samba-devel-4.15.8+git.527.8d0c05d313e-150300.3.40.2 >  A c߮p9|x!`/a4f[}ۉ(&-ؚe:%m'bc0?ߴ3"@Mk7@ } \!d7ΦfJ%#wA"/) )H7UeP#ȿu i3D} )orM1hnbBuւDB*QL岸& r3q׻><~ϘA}MpS`9#ǃ/rL eˈ46>Q4!f,ңIۦ>EvlZdff9f346e1a5079cd4939a8fc0a44d63f2c19e7ae8f3496e7c69788103446b3920d74bc3003292a24a71c2b9a1defa79d866c72fЉc߮p9|"X>$Y*X:22to I>HM_ڛ7&pi:!yͲSv~K)/'Y0yvX)^{o9jd>Եh[\ݖf+Y}ʤ[xqȍI(-Up;.pDEŻxQBuҋKL_=rg!}cʵۂQs+L8r+mnPRQ[t^| ->pAb?bd) 7 e/ Ee|    ! $&(+J+-$0l01(28296:GBCFEGE0HGDIIXXI$YJp$ZM4[M\O]Q^X4 bYscZdZeZfZlZuZv\w]x_ya,zbbbbbCsamba-devel4.15.8+git.527.8d0c05d313e150300.3.40.2Development files shared by Samba subpackagesThis package contains the libraries and header files needed to develop programs which make use of Samba.cEibs-arm-6ySUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Development/Libraries/C and C++https://www.samba.org/linuxaarch64( p=A@!1N  aF ENTv |H)KU +d`@t2!CY~W +g > v&HI!>,'I:l hd Z=1y<u .Y3T4&{66)w+3'A,;BG^AA큤A큤A큤A큤A큤A큤A큤A큤cc܈cڼc܈cڽcڽcڽcڽcڽcڽcڽcڼcڼcڼcڽcڽc܈cڼcڼcڼcڼcڼcڼcڼcڽcڼcڼcڼcڼcڼcڼcڽcڼcڼcڼcڼcڽcڼcڼcڼcڼcڼcڼcڽcڽcڽc܈cڽcڼcڼcڼcڼcڼcڼcڽcڼcڽcڽc܈cڼcڼcڼcڼcڽcڽcڽcڼcڼcڼc܈cڼcڼcڼcڼcڼcڼcڼcڼcڼcڼcڼcڼcڼcڼcڼcڼcڼcڼccccccccܠccccܠcܠcܠcܠcܠccccܠcܠcܠcܠcܠcܠccܠcܠcܠcܠcڤcڤcڤcڤcڤcڤcڤcڥcڤcڤcڤcڤcڥcڤc57f48e6acfed5fa9841df0f458c77820b6e24ed8279bb23819c0698df22bbbf19a87ebf5c3ecf098bad8fdc2e0c08317efd3ecd4947169677feb755c5f86b325aa97c3dc8a6da5e8d196a73bfb4bae250089de7237665a3a6dcf5512c71503695cd7da44b981f9782081d3d97dc2d2f26726208f56b10bceaaae6e1a3b497bfefa19c5bf4838b4013a16d205238e5fa9819e04902a006a08044a0da795cbaf34f53c103d9d508de1883fac4df0fff12ac27300409f3a1c8edaf31c05c054340a1dc2974d9c574811447befbe13fc0f8b3d8906fa58ca173857f5b73359ec30f161766db604986021c872a81bc3e6dc403b8960c06edad4595f168293005943b8486186e935623059f05839ab0f3604f56687ceab73bf9ad6070e58a7161041e32e3a21a55901cc3c7a46d6560c167ecef63390fb04b124e508eccf8156fd650dbd572ab4954abffbeef5c35b30e8c5806501278b70a08d6041d8a5685a69cd65ef487680f99891e461bcaf8245acdfac7964fa40fa4a298184528c2fe2b51b3066156e28d7375c095735fe583c4
1fe10f68711a286dd7616111bd0ba9a6c39eca72b30f0da89b141671dac7d0b96636639545a74f12fbbcc745e7e2597d71b4c7bcfa6e9c2d3666eaf6fbe6b63194f9d4b8991619ced1de631f1d7c854271bc4d7d6caed90f3ed522fb13effd5b3f9ce1d10f57b87a233f8b1cb8bb000a06b812e45f1d76df8d2fe7405deea4c26e6e1ccf3951c59a55836952be0923e7928b343892fe61c87666774dd2e18e31d70da33b45c5986aa1c23a6a853a6cecc906960aa488b92850596697a2ce4811cd350af7aec0b5278c15b3700ff5759a3a9ac8a09b87e376224e944e12a2067e9fc485ece8ebfbc7d5cf0bf573e0500c5bf24c38a14ecb5e00e24e7947b8517b8f39a652b5a4a7cc6ed2dd04dbc35210090e571af576c5ac08f897ec08b3d0d2d5d40952aa94d082f5550483c051b99b33ee65aad7a50a60ccf805be82f6209c702e0e7f73a5ae774d0c68b57b28dd1821c1ab067bcc678b898c16d290afc34539c478fc1f6b47270a45b389de9fb9ec0042b98e789e2e76a17d01c1684441f27e27f5c54d7d8d1607fb9cede012344438922ffecaceea8800ef2175f1046485790f995229035a56992eb9f80f586460519b697827df8285c4ebf06595b743e148919677ae2a40442c80549d7aba0bc0b696ca55cc095723a52645cf7513c55934096218760deb28a607b5e85f82db7c1ab580e91df20133ceaa62399bfcfa07ae216642332bf119c5a28639f3e6841dd74e2dd515f2b48efd9117bd5054262dfd09a3617405695236094798559211d988a68effc888123ae63e8d2ba5b96004c14b3356dbf490b4e731cfc7a56467079075b6004265e32c0338f01e95f47cda607f72abd98a2031f32f45a1470dec6e13f4c8e17e93041953c7a33ac4dadb193dc843bf0dc47196230f74fc5a9c4ac1989654849afcccbc35c0a397ed9b8ec9579d7a3539a11d9a1f4db4d40dfdf2846bc81f966b17d69a728af436e405c6653b76b8b1b0cea1ff3094b88f184043efdeaaef078ca39f9c1b6ffd2a287d8380c0ea5cf53ceb43040bca0c4f8a37c75c1cfd40923c16ebfe2ac820e071af1cba5cae4b019dc46eb22b6fc37174d15ac7b72c723c10d44a520b2054944d0606d29c16714a4196910a433f607fed4e35d63918562c260077a6a23b99eb7ea40a5e790a7d97b17c8adc0fe8152598db810a35a439e0fd2184591f449c79b6bc5b5468443920523ea943440534df04294b940ce1c00c0a68cab9a5eee13b0a18e6e5b9d87693f25c1f804ac1878bf03800367d25438369395e7f2006fb647db68043d1590be759478e33b123ff9a54bbcf1dd70a038467eb6dd4dee91c9309efa27bed7b9d371cc936612a2998c16e815dca6ab2131a2f005b7837ddaceb2598db386c1d34c1a777baf0
d741ea2d153c399b4b0fa22367ee1921737df26ec3e9fea81c7f525ee4076db13008901c9ca9f404a6db835aabe1a026f6f3e5c05cd08a28a339b762c6189d4af93a1b6a87f9d9483d5833fd883506b51ecca8ad6df0baceb27177fb6499a7918703b897a45cdc7605a9ec9315a0f82f2518db30b753b0d4ca10b18a94c382f3ec70dcc443437b2dc9e3ce610ac30bfc17aba981efd38215a457355b1f19ee2e93d26cfc3f6127d4e633b3d89ae70e214c6869f39c6eba1bd4d835c031b67bc5c4f908e60816711e8d87e6d93f84fea1eb1df4a7c2bb8a671480afe65f9dc7f671e0e15cd8eea8e37927520f3ac8ae6b63fe8f7aea81f7680951eec3ab67f4383db52789c38b254cd5a9e4766b17aab8a99813258ebb4b147bf98c9f0b9ac8e9e07ad86cc4811fd17c0ca05ad6fa67befb082b2cd23859d7002fa75a5794f15fad8157402985d19cdd5acc91f4f9effd614add3c974f5eb28163fbd5aa8b24565cb1d292fe402fedc2b570c1acf956f394afcde8741c7d3eb9c1f0d24e77ba69ff7eee8ba90786ffa6c5f4ec183f16ec4fc964c65b35a84e0be1b1f830b8494c8e895196ab132fd82e055cc808ec43d0bf84e5bcc059302e71c0e23a257f197463a9ecad24f59aa597f875a287795dbd2ce8b56438e84f9976bb4b587c364e2b03cea9ac7bfe92f670c4d88fc1b382789f66d991a6e526f4093a1972e1391aadde980420a1dec670f3549f87169c890fba90086de0d8498f0fb36921439a3568cd3a29c34bc8fd9c25772cff89b4edcc989ff5af4189ef2e0ce0e37872c17ad0196c4101f1dab6f2233d4987af03f7dbbfcad01f857b4576ffbb67ed2f4c6cbd9f0a9cd2192a7cd36f8201ae7dc5c1bb59244752a7c96d0bcd9f3e3ad075aecf96bc9006c8087a428c2cbf46832f58f5a9a8a1269d77685a6ea46e21b05e9d22e79fff5ff59e2f6fd5ef76604c85c807b4e3fc0dd84beacab1ff25be2672650e35fc5a2a04de281d9dc535f9718a0c12832630ba0008a46bdb263c2610acfbf6da60c6d585687581e877d06ac2587e1c560a57a924744d428603f832aa43148df878f81961c305f367353717bda17d2ab1d3df620a04711fd5a61149d16c19f34a48740662395d01a17ad400b8e6af775cd8eeeec7fa786bd0c1c686c5562fc60c40b7f0fb213627e0208eaa36a7262e7680bfdf38ab43a302de7a5ee1b18fb5e5a69c693660e5ab407d1696c7b4ac8f6ed075a178fc967e2e68e1bac448bf37478948a1f40401d26eab750f4c70faa63142713b1ca959bdea59f5c83e1d20b52792246b46127464459c635949c3f779518d0e830d9f34a33bef4b8d49477a4a648a2d279c88584caef10d814fafc233b2ed62e1b088b7b99fc6b8017b38dd73cf8dc94a4e97837a
e5a7631da503521a5133a57f0445a4dfa2427eeb926d7ece4119a01cd20ba4acec5db90984ce61844ebfb044780a402cb880b08cb0e3b6d709b17117204b5ce3a21b987f0c33c9147e5197c8e52257325852c5c181908a3f4082b5520d1cf8599ee8c5ca7e8584f8e6deb53c1682692aec09dc7339df4507a69a44fc4e889663a695d0e42c4ca1819bd7e814f21ea857ca7a1cf61daa69affa14cb497273b24b2f9adc344da28391ae7e27ea058e1909f8fd85bf9eb7fedcd7dde1fddb48b6600c8b61eccc6409a5a5391dfba7e45844c4f2da58e90d275e42aac178717449816161fe77e2af95aff8ff703003f5691ae2280c0809d15386619c3aaf0620e8697c3c0d494cf0d6a2fbbde841699930bd1f5d8c43118be577f601d6cc6d9ea72bd4e42fa96b0bf03b1764946f28b3deeae86aea0bec44e3c3fd05afd367128b4e2513a6a73ba9cdc263d00d43eebac1c05313154d5bba4025f00fba9ada003bf6e08ec3717c956f9a10aa3bcfaadbe145f7723177bebe2a8119752430aecb7121eecb4e1998b5a24b456197855a143c84f2ecaf31540b1f5457c0a2fdbfd8f53f9b9b119b1918376d12eef6aa5248f7ac7d7deb71f336a52fac364750774f797c061e915eb24775ae28d1738bd86f5a5b902862b25dabfc4618da50b85e66272bf52218a6cd2e26338d04c25404fc53d6b230205d0351470ccd8809d4ec02d86007929edab0432c4386098ef7d1c09bdd8cbd6e9b0ff02a77cf2d3de460ded50b04f15ae58b86ce48bba579542df1b00f69e97fe1427fb1031f6930e7c3b058c09850bc72e8361579d8f0b97ce6c33df91db1edab5412d88550bfe89e5d34a73e8be26c6cd20a922ff73294bacfd6ab37123f9f6304ac62b5f3f2c020b7cf90ed8279bb84b70e146d0a47d12743138659271122b65de007d76a54634fb3fa657a0e6c8a3cd600d4be43800c4a74bb5e41f57bbf05d01629d0cd9856ca1c5cd05b52579c70d58b6328de9543dba02672487939e41e910f508c1dbb0923f0726dafc2b4fac411ed2b40275fe0fec3322730f62b84daf91fb23bbb081489863168493d1d893df191dd1a0597fa2bc7c08eeb7f3e7aebc136e2d47f375bc7a94c423e7e203b5b38d858ed85aedde52b4860c9dda2161c2d570a2e1be8e3f8b243989b1fbcblibdcerpc-binding.so.0.0.1libdcerpc-samr.so.0.0.1libdcerpc-server-core.so.0.0.1libdcerpc-server.so.0.0.1libdcerpc.so.0.0.1libndr-krb5pac.so.0.0.1libndr-nbt.so.0.0.1libndr-standard.so.0.0.1libndr.so.2.0.0libnetapi.so.1.0.0libnss_winbind.so.2libnss_wins.so.2libsamba-credentials.so.1.0.0libsamba-errors.so.1libsamba-hostconfig.so.0.0
.1libsamba-passdb.so.0.28.0libsamba-util.so.0.0.1libsamdb.so.0.0.1libsmbclient.so.0.7.0libsmbconf.so.0.0.1libsmbldap.so.2.1.0libtevent-util.so.0.0.1libwbclient.so.0.15rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsamba-4.15.8+git.527.8d0c05d313e-150300.3.40.2.src.rpmlibdcerpc-devellibdcerpc-samr-devellibndr-devellibndr-krb5pac-devellibndr-nbt-devellibndr-standard-devellibnetapi-devellibsamba-credentials-devellibsamba-errors-devellibsamba-hostconfig-devellibsamba-passdb-devellibsamba-util-devellibsamdb-devellibsmbclient-devellibsmbconf-devellibsmbldap-devellibtevent-util-devellibwbclient-devellibwbclient0-develpkgconfig(dcerpc)pkgconfig(dcerpc_samr)pkgconfig(dcerpc_server)pkgconfig(ndr)pkgconfig(ndr_krb5pac)pkgconfig(ndr_nbt)pkgconfig(ndr_standard)pkgconfig(netapi)pkgconfig(samba-credentials)pkgconfig(samba-hostconfig)pkgconfig(samba-util)pkgconfig(samdb)pkgconfig(smbclient)pkgconfig(wbclient)samba-core-develsamba-develsamba-devel(aarch-64)@@@@@@@    
/usr/bin/pkg-configpkgconfig(dcerpc)pkgconfig(krb5)pkgconfig(ndr)pkgconfig(ndr_standard)pkgconfig(samba-util)pkgconfig(talloc)pkgconfig(tevent)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)samba-ad-dc-libssamba-client-libssamba-libssamba-winbind-libs3.0.4-14.6.0-14.0-15.2-14.14.3cM@b@b@b@ba@bascabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.denopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comscabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.co
mnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@s
use.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- CVE-2022-1615: Do not ignore errors in random number generation; (bso#15103); (bsc#1202976); - CVE-2022-32743: Implement validated dnsHostName write rights; (bso#14833); (bsc#1202803);- Fix Use after free when iterating smbd_server_connection->connections after tree disconnect failure; (bso#15128); (bsc#1200102).- CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). - CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). - CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); - CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). 
- CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- Update to 4.15.8 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * Setting fruit:resource = stream in vfs_fruit causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * netgroups support removed; (bso#15087); (bsc#1199247); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); (bsc#1199734); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * Compile error in source3/utils/regedit_hexedit.c; (bso#15091); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * smbd doesn't handle UPNs for looking up names; (bso#15054); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979);- Fix smbclient commands del & deltree failing with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556).- Revert NIS support removal; (bsc#1199247);- Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362);- Add missing samba-client requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.7 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't 
reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal; (bso#14983); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Crash of winbind on RODC; (bso#14641); * uncached logon on RODC always fails once; (bso#14865); * KVNO off by 100000; (bso#14951); * LDAP simple binds should honour "old password allowed period"; (bso#15001); * wbinfo -a doesn't work reliable with upn names; (bso#15003); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * Regression: create krb5 conf = yes doesn't work with a single KDC; (bso#15016);- Add provides to samba-client-libs package to fix upgrades from previous versions; (bsc#1197995);- Add missing samba-libs requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.6 * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169); * Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key; (bso#14737); * NT error code is not set when overwriting a file during rename in libsmbclient; (bso#14938); * Fix ldap simple bind with TLS auditing; (bso#14996); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * 
pam_winbind will not allow gdm login if password about to expire; (bso#8691); * virusfilter_vfs_openat: Not scanned: Directory or special file; (bso#14971); * DFS fix for AIX broken; (bso#13631); * Solaris and AIX acl modules: wrong function arguments; (bso#14974); * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239); * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam; (bso#14900); * Fix a use-after-free in SMB1 server; (bso#14989); * smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968); * Changing the machine password against an RODC likely destroys the domain join; (bso#14984); * authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument; (bso#14993); * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995); * Samba autorid fails to map AD users if id rangesize fits in the id range only once; (bso#14967);- Fix mismatched version of libldb2; (bsc#1196788). - Drop obsolete SuSEfirewall2 service files.- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality; (bsc#1080338).- Fix ntlm authentications with "winbind use default domain = yes"; (bso#13126); (bsc#1173429); (bsc#1196308).- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).- libldb version mismatch in Samba dsdb component; (bsc#1118508);- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). 
* CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; (bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of the existence of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer dereference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. 
Samba-libs itself has no need for krb5 (but get it indirectly anyway).- Update to version 4.15.3; (jsc#SLE-23329); + CVE-2021-43566: Symlink race error can allow directory creation outside of the exported share; (bso#13979); (bsc#1139519); + CVE-2021-20316: Symlink race error can allow metadata read and modify outside of the exported share; (bso#14842); (bsc#1191227); - Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- The username map [script] advice from CVE-2020-25717 advisory note has undesired side effects for the local nt token. Fallback to a SID/UID based mapping if the name based lookup fails; (bsc#1192849); (bso#14901).- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899);- CVE-2020-25717: samba: A user on the domain can become root on domain members; (bsc#1192284); (bso#14556). - CVE-2020-25721: auth: Fill in the new HAS_SAM_NAME_AND_SID values; (bsc#1192505); (bso#14564). - CVE-2020-25718: An RODC can issue (forge) administrator tickets to other servers; (bsc#1192246);(bso#14558). - CVE-2020-25719: samba: AD DC Username based races when no PAC is given;(bsc#1192247);(bso#14561). - CVE-2020-25722: samba: AD DC UPN vs samAccountName not checked (top-level bug for AD DC validation issues);(bsc#1192283); (bso#14564). - CVE-2021-3738: samba: crash in dsdb stack;(bsc#1192215); (bso#14468). 
- CVE-2021-23192: samba: dcerpc requests don't check all fragments against the first auth_state;(bsc#1192214);(bso#14875).- CVE-2016-2124: don't fall back to non spnego authentication if we require kerberos; (bsc#1014440); (bso#12444).- Update to 4.13.13 * rodc_rwdc test flaps;(bso#14868). * Backport bronze bit fixes, tests, and selftest improvements; (bso#14881). * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal;(bso#14642). * Python ldb.msg_diff() memory handling failure;(bso#14836). * "in" operator on ldb.Message is case sensitive;(bso#14845). * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED;(bso#14871). * Allow special chars like "@" in samAccountName when generating the salt;(bso#14874). * Fix transit path validation;(bso#12998). * Prepare to operate with MIT krb5 >= 1.20;(bso#14870). * rpcclient NetFileEnum and net rpc file both cause lock order violation: brlock.tdb, share_entries.tdb;(bso#14645). * Python ldb.msg_diff() memory handling failure;(bso#14836). * Release LDB 2.3.1 for Samba 4.14.9;(bso#14848). - Update to 4.13.12 * Address a significant performance regression in database access in the AD DC since Samba 4.12;(bso#14806). * Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache; (bso#14807). * An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817). * Address flapping samba_tool_drs_showrepl test;(bso#14818). * Address flapping dsdb_schema_attributes test;(bso#14819). * An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817). * Fix CTDB flag/status update race conditions(bso#14784). - Update to 4.13.11 * smbd: panic on force-close share during offload write; (bso#14769). * Fix returned attributes on fake quota file handle and avoid hitting the VFS;(bso#14731). 
* smbd: "deadtime" parameter doesn't work anymore;(bso#14783). * net conf list crashes when run as normal user;(bso#14787). * Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7;(bso#14607). * Start the SMB encryption as soon as possible;(bso#14793). * Winbind should not start if the socket path for the privileged pipe is too long;(bso#14792).- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and 
dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. 
Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. 
Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid 
nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); 
(bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159) + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). 
+ CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicious SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existent paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). 
+ s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). 
+ upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samba 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). 
+ Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substitution; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). 
+ CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). 
- Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by 
default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD database format - BIND9_FLATFILE deprecated - default process model changed to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). 
+ Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). 
+ ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL dereference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). 
+ winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). 
+ s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). 
* ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. 
+ sambaundoguididx: Use the right escaped or unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hiccup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implementation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. 
Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + 
s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). 
+ s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syncpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initialization; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares' paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup 
AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; 
(bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was 
previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; 
(bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bso#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: 'winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). 
+ krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove unused functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessible; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). 
+ s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; 
(bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); 
+ CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. 
dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when 
processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). 
- Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + 
vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. 
+ The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code paths don't enforce SMB signing when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawei storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after-free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). 
+ CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). 
+ smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). 
+ Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). 
+ lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). 
+ vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). 
+ Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). 
+ s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP connections vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. 
+ Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). 
+ Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialized bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). 
+ Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). 
+ param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). 
+ Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). 
+ Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify response; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). 
+ s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). 
+ Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). 
+ idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. 
+ s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). 
+ waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdb, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timeout milliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). 
+ brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). 
+ printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). 
+ dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision with already defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). 
+ vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handle multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - loosen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. 
+ dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). 
+ winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snapshots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). 
+ Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). 
+ registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2.libdcerpc-devellibdcerpc-samr-devellibndr-devellibndr-krb5pac-devellibndr-nbt-devellibndr-standard-devellibnetapi-devellibsamba-credentials-devellibsamba-errors-devellibsamba-hostconfig-devellibsamba-passdb-devellibsamba-util-devellibsamdb-devellibsmbclient-devellibsmbconf-devellibsmbldap-devellibtevent-util-devellibwbclient-devellibwbclient0-develsamba-core-develibs-arm-6 1662115141  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e0.0.10.0.10.0.12.0.00.0.10.0.10.0.11.0.01.0.00.0.10.0.10.0.10.7.00.154.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e-150300.3.40.24.15.8+git.527.8d0c05d313e-150300.3.40.24.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e 
sambasamba-4.0charset.hcoredoserr.herror.hhresult.hntstatus.hntstatus_gen.hwerror.hwerror_gen.hcredentials.hdcerpc.hdcerpc_server.hdcesrv_core.hdomain_credentials.hgen_ndratsvc.hauth.hdcerpc.hdrsblobs.hdrsuapi.hkrb5pac.hlsa.hmisc.hnbt.hndr_atsvc.hndr_dcerpc.hndr_drsblobs.hndr_drsuapi.hndr_krb5pac.hndr_misc.hndr_nbt.hndr_samr.hndr_samr_c.hndr_svcctl.hndr_svcctl_c.hnetlogon.hsamr.hsecurity.hserver_id.hsvcctl.hldb_wrap.hlibsmbclient.hlookup_sid.hmachine_sid.hndrndr.hndr_dcerpc.hndr_drsblobs.hndr_drsuapi.hndr_krb5pac.hndr_nbt.hndr_svcctl.hnetapi.hparam.hpassdb.hrpc_common.hsambasession.hversion.hshare.hsmb2_lease_struct.hsmb_ldap.hsmbconf.hsmbldap.htdr.htsocket.htsocket_internal.hutilattr.hblocking.hdata_blob.hdebug.hdiscard.hfault.hgenrand.hidtree.hidtree_random.hsignal.hsubstitute.htevent_ntstatus.htevent_unix.htevent_werror.htfork.htime.hutil_ldb.hwbclient.hnsswitchwinbind_client.hwinbind_nss_config.hwinbind_nss_linux.hwinbinddwinbindd.hwinbindd_proto.hlibdcerpc-binding.solibdcerpc-samr.solibdcerpc-server-core.solibdcerpc-server.solibdcerpc.solibndr-krb5pac.solibndr-nbt.solibndr-standard.solibndr.solibnetapi.solibnss_winbind.solibnss_wins.solibsamba-credentials.solibsamba-errors.solibsamba-hostconfig.solibsamba-passdb.solibsamba-util.solibsamdb.solibsmbclient.solibsmbconf.solibsmbldap.solibtevent-util.solibwbclient.sodcerpc.pcdcerpc_samr.pcdcerpc_server.pcndr.pcndr_krb5pac.pcndr_nbt.pcndr_standard.pcnetapi.pcsamba-credentials.pcsamba-hostconfig.pcsamba-util.pcsamdb.pcsmbclient.pcwbclient.pclibsmbclient.7.gz/usr/include//usr/include/samba-4.0//usr/include/samba-4.0/core//usr/include/samba-4.0/gen_ndr//usr/include/samba-4.0/ndr//usr/include/samba-4.0/samba//usr/include/samba-4.0/util//usr/include/samba//usr/include/samba/nsswitch//usr/include/samba/winbindd//usr/lib64//usr/lib64/pkgconfig//usr/share/man/man7/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables 
-fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:25692/SUSE_SLE-15-SP3_Update/31bcd539228044ed3b978b6d5b198532-samba.SUSE_SLE-15-SP3_Updatecpioxz5aarch64-suse-linuxdirectoryC source, ASCII textC source, ASCII text, with very long linesASCII textpkgconfig filetroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, max compression, from Unix)  "&(*PRRRPRRRRPRRPRRRPRRRPRRPRRPRPRRRPRPRRRPRPRP RB?9?oN8X,Lutf-84c46cd13d80871646a5186ccd358463d933efc29f0efcc7517f030981b9e137b?7zXZ !t/] crt:bLL !C`p ;Ѥ~I?%Zu]$vMnj>q%% :IY#9܌n^=!K$0%!eLN[U~ ,o ZfMYIt16BWv],X)IS˕TФ*<)O_g>1Nps6- o mo)m7; 3Zi*S)W5 " BrqA8,ΗY7SVSgʅG層~1j}d]1wk_>M`z8(S^d|RX"դӸu: .c>p+6=NNEfrJLa_.PH-Ć,@ٟy󨏥s2$A=;ٍv<;MsFpē|, Q2@Td==R쭵6PƐ´B2 bV`[2C?R#w1z#EgمF%s5IS63d2/NQ/<LvFR4sMqOoV5VlAK!8e9Xǯä (,n@26ީQqp&[ x[0Y_qmfɿY"4FYsǡ\ԫj4g`@셉>\&`75n\ }zedp9oE]w!/&9os,#h Zӫofr,QZC^>Uu)l6vβqWˉ* ͘Zd}#6|8EH+G:Z3\r5g¾[FB&_ѳ8*BvD0m0y,)z/Ƞu ;՚)4*4N4YH`"!N˶Edx^#40AI4Vf>F2;'c'/1KNo[f'$e >0jq)!;.ߐ?Yt0{ ry?ljs Qgu'!n:o [ 2K{)_7j־N/$TwX88W39'Ȝj@b_]owRA@0  V\#0hSzjBucP Dp uZW+8^E*!y ՆsJqi7jO뭃2DJTF(R53^_ d8p2O+Ąr/9>IB΋79[gry3܋ޗl]zźQ\R\e>>J 6$} O)SkC)_iIH7b+,Hh}ᓅꚓ )?ǚ{ ֶT>apEtq+LllCKCLy`aR!u*tk\ߨ–нN^sz.*m!# N)Zc9DP#qůMOiВ M`n`AFd`{hCasmj.4l|f_!<_XH[LqW.(- I;ܹ; 3Y΄?FAMIЉ`xL|(3[Z+o8uƗ?96 7 ޚlm&q1?eipU[>+IG\Ӵh̒ȊDp?K`$tѺ"^kPS$Řñeh^=,43(=#_`Zd?㢕 JϳZxE0B}F\dB>ά!a;gNq2{0HwbdO}?lPm̦PD ͇5ؽ' 05Y}Ew dBP4oXyu ! ^{I;{K&CWNJPȩxS^Uhq@.gݒ͜&xDzG 0# QΪfez NYde9N G9^Ҁ3N0%#QkqǛݟbxj/6qaJtL Hy,}peDAaWIhq1?R-h'Evg1%pk !`YLrxl'52u d7@)ckjӸa$̜YM/ִ_`҇Tst2v 9#0yQ)@N{=)Z;z:BQܫ y|>.]*vQ%v@*+)B,Y6AJ#GAe")B.S ɷc {ٲ`K QԽ9 #GO ZMi-}QqvK1*KlģΥ17iǯ)Ֆ=X;v̑qsFHE 6Dki {xo7gFC_/ mޖ[{ś4x# OgBWeގ8d;&f/3ZM$  a861k7mU-e `Il46G=V'MS,]Ϣb lGoIf}Fm4L*k\@ ry#"`psCh}o P9 `t9! 
