libsmbconf0-4.13.13+git.528.140935f8d6a-3.12.1 >  A al_p9|MS; NlMd\jr9uŸ1/ZLk:[+lKSU\,fPӏiS+EҽVsPTN ȏ٦eNR&җ9 RޓϢr[,W! J*ᇝ9h^0:Vrv2{K^p͂j*H)P5@r!{{øͺͅ;gơ*؂/ӎAlۼBn0j(a@c06d6706dae582772eb22c118f25343f60929811ab16c9f005e90feb52c7fcce3d73f11a95c6078b9206eb8a47e1aabdcde7081eLal_p9|%wRᖔvt\=vdו!ذg7E%Ì Lz&';ɑTv =.$0/EK$W.$aVf=m=,T`xA Q`|ng;dDk8'pwi*Nzne* " Y_.YYo|Ñ6XF +r9]MH[rW ,- >tz#`jGnű$Y-R/9cAIc+ p>p@?|d* 1 N .EKTX Z \ `  H]]](*849:(1>@(F7GLHPITXXYh\]^bcydefluvwxyYz,06xClibsmbconf04.13.13+git.528.140935f8d6a3.12.1Samba3 configuration librarylibsmbconf is a library to read or, based on the backend, modify the Samba configuration.afibs-arm-1 hSUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/System/Librarieshttps://www.samba.org/linuxaarch64 haf1fb5b382be23752edc7ed21f5078bb1c66368fe0e958efe937ce277984372966rootrootsamba-4.13.13+git.528.140935f8d6a-3.12.1.src.rpmlibsmbconf.so.0()(64bit)libsmbconf.so.0(SMBCONF_0)(64bit)libsmbconf0libsmbconf0(aarch-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    /sbin/ldconfig/sbin/ldconfigld-linux-aarch64.so.1()(64bit)ld-linux-aarch64.so.1(GLIBC_2.17)(64bit)libCHARSET3-samba4.so()(64bit)libCHARSET3-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libdbwrap-samba4.so()(64bit)libdbwrap-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libinterfaces-samba4.so()(64bit)libinterfaces-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libiov-buf-samba4.so()(64bit)libiov-buf-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)liblber-2.4.so.2()(64bit)libldap_r-2.4.so.2()(64bit)libmessages-dgm-samba4.so()(64bit)libmessages-dgm-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libmessages-util-samba4.so()(64bit)libmessages-util-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libndr.so.1()(64bit)libndr.so.1(NDR_0.0.1)(64bit)libndr.so.1(NDR_0.0.4)(64bit)libndr.so.1(NDR_0.2.0)(64bit)libndr.so.1(NDR_1.0.0)(64bit)libnsl.so.2()(64bit)libnsl.so.2(LIBNSL_1.0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.17)(64bit)libreplace-samba4.so()(64bit)libreplace-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libsamba-cluster-support-samba4.so()(64bit)libsamba-cluster-support-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libsamba-debug-samba4.so()(64bit)libsamba-debug-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libsamba-errors.so.1()(64bit)libsamba-errors.so.1(SAMBA_ERRORS_1)(64bit)libsamba-hostconfig.so.0()(64bit)libsamba-hostconfig.so.0(SAMBA_HOSTCONFIG_0.0.1)(64bit)libsamba-security-samba4.so()(64bit)libsamba-security-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libsamba-sockets-samba4.so()(64bit)libsamba-sockets-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libsamba-util.so.0()(64bit)libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit)libsamba3-util-samba4.so()(64bit)libsamba3-util-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libserver-id-db-samba4.so()(64bit)libserver-id-db-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libserver-role-samba4.so()(64bit)libserver-role-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libsmbd-shim-samba4.so()(64bit)libsmbd-shim-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libsocket-blocking-samba4.so()(64bit)libsocket-blocking-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libsys-rw-samba4.so()(64bit)libsys-rw-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libtalloc-report-printf-samba4.so()(64bit)libtalloc-report-printf-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtalloc.so.2(TALLOC_2.1.0)(64bit)libtdb-wrap-samba4.so()(64bit)libtdb-wrap-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtdb.so.1(TDB_1.2.2)(64bit)libtdb.so.1(TDB_1.2.5)(64bit)libtdb.so.1(TDB_1.3.0)(64bit)libtdb.so.1(TDB_1.3.11)(64bit)libtdb.so.1(TDB_1.3.17)(64bit)libtevent-util.so.0()(64bit)libtevent-util.so.0(TEVENT_UTIL_0.0.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.12)(64bit)libtevent.so.0(TEVENT_0.9.13)(64bit)libtevent.so.0(TEVENT_0.9.14)(64bit)libtevent.so.0(TEVENT_0.9.16)(64bit)libtevent.so.0(TEVENT_0.9.21)(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libtime-basic-samba4.so()(64bit)libtime-basic-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libutil-reg-samba4.so()(64bit)libutil-reg-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libutil-setid-samba4.so()(64bit)libutil-setid-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libutil-tdb-samba4.so()(64bit)libutil-tdb-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libz.so.1()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.3a@a@a@a9@a`v@`a@`<@`@___i_@_|\@_{ _l@_i@_d@__ @^@^^2^2^^1^^Y^J@^2@^&^&]]]])]@]@]]@]nU]nU]i]e@]_@]J@]B@] #]:\ڭ\\@\@\ \N\e\e\}@\o@\\\\\4\ @[[@[[%@[@[ @[[t[#@[[Q@[Q@[\[[[{[z@[r@[ @[WZZZZZZ`@Z@Z@ZZ@ZZ}@Z'Z@ZOZ@Z ,@Z@YY@Yo@Yo@Yo@Y@Y3YYu@Yg`Yf@Y7Y7Y, @Y"X:@X:@XXsX@X9@X@X@Xg@X,XƉX@XYXe@XX@X@X@XWXAb@X-W Wv@W$W;Wu@W#WW W@W~D@Wj}W_WYZ@WYZ@W=W(W!@WW@V3V3VV'@VՄ@VՄ@VVIV@V`Vl@V@V@V<@V<@V@VjV]VI@VG"@VG"@VG"@VG"@V(V'~@V V7@VBUYU@U@UUAUĝU@UU@Uy@UUrUq@UhTU_@USanopower@suse.comnopower@suse.comnopower@suse.comscabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- CVE-2020-25717: samba: A user on the domain can become root on domain members; (bsc#1192284); (bso#14556). - CVE-2020-25721: auth: Fill in the new HAS_SAM_NAME_AND_SID values; (bsc#1192505); (bso#14564). - CVE-2020-25718: An RODC can issue (forge) administrator tickets to other servers; (bsc#1192246);(bso#14558). - CVE-2020-25719: samba: AD DC Username based races when no PAC is given;(bsc#1192247);(bso#14561). - CVE-2020-25722: samba: AD DC UPN vs samAccountName not checked (top-level bug for AD DC validation issues);(bsc#1192283); (bso#14564). - CVE-2021-3738: samba: crash in dsdb stack;(bsc#1192215); (bso#14468). - CVE-2021-23192: samba: dcerpc requests don't check all fragments against the first auth_state;(bsc#1192214);(bso#14875).- CVE-2016-2124: don't fallback to non spnego authentication if we require kerberos; (bsc#1014440); (bso#12444).- Update to 4.13.13 * rodc_rwdc test flaps;(bso#14868). * Backport bronze bit fixes, tests, and selftest improvements; (bso#14881). * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal;(bso#14642). * Python ldb.msg_diff() memory handling failure;(bso#14836). * "in" operator on ldb.Message is case sensitive;(bso#14845). * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED;(bso#14871). * Allow special chars like "@" in samAccountName when generating the salt;(bso#14874). * Fix transit path validation;(bso#12998). * Prepare to operate with MIT krb5 >= 1.20;(bso#14870). * rpcclient NetFileEnum and net rpc file both cause lock order violation: brlock.tdb, share_entries.tdb;(bso#14645). * Python ldb.msg_diff() memory handling failure;(bso#14836). * Release LDB 2.3.1 for Samba 4.14.9;(bso#14848). - Update to 4.13.12 * Address a signifcant performance regression in database access in the AD DC since Samba 4.12;(bso#14806). * Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache; (bso#14807). * An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817). * Address flapping samba_tool_drs_showrepl test;(bso#14818). * Address flapping dsdb_schema_attributes test;(bso#14819). * An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817). * Fix CTDB flag/status update race conditions(bso#14784). - Update to 4.13.11 * smbd: panic on force-close share during offload write; (bso#14769). * Fix returned attributes on fake quota file handle and avoid hitting the VFS;(bso#14731). * smbd: "deadtime" parameter doesn't work anymore;(bso#14783). * net conf list crashes when run as normal user;(bso#14787). * Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7;(bso#14607). * Start the SMB encryption as soon as possible;(bso#14793). * Winbind should not start if the socket path for the privileged pipe is too long;(bso#14792).- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./sbin/ldconfig/sbin/ldconfigibs-arm-1 16364601904.13.13+git.528.140935f8d6a-3.12.14.13.13+git.528.140935f8d6a-3.12.1libsmbconf.so.0/usr/lib64/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:21699/SUSE_SLE-15-SP3_Update/08b059d7b5a0f63758fd796f8b3745b1-samba.SUSE_SLE-15-SP3_Updatecpioxz5aarch64-suse-linuxELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=706279e66f08fe42ddc6004fcd497900d350e0e6, strippedYPPRURR2R*R6R R?R4RRRR RRWR$RRHR:RR8RFRDRERCRBRAR RSR RQR(R0R=RR!RTRPR1RRRRIR;R@RRXRRw%#qH \utf-835a516732d90844c4009af5c7d9cc2ac38633a37b2511028f0e18fe0e194eb38?7zXZ !t/pW] crv9wTh<79L7?