V<>IپQ 5+FN~_+`f]` lS.BC?0&?Ig/Zn RZ WQ]C&h YZ~*م-36 AY8dM!Ձ5ǘȑV8D* (gL< t;(<ܧyHZXuX}kf쫖͒~6za^;3WpyT>hJ8B!b69 uʱRCL7'W|Z]=*甼lT; GQ<9F`wzZ-0BHoXU rET\H\Po:Ja[2_z:Jǿ}EыB@<^ 3xV Z;rsnC~.LTӭ'ɲlkՈ`Z{XLLԥ 6;zr&C/x|.H*Pp,O3+?2"ƀR~5ĞKmJ=aE C#'AXXoTW  .bz\xIEȷSwhC4\Ey<"S0ھ}#aTB.H/3IqJ.M͕:NIE?H=k V>tp9z2/ ~DaX|o3X=F.rO w/}E|[tg]>n']ך1W'Ґ H3DV;,O'*.o "VziEGS~"v oi%K6 ?5kZuUJG!̙ +#oJ(Ͽ0Gc7jW/~P1ʅ5o [-0X)eT;H]S;y|0I3)a;Dn?)9ݨ5VXU}@%fQA5+>g|hҡ_P-Ђ]҃3yK6l (O7 >t]xZq6;.\SY-sz#R_ܜ /0qmsc*GULI=Q5TEF*_~Rl}%w x!?1ҎThM^Vg*RvIK? [mvޣ"(sl&#x*TH1_PKe  uT/͏*$n06i$j:>1Nyn.'PC:X X5xwGqy<@/gD ȁ30 SvN64yl%)֦ۂ2t %(%yjj>%XU;w+vOTLjձqR|&WH ' z~sy/>$CV≢=w-M=<%ve-DBs(ܽdgv~*/sgNު膦S,.fAU x:[2+R$3\N] ڮ8-q_LFmv>f^K$Z;R Lc딭#ҹ'ɘ[H<;oIuU܍Ĕi@0#(a죭{ $)ri\B~gMV=[kZ"pEQ4';It+kw A >ܜVe ND3lE=7 :gr%VbaMZ%`CxSBmpI| мKj e/{ : {UCnP]l '*j}^)((ߜ٭A"u2H o2FHQK6zxqw*ʪV>Q)i֍XhxN(sF}-ZPr0 ˻K`kg>s^\3}O@qzAa|xD׎23GqYhKNKm[ ~upN}FT;`|(~5sdg;o P%A x8Cf@ؐ9ۛFF򑨲/1d0Y7FMd=՚4 K\o_& yUly;g de@ y(NWOH9:]e{1Ap{ظ.pWدKNy"uy&Yj s2+("zH6D@0J!aȼgy)Ϭ : (F;c5fֳVشI_vc#Jx$sؤgPU\A&mXM6y=;QR -_4^ӤFȫ躚(`s/ڟ^1KaM޸R?cIe{Hr׼%Z^L%`ʌu#i_OSb0ae`-M=`Pi^JʧdSz)X izg3'z)Oa`}3i${Hx$%5HrP0@|.u]!.< I!<loRACкޗ 6$1M2xR("Tj&;B$'6wzyT *d{m0v(l  #͝#76UN^餏)LE|E*Ȥb,6{|X g+*΃V\-p_V|Y< @ò VlZ?g&QjW@ 5mSg'B}Jk=wPZp "E{ЛmEPQ<+Wj]-,留C"XbнJGq A=fG]5a>qU6A yp8^ pL(NӃ~0:xIC' BI;,JQݛMxrdvӬ=THJhUh7 o)ACbN&<N uYJT'ɔ&~{eGH?29V`.N~x#0\] ?f S95LV'~϶*05`DN`O%]𧏅q۬?