'>\@.?LaƯEH>5mDU)N`8MټcD(Y)3}t^) F $?f {ŕUi” ٬)fU=BP+'54u̓(<*t8)$vLXΠ2mDU?Ed{5/ġC 1\}t =*Qrő0yh``-Gh"Gd/VK/SB> 4Qp ^' ]t۝k?!}!=l j7(-aRStU t\`㛬iY|,MH_KXfdvP< dH>/@x >+E7NIӦe PqO})BdO0=؁u} n,9׶^Usv4GE{VHzD> ^ހoWKgle%2lO~L} Rpy = xz+tn ,$tK=O:LΓr7݊E+;{"a)i$h,:Fyvޚ=e{^<9(pP#I ޜ#Sx V65Ƌq=>KA qDݤ Sg+DΖIhzRݣ[@CI e7fII)!R* ]HضWXBojII0&Q]֦\QPǵ4>Vu@$*-kN5{Ƶ-{J#[ 64# ȝł(qA!tH=G}`Y Ntj,ԥ5@lE،Y4( x/6g,c>Y'?h@4*Q̟/@!XC Wŕa"fN%]!ݵ7UEn`ռ2WNي/KR=WE}7 ;q}J/-)V̐(7~._)(hZw/Dgrz;5[;K^ };qH)%+}rWLc`O\UiVK=x:/Bs;%MрNYtg>4̺\s>s/\{,p.4dx?Ws򂘱O6 s }RwhyiPY S ΆJоhTc*W;Jf%#Fu [Ȓ>|TlT#[[UʇWC?-'59Vo ֎IK l4Fp39t#i1HHg[ZI޹Jϭ*[EwԵQȼ'~tHHW1MO7^iygjFeLE^~Ma7GεAp  {YJxUB,`݊al K~_ɹ>/,3.S 8g(E2\ip-(NeHR+'VIaεz^̍Ƹ !|T]y; PCjd"L["-gD q2:Hcbhk}>S]8xq5yc妹*Aq-"\q Rm Ʈ4!4JuY%F~nǻE=p0 kaQvWW{anXo 7i8kï.,6VPmRh繺Ͻ^u exzTBD#y! ؓ&i>/^@:-jVh><9[5FX~b"\VɾMubG.LMH4C0 u,:|os\faj)k$va{I ̡:fL*cuq h>OS.j$X/(t4viY,c '/B"$\o˯L"؃]|epupxbd,_Cd:SK2j(hURr~4j5T|7<8멏T9h%(i>nqo+>胺2(}Z-<= u|v"QUF'WpGb%\jV@Q#ZR)2EmR)}HG^UI=JOcWkcaO%לz;y(2$a=cG)ki9D'G\}kQH&r*0~[4«)边 Hʟis6*-Ded1>ouDJa:mQJ=lG!̨8M 1d= rYw ђos* jnq%U %/ib3PncaZUDb[ w-5GxqӱN;S5hH(d3C|.߷ncY>.Tad,\1&aV}Mr|  1,=G6˖g6~.&oҁܿaqOoi>.ߪl`. > `5s.L)-6|P By^Cr}2+IJu-T]ےgw4Ef8x0iY2c M%bvEZ09oG2Ac=n +c,:M`Y tTVUNqu8(_^IGzJbNlMA>mg9F杩P@NkDTՠ{ mݞ sx\.1v@)d pnG?WWwDz5-^9`;n>"UˍE@GŇfF o|BjahI 鷯}0鰞l6ҡY?p+}j 'kcG 0j˘_6:>ꥐ3>9s/Ćm9u uLYyp|hO?5-B=]D'UvݴHv/% 0CFƛ"INei/ŬY#"q ^EC7~;.CBw,v3M~..m6S*I .LJy&Cv q֣F1͞97N~umm҃We(Wv&O^@(]E&2TxW+ @Z3هkE(N<k9uRbv*D/N׏(|Ɖr7F5Q|wX'dpdLk0vsZngd97eZ,24fk*vκM +Mͽ~R':@)/quc4̅7ca]!L+=yn\18Va/LT5 k3V!ۉ/'NN<-`Je i;cQbTd).>?[KL ~ӡ]L'/^р(TEI4f n)C*]=*:9-xan~&5"3}|Ö $n; pϘG5YSk P2.iZLNUhN>Oi˃2כR1ĔVb*pCi !jό@; T#ωqjoZ87|o6 #<%2>VمÁ.`@!Km~aɼr/ߔYX>C[=տO)?xvf} d:5OԖ CqT\/};#;||avPQݚz΍OKZ#[4Y|/YY>8A-7?t-A ?w4e5lۥc2@DQka]K:>. Exqk} hrvQ{4T /s)7 ŗ ;2;˅|둖;@E`z=^'#P"Bmcѹ(X[_QTjB,6hVYwZ! Hy&+8*+njmfz Ybs6 ky@7 ATќkNhLYz ['ŔYbZqE;6D\^JiBِ")qWL"*)8lVDѧ!MhJP~ϟ* 7vf`ye!sΗ{’lHD?KlehZ4΃: *!fq5).5ÙNHF+DU f79hjQFt'?Yi@̼_D/I6葴Ba,? 
֥.Nq+$Iz̟ꖤrյ ]eRB~/3l֛.oka$ Jd'B0jECC)jzA&V@wx퍤.y]J1k"ha_tXFS>[= eܱxiIJ&- 5kD;N8(=4 z&9Fd ׷~GG"ဲ#L*е; FdU7}OV3 Z@E\Y{>*87a6[GH]يJޤj!b cnIHi# =Ȝ"x8^CTˏV5Pۜܢ5N qhм;٘Znwٟ͒Gf%11?2<[.9F98+ˎ j}I'XQ듮Ȱ5[փ) k!W)RՍ42:Gm7K?)Ɍ`ct=_~B m& oRTxP>CRO:'W]89 n[\xI 5IS`%%Aȹ͊`Jw"+u$8S#}^o{@OG$EA ә;p;o}!_/ǐw@eݢVWۢ#ǽ6IҴt,٫FTmY(2%XdMUX i Ї95ѧ`uqF&^;\AsֽBV{Aܒ]bO3n_L1~;r\U3ǪCH]pnf͵ZOJ2u|dnEaIAӽ9e}r#&C"W70gxC٨yy)X4iċy)T>Dqf_6!A!ę* 4R .'8OaB=R0+0B;x\HuǿXK,H^#bȾΨ5e4TXdaJV1\!DtEljw؀pFϠTFE1dć73F$Q% YO9KOңfe oɨ((*q]QJPBv< K)l $Aj+/nNr"K/i_ӺK2<~h F^Q0 òWY xs9}s&r_I^ci;>mGs 0GjN D}j։r'B8U2ָ؉5e_Rod<},$!IoeZ1g`yP.haOb 7 (~5QjB1s.95Bm{~ڴd#%N5G=>ې⋭KrQu: 9GIE:<}%L)5<2a4otG]7M( 9KO!| IK-ӊP0I%Li74PBSZM=d!8)aN_OY@s¿5y 3V(lzyqnQj_\g!ī2sr:[DMJ-Xْ5ִoREq=A5<Z%Iӊt)+0j;k|/^1vsE5W. ׀ /{n%9"vCa1Ppc. t>nĽLD[73K F`kոvIN/cv:<X=,# +JM}6!pe8 ;3"Oڢ-40ncO0{NfVݾ=۩KWsw_ Z;h3ML.-rל Lf"0KC.;6qmD X|ϪwLp~ ̬ @Y=vo\1phG5yQY7,rvj}ttIf%Lv(aFT;EپRLdF}yP%k|I9/GάÍLozWOmm*~,oW/ttGk h:ōPazjM0R!j'^_dw_}˩vޭ \|a#ixzůNIjH4x}&ţY&eA~{>m6Ͻ .PaZ{$@G>"YHsϚ|Cx4HWR-3ÌlxWsΊE}'d B'3L (Ak4xe\ɛ%?2~ אi/i}/~ӓNzJE*zޛ59bRuAӧ+z<vB&seT3@BN(|%"PXC{~qDܚNj|"Q H5{uVF#c,>;Ѹl߫)&3xz)~=ش,wۓ蔎ȩ9聛5Sf4ڕU>ךM$yD=ˌaZJњp0_~n4M0+~ZWJ @MK[YKL琰}OUΨ5_8ff_{ؑ!<S?Fj9(e&vת?? 
& 0*~`O]JE:pi XWrP6w(9% $=U^ڑ%=2L h\mv*9m}Xc ZNN*C@ F]fcn\!`WԚM0` _=Ã({qh.wtp~|#b^ln^  +-tpv7Y6UN{ hmq8fS҅Q=%a _,df ;RVkYL^r (/ 5E LD.ԗscfZ@ufp`'`i.p}Qu}FSg\>S̒hIʼnh摁F6w׊B,ǝП֔;Z-*,&bR{p ܥ :[P;ncs Ly/I δ"Zk6O{tLK,| K+KUŦ1Aw͕oT5# cDns]W䜍|m`FCXķ8l7lp*;g'Nd.#^z#[,)ֲq@\Vàwé:0'/<kˁI!xkB(𣗻jC*)oGܣ+< {0:-Pڟ=,hjr4g' TJ0<*Uۋix1,5~ZZ>szA!rVuow 4;z_svK}j(C1dݘ}Gd>^W=\P ҙO쟵ojD0Ikc,g߯Nș쩠RŝDdZЉyYA_)6h!];sn!)s8"LQ56G*0]}C2}s5*@S.GmFg~pdѡIρ l׾=LyhYHSo+8n9U~*jVuY^fh5YNܶ]aLIf P^^"o_r ;k?rQƂAc^,m[ '=/˛KH|Ih|4ߥv<|/ 㐸q굃L61YP2R}N|aEp U\e0㶱ƺhd'1ZElS5 GEl;I R}&YX,q%OoIqOaQ{) 8*9Oɖ2l,x 7*9ePY)ZsT}bxޙ4._DrKE&!9󄞎'`u,.yఒ0:'vM#m<p.zV7{mU椖4GF qwgb jP=nsFN?KȡTd>$4 tcfk.[N+ ͵4dOȶSIHךZ)^' z/5utH!Dnfn ),S]O}n<_}.ݡo7п֧ST\9["&c(A-Fʹs1 @yih3nOA,c3ߝMit{) Q_7|_joRJĊq:B[X$m4~?|:3K(T*PڛjaIpX cZc֩Fx" y'YH}5邴_}V9E֔&\~ߟ촴a^0_(ɡ{v>B<4p xlٕ?.BREThU@gҲ- UIlw,ه8:B#e7Unc&ȽPGJg|v}mnCfZ>֒*"U{6ƢO.ZjjF+J}'Eip;vp>H:gԔ?`wh"3t!=;9dKd#H#y|a]pKNv!8dvА6<gZe ,b,ŏb5\\hu${y6#W4Yb+Anu0ԕX6M);8 kgC+'K"'s2<(/s-|"ABM=0Zs 2\vp.];"-}7 P@dEy͙JR& {Jsʑ;Om flH_,҉5r)k򂭇n}4ZnY:^gS8A=e/rL~4?엡 /^hPb֥)-Cx6f?`x<&sӟ;"rCF¨N[)|Rz_VA%)Dw?ĵ-.ݚQjk.&P <*k ]y&\^erDظNjUw:Gu?+-"iip"#n}櫑Q"qʴLc7}&W36ۢsD/nc}ŝ:u##,\H\,u-&tjʛ gT9Xg0LG]J!v8b}(\385(H]!N XvF9xHٺN1Տء)P5бK#Hc+A4gSo#5 uR Hs J OB )@xG4=lktgΌLȫ童s ,~E4~뤾x~|ʖH3bV;J QR+&u H Zeo_ Rup}iKBڗg9ү65 Hn/tz]#EH_I>UTU!ewKc,&2 vr@TYLЌwᅅz׎uJ(cS<S|'ul(!!>+M, +2J:^'0z3Mw>԰eZ:4`RQdž{/p C 7NEw)J}o!Af]Hrm AJoK逥9Yu:eZRCg"_/>݀2*nF(ۡ4͊ךR3!!+Y}@h2 !8*CˤX΋#I.74#nؤdΗծmn-8P-bUDBrK~N#:$.mw.-X<^MrDЍbY}>c㞘(T G0_:O^}ߊѯ"njM4Z˲{^No(r%q¥ÚqCSPA>1(@A79:#^d'J{"}bD%&1M?M9J-`60 6BYOٛ'$rU=z(R>+R魦ㆦ]ؤt؊E&*eT |䱦i_~UK{;%jlLRZ21oÐаRYFmqo\9$V́zT樇⊘R#-Ǯ'KTW!E0~ =mW&i6aЦt^ P;?2R BIBT~ϻYI8ӀetG܃XC@(%P{tGCyNr@YbHj2 6jBJ1$1[gkeDΘ.PF #WPrf;gSj0D1K.J]MBaTwnDeӫ(c%5(crTq vS afjq1lQ:!'ww%! 
&6/R Xjy S?/$ܨ XK80 oGm^h@oE@?=p2"R㽡8LH4-KCH4?i}2;KN6TepX)Nv|Uv0*?IiVpϬnoQ\ѸbCr~nܢe:DNYH#H?hvw9+.XKo{#RbAG>8Pz6 JsbIMױU9 _*r+@nENjql'IT_Ѩ8 ,yyY;"DiH7R;EM: X=maE0!Ź=KD)7Bn]+p fB{P(rZɣF}FC58J8@ n\o}Ac]ULm WgED$U47C;>kM3!(`zk ѓ7,WHkL[\MHObӬ]º},m<'jp{Չr%<1l{ѭK)7|NOV9W~_b$u- \5~ %/Au{C LM aSـ* ']#9!+*>q*7ɬ kx1Gy{pfHβCO pWMoC7]_XQ񈔉K'}de"HS%YY#xy- KHXǖhfu'jxjpa/CMd䠐iynokCXWe-@PzЋF[W'?~qk4fy?[m!xK"8DϠ?M-ϒL]W4L9iU>.U[B~*28ِQ:jpKYqV'/w5!mk>Ow βb']з15s/fhz86 bӇX0vm|Y-#G= 8%3yVڟ{[EC>N|h>=VI]oy^ T> yxw@m+x,t|>ڰkКB|u'dZ OuB6> QT! }Mw'4eSwdo:>M]fGQB#r嬌B d$7j2: MY UHSpJ=E9>({rޭ nYY"I3MqnO{8ɕWN8W>:E}@*Q%[xE7E!Ǻf[P۟H,H{ר]؜П273MRg`wӍ*De6B#e8LW.PQyzH5 6x%F"tb@O.ؘVFJKe ~aڌ+҇tfJ\] B(b)`4GK2F |6 jMIjC2(qykIi-*ԒS(KKXd--{O`h/THm ջ иeT |me*BVVʇ.ˊpkocN ȸs rHBȣ'P:=DQ=\N~R1i$gՁA!p/j¥]}<kJD\G)ĽCm&X_3#]:x@ k"^$Ga2rswE7uJJ7;@s3ߕ"G$yezP`(T NS:HFaK. 9z? ǼJ;ńbM%7@pYLP-WPRsagٵ`C1gB7+lMm [M :RJ$y'%Y  sWrP53x?_!fX"f6ml#W"#U9v3m<+kix"9̅tzM,+eBsQhL/f.Tyq rʝ+-ս_e۞.PT|=13&x9i;klY_@Z ~t;^',/ϪC-u.妈+BjOHv* Y${@=nB5DL|$pi\=俊g>q;t=_X{)J1 ޮgU).O&HG)]}̅3dm b0I[9xx}}@(Z>6 d:dE:z[ uZ!aR[ 'ʮǿ9fx^ >%c&R1@3H7['P_ZLADo~>Bf08}ۼoB-dNءrړԾ3ztJN -K .tVQyxAn1LǡZѲ뗳-4Ɲ0Y0XJl F%/x+G]%ۑBGKa)U6)#HXrh̢ WoI'3b 䡵´`},]nRPxM~_ Muc*A.iwt2)_<7ڃnGDr;E 8n䠹! 
wۊn*GN%/3/D1ll^KYTU/E = dMJoZ>5*g|X( <nAK^X7OZ$K[sį^Iec:_ )+06ʨɢ7 FuD==Ƨzcc6kf {9n=aN1E-pnwr)Scz6R_40=JTB),h <]{5#]Sf| ۊiP5/vuP^5 D]-cj7Q\#rT0K>sH3U۷Ё- K'SN 8$fE[uQ:OwqrR1oZ&Fk<F&#%jLF,^ -7:{[9 bJv:7gN= e_sMn>vIcFFJl6A4ȪA 7`A"nA˩Tf ni9t:N6\:7Nܣfd j*~mrTMdq mj֩~ok-L|\S0x#6^,tF̈́QR \O94 E>߶d:&bDɸ|o K(0@IP]6D4@t\, PK~_D` gw<]AZ5jҩH2MZ\Gl q9ءĖ.6(+ Ci[]x|k'nu pZ:-zW->f0^4IDFH ЅCS/,|͆2<ۜKnk@{|%1bPN@&`eNO,&MKvֆA (iA8Lʪe);n2ze}juDϳN՜=mh{vF-D+Yw2m}r~v݇W+*Jo8@*zSLu I)8_ݽۈd^\DVݪp}n2 ʸ%&U agd{Swźp[FCG*Bc3GJ ܝM0f 4Fb<ȯ,~=`Zo}DyE8 OLbL+nx 9Jtx.$2BM^EH':A{V|gpՊ@I^y:)ҔmS+x+۪wOw!+v/@[5ЮiZAKKe5 -a:[ȷ/γVp?.9f[4c~C4:S&f#!eٟ?Efĕ1.Nk)K02u]-Y*M1c֠5 ("3E r D(m1S77 3b u^Cqr|7wߋF.kJӼ6ъ7|~6(e梆@ҩ܎?QV}pK{lBYvn<Tz1<}o5:6 85, Hkӥgj WX!l3e sF[q`˫x^(tuWA7':B$ꂹ+hK N\zfܿNY: l&uk#a-lA"nlr8(Z3S7;qɉyAXxꋧQ92`fOWcYas":^3^*:t<VjRl_tpȨrh,ۉh}{zsu33@ agŧxm\>b2\ )i  q9xd$T, 5Q8gjf:UEkx3!h3rPY9XX[vܖC11ȶ{zNN▏;~S)^;I\SX`N-1BG'TRӣ{AL+]|OmNB2n# e0|k[kGq-VL`}cЇ_93BJ2SpJ:HU!ڧxr6.oޖ3D\<'#'9mR"L z4WTRbG'4B8h|YS 8}}'^, w `q}i NKD:o_ Љ`/>;Κm=R}mu(?lX8rtM fgbp5ăiL4I]*OBP,S&o `uEo!.VX+PsQ i4QƐ}ӋVXxEf"U2izEJY+}x hEAX 3~ȢLiXt̰N+Co*(,peze4KI/)KiH7Cxa8I0KLےVj ~ʣeպ.\PoˏkW0gR2Ļ] ! Fcz:@U0}!HRd[?A_L) c/昜\p&zEbҎ.[4& Aҡ' hi6>ʥ#UMQ$Z$'zI߮YJmM؛*W;<9>?hz28h!]/ϡ1[p r` Lð-SFc$/TySQ+kZw8$+.-YS5oMfWٯ~/ lm^oҤjUTLCa7jd~ H^[Mar:5ǝf ȴf+A`HGNG+^{RYUwF0#ͤ% 'h kZ{&T#u9::bmZDCALcYbr44َ8 ~w/7Q>O)}R/yi KvIH:~'Le.cQG@Ϋ~N,qyqxR*H&ncCr4Fŵ^+]{7OlK+ڶ%+%j_3p0 eU%٧a&,lg7G&W/7s- PO|mےZ# ?yReZ_WB=B8۷}bw<[W zAeq͑ۥK0CZ*c0.rnT$Tu R_ԑ]l-Ҩ'[$6~Jp~q l_mŌ|hD}b߆ɼHh1f/rrN갘KXYg|$rj 6?p)4A )!2odlCf$7ETe< !AZGw(W 3loTSgn?. 