~2L2`?8xd}%&H0^C\L}~"H"|?SLr #"W_  <'*a~[TDp1=8)}oVs'q3Y/-] =}P%|F ]$cbDξ |Pn5.X2Etӷ`]0=4H2`[Dy8 %J=(%iև0 o[]Er;@tjb;EN_Y֬R'KLw B)W4$~&3V%{ܵUX]21U'd*j5T _,?{(j|uu~F]f%H' Ħ)boGW2SΧO-&16I^/b4oL ^ޚ=++ ; + yq$-xZߜ{{X;uS }҉еy"? .{>K f?pctx.3Xo ԏ!a$XHI=kmeWZOv@['eySX43`ԅemO}k+֤ 1kN,f=s\U~WKe uG@rP.1RHh$0WUgDoC6a  K ibh{"i6}~v(л ӥ%*GVh0Lܣ} /^2j{|veO]vPP@RB>[2BVS#ȴn+ n ##OEwã9|]OTAۘ91mVY@އJ^UMݭ|X/OZW9}@D5hFGmʽr1G7{԰]ͳ` !ꀾ^;/oW̓[E.àՉJғTngB 0#.?\ɓL#Ӧ] yDz0xApW /j4BDr4xOTvQ [5M#XTj$+t|K9 /rdqx9aPR{mlAuKLGHH7*So>nɆtyy[́< LU<1@}K*_Ɯ}R^R,5YڥisHKDb20O/ HHOp$B 26l{t%ff[guA 6@\!ʋf(F"v/a~D _D?7˱sbl\%=3(CFjqK4˥(>j,=؛e)yE642t(UvJ yXmǽ.#75#7 9,sst[dM> jKG 6Ђ۟ec۷ S07jhi=el1fTTƳʇAX]>ͥJNy- }Q+:Wy~6FAh/InI^cr%ksmFJQALEDPˏl1o[!hsCCMET.Ac8kcCZѲǫ$CE}{~:IUUIԨŜKW#T.& zx(ێk=: `tI #{c|qڞklMԮP |Iryp Vy7+/9-~]YrN)nmz+rD"ѭwYf4_k^*u~L)z+ZYwGd+A.aE<.IKE yǦeX jkzӎ#=x F܄g[r{akcpV1J_E%&\%У|,G֋.4^˴fщRul4ٗ')9/ x-Yq,._Ch>l %/bCDS`le`s? 1ĠtT?m( hE&+W詢0K7W-1DszRGNci 9/=,dU~&ץp}kHo)% ͵ңQ_[ˏXZ7Cw V :/ec#|Mxph)T,t>./r*~%hVe;ZI[YnDe#:ӒwM׭524y\ ZD`xaHOlz֟/)rMvV XdPl(9Vޅb_Kw}4WD@]e@/Gd9Ĩ;SUKHb[%AM8znb|O}ڬ?g}C Пg7lZuCmmR!^#O+u _ʣɷcX5ֿMv &񣪞ot#GMc@xt֩HBLtSNwΖ:$ϓGeLsCirS\񝆺VMa QF v̒i 2vMCXe[Tނ v >?%( ՗3p{Հ-Gr=LKٕɲiÃu6, 9=lY ې#3!4}gPԨ{2Lt̀Gڮt }hA[+iWdzXK66om}t g%` 8ci׎L x \h4IɤMGeS`_j .`-R?5j}j7< RWz&lk*Fvrj^'o_W)O#sE^-G KVAa?mҐ$5z\2pI*`vZ#exdt!ylws}{I*?r-ʮCVW2%$b.2s2)f eQ/v"Bڞ"-| IT!~g{ܟW8xk@*aFnD_٦QT8~ڻ.D\"sd/:۸y, ?"rTt<"Rk2N)3Z&}Z> }+}߅gȊ _4ff@Ā 9%$i [ 0^=pU ) q@hb2žTq{^-c"UbgaxOXd Ǟm }` E6#HN|쪫~!}$_*S^𓔳0픕{47|<9s6cxd \6+֛O k#Mvz:C>UBAnqS?yFDV#ĢpŎ9b z<ཻ2E֛LV"ͻc̱<w3MUߎ96BIp P(ԴO(bbJ*8\Yf\L }C9l4嗧*kc#G@ o-p6<́5+I.Swetrc=-7^pf )U.ULoF0]F%Kv.pdX4Ot3k6 } ? n1~Qo.1PlzR b{'<)UnE:|~%즪fw!T.FD*y U̲|<Tᱮ#ʵeQ6}v6lϪI<~[z&/`aXDtUSBa]Q\ Fq9ʟ- wEtᒏl{!: B >ًl+374y@N/TcߤvxqJcoƮ~FiBnnWpg5.uNb}2f] YO!-";kټ',Ӯʼ!z2rL 4/V^Xm^^n/(V8n z"rٛ5ТjT}Im㑟ӫy,.-D.>Nep Ul$J F#pKxLvr`[?_|֋"bO^T,cZ4UjG%N+ު73%asw}g`Rc3fؖ$)>\qc7LjBU@gTă+j!1*Wr.{x0!es;C&ȘTY7ߣ鬼"jbWRKM] $?8^fJTVqlZ)Ho%]< C!24+Y7#+*7?PDǨ-V0^'sǯ!m 9X^%Wp?%LGDrҙE)_Ժ`)'+w}l*I5"sPa{4#z| G0, {JdfuHJP RVش-YvhC;zi<|bPBw;cE R70sv'Aj!ͳN^9w-YF #m-&vY+iqɡCx5md ᾰod`e~e>C-mv_1"1ߧ]9^鋼WOD7;6/r"nv)4dD$(rORU3I|7$~6͍u=KHyQ54B\9V~XI08?#OP4anPn+Kulds+7.Ԋˊ/\Z"![FD+ZƏXVESiJk ?YAg/K>Tx{/t92;+t4: Rx0P[Q37$b&mϛ .zuǖt|Mw.}sc^ O 9`R-cζPnL#!&@wcT'r+~/n/kTh[ީ>g3ylIVKW**OO :YXbK1,i-:_hUtusjy%OJg*? M bpnEPnyο`R'Yy<,> |3߲T_ u "͜/Dȸ5Y/8^SH^1S_Ȭrxg+1@B%+kU=^=+Rج?B-+j܁a4sƲ+QXyVY +߽uBi7Vv N5s33tOLRsW}r=". VȌ^̷zrUw9c ̤ƩN1V/uQ93@B20=\1$ NyM*}E-8’ msXyOG5aRṅ bc SW/`ڌEb&£K/4lkm}Fdb{eSŋ9 M085Afax׮U W6mGa!?uʴܚs'؛Ģ4MVM*=$eDŽ$CXp*^! gMaGTwtFa?%,\kM m(*;.%bz_\o4\ 1y4 8-bZsU26]NGZK)/ i,T^4%p>Rd?[]0q<xn*ޗurњMu乍?q03&Qts:ÌL&(k?^uGAWdzt9hQ5B"Zb/Kdڞ.nXKk@Bb}/2k.'dy>;5bȳʞmӤ5yhPhavʁks7h1T}藓EtX Q &y֢e%3-]k!ހ࠭NU] ?)ToJRy۾BlrNW#)۷ ;,nRN*ZΥkg//Ck$qU'9iM% }>>Wb;&5],z` ~ZozbrS_Яf09HKV"p63f݀Cسwb>6ˊ#1x ֫hN?< jV,cV&|a Sˠ 4l]j-S} Bp3r ^> > ޜ} nd֒ Y\CzliTJ jQ4j-1OBޅf@"!$m%飐wHa lޖ[BاJki7Q.o?Rp/SNǦwAj@ K=r͐=+{%%;pںzB XnFL k 4i!1]ΐe_p9NC]M6gR)\FVzOi;x$HZ, БyسԴ D߭x͂롨' +L F7CQ~N^tT h- &GС(=UI4 *YbmLk_:BF SBf.Zu0agסȰ-GP_WZS7)j{;zI13B {B r;zoSAc  UFLi.eU l ə\$z,DŽ&Js)I?8&'&QH/DzPg>TYumrN_bv*%@7:vguPGc"_C ) & ^1i'.Uzt4mUYࣻ#3F0fM|.-Ձ644f/m;j,b.f߯-n48}w\3pеBExWNUPY4Iבi `oI6dn,s8n۸%WP~{R)RCG궒A[{({ *WD|VQ=Ԅ.ynG@=vQ6Q}q2a\2UcG(I=9f-3u!L LzCTG8?R٘fN i'w[[cq箷)Ȍ&@r7ceB6IDAo̔ˀS+jE wjtuNbE6KIb)hj ({$B+5QQeHԼg3sjku9g58s=,$̼.xk{!*h{Pxc-:eݶu >m+$ lSRe,]d:JHq(.3oاFfb c^F@<<}|[QlxN[RU_rQ;W#5[TheQBu|6U *DڣŅ.*jaji(Gx"A-rS?@ÀVzMOj}7^)P|iOl0U=}:[eEMKGRgm]S6EtףA+h0)m: l;?BCIYۗS"/z 8MwR翂 H eoS$=s*$([9O\?,{*,++N+(=U]kEUuV<\+i@4[;J ֙As.fqhK3N{#ĬpD͗7%Va[*p+EI:$PgrKv C= :jjY(l]j %U KfQۀ=ti4xS:jrsƒZ9z8r=!.O^WOΓ']:RDuP.!t;'n(4"3U)Ni#tQ OR5$I@ƤO֟ǝ'tynD2wL7IL zW IT$dh|x-CդvQAjW6VbF >/2ZY:O i[e;$zm1y 6ӽt`d@b7{e$kע,L4~fw¸2)R }])1",.s x_MM)~'IHET%QЛAK[J\0h?k9%ާaΉ|&>a6} F^gUL*٭x`t9 ɅG ;trr1&{촥?m&Ra v˖E9{ݎ2 %yEG~m3xλ\D.J; f3v>i0џG/=^k2`M6\{_Ĝ"4p!P˂+XP G[m)ȴJC[&VASRu/f<r{-LyKqԊ4Nkncqg􏈷s WE5xV `^X2r;Oˆޖ׌ *gAq 1!;?K a oW,VOLWQujtZՔ9T?9`P T3*TǬTCs0TqжkuJ1?π 4`&}@JKVOwyMgruT}N5ilC& @;ɨ,ӕȳ`sK7B#|[fE}',HDw8@a5[/, 'ђ71yXX.?O_C:CmӍÖ4F@~U;59&Ò%&lg' zYA63_eґ 22kc(_]E<"F\?b}Wodô&KᏰ( Fso/zEftVoraz.oV <yʡ8o䶋 ε%kц,MnWsw-8 ,D}zYSƫr5>6#ϥ GQ4qxOL@`idnc $*Ӟ8 eZ,2ziœmًnJ:+7dm9Knļ1`./9 ⯳ݿLn]\{croE"/7@ Fϝt.sv֋4U}BZKGFFˑ\ȣ>UL\fUoUB;[)$s0ZrVxhZ5]RGJ!|mi&s[X)"x^1A d3<66̊01l=;[ 7x\CU4i.m-'=> ÈϐWDeWvx=g s>?U.7 8] NhfM*(4Zxy;M23fѝIəie"|nit];OHu!\Ԍu/HpAddsqh(se}#U2N8Ba01\ wWdd-6/*RҚG>̛\8M<&I+- ".9ۥw0~ -O;~8d2l8hSH!Usvtj bﯮ(Z=#GZ "N8rf~W#ꂇ݁YWM( VX΄RŴamh${xa%mBG#ÍL.-ھ>(\K^jㄠ۰mRs:m\cSQL!DOM ]yV>j+h[ȑr Xtxms):w'NxA!41pʍϩ =Rؓa(6aq5BhYg'Umi? ]=F,PhTC0+{8-$͠)9dj#XPμRȐZ2p $<*s|*h|5bgR@GiR酴\ 4`@Aa-s*-:ͫ :|(6$GD⩂+ݷbǛ*yF{˾DgDXKOleB ?;~+ܲS|nmE\¦p SqRQ.,?xĹ5ׇZ'Ϥ4H*(q'^NNa 99BDjd04g\& ("<'2Q+'~T}ML$0=8/] 0Old(gEVO52csGS}{9K|?o5A%.Rd& 4{(r$_KB~3#*i%Un?@es [VqݐՍ|y\Zyj !\Sa.uH VƆ8~љRXY#R|ȡk UE}K1%n.PC=n*đ\ID"ά;AX悝0 ][4$h#*u\rg|) =15~34z+HB( b3%:g2=&M+J0l.(wzۙ\|]Pbd_,ȃqOe z; t4ߪئWtդ un&b >]e{]*5fH9K牺bUCę'_6F u!A$U4i|j!f849i2Rܐ9 Ax; MjO,) A8%^"878"/\oUZT[(Ąg\tǮ6eˁ1r\g(rZXdhG9?+m_P Jex*0PJD,A[JcBׁ(ž$W(_'Ro'^+Y/ 5?%̠av K}~R@5UqYoOOmGZ>eC=I=褠tM]yR#N0~y/ 5Iaeq#EH/NӶ€y p5^T 銉 'EH (7,Rg9֘"(,]{&s-x#%kTS;H/RNDoN:נ<҉&}X&txQfYwS+:Kq50(u^dsLߺvVܽXliOnI_t'& %I&0x#tIv 9>a l!taKq?(a Τ!bVZ;WFYOprCi3PYd8־{cpT5Z9!LWJ\Xnk7؄5\u?JD sV̻KRq7Sn?\b1Hӆ]5o[2ϱas5 GLh!Xames'(aeN`Uz F_6\O0q[iI|iZ&F,F*wHC./+d\ xZ! +0ūD9lsdZ2|sakؐ-_Iywh}wQFvXvvQ`"$y:^?o-{p(|yy|HR;-EC%s P:yΠ3Dv?iXC\LSVEǬ2b4jȈyUfE-ϛOfM9#7`CXrJ[:RX]gv2xE{i8w# *\.v,GA=@p+&trd[opq~ S%1G! !2~Ѯs}I-T2)$@*rOS!Ez8s@Նb]JPZ:\|`Tś Yhd2.зdd}5K^,$˴qb_fWD3nF~-LA!QYV f-c|r1}bnǚPD!ڤ>MRf=?m,X^EMi 7: )V|>"̊=<^ z}?MJyJ[ a38x.L?fLGmC{>C>ږ .y4l@;6KL.Su84r$=,sZՀIEj%^@E_[3B86,TPqGlZ2|duE(zeNvIxJ$Կc)s.T֡bn OSZ|Lxy3-GA̠)L{!c`NrLh Ry$N,7MWn& $lϞڑ0^Ãɜwe܁$DnmKỲrGXtriq-ElY5@6F p:plp6!'Gk,y,!z,5>Ѥ8>xշˤku|QInTO:boE c+7ZIsEqK)H(x,QMzb̂䟿6~jy1 u5 uƞSmu5u HUdc⊤1v@c>fF}Th D!uU,e( *n'|XؼH\-X`hk}2<,=rNk8DžKF'hGsp]au>R.+/eTM@۸BDۙ_HLi;e ?F#_,y5zV QRL]s}Qa*^\GVwC0n蔜P&0m@cISLWLrޙ!z}B& _d1] zq tTOooy%v}wTogg&Rg qzq%JƑJVѳY5L 1"x)6.N}!aڌD$"!pu C1.ɅESg7Cg$Q I @KT Z5?YF O'}8 D;W~pkn \v1fC@UjY&3[@ >{gM+fpks!#[\n]ϣr |M|^],l}IϺE21] l=F7c`F_ݽn03p{-ATs3YdMVivP7qx_T憚[]E=Unx!|h^C@@ f=P{#Ծš?'EKV1u~ɉMs[r4MTUI[Ur(ǖ023)޻ |FRi FdfP{ أEmd+V*?a熨7h!Hw>U Wyrw8 fRjso˿Pi!m<GiRQ Y`6!UoD,2flx (Cn Da:96\W+Jںb]2|呬(q]·yR/ -YL5@خ >JxWʺ -ॻ%!<<"zI{dWcǻ*1Uf{8`6я{U:+)gQ&q4 %;1Z+`cz=hI8ɮG)|k*CjzenD dL(GtqVy- F)&Hk:Lόφy Pnͩ>gYsU$0>vu aTH ;cRR^rgA@zQF)./2KQ̶6W0zї$~DypS Xӝ~DVZ qU_P$石F7k@{U~'דu58"jANAK #y#Cp u\m|'hn:]J6]|H%RYᷳO2h bkr>:~4'$jȭB+oGyG"E3RtO"dN#J Sǚl3Rk;x7'YjrW͝?3G|s ]?(P=͒;+~=Q>s3ϲ_^!M%ud9&x4$PuG%ji !g}gz!'܄YUGKi9 w"@3@C\!a-ƠGדI$gG ,(G &)*D1TYgY3jˆH}lr4e Qt|G3B& -;"mxTʟTD( >n-'4{`ko)zyxR. ÄG@Э$g6:5J<n˶)P_ w砷G!`[iֱv9)4O_Ā F(v_j^C97ǥub5ssiw?դU'MD7CiV9KYQUIm1tT:`s#{ͅv;|Aϼ= km>5Y:fI]fioI  ͸&wIAV  N)ϖs+w/y9hqъ*w+5.ጴfw2rC.˵{xkM,66V wMfAW8w\dE3k&]\=mC<G.Jϣ_@:}Z$d2.+WxcS U\+r!>Y` [ ƄGo}0I sֽB :9vW!۸>&(xߊjML70]CQL-k~JC &&=1VPwԇ%73 kҽa' v #h|ܐjP]')xBUp9Ⱥo@/̒)[;  聾n˰1 g]y/X"+CiOw@̜ɩ}͔ Z!:Am Уr.FD$v-e/4u#){eCqbs3Uӕ@QiR(i"`1XRhVwFom!VNIRF}l@'"ۆ'+}ƸrfG\<R'J6eҍK_B~cs .%iFT6 5EOƍ RB ov1gnGSI=ʹBR[QJ[ s1S6]Hs!KGkNwZ>r[[=jX!99(աH}pϮؑ@g/߿yxuњk0׃;sPM$ ~C.#[ X5I;wG!0JGL&0]C{ν[X\ -t0t!=d_ՑC uvub(;ޅYS;0~Yq[7!g5bSFM6uϫ5Vk&4t[^V7#)CmwMa:O^OKbN)WRZ ыM O/l˼&V䮤EMfFK](X]iGݯ!6 _`c[pw'<>X70$%/^hH\ޒj#RֹgJ,3k Li/4\&S3$C -'+?&j̿&)'wٳ5_gOK fZb/~__C~h (93KhdLUδIWWSl 'uWSO^ ِz\%v? >hG haH.fa:Tzݚg[qM$U$Gݜ|+Wn$0tYy QSA*{vib[U, ̞@Jy D(:^$}SoF݂r Gv}%ahh#lq$%<#&/ڸ L}%ĹnkxΎ9` Ø zʚnɉ0W^ڔh,yг 5zH@\ݳ)N- Z<kcnOf": Q{u@3$ dϏYĖqSHsZe5b`AqzjMHujF+ZUs"0 O;u|CO}AV{Grg1%i:4Lɋ]5*j x?B* ʶI;7y@)Q8kNAڈhkrSTI.R2-Y:I>]/3 Cdt``1> oSXFY˦z/U>;t.?&qhpZRl& S,mKNa2 \n2L8Oֳ |{-.^"wmu3fy;(ǝmx֮r훟iYB#D́|zW!XN6 N5X$ tQwIyd;**tzbDºn}P?D")(єMUTCR˥ .-r՗Fs-]AS}V1YljO>.Iz y*NRZ6G3}F=gO%N)$hkwtiZK)-WCAR5`- Eq~O~ tP Z£;dPrCLoe} P\J9l0 k/"a6SkcŻd۪R@p}4~фyfph`=.L*rx-Fyl!C+l<100`?E-'㜳jߖΕd~#V.,;ȷ嬈P\'W2.C2)`!{ D"# $:*ТJbnrn *s +jC I<mxc3A翀Upr8X AwJ|Np2Ww,vU >ECi)$Ko3Uթ^6RmuA`~6@6(0O9$${}e-*@a1K]ճP9K kL'E28(:z+5v!<u ]Z׼sGt+E)RN}w{DjxθLnu12>xqdNm夐*_MD@͆{N2/G<*Ȃf+pU8M5׬ڄ1 (Z5EB7<Ӏw̧k6vi~fB]NܡmÉU_s,ghW(Y4CH-HAaa"[G2h^7w7~z\ w2ؔٲMO+'nRQT\ )k fJGR[*&B"m=  4 Q#Pkx"mʿJS"tޕMq Ċ&Ņv7}U<N ~X8(~]5`p(j˨bd_9\lK_A,@Q\FiX`fܴ-M@6퉪X*blgˎ8)I4v[4iw4Epy{IdV9أS wP^@֦s᪢PQ#q}cz\m.