permissions-20181225-23.12.1 >  A a/p9|9YCM/By C6*uYȶLCm_*oR_ZkA6xdsp>ا@;4]OjrCƺmw/i/4#H"SB路겕 c4U/Sg+_sT`] pJH8$f;V! YИPUm]&Xev/ˁ{l! *P]㵋8ʫ?  ǛMTٴl0w| 15611333acb21cb95dd292aac43a86bb137abe929677e92bb32de3527eb88798f30b63f6026ecaaaddb5a848065d588abe086ec3Pa/p9|u`[5yViLD~aM P@YBjQ_o@=A` X k:vHga фo%Oi_&xbXrPbqL2ćnƌwti,Um܈ ;ޖKW飁2m#og8@Zil*>Z8&OWE]Q>@c9ˮ7=dZG"w5ϰP܏ʞąEE*HAL *HheÁZ >p@=?=d  > )JS iL p           0 ]   $ d ( 8 69 6:6>8F8G8 H8 I8 X8Y9\98 ]9\ ^9b:Cc:d;re;wf;zl;|u; v;w< x= y=4z=H=X=\=b=Cpermissions2018122523.12.1SUSE Linux Default PermissionsPermission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.a.ibs-arm-3TSUSE Linux Enterprise 15SUSE LLC GPL-2.0+https://www.suse.com/Productivity/Securityhttp://github.com/openSUSE/permissionslinuxaarch64 PNAME=security SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi # apply all potentially changed permissions /usr/bin/chkstat --system.T1W_u 9;@큤a.a.a.a.a.a.a.a.a.cd73f4760679880a45dce3c9cb05db59590dd96a4598a64a8a09e1ac03effb067422c5ff5d9dd9db4fff1a3dfd8d40a1a3c85bf2ad31959ddfe48b84a4d64199254ecad52808937c3153a81d50810ee7e689d78dfc2cf8aac67cf179a2fdbf3bb06089354355503cb5ac4dd194f1060fbd6e9fb3977fc49d7dbdf4e3ee875b9b8629bab725bee1b07bba39312965005baffab12b82936e17c0c60977e8d2c744c0e4a89191b036e69a32bf06c6a03b4f1c2cefc66a32bb8cb85d876d429711a635eca1eb5762d2b602f4b5114a54eb6e6815d26f10b5dab00cda67f2860ca4a32dcb772c1e9949198bc7695bd25c20cd21aea565905b0975de2edeafb31d8202acbebeb00ef9fccc619e66ad50b5c31ac346b2e06ec7d429ec8d2181bc5bd2f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpermissions-20181225-23.12.1.src.rpmaaa_base:/etc/permissionsconfig(permissions)permissionspermissions(aarch-64)@@@@@    /bin/shconfig(permissions)coreutilsdiffutilsfillupgrepgroup(trusted)ld-linux-aarch64.so.1()(64bit)ld-linux-aarch64.so.1(GLIBC_2.17)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libcap.so.2()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20181225-23.12.13.0.4-14.6.0-14.0-15.2-14.14.1aea@`@` l^?