permissions-20181225-150200.23.15.1

Name         : permissions
Version      : 20181225
Release      : 150200.23.15.1
Architecture : aarch64
OS           : linux
Platform     : aarch64-suse-linux
Summary      : SUSE Linux Default Permissions
Group        : Productivity/Security
License      : GPL-2.0+
Vendor       : SUSE LLC
Packager     : https://www.suse.com/
URL          : http://github.com/openSUSE/permissions
Distribution : SUSE Linux Enterprise 15
Build Host   : ibs-arm-5
Build Cookie : ibs-arm-5 1663132963
Source RPM   : permissions-20181225-150200.23.15.1.src.rpm
Dist URL     : obs://build.suse.de/SUSE:Maintenance:25918/SUSE_SLE-15-SP2_Update/b2073a6e79212dec5a376adb0f1b5388-permissions.SUSE_SLE-15-SP2_Update
Payload      : cpio, xz compressed (level 5)
RPM Version  : 4.14.1
Encoding     : utf-8
Build Flags  : -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g

Description:
Permission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.

Provides:
    aaa_base:/etc/permissions
    config(permissions)
    permissions
    permissions(aarch-64)

Requires:
    /bin/sh
    config(permissions) = 20181225-150200.23.15.1
    coreutils
    diffutils
    fillup
    grep
    group(trusted)
    ld-linux-aarch64.so.1()(64bit)
    ld-linux-aarch64.so.1(GLIBC_2.17)(64bit)
    libc.so.6()(64bit)
    libc.so.6(GLIBC_2.17)(64bit)
    libcap.so.2()(64bit)
    rpmlib(CompressedFileNames) <= 3.0.4-1
    rpmlib(FileDigests) <= 4.6.0-1
    rpmlib(PayloadFilesHavePrefix) <= 4.0-1
    rpmlib(PayloadIsXz) <= 5.2-1

Files (all owned by root:root):
    /etc/permissions                                  ASCII text
    /etc/permissions.easy                             ASCII text
    /etc/permissions.local                            ASCII text
    /etc/permissions.paranoid                         ASCII text
    /etc/permissions.secure                           ASCII text
    /usr/bin/chkstat                                  ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=666412c69f4f8bf15e309c64406eccde83293f47, for GNU/Linux 3.7.0, stripped
    /usr/share/fillup-templates/sysconfig.security    ASCII text
    /usr/share/man/man5/permissions.5.gz              troff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)
    /usr/share/man/man8/chkstat.8.gz                  troff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)

Post-install script (/bin/sh):

    PNAME=security
    SUBPNAME=
    SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME
    # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR
    if [ ! -f $SYSC_TEMPLATE ] ; then
        TEMPLATE_DIR=/var/adm/fillup-templates
        SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME
    fi
    SD_NAME=""
    if [ -x /bin/fillup ] ; then
        if [ -f $SYSC_TEMPLATE ] ; then
            echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..."
            mkdir -p /etc/sysconfig/$SD_NAME
            touch /etc/sysconfig/$SD_NAME$PNAME
            /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE
        fi
    else
        echo "ERROR: fillup not found. This should not happen. Please compare"
        echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and"
        echo "update by hand."
    fi
    # apply all potentially changed permissions
    /usr/bin/chkstat --system

Changelog (newest first):

* matthias.gerstner@suse.com
- Update to version 20181225:
  * chkstat: also consider group controlled paths (bsc#1203018, CVE-2022-31252)

* jsegitz@suse.com
- Update to version 20181225:
  * setuid bit for cockpit session binary (bsc#1169614)

* matthias.gerstner@suse.com
- Update to version 20181225:
  * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)

* matthias.gerstner@suse.com
- Update to version 20181225:
  * etc/permissions: remove unnecessary entries (bsc#1182899)

* matthias.gerstner@suse.com
- Update to version 20181224:
  * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)

* matthias.gerstner@suse.com
- Update to version 20181224:
  * profiles: add entries for enlightenment (bsc#1171686)

