libsmbconf0-64bit-4.13.13+git.528.140935f8d6a-3.12.1 >  A al_p9|*ΌĵnFP9lV\[#BJX % ;lOy%^XEs:fYRfbRShqt7tQ R 9 \;(s;-ümOMӟfύ8\^f-gHJ H \r&?%4^.W`OvQ-"טGSp|t.io8g*"Kz?Kt7,Kecddf0f2f8648b3ffef1dad1e083d4eb6adfa8359afc48a6384f00ace01f16a37fb3db449e6f36db4ee01efe37ae84faf08d9e7eal_p9|[W+-f&qwηS Wپ'B|&kVU꛰-5U(]\ꠛ[p>d?Td0 7 T %6MSapt v x |  p\\\(78@9:(=>%G0H4I8X<YL\]^bc]defluvwxyYPClibsmbconf0-64bit4.13.13+git.528.140935f8d6a3.12.1Samba3 configuration librarylibsmbconf is a library to read or, based on the backend, modify the Samba configuration.akibs-arm-1 hSUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/System/Librarieshttps://www.samba.org/linuxaarch64_ilp32/sbin/ldconfig hak1fb5b382be23752edc7ed21f5078bb1c66368fe0e958efe937ce277984372966rootrootsamba-4.13.13+git.528.140935f8d6a-3.12.1.src.rpmlibsmbconf.so.0()(64bit)libsmbconf.so.0(SMBCONF_0)(64bit)libsmbconf0-64bitlibsmbconf0-64bit(aarch-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    /bin/shld-linux-aarch64.so.1()(64bit)ld-linux-aarch64.so.1(GLIBC_2.17)(64bit)libCHARSET3-samba4.so()(64bit)libCHARSET3-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libdbwrap-samba4.so()(64bit)libdbwrap-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libinterfaces-samba4.so()(64bit)libinterfaces-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libiov-buf-samba4.so()(64bit)libiov-buf-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)liblber-2.4.so.2()(64bit)libldap_r-2.4.so.2()(64bit)libmessages-dgm-samba4.so()(64bit)libmessages-dgm-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libmessages-util-samba4.so()(64bit)libmessages-util-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libndr.so.1()(64bit)libndr.so.1(NDR_0.0.1)(64bit)libndr.so.1(NDR_0.0.4)(64bit)libndr.so.1(NDR_0.2.0)(64bit)libndr.so.1(NDR_1.0.0)(64bit)libnsl.so.2()(64bit)libnsl.so.2(LIBNSL_1.0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.17)(64bit)libreplace-samba4.so()(64bit)libreplace-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libsamba-cluster-support-samba4.so()(64bit)libsamba-cluster-support-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libsamba-debug-samba4.so()(64bit)libsamba-debug-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libsamba-errors.so.1()(64bit)libsamba-errors.so.1(SAMBA_ERRORS_1)(64bit)libsamba-hostconfig.so.0()(64bit)libsamba-hostconfig.so.0(SAMBA_HOSTCONFIG_0.0.1)(64bit)libsamba-security-samba4.so()(64bit)libsamba-security-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libsamba-sockets-samba4.so()(64bit)libsamba-sockets-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libsamba-util.so.0()(64bit)libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit)libsamba3-util-samba4.so()(64bit)libsamba3-util-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libserver-id-db-samba4.so()(64bit)libserver-id-db-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libserver-role-samba4.so()(64bit)libserver-role-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libsmbd-shim-samba4.so()(64bit)libsmbd-shim-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libsocket-blocking-samba4.so()(64bit)libsocket-blocking-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libsys-rw-samba4.so()(64bit)libsys-rw-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libtalloc-report-printf-samba4.so()(64bit)libtalloc-report-printf-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtalloc.so.2(TALLOC_2.1.0)(64bit)libtdb-wrap-samba4.so()(64bit)libtdb-wrap-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtdb.so.1(TDB_1.2.2)(64bit)libtdb.so.1(TDB_1.2.5)(64bit)libtdb.so.1(TDB_1.3.0)(64bit)libtdb.so.1(TDB_1.3.11)(64bit)libtdb.so.1(TDB_1.3.17)(64bit)libtevent-util.so.0()(64bit)libtevent-util.so.0(TEVENT_UTIL_0.0.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.12)(64bit)libtevent.so.0(TEVENT_0.9.13)(64bit)libtevent.so.0(TEVENT_0.9.14)(64bit)libtevent.so.0(TEVENT_0.9.16)(64bit)libtevent.so.0(TEVENT_0.9.21)(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libtime-basic-samba4.so()(64bit)libtime-basic-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libutil-reg-samba4.so()(64bit)libutil-reg-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libutil-setid-samba4.so()(64bit)libutil-setid-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libutil-tdb-samba4.so()(64bit)libutil-tdb-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_AARCH64)(64bit)libz.so.1()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.3a@a@a@a9@a`v@`a@`<@`@___i_@_|\@_{ _l@_i@_d@__ @^@^^2^2^^1^^Y^J@^2@^&^&]]]])]@]@]]@]nU]nU]i]e@]_@]J@]B@] #]:\ڭ\\@\@\ \N\e\e\}@\o@\\\\\4\ @[[@[[%@[@[ @[[t[#@[[Q@[Q@[\[[[{[z@[r@[ @[WZZZZZZ`@Z@Z@ZZ@ZZ}@Z'Z@ZOZ@Z ,@Z@YY@Yo@Yo@Yo@Y@Y3YYu@Yg`Yf@Y7Y7Y, @Y"X:@X:@XXsX@X9@X@X@Xg@X,XƉX@XYXe@XX@X@X@XWXAb@X-W Wv@W$W;Wu@W#WW W@W~D@Wj}W_WYZ@WYZ@W=W(W!@WW@V3V3VV'@VՄ@VՄ@VVIV@V`Vl@V@V@V<@V<@V@VjV]VI@VG"@VG"@VG"@VG"@V(V'~@V V7@VBUYU@U@UUAUĝU@UU@Uy@UUrUq@UhTU_@USanopower@suse.comnopower@suse.comnopower@suse.comscabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- CVE-2020-25717: samba: A user on the domain can become root on domain members; (bsc#1192284); (bso#14556). - CVE-2020-25721: auth: Fill in the new HAS_SAM_NAME_AND_SID values; (bsc#1192505); (bso#14564). - CVE-2020-25718: An RODC can issue (forge) administrator tickets to other servers; (bsc#1192246);(bso#14558). - CVE-2020-25719: samba: AD DC Username based races when no PAC is given;(bsc#1192247);(bso#14561). - CVE-2020-25722: samba: AD DC UPN vs samAccountName not checked (top-level bug for AD DC validation issues);(bsc#1192283); (bso#14564). - CVE-2021-3738: samba: crash in dsdb stack;(bsc#1192215); (bso#14468). - CVE-2021-23192: samba: dcerpc requests don't check all fragments against the first auth_state;(bsc#1192214);(bso#14875).- CVE-2016-2124: don't fallback to non spnego authentication if we require kerberos; (bsc#1014440); (bso#12444).- Update to 4.13.13 * rodc_rwdc test flaps;(bso#14868). * Backport bronze bit fixes, tests, and selftest improvements; (bso#14881). * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal;(bso#14642). * Python ldb.msg_diff() memory handling failure;(bso#14836). * "in" operator on ldb.Message is case sensitive;(bso#14845). * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED;(bso#14871). * Allow special chars like "@" in samAccountName when generating the salt;(bso#14874). * Fix transit path validation;(bso#12998). * Prepare to operate with MIT krb5 >= 1.20;(bso#14870). * rpcclient NetFileEnum and net rpc file both cause lock order violation: brlock.tdb, share_entries.tdb;(bso#14645). * Python ldb.msg_diff() memory handling failure;(bso#14836). * Release LDB 2.3.1 for Samba 4.14.9;(bso#14848). - Update to 4.13.12 * Address a signifcant performance regression in database access in the AD DC since Samba 4.12;(bso#14806). * Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache; (bso#14807). * An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817). * Address flapping samba_tool_drs_showrepl test;(bso#14818). * Address flapping dsdb_schema_attributes test;(bso#14819). * An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817). * Fix CTDB flag/status update race conditions(bso#14784). - Update to 4.13.11 * smbd: panic on force-close share during offload write; (bso#14769). * Fix returned attributes on fake quota file handle and avoid hitting the VFS;(bso#14731). * smbd: "deadtime" parameter doesn't work anymore;(bso#14783). * net conf list crashes when run as normal user;(bso#14787). * Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7;(bso#14607). * Start the SMB encryption as soon as possible;(bso#14793). * Winbind should not start if the socket path for the privileged pipe is too long;(bso#14792).- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./bin/sh4.13.13+git.528.140935f8d6a-3.12.14.13.13+git.528.140935f8d6a-3.12.1libsmbconf.so.0/usr/lib64/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:21699/SUSE_SLE-15-SP3_Update/08b059d7b5a0f63758fd796f8b3745b1-samba.SUSE_SLE-15-SP3_Updatecpioxz5aarch64_ilp32-suse-linuxELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=706279e66f08fe42ddc6004fcd497900d350e0e6, strippedYPPRTRR1R)R5R R>R3RRRRRRVR#RRGR9RR7RERCRDRBRAR@RRRR RPR'R/R,F㹧x|٥qa}BPb/Ó>hі?b ,yIw yV k2]j|WdݵjY$+qCvT3R~M`a=P)`/HGП"IPML+iiB tP 8OX ͐ /+}\˲˔K:2,N-zXwX: RbW}Æe/>z' ?L ;@yf;)dB3gA[ZuI{9=uΛ¸>z䲵GnYR0CTaP_.E ]Vae?*{=̌)oi7M%fwtb2BOyBrA/YZ<$/Y: 捊߲hR mfT\N=6d[C@.DԻ\ϫ&NO,4/hByyc`R6:ӏ(D؉fiC5 u̖>5=yYg}{ ïϐBJ1.wPp |.[|x Z˛h6lO'$;rT^󞹤}rpyS!G߈%l>X1WL;Wu>M?4ȏrڽ)X8 6KGhĀy] e"zLbkED522FGwan;0K)OJhdF*%Q̶A<~>}r@%g^a7`97Ӊc?es$d;zv#C=>hm>u;וDXhw|i/[1H|̞0nI ZX[\x?+Y0 $nHwq !,RY$#(ꢾG6},<3:5V,uG?ͪnǎl @ʢ>./ #eaMP)'{i^~0ba7ޝ )9 +sj6ɢ)P&t\I^[G.z%`k)#dkOIugRiവg[>M< !*Q^ĭ>UZ 93õ 7ͣ"Au2aW6;n0E7y)\u1O.HݨӏUZ+À?5lڇҀ( 9d, Sgxp Vw+xǝ{HY6<'uq}ͪ-6EsdsAڤ_n8x|>F2E8wS{pw] -XDVpUf|cHG$ e7kInX{,'s8]L/pr&alCŰM*-7%dje$b *51PRUrݬ'C DJ2},zcMejk<70wvG6%j:X=6]TY·ӎé]K&le(@yc,&C㮁NԆKAJgO`gn,!MR#9ұܴ~K"0] ]ܭZ+@V_b DwaGt-M#d⹟w%RxȵZ7L MW7ٺY5+A[@oU=ԋSUbFdÚvJ] Kp3c+$lE׿CeQbЈCjMZD17f5 Kf : m[s[r' jxEV:;,k`$ { 0 Mvd~t؎ڼ4AJm>s%t*s9R[mPiQxq9W%i^Dfu-\rSkZ_IJl=vC8 ŕ9CH~lRww䆔X^~ZBlh;^ L]Y3RB!ث9 NNZEjeܭ{oYB2s"d@-z2쨙pmXoT1_mijq'C؍s =~t y)?pvq7= W[+R2 rULz/]~ ==m_S: XcA<*"Z.#8w} j/ w:\C6!vԃaho袕;nOWHV5ɦju۩AߥKܱEȽ dY5IN-t1Y;)\Y }QFc ?spa"VFp~5z,OowGPy]N%BP [qjjP]ո',$bM BC):Ub\#G@!*lf|n')`v$ 4/¤ء [X46c`%FSw޶y$l,3 Xo_6kt ]ꂼ\+"0o PupgKf࿆cg *PÃht6A.OATwl5S]8K߼Gg^݃o Oi4w~Y8xrFM)"ϔh[l!BQ /$ꦽJo_($T툪׻nN\F0 ;LW\,-Mk0DKo:IBqN½^ (>~H0H2HJj՗ͅ.0!8F} lʡ=B0Uݼe5Px]3"}R±<2PF*N1Ԟ!^k|}YsŊ|4tHrBqʈ_|GRoLߥIqq 4l 4၀2uj[ZX ~:SEVdZRX)9^S V3?|yĄU0{͑?H9]c,GGr{gc0e:Eya\'6Nש3pFCt͸WǦ9̡=`>?`yýccVpNU?M+w1 @Ć+7f,S8BXӨ528ڱCG&(2J4rV)$ӡ~׭ o):LE?7רrŪmSp7 ^愊#Ɋՙ_]NҿT,E"Zz9yH Xc_gHΪ $w*qX{׬/᪓WQkDl")uZ 1:[i%N>7J=W._t /Gd}KbgQ$|ЦMVj.,A,2mf"g4qd,]?l _ۏx {X+Z:f5}6^P'k٫Y(7gZex,ڴkv=XT|~6R;W)#|>&0%iWS P}Mjf~m؛դumLMzk{x'.7%|d!R1 BP?;z#*Bxl7nH1l"5b0 T,"ܵ(eѥŐ-h|VXآۿQ+ړכHm.2z\kݳ//7'd<XFku%y䭥`+ky\{MX)NjRc4Qq#FĩhWmKfڞ0zN?я[ U5@xs-59r]윿Q44J Z#c5|m̂59 ,StoyfE<,GOmbpY0<֚u3]+(W9XLn /MevN 0@]?ƢZ7.TϾ'3<KF/Vs+\@ר/$& $H{R.DmAS.a+(nˡu[(P)XV$:>QJ|:\sST^|/py)>@sJ8 47[79qXkY&= 3M.P03Hn] c/[vno2>Ql.vI\R#tR@ n,t;|H%^J[o$)uM$٘m EW""ȖhHG[d;wZt z u6y_Qα_b1(O!u tC$Q'+eB c_vB4d“f4idcP/L=`֢@eh9u%*WDCBS 2;%nsU8 傏hfӂ1OÝULnC>;Fa<>ݸ-i;ur?x`Ő"sfgK&FFբM77h灖I<5:T9KX}PxL<}~e_k @WH⳪36O zq!,I_5Exi=<`:'"YcuǜY_RDhІ[ґ TERf˗E$CxPqM2PS{J~j57-NJn'',6taHu͈CS6ds(ꎳlzl#ST&ȜѬ[[#,xG w8Q Q9Qu"{Mm|%#dURحe;4Z1vF"%]@Y͢mF[s?R§1rޒw88hg2uabGn,XMTQg@މZi[1j@ӴkiH(C1R#'COcFA@-l9Ye6ⱉx50p!OGOFoA.FEh9MxhW{1핹Duӹ7ӡ; 0D|> ĿP3SCʙXsڿ>'Xpך {[ o <&%.gW4aNK5]Q^8ՄY\; 10$iy[YK rBl9ј/^അE ϝ^Oܴ'21^:9O7||۾(ͯ-W@4ڙrud({$)h8&XHߠ9l2H[x l;+:fRZ8 oZLcWwVtٽW/d"3H6Gx\1_ȣ{L1yoZ R쌐 eټH9ˊ$8$Owf6\=x+82yC"dzG`DX^XGQ>љ[eZsk?7!;@4l3hMU~]&EwV nߗ VLqp9#ʅUD49}T>:WDۓVHg~gp؆Rs|T UG>w#וKrwKiٜO7kѪނŒg*/;'^rF"GN:`@rt)-qXE6w;;S]G&\-w- UK߇ͥKŠzθϔkXǎCp ?rñmm/o12U#lm&xf5_Rgx{o&AW='c'Y^ F#$IX7zגq`x$6P\ @ TZ`>pjQYC{3kQc_QVӆi+UQ_@Ksw5R{,D&W${_G |Am(dAO[c"U8VU7#_3N`9YPd g(zx%Ų6@j$гIdܭw壪_Ҁ7G#89_D8@z/viu|Ü tF]PzóY@OJ_yVW-$6YN㨆ȸ3wVX'zù{ HWhsƋI]8,q/G“! Ƌ"'\xxG6\8ESXXKBWs*@#s-],Ǝ-J>c`ƒY> ۍakNQivdNl[#A\׆ An/տg Bp:w]P0涑:><^Tն)͆ W;gzNAB#6_*Yx|Rl>}H8yFUjOfCV e|ʜ5?Pj)/IXmpʑB@¬}5;ԖLxqy/M~\ pZ+`#g.޳< U}Ȳ Haa:ʳjgU2t\MI"RR&"uXEC3,Fu @,);&c*OOolFRdwrpJJ09upff ]hOd7R^r< Cj7U1y+$bHd3g3,5$;.12ǵi(аyBzĊG!o%?n[12LR+H8"+yBgX}(%X.G>t8aU!@iu;0~,d3]5BDdUA2i/[ۀNk;ɪ2"o0"k~̮4VI@fA2 [c81gzZ[e `} uGc8]|xJ3Zh[8zIr9R-W_ Wy{w'Bӕ!qyԓU/#_ʩ Ee PJ-C!RǠo [%Feal氨 iv\fgN9?O7vCxU%3}?bnue wX,h(}$ |%k8IGBe[ۃMt؏Ü}.ap@O&C|DqXhjɛsRd`ݚ81U6f\.Ml zF/$A1ϝb|! *@k9xH2y:#F{[R$(hW-lȞ4} _R?_]bxFZxR+@1=x6)B dwp: !iu ь \",>>/v_,/{8zyȗ$!w㍜gޤvW,AלsiQg 4:=Fo^`|JaH ee<P5X TTaSR1:ucZ׏i:YT+i>/$VHe%aOxКcHU"LIQmu*lʣ vd)rߕqa$9{tNtj1K"T3YN 3ɣqnDdF^tZ6@'&A'Hz޿uQQ#y%qp2Zi)د*ò4_w&.lu7BVx5m?=VI/BGP(eq!s>X=װVNs>|: ONT[O#z<)pv_xzfDQ )5RK{͠tvC|/5N\15bu2\v]Z= μRg(ܙٟ<T,qƏw-rAƒYyۮ'NǸOPCX#9JGc_ iq7.t\,. zk}NAi LɤO#CKHzc\P=GG1U,mK03 ^_h;锅w+(l:I268[D^яu*N:4nh(VH()S 4r 8Ζ׺zybq'b}ĉiB{ًaćtUn^J}_P]368521s &40IѸV2ɰɎnYvP8 Ll 06](fSr [A7C r.1GP-\B!?n8׉Trm j.A4oC2q7/돼GQ(DuvX;rqCAY)hXxabI+R^,q_W嵐s|.Kgj57q9!Ma$H̵;X(U{+$7q/O9ci?D91 wj1*,GƭQ>K}%p /`]LxT kL߃Kr,{baN (N08ҙV[4f}\f4 `Aon^{E0R'nVjn㑠k3%v%%܏šüooQF'KgԦO{1QԷQa=`8s!9Ğ qP:C8Ct\^eYL-$ù`O:UD8X\7cCP@PK'Xs= .A] A8fLmS\ ;ʙAM0$`PΜ%{V0=+]l'G nH$_{S% %iJ+|*9j*aVu_ d??FBP ~*\O}NhVf0=~;2 1th' `'4ċPw/ʝjEO wn^/1iseIv!F %S\J715Esk8fI}?˵H/ҊڸfV?PZv_gm)MgF\[\/I~sd%²S$S$01i\YDv O"A4"ǘL+iTPȗ3g@ rGoǨ.弄|kk|K:V-4-9%~\#Iђz0Px2:gy rsn ^$jVvu L?zFyg&ˏi zK_oR|q-mL*OK+ՑY䂔.vHKʦS$N`E]bmQ*Lk[|3l|qI:p '|,fɭ3Kutدذb}4$)DȇO'i0+\kEkȡwY^Dit6YUErbv~|b Y C5I+= Fz 8~:gMdkg8}&7yaj+RdH׾#ƜOJ|QjGri9^LDe KG,< )|xסAp9FߒQ(*1mpK>9Y5):;!-oR?.zȼ= qu:QVpKvׅdlcusXQt ƣSrPg!!&7|ѽ<{2/kt0#}_ڀ9A}X3jVe4(#'XʬƧ{JW@Zr:$& / ,,Lruy198ui*"wo;kPK9f c?R,C*Ȅ3 C܈[%AD,}_!{bиR<s<"3k3J@ Vgmh뱼’Lo6>-M{ͅ tGgbErnG*RpuJ*tFNA#Wt"?F0jԽTM!:59Nk{f+h(ӝD*H۝r7Y DH+-wˆyē6?fvۦtK9ȸ~s" TCHMtA}d/|m.cۮ#UQ)I% f9"ofD^/7i`O\nBA0:bi%˰vYn`#ݑR>ˑfEʦ n rK/#P#Xr>g"}]]4ESy1iC]5Y93I+A, wr/lψ cH0 uO|7WAsbLe u+hkeT*`J2qР v~ЫoM51OK1+OMyߡ5mE{ yejojQg*eI0ɟFL ]|$$O !~\PYL[:ĶpJhz"RT$Qs u/Yr5s\+uS}瘋YΥ?J伦?7߈,Njtf.k J}:B`*0;l[(J~47-1 v|K[J ~ZfŤ>{cdl͖F᝘S$M2lIG+Q R5BUŒpKWq쐒xXMo^Shy"rԡC'F#diAѹ@_=D,cC؀r,b/b5{h>K_:$!"a(;̓o1õ,N!W]뢀JZǑ ͧrB!J^v`w2؍Z}luΚPm`/]qB_L|cэ-ʯ7%hF|†(5-J%r$U<ש1IL0;F:aom*'­SlHoXЗu1b[S t=]pkNi+437WD8Y|`%MvK!00Y {4pq3!!b H]ϖer;ܮh_s!R>ʅʃ6 rKA`m{k?Dc#-@ IUݺ'}`ica6\KϮepǬb 0y[$lCE.m$l1(ݙHVse+1[ӆO%ctliFzkM]龙 [(8&yk"$Q 3EF[oVdu4i|Ϊ,Nw]]{fiܤW}fߢ+.R#h i31v =;ZZǪz&-"TtX2:=d69 ^ߒI%V1!ɟFu~#϶UvͬtbxmZ0Ums]y)'T{O'/2XjARڂTx ([NQ?`޴=@4!%;sçgj:L,`4(_|W h( aʣwb 21x70 vhx?;Nqfk+h3yFٰ]#7g#y^8ʨLdnjP:v+{"@TdR=Lm]}ZmcQjO{RϫovoUY϶wЀy*7ڞHڢK_k鄩.=CLDSg(bdZ]/Q ]ɩI)&IgK8y'Y;X!.&KF\'T=ȣu:PjN>4xf4|]c X/&ɘ+˫@&%U820ZbY3i}og2nz 1?|(D/zDj^5؇RiIrI)h-ܕ7N xDtZ<>iFN[& No.wk҉+gd 9Ks~ "!l/H@rˍ@^Cz7@M9}J]*M /=P0Tfx.'NО,U @񻼿nO%w\mS&s#NnN~o6~1ZtHzCpT=.@L`|B?ZK#" ,=}/h&Ѣץ0wNE%RnJ Ў~yK4X?DŽYfp$祶 tgdX!k 9O[><" [PP~36ŀGȑ~8?Z6E] VX q+R^n\x㋂'V*A~Bl`$LZI#σ$"y7l( .>'O!UuztJMJ+V910(- _zJlˑ kVfQK\Ș{#Jv{maz8FW# 0.sATЄ~+0˨<3Se 1DŽ#Y6qRf+[< 291?t~Ty˷O!M YFf2& w+V4XkK34+sۋ22$5,^JkG;η9;"Ib2w[Oe Qlj %HǍId2`x*SWyB&?uh|@˗sxu]O-"K>19R[ Myen ;#KẄ>vf2&UPX`& z sGٵ ûOǢ I;/LXИTxp֒9v@p v RפƜI%A\4;FE%D nÙjxO9tQG{l Q`å಩!*KvWےhyPx*dV #!Nr⣰0oRSu"|}[(oN.QtRy(%EL|4;iמ._2 dIv)"Ӝͥi l&H?$moQ)WV6s'L\ʶtZWe9zaVeF[l/jHv <_h 馑4)'. ^f}d=d!n妨>(% `ʼn8 2 c^kdb%9@kxL8W\8+YohBnh$RQjMpdkb lMmz4K\c.֧U嘳@s +a8ko}GuLnzoW?=Wp\wJ3li8mA&3m?b{ $rlzɷ& bXqXPk}:8GĠ][F/J?8󋬕W$&tqX]h ^?)4f S:sX d+aDJ9`RG˽ŏ?N*r> l|):[ޥ%iz[R2|,bŪopv+nccA knhѫ ڟlI|m~qH{WW ߚnp+yH8?JǸLӕR.Qs+P".nOH- ml$ K~]?~q}w)J4$9uf,p|J /!iPDõM+,#J:/}t Cz&[Xbm64n, f<*?JO cS=*q^G5eqtXFfU8/95ϢS΅̴2g?X3p۪CM4\DTE`XXώ2qi ,ep8GKM{XKhuu,Bj NsHfr(N>A`5޶R uYٛ ZҘYכ%fXd\ A7/TO-j+xh'[D"g '_nux8Lit>upRU a*?V :">~yz9ی+ߝA*\.Y>wnoN{=8GRZ/ .`|S}a;M_VT2cԻFt p=@,9T\a<+I9PHdA~iC3ŦRyPRtdo'7">Xf%Η]1-D>oXV?;6 `D-ռ8o97Lfc1cEz`[c6Lo(ؚg0Z&wî_xmɔYf=Pp-i܅Ujeo2a/w(1+)bKH0TEy(?v3$6ѶM۰zu"-uIDPь)0iSٛaOI*V֕ё[DGdǡds E,Pmp~+F'5$\=[@J4s%| 狊-}1S'$?L#azlK G3UvJ XC1B B+Ce\$(%Q2: U{QbI;]r1,St *37z(d%ZA5.ly&CmLUj Ѽb;.k%KU/dMHgh 4򲾗EW A,pwo$5c?V\%@&3ĺSjR dCMkpo WkX'Q\(SM|b uްV"m>zWȭŐ5Nbe1ӑ WQi3qp c-""qH7-;UF]u(By֒"=',8+#JcؗX-mFLIx>)?Զw=!3T|5*ơ S %Z1_|//\_ :/R:(#5l] +1bsmi77dHTO^GvT*%WX俢q'N'i4- ,VtOt+ U׏%?8%Qe_([4jOV9D$Wz!>s9}[ ~k!!]6P^b7\%0T䱖~+H(pGhN=,5((՚}OnCflE Mߓj]ZX٣[E4-!8`$te~l_{)=mxXc}U}I&FL1gjJb?23Ze<7LƋg_}"aAm %M=V|b7_2d-KZ;0֪?