;~%O"۱!dCфF 5<&z>a2#B܊; 0^0 lvxlh&>1n5su `孼=uS,wgeq_54ZO2#TK~90:|Ri/[ݽf*[R`S{n*B >\UQ4}'b.36LmfY+׸uFѥ_ @?} !c \< {WBrpc +5?\W:1|2yAwлK+@|QrD`!_j ֬x &R/U#|MM^XN3t[0%y JrAׇ$NFc|$Ӗ#+^ӦYVbh=c0)6K.^E%&8q;XZ0 :[O}RnԄ+Oݲd.9z8o5L.ŏK~%1gko>TхKur2ܙJsvF[@M!DjbQ1MS;->.pIcVMh(y?9jͩs"4򸊨B"zi 4f) ̒tU)\(yaU Mk>axV4,[+gőt !Ӌ$]_9RTۤփؘpJkPӼT }uv]6lgO\F$$@`D Ymל+N;c1`!p MSRDWifKJȵA.3JQ-d0VtvJ{휑u6nB5ȺVc`aL(`Qψpk/ 6 ә4@qHM vGij赡I og毅ݪNer9C~o: X'L~R̀ǹ7k5pu#Ac9}@%(sziTUODk# 4޾ri#/yѩi11'0d$Ϡ6۔r$VXWAZ=)f#hUU 4ЇiL_]hİNQo)Ⰽ֙ ȯS1ߙ+ Wǫ,gayKПٲF |76z5 6M?OWT`<˻Ҟ{qPIˉcjg:ղzWl7DcXt_ w 8dR˂zir,X¢%Jr8M<ȢJ7G y/Xz,|gzӯSB,/ćWt/MAe=1‘㐑M{ p.,7dugvhI^M/v,lt-$dZ4g^aJA)SحH'B$yr/=؝ׇn*B_a%V __n"w]NadvTG>Bq1wㄭo>a2W u1İl2P/G+J?h0xvC9?ȝ:Or=q "X`5 仆?HK|pzwI`gcڴz(qϽՉF'\DG 0YBam!?=ڬ'ȑXz#_@^@>9huHV%+yy1/NgJ?-lT|z zfK_N/۲PIR8+4.I+bK7,9 =Up/nWp8ӲSsAJ%xףwYYb82C?8װ3͟6׫W;)m_/!{Ue6'fU{:fN 8)顯PS2`K%jjC_=Y:,AFz+n$B,G="MB}*O3~haoS^Ȯs_<tʑ߂<AT^YwX0лEY<汐 x:b {;u.AHݘlxt?ΐ~{vϡGtȟ s' P eҼx=_͂5{e<3虁75(,O eWsʴFm̓8cUlFܦ EtN`j&Y Ȑ_/06B<*ZO Gi,굊Y2dp;eA,}s"Ft!|y3 >5 M B" y3(};r~zM[Ul]W;MܸUYN^slB]DɬDPv>&%R̲=7 fl: *>ת#d_qJHnQiDA p|4TFܶ|Q8bH s󊣱 a|$Mԓ>Y[WFVT.*=TG&k[48[Nx{5B+7u ɖnı]JH;}^=Ck{7KѤs~'/`.lR\$[^4C3.]6Բ>Xne>"c7v4y;/8V[%nGf500iYW>,$}s?XY5  ;Jӿ. ɒVаz˫TJ2 ?`lc:yp.%8['P*t_к:_[pr_'G4*1yC⑆O EGU`L=Vj3}o)߇ MObz{H( ny4gi:RMˊh~CZm moFC+𾁳>^n8v?Ů },5eg[x;\Ju "p?X G091QaI " rh#T^f>r/\anle<t!~sm%2/aCΛ됝E2qb!MYWk$ӆޫ< jF9*HQU$'M#}`qz4 "d󻇭١2{A Zݿ ɂ`QHt}SiUR돽!yzӃKP#)AfE~6vzwKBul#Ef Ό?o&ȧ W䤍e$Jk9g`IAurU$ń>[)\b Fh~X\+f䱾V %SU!^Oĩ%0\(C.(PW%}6+"B؎yb#:UT ^=7hRq7Z/I 6Iƙ?TxZgL ,«I2:K.qqybw 6-ߢVrbp8VZ%LvUjs{924eɑq \ؖ>z=WsJn?/`bM/deLRTReMNxf heƝ[5#[ȐC!;RP@Tz}Y>v a K[*6Ň B;l#j}t)dWqʪ3*Ⱥm8ޑ6e12c/ +P_0jQX>B$JS<\S֐-\Yp ({򸌱E*i)Ak'ClrAKAZ_>,?FAXy9.=!sk*>`^w P?O;]>NR'NW4 IJkRZ4 п9&&nd[搁B"`%8U-\֌PC}v^}8*m(џ!vܱ[Ma!#]3]Q԰ ?_,|O>I.Tb4NEway*={$H #o*̓%ZopiZ4  {iG o A1?4NQPz8_\:"#+gߙC97>`2q?+d`%({( mZ2<΍D:ݶ?`JXy9K9 *=u.ll+1`QBDQԛm6,MpbL&wO .גfBA2b+''Y龜K}mDd MW'$27V8☝2h7kfEIg/XSk|euNss+Ib-mYb\ :$:"2\߀m„ ]"%b V b.h8U'WGbDBsR! 
n_$/{`@BWdhy hc)+ۊQ`Zul@ _'!/ 2L:Kk8 g߿l%1o;` R۰pDp%%,yLTx9_@^Ӡ;K(pȞA4|2&<NnJ&,+Xab/9U X*,ԏ(IsY-z@9Pv'om2!C<ŚHva?(i.F.px_+rʡk6RĀc25ߌ"f?$?=pK"ncat9!)mưqJgb{7r#>ãƽ_SӢ#2O}V$x?G=&udxpIb6 B~ӿð{(a~zr 8"KKNAWXr$Ѻ瀷E] '`G¢|[ktT};T cF`rQ :Q4:!l|U$N*#|W,Gfj)ap6fƢe`p@+2g[?&aP;%jv= TT ik07io>4Hqb:4:RrDŽ@j{Lp1)T)<,s9c +q0qhAJ5ӷ8)F-KwI9HOR罻Fx eP&̇N^bW6Ɋ{h-a|ʹx#uhrtWY/v A q9%6ʧKX~bgu 5z+Nի3BƫZU!g5oK;NT"% R8wM0{,ɤ5Qp:=ll~Q`PPNQ[466KUfF#̅VKe2.tܪj-b{ xY9>=h0fr% Cw1e73@mlkifS[6?59wEIDY}3kϦ]LY\V-B @]XХqvCjz{zsY!>~,`uu@x4B8vp!ki| {dљ^@WR¾ݨBN5yPRP јB0Q9;OcNS6y"< ut~ZcxK=NJ$JaH4VAw9 =/#r ]~/c2Nntɻ|8EuSI70pwRfpu۬`{ sؤׅr^t>YH7yqLtn6Lt&Zƫ@m*O\tױȜ#sGS6Wr@^Gl.#e]&yTv5d'iI>*dAA>;L+Qy(7毷;zS/ÕzmfE)E x<又un.enl?b0Vhy+8z* jY uU÷"=>\yvYʼ_F(Ͻl:a;3"钖7kG{?e}{2{ vPU *J1ruTRBL6&h+Da߆tsDZ\ՠs47V+X5w~Ue~?napڍEd&uxHݓI55PBEyzǵ]OoRL9nr+n3QĴ־0GFdn֦EWj.J38xC'tD_q 98ލlº&E\@7@N?Y+ ( JON_s*[<7zP!JhY`NqY֦͵>_!2f}miRj-$OϟR8u:sYX*ηiLo)IÕZ! BQXjP Yã.t+(U$EAwQֺRx7<~N6YҘ=r9!RRn;]SsDnYjCus!jkxԎ3MgfTMS#,b0m82&m4d%ctV:g1|>(;ne](CvځEmk쓡ȣؤxr~l ^3=(#"2D=1@6Mxz$A.FJϣ*u.p߅Ͳlk}ƾa7XbJe |ʃϻFt ݓVe!ij8aӠ34g,rZř"3h ' Uz,u K`k$\6_g8Ì6"af6w5@ss_3I[aT,tVryfq=RaVz ->r;|0cn+*(YL5Kg\F+KDV3=:--c#I4p %y\@[kR1.H(w/mAYWjGމO܁hd* 3͟NFߊd5D:t "ί$b B.s?7NYU?~. 
^\h22詇YlisIG=.X!|01]gvq9(05o*(!%9w%x[%t;lh_̮94ѼR+8Q2d9UJS`E텤zoKEܖ0'ؒ D!QXXXWcXHʾM3yAln4jx9L!3"櫯UF^9wv"$mbjM=V6T&J_ꖄ'?^"p4i6h CL(1;K(SP}j }bl,Bkh.4 j|2s'CLPXy0@e!5k#$7*RHMEcJt(?^Pdle BʁS" Dfbb('SJ3nF|k0YZ(-l ɯcR9͐xcv1#qX#.+C~j{r$0ىQV#]BSOeHqkzxr1܁sW 슜_<I!!}9sbNhMsl+ ԦS粳vf 1w.= ѡY쵈1jҌ2/%4Bи|k$90`Fdǻ$_p |B*'j1d=h$S eorgvdݾܮdcћu΋•hJ$bK&g_FgXjNbWn3;?+zA153%H@H^[> {nʽ2jo8]yvKΔIYbgٮ.QؓЭ^7 AŒjz&Ф'9yPN M'42i[JJ--Aq"c u *[ވ׆ن+~tfrjcP5BRٮJZ\ؐ)ܛuF âSHKWgx ۫XXP 9EOP9T:8IW"r>ϾC+wT+g>ga`a`IE_C"/:n4}ȵ)qVѲI4$0lB5j3ĚV3b~S,4x{ud=/~!e@jxC1ر>b+±hYɳ G p k d83@1|j:{/5ilo~uc]$)XHs s=-:]nn}WEs} G bB 6ahd2ؼe]96ÍZߑ63՞Ťe:xv?GoiPz1>^L:e.yp䏫sUG59nmRUbcXw/9`{L.zg[ (Cov+Qο9k&W$sqK҇H!ZDD .^T*ovMgypʦ`t520]ضE~J߇szFZGZ >y{yAuf(8 KXh\y@yghSt.7{>n]˅r.Og\9#~KIpBV51ypycVӞ8ar~k{]w¶+-MDt3|իW8XU1=jk|ن5pcu){'@J UoiH3կ*?hwO[Ju?7<[YU8ԁƳ}Ij)~nB-n)nӐe)!ɺ`rv/mO4>C2<͜3{RzEKdvK?FV%۠3M {I|0:/eҫlk2cCq'(M,yw_dٝ}1?ީ5O-aW麡y : 9( a74M7MYh{kO~ZXe.!LPG\/ Mch؅dnywXze5c@Sh{>{[16 : fG`5bu1Y;\Eŀ\wt ȗ,\W9cBY@f%1-_rvxoMzEĈQ۟'}OStКl` to%L: b\EX%,٘l]W9ѫH-|a]SOXa|7:Fɮt<+~ a9:L$P6bQ`DWЛ6$^꧚*&Ē0jzS/O8HjsfYO\FaԖ3&᜙nUpճ"TM]V{eYe ym}0\L{ 0uV4 *ll/e0ŐZ1efߠY ^*Q_= O6)a]5U#bX_\«9V)H[ ^:ْۀi J!qa|It(I[ A^SQ*eftq2~f@dv%X:klX=Ms_HˆD59u?\Rl/Z6gP|"|9Q,ȗYBþ * n{sd d= 4ͫvjĉ:*4\1)͂bDfVg2^rNNu|1fp)G6Iys|=}w! 
o*:XP *t[Ɵ"JmkD阦VA^h=O/W|٢p؉g$Wbpv:bJ<I?bL@N]],+d@<!uDDV~?%r[BJ8ʜܱ- {Zvgly@A/kbCVAcR $ynze ;_:fd,DEkE&2;rS47˃% ՚Xm"ɵu  0R q$65ZQ3/c0ZsnUө0t41&iYI%=Ƣuk6)x-,DQC8nJ4HGi!MѵNW@戥^7hUd"쌲V:-Gm7dk=f}Ќw; W߆[ ƁKtĭ( ھ#T^(}@M5 !H^: hSx'DN g%Tu\rߛIlW˜[ ('=^VÓ;o{^7sl=N_J 'dM?HIkS`}y.nCiU doUyuV[cމTbe#~-bDH023YD~p v3L'\j Sr9CTh3+5{]`="îxl/m77LtI lUb{q xbfU׺0[PH;FM^9%Y$+%7:p7 K˭ 7^KO}ILeu .| AMusQ67?0嵶p 6W8td9Ǭc7 X:zza,`eVxh&6yDV털[ xny& L M3D޹˷CcJ(<P~vۘ<d:ga $hpm*SD 2<1V(73WQZ$$EmO T[NI ϿC{PLlh7,ma<+zZCՈp5d`|ւ Emǎq[%&[$sUZ `Y`nXhD~qt!OQ*4G@r=\HܿX0ݗ;fk>ݦ b|fUQ?ʀ\'a i8^FPaɝs";z3Ý]?Ñ1CLA- !Zsn>,_eAE)6+)R>st(2z WP3tm?apz;0H`t &|ޮ-ځIimfxl[W/VFU@8_q ' $LƢ Q(DOH4+k_7]Bm2A2KيOLIcƳ UZ(+ucfimAP9-ʽ Gbww ,G98'as¥/Wͷ/_̨՞nS3Y๖5]ilHTx(;NPdp#Vs vQ1xhEa$9;'ipIu5b%:~/G7؀f֍-lە5NINN7 C~ EWo *'`+)+k[#z/ /'mLEKMcS`8g_={yv*R0͐H Y‘#{GJ;>T/c8p!~ՊpDacÇAi>snUV*ހauZXUոٌ֥KE\EneQ^rRAeHBF|fxTՁi[6Or|+b9Z.̳E:4رpG~PYy[C}2yQCS0K}I46g"Ev+ޘRIowbFw ZR|} 4+B#>\|[G׌Nbmp$8㖢"QW\ K6 ^b!yI~+jx'h.؊;ִ>YLsTv,iIv+4RME2 Fߓ%d9 =듢` ,Ue ݤPc4߭GC 1-mwi$CzbOxg>k9R_ϙA3ɽ ٩rVN\KNNO,_0Za#|n cMZ8c!w"lanyv`6eyY)n8˴ξQ4ʣ# \Y$\*^f:LR>uu@z8^)_f?xCfŸ"n3]fT3]sgF_\Cg@9Y^`zC2hjb04zSdDgEVc" $U%$׺]JN~V@?tD$yѢcntSdW& ʱA˗`Ptk:N8й]L ? RD#i?܆TO;4gRUSW!Dk&Aj Y]GdS ?B3͔n..:9?"jfX|a$R% ɫsi'}p-~{L:B |s,mL$(fܺJ?.~.K_ڣu֡ï'ÝazB9 %3s|M635:IS8  C\g !2#ĬoF9:K@ǢLuoSڂN9\8d3Y lG2'g?Ͽu}|q>*_],z%3oɰQ d3h4 PhAd{U}f2/l_Mi:QF|b3LwF:=E 9\?Rg&Zqx qmWV PJ O)sy_־ִj֤8eY:rbuzU8Xԫ^nz"9.oIj!ew=(])'L$MRY> ΍}ua WB0OM}LO[_ӑKz1mm&[ c ;C!3] w7DwTY*Kڅu gYiZ}s~;W@wSHmT:2fY8S GV;ϲ/)C?COxbLɓx u? 
IKD H.+]licëqDV [r2ҰmAf8 WXfKu:uǾ.~\ȗZW\y ?.|i"< u1m?Q~Ew'UZ9N-CjOR !ޭ q %|j#EOrK'@6*9IGf#*E&H HJ@3%~d@ϿpD j ou3$>~MSihOQӃwF<< 0qu~H׉ñ*vstQ|0BOCȷL[o)Lulz,m<74f֯$h&&m"@qDDڷkvMUȐ\:gr}IDwT.7d:i)pJiաmлf~ye/BƉ@ıdFTAތpYxN.>jhd膚Z"gxCx`㻖"h7`ܹ.|yk@Pym!y~n0wC-|%rwEr3fd2POlgsq)ՠ2wFr^=z%F ٨s]J 9紃riSƴ{'[Sq ,c֬l)hX;Qg|8%2kqA+fv:^M3rgOdjzԹ%H"{(0ꥼO^D|h$QG|7OٛV&$GO."kZvf">=:kZend61TۖB͉ j4 iD۴/aFE/"Wãk ̦Q)%VjUfAp&dכIϠځ C KNb4r5óO(_<"Y$P4?֫pR$p 5s:f}2wʂ^gduN&M&@Oz5\9"&nu jvKVCoyPcq&/ʋd=a|3@p wYB5U)uaw$fFp#}r h./]뭺~6)ҡ>HIW'ؔh(c6q;~ p@[5#3[E<9O7bO,4Jѯ,u9RGմp]HmF1A+BQLK@Dx6>`{-z bTՇQ|Oi 6/S>"!:,2xf(BEYo>mY?w*`$/<1::8!_c;Zk vΥE?CKF'"Z.mH`u>Y /#@ť,~ish(ZT4!@^Y`) ozmZfz CоtJC/]<Do;!I?;E<%|=R9 ]>:)0`QqtÿGFjVJ4T?3]8c|Ng@+iEqw ݈94zP2rQ {_vF(Coi,"j,|jI!ITAj&5vErYEpmH4@=A/?Q̰k: ~3{7Gg9]>1#ӬbėiJHDij@)p!iW`[߲cs!^,{/RM 0Dj0Rkj{ 3vl0оQEۑ.WH{ LȾEHl|_EƀyfX(u`Z2"OZ,~]mCxQ颗i-]+fe|vr֬b!vSOe&D+ЖZ盭l\ s'վyuK1D8f}_vpb2"Cpc<+M^d?rVyȚw:y]eAUNd.[% GKM2°XTrT)ǴsD~8yVcZ0LeY|65UE zuU=^tnogKmW mç%o'8ilsO,l.|D4R0za7sYdj;#3êѦ[+̍}ct{HuضxӲ0 ɄZ3c'|h)ƖG ui&yqF C ϤU{#*ʲo;fb|w8͵6&ĀʴxPn$b}ى60k#Ătm2 ^83RM`FλiA "5^!ѶW.4G]gA8g凪}@[Zd}x7D35&1wϧ^/Wx'3ٽ~)jǙLB_~EKpN4HBc jimV }ﲰ[ԯ_Q=ŜN0&G(vK#sQd #Nb 0b:³'X ,Xk2Bp?J̸,YX9%, mw}U#9Ķp:"تl 34ZK3R(\h$yH%T@EXmݥ=ɉF|Ѯ3 mqj< :3jqpBūc$INY+V@*ș!e$poY 5\Jũ[7K K$ρ/Vs )6uj Z)Jnh{TmR [NQ.VTx%1EeHxv&ݤ< dU0A sOSɩ{>@&J4ϾxuJ kw3(Vo@K5KU^aIvj[pL!%p0j,׼8%zKB:rUq ĭ" Fa(%KSșBcOj6Qڣ/+qrxT2nՐL Qآ0^/(gpg.$q K0bzA3K%PS&ݭO%`k(RdqQ"kjT|3 4Y1F6h^W:sHCP2x;RdCaYe !m/RO_U w-w<z%q8c K|-f٢ 0|q4p@tE}~ieXېC"G9#$ 5%]W4{(Sjʋ?R Lq$ZVvފFe9PRt?~y>_4flfɌ3E:-IJt ~[bO/}`HxĹ}{#7-61z!y3SUO$IBNv o|>WL\AJy]CƭzP̒M\*z^mߪN/HIpbdgVf.k{%)B<)wvwI&N`q[O}mt;!,?r}T~ ` dh>~> [t#nôhBa %cK)8>;wuP x }D2} g>:na4U!Wu.>Ub[Y--=Z(lYp'1Q>~ P$7P9Sj6U`ΙNf\Q#;@ Ls(4#4TB.M~Z/#)U]+[-ZzYS엚}Iy3<nGΧp_%ًԢhiꀉzf&e]_b]JgcW|A߹^~5&|0ԹvZ7zU\k˖Hr+xj@S]!@u;qMԩqT>H CR  1чDm%E=rL/Y=YC=կ;AUO~1(u=o6~`I:eP^UhID%)sS~%DVc 2xT-] kt/ %ALDM%?2Z,N W\K]b 4Wg|m w*Ĭ+뜔&FNc\W )m:@x գcTĢ0`|^J^)!' 
Ix3ې a }W8qn{<NϣCU[NW\CI&25#yN͸Y!C6j}>26pM@r+,ޗŠ΃yes4"_ߍ-[ 44AĊ[]+aXLs{`0B oBꊏgV0YX;@YyԥKj%.p~ϹA|,w:j- TnT6Wh] F^#'A8΅4A[ZMrLSHB!ɽ nVDr$"e~h}.j f-Ge~N E t>AK {&(!KSsҀ&|dь6Ve3d+N]p%CᨃPutZLއqobHL[5`^71dS,5"L{ԗ53ɿFtN4Qe(tRJ$f|VRgk_'3u32QllJ0S7偫Tdc5Tpp6uҸfCVj+9"6"Yt'jݢO3[N #9pǖS ŀ i;7f䌞qz9As"zg"U4؉D( i-Fkx54m\FJ6 kN*Ϯ\|aۛjbSVle]-%&06#;%^rC4zZܠFE)`u nld1}DzZ>oࢁIJGNMa=ț0Ch F>P., 41MXWFo-QyF Iv23-WOy^Ea٩6!tKqZZitjkG3=~̔zQȕGB *CvF0&sZ |wכ~u}.G6@!-'Z@ e*jl JΧ7޶IS 7-u Eh'v)Lm&X:;"JE.&ɋJ ` juc`&O#٧[qh]4MdxxC-t ʑ8:4;51av7 Cep(cDQV?,#$Y\cbD?c=R0 5]>Jt-d XHX?MUQ>p98_S70&fᶾ &}3ExoxD7񒊥DwG:YK3U~ԬƬ  ƞXa`g62m&#^&:UPHoQ{QoABل~Z,MAS:Szl]!u|)32Ӓ)<2<?ITs] 7p(%|-tr G^FmY~tR b6Ōp,F3s{V珗);pff/7x]v/N EKh̞q_BPрƲs^6Hodﻍa5iچ"fI%(eu рf\ҘBۍid/nP;F-o %$7j hD#k䎾"%TR17qÇ#3Ժ- lzgFad s9^&3ی&]C!r341ҚIxC8dmdkѺjh?}=)Gn\jfĔ`d}f>*4;î Eí[aMˇc`g`zZW,n)J| 4}ꕣ'',J ՝̘ Σ=MV/)c{gWޗ̩N$fXd~h־Y]Lu&r5^ i F\>oys]т6 l%QƲ| EXnWK'YL7GTS=OR)x.ݷ^;&n"1M7=1}荭RC-C$n!5,)1ٯHu> [QKVl('G\zW-E72*9} CFrf+y5'4e ̺_M0jjA&;pIPq'[m{rc~>?"]U<<2b (PH<{j%¿e\nETh ?(H8wF`Ǣں'j|.:R&J_Tu:B'A̹=n~*YW\͝aw;tf43*sPNzc$(Sr#]zOvչX{` ][3JۖOP YF9m.Gqzͻd%NJ̚HMo:I5 :IhI lak *зyc[NN[ʝ Ρ7޽ۃvh@5NV2Ftj\OA=izž$kpQI'7FT1P֚2Q/Z .\[Cgj͡sgY X`?mvM%W)x>6hI[x Vm,Ȋ,=qah5 A4흐dʨ} djâws ;As)¸ϱŔMֲ1 <7aljذ0NG!ho+csճg6GO0UQE^q./3'?&I`(ޛ+ݙrء$䩦%*ܥ?Nq BzB]a@4T}PIݙuŵV5o-TKaLt@ (qK1{1JqD¡hOҙE1a$& Bhg`^1b6L+?` 頣 ~`|}'<\):cI//vmZp;'HDbxK@xr ~ Wm0Cիom<оj3be2ۇa.$g8qaʒ\T[U&0Gf5y)%:&z7Pm"ݣ7'T B9#=MF՞TwS@9$cUbvQ(h`M:gq%崚8nFB$5,1PlOmȚ 8 {q؛5q$34s 2Q! 
wBUSz4!"<&|[۠S]~@DYr?Ŷ4( =}M5Rzf#x"AK<.=]Wf}hme̲e:Quk=Wz*y%M_ P"X]_Oy~&'/B`s9BzL&,3!Ej9V$\ךU7[4:}\GLցL#Y𦤿QX#Zx,ģq !]|)i'",GWq7 $t-bo@< kd3ۈ =Ci&c9FG.: }`q ?nye1s un@Q!6Lоm Zȇ{C"b{89cu?.P2CmW%WCKyJ kx-uט<lr}4MIc2Bn;WuRWZ@Y:ӠKM`jvCK,D~&xbJT8J2ۇ/ {8/RB> Ұ=Bfĵ+nbfR2#uY3bbхю ̋BK-qJw Im=g4C /%/4X$$&CZP?tWeeVd}%_ύ?yN>hQV{)@өyD($A/:=~euސXJEHqRj$!m9+78D }$.ΡE(gViibIp;w`rnpi%*WקEd_NxlҥLŞ&H(9X:oe&;LT`c7j@M>zGoRsczxSM{ ejJ_!hv{_$db"g6hѤxßKHps?7r&$$RɌk8}gZTxEb\9hPwF`B.F|颡94tqH& !z&֯W{ö$\|Y.6K9C=3+Qu*d;‚1DpR6W|Ve R/Tr0ƈk;DnE)eYh*08iuu?HxD(9-.mpVjkz6}JmX_Ebr81v䔟gIFQM"N?ZsjsN0v/Ra}БOE3o+NFfɬ:FW*B$ n^/  u~ /=l “QQm8ݭ|h 18ox9C)G:18?A_Hrrw{>w`a58BѯeEǃ*3w6>yM$h .>ʗZI!uNp8%)BZĈqqAaΩF wD%PCvqkxW i3;e@GV.ܛUÀ/_ )ɉBEcLH_֩RᮼAxSVMZ~U:'b$2l8}eQ .[<9.HǨ_J%.SroV9&85\$#tc] $אo}+h_45y _ {wSHuTS06%J? :k#rPL"L3qXʳLS=HvyYgEmLZ|GaohТKodzV B1I8D ĒtC1&:;A>L=ʋ66!T04!K>d\P:Q . cUvv*T.>uo;r `Ila$DMM۷#MokrdoT$UttE:e\V*,ɲ?@F0Oq}1m5}lw, h{Xz.Pq$93٤(kЄ(gjM;d"}ؚ/@;~߹۰`,twː IHJ#TgUZf2 @4՟n 󶗇ɡxT$0yZw5¿Oc3$E'>n]bD.*X ?i%u6θ[%y;1YޙUd/"[tHĽְ$v5~(jh;L3vakqXoqܒu:# Ynj2T۴ڌ%lgbU YlBٞ?5V&ꆛ mCjs"Za %Ҟ1g.pIWobyd>c kLIn"}04|NMؠvTPۨ4# (7[v&iZ*O|92v xB -ޮ{ mrV`^NuQP}iǚw^ N>ڣ\$X!5r>!l:8j4=J|#?Ւ?b7n'̷k}O,qw9Qɾ񄷏ѥ:mcqT) !Uj0yemLxHvb'}P zTwV}qGҨ[ G+Qz&DWثiq;CH7ͽs"~bGDKz_̅U0#I vG.DQ3}q._a2=r*&3 T^$`zFmGn GV>YyXcm>Z`D%*?0 e)L8+)AaI&8{pQU.4Sdq$cn@s#Cy >USR# 1~=a)m?H׵?ADRFaf8s؞"n*#-(oj"Ci7<-1zsʁl&6 0*v$[m6؉Gb}BL#HQ,X!p[}RrBKb@ߍv1fiA%n!ظ:Yhl' b- LzoB2Ҹ A(d <TjP~*c-[e¦ޞ^_L$Yrf.& 5KMU5J'ѥμJpy_j7e1eī1mӣ:^f66SʾL鐍w.Y]uW57v(/RM.&QҁF}ya)TT#X`zv%:w@_b|R&؅{qk؎޴ XQt;SH!z'4|$r9ѷ[5T|1r|](]9Ug<ݞ6{?FP0 H|w+Rz|WnY-"7d`&]:ZԊrۑc#]n  r`,0<ڗyR]~ԨJ0+YUC#;Qd(U~`^ />$׬ iF?6 fh6ƽ/"',lai'e_,*U7x[T.d~:oSYN;]73ײ*ݜ+f3 7ka? 