>biLa@5SlIO )=P)k (HӒhM)]"^^Yto`Q}%0_2: Ó:הpRUS>L)GmJulm,rZ՞UqK{e*fW7ZRZc:N-_Õws~U {'#l@{= ;SBsG)]u%=b5rXˠĸ$מK>ۋ⭭yn'^fv|_3mAʣ6@_7, VVeW [b_B%pF2jsc2_vdQr|XO7pz=g}2+D/%\d̻bk0J*1'-l9S P)"蘑~a+P0} T6k #^_h#&kK's/ rY:*7e"8CphH|q?.ҼdRd GyE;Nxe/ߴ PlstϽzb@ąPW?3%8-oT&- Yo^͎ }e n٠fCk'5"p:wU͈uc F1Bs\vW^a+0hV?Y3%ڋ<0ދfpC/d 3)@M1[q `% WJN\z3 2%yu%z ]cҦ_BӖo5J ,N[oP}mTPTޙ{xI0n!3mBmY c pK9)Q~\pCsFq'RRD qyU7xnنYa 
chY2(xB )2HCqq~Ԗv3a@QƑtry&`K%ԀSuA,?1IYPKAоrPE|Py{셦Rtc»X*mpE#CRԩ]@[JP`tt*5@_nFz5xF), c#t[~v\8mgdM[g/7F{&xdx.v" Uښ²0p6%@&"a >Id:(L*s~>%עzˏb7T @l*k& 40>Ԩ 1V2>3 R?Pb!6؉9M Z*b@T3*|db)ӹ dnء6Aett/ou*1<6fFظ^‚)I(^iG^uܙ uSx+hO2lo [S]Q!L%Ϛl*g)齱[O _:rϡt䤎{A6>\XjUݴg@QE]W8]f|kznIHfH^2])8͊AXJIK@iӊ>,Ɵ|eeLHuy*2 @FV<5`6 d `Zh_x^׏_H`Z>e-^aZs/]u+-9b- ˂6{ė_ənIrv63y ؠz<9g0v<|ht2mcx;NMH"6v5JZzEݯ7HCm0cΌ@@c- E4߃h Xew5OPb1/>n<^Wa'9N}8cyɃefBQ\qS5! {C"PPxs`}jh0sNTD"ޥ1mtۺ[Kč Nhػ^myC [vCh<~N'D15'R!*n,BykwLb.Tmh @9:/tD5u(!aoxm lFp 6cGA*0h5eAj)@Mg744[<'sm#k- Ld$~q0iD i,}¯5T\ X{3?ʗDbׄ5y 8s:l NbBPߟ_,r 6^' ֲo'oj`T|lT#ma֡2#&L~B@(LSZwg\޸^.;}h5*!<$SsiyCŮkẙ8Qwj:V3󐷑}~GXnusx >vy[p9T̝IqOk:^˘~ϵ_ wLnxu[.49˗c&9ٔG==#zķ Zht 2~~ pM6ɊCz O֐]֩oDx8HrCLy wi6l;١+z'PvpĿ'4|E{7^@ގMuѠ|81G [g%l(_BoZb:'.rȎ[A={w(Ph+fИ*}!rDg8 n˷ٝ,yPg"ɚ U`b l+opASS76͎JRav#>p8~׫A>Jn4L-tgԮ*i~ ?FˠѪS}u~/|> =g$+C+,(8ApKFD `8 Uq6Vl0 ;Hš0ԒpDҗaQ.U!`6 YANbNءB? wG7hlBMcYa;3.2 O (~k :McUn1L,?^uCaH7Ry:?| <)'+H3@ߨ Dj|@Ռ* ZG961& 3sx;|ﳸ?uMRA-ȅcۦK*)} My68QفrW|M]nW]f%?|U϶kࣕuOScJ /Ak)f 1t0#E&pOyR/%’) f;MP;.hBTޏnkL~{2~OT?`8C#&2okrx5k#}bfhDC?