(J& WIojE+di'Q_6¦ KYVr}Css'z _! Ri] bYh1K7Eu$ PG!VuɆ`䀛!q* 궱pSۄ; t|عRнf<%R.nH0IB jwp2O^ B0RD y?yo^ SVT9.8=G`$Jl5S 4" xBĝڈ'mޙY08dM8R|&Ζ"2hbMꐪy;EՃH̞ov䴬x4{5(᫞&w[}%R}y%aOO96D@ @e`=W"\E=%lSB\ύ,^T[U^tj$8ꇗ~&h)sNbUטe`D." i{:G"+ʎ7hfS&7.} }%L8 |Wf]fx0S1Ł*YsOW>VUL09žn7*c8 ϲ#prUgK3B CI &ѳ-oMfeb/ө"J`H$'[|T͚δpG mlW`2؟,*Rm*®1״KXijϗ`uA;4Ue<Ԃ7.*.X{2&tMM@ 6ViLA-;CNWtVw^\\rcq-2yh ۩Jy Dv#zXZyݳbk=oHw!+h#",|aY'uXƣtgƾ1}*\ltӛ%yhcaG/uX#OkN80V@1o/Hy2g]3rTxtqћQ,FMrKlg8?YMr*:E,}HKbe5E߆0G,zVQ7"s ݬ S% `|*4|%i0%y9"Y'E̤Eŝ 0?7櫤ZJre*|1UW}Zqgvʊ ;fG]ʉp9}1%I!]k=VSB7E$Θ"S&{!k4E>>`reRl{"k,=̱Ҭgil{boVu  O.)4aTAe4_ s7Q)d6}c,@)E0R>N9eSbX;5!Za[w#WE0Pl;Zmœ"-_MVnhy_nCpU(! n<>*+>'/Hyr@EXH=zbSԝVORfrOȎ^^4\p1/_HєL{Q%*q4y6OaSJ/ܥ=$,1tѺN/dUOM3=hàtNvwì@`ntIvs5pKG̈mlfzL`k \4Sr;]">k)8abvA pL)t*[o8=ly@ P;t 0i"Ufm]V)eқu렗R! m3rLU`SKJw)<3~J rcYy<)R<Rf\ saI/v_6Uk洓A@(K|&4kNXPNa5?(.:F58)8 -@ =06|>=m(bɺ[`42덂ߣcTlU (Z?(5%\eAU AҪ4d'< 1w9Z/5%Ȗ[v5~ʤ0X™cBr*X}M<[&p1N̞4fN4Y΄b2gop(UKRF)It@7a>BX >I; -f^JtG{QHY旐e=^d"SUf Z*,2Bљ̓K-M'w%^Hd,ViKaz̜;k/ף9.<@I #l=gS^]p*~ %i⦁n)IzXuFuY@[U/f1ݹ ^v~bx&XFZbg^%'ܐbI)tͺ7%8(?r]#kVvmo˶@#/Iބ`4-|)U0\)6 dCGY ?HѺW7@,ПjE}Bph9Kĩp~)`O?g?P RH)jU,Tvj/"^ԶA;/.t3b:BPg`G֖䐹 2®WH@kh4WhW)2O7K"4ԶE0SbUMVu/Y\Dyת%" .Ga4@ Kx#vN@s3QS aᘵ>h](EBc|q,` }GRHg>zҊFC xޖ&-7CxY54ύ"B` Rxqr5%m (gx߀dMLq {Y/hq֊ f4bl@gTr1_ϒ vsXz%C8!m/0TQL>I5XB*ĬfȕƄyކc%JgQR~GN˷FlK`F P;'sN}ݧPhcqJ =O UJIl2VR8iM9iEkd&PiIi؝.eOڳF(7S, M0M -ϼ[< ӗG>{YݜÒbc'.K[ty:a4(*JPXE lHAyBB'*\ r%ދ ,c+~ 5y *.,L] ¹(:Rq8*L3RIT8ʚ-ׇİeדU&lCn6a '"&l!|, @{.)y9R\8wQDE3+`S5?g H I(ZH;V4e_Ʒ xCK4d>7c-V p:oBAE qmwnڄgdcSJ)_戀 g)V}OnلPo9OF)L# Td䯙"?m"ҎHmes\r]zH^n̊AX>cɍwa[ZQ ϙQʫeV ]3WXB] vNSU(p2=O3fjsB{$2M`T-T{ N&.9|vuo쏦"-VGDM{;ȏ炜rS=5VBFȄ WҊSq Вs3oveFL?*ߎ 8o;K}GkstxDFQ\t4t9^bQ OԃѦ8ӤD˝2|!~uW3WJ % ͤx8dд<^*7x_7R>gά*iDMi0[9)Rg}9n9}X50,݊/=eg$}$oʗ\7`_G}joG#a0WՂڧ2|l1KFOϗxʄ*{y@xhtr Zr{^>9{S5_1MmV2s§&u%xe8V$l2u$!*V"sF'zL/e:BW}F6[UO,2̀*}ح],N^d|.)D~XRW@u6V=MbʰMJ^m^sJjXacpǑsn / 0`o.jOߋȺ6LCIЭ%Ð`,e,ѪCG.o}`V:>*Da0=yNo[䖁zβyaAϮڎf1(LnC,r&a Vw+s[YiWk`=Bu]vѥnjN2^Nݢ|t)?č7|`AksnYhTO0g@2+q%@SV۠4)m|z_#:~ܮȨ9$!-H x˹}kDyHyMGSNtPX_!bXӋnKvMn!4">/7BL8]\H39UQa!N`%glR - IUO[PΚJ2t`Ɇ"ViVO(PW\@feo@ө*QrJݵ:-֟Fh2/^kh̟Yn̴ $:D:.tI-58vM }IX^ mhP"Yõ>64~,}Q #/m۸#h܁`_ NBwe-h%J/=x)zͯ9ߠ96+S49T3X.$DE)5t(v ^ד=mZOil>*9-sthR1r ~ ϲl*Aа%h4LZ7L2 P^0R 6!NʚbF 4iSZqz"HИ1ˍ@{%WV+ 0(C0i>|k/O|ӳ6ie7=4!mSz|6y;GVc&I9PInohYoe7F_ce|F|j Pƛ/bc&?\/M˗Pr,&'U}>;i>0Ḿ3ˠ߼tÒ-[M&[pYw\j3 = 7}7wgsXm-N?QXmRؠ{Qϰ4njb"ء[x_kMr5=D;rS(xEC+Ym gK)$VƁnjwy*.Kb&M+\'<~8x= ׮oyD.oGrl#K`d\,z̖|r]Q!y. p=ӌ(c6GOI^ѡjJPZ<`_FI\\¦=ٙ8i])/;4Zztbg.~)@[رd>x?t8Rxa |˴uiޕ0ayx]hGs^~&^/x= ^^rfjQB{b}˩S|T7\?.j0[l,APLl:g4C~ R@ W&W9Q]GC×J|ԙǧapk+joZy#@/ݹ,6K{+Z2v|%9$4..|Fcx}) !Dzjo9b`[B s܌, 67@Ծ\ m4lY}o3WOL/PO3)|W~~IKt`/A0C7} ',S?@}JwLc'#ק+#tmo;rlW"d :ж%,"WSԭ75!Fe#os`+ڧu-y$W}(WlLhеr{-!Lhά@SBFKi%KpꌟDz]igl5?JWtK 7ZէH"J#T]!N>*jiF'< I-KL9#: 8,Yr{Efцhr4Y+v\t6W2)X5_YS.v9yѠw/ /[@~7>p^]$(yxaKg=큎'fDsQE$U\'O%VNL;yX5PRK!`9+A_7ai 4e+`V*Ȅ|8w ;O}cIp♏ˊp 7pt B֓ă \$|U Q#1ر^Y%$M/Upſ=Fu!Zv\=4ikՔpBlWq{goLec5Z?!`Tq3;jvƷ1K?OY=TW~zJzG< Xaj8ܒsPU(DBaA& ;n~;^N]bsJ= ՆT^|;vM|k: C6G͛;M`瓛+.dH󠛶_Mj[,, ;;; B/4d787~<(o>k@HU k:x$Dte X{U'e{2?/cb-9 H_n,'Rß@%g1{/"m+ۉ!qYK-GV>):1lXM-b0e?qdN"P:'mP`?3{Ѣi $Lf,s)~5mZJ,ۓ٥؃1;GNm' M@(>fIs?jR-ܥ#pP^<[L)N4֫9ObASNS3Y"ĺ 13[NI$8#ɐ WHI!L #/h/$AK+[?m6Y_7BcϏPj.dII"Nh^/]Km`qa3mg_@X>\|0ܤԜ͏Ptcto!xvA4%x(Ih {r!pnKEBOyX7-'`ʨʭ0٤ʵ"~T&=D+CP+[+U*ilu?v?tfg&CUnQٰT L}.`URW)TA9PFdzȡaKrZ:Z>5 ι4"08MtL2{i!*=v] Hqdd+1vw$Nhcye+/pOƓ-{ wo ܩ%)Fu^Dhu@yH͖%3oGn7 S[s_F^}uXմ50pԤ4SlO:| PqE0^MKy89^~bҎdhZ!H$?򋥲Sg0vkB0xƪT4ͺsqsdkn@M{CvLµoshntCd`^G뼂}J4&  )}r1fHbYnI5*Sڋfl _C2ܑ-b'. 0O|:w?I `0e$ņ›c/~e OJ9OޖXW6``::7j+;M}& `Wߨ$Xy+ÿ";.sw]JΉe@oV'S̹],e_Ꙥ)IcAdJ"\;8X|,Dt'w>\Hka!(-k`@;?xS3` D=Ng5b׉9|PRP Ļgygm2ᓳO&Cul>شY'$I] lk3{xrS, ZEY$eʵSV ?ǂrBuut|-kBT橎l ~=rCH|z6$ Royb{yxT[I <("$˳EMi&ȸރ0,%PTl"!trUs.NH 剫bt^3|Na24R1QB?a - @xr\N#g2x7|~bt/|>:@k/+3u'W$r*} k e#}JBw}&C.u1Z)jYb*B]LbQTMmyF!ȐZQQLݸ0jlc'\(_KGDv34(ST7seLti T9PXZnsmӥɎ%/Ø2p;$q{_Ug`;,`ۙ@q*6E~ey(_ߑ mMGK~|)vh;3ԏ3%u)sz%AZ~(q\ضh-lvra5$;x\4.pxLxSj>gJTq$lOҌ\0„{) =!48)ۍ s]UZH4^Ron`{ Wg?PP< QR\Pxf^0`#7!Pl`NhJk}\?k;=JER7d  ʐZt2--:I[fъSVj )wZVaǐۑaR5jmV };(^fQndiE%iC`گfma>Tcj1gɛ _Fqdf~X9,]$K^%/{C-@dnMɷԽ(VUz]8.SK:0tb*XN&K[**Îu "65AZYCĀ&î0 a&&&MjNÃȍaE~*Xϕ/ K5^FrޗMb 5Z#_;OH u!l=r?cRYbGVV=; ̙EXE6#F[+MkW+W&y`+caۥ}uoxR`Tp*@(Ju%AQշ% u V{⮄,d%Z#giHx;ut{sTݶ1Eaf{w`X#aVv#n,TxDמQ,s9hZW?L8lMiyQojbI7AJU<&V 9hlyQkOۆy 6Y9i) x85?&yOBC{r E$f҅K66lϟD~Ǖ'"o׫ 0CFO^==WJk%W sNUC`\v; +#L}@,DZnbxֹcvf8$~vU5_ŵbu*Ebw_渄 L>'W40 los}]"X7ϨFڡS#;Z /nOEj0mk=J`yGqO @^M2Jqb~V EY6CrlʿCP?E$aX)+T[zJ WVDВV}ے70SOgK Y(?Tl_&]]L_OssmKG6SQ4Z:w)4$Ѫ^݆mSC!JG7O4ja+y(z"48 $A_zv-mB%8?q1x{EI5H]b'ֳ}5ܷ,~Jiwfcb7,v~9~M܈*gLS{Ѳ3ЬDN fny.Kw;ߚƭK [z,>׏d ɭU&1ӌZwUκ+c2LA^;ƌGUzX8fWT+v ҿ|j/Pp<^~րߕC'^wNJ4r᭨ fgsnE%5IDUJp"y~A?}_ MʣH_LP0c*jNkїJėDwGe q䝔qv0D\3hCpCy:s(\*YDVrLhfHΨN%f䈑8(# ISQS.8(0OLxTtTq*m!mJo eE &Փx4$$z?I`1pTֳ95'@W>oӐwkveKL(ή8x]?;wɆRUwVOKk?rQY[9ө"W%]?M/ op#KuDڐG"TSS؉jk^)2XŠa +rUᚋ΀Hp5Hbn\2A{LpƏTi< e1?>/%+1ެ;lv6(}amwYhW5V/sVH]zIHcӭcFVSaࢗ?Ζ87W|ffFiśiHW$A©ENbѸ?3o)mzT:e:)CނDQFMYF=VO^xRmq O=C=հ`b l?4SG/n՞f>tCdֱy meGljUfS(TzRd8-y:cB+&@zl/j_J~!->k饬dHb?e^PNF:4G/(c>g<'=ry:çJצKyeݻCt%]ӓ~ks4~My:dZH 5D`tM`(zxdS\5-յSdv/m [ؕ4ɭ}Xw(Z 4OϐI?rB~RW'*`- !hS6rEFfj0^^`E+|LJ) _B`5neBnb) 4ޜ b[Ӏ^3PY)#KPٓz3!C1xrcїe_ڴQ ђmY{.|jIY$cŨiP)rq:V7P6Qq\C kq<=M^Y;Y;1ڂIPr{[g\D Q}!Fݧ%|L5j:P)`~0ݚ(J4[3nC.V&>~\iHi۰J f#_:?g Um ˿12š6OVnZ6 Ϟct B XJGP$gW4O ;šBhn JKȎ m8H]5Ho&w)~*`4.hgA`\1I-wimaɽԧYH k"=7TjwЍ$)mn-s+ &,5/-{u9, tV3gW/qظGND]FA:  P#jx1[Ruce^S v-sոE%OkLwRVM4さt 6U.T^b0Hq۪+k]eW?W3rm'9i5NXT,S0?J.PWBU#q:xhhg f% J Ɲw"{G)$|㕁CKɧJo°ypUannF[~^x~yxN-cu]ԓPPf]4ۂ͹r2hSFj9!Lgcv* y4 lwp.3s VS=%]n:G-ѦK Yw@,D)c'Ϊ֞5"Shxĩl b_[UJ :&Y9Xw[#p._^1F[%Os0 Bv51pf!oBIQU3RT49ja6U O`y}0R֮z|K J_5C oa@ ͘_1<a{:KZ*(w |dnXC(}w?LJIP)L0RC2 #߻&'wxS%F95a~֛dMX;+^aX]T0Me2u=ks9H;zhUB1sm'-YIZCjm`4p|b,zH3<F ~_95W8(ZvOݶz`1ٝ6~D; ؝+AZWz*ㅫM'k$g48Ko6vk,<./gJȪ?ZZsq-q ͜la[V[aw+lPa.9pP kM,k"ceio#_V!$ mpcFΜ2"TNl2:okKx eP({J;/;s4so$n4u)!k"1XS_pLl뵈{/jY8J(Y$$}-&]0ϊakQ8c݄ #G/S޸3 aU0f]Ҩ`)&@#:gN:)/| NUU@GX, 4c'D٥@x\&K[ Շ?6ȧ,' |<(wѾ7Hot UE*OWgMmVƀHH0t'KtVQ8mVs#vvl $;cP5P'e\ө{:~C}؋FΊ- *D蛑[P"hQ'2@Ct7|Bܨ0eY@Uߏ"y(R>ʪ%޺O;<J̧۞z 6 9Cy,MnӐ; Z4Z{Bq/9 1ig Oi*6M糈|P3.p(B[w"X.]PQ4g_rYZmeo/9Z;7z: sSb^ԜSg :UtݩB߸lq-5^l)_ ;n+> l-ںʮF=pjgsK}4d;jh-$JM,zkrK~\J;)fFdC;+J0 5u%j, gS:ff GFic[?[8Jca;pS&v,cúJ. O5A^e6JmrY<0KUKn6@lԎe~i N M_%7E> #)r(7gC4\V>dD8&Y[Uu9V GC;ㄐWW;dJ?V#$s(\/o LNf  #بDmW` Ek=WHk`gS,z(@ |"sÕ4!7IhW@R2j1W'.? A@p$wM%њnftfZmݩIyƧ*8҈ Ȥ8JW٨$n0p3"e_0=G]!|ZR g+UuNo:nl69˵64^]|! /D9ViY?+Ūb"ըLe3h X1h4A_`g|?@DS*yUfmD;*#AB$#.7cI"5BHМʨ絍 '=GLPDq3w6r^6寀;$ُu$Ddu ,z5sbZ; Q#l#ˈĖ}=Hz=1} j>"dF O vY-^dg;x\ppug:m0QִYACbΠQlΈAa%5+_l__5f#ޭx1eE0C:r8o: ,0{aڞWMȜUMb.}>>9 s%p ӀNAЧGlLٻЗ'>#^0ӂ[5jǦٔ8&9V-r+abqdԃX M,k33;Ɨ|%\UX ~{׺VZ`ߎ ϶!W&YkQT![~ k=({">#n*ZGHwX)؞U#l=ы|3hhK [m6(-0؉t'Q[#>i;rіI(x[sI1h3YEEki?؟<pk*(+:T rg퐪 ęp] ^Fbl7+x~r7^fGS15탉̇a|`_]e~Ûud{u^2 6G!MHgx(b!"ꎡﱟ2tA֦.D>%1XÃ&qJAɡސxDv'3 l1qo ny-Dxuҗ. І}ۺ˼Dż@;rǾ -lr5?/ z&f|Ά5w3w>W:\_ݦ﹏@uQʐ!jagȖo78(t{YK/`O%vʌ:]\&g6&Xp m_jrhu{@(JIaVo RE;-^>2SiP$C?k˚i̵t߆2p@$)^būDSMYQa%:7QSʝke_/ IܨAz&I\i jػ7uyH ͅgEӣR8&XͽN7Ȓิ5\ŐYƟA|X׆r[F-6z$$0I+65޳:=-6r 2 em\;[x3 ܗ)]Ma-B{w#L͌Cǭp͢kSryKi$64΁&^p Q_8_%Xp 2gn /OvW>\D֤\wRvT^09>qt4_wC~}A/D،[-EMm{A WeÞmRMnTwڠ"/'1AYG Ձ P Vo!v~=^ oПPzV%,)ʵ=3< [{ ܃L0OrΝwnCx#5mr@s*rY%PQdM =M=C,k'8 !(a/kE&E^xdMDPN̫3C?\} V2< 1Ꝡj} k9u^bkTvb**l(Ph 6x[umY9P2EgFlheʌo:dE_a@U(\5.e,ӉOXRX$~bj봅I(JB0LGR45Ŧ\xyh24r'k|0/~Gƙ KQpP$[I \A^JEǣlV;U [%&SG5d?ڧ@lV+eCD2qW{]~39'R4qy ku -T˵`AA|'iAg1qC>|Q~26Y?ө֋U8%A0Y)֔2p6G#;|ܨKD&E00VMkꏱPy=.:'~n T@9pP.1tx 5O%>{z {ِ=>k\2.gpWs:1ٌ|?.3-Do[ t:^F|pP&)H q&Dɮ 6ZӿH7˄+Az;\ݕ-1'ÁSJk'hf\*4$HzB˨B/DVRހ;E`P$`֪%[SYpaXHO#<>/#N.?2 \4EzT@˕P3>{ f)-Q{A fdl4 [[BD̪,±aVZ+Of N=`)WгF= ł$Z" " ʒg v21J_L^ 30܉=VAwZ{ڵ{4W>UbQ>5ًZc?: ],ZS,(2GĴjWm2wz˜P[53:U 1oJ[Ed f=uVػT:@".rmҐ$kZå x4d zQgb8p!VǑ&vS0uD֗y7DP~΢+Z5EXRK`7΍Y<>庴qss$ŭ4d5'=Շ!!}mjOxʫ;(mvc#q St. ~;!w녊;cQ 87E:2*;{ȴA:8EE&hȦzVMѥ!@~Et?uyoLSm)qeRsLcDxw^ n<|U6pӉWL,aZb(2ś 0^LÔmi)_{ijxC+,ǭ]w{uoRGDS?'Zgy#6Q],3s'1U[EUwj^vmp-QQDEL{3ȧYߜM_q`В6|}= G}yŭ&fu,D~A|znVJx(?x,b+Hb ^fTI09!