hX-@O?r¶i(U\KX$Xz; 1{pcYSǖʘvi.I!%".jCyyzު~beEV* LisFlHa\BQV|rNIH58Hs:z$DÖ̗+"3~,J,d%4MTHrB@-*L.f4yj>{kb8Q5a&Ӽ871 8Xz>4R,jvxFԙ'Vv`YùLQYk'(09*C.Lӡ:]-аp@s ` 4O8$W".DF{CqH6` Z#qdx7 g9vV5j~,u(uŬD({n ́qs_.GXz'lM]:ʽ^<[3 !F|?{.]SqJP^%a*_37~Phh\Jg`'D;>geݢAg.p4OR>JeǨٱI (_ەA\u+7͊غ# ŎdG&kqfh3)LoIm9K[MLt:& kyGRgnQ'l*: K!1hdBlU%1 C8 E1j|y*@bQ^ =9M-r8W H)1~͂:QXrrwF $eR趜V*?_\|zifh*R=#0ưf0RīYϟC>C@DŽ )MB(6 jC #68{5N>c#/.0%4Y04O)k_e4=WZV-Js沘Jl%%!>lX uGުGR Y!H%OfK));‘=>t[nm Jm$yQ0 hz=6Px9zbU7S+*ƿ_]tɎ[j)*F8Uˇ:v':.),܇wߐ4~@4 Mh5:vGA3BY}{ơW/㬎5d=#Rc?X2#skhNv0f!ns=CՌ jMe >f૯;e]]λYt-PW7j ƞ͘gB s|}gTzMA !1LcU֩E}+yT[K9$OFqm`Jŕ" a]si~G7@C߀oN0􍮻$wэ0(_X:S#4>^f@Zq lΑ9M,yPy%fsmύW곖uP;1RKAnxרǒJ^ jSK >j, yVʼ r^ If\<ǟS<6u*iNC ]PE~`y\W/w oX{ߡlp5TM{O{Hd`[F|- ^g): ]6lJWۧ At Lct6#JS7,"hA/n҃"Uܐ:p>]2ѫ.UfF+hʬF|Rq.5*EKNN߹H=<@db+B Dщ`A,7)C{ޠɤ-q< K?SY.7:a(*\c j0zni&%,MEƍ6Qz.},,Qq$U2죡n)cbxkrG| OAkk7,aT7XR| ͜]o>1']nmPSkBsĔwyx=YVyux`eh!"I}B" Z"H:IsmȒ-,]f!@}61Ǧ%PƔ:d(6yىi_Oh`YМs,WU<,L -\HyLk#{J>&J$(Bszsq{ Bm+KPt/ HHT[Q=5pl%zpNHjy#h`pP>h#%06p. +DS.Ii.uQkT|~FܒyfEDX,lˮ*S!X^U?Wp0t@&MkM09sbe"'6n@{ȓ=9b67U`v6'tbB᧷VCϝ}|J'I=zA{9Xw#@zӻٿcF"اoYflEnv* tz^,-oMqElL)2=/bታ7dJCv"AKZ[| j:F4|$'yurײOXWƟq ဤҝ? R{h'_l@NRy]oJLfÜE*cB1dLʶЪ9r)Y*$]K `-#$@(ōMZ5J-1OOj1Frخ}PrPwv ʀNn\&4k)*o~6!?:'1P{oNUr+/詔VoޫŋaڔMCj'Ռ]14hdrïaN̶&cK`u#c-o[{iK1;&X! ) ; zfRN~q?c{i)[ x|gƃb4h)U60h 8Fn&0F:͗9ijxEb\Oâ΀bqn\2ZmQ*QumׅT ̎JFm|Z)㕼_vT(gQׅ]9/6\I[*q%JHO}`G)e4;@3^Ú1QmTrX'ƸS.PO1(?/<|^ӊ2" C G=$"`oeCY3FFEa/wFi@  LGI,w 0b"F!Qzqڮ\i&񽑧PK#NS^,Bx J74`ǫzQ!݉aYX}ԹK3w\Yg߼k̒Ifwsɷwk׷rkSp&‰ȌG鰙?6,[@Pw˨2>|nj~J[0$N|Ձ`S1 SSٜ>_@~ENO_K^1(",f0wiۏw b&!oSBGF  <^ $ kMʟ%pOZ0c?DE3 P B#UiRwb۲9e|2 쫹1_Wı.`]Fۧ~rqe__^&ԩ9UrH#6ɾYYIhC5U}(^4/qjMFjf5Fk,GXV,綏2Rc'g`?eMOa"WjSk&@HX !gIJҾղ7V!~zf4H6q|*L/@')@Vt B+#L}U`@*dEɽCԘн;*Rm`!1 ݗH(٭(8#ƫ3Ǹf-+WALo#GLz˓p? 
P@k< 1ZOgQ<[.jq7i>܋tr 2h؇|G@E'°[V#t73ΩQ΂$3+|&+eHܟPu# 2bXL }۵FTjzmRFd*α`з K9k\W)+Z1M4T z/{L^^Œ& K« ^GS)#$']+kdă6PWHeAO1,|}iګ^h"e Dv/ T=0 Vh,E3MjL/z6j6^g_5C6an}owWHY;(aVFǵi<³龎;|k wsfr!~[P/]336p)źB2Q z9PNW1 X&7RVb*.vCHh M, =m9/'P5}*!$mSʱ̴*G(H~ԄZ5r~8VF#3KD?fyExM7̀xAiKmE*K>6/}-Ktz'6u{~qd}fp;J;>Ma.H+lhIq9{RMv<8Ϗ b4vE+U^;8ؠ?yM=0_<-~5-Hohb0#1V-oĆ- ;U tK RN%b37FԼn蕗BrV ]9F8Au0{UlkB+V?4Sˆ}AMZfV7 <IA' Xb$6ն)tj{|xo(mB vu6]B\"X?FWS L!2<|EK m/I =gNP)[<`>|Ωc(? |X-\iMgJn3T2U!}"LB}Zhsŷdiw=j e%Gp&&~z)XYhT __fu0 Nwx [Vɉs@4cY>xVxmF1 ([e]=ڿ5븩z' )ur[xjK81ٳ tpkP}3\5&eɒ޹d1ju2IȎ" ֝i̓ĥ7uab;w1^Ox=j;Ephޯ@*s ]^7u UxRC9`nV \ƑGQ(1~źd: e4ψb*>r5 G瘰pK o^ەׂD $<}*Y ?v/Lsff\X$pACr0˧iDQ}K'xJ։`5 [:ۑ) bxxɸ_4gKp! 0P6g)?5NFe|?SkR{" SNf9a!MݢCP <5|wD#d=Ւ9B ²lZQZu[~\Vyٺ Yʣgp]]kW5{fh1'rYVNZIs?U2yu$,35b`EEQ;r}SN`P rMimx g٬yG?#1 % _-*U)rI߭^/E`#0!ǹic\H8:2`0DY}H(Pp9Q{8]*t \:8mycUz:.ԡkmZb@(zfQr(Po,Ij㒓lԍ- f5&f*ˀ3orQp3+R*2_n6/('Ff|Β\iPxf_!f0FUo(s_[7qI3?n*IYKCf1;2k#m}&CAZC@&}kV4/&`YY}阵V$:{Ef98}Bxߒ8Ru(?ٱP )-a#챎eKx0׳ݭeOlx$S$a&U'r度-PlμZګn2m}u &}mI*oA;bɰ‡W#ΒmavzhRC./KF"s5kW^)[ +ewNSV qz_x+? Iyd,c1P%> dw.)N2uQCLaO^.#o a 1J΀NC !L|18R_n'̨᥉MyB+R?]_d.<1B H͵,#aDr*/y!6џ5utN0-~YT`y7 [WYNV!U͏$q#pV `Zl`4u3M,7:V#bc-,Uo VsO][s$} ܾ{[ۤO&ƐSǰ/f ShH-uu쁇N,ޫ<6Zg ]a4)ۃ&CW72 fgR"^37,[J~kFy%l,0u?Z+Xs3FLj+%;/Ҍxo -' g4lwl` rYh̽-|kptdd4b[Ɩ 4sMuAۛ?jF[n#m7MKAlLZ* ѭj;N:vx~>N3 2u2qgӐHKWaWMϏ;Ɂ_u_>5q{]͂O߷Ukٟw[X ɂǔG^oh,FRoa3KcCz'Dᕗ wf`tz+B*K~ju!sdi1x0X fpj쎎Fc)\ז.3+ƿ2zw1mq|S>^g2Rm0ڗa#%XbWRx #'Nh5:ftjl ;ėZ$o*9)+!Fj(Yl}IAԂ+!=β6V˚6ٵlK,X)g, f)s0PEYVVSpUd0Ϭ,X,=(mVtiRAࠏ/Qi=y?̽m!C@ <]><ߪ)>$Ee[6 Byۛo!MYMt)=4MS5=ZolɊD e]CjRL5נ3<6&Rͤ/WOSѺ&od~9Xqd:S3(2I$Ol3A]LNO}-|Fӑa@K0]PkwoXK#e\8 2xzoֻr-yZ= :WM$'(w{Ұ2_s 6 =&h3S$Ml;(5عՒs2PϾI"Lf𠾘Hޓ͠Gr!c$@])T js pZ2{օ/DA!9)٠ط3G"Tmvѭ["$$שO_uNB_=7kˌ(v٬o/gnqhR mBE{Đ-Q>2X"nhfcaM Еrc]=3bNTh $!XJ~*86ء?nRźR$fW5j8]Ji^z\.1_$^T5t%8ZlPsb.ve,ٛIh4kZe{I+1G65ZV>ۀ5;pWɰK 7+ŧ&lelMɰ.LdLbӑL^nS*!˜҉ YG:_8 y7gCaA2E 0=fuV*$lȑ~Pa7j^pj^"J[ tYR’SN]g%I)l.qb? 
qckhI"@*@SYi=Xڝa__IKcI6Dr(R?$ʼNҟ \Ƥ͒IcCWԗ 3Ԅ򣲲/R”$H+郟s]8;7~"|ohbq>^ }m-9=|AꮂpȆ e0g.t+-ZĨmoِ 5P-22V#Pe!Zu ]E8%J_aFK?vYj˕:0I[:hۏ\[JlP};ߐS= k::g f#A:`_Gf:B"3^ʠتN/ Z%בjLAK{ jI2EMFIԝRH{5j` sC mg@6?|kd tn"?B 12F&@C8Pݏ(U0ZUz,.ZɜkO"x?S".yA1Xw -V͞;>7̆e8Œ+xyHPUكecTS*3"3XRMJ^*ҽ:1RyޏXY=a=BT[zc)ҖP[ $: 1 :PPѫ?Z+4n}j <.o!Ff\Moʮ`h‹,ZFv]yz&vQ^L QH/k~({޺#l;HA[/Nh~1=-lS)m^T}c| DFu o?K>ZK[y\@qMd`(,kDh9IST}9}ld5S-&Ib8_OA\ĬtMIaÏ۽܈^(Z #}U7i.lz{i2m{ CC%gya|@,+HF˂Ⱅ% *Bb-Zhs=#3FN7~B.Z_fu0{&پH%uuǪkvΈ*MGe ^n;6B,2^ +m%PI5+c} -@3{J{N,> 5+10g̻4{ן漒óyv[ 0XGYj}(8{DoɝǮ蟜!z*4QNw-7K㩍z`<`\?&)'Q=h 5|HF{&nX쭞+ >ra|F$Yo{ N&g &qHyŷ̈]Hsc62BfSU zi$̈v @ACw694N糧I[48k2h|~KMYJ>[^SP/` [q^0bp!nC7Gɖ)J~=7L؏{GG ix>I> v`i@> O|Tkf¢j>8VY-x0Ilz '耼#XRS>CFEEZm[ws /sE-3;^>J.RkN!^%ƽ낷 Z*m6\t`wdX8[eiWD!Jp[s/67kW4-@|=dAOJZn,Q3?`0Z$zqNO,ʫPٔM9iio NWH4Ra')IpDc\Bsk@( >5Q?b̫7#=Q8)ٝDAm8eʥ,X*cPS3>W*wrZ$%렇;y7 bl/W6p)Yu(߀JNͬց~i"KRwuJ'C$6x r˝[fy}e2]Pw;=3X%"FDdSbi2;qV//8Ӂ r%\Bn ,EG"0CYx]Zl,cV=(eA=z4׸(1Ts'eZsٙfW9=6a>0;Yqq o !i{}Li,نƶi΋"SO8-R3^YJD޲|pǀE[RggYs[Le,lb%!*cڠdK07}8i;z.3{vnB-*tÛ##/M~3I*a'J 0XG!/l: uV8iUTHY#EML(?0$, PFi 'ZzDijTͣZzi՛a);o:"'2&IsEG8seΕ󉱑^4AH{^I8șRY9%LKȰHmQ,(8EQPe,cd Cy-qäQzRwD@REdRىu7E~*ngQkjG8|w(>"昞n.rm<38V.M|K>\6(A AOcD[\7nUy{i O\)')W㠣4sBO(jQ5tE7Djas+@L MIW9"&~{3 Yqzr9eWšIn%L07zC*U]Jbѯ gMEݛRC=r66xf)R=ImRf PJ@4C$6@,7ic%bk'h=-ꕜj{c=|f lbu6k\] 3ZUwKw7dizÚ2R6߷~othWvYZVA "ޜ34Ե7DB%]+mZ3>D8daQ66;HJRFf`HTV&-a7'qԵR- ]'Sk}$WpOvt GfdwÓ'yvQVS6f*w 祈)./ӃTD2jq>s#!\g+j=jF@b}c `+8&liRf:B9/rSW|i$6l7Q@y|}כ3nm#:= l#4#Yl1'qxWDdx&tĺtR%8{+M8n}DWDV 17s= SF H桇N\3}޽9zF|jj%m<7 d>V x͜7Ryʼn jS gCOcD\W##)k8+UF7L.:~#L(UW0>%ͧљ7Dw;*R6A^;Av0BjpD"Z zph:"0஗Gkc%Y-8a}b+ e wIQRcsFC_T>a;)KTL.6b:6:K@(38sKZцp7KYrG `v?LZ _.L@|?h稐v }$KO Q-Mn?pVb}󼯏 l<,vс0 Xb{X wa2޻閾u:LJ`]fnn:͑h7} DP砺7 LRSiO&X_t/|KQ~/6;Dѧz yL;MX+6qӞ=Q<5Z=X髦ҀN[sG+L،G ^ٿ}PQU3-YX]̼͍ E>+LZW]$}U6C3MJw%wp<17m&6y_xm4:ɉv~]%Ɨp:0 )/b5 S0 *I/qB>ʚt 5d,60mov4tѢL)C0=IEN}A"|Ii+4FdxT9O5_x.|eu\؟ y[xR(õR)3G!| fբOEI66h;/MIm25ë:PB 2Gg/(6z褅^X 9sҿ( nuۖȸ1- Rl/哢&IeIPpL-ҡQKʢ2 
v6SoíiZԸRzx#N祿߮(OeDq@URgANyn}il)">獜cA虏&J_`F:\G-W<{EaH,*Z!8 6Pu%G *~yVcԂaN}ypViI&k/dj T{PV@Zn?ny]9 L[?B<QQ ՛7ƫ%йw )ґKFlyeߟ [jmIk8s_dsMk 8bϔ[#'>aႣ%sqi{!"T3q%󿪲긏 ʅ30}%GBΫVn8Mf x|R;]bdLbyl.y6Xy1N;P3zļ\P tCk֯e®i'2k9602@$p?>S/jkSADk4Q-TeDu0OnD3 *z@Mz>gWwo)W.LxG(Ѵ(U|>e*-OfR]C_ ,[e5"iʕ 䓭th.zEwokۆ(.=2[i7ߚ#L 4ݝ eb>j{M,44bh-T{?kecPK̑ D\oe|c߃42$fs50{)>k3<+#H|shTP!*|oT$xf I@c?b<`Udќ/֮I>3JE7j=VOX DX).+`Zev>YLZtvDEÓcfirO\ *+#!6\Hv]C(qZ^EEs(iEG5=PDD*ܜ;m=d'-ᚐX(>QP$ܩ`u%wfFZ%LRP4ŬO OW# -3J%/6h AA`M9C:Ra hZ"v '۬F8LN0d(3fdmMц Lt0^>T$yjnn37eCpo,=ۻqPBMRlpzZ@Pӎ"?;d_S(Ff:@k6HߵdHƻ6N9YrtI KyrkL(\VGߕ 4K>uP"2v)[A P-C.4z7 8?`١R|ȇ 0>6r2@EEu] CSZy(%"̺P$lϐ?{3Qx@TZWs`b(ߨS۾\1vg6>gs[tȬR)d c%sZZH,s?-[rF~jWCvD^$ .H\q(Yu Qc>1q*Tk2+Qq)VwSfN\-؞eg_; kednsϪl'@% 4qh}x;k8Ae:Dg˛.}NGs GFLCZ)`˼g!3\}@[;;ɎzJY|dEvoJ9g@E>rs RJwޱޑG6W=4O@H0R#1d7J@bsi]1akzZKD2S.3vzu{bzVfN P'9sL# k]Erk Gw6tx MtMc^vaŴ$#MC74W/Qe%adem4k^(qt\GS5Ƀst#N+yOae6+Udm:_ Bk Лϖq YnQ<@*xHjl/V-O0ݬYʅrP*jDKwϪ֘=,;0f <|y jI*w460Ya=O4&MZxB0Gs!" =]HTAa 8ho^/ǐ0;3vmxD91t;qBĀ2IzQ˔q=)A%Hg/So R0Z_yBT9w#}N؈VDSTø}rn ^HY5`O"jά?|oאeAAy|רUdےQ"UP=jx/!8n//1*ڒbFzFӹ/#stfE&#]>.ci3tLA*HX2qP*IrV٩Ѥ^-/gANt|޻A]jUP+[ +k6?s2MOl!VLjb㡱OxHIH?M}>?1DXeՁ;g nR]evStչ*;D*cb"C}uu]:.!qw5G@=foA竇D'3VE\8h"G2H UYYB7V%^)SA)>dUj@}2p׻xYUe:hQN( (gMOGue?xuC3WJzwcYfGzpJau>IEScSZ-$nU(c(E@ +Ad?L 2%#s-R@5gVͶW/ zC9O`9kls_-VnK:oxI b3 )H=615`1{K,f=2\s(}z=zwP,:2il[& B%.O_G])JTkZ/r0WMi,jgP7V\v~ϳ]WKm_U·lǡ"G##c `< c_o Dw"u@x.pa~54UËe jqD"PTg[k$SxsZASS+vٲpH)2yMX`2rodTMx 1k'{d6)KW;r QΉQE>WI蘍uLL;(uJ=X1Ýk賅V5PR>u}"HI&5=N.z fPk?ve)Ŭ(*sv[/0`Ճ;n=hBTR"̬H0o Eho!׭n%١:!8{bCYSjA`XUTJ>'=ߣ+m"fz u7zD4RJȦ>.R:lXVgf ]=kvkrTJc+p 1͕,MO,!Pz7.cN:ꁃ/47ls_[3<` /Qe%Fx4e^e֣IqBMBL8^󄣑Y G ]H~ [B젓 gyKKf$*(_:!.1q<7 |XFݙW>3wP}l Ӱǝ#;T%U>}5Ϛ ^0UvV1,g/Ew"zT"#XNl5ZyHi78Os, 3M$=6DH#lZB )4f(x-rR}S;d x:kkZC+moV*6+Y_1X+f_ DtW].6gfQhQbJ/@'oÞuVV\dU1`Iv.8$#=]9 |wN {م[>fyBv5Qn{-D IZh/\m>{h\Z 榱hG6^֯hmfua, ܘm͆+9qIɱX3ɰK($XȌkHbHmxPBZjNo5`fEͬ٦ 7tLQoMiZTK?0hw9ϪF} d2K#,gBw0Zz3ƜڷCCE\PSN-ڶLulb3?'~wGqD|hE/dg^Gƞ3jK\ 9c.r˰p ^o i>`Wxv*wPRq߄"g?2r 
gvXtҁ/Ǭ1L;hQdv)ͫ32.:C@ ~^LӚ Z饞2NFn`|Of~y_gkl fGxH_6 Ql]3_ +-'`6ܣZ?1fS܊@ꋎ5DHβ1#_Tbì.)t'Dy0eAHRRʕSl(VMG1KJWɘ#׃D0d%.6ѐ3 c20:u 6~ ,—Z)O:<#R5T0%л؃#{ԑo-V/tUj2L[>oS07\TIr[ KgTuSA.]Q,pzv쫔X%("> '2Q, m!L0̖(AF"{ʪm&':p{.yVzdM 4 E8 ~h̝'ȻD}J?Hv7=޲RFyP?q˵+CvYI Q6=S G؟hQ7Kyَ9>L.봛x$3e6ó?"0TCm c <fmŽA?Qh[/ kShK+1ԩ^vf[5y4`*y3u!G㙑-ؕv06[EpĒZόb5w:zd ܒQBP -+8dŽ2Pc1S6NgsSw뇼ZU.VN#MmIO=2`F'ag)5XÙ˴(2).Y=cqZQqA]QorJ(0=9E 7OO J|N:V} y~ R{4I *>C'Ȍ_j9B@巑EN,5 b&B psq# k1GVMK.GP1QFIKI+8],W%zj66 r0)[CpϗVޒ$Gy{(ªgqP#+yhrd}a^Ygp!@wwx/ObTp3^sXn} *t)l:zԟ{h4ptSR:Z0eB28H)Æl 0$.TL@r ڙJpؤihA9ha%\uao2$}{C-"FWICj/,'`.L4= -O+s|u-zpPx 噴pWTǴ9AxNKU^pĆː𧚮rq#+ӛ@Σ%)Yc´68+̖ӝ:Aq)YόoXWe.ɋ>wH0o]葇@.VZ({*Gs-ّ) qm>d͏c} #2:YZ|lE4=` qjU <xʼnr6 c$M|0oh۶}Eg$5.jpZ0'+:f(8)my7s,/Ж mGL~-ӃH7/ఫD 3e>;PsI7ǪN}-5@{9;{f,y9`#ց lI?c6PdmmxL"3 =kl4Fy a?T 46% ].Jt`$2 ~[4=<A4{4;. >he(}4^2K$ð'Ғ57f8(s =)7lcv@+Γo!"G{i-BrdˇP[!9,L6UK+cO^J`HPvOՐAc?[L }NI=8¾>+"$e=^9qbƮ; 6y/z#_Bp9čha[dR6f'C""}L ,WbDkoBb$ح) eVt1,PTդU6 dɰY|IezW֚⦫N b}qvWG)b!ʚwJWG>,BNZdeN)ײc\jI4{C#k(F%Ab0X1q#31G(~p4^U.;ՁpUSMpy:Zz*=3Q(>&W KvPɣ2ǞujnUv(ׅ_ŧcL~Ӆ"ɯ6`HeWED6Kõ!M'1aty>շ7 $vlF^.r5:+pcHWYљO"vBCk.B}~L-Et_d\{Te;/w4{F -!x1v @|F~{'ª^%J嬔(D1F6޻C)\lb/S&w3};P 0"B+ jDl s3\9&:!)~}Fd`8nkB˂1iJ7n4uWn6$R7~p |mнhC'9"_L |];CPkb߈1MmyhgJN5 DOِLƃ]&d~Hƞz4Ϋ3tiHd_pg3mGxY%;>IGաۖyQ/^[5gˬ"7n D&X42@v]}_UsL)g{F0p a֍4Μ>նX, [$k0 $szf?*Ms&@~6ed5AoM̂ꘐeo^嬇zc$ N˴ D?Dyغ?7#TAusLfo;vVw֚Hf;a:" $YF" ;Qۺ#3QGIm!,%|iz221Vv @ zOW 2 }2Ygֵ҆V'[au4@#ԗk$NAXI2GJWᥟ1*B9ɍ.&E52W+;oԂy\ܔ `~ΟiW (B)UQ}ν:̟qqز*"6Oevsq/e2#0cPqpDy9W+#ơXGN , ,gH 6#=Lڅ؈[zs '4b@F1C6e"|C+ ͊ch~)1bOႶa5Jmg7~/ʃQw,m7/3_j$\# :J_t5v?4_DRgG!>s'0@3۵a 7@̤3;#9NMT~-t ʆYIN1 U( ҹ+?4%Œ=FXY%#dѱ:%z ~s>|Pȶ]=HTY [Bn!(RulQXϵD$d0,sAp+$+$l0s+y!Î e}9H ȑcE3Vzp8seJ..cVe N\  13J1i:E݈iHOA'o?u_I5 5Wz!+>:¸2rn(?~F߳".W2Y˒8h= xR7Ѫ~,; i^cgo"ŒI 5(܏@ %H~_ .%j6C60@XQdnV=ҫ^nk; ǽ[CGDbcR}ǚ`/tG0 x#Os(;Tn)y<YfC9!;w8js[ A-c)}p+N)a[ _ⳅ),-Ŏڑ؄Juʜm+~5R`7qzs-ˊ!o4V*oYXL!ǔ1gzc$a ) 6o@ag3R-T8Ed[Mgnp䂨9wm~qe2{޼yW@WbV7OwBsW4J FjgU 0EIgO?pN P7.g#vf+w+f>UQSQ2; ?^eS?LW_.`Nmio~^}^>lS5*T /I@D; 
b.MH47%-^ws&lvedaɋ~g5mL;0$3J$Ru6yFX08|ASOD?DFni+$Nu&g:Fy2\4'Q7 E pV<$UdаׅeԖ۽\7sE lQ* us҉,\ku%&,V Z<b# %=Qb.EO?Q~YVUW3Of+pZGPKo ;s-Uj]#[H2 yXǼHh;59sp~t,H'TOT9m~ [K+u|e\+ܧdmRwq;h^j 74#pa">F{ 9VŒwU5#T G Gڐ!cD &0{(pjm0s ^<\waO>KAb<è$=ru$Cv*UY* -*^*3Q*-Bx(jL=b#JGHgQ!.8-$H{9TIH46Aè:5A 1wsz.o/E9 iZZ(Jc7 3w~rYHZOX>xYi o씌ѫD/Wޞ옩rOM~`$-yԣ*| pZVPz53XÀHB z>'e.RyN+\vv(s,!vЈU*SOd<Coeغż ix⒖abl L)B;tN"b#[28J3n;kJiuI$eè<1)nZbϱ #Tu Qӆ9/$wub/Ô5:\ǚx;Ba^`ﳆrQ!?ڬ'A|/1R9,a@͵nܗi">ؗ -aLMuFNw>^ 7":0@şr/K":tZ*tn+dd5" tՋҧR:\_ 7 Wn9l22ڒ[nt<.z:%).4:Tlaa ͞]Nޓ~5Xد<9}!5 @/y}Oh>{0qÚGICF(kB~;M8vħ堗6hX+&hT <HlU'00x> [g8mAvn^WFKM.h P[.Z ;~M Ih3pYbx"fڗx/ =* 띝̳iS_Lv.N[w({3n!-,|>.ekcZ^щ!hf}:bi_@*t H|Vxo{.aI3@+d;QZepexʲKTX^c+Tl -FKAFq?_\In.͟nPQ{T(r0.;tvt (žT"|1˝$W#u.=f.oxm$Vji0^:t\>1C7JRo6߮0]fx38I:^٬]v19sC}CZ;Z*GbEn$t ))íWGˉjJgv!=#+f:â"o  ޕYcnxB osi_%L;- ,F`yD2&c-J# #\b+=3!aݻ2x6;j7](&T{UL{1h-@Y'ZZVXNZ&֐BI U$qM<]@h^wՈܰSIFI\tg,b Avϯ$+Ǔv o{Tמ$#n|H>|yhgu%gKd/?ZMTçyhFeU Ǜxfv uЛaf:94WRo0b8nsIAH%!(2*/"O(θL&³3c3׈5'/+A)UnE=pJjUZ."=FݸryV$kpD;Ge2V:ÚziKwƫΫKYL %7ݟnj49nq Һָ:c&<^A5b4u^40cnL3k<e.4]!+*\i"{=]fpəO'S pl {o_KJz5COqAq@tI7 "eq/ yE[ 5_zH#3E-V(˭rp(kM@|(O )*qgƌmIUSqA:H2jP0HY@TO|̈́3)6,]#5~'Oь# uw u%tk4Jgj,LQk+{^D/Rr?X1`.S?w/'s`~qn}|#, ڶ. i=0߱´4#l_TI<c\ W/xoDʝsVH%H+u'FRluf5*rH^? 