>UvMQaZZYuNXA eJ4=Jš! tbU@’QrW1a+?O|{FiAs&x0^lw{[+5G׌S];,ƪR7zC .;۪!E¢g4PfS]`9d%?s]״ݶ;3 hGwF eQo4mA5(~RDz~I 9vWv894&zvN(rAkV9Th GɩUf$}]Ra條N$V">x䡴 [aں-_bm~pW6@^ˬи % z:JRݧ$6axZT^g>I\=/ol3R#Hf]0uaH,g/Z<KMH) 0M$*ׁ-3}kzMoqf()d|rSI6E: ]CRi}9|~O_KMϗG?N1}_ Q({|M_ E"oGwoܭšYU&RMR[~h|*Fɮ<$*t[OuhũPd8sV#tx+1 eB(VOp\eQΆ ˈMIFY 8%K'.(T|dJPљ Q#46wy|cP;OgSX!r;a`om~U^lM@:N]aOW{ׯ풐yAQS( _"SK@H]g8`gJ j硹F[Ga"Q7r0! W0=I2W6oQ7#]*x!ު’x'rfTo~z70ZJ#GYU'9tݓG!jqZǻ.Y\$8]w,;@8e7@R]jSDWQUeY2\o`mǦ"f s9aHKfDhPhtO n#S酆E 3,2fYӦ<2z> Gŗ""d)wC @Os-z?(cPc̗w B,Psω Ck#D+ZߤW4,,Mh+[;ÙƖcD @CEʇZQfrd$8~D ke=S6,,@]H7oSoysÖ/${z !hV>ܨXcWPn(Gk@pX S5Q߯gP=\f%k//_H3$lP0PEVdeCQMAn& eo C[v7>x"g#zO^diWcRtyP㦬O"b7Ϡ!7@xA+2(fq;gFY-E0K' lR߽ tVK!\}Lrm,ţs}Jj;7d'?a]"Fِz ~E񀰕ub2|63z&ېw,j=bQw =N;̜~99.F|CɏXVnRca [)fK[m+0V+t?5ib!:J饩y4t8\kk}@JpV&xFiY߲YV24U"yȏ =sԵY@޴˨> "3lrq%*?,TŦ%Ous1YRVOywNx|*VH[X靓Zҥⓥ,;iQ [l= eͽEWkdq{ty~m5IT4_cN,~ u>5=>(-/.cwig˩;Jઝ:si/ԢUnYAsg"ag/o^OH"?xQ췆ȝ%ZA}Bf1 ƛ_$ gNo[eFtx2%Z2Kl)3VLerB[ZrM1'ٙAP)1+ȶ[PB΁QEU2`Y; [WMftK}V) 0Aѱr-:Y~R^0b<ԡ"RT "x^ =_>QNKrAc#g^Ô9? xv8s(&Qzt$n/MI]bMXq2(-_Dg0 phJ:rS](n Hd/ث}U(}w33R훙]x.]v!~Xn+o'ٻ_pܙ+S[d~$Pa]4(FI:fZIaAS)Rp.dXcNecEG $G4D!_~һ9`% ( lOTM oq0q%hY|K=Q7ml5 ?Eޥ OBꧾ%)H?nOޝ3 rlSG><"]?^b֠}Z]Kl{ޗH̿MIx'fus#f[Y;y}3%? Fk=V<^Ϧ?8-&0:m)m1ЦUg͍!! +7QWx 7"=9z 9J.4f l%m)$fțc߀f`0/h5tr]R' !|#-HM,q$E-i-֞"Hq|25H;' -ɥsZ!>D^6]Q~q<˸H+iu'}{ds_M;c*Ѿj:|TP1d_KҒ$Ec*?*P.^5HmISɜrp.Vp85ژ/i>rxNIZ_#uV9jkfvۨ-QV,;lO Xdau>MD&@,9 _GB"+eSsW72ɽpO\?'$^L8h_>*J;=)$#).ر< I~ 3 e5U20UlP: A@{QVͯ0\PO! 1"(|=K.ԑaoILE :m\r'x0yCaʦBXW'm[zU}}YMIgd!)2W MVm P;-EEXF>ƬQñdn?l;RuKn̫'+oҏ@,hM`K9)20{SbOѺ;2*xu;h*;mrGBHȐ^A{- '#KJ_i'kB0iA(,F;HַXjy C F=9nw?\SrԂ\{6c '7b\WPxD/s/X#S/CVO{D Nϯk+N!w 3kjt ~c% "loto{`l9Y4CX<]d5ګi Pt.􏾖CEvK+y_4~ uMdwY"Iƒ*=4">`/kG,Yjܳ? \vL4lDԈ)dF+mH ްl,12unz匆V4s\TI#W~o|ܹe{!HjF?}?K^JP1b=fZ vBCV.'1$5W[3ZWOU tMo:R{FN<{.2rWz@)/_MpM ^ 8>y "fm /a<;zi9fce}׃2Y3r ?'L&۷ķ+Xf~RY5Í66ߞL,b#:>/urb#XZ+l}\^Myh(DŽ>[t?T,<%o2L1JL]dFD,x/_NR<,x˰Q4CbP?("|!Pԕ=@RȄoiIG/uxOuJ5YN42+NOhڻjWhtNk4_rTLAf2Pj䆊Ѱmw F0VRc'^΀'NL-|ڂ)JddW{@0_<NyZ)#iQ3e{զҫ1EÒ~UJ@U(k2"Dj9mߕI8CE 4M̈́įDX}j0Hˋasr"-l=1` }aОYqԧl~vٲlUdjAHh)}R MʿtI19BFȫ~aa#ڏG/,PF_5)/v`$(KI0&7C3nInBF4 v)k+|7ܦ7 0zOjB AMlNL!]//MCpr2fɩ?iRKq|oY]5BvdRJeV^թH6TJ y{ŦUv =@h"H3]<Ϋ]~}ŠD,!%OwXN@nEE QfulQ2Pa^YvݧB<%{ ڜodI/`9pp~"LKkE:~@&24NkJlj )#1+Ecgӊt<~m.ziAoav k3C]n|U9d ".VmDo.Gf\DvS뼸mhrs,^2jFހ=b1/JD$ԁRu( H:^gFK+)x,N_3U7̅dTnxZ[);Jb-Ya\F˚hF|$6x3?!QGT?b;l'@y @$gg WG^ʱ$)s̀QўI?iWm jeZTSsEZ]S>sR } I(MtB`hC]n pQ] CBuiQꌕ& ؾU#d! av $Z"ADgTΤDkQ,0b]?a!%4E_,e꓏$='io8w˴(>&mz@RktMk]&c_"s+*m>JU !T|ahǔKOܔͰNõ̓۬?Cx~> qR= T& }O+h#s@Kɕ@։* 4{ʡkٰ@L$|Q&u>6-0k; AO$|o^!XK@' ň1}Cq`dl N:vpMsZ6qT1e*>N:G bVR2Xd ȝU:HsJ-Sj1 P;$|05N2Vpg(NQf6QR9y<0 *8 ^i n$bcqZec1e{:Le,)+//31?OP}oyF!;b75_Edu #|)k,V1):51MvV(=lA qb>yTXIEq;1 Uof}a֛&|i 7zAq;QɜݖIAs`\ോHP!5dS Od 5% _q7|0 ޢ4' n-B0_x V/씷)lwPQp&L:`HZcB57rVN|6DEGƐ"-ZAm;[ڭ$2)be18c֑+O5o ΍yF ΝZW㾎x_l?8W>t^c$&gx;/XhABBÁW %vt&R: !ut jM b7HHR4cC ]~ɓUlf>NkaVL'ތD1a1 0Vsc2ZkC^^CĞ)0)2e Aqr@A<gOZh;a=WjǏN6G{^`k٭@' I[9Y'3OLu}hZ^By0-b#}x/ٶHA OhbXU?%../RhĻf>{=,,uS4|BB|skj"ҎnjIP2ZXbgе~063{%l"VgA)'̭c=a" 4WY\+0t|KODz0Ei1N.(Ё$?;|%w??AR0FO5nwe|xpumM/#W! lzIEf{m_Œ\#Sa̘tΎJh"~]aU(#c'bx);rl9^Siָ^{d p*pL`8d,bp{`#֌I a<ۜRȀXq[~-A!;[gJUGwHHTcjv;V"P+'L(\{hGSi"~' 'L5"woҖ:*Z+BV@#DH!SSMnXyQ"5򓺋?1~T&ZIha:ܵ] 03WK֙(y85K**2`6h\,|岅:D![>5 GTx{6x.Z҈@S/'\(]Υ#-yˣ?GaC6/fD1,a,ojlohO''hzx+ʋ8}DF4-[S9;;KTBC6 7Aٛm"?$OD2>aU['n+:8ԅrdM2`?gkLXAő6e~s#Wk"7EBDZu6,rw->dAC'&Ֆ揄>H ] /0 w8bݹ̘Y.uSIY}c{{7Vͭ65(9K0,zG4c !'<Ů*RS73{IpT>aQ [a&Ҏaf1$pn*K1f}鄊KIXI610mҤv*#Mr9a6=( *_:{çBp"/>ϫq*_CRvPg*KP椆JsZw"HN7QJ,?9!@KdKȣnƒac\{5m5|gtgmSO .z [?| YQ{wk&t}RޖHʋu@ ׂ/+,T'ɜdiCLnG8i/C֓_e*tsMJ$8$jT3.5?iDlͅԝ Ѵ޼QU60 fPFlٟ }8tY@wޚx=6蒅}pxf]Ŵ/4,"Jm-OX*)x%^-*+pa?$>dp)0p\9E^כ wLtVCV Oǒsp3wt8~j}YSvOZPxrxwԝ3%)vVatCʅؾJOu0bLD~d)51Q! )O ?4|{| >L\0%WWT9_z-HXRץp09mv p0z?ll^\Y` 6' S]Qi5TtJI_.E#[*ŹmĒ~&0G-js1-M1x Xܱ;LE2):W$Vg8#N=5\_˗&$g;.:Kcgf%y;U ( ;yPW ٓL ig]6:`>c;PPS1vm& }tLHGOjjߗhP˓^٠eTmwIYj бҴ=%V$c7-GNi9G" W"u%áO'أaHS3*fkУUf%1gk@!<h#>Ҭiͮhayy{w.>EZ2~JqSTr:oF/yaʻ{MR*]}C(f-0)I:SVBNs Cʂ\&^# 7;s3=aMI4QɃkBDUΙysr3E!;H%%;r|{%}U/ac4);DFm $nw#W&^hJ%ќrG=PLNrA!!9 GEH30;;nErCRv, 7NF/=/E89p*$Oz_bkٿ46,CղvًCZ'p<[v_ȿuw]|a/U#!&M-^πqӞyvus¿S όh+u偭rX2*\lT^k- Bnfj"tHQv uo#4a W4S<Èhh0 {\ )^2huYW5:39vB0{:(Ys܎V WWb2'"a܁%MQmn/[+MP2P'ʵ'UN}ۯMV34SK2Z^h|YwQdB d/ YA|` ȿصCQbW^UZ,!} `!Iz-` _&)̋9_j "#P :he5WY.Y<砅8Nf-%c  EB3MS˦zi?*i@^Iy)W*`nDXV &C2aDar",Q}- ǟw1\;+(mOeӝ 3a5 QyxsM5 f,ПRq=a $2bD1-{<jي=WԭDHDM`۪(am5ʸBy9N\b~f(`?1e2|8fGˆf_=ɉ @$.O=$N:NAj=)f0uD_uQ/#i?3.PM$]&'kf<+O6;B0tGҺ:HԀE专S'_Y5D~ AG'W© Y=4:dCaɊIC J$ M [^]D&V0AChxV#]qqZ2S00.l665z#c^0jR}+ri$vl +LtLoD }UT驵!RGJ3H\6FQwkegpVM~-).Y;m9{~_HCʬ*ӎTbS2?_2O<2?ʐsVɓ ڛa@uTT%׈W$YйFIBcyP.q-g"NV`m(j~dgc^P@2ifsOx#V[PulK7Ŋg8J }K/vg $1a,6Jګl;J&>&|dVNxgeL|p֠]tfZ h`+IX΍c(<7mE 1{?wqGccTPCō|Z=SD^S^2jӶ2QL @_FXgM2b9at]Sc `>63`([~l"ɬM@Y9ߏb/̏ʠ)md P~2o'uSk@4[oDM8deAւ-jKe?rƦpLQCDLA! m Vd GKSC_*-}-E̚DxSiz{%@]վΜmbX|q˘zDťK jVTnѡ+0 G $ᛐx2IfTUY:GuWة׆s7h=a)Gl%ݝu1Ngm~jJ&q7Ͽ4@zauȈ%J &p#syu uWݰ`1%2BBTbΦ(f*6)9Vj__+j^5;OH`0yD` :/^!HswcM wU.Ol ^u5~JXZߟNr!񝚈Ip3n"l+`u ?Ovў@,CxotSapI+a@l: hy͆ki\80[|K;?M^[CX`_ ȑ9j%UgdaH⧵Tpk> Ln|V*^YhK)uG/F`{k()z(z=ݽTfjbҒ ,t I-kry?&%9uke%#a,⤜x"Zys'ZwNo 4zxv~9%߾]:MeusֲXCS(ΞJﮑY|'+?d^đ7nnaX~nqh94*`(]Ο: Zӥ;a_M!a3zsM"Yw^HcHɮ8Jʫ/4VzG[%Vyz^ǜ#a]nY435|8]TE/go'nʅ܁`J"6,+z_Ż]4iI L͝C0x X;enP6@NpH$?-;OX=/k(jǗsp" d'?"pjMw6ۅ#09[#jmCP ]j𴟛"K2Qyhq`|t04j5 :is NOf"M&ʦ# R(=ֳYFoneP7]VɥLމ%Uh~Wn1%*s,6>Veaf4(>qA148b+S#ԜikjPi&3֞#o8xG/jW =8ڕu*pXnEJ~Wztb?k% ph<BPD*cUiHٞ>(  |"4K7hRo,ҎfwxIGX#yD%Xq== S8BKyĪa$*WM#ǽVW #ݜFJqr/'H t˾dgEmY]KO={dH;LJ’ی8Xw l|\7c(urXI$="ˠPOm lo CWMYk$Vo9hG 6\K" b~&.wQ{ ǠJ ǓyӋX&~ZKGݬ@.H^&L>qoih<Ȃ0_ 2֨oKQW\n ?lr}NH 3*ɧoԅba2^8]̓eL_/Ivmʨh:csbVW?6efnTIC(4V,OvTQ3+GOҙZq5==ƚ3#װ6ys{b1G8  ]N‹*.:lеjRIHyEӔ۴9ϊK ZkVMH PÙc~P漽9O55^""s?%{kM6 h\zZ0rytpcMeDn3OpkFAǜzQhhqdcz;fG2֒=L2#4nѬF)Qs >@&&~PB)=JXi?'vF_/;};7&jʜƁ4bmߒE6G! 5ɡ)A ![;E٬W#C=*it%Db@85 @IJzFr ij38?uM,iiD>65'״x\.њsmYV2 *JԈB7NhF:(.2?[r[4Hp.5 KgI }[1r)Pa[.L'Y <+lz;Q_ULqG1U`;[ _ZN6Z҇&StpUO/c)+$+JjLN-G}ZNOM_ս@R-h.JTN*_J>\pD] `!Q{J}Vc8U*u9nV2uHL/S@`hR.@?,C4LKf|؂̶XaWV-B#dbY>rd 1sI0?E:Wut թע<>L@j&Λ.4*M?^@rXB4IlP=ݨM+gFnVYQJAA,M۽sxЦCup9sVW?B3]4B eT Y dukjwN>s#Ԕ5924=Q3eS5 k}ʋ3V%ۦF'9~g~>ޯh~ߟ^ ? /zˤ)m(\mjY ZU(ǫ[Imy,ߖsyA~b5+K!B"ܶ3"GRr<-j 7ΕLH ϲsD8a~RG{6a_{ Fv\m͉dv9af䒝9JNg4?AY joZ?UE+ůGfiavK{ʻ9r$y;$&jKLuy4*C ;6ҭGiN~5Hz\0q0y[ l|@{qR4w_H @0P0o'÷'[53yxPŁBn[|* T4 -Hf_×nErjl@eԺӽuD0 Gնs]3ԩbGȁ` A[EigF9肂y225[!h f▲U,nQu%hv)k*9 P6HPlB]FԔIڎ*X@;/Շ$%"t\l%#ғe*=x"Y 1lQFHƭRo5DerZ3Đ?ڕgMxSLyC2eˏ[\(or "rn`@2bZq+1eBc0*ҨX*k,TtST٫,zέ{QU +5ί@|ת41Ӭ$a5r_Jn1bi+(?_P1s_a ܇b4o> b>$?^+e׈3=[iZMQ1^jR6٣dy|\zz:ܛ\Vycjy}Jx_c<ĉ{ .sB2WUt63O_ftC`-lwk?ѳL/\Mr%*Ii֗K}荍j{̉k$@7~ۮYgf:zR d8Je,\shS]kk< b4늨{bZPP{F 0|()om ,/ogx!b'81_~(Y 9GL+*chF1zI*\֏'uL63jZaOfZŻ|ΛR~\iS>|\D"=;2|rJKV s]Eͧ,IgާQC-C2NV"`*8uN2Ό$5 ]!.Lp-&Dd63$ ç4'6k4?gL3m @k @ɡz&覇~Fd&`BoNm5T-gHw+Zu[?a66b  hI}a2RN5Sn-\L,x*=%UʑND4Wtc/`J89VJ/̯ru`?_wژ A΂,sldfl&&qWƽ A *kiJL: l<ᴵ_:wq1@xJl'jW^G#JܭF;Ԡz$#m+?z폎׬?ųp9Nl44xcߊ^QiWss;Mq\<̵2tkYj2]"1=?uxQIM.5KRuIMɤH>NG)D~\#34X*^J9ǣ&v)ŗUH+1}Ã+ n.%M x0`1s-03"]d$Vu{*Q)q=v<2ф?['w}K6 ̷{ #7ie^*}k@ Z?>>0G[(xە 7b+\sn t:[y9,!Gdr33oze85o :2J_.},N*̝U;ܬ6_܀<}=c17 ˘6UM9p9qA$PRO &?<lUƯ/>˟¸0ǎ lgt-䞯O!_s4;hSDc|AHu!weѴf!m^{GpCa[^eIDOFzͲp`x&<7Remj-9IY1 $g+faJϏeAop4kvs蹚#z R,qWԆPS3rQ&ة c'Ȅ?@+,ځqܼώ^$bYPCN (GqGx׀ѝ 't) m`;NU&S &y}v?Y?[膉y/P3ݒֻinuBk@LYࢧh:uٗd-Rs&2^\|z1 b:@{J9Qϼ*[Ie1%U'MV7aی.89v{S1tϪB2kN} )\T].JWώIq)Zs>HҔg鏵`zfTn$7ykcfR!p;K 5|տBrW)ɭOo@}Ao8@ {΃GjyV7#\3g܊n~!VAi@{Z '&H$6Q}Q 3+V{PYKb0)H#dhe!;0T~sK]S-'SzUP5 G,L > i*P,=;כ$;=fњX7;do&ƽbu$}.|i fvR}kUaœ[YK&<XBċBD9~ݩ5jTbSzQF>3[{ë2㊝SN!s=laaG}(ѹa բt3Gi^,t,E@2$8ҀM ^-n! lpMRit1ݣ41꿑/omquo #NW`[w5*aWcmD}]hpt΂̮ 꿏%zS+YnrWtk rSuh`Bf˶_CU28_ &;=0&ocva>Peu5d^h)?~B|K=˵rhN8_1PyHsOM鬍?HpV_:Wy_,[keI,c6㱯@ɑr;(`ds^xpjt9F [>Z^~*ܟ6G XA!3VP'lj޻LѹF}T;W \{G0|aBH$a!G}C?FrtnB4Ǖ4ABkPŒg.]Ucrv=W3#> vpwCn0t{{v>)Z)4tmHJ2˵]& he:HTgfC=? _m3.F=)kg@QDg]-b4vU =>Ms\`猖%N3E'V4䧮4uuLp}^ 8A")8JY .Z= ԳX,ӨR4WK0|KQܧOi+[uZ 4>a#iz&58I>İ`j'1<ǗykC)!h?`֭0ud~)ƕ0sO ܜG$\Q ss]V~ y}rJ6P8lKgz# #\؜Z6$[R}ySD]4y=2MZ =y!\i('#O+X۱ӆnXGZYr%C`(&w>չPϓhzEx^+e$iUNp@9`|Ezepf;HH۟m@ })Q;Q lk¿9~ႎV@Pl>E:^0Fc7|Y4"Z3D)Ž"=>Aa9EaM\s:6]NB m T0ݍVq{T`=Ds#:0aW22֝ggql`GS'h i7z"V2$́v4e"~yAψs9qcpel|9{ 4r 83-H]C ǸwQ%xؕހ볲[jB j{0=hRT w&LFJiYqEi 瓭7ݾAtu[ h!4+YZ7Y[HSW/\nJFnfRb+ߌ?