~K#h^mqͪz%HT_pm"Rڅ}+u}&1'C% /h@Kn?a"_,+ < GIej?8u ^(.oV'_<RKeѱq3W#?%тdTܦZo/,|y]eA '3Uki'(&!3nRe S; 7^2жӅlgUxr:* 5T*cxYlMɲ"~B΀U2Sߤu@.Gib,+1{ mސf?AuÇ*-(S)I[VfYؑ y/:ˆ~z>3\ǩU;[e mݸԎք}{ar+MgR1+CQqVH"]lDsOW{m4L/" +)g{Ar')rJ:ʩSU.Y3UyA4T H7ARyx?HՌȚo.Lf18luKY&v: :+uw#?0c`ݠPQ5EtsI$u,d!s. ޘ>G;xksQi(,[' g1^ӜPcO]| K(nDAl~Uשw =8"K~2Ob:n'>MK=#㘵!XU>*1@—Qf̞֨`[0%]iDI0P/3_MgFlJ< T8)]r{XM3]F9Pr[\<-9[cdd@e/%4SCf OHJVD_oIg]/vo/BHe;8?mJ]hP*4VTk4M3Ez9b/;.OMF96F {+S9H) W_MOKauq3: bbfwXD<|eG̬L5 bz ҶP=wƬ.\Pɇ/@Qa}ZG/G1C^g_lG>CqvLg'XQ{W]!*J y3)`x7u+{_z;ô *QYPtz"$|9M.v@ ^KM &j Qu _$r0qc A_N T~b07?9lds꒴řSN(kѯ(>}y:>E8m|wkï'19ЦnG΋ O ߶nVtu;gHtKZI(pL򾫗5{y7Չ6S 2Y8xiɆmiȄHIrϠ ?߲yu>E~m|5 ׺|z% x|Unj @ ~ ,cۻ[[ :PT>!~uJ=^#Rӆ b1sƇ$UW}CrL u2sP{wQ$ BvhGz>-WoxBR5JYYZ-Ҽ]S۞iT\l9T8Lq戱}!-:743vryF|r㎁gK2&պޜuubb ]4,rJ}otx!vݻX w8|6%;Jf<دe}u[M{%JM[Ʋ6OSdB0-LHT[bc6ӃUmu9⧪ ?;#^7 vsh 2yIP|iN:K*]|d-Z`N!]%nmٸZ]Gvkt ჵ}XAר|zˀ[zܹa!ַo`rI^;uw>]Z 7mKV=w" n6*3$O\:S;J@b:߭AQM$8Ȱ獙@9kL!SNeίM2갨GXI zWgl/#(#o| D(F "AfA/zFP&)|ʡņ7yE{cV@=e(hb<\e 8uH=વ`bS6S3fbyR7ebÝ|X\1ian)jI$JtT,zp+mTzkq=8~%flJM@r#yNE2|lb/Lh0U ?CElk5\7>Ԧ,Bc',6h `yYk;7 Cs#/BJXJKyTv$ZE-pvD ] êi>ڃc^*3^ ЃDhsݧ۠09Y-Mq X<Yik^y'=YzyTĮ/EBB.j?*l2ȼXBCH[mk`aNHz c^KA Vό%2B])X6q<+.bsҠ8*HAB9W/hxm- 5*FCm`{#k`-e8suZHK+'V1{]hچOdвf+(]ٌYDUO%d. eYA&A4Q=a($QciK %MK8 kXlؓN/36Ip  L Nx?v)5%R6O6*35a(X,oרgGwwOk==-WV*2c:ЎC-QMK-?"M?65Cm$,VGo%| < з4qty˧8nB[3?o;;Ezx8{mZO΂8BPG`4#W8P㩏ۧUDm>ؑi|pqB YAWCwh d=>4SM-pD+^ \8 넸Ɗ=G+Hޏ!lVAh9'7 V>oq6kB(y7;a'8zpH32qd&sGzITذqa(3p~)C{@槒l#* pv/Vxk)63gW||TVAeЪS4uĶڥ!(!fy?V@MN8_l`#pL"wZ7D%VIEo y Y(صG/ HX jiƂoB)Dg&UCidַ`K28fkrmfl@w,!``#cJ7q!N6Oc3>B O3F{k &UzC(SBH 3X>n a K<4 {hj$<>Yz!uuT/9ڦ(E$[RfTɮ30d&edJe5ˌ /gN m_C RE=~ "]alrf7EAbѝڷtaz[hC~X(> L]>ot'_ڪ΋1vQ.xê`I3uKI"#.Bhi~7v߹[h)Qe#΃diXXsRW%tnx . _ɴmPFf 3\.kQNK{E*<*:$t9Ȱqr½zK{Uš8Cū`Џ ʟ;TUp!Q {Pr}̫dC8LA#"iv1:vJNB>Nqm/tC-槺3@ꈘPj,Ķ3n2׮@LԀp [\d@} x$G6xdDTKf(LǔA,[>VW&^DՄ[$[R0A_6P[BƓMUG/!pq m7iY <YưSEVt^ڴe]lN,v,eHܺixALYq5piv)C{ե\ȋ@Tkή4c+T i玶 4篅m%E=`TDF9vG쒢88+ko%v8SLnBh \O"X'[M帟qB';9J4I0Tf (ҴrP^j9̮oq":bl+l'ړfT0Y(O+EFyv2,=ػ-N7^vFZCWDPs`8a m}{Νe }y D!R֨.Sь6{1fϼGu{_(/DpWtTiMyVZ"մ1zO"eMN7ݐWya# l}EQO˳B(3u #ADZ%eb!plqJ'2D*m՜#hV.F~ƌKwoXl}axpJaMq;4;k`ז뺣ԑ+ oK߼"kԍlsTS%l3IQ.F >8N_LNkٝaqq30  @=v>6.ܝn]G?57.O%>M!:ڔ[܇Qb+ 3IN۰'e ÆkO;kn>F.hgers DpQ`-1jV2( +i'i2P^{)_w׭~PbSخuZhuR)f{ѩU*$ jՓv.&_g _7_3^Aqr}ˋ TN|){(gk7ǩ&aMTQ2H}Ncx0蛝QY0Z4i,# =.,~g=S?#a]݅MQ5^+ׅ!ЄUF\,FlՅ cvXzdUY 3z m*[fG G;82A4HTx7~SEoRvRȷĦ&_o:l83M:͓R&2zi( fLuI'oghʵUY⁺[=oDu6*h{,Z ϲS}\b޶/:jgUzs1^aRW (>U.u3 x8Vct6)C@Nءblov2A.0%exv S!49J5{Q!+'^%S%9̬b{Ry5аfgpi'bR\?D643t[)43 3u@{|J>v^Kќ=[ӑJ1ӿ#t c3Dv {T'coKߓⳤKxr>([L-< vO8n'0w #9`Gh@|Jyr[KR ?9Y9Ij=Ld`kif<,N:~K$B\TtehQ?O|?pzFi*vLg`TFd fJR_DܫK'몠2xd+wQ/~ _Żm^xkn}٭+߃ir;Ưo֕$ Ģ޺QvnW9fUC;ܘF>bշoؾrW[ %P~cߔf}Z/adž򅬒&6|/`klj'꾨r+~ovGQ…*2\#GRBB#Rj4UT"R~ttm Gx{ɋ Krt|ĝH$LЍeצd*Ƚ%8pO{-I1ߧI{(>^7%Qt݂i;>Þ؂ș Q#tm՜Mx94|+zkqLcFן6N-a5 цN~TZh.]YV{ O}@6+N;lDl2wvRS #E9[C<_n-#skҩJ|E5!z<@UOW2[Qʷ37M$+ꣿ %W]gR%)sZJ93v5yܷ @%q[SO;X7d Ԫ$5zq`!"Զ3T_;( 9+j 7X;r^e0[]QŕOS ŴL`B& G赂&EB)}wMus,eKYzz[;4D':pgGJGYHu.S;JmzQ9P ~_TE[ . %LT@~5vToJZH/&?<jY<^Pad5%(7N\[r-gh~L3ڿmtiq2K_K!ǔ%o1hdLTu:69 ߌ!- f%ׯ]K/~l-XhsnR0#~x &>ޮ9L[7yO0mjр:jǓZ 0JL&.>;4-K*CA׍nQ 뇤 S[OP M/{fQuS]!?n.4p5P`Ot/85ja/S ٻ<0*H#1(/4u)A8Ls/܍knJk&5 SW NJ=>v B`i# [94%Ɂ`0_p2V'd V߈^n/;9/ G2'ɩ)<lxrSD 7aDp4YKlrO1EH[6&۲|v9vt%'Rp(fS6ˡ:{Wt ܠ@  E֡i6)&\ _^S#3Zr/ٸJkc kcµWwnDWOX$V}xC5dtIθ_x tζ "@CӶA _qVG4\aQx3Yox3LMD"?!=z#$)YOC rT i`?[3,8Wuw$hp ).BuA^ !nId;?o44Qx)0H^hĘyM?]8Ҟ$zIq:SXs ֘H|A|}c|970a03!8Q{i(&`np"b3&o'W?ՠTY_@2Xe{uQ՝3*=r/FloA0_kWgImFI4EЙsg0X]Es/#e#L U5p. #aA2:6,k|66[믹(SG/$9ٍUcmś,H[LGn<;Z+W@u)8A P$F4~I1~5܌SCN~.zdA1fNIG0H@cXeG0Z^ҏT1Sdl({Wcbk*hO+k7"SaL):03]VU'5gsn':]nM{_q5!mg䊢BFޏzm 󻛶4OK}(e~H&«|\lv15Zef4?U\‹yĥ_`h5tx)̀BDGeBn IҌ'nnj*j tA \4 ʹunx.:CpI_-Lإ_)Yx9+U-EyҾ̷#J3G+6B!W.-/Qlk/I"Lxy!僖qK/[i&M, gK8{e_S,WNP!dF< JÓ5!M&e)+תL&Ê_0r2h"co:KR9| \#b(ZP[ LdUN.ak_@ux?^<̋ѓibpj.F^Jlu!8ۍa(3rn6v"Ƀ,љ[2)v3_~ qQCsp;TAH͗Y\2nܶi7_Yô(њm0 Im]08uN&Ap'F-*0{v7)sBUt^r@URhw#d5QCsoq;_v70^Jt,zvnAN+pS pʰDFC~7: *U!5r'ssUp {g(:7`ȾP1^O/NB~!X\bXt(oCD볡kuzCbGs)HǞ?6,Z5BZ]:YzW_ 2^7g\9+=Qm1/d{!jpԢUqד7c>ͬ?}-ύWA}5 OǽҰ*WΝꈫ[\=##>uD\sO<0hhubWsݛ1!\" 3KA_!7xqR*y'C T^$NT?ܭ{sKn2YG Uh@VA9BƵgϺ0B9L2`:,_ "fCZP~t|Ivm7 ļ2$Y Z!TiiwxʉHw,+"V@ 9 i#*_4_*Ck\o_wM {xY  W6;._F 'Jtꏌ|P,KmznXۭ}DNK ,&\A;ɋiO::/_BH .DqZJ\v7tBL8F^bJFds1zyUC^ş 䃡kX^p>cƱ ;I|:֔dȊpoz>qs F<7E*Y+>0u ^`եBRD~tr]ZG6Dj(dMÞT";d͉6Os$(jf46u]/lGftP26)m퍅^W=xq.nuݞOMk}\n /t]q>Rn4\q7z˸Xj~ک]da8z$tz) O](,^돋U*6m\X~p=\R6}rluZ" QXB_0ujQFX>I_mt `AIܒb'!-*aZ0OM]DžO_W!k^^?KEdFh'p3ԡkVG"v*sRpϐ\_mw ;}Y{+YH}mL4+:IjTYb7lSqH#V) |yKDgHm8d|ŋ) ZK,?#򚄭)A>V_,9lRdB"o~J8$ֹ\:@f@7LHjA>4R] ) l' P$C7xPrq#Ƞ~ '";^͙XŐ%SV]핆0`pŐ#TxPRe OUjAt 9mBM Nf8QG$~7P hm4^2`8`fd)ox]3ٛԨ1/Iysc8p<LD0űw뺈JT׈W׿W/dL Yjm'yʩ,w/#g!A6la%tT{zĬHp-tnNEj hIӇUlI9Khc!b5ۛ*E)Գc э0҃Iz[CR+70/:mrj=yVЯqLʒr#2[t¼f¤^=&1NIˣ:of"ǻ ΌٕRiv8wвw<shdR;|Іŏ*ox\@ϳc DRp1S&a8a^GK,]ΑO=cK>[[hnhj.<_ #z.-8_3?1>12xQcs˳+3H-3(w";rж^/:\0Qijڇ}mʉH0})^F_b=\u}Zpݨ3]⁇2 "( e]qTan , {;YSՉu)tς$GJ"3 96 t*&3iHז ~_"$i{J)Ƥxg͗i,yŎUi \b>tiJQ\aR H7ɲ;4Fly}Zۊ 7R8._}vw0dLp+?@C9Ҧ O!!}ω j.!::Ea괝^㌟6l>~C47+MSZ*e21 {jG޾vs%:e߻90NzSSg 2?76(sTS]yV{#0=.lX<0c>%rԥqLzp[kYVi Q-|ʴ5l-'WpLˁ꬧9`Ɍ#tk[ܣQɽP0gͦ6*ڧt?LVZ1"9 ɭjpc'5S%GG puF e7k#Rdo`Do.$=QìM,4E2Wǁ6Q7⹦[ <)l@)iR³.`GEk# aE#_e]ZM}PyE+16af]œqB eRDJf^Z˧`[nxSrS$ZDnq< y^ X,DN]HE16b`0'yJBqelEխs;ZJQJ}~^ vՄ=l2k]4֖a#-݃RkGM_+ް-.Ɨ!$M{y"Ur)f>j!nV7JSq7h3J0ţ~4:8-Qs 8^vTO{y߳Ҹ κ }/V CeH01yHj/(~17B˂sdR(]~"kfY1:f-^ :Ko2zūZGx^ ˹&mS/[뤻wj-b!TZK^&~!}j;n[o_ڦ[B Sڙ>R'DSy{Z^Sh'E71lT0H̱DGw <3IumV2u $NK[n1]Le_m.gý+փ.2 B})}=6üܛ@92-:v-&zxQJ]m@(X(A6;ڷJ\?F[[,YegqHzn%HB;z7;)Ɓ/$K6_ˏ*E7T^{gn6S߲iڶ!1{:!%a_MR(fY. >o,gDR.8q[[-`dS#ײᄴ%1O%Zm#'.϶-Ȉ!F' P~cz qzK7cqK|N2ľ!dorR[bI:X{UUAiv_Bvf<篣 tr^9n ؼg' Cjf9:#FS|IPr3=zj a OAͣ:C %dBjuF-Aw5D]&FvHā .=_E 5`UAcۺY>o]􃹌=ӀUÈg,g!k4詑bxq?ߧ)O)vbQUf,G{L+upu\訠&}xRh%?!,fypNmN%msu&I?fȊڤ^FL>}ԲjxRP*UӇ|@ w}%_McQc7;(C]_ F5oХhK8?zRtv'!(xZ!$w9ij ԚdH9].XW]&x++L/|.Bn47ln=2jYnARb+e`ozdL̀#AU&4궰 FQIJ"(qWE<WZ;r=fOH{:5v'Bپ9>(L+΃AH'Ng 'WHXXn>N+{i} ,m>9<TX5E*^-xceW+X4MVz'kۥ2SUԘp6%bc UO+hǞ`|C@x=FvV/iTfkx\ Em]-FDdYcL0U;c \x6`!fbe أ:ޗ)5¢k(x2إؽ7?[i"?1[6Ws h+@_O/Q ᮍĭS9DE W5=+۷^9F 1? GoKLcX9]rnXM>arXX9xVYGЩ:]~?~0f* -3﹯m uitX3㟿O'^W hdz  _*(htn{]eʱ'_E5eGF֟ HZ?)g^(O],uK ~CHy) 1U.F ՁyM v, e:vJ%ǖYY sxnȳ4 GyK*3AXI<=䁃c!0tQ\8Uma&첾K\$\2|d? XwggЉp3Sr[uD )o63X@b?]cš O}S۝ï|;$şULy?7{NBQ8\c/p<QdMJPMhqEg}PʶC@Br}.$ !GZ=9n_hOlT{ ~F m9EI7kwo.M!iYl@vkv}[Qڰ!?Z[;dmdxyN&\A C{vWq{Wq-wy0s4\^T8@i,,<7ymeZ ^U\4C"f&`ϥI,sTdJ%t, 3h5+^&qCJA34Sc*M=q"e1QQYa˺I"ΚGv ٥ ل]1/F_Bv0j~Z\EZAB#_A;O;N4ZB! 69-;WH}#nSG`"ځHZ׺&ZPj_ПQZ hFV'GrK3~֐84cx;쪫EaI -4NX,,.֪l9&/;J`bC|FL$^"mɡ+,d)pDYin{nKS&p:[0 M^ XZw/Mw>;PjJĺ,+o~mM>LR0>нJ]3)Xf!0Y0ޭhRh{_*p5*ϩa<͟8*4P9JBf'O: ( kMQU [[˲!i*w՛FSjKsΓL=uH$:Յs:xp%U"|6he'jڂXQ^Brkt7oے`*D5zCLoAqt2v'ZK`w n'Va2] ΋)o^&a47iRϘ֛ul͏vTrTͥ\j$eb$\v>KrPFJRprOWÕ2~n]0C} Sh "bO/&ywTyc3=!Ѩ=}PyϰF_7%7.r^1J3;"N5@B`.7ӓev7K-ds{9>DoJhГdrnMz]bG Y{bW.§`#ܙ.zQNlќOB š<;jx1 @%dVO Wo@lTj2Œg[{ZMݴU Y/a~OL) "6BFG0F'֤0Y,8!2Q95DiW<;Jiy4*qQ+gK>Lp{LS_όEĂJZwvvU>tRz čeBh3\Q!"j##;A5% mֈT%>ceEc>ȺG'xc:<륊lN.+8 [O>:FDC#OtEkI‘BtؙiShFX!|wF1=D҆7@Zu %4]A#EVT)MzIN2*!H%frU!.Pv4T;'ڣɿ"M/r]Q*73H{#D)Llkx5,]Am[z1jTTB^"s>}v-۱xZhnC݄i:,p|?‰hVWc`pZQ%U[rtǷS*b":zK}kp@a51MG?LpS&*✙1.>7/=UxfѡBCUO@qOa+NMLϘv"< {CDZ4VG|Zr]ōY(Dn| A/o;hb,+ W+g2 xdMŤ|j4-LޙM_G|S%W"T)([SULIDYCߛ G5q3ED)jkDLx]O3k۽~':<~zKZ1J!o:ad9LJHQ˳r׻ 族n=[g7"LASRv0Fo/"bM n<_`H-L|1V9[(ӷl f_.%mZ{kǎձ;&u}YŶtO|6_ \?Rڝ g Sr ^<ׅm9L d }>p)tv>T<L&L}%GZBJhz ti Lsm]G &xD; b]#y3OLv*z!#\,`Wңirf,jil:E7-~)*(rhV| LqFϰZ37M{89ZU 1aby5͹d= FS>=+v9`tr,h^r]njw4H{Xof^| CRFX7 6^-z}%P7.Hj~<]zYu*8]hZ#7⪂*p#0D`u!wLOCZ^ }<ؿ$wBVYq`agqgQ-Z-h? M{%ڹYoĹQRtOx~p/w5 ˄b~Sӄ" kxq~;\A;~詸IM {cY߷2L ct_$3QVg}5eRԛaOfxטO[<v-b, '9ԜO ǞhXYr2nDi3<" V7N |8QJތ@΁ ])w/V? pr2!<*{"?^ #K7!cjϢ.`9ap`4_wsC[H lJ"a~B{Gb*o._ D!(V(Δ2_3;l툦ׇi,\3ԤWe׌Zo1U^-F+x/=r>l(Zb)}w<&/)q?5:^LЌ̉y`Uz+[4XjIނ)~oҭC&1bAWQEaK2ejB}Hq>19R<%CB rPk>&Xv$1#|-@]PBK~#^:F7!