';hD^M ^rIY6`5ôa}2[0'E Rw Vay{VNJRdgYjL8Flq^Qr-)cӫ_Ӣ8 iB"^KDٗhEpdԤ+T,e= 2KG8 G\Gʢ W.S89sRr__ΐ& *hV ]&ﱔu$\g|*Lƒg38FM eS9"e@RXP<||A?F>!Q6]kߛ vFz#te~ِ &fDa6V ?K[ ̂*_w1O;ic "f5x/i;NNFHaE5oݐP%GR:S*D)aYl@Pb-(aK9HkJ't,jI=-i[OFŨQII4Whsy>u+t*0 [(P7}=`4Ww|sWߙC|+Vjܰn%^UYhqv G/h+J$b8 pوu#$c^t!ap`OLDHWL_JXƍc'*ꔉhg쯸Ђu r{;yZqOa 4w-x;[c>ۭG`vi ˶)3CYڦE:BS5Բ_;m'r5цc$t{ z ^ *.ZH"bՍu^ T+^\kuyրt 0z,S6P 򰶬XZuHG 7Y-7<% ;P?릳8m[khU`Զ~eR36o)D]v6RMT":M 5ClW_!-?7:AN(JkC#DŽJ 9 F rsAfUgݜѕIwX-YJmBD^8u *Wv ,ɲǺs'Hubh!ڮ .;PN@(7sSwt4i־4]$*_iAnEzgQI-Zt'n>A_cƺz@M|s",y5i7 ?^Z~l$a3+|_8``2lY# |)+_2J̤OLv~Htak"84]rc4 tl:F|I҄$X%;6((nCMQ}a)q'3[p5  !#uC-H sߊG]->nw'0/s)w55B<~XRɦy#}o.tw?w 17r+yJ} Ih(6N0˱/ն/,srw6 [nq8w8 fANJD$-{w4#R.cRN9maL#'Y !g\hZNlW)Vĵ?{:MWdÓ3$,!X2nwNQ{MCM9&ݺ?_mQP] UAu80hdiOo3 F<75YFwJW * <^?1:l*Hu$)dCo=ɩXY ".bV(]$.(CY&υ|<I{ "| .i!cl į_F+Cps!ϚivS0y2°MiYEryXq=|eS?gQD #:i"?0p%DP0ݫ&ltA^B#"Lr9\.ؽLT}GMd%]-B4=j̥cVht%v ƖdD'Y5rkRoкzHS,R>OŠPPh6l–=NBюa4Ặ S@4jMD\\ CŋQyجqzͪOH EthA%*$c'dS0" anK*K,-o;yf]wbo\f/Amy@:}ۘXL'm,(oy|bdc 6ᱟ:3=-7pg&v}+$QAl,.^5c˥쬴Zš'wSm? 
|F&litL }C)E^*@~zPg]\>y24UVӊ8 !a2q}m_>)A z3yI`HJC&<)QnX?K2>Sl͒vḇE)~~WUFW[ &_ BFgan ӕi)=tKdylW{pcsQ+d\:xϳٲCvh'w|Ey_m?U¨5)y u~*NKhE E4СblRB w GhZAքd,gyE{3=(!a.0!0*<ltO٣/̡K7/z)D:ۉdl̛0W'5J E5l2D65~̓"v؀q?֥,my?Kaܒzd;z@d p?-^69Gk,|HbúTƈdc=mj˺hTMCq4@.IP~| WT`y7'G֭u"|)՘‡M3k{{,H dIaE r}} ?H(ԅK}]I4nfR|Oz{"DkSN$6 ւ)m"WaA)ߋ+E+ "daj|?ݤ Ǧ~>.p-х0d wZR@<~mo4{ǁLa~GX'ϒ~Y~֋OS9?Q(+l*|%!?K]ntbX u%$D97]Ujs>]bPhB/Z2幊O`r`Ëq%?92и'rL*%a:Z,7"ٲ0<@ 9G??\X*#$lzO=^Г՚{̈ BNF zi:%-`wiRoy]X{_hՄդZΟT`;ʵ&w#oќ, If} -CCj[W:;B(iJR-Ògͻ[dp֔!DPoyA84FeF-fwY`Ƞџ67c R)ܐǜJG&e_2IFybZN^{Xv,v)2TrYDDYk0PW`) պj|RY>myvAҼA4Ϥ)$ F6َߘ+ WF\@27'{,7~Pt}Y&@z%sC^sq7z,S 44^L>>s,E'305 cKmb[ȶ0Q/ peYkșUf6*zn-9y@2(!5<*'_,k} Y٣| m.t H8L}De[zά3'|<TCEyB?ζGݛEd_MrI&괷bI&oU:Sۏ:ٛbKꒂNq&tcD:W{޻[m n /Ǫ&t`-u덧KDVS7N ^Jd" =O`WP%nlĸ6C-Re2gWq$v`H<3g1lN1~BkW8*ggj̘f|H\BB1qz1gmxn: y>8F6,6/ŀ/ޕ\fP ·SoP`!MS[\u|; D6#}Ѳ3}y )8-Zŧt*#kJ*~rB Ӟma05IV%/ʧig)ׅĖRU`OtG ?x.ɮ| ba|M57R7IY2l G#{lYF+ I]bx;70i$Ֆ e'qjEc H휛7"6(G89^Yrd ġ/lyDry?:[3)a)ΝBI(>tL1WV\لP_$r?ۗ8e1w{z77eӂ?]aLS+9vu#ۢ$61*ft-R,GU[i044bY7`S#ZTm':$=l 9 |p:VeE* mY)ⵉÄ|"DKNs{hiq8>0aʚZs댖6 qm~N]=R[%وgȫ(d.QX`S_Y3yOJ)a5QjZ;CIZY[>4jqJ ̥/d"d'*ޝ&5&CRZpNBVrP5AC~-ND%3x`=^R鲛„&>/̇F7rнT;<]o&ҁ yZr[ KVxbH.&\zTn=xlչc1Z6ky!-D5yӱsήFuV_> 삷bE_ L m^q]wjl #&MY9{M#ZPHHlʼED&lU@9^'Lӥ+iAg;U; ]̔Jo6H30a@yF_ck2SK _{ [!{k_̍Z}PZN֞mMŶ0&JfPU?U)x7`pEbex<ͷݡt.\|:ҵ)n"yȭ#n`K+~+(3aŹ\>gqB>:`|QK@@UsNV?*ܦL85X肥~utӢc 7F+10 71} Z2 ԕ[<b'fNGIqdI~*xyVY-*Ia).3g(X ٱI~!t340zEgҎ^qN5;΄1}۬VOTh˟ ,L^U^o>)0ߢֱ3[R K=+W5k2gPlsRPX|)?q\Jd5Zqt,.iwmVz2\Ʊ57 edO9_PÈ4J.uuza*3|N^(y;ȼO)ll3Ioÿ[A !]Ư) Ј6LLj Mch}*:HH8:=y6FEenzN`3cZ #˩6T0ի#1rS@\%RgV6Uzv6%9 vgiŬqQ|] ǒ :8%u3dxzR &m,{& kn֩k&nn|nLWpa>y48x6ALTᫎI0$xasR5qF c@hM(Oh*8ݞ`I˞z9Lr*{Vߔ L0=ӅИ*ɞ9UfYH;ɧ%kgӖbNmE~cr@wG!n`"l~Vmr>66X*_r O$E TģsߞSY{ LZU{uCx-Mdt]:AbVغ&jjl•$q"U&ӍH Z~2οPqRrziNBIZ\A /E }EHFB,K8+6r&NL,7 o=oeX' xZSnQUU(ݖЇ &h 7-0܀+mbV(){&?;*;PuxA{s4Aΐ$%vRXo!CgĝB2ӏ;nSݶ" z8(uqi۵A(S*-= --KWlI곶g0~s Bn +]$j 1N>XmVZ ialYn%. 
ȠrtCOB+[05G>e,ҦS% ˳k5z+MJ!c/wcsgArz!ӗ?rs|A(M+}<>ʄJ?'X EK'w?Eށl"6{^:!QTՁ*:rI>I"7ߠ)6]({&󡔲{Π 2^+8x1}|&/IAƣKGyՍ 1F[t{z,@ݨ QwsGw C@{\F!I0=hb+)o<2ItͤLdM;RtX[mc^:g\v;+?:0餍UTY%yes BdWr pӢM=Xzx:wDEǤ,tJ"-E<~O4J,*A}Zf|ԇuZm haN!W~ UGh "Lzj fь=%Kc5ƉK6䉀Mq3B޼|Us1A|A9$FW>5tR^TC=ok+YJxZ/ haY~ B֢lDγzr\ 7y{,>1 vhesU 9sUPz&39 67s:R_$beE|WK{ 0)`}) (5rƻ򊰅ݭjG04 t/,$D9fbn<%P,ENp~^;3 !a%kBtW}?_I4 mq`gGxH&^a4թ^,>>̐1Y/$P6z.g ;1:2$*<&X6{+5DJ~֡-7t֚zu,!#~| K xGyjwoa M\A6K_p1z.ۂߟar-A.ǼdKɾ2mM'7w blD&aX(~×)t*U>.vd>WU ؂sDkpk4Xݑ@%v&7WSJk>v46tp`> osh֟*_q=e5<,43$𰬄ސYscdUd* _3w\B؝8%vݚ, cRvʱ7ȯzyML4ۺtl'\q.6;fL,f"썯amj-~ŝY*VU"VTvrܺ#sً %;O)]хlXKU>Gt,l. ؋|!̕¥vRߍYy85cD.{Q?S^*녞g0NX2{Ct$N︅g5ЀglXV3u +%? ݉5rGR@[땨 ԈCT83K ̈́˴};&Jy-M0)-u|s,dV1vg^V?2ܪ^tp|;*)+#j@ebe?V+=5݈b1Ɇ,E\NWWG,%`,Cg#fǣȝSTt f(5d' 52BOy*9ɀP:ޘ#Hb,C!4nkg-`v$M+M_{|Fe5K7*[b󛝖/" ~b-iz|3/]"+RnHPF L=_Ҕ!觛 NCM;"|\.Rmm #tR⒜JzQ[lHؑ\h?@,#Լ&b$0aQ&0/y՟ujR~ r*e"ݕ"Ƞ<5vx_1 K!EHNsJ W/y㝰G10&9dn{O&x]&ȏ!Ȃ6ӣx:(|Ohk_^J=m%g{TM7g3W>q&3Mod4=֬ߥ|QEa%r.uOл:Y[ҩ['\$o0 ? cc(U#MEЋ,KKUA:/nj[h(Ô`5J>O?gY4~ 8f=W2IJH:AC'Ø&Pot ghC/ _!K:r7ɠqG3~/ߪUsqi&xsKUqExȴUՁ=A)_eY9ܘHTB4dѣ9r\qv$_޾D>jVubs0Oc]WsO/n58o>:kTHxBA*Ql'2y s}MӖB@SMt_؁cRza4UtJ5X:QdR~N >_k5KEYSJsȾԫ'Zg|8*2'Cɓc uBc^ 00V'6g7)ItqXXX5z;0(oҍLawDTs=k@a+M%" > X?@UfEʚ vˬ"N"$"%Fޖ~Kmx}Q[{U%Vb3[+lZqyIM5:lI;%F}WVqZu_QB_)1n>QopP6͘Еrwj#3biA~-+ϔ˞28J+W?d(Ca<XIO\J)P\B"#gk3Px5!1 '!vwQcGAu2’cӃLd'bMpc@[ w;&/<Wo>zl4&~ o゗  #$/~~``@k_ :u 1Tr2Ie-(%M_l_M{P<UŢF(,si{5̑v`_uDwЦȎӛ074@Kxq$yf+} څΦJ$a0tɤPg(ǀKpvo/2D\M!c|=Mg}h=mЊ.|~bKlio }Zscցԁ5=NJyU,ϵ'bR.Q o3H#tkFsnѸ9KOz@|qfvCi!MBTՃ؎x5ȦBl56pbѶuv&X& YQaƪ7 (EgHi~T6>266Ds (ܶ{Ƣ+uԓ\nI)Xل 7+/)*Jj*6%ZB_O@*7ߕQױ+/=!K jF .u<gAT7=62YS/vtߊО^!0uHmE`:<3l{w -/ׯҺ8Nb1(wjͦbBmx.vP˓ْ@i}PO%2 TX qC8(eT\U o gѾ<54=߉N=cu2!e9XtBb!QW NDlwPFJ%S =5p[6h ?9^-d[j$ - y&6CIV.byhU+G42ҥ >ٍ$OLd?ɯۃ%i$ (IPXuyCcI-b;E(grב2xcAzx{Y9H6eRxc DSh2`-7]f{&mUOIwuΉC;t!' 
W$H⹣EIf(Gꄔ\RZ)@H T?7 2'3[ĭ&VR7?9A ^wz]G>.uO91kS ~FQM͍bkfT$UNKw*n(Y&9MX͢$+ѵ ̃[Q𦪸uւIAq)Sl=x6N ,QT [dfOj :-wn!`tˆ#Robd ,t=!AmZP˃v9@\O)tVԒz hsB!1&vt?w[^K&6?'p czUx3P$ޗvba1R 7 vSAJeߕץeWH,%ӓLb/^zvBF> <1JoXc^]wϜ<+8=O^,MBI p4C&B8T9^Fp1} zd4q[NJ FIr+.!ηϔ8V kOk]FlÈ#l4޸w#~1XѺn$(nCw[qHLFе$xtQX)ʒ\Uylv 쳹, [yYC@ v_̓9"d{ґn Y׵?}Z.Hm[ā vkzky Fs"1ʍK<^;Ba ڲt"Tه Paҙ={bޮZ@'_NJ׽@*3Ǵ)> yI{Ӡ2XpK69z6\X > ,i-SP8wJ? ~!ë79Q jeѕ!<tCf5iEH3i^"bW$ȷ]1.ލit&BHN$0X:6FH8Nѧ['\Z4*PKc]MsxnwH꾙G]>q_,'Ő3_b{ U_\D[ʹrޜg5PBfR@vX8ǔB@݁(Qʑ)o=xܿ)cѻ鯌;{cAmi y~v&Қd:u \fD% -£<nYn|/WRT(F ['ܳBcz=gp:{3MEcK+5jE+%V\\X$hPS)K0my_SrA52785TTR\t7WƹSRܕQz CF}*)/Src%3k1ZU+ZU=Ҏ[S~4^n`Ag@įQ8pՕO+`nؿ۾~vn [Dm/RҖR6Sػhw6*PhkMpUԚTj[t!&k$Q9/{UhHϠ2EzJtY,QoaoW9Ҥ4SzU_:FcK@>F5S_h 7pd0I,79%шs㮐 Cy[#*'AJ{36&RO[ ՏHhJWvJ"Թ9дoX}gѧ vq zkEs7bcIfBt7Z=]Ok/b/by:[h E*ӴR)ط[fm {pޅDX g},:kSgF>nyZEy9^%28dcɖ/q@oi9; Dľ27Zȴ;-LUG ʃlPod>&)[FAy~('ߞޟ>txx6|HY=C@H]9Z]֋ 7WLR6|0򈷯~|ѫ}d X1yx(; MeDsp^kZBŎIV9~@װ"A#XϔMHVU!]Mf+:zh%qmTJw3s<TIثvk~{G4a[s463Bf RhUYѭi}H#(ewD=ݎ.Y$ /blPk68p5XN%~ @V-gD݉O/hH,) NQv#‰a@;ߎEŽ鯲M"T@g: v9P(4z,K ~8}#B=M֫2n-}8tׯOߙD92W-s N/) ӝ"Z~W5K#k/G'.^UBB_+( ^XP=ZNT \ PTۑvvTe|HGf T×72{]tʂz8B?+zB |셶LFUX0dҿ D3p-SUgjabKD) ӌgBN4DJiױ3ʧ巄|W%d\Ohvּ q4@r_0mǓ~x7~ C'fT799aoo)bG|4RHfe88'x9:焳pYɝx=uGƽ9q'-m jaw*kD _8ԄUi`m^hg+)y`OI A-H>toF27ȗ4JVHLĜM߀2zYQ0 Mv^O?vɻ?bi;vk!JZ:251>LU4oTLgy.d0D6gπv똚ܪ:"-ߝ_\ ZtayˮN-+ZXwDvL \g,l@Dv21`HEB +Ce"f}SJQ}b_z>n*eo6iikR_l#kKK'-""YN|vr  VyE?YBo97LOA&k}[Aaxʍ5@|٬GJmZUh0xc"%9I~le(4 ZTCY ^ Aυf[7=;T@olWsQmߑf{=ɂdPO-|̡])J7[6 v@l ̖[@Q0V%ĸIh9nT^9m2؈@g |'Z'Hpq1 BgG9ܯHpm1z@ŽS~/ D*7wJ4]>*-y*IAq|f?|q5*2DuZ $SnH2켛4(8PVom'1j 9 "Ϙ(7ILmE;Ҵ٣yZB f`fM޲Da?16b}4^RMк5%0b^yt1דPp+}C!uZ:2P_J1lƞ96~騾.ϬePYmZ٠gN:-'3Ц3eԭD셈bH|zPqVj W/SZ}m3yX i6cy 8jR\%O\up0P|dTFӂ'%?)Wc\li ~+eX ;)F;;Mm^k~2MuݬS| *N ؤPLJ;IyAJ$ Am}Wmz]KLXV.6}>HKn]q fAjhWTI2O !;90p!CCl.Ν_ *smqVˊ%|}fKN(g`%l! 
X%{6&=O–Ud%O%D35 ʑN]n5чPPF@/ i<*Y!b|km@O.Ql)hbD}k[ 7D;ZxTզCאJc \nR7{"niM_9$S5͚|x'Md 4=:?\BйOA?4Bĩ 'a'+ؑP}[R9͟\gQFvo(pcF[eZL6)j{ FfȊC.̛^}H^O#Gd,@,nnO\vDev)pr>,t^dV# F}X|82@M)$z?ӊH 2fFT#89~z8L6#0(s&]}HtT4 yB~q|bxhrE"QR\Q% W^ljj+jx&!)(3D(ӁB9( on1*ދxO|`~ۉޏ8j keؿۦ9J b[ޥ(:QTLƘnwYFI܍QxH3dF pceVFwfR<#<ntSqр yEo/e&!BCMS1%m𐐾| [<_5CJ/rً-d@7mV 8 JV,vINDMp=TEOIa \țmNyhȓJ[QwfĮ!L`}7+m['&@h s)?"-g h7+\G̒)ل0ͪ;ךo5"%~t!eR`]!-ꂮHF [4#1̮9qpٳdLޯv7u͆HdpWh Ty) gBy ă/>~~}PGq 4Y`|/lպHjo2)@aCl4j;"[#Y9,c@ m¦9Q}iWT.LN1f3DkDZ߽(awg[%SpV7Qs FF4&bb'fPW5WxCnV  ZrTX;DZp#1 էN"bvg ֣Sh܆NSA3޲ؔRG bY1=:sjaHWK1\M2r)Y>N%k0 |L?<ȕP>to8ca++UtiGJ%ؿfT. Ļ-&W·'HWq^ ~ojO<w$=ZqCH%4h.FOj. :Q&Ҩ&-oEŪ<#Td7_xx(~(1e/XO ,OQ0Z0dĝBr`ZmeDק7>Rh~t@rCѽ4y>S1|M$2pk?ႇ$ڎoAuJ>=~lj{c3J Z x^ :⿬t6.d%oi0k55uicCO+٠^&O]0-R|]2K?r=%RvbWi֌pzl2W8$h4Z#*Bzŏ V33A1&v7)!>ќy~8so]nq'l>gLSMծ{u3H| Z˝Dt:8SjSTڭ&A4A$cH0M:, 4gڼ)eR\9Btx dO mVKI٪Ԏְ2.ƘP E3: [,\ <_+b z 'S_]Z8>HY}Q6 \sY4{\mJ$=o_qx׉XU~AMQ!' й[+` ͙UoVR$oFFtyVY&>֎d|/vRDECٔZ>: Y~ͪBܨPW\U&]H*"/ʱʳy?yx6P JLk$;[`q? Zm|lxQ-dy@p0&._v@%_ $qVO.8.\ [S={rωWM镏x0l` P֍܅pƘ\,e7}n{G ګ~%0.A0TDĞĽ 87rVfBQKVyɲ%1S"e&s'rT7d1?.}cQB'8(u#6WiG:kSa^C2D gYIȝp-RVU@+?%I})<0R- ƕP2Em$*R`CoS!y/S=I]($-6KUdV^F":3bS!aq(39t4w))&`3$8E:βq{-ʿj ; 0[qM0N rɂTF\h~%hX >mP 0<5$=8gRm|*WsMwW\t1ڡ> AO"ӜikX&BUb.Ѭhӗ*̈́5|x,"`p4# ^3J{ nj{|<԰Iߺ~Vk,ϴZ{)hq2_iYT?WM@tmarVC{D)WkzRDS.$3K#XQL@MZQ8. 
bK 2ݻӬNG Wg4ROD?!|mU7SE{e͖~ B2!ݗ' wr4*{wT` ,4$ai8I \/vӺ84HQPؐPO)LKjPra/l?x˳,Nȫ$mr3ݸ8on C@V^vGB$DČd`C^jB@X7 W߹9NJYbeH~i h`KJTwri׀ʆX5Oz5.1$J?=;AzaoHqX(R_AvͷI&$ݬr!kq ƲI*k`a%pWB NπQjFRԛs}kv˃kþ+ fW+(='`}fgx!yd G=fU2ʔ E@i* ){28U~w\p\nЈ c#mTPMĆ暫 *>-+zd5|~3Az 4brtP()5u/.UxEj)-BEDI-ɠd`CdWt7HKK,QQgXaLgRPZjs ptESP߫у (3A*ʍ6M9 %Ԛ5^+Ya,mW DGB#N]Ǒ!(8o%,e@u{ *Ƨ->΋9Lʮ&4/U@HBI!|=4ЅGTh{/*vs3 \KˍŃb`wO1=k6G;V6(a;s_7 ċ]m"j;3;.锠O,3*-6k:#[L0וhXT:[xO:p`ӱ1gycΔ+&SS jZ%hXhH(e)&'VM8y)qoo<!mtx=د0۸*g;5ׁ\MM0thwQ];>~[Znu*^Be,K|P+tg#=?Zyd8>څ _H]nBsȰE„Bb6Ӆ*UyYc\1i U̘^< L aѱ'­%TTe=Ƙx XL=>h6?8 7`͹Wnkt>}"o\д=TN5gkH 4*@ٴ'>/&v'CT"bZTO _ާU4|}]ϸC Ponx6cyRFO;Ǜ$K66Q +sh\2xodW_"Ev[,ypK 4 L0x 4gƟ8Ix:ݱF,Kxri\zVjiR>X|z(7p(,Rai2.f$_J@\/t@ ֙ :07N}?%02|[UGp@@ BsaVd*y)U0 *>ƨ!&M-yK5IL|#*vKK HaTi('amdLׯ#뒳(g"'LzJ"n7]ɉ%pVg , =d0:L;ƚRF)@֡n~q8ri$ Tr^f=knb0N$f!;+o:_(^~gZ1>b(b1 bC.Cԛ'4 %אϕaۨ_["s!kɍ-ODUB?cTض_UkǠgdhqȱˠ+k/ā!pR՘}meA~Bߥc쬹|K'*RrtKe$Bdžt۶DZwY*̐LX*ήw/YfI}8Â>,F 2+Tv-[X{O I(luf2u37R>+5C+Z2*þK^4bf\i-3՘˴di oE\X(y\h u-ӧnve>^#VլPN[j)F@@iQJc:=hkj@}{.a6LHLr`|՟ҿJA){ qKzM%(wEaAt0hxaȮ+8X1II}P`n_oصTP&k {My1]Ȑ}t{R}O@-: dA!Bւ~\%k#CTj DzT>E8>ߍWQETlICGC+6m-hf'nӳ ?=Z=ٽv MDPfە40w`**ZK݋`y*|fϊ[:^.Ul)r-\lTuwÛ[/RY /I/]W|zG 3?g3AQE"[u n K!o]?=a q@/,mW}wcD3d:TpFpVVoeIQ=~MQ П"|7(0lXP(Gx&WD@s-59@XҚKb!sAF-YHLjOL>%>U7}ʧ;Dqm$WzeAN@՛@SQZ2 d}^Ƃ';襩 o!g?L'uܳ8^c,(dCn`](jbŋrwCdԫ" ωPl_YQs9aB]92quW薦{n"m%/bX3k{Ռ6ʺǸ̆nVj@ rw+:ELO!ۘ j'ZUWu*&a뇠@$ QMkz6RnNZ@I:q.ϝZ0Pf]D\rIO՝물JT=_\FUVO*J~Gͅx]Z n_󛍤MU Dz\?3z#My 5I ؋R>;ƀ 4kR^i* M:J> -f5.%KܩN="DxɶY?g ٘x.MMzfJ1m `B\b_ML[TϗhOEBҥ=:d2bFIXqM1˒Rs֠9IU<6#R?u`kȮå9uqǠU,I82Qڲ֊ngӰvn&:J3j:`6 U6й)mJn*cP@*فzE 'ATsr c0ugi i! 