@^ϧ^>@^^y@^\@^Y^;^:@^4]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@jsegitz@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commalte.kraus@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.comjsegitz@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- Update to version 20181225: * setuid bit for cockpit session binary (bsc#1169614)- Update to version 20181225: * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)- Update to version 20181225: * etc/permissions: remove unnecessary entries (bsc#1182899)- Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)- Update to version 20181224: * profiles: add entries for enlightenment (bsc#1171686)- whitelist texlive public binary (bsc#1171686)- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- run testsuite during package build - Update to version 20181224: * testsuite: adapt expected behavior to legacy branches * adjust testsuite to post CVE-2020-8013 link handling * testsuite: add option to not mount /proc * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922 * add a test for symlinked directories * fix relative symlink handling * regtest: fix the static PATH list which was missing /usr/bin * regtest: also unshare the PID namespace to support /proc mounting * Makefile: force remove upon clean target to prevent bogus errors * regtest: by default automatically (re)build chkstat before testing * regtest: add test for symlink targets * regtest: make capability setting tests optional * regtest: fix capability assertion helper logic * regtests: add another test case that catches set*id or caps in world-writable sub-trees * regtest: add another test that catches when privilege bits are set for special files * regtest: add test case for user owned symlinks * regtest: employ subuid and subgid feature in user namespace * regtest: add another test case that covers unknown user/group config * regtest: add another test that checks rejection of insecure mixed-owner paths * regtest: add test that checks for rejection of world-writable paths * regtest: add test for detection of unexpected parent directory ownership * regtest: add further helper functions, allow access to main