libsamba-util0-64bit-4.13.13+git.528.140935f8d6a-3.12.1 >  A al^p9|30 W +^ oN0M[ 8J-^A".sЎn},~#Zv\l˟3/S+c{?<\ )oc2lĢ::Gr?%5$WL6w^1ǓPop62`zZI?_hrEk:aKiH"nJے_l9lgoI\\{c ICK&8h+ϐJ7o"]gñÊt΂e7127bcea5ddf5c89ffabf1a72b4216a6cbbdab4d05733487353c0d5e00d3dd3e74190e1179785e67dfec1a435dc5bd33167eca3\dal^p9|7~Y| baYݏiua4*n\lIjt!&fd>!.-;9ʺ4WϳhHLKޯa:-lc giD0t H2n/`[wZ^g{%ϱ8P'Ƹ}El':p?9lr{im3}[9/siX6dd5(|SVAhO3y8I֚xL >p>?pd3 : Y  !2IO]lt x |   08((8$9 :!> GHI$X(Y8\]^bcgdeflu vwxy $*lClibsamba-util0-64bit4.13.13+git.528.140935f8d6a3.12.1Samba utility function libraryThis subpackage contains generic data structures and functions used within Samba.akibs-arm-1SUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/System/Librarieshttps://www.samba.org/linuxaarch64_ilp32/sbin/ldconfigakak3e2eceb505c269811cec2abe2c1278e974e9eb9b4a573ce5c49743e2c25c48aalibsamba-util.so.0.0.1rootrootrootrootsamba-4.13.13+git.528.140935f8d6a-3.12.1.src.rpmlibsamba-util.so.0()(64bit)libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit)libsamba-util0-64bitlibsamba-util0-64bit(aarch-64)@@@@@@@@@@@@@@@@@@@@@@@@    /bin/shld-linux-aarch64.so.1()(64bit)ld-linux-aarch64.so.1(GLIBC_2.17)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libgenrand-samba4.so()(64bit)libgenrand-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.17)(64bit)libreplace-samba4.so()(64bit)libreplace-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libsamba-debug-samba4.so()(64bit)libsamba-debug-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libsocket-blocking-samba4.so()(64bit)libsocket-blocking-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libsys-rw-samba4.so()(64bit)libsys-rw-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libsystemd.so.0()(64bit)libsystemd.so.0(LIBSYSTEMD_209)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libtime-basic-samba4.so()(64bit)libtime-basic-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.3a@a@a@a9@a`v@`a@`<@`@___i_@_|\@_{ _l@_i@_d@__ @^@^^2^2^^1^^Y^J@^2@^&^&]]]])]@]@]]@]nU]nU]i]e@]_@]J@]B@] #]:\ڭ\\@\@\ \N\e\e\}@\o@\\\\\4\ @[[@[[%@[@[ @[[t[#@[[Q@[Q@[\[[[{[z@[r@[ @[WZZZZZZ`@Z@Z@ZZ@ZZ}@Z'Z@ZOZ@Z ,@Z@YY@Yo@Yo@Yo@Y@Y3YYu@Yg`Yf@Y7Y7Y, @Y"X:@X:@XXsX@X9@X@X@Xg@X,XƉX@XYXe@XX@X@X@XWXAb@X-W Wv@W$W;Wu@W#WW W@W~D@Wj}W_WYZ@WYZ@W=W(W!@WW@V3V3VV'@VՄ@VՄ@VVIV@V`Vl@V@V@V<@V<@V@VjV]VI@VG"@VG"@VG"@VG"@V(V'~@V V7@VBUYU@U@UUAUĝU@UU@Uy@UUrUq@UhTU_@USanopower@suse.comnopower@suse.comnopower@suse.comscabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- CVE-2020-25717: samba: A user on the domain can become root on domain members; (bsc#1192284); (bso#14556). - CVE-2020-25721: auth: Fill in the new HAS_SAM_NAME_AND_SID values; (bsc#1192505); (bso#14564). - CVE-2020-25718: An RODC can issue (forge) administrator tickets to other servers; (bsc#1192246);(bso#14558). - CVE-2020-25719: samba: AD DC Username based races when no PAC is given;(bsc#1192247);(bso#14561). - CVE-2020-25722: samba: AD DC UPN vs samAccountName not checked (top-level bug for AD DC validation issues);(bsc#1192283); (bso#14564). - CVE-2021-3738: samba: crash in dsdb stack;(bsc#1192215); (bso#14468). - CVE-2021-23192: samba: dcerpc requests don't check all fragments against the first auth_state;(bsc#1192214);(bso#14875).- CVE-2016-2124: don't fallback to non spnego authentication if we require kerberos; (bsc#1014440); (bso#12444).- Update to 4.13.13 * rodc_rwdc test flaps;(bso#14868). * Backport bronze bit fixes, tests, and selftest improvements; (bso#14881). * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal;(bso#14642). * Python ldb.msg_diff() memory handling failure;(bso#14836). * "in" operator on ldb.Message is case sensitive;(bso#14845). * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED;(bso#14871). * Allow special chars like "@" in samAccountName when generating the salt;(bso#14874). * Fix transit path validation;(bso#12998). * Prepare to operate with MIT krb5 >= 1.20;(bso#14870). * rpcclient NetFileEnum and net rpc file both cause lock order violation: brlock.tdb, share_entries.tdb;(bso#14645). * Python ldb.msg_diff() memory handling failure;(bso#14836). * Release LDB 2.3.1 for Samba 4.14.9;(bso#14848). - Update to 4.13.12 * Address a signifcant performance regression in database access in the AD DC since Samba 4.12;(bso#14806). * Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache; (bso#14807). * An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817). * Address flapping samba_tool_drs_showrepl test;(bso#14818). * Address flapping dsdb_schema_attributes test;(bso#14819). * An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817). * Fix CTDB flag/status update race conditions(bso#14784). - Update to 4.13.11 * smbd: panic on force-close share during offload write; (bso#14769). * Fix returned attributes on fake quota file handle and avoid hitting the VFS;(bso#14731). * smbd: "deadtime" parameter doesn't work anymore;(bso#14783). * net conf list crashes when run as normal user;(bso#14787). * Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7;(bso#14607). * Start the SMB encryption as soon as possible;(bso#14793). * Winbind should not start if the socket path for the privileged pipe is too long;(bso#14792).- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./bin/sh4.13.13+git.528.140935f8d6a-3.12.14.13.13+git.528.140935f8d6a-3.12.1libsamba-util.so.0libsamba-util.so.0.0.1/usr/lib64/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:21699/SUSE_SLE-15-SP3_Update/08b059d7b5a0f63758fd796f8b3745b1-samba.SUSE_SLE-15-SP3_Updatecpioxz5aarch64_ilp32-suse-linuxELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=d20b1d6d26dd5fabef7062d631fc141411306649, strippedPPRRRRRRR RRR RRRR R RRR RRRRRRutf-8a3a93fefdb45176ec64d767c5cb2bf2cebade4b49daae92f6275cd1b62217e49? 7zXZ !t/] cr$x#EwIcVept7;9[c|D Ͳ$fCi4SE%n`kF_>lrA:zJ% '|\smKIi 9(rDLMFTR2Z,7 T9jݽc KӲh?X2e&ߜ*~. X+(Jҧ}n;ZRz4u<r wXʴ0A6Uf1@}W԰qu3N12h O2C!eWW]a]u(+AW}Fփ!Gdw&4򑫭֏dLd67\e3I#緔D\u|' 4L"tָW`8]bh|j {@L 9ޞFbs,qF2GލINZ)pTVb rr-1 eKgScgГer8 YE.?!"$AC1Ezp}.\~`m*6[+CnCb'f^:u&\/\A|{t\N6 n?(Oq2bX补مjB"^הͷ܊5(~$9cΩb2*rm.k4  fn݋5a&dm OkAhfv Z}R =kqHB`}3.p1,I^%ZB㎯aT:Ar~/gMkg!F' G4R`PѶ9/<'(/ kmNpO򔖞^\?*!@n $P7V$mtB|j-qsvڦxsq>GQ{ET=iQv82;本O o:fvR@ &)t9hYv_ `W6\< 8o:OL61lԩ#n p]U>Ũ,q8|8p(I<7Jo ~2@Zy=2fE:%椪1G86XAm;rpQh& , ⫽,tX'*}˞SzU?~\`v_j ڣj#}a+Y%9F)CZ&#s[+ j:⽘C\]IIni`; koejl7-Au5n,9U2+̖%YP:S:܌<n9⚫z)p. nPUxk X$o`(:ɄSO (` +N H*C!3)Cs?g@Lj(Y6@U8<|0mp'n>x_KT$ڬldv'N3( *^4yS g䨉։f%'eV fV 6\տ!.eNE+oE+`A/{(yѪW Yө$iEi%Xf$^t3`&T|TFg}qWt~b]q^)nnb~LqRϿ*unI0k\4zUjH{Y+o|}jwJkASԪs^Q(踒p p߰;l` ٌ mC)-PBE%G_n7[wI69dq(AgNPIɶD;$ |!QuĤLC&ԮTTIXFP ȅ3фkX-daHڦs<ŕ4?1 g{vP W8VCrO[\v(-6KF[T hCRcu|B@x:MQu~-.uTr~4JG (ٴfAAe[cIŲ>`2"؛^?