*)$Z݂$zxz]Ih,(jtRc28_lJ/âHc4̛I: Cs'c+F5qkG.pW2"Ԝ)ľJnee?L _j$+q2Kooivn !37}wلTZ:2Par0G`FyUó̜5jX;o2yN\z97|^ZMGcg܏k>MMY6LEiN)AS/i?} ,ܮxsp񂤽U w-Nu׵1Pz_K}֫"X_諤rfPlHp $G J"UOUHu-8:02GEu N#!!{Rw:ok󬐿 Z ih=0 Fk#9V|/.Nށl;y{uq4 Ӥ?qLȨSQ^ʴ}DZNvu(+\DO&|*h j^}Dl)]ѡֶRR^P8m^|77#B6Uc,ݞo2x}XE$yHNGՈfS4#1Zɢ}C0Dn5K:% 굵4ZHQr"L7#E3r'57kQV?eƋ!T֖'6xwȠ{vi!Lz^߃]nL襤;=UW8o5|%/mB2`SOaq]x^`7~cpygңF'>mFlgb2C]Tەr.M$EEVv|SZA1+[)ti׺^^^}sPѺ{hC8o,iki?efHj:Bugj9*,irH!6`*?a\e+$ ? GK4}V=}+rCVK췩DcMFQOWk ɐ@=V?<|f)n@* |U݋Hmb" Beߘ?h;ƙylL@j!?]b1/5,eu##v[(W20iՊUbQpM}J39M<`IXֺ{ݪ2(ۼ[fnx ).G\- g,tM1U/N`, l*8?Bv&qw? 
U)4=l]Jj}ynfv &Hw_m7gj39hJB[Z!dMUxg9 g:ߔe@&O_š?6A-]M>};ضٌOZ.p69.ə4/<O)+GgB87c{"j Zo[B;"TVpՅtPTۑK6u0/&i~exnR)9<<%L&Ǯc&&Kk[?:/W6Z+Ed-KPQҦ((W#"Xmh5#Iv{J(t{e *PX2xA1ˤ!*`sK|3SGao%`󘃘K^y>f傝Rh ެa`?eig/wGJ|鐜H C w{,@uN7rz[c߿ibUvA0AړdoS-*)]%6 HVW&:BVLj׳aW`1\`9DWs/:nn~xdJ`1$\߮ՁO\,.Zy*4Vwtb9+(mj"gޕ}(y(̏O"tl{D^, x4Z5ͧ,M rl7~W٪^/>8^} `,S~>s SzfXrmm9A^0kZH+Y鈪"I1.43*]MDg閇5";W|6+@w>. PfO` r|C/1S}Z91YPqmE9|*_!dH-VDp*QͺՇUt_.,Y>v*VM|XIF!xv5؄ܦ4"Nض9ıhf~d4*ϰ^72zx$zph^utwE7~=i؃91D`n<[` Sw&µ'LI"e&qc .Y=(l@^s ,f.@ӂ1/,1ݽh_ Mpާm!]gzcmUl>(_PF]N@l|=sx'^'ͮi|=~D#9'5HJ߰hb>7J@0bDw-/ Ne#'QM`gBF-2WʜM̰p}I9 ],͵|&0PԤP~DUdƒ0U 6O26;GiEB*;QƇ]tT@qșw<5IJ'%ׁZCt5_jaJM`M_HЂ&P,Y]$&ceO*e[2r$z_~ة2! LYAӭ/|RPyTEF^ 2W!|ci~Zʖn+MFP/cHgmjSF&s{ji[U)qM, 7LZUw0EP}ďӺsC];þi"޿lCAx(^A1O.Y/=Mףeo=IU _N/*-]H0K_]b3ݑ FD[ϟmG06R$%z=fׂr22w"i!JL s=eI ô _CG>Q=271fb3d[m~ʧ]1ffM&S~RXXUVËĬ?q% /®{W3#.h8[}x9JEE;D90 *h:}?2ݿ;8 m WVX?7ZŀțuI!oo#<#<LȥSEY&Jp8GkV`crcBֹ,k3NMXH9C_80wϏ^ܟ*[WFx/Fg6<҄uhV; Y˄0gW@\E1/pؕ7PD0vfNU/聓4.V !l<~ Ҥ\v%c;%߁FB]Nҿ<}Q[kçՈߋ{iq" j—)gVSl_l˷FḩcOעv?0]D˔cq, %oReuEPviW?0xr~]_h!!''