* malte.kraus@suse.com
- whitelist texlive public binary (bsc#1171686)

* jsegitz@suse.com
- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)

* jsegitz@suse.com
- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)

* jsegitz@suse.com
- whitelist s390-tools setgid bit on log directory (bsc#1167163)

* malte.kraus@suse.com
- run testsuite during package build
- Update to version 20181224:
  * testsuite: adapt expected behavior to legacy branches
  * adjust testsuite to post CVE-2020-8013 link handling
  * testsuite: add option to not mount /proc
  * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922
  * add a test for symlinked directories
  * fix relative symlink handling
  * regtest: fix the static PATH list which was missing /usr/bin
  * regtest: also unshare the PID namespace to support /proc mounting
  * Makefile: force remove upon clean target to prevent bogus errors
  * regtest: by default automatically (re)build chkstat before testing
  * regtest: add test for symlink targets
  * regtest: make capability setting tests optional
  * regtest: fix capability assertion helper logic
  * regtests: add another test case that catches set*id or caps in world-writable sub-trees
  * regtest: add another test that catches when privilege bits are set for special files
  * regtest: add test case for user owned symlinks
  * regtest: employ subuid and subgid feature in user namespace
  * regtest: add another test case that covers unknown user/group config
  * regtest: add another test that checks rejection of insecure mixed-owner paths
  * regtest: add test that checks for rejection of world-writable paths
  * regtest: add test for detection of unexpected parent directory ownership
  * regtest: add further helper functions, allow access to main instance
  * regtest: introduce some basic coloring support to improve readability
  * regtest: sort imports, another piece of rationale
  * regtest: add capability test case
  * regtest: improve error flagging of test cases and introduce warnings
  * regtest: support caps
  * regtest: add a couple of command line parameter test cases
  * regtest: add another test that checks whether the default profile works
  * regtests: add tests for correct application of local profiles
  * regtest: add further test cases that test correct profile application
  * regtest: simplify test implementation and readability
  * regtest: add helpers for permissions.d per package profiles
  * regtest: support read-only bind mounts, also bind-mount permissions repo
  * tests: introduce a regression test suite for chkstat

* malte.kraus@suse.com
- Update to version 20181224:
  * whitelist WMP (bsc#1161335)
  * Makefile: allow to build test version programmatically
  * chkstat: handle symlinks in final path elements correctly
  * add .gitignore for chkstat binary
  * faxq-helper: correct "secure" permission for trusted group (bsc#1157498)
  * fix syntax of paranoid profile

* matthias.gerstner@suse.com
- Update to version 20181224:
  * mariadb: settings for new auth_pam_tool (bsc#1160285)
  * chkstat: capability handling fixes (bsc#1161779)
  * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594)
  * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)

* matthias.gerstner@suse.com
Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package.
Therefore remove all of the following patches which are now included in the tarball:
- 0001-whitelisting-update-virtualbox.patch
- 0002-consistency-between-profiles.patch
- 0003-var-run-postgresql.patch
- 0004-var-cache-man.patch
- 0005-singularity-starter-suid.patch
- 0006-bsc1110797_amanda.patch
- 0007-chkstat-fix-privesc-CVE-2019-3690.patch
- 0008-squid-pinger-owner-fix-CVE-2019-3688.patch
- 0009-chkstat-handle-missing-proc.patch
- 0010-chkstat-capabilities-implicit-changes.patch
Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update:
- Update to version 20181117:
  * removed old entry for rmtab
  * Fixed typo in icinga2 whitelist entry

* malte.kraus@suse.com
- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch)
- fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)

* malte.kraus@suse.com
- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)

* malte.kraus@suse.com
- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)

* malte.kraus@suse.com
- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)

* jsegitz@suse.com
- Updated permissions for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)

* malte.kraus@suse.com
- Added ./0005-singularity-starter-suid.patch (bsc#1128598)
  New whitelisting for /usr/lib/singularity/bin/starter-suid