%9~($V;#}~[V8#Tq㩠-ZiDq#߼xG"_3\t~X>@(+G8K4MXƹER} (B2,lBr(M Vj4 6~ֱ<DV:ԂR1M>7EmiѢKY};.4z^Y\&9mc!a[O@AoA+RN>_.[0L?LVyt?ly@#ETWw})ΙC'IJXGжS 4.ϕL^Hiz<,r\w@;#ZGwF>φwĊ*,7ju3C Qd=Q9\fk9Xt hDЉ_ #u! Z+>P &qe)@8O+/Fd2V[OwVz{lhnN\s<*){8Aʃ4iAjwr/ksۣ_*jhV]l)he*AI<=כBYr'.'VpuMk{L ^J;3OE5K'rb"^̲"vWO$wd]$ i lឍΞ8iXĪ45cy1Y}d¸C9Npг-HZOfH.NC&cvrl,/),0*ĵƋzh=({η5y _'?u}Y/r vE,a-wӵ>^bosiu0>.zĤSk2U; /MЭ⬇ 1cG.UrX8xVf57֛ aRFLeK7j!>!JὨGzpVg݉_%?De,-3.n%73Gɋ R^0>$%]W&](hӃœNƷ앧TD^WԜjG^"_={Bm7XK] FKMī䒒(hF,S=azn+Ŧ~r@AZHJÃg[̷`d1OHk)Π>f4Iw)Ra䉐)<!L5[M/o#2k$ 0ZE'?s~a9 a ɳ7/Jeބq9%,Rl, -Hȝ{3ߛNAWbim\prp̝B%-oAbDH!C,q1?c @Jt'u;h ?-Cr8?lQ<06>Rćи5u ],ٲȵKř28 ǝF{2O9q\J0KS!R?)5Y䧨lY ,􁗂do:Z&8=J)݋¦'f6p`WL%%hxV~-XQh [J-ba]0ikLj}r7hYj"E82q!I,K9{k-o^\H>/p8 Bտ)h*gze9Ia{ܭ 3nDcQG`BeYsцzΛP%!ntdT`y+k1uzSowƤt%V<**6 ::/6U Xl8ey {`*iYЛ@ X<0m"1,e5:v5eVM @"\-u;u+G $_qT[ķۃӀи bz0c,׆Ca?U[Rm8|5 QM0,ѹM\[7xzR0j!;[Dɓ*.!Њ:F ,r ,,kLB%G:!Kx1#|X|c]RA3xQ c,rg?G ZSOj`SPKbAX)`!h]1\[u2PS9PBG:\ O5>st}^4*~LδŒ2*F&Ӎ}H(K$ăJG%T-p]y`[h1d JƳ@sW>T su"fьړna2 =,tcMzkT!hudЧ# ekAK {lU|SL0)fB$/|w=N h$tQjsMvx>Gc]B=btFbȾs="3ZgҲ'ؗyH~s4_ixg DBۇ1Yr'mU(д!ԟYU oN&tflpA_д3׌@l *w/WZ#AlQGxR/Ùq-\V蟙V- S"P_Q $dlxmQvT[;Ew Mmu&wtgΑ48y׬KvՕeq\ R6ֵo Э,,2YUYf1ZxhOϤ۵yYZ)-34>YmZFj;3pղ!7 uZ^Q,AK_+kwU{Wc]h(z 71n|\=~x'bu|Bl3jxIX3P m< O+r%܃~/WmUo|$5x`Xw XrTCǧH&ԕHr֑a nˣV;VE{07-7 s&ha&19N7W#DZ{9BPͣ Aq rED?tջyDZ=ϴ끮3va-ƣ gi}-ސqԸ_]a9g n8r5)4<*)=d Q;h\Ò^LN a&&-mOMAYǒF!>5×ۊ%g3=I^嘖t[̯R=!([ŝwѧA$/Cb;Ҥ-" VX;2<[>g-gOl` \k-^XEw/ *wE {kx(ׁi^G^Z9 }S5M- gW 8.Ey*$հMIꁔjoރ AIQBU:uZ,r[ lLP*Ƶ肚O՗L23eHV#4|3iG}{/  \A}N?vQW9%+%ϡY/}H/OFz: Jէ 0vO[¨-MWYB=݃Yd<*eA܉n5c< \)AvQcb6} zxF*l-_[PZŃRw=Ɵ?);R0 2= V,Fk^KU 8b7ͳ{[;xSOPI{8t8EJOڼR޿gi-,r<BܐZjTĔ2VMC>A񭥜*V9xVA6fFMa1&+$%j։mL7>!U^X5/?:&mn܉ug•o}Tt1T!(JZ$bC:C z_cA" cϐ6 -G'Prِz~S0̷8"#FR<+ n#pM"IB I?O,(>,÷Z[+wJmӮfmŀ `6MzIzM<;c2鸢o?".ԁ˱oo.Ip%+-ehPxd,M64Ndp(N]:껵@b{9iC.еgZAh1q!CɞY&r+/rT۾0 [$ɯDv}M~t)ckؼ.^->孵V4 <>V!s* 缩1go8$a,4G#A.ԴR~ }WVC8JO6^F Bk ʅ"ޫdmnmը O'x'+]"Qԛ}LX`F_\YyXy/P8(yzEd%dk^-O^e(9pXh ڕzg~ǧ4nĂo|J; ,4l׏9l %fIkK֪D8۩vۭl_TKwf*,*D4xPwU "&?k9AW#n\lppOdz\C3'eO0dvnzJH}v +g|ޑ?е—tHpo]Ę/\Jtǿ!vP\]T>b%-VPvF/5}J5G~A'>-5Ī̛w὞OQjyž%_=49!0Wg"ZQ #-qʮ3O%k\\b8rww4=tK;k8L؂CJea<íHz3PzzFeš/5v`4kM d3>RzF0yaNk,ɪ zuD(j 2. u}>a^/=b l)(yih||ZOc7X-$R3Iҗ45BצwhKK)LIn%G֛!g[/A[!]Cʢ;rh԰%+D <\VLքK"{îx?ROQ^CaU6݊9{rw4os6k c[9RNN`1> }E)jT{Gu,.<_2!RfLIW&Uoz&R~ <5}v~Sp$e`IIysXO}k2-V;1oj[Bmj Cb3DzC\CE'VēĻ P1fSqyKh(VlHPiqr vyƹ>f}tE;n:rh2P$+x|bL߮ĆJ%[}ea܀XHwN|ggHhl%㲼ldڥlYØۤ%I>aD/|ł0Qu]t&3i7;(+_D4 } zfP <M_e@X@du-N?;TNR@Z5 [Ya4o?? ;Y=B[\oIhPvؼ٤sДѰE[.ٝ0a-W%) K&,hpr'ulS1r%E>CIQ!yb\9A9-̎v$ N؊xM4opf!}QXou4Ikȇ!v{GP.K(J[S:=Pn{Z[4~K9fD ^(M9 i"]u}%ے>6BՉ"E:p~=zcxl@A}F``X9vme3L*n_.R./)M~A~| zC)G<3fSOM̴L|Ĩ90u]@Ɣ˖WVe0HE}Z'K.!["q"Z:6mI y#iW n\ _?`>Aw:M8-Lps,kzOhPӭ@e X4qtX-'l=,CA/i] [VB֕rՆrˆ N N7_溒j-yUtӖqeĨ VDXҧF8SX*O1"׀PQ.(]XyQR~О@zAŖ]7 PK3 2| i{ju:8g#ALY IZd}Ϟ<;2yfF |©A\/7>}-mo7PQ/n嶱MLlH }'{WO$D9]\H?`a_*6ޣV1S[fR6R"w9=׶l֠*1ש(1yPҸ@O$JyM / ճΣfZ=#Mp<^!,U&~ONFO&( ()j>pm.+4_bT.Gg :ҍ`WrLH+ٿ 7UZ]g !%l̄5CRl1[thЕ^ȔQ*˱;7OD5 O!FE<&8!&eblWtzm;\A3rIbP:YIZ?՟)ܨb[' 2Ky [x0 $WAu oF3a r̴zĎ!:%hϯWqUAĉ[#ֿ"BNPK@G3z>Ua`)+,Dz<Aܔ≜vzEDV8AVIfzն..#vx xRYz۫omKѪ#1lZq(&p'a܇N75%9 sB-މ 5aS#]9}S(S6 7tsOiOT5b(Yqd 78cW&rg<\#NU=!n Jʴ4aצ^P%++[Q UmIc]~{#h'x&cn ; yx뿞*y"< 'Ra~sܱ;<"5ݼ /(ǎApu?j"X6u@3Օ-HUA:_x3Vp"9c4ǙVJUšFD WqNH% .M>ȷNZl3bQLn)~CXTFl[5 ?mU&$`b׊4놻8(& $bf4yV*b.0փ3dm|B]n;a [G.Y~}ƹ.+eCj.ҫ%TȪH#*@m{wVvfï"x*t+WP>݈ww~I\AZ~SM52D܈1+r .ܥƧT`!R)C5b7{N'0ٌ̈́RpL1<` OLݗɏHI ^ph<5)6xRٿsYoJD Hd Ww QS;׃Sݳ= :Ban<ލ,)ew,?=s)$106Hi5Nb79BH7$xmR&VExi$ɜ&{=ѩ<5G9d(m'*? LTtPs"3#=BBo4+[0(Ӷgxlz#danӉp?4@o3&~>t;XK$m7fn`% urOFV& a`&7U1X^FVFN5+,2` *p[ k"n`B4!OX-- []w* SzLzh'43#hmXj2 l gsW1!Q%y}(iSWD="qқHoӏz Lz!13q'8- ֍ 0d)V$Oh+oCu-습|^ Q,*ĦWscp7"vQ->v~QYW)a]p΅ڨl*%+DtAf꛼tHgcO%ki_m1rgPix%D;&2]Ee/il&*.e߇u61DZEnFWS $LHdI9ĐN0c.q7Viuuϸ?u/o&,HR'5T™{xJKog ܼOfΆԗ+nZR2I oA+J|fO~&ZRM \uB*M:]9hkJX4}(s(Pf~M&d9t05gjSXc}kB<:l^z%3'"e"7)+Ő B'3x9~qAQ9X4.S=Eh Ɇ8S Ll{|&h7N孝4hk;ZtN; dLӤ \"WqܯSO^;:Ho.K-+T:]BmHk {@H@¶&RU⢼qM1P,/!yW bo Im |)Tb(}չgD$3Yy^|mUX^̼:\UN=6md ZPP%Ēy-?X$H1sFTD*NJG2,;_=χTw{Y }stiqJ'R_-{.)bk$L$kzk H-̟ pyFJT)"u訆Fȶs L8v92uj 1/'=C=&?o-u9r-W8WNEWr0΋dAH s6^募\cW&%Oz@Pb\:3}!eY^ |d$oe\+qkJBRz*W32u ?M::)U鱢!0ɀHÉK^aHہBviEF#R{Hk7yD'ۛaѢE#]#Sl/Q=J`Dߡ28wlB?)dOjz!򯛭IC L?Eb{QVi1ҹwh= :Lvv{Q-s{# rF3T|Gʅ)>I B'/0ūxr{V׭5[_9,sq:`gVS 3Fg^;2.V3 C|<˻)Qbi9xhUe'2,u>j)Z3 5sHvY")H~yCqb!kB5ϕ[Arx b`|F^F&Zϴ.?: o -*PB&:x0>WJ:NvWuA!Z}LD@ջ|[ Ǥ/РPW6 6gb3g>wh. G.nӼb: N UT 5eSD9 aF_\T9 S ^U(2Sjx;KJfxys4pOrvB=\ ѭjPK{ek{T"elM<2>B5 I& $p=eKCLp 141r+=86vˬK) Ɖ5E Θl c8*JM^nbZ3zH/cB?L}W%U0GǤ~ozs>.ևuw ĵͫVy !1"Fx>iu"Qk'SzomX' I;LJZp['s][1>ȡ(oJH-}:v jIHkͤsS .  K)+Z1 D;d}my0 *%tc,I(2ECDoaH`-5EI/'z^Fk𭎌&Su׸e^֐$̻"%Dyj 3%} ɢnr Z')T"S[؁׈,h.lF|JX\Lc&eK7e*ː{`i1RգM.m尕#O9jO0PO:rF_7tVAR~DM%ztī>^nϺJGMgэHM э $*kme&-+˲9Z݁_Yps.mY}"s)R?XrA48|qX ϰ7l+!76i2{uft$G\N{B\J{rx8)Ž*ļx>>ڑc&)kxD]d?kN{TsY&=df w95Vn#K9ҿ,RfiqZvO[CCS1=k;whb xRtJqzF+0 WBm)mr7) /,w?#]\53H塀ʉjaȒ=~ c(ɸ`vNkLFL~z?eS>~&ijQ7LzDѦ炫_R:Klmn 5RZ1GS5h&CP9qAba5LNZև؏J+XUK<@əuXȪh "'ey Ωs0.')'QF9U@RBl7`oG,~3xJ:GS[unБ.Ĝ& }LYu2i-۳/TL97`eb^ < sB.[IB`Ǣq1: H Y]4%DFNv.{! HQw`p{k`X1K:1ǻ(hoZnDf?վ*TwfŎ~kuU =:7e~ ѧM*daQeYS "gr{ ;Qm}ـԼРoBy,ߝ䬥 7Ax^HpM?s!xh)gxy.|2R!|zϬy!zJm8n-nC0{ Dt^yV@SپE)d(0VJ٦X^ V_ Mp>=~ yKKȟ5Me$a`:(l'/. P%Qᘥmr${[O%*F&E3?!ANЂ {o} 'M}$ns_2,%_{aJ?Qr'*p*o^ư-', )=E6"T"v k. U͖;qwǗX 0Kk$ϭ Ư{(Qo" sh9(4w_CU+zuTKE%:§ӃJB-Uӑ2$Uu˃Yuq J$sV®dNybYu:慍هV1#tb4c$YFwi$b50Z^!.O׺*1+%XTWXХ/v#~ E2vUnL9 Kp -%x-Je0(ϡU+;xg-*v 2\iR7-Ί+K" YDxۺ-ʎK`?0gbמ#`®єل.f|HUgV6{Y ?}ٿx bZ"{I?o  =H}hkti:*|BcēVu8@+K-l ?5$B35pnjreݤBk=Q&vЃWQa<͸Ə6 z-Vz_g@IP8SCO/M8ZHJ71H7eoOW;)@vfHs`BoSqqVQz&0V:\ዛ_eWvR"Ҍ x~286E]̥ٚz7ݩbojJV+O)3a.ӄp`$|ur&*")(Q.c},!o' ybdl^MǹfJ\ _*cߑֺH ,NL+HIؤǸ=t>_JθK4=[ \@*ZFM7y 9@ٵ3JvbdZrWq0>z F_Ů6Kki Y0vnp)73h8)=PFsUjwJ5VAndvz/LX񎉒J5mSmwE9/ !6 m +nAP@;2(byj+O"0,1jJ&yQ`Ҵ:2y΅2pdBkƋU g15LjqD0G-J;{5l8|oMbWw4񪢦k\Cs!.%)` ~loHXp< RFI kJl{si-bɱ%M]0{˨3kBxyɬ:6u^-R%6]9̾X^:Ϋ*#<_)jޭG-"2b;.58^zV.0'' `'me2_ T1dbT A FF` fxUL5л$/y$/|)]-~dLj-\l?UՈ85q|},K0v+76h1r "9&" Je% lRK-6 Qb.GKKdtNɺ01t/K/0?Ub R:IxԞXyUYFm5^[c({ V"l:ΒN?JN*A53Ԗ?y3Aۥ{vRe@Dֻ !W# xHz&~: cYpv/,;y잚vRĭ6 k nkBz @?BnNtE[$&Չ5@<]hELv h(ȂI:0XUÿ`zf5,hO+*8$M8:ۤt.i,34ɢK2D*,z=Ц)h+00 >2p]("Eݯ!x$7 oVzVaˑ{&9PG7aIM+~䃁" %7MLi`Dm%ohp$pNy~dVMi~3K'-vT˖KCv9Pt/ \Sы;<؉ 8_imJY^j?`3,M]e5-(VQfe[U1@XS@\}g&  qylIZY ٳ=/ ^g0‚s@2"됗f׾Grߍ]w{,\@|R@tZVVåL4" _ֶ!ƠSc+QݖXA%H 6H&|e%MgdQ߹dhO\pJB9lX'V n[;/FX_7SNQo6ָ H765w y{>$ i?"G)#|tvDR|I2\\:6. UW٦-2HN>cr?6fɩĤ8W9f7t\]׎_0T"H[<+hzZTkh}$bݒS]O_kYjPڭ+ÀkW(a}icbJ ].~>v\ӡ\B]߯,BLRJtq A&m=^x-^f?mҢrYFq2_˭^3%wg~sZ5ɦ̼.J)uԌW(1F]qKaޅ2f +tLf+ܬ<>x{JVU %<uH#Tܑ^ZوJ[XJ2i/3N{gn,i֩Z-^ʆv0CY{D_7NX;CT ms3i~Ynħ}VD%!4'|lޅZ $lDd8kW`?