libsmbconf0-4.13.13+git.528.140935f8d6a-3.12.1 >  A afOp9|M#Yn5 &[0zSpp?Ii>@iKOmahm3 PhݝNG͊?k?|J8A!RD6vtvo)@✔}AQo }:'nT'@I;rɣW.K3 l >Rֻ-+sp 6M.Ȃ75:za(LS [{Ltp@<?,d* 1 N .EKTX Z \ `  D[[a[(89x:'>@FGHIXY\X]\^lbxc!defluvwhxlypWz(Clibsmbconf04.13.13+git.528.140935f8d6a3.12.1Samba3 configuration librarylibsmbconf is a library to read or, based on the backend, modify the Samba configuration.abxinomavro SUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/System/Librarieshttps://www.samba.org/linuxppc64le ȁaa330fc4c86d92492a50e861c12230905288acf87e9242f05cd156dfe263fe8fe1rootrootsamba-4.13.13+git.528.140935f8d6a-3.12.1.src.rpmlibsmbconf.so.0()(64bit)libsmbconf.so.0(SMBCONF_0)(64bit)libsmbconf0libsmbconf0(ppc-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    /sbin/ldconfig/sbin/ldconfiglibCHARSET3-samba4.so()(64bit)libCHARSET3-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_PPC64LE)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libdbwrap-samba4.so()(64bit)libdbwrap-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_PPC64LE)(64bit)libinterfaces-samba4.so()(64bit)libinterfaces-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_PPC64LE)(64bit)libiov-buf-samba4.so()(64bit)libiov-buf-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_PPC64LE)(64bit)liblber-2.4.so.2()(64bit)libldap_r-2.4.so.2()(64bit)libmessages-dgm-samba4.so()(64bit)libmessages-dgm-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_PPC64LE)(64bit)libmessages-util-samba4.so()(64bit)libmessages-util-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_PPC64LE)(64bit)libndr.so.1()(64bit)libndr.so.1(NDR_0.0.1)(64bit)libndr.so.1(NDR_0.0.4)(64bit)libndr.so.1(NDR_0.2.0)(64bit)libndr.so.1(NDR_1.0.0)(64bit)libnsl.so.2()(64bit)libnsl.so.2(LIBNSL_1.0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.17)(64bit)libreplace-samba4.so()(64bit)libreplace-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_PPC64LE)(64bit)libsamba-cluster-support-samba4.so()(64bit)libsamba-cluster-support-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_PPC64LE)(64bit)libsamba-debug-samba4.so()(64bit)libsamba-debug-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_PPC64LE)(64bit)libsamba-errors.so.1()(64bit)libsamba-errors.so.1(SAMBA_ERRORS_1)(64bit)libsamba-hostconfig.so.0()(64bit)libsamba-hostconfig.so.0(SAMBA_HOSTCONFIG_0.0.1)(64bit)libsamba-security-samba4.so()(64bit)libsamba-security-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_PPC64LE)(64bit)libsamba-sockets-samba4.so()(64bit)libsamba-sockets-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_PPC64LE)(64bit)libsamba-util.so.0()(64bit)libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit)libsamba3-util-samba4.so()(64bit)libsamba3-util-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_PPC64LE)(64bit)libserver-id-db-samba4.so()(64bit)libserver-id-db-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_PPC64LE)(64bit)libserver-role-samba4.so()(64bit)libserver-role-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_PPC64LE)(64bit)libsmbd-shim-samba4.so()(64bit)libsmbd-shim-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_PPC64LE)(64bit)libsocket-blocking-samba4.so()(64bit)libsocket-blocking-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_PPC64LE)(64bit)libsys-rw-samba4.so()(64bit)libsys-rw-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_PPC64LE)(64bit)libtalloc-report-printf-samba4.so()(64bit)libtalloc-report-printf-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_PPC64LE)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtalloc.so.2(TALLOC_2.1.0)(64bit)libtdb-wrap-samba4.so()(64bit)libtdb-wrap-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_PPC64LE)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtdb.so.1(TDB_1.2.2)(64bit)libtdb.so.1(TDB_1.2.5)(64bit)libtdb.so.1(TDB_1.3.0)(64bit)libtdb.so.1(TDB_1.3.11)(64bit)libtdb.so.1(TDB_1.3.17)(64bit)libtevent-util.so.0()(64bit)libtevent-util.so.0(TEVENT_UTIL_0.0.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.12)(64bit)libtevent.so.0(TEVENT_0.9.13)(64bit)libtevent.so.0(TEVENT_0.9.14)(64bit)libtevent.so.0(TEVENT_0.9.16)(64bit)libtevent.so.0(TEVENT_0.9.21)(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libtime-basic-samba4.so()(64bit)libtime-basic-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_PPC64LE)(64bit)libutil-reg-samba4.so()(64bit)libutil-reg-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_PPC64LE)(64bit)libutil-setid-samba4.so()(64bit)libutil-setid-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_PPC64LE)(64bit)libutil-tdb-samba4.so()(64bit)libutil-tdb-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_PPC64LE)(64bit)libz.so.1()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.3a@a@a@a9@a`v@`a@`<@`@___i_@_|\@_{ _l@_i@_d@__ @^@^^2^2^^1^^Y^J@^2@^&^&]]]])]@]@]]@]nU]nU]i]e@]_@]J@]B@] #]:\ڭ\\@\@\ \N\e\e\}@\o@\\\\\4\ @[[@[[%@[@[ @[[t[#@[[Q@[Q@[\[[[{[z@[r@[ @[WZZZZZZ`@Z@Z@ZZ@ZZ}@Z'Z@ZOZ@Z ,@Z@YY@Yo@Yo@Yo@Y@Y3YYu@Yg`Yf@Y7Y7Y, @Y"X:@X:@XXsX@X9@X@X@Xg@X,XƉX@XYXe@XX@X@X@XWXAb@X-W Wv@W$W;Wu@W#WW W@W~D@Wj}W_WYZ@WYZ@W=W(W!@WW@V3V3VV'@VՄ@VՄ@VVIV@V`Vl@V@V@V<@V<@V@VjV]VI@VG"@VG"@VG"@VG"@V(V'~@V V7@VBUYU@U@UUAUĝU@UU@Uy@UUrUq@UhTU_@USanopower@suse.comnopower@suse.comnopower@suse.comscabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- CVE-2020-25717: samba: A user on the domain can become root on domain members; (bsc#1192284); (bso#14556). - CVE-2020-25721: auth: Fill in the new HAS_SAM_NAME_AND_SID values; (bsc#1192505); (bso#14564). - CVE-2020-25718: An RODC can issue (forge) administrator tickets to other servers; (bsc#1192246);(bso#14558). - CVE-2020-25719: samba: AD DC Username based races when no PAC is given;(bsc#1192247);(bso#14561). - CVE-2020-25722: samba: AD DC UPN vs samAccountName not checked (top-level bug for AD DC validation issues);(bsc#1192283); (bso#14564). - CVE-2021-3738: samba: crash in dsdb stack;(bsc#1192215); (bso#14468). - CVE-2021-23192: samba: dcerpc requests don't check all fragments against the first auth_state;(bsc#1192214);(bso#14875).- CVE-2016-2124: don't fallback to non spnego authentication if we require kerberos; (bsc#1014440); (bso#12444).- Update to 4.13.13 * rodc_rwdc test flaps;(bso#14868). * Backport bronze bit fixes, tests, and selftest improvements; (bso#14881). * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal;(bso#14642). * Python ldb.msg_diff() memory handling failure;(bso#14836). * "in" operator on ldb.Message is case sensitive;(bso#14845). * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED;(bso#14871). * Allow special chars like "@" in samAccountName when generating the salt;(bso#14874). * Fix transit path validation;(bso#12998). * Prepare to operate with MIT krb5 >= 1.20;(bso#14870). * rpcclient NetFileEnum and net rpc file both cause lock order violation: brlock.tdb, share_entries.tdb;(bso#14645). * Python ldb.msg_diff() memory handling failure;(bso#14836). * Release LDB 2.3.1 for Samba 4.14.9;(bso#14848). - Update to 4.13.12 * Address a signifcant performance regression in database access in the AD DC since Samba 4.12;(bso#14806). * Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache; (bso#14807). * An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817). * Address flapping samba_tool_drs_showrepl test;(bso#14818). * Address flapping dsdb_schema_attributes test;(bso#14819). * An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817). * Fix CTDB flag/status update race conditions(bso#14784). - Update to 4.13.11 * smbd: panic on force-close share during offload write; (bso#14769). * Fix returned attributes on fake quota file handle and avoid hitting the VFS;(bso#14731). * smbd: "deadtime" parameter doesn't work anymore;(bso#14783). * net conf list crashes when run as normal user;(bso#14787). * Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7;(bso#14607). * Start the SMB encryption as soon as possible;(bso#14793). * Winbind should not start if the socket path for the privileged pipe is too long;(bso#14792).- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./sbin/ldconfig/sbin/ldconfigxinomavro 16364590324.13.13+git.528.140935f8d6a-3.12.14.13.13+git.528.140935f8d6a-3.12.1libsmbconf.so.0/usr/lib64/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:21699/SUSE_SLE-15-SP3_Update/08b059d7b5a0f63758fd796f8b3745b1-samba.SUSE_SLE-15-SP3_Updatecpioxz5ppc64le-suse-linuxELF 64-bit LSB shared object, 64-bit PowerPC or cisco 7500, version 1 (SYSV), dynamically linked, BuildID[sha1]=54637684f51547f324fc49bf13c098bb479437d7, strippedWPPRORR6RR0R R4RR2RURR=R"RRFR(RR8RDRBRCRAR@R?R RRQR;R:R,R RLRIRKRHRJRMRSR&R*RRR$R.RRRRRRPRR+RR5R-RR%R7R!R R3RRR'RR1RERR)RTR#RR RVR48Jcqutf-8b2b2d944d7e7b492c108fb9878f8decd41d5b2cf1028237dc8fdd522f1e5a519?7zXZ !t/ ] crv9wTlP\ʴ4@gBi*ڄPjSS4#fB6 ; yzCb.