ə\%xJKήR)T[n?7_j5S ⋥N!?b_K9b}:j?X :`{z R ّ;qĦ|""Gvm9EQP'U<y qyϸ &h,;uޟn$P0 "qx|T_܂uۥbc6DN޾1IO-{aflA:tV*`)VA:u x2-lo}ecp@ ;Ye@G${-)+yAZk᳧*qI\XHuϥVxW n^v9+>RĦLKHƩBzL);1#o.Zy4GvB J=0$=RurdϚ#f2ƖI !#YNޞk 6Mr+nn&$KudY5RСuj֙_J(80l5EQzyRA 0m ˛jwFz-ĝ2st-zz.( Dg$V#^³d?Zq"|- T/̣?Y9-%xf|z,X=]?>GzT.ӱ.T`7u+<[tMI*{7rw 8;W{åɌ3P_\! 6#`;of+-룫q,EhЂPF`j'H.tE=^S̍Jhŗ8@߰>QsZ8~ Ú9t iDUI f`eîj\HN(^-a>B:b\mvc1eDK &d8kɫs9@&ͶJ0Mv:dCUqRPu^ZUH@v&dBH;@~p\K3P uAHwu[a~{?TJ!>pJϡٶh."_:ζBAmٽM|?R>: V#O1&‹Q>A/ Wh̿ءNLfٜN 1̲4p`ďcKiVIP &Z̷ÿa=vr?Q\uBrFT(I ?rx0A&8ܦ r^ŭ`avx^E0/ÀTA#VqЎߐB﯑֩Xȝ @)f˃[-] y%pnXjYg+2p:m 8nF3#/utOOPX mg,#7[@ȣ.'Nb~fV:ޏi7#g|.e"c'zu( S[%ujaHtgކܪ* PhLll8 '8wS2NO&LaTR%QJYӆkO3z&iB<ާJ u^ͽuª,Q8 ml\e>/%:(iw(ųj"z7 0ۂ˄KgfdRLn5ʣSEAu;>\6{Tg7w0ZsɬQ!Hhڣ4 6/=!>.upcmnFUR6bz(`jj3=ȦB'7ș\埝r Gci+s2w8)#JӁ3 lw#PU9AR4'.!`Cfi*欔y5ؕ=-ƴP(9' c%TTPcAc*m]4K;~l(qiQ B?llIiykpq*L|Bfz[]<Ś E^i;` Rp65ݪg!hN]w$>ZԨigWKv!X擫_Q@6L,w&_seQhM"o xI3OWˉUT $q"lZp%jޛcݪ%(UnuN4 ]j_1tBJC5^sYG z}.Qbm4]|K̩Jxsi,elY 1D`'p#雮n A7g_[!m\e9#I%^l"z13fr*>V_3èk۲"Nⴱole~c]):zS˔>YfHh&Wz `Q[K7E3(=Oėo@_%243 \,W^ *04n:8[q>/$-0+vR#)!Ls{CRc_Jd0HOm u"%N Q} f)+>Uc}{yjoŻbXxl9/ m^eA(muK0JI"EP/aLH(?kBN.0?ًP<ᷛU 3  &X6Sgim%TZj5aP[0C(Q]i4̽C7+[CSbϵQ|;70Jb_|o|  l'gDѼN)2` >ROJ#uE#Q]L0+l1һԜP¾A%!:iuW=(wđP!ůC*KnL̤.5P3m膒H/W5;p.|D5p.K8<@IhH^+a_'QB_ m$Cw;H4_JuyĀiIjRwp"̺Bl4%yvm4n=&M&JЩy|}DTeC' 1m_Ŗ 8Pn@{o]66Z~ W2{ይeY pd$BYbLeh8&1J:!N_"dҖ]1_p %d͏r0hZ${NCjǞ@Ml ~X{#Kmb{$k!8A2Ԟr+<vh$PnBs+Wٮ-& f#CLQ EHx R򘧧 G^g:OANgo#A(#|R @/^WʹeWHVr}%SVt |D9`q!i 5 DFf1'8n}Jy\;0[G:±qZmxxcJ8%y۶?5o XRɐ ?_T+~1x%"l3 PO#,Ĩ<{06| HkM鯛 ǣMpkw9U2wyX4 BltY6/~RC2ƍ$"GP/ F q %EbMzyLsv'* EB}"')=|]uUC?!~j|L^rGVމ[i-揭"箿z*~72:|ZMx, +ug7$'㩆3UMۅ dΕ>$tX_U=Am$_O7h, XwS 3pۇM$}}WoMm8xƕ Eæ u7׿wKV͐5U(%!o :@*;vQojnhQE֖}%+w]'˾F9jk)Gu_B$1  39t^ڂ B llݡ`]j4PoFJ:{ctLFV%bk->:|uvSZZB#טzK&h=67Bĩv붆;1˪0xdre4{By#&()͑[[ ZB~AST%MzcL2`= 8W:VM7E> }giC{ .BsA}So~Wr1 8o505䖠ܪh@tFPc]ȧwBa/㑙? 5bo=IFp&6'q;;5qvGWvj!ܝ˪hV?KmVQ&MCcY2vRgT*MEL4;֊WGu~2NjV@ڬJ[Qn?iiF^^)-6Y|w씉+bZGX:\DH QFu _r4=.YsGTdM`?6`YhPc<ŽǺ wMj'2/$TџfNΙZH\/1pg6U6j_[Olf\C(³!@((?̶$ X- (] ,/#|cN6zy:/&s( ip῿v?[iʲ}SSU X*;{pJ/53F%qtm Vgr6Tw];ޤ嘐=R݌z_]_bd܆g4z\ -ҥ*7M^%UVEحl-SB"@g5Rb 裺!?n=j,(X%]CnYP[=BN/I~H,:$3 i N:8r4X/P%@+5RyU@MAFU&`HTI^e\4&?Z [+lt3!$W%OŽ) c#Ħr ϬP{t^DnuQi Rokъua跳zFRp%"A !* $Bsu& LT.0ic2upҒ?&4`~zghtCN80ep==2Cwn:B -v;p|RAS]" w?oŚI_/IDs[paZw }/V%wDɦ2 nN8yXJ<$Tja3"Ijx|e>|ت*;x얦s }JqT2MM鰍GVQ?gƷ."gs]AzotNPIHm~e*۽Hsj'=[f]jY&ɅDXb]Y]exڑ-G#+c3 ѽ%hզed9)9a`nΣY[mU'qt6bx)zf.YA].8 :pB#s*s+'1o@u*3s|uS7Ctb*fLW fKڀ.Zj5[Zx# dy .MXV#<kQ c7H9dP^`گ FZQjkx,U:ن=<BWL& ?Y%HysVu4}dlpjQ1v0/vJaj6CPEɰ}a02E1u<%x{DǭH-D\YJ~ WVAE K=m{jKQ#--cw"%?:q*@|`O`Q.MZk$xՉ91epUG(_(/>&Q#)hﱻ1?P^h -35m_)^ sa_}B14Zb Q:|u> 7Ԏ>Tb$dm6녥 tz)):·M( lY+!W!$T!dpϭoTS.̞a( sյRFZ[Zg p;fMl(xu_ ?%o!8Vaz۱N}u)AKGL7)0Kۗ9jMܪy1tkU=GBHNQ׿M}T+L%UvpG2 j<')htL\eI3H/e>)OE4K࢟c"pJ`OcWXҁ3"a =za]A"6Yb2Zah-Zj;_nV1Vƺs.?c"|?蔠eYC`Nz yw.FQ P%(a(S{:t_p`a/*  J$pg %3g }z+q ؊WMtvEqU;0n.-K4Vx? 6$ZU-#ë8eBioc6TכEVys\֦f ޫk$cZ`"=(0p7qa[r-ӌLL*J7&B~:FxĜ+" yYe[znr/S;Wh\jɪhvZTr " {I8&DW#&(X|e+=ΆSӷ?# 9 f9f]4+*h)#O~ޚY~ 4yg'"9MKaf!ݤƜV(Qڋ}ڌ."]šc ݨdn<,aJғϺBT.TNfj6~M&HE<*zXDzbҠv /:5I2x([nC2jY_̲`dbT,[;2^S6B(:~<]#g'I 5]BGK.?QN~;n=hr_ lfO?k䵕!\3^} |6k!ˠHɬ_7@\wd^0˜nvA/<7ZM8C0DPާrD $ G^b%BnroEg 1Q^`K W->5 Pt'FE:\s) _oUR`,7D|#Joe3߆Dnu/쯁Rh2,.x?Y]>-mXmO+˜E%0CWT\~y#3"}ܺ@<<] wn3cPkH/ڤc"|C^ Gi._a}m nVPtCJYsdz@x@z^GSu9:a#.HS?0 F1qRՔklΩ44\XRCp(6K/1 .F♼?2Euox96(!/+q kJ Ca)岘$킽8M냇ÊźءW2!&B䟳OI(\x6 ʏB5<:yHv-Vܡe;vfv]? 9*&D0.ۼ<=ÝVFw.աO.؜-t(Db;\:yp[}G|_lUU.,LWчD+!)0ֺ;j+DLc]SkX.Hd(Qe#&1fmʢXopvlyU&zxI`Q CT0@"V=9k& 5c\DÒJr!X5 뿂6_P+X>;5m`%OWܕbIUyG&HT@Ή8~)J԰c$9D 5G29IJO{',uNǫPd0&+=W"^`* yQ0/9A.nTJpxx~nM< a{Ԛ-ѷh ClKBшP8bsi$]VT̼.fi_);~SClCw3*ݪ@rj3=qkɜYy8̸5Y(cL/bԘBGID7*ڒ_]dz* HP'A8Ĩȃa} BWYGOX+jWugoE$ݥhZ,;;Uc>oh I0. aN"8mѤ:CU;|}NT52AQ MSg E:jA 5MZQ$Iu)gp|SbץkR?ɺ%,N~OmO5euy ڭ? |B8|^9?D,n#d(_xj}l,{Z s4,8`A~tdH3&N5XfX8~EMb̞_8L- jq5 NhY>;'J6wfޔa 9Ug6>c@I4s״z,7I=4b 5l#1xʽ8?w`a|ɮcjnI o;VI>ӇrD#>U4KP'T] O}c T}ܼ([YBaVOwv ;`\ӽ!!3}袶y9^`;| E|QA\]!LP*Ȃ!4u%4;=X ȫPϤ׊t !85wOfRLuZl]ۻk i2 !D6+Yh{vg7qM >I;$]w'`E9=ڮ q$>M 3f:P8,z[%hIRb)<ЁJh7B̭j^©`@}"͜hSie)ٟXgYyä>K.*LE#r*3H0-; D )6l䡻BZz/y!-6}-.&fU)g^Y -<6AzX٩W|0!UU]*'9e'7 *p 79LK{zNYVnZN;K"hا.efT2- ]kj2Q>: !;}E#>SJ[E~[AIa KOm vNBR=Y~}O:_+= "ywGXo32jʀsOY1Z8f  R;<`)RqϮv*Y[+J·˓*$kAS|VйKCΘOql&lL3zeJ2D]ŴY3vRyz'[Dr)[~iw洇믚2NϏ,f5Xw'^>3m{Hd4$WO8K`RfN8#H('䂌hr|!Ctv( l`hѐxD 6L27:{[q,|ߥ,:M8S_j*"{m擲FXGYIfNa.q:ɨDض_ڷ6u6t}4o!Tb(z xhM1\"uK=j/@ڼRbŹZw`!gh} ;.´:ޘɂ]5 4 {]yfU'&$ bg9J7:hSʻ Sgp-8Qlߴ2Ts 1l e9}FVBʿsg6|P) (s_vmSbxA3-N0JU%я[^+ɑ#8p|-m4~9'v lwfRA]aL؄>>jϔioסf #ۯH餀(>.fFɊjf(:s Rj;f)m6i5L=UNfw=6}2ystOH0O.늼 Ԇ_Zr&30|Z06s^2W2E*d( ksE۪-/Fa^7G@B +l {0kbQam5+ Dil-C(NLNv7wx쉑Y{8kU<%+#KƁE|u~81EqM`eOTk^ 嬅(O )zf@,硑f Rp\ OZf0Z2oPe$N w+vn;!싅=?.|+f1+1W^`cu@XS?h3'.a&5γlר=ͭ8p@oI<>.P`xM`$]bna0'tdq)a5Dנr T6_B>hıڙxԩ[䷛B0-y {}()JЙ\_N%I_hXMH/+D K-~(Щ.F1̉Ga !On$?3Zp{*mX>#wKۧq mU"6 ~oOG$V(!#N)yV&?7sSfj0GmC%`,X<bo=ƽ \3PIոW,g&~'҇CMW:A2Q>*q }[0ZٞطjbRD脎VG_sF尤r Vv`2Q7]%SW3d}BD7Nnd&TFW`BeZt[%*"Ы;ڭ Gy'"؇Z)񬊔S~bZ>Խ0^Qq( 负BFB Vq?ZHF~"G/M2]-}(5!&,ӎP]HآLB5U:bnƛ\X>z(VV/*ՔEd[;*@A'ovPۃT-7Vϓõo.UXRZGuczD֬'-HbNAG]-+Jx&>xM*Y9DžI 2҄)^q9,vG44jK2#- #wԳ$) \xCХ -ݔ *jNz;M&m˘C?I(G&奱$+GJ쿁X'޸ }Z#PyI6M/]@JTw:fs|߃-A 3/' +_X85"}jڳP.^0eg@#MJ5PbQzP{phGL w!RI[u(thf_#Ld]nӗV)hQNBJ?$x9^m_&Mٛ/-5E]Nj o\(ux?7c/ P(\ 7u)J+ aya~[5H_q b}] Hj10o2VՆLUCpxX4?;0jz2la$6- - QU <`/`lgâǙk5~Z%1BƸązpvb8@El#J0E;KY))>JU6}% aaB^0ҕC( QT祧xv]@9!fՌ0QZkn ' XS'D|zGkzle3j5,RZH(eȑ%_ϧFrG(1j~dhPn|xF؟C}O.!VU,$˚1i,lx'QD(i-Nj G:z/ws4@;i@c$IߦҾNwe>e^6?uZ_9<":A x.1dL!* Y vDeEcp ?EU8 6rgݳ\ozOE]F}5X-S顣M$rsD@N_미chʩx7L `'J;Q(> HRy ds8'.]>eR;sX|¦8XS0Dئ9v3]|`ø@z6sV "2^5jQfM J=Nz:LȖG0. 猿`\tiL#D1 *?|vYEF&7r.1RL%&G?H\n/} E(l%3|JKm?/̲%Dgiek'>\t<"\v͵?"X:j) ,&X4ljħJ Woa,!Mc)X|n'^2\M329?& - etx?Jw NNuRSwRI}2WdZB^kiԀlH H}ؖoYY$ +m/xך `=-jևH?ݾY\ܼ։SҺx^=SL jUM8[x?f6Đ#1*lg~5"\pIgY\8`p2ڙ:8nN )T?2A CȠTVv gB+ŧr#u(;x` N8jZ % QNZXx,bI`Qr@?b2wyR\+W,MH!.owH='z@66 iJ =76CaVbL;ix^h9xA <\)ﻲRQu,}H %rd?,Wk&G ce4I~9l*RW?X[Ve@L?c4J*`P6݁i9zN?U{:.[@Zx6h#Ӌ[*=>2078Xse7rw'su.3^v<†A6ioo("BDc#$/& DZ8=Om-(t -!M.bPԙ5Lwذ-ˊRSMMvIT[xR,J`KuTC:\j` 2-0& j\d$){y,CC*NbUO͎S]a@JH5mBpI}{[Fba}P4k(鯾lw3CEy5QݛꜪΓ^T,ߚ#E@C5 "sKē\`sW1&鈚MJ"aVx8?stuλ07|HXʫE28-4T cɨK.uIr:uUcPqNs̄ kV kQGO,ZY7-`¡ s͕*@xS, „A?e2c36G1WLH@N"[R0ѕb =OoPa9◷u$Fw\7Мw_᾵"mn$XsH\B^Y9)ɰ?3: gtйh')7-C&atUHbeT@jX*"fێH-Lv#%5;%iB#iP7f?  I*tvS,%i}dDkM@Y[s!Uҙ%;NyLߒa2_P;Tlz]de/1c htDblb >i4eo|bƅ@|S oU2I,ӲΖ?f$xg@GnmT?eRWQL 0i]H@ݵyǂ&utˍ6Q?Gwl,W\.5ng˜3BCc$boԽ<ѵ1{_݈Xlvd#Ӫ5n9[U|tqZcy38cրƷ|{*4xR4t$K0;%>VSYOؒ3Ld󪝻 W;f91i./y7+t|}h_ mI>7;ICY1Mz+},}4_SH!^Β%OހS_K/R `5Fi$k#u*=hj 3{G\΍2:GQ9 R;Ÿai ~v fXr3 y4GVn|u. .Fy)MoVe|f }L^ۢc\eDPίqNk%YONi|P]vSr3WH&jίxDnSX*Wؑ94YCY1Cd*`"6Y)^ :~x{ p,|Ͳ=P&}tyl]jѤQ`VNM7"j𚰈| `yZ֓0) ^\A>9o$ۿO'WrE>6g$d,xC9Cf-0ytQjٝ0W1;-'xBh\lPl{/%Sqny"",=HDF !0FHF]_˟[r(όD UVVA#k>ZKpN% lg `~:s> lO B-4髤\8pdg1(CNvg炙ߛ}CF2Rw_i1ז <{I8uǷ;sɵ}nrscFhX?ޡ` zL]Ό:I-&ZjeȔ+~Lb.y3ōh%b:[uiDѼU$ݜTjDgv!Lp ] "2N, :YLja>A%uS WC6͹/JN[]{W=mW\1jMxSc5m9Ĩyy,giϪ[(c[6K_':ߖ{`~)Fq17$.u&/!>;祻YYM#yqf49}'{>U9!|\+\ 1QK0̟t:ymc 2YHרn3v>EQeYH%D]hSY؜+/=xB+åd]$7=Lp7ga_MNN n>yK!f-"^Q>Xhՠ :nI AZex3C+Zyڈp@͝O>S)(e^E `cg[xĈ.~%᜹ ^tj;Y{KP`KZgj؜XbvDfk FZH\A&.k:7M {[B Nڞa^}ˑZŒ|}ץf?96%d;DՅᗳf;~*I[+cUiEaN`齁Rd,V"WuܶG16j*SjVLZ8 :VldV?A1Y]Q;;K}R騗c*fg-0:珠$g-&֙qG| SLqX\4̹ .v, V$qb.u9%K! cF30!gR-*;+ȕ|f&~sk6GZD& -ɘ,-ܟsƻ X'\[_elN>|2TjKm0MT:32Ϛ=9ܲEVK}8[}V]yVFOc~,uwGDZSA偆7@lMarqF[%th}ht7BOTx霴-;aX5NUVVl-S.a=E =M69?V[wMN.aP@{I {0gkFx37 ņCS~!A]̢^ԐGWyUuBy!wtUW5έ^e/P)4+>/ GzUS ]u32^ޱMtZ| 3ёiH_MA'MmTh'# ;D.M˽޴8O{6s 5,TA#ku =]*?+RLe*MͰMIC)͹Y*zإ tIv(ۋ"-_`ݔ4t>D&RQd,4/:;0A23}A΂k`zm8EJ\8"G/M VlB|F=zch׎0;% sMR}Q5ys 26  臯_䫻bz ߋd 6$C8b^*ƮcD&cF7Xx Mz=oFi=f١[RTl8/? [VRB <ӊ OPl~ !w|Z46cN&JX,Y_"A䒰8(ӝ2D. ('~%2Ka0}g5-ue$U++9,QN9Mo߫bi@nfx0 ߨqdE8_ؽ<:EG1P}eB. pqwv?$A+y[71?9 y]o~!xDg1X7f3o4gsF~qM9YfV)G)ḅN`4)AZ,*gZwXWJ|E7õc;q4x b 1{n9|Z!˦W[bj%Ë[G)"?>F<+Jʉ%߂<,t]=cD$܎rH PtܳJmV!ͪ\9Kϯ{Pա@+:U]2ݻ*Ghb)2]2ͮKR(o# `Jo)*6`q|.i;l!Dv-Wp[`Keijhy{GA }6Bߡ{d/k3A['X4,S-Hg~J3'Lnyerۢ,Z)fHg?Kx|2QVb/Z7[{`tOqN v_%gt1tĖ@FBRFt"A"֐gPp~jo8/Ӛ$41k /IB@'كeB]8x!l+Zt4Ɛ,T!@=|bXp&iE1 y|!cI4@A`RC*al̅e㔟UMM`kg3ON\)#'c ͊eyu"DˀȢ7T|/<4- _x|QHPc%ɞ! :SoYSX7~ Zn|%iƆla/ȷ.C9'h(Q(f^c~a-{}{ zaEi,c?r4l.ᚵ A!X&35̞ vldu>1nt] » %Z7ܠ{{ H/ЍVbs!l_xX۱!ߗH 61B7@;}13ȭ]x;arD4><2'=s Dơg`(4DU1 >4-! f.ִ9u}P>%J蚔NRڛb le\kjҲb+ʤ}bu tjC8(IRXlBY }P);ʲϊ+#p: uG2gW`^ɭK"y&4Xҏvww0"[ڇ=I2ߘPSs=ز۠rFmP f#bi`ލ"A)}$ogԨ;;x;skT?a'u |ܕ4N.1YrxSPS,a+#ߒ 7{/;07(KVTÊ8ު&X-i!tw1XHɇ^ziIH4}mTOY"Ph C/!