{.;GUz"mqaA(}eHu|…CZP/NiVܖxq58 50~mH~jh/T()r>ZD:~G tn{ g k=lWO1ö̒V:iZSxBm38'S8=,IbmQj1bŹzBa$<LRV꫶ܕ3w2}/XԈ#oiGqmS8*G%l[(ֹt_sKّg s^BmklK¿U {) pvJ .vc )& +1|XVhr6;PZtlh>K n M01]w״`uqʤq:,IfHc=%XOyo57Tׂ\ i;֨ओɊ><ʤI_%JM6G (f= n2,U7fD~P4{"ld`"KLkz"1^-ySx td QfuR+ R{Հ~?.DgiBSQ~:2C5PMUCäH?9~ߍ1U|ȧrDls#9`́u zH!Y-VzR.B$fqsl3th ljc sv: <+ZrMo:^شNFֿ{ Ke}BLݘ7hhZUfeZUXoąƎl4NL3ȿ^A^p 4M)}@Hw=0ܳG+9VI0ar7 7mi\;82\f½`≅T};~Mwe:}U~r+"lĝ'V(nJ$S$ o>H_ W^-\/% _o;DJWxNOHSN篷TkHaS>Shdif ZnsSKJ "Ri1z fٯRt/uΩky @YMJOaAǮj$K{4[S|t(s!%fֵj5S|oowGxk2c̰mY6훈L̘ws|S5PnJ5B`%r[\B+?`+j36Y'Q8ZK vJE*u1u Hح=E p|έzjɼv4u=>\p{,+GF3efv+zM05,:)%TP`[Jm a`01KoI#H[HɌz ?bB_L] Ptx||F!FphV2踁V|wta 8Q&tٴ|{;k)AfAyVS6Nc H60ni _VIgCxE.*Clep@1P8l tgD'R4W>WtDӊY8_8V7ԡ #HFni[1&x˪yQ;ٺ6)ULWeDJ?WXϬުlŋGI`VSp[o+Ϗ&$E[A ?~Efpo^Fb+}^GES#ۭtJFR?}Ǥ Ni6,-z~8.{N:I C^pk@j0e=۝lFu,5 1g՜!P?!:CpE ك ~(ع n8x9o,awصOm-yF 5AMc}ȹ{]Ivl3'041ͤ\\TiO'o۷Ӡ'W,f#|e! Lv7,z>3,*lKYaSh|Su: - XeKBժ7x/#=N58NB0PuEg hs_&Ti:yJ,r%V 92- .j]qt^lC'_T#?X){--\nZ?u T\tYMɇIifm(m43}w+l٧(ֳ_U.}e QqiHuKddu}R?X uZN(*?0ޯ9ƲU.@ Az͐;qXt*l[z3C. 6!2M,hQ:bo+MAlq7ubGrtZ^m>>W&wR|Qʽ;>$>"*~*NrWcEc\h0SiWn3I<9Nҽk_-9T#;gt\8G9uSi@Ϋ;$3=;AP\P{u#)/)5np3Dh>z}K,]g)* \Nq[,4pG'i$J$#0 i❉͆H+Waё nK베9WrxI1WMXN{ &(;H7f3T9.bPadI ChXmomT?$ۻ'sz 2c0#)/<9fx iОь3J bZ:) WeYD]'K20c֠~?uu +"DZ$jcMz}r:8\×335陬dsm9JΩBvq+c__/0dtCu&I:Oeiڈj.jFA< &IӧA"tw߅|̞w{ \_tnPnQ ?ց>nýBߥ<쇃?{l(i&J ;{b޳(cl.e4xL,*ӱyS;}=X[=4lް^uɠl,Gxc ǨlݮTU^Ar,= [ntP7u$5URmTg5h"8daqU"Lav 5bw,.WyD4ɨ 3 a;}TXP&4qvSNt\$Iv>Ӹj5DQZG0ie|HN.yj#<\OqbO֏Kcu浨b8n*Zz=7FVX'WI~%REݤkD )z)B]&Ѥ޿]|+rD<8d2b`Դa. $31z :\XХB jP距"3[#R2SVjCtn=EWre K>_bC]}HȂF,eN'+b,؀jrȶ .݈.p3j J.#%X3;Nk6ߘb$c hdGk^"SؚgբkӁÕI$n1?۝ j?YXtSA<~\+1 K7d7=j1 ^~Wi Zt.6D0bgUћHS4t3uU $%cJ˹%aW2-l<>/>80r._ Is/%΢ɩZZbx1'E^# CV2U(kTWQLc41@ ' A0feUH4aA'I21 Z# 6 4VRfZ(ٞs׃QcL@Z6P EO|k&TU+^ :XgD*, Ez)lmC >_P`~?(,S7P"#<}v<w8 B.DrY9@ #:Wr2y81۲:NW!!HlPt{s4j$ZQb#-ޞ6w[cܔ'|3cz~Hj߬&;d͂M[ h}򦥊n`hp}:L;I$'| M~MD0a姈T:WK'u,k%K*;&v]AteQi<{'#b.|GӉiYs19\{o kՖlWY LME,y3E&Sfζ9c(2=!5[A\.sBY'ce}9<)hX)K9qW)F\xFA"ƢSu" a + {whc"?~ {d@`v {)NqcnYyQc;HgqxҝY@8:-9TAjQJ`oeNElw'.ʶ/bebs%Bn̐e18"ӈv@WrYjT[Z', (tq?!IŁ}8va7 +1ci#wHSSlqOƍEInLCũQ md|{RpՐ@j 4<Fͥ=p6!MuU}fpʠWn4okyduY }&zh,M9}z !,*hZF Vn>2Yhvz)z+]xl qƗhNS}-BWo/S[x=,gQJ9v%V2N s09.l8˪)_!$:;IH׆y+}!eZ|' oKO^n:q<7:)keg۸nEZ&񚳴aLZ-44  $q9>醓yJ((:X2Yi6CK#@!e(Y.xqjqhN+ J6hK53@$hoR;1&}`ǎ5EB~Ez<`/ʅ1GZK$bx,"QeıuzjDnƧZRR($o/ !H@D f%^P#LJ\3;U F)Z{Cry㊇m\Tu~xiL,"c'U^?ӟU&#j0_BZsSGf;x C[f2lݣz32琻>8wNq+02<`XCh^wW'$mݴJoլM $J04 X|MEܲhڻYn#$k ]UEX@tiNX<'F5(g(z:`̹ȭwIr-V\HѠd:rsBz2`+PV mvűP;*ʟD9F'1U 04'˛4l/tV )]$ Q1)ʬ6lc٠w {鯝=0Ayȉ0c:"B$ lqpcBgn'1L[(7\U 6&VJ_=^_:9q.Mch J/QCʩzkЫr֪TD:c_'SG$֍ ? t:x¢ٸ$]Bpb;Mjf_?t.F{ 㰇ۤŬDjCtPW^Y Z~7ִvҺ=إ>zeV9HRK`cgؗPay v鞮"r!zK#R]t "wM~Dy?[1p7y$@zZzJxq/b*Or3t$ؑn'MV)k<ҟFo4oW50H.E>'OB?A=[EG~bDVaw6O6__WhæoLQvITA%bTEts;Tx̹]Lβ;Iߩf U) |TL_8S#~< dT nMիHjt3;"\FA>(R$ (hBn=qtCLe0*HO`hO6oً02+!^<\а`n.#NgWjKMIOn0H3|[%!Y{aK`ϊ,yrb)ȗ'r;}~U޻Ȧl}VAm2aboO!.h(0aPSvp(?*Dφmx'rՍlg)Ka/ <Pӿ'G'xX-xƱ6c9"\; }i! n xj105z򳨛`ӡ,!F=祌13b8,kVd(Q^yiOa*Ga5( $:Eӭ a 9WYw9K5n&9@z|] XՅ6qi/VG#p.ɅwD2_/3;9z7wۮHmqZa}. AYUv(\yP@ i9Ut%)+-Tj=8/6Lb:S?жRFۤl#pR(MVo(G+deqLǶ̣v`Sm H-FNXVXZOYl&TZ ':;8ԍN~!Bd; g*mA¯[U:WsWr\BiYxKffkidzQ ) (ƽv <'yL>TVwf3.WH;f:s̝FI52P"nb%εJc4o+8 ącX6i {Yj9wU=r u)+ lYذ䏉=*MWHjؘC]#ҙV>'ds O":Pu*'dp xƫgQX {G#YAUPM\دS򵸀,UoH'oV`GEIfLEekR%J+d%RLVsh,``YMv/jj~{=ma_QnɎ!qqb$[KorjZ`; ޒ%N{Os%~%Wlζ!c׬)P D C]r:1ب>qWFcs8^^yD`T1d 1iw?akbX+$*,ihqnFdtG-s4xM IMp}4άSsd*#L}*6FH4譟Q*pI4 eyթ;F|ߍD<=puZ<*we ,Xg2, nTnd% ڳKyqI>iԕ=͉"JtŔ++Dmמ8;$zKmI@8/]3u|o5T,/b/&:C`mz{|pBdluP7ULGZL:Wb*) WɻϪx[Ѵ2(XMaQ`>]BZ ܲgB`*8,ާu_^ q7&{x>V1њr#]F3| W!A4. 6[Lҁ*PZv Ja 䝖i![Y; e!<J/|G[H\pGzpvis?53^ ^^fQ+u9Pm4}e*kQ!ޙ"L"6z1nQceӣӐe7eӪczK}[,oLLB<y]Mb9 r{!JHb>>2@m4=}q̐tpߌ1 fC~,к mTYJ[" zkٽJIK)2G9t͚ug&r=.b5pĄ8дy<4%e,vNδ{iG$Xh[W{NpUq&Bi3  lTC- BiDŞas~֜&$.&B(u3tG,H-߹A۲Wz1 P  9!c.J7moM)$)xQ`|=Wc"0' cjz׿$v*d5\ PaHef*6}D@u}U6;!/&Ut qQ*?zxMN4-JS6mCxב!pHmzP*Iְ Tǿ =Pow=S&kᲑ/fH4OW*bP̖f xyq H*=We|eZWxIAC3iJ6MZb=&lWidNr "AI۲?ϬaUk_6-P%Sd=a\i|#WqXF#W?b P1< B\W&ap1M^0kW8Fsӽ|Qs,q@[JF=WgNvz9MS )~& 0Y2ud?:!23& kzFLޢ?BdX b'"h^6wF^() wrF! #nk8uG͛;@"^+$;- ݻUdJWr;"㼪ӄ3ȴٳ@j \ F1Cq4)e#~Awg(*0"^g9L/] 8Se.-e~^݌ƋB*wm8+2PJjE"> j"=T1]J`>O*-{i8V/PcL%z bL~ z[A5='UD2C;[~ؤ$!|m(;@qB((cdCUڥÅ_4LYK,!+UJvRM9 V6)V  *iW_y3"VwO3ؠ4 K%u^ut| [g}#敘9'1B†ڠЈlǩ"߁ZZ" =s#Мfxklxu{4M^!|?M7^HQbȗ2>JC KZҮ,-e^fuD RqR,ba *NV5[aq,bnBZ`q]-jt G!'Czj.{cFG%/x47F _OuM1f $Zǀ4^  X~\aV>Ž?V;/{g^iJB\ؙ&:$b ZmuwJ>9(^&2۵#eMEe2%]%ٜ G(j~m|%7Vkw逷 x;tBŕo D qUH{_dUaHQ4A.'ݭS H ~BT#),Eb{Vb۟qM~ IQPEи*?^O=gJLϥؘW_%+fqgHǧu$R걠駠 _UT>w=)F6_:R<;;1d(@HBk+_ (6d!v̡ksgT-|'B5ym}BC:u>o/H ^3rqmq;EsKH Zu=nn#6fq³yc#\mQm|1OŜvؼWsI2<ېH >Hknpfo4menQdY+p()XmRڴngߩh([#,Wz7j@2}o<, \NR !%TKxV.M 'Xs{HFF9ۛoy3[-WC~C'>eiD6X5CP"D 8'+ׅsW]K|Kͥ&Py?|X T}X{acw!fgQTnOWɖ$ ]<<)dhV#`t=z[-M{2{{na0K#0N.}KZrHHj:A$KUoK"Yb s >r̪ݡ,a({۽;PaR q! 9&jmr_ .K}wz~f;6$u/ŤL%35mmI.]9l'؉QN\^X7$>wg*HN(w޸gvm: YކyS_ЏٛQ2'sh3mF@\'a|^ƴCX5Mh5o^oPYAVy܉e)9]hm7pBZkEAv:6=`mM7d?I޻y,/qOjdĈY|B'joȞ2a@\JϠ^*לRyx\^ C}$Efy7,',iriUlr):vx<*=afP%s',3"\!Qc$ŭC '0ӢfDh]퇎v*,#F$ijz6wg.jn6gGN UWi5I!t>+ =kj (k ~ Rs0S:1<+Iw vJλ`l݃-- ̀{t3(+SKy8` I-BvSXc7u_ p8}aBIN^mB`XRMEɠOX驡,P|b .tkq>i =aQo38?T\̌+ G|㈻uT.q\"\FzW4@9Vc}"N=u'y#t0&0Oz]`~u 8r2h]tηjVX)e+u?xtǝ5}Gz?+ia׼τ盘$<bGHӫI$o'R1oaj] I5߉jY8r#TQwv;:d.~G5le=e4H Vu46+֛j2'k!6 Ny$DQW&[IG?kpԏ@8!l8(Oc i^:Hw>' A3tzeQ[8~=#zD-xv,-lK Oi0NgAlO4SGih+3GtC s(hL>!Oir}jd!xq7a8(. *t {ݑ3qMp)ѕUO[s{LZl/:ݒ+e> Fs> G2Tm ޠa:f옛##Šj 19mjuRy]<9,p=+:@ťwh3+ߔ'C3,*zôe"UARod4, =XV m7Rv9A/!KC`qa_خF\" (ajNñ b/AAjޯ%;S5 m{5mX:Ɉr%Β$C9bVVgɖax©D8He<Լ3eJT"\IZvxs&ڪP RTԯ:gk[7tHC{SS:a|G詈HLh L[;$v;Q=Y29NF(ʖ|.2uTkhK>{᣿=) XL&u~GU J]*ǜ쪾*jk#20 +PcؐuLt[`s@[PGX)D,CwD<{_Mc,z|W.^G v Dz^H0 rpt3eo='{bm o i|[dcWԱc%L٣sVڂNA2&$qEQxm&&=Q,\x79De2Ħzտopޖ_72̴}cG)? 7Wh;Ъ t+_'lvr<!Kjަ:vC8twrWYVߵ/NTҡ[\3SicΝzPUX \%rtqPX鮭TNF>O;ώu)Eiydw#QrӜ1jQ5M]ih ى vm\f\Y=˧L 19,#ΫيV$厼aVC'A=k8ۈ(ISLK*;RAQ[xx8UA7{Kw.lR]ڧ,h޵3k0] 濊ŨI̛`Y 5olv_O;Z3qڍƙz7 -Ϩu5]`lRIGDưQxu$ٵr sab1JHن"f]x$OHMpu-Z>DwfA:o4֕H@7#V u,T,9vtGG,d*[vFh=׍OIcj W쌴,'spoQש\K1p~҃0x|Vl('u_zcW*u#(E@Qr9rNYǛݍ:mthB2rU9NNå3f?ץ\kZ;Aju\`+f$7=G , iyyQEݺP6;#9|̃w-˞a)-1} >@^6LQ۹uh8"ꡝ[iNX H/$Z q_'?L7a,̩iN>\YΙUuXJ`wT g=,Z{Ȝ6zs3Pض5jtqiݸQ#acK@9*6Mt4N{}n'ѧn7UyE6=1oY[;kNNjMuHMK(cSO}=39 A6b _ @ǂ UX`~zQswAA6%s~֮Q6Fv y#',I?%}b~CM3y9xKTbMpbgPe8?]ߕa;e `B桯jkİ;IaɥtӦ)W>:#iy?CWf+#ᦹ&[mҤG䮣9-1ɺo@Ì~dMX1 I,8KbKH>d_Mf=7ȧKdq%&9lY=}{+p$fFz!V;yc #[CQMtMOK}6-r{JqN==fkafDGMSVbW${K 4:FF٤ԃq:NLMi"ߞO.'h{5}bi3*1K5)Y>PT7 Gr27)*o"֍CtrQ^}V \C{4gdw,=$CR<‚YkE[1|+d鰃/qːNlZ׀SkFVN *_GqYλSmkNWĿy\X} ]S4 ^!+ tzk5AY nR/z7XM͎74r)'rK=s9,!^a-֠&y<񎇒>¼G`l.Nϑg(SM!Q*iPjr,.mW?z>16D>|5پHl"3ߵ|lXFLEz[o (= w6Ә$K- |fR=tK{VMbXJɍm7_IC,? yEWT%8D<Oq5ADNqɒ%QeMz^)e6X:#زBx͑3k.P {k]gy3bj90.