<3StZ[[:":ܵU]DOmh@R;L]=r#,}P/'hc Ӱ_o P6D2:Fb-Zflnpn]gn%)IW -j@h_gMVe0UPC}Ƹ>jG+)oT0F37"pZ=`A J>:~?HE*cPjVS?+XqQ|]iw:|orh ®ְz/ ڇ78ӑbdo_=9~iuļ)lȌ{f?,M4», )9vgzI TMerQ"T"qU;fl Aj-v3!Qo^FozK vԧD{3#f{QV1Dp 3~{g[+>&3N~'ü?ոVj4}w0\Sfް[%÷A# Ž[N࠙ڭof<G y7B |k?^1v$Abn\]ݥs⦼N.&@e4KӔ>k+rBN P\\ [ބuFqr l湲h?H'p p9pߧ߭Bry=$1$n*¡<,zyS7pJa&VnpEHNUk.eg4@v~*S*_HæuXs6◶`X2B_3y7_F!(Y0C_0fq)'o1vK\ X̔kG0yY3@/؞n,)I%R7T;`$3g[*1\JLv[3u5_Y 8:k4Lǽ0j`ϧ0+^.>1l'B8͋"`L,醵y=ޮM|PG X8Pē>ʼMaS-hM&@c*%:L@椩 Vhy{n;&;KlRL}=uuw̍),gG_->5T*ǖ,-kؤء5Q=A>Dyw&0iV>MޯGZmY:hͬ[-e9^t1i.h0v5Ѻfnb(5- Ď GoBZgwI2nMZe=D/CePEaLο 9AO5,q 50.3Ĥ+iG3{euP2\K壠~45\ުW 2;){ʿ+"2^D@MZ\U$"Yjfs[}RR:[V WuSZy%bRiHt(,Y: gv-|ė?YaRٮ-l6L= u'KJCǡ@H!Ǟ 𴗯QnR;_W+;PPVO]4 orfؙD m8Z_D޶eyQWC 4fU|P'?dH޲Gv54q'5eH 0RR_8Ob6(mz5HQ~FR4j˯URzaaqBr*aXVyje{Kb~T~0M+6葤63pM`Uv2~ a#@p 8ISkA֪qACt=9L\:VC sX 8?W/F b-+M(l=W>>8-9-ƈ1ғ|ZLĤ05^wm$=CII*ysk C0/J-˓NCL%t6[ByuEoFxΎ03 kUM `,(qIkJ1f>Ԓ,:jVm0/~?c`ݢF'9:9UI~^o>g^\hZ]Yf?w5N(3/ƾuLTL℈bP^w[ ϶&EKId?invt T7x0]ŃfrUe0RY 
áVBa>4UMzVg^qxjՈR-Tu_~h{.1rCwV@#^ >m"vh_vd)4ӫV+f4" Z{ͺVgi'})`j2Ñ4bB,C軾O( -bO`[>(3M:^G0(Bi˜Rm#D\[Z= yf}7Y4d"Om:Nxzl|q4iv"Rb)4$qsO6+W^ϐ& /._=Ĩo22Ł \$s M4GA3PVss)$t<$ūV?ITϪDݐ3yIgc[H\NG K I3d&!Ë!34g?bgFHgb1(摂K GDެZ fّN} ʘrk,`}G|8͡As']q0_g'mg0kB=1l:e]T.