*r|"LZEP=I#{=\Kn*[_nFȞWFyҍ_Zl56mAz1cFZqVb+>4[kRVh uXWGi }nqk'm/S{-j+gvEߐF<C[JW+ Y m@7g m :ѧӌaSL0p޴ V!?5yѼGzVc۶nBb5q 6DSjx*nHGe`xcFbK Fs`km~+ FbG`3u;3Dkϖ3;fC,.As?uvR2^g0հk90C^,r rܐpB"~ɋTPƑ^'Ԁg1,[0 XYc񬔷q=#1m|a| m{ʣ3gȞt0yr$1tPb6꾧*~<+9T #%CTK= Kȅ(܌,8&1#3r U[W`L!`uAcEC퉴I囡7(vA̘'(ܯOAt"JKmj6~vTؓx1O'yु {ȽL; O|@$S I&y"u6HgX_Ee]v]5$Ne,p9yٖy|h|t x;hKo\FrO`6AY?wqNR (@ )p\Y=?![׳bM=Y E(7;Q0=tɭ)GsڜFX{gI?wԘRݒÉ,%<AeLPבl`9=@0(^x M0 b~] &A; ʽCjLeÿo4N*xe7́,y!iwiwAkkh;h"Ͼ:k@>Aw+On&kDI4L-!US#I_rfV wh3(gbd.6+6vEnuŜ7ccz (8G]8o3t?PANro1_tP({4+ 뗛+X4 !(꘴BS~ū?NkNN>1t%l!ϘI3>NWA8[Y; #ľ_i Ԅm;"}N]ϲtFJ6&z܋C", ]~ԏ*gC2I2-/4VREɭN\EU V=Q8Vc7d u>B%]̔8ظND|ܾ)$,x:,_\nLbO) ;"ɐ-)׮%^u~ e %N[ƒH'`y0ӏ9F('W?pλ?0͈ɖ&ͤdzLT5z%JQpjorl vgYUV:GۚM\1U7bEtEkVt;X1o'T*d$Ci3m(N(y^S CFEe&޿S8׍.BTOaIEh0a[q@"LI%W:{n20A:slqTigJ% h _7K F`KOP*]C# 'peVLqa*OWM1ߚ4:6b2e`Ղ ?'{5f_rꑣcvfy{or8uj`3B~Bh{ylSXzw 2 28M`)֓!Cq&"XN_S \ 'fJ椂].0&'=?aXb򧃺"=:'PV䃵8VAJJe%GpL!C}àj~;#f64N<Pt68\1c_?ֵ5)ΰ@IcHgS'[o"Zl߯1rsL x)_H*לr|+!rhn_} PŊ_$% 3>) +Jx18w9bؖ Mzs$%el-M>i9{$gHݿ$~@L 'ȷ?el@4xBM0|vMlBEll$y@i-|}ʻGeDR.9mRd7D֨  o^CLߍf}$&@Ylq/D|3@AʏMK6Q]uT1h0MCnEN0 u)q {ύСfMXйYʀYYp]öu;cy&|y>OӢ**{SovTnda! AIK;$ρkʖ|?q~^ 4 ɚq-{VHL6`W%]0 BKcq8j^9Xxm@80>Y6ɷ!-Pn&pBzXH;.Yy%4&wPdǘB'y+<uh2ΡPv%NKl+şS>is: !I (Nz+a9qBB-5TZ= !XG M{/ o@=3_˔/H1 R+ rc+|#7]xN @0qn/L8NZJl6iFii~Ga$MQ `2JI4v>K6sgH@CNhkRs*9Kz 6 Ӱ3 > dK-Cth-//B'"R-^ J%uGR,= F[+FOBWF#meܥPfFwLyaYK~E)IQr;T{Q4gbƙbW*rmԲBd̥_A<5.ܸ?NA<>V7n.2y}rh_9hy8АocU@hȰPh`<=bsuxCǏa;|Ү#?LA\ԭR Hi, $,Ǣ!a#.̣brHm\NMtx,.9~W'WZ$ڋ͛޷K'Aqr"\ }i؅'AN4ZE-piTB9Le+=P_tӀO~ XhțmӴ s^yy#\ y Hs` BVi bYqB[kNり[秫H{lFF݀3yyWe}EzOƖo!Ce.#V2ו).0ZR ".&F[bCƯc>4"B%1Vu~*q㈷ CPFP7x3QDxt"ôZt!C;M=o9z%Q7l#4mUg;T8 ~hc_mIh}V~2yǺ[LtIz$!@)~<%`hOF5b uU8?B,yYA˗DM9nxh:j(쀉/@pɞı$}i%*ʮ9*\bGKҵ!ߢoҍ%ZK7`.L}&OJ>XO] ʟ/x4Tp [X\QyuYJ-Z*4"K(`7}>#:ްY}we<_=*ydqI_ihIIIIVďT;xȁyQ)xo12sOTˡڏ"!4 Rť㫥6*ye{.}"³Μ/6 ݯe%]GK i$ 0M /!Vڧ1U:-lx<2q x Q(Gͅ{Bƃ1#ǁj(My`Ъ&ziR=2TVŒA4 ȳHҘM"4KR+T!^R17yj#.%$Oɳ4hWN*'\FX;oB>Z-wB-gF1I[z_XކrxIaQ}I02sxl_i†#0'vc٤bZe>)QiO&z#7@pSL%RT9cDtu.č'1A"7Ž1mg/9GLӂeiҡ Б 覥 rzjAO Jߦ.NG.uKxS4XńjoMvBv@؉NAy2OPɺ!K"I@7*GE=CdX`yz4)@R{ߥrQ2[&s&N*z;0-=a[s30ݞbgֽԉB# z}Sg%S !>pgU#v  4RDSm°X΍BشѲ~7 *LDBw$WDhtū"Ɂ\M-YݡC,;YaKvʺĩ~P:܍c ~wGRd=0 i$K@6d\n$ N/PI2xI&̵Ib59KAIqZf=鄇]SzB)UK;j^|_7H/":1>,+e{n*QbFtͬh fg,$ EZt[ Mj@8Zr.g naxQxy]rDUp^$ <[ݝsGj&>AqmcJ {hvWɯ{GV7"R8VXp "HGՊ{xCl9 ;ݫRB}9-[F[µs֔XS[{BiCʹ|${l/6 zȏ, `:桋e)5û8[iO>SdӃT,$b%% bĥȫ7VSa#6uPrm(AE噀sZsddfLn=FA|Ө;?}WڀEs$Rdb,(z]Ù*}?& P}iFVN-4vYGt-0k&B^SDD㣥T=]Tp!i`?0rqqw ?5Kh UMPkZ[D1C4AoA?<WL"tU*_>i۱ȕ\WJȱS;l|(g\Mz%=ĵ,$2yR ʻʒIwKK0/ݸ寪JS <]j;[yT(8͹޹@XjYo]h_aH z~[)ij,պ3@9jcf_f#b8jA^p]>T{pSfQ A< }çg .Z~ y{@`[qt6 $'/ZT{i<':M>p!]u(qΖPy+ Zd>>""%^NZĀi61]r$QClcN(>]F "*M=:UyI~).۰6If5]ٳ  CRFo̲4uKt@YE{x{"?ɸrdUƩ7Rf`x1{}>v%KT9>^r疝=Ba\XS?*Q)Q=U8 Ea6ii$Ai+s0aM1ڿeD)5('k~ƤEr'9ҋMPJTFTF?9ʤ 5 waA(pZZGSc=9_ FH3QSfO7hjcD?zrpM~'9U(rP ;Y}9vQR4㯨h|w@?êlK{OQd-uʨjt>\+ehtZPͺĭ5 A75"=*sgV{7ۑ)b-(SKh@BY|Q Ha{-@s VW1Ce "W6&TMsP 3Ⱥ"xJ/щBxK}U4L]?PM G=%& CT!n782vvG-ᚬrs\1n}A&~#ͰδavԮ+LLDŽ;_L΍[(&J]!V+e`\7YR@UM'Q$!ӱ_UW9 LqL܈=ّUtkem7:5d2sNr)nCJu+H+lDhm0aAi uH+j*]u_YrYNS >{)_LRV' q hE-6Ħ 7r݌lFtNA$HjfbDŏN>:ĄޤedhrXF26YGߠ7W-^?nz{`&(NZgMģ0`tʳQ">rizWD+31 -3~aMaMĻ+Fpa 4 NBk æͩŷ^kʒ0ƱA\pYKb}mWRRaM< mWUΞO<l, 6wwńI)7SD`q8cDoY/Y2J‰f^Q=)N 9&,mwc]=$M-zE4I^d ku*!>?uh,{\yzg-$[#6:8VT`y?U|09$F Ûљ.luwXP6k^y0h t.ʆ"pdͮnHS81Au7.-\P4 S.w a4iKJ?T[yL?;ZB43"̔JG9y]x"@ޞ2ig^axqdpqY黔/a@ ]K}l'j[1ʿ3+]4zwe}_::X;F7C*zdU5,;Y-Mw˕$(vߖm<3OKԐs@t9m3JQAm1^&-Kcr$+!cY7?NWCNGa`P݌S­B[í,MA tlo;vpMLjieWf] \:æ-N\ S(St2KBoizu#u\6`*$.ׄa0^lb"4C~F'|=b 'YOɅm?uB POnnl# ͭ jWK_-؎EEY<{\s=!F%gy6[C G\mc+zK'Jz []r<:vGY qlm}C1fv,:' xoXCZVcS{BScw*%0UGyjuQM)zL~08帣;oe=eV :x)ֹ{&.;,jx !! e;yMSkBu{_C(z$Le_H,>oGE h}n"T:疊:FZm߀b@*Jo$?(XUynqzl-8VT6xo E )k%Bs.VmV[QhNĘqY GS[8.4ccqh 7x+ZwKˠW4^JM:Aq+:mB|IT\ч})ż!4:Tz;Yץ5O_M U9p;dWgOB̃8SxZSXP$[qϗlp/2.˭DIx;x Uv]Uy͉]ݽ[_^PTa'eS^ixZJզqy`a_=ƷntlđPē6fc;8;=},ߊDNW-/*pd~r#2E}O/&YU .8vONZ:mG؆E:_|c_=GSWxuVw8;=2;3k1R6`>vY--Yz7 p99c b3Tjܬ<9xO*K&|.O>+7t/p/ŕ WW-\н> >(c??KRg^8EIwDßD:E0ʦϥ ᪢=Kg' ~ى2O_4_'s;͸mh6(v*ʧc߁1v.~̜4mt;2S_H(v)[^9q8ImviQb(g i`[VdZ74)iǖ+^Ar.vH' d8ʝ]5}tpOHjJD]H ̺X1/'K$PJƑDMpcfi[kt88~DJS9qZped$suw,ge @R D6m~T|j*dn $+O m:꧜} fA0p+Ute" 롽BgZ}Q2W8(HvƘC \?;1y/#kz_*-Q$'9 _ B*jmM QqD~ FYtG_sb.Èۮ%z5 Eɢ*8Le[!ըu WCW.ɺXzs,eCE`c=3wf|MX y")dSnet?iayX`l=("8L~u2R`f;T 4.%\ a_ Tb=p$aWVmc8NTyS$ݻ́eeC94 hDsӪK2g]SH'>r#TÖ$!'uS#?xb]y#I@OP`Cζ&x}ҡ¹^/]e|Dtb,~^!%ixMi!k:^(B++'{?.M(eC?֝{pjKvIsӌ}͹f Dmeמ<%O矁hK=\5c)=@"< EjW~#9"%Vӟex ۘ~WLh dPqE`]8I> =վ9:16fƘh%?oM.ʧXycz  az:FSvW:q,$[U@ZS &k'ڡ#j}#Me$C'y6eFh7o +'Ƴ%GDQw!V"'6b\8 drM!D3<"8(-45Q(1x%߃d8h@Kh%>c} RBRVQ臤!Cw6{{͙F8QyH+zlh.6:YR[:kR&:tnYb)0gzAk1oRN}^L%ϪŖ}gemvLHZ]+2JQWMfu7% TAƦ @5_ZX:j4:/h0qTѾ󞊴쇙-;`-Y|X^L1Z_s'ҥiDhH .cyw)GⱒXyܵF0_#ᔀ[ЈQmo<Z@6 4hm R~:~C1>΄s]xF:؜=G0SR {0KZ٬ &.]@_]G.A,|M>D*4m&~G<-bwIsp_+`TB߄]ڭCЙmW>55*C*35*?O<m5(YO7Nʒ6@"[C W*X oۿɟtֵ6g#ot؇ vZ^2p~cnC|j+@xۧIsa"#YX|{G8V)tB܆ Ll.=Ђ=ƊǨM~CM0\QYWY&Fp0(-RK- {AF蔈)r&:)u%֕;R(d,ߧ[v}YFCss {1ѠjɪxWFGWT߫脔*WasuY5<?#X@bO#Q鞾eAz`3ph4QeJ:!GF[%UN@FYF%ts' qwf)'d/FN''0S)tw&ZJLlT[' 0gpN9!0sDm$J#mȅә5-=('i]ƿ.G۫'{ ZhBԻ8 DcdPF*Y.fhĘMrao./B{xN©m{r fp}hY#GOYk,Oba۶|Gc򲓍sW_mC$9͔'%"_40FnC y3Ntྤ|-CA },ZL;<2c4` In0ꗾ) GTD Y^9YR4J6Dx]z>=[BcJhG]nxf7s ب(Ƨ7^!^)q-k%U>&@l]VJ鯭G&-~nnϲ 4ڃp[17,¼6^7,݈q(0R[309 0 0/|VzE^Lert5wn021 ȉ1V 9g{.Ki;!4i^jtܳKVY p^TGY=uQ /[D*DʯC-H8v =Qtc3۷" wtycXm #ܜ$F򭆗.@f?Cd.TOZ_5[b ,=aK]"w+/>7*+VȼhjMp.`bڙTznl>r% )!}NԅuLFrp'゗-Jl5c_OL>I5P&%D* yǖaѯwxpБ e%dڶ&,A}ޮ;8k k6|C*NZ'(9gK=ODDY E=r$"co8-5 2HB3[g_I>$:V DY kւ05Negg۱qvNcC ,$#qOZ2^~-iէe,c5lE.4 ѹTt hLf$98\QzMOVU/)^p=1YB6ۢ<݉p`z"H hRMjm^G+ӶoɽnrSԜ}5,"amȾ2 ڷAG:M#wFhh16Ewqkv.5aޓ3B:Cez$kyp eشE=bq"FRd6 `PXx?[g S %4" y*:˛T[;WPL*2!ޜD9c߳R_Cgn=8Zp J$#Kz%eLmVu0\ͨmSU>4D0VUj):¥4'|]9m5ѐc&M[-I~5C9k:E=StzH1 >*6n::Ss;i8CTL2%iTJEoZ掄ӌh!b-rt%jxZ.u <(36{C8=%Lv+]=bsi]Nh p+J,7hpS Q,wy˼WuC ?bcs=s8poEPJE'^mq3`Y\XP6QK6\^„;.; \9,Epe? 4smм6Q~V=+aJĻOFul {$Ͱ8LR3mi֢j𺥻^FLrQÆ@S ] .=n/h׎(ɠ>8R,֡f<ܞ 4ѫD#f$<7ұ9rAy[wiWk\H(mN-0Ip[%  c_"f#̛^j>ID#wɱjh"58A?ߛP G|HeQ!nV΍/ ~G|Z~R%u\`ԅPj$CF{e/Lr:TU#mODyQFOU-KzתS~AZWCpr- /n0_LeHE[6z.T~[/Rvt|X@."R> 3N-P:`Em<ۍiD046yw;r9d5ԩi^>Scwq_ta:j}ӥqgZFJ]xMa溿hWEkIvʵOsWbGd(1ڍɚ)ܨh~x_"]vVeS _i0WP' {;,(a{LC-'5KBG:эUz <ݫ0Ɉ|q.Zwz<p\{y ŭQL 7ؠM>01UGv~AxX*C ,:C&p[7?o]+b`VDWT\:}́i{ *|#K^d&~)Mkm~W ]Py)/SQq U qҠ_&CoOry+:wJ ϲ3~SƸl#`{ t+Q@ߧtsj Rti|jd˷&rg{0Eq~n;u}7R#JD;[v5p1HEK( iYf lf ?REGcK-kw xvBzLI@Tvf}:JȧPREfn ߖ ӋDHOγ&Yq" Vz.%[",:[z̀-s[ {O ӡ,W!V.B,'YHK]Efl9Kjk:EW[!O!n cT8x 8UR zAKz6쾾YӂAh:mv-7tA\x"j3apb[nNͪ #Jqn_TR6_ i7#<;[Np΢PGґSMXɧ~tMENτ·s4߿hzVBF/r sN83g!eS'XO`y*MOb}ah:F;o5J:ob^ UOAPea0|?%h tT(j`/@|6읃ad16johpa& }}YVUCƝS#VR,-P̡M!'_>(`UC!;`L &ȋ!4C4mt;UdhROIQ)TnS7-`YzU Ath\ !;. cO2Qԡ?3r*D7եPJ`'Zm4nA{vASJmhw'70H},xܗ H@ O a6~1%kwv/km&wr h֋R) G~'P T8sJ NkCxIӥ@,[]%8zL0u"%at\,\~%D  K |6b1DžwqGY4kTxr`ѻ U5O%i:1Svt|V歧ahI)Rz&`ɾj"~z#3y z%s2|#\51!@@fĝ/Hl0et^p94 mZ?BI"~Srh60~XcY|QFѹ)kl+.!a5z_i&9$܎'X;A IDB&4ʀl:Υ4N2H0lo@@ʇ{`m-:3zƳBQ䔚!R]Zb[*G zP$){Gb %ݪ ;tR:I[AZC+fMW/m2Y5|osktIe<Q֚oy"){TuBdLa;\ZC 6#mVbPL`4xiȗGT4t< 3.6=zfYv5X],,{?ED] .a[A.O חVPֿ7Q>Ȧ>B{B:T֟RV9<)ٍ1w]Y0n:bq{ʽp kO=k FʭDрRk'oVH^*]M 9 $*6xcr| m2$Y,yUHPxfMVKN +IQSy [r[<t >2rldհfO{5@ ]\aKj puzTrBuϟnyrl',ܱ@=:25jp(|f\޿ΑZIOn-6Bc^8mvs*-H9FBY @s[p,lzڻLxg.DΥRn1E)PуOxSwP%֎ؒWn.NW=$rf7P^{Mx|  sHQMit mꐜ; i [R~S rm ~ tn-#~srUT4s v([2_v!(6ƪ; J~!R-aNz׶5ddФw3| "躴qgоD$' %Q!S 傀1j߹Y195]ח[ö8qwY3;K#%6dL uI(8%]zeE}nIŔbV3}IGPفF1 *Fv4&tޙ>#O:^>x\ Т78@""$ӄf፶[LAP2MPR*P=l ]s?1unO6Ap' [r?=RHP:Gm*6Dip@;$'_DČ} ^^le)ߟ~<7 :#1Sd'ð:Ne@΄(J<0Fpw_X^yg5)/eS;)-JϤ GǼ}f҆r÷#i'Ոt_PS_@(@Cq&PR8!{R =0y$r:WX*"C%LaTIy*ÙC{s] N1i/xğknH{ EE((Ă Rt{ Z5WqHUQDΧq{.R'$ P?aPuT+dl@2'$4NoB%ГTcG +J?֎"WTl'kx7[ٴ9f~^!" QJX nؤs1Nqs) @cԔ"E-cErI;8]r qQl>۪2kcWC|g՘OT1ژ^RJnL{ V%|cN%Bǵ>?Q_GFy( (DS\_S ~ʿ57=^~鬝#9cO& JKK.3ɚ.%k.!Ԯ+%Wڄ Ѷz]2WJ3g =oD_fgS9l8=gYHg:OV^C3/|L8!ď3*޿ wgW8d<GخN#l/oO;ŀACʶ!vid=b_ң1ҖľyEdEݨ̟ݒ!pBՒ}7,vGǚߺ <:uC`hjРǚf LTj܃.콏0! %9*01 ~ F^Ʒ(H\$J)ǟ;y$XS}wuEdUN!f`ph~r(1YE֨BiúVofW}@Je ŏAs+V tg>MAuQU.e8gzB|Ao|{ 9^;^qy+mЬ!)Bc3o?,N&BRI@љ~o{cl. \n䣜ęN#u֜)'b?R]f׿ZjP.߈5j7$Vpxy:҉!tC_'.t4g oG*փC,~v6g7R7 ~o4i*༳viqvQOt,ğ #Ȉa'@FQ܍=ǡFS=@2g ,;[U+'39 mܘ 6c{VjزPJKSy 30%$df8Gƒ2xG!]CMY'4w0BO< ^r/Q+"%7U cvၿz8U;|h$ZuVq:zU>N|d(pP3g0ÔFWV8h< 4@Rt!GԵԃc~S7P$ F 3uV gk i BY͔RNqv:d wjGsv/J֒4 bUr|%`uk :T0=.RぎRN@DhlS=TnF[Vͬl~Q>tWB{`vs 0cF%"&#db#/U)ʹs4=KyZD1 OʾM )lKYYDPw0^v0j) >LZLo曹Wrzt!ʆR#_ӹ9a)kU)E+{tV.ʛ8|$-@g9/(_[RF׭¢jSQ&ˠ<uu b"I MԺ)hG7r7(iA-bfhof]PW)fcBf$~:׋ yʿEbgϱ9Nkr`.qtZ9rScEZI2>@\OWV1:_v3Gjlw^Qȝ9:*˫Ѹbfv!(uF;tE(,mrWd)~\^:4 T$D,43{ɟOWm{!f7c?,0c#1@{VHp۩6* -| i`؀x1s[pw$?U_2!,-Nz B2ٻ &,]?^qNcMd>&m2B`MX0𺛼 E |hʆ3\oݶW65DO"j ZBcyHRg&> +)ꨐ(Gb};$·a6EgJ3ξMRX(߯R2B u5ψkOyVOs)|fyDiN/zrm8 P54Lms'q&0'',96χaL'`\M A/ /=/ƴdu>,,yCnp3}{˗>/~X(YO-E;]$'Sca8S'-6d$mHn)XE hyAk VpT3 8R/ɽ5oW ^ 5z2Sa?