{Ut@焳n60z.U+m {.~+lH~rի]b^̤}V@!ZW9>n>\ `GQ7o8*`}aMCM%W' !Whn-IbCIYa[܊G>&ءC=%+ xfrfw|h7* ʍk9iG.N1Sfw|c}hҖ[b>;WlU{Qpo ^>+}ҁVگR :1} f~UO/rfWၝg.|1+C' '}cpl !+ا!zpxGYm#ᢃɸ190f~UNWz;ݬoѶ, ALcYO^I@c\ BRHnl6H92ѹ sWAwAP q!FdKdnTc z,{;d'"xT:WUl߻xu&;7PVy^5XCAo0{%tOT =E rux+Ru8⍘w%Mወ0n& *s7!I$ڇ7Ik@ޑ} {;lr4M2wH{O鸩Gb uQ+ʪ_~"<Drԭ;E\/\Y/-3y/B˯,iKGB9jC lYe2HFuy48Ng|!ώ^l_OM9J?<74OFI}uUw^9 %T͢ uy 'Tw醭uNg9Ѻ.rfj8qNwק(oАv~5-cJ^rfcJCh+$wDuP'?)dƧ~`VW+ ."(%%]ɥ)-JOMפTCnՈWXf[d1Zn hC0 62VF7IXݖVebQ)ޯef!nz&x(4ЈpZrZym&;Ws"%Ɛp0{g-&Fģ|S&$Y0DdA_"γ9devx"O Gҝ'E^tɍi;#*O2 <*KT` m(oL 's-N DR!$#$rMYKf v/AsLL,.\2}+_dZ%zvv,W;A*޼!I`NP5$S]He}}'n5a47$7~O ;m-f3tt6nsFKʵl_+8Xdn?vc$ p.GaXqA74J|u׸I;pR;ͶgV#h/]  *9BWV̓~J+WZޑM'?_) Kؓ@MB'L[~ĿClת֙Ja(RFS* . ʋJմ|kzgq-jj94c_BM*/p9щ ͦmPlBuSt6]5``{+aݮnK}8 }0g]c|(+NC]"7aSrJ X^2z1rPe]VW hnizF1S `tY`sȮ+t@{ ]I͜=#ŠK[+K[$7ӾC_Ao2uxbLz]5"pR@Jcd cR= .1NaHXv]rUcr(d'"0kpi(KBZ*"p~J&xhC\M""{tG;ڏn;15;8%401orihY&rì[cL$̭&J5NfӃvRnԏ)@KϽX`a}sXh_C5eoY,q7痥343V]GG裝XJ9qѶ*B1;[kdډGk-ǜŚx"Қ^խSsai?u,{:BʗAjTjCPcaʂGYc~?W|Dh ̢ETC2%_뭈A)2|{ ǝyMivkh0QOKlZI Zl%n#Qe]I )/`p6"|3Ɓ9WG-6~Ejtc,Έ4\,ѿoaڏZ G6Hp;n=RWgw;+iȱ}?*Wcv`S/yr=3*N[T{5(o`4wQ\OT7o 0¡Îwx4;Wof,A0*D3" pR>-Wc ; (umm$ZT&ad\?_A;I` [pna[m-eI{-uѹs w%o5dƥcXAiq.)LMѫ2{vGkL6Ҿ"!L뜐&ƊpX|\dXWBdE=W8= zz`^h_N-YB{DpLF[R¡'JgƼl+$lkqu|se0XUD [ߵ; OMۙ'# F߲^ҧ \^*v/A \BH3o}FcW6lkCNx$=jn$X"#5(j~% -˷]9|ݤ/tsAl%Qnx%NeR {_z( |ühx=(()N[y>xm#~&=13D[2ٴe@2 cbinENGY(ʢޑ'@7" $os6l0яulWّ踫V@)B u4Poe' LP$ =Pf?4*8l V(غn_2cטJN_ԩ$S|t:wϷqnC]}u7^Bh|oP*:A8i^IL NvSJnCB76ē :PS:tO)Qe.֑"N(IY;H>Q˻ sB +nEkI‰mƯ)ǍuϮ& i (畄®Kdn4?cz0&㒰jvId,Žޚɴ@VBp0PW_/biL{`5=ߎ4{ DS p!> X>=x]'' _'Yj$NS[D%dZH/k#=#N+6n#r(|[g8*|E QeݵGފLYZˁ.kM7?T\E%B @E㭥̩J;Q}Z )Mfp|s@rCYM+z7;۷FIo:tGAMP˽|e)%!_O.pt bnMs֤ݫ?8ȭjykqFXD8J<*i#816t_0$!~L覙\JFk.[_YdZ؂/`\tEV!I."Ե ( lg]y'XM,y'ґͻn]i)*ҺWF|ޑ$J~)Iw{z;/KIS"_Ρ;"N" ҇϶$Ge+2 _2,v LdL$mn۬*]Zh H+PpZsj 뢮|a21Fjˉ?I,\V`64hGRUkӪh``ayA=pC2> {a $SEueBhG ۶ݘCʔ&$nYﮐ;QdJ(%IPfAl CE=4B{/iu'(#3{2w+^:}3NO59Q0X/N>K>\㫎]16g윛MpN x~X nV,sBO'S?;KOfsyP8ږ8"L'T}d  lCd~ǃIL_xf wu/@ة`f2R }!VܑkblE<Ғ%;Š|# *!7DŽ4G~퍴_.[xD?lc'،kvSE2u_lVrMh]CD,L6+2[ uu/Vd GG{4K /,B\v7 :LlK:Uo.GoV +eq99_ju/;dl?|d8%cq}qVݢLm )ހ Dz]\VfĪ}(~7XyDJx8-Zd.υ &#ަKQuc7 QWyXT*-w;P}ۘ:unA4 #~r 6] 9Ɔ;QuK& J(H|~n$bQQF\F{Q2g`cs Rw0dknkAHu41:F$6'0qqkîT` K*\.l ?`U邐:q '݂s 7%phFF2SsĚ4E0cAhy;Σ8L3$HҦ 5Npy#Xain˯T.I0ѸSgjn?Z/αz,`bSU۶mسV\;V&$M./yû< SG'z6A*gLЭhةsmJEę:dhXGp0V'˴)D9Vg`vXi:8N9j}^sk ~4׻5̫h-59/hAi*eBkp"\eqyydº %lGⷁRR*IaZ|㚩 x_XC,x*\Pe0BlLFدrh/& i85jQP5>6?tH.1~0mGE5_&~!`3jU'9㠀nzpY vfמVm"g=ӄaG9̤Ɉ!~D, Ʃ**H j@8\Th( ֱq^1?x"vL/C6B)/̙iP6`J?A }C|ݩgjs?Eexx%HCp ioPdkow[M'dտVRc~ʗ:Ŵ~-T@ĝ{|3Hsfj wdtW8|ѽc[E}ʁ{Oպh6teAM+*iL$ /|%QQ#kS:|%=z O[) b5!bp"VھiZ][77(JE:`+f@oV3G!'LdacQpv'Xzr@㷢wrMigs c7Tad/8ҩPX&[ވ5ߋBkaC; /FG5jjK`u1v,&,Ԓgk3;\u_Pj*MGiD5,;ﱵ!7LP"&OK哝p.W0qT%^_ECx @< b6Nw*qo5N hxJn˥)hF%|=<L ;%cV}I|9mt׎)àd&gX7ON^ @3^ Nf~wB7ePӤL4}lniJ)Tȼ|<1_R(N {ʪ/b]< |ʴvHd\d_~;(p 3 t(93v{QLWը 'csb0#]c= &Y\=;* BmD 6JS80@;~3xSFG?#\`q\U2 Ş+5vAKcr\<'RNW8mѰ75f[~ODHvnPKـeWc',yKguGv{TzPlE8T2maLˎžֶ{ͼ4e%D~&`et~=3,cjVYb/w6@fX/1::EkQZT7(QP@Ub[ R#-9r[KocXm'ПEdFF.x*)&$yn[@d = 07sUQlP%v)|߳^OvϕW圩ejon `ת_'[M HIKL3?R Us[)ZQ q4~d s{F&iF9k#V63vF_E'B#~BE[?V-;|DupmUbوz,&Cv=gT{)De MBj? M\w3mp 4:%\n\Bp]Z<B*~mví{ ![~+/f؋h"4j2|"%eC.umJh~X>.+ Z^uSD߁ᤌ_p1R9>8 *HDv5 K~/׻g &ǪIy\lڨ̊z}JD+yΙ InN [ WMWK{C%R}ng뭁6 nXtC/ k_J=3OT'9sґ\j{{{?a,"Getk)Xgm>VQ&vn_Sa% {c;C99-u\j'0^Ln2O,bke9L?=Ìir*kEK,~ |25?upliCɓZ b]0v:BVNP`TƤfĹ^ GDg׍]mt(ȥl fl !7_hUVOcT`z.zi14/\lhEOsѕn4%ٲBU[3C)ڳ0aǦvr̻!0ъX?A2ƣ&( .,b{Ջ ::#ݡ]ZG}i{ŀsE0:ڍ ^/pX*J@q/󥒤"ә Hk7{u)І"l6WӣZJ1]:y KACf}X!]% yxWT\_f@d{iRi0VKv9Z-*~yJQM'_=XGVk,А`NE( CkFcVd?Kg%tDDǛxKȮo3 h2kɭ5bgjisPqJŝm(NFhm3JS[%?:\e @dU/C64W.iS3uQ̂13:V2q vt\?w.xfŶC!>րQ1bE55.k36.gw-bnNN՚H7ˎMJ8¦ nUTZd$xC'6 <Ή3YΌ֕2,&2/ =F#caiUDev3C)* GNf^1yOĵ3$gٴI}-@s$KR el3kCOf}3\@ $KSj+:wȽöӇh!KYBN7 78}TFW>;A0LJ>u2_%&jiJ <]S*LUFO\A 4R:SRڙΣB!>fyrQR4fV5 {!;M_dkLo* r[DI 9uI{Ub'1G,4։.ˢO!2wFcZ&7tEk~W0Ng$I+sX#Q@ ǃQ8A>UKn>2AŃGp1hXtm]Bugs:rPM7etoH/YIH6]m*E.*d }7WƁ~>n̈́ 8*R:e`JdDi7ļ,:͍fۦ[=.ro; aA6ޢ& Y8pЕG-{W ҍ\+1Rb#W*pp*^RhL y2;!~@ny !vAIh(7_1+'5jub Uaj۽=T 4R{13J()L +usiP%1H*OZczJWHғf1aiôq2(CqF#hʈ{.Q"︡ ~RĄ*A૏W}WcpTMo{b+Z0CC@1\t΃;. {R:pԸ9Kd\T޿oT Q]Z ';\D F5!u.""jɛc͢1G9 }eU9arnYzjX2-dr"9lm>OQu+Xj[+4@uo'|ڷ|jX]ՈB>V&hP;`g_LTиs;Ty/uwH {&>X/AFdc_)t\j+C`V"\\e#h:kh0lRQSR[.)ewXxEX]_Q4kUƩx_ fnKR,Dǐx]|E$_Dm,dޛWkE__[TVB7׏NT4^&|\+57!:=)?q:tNFCVJҴ5=*`+5Gx$Gr' ؃3:󤜾XY#$:{@6;U%@b"L)11ȘU=Ԫ,+ ௉Rx$1$Nb~+JC\7SZTHhoyPX&Xߒ>vV`x& 5ICOfe5 lMRl?BP'umna[''g3xIai'Bȅjuq|=r֦d/7zڡ|6;,bSdȑ:5|5n_•qd#6;E = )idrJkNPn= ZH}1}-5ѓŅ>IhP%VZ1)Apnm^»I ^k3'f^ƷETu"vddd񍼉ddJ [d2.EjC"2C@'NxȾ=tj1nCSBc_ju3ېOٔNO (I) $i}f ~E5"%_Њ[Td 11HmE4j(aZ NWR W"sb+۪+RXu@;F7՝<,-`NmܔC+ ;|4X8b\|!| f \%wmB,"Jּr@k r f\\'Z7xDV zI8#ib]gh≤DFw˹ѥ/EXqu\KU!CesSrtR;M[&A#žї▎샀">Oz I5 ir gnƑIa[5fE\!>hʁ ژsuf 5p@xl ;Ʃ׻ |Q qh}V)] ޗ _GqD;55$~"ĤOū qk[?aH<7܎oQf}@ނ}jZ~";? ~ۥCw Fi$89ުk%_9|Qld0F+p!?Ni aP:iKI*J[}⋵ߦ9#gD$xp6È$AdcnOUׄJ܈<Se@wW˳8a(ϟP 2)F`%觻!C}-ehUb*zW鈉)b08ܲ#ȬDQ qHDŽ57 SRh&;Ln"+1 >Z\# 4:/.R<[.ͻ߲4?|LSE&&vlR<]&=gE!|Y ־%Aq=Y_1&tyY5w58Щ$'0e7@x[ |!o ?Ӿ@e .zA޸VQZ XS.R-@X\X,"XwZ[B^!v#oZ%  ۸ggsaEZ-p( mk@LܷO*%^J_{%&*8LMsT6;߮Q_Ҋ' ~&Y7.7yA⺭׆kNȏϧ#$k \D]WQH7?LA s_eQG a"|r12wgsMN=mj5 ۢY!)KZ9loc5F< K%_jC =̫d+/CL[DŽb@~vy*`6IS,/j9\kZW`6?QxNU?װ`*Iy_e(׆bjSɬrl Ѕo}iL>Wd) !ݪμ*_ԇk-GK%qtqS4ٜ}u@S.@)9s>*~!X#m @B@j!)?$?6bVXg0GW8"'{epiyZ=/~ cjpKޠ͌kqi>t亚(^66॰96sH9`5#;iWoĦ@$ c>EgZ;6v;l,r :+w"qI[ ff+.B *^f҉ -S <&q*dU\35,[=Xl~Wi-K6)Bu5cRgMusG O;TVVJ3& ‚< &A C dw :wYR 7wI#S1=&EwV Kq]xe9J .ĞXu^7y(njҙŜ9&a)J lteYV8kY(lǁpt A`oj.B *-a]T|s:'L^(,YKk&(1Zy]ΩƙUzh"r7nƓ)9MGqf肓}rp4;uKgF?#8itd*Y& Fʿ'LD!4#,-XÉ3*e3VNw7c}nRi:IUn2h 堐VYmNCY}Ge*SXxxlm`͊gZ''>E*.|?}`7u+ѱ4ں˔Zg3 !bm)ÐL6]~Ch]`2ʪ7g#=}.ŵdiRBI9h_/'#O{Swt#VmaRg* ޏrPè;54kUaTOl xJ|.]cS bo;**MgKGv.e  2~&zv"}3\bE33s9!WFAaP&cDNFK}d>ˌMֱ eaeEcER_ k?v(|\T`J"5C+؜^.snm;UIbH)=<}<ڿ[liMMUF&meX'~WBً*Ұ;9!jͨ>`XLvG7R&Nedsƍp (%Di(})E?#U@HU(Q+c?g;zr9@$aǬYK*!NZBb1pa ms (@(E#z_|&hO bcZe8!a'1|ʍ&&vʇMXnk:X#^xҽf,Z{rt6H 9{Yڻl:PWӺ\qpvl @{gy^t:K鷙h[Lߓ Sn`'7`BL62'[-1<)ؤw0O[zjwX*)TVGL{{.`e=ҥ, > ƂZw ɰc?,kgxH23uIh#ykvH4ADx88UKɋYbꓙ:D‘K0`QV2=*s~w?Î^?ny$&V8֓Ͼe,< rơ5U>_J}hiR!/Jeb9I):jD#@gIq\yՔsE6T@5BElbV#N%YD5?"Y!$d0⶜ Kq.~ցpy]mFd>Mcc(-D}{Ce\M]@z&n_j}V˃^KBB ـ_]ZM]m$,Z\߉-QOdMV5 :4s|4>H:f*f%@P*5 vŠ7 5 $/2bY!)ԓٯTЅ .4[L*BZs5dl6T|68%=.'>&lUnBr~E9JX c6ų-qS0Aw|;`ЩP%CܯzoV2#sc@`b* ׹H "XfkLŝ44^j.Zi݊%gĀbٻIUH C Tf *Ɩ%شDNQHgj$)@G3[ӳX<% z4@:mykwல^A1 .G5]%Syb{ L8E ;@T!Y6!0ZZ|Qk-:{NYf-`ꅨ+Xm kl'seJX&:-: X}!U^v6ZA22vgedw\4n}śְ2zqc#Щ(Orb'7by*z!5-0pA.Fjy '0Mz,60kGqC>U;,ԋ]cpB^TGl>B!C+_P Mđ$.8\FSWeqf0N~ML(.2zҼv',aׇ2 ]\Pdg-U#96~nGU8ۖ*IQ{pNrR0MfTrqVz4$37AE1="_A1%4W ?gKq:[yk[4@TOφ|CHM|53)袌1ϦW#kWi]W>[a/9-geGxu;!,>EqZDEN,_JjngP7I]7:Sn F{?1:m%"@To{@{DCx%iw.dUAгs.hB iQV1{/WP˞Ε*ϫOsI G~1i*VYWHmXO1Ȳ#'>?94D*ŽfH54S!V<*:1`6֐NɊKI3S=LD07d̳d3Cr);4VG?