permissions-20181225-23.9.1

Name:         permissions
Version:      20181225
Release:      23.9.1
Summary:      SUSE Linux Default Permissions
Description:  Permission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.
Build host:   ibs-arm-5
Distribution: SUSE Linux Enterprise 15
Vendor:       SUSE LLC
License:      GPL-2.0+
Packager:     https://www.suse.com/
Group:        Productivity/Security
URL:          http://github.com/openSUSE/permissions
OS:           linux
Arch:         aarch64
Platform:     aarch64-suse-linux
Source RPM:   permissions-20181225-23.9.1.src.rpm
RPM version:  4.14.1
Payload:      cpio, xz
Dist URL:     obs://build.suse.de/SUSE:Maintenance:22267/SUSE_SLE-15-SP2_Update/4b3d058246c9eac4d680a0bb24fc1a4f-permissions.SUSE_SLE-15-SP2_Update
Build cookie: ibs-arm-5 1640258855
Build flags:  -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g

Post-install script (/bin/sh):

    PNAME=security
    SUBPNAME=
    SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME
    # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR
    if [ ! -f $SYSC_TEMPLATE ] ; then
        TEMPLATE_DIR=/var/adm/fillup-templates
        SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME
    fi
    SD_NAME=""
    if [ -x /bin/fillup ] ; then
        if [ -f $SYSC_TEMPLATE ] ; then
            echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..."
            mkdir -p /etc/sysconfig/$SD_NAME
            touch /etc/sysconfig/$SD_NAME$PNAME
            /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE
        fi
    else
        echo "ERROR: fillup not found. This should not happen. Please compare"
        echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and"
        echo "update by hand."
    fi
    # apply all potentially changed permissions
    /usr/bin/chkstat --system

Provides:

    aaa_base:/etc/permissions
    config(permissions)
    permissions
    permissions(aarch-64)

Requires:

    /bin/sh
    config(permissions) 20181225-23.9.1
    coreutils
    diffutils
    fillup
    grep
    group(trusted)
    ld-linux-aarch64.so.1()(64bit)
    ld-linux-aarch64.so.1(GLIBC_2.17)(64bit)
    libc.so.6()(64bit)
    libc.so.6(GLIBC_2.17)(64bit)
    libcap.so.2()(64bit)
    rpmlib(CompressedFileNames) 3.0.4-1
    rpmlib(FileDigests) 4.6.0-1
    rpmlib(PayloadFilesHavePrefix) 4.0-1
    rpmlib(PayloadIsXz) 5.2-1

Files:

    /etc/permissions
    /etc/permissions.easy
    /etc/permissions.local
    /etc/permissions.paranoid
    /etc/permissions.secure
    /usr/bin/chkstat
    /usr/share/fillup-templates/sysconfig.security
    /usr/share/man/man5/permissions.5.gz
    /usr/share/man/man8/chkstat.8.gz

File types:

    ASCII text
    ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=05bc4b5ef94bb75a1930edbc5c4c3edbeed5491c, for GNU/Linux 3.7.0, stripped
    troff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)

Changelog authors (in header order):

    matthias.gerstner@suse.com, matthias.gerstner@suse.com, matthias.gerstner@suse.com, matthias.gerstner@suse.com,
    malte.kraus@suse.com, jsegitz@suse.com, jsegitz@suse.com, jsegitz@suse.com, malte.kraus@suse.com,
    malte.kraus@suse.com, matthias.gerstner@suse.com, matthias.gerstner@suse.com, malte.kraus@suse.com,
    malte.kraus@suse.com, malte.kraus@suse.com, malte.kraus@suse.com, jsegitz@suse.com, malte.kraus@suse.com,
    jsegitz@suse.com, jsegitz@suse.com, opensuse-packaging@opensuse.org, matthias.gerstner@suse.com,
    meissner@suse.com, krahmer@suse.com, kukuk@suse.com, mpluskal@suse.com, astieger@suse.com, rbrown@suse.com,
    krahmer@suse.com, eeich@suse.com, jsegitz@suse.com, astieger@suse.com, pgajdos@suse.com, astieger@suse.com,
    astieger@suse.com, opensuse-packaging@opensuse.org, dimstar@opensuse.org, meissner@suse.com,
    meissner@suse.com, meissner@suse.com, meissner@suse.com, krahmer@suse.com, dimstar@opensuse.org,
    meissner@suse.com, meissner@suse.com, meissner@suse.com, meissner@suse.com, meissner@suse.com,
    meissner@suse.com, meissner@suse.com, meissner@suse.com, krahmer@suse.com, meissner@suse.com

Changelog:

- Update to version 20181225:
  * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)
- Update to version 20181225:
  * etc/permissions: remove unnecessary entries (bsc#1182899)
- Update to version 20181224:
  * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)
- Update to version 20181224:
  * profiles: add entries for enlightenment (bsc#1171686)
- whitelist texlive public binary (bsc#1171686)
- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)
- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)
- whitelist s390-tools setgid bit on log directory (bsc#1167163)
- run testsuite during package build
- Update to version 20181224:
  * testsuite: adapt expected behavior to legacy branches
  * adjust testsuite to post CVE-2020-8013 link handling
  * testsuite: add option to not mount /proc
  * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922
  * add a test for symlinked directories
  * fix relative symlink handling
  * regtest: fix the static PATH list which was missing /usr/bin
  * regtest: also unshare the PID namespace to support /proc mounting
  * Makefile: force remove upon clean target to prevent bogus errors
  * regtest: by default automatically (re)build chkstat before testing
  * regtest: add test for symlink targets
  * regtest: make capability setting tests optional
  * regtest: fix capability assertion helper logic
  * regtests: add another test case that catches set*id or caps in world-writable sub-trees
  * regtest: add another test that catches when privilege bits are set for special files
  * regtest: add test case for user owned symlinks
  * regtest: employ subuid and subgid feature in user namespace
  * regtest: add another test case that covers unknown user/group config
  * regtest: add another test that checks rejection of insecure mixed-owner paths
  * regtest: add test that checks for rejection of world-writable paths
  * regtest: add test for detection of unexpected parent directory ownership
  * regtest: add further helper functions, allow access to main instance
  * regtest: introduce some basic coloring support to improve readability
  * regtest: sort imports, another piece of rationale
  * regtest: add capability test case
  * regtest: improve error flagging of test cases and introduce warnings
  * regtest: support caps
  * regtest: add a couple of command line parameter test cases
  * regtest: add another test that checks whether the default profile works
  * regtests: add tests for correct application of local profiles
  * regtest: add further test cases that test correct profile application
  * regtest: simplify test implementation and readability
  * regtest: add helpers for permissions.d per package profiles
  * regtest: support read-only bind mounts, also bind-mount permissions repo
  * tests: introduce a regression test suite for chkstat
- Update to version 20181224:
  * whitelist WMP (bsc#1161335)
  * Makefile: allow to build test version programmatically
  * chkstat: handle symlinks in final path elements correctly
  * add .gitignore for chkstat binary
  * faxq-helper: correct "secure" permission for trusted group (bsc#1157498)
  * fix syntax of paranoid profile
- Update to version 20181224:
  * mariadb: settings for new auth_pam_tool (bsc#1160285)
  * chkstat: capability handling fixes (bsc#1161779)
  * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594)
  * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)

Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball:
- 0001-whitelisting-update-virtualbox.patch
- 0002-consistency-between-profiles.patch
- 0003-var-run-postgresql.patch
- 0004-var-cache-man.patch
- 0005-singularity-starter-suid.patch
- 0006-bsc1110797_amanda.patch
- 0007-chkstat-fix-privesc-CVE-2019-3690.patch
- 0008-squid-pinger-owner-fix-CVE-2019-3688.patch
- 0009-chkstat-handle-missing-proc.patch
- 0010-chkstat-capabilities-implicit-changes.patch
Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update:
- Update to version 20181117:
  * removed old entry for rmtab
  * Fixed typo in icinga2 whitelist entry

- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch)
- fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)
- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)
- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)
- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)
- Updated permissions for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)
- Added ./0005-singularity-starter-suid.patch (bsc#1128598)
  New whitelisting for /usr/lib/singularity/bin/starter-suid
- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)
- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650)
  New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox
- Added 0002-consistency-between-profiles.patch
  Ensure consistency of entries, otherwise switching between settings becomes problematic
- Added 0003-var-run-postgresql.patch (bsc#1123886)
  Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve
- Update to version 20181116:
  * zypper-plugin: new plugin to fix bsc#1114383
  * singularity: remove dropped -suid binaries (bsc#1028304)
  * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds
  * setuid whitelisting: add fusermount3 (bsc#1111230)
  * setuid whitelisting: add authbind binary (bsc#1111251)
  * setuid whitelisting: add firejail binary (bsc#1059013)
  * setuid whitelisting: add lxc-user-nic (bsc#988348)
  * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956)
  * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420)
  * Fix wrong file path in help string
  * Capabilities for usage of Wireshark for non-root
- remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.
- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.
- Update to version 20180125:
  * the error should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247)
  * make btmp root:utmp (bsc#1050467)
- Update to version 20180115:
  * - polkit-default-privs: usbauth (bsc#1066877)
- fillup is required for post, not pre installation
- Cleanup spec file with spec-cleaner
- Drop conditions/definitions related to old distros
- Update to version 20171129:
  * permissions: adding gvfs (bsc#1065864)
  * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410
  * Allow fping cap_net_raw (bsc#1047921)
- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)
- Update to version 20171121:
  * - permissions: adding kwayland (bsc#1062182)
- Update to version 20171106:
  * Allow setuid root for singularity (group only) bsc#1028304
- Update to version 20171025:
  * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)
- Update to version 20170928:
  * Fix invalid syntax bsc#1048645 bsc#1060738
- Update to version 20170927:
  * fix typos in manpages
- Update to version 20170922:
  * Allow setuid root for singularity (group only) bsc#1028304
- Update to version 20170913:
  * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)
- Update to version 20170906:
  * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764
  * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)
- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.
- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)
- Update to version 20170602:
  * make /etc/ppp owned by root:root. The group dialout usage is no longer used
- Update to version 20160807:
  * suexec2 is a symlink, no need for permissions handling
- Update to version 20160802:
  * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282)
  * root:shadow 0755 for newuidmap/newgidmap
- adding qemu-bridge-helper mode 04750 (bsc#988279)
- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is exactly %cd in the _service definition). Upgrading is no problem.
- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)
- permissions: adding gstreamer ptp file caps (bsc#960173)
- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)
- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363
- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789
- added missing / to the squid specific directories (bsc#950557)
- adjusted radosgw to root:www mode 0750 (bsc#943471)
- radosgw can get capability cap_bind_net_service (bsc#943471)
- remove /usr/bin/get_printing_ticket; (bnc#906336)
- Added iouyap capabilities (bnc#904060)
- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093)
- permissions: incorporating squid changes from bnc#891268
- hint that chkstat --system --set needs to be run after editing bnc#895647