~ƄYVONviD2.fuq52#2KE$۝ޚ%&Yc>\h>׫XXEsWB~kMv#2f㉳/ןs0hU.G՗# 'xm:{])w>*:^~7!S(vh6H#r9%umkA%NEk(1~{ ԯX?|G7T6Xɽ`ȉ)w͜hwuh= U9qL(ekqe/i CMz&J5hG&vE2|3^b ,y7`V(ĜFVtڔ& y n9#>p:Fp)/<#sl w<<>SшϞ2qoP;$VgƟlɽee=YRJ7,'}wwEDr ϯ1T1 \_Ql`mdlsT_ͤ >6*aͲQZAlz2=*ʘI*9oѮiAXݸ,&~ws 7hfLgi0ߗY4f{%7ٖ"jjXBS"z!ͼ˜y7m|R~U nPv'D,'9c~65_pcLTm5 `!4`8(EӜY fRIۓEB`NM 'fH\zqbc̻iX uG%/Y>ZJ.xĂ>,\Z$y t׾hh9R5TεtwtHƳbS jJ]M+Q䖂'CX*tP3on@gȶ'rL묵vyʻK^Ar$X:@ӹ %O."nvl]A8ĬNMI?q_Yv re.0QrĂ"9;C"=G|&=@ ُ+a!f}EAnF4׃kT@ڪyi8H86דmgserVqlMPZ ӓƮQ%m䡙=;.7V /Ha?'7)f)JdHa>N^ܙFBkD߬kUmrEJEpDZE#dsnqg}˧2PC[': 暮cm4oab)xj( *]k!l3vAp.̻C|A x#dllߔd5 EuZa34 1gtfI--y=w1A~̦;Uz0Y=ok9c9_A.էW@`2_)0M/Cw͑"<%ݢ'DUOўIm)x9Oo5( +z MNyCգ]*8&4KA1QFs\92W6Mb6{m]}R_R{cr)#/K#a{2D*p̓क4 ,~ҲļaNlHN$*ֹq nG'b{PP^ҍ`b6p]]ANǗ)!R ~oI>u-^j]?oGʻH͌"-%w^x4h?j1zH˪ Pޓ&T(uه;.{|8쨁HꎳyFF\3*D j5 vZ( Q&P$csN{/@bI6 uyv@&r 3c+pG\Ls(}|4pSb'_b7[h[ym7Ɗ6ZKiE+)b\L3+I릮@OBq$t`lw 8!^ǣ5 I_"p_Ʀޏį(iDkC LաFP,*)1Gy}̇(܈(NH p'iXd#ܾAZXC8kItd_kU>Bz(R6O8![+L1Ӫ7Q{ukq3Bz=pƽM >F$7Ed ΍6հPqEJiGAV[.otHt*/:}~qMI>3"IvN]^l5[858Jh^<F]os % xHQBP@do퉈(:$O[6UxHN6+[8tnEw⣫7vnN/K'}'N8q;6m_@ȟ;4h]8t.$, _-p(4E>a˺FVv3Nl?SʷV:l# r)!k"SNƞeS r"n?G5re>kV-4^`.9M­rf@'0}>,?L^R< c + ?Mh9$5eg_OA=-B'a=Oڻ48ezwHΥ WRX\/e>wT4Peub@sv0Vцi0\i/ YZ.ɒ@ȑ F/BƠ~o|3'Kj& 2>D)6< A빋P@*Z˂3Qza 85-B-l*8 o.H|ϙu>̄EVcvUCd2^bjPd{PКE[l%-! s?dje*4k${u'xQ?Mnl{4| qL `Kb=kmeU\ ,)}RղyĥI#bs郂5Ӓ4Cf545SCFK&އ~bq]kVWA(.JsxiG#/QvIv@2 AGtwFz-nb!Q߲DՒ7.3z-\920 -sN hɺ{ ̛֛$] 'wG)NǗ-ZE5H)Rt)]c}yG ǣ?i`Kv&%!q.NF) HħVjTݥ'o',+F8XDe2"=%lv(\sZ_ΔA3ħY;"j~ \8>D]DE? 5Sd8 mfc^3[=AD7!86 ߾XxEu%=/T Uj{cxUp&15ޮ}3edeudM[$fgrhէ\lhj9fd֥":]D7~S vyE)'9jJ)F(m>'? û6`Jb#aYGDa:Q`Gtkvb>C#a_3QGnQc\u"5rA?8ш.&l{Sg@*GIX'jvmKj+qZ>k| '~~0 T/Djɤ ^i ႬJp;8T _i:m_uK_ԳCsvanG. Ok] Keb-vAܣg* ꍕ.&,o6azwyVWbb  $F. =E2!~ E@x!1؉.r?sMB]*lgtnL# o(Ќ:Ҝ A#X\>_XMuW4e,ͷ 3{5OcPϐY4J/"~~X7>./BJA Z댣O$wW]e2y-0g'Ge3=a$-68뗊\y`r&XmX QlYgh4ﴱ K.=]{'JVD'|ok ,k% EOQ*v$#Zxu;.YܨJ ]]ҡN x'igw^@3A{6*N@=KO˱ȽZBb݂e3{svlB)Bf*X||[.±!]`SRblmT#fj).N5WWcވ& %8*}Ψ$p+7.`p& Ta4`7p LC NJ=TϽA/*<^DZО x?Zzm[ /+h>.Ǚm+:թ_asǀE~gۄຎ_fÝ̈Σk~>٪/5Bɶ.⿨&TO-AQ-d6{ )X<`Zv?|2#+ uw}-OՃ#ItvF6Cv;{2&=_~ݻpt%weC08ZX$ Ogٌ*Z#t 2yqSoqdTmE9f #cXRB봞Su73A$ vgăi?:h2@,ֲݧmJY3_WjW_~l. DCֽNඃRiGL«!S[LqkZE\ ҡ R VFXI+UWV^jJ*ln,@yD{]xS ZZ\3oCx^l9zM8Ihհ;{6'Y(4h: DEg.MD9ho'p#hڑ:7d1hy>=>Lk0pU9:% WmcCGUZ?aJ alR%]71P^;j!9#GS&[ۋCa>XMq2uGowx\T:@3C(ϹA` VHlmR?2W 0lI.)Z3^dmP')XcXB f))OG2+ų2XQN~He&b!Y3.z?~dF'@Ht6 J9I\Z"Xۈcn}`l2mx CG>O%"Oi1|s1}kXS",#cdf A3VڪO6LiqVU'hCwgU"zME&F7E nR)uOab\K A>klJ}޸d3dp6˱ΐlXr(4g)gxS9 %"շ3&ƴcP ؁B^M3`욭6O*M8;ZN9x:y=Z #uĨCB 7n Α)$.)lZruBaA8òA+: L6m)OP]#a#AǮ`B[_?\=e8t ӊ(Nልv-z {UܡP-\d:lWƍd?*qBoR -0}>fa6tgPVK˛pVO{dd)ب 4M^q,3N*!SaZ=gƨh"%TJ?Ud%Sa&c-4 j=׽7NM%mz%UzqwݲL'/c]ߘASi1"k ]b$\Ba4w<rL>]{&O$`cx0 dxL?(!VlU=/<͗BF%RkU(RsW?~o#o@?;>,|4z)n]K8~Gr+z+ L.1tM/ٜ`?ixS*5]vgƒA}f%JN#v"|AQk-򷬥}]E+x) VȗTD[Њ\5 X^ojOϭģ+[;( 7k /bUitTZ:"XSSe TYiHUS}W@{`+G! vrΌC3¿Ejϸ,σLCMWݤv;DꎈRhGli2r-YlMkQ^3VherQeYa*q$ LPבXU䔟:V5F@((њE`'Rv;Rq xꛑ&1C;MWTP'a(V2q} ۘ+z'Qvx8ܨm_:ϥ>zqS?ˋ:W}CrqCs)EV0cju? R-pUZdְePnyX+2`A8ɟvQ3`] s󚶢U{/o0pFÇ"+ @ ( G ,&~x`EpԒ=uluXSK&sHl]$1*4ٝVP8/;M`=sa`#r im֏AX'g vd"` aU|h7b/LlH;9|Ьae3fM<٣P”Tk;Bq d`9T\>?1HW=XslTQG4+d̔.E h|[92΋-v'LIY9Ty2i߬feXuK=Jby@S'p)(.eO,^1DJP:L2WP:o&GZz_#cyLɊH'doH[UwOô#gt@JLAYAu=vTQTg)dx~gVtEg45^Cہ||?̗|D y B3.a~T'bkjQiٜ Gؼon+ad}}lL쒮r6>9Ur|PǤ/b:B.CJ6 \sTE v p?YpGޕ_d XיУYm e=!5z;^'Q쉘Vǎ-R;_ e= z /2g5y⊋'-%`זgMJ*Z~!Tr曥zP;QHPLf4UYf3#y2''!@ZC&1>vdRϷI]5}h&f5}TJbflQkg4pF. -c2}(dz3dX%!rNۨ  *k xvB' 0Epߘ7= 3DSfU6O#O؅ Ѕ?rG%M BORI{%"*YgzubB"'W k(=%> 0,/꟩gXr`cӸ1r+!H7#JB O[j:@tEap čᄋ?_]@LU*"@nhDJ>,~z D8cFm yǏR8,Ҿ G%ݍd\x✋:J6W"ς:$)^UAt(t\wC*y$A$ϴ~Z=̬&XoCєAzӤ[&p5SSLG%#y̭QAY~D-QƇ,Jt"Y~ ݉P/g-m9#SGSRhu՟ dP=r䒳VQWsڮri<3 |n0NɧEQJ=Ytޠ[aA4A~j6g-@yHPpW:;bb\{c^)WDS06.p(N=:Do8)ofn¹uݷ3fQɴ{`lYD BC u=H-[IJgt;'<$O Y.'%-(Uok?w[5/1bz2ǰOXtljC/Փin5QRtsxm1{n&'zjh̟)ܱ'lWԈb?hm d=͢ctb<4t)ޖOX8EǷd+$|EF?pG 8*'_&Vι<^0ݠ]N&vXoΡ\8xbKF5 U0-ʱhj11!葱nɷw8+jTnPrrKfuZ_@0I6H xf*Ye-!߷b$L0ƷIBʳa~Xor}̦U8^;ͨ;o$ͼ hjǬWb E^^OVث'.c"/akb[.ÐM!u#[]e(jV"-MpT5^04JgEdSԏ5 4vxQVAQY^|j?TW GJIx;̀jͅ )~BDct c*{m!fRTT6!~[0P{`f3K+^75><#`w"1mCx EI%:Js (I'tp0H9y ыEA ^h<"9&nPWCyp'F%J8h[]7Oʘ.> cƖm!'wK&7fxTfynVS|՛.Z 0Q&5",tm ;gTHrkB:C'/`dEѹonC o+dKNdCHFW}:2*kw;\0jahs0 6]20goʟ&b/EjGvu'֐k6f&ĔR*lGZe#)JR=k; BM[wu Nv(|ߴIЏ55翻c\ظpXemЫI|i4s8NԐ C~%vhz2=BF#}u@.PKUޘ\)v65"e\y9Ɵ*)́|=2vYitϣ^v_oYKp߼aLqliGxճH^Xv@CUY>;(9ݢ7 B }g>7[XNJe}cd66Ӹ]E/Dی($ >G&^6|E8=j'jT f91 I/(:$*d\(ⰂLZ lгD{%譍lJi3)'W WNaƺ"{^r^ܕYqF{gA%`5%(kQC nb|-Mľ#>_'5)kLTa2KO ccj䠃o;;砯ˤD7{̤5Z {0b!M@['hd;wVbXӟ݂%t}@Z .9Qey۾2$*Rz .TnzJLaG?+B<^~DzDD}}idQt:ckKICW(_swh^ﮊO+9e 9/&0Ӵ"* }b%G0Ժ ,v?ϛf%AfH+ptf1 e@ xB$:pe[IrGlDAn(bRLE5CnKI40%E(@>D(3>Xm>'~x_{a RFR0f\u76^ewmOX)v]o|/TvĆ.-ͷx 絔^Nb_uE̩zd8d¯6h*ZK˫?_Gq'yLJr;Wa%;6f]_b k)G-\go=wم=s-#Tɐkg" S3`6SVw.&ԍp٦@*9v3\W9C(prUJ5, aH%F{W7l30@Q<WWU.kИ'/PyS%0B:%پ*ژDRBEٛڿϹ6RBZm>tLx7hiZ|FRj#og&t9&{O!48Zj:b)ޓݍ- j?+c%oDI p&Rmx{g}h.ᅜbi=*oSdYZxY#dbh$en9{MOGKҾQ& XpWmG\,7Ћ1UP/)) ؎D ,:xĪH`?,W)#a, Z҃v`Կa.@\:xd]9TtpĦxN\!c(^lG&)]vyqY`Kd YFQG_bLƞ@_R#'c>H+8uK`"ޣG3;`#H/rzWۓQR`uwH 02CCփz 7\k̍{U1WEQ AtDHb9:Q !1)s{Rc(`.`TcIo)zaQF]:`Փ ylJKi_{Yy[?.`ZAN}|+_ [}6 .#gSxLhO޺!M GۣRdUTR^ഖ}`VD|q;4{7Ծ7!v&eHԮ7,GXKz3'PXR rw8%l<_;9.eVUc[j|-mٔe 1"xa1 Vjz,}h] Z׈aq*/.E_BaD5@#v$IpdXAf?1MbD)"iygI_=*LvJA0ih ut0rK/~g\ ׀UW>1"7##?د%.7`czd&KDhej۸N;)E G}*$; k)ېQ&PrG04+a)!?QC Xy}qGԶZfRJi^#Wr tcJC: ~~+JV>MqeY#9Pqֽ x6|pv=)Q>$5HL9jy;6)m&3(/1c>&kkףBhn2oY'3 ^L[TF9(Ef-&2TCP3>ovCF(^kίGIkU.ak>SK*|f;ax.ϽpSpnd-TMHZ2e<Ҝ{z&Xm%W 9R:\[P|385SU!f{M`{>5z0>#_ %hCT6CSLyCSل8H|9 UCc5 U dfOzdF7ta[9> ;Դ֒my=7T [\޲Oڡ.98Z$DEF`6<|r#Pa'f1cSoh|\\LsIV4#A>'2t"DU)><9[%S(Z`e*I> N !Y՜9e?~C D X&_Iw)ڗbBh(y Z.NJU$Mêk :Zq Ukg Aoϔg[FYVX0s6 ?}&@%&Woh[I~FQK JpIz[Iv&̰o6e4Ό%Fg/kS[ܔwUf}y ,7w*U[<3XE!(x]+.v$.KwAuϿX#ψN2O_QA :bn 1!p6&Pe3GFU-vſP WD2]f3_! /뿸n{`L>ozԤ'?n˽a Χ/I:5iþ< )*oa t!2?gǴ; +[K:A-추&qWqVPhpO UH41K0%cu2"L61fX{!v1qĹ 4l1y~*XP`n;[__/_:%N)|) YKDM aM}1g=~=c gkS/f )Rϑnm+ּ#v@y1CY^ 6=!WM0F~JhT(`­3Ye΍ՌQ0.N-~DZyR=f B'2hj~Ż<}hq|wD<1LqUfu衹GRO*߁Pr'B_|p˶R9b1Ig95r떔X=x2T#7mXau˩; dUTHcd a{{w< CWs0|VyVPG^Dc^Ը ]T gfS/؋cF[g"ugԩPb^"-i5Naa&yޥ@^sf{]^롈 fvx9TxE=ǝ_/VV*8qGOž.]HO9JTSF8g^^F(`'8IW rI]4ٷ=yQJ5 zmW3(ʃA\!<Uplac8Ut*z 2Jm҈ߚby"x %vUH=BHpSC2{^x'ykmt\ʝb(G[f` '5 .]t C H`s B?*WjT``+l7& it-^[)+;ʼj$5X3q/hsFP.Gakk/JTDE:J4AX 5o/UPĬ,mZ>zV&m~|.٬ vb>$.ڼi̕SXA=DB6?L.F)5trPΟ$4@C$:XZ1JW/Q334%h͞|;ka0#\ˣCb ih/K;>;f23@ftuEF__M]@@(}P@&~NM2 (FГT 6q*]އOrvj?H~ ; O:D7Ŧ5L;E%K䏷Ùb5V"uRA7٦_mZQ]M! AT-D :4H/{W3 |=*{UvOmhbH:"Dn]Oe.[ ;woQFH`n;!a @a6X',fsh[ȖXY-i:AijbgN;Y+7 Sh6|$?Fr ?ǽj6sľZ$͓NN}k1q?z8ՋMCaPj\]&ag. 3H"0:zsgnhk{:\ldf&"icO x{9~m6H5+[h.^#gT.dVE~~8>OY_%<_/JD ^K=D=% nL:/#U-4kj, 87v XUiQkmȘj*y3! I(9ZdPY3ZXTDoV uE wSgh?e5.j{cXlMHaydORoz"Η#qMB|/'ɌR[+pw1dBm/MeNe+ֶyX$ԦUxV^ e̪#VJ밥'T, >7pAst 4fVlK؆G[V:HZ1SMl1Ӧ gKRUOi#FF7LN9,NGFN^Hlđ{ G TkC'Bvyl.+ Y.q߈pAcjSӏBqL|ҐܳO?kUkBSw }b'Hj^wa`Ҿ9_ŧ xU%#po{2HER^5 vf{$wX?%R\_lhDJ̼ag# >ƭȾYԬ(xd+lg_,aJ%1Ct!FhC7?i-/#7)3+-2ZF8p1V s-LhoʶPى@9P *6h@2#T_CRџ;A{y#$ʝe2ZJw& dTW^|x]ٍ_c}lw2+`s~Yo@.cBIQ'ުHX.-|=g3`=DդB֬@d aXh%ګם>z=z.5I9YC@ C벉S&}v.4п;ĞAq@uvNu(m3{#W\ށ\.Hij#܉-t>a HIVbD:)AuQ?HAk4$1hw9{U]ƍDYMo`nBRr?:bQh9ڳ+X8[Y@9LbNPOT-$C%T9*?+U ɾGn< <j*m F0 @zw%$?7=OִM{f}*M9pmߨ-)l8K&^}r/fI,IwV$x3qp,mҞʊ:7#1y  ߳>0EO@XE;X"o|o-iZGk: ~]L ,(G )&hi8 9G,L*[s}'i 9sFM /Ãdv&]̔d>w#Wrq^?y.يypo|f6IP~v~>cKio)kC߀lict Y׹ 㝜7I5uc褌;ҍ%WRؙ+HU˂^KuO|)mf5WRM4" ;:& !P lʹ~"komZJ\-^d!VFY"M<OLDH5jV8q9&p%^zV`NEdq!hnؤF1s#T=AqoȾGwg\>E1nDinv5:W|r>݀,|DR$XXwam|=L3X،\l$d(W_0{Da!:ó;uGAFJx5k蕂" ,8-2Mp{QPAz;[t^B]CYN@P=1 *֛M[07yh/_1%WmP$ `BR~"Kqh,cN3-Gk%^qvTrރ ))`zBέ?{&a.[m ċ. ԴJ6m9il .D^:DYKswz9R?b7?2vٱ3d{*ؔ] +^[@tLV`PSxFLVl'ăg+x_Q1G >.1S x7e^BnLh&Ր7_c{E<bT2;*05#8_lkDvH8Rג4Ϝ=Iq92'r_C{h;y?w;_VQ(~=cO9|@Ov8׎&6hsGn cjg}TaK|a6X$&x8ʓdg!G4]@u!ĀG*`@A̙}kw x ]+Vh >WrctceNPܝ[޻/H-2X ýK%l8 -!NymxQmOLnhunor2v8HKI}Dxw`{{[2PjyU*Gݎ&v?`,YaNi۵^x\!b#ʗ7MPV:_=tag)^Pgj>9ZTB %+W|pF>A:6zI.Ҵ*1B{FV2VmhǺQF.