~5|k/Ll6X-b nCW(n WI 8P:tGWvx΂=J_ yGyR=C@d7Ż³6Dm\gfX&z g/ya&<޽N醞k'xi+ޘUkŘZD}bT5'iI&ab큳 "#᳨Yf\;f? /ф%N]iHשC" $LPݧيL<}6?*{!?$R.x"ϘAazht`b2E^}ϠFx)@&t$w gE'\g+ V!#q,N͓ҳktP`s$\je 0of6^Lb $m NRY!x=!pFpߌìVՙ(^ a$*̟u-]h\XJ aJ.= C`B(Z߭>3_)RGdp"|sW?wdT%.;6CWe qSZ{j||I{P딧RW_K*25q5)&+( ҕ+L˔OP-]Ώdknpϧ7rE˰ yTC%fVKn[5p[M\QCT*E#فGH 'T#Y"{rcD47Ϧ./xXV 0UE LB+~uglWf{ %kE-ӯZ$J,Z~Y*5sWFߗ 搖V-1-Hї["^qXmZ:)5\BG:gx&J /@ƞye`ἳr$ ?S P[}o-7LXGkws i؆aǵ~8dYkYl|QD ȬM)XWsíV_"+K/MA?]5-Y>)+Dza Zh1lvIߜQ"Hk<M 2X){VP˜_C*VK\VcHJk嗢a4q0p{!(B8D쥵2/YTeZ^߱T:Wi˰(9^y% qY+dG|T*HhR#\mftt؂E(~kY9]cy[h}N2E%żP?PW0ET]ߜ^jl^Ɨ{˘šU s=bcbA1pUg#GR]aa*:[)r#Hz ttS!e~hcdV7ҢoyF\)ݒStABT+X[9",:YUrf|>Uo(} ܽ`Yo`ۼ L*KP3˙;}28TXus0}`ulNK,4sOPLr4AV߉'hȴh5p#Ѕ̾=ӗa]$dwV^䠖,َPG߱ȮR tI~^. eZ%`2-ghm0Xg-Gi#, :``x2>gIcֳZxDЭkp[B|L$ P3O{}kq$Jh|[rap:Ƹ]dW1 jqF~Ci jG~ Jk1',TX,Π->԰#j)EHIՙ7:tuSY2IşgZo; -pq laG]޷x%headMn꜔**eA90|$gte#-"݅WKxZTj HIJuaqsj/yMIwxM̷PN_i.|lD5:^i\gʘJwF{0>,{~§&Xȟ%eUQH]$w@ZI8*Q0X] ][N\է=y cc4N+I(aC+ 4DhGIF"-`|+iQaE7md zvJE&_u b8N(r LgèYG~$'IW?]󏿉\.s,K [kƃ@/&6V3zO( )ԝ!mw[CQl''HƠYJC*ϤO%up$K ;KFH2G ϼƼIsZ<e rCYYlv.L: | Kbg3^"' Zn,zj!Ֆ;#>ݜ_)oLArS?GRjmYN|̕8ݐXBUg=!VV0_tk%L(_K_9Ht(Es#^pY]r\+C&x"+aUx] Oݿǡ'sG]&(pk} &G1U,u [OJ->g)!\QK6鬸XѸٯ Y7p }xtKJX,ᴹ93Z .4hLԛws\"qvzƚV,ij1~S=!Q O6o# x/`=bQ"> {lj|=|8+anP𲚢ur{}bKeaxWz:GJ!s{$p6yTサ{&c19Gy܈ !De{۪b<!ϿZߍ[ON/ɹA<*oϧS4pw ZȴwAp'J s 6DžFk;hr66/_LnZvȊvD dy0l5i OXUFdL?b(5 #ڗx pP/;ɀDgi LK7CDejW'B߈y6f5ɯVm1&i%#@gdu\-A(1Wz\2ihhՈw@ME|nn`/5 PF%:N$7vK׈ڤr7$+.]J1SJMiT]BxWk2D jb(oj%.uQaٯ-DA$P7Ժ~z!"Gz |uOU<ӟ3eYVU>il﹊DaAi Ԁ:S H6K%S Ֆ7>S/3 j`a(N<؇"*,̜l*qtص6N"1ٸf(՞"U"aN{>Sw+U[p6Sf~ɔ+$ap9wp#F[}xbkHh< N}!}[iZRp8yb(䂥Hc`ȶع3>BVBb=Rvۏo-` wڄ{̮!ȬbJ|KEy.UUֲXCe0%EUhɩ= q9;tvLp:=Us;W`Vzaf'2TܬZ(Ҁ4hdSy;~}z-ӑiH ,6~KRO)Uxzr# 5њJ_ q7_.{"iɆ$Y עt] G_{sﭫpxjB;0jɲl!4to>!sf͞Wkw_[)󾧓(-q}]O+'v)zYOLLHvƿ5 gF9`3kBo:|Ѧ;B4ÛC%q H0jۤY7R29Z}>Y=et^;0hox)rr-2{͐$$c/.9/I .lI{njtᏰqsE;c'2ae7sh@B3s'{<.ccWJ$=ihfIDh.s&ȳA[a5e6PmǏ]P_3x/ʚVԖiQw}g7YN{>;89Z֢ iYJ)dn=^Q[<b&=`I pJW_X \ :cg#Ql *ZDFj! ]f ˟,ccP#խ(pY@dzZNa`! Ol\} FMĩc憊V(~˙T5ݟ9Q(6L5ިܡ7sB^:3peLepd0rZII&^OwMψX$<ҡ] }ʛ3k2tR|IGq%_+bً]ͤ\ &<>}sOP{]Γ\vx6T9$V=(for|ZkHdڿ: T4iPZyWzfAJ|렏\y"ʧ8r5D*ܵ]b.md^}(cI/B0ޚp;J7Vk>xu꾭РcyD&-^z/ى3NG̟*`¤X|f5rƭ>5ulF0܆fN3<7FaCzÉM3IkkKmUfc攄^ΣVj LF4gU5~-~d#9P3+A=-fǴMF Z<ځ},CӎZnV#YUlZ胨Q$xԜ{Zk/GjԑLf%D] ë0AWv5-JslhFgDlI |JIqsO=B]2;2- F"A{S#Tp.Iú~b-)YH[ =THhɠdV9@=BNU$-0NϬBdP{žcX9ŏyOҍ>D)vxJd 8 .Z:l'(=܇d!qɔS$FFο Oƍ%gIG?ijFOM4)w6&sث^<26cb @,fC4qjNu }&J\FZ+qT:^O<03)c_:*ɸ'4İTaeOQ{R\%RsP Y vA O%x3P]Jf F" w* $)[tzZbtۓnRZ&S:}5[TS° \ls[~.,HfV7TdE{s=XNSit ZqdY ];z;SGp,>8;KM1:y6,a.(_5`=ve6Fzw5MKFB:gL[IH"'|W,_ռUP) =I_gAoPLsnSUv!䀋A4eC0_x(qy%JS\%7㭅J֮fQ-UF$cYbkƈ{CѻL^:r5V8s,qr*d@Kdj:*nh% vo> 4)^MPT(m=Y{]jqr!Ȱ ڱ )ع"bPa2+ca#ck!+n/Hb#QARVLzܑ pNgMi̢T 9Y<<7^:@+DȫAL7Q$FF<2ys^$0Kck!pO 2 ~S\e4{8{hp6*_u~RZ~o_m]IBnDd= #rpTp߇Ȝ iZ7 ﶺqrّ@8ih DIżLÈ]: t\mjp+O-~Jbj}TX,&;'G.e jc!s$9As4AƷLFkN0BgE>ŲIc;d G>YL]ʅB@pծEE-|%wKY%&ު?ernFFoCފp s좂)y[뛤 ֨9k"Ώ4IR8KTw4r꾋yG#5SИqVyswV9(L{WBG]āyF~| U|7υoMB /E/tV"֣U`㘡˥G4IZ+#~UG#SCs9Hʆʍ ӝ]̟U$lPR)r3u{(GC%a i}$DUEѴ6<h. p{< yBK<brޘMjzk6D"Q7r=l9^yc_=8M8,jsdnG*ͶfxCD\޸$3ֺΕ$+cO>Ue%p@]0Z>UfGD$wcL  aJYI &X~p{h]dzIۉpWW&H*Hn-w6R9ӱv4Gd {-uӬEB@0K-em# BȔ'h L! B㞩'cb8.u2}lP>Qvq꫿r&OMoϷq0!XLޗMg6HL+[]|3hVq&ʮZ>p"fVj&uK&90ڼVݯSrf(=w2iE#:EYW0k{ 01k}m͇k6{+5]\HQ(̭7ϳ\ǹM=Y<[a>BUK.xDjHtfK/`)ǎ52Z.wOJP{ R# Oi HchJn.b2"xJX6\Uˑ ɌdV*q͘ws4' > #:/"Q ?ZB 45N ijL-@}M_ƌ2bbyJ`C{?d^t,G}/m\?AYpTwa$r#e0P`ϗ*hާbV FKmT׭QͲ鹂?Ü6`쭴pqO 2ITC/y\D&s\d䋍'ao.n>:Ά返Rx exo9ihsAz(x,#3A+P9!)}i|G#3Tr7ڴc 4bݜ]bEf  a+]kkEez^Pܝˀ V8.)! )4Ѣl`"`yպ4Qs6ɡ]g7|㕩8H$KMqˉ$q$M8vyv _$ Wws}) 1y09zyS! >\psC>hdǼǤUZvWW5Q6](X yEb9՟5 q0ӯʩ.!XZ,%]l$&6Ycc&CITBq'*8A N[N87]Jty,"ם1ieQ2.#b7$3@uI0CPTyL :{ COpYԊ ݳp`C^UNۍN` q~$+N5)0G*A†<>y]ŠlG c]XYy6$PR<K`,صᣞAYIrmF$ho}ig䫁)prB7(+(}~XA:/{sp^'%Nj.8qI͹@_dzj눫[3"^ f_&z'cܜlZ$ׁI=HDzOh0#-3YוiȖ?4њ g=v PqgFψ(x9P֒#J<-sPוI8&Y|Ckyll$FJ=K?FQ{gre7ӈ}+eT F:;~0Zx/XpKqJySP鍘K=?*ɟ[UIg_us7-5AaF8Q4}EٙD3ҦSB"ZON+a u@We$.v= wKMWV#!Y[n̈́o]J!rY9VD,±y`3EFbkju덞O D+:8 5 ͓Ѐ(qd4OUtkPVqby$cp\[H6?;o֛O-tw,;(iu9ttKENT(/f]KED^kd`XIG}6RRVB,|f>tq-qt֕0`ʿ^ |T]UUO^_!Ci}.e{hٙ8udEl`_Gre|dױPrV ;2dHP?k5x,䜘=)+SRЙP(|)bOt;όb:K̸ yY@(oQTL(0iw W%E2EītDBEzKy l;G1A3}_eIb#˾`CՉ6⦷ۛ1i?[+N>ܧ7> 7"vǒ.ScD-vQm$#LĿ%Re({~ 891i<B]М<;q ˱b , E`G'^[ؼ{&Tl/Ҵ^c0Q0X"zzCLt Ijw4_н:ѕ-:Š1_WeCv*[2պEC91|-v4/O̻UahI9B^Zs\3"'3r7ם:^ƧEj@U}aߴsJmtYv&`Pht,y$&"A=*kVg-bN(K4mmy$e镶#<}`xx$(xACݢĞHGoex!zn,d&%!1pJ%")XUm=2Vj( 2Bk_̕KQR[G:&D<0i׌U"UD~} \t;;NxtXLF2z9#{y)T:> JgU`QɝgfxH)a3}Ŷژ="t(@Z;G oh}ݔ hH!0ƓgEXl9kٸN$ҝ@0m(dB2s2f_'g1Q ѝqck<:\&>ׯFҜ'eq$BM\_ mD0t*P+ĈL}PV8yS2ГY:U:Q9MV~+6C>jw }jↈa$*k=4dN߱714jey[fW4ʤy3=ߚtP*t|ح K UM[|h12ɫd5kG{' pSĬ $`}]Zd٨SShb}n m{{y1_,UI9ݱk'(Q6F u뱹t~3h兹U7RY'p04Y:нN0Xv%rV@Cҩe>ec^ऋzmT猂-bpPtW)yu_ಘ΅d&Ҳ_h\F38],;XL$(*ajݞ]^NȜm8ӿX/*c *驚(49aEU "85LUE?*˪_Ii#acr|91 K@AR}u>îg[%ak i+e'<?f r -F!M*; zY?6AyMSZq:'2Fw'%]rݰC+xyt+y9&n-.ԠRL9N)B4H:hZza0v!V={J@nzAUSQ:KD^;";]飺iix^ea n=AjvgBl(zYv2*Jz?OO/u͹7l_&*"MZ2C ӅLA03}y`M=˓r`QPRS64"/7E{{Hn9P+9QY}jkQKdA 1J9'!/ ~}ް؋uFheBs$pͿ21ٗ.KI8NXdM`]޳YX錖#FVP%@P$r$sH OACsVnfu9ˌ-9$U%kNhN~iXXKd`uKNU}?`V;Wx[!ڪ1sx9*|FI 4K:OL[ y޼r@i{L]d5'Eg'|%Sz:T ̧,OK Hc 5u[^xC`U4p7ЄK]Xp\3Xbz3Pظu8&t;x^2M)^@`#OhBדa LN^A{Sd ;'V '?xN223)Dr b%x"D'O/Hޕpo(Z QӨ(vG L( IQC7%|yJC?C=v|%rh}fEL*Q$>{ؖrjjvYhdE`=O~"Ȑ֤bsxk4-ݿ.ob齄ua'1UjDelH㹨bc ᛦ;< a0ghYO&I>X7~?p\ZʊjmO{w־P^g<[/::4T n6.5]J@<3qr5QZ@lZ@΃Cstc3Bl Z^ZϫZF؞GFΫ_ֵ!TKՅ,BҸGB/dup:$%SOe]=@] <;>5aF`Pe8$s=߉틡nPfq\N?ifXxSgg T"uf,w_;A6%>ti+[H~~He `%9]W>WѫQ,z+ҍ:U+#m׉7R%㢌`m‹]Mxo.R--F3zza甏؉~N)K(UNE41hxuI=*j1}[‚IBcV䛖&_û۝ w8=v lROCU~~%$J˯B>PF  N'?\s1+JVX\{=LDxy/~XkQ%Pz~eg. VX qGmKR'{d2Ω͉C%NɄ5>RGf Jt`WksѧuqBQ?ҼlնWYW)&Zv n$ݴP[3['-)s@={VB^soXvLv`|3tJ! 4n, ޚdFޙ%Yl@O2&Fڕ ~Lvݙ'Vn@Q{0<ϗ_FP@SgX\᨟ez;bA'Avd0fgҿ?o\L$lȇU$D 3(2 NeMU&8#?I$l!Ω}=rg%1oBC}#>6ʾ'kYhjT`n,`=Uzq_4I(RDS":V"06_6`.9gL +0VFLbC_|XŜI*[X}U17Cq᧜NoIn|^ 7#-hɮM::^,fŽuz/Y=Ω™Y,>yL UeGI=v8&@B%4g f2F;A i Ʈ`0z R_E~YΈꉒh8ɠd"% >jA0ou@ EFcԫ96!FA5LiΚ)ל'C6ZguFJ5Vw؛C̰)vkRDE 3tB('/6%/+Tr~*qƪt圖q0V;AZcҲ^ͯ[K|S)XzE, ڽr2ojIum'%@K7WqU$Yoj(v^Qd`EBGB̨-0;;]K@:aPN8Hm$IS!k^fj|C&K癃U)YObҺ@_Oa-0բw (*L@Wӛ#䴟nG܅}؞ j_4d7j WFtGiOkT'Y)ڦPmГb.Y1?iTZu{" \d=^X}iᄈNvC—Cp4lO%|Lm\Li ~L aQ"FǾI.t0YyB49PH w:Ki ógRno(<Y:y1a*'N403mEg̙K# YxyQ9u,5M[-s1v<$YadJYaINSȺ̆1n.9n}uɘ* S0.K7B؀=yYֈ!j?Nsk vj$FN!fkzBݍYFk\ Kmb\Z^Nќcu|fiua͒@Q9|u:xO!kc{H0f8s.X-KnjZi m,81)w}m/%KyɛoibUkԿQ) z^$[\padJĤ4 0 <4z)89UE5g}` .w&pYQW@V4gk5ۙzGx bmhhH=^^%pVO / ..F#0v6;6*o |=S"]go ᮿwLV$\8#B~s- W'VlՕiy1NQ8Ƅ;:d6BHTzRScyx­iUe2 A+_@=urg~AB4 2'L(MoI)kcg2݋ Z CARĈة`tkP'?+ZfP1@>q<}d= }P25vҐꢳlt3 9$]KKFxOn/DGj-Iww(vEm#~y%w-_Ӟ ܢ<ݡw##\C0Ɛp\qL'աƒMk7]s/4H۪qSkZgˆ+gI= s .K lm)oQX8`6dα~Jc!4/j:CX',y:õbZuox1mit>q鹂Ryȣ>?ky}G.aSSaf+}w'?*5\o?R ۃ` /RO8 fbؚNo}|Q7& J^I]d\@ R'?N#=(odYAIN1 kwfTt8I+P"@Ze7 Pe1KCCt̡ j$?