{Z;8 quQa @5%NGI/L2˨<a׋nB9L݆8'i˅KQwjgJ's?XA lfO\!a-ʳXrʼnĂY'au$YowjX։.G|IQ\aط>3ug*MD7头ot#N0o$ۉ틱(Ik#Z"*I#WG~aX%Mg1r(ظf[XQy!RK2&;ۈq=9U1s*.XHP3g0>5!O(]cQumԍ>u I-O-ӌW?I5F7)XS,{J%)Ct3NgS^*0d"v}37u:l%T&Ւ[!宪X"5kuF Jj(> dṲ{Bԝ.KA2=(T*ś^tWpvQ;]M4AfFs5(3fuqqPjaat8C2u)%xxtR'>:2K-CDzfׅNUJiۻwΧ췈^"$`;^1v uI"\ؠMP`u,'et)rq %IKm[V.<44h>[ e@S"uuſDԶ\>`{hqAv̂`VYY8 $j8 \ _wKD4][K |^7Y7AxeP`CC #@T牠F #}5C;-n"+nz˧d~g8 IYi?&G;kGH~wzBx jD\4GZC'u-d}f}Օ0?S `렝z9m;pbaZYF%TIi_Jt t8$`y3N#mP|\oS x\Fk!Slki$ }3 ]&$} OgRȃg ?^`'ʏ&,M#ral6zg!܉Wld(dPQhkrʟڒnH9k%_kOu}.QtfCMn(t#jHF GQ/o)!E\8\zcec{a`h㾉&Kv}Is`27Q`dgvQܜQi'y@4WI.8T7gG?! c!/ cQ5j=vz>?D0TajzPha؃H(ؖ1p)j&3i[^哙VY5aDN?L-K̼qCXaYZ1҅bђ4pz%C[pA"{jh3#֫?LY8"YK-1qR {qa8E_> @Jyׁ9-%\*A"Td2.$LIiRU oDպa D%so+cޫvp[w ||Oaa+и\`|P}{HOșgM͝([%3Vd[@Աޗ1Oڎڹ3SWu'i >En j>i|XCH!"Q Lg)E-w]y a}şqQ1Kk@ŪK _t)6CѢ@|UcnYqFR˃I`D*^Ѱwݖ^۶e"QI1^L6k3U}W9`]A$ȯVH%*:+f+~pʣǧ%ȊJ"6FƧ5>wrnXact탔oc\#]awkHe-3sxHpI:MMXanPҎx4n2ZEOGţ>6]^SҀ\n~ aJ7|[8cUT F` hVထ7QD@MhB Ĵ2'AO+CbB?[3\4IF5ڵ̅42f4#< mcK,iɩkFꉃƈxc;1w_z f{IsZ]vu;̜QAL%u# j-S]&p1u aa\TTP%]0i>ڸ_ւpIlJ=?ttv$('~M, 6wLhG&q3$")V&O 9:#'P"gpMبҬĩD 5&NGV M:kd ,[:ٶG+ ҡ@,pq5?O/פK-wXCgߴe$ Wgb5Ce2FPfT>^ҠD@o%hmٖa bbK1YdԺȟLlMTѭH9Aaliݻ6zHwºX/qs~#h8 2 Σi()߸+IC8i^75]86O h?SZH=Q=T"R#T2)E:?_;y:vkwjm3f6Vw dG{pU.+yeC91)=6%]$Oll_L*3Ll;Owؒ3Yj ?LZJZۄà#R-;FˍZ!o - Yi_Fu[rϕE_ յW%\K{ JyjV dO;Kwg3[XqO 3=^k&Qe7@jZi8 C52*:U3CjZp!akLî):=%+NaM dM TS$s*M\}LF!&R{ +rߙn;mTBWp._4ھއ3M2(ly{M߽!++ż9-5{cYZZF6}kPښ;@(zs9ՠ8kP=%)3p_~`vߴFg&4r0wݾAf$=Y&НPH|8>gW Zx-4emi`Q+օjKrovMO0YBYYl*RS, VteaU]m9ܡ$f%mBнBŸ0ܨ9._ q*?s,{ yD\Kj#RLDkaxqj?^gw.× Km1WK}CORq9 v-]n#r/_Ņ刪,sXdX+= a/hwZ;HONSAu?;y[//w82 R>c&6ae~4yY_pr|: ~[nbY`pWu҂4ݜpvC0W,`z BYHz<3Ǥr-K>}YĆ_ja') n7f1E#$_ؤ"X3{.H&~w~Nyw! dq;o^  ޿tմg =Ms:,Fyr}Pk<Ww5:vHv_ϼ{͋~`{drL1;Fϫ&:Nn0ȅZgT 1KX#y~ǥG5Kq#uy6ȡ Er750}e>L8=;NE0D hVLa czX >l&)"E aUR8Z17IϨGuö>xGhyE].Y8 FbH\\+ܻAz$Fjد<+sLvUBK>q>q6EwB1p]¸ c~^i>t8ݦ_B~1hgB[B\ 7Mi >\NDcid\]V3jS:9P>$Hb;,W6$swߐ*#*:"`a? ~ؓ(Er(O5a;UC~z-"0Bڋ@M@'eC_4);ddiSBiYCvԐyܺUFr QWKXôd2T}53ޜꒅb^AS D oat"Vhu%_%uc$3 >}6P'ajWF6(4!B 1kFp}μ e<4| ," ~ hVs.-dM5.ӲSct:@j<Ip3J"GeN~+24݊k~Y/ozeҫgP)5̫ 敤xj"]$U?WO1v/2f/4lqɸ5ywC zNe2)"Tѧ}C'Ӡ6BF$+%z-95| ٛ8"R/|!WӢG݀tEIߜHF Rl\LJg<8'1)>oZ_nsX OGGXГ_G!(~GWP{%qOZ6:f!tm8jB%#ћҜ.r!\p(y`_)}GZO)7vw ;TjDJz)j߬g~dM( 1F-A{]NsL4B@5lGHdߗ4N]^y,t7靳=B0֍F򯹑;nT'lѺ%'4ƿn46nuprAIa-bq%O1Kӹtm ΀';N):d\ ZD]_3&tO#l `E4彩Kg_Loyp É}|Rڅi/+v2BfJUd<1@Z ;c>n=+*/ ˩ٯ*!?էm@A=[W!gӓX/0\%z{F߉~!Q~&)T{3PIԙܗ֏-S9In3) >tqKuZoh>PBf2 Z=&uʁ@ mA\H' t- 7a |t%GH@ ڂco8߷B);GOg/ŵy|9ۆg GzlH5&F#_1Pf Z$xS ᨭHBI2PaMwܳ@W~n|ײn̦>ɿGL־ Z7\2*06ܟƀἣ>:`T0sC覘)TD->1 tXUeKEPTP= PB=Q}w+D{F+;R΄Skr, J&~ثI9E%+QtHs5rj_)x㪊x5`dž' -:y\z}7| 8 5\s(l +3y0X=PvyQ]Fl(t3]¿.vMfI h| ,)eMkIDո]+Ka_|9NV\ ('ěV3ofO|=x3м1JAU:#D"J7ũAtA}ʷEXdGy}N%MUɝ]MJj@ .o-hځ=Ȫ-@y\B ?pz19⾾M*C}َ]j$G^tQ_s|@fI𜖠!8$>LXA{NE4¯5 ddIT5/(s ? : ZBM3,Oq4|kE͈BWc( @:!Gn?c{1qt E;Yc"uSe`5ٌ5 3$˱[\!f+iylx`{PP ymhϳEډwϷ3̏3*f'lr+L&q [P ɐC\ I@L@ }o Lah.k3KpVWT[,*/45")~]=/JPoyY&XƤUNgV R *Q8f-O"u6oBxG$p5$xݤVQK3c)2\QS$eEj>|ojP{?*Ў{JZ:E ]q~B+[ thNVPƶ=6;0rv7B QwrjyZ  :\6%T,RCXQ.iI1':IH( 2+TW>'K_֘^AFٵq"vNf.]<4`\'%UM'G}C4m|j%"WߕV>oBKxSB1 m򧈱jx ]T+QAO /9T'0 8Q68֫čZtqmr2 ޵V+X$,w%ݬF4]eU[+eN=ũYlcvvGaϴHcr><<Q>H0TkͶjna+| ъdXj5VJo`*>ģ.%dY8txG˥`9]S0N6g$2G:#)>炦,0PwJԗ9M1Nf ҁ¸Ӆ;jWkP΁%RLKګIĎYI@P%LWaV> # V{/~fq~ d8L_DX{%=vui^6HvBWRʌ_-g}?g62;%ŰQXbNY4G=b4OkLR#-J|E|R\K;@qCf7Ƥz[/P 16[U9+Or"M<{ %}Wn  7|&srr ?$ Ӝ5:+T>BkrWD*_u%% wN>h&a30,HfZ35{4 =NjALO8YDrznzǡOPo'k *mٸjwcUG7Q(LLVklKZӨK࿶)2[AnE O*W"!a\!9j ʠʄR\g}GŒB4z.kr.@ힶ$l߯P?3_$S6jb`gn4&"eSC!Sԉ2F BܨK2rRwÛ5g[g:4A &. %/yr|.2I]=Wc[&PIEJF|ȌKPꖼߪ[x*%ɝ8a21l$ۆz,$,TWZУDPaK\a񣑬{52ffv)kCF)i%X LtǫC>t"v M5?<ʁ&e9dq+ϣ붃G<j eu+2/^*Ar Z"Tq@y1)b9[OD/GZ?$*yf{w6G* ^ҧxp.33S/K@\Em@P|z u;93afUna-U?i59۴Hď0g*18{5=[Oޱzny)vaT@`֌}W{ۂ'V u.;C='!)0ᓳ[b?.$_#epNrNr|cwN_MlK>Dy{ո1 7k~:@y׍vuwc.O4ɫs,qvrMk`  U^is{[lͻd[&ͣΧv!Hğ,ԚgC8UZc0؃e䥥bݤD!kh!~]x)ed²/Vb2= >^(6UNk~|BgE+9K,"/`%T'?nV#i\ 6 f6t0w,L4$a5|nTp UoǸލZ1my,:ayOT0]bY"WѱFҠ* 9N"N"fIC_^u ڎ8 #|Q"-Y@NX0,E"`h+fSc-*yi\SE|w6] /^?/1hZs"¼spa$DKݔk2jԯDTeB="1^x@v5CHݯt#|yo:vj@ ata^Ytҁ5Q}(){JV`jw&E|q"lS>2\@ZM":'2Ϥk]b+Yc3'Vgi/KwTJԏQkc΋v{;+q4b()3SI\փ }LISOYCg<>צ2+ہ5!vف!nf]Ѵy ĝ|mcyD9 9Z*#dZO=,$S\픡Ts SUl?QmHH k\,' w!鋹Pp+ת7';tHBJ gL1HԗU`|wg&>CD:o򙉇ΗJop qq$USNtOTşb 37\"*B0I@\~TN;LШx7Z4 o +ffve:EdcG:d>Z>~= 5˥2dyip|n%=>2Qnvґ>?Zhlxwɡ9Vv"RXs؏{!Я^]NzL7~c1镝Ju?kmȻ! +zZ%;9EV,Ss"]3g7ŬsF } !S5F UX N3يmsI`39AKLo%?tZV`rJJ*i-6<8r`!8EzX9KYqi/E?"A0?/kRBFr$Q@79UCtC _NfQw })Q_'T{(**"|y ՋGra ֶ"]4pèQuda1J|G-x9 kTIȱ4;OhVCE7O55ћ ]qlz&K**J6+&(4dr0kA:(iMJ,l?_a"ͧV]ˮGuYq@؉G֐$V(pNOOnF*mB^d·saA+\`Ī^QHm{ {;ѡ%{9 0'jLoS\ I1'ͮD$ӸaRBƟ ܁Xyk$xquQ ԛBV:~/!O>Q'^"j#7^?O3뽨[x8-Whc#L$X/RUqISdNskHvl"U@߆ƾ~ 4~GkpuN:k-zZZ~B.>r*v1Ymo\@{'ǂӇoD߸QB7p1x9 U/$ +d2| 9yOXFlT7EDx ̡N h[(& 6[`Q@UK0Y-&c4^ŝ wl?y輻ytu,P k~ `W!:υo$및L~dqg56&{.u=}ʖ'l ?Wh 23odmr=̠eRj'<}fDzHUB' EH&e+xE8dHר7LG*DTj %k[5H[CbQBhCTځ^C-9ox8EKծiJ,@LLB) !l&Y`E6:>^mIȵnq%i]%fiXsԋsOQU4A˔i2JXUVu=S6{" Ae?>}"äb=q1C7b7['&{96 RPvzU+,@ٍnyKp|/"-]6ƺue e\5~`x ț}S?ܢR.FC U.zkI-ҔO,Hn}%,6늳~ƪ+lq`,7$W"7/?u5k̍/_:& ״2Vf(XP Mq15.GP1K E=aG@\nl& Go''MѦs9F2̺v{ܽ?}z %dꉗZIǺ-!;GQ':5b,-[yқ8@mg>E6Fdpu+, +<xF }VLnHD\QŲ>oB0x 'DtۢLQ'쿯KriJX5"ālcKA!%2 5du+z ,M>Nbγ"h~"721$xg ]\bjv Hl@m@p\bVBilؐ)[ [ O}φUB)E }6/k[ }ԇCYjFp;H S@7rj A ϏH]4¸"ZM凖—}/@2p~F 72fڃY<ڡII9$E UqޟK/a{^'sێ9.&mK8~l)^u]"*.QfעYt| MA6>'viٙ zAnG^c{&(9T'ݍQ$xɨᮑnHEv>|16 4`VRQ IxY^}ߥ!~D@|c~*Gʭah +.-FRJV;V E:is)K%9SYḮ= jEQ@RS-@f Ku+"Xx8a7:87"lISuki%?7@!2<=zN&A߹!גrZ^Ƚ =xM{Feݶ$݄]!Ye$Ї-*VY#/L I('1$SV'^{ԷS3ƭMi`_v;rn6y-9' aYXIl Y`NRT;I&sSh@LrWb["z=6$?Z]X"˼nSI|ᢑQj\H1w k5X6#D1s\~v?^^N,h gI19 [ ӇLCC!Jd ,&O 6B#}ߧ\SWuۨ޶!tG-]bۡވ{- p!,a>߾z[$p'Ԓv~K"L,ê`sSQZR~BJ ;tmM-PJ9. _,Ѭ3~~i#%50FMW7弟ٳv.Yoҵ5;&NYm'*ŗݡQ_{[Q{,g4I@ĕ*z~@ VߨcK16!N8>\+gQQѮ"UmFIm亪͆PJ ,v:(pNplV.PezւPd^m}J ) ^&g7Vز\ܝquj;%;n&zutTsSXhl )4#TiGMJ~4!yW5H78sW&~Ԙ~б,6O1N#JZBg2ӥ!0a[{"t斣 tÙ}J*,q 0O 1:`H: |@exTM%2žfN? C<^zZz`oKy]tneWbG׽uIP2$_)Mewr$ܝ>`2ǁz`Z })DUM we\!v b`jHhEeHiLp_ܝ4k 9JKbקKܐ^+y`˔ X=o& S̀*TG,B+p Eu/A(vP MHߩmE/ qq"zņW2ij&"Qg.'xG5.|GHka6:[ q [>C̭jY3򖙡PCQgRoT2=m6~`.GUcEeʴ Ʊ[WW],6חs{_f~l56uzLCKKQEtB8B)ZSgC%j= 43Y8UzRCٜ/:T5fL6gҏKpq +ԖXXPLLh4֠p:6B-BLmoCo|-7=`'0W5zTy 1mw̹H:=G'AK?|F[dJlҲC>_n$޽gj Р:֧Ӂv*!ޝ F:m.Qr,,i  H[P>7Fqf&}bd.qfO޺3|c /q cK ƂFy&F /j+k?qf!=ð!^Ӻ _jy Qq'mie4Efˆ E2b!KˣdއB9؊ <)i**,z 1g4n. 8JuK\$eC6)\X>f EE:aynaFAPʏٴ=)(fZC*LJoGuET$:W}.Ր\AoqY O#soa=L%N ֤ǯ>k h=ZH^cun܀TԹ-klA'D"PvS-뙗 'B US7a&W̍J}{&H [҆*5~^2nzw1Sv̛Mp63t^b5] ra^0b$vN_VxeUv%5TUdJ31'1/y6g,6:;9͕R"Et_gT=iB|T]rԚRC֓ #q$ס:')du3zE!Aq6I\d:j1ӊi:ED@G Ga@3yKPԑzi ZV KOFy\øŬ0{V_nZyߡz0*.y7 =YJ3qY84^_ TZ`A.hS 8 l n9s@5PT>%\A+}YwL%9Eښr k RGӬE_doE>;;S;z "𧔜q$m! 6Z2nQ/?n5IL3sg,Ƅ16NjЈGAK=o.fML9+>gTZD# i*(7cNX 'g`cQJ GLEHeX/yA i%2RBjtfGX:%\ 3i@w~gmv"+r`l?9\Q,ᏸOj\ 0Yszv%?b|ۂTVR{2Wۗ_Tq*Y5z왍 $ٔϰ\:N;PpQhn[= %nceI8 ,I:E7O9;y1%~9+ ]*-zttn)hoz W&5= W1RhTOtKOyVaw'P9 ֥\dr9I'vkeBsÍ"iQ#ݬÐewB,,J<ૻbYіc?8IhBKcy933eH]w/N|/Iqq]A͟dM|Rbaޤ)5,s. LD|n#C\>;쪘*m3VT&BM1cOH߃Q>6EZ&FOsaYL x|(htE1exf:fj*@M!oiq,l0+i)/}&6#5s>ŻĒ:T;"_iw٢/M+za >919 oOCh*َw+D 7[-ؿQg[#)cM>Dt=#›~e63{P]~/Y6},-N_>llJmX0 3xv&񋟗˻Mxn8ATs7-^yv)V4vs&Ww9fѰRĄ.wlnh>yx1⎩so?x#O>5P ꤚҒ}'+P,~)qJ)6 $.ЧJQ%sgyK*%Wqˮ# .5GkP- wg .f2ct;ܚ ptN=Yo:ʺlU_,j @ C󬰦Bj0LB9$ jl"6αPy Vz=ᙕ0h3ϛ+)e9uqA)p I2K'䄪Ao[FO<<ɘU7m)^!-~vM8ɪCްŀqQՕEHeKnd迳fZub, ,(rƹX +A!g03vlq-[P7U_+L^ Alzu"}(0}v >10I:dm\J<|L+^]ݰmI nh#\v_syE?;:U g^,~Mռ @ >nݰl/!6& WZ8E9J:ӫ]Cùl7: %u랔jN^,X<kFoͦEʶx'*UkITn/Iv0#RPBu֝ $`;O.ҙ?*="~0C\ j“H# jSXORJ#Q=FKsS5e{7c9l?x \'آj`cǎ1+_Ӷ|+U*s}{#lUdtPrۂC py{jЈy-nQ;9-A"Z8tf|#έzyic!,z4Ӛy2}`E6R *ă]+}Ob-bW C!|d XuTxoqDg Nvq'pnaLZQ|A3, @9qƁTN 0c@(IL)wJ!ތ*..&brX&R}Ͻl_S )gs hO8w(F(^˾y"8Z: ElmTI%9rv"@&RJuqJ)X3a*$,`=1Ͷd8i+2;9mKj)55G)ς7: )'"`.RrF ({.E] |d5Z&-ˁ4|nCՃ=%!,X *re=aO=b#Ni"0ͬĎ1 T+5 ?ʕ-|C,C!O#"*$e1s}Da.R$*tP<@Y֢탳kt^租jųC{]@09b=~=sAc``ʺT?m-Ȫߙ#y78 `(}OMb*[V9Gؽ|1,ʮ*Gp@&^g8( پ}P,Y UQ%Gyxq5ST_4& S<)B'\ HwHWƓY,- g L Z1Ȑfwe!8+zFX_(UnXKe0i nS|@V[a>LAN>/ki|ūf 4`L#۪}Nb R-цr\`-aweV}H7>%8nzSk*ֈPeCIg'%(|a7-Jd>*[a<'zI+c䲧 \Ǻk}òdg'H;a(_QBGV9z8(| ~ Sk 7ǀΥEX:JtT<ҖKG' fi*Y#@ay0 * !V3eI0ȧ)i=鵅rJ_6;'7IUInzJ*'- xYž5}x:G2)\,Ɉ:pp?FnV(W};Ң>𨜙uid eY1Ώt/ZF톚哝_?LE,< #mRy\kd^e *i.|ś?ɔ‹^0S7;<#Dk d*>h M⹁K8BL{ٳnnf`F`${L %uQNy,5K@{3|6{AW D4նy!x0qv[È0Qy.XHPboNwT'ݰO-qT.f wn$[:S1ٹ҉W>{7x3V+Kpb:y<ݾnߨX!`MH_xϯ#W#;t: DzQ W7xL6,*. ]!ØEъ[$elYԙq Vkc}|{ɔB--\|y3#؋)*}wœ!X\gZCО99۫= @Oxhگ;H( ba oقL/LnДa+[}gB˸AK'#3n2e/Dg]YQ< 38)w\@gEW,,/@˱wf{)kLau7f{Vn ͛: 6.&(_ݵeD6N6GÚ.Pʊ3JV ́-":ڧQ@!@d`K}#Fl&2˩ҍC+R`Wv]tFr4]Eԉ`M)87nj%q`D-*=n q1|vH)pTJKBM2LtvG@Ffv@2d/0бj;@vc0]M4z?y>i hw i.Z-Qy=.MtbϨ7[Ց[YSvsUNXג6DA1\N&3pZW.FvBr~s޻@lV(_pmǒt5C.H})a0F5;hf=Fν"(7 ַܹF @(EݭMa5[hJ1&qTO5rJJݼZ Kql W1ؕJnp~+0+AEEenl@\)k-ÝQUeaMEWMe~͠%1Aorh.