#̤m˽$oDnV"#*ooi簋 N4nh^ åt ە)\t=& hFܙѭ% 4(% 7E4}`3㣷K1DJ-BF1mJXr̀,0J!F;6 uʾiQLZ$`<}><EsVH[AWuf q!u|l\:WMku,/#vl :PmNv2,\T_~ J= V*1 㓶~~ 8Q^菫X0XLB ~,_7-~^k GF/!pz $(.&3v $j6hcUhU.^UNjo'_Vfs8+L^}m =2"4 ]_ć2 mOi”{8(C`nSm-?֔]oyR}8jp4W:?_Az0' "QYܴ(n*7Xdb!:HI]F׈_/qn&yM-/҅~8P@crSr6HBiI q(CMiz|ivEA%H&Œujd8+PI'd} B1tP:1}#Eaꘃ0[N/[HI,*䦋*w*bmz!Tv =n!qb n i$Ze+S/NpTƝSS;I΄z b U 1lnf=1*9vwZOBI^峝XɜIipm r%G<\eH|Mؾ’u}񠸱?^&Aeri5#P58l "\QV6"sP5Y9935v%b¡Uuť=f. B$\ڹ6d7ۧM0/-P4(\'![WeF/'G 1a;g* kGk#Lb0?dmP܈~lKw7ۤBO8<σvH[֮w7T/Rۤ:boY{ 3z%xcđlsz(I+4ug0Zuhi'bbUt-;2RM!#|<7+蠳2'֬1RA8n83c:,ۋVz)2uH:kJjS-dJ(]jy-hgOl2C@q,VT`[NJa@`%.9]=qQ<gLhe ah/$L FG7w4nB,sjzT 'IQ'i'z8#xjX%^N8yGpKtrNq (euV&4g˂zz9')3 w^26+y8+l[ :j0_+{xED/D,2/s-~ފq3a&$HKU{soW2K`;: $}zˊ Od-<|6~|,&.7#f}o ?%>51X{9xلBt#\+Usn'ZyY)rhB,FJtŬݵ;FxtJ;) C1OmUm8ՏNSY9"|'Zh-|qA;Mީ_b=v lX9Ds4v(m(W8j5ۼnUuфn )// (2\Qˇ%ˡmNR E /wQ@J[GQH`qu;eBkut;!pdg)bz 3?[#DIw l~GIj y?[qƣQc~aM٢rsDL՞%X'}C33C"6+S˘fAy0^'z,^x Ӣq%= ܤ ,3kF)eT!T;N(031X Ұ:jc)"y ti M  ڦ% ݘ{v%e2 _% !ln9JC^۹)p7 ֵz;'b;xy!]# GwdS, 辣8'MQ+כIry2 8^{y=蠡?eGc<(|<::3\<ٿ}abe鞯 l4 ց)-*ywa cyML%},q$rCz=͞ dQ@A7= ߽1e5 H>7O-?\rV4&FFE6lg㔛JRX~$d٣La< 3ȉĈ3p-+N0NBu0Q<<-Ra&^H 1&.{ CtG^6 Sn"iia3RcJzgz.0@EpkN 7C3SuzSQn(~ <] =X]ZTg"էdLҟ' jذW,&:4^8fxzH8~Ys{fxK(qpdGѐDԾ/HNՇfGC>{ d+{hL⡂IԮzϢP;@%Gge$wl.vgP3$WL͈9 tJH댆Goj ,,9`;$nZB5},XۿIs_uMܖ>-=OHMм,tg!gZ}Ft^]υ83&^x 1^:PNziOGW Wm~3vo/gyQe\7 *@L%#8p2t~ /ga|@zPY'^?kG}AQΆ>\lp7 7@ |Jb@|e'<\?^|! 