-lbM2E|4 V%WjzCGCTڂ΃m^Ş ŏ9m9+⯔zUރ䙀h_1^ fd䨕6(=lDSdfǮ93@mRX l#[`D0*D+R0aX 5PQNT舑ukY@ xQfzY|eܴJ2ҮD8$OPjOlPn&}j!2(I3Mx#n;[$_$!oXRkͺ0-CLvʄ98V{h0l[ڨ,oQe1ӋfFX#gJ4DWUX,hq!ej  HcȌ^tDŽ R!GK(A^||YkBY|(י+=!x vwN22rXE_uddn@ F9Yd[z2U8`"vsG|( "ܻT,wMͤ34)-}zT2BdWIr+粴q)͔7L6^:ABڦکeQᤃ<ߺTϿbK읫a;ResV{,6oT@Rb*ը>C!i-O/ {I̛ؽ|" GBvF'RZԇ vBDU2IxJ$M,u}+0kȸ(҂J1bV8hk^C1;myg }9j> 8h(LrM8_dj_aFlOpYK[>1KxYT\kXE8 2'm~0}GB?bI(sx\vbQ_$8!d|s~)?Ћ#Z_Y iʪ^\Jȕ&G%K#Q, {bz6҇EJ[u&bYy U*Ns-]V Q&.P-;ҵa=%g)턥=|` "{8`a2ۜMom<nǖ A4bZ p\KA@) ixyGiCv, &:z>|WFJX̒XjTsےՕi(f.cv`nn6J1[&Ӓ'$[Gy~IB?hչMsúSVGL:89R"q?wRPS6Rca$XШEW-:)F{ϊ? &k~3iVS|vLǤaϺ I{if:339ElCĈ*E0$=Gvhf%A p}XEa"Y~؊CEv 'xњ#0Jwo_QZ<~_or.3tW|F^:18,TL^)T䲜?PҬ dB?JU] h| XNvI)Fz ͏ChrfUb8BF%+6(RaLO8~;3Z0$ew!Ug_xLU 8CIqk/3&w;HTБE %( Hu'UfzGH_?sqS'<6:6'uu$"=C˖B.ؑ')gukϷ_INrhF 7D_ԩEh :W[׀"`*NdBK!8՘"q+T؁3GXmPOE=039ۆK*ET? B RN0iS|}cF!F$45&P)-\Т&#ˏR`i"N"2'FLhٍ,OM0[fL|5p13`  d(.Oeaè3^)udrIuM'MgPd'f> 4(/0Dno)UԐ3$Ϣ#&+oR`*枥&bE4㮶DLc.|ןi".ḄQ͌M#yu2g-Oz DcH7AsIIC Qv/V"[2E7F4gO$m[o>V$MHLȢ#hCREpd/X0TnYoCRI`f&sK+qsFΡ \ 56ȧNͬdh*]g/~?,ҧB6~b 8 *k]NzɭAzg۲S'0/ |W)OQ+NЇBtnQO\ݎh :43h jFň?@~_mJ C|e{ yQ|Y DYhW%m@Z;zgݨOdf p&X7PbsqQPKk#=be&?BEвg׌Hs3X |UZ׋5,7)]a2\[s^\!5E˗/86v2cYqyTC #JBoParx0WVRwHI0V L<ݠ⪊j!uK\uVxmG+AUCE<4~C?_ZmS֡.:sܴSpuiorOyf/:1(\.90Xsh3dXנNP4!?$?u䛠;I@ 9@51erMus3WH PEf3e2;W}^q'&6i VMi%8%UtcFFaW"\kh9@6Pw nsjFKw?H>p' o ϸ;W ԮV-ٖ@ NC7. QP )_J69^jhJ(b3CR9}>$ޭwNMAWb'~h&% ašyIԄe+@đG8&C, Q!on/kox }gzvqRn'8ܽ>W9jwBQŌzMtDE'B6M!"Wo)1]X0ED'8ܝcqWeM8juvHnO H2DA"|./uOJAnzՄ;eUuW.7ng1&tD^dOQ1Ur_}t8h$+a sndn`j[]M0l@YKK+[V/k++;Ķ:v<ٟf=ΔkTf?V emG wv*wgD!}ݵTUJJK'7CWxPDz+!{޷R,2Mk"Gm{mH,L&1'+xfdAm=d!ƓЋ.a|U7,|GW1'3F~fK|G$Y86!x#XpK_cE/Z<#IӀ$q řM{.K9f(b))w㪤\MNG Yɿ=mm-}!4N.x'#6fbe0Pp Ӊ6my~Uw0-Ɨl3K:" ֭߻0!yar]JqGY%h@uv=|=&NL;Ժi×5S %U 6D4=>] &˽Z4 }RʂW}BQ.vPx[r$4_PfDL FjmHtgłT%kv]1x4΂slC$GW]B{=ըћ"}`GpZϑrυMXg~dѡML \{^80+A]U)pX~yBRaT;ۭVĵ8C)Lv)znqk,+H! L[`Up4 (nONiF%[$q†(̩W|5Ks*K_mES0#F]6*I#Hbo:8;X*ҫ|z=%c1?m:U6jA~o3MiȀ pa'ӝyMS*˕ba̬mq=$ev2XI#> o/N#ѨK+x ֺ! ,dE(): kyF1+34蠗l.d:\Rc#$U9yĮV*Q.CeŹ޹\L ~{C" % PeY[b ~N/Ȁ`~Mib=g P&CWl$xc&9Dʍ,**/_c(!Iiω(STcख)/ex>7'lwޔ|appu\O8J;e)l ˬ {&sI]sYlRB (| xʳ|2N(uH\=[~|Bj=T_b:bE%)hL-&#Qr|եY~C%(p^`_ _NML WS5}5%hj$HPAP _RҒ3ǚhk5]*]{ĞbteP4<30[1VjBNS}P X;@][ TBBY..vZ{[RB\%2wGn-Ű}(sx(AH«& -`}+'bs=h|CG&,b"ԯ1^]GJhh+[?bR~ǫsN졨& J}HG;cȝru+d}'1QFN-^o.( D`dowłLi)N~߅/E,E^5+6di79 fl qN؂5UK[*RY2\3b\O={6R>0n6eAdsm. 1/{c[U$bǶW\`O/Q҉A5t4P| 3vM5"Dj:YYnî*. Pc`L!:,&EQ&Q3i :ug;P/T@NڙeE*q?;4VGsR@]=ʲT-'x斱( ¿jzVrtDgADT&y=㢡~ļ@65=^Ӊ-L:oXJ=zE/2P\qFE;b'uŌ^*#?j_[;u AmN gm1*^0!aX@QCH)r]sfQnAF.ՎK%m[{i0- uGye! f2<{ZZ8Ф\.{aau7AH_;D]VtSPY.^vM07@ x>MW7^ X| -ӚH_1t1Msq5JDv ݾ&8_s@J߹"10Z7Z< AG{λ2܊>SC((AD +!   \GhE,3j1`k %YNs .vF=`.ҢDIDū6@9bg~~?W:yt[#xuX/(e#L|@yDtAǁ 'O.چ(0ϗ':ƈp;2td=[0(KyybS!%$84e= \  { >x} `vag<@>neFOX}b<ο""JT˛\;9Xjp̓PjvN"1H1: MO 3GR_CIP [!m$Tv | vƠX.&8Л8eD@ަɳV?V[%jN^J[d s7jѹݠ/]0+ͣĀ yp$G`Ȧp<]ː7V~p:F*2ےX^3V" %=?1ս>?_Z1OYVYc&џ5xӛ(rLobn!?kro:# Ci6b52[{g%JƢ*/ce<[ْԜNOաP;[kAnJO4&ƛ)|4Ru&6-xnGet<;`eDk ɜK߮]8KEuL,S{i}`ru$$zD?U?eڝp[\׶h)JFp g4,w". QzPت$}B(bUFev2|Ò7YfcjH\ zImZ!b3R1!` bm\cV^ U:6+ڕ[ ,rtdMe/Ӊqw ~̛/aͲf%D=o0M~& 6 +}H5ꡎUm# }U nkxGoP8G-à"2Ht궬NV6ixq#e*CںwrT7b.4hsȫz_O>bIvѽ޵ԶU/,?.ۈߛY "xwX:l_$-LHH9-O/"N^7Ug|OYphs?;O/_ <&Ek 4 H-誰m0?/KZk9 KtHvO%E㐨k :ʊHa 9}T)#gV5/#6iȅM>[%v9c\}<"$`xhEܨ !]戉T(JtQ g7~dfǙgpMůu~1UoNK IԞdW9<J5^f"F0w0m5&! $d?鹥Mfy dt\愍·U,J`ͳa!RB2s.'6E.ߒm)C>]dl=+n]53}3w5%La Zhϙm+rieEEV@;(0 "2$ W ,\9(adFvJ qUZqͯ0mPHl ,G}a/^O1IB۞ F '%e_qg'.a(1n~UB@qhTkm 0tgζLJb4*| p./)kXD-)~uq6Sm@`s">31Y~|dyLN ,q3ےQE͂VjQ/4ZeC2md̼tv~|BW<Ҿ|ԧZݖtP%:nP0 7,Mzi) 9=m wlj lS*`1l`޵$I9dX''(CH2JjWg 3 L]Ykp" [ĸ|8meM&k䌹MztUq]X\ OjZ4Sa\)(.@zӺ٧! gR,k<{I.~gP^,Cp{| @>95jќwã' T0 §-ʚ Aޅ3:jX?]^+Ts`i&Eo.fT0@uDN{U8Kr+9V? m6>]Upq(Ր[ٴN;'+A?G<#y!p^&08t0T?fԷ+◷%=ܲzO?0^݅"Z@6f`E$TclAhmXڻGbvkܢ2U2˰w=Z,4J`$uB\V]|rwCѽ}0F_1AÚʸ-N[I1)*@uue<0G3h׵/eiߠY>d0і%SUCXT8jڹj e3zP3lXGN;C65K?gҢEY6Qk#QT5h!!yժkOW|yQDTKSEU?>J~H? bAraW<,"$/V.W.0гۊq=#WM "CsiՏyYgnvUd`kMLqzm< U D(}ڀ>߷BT5~ZKR|a&bY\-Xe !Qc0I`jVB|S!2+ȃG8+c6Χ7X?Q 5)R`8& 14q3"Z y!16jˣ%䯃uZȓT|Kv~WQIYV5&1R8_4e˓x="o_VS}[SӒ(iЧ%8G_ Ov:݇;5NX/ cc? Мxi3,yH^6Gu[/Aw8s۽a.b3ȕ>rj 6|0iX G#80#T*]cŒsT- `eĸL 9,2g?:N&Bv唵 d>g.k-IT*U-K.ϋ^ 2,681J 6rD*ȱ$^ }ݖvs?2Պ^?~PUm5搉x[2 K?W~O>SZSN?zM-0Kbxj)S*CF5$T*@FȱB *@ nǭyttfsqI6dǧeR+2 B\(I"?)Ij^eI&]76AԔcI)Sd|#id߄|H":@3yueQCV \0qҒA/zfA+ir] M' !+jWo&f+v6ߘc-ɨWarZZkx]w>)# Ō4TQU:L=`dP'x8C\@ZNo\Ez?, R}>b nykOMv9_S&jWaHɁiQ)??[0)|Ӝ-6̜dkNb]"4Y@eVRzBEkD'ug^\C+N4wֽ10Lbuxkh_o|l@"I dM|z#'X9ƙگplNN by!,1AӴ(`ĆamkCvjև,!pk+AnnkkKb3'S\_k)4G7'zQNXK:ZZڽM:JH#[K({^82?pFbf94189$?V|7a)jj鮦u:!{Y&/MtNͷz&gX;Z^P/'kMH}; @Rcj1\.P@x+yI{"P9 -1xgεb"x*E(UƾM_9 jCˇ&ql$jE9ΨwwG[ngv|zfՍ*\8 旋<'sw,_%$A5Q7QS~tB p84mc ] u񯶭|0rw@2G.Ʉ>HO֭BÞA =*!rP]T/b]WsG>`FQx{p!4RXrbƳMWAR4&t3EOEɘ6d0m6kYAS LAz_rX S~V";4lL] e,j+"u7Բt;p1iJUe\#H,id,;T߄?/cҍE0E!¶[o'Z7lt[<YGN8 Xj|˧7ZoEvV'| DNvKKlM3y\˟RWl$ytiOtQJ2qgbp8R&O]`SSxt۵ 찝䲘Ru6zP c(f *XX] ͤ:5jؔZ?ҕVIBV-עH% 6/M]TdQ!l\1O-床_IN>oM{pG=AUp^Pn¶G,H!l&rHi1L0,Aޝ6,~X[_{{_cGbrl3mNs>: s@ '5cv%dH FB(#d+uOJ"4\р3amhFu |B&ǠhrUWF(1ؖ>b,]W=$"CmHXC/w8@`$,)f[c - 9rZrӥgՌ?}Ydtz}Y,kÐFMՙ!:W #ux;!6 @ iRדY~ ]tujkd' e9^r,5&[ Q69=9W2.˥υCcrz86u(L'~waq>sslZlrR.sw*-hf:k4իmp؝ڃüOiC+$ yw४ [dW7%nTRfw*t ܎5HϽ l+X6ϓf/Xqt+MuuGsq}%$|`,~7x%r[nu}Kv aHlO-' ʯ/z#طhOU YI^ }Wɖ{ ĕ!gu[{éHV?o^>o[emDk6'|PnXf0$|vq<bjT Sc/#$S5Wq;m;p/%x:Uk^ԸVƿu%4ǾAoB9^횯fyY6, 7 .m8?{=)[!~wuUb&zhG ֩5 at8>f[ =vf7hٲ"D?:p훡^pws5BN/5 !M1)SaPmea69hjU>yv_x|>s5 :ik7:"0>(cf7Ik`H/59\9qK En^=LJ{lR߇_K{:uKOE8%SOZDQb#0`VGކprymP]eEawd$ [򻘅{Nq`15:rԵVV$JytPr{wsE<<%X]q/E ?zyA(qe~CZA]S!3( F`NbD. Ba(E<46E[s0Z͈(0 ~jI1j*cWzC* y (L [~?Ɠ6num2)?`\L> $#{YMOh,G<%ntRp@JrKy|t% y"`ՍR<6L{p|̏O>j!^Bi!lx+6GTV0oTDɧY4eǛSl8kf?5h<ӫ%O7r,?Vw]Nm+!F[+#M=p+53 P! lʺ%6/T7)ŃzAhsiRR`jSm8 F#Idcp:E̻/D4`3<}"e3xHWP\qE(Sޥ[Y;,nDF ߧR}.w ,J]fXS?9;.+.gtV?ZײHZI= o ED p4B эlRmwh0?+ԝS]M]d6>Z O~COFN9̒ EkM*TH?cܧ$vS mEo4/ mk]dm*n]_na?!@kJY{(O"kTi+4I*YEnxܷH-QPF}JF# ⶞?꬀-@:2:ID-H>HTO U%#٢T,\tI(ս0&Α[{QF1~`yg~TO-Bt9ܗx@͊jZT.eC&I*p!.v ڛC6)ɛAqS4컙}h](B|ev oR[0!UrC\‰S T,=EMNW *gjORԹT. ɟ̠ ='b̡h:fVR=&CB…NcA>T"V^Ôchpsx{OO|3R$ IU`^ {B#?=o z4wuM ˾’Ir d1qo=#xq9.&[9k!%i ~k',GZtIrm:OD#yX5B.\ō#2/ Gj?RNBM7g:Cȣ?~BI;G9?-(UWSxV .`Iw6ZOv@)(?W>3=wu#Egws:'Ss%x?#fz&qbJ銈Tǐ)]N\F>i-Tc*g\+Q'%C}%ӾV O!LikSt!$I+q{~vKSPfiqo#Epk][ E/d($/ĹU8o46}.Ϟ.\_Ldl0>`RI}C'Xg&Wul]6~PlY>%& ޿IN"b (.93<O 7H r;#U.UȦ^4ހ NttU`uE:AD̶ {[~wEu=9RMBӿщyslڬ5\,@NniSAߌ|ZY5D fC!M\bKP5dŴF d%Y i~ Ssf1s;>:(6on1DߍGo:hQGч+fy{u,GDR̿{=eաbO}pۗB۹.VEV6}S Օ(:P$tu_np^`}*%Jw?_[c|ZwI *Pl>ْT=H0qPf< oG<a0B"13g-Kٜwiq]|r׃ܦa[1KS1ckHgkLnPse.OFnb{[hD0\#rh8o8H!ؐb^Y꼸 52CKM)ˢeD4p;L>;3wֹ7c*"ƛvyMJz gOϖ΢+Qqӛ^ﭵ_~<񽏍ɖv+_XВ+?Y,nRaxdM x?ltNHB96r#B$"3RF __f:] I"K:J}[ ?uumg($ݜ$n%;g$l9V ,B[1joWD(1>(\%5j :sXc0(e$~CFO]/w@o-rK$=",ţNr (-(^Ad&liA@VW'Ҷ(Я@ͬQۛ}ܦrSh>k` r`1c&<3 9bZ 8cP{j>_7j9 n8 W2ȥqyC@4aH `v?8x372weVtdc)hWyA_6*| 4Ko:j[ ,&n$S'r&^RljG^jXEq02an݌8ci[C1W0C5ؼJtKt$er+FH@n'*ggd6Wu..uƐlH ]*|^>N@nݭidmb~ƍf^ۇ3Qʎom}n7O]œvo Q#P ѭ]cryCjTt?OѓwS9ԷQl<4"M,507e!