=_-d2k Sפp2"tSGi75h4Am 1_}=F |fs*udS5׌$:kb I7p]$D{y;>as湱35b k&ц{ @}=!qd7+UU}pz:N*iv5_Lchnдr %!F5`}P0# 4lW3UPnVEGKdx(|Z,Z=2)@ +x9`߸=!trt(NIEP_"QDZD0vXFQyt/&75}GIPd`I_hTZ!KFج[ #L׌I[SU rYZrJ7s@WB$ ho7Ao,淃:!lJ3kjނ0Wq z<uS'[<5z1W؆>o7ITU`I.]F2Ͱ: ߘ%[yZh=bԙ!1TZ!#珇Zi'6Od.e N2t]7%$eS&Yp,`sBP0߲U$m15EhkjsD58c+"dU|+=2$]^^{W'@kƺK}{*f_Ȧ٩z " 8x<|r 33$b&caՕn?\*zǂ< 嗑,W*Q׾R7c[F-GFB-*&r1~@"a5[x!>iZ9ЯpN8?68:q˄{;P k &s<+_W4;Ҝ#d+|fիCMN qhn%1[;صwwv*CzيMNKl-mT5WC.nYubN: i;5#AJA1A4z9צI@ oǜkQ2)w/H@.WG@JtD$ 3H}$4r:~Nh?p m^4uɦgney-sjuD,B~i^(d="0gkoz>t1KB?<~?;#?iN /_p,1yK,X#M4]L0 >ĽFq*ܓ4SfwKcΛ-׉p?|"1sŀ%0VuD[b0ӝ7ٙ2Qi( 2OPX)i\D~piO AB;<9L.X!7gZfI }2wYetPQ oH 4iI?$Byh*o Nߚ× ]O@|K +nG?5 c jT^k1&NPv:ʼnYrbsoKmx2M;<2 4s7DddUF v,_ UآIw祈 ^ ʗZyQSVXB1n IF,' (҃ zxD1̇Sm jJ !r'c/yI*8M?4%ۑ9}25k`JzAc OUji?94Œ늼 8RV a31е6g]Iף 1ΐ T %&DgpO38Anz?w`r=|E (piR%~Gs- W*xؑ]ψ; r)P Q e)wj/MuȔXɞ1(1xNa[)nm'Ǹ㙻UɵƋŦܻ$uQƸ*$Ye8{'%P̙eeZR,fs%NLmmӉ!e+#1dYXuÀavX3bjt'J̗M{Sfp֧ȟ~ m|з@I52]]CiOl~]4ZSslM؝MgbBp794Ɵs*n2vQ!UdQ6}8G0jH> js(DVcv8, w)/ Je|ǪbOoEX'mtIk{00|'#WJ$XlHX͈Q c@;tW/eLN/s 쒯T%lڽ&2́Mn'汁V{s;ѿ`86.~<~xA/ʀHVRL:{BC; rXIk,(|`ng[H7`N;*921xm['Qj%z\=z p-&[\e3/.q?J@RvvPȣ'C y2Zo]uHq&) sKO8>Drq >, _U%4+bFvb[P_듸I*/vR-Of,El,_IhٽrdU[.~|]ެN}\p'չn&Jg#xRV*|1oq@{W1尪) aJW  @Znֺiz/ ,STa%LZҼ3`)>M&6&X܊&R i֯,άRq(@2G- X0Wj_$km!NjMRw%=Np<.S~.ȱwZ[;$Lq^!2 Չ2yĠǔ ĸdՒ_ڹC f?+Ow\ Cpg_, 6&ߴQzFRʡϹfډ2b4)LC2CNf{x٭F5jyشq.(9bܔ9U:o1r"p:ZdW0-f2P$c8N5C Ca7nwxm GN {Hvuf桸:$-W?'g]˵|Bn>1L'@c6XWfgB M[k yi=zF>daZʶo.`C7'אwCN@dؿH& m"i[ZhܿKo`հlt܉zy[K[F߿ !8FtB~3EBl5:2HnOc_yH/ɱ)z`0շI- ֑*eX.1{3sz]woo1)2XRvL O\'e|IHOx) kI~{E6勋Ȝ^T YU5+Ϩ Mw q^5cfw!>0$Q:iqEĪu@vd_ &~ik{<@{S$yߊ{l"洗UD#wDj(B҂Vt{ k0Ȱ^)@I2Q; P`P bh=4 \#M_F&!RFqt 7LEyP471jНb1Cxb8k}=8/LI.Н_=S)ʋe$u3ͬ[@# x|Eu=kH&z >){eޤ\g aU "n`02,Wp ڤ3J=z$|\ Y4ܰR&Z6pHϐ0L^\S^29`j6ݫv6<)4lɵNaHhX[o3M &QX^aX-nc!~J.2iqN ni>,?'61\aAodZ8yB:)b oov$c$n oI*ΤՃ Puъ$rNmgͩyÏ^ R TpQ >Lpf%fLl?pMp{_^\k ]/k{ϧ(  b#SM Ul蕋e#thD`+X?`Q:V/bTT}o`ro9/7yGREca 7&?4l _y:0S)gUJ0Ayt+\YN$`ˁźCaٲ|J ŖX# 4'':I Gf12#6,} :y 5aL.,,fW#uQ;zc-l Pucvii s8J5W}[ ,C7PG`kL{2Dٲ۠"ߟL~鰤u.G45+O UѯQw14̬VrY[ԏPG SyaRRlp>Op.=-&e1+~^bXKA!b\{}iL̜I zM@QO:_58C"ڭ%M笃ux*.ieॿ:\\ZY9"]Ԉ#MTqIcX@xIC, -|8ۼW$8|%)1Z}\K) z9RNԯ1mm`׊mX @'QJܣen0mXk4rQJbqM 0j%P7H)3߹cg9$7\uYQ5PAyA;`U7_uQu_df=-VG`g:.i\5Hq{W--pg> qt5 e)F9l YP_K2TǍQ{ɕK w}Yv8u#4]Ri<;Α1;t:eڀ!Wix 'R Ue Q"6@ |Xfxd~YE/! kT֟JvXx5sIOYSPjGxqmֵ{ )lH_\W"ڈNa -z4I['t/'N$}7N1!E-X >< oŒV8O5#0J3>$q+U/<ϤJ}jhХAyLiO4Fo ``P'!ԵҴq|?9jgw2&m_ZiZ(YJZŌ:.y-Z{ #'XkQNI:%ڜDUGTfK{bxϩn{gH0]h|:@D0+aV1Cd-{N$&v֑Ï{F%ʁ$$;0M#Zr (ʦ634xjx0YI%{p_by*^B?0f*i2nCOGѰkCݰۼEoUnB?%Rc;Қ+&?pF͘,É@{RF݉x0S\y6-jJ,8aDBƣ_8'*9 /%1P^صB}@҉(r$mC}'/2fHK9%IAq*<OWXfkY"`a3{^)e0seCh<7yablhܕRFU;\?`l:楊{F7Tk9>1T;&:djdRC%rid-۶-) ?F~@ Fg=mhiVk;^&S2R5,GWrӗϙcl,pQ)"sCȒYS8taxi1[!7k|9-GC['[Pq>Ijo} ū]5G NXU\s(Is.jYЂg뼞NK9+q~p8䪾+ƼlmLLpOk9A%9f9qxǂ d-8]>1z,[DlӗWajup|ɩŁ!AJ3&Yq4_CytBS)TqQܴˍu#h/0V\eԮT DGԺMߦη97'ґɊ$ /͝澶:+ VB1͋B&HZ5GtQ`bK n)DlCY g~%q@G. *_'V$: 8ˆHSq5coV4R)RlgesdLQJ^2$i/M@e,t$Q :^vWQX"Ԯϔ=IeĽF3 {xD|hRQ<|*.LҋlˢoEmcR5~cM^a2'Bzr5X0Y 91 _  RoUҤSh7?6 Z+`RL6M[ˇƵGSZZ@4>ـ dxeV`;^5CPNg[z{RS<3+DE&(C'8hē)p-."Q 4E3}j$Cq?rBe Wä⮲q/Nػ@8xʿ5^p*~ OwXQZ^p,PʪLyF6)[,떱NecctT{\=c5[:VKf&< o!i.#Ǒ Mh9i*q?A(CҒH>hOG9T)Fa?}trTuB-QdDuf @71Gao-X$ 8p0hYj:Sl.Z*9tlߘtk66EE`)P[4NWDv;`Q9{mVV3ݞQjoV HsܛC~zMovW:/T޴ O@5CXQu2s)禂J:lq] Nw0q~tIqT!to!khwB]*>xȱzSD/me֪K6GB@QNc{Bk.eK=#x..\geJe?Ț=yPb;[S>P92Ri"'D@[/\ :bv2>;M'ȓ~Y K$%^,H *NjĹz\d{vp* %W&FuZ,T;A Eo*`+)tUD,Y;-6(1J'=3W>VPtD2E OP~k‰6.FCsrD \Wx+| jT Yj-mDz $VTؾL@*:$*6`1M0viK#=0NJ!|y;oZ~Z61kHgfy̰!H51cggwDxb۸H9xHiUqxSnj%wqq ) V>ڑ6=y̶b1O *3Zj5jrIn+wweDʉej s{~*BW: ]\k: \Re?dzz 鉿ar(z7޺L~Ps-B-LxK7c 2Gch?7Zd7ءqD/iUNQvkW^b6{#2wE|%ֵצKp6dɇq=4n ǽztq,]~8lHxǝjI':g" 46DA91;jBڪsɅ6VkC9Xai]=uXӳQ OC4%OKG9ͶNbQt*T'bnU(Gs_K7?[o*8wTg:XXk7&V,T.Q.m_bt[eͬwBPH&+8 vC2y)n㒌l؊]\o xzh ҁ#~Ikѧ=ӯVU<ES|;Oy^'@7d$ug(MkxpDu]+ a$2 ӥ 櫓8nNsUР3AZ{ț5e fK3*ɴ2_ȿOV7Fz)ߨɁ;yۅFe|Ptp" !E8aEu88n4mq~L6#5jB/I?,xAퟔR"#ln]61߈d_Rx'l&~ى ɹ'ٳc޵T$v25^+/81k"Z@ڕ g݆硹6[jՔH!>.p XyRNSл!Qa0+TN<3қB43JRIyCP'Vy柉_9fӌ >\x'v՝~nH,-S[&9Z-ͺFYmۡEإW7.|cǪ]#~n j{DI(^Ya.#1]ACp3ҬVlVυBe ^b<|%cBʜp8\Zb5f+XHv2EhJ^*3f'\2g;@s%lc~ɣZa-N 7&M&{ ! ehƴ( H@K,Jxڔ/ĜaO+ƸHA,2eКZӇș:˓Y0݉%f/;JjgSxU# d?LJM fxͣC%G4 |ꅔCZYT`kI௫ 7g2HM c-I PynJ|R/Z6T B<\ PV#~ZqH$"ՕВ7t{EißT $% a!i%ku'oC]P9<HЅi hLI^7kHVJkbĄ_(4^hm;Q±BG%D^b}c_Ƭsݩ)ϱ66\}\[թXȯ([xymIU|HnEroQlߧp3>U k`@tPb{3Sa Npǎ9;'_uQL df,Ѧ'YZ`::[y+GC+kr/#2 eI+U <9-F\n7Fs41~գ Uڮ6*ˇᰘ PA8/ ǹ +yW;ZQf-AH4=]&7i?bK7zUckю&?(7qb%\ʗ^-GfMv;!4$f맟pGȤ@ؾlwERȂtAvVhļ̱`sxv\mbzMk!rFJL]aKMJF5Zl $]e {HW^:* R:tX^wlۘ*S;ݞ f|P@exJ(JnX1wRNk65Q>}myț #X;l_^* e8J \mݔfGK:M}bTfEkڌ&\`1ɈI˭U"3T+f8tMᜲbk:LV0L@W -PqcJ[eyK; S2nk2vt@ڝ ([K(;bϭD-|8dP)wņo aC=AK.9'c{_L 8!F-qH޴d6b{2ı [u*AMS ϰY;բ)~I(;l²bjGzȣEVilZ#m^A;khgH⾺pX_((0a+ \HT&hny?~^ʊE }W?{,%V t?'`qB}3|̄T([ԮGXఖ<ɗO'ʆ+ H|3FSxko7k WgZ:&Z&_?on_dLHEnixe&brХs0THi);gK1wB"r#55碽\eN DbX#HkXLQmo:LGK&ꋴ~0ssbAmV[d#`GA}p1uw6Z:DABcu*u\VLl}}1{F靚( we"ˤA)E|p6X| \,|a"":Վ']JEM˿Tvo$MZ-k=k8rwsj-oxz3_}Kð F3͖Q$0ӗd~'4 sDD|'LfgB>dhmnKGO2zgK:tX쩤Og%bkwD0Bn;;[WrL̯>f}MTe']c7:yu?,-I9]8]FXN  TT~u 5L0߈Kbq̡i> K`,&B` sKK+l%&WMr@UṈ ObP9kS>AۑfI0Dvf!v'}lK){~kww )0邫9SO'bT-w(rTNELα;QٳMmUۊS<2Q* 쌦AmN{Dg<1lf6G{WDz=.-LW 62'bTy\I~88x>-v$タZ ȂeJ6|&kre2,|>v.H rYoZ n vVRQ([[8"h,:c@ E!қ=<_ [u Ld@1>+61*T4O}Q|OJ}O:_{Z7+fM`b9o ! ^篼\X({91+p ae *7$T q@])T) ćoF`=3nGqGmU Ynv<-IM)>!I~syK9 ϠET=^,0|͠qĄ2"x;\R@4]D];R`qYBOw ]'6u懰*Qq gC)~Ƀ0BْݠiE+F#i%H`W4=|GhTЌk6I *?d^ K#JJz)5^V%|8 3bdZIsTW|X[T 5/!>.1VatA HG\:Ur 9x:({۵pu׼Wq]:f #O١@[H?20DO(Z2J"9J\_rM0kaՌyvPmʹ_ #.]D!z&q:yO&KYJ}, HTl´ S/rօ)-T :|kh^+>xEcEFLxnsaF| %U{fX@}"4u(15؛Pŗށ!ZDZ- = E~('X3}?TJąT>+U ӧOT-Ii$EV9D~[}=fH2ԄP&f2s2Ƈ:#OW,?O\UI\Pl&h?#23eV!ltXNY0?x $2LXF!y u}\%elSfAK|g*ڎ'aKɚKm?NUh&G>t'`iPZ'$iY bCOnsOL;,R89htUž>Т6G:l?@6Y?F:\c"-< SBtf#Ӣ.;Q(lTVrMO:,Nwh Gohh ؗz&k?hEGU~;< :"bazY^R_JIs]}mAjLY2Q%"Wj9RY"ZAWxa+ ]5L[YDY_-"<Tz- JvL?SP$Z&okӚ~*TmLj{7DtQwD4SF \MF 0$`6 /1l0n5"dkĐ0=L. "9tuS(1`P ',m6|BE=YMEA\CLTT*; +Y6+L~E,)ruw!ÒGnOJ򅌊,E;3G-cXFuFiq̜Bc/s&Ɖi;ЧȮ8{B**bwl[`("9vuވqO-;ndB}54#6 >w?.#V F|Ҷv |V1$\vb4%[@oҦ5ʴ7oPg KX"/R(ğbM`"-rSDN!_[Zu#r1S >+(q6ރm.a%n$EMZ_eJ iwCQz5T y_<]<ړ n2ͣd+o(s`?پG7^ ` 0j ݥ4 }j7t^TFN?evH!%e"ڻ΄dDD3A.*ָ# r}z5.vg"&##PUm5{o '<c0#^|YAKR 2 (Y-w%즖<:lӡV-vdP0j3j̒B,\LjHپG2%ju-:KOT'ndhkstm5#O7ߥw֕Bm%9`"I)tff[i"feǐ:lS}q@K<d{RGnK69 ΊTo7*f|zZk'M6Jt+zb]KuH=)}\<~񹞷4Qޛa$/ݬ`QƏ̑ӄT..x;VL<+K p[R}ΟX>"n*|n~Tg}V!j\5 p;~An"Ql}!A7Ñ[122Sad)Q[ ]D'rbiѨY-2ȩqx{~yy?-`PrgfGj|dCMZ^I JFLx?DX0EjAXt+4 =-S-^CC9 $NbkO/[x2R xNxqzsȻ3p)RܚOޯ}jHxf7Z;>Rp2Usa"UBM\u~[RA|2YtuT]niwIn yuR@5[q 爑Tbر]c7'!Oժێ,E,@`pjbo9[7)%q;`NsH>#mFj4 :Uf:b r(! U蔈-ٺZk1{rFX2rs\:`hmI}ЪOP6U@ Ų8&PC އK-: وMi*GOQNqDp2-,qTC6>A?O$hyqHm3'߀g" 5x԰@ip66_uhͲ*ۖCahWhabOҚA}0ll PBø-ϏoL,!KjT}Qcd 0>5?h @e{υb"_L,UwU mO{H]ݱf`ycFir; bTo RbI:GImiT!PF-[6aPÙБ7±@Jͅvu5C~Eb8)kdJ$%8Z=[.(oSiG?Яo P'eVt$뢊tI:]Ur=712{=`#TPz򟢽"Uv5p%j\&T]&1.q+78 ?L.- ,Gʥ4$tr֓FlIIcbN#"_N 1 ,2 S7Mp`&"_{rz)(:\hq&ei3v1iC)fXb02M}GXÂ}svi)Ne}"ʺ;=2W5l+ lu820_ܡ>D,UHR&HLʅD֯ t1pi8)@*=s$4CL$?L! +)*L~T=$ Rs,UTڸS7Cjv#w:팙-\'4,Oܵl_?pQ*uL~k?-*;I%*LPM>uo'(%}L{Cw7F:A7۠z6;f8~m*G-9AK6T➥@B g@oj3Zlڝz)@C@ g>]Y 3^F޳|f-s#2u^IwHn&y++~}L'&1~&1^ xEdo.j3πa0<itSB2Qk`F"i c* |(,BwF)EOA-="v[;E"޼,|<ȈRۗ"Tox,T׹P+wqn/M'͆o/;4id&%t*2E<Ņg'&9|Zb۸Gy#l`d4-hO|S~ZbƻňaM)|?>5=myO^xX?N\ARq5붆e H_&}p;trF'(C5D5pf,,IrG:ʳ_r ©d( E`<\c,%Lu-AF#+:i FcF璊q.-)>SU 2A5 pޱKwXE# AX4}`+ fHL"OI:."LߟĆ^1A)O  Lp`Tf=Q 6K97w+7=@ѴwڏUhA$|^P+V$݄5.?Ar%~e<@fiMf~ *<EB񞬃 =~*E,QyQ‡tgO"$I<'+XE%Q;K$*16+YYoR SF9T1xB:|ǾO!$rIqC$`Q.S2aCfSl,8Tp_'ǯaG$;FJscW 5%{)YCSAJH8iB%]BgZFUF Kץb HD_1&)6ggJ"Q=҂7a\k;b^,@'K***h19F& Ƕ! !p{S+XOmI(AW}H0QT X V_mq\VQBCnKQC|'~J;D #nt~3Wiӳ0m"!2&O[7~ ;ejݡ_Y*4Мrk`(g[ҁrcu;j1JMI9𰲵D_"x$ϚIJes5`X Hl.(?ܨż0:s GDsONR+"&"Z~ݕw&&ԾynV 1sy̼bZU+E`.6,`|ëai=wba9Nq4VJuk[6~kۦZ}&'>v[DNVbwm !ly钪Lrq|ٵhBl_ K/$eg,-Kղg V kJ]k=Z5@o(1)quJ&y3]0Y+},%A<ԩgq0%sN4pUns0n' >#H3G !Bq̦. cc[Vyuۉ9{ 5ge!O(S> pPE>GMj\&7Ⲳ-_8!z#*IIl,z8.niw2E^9o@;΍`rK0|7Cl8w٠Dh%LGJz 7)h[5C.fE^ Ou*P3]*EX94Fϒjn|rhhQLۆcdu$6|^{_ }9U< wBI 1W;i>Lfy(DzL^_tT,.Vƻ9r1x0QM{2Vudގʹ`!hGdܖ1rksRXPɛ0a .<ԗ;WL(I_N[+.o3ۻ$;wqE0:4;Y .DnILJ^/Į]̿h1[W:ErA^šnEއ'f Y)[;f(5;~ned ux6 ӯn"W몖X 1 "헠#\yQiYp X8S_EJuu!q+g6Tilt["y,,npΣJ i)ǐ{:bL=bԔj3i8$@=RS 5R`5|in@}>^B6-!M h8=.Ro  ǹCAe)d4}xGjymLz78+_FXƌ#{Üos~)D_DγR rTCuTF Tj[we؋udG+Lt^E PyED^M{r@<y guU}x '\VFh9|W~μp~<.4jc)0DJ;`(MQ1SQ/ VUn Sd*se&, %ߑJth@cG:gE5Ug 6*gݲ?MFɎ Tkm~V1AޓC{|$'cS /Vswa@`m °@@m٩9\Tk5O F3qNJeC!l=MƵ i&tW n2P?! Eq[z :!"zgsbL Əe;cr^Os )Բc Cr鈣FW\#pz")EB5l`-ƒ <|ݘcOٗ}3Gn>@ږC?JF*ް&'Oe^K$mfıGiٵjc02,53 E%[ tLv!t*vU͵H Q$4=wf 5}j&E+\"9E 0)fmЦ/ 6\~]H:ɯ>yU B-ݴ1'z0ޗd(0h7]c)ByҢïiʶ !mZ!2ï<\{&2/F2h[iR$͂fJ =!aż<܉x6 {شZyn}C^S% *rQU>__;P%` [GAN%j=ppoP[*C,B[s3ϗ _z V@ړz|<Ib6M;+DR5;Gc(> 9/ 5};e|K΢:Lj.dDpz~^*WesGR5{!o'"*}}%}ɾ-׭vtS_@ B)իk-aY(nbzἘ_YȕG1+X6cSgkKAᛅl mpiW4OӇS=hK=xrBHmVWZh@%Xh7>h}^'~4_L@VY"stfm`_^7L5"'|M mcAj6`XJbߣx/3OC!cb\4=X|+)ᯚ^ܰt ۺg1d ¾.))6;9#mrݯb%Q5BO\z|ٯ6^GґyW: 'K-n陓 $eOS6q{534LRSnǓ*i>\aL'J=8FԝHČ%CK$Yo%C7_WE:&NEi#""m tOͻ!o>zH{HGG λ!qYB>[+Yy@k6IMRȚMf[)REzDS 7rA%y;[<,KDFzy '[^H?