instance * regtest: introduce some basic coloring support to improve readability * regtest: sort imports, another piece of rationale * regtest: add capability test case * regtest: improve error flagging of test cases and introduce warnings * regtest: support caps * regtest: add a couple of command line parameter test cases * regtest: add another test that checks whether the default profile works * regtests: add tests for correct application of local profiles * regtest: add further test cases that test correct profile application * regtest: simplify test implementation and readability * regtest: add helpers for permissions.d per package profiles * regtest: support read-only bind mounts, also bind-mount permissions repo * tests: introduce a regression test suite for chkstat- Update to version 20181224: * whitelist WMP (bsc#1161335) * Makefile: allow to build test version programmatically * chkstat: handle symlinks in final path elements correctly * add .gitignore for chkstat binary * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) * fix syntax of paranoid profile- Update to version 20181224: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: capability handling fixes (bsc#1161779) * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647/bin/shibs-arm-3 1642409708 20181225-23.12.120181225-23.12.120181225-23.12.1permissionspermissions.easypermissions.localpermissions.paranoidpermissions.securechkstatsysconfig.securitypermissions.5.gzchkstat.8.gz/etc//usr/bin//usr/share/fillup-templates//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:22415/SUSE_SLE-15-SP2_Update/24af69c0eeaebf90c0649074940a8198-permissions.SUSE_SLE-15-SP2_Updatecpioxz5aarch64-suse-linuxASCII textELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=148a0f36c871112fbd8948e8d434dd3e0a861d96, for GNU/Linux 3.7.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)RR R R Rf 9%Yutf-8a1affbdab06d540ab4a90760daa27f4bf2dd0cee1ba8b70f52dcb4323b273852?7zXZ !t/ZW0] crv(vX0''JqkQxMwIH/NuA ~hhs[~^mo2=+HsR+kJP"cT );j_7Q_g * LQDcWˈcwj" 赗ph ۳"2bPNOXIXDx+0u-C8b| a5L` R5v2|.o ۹̵556#~ aQHcxnbkoc W/A7[&L!