ᘇZLꉷп~]^K:%=VK)nGȝI9MNaN02HM_L/Jқ.ڋzОw=X܂zT)#P#N+1ޖ:'8Us L:A5!FD0X>d3rO e- pjIO|¢At%(>Y[ذ⭺1S0s}ԿӱtKJ:M]Q̔ ,37lG\eKR[-oY>C6NP1L 3EI4*-{.PZXKmAbmolD8#r]ɫ?9:^o/L&tQ:>_'o./Q$Z;6@i;L)]sq]08>&`y4s0˓_P̖2"7 {qToxv5\ cRLduܥͅ7ڮoofExW:sڃ'.8l&j,2#%N$"`a n7Ҹ ';ϫ;'ERlK*"{`f53Iu'gr+x-QSOPAWq~SD4TrC\mzSDyӀ"HJl+ ×F._JD]%٤̚S`Ρj·VCml*G: P6}aq+5m[&#FLNѐ3 v*ӛfhz fuձͫ^As n ^7vk5Of#[k"Y| Zt;$+ le06GF1U wf6vhx^~f?9`|ӳ| V|dq{EZHMY?%.țXXƌ \bbY#xdXcE.@lzM(C+a' Ю! L?MAG͐[TWb3pES yР!$3?z2 y4|X`zvծ1ؽɩڤ֙ۯENrX:4|TRmMUT({遙S Ai. {0PMdZJ-8¢`4&fQg szC1c©sD9[$qh!z0$e1lrDDlQ̶ E^.I~F*dWe7<=8U5<6Ds Sې .*s)MCԍG+ :/le,zBZ<5R;Vp$x Y f5Yì ?Sm5;.9EM-$e}$,%R^ẳ -fT07X4m#A4Еe~,~?T3ỌatCjXE{2L@G솃 ҽsw6q0*Xcp[ѸM:=`p9iBFH/_: 1k:Ji'wy aĐ.AԺ^ 볳AZe\Q|zYM0NB] /\tNtq1J a b&wA:GAs|{,婯 w #W:}ޤ >?(0Vt|eTa _@dɼ,nbir8C 3*wZ[Ұ|i{Qa/32Wm*ǛBE'7u#!( d}9՝r`Vݒ}jo8ߝ{Zh [ ރGerZ"TcФDRUV>]#1Q&2JU6! D ӧKJ7 F5m-8WmHGM̪G kt> ˃I&,~6Ǫ  hxX\ta yI'FNCFҋhU>E߯N.qhz//nθUQs_ɝǂ2Q^oEkL;.: nxJɟ5t} 5ո 8Lұ_8%0;nҲ#7 @7ܮic.2r?s W 47+Hk۽ȧ}b/k)YǍzb񜼧Q,;u~; 8Y܇&8,Y" Pa"l6ӎ(y#K EhjJ3Xd> Rn9SGǫ3u>"΀T颦|G!I֤QMT_yrf,9ZԥЇyl<NP9Buߴ,qIyfͅd)NfO*.VKI0>EE3-)!a lVRA#WQa&d ­h&9?4?t7Q/yczI,u {ޔީWL?%Mµo ߩ{p_'9G(8^p&6cbX9\ǤBZ۬>}7dk[/m?D&J\uM^YkR} ݱ| hМ'fodCLl*4ZB27.(^J}ԑBԆQjcB*5 hHFc KKi ER.f ^*O Ld6. Rh`C:>eVK]Y-bExF[km,}s:{:̥$[I^c E2KvzLrb tTe%uB+ ^ʦDKp|1J/TӦ|!N!;"aͰlzEs(y?[AZ*Xʔr7_m ]hfP2)me,{8 Rsa#yYWz/5ҁ_]f~q])^M`DQa SE˽, E7 7')2|"#49Xy韁%4O, huOaz*;Y$Hgho|㤢CnVW6/@[>\?*pyM;TwXP.K ŧxnCN+[ǁKA0YR_sE!=sSJc;5 x'#^X$x^ @ M*hs2f E.jK^bǵ:2r){H#%$l|x5]V4<\GzUD" /6&Ajc[? "?bP|`IX. ȥ~Dqxm#/Ƞ]rroun ޾'y ,EQM5P1l#=:gj-ȕ.F `ibAM\wFIH(Vqx]B%e9^!f3ү$q`t=} ^24|I̖b PM'լkڲk!% Dygr4v;aOOnlǯn\@2MkW<p"'BO9P.!ǫK x.C־H`X}e"t)h QHzA7 {.my{7ZJG.cpn Roe*${TF3w5: !Y]ޡgwe3gNQ :Cis`|N%38Y|liط>66Qչ*f9]f5̓s҄s8v.&(%0E>|H<+ sA$h͝NUi#;kgKH C pXbA4ٸ h5S(ϲxP`{m7 y9x.]<ysjEoX =!G.CƤ=zuhd7?庇{ORjn)LV[x|"CLQfⴒ;a'4(jaA _5d\z4B3ԼWx Y@vdQ{xeCwL% rS$-Ecb5_jq}o]([S>E!G\ޮzp,(*tgAxA?6*P5I$fÞ,$dQF>Iၰ IwL V[(=z!lz6*w S(gV'J) xeV^ ^MNyyLy̆FפN JgӾՆj eUtG|v"9K`w=ĀdApK=hNpJz'&b4wH<#O<Z׭/(1p5{[R~=1㾝Cn%B 9KPu^;Zch'vl(Gzy LFnʐ?63q@i&,::/.K'DJ(-zџM%[S1k(phJ?1-kfcSB~GoL12-~+z/]|s̟ۯfmc;JM]׍=@vv{tn_Όs?#Ȕ`f!yQIq疷 #89D&ެ-B62sxƋ |>NZ@2JMJA߄[)(9+H1^{0;fP uVDJib3=#SKGPD( F+nU.yhDO>ITK*4 ^`A,iΠn2ϼ&ʀG5Lo-:rCv v$$1m4Pa ,yF$k<"TH98a P"%zPEpੴIOp&I#Wtqz`Hjc qf{XΩIm4_痔QMRR:J Ύ\muj.0ՎWye@хcQ7tBl6yh kci>6ܺn67j4}^sL; wsL+3Nm ZoPѺ Vy3 `wƈxG՘@8jgS8k}K[}F'b܅.7Ķ3;d ?)e*sQ۳EZ3y@b]FG֦uBϤ#{]ﰚ<3ˤI!!smq bd |nybx2h+􋂰JAGd:lik jGR4lMy{"tѧ6HW &zEъ9s1 Ƞbu<9nr1wT"ޭ-o]7Uf̖#d9yĩ!-5k 2uvǫ~&H + hb.Vo@cApsV#67H_ t&9*.4KEr = RN \/{&Y=*ak%Kɗzݨ%H~ox w̨JU3~ob+EDoy&256X^ro8YT;M3.8EwrY_V|E|~6w+QMJHB Ny\.@ɋhw;2Un[yrB E{zy_Wov 7ejg (R+#R>@$ˆIn`m`Y!V᪇ElN;Vq3f7cvF0D[H2Ur^phf6E3,AzSӫWYn5j*\ն~Am٨!_zՉYڦ&ֽ(OD6pC]YNv!]z=*x<>6,q'2܎L@s{k*M~bo{&R]YY.<-f 1٨64]L hZ٬pPTq < =ac.i>b9I!-\͠E,&וa;0a=%!\ksB52 BD(t%D`#Mf\W`>17baz %ur ΂g %"NXדx3)vrP.aSxn.cD_,f'vNwF@%LMf>G/BV(MCrJ/Ջ5rr"mE]|&jD=CU} ⧰0b#ASDfA(TxP1RgKr Kzl-zFS/բg{5JFV˃}lUΰX` d澖<~ /Q .؄3pdWIHH?4wIA7$n ;R8`Lol:՛_dk.U`pVaWl+ )y ~ *,[GRȚdDY2t3 Dhg ւxݨÇׇpY#fiXۀ ȩ4> TVuUȭIo8 #{[,Iͧ\9׾+諯,EOm1g&#ga?!U1_fZ4Nu0͔pjl:0i(*@~@.v/*VGggϽب4֔"$Y<% Yh&@27hVfћAF%(#'=s5d4Ir~gܧ,/Lm (T8cE"u S[2}߫9XW s,WF3,ڍNJ q1}5U)a; 4Yyg{7_s. FWˏ%m.S(n'Åq$͋"Gk\t=G(՟gTSN*ՙ+乹JHj#1x<0mAW#Ә;~\ uKQTܚ̅W z61eCx/ѣwn7`2OH!rɅfpL+*μ%gt3К7SEs(L?" 8I WzPhڬmpVYGYm "RDZ>jh:FJ69r bKP-zI~єsInlfs<-*멣'5|&5q)xIB/hȀR>#OnG!=VOX-9*bff]ٌE]8c*3{ fxvGM$0\'%ZF rj~:I`mڕyGucm'qRe%6#Ɖ u+VQ(8|IlP?eB]/gD^6-1a֝p!Nj<eRrM~#VOn$rB a^=IIP:~&vے9o! &*h)gl;7%P'9/L5[ybk/p}rK0 Em `MSD;$FZsdv6쌩Q2s` * KRDJȧBU2/U$P7!gMI.-ޜ=˲c9?ey(hX >cX/kGv[B"+BB:ZCUsf  WwOzT1,#-" ʏi߮G?oA6,t w3%K0isUaZϿb|GvVCdsJo6ƞ/mq4$U5Nfc |\bS'm(X\"-`\󵫐Ø#Dt߾qKLy7;YBz+XaWj4ɀ-Ktد(/5Qb\»OF:hnM<c̑iW/"`m 8 Ot03𘮵~FsZ(®97mZXaP *qg7;O?vYmhY|h-C=\S@9s.pW(L)6M}j W 9H[ݴkebrg-`_TOO mhϘřʼnxElsOڮaO00ܭ퍕<P*Oj~ʄ ~䛊cqy^֡K~oygH]-~gijX|_&CP^RfkO0s>ŷ]#xς"#]dy$> xuQ2LQJ7%Rgr8CxTS)x7ǡT0WFqkcW{1#2[N>+יZh?A1LT#s1r3fxp od *"޾چ ?CI:6?9Y<6t OAqnn_5ԭS\JT?µ* qrc[OΩZ^I[^n'臠b2hݏb5NHӞDPe.3%2^@DJn!ІH 7CJfΏ7toe~ *;t$z`X#a>0z j`ׂ$2ߏp;si?U8JWX:Yomx~M=]8SLh5eWb]\͉$3[`°󌵀Shfa" gXK}d1c/𭚅rF²,ʋ[>8 .`J*>O4 F# iX.Z[ܮB*dE[͔8C]~\ ]p kRm䌘魞7S ^鑸"HS Y&Oد,̗t߂y(q-D6j:Y$E#ݵYF=D*U11Vjℿ'}ʴZBExH;|wr9(jҘA4N7ƈy(.OM Y*\ΆJ2!V4Le;lAƒ$<]2GNNN|  9lEbAş L[>[ [b[JZy. N0 PC3cQu+aK%t2tm*NӷΊR:>T2"$iDƳKҝɝT t[QtjP1 jݝ_itӁoG\YҋN@Igi\gF+?qU, Cܹ \q˚ZU o+?tS`UuI46YM1TSMω  iqzboA'VxT޻/xM#-J\gbǜ&b@IjM%C\L{<0e xByČ5~?,Q2Nvq ?ʹj9dͻt:ֱF+͉'LPC`zڟ8:7"}wC3jc$Fp>IJ![߻QFG]g X2ZofZ6 p=Ku$<&Nr%ú_\U~GBׇlZO5`ޥnBkՋ=#̷So`,ռ|'B CfTFfQ9xm/ z=;<2Gk:N%΢>}OzUD q979a !OWSD3w\1| ƒ'?mNq w罒8귂&99#xXT%g)=$X{nC*ߋTf{/JiR$SzzX©eDZ#u.1ϦdD!K(PjX1VEMl{-@}?d2b,r]?;s|b@"?nF~pssaK!JН6AfwӶq f]} glw_8",ǐ?}E1W -|t%@8v:UwWC)cH;pbP^cJuZ$&,ς˨QOy}$ ᭮;֏]=mH@dIm”dX@|Q&JTUCTW[Ԡ-4K$ғNzx >jΫO•11]x$ξ7xTNR<aBm1;-jEH%_ahڑb?㯘َ0>!oPXB2t]tPJ 9y+]w&;ͽ,F" q=5Qj犫(qk*l4 C"uD> M= /euN>*1FKSy1wU ɨ.)IEK $=l7L6PyKM9߬ E;_)@l qn )dSZ '\ (DA 4/X! ,Uflg4M6_28sNЍȦT unb\쫓 -–%)$Jɀic[hww}@ZwX85T6CP/̖±*.3#*EQlY{rDW6 7pw,"aFMԜ0_D[8Hڻ);1HM,jԿPzԀJ_uLR |ىonsZJp`p0ifm,nN,IWo^uȏXD9xx[R72$Hau-+o\;]Ji8b_` niF1z{N+Vߺ5쁊h<ÄG7I!n. )B@i!CtŚ$.r]izϻb5 M-%LEerH *?d np,`!@NUsPi5ZgLj+L"dWEמW]0ӳ LJz oVغ^'2٪=,>!i1 F`RErWִ5,:aM&t3FՋܿh1ᏋX4;Z rI5|cU]v52x,5Obċ)و7a/[RD6.O~%K?L\21z$4%` 2=8` rϵ nV}emUjM{OO=s`kgNw_[M^ k e8FW/=/_EɢU;q*V);R~ 4w/=O?d0y%0T3 5:X} ۣ T=H*có&aSOtj7|Gok, Ж&K22ƝtG`Y1%!X ͜Н塄L_>@7EeRg|29X:~]j]|}j?{$QԹ{ dUsD_H|s_6?gJvh3>Sz)^oXK"q OH/ܞ^ z,vvtl_XEr!P_`X ܕzvT?nTZ濌7P`dSVM 7,\ h޵5 '"U 0}$-hǡ_Lxh=,j鿜L ~xT㹮a#R˫ED2L1+o>o3WXo3)$yB~5@ FyxK֚ڽ"kQ",U`2gV2$Yݭ6 8l!Dn*ʟZ/`m#tuV~l!;CwDIs슃e z{=$d5g_LdQd*E=|Xa'v| i/._YLpj }HC;GM %`rM~b, A@݉aeT$)) %U!X\bZԞޤ34i1Pb;.H'J> !5M@#`,8[#@⹊er6 BXNvacɦWy l>mgJV!z֕v)tcɻe8׫m 5RUӝN6B(23yz+qq.$ੀfn.;Jo,-1j`2qU X=KN:ZEƴYTD=sب\=#mҹȹ>4L¡G OFuAbrqOmGܯ\[V|c_aq;P]՛uݍ!@Jt݁!j"o4H?!xę(Ϩ74~;Xku\i0` '̼?'SG%^aPmv6Z,Ƽ+ebnY+48$0'9ۺB6m <͢Q 0F{ j#yvzˑvΏCox'+zAB^| <{W ɒʽ#/(' %]8?$Z`cq߾ˠ{ԣ}>F <^cTt1I 4^Ѯ8x {j{XpՊ1:;+j:íI5|C d4rõ5<: \*U/$w=`rM(WyC|T->CtBb:ƫ/1OUSG₴MlR 8`b;Zx'SE/F.lKΧ >gۃwjujDq&1! hUqfen H| M|Co8Q <.Xi븍~" HhBQ {?7*G2HaIBz..DA#- g&`i%nJey,DŞNgWċ xbA4xYK&ň|G#[6W'qRC/)v:P+Y|ӍY'xOFg24.`K{ä5(,; ͣarSCE(& <.VlV#$GQ{ kּhsC҈L'ռ !2tܾ؛5$;!)JeһZ{!7ȥli mu#)ixdeWPSM|8l*7҄D$6)QT͋!- ͼ%vETB?67 *kU`/rǯVOes7cbͽ*؇[*ܻZܯ !eDCA_.LFf8Bb PqlVE1\gt=Qd<'prHE~Ch~-:7D\T>G<:gbA{)M8]Z> ]RV׸aOPV|BQ @=+*Z+a--:>Ï~+beB69DE"l zs.ތk\.+9KOid*/w 0{w %!*3'hIiiNO ˼oW.\+- UW&%dt49h_]pĢ'Ҫs1FOwrFSy}Agfl)H*\d/:}s.t JD O_paGJ4h4-%dK9eo), ~c1bs?CF$z2Ta!/K.ὸoȔD4 'UmY+NKR21ژ(yztgecaHىl{AQ"#TB$+﬏YN>c ,ܯsm -+:n-l|ZFī7ɾ\TI]{^۷՘Q뎈Ǯg$aC~ei!" ;@ Q 1N`UV }7W9=6-)D>/PI.AD1wV`jALT`dzId3 k"ɗɜ~}.cXjxa%A=~[nbl9ݼ `ͰQnBy@Ifi"\m\qU v/u:uDY}]\kѐ'кsPD#9d2ZyP>LjK:3Gk e(msq]#vrZ Q’7 ːڄSF<-:so r\~1a\_?sɇ8&}RcWBsel}/W U {">sgA1c.