-$"PNxa+_q=_ KG<@Ư>qُ:/֯KbwEjuwP,.zT%òZb<e|q<;=ܰH5FdJKT=xLY>VMi" | @G/\tUȭ"]Rog~[S@g]9u}}7M{vUDn_L7*}g@ȓT7 čiL-úp\ 5ͅ٣xӝ- :4ϕHn Ho qV bŢ oA!^? ]>-+2^ Wb"ಭ 1TT[v|κc?zx'sxT WyU Es L< fLxJoZ7&RAXL΃cH{7e,сy[$D{osI~wO7AC!(vܷ[:f 1P[6q̈́3yyU}(EvsJ13nJŊҎX=~S)0 9y<L,_tzb59'̯SXT1q hM*6 .s4Ψ5bP96 !e}\G{q1u 칢/ZS/ 1dm OvӃ8OZG^?e|YATJFzLL!\yY Ͱm sNkL?A @V Z7v=;+NW@)2V4$ҎE&/ !+ktY of_xuCe7U#+)OHSo! NXyLaw5ša*Tt7 G 3q5IAƻ ڗ&.J 2wwϸm v: &ӛ?E9B_ 7^9n?'tTUa+h2 RñMBhST#CU`:&?P}B;&3vJ[ ESCJcWrGN beЋzP#`LHeSZ}wvB^Ɏz>@<9p/^pB7Y6ͶmDo;} +*vp>[[36R";ۭ~ūٱwpPqSw%͊}` Ldr.H#HfF͝\̐ΒnpRJ;Yo%}[J "˥啅/JyW X}Ga4s 1! 4c}nh3eLP@:)˳jS\bwxtgSr(G#}OL¼{b|7|rh|x^ KcY<c=;]*BEhh-;Eyӏ8mZ_p  L {#3@9-,Z<_=Yh4@Jx QѰkb2-ilO*"4zu"Fud3Fs *fSx+a"Ox\RӷF2UsIWXT4ju,[ܖ%І?᤿BɓP~2cd57q5e,AWe2p7@gc.^ت3PgSQ| m4KmY3pSn)ھ[j]XȠ:֠p3z$L.H=a;AZ$LKFpY Dęb1x߉hcM1X m׭W`.%_Wܞ/4{C)hVv^Z܃gma nn|sH$n7sرDJYTwk|u_)\"n=wmffq3dQ/DUH2^O`p7*&ÀAtg}ȳ*(jĈtB0,L?7 ~DбK(ڌ-}u&9B߁Und߶ &Ew/K>}<88RxʹƖǢs$s9GӕqA#s+rCܟBֲn4&[1-h`k4)QHJ*w]^sۚKEI`JUSfolik^7jeE&Uڄ/hb.&#OsU n9j>Esk( "[ RV]%dGA&[N5 ^~zlGR'&4q+T.9ɆhT Jb"2zDAZo}œB"~S\5>K,A~)$0 GToET8x ޤ`|^GsbS);ǰJHz6^<8|ǻǙ{s5ȕaxCWdf~_;%W ϥ8|?u6.˥~?4a)%˟*È>uk1-20_C8],OphdԧqŊmağb7q T5S;@ǀzIKQ1`w:!XE~{ct%eor1Zei0kA13 3;ID®OIN;ufqZ:Wg\YMA8K2*LKiT?p,O[Pbލ:$ Y5Hw: Mbs0fL?E`NCju,Ln؜[} Z߰ZD?PZz rJ;+ G]=9_(L٬$9%?G8RAy&C_.u?%Nwl&!:6A8fJN?I3[g V/Ǜ}.{[,^|@ԧUJ:y$ӼˠEmJ7Gdq^w\z5gH;j&l2cNjoOJKcavfj`wxA Y?x\+}?ܮ E{ٮGY0"%n?8uẀCN40lLdxH$8ȒB_FKzk!Y QLis wM$+jumq;~q6mEmU,63$iMV=*n^r&<ǛQfq2ir7,0{Y%0j$3?oiQq,Ɔ M 6b-mL9Yi5r,.ev9d/\= Ѵ@u$4pD,[>Pp2ϐhsf}!Jwao;?%o_*,W4:&Et"p)_EҫZVax yN} h@@DD׼E40Q. P/(i@31{nKp`W|52韯#Q|Њ1 Է_ӌ$O/$]═gudZ">i9KMB[+H /1ʕ犖vHiPR !HJgS4~;2he#3oev9{d.JŘ`VlL~ W"^Мe͢piB _i6|T# z8' T3C zST."{/vt5)o]ĿM- xIau~G|<thHl|\*CuZ3_6 ִQP_᷅wn]WoکNm{(~V̾ S=!>e^9#W{BYNMǵ}~e#nMB覃̭c~~x9z2GI>P[xpй%ȭ+;0Em2b~4f>:3  & L}c]hbu ="fOo͐VVp( eo OQX@ C]W)zlK.R/N+BD{O0">τT?9[9SͣF:st rf o:#Vn۾!0ꧫ|_R|jDa-YMPrݮh%a[ dsg ?c&R2Z٫qf8F}\Mi/`,my4AQW."J/NY'L吰2J\?tG}tf!ͨg^S%":q҇3/"񆟓#HDGâ&> E9%0oT0Ǖ,̫y,Ag{ckBCЉQ6jL,4*\T:7Ӟp/|R.;zha#PLMM~s! ~:|T[SփyPZKgVo4Nto 0ң_QE[񥑙j\~;JGtq~W?t"CVDHM"g#}BR ||?DoiwHWI"_ 7 @<ـ\&_-i:Id GU &K-z.Fx \[òTG="J_tO5c)is)h-^Vok> _ԯ2mF'NʰFz% tRB+zŲ̤]ı&R?]5OևW)9Q8HFw׭_uqe.u 5Oq\`I b),@.C73K3ԋ?ý߸gTl? jzQ4ӱ S 5%P!9O` ĝBBZMDNUY 5|LbٷC#&s@Xaq5A12:ē遣[zhCHqݗxs汵?K8n5FGaƟ`Fjx}vuuyX3#YFosfja仚GGJO6w,͸)*{̿d녟xѽgBD_nv=./,w&Z鯩Ap l(É(*`51!uVW=ح:41cyy) 4B`l98F{7|8>Z] 8:@TDxߺ5S-2DB=k*(-!%2|EdU׭SuͱdثZnNw;6s1KG õ&/y:Ƥ4$*x)M>KG=G/>Y3) y'*EVA[b9ߜO_ZS'ȳ\K ԿV4J#hB9yT~_]^*Wuo϶x^rfref vnFQ:@~ԲӬi(`#u*0kRkq03-Fo_LnQ4FÄ_ lIjˤ[@@j 'g_^xU@g:r`v:mUbuJB #cG 6^LzRͨDrU椸g%2ɹ׮M ޜ%lm\XDo@lSʥ3a!MMsn- p@E쨓X )"a\VpEKn:f-K#pHb&ЎOYu/w6AtTי(/؝ʼn8vxI95` 52Ey F  +s5n\t`ؕ3Df b=sbEG 9rݳ~d`ݒUqcK5}//|M% v w27sSu@a5|(ՀwlSn,R @.( C^Ӱ]Jt&u h?cBws5EPVlZc. BcYpb@+k<9Q2a!Rtv71MTH-e.MCO7yCJY\-x Os`ÔXlp"p},lC&b;K[?,ޗ3k1U|Nud4JaS;x21"J18@x ӯ᫢ta/[>(9UX@ "mT)'89tS;`n` "];hgNOg_nup?:I:|ᒎ҇ֆDr0{Cl>`+?^ya鹂B9#$]o&}Ic[̓ -9vw姟C`HW+dL]_&~{EQjkGmb!*I'XM4NCf^wSvrt>> X=K]H*;?H7$}f {?RC".' qa`*\η*]wEM,X~U3DSf}%!H NϕзHu:ya+iBNBIZ}.8Eo}^OPK_q375{ws%`bG1Bt00|J M\ FMB_NV\Y'~߼zZ-> O=\PBy ]0YcId 5r}T#̋`[h;UX盘 r%7l ^Y}\:ƣi/+7]{yJ6LsѕbP S(s{'i!z T. 7JdX^b8(@`sGW܄ |cy~x6['dxʪJ1_qŬ*P:PTtsE[ SxDNJkO߰F,JNx[K&X HN޴*zI<ڏ;ehUUM2]r 蚫VUQGnYyYdt|] é"1f#\Cĝ^ȁOͿXy^j$PF ji\z[)I'm_blшܭ}qD$q3Ń#9DmR&89ǀ Q#Xn H>\4jltA[lJK*l]7vY7 OC/#%Zs'kqbJQp!a]:vVPKOQDx`JM[UYjtTBUr(rnpMG7joB[ s, Bc;#v&![0&?*<*wĩnS;/i@l|n[33,i#l/Sz,?0MPٟMC{ɲYlr~_^Ъ,I3A|Ph B5DDXC| `$a H=2-#HEDArUYD\8/!P{l5G4`hfQΫm_b!$;D{~dU}ݯ:ո4 Ev#~9jg)<NHZQ$Y+?ڔAV=zn~ U4V@]&s|g@!gǥIdM&E6eKjhqןOb9ۆ]~{"S_el}Baı/ux=^0hS%HX)]ғQosU5aƨɟ/yt+(g/bv!)aIx>=m=md$R h6AM(*œL?_ \k@ˡi* t}7}.Ȏ~+.B05~,Ϳxn E,8 Lh0(h֚1WC^6ĒZ̿2[I |:žBB#3"f ULau?ccuA|74j7&v_kz}{N! =5]۵ĞK^+Mc(صP P{k2a/l+ 6LI T UvO39Cτ$2,ݞΓ8LZV8`A_b ]&YDGa+WwE[DU?ք]0gE3y* +08,p`(%7 (."#Rj { ^o졯XK1lcu $ۊ26H:1q$n.ssFzIat7[ZIdNx @+D(z<'@t33OV/71fQ3eӿLe_SOr1e_NCFPƿ;gl ۮr'Ip/jҸ6MCC}9T;Gfq+]s 2ָT>39NHq&y* x X[/G|X<'1Q,g̬"gkK Э[BpqE]ep$$PɁ} f1}rҟpK] 7Ֆ`g;vlpx%;xHIE7I#5u:ҭޏ#Ns){gm-ŝ0EkmV(]?驛齲i}F~d׳+ fU* + _"?u[ыrt>B`MRoi x@gF=>0rYФFuaed_b`^=fUK3% 2M{#Vu*ۆFS]`?Kk}CS|J{&m+!tLdD+i?S9V.oop}S*ϕ2$;j%6tfݗ;@D ?v_'}@gRg㦢340FI|(sT&j* ]#Xu ۘ-0db!2{#1Ogd;Y*p[p9FtFuMkM4N.yj]ax~dphg][/pNu.40X6Wϗ*g0xGǘI{ 1:7Y vh9R,ڍ(;s 7fW5.*9@&qo?rcɭey+]ݓ 9SD9֍Z""̑TE[Z*U8Lc BweO:TB}Q?::TwX2+V˗$J%0yw*ċ#NͶ֦E D}=V㓁@^T@iY:V"Eh\>odg`j~rK v(^KG*G峹ڪwtw;*,`Sb4q ׆'g>pU]9i [,cb96Wi:B͉OVYGNeF6+Zxoӣg9Pk37\=.HFV{AQYڕKIףpWCi^kV\R~YNuÉ ^B#M7/dFDDfF5Ū+jxn rzoH0R~Œ0"{gf@JX>ѧHfE -@U/&eZef)(K>.byP7e (]W4tM njGg緍quA2$J%%!ݣ!п_xiA_sha_9umRi@T?=-b|ZGg,26Ri~soy|d! [*=,ʺ|(^PgϰPtF`_q/OB=Ńv?>$2s@Ч#qH|ЍqVGYEz<[s&+Ci1A 57'؟0H;Awgldm:V. yQGZi-3|ahGb눕+H׿cl:L&P=`CKrkȹ4"w8 Sx:S\fre͓_MtktgU^ۆ4 lܾ لo@6/ZEbuYǍGohk2pŜ/ ;8H1^[-C}„kRM ~l](Íܡt Oƒ 4qܹO7b՚J|)OI4OV,PVVS.(\4$$ 7"vp*{ot`t7̵e:LqI9Ogqc9s^@yRpؙXj6Pd2O'!uZ1eIlB qt1&"*(9'%4x:;1&BWRr*6m5Yp=R+.=,xjf״ ;d*"+I"e?%lu@iSFr>䄑<Ô*ʁ`rFOOYpd)L<߇ 1LCCQGBصudlGիBgL_t:\@q&)bk! CbWqQzF$k2Vh}L8-<2d}6x5F^C[)`!3!}q)瓛@ϏLT<0OOkk=Gkп#y=1q v4@C\z÷ynL Af7$GE%u$sg3gAL:^Rdyaȵ9;[bz  oSz3887{}MYCu.B?$ZV0Fq}/C{Aɭ;ĠVlyy%0.Nɗ/;g*UF%9Dl_W]F6LQ2ffَ[gyUzb4h#mu5L,o]ֽq"BBKg'o4HOAxױ.^n U]o\%|2~SE!pN*E'22T",pj~)`@:7ᔐ SJvE9u.;Mx;eXуR>EHJƝ;=Ӈ}4ʶ"Y$+/"t'>@'yn~}|\6OC]/&LLL~,ȹi% 134c0.B9;'%<>MDHONBTLP%qF*asZZZ8:.1e;t%UPѥGꄮ+~sL//;pXl IfZO4qb(Ģѿ:%LIBxy˺,2SwOPajP_G S ?91 NMH;?L Hz[UT¼z)u6lԖ~GN}i9 %![`n2dT*6@nrZG]VM]©Ft6˒"Mj DzϾ͊~j|tmąw j!Y@ڋKE,UcٽH~)"ؤ p"*<>W1TH8N]/'Dm%T:˨uL&kO7K}c*;B<͜jnoɗ~:>-ɾp!Yu&p\Qo"N7ZZ.8-G}1&Aݘu#@Xެ&<|_K35kSJY[h?$CZ7N5(ys]\ѓ|0T$6+p;+K=7|zds{y\9uX-w*XV%_#/ItkS M0WaZ=QB1z(wEr(xg\/堚E q(*(} G#=HҘ<)JM|&#UÜ|Q'|S}*-)2H^yU; z[O[tN~¹HL15W1G2=Z0+i"ҭ1B=Wl/ G|q˗%W`4Sь)6 WWg|:]h%ނ ЉmLBU$d|YPBNC\ "?+qgۙs嬁E c:}kقk5z7XcS2Yl3UeL#T1<` 3F9{7#A:tUDTojA=VTtvk4wB9*:HCRNN>f|z; =(ǀMR_M̐m^< VAJ&KBF<%GTs2@b/dةLkWU7U³U K~CvؽbGnv Ő|4_9o=d-?3T̠#p .*wJKhm{hըuw _p ]xઓhPC8[K5Nq$lVk`(z6w3TCaRO$:v81poY9lvx >PS h *`0h6 NoB#/"1T)tÔn+louA^*S3cB%#_J,oia֟۵k?mgiR|IKY߿J]V D 'Mn~?JZyXF>r`zFa>"ʨ[ӡ>:$}zB *u&Zjؑ,Ί7%(O SM+Jvلw0/R+$vyy ciukq?-ˬ93o-grwqyag3a?HmY%F:)MX.`{[5<[,Mr:C ƼyS5M$$5Iq$;>')6i->АH:5ZX 4 Vi<5*5ʾ*.GLfA@ܣt* $l".FrNF"*͞.JFS?+HW?6l )\!vWOtaLyhޏTWU090R2a \n5jZURbȵavU@<"ѡotmgR\~ն#>S!}sAL/NHM 2%6Ikk6yz<`')GtbGKB)֫n|^ kKc2l OC1N%C2lGnRгc. 4z_fr (T.OͰ*Щ#8b:R)*W/جQ,.qhP:2Ǹ?L/eH>iXѽU!j n~WY֊!l z% ͖jM:%2^ 2hvX/ fe['$;UKw^B b P)vf-hĝ7sƹIa뜧/dB%K&@-2>t?%0O+ʀN r~Q&C)fi_+PvohB-|.v v6Sg&L1+ڍ0]];޴mU]p7:tw!)r(1GzK+nL;Yp%ҏ}l "q,ӭ:q(Q &1SHR"mOU7*O3Å[Ƃf ֜+ 1CnթX>E{ v}Ʀ4sFI/K@#\z-z"R0;1oh~es%zҐTx+And eSi.<}{Uٺs.vKph yŔ$MY<T.Z19 ћ;:?h18Gpr7Ihp?Y^ h}7;A:9prhGқV[Rm,9~?@=M6]eऺ ˝OΤ 8Pt3xy0v|{9}S.mUʾ?|؋T / 4ס%o . s$2ȶԸfaOj_o#H+D.{dze+ ?3fWfPMM}snT෱hݺT Xʻ'`%dx<褬8-Km1 M{]b^SƊOΜ(~0呡$5CDo4$|ʒ_BT_PˢL{X41I[_+GBJ$'҂Cv^^sv$owGdŷ%! loz<"u2w3BX6q*E7qi1SXNcOp cP:qF'jy$j^sNv5n#C "Fv='qVY}?Fv47D^a= ~#V]yUۜYo & O˚[_ʞ"_a|ߑ>W9[)nv30b}sjrT74٪WI߆t[fZhAN#vLk-/+BXF,ڈr8.RtSe满4Ғpy8 I #4gU0;#J oIjˣ(G`ڣ[Q%";'yt, zAĽix㢏ۆmT"2>1ϝߤjXi?7ФbBkԋkR^xsToD[׭\18EH/!~ c25M@9Z՘9j/ъ5TEhJY9!,oʡ&`@'"wE"FJ1j(a&Oh!ьmF~Gz#Q"pBR:r =պӳ_u+iie{붶#e6n-IQ&mkɵiݔa$:cN%3j/A]ahL3Jtj*U[Œb9 -@/,b"$weґ3Tp"?i&I]& ^5* ~\.GFj$1Q֏ YN[Jmr /.#tD~.ffI[E: 1=1{k>+ =j^ WGp.ˎ51@{,XF,}*e[ c[GbK[r{jif$¶ %Hr1|%Y9!PDzL͑zP2*.dq(S٤'Q8ofgߡz{scVvm9$bcJӯ`Q**_,wxG8|Է"x[ 48nKJpe'Ғ¢Oo- zB{|\S~}s%)etۜvqF%~vbk䗘ܼ Sٵ!y6\VJλ8; ̚iF ꝸv z/n ?sOum  Hj )t/V/FGoJ*ʐXeKGږ|j5K-7˯B'~/u_ҵc~`('ԽZp.cakVюh%c@'}躪Y s34\i MԱHp]+Νv:W̶D:NѹA9>;.|?J`ˠC^bаİ_+ܩI914>yqA4cj$#1Ʃ'~[|UO)kTh,0C X{-jD亸ҥz$%woѼ9+Ú1=DfͤϩFcK GϘ4C#͒"7Z`/\tPn0Ⱥem41MlU"Pէt 5D)θ3̂85;  zB8LDC^˪Ɗ2Qi>5\zhwBx| \+m uBqs󘤇qұ{| qwH#K{抩v~‘O_Hg-Q C @.^:UT4oWdʥtbkvAόARZJWA/ZݙҼOnUQ<+[[}#X C8#XloC#TDpk(b΀GWa8SI%>nL._~'}-8yB#,>+ tX 7;{w},Bɨ./L~5N{47Py Ww4vLXTfy=I47(M"6ޅjm/ݤ ]m"Ey"#;6,0JM!j *F1Å%BpMP”4\KEI=.wλm"M%g{Wnc^a0qhw-M[.j Xio;3 ʦ) |KEI{6 1KohS<8 (p8b#D7xA8H>xP =^Vr:xcݬ##~y?LB7I;1B Kݗi7;<\ac*4qۼ "JIVbPUr;'^GeJvg&frj杀V{8X !^ 1u:]X0{8cwE*+f@2:C] 7-ͥq$B z-۲?=#6|6qk]f=;K]!3:O#,p N& E6yH0_!%-x^p©'N家6n4-4xIu#fZP?