^gY> C:j&u49 )7DTHX<I\-p$^%}3S>c` tx/-1)j o0'.c;wK~sjĮ˓Ȉ^Yڵ 81U G 'OPsش$EL~F y;TKAύs*3פN}+wgfHQȫkЦ35--2md mwWA 'f 0@2 H]CPߪ/byݛermPqykRzND䚘@/Q s\Lh!3*Ln<Z0P@ a P- g#s.T(OXzMC_ߋ )nb.E"I ް=,(-f{e OgV`2iy9n3㖋T.܌j#4HCo+2ǭ}ߵeɢCuozȂbKۊ o#tUW7cb큦|E"IخTeXmMGP\.KDbGIh >&Sخ.eBם'OJ.4R ػé\,<:))\{n*IXw T)í/Ȅv+oo,=/qٴ v@7}/qAy0(b6dZv~K=G, aiK<("&=WN2fChZLb:ĪH"脣/2뚝@焌LX默fTkVX mnS}xA3{'{P!\ (Vc̃Smm?}:nLojŸQt<5Ӵ$%&atz7>|5Zd؛]}#G|,![IB$,&Q>bX"zOm?m887!S0q@C䙖) ˚T"_97NjN=#q]a*lZubM 5~m#LqA3 l$v{\#`TkA4}n|]C9ۜ ~{sAޘS+?l7rfBR,Uomn#R+e+l ?,f/JE{H;E]S~^yeDKff],t1cuj#a$ELp00r z§y2MGpu:PE+ZM-" zN 0먡/ňo/dR<+I} PFVI^nˉG u:=puө^?ܦ"9ûȜ^\u3TXr Xd.{IűOH&G[}JIʀ\ƴ[X0.vpYfRvOe4_JZ^߈ R|4#d0a~抌ҞrU_zwuCA(/lR+4$*d\4W4u)]P  OD092fkEnl5epA9GMKf'~/OWD7O9nJVyY7]8Hh #{ % > ,I4kñךQ;٠w^ƴ E NusV j\%3Őɐ\ 8_~u RfMЉ)c}h, \lӎ@p2GtZ>Cn(wsHS=eRwsrmwQHۓhZƥmUE'8#bPR5H&7:v kvr]ƬPI/a[1xz 6{#Jv# fI -?2K9heVDvO46h'khdjhn^~7B$UW@OOk GH$ڄ]b 9nR{Ow&}_5|ԉJvƕiq¹X KG@;3CI8Ţ Bwr8 ԉɐAk=KuuDՎ-vO)fV ۸GA1$k*3V>ׇ^8g}F O>Vq3cZy]r犑FA[jXC7W9,Bɯ*{땨pYIAzL5]r e0 2SҾ؍B=,uȨSm쇃luu5>r 7:n+%׻'$;WDgt@r-ZJcVA Cv|:iMu|C[mccM86liIv56ðC!;fҫrTZ hߟIikhcw`wXRYxY|W\&H^:f"J {9@^4qnԚĆ(;t ffȳq]GMiwZ/#7-bglnd3(?/yL_6U71Xi^Q.Wܴ:Vwn_}2)-xmQ#<~dI !) *86(ȓEr& jzZ(lV`aNƜ+L.0$,ud_V^g1R ~2= /YcF3!- ku/O~x|y\E$vnyc3j]CƬ$"w9E2b6WgD$}f‰φv{z*+m~ݯkj/Idb`s1Ȉ˘.0 t7 &NHqƲQnq-}J" ( w$G{Kc9Sz_!_%v9ΖI zzHrK,$i84,ﱼRXO44toރ'`cŤ' a)u?q<͙Ǣ'12'I5f4rmՅo(몢j- ) ;~}Gu,uǥ0KT`429vmi,IRJ[vvwXSFo;_kBKg~_ϴ J87/ʔIKqlnB >&MYCgbP)ύ&CHk MSO8яa5 4 ҝ]HJiJk;/ qY.'<\N^/ڕ!ֽʾ=Y$8քzdo(Į$$bWJfX-zp}p  p 3LJwm8";QP#S9[# m]Jnb*m));LlA k[{u,E^ 2adc.my'q>|$\R;N~μvkO"ڵJ[v_e4xt<`Uml ͋PE!h7D>Za@/+QT뵶n Fˮ+jvEƀt6FweY7a14" b䌗D,%}TɘʩO}9At/Mڃ!yU_RjGĽ+43X?܊~+»=|!`p"ejK-B>93Ay86:4.қ;a)p~C  zCeK,~MS@#d8\]dǴ(}G QL:lc o͏_` jIh/dY$SdGV5"nē^O][|_83r^'GLIwJ=~ޱ{I޹]iv9}i[l1\8vrOa®6 P:&m?ń!a>GS~e'kdk3WVS^FTސ6]ysL[k }vҍ4Be<%>kk8`]˙V5O Q5F=ؚjKlBB"C0^p^ qmGE^JQ^uoTdZnM k# @>..h/u6ASڀP 7(IH7/B5;7p74o8HeO0N9{$M[e>X E-Geza|xKJQ.:- h!n06!dR$C}8ES?&0X-j[S4*Xal[郃}2 ݅I:1$lUu0:e(qrCnp:hzZbnNbMU:[te{v;+=lz6\pknr=Uy*A`lOؕ4;->n}c@>%՚Nj9_'{0 {>ѶX&Jw4U 2+bu Ntx~k G:u@+me=,Chmv-V%7)ӪûʠFC7 ̱@S VC!/lߢbڱPʉt lNh}3թ; vZa+gyZ~4e'AYFkak绡 X19qmoRuknJ^twUJQV#غ=bFV@},}GM&t sTўI2lg tζO̘_l)_zu=;s;dؽ]+^9? d>@A@-`{ &84GG8%6܁3x3aN0e#rnx C*[T>x> (aȢ? p E*يgǚC74,oΜ'~N](N71.?. o̼2嚔 |ͫu剸8"6s~5S&Ai"1>O'V۳-^Qp*Ef. C] l6dp: X.z$~(KUk[Ś% E F YkS<UP+nH:wp?#D D9?Dwۘ pxmWZ_T&R]bΈCj| 6CJG^pR觠QҪzD)KtbIA*+z|$cەCAF~dϼ9tCDamR'+,\*q6cOm jFcn>J[M ֒sѺ / DMȫGww'~9l۱eŢjy(eZ*fh5~&ʱD#ω=ɑ<;y6@þ u \݋8y}/D4et.IXFO{_l%K,*V`5𻢁wHuҎBͨn:Om:M.nT`@3"::B}Z/q鴋`+B݊;$OE|ma9 iu$M x gG꘠z cbp]IL{) 3O+DO얬{9*vH\Vi;e),$XoFk=g<{H &S&Cs#{֯"7rA9gԨ:G I?Ýp~?7{!LQڲ")q刾e9o qx,o][ŤC2/Fm>=H@N8 bsXAf.dEةt{>onEQ&_X<ΥMQ֑F}*]~wC_^T7rM ΰ !WU%^{ܩbփf-[BF似,ɨ/t$X[ 1vula`پ׺BZtRq%?ՙ9FfRیV7_[O2|ÃlBKmEPe2ջDwӉ-WưYrBb&Lj"0 Kfkl&Y߸l?'N$^;㟱^S\*l48y`HW5||^A|<&e&R@6ոp5zB63V=6)H*SÈOXQJU\aA< [M҃pxs7&?⁵L\9E>n/ȇMf[88Fg l E5&ܗͶ45hkn;n_َMH2wމ2#̒~^׆5;U¸#8h F\Sq ?L-%<##Y80De +&՛ ټ5׏KS-DK| I\-Bi9>˸%+LM~LAu.:1)&D{J, B\ͫ0JKcmh4Egv𮚵C\C9B5-UiQ-^r,3S TSwŒ*DET4P?״Cu.MXAFT ivwcPx"?5$ТF"3.WF4 "z!'#»{}%N1 x zI'E oIVwi3# ){PY2 Z"\l#'Ż/ŢH45%Oo<߇ښC j zAg3tՖ34:/|XT׌-[̛ ̵ şAde_+$u:naXDcű-w+7Z=>&^#>wiTSqx||505LJpb•l}PӲ[k=ZϾ5s|I Oqga!Pl3c 9W|g XdE"S큘5ʺq v4^ W{*#4nӯBڊ:S]t)H/_#׻O߮3ɱ5e/K]3p.ܣ g^)g ;ϡ*k|0so0| qcٱ$e?;l4nqW4,مMkvL;Ik !Crvf\O$P9[\(,|oڮg%u UfI"s>mɷ=cv+ဢuE+<ؿ#Ҫ07s FO*wyυRl&Y eXvqk SF&ؘIFhT@E:XλEԝɸw,(c|n*1_X:덚`9Q7HHagi`Of}.1y5cʵ>gam|3v]`i=cdh6wDN2yhq mWY_1uֻc-C,8tF殅F}gZ+@4@jIMw؇L[i[T_ -LtYΘGjc+t[ol}7+WJG0}fq\de0hcasrMFRN4=!I3faR~R ;y!|*^ ]' P!#&*&]m?߃ 4ɐ׊z6bx%44u&8;SeV8UM+z2u"]T>k>{ikݲVb?.nl0MZU;aa͞P+UφH 'I0YgLj6uUGu_Fy<U|#ŒR2vZҤ&if{A@ lH`zuulG3r3 vH%.o : <}).d]#ruBnơ1nZԃ ="4*Qݦ+kL`QN%cY4 8#ݎ%gFi’}{z#qԂ1Hn4{rs)?4f "ւeު /MjjI u+i\*Ҥ"cHMlɚa&>qA'm(\|-07ZDCȻ뇓=9&7 q)it[X6ٮF!t at=(d&ڌrZU4uVs0K1?ƓMBmQDәI.͈E@aA ه=$P2DYwD)I恵t29jˆo㭃A!kHՋ; q$ǵy/PE?;{bF۾aff洓L.:=I9 pF !2KM^a[:/Iu @$@v)BX/h%^/C:#ϥJAw{&=8u\ξ- w$/^?ډkF0Og'm,cG2 %0x UkXq#.Rީ|7Xyzk5{ Uep =uS:-<D eʟC*!eMG}xb'Ф;3g$\8 c#i!`)hgF%pϜ:>`b8_R8EI h0E㽛&SeGZW6I T2>W 8g13c[vP\'*ŭ9&"]X18=|;AfWo_X,=}$LM[k(Li6z-?"{+;gKw_VFJ;q;r Bj퍎~[GVHDċsHU8Z_ {ybj~Y;(MCHNpnv]W,l#vLv`s&JɵJOӲʼn$T;K+}f&i$~+r fQA8eMb+W^D՝&#!c?RwZSn٠ߠa[ ,S)dșN)5 L#ACt?P hS]J@~a(ʹo>}%L7Duy{#KL@/P~VAo?K?tFmԻ[a>| OEWI]r#Hr)ĸ}]Tz& l[\ 㩐L.G)}j靏&t"&"U;FYMAEu>}XXH3ˢr:72l?8tGoq2ps+dXZ9nc#Z+9dS(,kZRnP3*QVd*ń_ǧ]3`"WNd_KuGO-`//q2\7 fP$509X!j^ IIݕdk(\nmV+8Nܭz:e"?;>GL(wc??Iv~uרLĸwJ\0[+{̺. n~IrFj/珤<&0s@!woy-s aa,JOnN- ;70qP-s$#f4ʘhNl ]jݮ:1V9X:vxB~3Л.RO4T>%f,ުr#G~1jXy%JH0+Qg`OK\2LdDMy YT <apE'M|5&8P'2MbVqjs#8V9Aւt;{(%aEUc'q-lQ0[WK19vpJNA+ ˻Mx(PDfqZ] oQ-%Cݼַɣ[C"؉y$GTQt]/њQydsW@X:[jTq<^z u8*m~{lZ(% (0:JeΨIp݂ R&bA* lJD>W٧eM?5x^;.S"7˕[Ce$":N=wU\ʈ~$R ,?NX ,glCĦ |x. Sr}-g幤:U)\9ddPsH>TLҙDI7\+J8mbxVEN: 6&: m'LMgvF0 *DYl'[k}]M4hxad> k޺Bha9 eYK73B Ֆ;E?8ll_-];b"0Y)a"}VD =rHITF=札e ڕj%nM- "=; ۈ%OR|G0gA\''?->=dh}Swզ b 5%rys>Ό61b AN+w.Vi_S*;`D(mY9vΰl&UՍi mVw~}xY0:OVW]4:Ov:ՙgX5,ta"ypNlM}{TĤ+ 82y -$!P $ЁecI>H[cdx}i9! 3rcot/=!-9x)ėR,pq?ϔ,]{t-SYYʕNMg\ujOiXCS@϶Gb ܘ]+ԁ~!ݮ^CMw0$/vf0tڻ+ȃEn_Y{j;=1Z\FI2oŵnOw$VQ> Hêdaㆎ ފdvȃP:_Zus֑0bU0 k<ùx|)ţѣwөrML;F0Ԗ@7-ɸmMSLrug ~8.rl嵜gؓ]ڰ'.3Z\zݤ0 LVT*"1w\vz֊*Lnc(Puf}5nAKpLj\t#84qn;]s(D3e$籧to!~\6P1^DZ AuToKe NȺr_Ws z+ %D+],6DYEnqŅJ?\/I*$;h ~۳y6\r,-zh#X] |7l/JKރe;#U]ڑ̢TVYúY\VLʧJl%rAa=/ÈךZ]5͝EOʿ%ZQ׊֒zH_@8r߀"V 4@JWv.eNWv+?^.Z"JuЫWԱ^/aBa=%ןESf;nǡW)0=9jH-)47v.@ZHpL.HSny6nWx?3Q95W̭:װ9V)cTVϺ.w鵠vB398PxoXזɩ[)k5ɚF⟦: Xa09Jj,+ESqe/2w=P,̈́;0cCtWS;2;PP~$7^iP;j9U,1ߘbC Hu3.wj㿒o[N:Gݰ&x@q <*cqp 6Æj6hSw@C{(^e_A>a[&;Em` җE2K(mR#ojwثīRfȼY|G39/3BgS.ɚkDQTH ~+ aTkG: +uQ^: }˃h WX,rN_( KmorrccRq1Xۚۍ3$;KO*E|JP'hg$9)p 0a $cvB(w.Lr+37Fv~Tfz0c+]wNd0UΖz0~:i0jfV%]\b~3冃m5,|h`2H\pHghlm뎾D)x/z8qfG;Ly@٠ !t.&DK/x\iXwwW y]֩5fكXfb~tIS2Qza5bY'Ǥ93!68ᳩF'.OACDsu%<JeR ʌiM1DϻY字Dzj+4wmbzR=} .ΓJ~^p>"0g1tE~,I߃j<(9׭I2`%wݎ>/K^V9þ+$GeD*7'ȹ | a3~b$TvuZw@˻7*B e8kIxD&m]_,VK6ǰ dF_zel`=L 4Rq5 `2bov7.4.aGbP QQa\<@t!tYAv@=M2ih~w?"q&~ "4e6 ]/IMbpuzjCn|&u<1V?K^f~^*!(k%T`ZaL[nL;+t#/^vzGO7P;l1Yfi./P.aA20U/̓ VqL8<^4OD)gv=lYW-uF(ߴeP肳M x 洐(]oI+x Xpۓ`ЩK9jn, ¡U^&%;Y) O +Ě賓1Ru=P!i.Dɍ mᐋQ8SiIjK*lQĩ2vНV/CzUVUkdF}Ytct*7x9`Č-lA4Mܶ 짳\~E? /P hq!wutYDfҥ LHHf&GoÅ7*:[l~ |M@U2#79V X5s Nf %&xTsyLIb5HKzM-bxU;]7l+XGWs6YvB! NVӦ09@z;Z`lldZmzya&6ng6~_4ᑋy>oJ ? *:5wYMF=Η"dM`>J~MKd3J0y_(ۭ+^*Tgh:S 5bvݏ"FN⦌I2v`{BwpV&WJ!:Y5ScY` fKg{O_v"Q{UT}@5 tHv)ŕ3 T!azT ZRsI0I:~h[<[^Z[oDs:R[]dZ}`kr|ePJ "X '  йs ӬbQ|4rD^Bst2eO#oA==i9. SOr̽TbMF\m{k@‚L&1WJ7dҍzυQXߵ\,T8@a0 t47 kM{W {Jc| :UgiIwtuP7agpc xxm8Z5ծlqS"~oDIj\/ބ !Ԟl`G "+BgH;ޟCkK߿H&|VR`pO}T/`aC}B͛XQR.buJǮ(WiJ%s$}6dg3qH|oF*QէϪ d,`0 ?,t>N=i24`eJҊoEҩX )ѬyAF=G+4V:hYCckY}G7`ϵ<@>{P*ǝk ɏ\ljbzKC[Ing]w ō$,UWZ,*[ "2g|dТvN+꜎wsw&|=5E?aHpV{9m9үݮ72r.g. [ ^^>U.amfBLAKſ]]H?1N&!OsG.}68TbW%Yp޷ő 9+MzD~}uЃƎn y>iI}MBۧd( nYK7]媅MJ_ )叮c `KpYFEn#oɠ$|U +T?S!}iW=Gb =oV ?l v@.3Y {<+_\~W2@}0U&$12njNCi[4iB-)9yp 'i99IwLTȕ<TvG. q@a CUͳ~!>u8͸W," OBSx OXQJh)""n |ܿ|4LbK(6kPù ;Fg:L>\ j!HlÚNE*y_} f¦ܘuU+QzB6g$^г1` \I 4NAU$VX~yPjȁA3I׆w}\mT1O:V_LST8o*HָWG63%-(W`]4c3H?W{,F#,|6H#՛pB+dƂ 3?W[V_|G"`o9oM௹0{9?Q[;ziPni XB( ' -ۥ8gs4LnΙ"GfeひKX?0>u#3$ll-;'#"u1_JvŁOׅ(:Ns+%: j=Ǟ}oO%vo(}P$)cQ;pl*ೇt=0˫ PSFq؜ sK y?X21y'EW)(*RCy&[ƚJe fwҳ$;\I{RD![%:^nlsvw>\vN29]tAow8k ow 0t92fe+ԔB,_]4Ă `PcTL-9 ij=ji : ?&sQʌ?l^jo-&.EۀJ28XCUgW=&CS_yh&DAyp }, 2OMzx^T?rIl^53\?U2f8N! ީv  [I82ZwGgI=XM,]5AM@R~륹JKx\Y\e: :g O%X*-|%g4]g=/!SU\˹%IWXg(붬P*H*wWy=wEH+Ҩ >Y*CT#9*im&␯wbsDžǴo'J:QokxZv"q067r*R[3,]eIa!Xt@p (y?f}q( HssMuGR\x/X;xu(b!N2e˙L"#:ˮHkYvO, 53W>36 y 2q|TJ)Z0&SD}O/1c]1J`)x׭5eâĪYgʌ.2VT<'L2:]Й?lD*ԡ'+uޥ'ND| FɹC.'CZt?%2j4ekrVkHJ=@KK].|46|R(2!@RM:Z|"e AHAҊ䪈,V*Wm*YȡǞ:J|;H&%@~7k'Q/*/eB7O}nƕu}^Q 2t8)42eh4JEԻ| T+ͭQ!ܒht>?x D]&`3Rjw@ge- ^d!l')!$;3H^D(s0}n2`WL2 ^)p>;kK_ 4|l,˳.;ӎA_>>hW!jPȘe|P9Y 60g>U#k7dy.m\HuҳSUk)(kv+vPBY+,'>" n6vJ@ϰ@X*q1SӍQbs.nI.2=wGI5dw8,#=~kR)OYTX՟IaWEbSRC u3BhaKh>u\mM6xאk` e`8 z7 _(Wp eiv;P*sgiZY"@U;lkaiu-8IY&+sͦ7ˡʎanu `꣺VA| g(f'ʅ 9iK-G0\& CZžiӧn+Z8?9#ẍa-|rMHWjXZuR [o ?v;iȲt@ផXBYDJ)P4o.He>p"n*}0 X]r`qSE\@&0.w_]ǭ "5o㣭?IoEcd-E/' YGBS1;KՃG3ЩS]$)ija4Bo;,5>Z. xZ@WÏ5R@wRw~wnɱF~ $.VdJyk-& Z/(V2-=:RK̕}ԠuQ*|Hx O.8)?,(E:w0L*!j]kSC BXxs2Ӣk-CUV(LtgBKQ @`3.D1/\3 +WzŹk.I)10w1l.ugޯ[0jح$'%T4<Z&>K&!8z_(\(P5BI&HU[gxtEo )tVоBZ7v&n/hic-ooJ Ȥ;a:I!