*YN dtJx.4lt猜OoejqL, !xR֯X5Q}|@%PDlfkn #K3LkWgukSʢhRl"vЩ%o8VsG~u^tEY ] EpL=63NC+Y-~f;rͣ I':D%si;e1rNtV BP k3.5חglZ\H)&0-) % "{;QkZ |~!8xY6!%%ܱBK.OR v ~c w`_N%*Α7rY%NG`+lbлٰ/BfH`2 j1}Fed 4V~ҪX#ei "AnmP!^Г#ùkbE ū,o*GebKDěAx<D#wvU<|> h)Q}JS_e)`A`taO)Y<4gTɒStʵ|[tՙTTJU_gR'Gf0dZzhD)ZYx8v ]])g1Up(x ",ݳ:IߥcAcs^%yέjihp8YkE ꍿJ?JtE+.W# <di`sg#~ᆗ67 ?vLEqunAoBex5}S=8kТDB(Zyk-*n L'/` &V>} -2i_o݁_QCgzS[dsrJaovi&z䘘^mV dije ]*k90]%D͇7/? Nͷ9͜WӉR^2{)h;GYsX`Î"%f  dqg2Wd^fo8|R{C8T#?@gq(p}E`)kB8 oMȇkU>sr)XԨ0?΅߆Qz['(x@)Oׇ`:D*t1ːV01XSz/V05EC2fma3N*0DXw ΃[ѷՏ/1ΤsL)I|ugCRtaTRzLa~ p]#hxTY(rbTsn3 oy:.'?M'3zKqnVOjJj_@Ѧ5YygQJ>ޔ=;QryY~\+{@%8|&H%Qd 09ۀ~XS3z<i໷Kt X3!m%]>GTExj`>?٧y~ov} q#TQL4r@]I|btTPζL;>FL[lkw-m8NUzeMYf.530^Ka]+uFgQڅx152H2"d1'GC5gyրt K~|;?5K vJ;Aj]_9rH ZSz}yNqX[ⰢAseJSx7=OtkѹفoP7;knSNȊZVm oAlI 7Y)ǼU@$>1BJ^CBUG< /51ĢُgUJ\CWʝ@J6`IOts*Uy=A\i ~9+knf~(*NL/K37 LG]C8t NpE#VJjYHKƾVΊ7 `BciIcC]O1\: 72 E^qg%y qR},bL֯]}7Yak\cSkM-s(rvw&gLN8KE_|< pxsV7eБ7k|@V=Jإ^7?۔]˞£>iP~hfp{"Xцn>A5tg$EPdPq8_|o10ʗvE2SQV4P٬#t8">+8'eJBOMu ,SY9@ FSz&^_\kJA,\Ǯ8Q@thrctѫD8zꋸsV1T!ZIPS}'Uv!݆\ODh#CeM!\2d5;fh2;Fը0Z-yɖ+|0xU鋁T[\|Lg`t톈"v5( <->/ĆWu&M|̧|.Cڀ?׈l?U2g_=3_۴J_G{9 ɛo.ա{z[xD[iT3"􏌜i*'ʛJhߨJ ѧ) FE&˕e?y|m@o"WfkDWCQJ;>tXA>#=A*k̤q/\0G$od=ӵf>LMfM~tŇT"ϐeV?%C?JRh[!܀p0Hx \ Ч44V#&#f͂G|c_QBzNy3 AX}rgcsߣatE1osB&l19IB[F]&إHk7+dhC;0@~x"1.Q?&K|DKyG!24T4L?Ȼ6)*w➨6ܼ$+$/qo`8UEQHT@,3dj×igXZsPsƒ%Caĸy0>!ҺطQ3ڗު=,Z$۹eVO3Xj~an3\𔲢ySĸFt"'y"J˭*GSǜIsAU9s^4 !D8 {mFPt1,;$\HV^Q HXRN jpLcVn).`o??>lj[4 ՐhO(/1.LT UNtt a^[Ҍ=уO<^> g7R;oR#% M!,/˙ ka+܋(0gxJ=O'v+aȸ1m VeܦX|T)ă嵓#I$F?7: eJ3VVʼ>fI@>[avR@7׽u0u lkUGwo`tS3ºI^˻D`]fmYbz n0u*"Y2O 956|]m̸/BOUXr".b^ n %K($Yuݭx_R5Oˇg77қ*(d ٣nL_$UJ=Fr hcPm. ְ"tNM/+?HihŊj#e_O۸L\ײhK hx[r}=i$:gh2F)8wI8~&G72|]b>8{شn]ֹZwxR`+2,3ᵘtҨXx>!ApyW_X6,!NV4R9ň>XB΍YUyE1xV)ra<0dġ[ۓ;QU_PAR3߂Orl)v Iγl] F1$ u=f&iEfpaT@g$G_甜5$fb¡ X73!a򶕖tV\0:[.ZFoSD us涕yCn<0^a&l?{LO3n(aT\ԫtA4g#~>Ot#ډ.Aj| $nťؚq|D'f=p ur ]E.0,ٰdʾeͽG/Z3c垟[Y{n(vEI_Y4#lNބWV*u@IXnrwz@S]|0a9h 6=A y™`{!Y@5N\ mx{UZU yAH#carB2_! F:q̢[,bxpD>xL$VQCEATv5!!)jmFbAԌ8rR}+=+35If`9ww&7L H‹1&qI6-cg(]gNq۞Y Ìڽ{8X.Gd nKҨ$]O_P{ɛB[,u[Bkg$O8}'![n >F;E䁻\j?]csI=~X=G姯hC'e=]漹1֎>}(%cx.i%t`ѝ5mC\f Ui fucW3>!d~4 T:W2f<ҎRu GAx'(aNUNWN C=kCeSd$$Y F.&#bh"W#ёz$f5U8MNVba-Ӻ7byU/ @*jJ_ybժ^TiΎƣϛ& D&ڷƅaפ͏>-ϻ"jFszPIf}PF8M'A81vŊE8T(iz|EAP}A $Ԯ7v[#$w yFV.QB௟R-jt =/{)"Kƿ>3rFTXC=\T᎐v:qlb+SWuW_H&o4G˲^:V)LE:Viʁ^)G%E.8 J}`pbCFlxijLG-+pEr k'VvIgjx+)LK$l}`ejOAf Zw$6ѮN\DҌT894BY hܽK"KSFY1mrWQIvfZ+x~_  sEY8 ˸)WM9Xe_[[xqH-Ai~;@oTX["H3=9Z! sk(P-65埲Ԙ3wR(R4|eJm^o Fk) 9`!BLͤĦt{)?|Jp(} {#-ޒ 2k\oqjFsͯt$X%yug-t#PwB17:dہCDށ](UxF4<%?Tʀ;Dg.D]̖_~%IkI:XdFb\_b㏚.GXjyPI Hr /'dTBݫu>vI,o~xlt>!}'Q0j^wՃ£^n|[5D<w&>↯UzXb}[^eUe[ *XҠ$7,g<]"1ݟ~uց]]ҁ#?Yx?*"g6!4fV ^HCD5!UT fќD@`v/iI8/Fq 6$HKOdQ /[9Jl#o9qU܎D\ZOGĐv|8(~7RŇ|2q<]xO:mȯt*(FxZ#/%uR=w\HvVec+s$O%i.O SZTEnу9JħQGʔ,жAÊJu͌FU<Ri9rYG5iTc( V]T7zlEo0 z&eF:`,s L^PF=W`1OR NZa~1Z%o<@gX)m2"Af$-7F6l.n{A7\ lA\ E&F.O?U_S_ sÚx{,Βi'zEpٰsKjW*'B!s1}E~Shٌ/Q_Jl-6+[Iϙ]IO,vK^D?D!S[}tN^$EN^{kOpW$O*E^Lţ*D 9M,זhʡ-m"{hڃv]tuBUoqB80|0 H6׭fGoHFde5%GS|pd Z굆G]|ȕ:K#QPJ6{o@|P8+U1qPRXU@D:lgG {)$BXU(Iۡ]䚼ZG ޿}`PD}WB'F1n,WI)'}Ff[ИXI~~1UUTqƤl!)(\z7c_16mIeKn<$C_qzF"9T*A:C N7c.o1> +n51 sfͮ2u 7-(=A""r#!jbΑs>>FroS/М"#I钁j); x~<1?]*V"#V3ȕ LDmSFw6 QJiUI =vWMX@nt$"fT~|QG;PVbQd85E b~ԝ!!ߦl2Jf|,w ιPLV@#esƄi-`*7}7:7xaH琻a`[eu'Y]y6Hוa9ugf¹7~TYjFn'\"/ܐVbdh߃ E43?o;;տX?IpHܗ^aǷ6yI^] FA8\ǃ3)fdD*l$Tȴ+#~ fMK{)͙0 1 vJb \`c0_.pXF󫊨|<w#~] o}/!0($-=?%~ TK= O#Mfm»;b–r߸xSfnڸоIqE{ nja8RGM ܥz,siiT֕CN4qؒK9}tι3G1w^2"/DAB+ƁZ)H>tK)Hbbtf,2ܱ?F+4r^*rQY=BC+,vK ȃlx,8h-K(TZ rykFf5v)3̛4E+Nci" ?ϤdW=}vhSv }Ż12+| =O tDDd"XErl53poq"(OFSKC-6h,v>0cy/EDNTJ?m5nfTGD/Cs>Z&Q $՛K[3=P&#I:! _b>,!mwTVǁ؝H:l*XB1PѩR55 1tgv1$˼^"^@HC^33i[!f#f4Vh3$'?~SI]'YTZg hh'b'V;k s(вz ֎'P,R^SOϪ9w[N=l+9,#ܕ(lvMm9j(h,e`s"UKWO7C@ dFzU 9ٌJiR%PnGpL޵TUAHj junvi0"ɪL f3(~>IZ_Е[;AE!RQ2xrq,pVP棗H]͸>9]$y[uc#!G pC`A)=abS$BHKuYT#rSڄc]`9frTۓpٚ*eg>2A%"!z[?ƪthkAe#\ ;ajJ;Y[p bzZ1#1Py[z6blHdm/jBIT@u C]c#?痎jL o2*!;ЦrVXbF ;4*<|B_5)P7tzP绘ZشY I4bRnkSMQfК2X@-BTWsoE:X[ajvGllJ!9A<-'lxL^'hĮҫ-Rƽw:8پҡQЍιwLFNOq< {(qkBmZYf$T+3_'V+b\ENh_=^HeҤnujM]87mWnKwk\6`Fe*ǘ~XY Kf'rH팁Gfֆ՝#v )삌Iu279؜kZ8Lq,\Rf_'?*(;ykQV4bL"|uGw ~f_ܷ6hxnHeaB)r =8{w~6͍4ʩOjF&^|HVag3Xɍ_|o cGI;ԛʶWIBC^]cYΪs_3ED&; % NpHbS&[a \cƹLU5H.U,Rp0cU}3K~g4.Kֳǿc ]8ណzF8LE OX`iMtČ=3~Oe*|L s\hB\}_&DJ60pmM<*ۚՍw}w#Ε*+n+hA@$/(N6O=z? %?ah%l팝8uVK# V|+-콓*x}5|CRw[@2 ]⣾U^~!R`+yh*-\9rO|22P٦4Rc; xbˉO90iҽ6阯s2IUZXԠHk+cnf R̤a]>"UdFTVα6ܿGpnu߃&f >4!u&+1XsQk_(%;SnO71=Ib= }LjzǮf:mKKowl[87dfH%"P*4♏E"?!J4@]TzB#/XN S(ӭFY;l3C} o= ! )ึ⎪OI=3rGFaoPnӋ#o 9S#AlE~A:FVa-ɧih[ Qx։پ^Zv=ӰWIb;HQHI}g]_(zY/Տc;/ܓ8lFx>w،|:"By" ;XT?֟X xxOfŏ QY  ʗ!L(A ]=4b1Vjq? R7Pb䉹s+^ \*E 3GKe4UMFS覓y,F]u5Ad7 1"{F89~2U6 Q[&t{WfTk~iZ_].˧,EUh< x7q@2uSEX#C 8a0B"I,#< Llz4L]9lJR㷪RJŤak_q\KmX|d󭀆 ^LNTUu=ZNqðoG3S LP **m?-$O\8*[IQtކr iC^f9lq.Շ{/ kI-Si Z7MD;'l+Fk e#U7'e)5񰥫KCX8Ւl",.g F0\v&*v}m'EVz)5ŜYιn>dv~`̌9{+krp yGuKƙx0$E>|1gN.ɷ9 # )U'DO/~P%?:ylQ8cr+mno^OC@u#!'3P!#+DJth(ץD)c2%U/ĈzZӦ99%}(gX(:f%7jQִe9{钺P/a񖒆w .^w<˪մ(W"!K`@aPU21:kDaKSΦI=:iTHRowI 1 nѳ\݄􏴡w*bP_Ԩ}C"yUq[GF]Ca5k#^Z*yA(%l!ޜ[$e5,YIհFt9e.8K р(8M|LlCnvx&&xi1Ø(ɶ/4eӤR#&SHTCFѹf7_unQEPcRAidC!4^عtG{ns+7b ڶq7ko=r[H;E&?JQ~d?^n̳k[A퉖: J] TYԀq;U5O!7YZpkÉd&"ͬuϹ:ڣYq4e i0N_F:tXƆNOBڎY4.i=0'0a!)Zcx Et~Jc9j<0puYVG.N=P>AGM#(?Gpّ iuO ; jCfmS%1`Eʓ=UWCwTL^*iNjy==YG JX0"&^$MnV+u`^7oYxӭK9⺐ۡe}ɺM(QC%*R綴r=x4e}Qg~rVb%srҖO@=;+[ywn5;05QV(/ 6xZdm]̐:*vR(%v˳qJ>XB@ۆ(XNJ„ r3کG(>_wnYPJэ:rӸY͗W@sl>HI}IG\Y~_n2/6f )v/;$FW擟%l=P)N'B3uqW h_@wuzI59χ$W8N늉Ԓ2/0?##pUmU!"DA3=DqhxNrsV9I"򪑬RyϪ󈓋ߚ~69!~ĤJj,p暾ZEsnn 2 >T̵/8uC-ҭ NyGh !rtN|AѴnZ O&ZI+Nθr/J3lUkc"C#uQjY'baŕ;ʠ{U@tMdTd?+Sgv#x9.v]4$RnNAZWQdshzd>hw+%\% H~y$;*r87>IP9{DSO\SS B-ù-Qf>ˠ ޅFOW:E*@VY10(TgdS~}4MkR2_2 :aR@fs@Wi^}B+3wuSzzqc"σ0wt熍(3FoŘ F@HvE›cl]$ Rt RM( g[L,W,p>cG+ 7lsqՋ؆kD-=Qz]sD&;ѧ&#pEQ>ʻA`0t|ƍ+>CG\oH )8~SC{?H jiJr="Y@F!R5&ioUzdP58m\xWۙfw< WP8oda Djm(N|nfQ왹V F4g 2:#$Q1 %%Rk0*SyҮf!6] ~:ҚMxAGOs\y(h΃L5j0Pj6(Xr|0GMXXQa>C)QZl*VҪ|%9 +]6mz~  xeADD6* !0j RiL2nYzzζ N47h4ЙLՙf`OM3ј$v&5ѦQ!jb _NMޮ& ;nY>Sm,B?8AO?U)=եmI@}ZpIr]cDro;Կ 1*{FPAY,Û4ໞGZ4m< PDd&CkƒdB _ёf%l4#| 0r.m:?уdf,*F@ Dvr4ylܩk؂v)d5o6ձ:ϙz^jZC #)humcXZ-}+  9c?d\nL+ωvGf흊\?/k/93li=;~Z\`20.H O+Q7o*-?ftFZq]/6tzw\%/h6S+X9=F^hi)DzϾ*~ܱb(,+UH{0t+b5kɸLɒLc-3ގie}6V,[4j2\PqjLP,oph==zsQB%W^?װI=~91uRAu9KBܝxRD9 3pNH߽ [h]+(k݇7],e^0 *p)i` !9.H 7ǰ*h۰`NyeoDs$ڑ. U0>[M5ҊkW3H)78q5h+^fȵi!q5NC7j"T؅aIyD 7oε-ƻAt@s%ڝnPfF~BE)RI^o3"`x1C@3 `KJ'"CF? "7>|Wd5[:A2̚K;R*{;Ιۍ3챸;{ 9>8Z,+2++(d`왒>'/qPɽ/MTPXLoծ{Q"fևClH, 9̊'K;7F&!l1 <,+p[/`/z`3sHSk± JYlH Sʄ@/<^?5f>!nTQ|gu8a+JNCDHd[e=ʫJNu bO<]9$Wy|m tvB/ 'vv9ـ ?}rByRq[x+v'6xOVgUFz~-X)4vQ 4lϦȓ*+, KWfs N,@0-:Λ[&Oh+LV6)0T08򚱙j ݑ4b6~܉;Xh;aP !G,^A+SAY̭g-@$*