`-B@G[^4JE9(݌eY{4𓧘&jXl=>_BB(, ZoO^\G|3M6ԛP120lKW!D%QEOKE _ m=rx%kHˬ##N&xjݹ_U w> \|ٺ1Due{ B-b4]lb q8w(KI"u-]TSK'5JL>$с9|#GMxX[1z?GCچ ܌Ef75nq?@Px+kQf5 1Rނ\ Vx6/JRW+u\S1o'./RCY8><vy(>NwmR0 />/]T7\O_ž. / Y.&%NvU+@d,8!/ɀ#4=H /5cLk|YI4R%d'{ӒM"r#gTrԐ22_bNmk`;OJ0{I`P=%(_|R|H+h@GCVFb){~͞ǩyGC *N{߀nP1ib0}𰐑AH\*,,KEI֌&jO!(SG0x?ؿDY'0:3TF߷*?oN]ʑ.#6kA񹑫8yڒfJRWNn-ʠQ IǪ{fH\b3_mK:zf`Bxmi&_^}ޛo@4߭!M>O|`g{ DߏĒ y,]h7Jk}U[Xjvm];љpvK$DzrÍYZa[5sP<2E`R{J&?koo5OJh?wEYrcvҐ^w 83"=97$rڣNr:^'|5w]kF]/~srcXpH(X ikW#=;(zW>((EC9"ܿ(7M-DQOzYM+=諴H?^?I-z^NnPgXpu˓O$LjVr#p2 A"gwpHF\x.2;[$ߧ-tF)]xbPNX{[}rYFG q5(-sI,<BJ+sΛkyFbty F[?UJFy .[!)dm?/k,ahm SH0,IΗ@` Mw={w^١覟/6$tkgH/=҄@h`,mwlT=wJEb(`' &8~uųdF?* g!{r``YNa{Ŀod}C^,iIӀ=_b| \.{ ƹQ(Yg-Q-:СI fU$ZՇ`4*QHkꨣf5? Fm0~C+@Rԗb p@ n%tٮk3|}9WBTvQk3rz,y04O\JADE:)Rm$$qP@1mIP@1jY_yj0_ԕ/Q hu ;>’?/IӕPm,%]hׅ8Q%bo S;V jc C{#vOL !tS?}Tr׮"ݭ P`|i dH'P% %8A9⣖;;,l*9ᖵ,+=~wIL ݚiHjG~+}b> nL\ < NF]Nx:ʗ-H`[bzhBE6؋d1F}nf ᩖ1S >I=U R;E.^v_eP/L}̶ !E/[NM {oyA||\n)vU|U2Tnd"׌(7d}A~4`"V4`"ȈoHwOVV%oUC;4A-L}oZjKu>lW!ךźv ~ho8;(f.-68,G$9-fA#bkzZZ{U /ہ߰74S+3Ā@i0ɥ@uϸF Ȟʮzuk麙sƒOcN7|%&I(d (_+)B(ӭj^K:C[bGz I$N̙yBs;SYBO voBg7kowbF%-TWm;`Q.4~ nB˜wےN5 Ɣla;83Evp`p7j?%ClQkÒi ϊD7mcֈoWB&Kv?Z;yۯ6!h 2%}#SyvFM?]!>/7t03F;2ԣ ,shJ "~ @|Vכ4XzZj !,}!m09My:LjEK AosX8_cZn1Il W<₳NU g3XzKdzѩ'_9BDtu_;Dhʴ/8)(2snc:{G=S)b}A1{&bgynqt5 GiE3YJ%>5R>RvA'%Vit7&'e㘭hXңhXx}7sʓhrݺ41V[p4b 3eR }|T Aq|ZȹOMʾ&4[cQhγLcxF)O&x{ud9u1]F-60aݐ>9bc28102M݋yAB:{!o98Ӌ{@D c"M=EȊ"wۛ7A#L3jp &+"Y LXG{rnjSod݁R"Ð7'(,=l RAcAK.&5qBbCBt_V;ʇQdW>HUV,q.H`H#GX/Z3kj[F{`x]؉73v3m+#"ٸ;E"wڿ=UH=DB| a1YL E5hܦv2fǡ-b\iE0675Є.$L8]RVT.:Gۚ^.-ppUu2F)b\RFܭZ}d l ZkQI yj#kQjl.Lpq/=q=2z:!̐&P?V>]x\I@2'rˀߦX kD;HxiO.&)􃉻(S’xtG!}1;tXdfab:RB8!$gUV1fNGVW6A%EʂPv$q &I%)1h`N \3lbKG/ =M$2BEerWApK0T5#Y&֯qaq%u!KD+j^TzKCֻz1} bԢ̢v)=+(<wc ,@[ڎ2[J~UHpobؕ?GE@HDrY fQ_\T+*Jjjɍ44aUTM 55LO-kPOmHvS[y4sѬ9ncuΌ$>⑨Wq`}sQP̼}Iъ?O؞!qϧ:P:a)ZY ;řwH f@R?ϪN饎ZsEr8! Drd2Cwzlm]a3(R/-KB q|̠1)z&s%OGӣ4S&lA;kJJwm.Mw|ߪ2 xnIDHQ*27 *{əZ0mKN [X;DZ|(, _8zmlTiA : #1] a dܼuƅkHB+%n&eG,JѥKտ,YnZ<䣄%*+m'=>d 5XK0W{@EccAu$ZGڷ!#-"8缾ں`_`P/\9ڒdž{USTQҷ[M݊Zc92$ÄLB("=>uߪ:bŠK÷iTDx\/j*Ķ<Y%huP`~E:(qu8@!tA5 Znn?bdCSX_uDZDH3jIJ*qDj δ֝.