J!AhG]}0qcNF F]{ƶ lCcc'w_Dۍw @ *]]j\$ljNCe5Ev7S SŞCl?瀿[?R˿x})1PC]K!QĸǣfX lhƆ+ gr4F,mw,o)/W\,KULHm=nlh AJ['Y`a;1I*rl1>ZU;)Aq4 4-qQ3=5aLe__v:,` ~I@|&VȝH0<v̸r Lȅ7S䠄\qL?THX\(ܛZ6X[Оg̓Kpi0ʑ"YZ*#/m `''"yY~+8~m۲/OG0]:*'`#4yx e>5C+ 5z9<"P}^$qD܁ +fprP[9֮ 2b*[|[8k Id}l1}_2Pve/gH_ ,Cv+]ڏcŦY7vjWnsG I)m$U 3eu[thjƩQi?*DqYm-K=.ɗvnîO0 l `HEnSTr`I9aq%g- /lC&agn=e~4%ŭf5f2ELu]>T?|9+)rur❜&o=Ex]P ,wH́{ެ01%BHTh9c,&4PXjnsqq~ߑ jx,{_h='䴯+R^b m*r7PaBD4 }YRYE$n(S\YUk9W`Gy<ȯ`Ý: gqN"%O o-p%st0q#XxMV6ŽmYBr!# X`J[G!i=NѬᮉqk߮Oyf1D>]9G}k/mdZ/]x=oU򌌚/^Cν6'/5amW DDԅpo[@֐'}n;tG>H( kJV?U&DB!0RINQ)It?V6wF=d׼ϑz&:ce{[sxau{LPJRE2Rs ޭ@S7n.9KUQ^TLwOs#+A wzJu'ɱ#'cQ2G!7 r_]ӻġw6T| V._b=K+w^h2en~-h9S[PѦ-\X?S"vu2;))&ؼi5R4d:끵y373͕~^0U-I՗ lM;-\{^N[53OȷfX]Θh h5`9LrN3qn.tFUi'j͉0gMY::Eb@5?T^&\ػ FGXdR 2 iyqyaTNsI#8M]=EV\/D׏H!w);y KY2J-A},lwkJǃcleyEImHt Qc'h>\eei[M>h:|"dȣs3r,P's̯zvHS4NzIު1}Ɏs'y j~rνc4O!wp2swEԢ6L "1>!QKDlC?O汷`%H0I 6IGOXyyIgf$FY%ө$PZ"ІhӵmsMsù+wRv @))3?}b.-u3<$͹n%B@/[>EcXAď[O0oT'1<үφb?!jdNd6Z[*ﳖ5E !nf:)`RmL39M[BE%)2ai[(?{N@9a;霉An8)i*188#?H5d FV9Zj(_5 ZcSl#vQB/ lq3o M=q} s7ITy\|0nO&%ЦcVsTpԭX{qd^9_G|QrM/l{Xl] FV%,H˘n>2g`:ik0Un"@+-T;ukߏ~F0v%Vߜ!*ɛX\޺iݞiZb9: Ӻ9PFJg׿{],>}oxo#ºL5gy%:ZJN?'/ؽ0-Y$C=朵 EP*cK\^6[m}T #A[Hhsҿg!Mߨbrϡ"]`*&^k(UݩY%PJV0zU-\}V8ĈI8Ou*6? J9YOMH9g0hADa0q:CΕ|̊R!gF*9t*H'?dA-e'"e˚DZJK @W=( |6*EC,tTw}e-hK[ KMߠ'%lǹ [gWȧ:C$dՄ2@3Бt(dt t}٢xJRûYJb%Oqc{;D0h!|~z e.ǟbx6K 6˸b aƴX -a2lCm`qȰ=$$ף8 hR{$w tW} e+wg/JԱG4\qo瑝fo]ڞVSt6l[%)jG59ZyX8~u@|QFJ7jWLQ[9b8C$ĂP:Kf9i#=?ǏT^7͝W{@6}$zpzdgE"ժZg$.xf.En{?ua/vN}c8EȎj>F3~õ4dO#G:K↺6 'NaᛎQkԅW{+ 9 Y˝?qlMץ3䣃(%e2=erɽV +};D\@ _:۞}C|nRH+7TXF/5r ^@0,XTGJPYKT7d1N'tk7f 65xn놔XqXr]plҤ{ʋZU 9ߟL:{*k<ɧ{",5BG"0$ʓYDE7|;"u{Ojf@]Ĕ$75"Y:1|mZSQ)kK. _]î1:.3ö2xW2XiCAôe(N0#iR" `'[ *"EBFʿx#ֆ':*{rw(gkz{6QI墂R3-V #5 puJ3Ah 93@)ħS7Ұw>$MVy܃%lTo8U[`ib MK]=(RwkJ^L4ݍ@,m√B%ilpJ:]ag ˱zc/h䂰?*PsӳoNnЕDTSq`U=]OLHTc;81"l f8qmHk\ٽq>U-M(Uݳd6 ;^>;wefo[d)rAoc*Xx-=!w0%;:.MZ+4F}ܓRVFGÓģE) \x |ZHH6P[l9 V3va1u<~4*7;Ҳ}j7R1(H+5z 5iTuϤqi: 1 T %N: |r`2¨Q/_ś?ڮR% f~g9WT=KsmlϫC |%l5^MagO۔\^id/! 
p]a4 N 1: r+K#jS}~)h;DМI,@)mR)A1RgLX7Ac5dM",3Fg`i {aoXF4̠Wm\d^[\H⾜11 Ӣ`*C".a8RYY9x:푃u'fӝI) WumXlk AmO ۧ f%VE/G ; gL%{]-nPH"!匮TӦC ^'}Om28lﵐ^O<fJ>WQ@=GIP6{Jj"r_O/(<He-0N0("r/4hL|F6.ZNm"q^'&KDž~a-Q%s;u Dw̻ݰ,Z2ĿL%Y#5 6\p nauAU2iɪ=1˗Sʍ~BY,)̥HsԼ Q/#$(pgyUcl=w\dW>x!.a<1?u[g ]|uW7M`Ixkh:=pd&6M] N|1!ǙA\UfnY`?L;]h;mi ƣk!ɛ?+!^> WoUA4bʍ+~ ǘHS/K |%r*u @.L[q֤MaJ;P] ~ ]h,q]pFa^3on,<TDb_uoc![SQˉR7w8\f] )9$^ۤpO("[A=fbXQ$uGP2eu@)#fMyuyc$>ϝq6$j:Vq:k  !ܖfoZ P_zv810\7b>_+$)^ݸK})1j;2ZLAu|)OcM޾Li|.jxyqpWP`NH]6ci{]a,떕['9<(:V@ghòauI\[YkHi ܌3.@YO9W8wIܒkU#`(PdgXl l& Y@Q Le1.?1ocW}ʊh^̎' sSqW<vS9mUcnhdOQi vמm'/> 3ępD0{q %n]3y8X%'k80p+ As/#-9d4ՊmӎI֘+jk?M8HY@DB=uFd)AoQ)uY %0He%;Vrf=YOyhPJMze!h+Bd 4B)^f_||XgSE}1̲Ob_=_Wfu 8C|  9ƃ4]20upzܧ FϜ1SUGmhw7j;!Ӛƙh"pg'V!_/&r {$nئJ@!ӸL; lW=qLn!@I4F@-ڲQ?FлQW%nSBҗؿb/"e RW^71&SJY6/(^~-_=ThPj0**bdvCKɿjǵF;5p?5ы^6Pr[\׆fP;6jb/#C}R.[ቱW^4?O-FCK9[NNHf70w$4gdH7. 9fȡfHA!S:OaP)~' +|jzCZ]゘ɼsTCi=퇧`bԱI]3A<@މIBèʑSoj%#,D؁TSk C.~C,"5o,NüͮJf"OQ͸xc%=VBˤdw4T$quVaY.n꒹ȲNFVj/ܿ[תp1iUl.c̠Riԣ!(i~@ˡ.JѳbZMi$5nD E\\ۏ&L5P/^oQ9xmW abfZKntK>/E JʰuKlh5"$)"~g_;<sU0rl]L:K>ؑ n(׀.R6۶)mٳ+&{7D+VesJ< xߜulAlۜB_Z<8$)O*CNhc-(jqF>yO.r&W I -Ë{fc(>Yc㚜R+U8lod>Ruy.oDsr> L|&`"6QܚYTⅮ9L> M0*|x6S= rb앂ƆkmHC,M)єC/3lӪ㥽)l6NmYqP~e;AʠG뮠@ZeB%Z;axUx?sׄ>Z1a8G2OCHzcHO%DԱM'[..JߏNT7.HCI/B.V# o+dP]u ? 
CG3³+W^&-{Za7ԋCx&|8ؐ"r' @&cA?Go=mIQܼYo=Lqjɤ~5oytXʚ$X6z2 'nN=m6 ~s4szޞ1WPxUڜur i?坸YA,'J/(x|C笕g:5%^dr1PYvL-koɮhN̓ ø4?YX%:vn;!lq5Gm_;t PjO Lȗ`%+P[c.g7V}W4d*gOؼr9(L>'k$pU-([Wr=˷5vxJўa&}2L1eb;R呰q4MJ6HaPiGzoYVEU\<ŕe~ՓNcKU?ؾ&%}e)xLy8A.Ew-=Ej1{K>klp\Z_l?/IkD a/t8/TX sF*}ITkytfFL渃ޥ˧j|2{"z5v=t7rVp!դFkf UrͰ$fך)""X~Kp[#֚V4Bɖ/ٿ'D֒9mEȔTbu zyȂMfUVrJ3% hOya %Jd6/rE/4;qE_Z8X 9ݷbHBn/—U4xGT~ޔ\,Q Y!^78Ose)/nq]kw,*5[.n ( -V#̹S*KaRƞ;4^#Ma"W_*':/@pCېQy4Ke M)TPpn|l%2b!OB ?+.%yKR_5͘/IIX6͑xVk5f\Y,eM85Z ͱDxA 5%`[sF,9S:}sl%# >k"Kt9F-oOñ7*_i# f.4U{Ju k{KAKwDݰm&TX3?P~$B]"#>74߸x${nOxɳˣ( O@`_&Ck]Q"ѦTKq: EjO`Pkm?f7&LEW-DhQ+<} lG=aء<-ɈT vWzص$͕"B[ye}Jۘ.{t:sS髼O+ P2nB&д}3铲&~$vYJе{`T388rw_+fd~ND ͂\ܴNRQh$& }l]^4)kIK-xĹsHM#x|G("8;'K.᮹@)}&G=zʈ>c=Q-ҰPⶺo s&pU*Z]4rX) /w: ArO‹z]|jCj9Bo ]xD1nAME@wzi˹*ŗ\6?hMW #Xza|zw<[zt,*; u@Fմ L7X& uϷ&aR2N?Et^v4DG򣳷~߶sN)diqWR(3*|kT, }r|nqPWs!ȿ3~hR?sK*,x˅Z\R0le^~#5 F 3VLj۟wMvi6xVGcd-J(Uj~5A^XDb3Kɪt`DKiS6Yr"%9$FJn:f51q.9Y T{ ~Ka]fMB&.IDU=1'%+?N')ϛ-@| Nֶ(# gg3z'LBRkf\ kbγ<S( 9KӇm,p~%+匉4Op{~ yY8Eƃv -f~rao4PS<Ʋ'j,jkmޑў`яnO?|V|J~0BֲtCVhmxr+xw"c[fbp+,nVJe裐ZMi-)0v<@D{F)u7&%s%x |xs_ÔK qm_l0FN`\H1m)V- ߖ۴-zBې\wLd9 ( 2THۨ<X!xv+|kX#`a]^UOnL=\{cP^Z=-@ @ >mޓ&]'ap/! ұqa!IOξx-9Iɳ#E&~;tzgnȯUįETgae!|2CPXzm`-76;LYJKBx&>(C.B`6!{YqGb^r/W[/B*!(2\*iz#8=+-3FrXvC^{ &fq1(9m:=5P_[a$w%HDk.=nseCF=;>Ҙ!ַ8ܬ\R;5ЈJ,\f/<ϩrRȠC3sg:tEúiWm)ѶI-ՕjH|]E01?C Mv{:Љ /pgZiUq8  "c~W.3D.:/CLJ~ 4mQ5~W#mYHKvж\|(^ "/HhuM c +A`)!tHvɦ!Fw/'8*cv*t6E=dut~%>.B(e:d V, p-u=J }l@վ:#\1Te_ -17Vo (*LP"abAwb8yjo6Ǚw_k  jY*<7Db0дؓdQGPcV:a"Wďn$F/bnSo܃cxn0fYm1UP2x50=Hq"u '7>̝ڲ7vXeҹHmj$WI|Kǖ\X;1vAGl7rhi.s-E}n.. ]ǔI.8a5M c1[rr/29 P_NoB-Dl_^! pс a+jSg ^8tk|{1sVQr<G5j)1/f˜0r)'`2Vsy~C2w^4V=.K25ahXL:#vu.2cb{VR?(IvK3eL%S ؂3ރ":Im^i+Ar"]?8Kϭm<6{7˺@o݊-`|2͓Dm4Mrg&"\V Z:?u`yz͆9%hf_#ƕZNIVi.v?SKhh2et=_ggQ2{o3B.V瞱 ` |ul-MZ@:7* E uw *9^5f!B Kj%z` v8<@7iZtj"^~]φxM|y+N7(ߜJ ,P P7Ҋq]7~pdtP5́a{|VBa |K. 
UBM7M$QWl8;rXH9M EnUE_.=8vO;7bC`e識Xnא8ݬEE"md}%ep@k쒒4Gv.!0Nv^= )%w+29cQ Epsla dtNhB:90$z \ؤچ{COn-Li8I̊2m?O3g?yv&)rEcgDJ̤#,T§05c/tRJ=G#a/Hl?9<<3Y y.*4QZ&01lGdnhO/ wg:eok]4˩jw^%m5|u$*U ԋ/tMy2a NE,QCf30[;wUP +=)QLZSEk/S<njRg j#H,+ctr"_ Jm)3r 4RA| Q 4迤̮YbһHW IxhqpĖ%)ɢ#!h+ TN5ZN$zRª e ߁D/h=m}Xv+o`Pfm#0JzV>ugr,OŶ \nә`xx%X:EНWzh} ؆"FD[ֱ.O&akk9' V?(e%g&T]^*뫒oI:PkcK>Nm}e|~*w]d tr*Q)rf %QnҰl6C{͙eȫ͝R'n='h=x}*lh g (y|$5$wܚ) "UW1 /('? c2*c7/fB?xO*im&}Bݛ1%WSLwR =h^Ri2:b!&!T_Â1j:R%\>~}Vr"(BcOp}V JÊ!$vynq{1Cb T!eNcVT0GU=QNYl\ r~']U~,z{@1Wۋ"yGP&A +.J5\[6rRB"Nd8I.JR {!!u$I֪i"&]>b'MUwbӦDޥw>/8g~NYSQ Py)+U~ ˉYْ^L=s-VV:S٦c! s!"4B-yd+txjN9WN^jv" SuSkH}i,nRw{n$|bis[AMj4E f{S%y1ףv>puwmYr?by~Ӭapes]X!eF%EYֺx~R^)iRx/S3ΰu܆ ZpL,bmlRq=aP_8bGx5J9ĺ'xCCOP;:Xnd1J# a',#iLG ܹQS=PJ햃 LJs.:-.xCS$XT䃲;?bb}t{zc&ޔO& S8YHmXdg{i͞#h,4V.H:Z:v-xu)fR9't:=S8l|Jt0-F jh񯎆e^b?1?OVԭh+\jv(;XC UAxtd,s~`b< j׬ S|4 _-@6:W&SGg ĝ Eʑl|~I^#7nR#Xr"kBBy8esgDW PvRSܦN'ITZN\e8PR5"jo@E}!೑T<ǀgv;T|R' 1kNϰ+[t D|YQIB`>u1-gkbjbؐ=]7K1"օy\GT?fmP~&~H1?w(|+cǭN*'t{t}s7exmNCZ:a+ <UD,%_sNxIKbzkGb huVʵp˗y52|2QNGCp=g,&YkKO]ȇ!@I7UAn_'Ne"OyHԼْ TZ036w\^R/Q@ju[Qh_,7RHL'``ijt(XNTӻokl_1m_=fFw P`I 4SƦyտ*I+ʢ,BV׋!ڗ6U&~n{` cs JKQَ!lX891R]X="bFczd+c;4{É|>E_hx6u-'oBZOlPZ AW =Ys*r+wOcl$D2 yȱⷜZػ*m ݘBʨ'%\v[AV̤_ǥhi9#D"C)(ۨ X{-ι3-86{D &)[=uBw11[c"ᅁ%>l`HpAMjcRkN#_zP5<fiKKR;( yct3)৚g@6*8!IOB7H t_+қsr| N6NW 'rڲ;goDG87$.Y0#RK H`  qCc23boFlĹ"t ' I-Ug$Đ?aq,/Q@ݚ_g$1 yzuGMaEɜYTHW2gPt\/7y| c, ^`cLΦ^ }s?Yn6;-Q I5+LvS/Ċp%[a5'Z#d[탼SEN.rLpj-"U?8wSk%kF~AJbxo6J#ab \‡ ed1!S|OմMN]֫πȠ0pQ{:#{~c? ŏ2@IE'`xffCM5;ɧo͒Eӑ6ݨ-a[ᙅVFF6AZ]rm P@2KcLC$[%mY`5l҃ո50knkoH:.\˴WLZ>  s'F^8NT4,C{ʱmd9|2n667u*qݩr#斲$\n8gWA]Mv/WLpM+>Yhg95Uo9/PTg("Do%[* w^VvF!r*}fw88Ee.Ƕ(z}.yN8Pb m^+A6~8 :z;W[8ӜS \~\idJȹ^8IoE6Eܓ- :008A/| 'SC%yWwb$g{&x glqDڗ{yXE"O™eWn.lz-A@]Fs>(\NSVUӊ)epD:>{sѰ WdPY>o|GAJP]>D9mX0RG( I간x( @LS9#,S ͬzvݯʦ9ah;^[J $xV!&5 @ѫ!H&f6y@R:3 gVTU0- HkԎi\L.ﮫk9r]SK]B0 vV(4AxiSrоEa<" 9kZNч"i綗 ,l+L's)B.JqHX}`8)HP:&u㨺x}=|~ZGrBv$]Pp.:<`#7K? 
y6)B9}q7\]-'\+FX+!C7lAFg[ y|c];'RVvmnEt ɺ(/YITs\ދ K$ڒɎ R+u Q+Mm˟Rн+O*BNZyDhwyC.bF\{2҃X5gH+D!Sٱjy1]Qȥj/TբS/%qSdUeId)!R0LL9#a^bWB t|ƮF6O~subUvH _`/^+ ܟeÏjnU@ u@H=N0+N`Y*"4#=uk- xcO'&b_6>ޥfapF ?i '߳ x!b!8)י!v 𥘑-7@HKh i%8-rreh'npWR=1 W8 y&Y'2H왓jҘ,#ǔnpˮS5c ;|xAH. 0*fL'TT,2 p.2!h'E hƴM|j*!#C/D%M[%{2]4%m.o Ǥݍa^d}WD󛪺) 0ͩe.Ե`Y}GR7f] }Tnx?}=s\83p'敌€~43p|%zV 7.[Yԍ YY5BV8[{@1lQ"-.MC k\޺Yң;5 J<wzR5:^e<`y~1+_5\CEpИ8vq3[ohu Ej`_,g%f C{7T#vgrdGx$?MxCԷ6gnF!GA$32D2P2,aod#P g"z딘a> Vn8%Véf'k29G|p`@iw(_][w#MbA|dw&Lޖ"3; 7%VCINdQ/=Ө%ϷɎuI&` |U.WJ(:x!kS!=S>xh{Yv~=K x$ 7H0{P,^9wݕ@|&|QWwLm|hK (Y2 UCL[Ʃ 7 eV 5<iP7xy %W7.7_Oua# c$(Cne#i^xTK܀FxْcݬLRנѩgc{mcϘ9&.&-YX+fh\ {K ^e(G9V?IilN9>wi7t ?]ԮPf胷1B7]"tCНǗ!2Cl Lc:rRl[yXF&+~)mb!d\,b_7?B?,,ke3ff(TCttqI@EK2t騩Ъ.Pk d-چydXG$@ǡ+(%xY}IQ kSSm7.ՇKR /1ɔY?V}ޗwl=U3<]g٩HZ,VtWWV%5OHB*ÁWg}/gFWf7yv~:C{$K;nT/+L/A[_294azȵV+E^4D]DŽT|0=8h 7pX`A+' h 3r*l嶨2Y}hPCq';ukD!oT7qimJC|l%SdJ\2'QˏjUY[xZuuQ8Z&̢F1J=~yT6XNc:uqaS:Ե|~wXpۇdWȘF{uh<.qb)唿9|VNPY'HDuJ樉uCl3kN>*%& >R8hIKT3CvJmSw{ݟ2#-xZ_țsRe'm>B-V4փ$lYK"{:>@Ǔu[T)dYeS3|k6"vN Zf'VC>$ KLo>TSS<'zeey`%RCݗiCmMF\iEI#hߙɇz9t0HCJA2I0͛Ď3x ؒs9{L.Qw pt $=x% %]N˟n^V* eqb`Xb٬"6HNZK&4'l@@RJ)gE5MV݈L713`-W1mEy !SW(ȩZlt &4>낣: Fe~EX-je|?k5r>8?ͮ${i{&} aQ8@EH_'[y,?y^)'OL0p<%0`+b^eIտ8cK2[j~ Y&8esy8#khtKP]`%YJ$E6DH ZuiD4eq:Hy"I0Ą-m`@&U=,`Q R Zvі+C"}Dﻫk&B/Sق{F7uᄆ6X(:4%K8mzbmո ʊˏHq2tޛ[ $r|YDn ǞKJ2(祌W_MI/yy|tvv? 
ie κn;5zi8Óݭn,s b˶#woXmgEiկ5j{-F|Rit6I(.WiipF4X${Na0ULxseo+6Ԋ"O{ 1z6wGURODd8:c㾯IG++:˻%+]~Rzܲ )aw,2bΪԇ5%,?"QrmߊcdE責xsRs `_flS4.p_+Q#IN]x %3v(e(qvX/]v~$ ;ǦddΨ Vuߪ8E"Wb=wmYfWꞐ|n1-AjaצvgZpSyLPg*_KTyp>}_r^2\Y'Mp0,Q rG伃:=xq Q?17 2TU G3 g)&0ize pDTb#<e[SGH^ "1X7^0Mw*7Vs´m͕RX~bdW\LFw '%R5-qˉ{'쿉I[ j ̻0]5`x5dFd9« fJ[{ȀG[]6]"o7 IxL$R*5jap~7t2}޵+0`wkw<߰vr5U <~4W =BPz"QhA^0)Zd77 `"G~P+]^Wg2e2 (j&R`@2MhR,xC`G8;t]`My 4QNZK9,!qޥL5Û̆> :pӲO)Z?|#WC2 "wUsI`pឡum +E{y>fnzS6 Lu&Hx7LqhRݝ.{ ƹw;/,T`\;&$>{9>1EƔڨ<7 `_ߤ@w/Ijpj.a ϙKAVed ǥmMQVFЮMU.QH?P`5=-{cWRY"eAA\L;ڈ?Ar*ֱ6R )T !cuf2E\Sr<()ȫO値JPMG/;v"d' غU2TZ:~;?uLs6wB M>;j^3>Ocgq] `eSDfQ7C#ۦk VH}BD\b\:*>.Y7^ zXj l-C34Gɲ:;ĤP` s#Mi 9to=Ғꥯ!BOj(UuB֥кԔ$..8V2U")GO@soR_\s{|Hȝ˦F@Xxץ͢"g ^I8!1zOM/Kl6F6S7]N5ad2uvSpi[m) R?39ɀ UOlul7*VsڑFp$LWU%״ÝT%Ƀ3?Qz,P]a2QA"bdaYLSfSDI E_F~ݩB&S ,cj`؈= t3< 6ѢDk<7_L3QˑM8~6a'RpW?/4ln|:#.pg1f͍nX^w#}$p픂<ۧfcn@`Z@8A,Bà_ˑxջce-23AnWnGc$X$@=s3.G7O  7;|>\!0xfV*M*gll6Xq<)cw4T6D?|.4Yp~ s8R]␈8dŋR_K!0NfgEo}>z0 dQ.6We,3d28|it2&yɮ*7B5Qlv1-+5iokъYK皓h%51rLʰu5BnWq,::,. Sh,9`7fԼUVGvC?bl:Iy`{5^zIrǩF'˥|*yo Hp}F`L@  r{ܖS ㏦mZQ pJ`~.i^~ؒbm͊rzEu'P4B٫$6߶ JdsvI;^& SGU;b%m.ҙNI^Ր8!j NTQ;y7NqJ$5,(|ބLXsnT`Ŷ3O(;ԥo!r?V l# MYJ5b]u wDux2PU:%r22?y1x`MzDZuG_OֽO$mJӝO މ1N齒h\֯&{* </y)S=2"V }=Gb Rs&< HQR4lX6jSiHf &ow댼j/+IA66v*srh-I2RBi g6ٔP]go5We򃬻d\WYReX#,|hR(&T;ϔ8 rwB1^VqkBu}ZvES#Fߺ?Ǎ&4 ^1YYRuF< ^H^cUPMfЭjQ4K& c-l;]Y =pT"/Anr .c詭v[> ("w==͸ɥy38X>6.+[ s+: e=We+ gÍϛǽm^Ui%1 Q-iy؋jR|p8(CO6VxJ Kdqob( ;0b v rTvd1q0" |[v׵BԗA𔇰0B7H}%*'ҘMNm1vVc$soغ.sTYX"yw|1icr'2q`4 c^V~qVpw33?)WEcmi֎:)r )Bpj|וȼh{ v-Bo"#8H J~YVeO\iЏUgKh%Mmʐ`Gh'B"4܃F,;k:ó94F0r2sM~Dڦ- P&7 wnQ'ٝIR*Tk07A#%tRBwmGFySM~wv!(v1Ј,gy*߂^{PI퀟Mm5i_FP O$FiƶfrMD3RGf{ Gb֒I~<¼(.|GC>CN*|F;gꌥe6ug5ރi k {CeƔ'jk" ũҩqfxPoc$y7VbotWvotqMQI@qBmXvmbO/:QT.Lq>Pʑ5<W@gTXU'}$0&= 0WHt%. 