&O@5 TAJɱȲ)\&-+ۅz}@\iZOkXyL9N8 LA0,-ږ0vDUldfƄn@l`TFûs*BK!S&(+ߠx2jZY1CB+ypR^KtsvcPvɑpm ZdAvȃm0!PT|@zB|{gnNB|P9+tSg!iGd?4Ȧ_[FYi"|H3v@eF[|/X%P(IC"- e)EK1$LW^ؗ8^bziYq8cC1{0'@w9{'T2Dqŭs>(CQu95CH|҆Tcsu ֧͂7׵IHxB=|:耯/j^DyK[|Kτ[2@4p"EZ,]yK*f]նr_fBj]YõŖrtCdE_&D|3N/GO>g6GYUɝ`l=3{S=h=iHeLmWڜB=Q*D,!U+@0W@ k8FKc8'_8NraK>ko  yl)5"җoMvd;sBAƧ3G?y~ |u$'ADE7|~᎓|UȳWQmi͊(/eP+VNF=h0Q)0V傑f):$a+PXs"OmC¬+xR[b bstxq=plO=X=Bݿ'IqГ|J "XK c䔷#j)d()^x2ɐUrq<@h5a.5C7.!TٍJ_ʝd~䳩5[\CN\wID(g]"ksB5}Ѭߩ ֆ*A_͜eZeJUȟL0t5"=dSRAۣ_órZ+^"v=b }ʹ'(2͈t88xTHnZQA]& d.;~^.o # zMJ%F} IޮIlX(%PwR'1 5OxiZw_2MoPe;n+s],hjս2|Qi 5F|]Qض58%B~AU?4jLU(Fkx,ЏRWa>}< 7gS( >}E33`['*.9UwV&~} a_on oz( datY\5w6$qֻL|Ķ5tA{*ҊCr3@JX?{s<`L9cO^#gVWA))2 ]!f{V!$C6Ih+ RS$n,SJѹH#fr(k> g@sYu \-GRp'A jBݳubP̕ceGu!:n>kǍJq@I__Ȳcp_[ #LjˏyH(S#9(@[ 8bpN!{o*3-rmba;o3Szu"pbJOc'ZwrV}D8T\~B ;ɍfr/$ ">Z:eto`0r0;-.rQْ,z#+v5:~4X9t7-n6QӟcAў\ Jyy׃M:GTeYP}&Z(-ys +|`tl~D`'7˩c6%y`#+MڪY'&z^Z-1Ե T { K=yx´tup\*e})o=D2 &B;O ; |uY!C`Y H=damA%Hv7cl;<<3:4 A!3T)>{a)Cg]` F~QBO7ȠPNW(@b\̨ݞy:BN~;fʨM=T︹y Og]Ay%$40]ҋ ymO3Ko_A@\۞wGZݿ ?PCŕ14( (6Kr`Y6f֮"p4'ʧgvkK:ȧs'Ei(qZ*%X< ==b}~觪~bd^7|.hF4!m";ʳXOf[fڡ|Oj?GjcHglB6)(B0pS*` cͬr.7;AyWzNMN5췗t )"a ڜMM| \(B߆fF.߅5#`iQ,'n.;e|nK@ڜ]r3UXIA!nTjKr:O :D*ےZ֮thx.涧4Gd|J{)PCg1䁘;)&=d;QW)Ycnc2o{A6`ko?B" g;߮G? uJfAE*ò*7 ̑~tuº p#M_E:fj6/S i =Pñ|G*s_ǫTweSh!"H9[~Ek?rOb=|@)Rqcv M+ 6œ * 'e+~R}OjZK2OoQV}I Fb&߮ ΁|B۱+=/G)[JG }{hV,tߦc&/the6ypV^FTvD2I7dfr2_[2ϝu݆k>@JJ%eش =-HbQax܁< r\Gc, "X>kbSMj#ܣ[ޮXs6670{}N{BQ =9dTc^ ,qO1!z7n]7.OgAĪ+%L>;prk+=e,օoeD4?#Txl#w] ?6 84`ɤ3в\Nc~|u&⮖4]6X$yO=ue[U;Vh,O ՖҿYn:ѵߡ?"s/@:н̂Gså~ȅKoDjc]:f~*yTe҇8Ns@lrbfk* Y앍4\[3VN{0~!vK \zi+\ó!zȪb$Eh2 hEi̽Ks;ȟfiS;WYsMxfʠYqou"4 R?R|H x !$)*ueC-ܖXbR~EFnR*C:cXem]3:Ӗ o| U9P :AݻZUF^ -Kj#Q\ vdewfN>|9fe;9)-nX)b~h..k&V-8BzҝB)HPs!hvh#@MvG~F@%J}KWű\'QS©|^kԀ~;Dr2(T;`#[T^!JAg7Eyu*eGY }*̝tYV077~ʻ"@{i<,ፕ[HDHJ 5 EYl8pҶ5B ,7cdeo(SZEJpD9ddws[zH||CVWa- 5\Nѧ_P=7vΙ5l] BZ͢ '/ *q뢦$u6#. ݷ36+4Ή5ϔS'G1:ڃGFc, -{6A)I%tp~|xJ^CFCOiK218PQJInd9: \^pXϸ.ćwVj-OPuf1cдUR`gj#VZ wCDdθXvF@.@}gHftMrfXMxHtqB!rby-=^Zi饻ڋ E;`U@,x9ǻϴk'%ܗ܅ o|6RϏ/r-wN?6Y͂-w!>K7:$c,ܹV3x3-ZHsҴqx4Ӡ1 쥭|ߧ5շwǜ27Y<#oXbԚ&_j`ur֨28_=K_n e^>6o%2`D;2#PWOZUz}:P֟.WJűW*ە.?gFH3aNV {fe\#.T_םCK${:LS"LuQ&TE ]V={."<)kJE&TK3<l8躪ROu.Ȳn=ue ǿUo~\7c*0 r}WLK2f\l~Y)/OYƨL_6ؔf )h,GUZds"Bp[ #؉Kăb7QpT. w.7JmhAA*q]|pY67LO]$[^Bj2ZHR\D)<`;H8S D o`^=9!|(BW 13H<%Ϩyv@V *˙j8K"B5{xAfx쨱sA=r~QO#7#ddO g1C|巶>oWL2g˽㠄,9ߛ!\2f?{"3,GLjcWykd_4Ѻ挿m#Y/Y8;m8 8L˦oចPm>%Ocw)ɍ!Y R2bZ3}#Ju$2Y 3[g Ჽ<z"CuS{eq*䗕F;UښɵV&gRF| +Ub{6~60y E~Nf\I?l|>$\|H4 g.f{Z XX&GqUjK$K9Tڎ3v9|Q))gpH~5 TyfѫmCX~PlªTn13ü@74 tɉ|SNZqj\Fk"F w`t>GiH鐠}G~X9SZo~|9+k4i/DS)r+ҝDO70H!#@ukQ[%?/#T *GR !dU/cԙS_,KTp|Κ!uϯU&]́V?$`3~ZVL`ʉg3֥ Sr&U!߿?! Q9IWp1[jUm;İpV>T7w FlSezVc1w8=ҍp:7."Űڒ՜;H"?jcTuc6-0W9u A~%+TaAy*ZeXNcYin|쩉08F( ROW'LŏjM*{cLJ+${KB6(LˣS85V]5kĥv'QW;NmlAog)A2@g8dQ.߼VD3e8ie91R{ظK TQ-X 0 P1[?yGKNe]mK>Ϳnɉ^+6aR9.&enޞi?ōk*0~̻χ- ,r/Dim$q q)MDrZ{Jw<93Z0CAdah0lT#L6kXڣ4fA ׎Zz,Ȧ.+nߏՈi! ڙ+4]<`hyZY[:a6`S̿" qJvo쬋^3f&6{h[2DxxmlXm0 qwS bqoq~ARS\׽-zVm|xf -ˢ +gOsUrg輚Bmrh (}/˰2]*3+C9ErD9S4-|}X=1xFk֪" yɲ ٯ>akO70=8çfދ]eP0 o_J 9 |lxz3iLgSxB JI 4s{0]{ EױcZZYONE׾̋bBri(Ǽ!i2t:I"L֢-OELE'/vEq&= ;UMp4Pk/Xs0U2)E %[f9..ٯWGW:v>pi_]*j26}LӋ~vRNQevpͥ&ToFXxUj:F`:˾/`@C>lG03(c!C/aE`ŗCWpPH@ِgt\Ӿd[a3p,Ԃ/']،{4 ;1oAeT?M\5$7`UAaCxI*|2^u CYU,rTm*(RF3fc4եa?=gDN Ҽg O[}Uᩴ'z5)k5%JaK#bpy@z4(Tk Vff$@m( xz [vB ǖDL.yf71MPʗnS쀓-H3s?`QOS-P2Ba&<9N"[O݊yg;MzRMZYn  B|<طEyg(:iF(ot B2%(B}z!o{MѪ]!)[i . +|dq5'L&ⷽτERBL45YnXK27sOJ"j14+GؐͨD\i6|we3EL\;7(M+w;ǂ/X{|Վ6OQ<}Xkҿ˃K@$}AzV'{S-$2_̓8EV^2$8(GоB0ڊRh9JYH=Yr0ONy8M+FP.qcU`mlm.1{K lєI&p+lf&a UeCn祛PB֍Ї~/Y PWi@G"V&iKqg>=3WiM\GJ&sֺm~MǦT̶k*~.kmp I3?W하s=c!; s d_tk˜N,FE|Jª+6}i<C/Bv!*ZqԉdY[̳|hfޑ&3pw~x!_<6wk8xwP>aks[)aW/WqaWqN@UdBcf5m *$;3cQr3 ,2 rbTioJꈛ[|@^ɦ{b7ϹJZk7 ] huzl3z!֟P*QׯU>0p|qUe>2rnod-oy')Ki>I\{@^].IC+EA;b/*AAU(]˰ĭͦcVQ%xڬqug`J U2euQX'}=I|fON}P, -3h)W]'7Y𖵗*a$)mFIKkN1 b+GtTm^25̰bF@0$3 Ęv!n*Z~nq`ۏxC;0 3ږ|*&: )'hbXŶJYL[CGRIGNa_sNM ȇ\CDE &&fC>t29YP/M7#Қ  gUhܯ(KldEG?yBr]eRs ]ub2: *.P#Pږn=9@y۝ Y.z|íXt.,HW:g27fu9Z*ē}'&T¸v Y p>)0Tu` EbE{3o{iL_5F$AͿ1rWDXZaaU}fw˺O+`-,Y}8p/A'ޯ郕2ag#ܙ |wS+@wXcmLsUGQyľT! Y$F9K0AB&m*/.f󧀌vZs Z<38DұAgS:?O]#|nS-9O5h;o[Ņ!dka9Nzf"g0u8T# ]8`T7u[`ߒ}ZN19>(G"U酅.*\DL;b;u  s7NU?-8tْ}ǚ//: Z:|.;]t[0_csM*#Eo^K^].EU;j Yҕ;[^Q]E!3,Z2%Wx 7"N1F@ngR3f 3 0PWY 6RR>gt@ [Լ8Iބ*g  `0\5k@$o@}5DOV,Stgbyߔ҈U~RDJP=QW[G%(]Bzqt?N{J+ƀ@wRRFSQqH b7jffM9Tg~b;4$ZJ{6 R ʍߺ>`m(f~X9>Vo3o;|-\t#H"<@nYxWb smU+ xf2GHϳկ aLij=oQ9cusOJz8n>~ҸkQv-[6G0+AV%PD+/8J Z6"R`7_o^H`5?jk?,|1g㖣6؜@0Y^oZ7 C(lF.F[q&sFsZtZ0}`GYZ+LUJ<5bG6Vs@gB}1-h?]dp$,U蟧_k"I)>2nEj#wvmF:Uu@O+zQia fGv0Cn_YuRʘz) TzW|uwhGk}U;oc!II;9ԙNx>&RJ4܀bF;Ņ+@qU$DEhty=P PN ޖfK+dߊPRDm’Gcf> a v'ڎyN_ Z_KԾp *&J $vΎorb~o"z9Eژ9Z|8g>o"s{{ZN1ba%ja4WrԤ@&LwQiߢ ,خA[#ROtJ2 XY4!=x:e㙳U$.+RcH;D}-Pc܃`6FhL%xYX?SUZypv"UMͥ2CK.3NA;ث+8 MJ+[۸fC(8=xh gli58B6RtxՅzZ%?oVSq N#g<:5!]n(]6VJݯߔ3Jۊ*='/ҫ;ӹYPl}ak D[Ӎe"\Yi\\ Vy?ִD괐U4k=Fv'_Ŋko;rL"Qà ݎȈAT5D*ml9MS`,R?+AfTH؝dS/,~):}5y9{ԝQCnaoTܬ\oϚA;?rH t*S\'[ZQ!ǭҍ^Q6-&jI!4 |URC_M#ɜ L6]TL7w-Kl)&I7re4z99=V'>SI?d&,^3") *j=:~0On=Yaw/= >DcU RKxؤ2k#8lLmrfosJ,*J PNn0I+s͉+w%9+Rm:nÇ^ _G/Z9)ݮYFv-UPFay) l]w!r^tG\Ibj&3_ 3l7Y pua=;c/h3Rg'2q|Zc]&NL>)όڐ{t5\h  ?__mqٯ){b; 8 m>rDO;1U(e=PBjd߄7() gǗ9z WLK=Oɷ|Γu)U2ІFbtAOLDdAFNRP[ͩUľ!o2SfX@?p~;K`C &X w_ȐVֲL3j 6E=_RtK ),6FEB*>t{ M/xlWJVZkddv2ENbP}/j}KD}?LRmy޶дa>I MQzP2oܣ)-V r;4N#{OnlUd#I%*ͨEVwe-pZd-qngQmR͘0(@d}ݟV˅p \9kx E yG+@hP`W/R6BT7:s|9f.i Pw" C l;ը7IjDik g= '/ȳ;U&z7C( :231_Yڿi}\T)Lɹgo{*ޕh9 IzW!x|>:BS'_@iq*W^f%⎫udiof}ƾ0: 7[kϽt :*>(6].Б_uW~ Kbg ] H{΀+f j$>{ >5&!1%ËN]fI׉LRA$Obs${_U]mhrzQS1 g;p@դ*=&ud/0sT7c4,oUh{`{uN~,N`ZmnGKjc0V>} aed#O*Ck]?6T,''j ƗZzIa``Ud~lՋZYu4e ]|x3ZgTE~/T 3VsٹYIA4lauLn. luiM%|\> >Om\^D/:1\R TͦԼ{ B\ Je {4D~ij*,KD㚖ݵ'_l{hٗ(d Lb r+{o@"4ȕ Ђ;PGtwIN lynK$;?=6z7=oY08sByjY(,U FY+p. }(Q&溺SEcJ)5 q l"Rɥ|lt`U홅!+CzdVmkvjcqg+c skqB™[ 7: 4 l2b1אi`$2kO` fi$Kh'W`Z!HqK 4fsND ,G;}7`[S1c/tڢNa6^qB201g >Xݩeּ=MP9BC<03[Fp-}lr%}'0L% 1¯!c|_s˖ʸv)*8 g'diС4 pDnpGi-zQߧάURjÓ73vT;i'']0D%A&KqŐ Rc>;0!!ŢdS ͫv3bvZ+.-Q?Ϟx8rLZzuaQyBp`yV;,sTIdA8f vQT ]?ZE[MӀ]SsC]P#f$~wfHLMw\AMkj,nRwoGGsl+dhC\8_b o1ǘ(lwQCI{[mЙ @/&Ox9\[xNy&@W!P|-#Lgq GZ§cQQVpu⺰ۋ)鸖G~Ye( l( [.]Y2PbͷF A쐨%6ΓZƉW@^@mDK6^@$ R @s`{ wpp a|Zb EIeBϦR.Zs2{q6s1[m a#6X!{U(N_@Ԃ./D &.x6߮|9WGl~[Vx {I牏/sǦ?,C> c +{.c;ie$h L̍50*={nd=;͔na&1u[dcO"Eg~(6_ gV'-&L&5:ۍPUbx #U }8\9ʝWTP 7Y3jP`dv JHj~fP$,: 2c` o좃;יx@5%5>[&@`Eܾ`q}UOf>Z,ІfxwV+TRAވrl1m(V36 1QԹ!BʷFmEY63^\R6ɠ-Ή\bU6*HE8+-}5>(}2fTٯRm_{%֚p^wέ'F" ǝ a|P%D&UHX;7&VaZie- i)w ߊuV2ٔ@,Cvl]`szH/U~ *>L0UHfuU?Z]KX>7n;.^u񶏡t!-1#~<$]sH'R4 k"yЬnT=`!D Tc@nBY/Yjwlߺh];׫m=G"ʿ[\} (_lC5Hƨ{@ڊos?aB}Q%FV=/b6~H+S0c_nNy A<Üd1Df+[ <-YxHu_0o|& =N_*vΧ6꠺xp2[Sc6_}v{6eL6=)d[`}Tu]]kLhd=(L(Hd> `Dȟ SjBY8t524<(+M5eg,[TfdNe~wAA=]ek`LySk(QBN]JO~fO!:ڼ$TbT"JÕF}T/*Hf6+>CJo? joiYh^ǕnESWD,F3_X;ůPG})[:hڲQ^ 3Spɸ`?ڎᚋ^VU%P:c~}A)k c̉c/uyK艹LuEf}~.MpRwDK/ ȡCZ;) 勄 f ESu9QHHO-1BRr$\=CmLRc_+["sL&~66Iݹ1Nc܃k6ıbSd%I[&Ɯl6d)'ؼ\VŞje@_=HQ #G"vGbU/FBub!9&U,!6A:ySxnԍ3T,Z,Frt5QH Ll(&XeAӢEMj]|"մ\."+ s:O @/\CkA)ô zkF1 uЎl͙%Nx\vC ge =q$ [4VGvfF/CD:y:w<(5| 5#&bY kfB8dĈ:>+w.ķXƀb9o?;Oڠs&S+PQ+Xz45V UbPQH+gJIPْGGjX04G7bv_bӋԲ0vG~Cs;MzIo^WPƬzӽ3-k CkU \fq $P|@5Ⱦԕ' LlefZI,Gt?ѸD0TO{|(6ٙn(~75-Z8P  =EyHĝ>\цR 5NNpdKECi^^C2Ez׼qm=P\Shh %Jk7I aRye?5Db)L&U\[anG7xSzSGuAR$]"fvL72`t[Cyvi?\$~Hkkq ;iQP*-iJq1n-84bPěx:(W%rҶY1{WּoF0OWPD[GAB#j>csCl_9MKH:M2qT3q,˶ߝ i("RF@L:ED,E{"̇V۰lߔQ)Ol@F1CH,IDJ)a\yk_|7|JAcZ@OvGojGĩY~ܱLzfh{~A#2黛/]x۲cB^X2).1:K.۠vt^ELj0ihv rQUgH㰯QA>: a.zћJYh9e@%uuk5D#5^S~ X òT»@d/So@LrڿD|Mcܧ^% a-Y^2K+R)Vٍ1R|4;h!A 4JJ񅑂?r*TIfRp yF~ߨfJЪyR #L(䤉9m:͑yU0j? [)f'hF)]xY4{|Ǟ]L I.m96|8bz w;qr!xm 0X8J0(I0Iwɮ7xǒ-,ebF*wa\eLv#1=?oN_ `ɝCf dLMn$[KE/}i%ة%Q #6DiȽE.U:vQJlC\ź+ƨlAY#MuOCp<g5XW]zK 3~=EYf=SP9)pߦby6 Qwb5d@idS"/;r?t sY=  0 H=BI} "h[;:sI>|{nBB{aEZ7sչ:%)y^gR9]Tq5݄:"_,~ ߄98)5{je<y <׽LuZ4z#)g*Z%z2US!R4K k1w ˅ϧQbAiu^cXt&&*HZDBAW(ʼ :eo_ͤK…~5㳉.PeR9Bʝɢ>kO1X_[b*֋iIdp/n.?pqؕ) FXWr6u5tָL‚@^oTG+.#27LhXҕkpA71o@e qשA5!ˢdۡ9+a .!1|oUXBEA95ܦ[ؼ8M5ukCjAa QV9KX^7P׆hɌs@Ԁ#Cb4ㆴG8Ͱѽ#-/T8D3@ *gEd&61͒{ u8~#lDJLGqx fÔW_n\:: GH3y\ǧ'{8Xfu6';muCڣiPՀ'C_Ĺ*fGW7e?|8OCÖ+$pse`uN;KsgQn/>- d-vhCοbZN>.pEq+64\lY;^'Bma 2} p'y$睲cځc1zԔWHϫWnYN;%dc0ѻeH(iҪ9{0,, )j>1@,`Wo#43G ![C벆?_䀾Ôb}1;<ղ@FtJ%B"РuD;,2ds1}+RTwCm<g)D=Vi~ ?M([`L)zՎE;|8V/Evw\X@<˻?9^i9CYG}ap2Naw|`ſ 3bLv yԊƟ V 4 i39Q [AGlYiYT.YD*\01A.-B+A:SRkA{` "h儔7 K[[!EƶVXPߴu}a7ځ{ "P^GE`xI,@gpE>ajWh/Ƀ.GTc%rS r&dm5~m<go ImTYTABjcO*0"Ijl:+*UPhgahtr|s:]ʺ@#gEOu7~zCjD_5)Luw= `Ni~9^pP3ݮ[vJEN42 _,M!޽D҆tFq#SWYѴU'ϕ-[%3p?dqB~u3zF t>tAA>];T,$jTAoM8F@V$˛4#)9v~݋*tADn>ʙj_/] ' ``bJRcΰ H1Aۋ]\$q2C#ҟI7<*?~mX}G/#Anhlg70unxX"0 Ë#1]T=fdTVG/TSaw ɱ\9/'~6BeW I̅TNjrfZ1o+aA ]I>ǭ˞J}xoqZ_FqZ%fCj8%T:=cHz&ז&^[,Lf[kh/>x;:pY#GākNOH^(cPgilg:$1dVp+CITu.VQXyk,0F,؂P-^hal]:ZSlj>4-Y“Wh ;?>[,y%=C4(eLۢP^-co ۠z՘K|" > hJyʎϐDU(~_Q7XCU9D+覬} ݜ3?