%LoF,[;@]څŻvDÑ8Mp_pzDBTbDYdJ:ʃJ4.Q((y:)dy􇑠hz:M i*Y #+)Y#BuB M9FwBIt,M5؅M%fJ SRW 9H κ9y$C"xupyonjeۭ_7ӽKپM8/>5ZN֑iz˳ܕ$i5 &~yv YJ Eض{;WuԎ^u>c$8DۈpIM$; 6dZ] v{:J;1]RC3 _eK\"=7fGzN2Tn鈮ɊoǢO0p_dKAcMۮ+8\) ṮNbhm<<j]/ʯkĶ?˜}"G?K'qj٫VN{nI%*3ҨmUd 'c+DGnnگWs 躛v BnL͖>׶_;hikM"%ߑ#{ ̙b$ &ą)8=[Y:qBy 5ST*8,b.CҷM[s jdQ0H z/j "#S),N JYY0a0jq}6n 2:c^VWq:G/P&]hWA]XKі5o%#Rة(@=>/[MwgdJ7`b##aP. ] :ڨ@BpRaJ7'?6,~ɱ WvvݐxtoKuqS-r>?8aJņb;"<g@!BaU%.#R;!k¿:I,B?/p;Uw&ZlGù+jR!ʺwȲ)v+pE#U~4pÉc(śu/jCjېw̋ hΡXkN0lo^U$VFBacmīKH}rd³ΝK!X"KUI<njU>@a4~G^NWZH?idf@Ň"hnAg!/P%|aZcs[)3pů2mhqvAE>Z9jӒWoC\'9$_v0Ct j-&j)"Jo2ݦBjca!0&KQj9u_luXRMXt +N{zu25L4X ,=>Je/C y },hLmk`wH;>L-@\®E#Dg}p9wy;f6vYx-hA|O.3@(|㑣F p D!M#Ph`8]:n{Su4oc\UN1ש!:2?/,[Sw%'pHǥaPA  8菐ʅ dW^8á6q)eVl$n! c0OwkUkyًC<,=$YIʽ )ˁY$ֲh4M2E]93:`J|"Eb$W NST;QG#6[(FaMPb:$g HIƿw p(u&QZ4 7nR2Ї!9Mq0v -k ,t5nޢ 3:qsSq3JǢ踁)܉~NɷVO$Maaj@hd;lfT2XM{ldv= Lh |k&9XVNbY M00r (L#a,).IIjpuNVA8!]%&d@zgU&# 4.Mϛ($aENR 5yj6 r x [;NVڝmo}Ac=>69IX4,;?3D`^U\NVsIIUH5cG"e+ip-!A5?0:X[N I9#p3$'u 1_n vnʰS?(ڳņ#8C*+%?7|ZGFWbNI?"3!utG W/|/i6gbA0 "@YEb 눮YtCG"'NesI@!yɌwp0_;6V7& }:m\XxOqtkgÀ^>`7Q<:w .85Rǥ%띔PtdٶVdƚ3;>׭I[oԀ4C"OyX*$_w(<{`ɵ-≾"-Ql0ߖ Dq0=4EwɈɉ"`gpf߉%> յ۵I$+-A5t5Xo'P&&U4&jVU%b&cmc2W6k)>Gvza'̏vUz2t #\?uw2?hW`22VmPB\l땪,1JH(̋aL>qyEE0ǡj$Ej P xstv$P`t=]"59vgpM}Y4N4/MO[B^V {2veˡX~ZZ.9djDA;QyRaVS8W sʆB>^6K1NjczE;meWw [Q.dLcKbaMb߇smhAH7Uvr*SX8)d̏@2- &s[yKBX6) ;7^H[ 6mjpʇLC]wyjP$vŦ.cr,tNgI,?w2bs( քРnPy@TjKϮɖZVis@E[&BmeCrdfB]NAvN sxJp}#mQ=0$!}=b|\=@򍕞}6gt˭V'BhM-N5g9^#m(Qx#|0GĤ5::vV <83ADCsHQx.oA<[cScrkiq. r|쓶;[IKrޱE6',Dg%e.1&.C!0E&\j0&9em58 FD'TǢL)N^a_ q%Ð20i9|)1}웹(?Pmq ]AQ@zy0Gn@tp10h=fWf! "PSq8Nd&ÚMWƃc Fc3e#š͔,37+yk}MS~B#ˆ(uvP}QL&}^]F>/%:Aq*ߙD#T饩!S5i 2F@`?DPrp_o,1kD^}/idYŔ'uږa>yRQa(|tSjV]u Uv^k٨k@4ݔWFXXAs~ƓbWAj&G6x(!j s! *~h'H}8jM01[|`t2 e>Vΰj"_\cʊ+ZϊU-%nμ*m!m#D%Y}F(`ȉE`3aQlUyf»zn tuAKu2S%޳we/̽F** R-%6h Ȇb (9]~# |H?_ik4A߁!nni$ $i#t˰%z0f$ TZv3CI|~aLEѝ֒5XVWr' [ߪ͊GAcr= ?|A1`EStZS] Vg @_rVg2VRH'F{Vpܷ ^#4uq&x xp 4bn"Bh:`RMwJvֿV)|S w +tg~ T#XQ!ϘT.eb('+"Q|6eD `_w1٫ LQNJQX't1fs{f|zC쒺jϬd&^/) ޹|O.eixy@9*Kbɳ? ?`{,~$H lͻۋ pF|'կ6hI`Ӈv:HN77u&CH">rqJO&oRj!WKHZr֦F^Y!We[X!