\a^rzXZ:w?H'GNhW$6#ÿݚk7U5< ,Z\W\ɞ纘GGPT,>Y]}ET؃ƞl[c(r3xm=vsas^B5|JҞXj-^> Eϩo!28ɾw{ ; c8R %SzAcЁʪCH+NR,}z64q"b@24s6sOl#.j1i#W6P~ʣIЯ{Is'6Mlj8Fԡf\1.,0#usOf$aVIvf9]rWao 9rʯLe&sL #(#=N)P W3BAtU1aylh/xW>11+nEv~8FAjxXV@ (%KS O?QmSȫ4RE #_?{*Y8<:Ѯ`V`*dQz V lm}ͼhj={u[%x{4yٖP<\lOR OSXܡe~d9nSl,+țX1,ؿ Ɯ{ \uY?H"Rx5:y`uZ&;ڿSƣVУp~K5hibrfɄ}Q$(42=nL#Z#sn1 I<|՞TC*]U|X m͑Ȥ&JLT$ |CD~|B`fN(iff&w0*c,dil &06䈣AJX:-:ӹ/:5Q_/G`U^,렸#~ue"c |(Pk~ke+7w#RIal̎hX?%gN`cTd{ŷuÒ!` Ώ _F~3Ff?ɁE TLɧDv*Kw%#v]oעcup#`1>\ΜdC,9&| tH6[>,r W!eU߈&v|,3D!<˩=i=};\p=O= AƗy> WEte!4>snge1Yr~'McƳU79}xRP-ٱLowm=#s /& sHØn qH 8o,qϡ]fjn8psͬ-߂2?M:GR\-K(dU1a! nX<,g%AFBTA IFz?YR袔:LNV. (nz/va q&E`]ncNRc%TY@:Z}LL8gs1 O-iJbQG;q L'('R\6|F!r)}`B#oY.❦BR\Sat8 <=d b 126}]io@簄!MgjTb ]b‰nIU|4) 'AW)b,@y0+vZO&'2uH>^4SbHGqr$a{-pCHSL JaUPaze 0\ `bha-+OZxA^ӁCg52t2\O*F$;!yW9*(!'#ﳧ!?Qlt[LݴGlML֯Al(q$oIH>KOlec{s.VL?Q>ؾ*!:2@ߊ8`r۞ aK*QsZ$Z2v-+T7odMOv %揄Ȣ\Fu#"_S]lܚsB#NrcXVk+?0eͿ @s*N2LƱu QC];_ߦ4ꥇpHII$p&}>qHޥ{ApMvp-E;To:`#B$XgފgZ+>M&6`EajΔUkp*9e>숶8+D\V .W5=".(MET+vȅeYԩ*C;#E(ZX4^[E]A ,c6X(/?=l \Jwo2VTbAZe-ս W™N!aWJkvtCgGbQ,kNώsfGhI:2X?w:`Thn$@Gd@'{s^ YHr,ZYsY2A}3Q!E)gY=G+N gytG6sR֯TnX$I?*9 +6\t2 0$7N"oq[.@9hd}ڭ \ey vx˓NS%5r|Ld£V@3 ;S?l}"|`T|_>6 #dc6o1"A L3&Ҽ&}sq$;]E fZ ye?Q$"\u7_u`us']QnՈrClGqTP7t\Ki!(aM>"֕kf:?ǮMOK9~cAvIHy2T˲2!cȃ'm%Yvt;71IM$LȑP~,7hhqc 'KG {Ԁ=fK9?oR#RFwst>G*qڮy:T=4hEAЕ%f tc^Y83& W`.V(M{A}a({>ܶO2sɧ&c.bh:yy[kLȌ ~XM;*Sߜ3Nj(4M^ӭ^}V.d(%"d@-<0c2Y TkqHdlߊw ovЭ «uMܽ!&Si]P(|'B^Z$|ݨ:Ti/L0F,>g QpyKvtw-c^:V}\䬁iYU ?l5-vGaSp+PQ:Veݵ;({fT}; tB97[YWq.wkQnX:MnQUF6H pdb;C#u_X Tey`BOM YtjF)^Sa w y,7/NJ uhQMқ4zT 0h{Z`cEwB˴@|G_I/4&;6.[\G/CQZ3)vQÇ+Uk,r'n ` έ̗I(f93"(Y[w)l("3PUM˔TS|l8U]~po;)he5! mÃ9NkD)\ep% I kN̢ :zAw$9E\Ќ_+(WgAAύ*IM/D6*#M:EB2 J8<#I5^Eg;BHDTQZ2<7L<#sw=iMfDAHU1\8$~`PE:ͫ1O/>Ve9q((/x \NYaLƁʫfȍ{QQ8Eup(Ie60/5r} Y.P%Л=YQ)Ӈ:T$e6SCYo˵0|2 AO] RquPu }}8Ť5 ($Sk':zHg~quy4/}Gre}Y8%Y-`l+&'q~ft7W1U<n ?+~yGl TQ/Ye! !Ipo_Dz13cEDDZ|5;8 ]Eq'wNJp1/+SAuDZа@a=aln6tO,-E<mF'#;lGoL?vDwC3Wȳ'Tsǰme> k~pM'͂b3fL0{ %rM%'E^H9rvx{):kv>`Ө gmnF ˜CReGqWҫK* cl|ĕ}Nۭ*&0 U(O_Cs'E;OL%SsAhWr%)3)էPu(QQ̇N7ʫod6U/ sVy^ii -=C9nbRZ5uW.tB)3Xaz~Ode.R}`žӨŞ)JqU43gm(-~ZNp>ǕK͈W"ܘfeiy TzIsq0S]Kv .sZF;XפrK\3%9,S%b rM Ƅ o&lR kMG?%Z|hkh5h:70>I: C3u6˃A,{R 'c}u;RhE%ݝmkDF牥w%zg s_>W 4Ps998WÊݟ thAK-6O*Ç8#'^'3d䊥К_{nW-ulWWGoF&H?}g\\"CހJz;6uDodg\; ˿DA>:gpcö(F=ivn{a"OOOR 8(GgMbW%("X6w &GgsIbKkC1HJ:tcW< ? 8F,mdP XZ FZ8)M7Tgṉ w6`5z5)_ojg-,j\Ō7}"m>8'u7sNn-B4GЅch͝˞HzUG2Q{KW)#<,ZfzBԪ&YY!ӝK/3gCBF4|Mtk͌xTკh Y!mIc||y(U $\ |EvC)7PxE6p9A^}xư+>E_غÒs;xiwO 7-Л{dh~Na`/ѠkƵHP.deW?srȡ3HynJz>H9|AmqŊ^1t`xqa-"T6%\ wKX9eIidqh2<7,Yif٠sϊ(e; T8fҖnFRg-# yj񳊯 Ο{Z4b|*Q{^ vXN;24O5<܉<-D> ʳq>_Bר[wn" '>sweןf3,adI_d&)"ծNKTϮ0$;rAiy4&]z1 l&vʀJ%j>)N Cn[0ZEq.c2j#o΍9A1iR_I}*T-,6qeYdH(7j$#5Ԯhia,2X~e> O‘qW@fܶ猷U=}o86~UmNխQ _[N'qS#,`p')W*K=MtT2k#YF(ض}6MNLRǸ. nm \L{ʛЅX,Fy4nhT4&B/ FpE.fI`L}[zyΑчJUX@VLm%*58}7)]{DI"${NMoNWY(}+qؼ Eq+_&v ?eKpת^Ϟ%_e|G˼ڜ;Z[7 $ A|14220&eq 0MNY= D(=4{kD>sײL҃mNI ܑ.fпgH˿i78T5^З|0EF6u}vά d5WJ@&/Uh5fT$DVCgBX5K }6*']D=\#ܨހv7t-*`աs-fԾMk*$B+sϳb >IͲ;/%{/h:b׌+^/͢pvy6fU3yQn!jw_=RrL7ƹ3 ם:MB@|ٕ{~ِ}lӏ| -:YJȐغ m4Zi@~dݏY3+ L&0UujfuYқ< wbu,Hڎ25U41v|WݚԧB(}#AM֢Mi6\|5Bv<# OGXW|kMrYd7>u5;^BH]Kx M4D a-|3>F*QĆ Ue9u fn*H)Q7}M[CX ủ鬛Z Bx)UN )VIK^&hwVSƎ.vo;[+f *o]tˑq8 &W.Dz_"ȾdtBZ8L&0Da#MSf$KZ .دb0*) )qT=3HJ%(תe#.ց/Yb- Fw3=q` e$Gr&?f!->7n VO^$2Hv;:)X£BRTPx(3/RTmI@5jUِwOz+$,4:Q\=C(JF\5(c@/m2Ndj7# i5Ҩ~FV; Nztd #/w_w18oW=۵8$戮 Y{}3P?\"Z ۿa,#u`dH9ghA4vTCB ;WxٜLyծF`ooȩ~? ,,)6ʰ}FF*o#*W41E"ͪ9䥁h"m@{4TzJ8/01$[1F+ 0*%Yȓ.Vۦ"ӸaV愡E3!Gu_Ɖ.bJ7zoa1Yo2r7TU[ZaO0?$RU\nG$zU=MGm$̠AndBDisp-~K}ĮJ|~M1Ԉvl7v61t$X_\'<|x0ĭC1pӓoL7 1 f W 1 =!C Aлm96 ɪ~.֭{&AsESM7ҠYw/|pz,QF&>'`ӈ@CLip$y$Xz%TV =|߳vF]ÀB GHG&Jkْ 0brE8 LgLБl^Hd\>T_nsȄBj?^a> C .DL@ o:R;}?sNq;"'uSosfg8 .ûKY=Ag6uWZIၷB 0iS =Z`C]R }Zx%% Tdu\g߰FZ{hkl.q0,?M!~%cuBRm_`03n ǙqsO&";|P ;jwVcz p`=y2^p)8a|jN_ w(i lSC烗OA~Z0LP[>&QO&QH_ v6_~GBrK5sj mga+c>-~ t9m{~"YGPau3DPې)|!R)8P+=Epl$i];O⃠M WħpLǿirGn#O*~m%3$\}eO 5m`]gR̽m Xi@$szzx'ugZ_ (!%I r(2(Zh FL0`pP}i"&倿#i+CR$ݖ=|HBߋ-f K)e 2D&JGo4M%%.筞8Μ_8P[oGncN=qju1a` &qǃ34ZS@qĿ<pP^ #]7md'ܬL3Nً58`#(H*"/)BX |1=\|lŔ ^nِ}w. . Pe2\{D[|{_pu4D>aS~&nLqueg|-dv]S W`@۠n;lj]ի4QIF&#4T+U)r3m7*)@9%ƇЬc rr DU 35k.ISTL}tCeDCBs(:|!-f "ڂK>M5)A كbvиzV:+nVp MLvFXqgCa|&M _1ŞyRvfUYGAvo6\z[GL(!MʎMlr^"@ 犌JPmS v AyUq ^CNݏy_(5Wuծ4\7q&ia̛M@oDR:*/c [u6TؾuKdY(l61uh 2tKA64Yod(H[Zi]Z,@f$m؜tA1J'=mTFrK(nwWӃ(*9DqsYͮzFCw}7ľ"_Ub^+o=s^"۞=3xd=А5 1!>v+YK4~>:F&D.d]ꆾm,vAȖS'oiFm{wFց+]K殸Vc50A)"AdW -Z/Ao=,U쎌fOއ*w̬wt$Z; [u 7IɸMkw,_Q*BKs[\6#c\b6J-ѹ ́:QW؆,86 nDS`0A>жa{5A'AWֻe܎9JILd{`=^{w3+0F74  ה%;P&rsCtBB`HMknco%NW0FH*ڡ51z;EE= ֏.?OJ6!uZNвҹӗz29hVcPuI1}vx#km.23--A4j9+ /#T,7Ƥq0q7~y> J{wQV~kRF_,T~ p-sD%ܑmU)Xue1D*G)2m!N7v-Y/?Y1aWfs:IQJ Ci€HҬڊ I! '=˚Ϋhڮk.99G$*1+pr'wn.dh; 1:W,h%"Ne~9ӊ˗HYj[1=?!-&%R=8Ș5bߌDg^ŔᰎO1VuY =Ë6EfPt2wPpSoͻ i•i`UǬ@8e8+k|lZɭʟ}G!õ6%#lHe=u8)0ԋ0LL>U,9Y"]f ^`_ܘݠ,dئ kX\Ќ= 1ag@C9"eogz-QRgT|-ޢYTI\R7iSn/*v }4}/qVJB;u«y_0`"B ZKR-vKВH0 W+cֆ6;P&}[c NZn剂vMd)4uxNѦ? !Tz'?H=[eé d@C)HERu 6Fk9wt^l>qN6F}LM]Nz-ǭ`S5)=Q,aNuu@K%ۂ>Zn#0 8Nmf( d bXNOev.,)s|Ylvu`V+~s1=!qޞ#iLVf5AԷ?| ~aٛu7 aj>RO) ^MJ}mX+6T^A_`\"qU%%V`ʐVQy&A6܉S)߱6_B`jC}e8svtLjm2hʇpB0)P9'iri)e76Z@~o eӱFr!<Q%oJY_GprEuZMZdW \T m2XPn=kj,M'1c%BFBqY τ_WFX{'-uR&OWGa[ ?22\bu!0׷No|QzX" {]C+ϊi2+fl- ̬n3i\,%S» y'`lYXE0bXuE+{"6ĕkLC=}ʸkEV_56WD֟U!IɔRmTutSEVy.hJd#fW93J u?XƧp(ba(m% /ڝ++lwCɟzuU]S~F6`C}"=C5oCf.5*ƹ*'y>C,ply0L r ps Yfr"G'FX3ci8^Or n_)m,wy.̿C3k sș\.zsU DK<#Ib4ت},,㻯j{.Ǣ\]2DٙhD8E^q8 $; ~L1(V-d4\T MTҨY]h<~N_{h?D=;_䢃1%Гd7 b~IGD}:9mSTuԪ[s4m@pF9J He"9lϖTf_'ģr{qrQ ϑ 9>N _nҎ.y8TA,Ozi(kTKgoq؄Dټ hb1g45+2ͣJyYA[6+SȑIx,]7>0Ma@@Z0Urͷ0b%ޠL}-i˯HW;jOdI` <OnpYYN'+SYAM |IWYd]t{Gi։,6f^,oPU.Mfq j~_hO 83L)^ӯVD'Z1p/duwPo"gҰ}΢-)&TC'Bh,#P\cW_{ NZHDQnނQDwIYV=l3Sf?Rjn(pYΝm*Ac̅/h0+Q s8%6jP΀^DÎ-SwomP E|5^1x`kR^ 5;@5ȪwM ``Ġ=^ GV ixݪRN<_E\N>@,J-m^#6TdN7QezO?ޮSgEk}PNS*!X?'1//6l2Kok5^b&߸A7b0_:pDQ5"/nv"m<8xsFotMO4;1^K+9w^.xH nCMQ@&8 $bb}S'oʕpʌnwܶ:LJ4> "ZxZcxڏTT3|)G,具ߥ*%nH{],L\ztYY]@ދ V^#B5Jc#`"DBZ8VAg%7TF;yK4b@oyӂu;Y웼9;u^#;\$\[qEEHWD琄% ? ]lғV%tb8ͨ&0J,[L'i~Մ^Q;ciwMm;c%KfGϐ(^e-Y{& 7J6"ntbs[q4AL閷-ewJ- W nry2߬ w Zm&58쥡 .3WZ5(KfOia[WCN[2YHpiBDվ] ֚IܜcA 󬻦PuF |2)wsK{և`# {X%_J>8Ұk[U!bjZ` #VA[܅T'em !6&Afr+|e[j9D8oO-/]b7!Dy=b+ y_:=>+@;+uf&Q8O:ړ~ƃ V{2_/tdh )=0Ouߣ:ڒ6$Wz^RuO'@wIGs$: 6f}ۋCR ՆQk?kKM:Zc1MΖHr\Ez %pJOwC Φ/@A*:5 Bɢ>HB&AaG+uLm[=,Bx$zŸD9kAHujUJzNE1:'zb:ٛ*l xb:,܄greXN.d=<[7g/OŔ7ny4L06 iJ'J/7GzgѤ/a68cIUXMTm9po2%Ao1Neܷ ̖ڦ0ϢKU&{۫]ʤ_21L'!E[DhRi+my^[n)@ٙ9nIY̩-Y CZkJGDR> =ya頶2 Q6.$'毥,ύŽqL)a`:5p1qkH^9SGRNSkX(z|P ĪtFݝ=Rh 2vaT(0ʢCZ Dokm0V]A[Mݪ|qsyJhdV? u)Rr7ߥV{$oƜ ]4-b;G ~FAS-;i сP္ϖժ7(_"HWq7 ǻI*;o.,Ɗ/>AZxR2|nrnZ#n) osKr,N a :Dc|$U|zSe!k2@P7NӐP޶ ֪UXzdPzނ?7~qf RTDR+t?$A\'W{x@KˣE&piJ$n+PE}[B=)VD+i٫#i0$U><d-BLZX.yE. SKXC@=j^MpB>QN}'?~WϿ-`(.4OWgq1vʭf G?daԣ(* C,^Uzt0 mVR"pfoY0S\4L RnjZfblsQRU/0U5bRA}φcb`/@dJDOٞe"_ uk \QUTC崢Nd7 g&[\U|<>c9Qכ.*2^fg*j+[34Z ݜzE RQ&u>#"aPzCvdF.|NP+3Bh#375=f_8R^R]ZäKb" 1(iV@Pj%꩝іYtEpPs@?'8}f$yƅK\F4$& ~DND]%XV^$J~ EV;A몬MFVgxƕU/ ElrmIb]«,[HR{ vu7bOSU;.)nIc :s*wmyK"LpZWڻXeC%C$S\vZ( >t)U`D%;[p .b{{EPi05BĚdj-XuwRǔ5}t8&7̘ǀEj.|vux=az@1 $(8k܇^r=Tv^Xhd%z$"iU+jhۗ|T7f%#N-_u1b/3#b62ێsq aPմ ښ4-2yeٜi'"i}660qawzICrGl%54łKFsl6R~4+.4߶r)9G: ~@lnhD$D|Kk UTˊ ­g:W"^on_*nxf+/7 KӁ}QőA??s9;asq_/4 Y C.]2 d{euy%F݆OJnUk. .a|W7x7԰?0qpvXsg,,3 ӟ߁v̛A)Kw`I9K \` %&_v~*v8M-\=`myt |7! )6TEiNlJ8.J&e[2r~5`Qn1ueB|:A^_N>9 h!3h[1bhrK'^i9Q*8=5do0dR/%t^.VjPӬ}DVoE se/:@뉔+yTߝ=ֆK,CX]oOKL0x-*Md K\}0 Reֻ <)o{LpҸ{z{$SS9bbP5FJܛfH#Nbմ)։Mnɽu7zo gAd'JI϶LFH1JQV(uK(A b譄0fO eV !?wO I-`>C]v*шKV׺b5=4.3VQP< F9'4q<=w [;=~ۊ/pޭ@J,FJ$?sQ(3ޕ֮gidԱ"Y3,QQfeT"DzF+nl`nEVe(: +hpS[@%0$:=mr҇>;}VY{f7kNy@ecChg}q`t^sV?4 z1†a}91EniH;*(0<Ӳ˷$!iǛ%!T<|#P='H!܇!XԈkZߤbS|n"s#BpNlAOzYa3`p)d\ɖ9cC‡֜Beųg[0fxHH 5j!зg'^Gr"?"Q#wgʕ8d9s2L2nބM[ }BXހX@ltQʿ7K<ѠpOzHJ,N[ "KA!\.P/<;P BUi܇<7c@ML YQD飁4՗jAR!I#|AG/01H֋&=!8wJX2sMh9'# & w_{"kQҏXz{TH`!