()G &#*"^3XHt ]v"7]iݶ]iO}rk ۃCJ㋉9{sSAMLB"AjulНA`k=O~Н";Z+ws8G"1Z&@ 8@Ss5@RPĢyϦZn;j SMY>y Y6q12!Z.Ltl%}1I:eJFRv @1%Lsh8w@Y;@ RZkR %O}R͂Q1VɃog C?:J*3}}1`o ?i`4 Q 01iƕi[yyj߂ޤǻa%SwT2<Ld+B ^ss^ Ŏ2<4ُ?z`eH U vw)-& bk`dԴA\1:<Կ7F0P­PCXdLOD5!vt,ngifRTmS y݁1 `Xo8`[s;i3M#*NC?Eڠ,^HZs!1|0Y V)ٹק_1X~a`%#lxƙn@.YG!P8 X,LмLƈlJaee8rzGEK4 J౩BrMU}Gqkg(x9PIc(*VpK)Sokڹxך~vtF$.~0xUnZEL˴=<0Nv JM>vlwj%DX5OH>)NU\_\t`ܹfS)XPpw*[Ab }"v)3԰?\ "0v2 Rf1|e= OQF{D1pv(yimԕd0ި.Q'H0ReC1?{$'zk  *Ƴ,h~M??6qs}㒳 Y= >ҦOw}**W5gFFjTXc8`9C>D"9IF7ԳQ)x3NJe*n&Da3w'LV͕‹G`eފ؝ vf ^υ&*% ,{#eZ\abS!7hu@RV#.衖 A{ u\X{ `-:[KKXqaYE+9奔1=Δٕ&`~|ö >3uֹ]LRN*xAB^\?wdP}?ts.V|t-Nc[5Vk wun|=`` ԭ a~tb8Ue>[&AT侖??3j=74$kR܀ś8 ʧe3UHFw=]s[ j)`uk[,Cs{EP;&G2'(P T(fK!i]&x(Z9':c6l s ߾!َǺVD@a[1ƚhꡖrW1)(1-n쾍 \&^|F\~ilVǤ3Im5DkS͙T؃s)+2T] `R MU+.Mx̣ܷ4JJ (5g9v׿l{Q Jr#뒑)kT46H +q] W6pvAoLaO aZ_@Bc}q`&\若ۨȲvtg/Kji]yhJ1ݲ z4 -$nP2.qes'D1xWI+ʀS!(hܺ Lt F/a3ӁUi XƻKTJݬM7%M(3FͭLǭa֔^V&! ?@VJ :m8ILP#~S!L5ę,kD]>B -߃ȏ8rtWD TϚCu6pLr,su@ߞٺ"a>ʱ@Rqz$38=~g5$Y4~b=4 oA٤~?kMijρ_)<)WOncGzO#ZIj8G;{/2%O/({ڂV6ťœB}s; .9LɎ1ܡs J)(c^?OCZD{J6rohv^byj7堯5i^G&X*`{:E?茿^%fXb%E<`5 xl*+d2B"ˌԱ5x~}j\Թ9rGypv 7D@f 9!ѩEv@y Zw0PCSymʜȝᫀP=LB ,+cFEQRPJϹ+ػg띒HCk?*S%%td)kCc\s:y Y¼:շH6:ΜDl9# gZ:i]+"/6z]xucYW` +M9zs ?AqfOhȄO3!dS#3@-Uif%>^C@m|$!4*%ge, %r9:\ݛ:ΝFDp]ԳqѲKxQh\Kh6BN[M6C2qajIs{oe^/#zks?Rwgz*'yi5 e]g'SP: pa-^~=r*TIO_&;e%MGCMb.wRrkAu˭yWrf E^(h775!'85j5f|‘ID)jx8ü\My}w`r.N `;SK%ֶ٩2Վc8C\ ^?:r,5u&:KPyܾKր}&Tf*/=FՏ{Pf@(u5xU5t.Oe҆&^(Bo~3ӅaVk %j_ˈpbމN 0bNOGRFm5NeW%k>66iAR͘MH~LI,WO0xLpi62>"ad:2\8%Nf(mgEՆkB}`h&AVcmuÌ LdY^&[i0tT-+5OXdGt*9%s{xvEH=Ym8e(}  ˄`~/%cq7@+4ԛhߴ3R  uLkL0"i|Ú^׊9K;FoI;~kBՒHB#sJ#nM#IߦAT/h4!LQȤ?'\eDD/Ԛǡ3@i:@>BInieYjVH=YьN]+TAiu{)xe {[A"&,R9cY%ԦJa@zMJ=/:(Tc6E(`FD**̋+Vm}>CvB9B[|_񫷜= 9 [6%\ l=rKŘĖ;EpeԲ4̓\0/֨Mw"n IP'yEl&<~LAN/a+ū=WM􀐇NhS(iA\EU?R\ʅR MD8==Ѱij, )@-Hh{@6HŇ3yPʭs p<(wItdIΘo^e$(S!g&{ND80S} TU &A@[=U?xev FD2No>ꛡԗHa6Z/!qQݯ{>EiҭgvLxӐZ6NվaN- iFTc

"˘ . \)lC2t 0qȅ ^[L;sXAfJ $]J5 tW*_%xd+ͺ mːQ,ؐlswmqUŎ2k2F A]4TDI M4mK$8|ˀ֜gp}N&ߢ-xEgJѲ"DG v<^<>Z.`Dᶕ$ie稤\IOv W,.vUQ5:_XLjM*;(z+- @EScb8EZw?LVpRR$25P:(*gvNeuRϪRO %&<_m#t64W;ls,b5V4^0"6~RD+Xܰ5HtMH%_v% S(XA8H0Ub˅Fv([`=e2E[ufdU )MK}~Qh,TL}^UHAg7"Kcl )x*H[D:NBG;ov*Q`'uSO~ q}i/o^ZQ[uD+EJ:-0hM 7A[ͨfZX.q.h]L[ JU"dG{ ɱF^z~A39/m[[Vw&v7ARɒ!Y]?bg]#Jvز7Z/V4!&l&EPvz宻PFY{ZĐiteJHLD4FRtvHaG$*S4eS tr DL2I~S<0!+cen+ACp%cM^}<ޖ [JD4'~שg09~6k!lbKؔK A Iaaov!P1S<0.?~$ X 4P`Lኹ/2_1 "f zw5_ȸő]x(E*ؖyA"STj}?BpSPKi뛇J݅KN?^?ɗ7 K0v9eW\yk”C]z uSO\/(gɹƍ.\}mP2|藓4{hpÖKcū: U/9# `@/hҾ@Ŋyoɢ{iޡ۳>R22<:EvrFڝEY{™DW9n~ x棈j{2Zg?ݎ[]fNnHaݑVf2 _z?Qu3F]kA!GK5 Y~{ϕs%#7Q'l`E7O{qܞ! e{je B4RB"I(X&x =\Acʪ5wgadYF#4vjkN-7bl㘨0HT2٦ItͲ.lxċRf E6:ןA$ Û7BbGb?#Ku!s1[ 4x-)p48 8!8'+H++D27*eԏr`o+"b5Բ64Ku+X۔,1ְ@$xӦw#^y۱]v- 0$_lfX $3T%2)AT}Ex[]s3{PU Q}8` nZ Oێy9Pyݗ hGR3<:mn%^Ei TIbiȰi*{`,ls4(im u '㤐`' URb:EZ:x gqdhJd"P?,1W Z^BIC P>)ƣg3+c(ʢ=7-RH0;EEA*`a;2rKn 69xV|\C`, 9 7L1&ڷ" %AO=P ^ܓ5^^j_\ dV1+p3zTs _ +SiI;~cl}xz5(=u 9luOWܗȑ Rz°tq ^YJF]J(]NK"j@~pP }S|{B>h{ kyk%}Ỳn=N]6 FH:)eK1mTU݂B.k>ߞ{u825p>`6RQ-]QP0 Ù$<>+^eun.Dcr[:3ry#cmz(Ē5ue= 2|䞉~B XȾC'.eNim6?熠A 熒0GHE YYdGc]$ytL(|,ּiwj^ϗSS~2ڧe)C: ;^@&PO.llEA'ڕ FS GDōkh#g5SI6Lrp?0Rkq{r0@Z+wJyub RKq+[.LUwAM E͚,|)Lwj~ʹDP=)VLݳLHШE2]FG^4b o,]A~CYg!uDa^'-D8H1e:2M_Ǣ`N<_ЕygU@Lx?=,J*\FsS̡ukO] %48z SP5,"MwjM!7IݔqRXw5TٻS)۩q P+Uԏt~Ao6&Yqr4G;-I$.E`#th.|y'L%쥮3bBsAB@!߈4h>o@kZ8tgZ*H: h ʉNU" dj;& C&AKB)R!*B. "pU:WP$Sq}@$za"*#'tw±WvpO*srȢa, J?:C~}49&.iS襎/| K5Xr--7[qv-ʮ(P"uŭ.Z6 SZ@3rd, +΅Px=F BE^e!8mrI 8Hal;ZV^[20!j`fI"8d]rZ!Ik|Fř=#Emm])66oNml%VK-mW]z4 a}Ԛi Eu0*ol罎+6ts`^T)^i{IyPx$IRX{)AvH⺷EP,= 44iO' \^*򳓖0&FdӣCd? "•s` V"r9tfAjk2$\M6 vȝGeXDFbFFY@7fE p'?fY:_c+^bC:Ej=Ð`Ɖ.cOeVeQG`Ƕs|#Ҕn<+@]b&1 _0?G{}Mg: (|zZnR1DE7fLrIPT^s ɳj%%Λ>7׃m8~s`+1~ H,;aO!^+M6JGhuV_0`K˛>.7W{[yӡ EUuh  C}C_B ` '}p]L=oM^A3ӫDdye\Ԁ pmQ4{KxAf?qfφ˵DZd,GurH26pȂ!ٓ-2X<9UuVYAltfvC:j:N*ٳ6Q_*LR)ᖈHߍ"."GϠNO =P݊tEmAߦG?t5'xE.,q\-?$n%`~{T}9j8pݵ', 7J `~k?=TadB/Ɲn~U)x!ѻBmy0FD?b^Y7݅#Umw[kb*rQ <Ar}/``  TM٦y5󶖉R԰ʜ2Ffت;Ilf/ěتVc:Z9/hǛlɑԶ^IQ }`t*kE%29 76a]֞H$4ϩiʫoXM.s#v[N$i!/*7N9vV 5hy8BM1ZNf"E>%H6Yi31F-Ùw+xͥF0_kֺޡ`lFʹ;aqk`ߣ-~W^svg J%+B:pxk W1jl܏,oG2N'b2U(JZ6x`Q`r8W-"!8m;z6dYmS 0뼙lV(i-4=I^*%OVdM0{^d;}Fx,S.9f p'mi1 G`ۧ܁ Awsu/w tD'ř ~*WC=cXFTiݯ:;%tÛӧ9ZEm lC=+ ld= ͻ̗x1,y@Gve'Gi,;B5 t>HɄ9iJJpB a*3hMwsS4m왏Ett9f~RϽǎx_0 (\F.Ě;c%aDL ݒ9&4PGb^.įfբё)! X`2j!(-_m # TR Ts <>"ZeN ~2Zx-G-LLXQ%`}k.h]l Jj>]}3:E[ [w< c6{\;EH (~&_n>'!TѲ`ӳp^M[ޡJ%ID˟2j'|v[r;)BS2FEv0W0XVbbc="hSvDTV:*Lyc /ma#.IJ*4U:'Fw}e)o"i'WEjڣ^gl*RN~}v0ZUXU՛FJ2KNeT?qVokzX:0HJleҊ7ZET Z֑K`e,_E6I7OfrN%i%؍:R҆ڶr"ɮEcl |`\ ~wXöfϕ_f b=M\Σ FL~fkO+aF諱|w49apTSt5J*$R'U>˛yW#n!V]=sy|Tw$1iL^11FB}=L((\00va \FR:<ܽVq#I6D%zN̕]famvpB!Ӏ;NU)t/$FUL[-M7D6iT83Dۀ?mlaz@VBl>~)Vlt,+J3h"~l\懕5*Ci4ߝGKCq Kg?!G(xobh?SG' ~̲86MB'iX2u0:IPO"n)I{%\%B"1 O&B`Ũ)|p Ύ` ub-sFJQ9m0.$2lнzyP ݰdW565όC5Kc;1 &A3aw" MX;#[(~1u(`w/X'*G+Fi0悼$d,uE Շ'#C|tk *Zzn^׉D 8ݕFPu|oOL2 #L;46lA_*dD5G.W€"ʕ.զA؝h'W/SUPnك(G.+ i.R'pC'4tѹy7rhzƗM361V%f*;Rs)BQ|Ǟ;V6Via HMưBOJf }؛ki"$'9MV.3h>i]18NS#gǗ*]=:ZkK$jPT~t.yl2k[Wd?%gP~)\?M=׏1e<2vha5/t<|LoIn9X`-WǯWd~-u#.^uvU Dʹ)5*-2职=eLļLB}d%1xnuVy+l),A WmOլho:)a?(c8u.4l CBG0WF𓇙Q~l(0& GfltOgV d4X 0 Ff*Os_nٽP+c_w_T ;Gy)?`{[!-#N,WhM _^]paQzgde!zJ)e>x2(b ޔ-2Ur=ۊ5(1;1[`,Gq()ȖR0]¤‰0Gm9MBwpQhiPSxdPK*#8j ,Mŏ{L0ʻhh7Hϙ+pj(5e{6* )MPYQ,"8P_IKpKƇF*k/._=4ӂzZ:tS̻iNJݧpQ{z/r^S%02a8`CUWz Ɏ|PEѣ:4MPVPMB>?jvM"OtPHn>7N_M~b6k7JWINQhT^loК1HES%\%\4WvIM |&Z˃ 8[Oi\ :;\q|)'0WPRS**W[S3g,&R$M[zJ-^>a9osQόF䢸F"E=~4 Rw d|^`pjE;8ţO >/}r%EJNҵY8FpQDWM.։s>t__ʸ=#9,K#٬Sb zWأw,/rWT\҉ᑀÛ{-\D C5~47pMQj[kRvJ}ȹO_V.9GC8\[(`|℀W+?v7z_te@xTZ]P߽DpjDrL 5WGR o26nxaʻ?YŖ?k~E:u"YZ \.T$+rFwе̸WN\%KϹd?E8"EZ5CH {W'7JN2.O=fɧȝ 9o!%'ޝ~O%S9x)5>V8 |xX8uH / 5 LQdl\jkq쩢 ZE?-չ:<}XJAm146BC粣~>.UV93m""QH=v*l]}ڨ(c#ˠmjX`U~JL!cw"Qe:hS 5U72GnJ?=h/6gڢ迲{80*C"ׁ)FCOڗ's9>,&H SqL"@ƪ2pʡZne3H1QY"zf+gݶzŏK\އKu)"$ diJ&j|S^ A J~d eo,H 5M [|moҧJ㙀Fmc* -Y\;gܨOxj;ɑ0+w86١vZL^ IBFWF?!DnFOJ-P64%Z&VkB~{&DmM|e1b>"M@XuB#Ind .P$g;+Sv0})1-ZMSE::%+c `]>BB'Mu။VU!dʖzL S&=b|:bdUro=M-y.VAt kkwdxa@g2|Y P ѤEyuoo~5Qr@z|On*\`y]Վ.e@JesxE <ĿEoTcmCB:c f‚DۿNγR]{[Ӛc8jo3=WM\%{z x CR+7cuRf idޝx//(׾"L38Зr[|~񜺤.=hjfjV A0j/NWjw+yϡcsM7v_kءzt: )`7co9y{6^,Z#qu>{\xgp4H^Iqkab, KYIbc7fE|Xl? /ՠuϾ i0A%YQ|w}}ݒ%} &TSͰ>HUŭ*zyurj3/oW,>vӳ)Ӽ*In= ut6@Q趂|w! ҉j u^puuԌf._ K:HD.c:C̷KA;=U|P غ?1qdVjW7 `>&Q<3gN(eB(}7lu垒4!u *h˦aLEɗC%].upRI9awKom:h /X " ɠtt{ThKsf4GG_#mx'!qMkUM̿7]`}9C+lXo=J7:L 52=ͥ9MqpW_E*ռ*ZT9Ϥ3: 52'leҀEcqe2~Wjdf\Mrq8O1åty3WKlҾg\:!i'JNrݹ撔oV VKv1>71jؗɉRvN! TD ZXOtH-w~];iswf]PCk't‚quSw-X@:[ W*x4) tA64-V \/%iDEo6Zo0"ufK2487_PV݁F6'`3ܽ;x3g<tJr- YnOǎ!!rXm^jsU4ˤ66p@e*rNBX_=.=Vw9s2.3ey^x_:ՠ{dU8C2 ہ"4_H;gk rm`UZyC olu\. !7b#dw/爔6xnwS~GWaΐ%{k1@mWSh4c D+"ej >zvi؈Ԯ(jX1B fۺ.vDPkEzI6%ӤE Іc&^۩^V+j$鳒pdL12E~K9l̓{ol*(q޾̸><3g"]/Gn5:(ɋޚDشW SU]Ǖ!,Y.[iGd$Yn% xZp]ܒW3{@o RwTn.}V' diēCc!'L`a54mR\ҞM'@wkˑCE GO I6_g4//ahQ1(%;󵣠z'NpBF C=_kCX Ī8ux m$O3JzMkƚps\ʶd6Y4N $f Rj:cgo@A"] cvgq.ϥs m˟Ck!m+g?T0C89Uvo~(ٝ /?w4@Fmho4ɴ)&|Bx}7ie][˕;C΄:5˗J$RE%pL2 L;RܕsS֤nl`'"ao}_IǷc3l&97"Ms@ʆ:i%աr'aDQ@C-CN=hRۉS]39p$D!E 9FF.mo&5'o7b-U SA^G[D`Oԁ*+c@*%SGÄ"E[7Et6֮f |t+RDb4ڍX@y X lirCiֿ]6%7CZxý`seY;O,0 \E=9X(_ ZRGm=R<_.x<ӛ^r>Hh9eB?E lg_S{ְk{ĐYWF+Bn'*th({N%Dchn(lIW9c֣4>l)LJZk,WB*(l4V9sN Q-=X,#4zT($WQ }h.r$!^j+(4 'ii2jF%S?u>Aˑ4}m"cN&=aa #SNLU@lrd ip ?Z1G{󘓢i*-7R|m/Cm OXّH)2Qoy'#e*闕* /#m;oS%{d!O1)0y`fNp䣚QRe&0ROc'S@0^%<)ߍs0Vw`<+;7Е%q Ӥ3B)O@1 ׶(Cc8odjfUOdG9chGc,U.QF\Fn‚vTϵ:=‘I6Pu6nLmiFJ[qx։4)3z3QPQekX^bBJ9Psbyz1.`hC.|bM8T8(#+bbos `QG_?qѸ-Sy*Bƒ_͢Mh'Z#Ǯdym#npUv6}mp?9׉A6No_T*xf(u$3I+#ʖ]ħVꠂ)?oPPUFCP9ĥTАXVM?yt'Ns^b}w$Kl7⮣ԚvMh2@[﨎wT`LN(0:s.qTaN/:]YFfPBK|56kW&l[^u]6Zjm=5VVDzu=n2"ܝj$Ayx=r-#Mae(oy%~QIх}#~3Ox7N6ͩ_Dp}espǨ796Uݔ INjc/&J<95f&nĦ|Pl6l-~te!XCļg7!s4WlK-LGߪ*'C=?i +NCĀ*F۳$g ˛>(JP[8CnΥ~k?ղhBM-n+X4;Z[=Ij軙pr7Rܚ,n, Xx{3lK`xY(#6?ˉO|3YX`s=:}$;.֝v$lQj/ ΗE9)21|YDs)VEVQV*@žKx]JgY FN EՃ> O!1>X6&%wl0>lSkXC󻵡B*~#y"Wq(`'=l,"H/*lR0 X (| s )*O.dБrS5o+ 1ңAft-! Լkq#1Z x`nޖěDŽLޣEJ=xzQ:ϾvĪ0ʼnf29kG&w³UK9C?g K*#Þhn!J#n͕ H90 j+E%v@ 4}^AKҁom07 ȱFǸu`?]UĴWazc2 d}$ `hF~ 1Q/ Ҍ~SX`1i;|8+)+X&,@?),#ReZtj8)a7 զQm9(ÉP!&1_vI%ui*VaZ( _1M Ro#_ 1¬4;KVn`ӢYeCd| /w[U|\*=ir  Hy8)7G6k>[?>zd5D?J25gΐc di,܁k ݸ]/!_m:sM6ɓNE͵S;gD_Ѩ3m40oMMZPڕS5"9sB.v2_JwT(z B^i= f\4E.z?^inפS[AoWAAB Jn$Y9Pd^U-,Ā Xjz(wb-$0XBw%"AyC}S(4oѿd)-ZM@˹zm[lCAސfW!r CECWvʦ@q1OI0gy&lQ3i`҈اO[ʔ ;KgrvȽؙ`ٛ1,ePr/jZ,,&lhmUD7TrR{;ʋwv"~4:,r58Sk} 7L+ŬExUB1A<݊ H&,ݹ YP{ĸ;B|X2Xk_uMfNUQW*&f PDuv|>]-xйͽ!B5OqqfV2pjt02YxT 0CRhrrX˝23jLZ\}]a`S/~Ѻݹ/,WŽi<}0F^l0`pF;jBJWZ:Cy;tBvv s(&knEV)6-ٟ5iCkx09$>ùә>dI>cDFMN_T}Ĺ+BzP _bldv5z#;ޜ!c% A Aw]qf@A*S ͤ8k`V'a΄fEN^qμZߏ26;UevQe% {I]OR$3^uϷ~ƺLevi<V*kf-A`?F4M2N"W&J ݞ%{2L"Gd@HI=̡C]ʗ6тQ=iHЍiƓ/Udxk{D(fs'򊝿O _.q7pKH*m~ |%ډZ(C42<60 U(AIlÈDp `IPO \2A0;~6l1JDjSƞ->vHuQZ 3 Oy&DX1nC(o)㘇`M+Of_ʢfw=I ɬq`H޼BgjTw:x}hگm\l>uh)6PgTp^# 魀Q2AOA2eI&meٲP$(~sM p\[ XKފMK1b830Qh//{'%7ųTċUˈ1}e)!