:̣+2R~ތojfr\5@*H-~\BPPq]8c J1Y]D 盕hcӗA ֊tA}"]|!8[yZDә4CLj |_$@m$`]Rx"s ]IT7Ķ"i1MCOt{GCJj~)C ;z>5?[*?O3 bxtV}q/9yg>s1.~&pOqđ[M 5*RJr|u%`wopy>0G;+oQ/xP~QPɭn6@'ۙ%iWR!ݵ1w d/j%Z.* RTXoH(S(}뀅R]4^;xtԍ~ET7}Oy໕2 zDkh~㝝;$\⬃nK[!;̭C褵P|&̬t ZøL x7B=ǮQʛN2E{5;&lީ*.„a2={y{pvE:{X6>(>~". 쳇bep¹T 8f ۣoqts :{Ps -5Rr|K5m*$G/Z.0R{+k;'T !BU)eNM M-X<%w;f}Ӻs+'+T/Ԋ# x-"ȇ3MѻCu[䛘rwf.7W48 V~UGj核 .[DP\NyphKyr:Y" c}i w2\y\ȗD4U^e{X˅lnNhTZf>0{!yŭ&?O(RY >Vْt|‘1:F#+B!-kYd~ $φ;qznA9^m%*3i52'ugBƝd$u0?Pm[gIaRX?y"7ϷٰȔp⴯ n!}Yn{LSI.Z"/F*Y?$1--EX:6zY,(gtn D9q1/>N>$nl ֿ( |ipMUe=σtmV_`l/ ? uE&:\'%9' gV z8U}-*m3\TZFG0J@;>!(;q "?;)u"wKE8u5 m2.$ߕs-vm@UDijUW@:ޝP(7S3i쭾3`Xq  l rS~ ]4}ȿ=ꎭ7S{,(Eke?X7{EPU i(j"{B!~8fDvZ> !Tg$'A)9!LU)[.M؊Jɀ̊ [b>f%m ߛ^([kMt;ă>bILL,uh"!/|⺁bVI]ԶL: ?Ed!FԞm&ˣbeR/p}m:ژZlx(oڂo&8On2DDVB{Dʦpdu0#|izUL,uZbȬ\o/[th* ME9͙GRk'd)*FY:m;!tI8Q-H>`8ѸET2w#.e33:{:pbsQslˇDodnp䂚XD -i*=[_4<~=ع4?, m=XDv*18lpeL.ey }a/X0( x, UR|R]GJIXĤfdAz4^Zw*O2 Ŭ@Vv(jPVY\T!x@x.N R-y.JF` +;% S cF֋qכWݗDA17l;Kq Fο ʵ(|;9 [=PhseiSޟx~&,$wvfH_/J$!(X]n_\Su<{pS,* q}w*By;4L=! W vW!#Q$70e1ړ9ݳI( `BCVV d #:Z0u㔞?'kXU@Jڌ19v~`ɸIlLbn*A~"L/+7ji|o5_°9hU/QK/aD%f  O0*퐤G UB>j>d0ZJJ4N( }+6V,_BAvyrUv*N*Al&43 H>ℲK)\޹Jω-{gd'V˽'^(㣧7W0J3H(kp. 
oc ?7)6 IMNUS?M=N^jAg@DR&HkJ¤xog݆h20B!\&F(Wk|}?zTӿ#O8-8nQ:+Ր?leUif*a{ICҋ,WO Rg/ـR4;%2V*ڡ@x@:4'".\1PG!)8hC{bF~ٺ()fQb SN_VX` ί Զ^'baFT[SxLsLRo/[2=ޱ<,weds671C%F癵 E9BZ,On荃M]19+~BtEb~]shx_%{1'.}J}3+}꫎Se Ƒ4G'QH% ]ɢ%zs⍜+jkE?B}H݂ڝ!wE,'7;>X)-2!Gtp=fk`޴0f}`ev34wӿdu ѱ䰛<˾(7`|ҏΰ3Fh)H`ӑPL cn8,"wY`|8{w|I7&:;sF4roƧZh9Q,Wy[ՅzLp؎ضfa\2tZ@TU 6cO%K,S߯HjXD}&50~S4dwzՠu+_8OLksFYB0l$|J(A9b n,c##Q~zI5zEt7LT;˿}#'=W\jM Zցz|ղKsUԵ|r4$GlCkF"mG-ab]u%M<_d  g+֘F}U(9l"(HȺ}uIP\B"AYZJU/|]OIWpعeH%@)_éQe djIp}$yK~v KG0O!7< QCc { 2r'Wyo]ϏUX=y9"f=$Z7F*1ec$rٗ.d N |_XKuf1@Qc``;ڇ12FD5T7:GBpw% kB3xLFSbe I2@$!dXӕ0Ly(2Si{m5BAm~eO W{~ dKd.6pUݡ$I"t4V wx^p!,S"q׏D@Fs'(6Kq9'w!"G/GdaWz$:fm`۪عMK2H.9L jHA悯T|ɑ$zm<~:.H9~t^I>S(wr{qe]?_CKUE~dw+K-Ŋ\oN,`"k`v;kLio0.܌4HώTTÞSsWL/Gs#Y'x;F} <^|F([C Ъ O,px£dd ]$OQ<Ђ)&W){N`i ١1kn3to8g=841J/&jñX =ѢdWXĵhEX )Ukt~ңDV쵞0u6ůHJfan&l@kI;X\Je*G(.4PNq1OoHXx\uZ4㌔ Ǯ8ͨ$ԋ:h*-l=g3i\Vb扏̽72uÂEQiWJ%%g#9'{ bq -\tNJ>orwU4{f IߣŮ_FhJ!y CoI-/ ?횹!b >cP1sRBuMJ. $w+i}u 3 T+?a= UQD0e!t껐nr?v'I0|ۗz7p%~uen:Ti r7+UP]=VM xPNbk2ŽRA/ZN )3V@R#!+X8๭7ƒ]|WTC1BM]9_Zo!|>v4͓!G, lJ "KWwʇ B+\vEdC04Ճ1u, /?SXrd="a J/@rmL |2]'9J[?:=/M$~魸ycOzo}#E!n=^-omcdp8Boԩ-c^ ^Sd8\i1orA }g7Zm]:C$s+s$>Z ^xވ=d$΄+R@ǥBLBZ{gZGy O(jAޯS3?`0B5r^Xˈ_@d-G&a<<ޑ3=<3R45t&!\Z)A z&u|'D>в-U I2rJ}Tz[pF2x[_`~]K{?#W?) 9zQ' Dg2ٖa;p4HOL i& ( +BX%&=KS(k9Qb qZo5UM KG-)U^ʢ^1s1`b 8i[Wx&j%?[f;kq,c*ئ3jƨ3"&Q$}k$948/*\Y2. 
(OF[3(} @\Y~weX?E:=7G0h(,a9 ok=@#}˚B?_O"׭ a6؆EcЯu0_6r6qwjM;W"ۭOwejuTLV%O') 6:%s- B}6T1qtݵ*f^g[*#'"un%If; ؔ }h >Sc-xKX|Y6$lE/ɬq$quTGGt: ^*:xmR:󬷾H\r4;zbBrݎ/ú?#FrB +S&?wQ#c%f$|ŕcX s];t6OZmG M:l;Q^Y*)kU[Iа(zng @JwƦ=&~ s0›#^ Hx|l蹚f6q Oe1B AsQ҆Svp;'!)Y_]՞@xZnYyjEBsjvҹp1 ]+'gTdr22rXovhП?}%I A$f9Cob56f)(YO%'932+ԯ:1 zH"%pK6V|Ouv0ȡ L5cš8u7h͞<첅pLZVo4XshD$I.pɹzl@vml:xRj~r R\- BPY@z5uZKȟhl{nQ'wk1 .V:ژ @ 5i"N=Gs%Bb%5vQd;KF ]qC-.Չ^ǥ\&_5nx(H@:(71Ś#wW)]^eM6fl=FNs\;Mq9%؆ mQDhLo*dSRlOK8Mf* gMR_"P/܉"W4B:As!,JX~2[14a)AŬ 9D6m]ECTG9isIQ2,[y/]6Նt:Eh_Vzp'|js,%{{n8e놤i$Fn䱨lxw8MlTJVH VTfC *JImrA SKMѡ/24ׅ J#K'Hm_+ló9.[&W5zEQRt|E7zmB`#5@hF_OҠ|* Vl @i9RV.8ks&[ގ7"w:Sȝ?*0QƮ?s욚tZd1=VdʵAeKR60yha a{A%uC=LtD A"OiuĔbBʣgI$rtJT2jJsqK/ a.,k]ܪ;H$0]xY!Jh\0+qꎩ7@:a-Pw7tF҅eo[/C@iO=&WЪWK@i1dI `Kȗ7_dBN*kNC/a8yx~A߄7S(^Y4 Rǰū>O b{ ]FYHۉ¨6| k!8f89޶缼xts %PjTy}[@Vyf6M"FK7e| "% _B~U>jJ%#QI7X3.?a??c$t޽dmli9.);ApPM<_޿axEbjSړr?g(2*0o3ǔmxGq6is6`NcAt3_XwNk<]eWQxkUi`lL}ĕ!O'.1v\ ۣ.y23 :k_X^adfY57_o*^08@Nf>:XZrF‚i4^8 iȦ|g/aHLXxUNP. PЇߨZQ!10!8DT* G Bn{8'S\@I648!KHPg_nX@D{i+ k@ȧOF6]o I7ٰlxD35AGNf}]ywSxr-WJڡhPLbp,. 
q\;XLjaKY 9"UU~ NH$cHxPUBf B$ezlX?Z|PݯŽ 1|V 5"L"ZbbX y`{e3h5"RO<ձ6Kجw1qP ,,2B|zvkV,8G25I$\Յ~.PvJ:@$e"TUp-iءps> iӞ.޳T5jwגNq19ӓeI<Фjl鵆S{D30*x'YGyCc*)a,;4 L[|`9 cE惢 y?utL9'{o/pvq},jEKIE\݂ٔN6ha|Ggq_x¼yxHTAXI{Ai+81BbmI#B,e+H"Dc:Ss3~VL0NRTOx⣲՟#y26!W2ikj&(gl0tnW?tq˖-V9̍[IUU6: fEpr 羰Omv$OP$>(Ѥu4kӺ4UNy¿e}M{&9'4HvuhTx{8m4} eY *\' i]:(:d)57c5L\1,h$Q$7:$Q>0/cLWI4*7adi2 X|hƕ~"X~ ¤2mvMK~0`&&5nW`x*8G҄E߈1vt05UJfnȂ]R)}4=hp# `?%= i1g)WJ5pv9quS\?ǣE&cΪcV;>&S|f3au-e4ԖK'Lp9q_뼁)cP6>?CQbr@Ĭ׶z0,\rӰvy&'jJ?( eI9v)yZ[2*}g„ˁ0+2;vRH;:v#W8 4Y?r<> }fJ: md%AOΏLEHgaˉ:*mc=5J 1#^U,o$Dx{ĽPnf|@4UVߡ~.KAȑuòq69"%9'gq1L5]J;r ſca"C@!M+*`[EX=d M΀CkYbh *Qu߫Orފ=vOtOqkg-˿zZo?+㟖r}BsS[+CLAjoUW [U bOH760d"+FEu\/nSVE,UgvȆU`]./vZzm}:$𕻣(z~.3hsGU0@tg5ۋQ eMCLnM gu[y۱PnA]ԫd^˭ #1hJv8.'k@:7tWJE~A+T;\)4Ek)Ciy`3">?ۯ}XaF Ⱦ@ 2i03 JNŦfZ.-$ x9Q6I`>񤌫flPi@å 0{kWEg 9흞 2 E8d)R!}[ p>&a[ٕB` &>^=5WyS[wr`ʲd1<暻KTS'$ch~`%=U ߺYr*55vfVo,~ ۉ S|rLe]3ږ,|r斎#NB197-F@ǐ.w8؋aG#;ΰT[Z*+0u%gH0ÞщM{]0Q%Ց \IFMylrk$[h\ٓu%VX0ЁE'L< m"F.-ɊHp=93D}E a:j%O&1z Rw#5^hFJtqU/jc`&pe RQvYqu|&z^ʟ!d,?doqUb9TT(t1迼$KAQJ&N@6pg`GA0Q!J] ^ޅ!xtt? BXdBE<"D@Fo2gU+`8QZs_js ?.V*aS8gniOE ]pSYk:ɵ %Cg"vrnS&obWW4c!ɑ{X̫(wЫu[pKu}FDe?}׺fON"N`l[0jW>[}l' A{hL_@v36b5|y%Y yoq[{gE7vzulUQ]KU룣nfZ'I*4Zݍ#׀2ÅYEڎgRsJŃ5Hcm[73^HQG%dPoDB8NW7 XUZ=tW9'# Džѥ[_~,5K&q ,)_qsHԩ }S3ژ‘cy?u?h0)~̺HZ)$mCUk=Ұ >nz1{'8fbފ2FwF93\թReJ@#9 2srnJ4ƍb_"[ip&EE!Xb/! ZI"+jv[ woA6pI|0P/[֔YGρ8޻Y=5kceEKg&:QD!{Wͪ} Xtd谱>*9]>V؁֬Eੋ-QiE(QPqe%&~xL#휬Rj}4TH! 
( q(m=a)&RHM59?8D0MK*G yyՓWb [џyr;7MkNo O* o I:sS["x&i/w k"gY |9^؜ׄn|VW<% ƔwKrhQ5x%W-""iZQ}:M;>unXŗm}:\j| l}svuZ&6Dv{*{4;ڎ'?Ԁ[E`FTl&O^9JAН# xb,0&jOr-3.S^] µV}֙[?Mlk26sC=+&HHQ߯ nW@ϑSm`@&\7F%ebay=ZFW17OمX(ĴjڪH5x/R=b}ˤB)`ڍ89Ga3(K/X]ZHBHPe,G&@+O>NӶ~5,v{OL ՄLHӪv?[Q> HDA+% {{_=6c dVfē'*(-x!x9t-P@?˕%lIxЖIy(q[?zv+PXÚYeRhQ[qsiv 2d<uNK(KMqj]T _%V|dN2#Ov))ϚqTgo 4 =hqْIPZ #kfU6o֊ xovfX犜M{F,7L8315؟^8k%I)|jyTFoGS|8)?~ 6cΙR*b8ȡOY^5 +;qgHǺ -5uH)ɭIa;ZD)'z/֢ RFVn(?OLpiwlr^3t1EDN?"жVh4P4wy̼/  'Vz>70|ZIcݥ_J+ܮ -^Ӣm;Q!d#ׁ&@}g1[D7`j7^4*idVuɩ1b0T5RuaO ;0*6 u),s65?r΁KAW"rHD#,UZ]-.A `1Uŗ?%(qX&r|woֈh[#HİE;:%OM# %A/?D(c:3=FJ#d?VT溔:+3]E9P2־Hۇ8Pt6tŘ{gKih`^|Zn*2e㡒~v[&޵ r"c L,NYz'AMX膮bffЋH;ymŸ_8 IPfBKnyX9 ʱZKme{tH.{:P7*#A3|.{vUP}ሌ,yq ^nS_lV5eE_b>4 uvK)?Ddf?֎Öʢ >k\OK ($Nh~+NM :F\pw[ ! ,Z~OYִ-*W)fQ]KbSG\8x)"}>&MEi<Ao50V _9gN k+R'<&cVyxorh< [HCŁu:* S> EL.r[LN ^Z%+Rc\ J]9VT,* o ^;К7w$Rπ6"Q!LZ.j @(;OG9+9 {;>:N{T H-bǯ  Bpӛ-Mr0t_"U1 ΛͰXNvgigpP4F'W.Z%@Etd6>A@"P߱ʎڋ1 %7[lw+вsOe$LbxmKh+}k:N9Hšܨ1,FA. n8C͍X' !\c';8XƹG-v]T}7I"DD(Ck8qߏv! 
+M9.@5?x-:ysd?4;b[ԃ I8`p$VF?ʏTvDg$NQKn%tBrajQ3==_W럕AQƵk=dU{b†;ۺ?*J4@ێ<_άW +ls>GP傚ZuG؀ɀ;eWH@ΧyA$}d߭%*zGr"tY(FzI\3'77h˂l_ږH#a82fP+"٤yGP i"UQ C89]Z}}(i"QO&[YB@8ՇhIa 9\]DqHJ*^u1# pڒjm,ъe68zǹh?'Sn-@7P,2}%4Z2Yyr{qg5 MTa4"pS2#&Qy24c2;Z[k"bo̼8?sbK{m2wKwA6!f-BEl@e7 ϭߣdOAb7S?<4Έ ' ZYҾ ku]\+ ^!`(X-/4114hm69G;9>:kםl;&Ŀ}؎ED_ȵ=*r/5桵he"Z Q.$fW쐍fe1Fv+Ѧ](vA:{ÚJ3=r )y Lj΄*PNw[L/LW5Ky4C8ViEb4B] ooWUmd+j0;b:61|FH4=w\s9ܣ8Sުs 6ip+'DCw>m&a"+`Xo=)WP0tb1hKrb~WW-s=Xk"ye?<4Cp.6}t=$gK9QuB(._-ʃ"f*d؆Zq.B t*TMUOt_ʼ@lL}zvYTD-¢ӵz -pxP١j:-n7a1S }U'/C)[Ρd$̥NWL$hs6HŖ%&7V"U%ODy)quoujBY?aD5 D8rn>CB}X%Y!LL]=rȳV$2X/Q:UF"Ic|V⯒vi䬏3wJh)Z:2l-2-z1g#q"Ŀ>]Ƕch>IF"_]Z%SqlW006x .$Ѩ9Zntރ[}( Ĭ>Ԩfg`;7O$yV^U| =w âcHg&%s?7]¬rD ZtZ2=WdwTbN37v:eRO>0RnOz y!S9zH$72kވڿf[G%.<˻?B᧤y?w F,)h'8uLű62UIHse!י㪶"YR\DS?aHOܣw xG+i5Bu )J_gJ C6󙕤ba%OY.PrT]ܼ!LexBŏo#ruy(t7k<;q8אּhFo#} .akp_kE3 ;}S.袺]"Dw9Qmpe#82U V߷ӵnזyȌrHq;PL--vMM<0  [)8שƌ *TY}݁/#&)Ki"]QF'~-u{A@W "$DS!@{5ղ:{/.D·jo3>X nq;~#D#ʒb{KCۚNZMNq_1/b ʺxl,Uß\ӌ´׉[>d \I6ҐJ@CP0XMo>V%G1pOдy[}A^ h͑hv UX櫽~Ap$5 0|}mx0^X,Fp4+hv1^ V}^gvg,灠f9nz~"-OwU64RĔ1$6nwqNM5r$ QV_#E8e1RCf:-eS- ᱩ.XLK1ia1N~[|{y fįwkχcU<"9 'ί˃_F|\FG1Z#EWa vd5ag4oNLŬ? NFyr~$g|kتvx{\m_#lcPݫKA#-GC #I@9c95@ /!5D}D!ilڦ~DuF 8V'ݜ@kWG6=O7Qd}rmbVgRLab0_ei93|VAMS,:!B.hQZ{?K-s3B&CgEE^N/3P3²GbhV"?W lW ۀ dH=r9wYik!*510!EDr#ZJ'Qo,ȍ ,֗~~5%s'~nj BUޤFpL2ʑ hEF[I5GN''$2omVH W u ^ k&w}RKKgd{\̅/%u2o~ 2Xr.oy mt@s&*OGRαaH^pXց/N0i0+t'"oHotb۩1T۲E.H.LR\~w: Pn,IMJ8lmЕ+T*F +cU8 ޳WȣfDnpCQK7oǴ#J9$1e6`8s/d?/I{ msrkG~xPcۖ&zl]r.} ޗV r;Hׄ*[!L{ d(K?Ea0skTkN2i[5+QDer S)0aYl/i/LS%ZfRɀxi+^ W̋ /U͏gJVq%j^N u,Fܳˬ5Oho.Ggk]u1sgD]wEL;L$RR->}895__8KG?żk}cǞ 2#P-dR#}M9 4,&3>ʁB47f>.J6_o<1'KPpUmC&$d7noe"460P\'{ItBT@ȩ'|@oü*lr+ˈf|+(ާg n05Y(vH猲o`wq3.RfL~kC~м[5mTd[;r}3M=g;~4d$D#(o9x77g7q>:moؘVXOotnH{DNk$|Ӎ{*r/:ufUfe%+J|-GxXٷ2:P-c'2{Rϱ[8E[<R8DS˒,VAvgV.D1uKs!reғfЪ 9. T`uo+ SI+: #D^ j);$T@[3Z[Nx@DfI’!x 3um(Y0ެk|B1v:hj7l%sM+D9#]cW,[$(۠,$ 5DquƈIg .Nse rv_~Ι )׮x1>'JZͮ6a%Sӷo `U)rB "F?Ӏ;)Dah. 