Ĝ C3tͿP6+/" Ȓn6w=i(v`=^^Q6Ԧ3`{.'T˕b[$eiV$r!jL@v)֙ePVR96{eP.,)1JhszuP>65ǽ^.NEq$r◜6jO17}Y@} JTV r 6zqjɯY6ݲKgb u ?ܟ99T+9+uĉJs!9G$eKr2B-zX%ˁF#n)(/u^}X*O_:dBG0p% a溓ڑ奰yS$~;3@_tM Yj=iQග7 ab0W8;# g6!q fZ3A?z{utr"3PCuYr.z;pWV6-r*Yi3p57Z4 M!3Snu>gHsJC>2}gY-pL47CFh\xr {-UڍE/yj5 2a?pytA{pa_$NGޛbOg~tɘSWL@g'!|dC5 1WZT^y?+,`6)>ؙ)ըְNcm:S P{RR6@~iO/?mJŲC e\*@wy=Ø1 Wё E;$U(Zudh*('XtY֓z v=iCc+1,JIb#BU|jfM%F"u>ZaͧK܉*/QuvO  _dU;uN4M-R)y' {c[VUXhLk`%r*#V=p +uDDB.k ^u,Cn+{CUد%c8qIEٜ'*J_~"m FSVV-k=)љ1>8Ml?]%S^x,fTC(rRf[%rihsq9p_|/F}O߂7HV {q Hp-Ǡb_!1lM'0ߤ vڿ#A>zR{KsF1r1~4Gq3X07UHJ^}0 =F:1$tM㨸ݝ3XUD-}#VnrW6lXX$ %o$2M$w^C"t%)<b$7og ORۓ9)utA+F5/!@H0J f#p:g:>uܥ Um*g;zLu ]ޝUs^޷aG׶'3Q=&,x0cm׻{" n9͂K$ʪ)@l­1"]y^?Y+rƩ#ˈuƑO+[n'+e/͎g  k_b(tWdmI'@`vL 2Lӟd4([Jf:6o ZHohB[s>!EY7uT@4W+ewd61YhRKJ-63@}zd?*8&Kp8< |& Wcd[c|U1z=XhPT2 P/3\9zѫkkLsZrE ]VVrw"^O>E,'cZh8]11xv'1މfO5^ qPzQ"feF )­ S["Aj끛^siӓ~yJxd5А2qb^n67NeQ7KmA0 TsTtA䤏}T8?< f qZdF!iۏh|\PN`.ͫ@,ʞje mhG@A?v=Ps.ME.8<*J7qwjg8/n J\dzDyG7t ^g'CC(a>4|]ϵU  4-oP ,lnt@ j|+Ys'ZV Q8򪾮Cʢ6%)t\TwҸ)~7̻ U {ѺwQOQf,U9C1*AI,uYnm;:CGoP 2w >]D9qU}З9KJ#@'G+_ :XNb䈀 &z i&N "ҡ*T|mۆY Vd{K_ a(9C&՝TqemIt4JH@ؑ`>"7aX' DP5?L4놷}6Ȫ7~VywN`qԠj| |aS,oKM` p$bN|EBmkI4hy_Pc8\=-h4XZ q=..rl0hwަ7밼p~oY !ƪilmE?Hi-W\fH{J6F'j>yW կG=p/p 2 A6IșM'̶ pN60lrw mi+z37-klԤq3,W38'LHwB=s 7C̥>ԍOHոǃn3KcR*IFV$it_ַ/(=I裱Dܼc?rj.L#s%TY#ˉmGZ#-x=l4ۿ46;,@i62,M=S)Krh^A2"įYZ4OCG‡,|T{\Zoyc~b3o ٓ! ܮ i_"leSVLivf?ՠa1`7s>u)ߒ :[;֞_hdAL{!DVGH€ g:΃h `zޙ7t B)K G!J%88nn ٚ ai9xp ycE3H.lNW>YrI\vivƑ{xeaM؟!he 4 !>m#v9>moP-T=G\(j?j9ĉcR*w~Q $W3GbU^9b?f$4s5gK%ucoB&z`C4gٌ[-^y1i^=k*5p+0(> 2=:(1"s`ƨJcqy}Ajsd2[%d콱w(q+l~9:)x3M:< I[W^ng/0fЪW؇>+B-b``(\"]5nCaTWE Ϟ 4u/1ȤK8ϟz:X&\kD7gcqUtf}⏣44m Ե|}K38*UF[= >i(vю vB֤dTm4ى(-vеG6!V0yT[/T[]jjK.e3iThzF`WGo]J Jʹg4[Ũ\IVc؄ {)w˨Džؕs+(.|@θԆɻLWUXֵіۡ"/U]xM0Q(,Af񊟣~'nCcEKS`Ev9ԗSt1eHeuբ{*1'guS UrBT1{7"Gm)E(ay-jhOS "ANNawEjׯu‰rfq 1IGϣ|퓳4c9ҥҦ׹[9p$d~ǻ02Eƈ4 8b8ara'Ry#!~jv&WR +vM҅eǜ$^SZy]5̆s|F'ݑg$O^@8֎n4M?jvY)Vcd ۏqD .x_Q\WwE&/ D-(:An!䀺H,0Jp5Z ryhw/ÈIfoz|j8p8Mm;ëH{)}Il5DyX8hWj 8)uIrq}("N ,"J<c}'%"bi:5;䷂ /\(f:aUGyt8avssuxХz?t/g"cP22l#E+!9|N:%ŅHŵ +nL[*1 ( KClCSNj6> 55PԎD{-+cblVf5{nV鿈m[hfso%e["9QT!ͻF*Gu  %6o u׭+*}`gV( IYjlev*?g<otE[6XP66OݒꮟG 4+n'bSFRɢg< ѐ :ȴ g\W_VƓ"9;!RɌo(dltlO r@kޚxx >}qs5sN h ӂ}guvb]rapvO?<ıpUe҇0&~4:aCZd?c)Ŭk}%Ob}>P_d[rE\1|OA [arx  OE%lh'D_f*@΂ztv)f5脖-@▬q;tD zM 57d䠷< wYI+}2F*elr&MKb%.qHEtc~E@a#k)p9{p%׆yYٞߗYpZb3:}fS"!Q{gO5B]1(Mg" "Spl~u|8!LWst%I1@~|3cڦ\jVs19x/F[1)!3d֖3Rw6De/+L/חV2O:0>F#OПuHm9]cĕ4͢Qu&r#"qG4 4僆㜾"Kkς 7>|k@.؉_q[納Tc,I~3l[0,[?R }JH:JD*.=jjv(hV8 ţ]y`.52B) ` >{F"u0H>L4N.Ie3Fq&o8x>+jK.jkJkӭNTInBĦJJN3lՊu?6 ѧYn|2(| wjW tꌼ"^ñۭ6U?Ni]ȃ/KSژOK(u6ϗʶ}c ߝ^R Ws4?Ʊ)?)0r}@ET_J~tE:fMpӮtsf\pFle]YWBc>P=v¾+-&'xƴi{ÞDu*tDjlO69ϤkgI-2uo_xزXS{,lPLw>\[귑p07D>*_s( 0eV g &ʬ*_m;1Rtad&b6<{ƧRRrq0Xjm](7n)r[ IODKj!kK؅2x2!pFEdԻ<, ehdU[)#6ZŠ :kHþl[D\*uər2K 6E!.53 eLgDC`7 M:lѾ'$iIJ-;NOGrb5i/u$ sBEv: tbSeVڴqmg-k+8e[kά{>2PĜ5zZK =v~gIJO~yƿv D֤άƗXX'~X֞s l>w 2vi…E$gk ILE,Jlyr$_Uw[]Hs^~Y,w0j2 I 9mp뙌#WaO~:FK}U]5,~1+aZDt2u}+:eqŻsblpUHt&H-G7I 1:A?E)EN 2~n#9msjq#h+{p.ߖP(//`k-Y3-id~EG{JرB= P4B| sB:AEW 4^\U&t7~& ̵|` =< bXs!G)"/J5DU#xfs`R43n Yɰ9T_Z06@VǶF7k; 'hnGmKjmɭ0S0G.v"bÍAoxv!J76f+r0MmƱxir^c{?Ϥ7/IǤC|KCdu:un;PJ,Պ't\ gE쏹̲KiQ59< vn^vޓ jd[x@4&l}fMG<R)Bvꑺtfcx#yѷdyXOdB&)6YVnj8qQoMYVw=8t8 ]9=0nXjxdYUy|Tn.' -̑l;=7-u_aF$[$;Y-3 Gfw:֝,0$p5G@,;?qĘ!4oh}]4O2 }Z㔢SKwhwaqڱm 0ݫ@X/98"UdL< *jRPͼ<-9i8 vߐM.-N ԃ&VLbڛ$it-9c/&2L4Q[Pr%fp] (֗yx~ے'Bf[rU|ZjYϫ.^vԀ8 {ALSӞeabR5L8ujJ j5ָ%U5LM*f&=3:4t1r!!d&M͒Hx߇29Y(Uk-#'mqHCMHpU] <ݨì -a2*f٣/%ehlQ8k!^HNEhFM&XcCUc)x_q,̂pJ?9w?ѨMGl\Q縜Ԋk#6l/&䃍QHnWAR(";Y_MneH[$Xۈ/!!c>“Omhw(KoΐPGKei Z;$8ww6({GOlV/ӧ3>~B<3Yk۵,@yŠrztsC~BZAb+Ȇ0bY^swNCQ>PI{ #J ~y03l NDN׊TQ|(J(FU-Lv<#/I}J;px + W,Fw* `D䥐F|!{c #}~–0Xn.Ehi`-+Dh:ܽхUZDkn,Mkw3n&}2YTmU_kFNl7ELɯTeb-M&z-?S+h3VpA.`VVKrBƿH uQ7+B )X8 Ɖ  SQ#3zṙ!N,4#u:hА&CH9H8I^S|Xz"&o#Ϝ\_vj" ƵdA.P6"qjsh4=LL)zwbgLTe?c@c9!C̻dFt δ=pRt 9aihA5SM\S/쬖/ }zƘb//I"!{;?=+*vu)JKRῚVwGc&F[Q)[,M0+a.K/ÿ* Z]EN\k"hƚۉMB$$T=䷼zs]QJ&>EG.OJ1e[6qǒ/F RDjf&eMHP=S&[RFu΅"09lݙnq+huvg&7֬,r38ð9GfeZM5ǡ&ٔN G /DϥVr㸞A0Ju>xK 01Om.BPr//و~" ~ $bzhHъOrPV, UaeSi ӢKkf&6,eLʹ73 lr$e1豠j|݃`{=[v_SgJ# ^? oˋxyo6:K$ٱZFcDo-/l)y d\1PB딓$q3F8lJ<?B-Sԧ ' &;+;;^6aq"u}kJ?[IbA=4 ~W^k8+aPLvpϵ' +8[~t_Ϥo2t_17QC䴏p/LDKrB|_Z D돨)sv4wd~ڣjP yfaeh;<EG.Rf-NӉB2/5|Nh@ L"-^O{VKiO(.!#(&ٲjNyg D5i:Ɓ3Ŋ)4FwZJ@RG2/v{j%Y':kTy \cKm62f6y5gE_CF FX&xh\%عϲh)UxIJ?D<: _;D{bOY9xkY2|xYb +73+¯Ψqt`gaeTs(l??@ǭey`Hr0%SA$$V*?P!P;DmM(l$KuʁEzQj}}%y 2RZ6^- TAtw \Gehfq(ϙGi0eSI|+ ]9WIos&/i Xׇ}T2b ,U]̊`9LރRiBb"S 7LQĚ 7Q<ؗ'T|̋R0;^%mM'zH ]@岅p79,^d}5F+8J@pPq"/NiHګ8lܗCĴ:v,lc1Kr}:C0! QE[ iAO41J3^=|L>PAEN(VKZЫ-]Y7#|Z kG;PmGA*)rJ5t6ގ~#ۇ߱A");*cDP/α|`q]wl4 HOFw?PXڪ0d2n|p(#v m"v_)ƙ-ތj HLmBq73TZ~KSsd#Uzna"nMnE="İAO|ksC> xp邚@'W7q7y|CZm>Bߛ>8=l,GRcl[un[ 1 &V4)^g x!땠e0zZ<ܢCϣ/()*L#@9N1R9wDKgɌIu ]DBTDcWTs1n >Zx4/c/Ӄ"AVkq爘Rc_DBe-]7ͽđ(Ԟ13=:U0W«XWF{}G})@\Y)D~cꮻ"yhl<' %ۚ%Fe]'rK|62Qdf _?m7&`;)1P?i -4(*W6!BBˍTq $ɡµ%YmO<.~q,ZNV 6b=ѝִr̐5PrE/Bі;ݓ9zSOK`]+ep9YRW>opxٴtx<~rɸ?t5^:ΩLzZjzAI:<@ٱHJ^=&#-0D,8@u&jK7ɑWm87g|{)*+zmAڿhTw4>h.;R38o'8!.U{1; :"/<|4 ~o % Wgy:>Je}Zvߜa­h;!c -B'|Cn@B)EhPăГAQ({MSxr c98jQ/78ߛuk#w.- p@TwIs! 4=̉|,lr+Kː-X!D.,x#=b}+27xa{bL`$'">-Q_4T8OWq:;jq濈\[%ۭ+'}s1Hd/.s_2)R8PJc֬mr`75 xPl=*] Z$<;pW3IP}( ԳMPTsCz\IP+wI[.?KAZ1~"44\eXv|Z;.MCljnX9p܀G:i;.b'?PQlkSN#d, 1!=9LaiD uhݏ7~z0:֣!&x.sMWڹLF&plr%4;r?uIgm+nJD<:o U-(UX&KIZ_ɪ(|äBMmI8 JVf ~ "V KvR%|UnY3= NA^"] ^4S#! JO`[T4]~~tI1_ _=NPv/]ZWMUzi<a${G}M@ff "ѷ0ьI/ԺdэD\Pb){&;)J pQΒS}(Yd;+u&0pn'TiזfJc&?cP4T89H!D.o$B# 4.S'$.fL$= mcFK7Ob5/&ޤ§a0i>d#H5N٤_'iYF&Gz¨@-/`*Q:\2+^Q<uv|gfNZ `F.6OjFtfRRIv#?֞c-N!11?+&Bn7q+[Wn!@Ŧ]"xMJ2ݬ8ޠ藜3ӰOnLͣ)kq[<8ŧOD\Fr rR=Z׺v_y] Ѭ}y^TZٱ,-,ܽӡYTqY++#\ v;H\)͖a)zLh9s'ϾŸeKh-&,/j|0؇blCe/kj^]兂HoǢ@c̢s_Zr 0E3'@,8 6#B@]ꚩ :Mk2b[]w#rĞq{҉0qVG.OWgruWO6"R/v+S{4QZ2Kw Ѥx]A.a3~}]99LGg>~nsRqTHMD_QMZ5= %ވ32]]9m{xUw>k4IgV9,nR)uVSjl( >QǂxS1]!Ѵ'b;BD<+nVz`>`u*IxhŲ7Qk7-Nhȧ Bs1P++rWK.tU^thXGq k̀>H]@-i~)C1nƁZnWˡtVLe.,YSӆkq@/6A` ,Q<]AFo#+-؞J2mbPwqR{%#t h5}Q:SC vùiϺTX$ 0 k\Ǘ'!*Z^3$I"eP2:xtH&9Vq=spq M nd7c4*#eJBDj9/r3O"8OYF`?&q=kj9k ҽ@c|r 1oWdVF@ 3KqَQyc%K1p<& z]$XUZJ%}`]*VT -m4q?aXGδJ&֬{<n;8[S. nAhM/e܋Mʟz>9-vWƨ֙Byed Dh'ZSȓuaRoMfNwb`]M?[!.ZĮj_l5-"z[z0)~d6ZmRU˒)wuR{$1%awKEڳor>,56X=h;q}nkO")}>'N5Nw[>eXQ|/7*sTLQ uEM*͗9,lJm@K ()u@N ]AR|8F`rO5icxmT[E좐 x~|̆aH/ٴK3^>lD)Cu| 60 pGI(NrVL&^rro{{|9s-_v%M<@oG0ւJZ¡(_&r)5FTQ[77XN/@  /thڛ y7^[I#=kn0d4MX䎉\ĝa~Ke|[eݰ@e}4e]cHQ'gy#nj ~)yQJdYm_Mɓ^d6lYυGU FBE}%Mc?2D5=vI2Rթu3鲁9{ ˴،sv<HC ڛ 8'ٻD{H&,p |#؊'Ijx#),<6b 8af@$bnA*Rzgz?h m*ʬ~ ~9A3ʢxr]~T)@ߧx?Ǖ`mF{sBlt@Rn½=xeˇ~ :2q>- [@:&Ց(HozEQ I}kԵvCH&؈IFa 6|: Z v=۸aBV"""1"A(<amXNm; šWL-Mm uIݵ; Ja0"^}R73 FCdl^Eeq`˭nKNn;)'Ua_JnQBgtD4Qo) V׮>&i`.w #b3HPـq⅙ Atgk̂iMhŪKOhb:WADZ<ɘ(|tC^d8  ks225P*X񷀦lk+R+UH]4-N2z%jL)LexQ{=en46c(#lWK0zꈔzqc#.g)*8?% EImK5tH.3N$>Oh..˳AMq޹u9vz9vT璐90M6j^*:iXbWΛWF;-r{RFjҵ~1O'l^ 2ATԱ}.'܈cdZL*s%1&W3.ҞXgnAp998 j:⻤#&2{R':ؘ1[rوy=fQD2Wv!XFoPsR 4FNݻ+FFV. W̐pۆ._%v1rPdD՗@rKO}>A:dزա fs"ɶ5(fJvtްX@t8㶍6QeL2Ԁ()5U\jڨSwME[F_8@U{ԘA}#!H@(DnD< WPީ%tb/2˸d .c ^7ե-YjIZ1L*u6Z]"6M'%fy=v]bFR*r ^dd/RN4cL,Y}[X|ùu10$5O@!1\`X 1:CK15~l6_ֳ6[ar0FkYЦcG?yI!%fq2ѕoFWF[wbG7ൈ=U (ʆb?`ɚ4-0ꮸum1|_&:)6\zm׭Rٱ/^މ<':E*;,έ"B:~V"w r`i@ ^Z|4Dj̨̢ W &vVb/ ¦oxt9₈oUʂ)O1FWZ.9K'9!K;#Jw?[z%&Cuܨc㺡)GS}XVTS!@q^d롖;h MO$IT1$ɻ 5< ^dӉ0/xUQd, gIld<%Y_%Tp2uu}j yՑ1ENpE _TI;" NȡdBO;KKC"? nPC~)%yͶf嫩]JPFN*cfdoMΪ=M5 k"rkсpc<3>iڮݩ!^Q 5J#n mV|.~Q>v[!׎>0wQ90n!ԽUbFNV+O(G}at(hԽ|}F]MtP&mU%{S =[inu(l%  Ʀ $*>R 4#-Fq#xuV< %\;\/7"qgf=l_MRj{ '6w8V\<.JCkbo N` RE PDl𭼎2Ik;ѝ;֬?97*K-X< +/ +rvBr Z\֯K6J&i0}>F]mP̅Kp_Tё *+mņ]F#B J{̺֬}!M r\CԓZ|rV/qo 44OUm=Sa([$j=6G}Y_Ãs'Z*gͱ`W̙H/,ooTz4%8f;-@C'콠{;,n#) E~&TQ ⾎vBSG*Z$ePh 8 )4xmV^pĐUAXõPz,P2P,:sXH~6&&#MfI(t`1hQNFD* l5ɡO 2#rLZP]=P|>߉)t{eڕ^-0EqPYʼ :2kX~ JEg^o l'YTԊͣ#'U[@:49 zp`#Y#In*sTBM ;')cke d/uy7^)w5;1_o"قeM(yHcVdaxL +j_dĪ~1h| ݓ˪&P&YdLJ0֤>t=ZIL =k8MG|Ҡucd? QzpI!l)j.Lx@gh͓/em%OC$V2i?ɗ#)uKԖS` x."þFs@%a:f|ep `/J&eiN mQ7xft#ؘ+24\lnrmIL9Hg+UwRY "yTv:6A(Du*:*$BȀ'tv|,zJ|u!`%y:9[be7w%*""5E'GguwJ7*a@D],`.Z!NaLR?-9#1Mj8Bߘ :Mlڒ# N WQOrɔJ/@};t?30`*$JF>!lSgE_ .V8ZV7n-,ho߼WUU˄+& d}RMTUk.|q~ GsTQYdSYJ ,G#B I:xC6Jp}Mkz>;d }S|-9s@d^o-ohAĈUcIvĐn AtꙞJ q-v=g7xq9W9T$i gB+A ODzO䵥3AL%u6/8n ib$$IROvh!+e eSP}. DZo-(n#L+-d G?W3BѼUxafPBTNS;&&06z[l'š=!ݩ:.m)'B\WkebooTY SkNCaq$+YYP;Cfn߷1<*ħ;Tm0Xk[>b~a8ρgTC"@n2gX?;!.dEo+Ƥf'3tW 4}k0{MpO'搭 M6T-fSpAg7:B!8 -D̃H/v9tCӤDw߆^W0霸JNJhspxMuc[)C5b|(pȌKng5! ~묱5E{icAwech7lՀ"HZQC&i±f}'ՊjS:Y!PTb>Xi"dnr8}+ 6f3_)s-Da_&'!ws֍pzVU͕yƌ760-Wa-܀Mj_yxԒHrt3T8WFR-Ea^F4*j1 U-Z,V4vy^F!MYU.If-i!ŇbŰk5OܹwXyC}?YuU9B) $7%gv)LXp (??* YZ