|%tV G B@; ku :ppD&J&L3ݡ7::;=B'G"^oQ)Ie`L=}aR 5N.~F\,1Ed" ӺLFX* J&3.y 1O3DY_@MU/5i:}Ct@ my3m2PE[$mf4x[kkuT@ZJ]f>nr|?j轆T:4F].!Lgѣ>-S~ WD%ֈfđ+ӲJ1CaW=쪡lMD 5(.-aXAM1AoD52LȰkyuG ǼH,S_Ԍ^lˡ=ՇOƤ 4!NvV;z([ehι*KuleadfN%>2M2;x2!Hh eTC9AW*7!(R|(+*U" .|Ouz;$jYhZR53 .ԃBRXHC'`dG]ڻZe>ZӪ19U Z(`N qfʭI/c$)!\(6 8eg/V<=&at.:^ ӈ]7r s7V8h8/86w }֡d1eWoKAI˶"8/Ph\I~\jz9? O O9WTMd_@TγUg.@2NmR3tFabe~a! Eߗԫp2ڄs 5EΪsϋAVP|#gwSu04ۈXf ݻ9ȧ&tPI&NM*a t/TJ}[;Nzv4E/1,ˊͰѝD5荕0_TRcux{B[ ~&RwxjLb0Mۨrp?1nذ!v* =/N=%mηbwa[n2tt]LXeuvz 7ɕ!f_@y+ ȕ*/8ΧBIz҅Y20E~JA7csU+cԐ:_),vLuPw=io_#޹/]b'A}9~[y*z4JDVr  df" GwvkO{X$0r1!@sMJ.uPשR#uW<ƗM>A^X+CB29C?5/T4N&lؔS^HlOb*XGs)Fg`9r4t-`*,m%wK:tw1b96+tܖE'@m1&BgݵZmQOS E[$qo]i!=[ 4!M #-qIg=6VN:Z\Hh__t.قR.FvoB`..$r8F tޠ89r+LKN!s5-L!ՠIjX(W2T[QTOS8ģKB?K:5!2` a_}zkeqH4dL*]+N`)0s认=#_@d(3<bp[͛Ѭ\,7?tP>CΡX.δqT5[_tV~[cE:gV_ܶ5OGP{8$yWC{7rF-+1x:AĄ@Χ-v ̝d=/ա&OwdYY8k-ۅ=.[Q@YWtzB(mʦBHi/~N'T+/Q(PMXzA-s/%Ө}| 8uo^Վ@Q cqc/S` i1gkKyzG1].7}森%B&)C Lk[\:#\JŎݪB5V9/d֥m a0o47z)4[ٴBꠀ'!|c;U![lYV'OncNxNKD72ޜ1 SU0<?h%6!Yjߙ7\F71p Fa! C@j%?|hCG [k{FFo cŶ "\dzP1BOƀOz@pS|+.]J<Է8A*]]kunׄ$UWuMSwv*Q\Ur~t<":kLS]'YhP*^?:pzM]'h!FP-ͺ~k~ąTlHkx$ΝT=o[[ jM%+W<8F^.Ch@cþrєMq ASw'72HY6=zF!֬Zt­JB%CFplhbR{f6w3+3 [n C>SH0f{M6"5:߲5%J(QBu>,US;D&ߥ4Jkz&\L %4.!Ds/PhHr_}L6.}OAENV]^OK`U 0H\u[Q6L}76SUF5NU=n ŷ[ H8pN7] "iAE ZiSo^".BTdyv.ԫ |C |oUG.pK7jCVkM]W7r`aޮǦg,Y D@%m4o̜6cPFW/{"^{!E7TyI=P'ʊ}g4@<ثYU|WlR k2KYeRko#tkߒS`$PMA'5ZHtVέ Y *29|c9lV~7 *G'TU֐TP3+Mx؉s@5MSctFniޜ!b!nYE=~trxA7RcO<{3)*V 'n9tAaqhk6IzW'&IGW1x&Vhm̆4 ږ ,b_kZei\jR6y?j]P;hKg7U S ~?g3eRd;>7 qEBN aAF;`pBn|OrY; lQtB6*TtfZ|ͨ-|o%C@vN!^GmmB47"ac[t"d{G14-"ąatǁ<輓 OU#EM@^_vjG*4=hSnd0'5e 73L5/q)[,a45׈\u=˦}1g%P##UBjᚳ=3/-.Ә bKpa_druL峟Uߝ$}v~,*l En"Y.vuTT:CꏏymT3!w-5d|ZA6fL-t#wruGNuP _tD\L>#5QlB.ɪ1QV97v\i1dDyވ[(RI_B`RYقzwa,ϼe~]=@p?!vˑx)95@?=܁Lgޏ'+a`JU}tNxH\:)ES-=Q*K.6#q~fP2ֺ .)iB@f C,$qz ߲[8yf,ի?+̑`tJw_W YrvJcP?Wm;@l 2uZ}K ž CU:%WM Žv[ .KT:  j3hoH3e=+W%:#qɫ{ʿle.J>.6<# vJ};Vt õ׉ *xpuz4"-ݳhʷeɇ,׫iuh+&W<9t1[&*by *h)&SCQU3H _ i*a[;gRC􉊒r%489 7ծ5>@-UXRQ͐hS` ÄЀ9lHx܅=J.F}y  i9U?UJ3px^xS ϱÄKegʲ$3|,y v(gɹ`> a"+@c'Xp*e*O#+xNV[TQ='xQs_,9K9-6W<\~1lHn da0YKlݤ$b`%!1 FS^(*KjuKHh Oggjh F\F8d̋zQτ?̩uVlECo`j'xlgoȚRjmKn]rUQ|]ˆ1_R\cCtSkqp>ٌIg~5 Zƥl7Y.S:-s9혚3B3j)M7 p@ŅE$la9>}{mWtI_R<)r,y_αQSAABdIcAg0n.ޒJA_>R_Sܝj7tquTLԑ`EN5'}aPzoxճ'uM^lNFpJ<Ư DE$cc(PT8K.TTϥ|l0|̊G$b[@8O r<ܲ . 1IUkpTlWn凕+FV ĩt ́MCSm#p+t\j*mӫrI. f\ّ`/1G`Ό\?sFH]u-GI]|nI"kD@zsFjcdRF0W,[rի[P:y$b+_q4[tPf9ZGk4^P\loA,BS+I7v.JAy=V:faJa^o&URDQT3: M4c%et0-ZV~֑="J `@Yh]Uh2-|]#H'((zh؄l/|RÎӗtW=ܙDq#dkê7T PV]153yZ!\K)}FÀb2fWj wcwo> Ɇ._0{^L$ _ m"})x?hACZr:"H1)M(9BIG{,]1+ѩoڳw=jEYB %f=lHF1u82incB l)nvt2uo؉Tڊ%ҫp2r1/_52.^I q8l>̣~>obD-9=B6KQ`vpC (&?ex,8Fn;`4gfԏ ?dL'yxSˊ0NatOg1%Jb^ ?Hfm땘M"e|գD MXAd2!st,*YRT))TRB5SmԮ~|}jاk_Euf/A5$ָ,fAlWXܽz整DA,Pa31RPN{Ǹv۰<`z7|bP.hxD鈬Vu;g#)"a:oVw|YF-%;+ J `]GAAj9b9G<{v).cΙ+}. 6t.x$ȶf ߦIBYwJy(٭ ZQBOa*-DFy\|\e+3G DE& (侦ds}-q&m6"哭z*?1$8rw]-iK&2-}&Lk)]For ʮM.dfǽoDtP9=PcMo`* ”Phݟ@!"ȀPh 2VG"3K˖& QMP9h˞Rlz0I:)06 ]T+)NVO5N,D1rt."PW98(~6Hb kWEu< &MwfQ;u'd1LcZu L%|nggav- >ҡA Å Un N$0GӋŹ;c>睪1{K/6+VSԀk&si6TQ 8/ibW a>nZ"|hbBHĎ"2Ը(#"W {ym pmԆR܂Pr< j)XX].{ EoZP "W}%bx~U&W/O9$v&Q>#Sob0ueZG`"s9k[pz~>Q ʿѦ+@3' "rE ];. P@ֵs(O IkIIxo{?ꍯ0HP.KL%5PZXH[8O 6B{8±[Sg k%{gb'ʃ5ut(af~af8LR/z&c? `<(2Rb.n+ upyߖd;bZ YDC_zR'=RS1A,u7͟XV]7 2ܩ (|ƺ6G-(se7`O0.Q4u&,~kT 6o{֨R_G!\\ |DWAA/K\w љjP#r, h.tKX8|9"\д=/oxI8W!sjRvO=˒sU{4mMy!JYV$- iZj6&ȓXf|S㼷֩w-n|%J6&)BQ-մYCe$(R^4)cEy^Ջf>(І͏C_DD6X})̚R.4m[?e?~ؓBW#tb;lM0Aɞka%1ЕbE_#}( 觟Ub-iCPn]cx>$73GPBRB.mK APpT3MA LwnLXCo{ͷ)E8tGSiE}|X3I;~KY |q2ۇdwZ 'm`{g{ NF4o2N/y"'pҦ7eP\%/馈ЁYR4"oV@Xkl P;(֔xiAK`?ɨLYER^~*p )Bd1AdݽrtTne{h; ŕB,"!`%,_jIX@m=694e?BʗD_~2]v>JS)ṧ0=U^G^.S[*pzB|9F3P+q%!LDe[> `M<Ta$->`an&\+оXr4l-чSCђgog!5QVqh zsX%U5,]fy4cOF۴ ʼU^b4E$rnݾXz^?L:FF[$.O7 ^oI=kAF@RCx xh|t ^rlqzBd h1#olWqeE/o;Y|N vTHHl5Jh QDS;2En%߭4; zԉm MꋣL F Gmfd+M0Ca "n1>#^Q3P1"byp$Ȩڨ1>Eϑ+PnZmd?SYIYvץv쑲jԟwTЭ2SgbtJ۞P|Ex;rf~ И½kίeTEU|S5~Z桎Wj2 x?p.wqM(ЫH4"Sv,. m+8²@6 qւP&U=jՋ#eFMr^OƶfAƩXBz_<2׶h@™U0tn!؁/[^KR6h[-DfI8]΁8Ĕnph@'(~Qy&cG1vŇC%{;7 ƛ9잍i_eHl^|8ѭ >'PyV{ T*ܺ"_Օ؟ ![2 aC|+=']K/|IImYN ث A:ڪ+G?M n{Et:P[̍msp(.@ SoCKʢ^eq@hE~m@Y25j8~ ;} b.Pht w !rGh1iM "NSo?a N9hL%tz>U|^5Vݕ1 ZJI37uڡr"@DKLp47 u>|5T`l t"_D7;ݪ1,%%ꠧR/u!ڷA'7JHc0vEя  N,ĤS̄yaU8FD4XE+l{{qHMcEVl\]<9$۷GՑ}C̄#PA~ yQUz 9H׾iēs6Ǟo=7ܻ! 3)hPx҇-% {ַzpyh,J=WX"n_ڻV պAI:zWpNvz[n"{|!CQ#-%#5%Ph\2;jM/ K$~p0VQS81##-_ulOzﶒSCќ蠝2"1۲MxXzyȑl{d( % a@ĭ/nKB5 Fy %fEy[ 0^Vsz!<"dŽaq )~: Vs4 $ْY&4Ţ$ބq!HY1TzE{msWp\٠ږXJC\' 9Itߌ,ӝbbԒBHR9r h: 'B*ߚe9f9]tR-Ƞt@dʜg$ sHҽZXS<3\60+k `VGV8G %?B $si>&1N8 (4 WNdzewF Lc^^/ r-'>MD<_B\5܋o:!4g%,Ffe%Ux_74CkZ|KQ~Ym]\uȳs}"j:ʃDލqzBDG=\iܘ78]]Qk.! qTrD3)N]cJC2h19- ܇8_|eY !!wǗU&ü^_&0*^P:Fms2p-ė?vqn N=UہKpp> 3F 0`N yToM#( | 5s_%MW~}ݙ"K5^k`3C΀(fozl(m4c[v#}CqrU`*d@?6QH0ߤ|%v=tv"pcbJGz' xTno#jP郵mx/2ݭCeKXZ$4a8 %,茎<=!t9dsbXEfu z'ZHcwqːz̦J8 3'rP,jt6E[g>F15t_7gLV`ԗ o m$IעmS9zL= s*a"Pf VJ)r>^>)O%u젾{V)nqt䖼 A4{ޥ?R^e1 tNaN3Vi)0Վ-C}alegK"ҷF@PKD/ýjYS%oG5:J6M⬁FѪJ#z,`7 FuKw~ɤݙft\ve28*/fxie#e7 S ʟ 8K{{RUG NgBHdX S)A93Q#Gw_@MoKoKsR+|]"rX>*: 7-IlBaCrl5 Q}\2sX&V8gpѽ3oĭ酾Tģ>Y%r:5![xsmY3L#[ ۚ/Rn$2$v#R@Dn#}%0u.V9eՕ:orՒѦW?][F#$f0亽Z)+MI1!r"lѧMf/jP3]&{il}m8up(IA;WɆoѓeZ.JIHL~DZ}]";C" P{ĻّV<ݕ6НeCyDbW|D.{z/N,M)!e(s:bC]v#8a$Ed 6}X 2Jp3э,R3qP17t`C,MzF]!)Kg%?:`@T=˦Gdڔ,/Z7X^rs[0ʔ\W)aw@YR" [B* ;ONhH9`>ݕON u.qEZSˣEX,Ce._M;TWFk*x3+L&\Gw (C2Gx/"v<qc;_d;4CGg/i W {O8>%["0<Wk$(_5& vF) .O!.CXwQ_˸E^7- X&FNӏ/ŏƄ_U+cBK,ʙO2D~e9HM}AM4lM)WCδR_&8N)fvJCrѣ9 >Z iథU>N]|bj{RYN{:P 1˖=_]+=eȂI,~Y5 lF6`z _5{V5f^xxbĪU;ߎ; ~r}jʨ8+/Y"bW֝fiD:Hwd۝iG30]EQYqUfU(g5woWEk k_ۛt2wUg$53es^E%d EԳnq-#x/9:Op,8qmfV c 60PRPy5v˨: ?֋*E O_6v > wE,'` ~[wZF&{U$x{](ټKt'ytf]B>8)F ;K>Pc‰%[u?94 SDēGˋVJUT#:1gz7dMOɧϾj{\/;~'~@L6uI ~X;"m*G3̤T_`Ëk?̪8Z~hX'Zݜi5JMbSv>kh"ӽeU )ݝ,vQ$XT:}`p Wt*?-Uc.E2;I`wlDJl*hwZ8(~qK'Jgg?be8 uÔ7c'Kk k|OAe JڹsdJ'TY $ d5|Y?j{엪fH Zw]o!}Ft-HNgG)"Fm򮎺LuKI*>+fX˟Pq2*v/tqn ޓXSP>v! @ Ӝu' cC\O ]Rٳ[}r2*QnB9Xml |VtLe/͡)x\gB߰:~/vĐ' ]%R*t^Grj*-_ն\G)Mi )E".B 9Y_fqaTIXG<:L B]/o3:02IXMC:7˭⯠ڦ 4 bA!X)ƈuH(Ao\U`~Is.7|7pVv22DմuǑ:b dv\JL.dIRc3o}O ؑ"'2db*vɟ5&k?Rfg†٩3:]x-}:$+R;{m҄أ r@b{o&!V 40* ӧNF"DsVti(AZ$Z*W=pPчuTP %eQq/;Plbè% jlդmg] 4f 0_ Mp|YnKC;qL̍QH6 եzi(K[’H6$Qd[' 4OʊԶk(b|EmiWSWgGj!o_qCs/[͓2;W+{8?SWSnOry=\erT Bzi_hV{DM`Ӕ5Ygv}0,/GL)!jv-`I봦9; aʖ%5-i7+Wyݽ1o"݁qEֻxe}#Kؒ_,5}gQ7cqBvZrWT;y$MXkKJ-c؜M!^c@Jޝ{xssD\$TB@}Ѫ: "8'u7&KcJ)WlEeWd!`(OZ(t2qog9mF6!b^JC7x\޶fzӣb ^To-3 w) fmچYQPJj{FH#2eȑ?~X oj?6^q0vtRاp5$o-䇂Ӿ4vsH?X3 g 1pu g Ai_LFRCv.42OIV ?u*{9C4}xbEaO ;pF*R7;(XT;/a*zzi-yw'FORu"bκɝgS( *Ѿ(H89tهky ¥*c)JE=LKUc5i5=+ī|bA/;C!h/ĭ4*ԘUzYhuW$%IdYĝCx:JmE i%h j/wDҽ M_H48Asd5I /d:m4^!j, ӂ,JB|q Le lks3 X¶`y_>+- O>m| z5[S6I*T \wͤ1y`~k;4V !6q$gxbAJރQYIbgi*OŅ2 9fD37JO*d##h/y=_1Yq 4yy}+$ŮiE"ÓW{?ŧ(a1qpzg/@ibѴ0\#)kGE氽gN^*e#֭*匈s?J"d8h@kPiv#}+A&8vdolBF =$6ÀYOh:_( Ֆlc(SuKx(=wE^MSMSDp:( -ң>_3IUm򇳋5eٴ*Jz%2N9k <~;X*wǴ[RW$%6ta;1#8'⛖SE\/궕eY}1xzFQNrlo.Ӫ w ! OH2đ{=@#BU̲m`->G ՛"XD^896 .DH3?gtGP"}S^Ʌ*eA[ݷR34CVhB}̘A~R> yN6Z 4 FX+/fN EJ  o29# 0OJɰB|׉&C20*޳ 7wg&\dYͩr*_::x܇\92Nj^f;<4ħx53t1InU-cC'+bN#]vxl&6T~F$UY&n KA¡vyY/t 2h2/*ڣof>=ˠΞQ&K<K0{>#D\e4 XXU֩Å0ևMjJV,aQl+? (?2]xYK.c{e6:Rɛ'R0VRk9vX~6ĕq-3muWg]##W.5l/ӻbt T7:1Hv]8۠`;[h!IŲn?ݲ0D8O) ?X# M>$l֦dnF/[|^gXoc2ab=.mkܑԧ[$S(O:yАNuBuj'2,evOCq~ 3.pEԄϻE9[.Ƌ uZȘ{|x $G^LVZH%v빺G @JqG9y<.[wyiO?0T_2JnT~G sGTpx> > R͌>VdER8*<=åk$Jf>oXq86 1xt~HVan7ӯ/u{#9pڤLH9>g@x^"WXAwS$Ѯwީ)0S3Ƌy}Eh>EͭUnNh9'z==d;_iHo[ꄨU2`>V([ 0{F4_` h7R2I xXTsUT4m!Y5icWwR[ZSp}J-OlG r6!ƅg8&{xFq6cDX__xDAX*dTq>i;?4ӀV4$~D޸*k`CfW>XAd K)AZ;vFjU:-7&:r1;{ƅ` $>`BϐHԎF`I2B{??7yƱnRƏGY\$>nٙ)S5# 3Af<0e˧R֊ j"nza'wZ,TȲN JKly#L%X`z`7T/ 5 ѳ'෭IN+7BCI "$wP];srmQ+h HU8k*sme,.:ׁl6NRx]ЎNIxqO(oP~`&N ;"UvP.Ws_ᛄҗĔ qt3%ePV|G}|`Dn\[M}TD} C|Hn{LDz]W I\t;x4 l7dŪ5/1)3% ZSZ8vQIX/95먯lqiUt'1-88Fc|ի]I>/42y@n.V; x^` =+41񡍡򓯘kإ\`wcnĴT!Vtm\6ͷwC?i塾j-T,LK[*lu㏥ HQ" xoSl N\_G_1,bNbYO^cd3mp`tb/h#?̢R1ϛ0͘Ӛ^h tLwD=~1'2HY{GEg*?f >%%'Pd4FBi b'4Zg}~!5stz@&(5ɦuXXG5g,k 0ϳondr Nc3#h3{yܙ]D9.ZXzڱ]Ig6 kſ1EE7h1Rt<"IRJyZn \T}ESu6ɏ/v#ϸ9*=K܎ #fVc{;g·Bh6G/Y!iZh'"bz-Ǜ!C|hR>3F>=moUX;Łg [Dz9npUX +Q7ظz 6![Rng֙9 䗙g;GZy$"M(t}1g~2L,#wml:{)ih7A+9އ>mۑK;\JC{d{n1mIG TJ@;h%Zy$;*٣#|bIvpr..g-Vɨ=lޗd',a '|@VA:+1X+$ >#脪E8*^A~Z3PVLޥȂJ%yfss6Is> ձ!@X8RTY'׷zs.ה<{ ~ǐWV/cg,VI&'ӹTpNKz_Px_1]rr+K$ha&7l Po1R]"OD@MnFDŽM5AUG%̨i4[֤@84 ;][[D}V\i}qh.9KLFa=yԩh /%>V^o[pn˼m$8_Oot<) l+@xڤf̴ӜD:yd%@R6WXHqm$~ Ws剠lJ &ًO(fuKML,?OO/%}9J ` b 26[Н. f}G1mm=Љi?^:&}:r,E<5T͎nФ: <%0$]ݠfnKLnS @)9(#yB\lU텔WWᬦ+^XQت)iѢB1z80B6>W\TXĥzIT|nG@zN\>+HMt kڈLK=@NX%}k,~Ҽ/kxe'$V M\|\AyN))&46Qx-<1vX " 7.Iak1]#]>*`ei$;M?g̹Ht ` ~:8h}Y'l dk5<2a !F-UʣN#ɯj]fs~l:C)FG [ I#4m9;z"` -A4kҎL?s#711KZ~ޢ]yB!4 Y }g+Yw5Ҟp}Bi@7\U{]p@-$K!$YJEdnCl02R.