* jsegitz@suse.com
- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)

* jsegitz@suse.com
- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650)
  New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox
- Added 0002-consistency-between-profiles.patch
  Ensure consistency of entries, otherwise switching between settings becomes problematic
- Added 0003-var-run-postgresql.patch (bsc#1123886)
  Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve

* opensuse-packaging@opensuse.org
- Update to version 20181116:
  * zypper-plugin: new plugin to fix bsc#1114383
  * singularity: remove dropped -suid binaries (bsc#1028304)
  * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds
  * setuid whitelisting: add fusermount3 (bsc#1111230)
  * setuid whitelisting: add authbind binary (bsc#1111251)
  * setuid whitelisting: add firejail binary (bsc#1059013)
  * setuid whitelisting: add lxc-user-nic (bsc#988348)
  * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956)
  * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420)
  * Fix wrong file path in help string
  * Capabilities for usage of Wireshark for non-root
- remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.

* matthias.gerstner@suse.com
- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.

* meissner@suse.com
- Update to version 20180125:
  * the error should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247)
  * make btmp root:utmp (bsc#1050467)

* krahmer@suse.com
- Update to version 20180115:
  * - polkit-default-privs: usbauth (bsc#1066877)

* kukuk@suse.com
- fillup is required for post, not pre installation

* mpluskal@suse.com
- Cleanup spec file with spec-cleaner
- Drop conditions/definitions related to old distros

* astieger@suse.com
- Update to version 20171129:
  * permissions: adding gvfs (bsc#1065864)
  * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410
  * Allow fping cap_net_raw (bsc#1047921)

* rbrown@suse.com
- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)

* krahmer@suse.com
- Update to version 20171121:
  * - permissions: adding kwayland (bsc#1062182)

* eeich@suse.com
- Update to version 20171106:
  * Allow setuid root for singularity (group only) bsc#1028304

* jsegitz@suse.com
- Update to version 20171025:
  * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)

* astieger@suse.com
- Update to version 20170928:
  * Fix invalid syntax bsc#1048645 bsc#1060738

* pgajdos@suse.com
- Update to version 20170927:
  * fix typos in manpages

* astieger@suse.com
- Update to version 20170922:
  * Allow setuid root for singularity (group only) bsc#1028304

* astieger@suse.com
- Update to version 20170913:
  * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)

* opensuse-packaging@opensuse.org
- Update to version 20170906:
  * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764
  * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)

* dimstar@opensuse.org
- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.

* meissner@suse.com
- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)

* meissner@suse.com
- Update to version 20170602:
  * make /etc/ppp owned by root:root. The group dialout usage is no longer used

* meissner@suse.com
- Update to version 20160807:
  * suexec2 is a symlink, no need for permissions handling

* meissner@suse.com
- Update to version 20160802:
  * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282)
  * root:shadow 0755 for newuidmap/newgidmap

* krahmer@suse.com
- adding qemu-bridge-helper mode 04750 (bsc#988279)

* dimstar@opensuse.org
- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is exactly %cd in the _service definition). Upgrading is no problem.

* meissner@suse.com
- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)

* meissner@suse.com
- permissions: adding gstreamer ptp file caps (bsc#960173)

* meissner@suse.com
- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)

* meissner@suse.com
- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363

* meissner@suse.com
- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789
- added missing / to the squid specific directories (bsc#950557)

* meissner@suse.com
- adjusted radosgw to root:www mode 0750 (bsc#943471)

* meissner@suse.com
- radosgw can get capability cap_bind_net_service (bsc#943471)

* meissner@suse.com
- remove /usr/bin/get_printing_ticket; (bnc#906336)

* krahmer@suse.com
- Added iouyap capabilities (bnc#904060)

* meissner@suse.com
- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093)
- permissions: incorporating squid changes from bnc#891268
- hint that chkstat --system --set needs to be run after editing bnc#895647