Π-cHy?fdjb%lۆs䀣-d+d%"6sxYZrJH˼!W0`Sjh7F[<1 n 젏Y*Q5F0KLQ%po&'Ij\㴂]ԍfwuA:v C s`oq`啇Coe:R~pyxPj-;$Q}i>|[Y\sݥ)a9uX # ?t5)lOƹxh~X˪.?;Ne.}Mc_0^C:g뺼 J,xf?B:[uZH>z>}# }ޞ *@Z$*(RV @ÔQ)1Īם5|{'JWjf:ʛ|&P$ΰYsz𩙝6o-)\ RI&-.Fm "1J\dJyM߮_5CO߇Xp"͑"fjZ-JBVn- )ܩd/chxA $2b4$W xR4rˍDn`]p{G޷7YAmxmj%%n~6Imh` u&;OcWQ ݡ^^QY-ynn"~;PtM|g?EΗȀZ٧dsD 9;sXb=|\aqe12=..'b\xXmS-1N`[̕G$(kϠY)9B2Kf~!#]2"pL֮ēBCeHrg$~|Jѝ^k̰A^{9UԂtľӌbqb6IT^2=3Q $lh厓^,K'j3R~#5oꁕ'MXdѩ/.]A_V_`Svqoxݍ5\=S *Ƨ^cΪZ.5(#~BEŷ7a~Q\oI#ߓ=$ql,\dQʀ!T} ƚ#g@Refn~i!Ϯ GD\iV6(5zkK &+'܈IBCpх}32GIzD< { l¤iF8Ы,UiBEQZ0Z\? ݤ[{9Taw,nἃ.I|9>aU<ڛb~snG͙\ھAn[Є5n汨I`njq0> [ʈk,%)iNb#;=.ҪM&}}V)^,= p}5իZx[9;B6=8xaDŽ!9=9:Qߨ4o/+/~f$PW|aHo*(GVofzzJȡ%5 5=cqz"H(KZ Z*AB$/;]p퍸n~rnU#cQ?״߄" :Tk83 i<$DROjnF-8ug_va5 ~o#0{Pb^Ƣ\ e"dbe1·-o׷P\ }ﲇ.[$„=ɒslY}qu KjO($ Q[q˪rJH>!(>xKx?EJ ~+M ;bH+!2/8s {bΎO,`? 5O^s1iUȆ;嶾iLjnn760NA@#2Zie T -$z&)5D?gRg#׷rH zߎ[JCp{/nzzyCml8J~eC`I*15GBM?4 :$?0ZﴚϓzxYU+D(75XBe[0|([([>#Vvc׏9fgECBTCR)Qu*9pBQ5;\^k@ܖ:c|ZvSC)٥)=pi?@ 1}y'{ t2z'zcZ`>lN+]]QBR|\q ,=_Dޫ[:A= !y={qhQ~RI d`~t%?^d'Ыm'hW}19.|e8GQkD)N ;p>zL9gOk7W/O2UPȲ~tdC%ő>ﵸ^= B\5j4ۿH١#K"V0e.;RF2tqTNVX9 >JFSf_o8s׊/}0l+~R 'c٥ =UIJ od%4(VS"T' uP{R76wbʺhJ6Kш}&H׏m= c탄.@ 9!/ 9SNk/+kHzQحC}ܯwD$ Rj?vV{SzM"'TiBpvA/NGVcz1SZO_Cä=AZ"vKpڤr]mL 0SoTƈ&=9iSOn t0Jtl"5:pEq-IDX(3y/) AVYؿѵTw76]:x턚Rdqƶts6sIh!p2K[mE {xs_f |"i*.'ƞAp?/H&ȉ&^^ÇpK #z\}&d+BU"#ci)/M![8R="&-<"7iN)Y˹CU EB2=BUEi ]gpm%Xl>ҐN</ۆv:C_ *A^-;F8SQ5:[- 0S(N g#4).q`b=HS},fi{'g EIÑ :R: ܫW8-ݪ%'ۃG0n a .ܒQ2,{ 'A [Ot%,LA|OS9`OKmZC0KP1"@G!ppȇ#ѿW3J*#{ H9`Iض$ Cg qid7~]=|~ݗIs;p@~{7*Qc !9z*tw=!PםH,ѕUt†[>^K+!o2xOt" C1rX6QJ3d+ (r"We9NM0EE1~yҶ1r>qx@IS#U_ #.):.,a s'X[4"bf7"jL5<'˫#OJ9}^|X_9KCuGS hm[QxRIﶌV6Ljg{?