~~~XZ ֌lCf^ޚk*7'fRZ@l_ċ"Q;GXUC*3"pt*[*ҽ@]yU0z`f7BÆ NH z 0*['T+Zv^t*5xf^-bzgz(\'4Kޮ2qˏǠBHQvW"$éozwgw t~HN0ȲAZ㇄OIpu;Hnn,nyܐݮ׫.  ujCD9KH@OH/TY4#djgyBףہEPI)g gW4v_9K"Ŏn u*]}(2 3-L|LJ"8dR뢻<HP2P ͔Ps%v1.\m67 wPBF&8c>tAxB8[>n:d7|a Ma%}UR`o-p !4&\+"zcMoUFWDH5ӺD7SQ(R'ZnFEł`8q;75eGn3R9+bѰBjv;'3kA$2"@YE^hܡPd ͇rO3l ,T܈s=e Țtj;!{oܘŒ/LO>fۯ@H'8%S/̣* ` C(7ĵHr`y3L1H[߽Ʀ[TSPBD  :cãh^Л]tRHJE -=9=.3Q$ZlvlTFAE?L+.Ln|]pn3*vsWEy妤bYn z Oqw/Oݴi \Fz]VZ@O,EbHo ҽg'+d|ƏDѳ&I=֜:F!\ӂndbiW*h(Wo(\ OƴԔo^7;3lbee@6uB Mѕl]LwϚ|" j+{lV|x&S;_|#_.k›<<#;L mYm>"wJa9dgONPut$CArS \# ح]ab!3Uػ0nH/ߜZ{`ů~|߻`sU:B.g+϶K%op0;PT %T#:2/eo ԟ ,rgw/ˮq4YEh ##c aSǏtЏtƝ-mjmkB<޺!-l(-IZzЖjT~ҧb]K{2BWhUPZqAo'W@"{VmbAmKX]}"QF8ꍩ%Φs&}N<Ə0LF4H03 7t}!w܎g bQL[I~C586T{lNSa3y+Z# {w }z=dX8ڣHЌ_>53)03m3ɛ7NH᪯NPTE X*c}Ƥ 7Tb{-rRLw 2Z=Ej7-LzzNݹXaE'TRgͻRkpGv]]ؐ|o@ajcMEߵH(~EhT4U$CqOɫW=҇%cV9><1]z{Dp $#&h3%=cΪ: *|sdV"$ 6n GC 0;m\uJ~8?^f!V.E f$ 0Sح{'`XW[1Y~68f=B  ,ݛhg΂V6>BESW~uH3RTB'{FaSiCNR}~yƗ؝u-_YXhSGx.'IUY*,^Ś~A|hLj\k"֤y;=Jڸ!5PKrm ßsٸ 3rivBW.Ap=^Nn,c3xFePz]v܌"I_:_WţTM2h"\⓮BH]>rIqYŻކ&X ,X5w(_Ywޮi^|#z”v]R䧚xۉ%3`Tw+F}|ˑ$ pg$OQCϓ7ں, 'hC"Xdj =Gd"_,b\l:Y xr[iFHTζnOj[Я,V^kQȋ~Ûs{&ޓʪ#LXLЛJHMoRh)3^ݢN!G~u $6?{ީ$8HSUx0gaϭ׬4I,**'}cp yd,g -G#S5+5Ǣ=`+RRȎ湞'\,X[d@.+JJ3 $\4}uϚ'Q<|+?3-5I?,-'Ll6Ȣ-/d+ 25Z#Tx߭Fqji]d%Y_~`PI0 )H}DO#X!7φcXOŷ$;C{l@a{FaJ¦۬;}[kv+暔]LP|כ Mpt`zΩýNar>Fэycɛby|T!T*T*7:ǯ4Ӌפ77R@ !~N1gX~.[%1 +.R q U~o8iuhŒ,Ey NиbHQrC)eKǗA?uS~&`|Nv7G$JCb$G^[CԯX03{KY.1OAb-St/cU5Mr8KdL0xGy(㭢 CMM$6b^"5S(o0#! ]^EnSѥA\:#Vv+["@T%Խd O.HcD?l ~<2p1}A9vfuZ2{E#[R""#SzupLZ7 Ԁ^)X'"\l2fP Һɍ 3+f!FXǹDO2J: 3 `sIu313ݝx;7*-Voa|A5yR<ľFeIF ,etoT#s E*<=3Os2N$aˆr}b,)FNq*:t@ @L#EEEX9Q|PAi/ v#{|1P(F_?ăH0rް6Z"s? T"Eyb3f&mjŒ0\Fځ]/DubrG%z-m]R{U9żF:L*rZNXCKb7?;@(a߶ 1*):`ETefk(q.o)={ >WXj#6 n@܊L uV>Ьfx?/&QbW{OjU`4ynt|bRCA7$&IL#\mYq^#oL Z-7-U|c&4w>Mi_7%$WQ"sEcT#Mr27N,NT2Qչ+Sӕrfd$g7p>9~f~/Z]Ź-׌Yw@uygϦӝ w##crqgyJMFFįF犇n?p4-]K( ^c aK,ÜXT}ٛU2DS`c749w:7,5[ί*1[ȿVĚ ϗ-uuaA*o1pR{Caۘ]A[ 9J>i ThhjHd07}ˍw)엥F\?J_Y Tb02ٗČT.-q/a6&i)*J.S! ̇OT3Ⴛmmӷ/CHޚ9apz=ntv  De=ucgP$!F>@KmN ~ (=] V&`zDp1, }8?3omt^0qMsH&ol#IԧjW"Q!ݕ:RP-b<yX)C8t4>ߐ[]Jd"62g.c'`E^}*. stə&n}!Q<߮UE$r]G?j.Ԟ??V1QmIK!̢( 0coِ@wNA̲8r݌4U mo:](a f2U̅gK)ߺpR^ ͷɃ5ED_HD/2V|N68i]EIDDȆ7p{= 7;ۉi@?0XauD!ˁ ޒJ2%eu} :4|Ptg17"b IUpt"!˗\veӜJHWP/ց_NYJڙ\ff:{rG'Dsy(_J~~9OhE?]mM?ʪdH~2D$^9ĥ91Y`A:GqA9z5 \-8QLV9 mЋ,ۅ/Oyۿ;|\"5Ryif<e@t| Ce pRsPQ8w \b/<} ȥ^+<0~/7;nrGCk 6|^;9{φ)) yNnMkaO{e 3#>KX^#PCm#!LڲW M_lf] d9 }=+Oy=a%?2\TGAr?ˈ-=:+2-$S+/J9+^.,?u+GR}|s'\zt}rxR˖p(ǚ}΢l&vNn+îO 2 őbY0k-ʃ\m>m@@)gdv}(gy8XqA|.vbFL3dx*"V$0`e_Mpܭ͚(,ʑl0Vr l﮾l10meDל:⮅+X':a/l:(KH2`^'q+G޿`D2[1ckş#ޢ g pDipK /b9T*rƙkN.ᚔ X #U 9UM14(bM>P bkj`YMEkv؉̂>~zKf{lLZЇ&봮^ZXS(3PTh{*y)#'al˼_SH#Sj0da*xOq~Fz҉Т8ݖ5hgȪ*r]o+!Wie_v~ &{fZi\=B_򶯌j mJbOFE#a-@ ҢU |)!GEMM§Jƒ%IUTvgL~$y( 9>]=ֿyW"FxeLat5%&>XA@Tw/3B 4'jw"VX1vtwyҤ 4۠ų M'N1 ǹ _?}EDFx؄ΧFX5|N]mLUc dN3gQFPAU~GUpDr VT%D@LyVN=?1"n)-nGWlW$oaΣ/Y u*Hꮷ/+xls݀|B5w\6ry6@`] '<6Gfj} 8JDP˽kw--?݌9x& /8S\ȻN.89~vÌ{zQ\?=" 7DG(W?>*x cW c \"YB\k`n-1ۿ_y0R˰ d,8dgj ݸb$N7KzԻC[+uuJG9Of9-ĠC#[MQp1eX7 v(F-rl ᾝw1In*&#J O4WymU~|"FˤnB ~42I?Zur MKT_٦f,upOҢ>z&UY$sfcx> vh҇F$B#H5.4:kjdۏy ΦPsyӃhm N~p Lt\q#nvv3 tH-nZۺma^o JHj"޽w.OyD&l V]Km -]00B+END+k;R!$䷕Xy;M.r/Rfp*Lfu\=:,+i ~&<:D;17 kX]BW~)μ tjH[Mֻw5Wv(gKf < $*Qqp#% ) ޱ䟆}xӷ !/'Wa։]Mn$O7[oF^kFVJAUKD$wh^Yژ!M{R&I=S9f6Ng[('}6bp/ÔlE[h$);r!PqЋ%3@f_wwW5ܣy20 E Xd;b[-ŧ%f+:,2hs-Xb/MU- ,ǞҘKlgy)XXQg(KvoS9^qR.⒦>ڂM(BrZ*Ŀɔ`ۑhԯw`|"n!arY ~9/הh,,SB_SOqƳ¯ٓZv`|wG2ꮴsyvksLn{ѩ ibS/UkgWR..:ũ9X֊ﻊڹlqY(ZixK)SؚG]3MLz<:-] ǡ`R+}ƸO] 1u0hkfÿh.gm?%ӋKĒ  arTɬ6`}ߨ @2%# i˜$` ;M|_qq R+ꈁA'WJf&?ʡVؖYʠ=k_-,sY0&RsU!e rJ9!?{閼u`hbnݜ}QF].=L&T@Q89^ [L@ʷz# pT]"MgqTtŽ,k#Y'h~KajanL[͍y{)휵Цr @y뱭B]55j/ _BP/^߲-hH%\a곅j,35 `d1[ C6S-RhW (koQ=6(]6 *\_ E{Fjyt済x{C:GbzbD@Z$R7~|9Y.\t}l|} HHHA͝{-xVUN 5F rI =MNH] ,h.aĽMrO. I4?ӸG{udq " ^ /KQ6A&] ݕ4ŭ;R} S=Gq0OT7@6窒 6m!0)>Vb&˧][~Ur5:𬩆+L.ܓQ(T ~G6}\)ELL떟G7oKy}55PaB<;V"~h26f<`5Pxk/axYqRsKF1\ewP8(!r5 pQEacSO9fƼjg=o,EX2(wg${GZrh!7o-N1vߔ3cOB1dUڴ^R2`EY)1pU(V@-5U ,8[ȧLT|SZ80`.Hi|6;bẜlӛE@Qb1δ%+p-Fێmm F][j7j1Q_CE ]_QV]) Fˇ' h v~8"%v ]p{# fZt iwms%%[ԇjfO"vaAon?p3Q I[9uK/cv%zUe| - ِ)ʳuafWb5.wU}TxU4;C+  8+l^Ke5a0³GJGMGv $-\-H _|E02 (XT4(3Ap\Xz!+p>Ze$m ӵeInU*7rA\* .KKApmW(KFئ!op%G yS &/p""w)aA  a/`ONMzKĿȤ}B/izT402ό4D3.M!s&7]R߉ё` 6V+opOɹ,,+S9pvB '`6G}*bԉ P[ B pqX*-Q$Gal*63e'Ch_zGvɱYŻKċ1i*-O]7GOYADeXKc Ӵ`eGf6,r ?^M'95wXEB큪Տ`i5ץ$Elqck~d5V)$bR054hL4'Nc:-jh15/-E-p9ճ/0k`Λ0NX#$:%Ѩ SDUjQԝ'rG.'ض{˧aocO؞5'p*Y}[n( Ȣn rOfݐ$XVw d (kIۄj6 O(wR_.eqNS=O=-Ok8[~-; K逸PJgm_z,>nW+ޣUPy=86PNVSh OU"֓"սogorR,d]i J J; ~5g nwݍbmnݼqE4t8*} ܬs $!5\ /lq ki0p(Vfpmf R|Kg˗vCve;Qr:cAGB7틢 N7|-v^KTBq*#bUz4r'o_\+O'YڬH&ؒC?uJSgH:%pktɔw]x`6XLynU&ʰ824*+@J tDQ:02[prҞ~+|V?!n4EjT i{_5(t*7ȩ$>)8ރ>Rt+/U^B*_9{Xܒ@3$n9)hz5Я9(8\>fb \:kav`?*rmo,K w;QЦy- ْ r$q`IT, ?8EڧG{ƒa>Dc29&uT%9QtKg7ÒaﷲY0>)75$B8lzDrbB3%<*Vol"4$ K4Ӓ0묋Co=YW'5"!o Rˠ|==spCXT$6I.X@%*(6HÌBU b汝0:Y2;yrhE@6%3!B0bvB/L"S ˇcPM\5%62`үqԧ.Rc*v>Q^&' WwuE~[}-OV9~RSWuǜ: 5NL޿|w)G0Pwd#w.P)/9!;etae›΃x6+" qCǜgk`>FWM -P̰jgr41uh#BG 5}=70"'aR7b[-?ي]R֌Z&'!*H l!W!$ÁA"Yf5ST liv˥/Wn~00|8/%YjO|but~RUvL@ɏnY#b]FjP |DЙ]ѣu*P1"S<"3&\]ZRbx[瀸=rv['Zu 3t5/Cvv5Z_OYݧ8 |daB2~S 5+29{cњKTh;#p'KDy\(3QDk~I.wqVRē{CQTu6[FϮP6:#ӕwgU20*YoQŔz`󊞌 npAa~g2k#03qhs0JKΌ+NBnV*3h#yޏ'nފ`8פiǡčٙ*SD)|#: HBhi߰Ӧ u:zgrI4Kt70@[_θP!F_17tA3xShk C1H7( ´&MIS*LxbZ5|tkؓ%[̀ķ AOL]yE`QOsZ:MTJ~45!La+[R?8EgKU< >߰<aQf=kxI_$u=eDY2B,`Oj-.:e RNvn`nN rGQM!p@3BЁ˰c7.efW" GjgD.QlŅ<_Kw̲IY};bSh3aC+bz0-MĿyXW9uHbxH.v#-G%nN %ȷRUhR\k6]kcYLvDHK)^:J~_WSԊ~z͚zl _f="錠ޙDtm *C,3]*7\%Ab8xCӕ##7EuG9Ï%x>j\S70iܡL$]uc4q%xywX "#]^8^y"dkU:5U=5JQh7:7 !:ue?I)R6$0Ĝ гyT}##mfD9<Ř= E jTӽ&:.`>Pl AF԰a+Ҡ6;iN)d7껱6:}x볂$Ii 04C .By߳?e!!L鴵}Dt˖v8hEGa9Nkf5Ei\0vXMW>#}C;a< pt陴6:ke3@+>,ˮ&LE %ܚ=ekFWZCڔpќoFJlCGO7իi85z*l_ -{'=jwLe00)H /d}Z8:n| \HO<3Uyf1 b]g@ odRaDÉ Hb8Gd aOWULI[Wra}%|@SkL"Xi@qB҃_ ΐgj4P-ql-g|j|y{dޞ)yWbCcb|IipF$oE,$^ R%i&Yx19q^LN,?@-}ƚMF'QNO3ҙD\JmDcs#:~䨧H]F89uIVSG.)~nJJ_t.I%R`B9WIq8spMy}e0Z *piÁ`\S=E(Z~U*FD=Hӹ-;^͸$+.fyiG)c`KIXJPky}Te+ S{f3J($srL`@! % i&@ 'e N H#^H łWơ}%TMcd|Giwhup4N(PVed CF!׈ \&np2&Hz^Q$1~ +)]?!⊏e9 A_gn% Ž9d59H宂"EQdDpN*?jʪ[lP I]z,MXY-\ b'cy ,]_Wn<݃U8>t%F)5)$2 Dȅ}'Q.寭x.& 4@RLxDw'@Yy"DDiT?jƸU_\>r\y0HP~f\ۚgrJ QyV;Yyx&UKỽ[;'u;Ѓ!͞#"Lϴ .v a׺E&V\ xz˔.ДqèR@HXxf%=W,'_e|'p!IF*(͸BE Il{MW2O9FWфyɸh$uDʋ&WvOy;k;OD9$WZKu1ug;).Uh2u_g&&*@͂ab (I? K@ޒ:l;Yl^' =;%ih *i׋r~c܌9k'&%>iAc$Âf6 WiB%rdcPg%lrf"O?u{gR Cl%ݦlP1YET`kmEX?KO AZ“|U3{OP / BxQ !Z:0&I^{ 733&!1G by4NR(w5qVis K*XEycO1|3s+Iޚg}ڵsF@VwQeY^ٌM ;\;[FGmB,/xR WFAdy{`JYȊVzjnJ\A@)*U 5RpS˜yھH3v,c}6a] |}i:z,|m FvkT|A] ˸ Yl-yU.a+ ‘+ƙ־ 0[+\w6J'ieybk[=.~]i1+A#zRXqPץ.W=&Xߥ66d=/\jFY+a~<7k˄0bpx^L6戝al#B C^Y 8Yq*{lPmHoF+ ;-)9&~4qQNvxww?wH'a"9;'=[[4ݭF M}LdkLg$;ʜVH)C%%P,W:EVjF_T¯(?^(zGZt1>5T̏ αmحiF8̓xh$RcDwgJD- +:',KO(O79 uЛj3aF.NI};x\ރCLZo>Op˪FKx.. aTXv24 U{l93' q ގWxhbŜcO7{8xA muf~z6`S#^2/&6COpէvqGd~%)0]CUS6Aqw{6K=NzU.-f{tJGU LXWe] )WO\eW7iASI8IcIAEn_ڠeg oK,⮍W'JZP1KLØ$Y7(#|Jy%tS+q|P7m/< g!^ m?CS#`#w5;DYV5BۦsR^10hܦ1- )2v l,\]\]!{rŹ`RZ,-_Ť2, {,\RHA%. qzyqS:5tq:G{ڣQ2qJ0%}PIt(|$<Ǫ> [״D5O+0N)2*q<hP`'HţL%yWY]UDi;Oz+|rɩckP,dǢQH@=Zo֓#.͡)Y45sYWdN]Ĉ'_) {CSZ׵{n jaC$UeL!vڡ8V@l߲(|WKw##o?Ŝ#y[\IΈw*RDG5 ۉ`ڼvO~X,U}p>$݌O@'=1]Z7GBB&:C9$^s X.wjS{9yicNMa$VQ)!22G0\O;,J%+۶KIDmv%ߧz:jRH ubMi2]v@AT:;ēBq}mQ@A\xفL?DŽλwqByQE.^qʣ~7l^D!ϊ]rH eK*X75M\cnQ;zz6VGjv~"=,/~ F TRR(;@}KA[[*yH%BoN]dJ.cx  _R\ v6 /y5YJ$";]J`Q?o'aZ/,\DZOuՋ~[Xۜ!imT)z^6KaPpHTHf.k݌M w7~4.Yma^xH]' ƞk%Ђ 'L vCr_>"0݇HA@oM]׊Kk5hk? h-혯KΌ/S|3xL}Cha,(2|DJȬV%!ɬ67HM@! 'zee9;s?fGe,+X0㳨C݆nw;-]Gr6/ez6N](m=oa)g&@KsJ;AFEɱo V n}VYGE*C\KaT#GܻEL>alu+_BYCł{^뻈 Gd  @R;x! >_XSp\չ}<I9J!_ 9}/ۙnZ}3x%['z 3^әz~~Om7յh')kLrzu̡8O,p'I7r n=U6{p>`;2';q69_RؿGۖwG A \p`繷s \GlT]2Ȣŧ$Gxళ>byJVL`mVTŽ;4(:2B8f6q1w>'5ދR6$y@944l5;C|ɔ歲9ghy m(JCvvCuA}ާT7LÂyӢT8 :L1ep5FY7D%Tbc8jH7wOgk)rgƅϩמz+Ly ث˲콵Ѥ*5{y*o4Y\x`ySOCXKI羍|.dZY[bB`>'nڶ\ЮyB t >FɥE+V\]~N?"i aĮkڰ;,MnDďf):[ BU.,IVrvsv xi'{ 7\ȉ?Z>S9dc5>GBf ~!h|tb?.a $^"#WA7M8-m0:oy~:X@yf7\H-~䄿Y3_2>VkVSRF<K!iWize;3fŋiC6DS4 DHn#lH"M#C:6ƆeM c>0޺UAĊwx&%gQ",4-I0G8^mZV}.\c:"_u3BKyyy`i (+j3VLt-O ck؈`͉ܐY&^gy㥛"( l|f;kF%C|̲z5.m[D,Gg򠼭X'$Xn }O TKX${*O#PFB5_uES1k6#I՗!_Q+VY= JFsMHӛLƛi h2k0D:v+6X"%lL9xn:{Y^l&3vSM؂ Uʠ˝溮V_MіIE vW rX( blѲ8nBT-ZZ8tdfi DNw/*2_~}b?8; (*7 Y /lZ9 I5hE`(]g UY6IEZc? -VoWB V2x-]:(xn >lJ_Q._ νwm ^8xH$I`@cRu#'H֭xf,Ƹ7//lKMw$ׁ??=xx*UF!Ԓh*eucF߿[ AOQ,DpN=7mf(OZ^8>fH&ۙ尬-sΣ%OWՍ^7U}( Ј>>ŬYMaj/'>Ansg]cTPTt#R{oiɘ!sBWZ!4z|Gng^mtY>fיR 1%Q9A9Ie) ZU ,\sVR7Ș@%ykJO,^-0oa޴\rۭWfUt s0Eq.h!,lfa P(Ÿ2B-oF2}R5Π̮Juk~'BGnZ'Ou+Ӕ xOtJ6g)4}uh 6D&2WG#;lhkķw. FKRv't5nj"#ӓ4~\}t-R/-qINamx.).[^] ]"yIGhyD"mk%D|7~HoJ.A=҅+yʿͶW?u#ppg. QAͣc۵2c: g~<&N֊ Fz7;ES7}Wkf%u~RHe{"9 GiYZ܄hlfWo{͗p`8{ZԮwsd5ӴW)XaCG#$j悦z[Oda$f4TbߟdGœb$YSa(pIap/au\L;J%|Ը90`Dɾ9QGXXS{k锪UUQ\gXU!Z&1Щrn1B;"6* rÅmb }sJ+mlV7_GZ'#SDlzJR|5RJ/t+JLqQ9 ݸd$fotM?o:\|^cT9F^-0:G}h1#mӝD[&d]L;SɓDjLtǍ'利*s]-͵[̳1jP-Wi_K*߭ƾC9ŭN *ֹ0 mki=@q\~fn!v9mh9CSHo1sz iyS z^MFcu9]6ા0Dk 봌gr,#+n͌NU !1Fn !OI;HiUٴ}u~(AXwT]Ave|[ӊZZ_[/2I1zؚ[)Ijμ˴):Sd76ss0~kX⻆X ǹK׏|0B9K%03gg5\o̶+7/0!