+LjR7#ywCas9ý̃ SZ|)1vܴ'}B0[-]OA.M߹|MP&/b95Qw 083c GUX | ~+$LQmn)KomU OϽ+|&FT oQnLOkAgU^J';><1acrI@ )||§G7+מwb܏{Uʗy De1rTX%O1BH\/&j yhY(C*)=цL8 SflF*G!tYW3iY^ Λ ^PuNB'xVp٨3Y&R圢עYm[@4Le._N4m(֜625gu]?`zbXWB8HVH2+־nzLII)i$|4.N24Y1VczaFWOb/4*0Xɫ^C2MNn=}wPlX @x)(\х/pu.ab.fZܙ(shm@ .ypۆr_ '{ϵ=aGj@3f kQN$0Oqm)Ej[~~dֆNV4]eysꍢ<-zdkɥ((YvAHkD}0Bu˂"7c^I37"̾6%x}61<f\TL~$3T>lwps&m_6oa@*JWDMj[4L!C*%>/Y *LRmA ih;)Y؛1$;\^>`_j7mIȃg40- =L~ M;sSx9K&s]$5Ax1JS˱Ş ˸3NP-fS])C9ze]7OAȂ& oϓBIb:)Z("2 Ӿ3}G.l8˻3;%f=NIl10Qݷ'r!SBFTUpA M8ղgV/]H[YDS 2aC@jCArXi}KP`'m:u-!-wwJk̯'V@*rAG7#Jn-a+VdGeV+7Hw*gU8&u{ϾZk$Nkִ䇸Ovy!mlB`J>` m~C*7K,ɦT2]-mљSHz^,*~ؒn@6D G~y)" y8-}m$=LnRaTo[b|CjZETbkpGYa/2e{5X]F{4؄: | KE!mr拓ߘj$Pݤ Řjpy9UOD~,&:W&Sxh'}?韻eS(ƶȕI5`]?zqsU~b@@aO]ױA?AmIGEli p!y++ e85 =O,XZR2G_|z nѶ:}vڒA]`P.5/`qq%UFEj_;4X'|vǐ)攣rM)L.qRPUh=<ܮV32FJeJc'5чm5EbM) js70^}n-f~X3[ӿ7*9׶>8@q+kVB9US 7fǝRK2De}&7/u M0 kz]kcM9 UaYSJ{5]U{n@z=%Ä+zew: kL{vt2l @S+B9K';XHF8{9 !c"@{)㑕v,5QQ(6pt<k.5OQ@Rkν)Bֲ 轢=5mL( kFek;#~0 4׆ȓ&/ wq jhuRUOqk)ݝe^[#2@~zO$M4>@Xڝ< e!m_ΜSa DqF:D:i ,Lٻ~% cj9t{bLR9>xV;Q_l[1{5yjiyB l ,'ivo} ##yA1xv5zJ[3s^Jg]ѥ&?0`NRkQA+>5F KvaksO{ Rv͉TEx%;~%˰8k{g`4gW8O0.mFئzL,.@$m:S9\Q2*Yܯ_K[~{# =*{T/d ,e ت#dq صDLVuVSP? %s^D!y-K37V,8"JڎaG=FT`*BLS^VԞM69*Vbzoi: U v;>wkXd݁jX_BK+]lϨ-dQch܍u+ޑ͇]oP'AFSFEGagvNĬ|v`!ʿ+c6Dy{T.ԜDkfդߙt)'QȔb܁ Y(yQ %|>\Sq{'8i3u¬6uK^@C .r!K8i2 zoG;mQjgnOG\M7~v*} ('Agbr&O O<\! @vMP):m]۱\I<AX) WÙR0r^].)w5}{Mĕzg!^.pH2H+b H\J>@[Aycrwoi W2TѦx,o_SBUvQ"Mje?ɶB9Թ/4xVA5s0@g,- S_sPNv| Wtc JY)jh,Maϥ`M63z`@L?a077{w?ߠkJ;pIi6ay{ڨQRF_?ܟKΓg2<1LxPg\w91B"VfcvS$G  ,L؎.Po=ٛ&n@ 7Xt׬Ӯš06˺Cwd#z2%}#`ԛx1M,}<96c*w7;5t¸4{uNWxv2EZZ=:bdWNZURnk#.=wvv5YhFJsLusi]lB/$ z?(*z/gҵfl=0R.~Mnǃ֬x/k7Ȕ'BaV}%DjdIS.[NQ zhBOgˉ0p1?>\g1kquo~ f8h |tvjro !7dPO`Tf|$jj{-NY$)'s|TW0uM٩1?aP'4\F}0Nι4ʡ׍`"M;頔E\MqjQ.Ľݠsזd~"'3ʼsA4Qa.RkՕ\])> ^{n""ɇ@lTʤYꋒ8DaO#g9 DJI_%Wf&L|^ӳVsgt 1'ipqKU6TE(}d-zNOO}@R|CWr~(?c$8 pNM[p=&~rU_nWutӞK̐S-*X4g8M݄q Ӕ*5nRP5:+DӘ_*H Oy2$"mgXjZCu0q„ސ[Ol >k&7oСiU3Cuiҹ!uM[-WwL6DS)#itk q3c'5 M+0/ҭ]EIPS!/sF۝^^Sr~|+-pQ{azGsZ=ee&jy} XaJhy?+3e(a07rbFcbF(޾NWO\^JI2HOrWU51@\vL!cFَu?ֈTH=SN *歹DǺ gQot [6n{R(X0B,E*7@t<8FRnh, w:*MtW/O0G{n_ E& YZ