&wg:-ei1;ǘfrnFb'n $Kzc=jibJ¢vh烱I3[Kzh7Kxv,%T2+Me3 %NR)7Ma֞4^F[۞!eWN?%pRIah$K|%X-T&Y81nku+i% sJ;~(^}P˸p#&S9-[[5e(3krGoqwM .Wӣi1pZyF04kI(TD1{ʜ*m>J1_lwtiD: ,$D1wc~L J@|O P4'@jG_chTIW'y K /te$[UyíoJ][F>X74/uC򁬌?x.F _QLCi{5{=NH vhht.I/0!AB֫aL6(>J*MpGn·lNPMS( c|ƶe%P`!) 
$(ңO0g<{X]tY%Lw͙Rnwt&b:!"Ϸ (I5xjO(hٛoĽTT/BT돏$^8aM89 Eĥr> >:!tfnu.K .LAu0sH@xbRʪџ=.˞U җ|94p 隌+$-S٪|%x--kL2H^xnN!}.L0YIEnocVY'R}|x559%`! 'v Џ5C&=ƩU[Lښrq|˾^9)&![~)hcd٨e;L'U%~]b?|pjg% _d}f;%Acvp텙, ":-9T3ug`#X--_NqBĬy H ئBM[xAUMpVNyGK:~~GT KI&,TKZF~*Ҙ |gdԳѕR`ճoO" ,A;^{YqLȝU.ӚG \[Ghϒkm d/FlcÉ*iؒ{j/šyh $X)3#C /.ő$LbDQ5)+BdMWij߱":w,%AKlzfƛra1OՖxRn'nm2hBX$"\Emxm B3̛ JRxhnfKҗW\++=?(PK詟qE`חwKW7 43Mָoy F1j9F(.']#rBuT}ă&߰fgYg^hRܩV.bvqv+s)B:?"4C#U0%-Ce A Os=8]:iU \-; S?r F?Ԏf$d*G$*Qvɋ܊j"ZŶMqj$8Z6];q@zu?U*U~^:#L/ /T'*JPYEߟVZxWtS6MjypA KbIg1T sv)g3,o #hИkC9q,өߎI{T( ~/1=e vOR)n2oF~;ffbH_Je< m#HܛjE{6xM8~>85X9yx;p{`1/{4 ^IՈ~HbkJV`,/ ;nGx&?$nEmȫ a\+y<(T؃e-iu:0EgWݧ$Z)\$*0D@KI($&DXW, =Cn? c&u䏜 h&g6K^VGKfq؉ 4cU]#ō`$jIYDѐ-m=#l'հ;%:ϰf+@܀/0U}GM5X.ZH_ljc"͡jդ&u&-+1L!ކΜمPTlr@y ^UBEȨZZw!N2Gk`G?`i34=/{E`$tUq R|{ӈSp w;΁{Gv[{S (|ieoyepAQFj i`4w"G2"T3ESŚ7uI,,%nlڏI0  AOP5t}NG$5Q#9UljȔRl`g @@= vSͤ%D::FddjgfɍnP^h `ctzV?v#Lqp΃E 醆G释=[/~q/$^9V= ]ROK{ xfPN bIF[4~2-wv}` tU 1kwʔ /ikht9DytoK10^jC#1W< 7X+oqGߎǓ(Wn7KT[zhY [(K6: 9%">y O"ViS&ݡ:]WOnLauhc>z#DwjkH*펫'D+tQ{Q-HX݈א/a=hϵx)YNUA(׊_lC3GuIμt T'yDAbҫ^p;? 