@H `f}z nll*߃+0Pa9>޼xE, (و(W&qU.>@/A`lQ@ZN'B_1!aڹ͉\2 4VHDed|alw׫M,ͧLj4˨bC~LI OOC؇Ru\FMOսB=΄$Nk/<{O/ީj PHـGp3`-j]SuW/3g'1u%4p!;|k@(t\.˟6BeiHQZyQ%@Qdk:xpsGpy YX?HٹִM4w(h)b/sx/bYh|s;/c P§vԁ־odB5|vrՎ _ҡ-jq V¥ڤ nF:\Ip% NןHV0ym?E^JF^bHN>1UW4#=O7EU] i@b.ԼVfK=+bX5&o a߸r:κ{n]ĵ#lW7Aw4|Z" lCE\~? f-(`e*oqv 6 Jyihl[T*Ѩ(T{$xCphO(_q&y0^3sk^$PO}4S)MG^" uĺ&k Abcnl<.`' !2]`Ln~,0_f`OFPCw@+V6Ɠ16T("y1HLzK4d|{E92L=: .gWvԷ)'ǟQ|wRd-B_,8%PWt8D#ACg `JE#vAⱣհMc۾#¸~ kKb~=h:HB#Ԙ&Vuq &YS_(TI1FbQLDlwrʪ54΁[ut~_H ȏ4g;e` xUx7ĵ (3s\\}4.Sʤh˖1TEω XӘ* 8 %)_nTR'u+_Qi@7?Urٟ~V&nUψ>w @tD+A ; > p fw䴒+)  H^,t<2Woܼgm,e%t3}]W ֽܷW,1A%t^I,J2C@ҽ;j3(J1sHNʊ;-54ޢ>]%kYh^+Aiqa|m-|$i1"@Ijϫ}+H,M~^yA5'g8oؘĦ4t/lN`tޓTF# s4uE? GS;n8iZĚ xu+݀2>+O, `kf| Z Ɯ*ŋz%w!<Ƨ B 6Sj'n1t0D1{e)JDm'>"dZ:L? |Zuc xiwI8ɿm;ay&B'C/g6<<qq Zzs>)ߤ`ǎSwS 2Ѱ8e2XmO5Cdk;y\! 튁,ߣMeS-@7M)}՞\&ߩm]8o$pWUlu.>tjπV˳KRtըaƣaQĂyW"M="j^RiȘ&78NvmC^r(en^m5mAQY#O 6>9R'Žh4V"n+7s]gR  cAفK]mO^JD/J/g3ore"w45zօlɣi&;]F(B?Ubs{X0C<5&m*A\՞I]sJ;;dw<[ ͇?Šst%D*,񔠍'Mvgv _ g(l\1 *c̗زJ\hG^FQcn CM%G|_DxZ ee` 2ȫ š@6q6{|f²k۔|L+nQ.?K'.zTep*gmm~%D̛PGe'.) QJu?PcY+Jh~&(ȕCczbTN]5>@a( Wт '/D}86oJ-=# L.7Y#h[s nd5]Xo!n/>@tD߫$DS,&* \.u76vʛ]vt6%"cx5S]5rN\EA97ʴy KhOǞ"z>qQ ٮ^No._e6J#=11pDiQtS4+A6;_[mwK[sXdvuRM gFׇ$n~.B8ذ`y aXaHyD->qg,jlia-mb^iԻ6Lb逧HLvOV2說^K_Uh+8/%˛ A8s"Lo!AɧFI|{dvmw0z道%(h^ZX=wbjRq&`/~ aG%DŽ/jʡiyf6gobAP킒Jz>w}fTp/#1wreG=qݙaCaMac˟FMx+0v+S\2>?=9a k =710Fa .BrvbX1hqMø|>~ //y}vܟCwGNщUIa]50nip}W,Co8Tj m諘KC^lo1l7PdJ)3> b{9_m]|{{4d ^EC=u%e#{c[:XNbnqtssm>\Ŀ)A}RF}zɳ}Fv~g[o}$ss,;* 6>$7nYw0{ Z'/AWj?έAyMHOJ$J@h24ˮ=m$|g])7;dH(rIr2@&oHT<*S_aU!dcaGRr'2;gQP\.y[%)+(drʫ2?$姆,,[+5(PJnбZ*Q!(HZ=\]('F=ttiTqDG!YlȰ|M#%w*m$$v8SSv;7fƅkQI.ݩ#zo'G5L=pVSROTC=m E6a_ [@G/Ta{rwW ֱMA:ZB~g j ,7 PP"srw`=K?\ӏpj2Dϡakh#Mriό[':Nޛn-sp :DjuE(:3~.MC LD$ThŠgwceƒJ QIzFb SʛlPǓ禭n;ڃ!YOA]<V K`nP #6(s&i^Cm h)vuc_[G5Xj&=G U5ɔQ28N:^^-šm;7UTeGS6~;1O+IPD6]PQʛź8vRƅpd%^=jfU&.l~X蹊U+}sUӈ')* !.{ҽlLeFd^1Νh9~wgz#X'6GS΁Z uvjNrd/wN 9)`1VP&tyn;r'GnՅz'УزF-g|@rƍ <9OSgh.yDB.R/y'>XM?8@p-?SUc夛,-,hC"s" U}uS}Pw)w) cPodm0~z I-holw53*ְ1`|j Tz~Jo@. !2M=P.\{A(G`:"Mq͘|$%?J#@"i2/wQ9`lRk7Fjn#tpljqȇIv&{}6^*},L K握&HnfH(i92 |u ycm61 6*8<Ո]RN;M_6Z ̊ 3\m8߃^G ćNAzZ~?iq{C!pr3!+9i߀sd}8qwkXV4+[mnyF$Ģdw6Rg,3$,u~'4Օ]&:UշrQCPwyǯ^0[ rM" md9A/&너Xz\1}K({w\cB6X \~Os:ŖIlÀ u/5γ^>ѝCx/\I3“ y^nwh&v0f. B~M~c7p2ek͊̈ZTt7pRb7}+ H?2"B駻^J?Yz`خ!Z~R$@/OZav2\*"+JOWdW$I)LXEs"`'`OT=nܔԯ WSY8&K~ u랁%82~36IijZ1E7= z :Ԫm>OĬ<4K}_[S͝L %lj~Ck"a_K( i!x0[&@98/D=C. 4ߺ !|Z6gnts-{W쩱?f Sl\ufH1+%cbzkcϕSfKp,/5fGOljE!JJFԶ&_ĭ-ʑ6Ρ'wDӌ{XJ {uJgׄw7 2lej#.O8̴T"eI=\@T鬖[FLl(A ]@M5[2CI4#e Y,Uer"ܧz4q|9t>m[Ʉ@MOwX-(-#һTiU~ l6;'W3Q~|.V PhKݲhm8mA |r:ᒼ?Jg[tnܫãOyy':um6l\ٵ:B\6~o uS,wV:=OkIL1VI~m٧t:iuw,+Q(-oiŅO]"^Ν$<aOLψϱ;@;Ycvo%,=#Wz 1앵"TQ;dvM(}S. IkF 1_D~哔UpABW%W'Hi`YN`\bhhjz _pĆ^D`ytwT%_~1<`aU:<ƛ1D+U1kZ@P*B w(^k<`W L'K3T>q T_e#`=J(:⅍[BAq5Q˃8[zeuoKfǀfUl]xd3jeAaAU*^>֔gt(p-SO5_7B)cȚlz?#]FVe0 z~TZ1h ~xdzŪ g>ʈXo" \#J|-57хF1d͊U6lj"PK\w5ݩٽyF/7?DGRu 34 yc c7zIkGx$Uڽ"VuRoRy<deɑXFu^ J[zsͣߡ_aK8w>NiLRΖ0R*b~bBnDKzPajiA:!=r4V{j`6qQfU!*Au@8l4qǽ. '$ր!K8<:! M@Bịp3Da@5vtgȟU2t-R8N_ Uo5-TEq"427* 㱁Thn?F3WI9팥Sp8 f ?|ޠ/wʹ3\]iǸy6pX0et l?sHIQ(̣|dY#*p5<Y򾉖Ͼr#yaeWOQJ> R>>{ TbINH+y,G/n?Yk=B\4pS}me;e ]-Û"|zKbjLlٚ'{zlNi=Vkj(Q` @ ܷUa (`f.m<>Jԧ-d$c9|8b>Oଏɧ?q/8\ȇڔ o1"Bamu|X[O#uFYf`/-8L0[? g瑞.ad=y1eCn+^ Fԃ?M퇹Eyn-EAϤ WK9!h 8=M~G["*~H(řzZ xAbhD.I b c1rtx&+U~_8 w^װ!2؝lA]}l u ClS^aEq`H$aũ2(UlVbO! kL Uh00Bpg[Au,ht5Ŗ"rrk_cCYqY#3_G:386o54-9)5~i+Gwy.`㵳M F_qj+}dts8ѯ- |hEk!aL`M~0-ihq1+*;J0SJTԿ|GC;Sݱ"q T ϗd§'I8føNt_ެT|T-}q.\!~Vp$qnrd9(tjD3K&dΞde;5%TXe`2)4qOH{]o>wcjڹ3 V[+zrR@!$/v("ةckm?/Ľ1:n9q^DsC^ ѣ¾h#+࠹b J)_ܑܴxkoQGx۩Vz/ '6zCf=U,P=}uo{I Nl{0XOT-ѩkQAxNd{IEڶI!E<#o7I?$u-o QK'i"FoaARnrWטB(hp/ѫRك'ue.dA"%btY(̌Q'PMeT)VQ鑍^]/+M r8WCBH~=Qn@߰u㯓pݯ ҧ`?LHTo)wh12O rh-/2 iTĶC;_pfBd,in-IO{Z5~jE(M޶E ͻPKa0h~m̻[O 1jz*6fHZ]B=9ckkX9M§v"VyL0tRA1qb*xcX;Yg.@KRnN sά3 >2/;l2Е,^6؄vNJ8LOʿZ[NG/S6dlawh;Db~_,Q6)Yb/{E|}[4_VS2I 2`{VJ!`ܷ[sv?,Wש.Ud"fЀJjUvK8n'4qW^ +]EM}a{b:OW{ ! "Ƌ*J 2si/h@鐒O2z7k)r0ileo$M`tAN9tx!Lj %k2,;Ā'{˽Egp-q$z!sTAxY+u'5IC(.-żlf:aO՞;hXEF/@~RMx.Z0!f:'L垙(1҂mE*?]&U|0TiJ Pz$O'lr 7&K aqX0{gK]ヸm5f?9`"I C rJTXSQ{؈mG%6̮d%Y *=32HvG0ƽR$pZ%bqI}-O㏊p+axTd\oLG8E $tBs -^)EdY/&̈~@ 줋{&LBO2E/@Z[} M1v=i//n<ϫZyAaf͓2$QVkC׀]-?a*_J|1@l[dhfak/PZqO&C^mxoEw H4¨ MkqS2&ɊʱTɠeͦ!K\ ҨvSʪ~rR>I1nM*GG-I hF_ѼetnnJzQ^|vgm⑉Bˬg|g3WPmEeAʀwOGN4A )+b]E8ri՚ a68e23T fa؄2la5a x|}Fnm ln o)5?s7&(Fn|>i^G/HktgAw$߳c^/ZЄPPbǸۻ+؋#FrEVwDQѹ>y1Q_Dj~`|^ⲊpڥNw6 K\N(nz3PxQc?=MUbhE"yƛ4u/vR>'|3A w V|0zЏ1M]rb9=0|A\ JV Q6.'>CO*f}虲@-`ܧ2zG.o+ݥS(VCjȷ{$ 4G@z109o`xw^$n0ST5 - Y2ٵvh0S,fg"ռ},#J]*x~jQ 5{ b6vlxBun%u[t(M0wR߻fbcM@Ocbws6Z ?YT!H잸HH}uNlUB=Ocv-QS@x?,3i鲍/Qmf"ʸ3 ,{26yasL[JV)Zn݈Hȸ>5T\CG sj PfabM(aPF2e9IVDI.ATL9WY_m|#<-.jxH%iq{:1uOU؈zzcs;1{ȼ/z`8JWb Re9͐.GS-fΧ`3j@ҹ5dcv]k,9{xgPf!ͽ݆T Gwmg~o((۲(.΀F22  rVBe9FdVK?㎨/6y"nΔzu!Ccܔw]9c':4_Ov22밗jy Zf'o^OnD~%Mo69S~B.v9˂.״ W^qt;DOZ?roМjZ·{%e=+P<#_ Sb;;<xd,O U )3_ ðx54P54&&U ktMQDM͕cٳ74|=PQ [q佔Ciș f-|R TJ+UgU[E!5d4Iq2TT7j|zJCkǂwp`n]^r@B+@g9r5 a'Qt3ruo1K0_7gk8ső`D. 1(Ʈ׬gY_9cJ\!E#uSִXKuFJl58UڻD.p_:a bq_p`|m;IGލߔ=T\~٬7갌yDt<'m\z$2K&5`Vy7<̫qM+,{6$-ޞמ˸AqHS*N2Th %m3,pʧi*Z%6nMC |Ot5(+yI$hos55|@Ln&- *㳩sVjxõ1H} yBƶ%DG PoE8/7s?h<:b\ap 'MIE΅Uyqq,H"1rCKEϤXդଽS)e8XxU`i4#KW JAbr|cȅvEfB>D4 ƀ$t)w"L|n{j0<Ҥخ-ـE4(;(x9_DdwY({yaQCޘ_R5W4.# /)4ӏn҆q]2t\ZE^Y}7z-.55yX(u4M+aMUHcXhqޯڊ끢e]2&SJG<;Ե s3YLn/bX ^T8S+O2ߚ|d кT"1w[0)wn>Qi8< ią{+kuJd$:jp^vEIfJ#ߥi]Br(vMU>]u "0Ҹ4BcSt ؃diZNHWf4kKݦd9ҹo*:be<ῚX+Dp|X-HڧCY]֙Hv=I(yWn&<"WDԯ隡>rp~ +OF8I!\?JgѤaN?5zE\ щ9%N*Q{_TL4#BDᶺ>RD|VQt[v\[4Bo%G:EZ Z0^uDjLo Òau?SdBKZĂDrË)X3rf1OJvpm -C &SgRWND ش+z4#2O ۔YsE9T\]͓rz \DsaHŘeV7^d-ϓẏ ZHF}f,-OH "|`]>.t3c䷿?isCКt\{l^ c H/b`PBFit9H]m(``Kx~b t3D3W/N;N#.}(W{ѣF#P54D (YK͎$ג&6sۈ)z2'caDӧ ^cJ`"=Vap7=>K>ΝKh,hp3vT*uG9 "0i#W=u$gy?!S-=o:b$qv`)THAzd9O }Lh6~<1F X~pyO?o̕])t:Fo66Tk]%aRÒb7Sz:>9,hr,؅Ջ1tpY^ѫnNž RGY69Px pMA޸uϷ56Y.}gP <(CT`wA]yGk_i');!yFz n2).y}p q{J&σ(zeeϧ' Kw+;2m"P:^ ?hhKwQ7W @3鲷<]aFbIoCȅ=hYZ?y*x}ecS _1#%4(qo*voNX+M"f'gLJ%o͝<[(B-{ywͿ+?ٕ{K<xz%3* W003j:u~mUl*kn=w; _bɟcbݯD64arU%|Ve8h8{Jnn=(@B0P#O&#^9axb# f>M|EC*0[VEi =@_U6wS-g._9#: x-r $y:\' licS?;6QQ]+IX(糬eNuv=uZ$&} SAg\L Jyg$%)Ȱ!d<,8 +\\adG4\L2}flȹ.'‡pbBG K; Bia"1j3Uh:3d!太}f}oZSӓ|pR0B>BvzcZI ;㼲g)sz6R?~дF"v s]½lDO7dMyZ/<gifL'{'rPR K(Zpvfc@ aZ;L U`` jBOD+ U<'{FӭPߺUAt[׆> vs`-t;1׍܄>F4lp`maafSeMST?vXʱ:u9K6 촉̥FG !ӡ|^NjEHY 5U='R]ӫٍ9/\ӝKAlۻZ;e$ܳ(8Q,=-[W0!ʖqOwn=W~<ӕM7f/%-2vȥ_ѩpZ& ϱӪ辴?oNgȌ3UXG/ӗ "jZKE:e\Ut^EL&z"P7ؿ9YF 9Ⳓ?KYNj M*oRX~ ^;j}ڬOQemH^F=5 m]4f*$j" l#t6,SBe)Rk+dڈ5>aHGXH#e: N[0H:<> X>Xt,L"hfRPh*Z-w\1ϒPX] ?a C}zB~j"+7i2 7DIǾ34͐k\-Usԥ`9_UP PS~O} j<-Ши'1"K/5#5vn;0FvK# >QDгY/ )Jn#2FSp#ʍeZJ95N]K1 BmRM, Q8[|B b >bSܘ>2ș?2#۽CmbM(, Փdir;)r NL?M NFktN+_T3Gh%_$< wBk7G3y U6cA 2:otjZ77hP&IJڅDqŵTd's.m.gtu竪9sCdh? Upx8qHko鎑^2鶉qZM Fb0Y2fWS݀`iwΚfR]܍Ռo|Yo.vƏMZz;8 @-ݖ2825S4t'p0gRc60c?OGEy'?lG*X8hyut|]a_d` zҘP_ܐbNM*:Ėp<~_)ˎW< o]- ~BK1޳A_}@eY^eH .u-f%É"w0/'}3FBqcNL 4l \ >"0p`d6+ Svqgq:y`aJ7WOL-^ϳn"fNjt| "nV[!0. \#O/x\܁F0m|はS,^]|*Ʊ*)Vf h7#:cb.{R|_8*;s{l U a`N? -ɀߵnHT& N( ̻zWF.MNdjԈ6MQ(KHn֫xC \c(.X`ӧ,% Zv1`ү5 e䥱UU+6ɱ#5 #Au*.;# N I2}-7uaK0[\B:C?02C3'8 qH$#Yp(L,Et9ċtD C9HB},Ssr"hՈ) RA‰x*]%ΐJjNέ?N<301!J.lqơLMfj2?K'lq%t1|Б&r0-(3BFec̚ךE=31YT_ţgF W%תel+9C/Y1ʰo5t1b3#MbޕG^@ g[ .ĩ]5XDpxGPn{,ge~#6$7I ŏ=K,W72@ qѴš4iU5腃3^Oa=wV/08#NpYoj G9ROCI҇ l5uAd2ٿ.D2$r3cr@Bus^ %¿/tkSTu\?BD޴ȫWy!Nݒvg>SrC!V>tuU F NQ9 uc4"ϑR# {\{*4_GH3jD}L0˝{uˀnܨ)ruqF޼kDX) ʍ2_t:R_Տ UFatwE ?Lԫc9d §haDxCeC`3͕DG㉝[ėK8.L*u[8:9:bZ!%pe,?uÛ A;N9(2?@gl#^- 9W?IcJ"b)GdY ,J]x}5WAlPHV=[:"Ʋ\wPN0eR?oܤV80w+(/`Uv{5A1X+~3ߴ#([{AAUG<o8gH]ËX)^Qe ^Wv-$sJ RCmU%v19:=&ʘN܃d9l8rI3Km~N v~Hhm't@ 4,~ܫZ URdE%%6ݕ/?;3ֻ,%E l Ȋ&p4HBkV yP?{WjTt#k(:LAqsLicO wy۫l=5#tC%A"~gOtDLq[h`'AyRBa ),#ƟIS5Y4&!3_`6EWڝܭr&`.ݪlْNeh IOB&+GwgiK$aF$r, oS#gvR }0Qvd*h6Niz2=+VOtnݵ"bɧb̏N4ܨr#sHɱZڰPfKnKZ^ `[4gMy *WpKCB=DO'=ZҳAhͶdHDUYȆ]Au@]Յ/ju 3 [°l]BfJ7:k1|ҥrY_*3CmU`ҪR ]G"۟<pdͲE6^uWbyl`|5 %EgUn#Gk{Ҵb!^X,LhB[:B&8`nn]ѺOw{?!5ϵ/p 9|aOq>wx!3o<`g)z禍qR榪`4fR2-Zj$T9 fh1Q#䫬ދ\=8\+RʁLSkE^:-i>D`@BI iyG!^Ora|mR_:L=&D6;nWMKU6OߢQ5w!lCm2IaNV?°o6b1uinT ZƕT@BNJ@@z/ԝ;ۡBg^%W|-ju\ַ^F㫠Nv  X扣!P݋P# Gӥ]~2D6ve-_Z*A''' f֢=\,5@ KՃm/TvU)f n6>M,&|{HVT7 GyԘF~L̺փb-kn16̓`z<|euyp93 KbTk-s%Uѷ狓3uW%m?}Rd) 1}04&ػ>V\UiMqBBI1S"8sꎈI1F,A-'ȥVoQ~ ~>=L~&.f?qB=$u bl)hgk3[' ,\@ٜoت}cLg4!b3 NU#|Č\]UuV7p )M%=)qsw-p@\󝞎o?=!Js8o3]qЗ-+֤^+Kqo7jsF5%H! ¶Y|5͹a?m&`/k|I5V0=݃>fs* ޤˑ֔}tFbX٦5@e{ |JcFI+6JOaZH暘*n2quFX9- 7R7//Ƶ~EW @/"7'G`D}2cm4oxȆzӅȇnl v\h›Ŋqҏuk$Qʹ0ӵ;38gM Oż2uBVcנXYWeJ+`YATzh* R} ᣜ#W<3\i $سUJRY%^m.[FWh6o~ .i P~LVnxD8czJ8rt*Zk`M[%<;k7| bz43@Lztqĩ˄?ߡ_LiȦB_wb2&.p%nv.XSҸ^'>`R]]#M`>E֝xFV_O5xo&9#85I3EK,.DI>Ze`jK[ڮUt\)_"\HBL^W`N4=U\euez;OEpZtCx ۀl{ [!{fڇd3XX_O=iG= 5q;,CaE/I&Y錕NToÀw ]GZotG#u쫣k|?F{mi0ɟ5.51ĬqTN?Lg2N>EPvx{6^թMWQd噠s1]W-\D(^;ߍ(9QtՎGxc;~`ThmEdij=-@huòCahRjF}nFWb#oy"`5/rZ]ۙ$ڟPxq4Y..pWn2HIl;iV N Z1 Rp[ߢ2:_ZWR!