ٝ*bh uizG$['TU%Y_~ CZR6}a#µ{ Cņ(OZ\Ot O| rlU<}|Z:/CY0TKB]?ygm`o=kLǮ*ő1l P֝3\?Xs@3.f7hsÖ^z/NLp*n"!l4Y{F}0یяe5ic7^O^LS 8CUVcwhs@ĸ &_MoF3#8hev`6 v/V@*M8j tIv䪇vY2B,NRvo;}R `> qLx?#̙BS_p(e_.!o#N\ieZ| zp"@jP@=ۺ_.*훜v|a'^o2+&dJòs[X&wH䟀K2x_(c9 \:CǪ ]MKIu%J0A)@ 1)Ӎ+'Qq_UinLZD杮^{[Nu99M }k(y}KuڷgQ5txmz.Qg9-†3u ?_lQ]trB>$u(Ҵ{_0Cp;=ǻQ&P+7__pɽo3.G^DƞA;L0Ͷ p͗w=Yy*ˆv"\")"gU&p7cRhgI_& ȩ`k KQ!02cNps10ZRM4LD'j]+ ֋uIMdT 2(7uI(geSơoRFЋNpCV+PJD[94+*슎ho0}8ja?n1$!4mu񨕲bzęz Q`pp~؟Z+&L}B}ZGgkHK++mG*lr%]eE^L€Gu>FKo#.Gi Cŝ /RLGkiMb3c҅sqdp2U5?і†粛^=#}/f8S"$dD\3*/s?_Ț{rTafcoGF(v2qo+Y7lR}|{?clZVtmW$D<,7-N0uwT?wI~('Hj C_]u,xPr6;IaB# ^A~]xE5҄\·Rj8U!2\®#!6P5r'c:eGX zQHaFݭ!L_􄟛TJRM549dq8EXu*nNOt Z7 )r'!Ju|a8ZjjjqV` КcFo"W177uuq!'buT'@#󫱋q氈<$Zp/1~bE/yA $Ir7޲X gX}φLQu ,5'Q=:zl{<ⵃ(4R"J35 IP]_Ow5W\9!JoVPD4Kq&n6}/&*}4Ŵ( ]@nsvb ڔ!F*5uQ(gyzbefZ}ۘ0aIj|e'ǟ)zU0b]Ɉ_#Mve*e=cSA @81;3DE+"L? W1d:i%*4wڷ`T\o$?!B?FTz `X.My;Ȣ_ _b0O}emHa^!(KP{YµqUS͝]E)wFHޝ%ux`Y }W- ۏ]R4x3OS4@(l\ܐCF,@ ,rml4dT/%T?{|EM=op,T9f LټMX#(’jƵ1-`Kx9ka( 6Uv$X>`* X [ 缭 prIG(F~Lks͝sy=KXFMm&@%Q?Eơʄ[*m@LF/C7}kXZQf 7&H>p PszlVc8J_ơ :v-zi}LyNP;m6Rm@*H Rykڹ AqoJ+'MB)ʍG2)3{'?a@cJpw0XX ~,9=QJ?jr5H_!rCD3'Y軹1 xƘztWAV;!JdB: 4=1;^ͤs Jiǹ6V{{j>bG=o G¸]5,> Lp>ܼM e0E[}/RøQg4͟2Iz#F<%o#$X( )2ZWJL!=ո`L7w5v]rW'UTۙrjx4,hΫˆ0oh=U'a LyHyȁT ؍Y(_tq&δ29nvϕspNtL7(*ۺTu#̀o!.;}d"oWˆS2qG7WAU#'D-y ?E{W 'i/@"e*TaV 2[l;}'l/poFyB=Gr̘PO ҹ)C30UTS6[wO z C0C@K5!5,8arq>mko m0n^9T 7ZZe4+^KO?GK8v:#zLeQ`RKznkdQ ._UL7侮{8jMG RQ-@k*,MHc3B-V種'm+AhE@*k~71b# (Ьmᅱs9[d}Y3`y; ylZ*Vq4ewB1E`U=ymvA+g78 ˾;@6iJ@64mP2c@%Yk[Ru3wEpFS2.Uoq.\Pka18]2G$v763؝cԮ} $G<)TGZf uݖ1m[V诏 39 "@h#kہ(_ܼsl?l| -vǃwyRJhWV8wk뉛OTay3sJ~'rbOH=](Ωuy#T|s8@f 82m?N7R])g S[̯vCkh=J!m`a38vPd#\pQn6"JB6oQEdO̧يAF!O;'nX~MNM2E%*KtȻ) ؗkqAנ.6nUl%$Ety:C}3`%(Q]5/`]2`:~Lr+xؼ>W0ܦ.҉?*8_#c-h3ίa@X'KFdRT^@ )1h.BC@2Xm֗SeD4 Fffz/4z Q߻G?.Ydw."Tr>HV [/eٛЍ-Fڗ6I͞o+aupWZ jVg =Q ͟v|0 pQ>OWY'7\:GNL-OOM=@z֖?/VḬ[xMb4qT)@WԷcvi[q`Iabɦa4ܪ'sYKV P4 CDf-\K ;U~n R@0ԹK}vJ0Ln)GPJ;el P2q*h ͝rH?5l%yFQ#W=r hrgw "fڹ= p`O(~ @e"@gʄ2i7P:Jk.-7*xrrDį*?Dn"_&&l<2g.Xe^ W1ldRkxKުb1" 1:VC ~lF9/}N./l}mm ; z.166Ƣ =Qnܰal K8l738T&󒚢š"R\MTZ`5H6EHHq|ݎUގ|bgDEW9]Q^o:ӫntqirQ"<lΡޅt}']Dw X(@"DQ>sf"!7Ο 4' X⒓c')`;q= 7[oBX 8>T&L$>qEX:㝙rI+B9thA%J_dPmf`N- Hui8{- 5 "' k#p\ aNA3nR3ꖴ}.lLPǛox0gY<ބZT5UHWr9Kۄ1e /eQ0Wo/'IXy!x :Q:{5 214 j{&æn?~麬6^ITԅA$D|Ӈuw  V ݴ}>DIڙ?҅);ۊ{|ۅ;0;Y"/lG&|2gG(fu7j3J0z$ 9P;(>V@qZ2@&-uYS,Vzt%`z։'NT>]UH/cyi/d]) ȺT h1Ta}-|:6ನf-A*#CfOpDLgrVH #!-@&:wjIn{ȝra Z{iR?Hkpԃ gZn*A# !Se*(f4PuVQ1F6>9lLN+G{OLB;o.7LvG߁0L éQ,#K`Re j "iSsds\Z=KC YքTOa%Gm{aM)fD Ty9FRIHeՂd}Zv<ڭ3O49t=_YyK$\L/,34)Xc я_L.{N0 =|.uj%.A:=h# '{3:s&Gh=EupHఙtF]S.eqA:z.ۅg_<\ t6>pRۄ4(c`  X]a9Pd'xſC2X =2,?lja){88՞MyC&E40) I)&?)Umŀ 3ՄKdbd G._,nOTA*#f.N]V(ΣV,Oqh\h2÷ep{G%nCf41كmXghWrxzxGʔE?X aL{ G^÷9B"qo3}MУ$OĽU=[g\HZ%UL󋠞X6 raݚPeA/X6S yoߌKk^. i?ޚz,l}O18t92 [*\o{sB-hoLXV†ViKjl ?iu%ۢAs1"r7TjC4e"B|+Im`Z5+\Qף}B8IQYE WF<9CCRL9U,O}SysR8jQ;\,%~u.[aޕ07y>gA^IHKuJHҟ4my#^^\sCV<)X?*zgմ}NX ް|:@n+' X3F??d}H"ݫ]^ZQuaZ1-P 2^4}|#jX,BqPp<#q~̀i qtZ1$q͸~%w'ρ~2U=ecz9fa2n 3esl0ӯTr`PA߾G0S9h>dGt>Up26/qh a/J^2h"x (1Ԕ,a)LsP@QSSX1O="ix@@!\,վ v EDE1 (@Wġ~!@7'Ȑ'{( I5ƾr Bfx{U $> ʼNGdG3/r: vޡ=V%2zIjN+fC JeOi֞?x&.aSfab~閿?J DŴى^|qS}Ou8|ܱu0t7tO[GIҤCCS#Jݢ$'=] 1 C8)YJO)JAyGu~VH0Y&V60~ۀqU?L0ޓoƚ\.Z6ryz-@r~15tgURF`܅=4h IJs$O8w9@\\eT2sMv[nSOcn9~p4 #9&O( _m'$g-&Krl}:%/>V խɀSFL]Mz* MD{ zq@*^3gE6/`IP ېoez/hnjlVRjc1v-owcIe1Wd #+<{d[AC-K//\ SL_ԻQ}S ?2A soD0YPPJnǽHUr6䕭:)pj+at~Z>@`<ů>p[m8R 7KNqXؼO#luφ~~b[ǁ1dXDyw&gRF>}۴ EEkp F"+.G3O2AdNN`U+}Qc=rϋW|vutwh^)]C (Ѡo)LB=yD}o^1IMEN+oWxkږ2OrIK ETgֶO`/;厴AvN+?#_ZdfHg°c H)Kd9cjVLKb$ J7*[B%Ӭ׺:i~!֑ZIMO"adiK~u| a--Tig/Nݬ?HH8jS$2XDz0/Z R;n/=ukHmf /Zgd!Rukhl}F;kjsGɅ6 ?*s!`yF &q31|)ZFDr,gvg5>9<3jY& ʸ&@8T݊Ea0,7sXT0IhGH<`C/m$6 y&J HwS C1~"2?uxT0(\$wvuVgQFRENg%.bG~~ {>Cg:ʅc9PDD?^ Gp2엦/ ;O8#>ȊF3U0&j"63Mo>QObŜUc*- U h@og7D 7zMW9-yVJ 3kdq`U}_? -#c }/i#f&;,C=]=?xzxGixSC D*5X]@k(vmҜP*DhtRH#.A\Rrk??i8H85]@Z4u|)Q\U~&it2矀ʞQ?\FQ)vov|M~(Uމ`vMDo9[.Ige;XB]%x qUG? .y61ץ,gkKvztLb )ǼV/AynP( >&l!k TK5E&/A&mx:VE ^^b[=^b6QG/델=yPA诃K=?+OGc"K F 3vfd*꯬(' ͜i/܂,CT5Ijk#>B0. յW]J#K_@aMܙGSW'LThUjw44t ѕ함Z?oj>jm2@.4%n>@I{r20>^p '[ɡJ_@cqƘ_;Ltfn.O[khs|0e沢eo'c/n(/р9p5\/48q^C"VF6ӈxA?X5?1X-W] aYOTbcȞ\J%M-VIo|`TOGU:)*4ݐ<|Tj'g-z?0)Q51{uca+B[,J6{ZH3:|EL`c52qkV倎}Shn.)¶gϵB'{uWPC K/u#W:r1"o2,}J_cgԄ`K`BL b!K=K6[8k_,&oC~ Y3ѴH'aW϶:#k~֖<_{J{^7#܅}=串\F݂)*1ma$%c'nmNL'V ua%-8џ!ʼ.@^&(aZj$޼, YIIuq-l0Mpc6fÞEAAbhfiOdJ#$Z spС` l{B ;c\A8Ǵо, ?#=2*m^mT5+%gsNq6܎qV~ZIȔnH/fNwEiQΊb!Jy_2^m]n̹Bv|j(]U9ѓ+> l:RPNT1LT"y΄ F PeQ9Ԙ|r8ʹIUNC+:&o"e00ҡ3y6LLjSP#`#4m޵NS0KSS.ڑʷ YF%}V)ΞQ 10e h$HAœ}L>>4>ujT·E+k{)b %slFb;(!~ߒ9 ûv f' |wT=Qeq!m}ge I$űE- \}.O~]ItP9:KLJf"[էzÆg#Wc~>.Nqls%rê5q?*CMR͎y2>^%ŧx1-`zyMW~CTݟ0Id|'`"?]bO !/gv*ѥ11?3bA-ul!py1VPԃ^W(&<#O?wF=]evDOaIkٖ6(c:O_gA"v3eb I'$<1 /$>f#ҬhNaABOxi^q_,eSնWQؒrjr"=_orL/hFMp6>#\vMC.$5.v,b*h{76TLTkI#;c[A %>nnZ2g13D9av֊Spta¢c|'w6nEY ,Ƹnr^S G.%xtSaryoCjI'zx)y.V'f}*l"SPgw'x)<ȳgTers `LAql Hl_'+|Dž ϻ=5<pۏSWer%m5VfaYzcU.?4% Ä#yf0V6>QKL] vK֏c:;n27V9oh_SԱ٥aD[e 9nu&hۛ?3°5X^+JH>yq z7-< # N)Kqd$9i'y(v.A_`[:>Z.0ո?gA/r0ZKmL+N<80K3QwNShh)|/['DZ+U] ֽʖ:r7o 2JȅvХEq3H%?,&^6XDl+A Wz'Ѭh&7暈j&Hmp#  HAԼ,F/5oA$Xʂ_]ad|7+jA<]pr,ȊpF*47B>(߶"B0Fd +P oE6Q5 pHET鐉(Ds)y$0jH!E<8(KIKe&l)VM|72?AoH{|]DAlw?sK EVҰx[9[f)$]J;"8 'yQ|!1S._FU=T$o/'C_lO{JМ bz2%&,|6`3|4c1`;U.Ie~uIz6 ?Q\-3'>Zð'gHR36W>5VRUhS] w،}1Iz4 P|XLyIg ɥEsN^|s] =-5Zi?n{ +Gp'4tXj[^Ȁ~^RuK}ޢz8塶.m ">yVQckVz^;n|w=D_/$Xe0'/ Ld +AySky5F,sUGٔw6c O^mQ#JJN˷H+sagÅ!.D'! |⽎zcgZD()X~ F8l[ /ām.'nrR;\`={-ũ[Bxe&R,G.zW;.};z V 8nBӔ-+u *x=T8[@,]ˎԽUeDd. n/*@T(pF*XJ#v%: $}z$@ݬq1ؔ ]vx>h]ir[kh/7B4ao+ wJH j@}OS45TETNTgjk/tY52Rqo;NT:7{g}1gΞ&z0m-4amry-sY< /TSoN 5)>suTIiK;]Cɮ%)aĥ .ibc):D]39 G$HEǫx?^ :VS"LmGdE,qGUpM@U6T g8А\n[ @óq+P):o/\xP|zMj mpئ xS); }TR:d bqml7;Ik1llv}bgG͒WW6z` J,= ދ9= 8gJenD^8(p:1K~8Bê:en <(t794'?_!Ek[lYѯu3HjN"6)pn+ۢ^bO9j$|r!72COy ~[  CZ(aUoGLyN_ҷ+ax=E٩^_l*b &ݮ$&}T"5L%P K$3ʨoN X^+NLұLۘjmˉH;.LQ=4䧅nZs*,XI"?h푔'Q'@z&(q͊mɺFEwJybC?˭a,fC"_ qIISk$7-CŁS4dJ܇<> hs_؀\"ujSTZSS&N.)NZ^>vļ,&`_bЇ@pXI D0]/DZ L3eybN 9P^fqP#.>\^ƛJzdHTGFYɍ5#*8 -,m㢦 Tt~B}' F&z}A=MX#LQFpUFC{]aW֣|A%-\t\>rWjUK`47;)/Np Jg60i1 7 L:">{΃];YB7)Gl[־- 1T|W|I:]ā 򜊖!,#D{(9=ѠKАέ;=F* _4bA:D|;Ì熆?,we4ID Z$}uq^*+X,N:+7LH]]]*/du-ՒAk~yxZ$UYl"G-;b B5'[~[pUͼfuŒNcVg?Z)kN8?v H\g<0 bQ@;="OD< (/5jE1ٔu"d^(?n4V7Tz-=MTUE6BS\#mSDŅDvy"3KSMJ?A3)vZgڌ(ᯚ=*rC…x*MEݒ. e-ӥ.ٸȲ>Po`֤!z!聾,dEcNB[/`Ao™T˔wQ!_!B&?; K+Ȑnćg%uY;k !c9~ f?*.^n n~L@csn#tR|b!n*PKBгd3v& וs]20bc"dѶtYCh!]y 697}* HOmg=sJW-+#/:^  aൃB>qv%X-$|bg-,SQU|@gd 1Shˈ4 S2mgܑE/ )J> Ο-FU vnG3}qY Kl75dUk" OUZXeP†>,4g! A8fEJK- D/d/1ӿ^eT]:&-Iգ4\fGCF(9Tx%jiDK#&H1ksc٨/A7Ε 2@x)FBf}rt2;-6tͥH2"'KTZ?0@1gK+D'UL`1N'~ɑW޺3p6EU]l W_BvB(}15,:TQ1T#206/= 鯾w=O3ֺYfN (2]aFh joN235TڊУ@FK~ʗESJCbF-wL?i[i=[D1FG(#~۴iVBBX˾˿"UpeCfC!OiTdAa'\AЩ]ӭ*cVn_nG.=A`9\98.!4 bDi+WHBй GOs}n=53{|{A'ttL]Eh郩v/ -bhX(~S"dO~LŰ] \ζ ~fu|?Q|x( %>6B(]5 <WL?BIJ%G-_ TՕe"rotqoM5"x1s/oYv> 5} 1yxlZJrmXyoP!qLᕚ3vE::x$lf{T귏G^CoO mnz]O3j@. * 'fޘ-B`dΞIMY\mk9RD=ٹ$x tsF˵>j7m"g3! !,2˄>] Rքt''.9~zE7s LPkp_v:rO5uvٓa mMOmŲd=>mȊg:L^zTn[l<]+(t<6/ &BBIV+@"1O9NW.;M c6Z 2H]ZwLkq|>S$KmV^Q=lu6F 5`O M(ęɡOͲѻR'`~4MtgV0,'S+B8W Ec[60rV]kvmgJ%XU 9U6H]BT"%]$t'7V&Nx~.w\1PoDL{$n鲾_ Ft Ƅk"\ KWK2h! "7v "6"&MV*N*~#MPnckI+ 7StR?_ ]]=s6# eG~/ӷBI<]z'. L@i'Oj7E^ym=>`<WamqA῞}7F'oC\}c#Z<^U14TNBc*嫿XTvCcH n+tL@oFABH,TTӌϹ8LJSQ9 umQZW-ȵ4oR]v5Vb|(| k€&]ډc8/$cSQCӐ{K l('gok3Sէb<݃1_C\)O OpA&Bx`O?13 8^*?R-F\ L2qFBxd 0S-.89 7) 1 qӽd;޸_6-.W9S1zE}tMK7FFڞI">pϔe?s {>Nf9jӽmP!:h2=zFTgǴ9}Ide?+pV{x1[Py}|o rta#;:h®_G0 ux01*Q 1x_X|Yq}6hBD2OPr|<ٮPs}iHw(sBoh'DRcct\zQ×KrUSZ$hwƓWm}ZU ᇩcAےs/†viX_7y+З2W&7.$M {\y>0rM #j1|@ .P- N?a%*ۓ^{]|a #7 Sy#5<( f*ǢXO"Ӣ`%"N+khOMn'7تe&-bC|mcfESt ߶<12 ]#`2zrz|U€;ɓSLUz/$3|{trG[tC?d-f[FLxv,[vFp X.L#V뷎 ı~v8*}GPKMYmXIxiCvw֩m&8߮{e^k'IF:7os$ؼP/'eHIz'm8\܀`Nf'~mvLL*GrvPԕ#?JsTxAEAA( ne1}B[8m% 4zgK6kݚ4CBetQ[VO_FXb+3D&?{׌ٺX)YqF`-#{fٔBEX^,ͷ ^ۭyQ !~Xx .&ta xLˉ^ ܣZ;}^+28%[jNX0qβo`!:h%UV'ġTU o\@PA @BnrC[F x:]A۬7Ѵk+nܭ_8!9ۚ4ǖЦF(nJ:ż̚V]0F3w4.5FIPa,]b ˵ .@@Zf ($` YZ