F+Yt9rLN.a'p'~DٕNhӸ?Xd_6=G=ew#Og"Ķuf=3̽Nu8ʍM1/JXm㠌̘J]rw@  JY9 Hm}k'Ĕ$pXv 2BGTW YJ 2{pG/ҤDK!I{UlEu;U>gwy&J~z{OlD¢Ygp"6x꺣rET(^jB@  8higtK" ԗST! {K1h!c er!g?%z ht7VL1lA,#4 0l-"i0ڲ:>m^*4/^) VN!lF)z''gw!BD )X;$(H<]Kj C+Ɉ4 LܚDKK$x9[En[6oeLY ӻ;.y7k0[1 ;J^IUch^P  [< aEp>ܲ#e‰ۑH#wF7W"-(,]{wdX'{SƠ:%؞ Ul(Ej>xͥ2B*#esYWTŐ#Sy{<\eavYʶ\ط934S;9l0c:̅v#h?h0W?XXц${5u:!h7GmYwM#N)tZY?r~CymyUQ"tc b=_d;ɍ/{ mc[ό)BSHyKEmRrVaBZ,'jµB9@̣y,}Q'{-dur,_"2k$DkFBOO3*3v恕GL rm 0kk9PnF^W^w qwfˤ~;B$KִW:!KqT":=y?YݯAR: 9ϻdܙIH?o \_*|х:![P{~Ȟ$W,sk]λQoYf-%~)EI:Ҡ )XUSݗb9ODXFPt'ZNvy,zNMe5pI7crP/폷Dc+ʖkiA0WvYX ]p'$>Tx}lp2+xqT$ *֑RƇ1h¿=y9Ȁɼ)TiX#|\1%lxݻ5av2H-~*fz.xUˡ172[xΈ T90lr@qg!|;Ͱ|0aV'B>Z733(nt fuG ;$}-UW(t{[ܰ-MFmIM1f 2Y"ӟpF}vXuW#\|]8T؈kr3}Cࢰm7 ҟ6\ڪuN0eeaDN+#vIr!ۇlZ1}X6L>9)R!jKi .@_Q3Af@ `GBρB4&%I"ɪb{;YmѕAk;#@Hp3.bULOx)0;zS^@Ztы:H^5"Ue'^:8[Ͱ^;K'잏 qԶ~Uȧ"ޠЖGm$$2j/%ۮKivKcۏϝNdS f-zm`:8CRힸ#4|yK<6ۜCg2\*\ jMhڶR}oC' BtDVTZq0o&@YM `1aOnE]Ϥ~YvʔɠqqJ?蝨w H/^ڬo\?FZi7pJ0lPA)Uf.zo?Q|B_c5yW 0&8c)ΒXn?`DUZAB$FA,ACjϞ;O\誩2 \L}Ԭ}0gZi-ޣJ }t QVMf2v!>@uwٟL0KaZFe'&hnϞs$NnN5(n| ZϐE{ m`mαasy>9O"Iփ "fʧ (f$ؗZKåxQ9bwvۻ+W9+Lw~{@ qƼ r\%rh"5wExb H#;adZ[dV]6*bHST'A;XH }~3i_M#fQq)RO'O47\= tN<>f3??x3#]WX]HLx_-p;Y'3 r -[q=sghܲF o pw9zsd!U%Q4(qr&F?d^Y}9G-g>t#eܢHgDZ= (Ԗɸ#7A(fOM{-~GX)^/*3E~UVNԍu2 }]KW$ ]r/?X~^DTeOCgaMRoziIy87͸18*8ͯf:> x\ڬMWOX_+Z%d~+zſ )pDE4*E3...LTpLz,vdtc0#bK{F 0b"\i%&{ovg93fUZ.,(@W]]:=3Ta uAqy*U)1o vvJr74Frw6ﬠB a:[%Vrhm9)+L^d`S̊?]h- N,(uHm!=c5NiYoٕ9ˬ1ŐˋRQ mW%vnvi`t%U9moȐ#\ `*\,I8Iu%IߵN9o @N]"u`Ll R痔 T1yοnx>GLEt1)#ߦ"OАN/G!V 0g|(VY+ų//"r'.?ӴVekz0Kn&(Lt|O oۡ]z#œE.Yn/+.ȫH|0Hq8pQV-᪙INԟs7H6T hA/ȑTBs+OM{Z~$Ff+]4*n {I!J-וa 6*-_Pi4#:{MoCDÎAt]Wx@1-iQ V!c< 7/91 n]so*y?M\/FСq2Ckť1=~Y(A7g4©gt!=.pm31jB:a@Ds6"Kַ OXa1R,\hEx2Z?b`XfKY2@1-b0l8bhD-Y:]du*Sgx_Gf^4I 'CGݎ['xi hX 77l5K=ArUث˨->l6! e;y&qI"~Ϋ8 -#VS'r.582b9OL0\<S 5ڒ(η,yv}(zW[pf1y3.wWe'%) 1j'11 _A^kD\t06d6DxdTtO/r//E`sAV"T|>djDe1$BPJ3,P@%Ek9틡'/Ȇ6u\*M \=T'q ҙ-/X1S6mu zD1Sy_=C7Lf#e?Ewc#^^^ u4GїPȅv ODR#Bn~;W/+oᢄcwj!K4](1Ni1QwxkP-v%-zO O5`Рn}n>r c/! 
Rx.|]kM|::ąkBNВC+~j!ڻ/8%7!M(K0 D^w n*;Ǡ 1 KWevM@URI*߱WmYPYG rME-[b;*NUFq^>n-7%y.zĮD;K'm{va]WYU9$X/<{\aJڢ6yRznז{> uj Hy|HhZ kcNb*ӀS?sUUSt `d@+^9gn=<+0UĀԋ'ݳ»QF GRp҆r1"s01JIa@ 9:(]h/:ľm\ij*x9Z`-fƐ%ZZ#%m#,pHeB).bDټ3 Ɲ J^0kXmʕf_) u^+aͭ/ L•|%YIo)J!I >YnM9{^f&q/V/095@sH%{:`I3 #+7Ft4!3gu^ ٙ|{rANC1}ql|0oIM!$B_:+s_o($>Q9]~Ea~M$`[gnDB^$Y -_2(p*0\/,0 aHE5^(˨E@Q f$+2#r).9W;9p 2|3額@RHQG"`*7N>ҷ+VCBjkF*RgL?Уaxvb)Y5S3KA+}uF茆p-L]nY!& K~J!Rlޠi6:LIV%xT먙Ms7@|+*]YިD>qsp@p,EYe@1:S C]Vlc΅b-ޣ&֏h )&rwi,^+eߎ9ŒhV74bD뭙]1-y|6iv1[5q@Juo%^'XZn)x$^I 9ʷD8໊  M=Ov^J&٭,X%jٞݫve! Myqi38TCz|qB2gGntr\{=Nu X^5j@Gqݒd\G7dp5 ^kblćF|I1z&N_w8} A=Jv:v7p,Ӻ+Fv S֖4j 9]Bj8w7ǞlAwf[|g>/?G1!yu t8fW]gY֧LzN\m u!({ׁ̄ʘ@(Ăs?V4;Z:YtHӔʂ] 'liܻN|!kF5o׭MѸ[BzWDվI|Ua ZT3UFye6?D=Iz6x$$x7vsB.\n<% ]vh\y_ 2V h@u/tu( ewÆvb&Qa$c^o =xu+wњjVR<HF}#8ُo|$O.Xt5j)/JVoL KdNL-mVe$ 3q/Ͻ. KG*VF $/73bm?1<&nUW6]3<Wq;.9/} -޺ag HR[t30o"HJ_-ֿ+A:jB]|daLnw9W 'LyU ;0l A EXwU\=]PʣqOG̡3.<O(bcT(Gm*b6XNA ޅ^[2-]P&ל- F۱RRD L3gcF =-=0E2{`;'r­c-hM~~p(!^=7x+9+*XVTLZ="Lx{au˯ 5g!w Ӵձb+,3+V d w3 cl7+Y΅s@i, \& O؟n~EjHv8 qD)& )62N9]عn%\/ONwEE(v^z QϑJr ^dҩ 5צ X# %, w7>TyH f.{0#Ӎ j>p:uWK#lIN;ACcG7;bOrR)HU өJ{C%M(K;b'liU)3 t S;vduU)dm M (LV |n^=ԁ.ydPa .:ǀbkfOrQeKQ#Xqw?=;-D2IC}ո+w(Dup9ثPn`mŒJC)%c' ENL>$t[ qU4.2_0yolնU/v&  hU*w>2f…uw_3?-I,>ʗcHP伛߉P֐_)=Jd4bu/˙@)Usp߯ae T ^ja,k 3?B$*8Q%{2"uI#FwiGpr"N ~0&AMwXM\7HY!;_OgBV5WzfI8*P!ɒ=?Q^wZ͂fgN/smʒ4]u%Tէm3Ь6! (%ŸFO]x(vKmrm6c7tEǗ `"-/) {Xm@w$7킅f~j'[ɽQx6$`"0^ً8aGuz|Pc_Oބу! ث;o ՘E#q{y՜ j`$DAwl9{㱨F~5 H L5(@p@&;e;lIbu;U3A?0Ԟu@)yYprP-XJh]~|fticXNv&=S֦% h;V &v˵aL.|}f@evH!?I?4G=4GhO\W%Uw3SD*#_\254 ĠAݙV;==lWZNƪ%LfE%alf*!Θac5D:+:?:bˑ2O; eNF'2Ү30]dFmN(}2qM<U_/o;`a*C]ȯ=\gŭ+N!5Ϗ 1h7Z&~@WO+ 80pf?ն7:HO5lZ,&;( lyb44ӶrBtY-Cj$FP6hmS|A %i{ qp ;࠿|hGé`E/Um.2υ̉x_U{tf R=zK !.5H1G~36Dԋp?^_%E#œbXkHF"ҙ7Tq8x.bAE;>ikԒrql(!JX4;\ȇבcRim0i~IUi˭$D(TyꎄHo^'may]#(g!52bcTQ=;ɆV|p7'Ĉ[{(eջ3$IK'?6 ̽_MV!Nr7ʸNm}v6S7(;c6r{>,. 
S<3=g /]:B>M.-ܴFia+ c+yxٕ5$0x2_m"jC z.phO#`du1[5)L‹4SCAo^b=# $(CvH'- k Yiaۖ{_TM,qz~>TPŽ% v>I9ǵ#Kk^B 18B|ͣ,~NZj22˙5">bO'?!.m+#'D!P߀Ro$)jG wtW,ABb~9gMydv g66NYt:#4G* Iɰ<ȝXi6!6v.x̄B<2o1ܮ9b<0b]қD@_LݯIũ9m׌ .).Ϣ ݤ~\C=$s*v x+jqtQŏӯ#YCZA} k725S/uF*&A\e׻%FvM!$#pj-Ѹn䙩XN$5{U-_!`vwˉDi ~l"djd S~R:X?;V>ԜIh1A ƒ)opmT`#˴t-a0<*}A/I.kf`vm(5<7v*Cx Buo~~L3Л&7 Lt ߲jy) @ eiQMT 7mLUx ~U#kā'Aһ2[]F4UVŻG?6җʩ=tm'9Fp5ۉ츝"h2|wmx^voX09F}=>R0obyLM~>x i ݘ}XD7Q!jQ~gī_6>qrW]#W\Y&zb4S"\8<5bլ̦r1}icx5e%QGĢx" 1aaiYE]QTy,`7a>c+Qh4 u?FD:.3I6Zse3U=g1 =VN%#Yŀ b-puVnqA)p{>6qRU?ޭTg^IUbǮDp,gq4 `Ow%6#eneUI\ f+uE[k`n^_w OI<"gHOvOسFK w[l9v8- \h)sn:_D0f8w6"?D\ߤc{3SKiM}s4Ó?yٱ}t1ec^'hė2"-k `mq?>q%/E{}z|~z+z*dy9Vۊ$Jtz5uT!d~K%S2M{BǴ8}J\oL7RWEaLU׭Z$ ҈>G0^5'Oî0(e9?Ǡ@]WN|1,cEvN'GsoC12$K%a$;[@_V.<0Ү6ˉ?]/ڸBw7G[9y&CȊj#>g(ǻ(<+ev@0})e{vr2_?x[4H:8;ٻ59:=r^F_4slQ9}S$6 f,!@=iqt֒-!"}{HI}֕ Łl$f &Tz5'F*溧kWe䀍6 X+kT"fBWB5R^axe2N;֡p@YcЀ_a)2reפuX,7BՁ\a eeP:ٴ_|+ nQ (&P4h!$^,g@?.|}B#& R<:@ Ċm{7].wP(R\)7>o/ HpgLPJEjh. r92@D>"nƊS_΄D_*v-wi/|..zd5@%>⚵@KN7ӌKrjP`3wȝ ;3~I( D4R|n:?(CYoedlNPw4%! 
6G2| 4 e|ED9tbl\Hr0U]/O7G r!lNVn(AXxY$=3i Nچ<ǍJJ*qn4dF6[i'+Нw/>a :w,H7rA AyU-q\-ˆlrTSy| /F :7y F|&W{zqzjk%B˧R;L9Ճ=^!ف$T*O@dmH_MG*+_QD >k=IVXk {F7KTmZ .+$D)d }Thڼ{yf#A#_D, [sT.O(saA O8=of]k(`do =sP#ѻEm?R@h}im/}Hu/i#yPŇ[,n"ZX 5,K=sYN:(?x9eA.X_gqxw<(Im*# ]w`T$Zp ;O?;[R>+Ak樔kJyw_C1}.h_E˓ݶܩ-#}cba昢se!'J'PCl@ j o/rȈ'Ldg _=< ;CQ $АIeHͺJnKaM`JǘV’`͋f^r|ƫ]˳|re$hf+]][HA_iW_e1@^lZ702c9g&CE luK\z&*nNdZ̘|8Z!cl5Αsޑʸ^[ά$P2p!6*"wUע< ^]PXZ)JPRy;)& Ci:F0 0K4oir%w{O <#]5 С.sm*r1<BoRL=\,ߟ$:[nyJ C;5.M&c?M M0Tτ%b_|:+su juf ̯H!WS!)Xr에#WC5zZCF`b|~:1* cT<&$- T.o?:Lǁ^X$]{  y]7UGߨK=fdKTܨf9Í.{m(pyJEb3Ck@I V%rAv s927_9;q .BwEԠ y7T<- deqjQ#2GםBopYań2Whf)z{'yL|us!<zv֖,| |(0]7=p:'xwxQK]){t(Ϻxçp\Լ֝bbcˋVQ/s禰>0 `fu  B:O^z|,Ұim֍:{Y~`1̵gŮ͐~.()ZbJ6P|a!pFBj$џWSIy~ ?:w̠/3&fajJ!D[s }}7[1bqBŽo#%7#sƥ_|O{ *}؇4 .QX|Zv[q6@qyIRoDgw-ew7YbX*nQ?pGẗ́X㕃w:8zEXۢEyu쯷 d/BuKZ Vly MK;UL*cR:<\M;qw=DQJ;GqE <3G6Yʘ be[/[CSIC1m?sE䱨 ~rP&{Թڅ" _14+4UΨFҘ hEnԔY:鵘Ƥ-qo%S/R >ߌ2Sy~THJ?۲7X1KnӜC)~.H؁Qb+>6 LSә9:tZL{gn7mEYb GF014ܭٕD*[BiV%, +Dx;#SHG ̤;grۭ&?yN5E'Z@}S7,ʋfOse+;FǩӵdcЧNnX>e`Õl_i.Ǣ}ᔈC"}.~Li]͹Ewi;_NвFr1V|hi^?weGӀl?+p?L{K!9)b_Vo.g((Id/w;ʖG8KӎYF|߳5&pH=u\H:@W]UVL5>@uOpu)c3 Ζ;?I|co8JC ”ܽ˵TۆG2qljP#k\*Dg+:|̴~Z:|@61OOG?%^OAm {ﭒψYEf*$+1FRq2S$3N3&n.b,ڭΚoLJt}!1%F|3֪DQ\iP} h*G8͙50ؗ_(dϦ-(yxTZyu$G0d|]lʮanG2E]fML;h0Hcq҇.DWG %k[+rZLBtx_:_\q:S9 YoD׹Ql&oF~4ַx2+JlWx91:0BbIϮN aJts湵.>y>%Qip1k 3kb,HOьS M3L'p~D=cdz0G wWh׼ADT#>p_7lZV/.QSV&w qb>^G“Lc1xE솒ƎGAxVZZ?-3sc=-]egp `S}8N_ tS7T@rpE$ 75GʎcӞ=nJCH۠&[21j~Ҡ=#-`x^80nZCu #@ݏWDQx;9r&9&&i۪$)/z^<5_pzz C誗CIBMˠq}vR㵔-\fbT:21Rs2Es$)ߤj;En^*a1L IPMX@HD]MۈG֫h`QvJ}8k۬bs3X<#ώڅx}9Ȯ$vYqntASہ:sމ :c4ifF^uKz`Rh;ZVlyn ~fPg~>\dD"ûADh'Gt3عѱ51DniQe)~kYP 7m e?}H߄଱RV.{>4jw7qmRd»EmZMN:m؁-Ȉ0^5j2)oWmn<$"+'~1 pQv{2O"#WHn׭"}W g7WfGʑtBqXЯBp.e|l6Hvg>^aDRn~s_\ڥDoBo 1ߕ:6&:֢+dә8LMOI!r EJnҳmr]qbDM|׸k\i@kBn&Ai:.6ť0Z` =p2Jcp>{OVݳ1%M:1mprR/)E"+تOb()6 +qa*PFAa}ar f>qsz_N;x0MUFr^*flIa6yۈ~t92s!LVg@]˰-+:vSf)zPQrC\y;?᬴~)-+c<_Tx\:xʄ(zDPظ7 JiR5j.VAy7PlCnxRQ<&rܖqv۬4?ٺ:Kpu69̇AGa>8U>hB+4]"8={0n"YuqDJCtxycA0NThyMS~߿=$J'ٳX&)t@0: XvTM U4& 
"Sru,JGÝ>{C@"΋n\P`>@m^2G989F훺B23=BᩡA!(QERe~lkhITD! /Kin1&u}@~P1XvHtYa,k@i0ƦLF):P1cռ̖O)Oq\w,fյX"Tޗ;*Bw_lz3K~&eeE$17CyH,}' ($*a rхmޥA9M  o Wgbj]ww偬4ai/cمCh$'o|.tΓE[%j_F^{C, lnʮ]#p5}*cG>[d7.I4BȌHd?2˄ыKpo=x7rN7 !k?db2(1TLڪ'_ۥpkQy!H/+\'s@)ǜ:2oqp9\#y(;vxt[c;(MۨLxyڔ>R>=X᳗s{ 8Kҁt?DWS10z4 ƻ9jJs&6nUĈݡB␓]p0kAJE儭*ze.g/?tʚq0ISoXc MJqwbR-`(/a8no1ħ&2 9.u*׏Ξ9dǰ@[;h!r`*Jc3DFF `~S4+HԙIU^3#3>d]<لi{X/ĩ6ЫtdxVư8߁%,e壼oKS2uY`tm5^+er(Ę!+$X1iVK0_&&BvQR6m)D,P9aTp 'gz%K(ۗ!/+c?yE9ߗJȠBHzݛLS]z<jVT5B8=`/]z )@@I<Ys//Hӌ}㊯Ԣ[-LV< {E'2MPw+uH@2aAv3ro8hlnk*̕c @lo?Vy|KBDX:þ†׾+iE/v>QT{_C i|;Q&M0EQSig?16>̟u.P>]PgUjan21PB<0>rc+q05bB~r2l֨.ú\]uKpժvcՃuLJu]t@!?^w٥9䜐Lr:J˕ fL.8f,nlak7}$H<5?<Ɵ^A gi &#:"pLOȒlMibJC,<+(qi>hӉ8\}Ehw C\Ӵkz|?AjsYb M7㋵C;JUXZh;79Ps~ oA'L؆ *%ųՀ LMaKO=!vj:7붾DW*w+$z!(3|R8E/w@Gojڹ-)J:W^՛ߺF~p8?kX/P"zF`ͩ, ĖOF2&u̓NT,?z!78Ep|~͐G8\q0Wna<(G%ݪ/\+N~,kW 7o%UdCy}襹;S*ȏ);Cqܺٴ7` }mRo^Ux@<@Jũnꗦ5t>t kp#|6鈈A}~Wּ|P`j ~P͌-XO$8&ywگ-'fӒQ&X-OC"R\~W39ɬDkhD"&+Ӗ{F. q_T s?qe=]3u47bطL"}r $UI'-{j*zv-/'٪7**;)bi zҝ{j.cC_lq9݅ߵx ϡ.2qVcC[cK)9+#sH6//D % Zk!ѿX"Ї <+I LTϸ3u&7ä'hz QBݠ`ie#$YxI6t!b0cؙؗ)Pvh%u%[ٰ*4:IV[<:cЂ#2-q VV#&׃!&RƔ2j=(Zʹ*CCŸut?'q9X=,cɪB~\cGAWSq_M-݌mb< :~j%?]];mIȲL 8_F(7CnVna0@qW{I&BC ڠ8}̸TC-M"xfwջR7խ&RYG$q^&Ԛtq\ G ZyǙshx{Z-canvl#WVKPNLQ=; o C||o|tHeΩNL+|'aά?A m-̮?.pe QS(s &Rxegvυ_V4iag=ZX î ZlKv.s~z gI d􁑀,I2za%do"~voKx)LD¬BwVSuOE*e %-Q6¢M#1Tl4 sTlRJ$D6> ^ "x`wI+?_EL ۱<1NBR*>+$^8 (9 (X" ~!Ezg*Eߔ;;)bt+@O/HEa^3ILC2ek@ W98v;z!X֝xw|`>3hVLlTR+gdk߰pgl_QؓJbQ:U>9yb\Q9zrmU9']Qb6%18O0>|Gboa: x_׺)(ٹ~1TOP7E_~ofod7NqJ.*mOgwaoPOa,qG$9D7o^UEh9\*Ϡi.U1ƔJQ,0kKpct+QѵG+峰V1pl-*a5|;K35|=`]N3.ʖ;!gVP<;G큐b׳「|/"=$5u>./1.zXu^!NO;*HQ0ƥ4$ZeQ3H\ZJC=iTw*zxc JpC ߵ' ̎%7ŒMiӗ9XêZss1(E싨B)ioZ>v;-*14@]]DR)_GMb={ 4YTu~gDĄH g3&q^Jk;O^:1f52,uWǢBޮ%7Nc m`TYTtṴWPx窦a~?͗,Y7 tKzy\PUn'Ϧ77x)}k'^ɣ'7c3FrnjĜ+҅$|ܣ Rqv~~G>}dZ]T+U[-@poL  )pnQi~Hdš HNJOcrI 4l91\-M ={9/8oFEfH2Dy$bv t>3  YQ;p鶁2#(uF7dw[N4HΣ;ڋhԛwz -zѝQGґC&<.ɢyFIB0'$9n6!9"#4`gJEaH]n#ӿL[#j",ei>TfD{|f4M$#e)RQ mtV9["1Ďe%$|q*L/&?$EoAgZ͂*o6K&ӥhc=AGV/AzpNd4gor̆[\=5XP[Z .E-;Ƶ elzqi}Cf^uhao2=7?ȣӑ V`ycJC}Jj^ 
=rw>Z58DE(<B]uJPhq6J(# ԏq-)5Hc*kM_PSTTdpYK=y4ITc`Jv|~6z{Gg ἦb^0}+!Ϋxw߱$;_:z-{r r𑋖8(Ƀ _Uǰ⹽,\B"Mlaݒ1?A?.EZfUͪU~Lf|L1J$A01 XLNEbN^ n.6w`zf@FI+]-^9ogb):t` @`k?ۭS5Cm\j M_J6tMf]̸}eʞ^M9)%ȫ"f'2E=Kqa'עOr Ol{smHthOZl }/)%@,Ԙz238z\lbXI)o6g,)Q#&i8@D!{XKu;%HBt#z> 5a-';,.Pc"&9c0]Cl3P)9M3P>c[]ZI]4=%O TUSʜ7Q2܅4by9 X #y/q&3 v"4 QZ5vM/ jh9ߧy`+!ܾWg<TP'N/rrF]j e[OX:(kO1]a$%T>l)T7 }=NsY@BK vd2;Щ%W1@C P߯P5^.;U`'2RsbuHV0geUɹ4aGJ$hӪ ^Bkm{3pd?4\ѺaaN@G״43`a?w-S_5v]W}iWbn7u͢3H wɬKݒ =)W\ uJ̋FA^}]WƃH ;wc:T¾;|h9 83f% e +asVA^85~h ~ϳ}:P*|_;&y$9DͶ퐥 qcFhrj׽^&zELL_{pDܝwaRoi_J:8U9`J2sW& ;RyXܣ kO]~9^uƊi[$'k8e_ ^3$:_JjBXWx{ J ɧ]]s$ -Ei ݠdG8 W(k ϢNҔWcB>''Cxϗf[eҀ%ӖG6/ՍE┽ZD_xw} ?%sOG=GҜѬzEuE`\%TO  ,Tc(ܘͷ*52%Lh]/>ҁ!(xe\9d9GٜXIdhv9c@ŗ)#>N \ҿ^b]%$%񻓴SS[ήlXs NJh# In {% *wݓ'uI}Q5?9 9Ug rH=#F+;`8j 8?7s:? 3AIj)dhcYKRS7W*\c41 *#qЀ+ MHPיAGe{J,!NvPnYfr$״_o)6/d&€kZUIBquApţشWɻe |%?%#X ' 1Hs^KyiؽHY򹔉۷7jdwNUcAB'yDR\C)- d^J\IN) t.kXyc"F꬐\&4 skePǙ߈_[ tF"ѤRy@MfT`,DRlD=7lq1~Rk U0;I-&PA!B~πXGc ++1z⑌4n{a5 NV"7z*\$v<8V(3]E~[Ƒg3l;76~qR],h,׈M='V,]h;5jq L p4ov`mtU!(,S"@kl/бJx?N-bhF@ifzg~X(HIns[`5Q`BY .@GGrPB򻛙1cNMv28Yʶϯ# άb%46nQŲ(X&k9+,>&>H*yXх3t-@X6 Rj&QV!{P/T;\\ڋ?ʁ6_ȉS{ʁ P"(=-6)gW|壍526^go~DYFYXKtՒ1)ؼC}KoOq ;Ge8)I!SZ Dz~1C: IM?XyX׆rŘutB;3?2 ;9F"B"uK;QM?'lO뎔=mf%J'q#t/ŹzzގC.%G ̭)0 >\}p}whs&Ϭu)T#Q_2OS5 `b{(:DD> V)ѺŽ.@G ~marw (塪PIvik4ñh?TvϫW]̤w;ug,/;AD-W_rc9kawɌ(]1(T6M9<2Uߵ Ê =O9p;愨+$Ll ^dUV R4A'|LNk>-=OB^xPRLDHp Z."Uo;gEj,o 0%Snz*/}jϯA)&Vg74l:JiCCgNp{*jjC"GB= s톙_B֞9UxəS *f~ [<"~ 5EZ_ v HhiesrE{z"Z ۿL_x,. ݄/;~e5h9&m Ѱ&#R}>IMixCXCEC1w0I$ZDHG~J{+T(9:O-ͺ-ex m Q4)] kx YZ