ҋg3{&R3Ϗv#K\ \4ܫd"_Ҩ*Hq{`quĜ"˾(tjNWNKyHR@!1M>-Cw-c/S)ГyVgȦ(Z?nvk&Zw v60Dj`2#2aENlj/%Vw?]/@{-Fd l>=xLXx+.ſzY*V=a_MVҿDaS]Nj>Y#Mc-gȒz0/V.{`?;]m̑ӗHcAa(ɂq3KT!q7O?vHy zHD|˫(Ur _!0K2#n~nO)Gte$# R_ywu}DoiR/}v-RĻqZ젼oA@ca!o]Q@z:_#`{bcӖ:0kl^&Xyiq*ݥTq VOwVÄxӫRp")>ZuDlrDN{Cʩo`V2C$IB3U]Q,kch޴As/HN^ŶX?5}b]ϫaGTۘG폟 zs\5jCd˓xQ1ߠJjYw`Of0jV 6DdŐE╧Td Ҳm_}n '{^ tF\+:kIdn{V+2- ! G:$œMh@$O*6a}Gdu~8חX΢4%|rO*dxĐsM7&[>r[|ZB -SyVLVL>$7zdaaSnjƀϼP58k>{!o-'fl@ P"ng1DK7D(G,8e'u(NZ(>&!S}(t[ E.7sD(=\3]uXSӱյ=E4>0?٠j;ݰ-' (A ,nG_/{kġ:9b ҲN8`J;ڤbZF=)sBWHqn()QnKuVmKS Ӯbo? :º5^xgʮ^ˍ *!@W)Ҹs|0֭Sb]bDm!v2HnbAgP~@@px^5у8񡜆vA*f4c`lgiU'Bl)nZbX* ^-E## $g/6,\%NgÁݎO9 T0=w$a =2?"0~t'r7w_%"SK/zqR5,_Y+ޟA HAkcs#KUOHhM.l~Wl3=_4dKhkx5>k8IEU iO&x|M7[0r(|AGlJ4@0' /z_8vBW9 @O]kF$Z>P$VㅲBY\s4G&~2tm8)_ێ7uta{xBzn٤֝6_k7ڈNB&fCW9Gk9.y M7r\TbZ8erYQ$kԾ7)n<fEiHxXڶ;}D@Z"o!MCH];vf`vX?̥^H)֒t '=VvOg_[5{ OچgUGLc>bvk)Gq<53DZюE 5#L﷔صeԘ$PKn0 ,b!D:ā TKF᪬Pt=_3$c?_Z9E*!yI7ZwVfו=wYg!_ e7#80$7Pz:ҍs^j4e*@fB*M9!q!.xP>jEj,T82ۼkSp3ފJٱw``6q~`'=xpT61y-m-Hl7[_1 VQU;`2Yz߱3J:h yxuny,`|>fMK,izw=Bql5t6_ݝ G*nZɰ*9`^g~nn-fݮ;+jyd~H?:nvѥ,w_p:Jʋȱ,/*>WY*ofptI,\Lqɟ+w.p0XTlt;}DC #6,REZXuQCLYӾEe5H3ޓ(_Y\g! fs1ln:a l.\W-nj>]0lH":G1KG Uh"2M`Ӧs:F/?D"> T>V6{,ۉǫQ}_GO( IL| )溊h{Ӷǽ IK@I4ݡL4`"8['$ͨa}}gC|_W}]qb oʏd+i\?mW Yo g} &Bju>!SS[{T))+(Xm{;-a@"ګهsKqgRLFLe<\I6m[?L8SGi  : ۷A6LK5*9;&֘3g+f1'PU.&=]b!z#6Wpv`LaT!}܌{XI;F7:w#Q|h",eOzC EzsW /A!o 5M/ڔ6Ä5}v4Y r|h*Ic#tXu}8ʫ@OX Us&G6Aܡpn|$#_x~/*fa|DoUN;Fc *8*tHʑ# ˔ }Y+ zr ?iqs $FN+^2n ;P| KOye x9C崵dDӏҕDY@~T6uV^zǧ^{+LD.%PXV`vk\Nud9! 02^XIp@ 5$٭r gKdQp9\)k}M ?nY.ɗOSAY^SHܡHG1҆M +lޝARKdGD%pV\$q"O(הo+|pݖ:1s-XmWS%k7Ǘ(vo(C”.LYn}} ]x429$AČ4vƣQE1wrs:dĚ) ljrNFx|$d+HEh*z3(,#$fр \3XSDyy \VgGr 9HW#0^hU'!I3gy WPSW6:F 4Z}t1_i_GiA<;6RZ9¬ pT: T SYwp"_#FV8|T5ѿBb -Nv;Sڢ1tš!蓩aq䇍rð.O. +Ա8Zl3H=0|M#LvQƞ7hRG߳'"6u3:M >Es1\po|}*%"'KlKHDD? ] w]eʡ {3+4iztn3u L?Ár2!74x]7 >6)2q<;8w/$e1-gORrߓD)擭)O`SvQ1ϐHDN渕 3VmUH<-vNN5OGt{E?@i$5>@M!hp<]:uDAcC[M:ѹ 꼅"^ۼ|B!oؽX U D 6{|oH1B'.mta0h>$ JW}M"tH-cKHʭ9|׍,Nk4rRl,?$YNQxY~W[[8|"'z"7Cf*jso, H{3M:Ny)3\ɫh)4icoLARv+ћt@ϾOav%/n[zQVbS dyFOhͣtͻ  u;6a䣕dtTYpCFV NFvBѝޅV'j1Ch<(oMt08VEWi}hn&(]KY8q&(TC_ /@dQ8PT`6f ƛ"`s m2,E}g0 PYd?G7+ۼ.Yqi>fJJZ4 qnX*Uzt؁ik̸sJvW4u *_[KD^+zHT'+6hjꙄ.m.- S7}eHz& od=2BSid(8sN_uyzjlpYxzJS}P{S|t| ?QFVPB8nY$BI\^eQkOh^n4~%ؤȤi'[*0_տwMҰ9%PɆIQpûD Tܒlvuzh[WM=_+ٷqjsR.go.[AI:5lcDr:u:Op7Ўi%^P2Ƶ !RHuoYp2L 50Z{ nj14-K80z>Sw;BoAPDo'Z5"NԿ&d4=hSm)DٿƵE]y7pB7V?-5XC쮨[侮*FJ$c "MKTu^:aIG6H.v7#dWMPC; YD;H),v5Jk0i-tCs@_;M!AG2VeRKZ(K.+YHo&b U[o8"vO-4 *΀#c}[?! k i! 7;{ªϒ9ۍpKEEJOofd?! pwQxIM-yM5@391$6F1wN$JDVỦCɆPy1/Q `{vͬ~h|4Ķ& !GP\|a/@- ҮЏg,Β-%F1Q"y t-@e6BG T{ٴ7r{4D¡dLqByzKI%tV~A,e t;%y' #**j2YmS" hSh66DuF  S%j>er{:8Z3#Ə躴pfB\nsX0 L+nF,ooQgq9NY}qHP+z|mbWT^(Td>演lx-$mFv8+)Cb?iۯf]U(lķ(F fO<}q̕.ah|G vLY[d%Žh h4cD=DFU:bfȫunp){cчmoV>:cZ__Zs:lY`\}ۑܔgiGվk‘.Ӱz8y (K| |ac]5-g C_IN p~Ba|2>UK2zˌ\؊h3?Oc#vNl8j(I{A菌s @)CΠSHj~I6 Z02r`;6N^e t=glV[.D/+vLv@PCR,Gpodrȴ0j ys*R FiV?+{΄_xPlM3m;u1[.DHm[ H ]FF=!EYJJ10J(7DB0C'zwOx8 eGqh;k]i< ż$Eڥp/i7MD;x5a96F[\[=eЙg;f#uer%l 5LC{{W0Yok~QCnPs!POS?o(Qx2u[>YzJ %G)b>FL^H*eS{U>eާcʿ^f-yKuعƲV~گ̡sաH}Jٿ(5RI h nfTkj`rp#v`䴫psai-RJLEKVS;θ9.og?6*&S(.NCmceq7@c=2,&Qe?qQ tVx æ)%9|qZ㞀o+F1Bu(ipdJ8R$|/ه -?D&g:cX݃lo6AQZ]S~b@_(2Em h i$aV%}]u{G(UG3 :G@7KeG8( .ɣfPuR ][`,^I;"P W:D Dwy5(lԑ:wЯ;(o'eXjrìE8MW2% #==Ss@`{19 j>[FZ ԉ}r_j]fİzT׻$W4簆3w k`>R&Z*>KEcmr Gp@ m~@L 8 T;M{'7%yB?9 U}\B;Wc& QMw[{}Ȍܕ̈6'/Hoybf |xՉb6G=b6_I[6 ,vqR KRꎍN $՝m.t~Ŷ9*qc #7՗Lo!FJb|VYNX <}(axGǿv EJY5|.#q \[-@vŨ+y̦_ddYq_县U؊$u {bZI.I2p"Ob%-;T>U>%Tr?%bp.O 7&Lp3>0kt2KHE]Ӓ^ Ļ\tEE Yoc_}fdۦbB57ɩӆû尪 E'r^nG)2gPrXۜdG5#U&(Jx;"4Cq=&C! PI i#ɧ:ev6yPr&P،)^@cڥU7]/?7M8.gYUq#{5 _?[k\ YKxJЯ]$W HuuOMͫ'-s5=G ]lm|',DJz}}Owwn.0HVڹ ?&r|9GMx _W+M-k#~My$bJG5-!NaF|+a8 FM3nȰu_*DGbxPyYSUPOPlIZM- RVc*;.Ja|Fz{2q@ l!bDIu!eu~lXMc3 LD4 #}hYQ0`7|ʄL؂jB+vvAN 8S92PpmG9(k繽2QӘaKzq~k-SQFO ff[_<3NNJjxd'EH(h _g:{ ޶Y^PMK֍TnJBgkJem!Aĥ1BY+הHmTHȒY,>8S_crBiʸBXs+ʭ:u<>Ϳ:,":7򎨭A7 d>1MqEQdگYkDm*OЄ粖 mȤ(n}cB>j ]  |Bx=0`O>9Z  ; #Mӊ63>.[zaܝXӰޏg 7Kd3BğyX0Yoi dtJ RV{Z檬#9;>+qG]wQ\^Y4aĿB*Z=I;."8W,ENVAW@%["Q%q+xBMVuֆ9TFCi(r?+_j V c?";(MDJ~y'esva$ w8ǀpގJa)HA >yи\%/^6S\)2S ]7g©a}W27K~ȀQ5 閃fI Ig=7bcNb$ >_WtI8U,-Xb.vLuFRGqw6L[S(0y uQnd<p- }x tRm:H"*5]Ϝjdi_'2A[&*)3 ;eRlH!oEk y~lGC8uɡO&=[Ra2c$d LcѱC*hkރ } tNn޸$3LA%, }Sbh1؂RG֢d#*3XO$,Paobao-[ߑ_ק|sSAT8kQ&T0)ĵ 0˿-PGj*,Jn8xF*ELA:lq[ 73q%%va|0z }f5՞lCdvzH a; barM ۲"nKYrYAbf-ˇWw(2@pugJ6ߝ …nk4^DTEգLA"hB^G٤l%%NQM=L)E\[o~1'oXk軭{.2T% ٪H)#3{CJ䌙<FZtn fBU"ɱ[ @SI\HDSq52F"rTD|(cȲW ˲b_EtHԢ E?/[a|q{_0H Y<8٩88EX$NcwUI_%(R%qlbVĪfV0$C(UHv/=n3eWf|\GtǸc:젏c-~u6Y3H:vT1M9| Pkdȥ&UqU u@i9\j 0mVVKErK?ۼKhj^'?M-@6[C|׃rU@ϊ0މ<_H#iÆvт?ůIݞ*X"ٌQݿ/o#<GEHh8EoQE\'|wCLGȮɡ6$VN_̍vZ@oCr#lH"Z/e}e`K,!Fku,29`- Fn7{,b8*A)xӚʴvg4Yao>ÉȀENג̣@giju?6vR:ٞ J[`T,_B+a1wb3B%o_8w6+ZuiX}TE(RJj"NC ECU㖋_`+Qu >s(g!>"zhp܏o4]* E)06YPx"[v׷-n;-nSv){wzv` ߧ#:-!XOf a*oԈz';F\0.Uy?!Rc/x>uP8!x#j v2_Atf{і=ʩOQNf6^q-6 E%^F$ 7T"4]rn7jMP(&}gۭ0@06W'o6 4d]ދ  k7W=N l0@D>zҺvǪ4 yOOPڱ# _'D-3˻@`L0"U˳=we?r6aػF@J 4fu(˔GXXS5}17ڄ)c[jj~/+D'z$InQqRi!2ƈRQ(I6G$LҏaGd_VNkۢ&7a}Ic|́>;|S2v-Bt*Np~&{p:" J膟#<KsiIA'X^*.BMU#ἶ m <WGS@d+5OӪh•PpTd5s+Ѩ=/ L* Ԓצ9FW%F/lL/ɳQrXnD\'aF_Cc;i Eo}L5욬h^؝ujr#w1AFvQJ^ (ƒBWM3==:(J6nS\h㣻FR׎&#l7Z$zk,.$)ݡB+N%kջ/4Ⱦ=p䢺4 vQUGѡ!_o#_d߿WpJŌC rXN?:/Bsn"ˌyְ&S|޶Sd YldEhj2 Lh$;f|ֿbxmLXHttcS YҘs3/#c Y0Vjl&kMzTU((/{8W^-Ӊ * bhAv]b]U<ﺣ>B2ej[c{b!(]iMY}CwLLx3JR GG{qp'V՝üU%}C ckҒjRlMY{"t (osZHؽw1b}n`wG$ɜv7D&`@PG #E`k4걘^);FUc)jyb'ሲ°m,{nw.7UQU5mR6KkBkF^8g 4 _So ߾wn<82`c!~#paX@7xY[ |f$m#[x6˜5FaAC4bF^ /۴ȩMlOH'1L-"?_T^('1GDƏԒ]'!yIb#Uf/)_!].bJYH]s2轌G5C\ ܍&:i23N.g4c}3iHb΄}5KMh{eiZY#4~0]oB%jrL,cTd a(s~3Q#o~XEsX( ?%e+;!NݧɅCl : ,%`v4r4Pe쾆ݷVTr*:vɻ6iO.?6YN^TC\ ™5hS{9`;aUj762ӂ/p[i`ȗm{l/:CG.IqIB"Wb8V\X;l7&ip=jgzn,ofOGbd`Y5Tc1ɕ4B p 8oq a]yC%rH7K?$P ՗6(Lվ,FT+[o&-PVVhA}_,2nݪ I= |p쐺 F~CV9w,ȲqL #[T+P(wp[,O&Fҭy 69/P1Ts݃Cby,5]QKGwW6ˈ3eDTO+5EjԖb[ߤTUf-fHSս'FgoW~̑So=^]EL`xU  c"˦o[ rʄR70J>Uqgӏ.#ϕ_(tt"K0*#Z+XB pD(@suƥ7?|()Ǭ^Eɵzsu2yu3frdt?%8e% B &`D٘ u_G#Uf6k%q2Ię)ҧc.|OnAťRMb^&͕Y wB\=B>D2ޓKVC0+Gd %w</*ۙcpxMt+6ٱ x\7MԮsghA(:%FU?^'޽tfOb;M  י-^`|f&&@>uʠQ\w.;"0H9\ZT 49a/yq`vD'kD[MG }I2L c85$6I0{xw c1#w9*۷!`K;S7niWH,m.Xop SF+4I+^ $Y6 qAV 71~Oˆֹo!wm'{ҳѾT8[Z(pJ{Ot5I@@izT.@w 54a|s浒DQ6c;y [WVl?ۚ/r0whG,r2X_> ^xO4= 0C]!wQ6}papœ%$~:?Z7Q)n |naXj :& yO;9a.C٠=mFN-) M2CZN5;Z,+ ڣw?bw7[PE^zZvBC6up|H 6%Ĩ5+uTTz`=fg5&bޟ@VcƑa˺<5_ 0O0L@R%$ ?d}==aiiXZ/JcJ:M12"$6׹oID.FXc1T6 )T!S;i?BB[5Pȍ|PVk5B{䭮6P}_=1E5:%Ȓ͙Xh-l<|K$6M1{ѹTi*AG$w  WX< g%crΝT W jڑ_wmaz-y#Ș#-HqZKiv{ݩӝ1]>6ߛ,Q{χIVoJHS{NA1k|6Xfӵ~`S޺o fd?(iw߀i˸sTR)kNJMu204T9P+ele0:e5%㺯G=A9f?}xQa"ӧv7ܺ4I]{9B}cnxY44 a=4CbzOVٱ~wq837DR|`WV\<TihڸOВH-Pͧ+IrF{& fd\^,_V޺q&g%srTejR`PGꕗEz_j '?j1pe/ u) nR#-dm79 >0ڄ_P[w>ispkT M~iJZ,UMZIrDZ1ȩ ɵ_!Z$xnIuԕ@"遒6l  _!87J20}`-K4W0e׌UiGsڌ09 وgX Cb7Kw_9%˒_hY9=N=CKj5=o}9.ɷ@v-s ᶈb*'0Bs,'o+igReK@պMɻBCzп* $+bBB)$SΟ^3I>܃݃R`P42JMCLY9t M҄]3.Tadd'8 j#s70dV5 LUl+%Nݽ$0G*Մ1ܠ.>r0Jȯ=@|r)V t3xTSwh*]Ԋ}P7!ΜZ1 <_-) 8njqyI@s_)Ү_ܿw[lU(]!9>S~:˃N{x1eGAnP=їMq%BF-0k^U*Wv-:SDN= S^&ĝ^F"7Hڠ~xd> ЄQ/FG) Y5c mdQl[kd֞zLFŀߨb \Zm=9l9ƖpIVdmnV_%ttT_wmoH9*t2=;LuueIF8}ŢPQ"?b){TxΒ鞗OT>ȵUy^5VI4F߿/3/HGis8iMu<ioNQdKY3YFzre<v$!T4~+WSiA sI=v8OwTylKtvrڠbK6`0n佳F8{/28;O+J'F*wS>y8EԃIF\MRDDƎIsP_n~O-zg< A:߶/"B ]/ Vx./&}7һEg/5薷`Ez}g,1y1$vM\SpH'W}l+'(NfMyעec<Jǝ9W\fK\`wJwII|̢eղS0 oɁ.J~P]Hv4XKpܷ!şP1`_&RdZ:hFӣR۶;`d"S|^5cqKHD*K)E9T"|` GV z"${0_o Qy=`]A!9=|jpNzh7sC_=;:y]"Txڎ.|To}kp2UC(Xq%?{ 2FR05Frxw=>e2PV{7y%ʥ)F7ȴl%.ĩ֠x1j/;$/LKlOfĝ"́Y*k'ĺq.o|}[/{@_y! 9qSiu]2&/&I8嬧=<"-adfħ(80J3ޱC ^@,Q;4njlp eFbhrF0|i?60Izp2}L[79`quetWd:I/1lY[f7D34L8WkSc堋wiT/Кo˘5XՒd#h-FN+sZ=n[T“nW-}D۔>p7fW з@:|| U%4b-*By}"&`1UeJ*_!pD{q.Ҽl8dȼDh"vM&"CuT(=!$y;yRG𬦡SJ;%Nd/7+nin7cZYA%p)>$&l-72.VZk4"p+懱NeѾ,?GFbW%_öS2!5d@JF%FÏ1E eR{Qx&CsF]OG^jA&!*Q6V)d! J+alvՒz;>W&'ss1J)%1U`bY W.{QpO7UvXiBЎeg"A쳂semY~fÒ#Ejc},>[q&UuQ8KZ.\T~эm-Z$ -\/ژ{aj_UT51\3y4fvIj?b7/oAtdi߬>GUF9MRXnNߪ1e< C0**ˠBpTh(Y0CqkJ&M~ihMXzSJ򲶤?< > 3"fL}TZ#k @C4z@ Se&KZ ׯc5h'/bԘTXvvqt1Zzh-'2O P+ qODg7lr0#{!p / U/F6U3,n_Dz ՔX18Lw毾I PX$mԘ2QѳEytclT'@*LŮ q^ah!v*&A?}?[h&"Cs0(\RWyHg ~M{"1,2I n]֥zϲ S//Ė)[1jK'wanA묄p>Tb:'Ɣ@ sTŲ&# 4t L \5ƕr!9U'y;+Ϻz \S6QFEI `vxf+qǐM_d E/ a*cFD4DRi&WWteQL1;5+NJHKc*'zT"R5֕VJXP#\OlQYOP]j ]wQN&g/ fx)B3@+bNJB!Dp4 a担kn)R TnQ,'Zl^b<7{Rݻ!{ſ]АT$v*{[ru#mdkgHǃ>rV,dܜݼo eڮ̗_^V7h؞0+NC}U+4̐ Z3,@07ӄOdwz7ӆ) P&j ,qt2~RX? LY)`Uvf˸fk`OVH(e*\Ἢ3> i`TJ[/o rz~>#<3دPUKJ( /w0d:~+y&6{@C2 m"" t-g5_?~[/l~$Z*q0kpw6\P:/2Ej[ ̜ eNEC M}_TiG)_x+1i3gs<,a"à, o=8mۣ(lO\! ~9Vbswu:qA@qk3cFqN#gbN>2r|\(PxoUXςB!'#='L:j,Ll'9Ae$]V6 7H![V}͙QҵkN¡e,d]O|V%lyTqjr;#Z-in_|krĨcɖO=o6l#I{&3Icf#3 )մ(uzHF;4~()C'NZEf,ѩ2 jt 4lWKד[[Z4I?=D4 >D*,4%o7^]_ZCѡ~ X& ם9k*$ Rͭ/JNdsvOk] 㥍N$PU̔E`w$2 Fv -rWw Skgc=+cS7S6SQFTlu :$TX`lU:o/5U{ dH^:K/nZn7J"rΓ&@M~i¤ p'%M10oX$ߩ~ ]L]>6_'+aT.%k+'MCl)Yi:\VX91)EcƄ1Ȧ/ʬ?jC38?e??MYmxF>~wĢt ז|ϧQ~O⊘ޖ(2L4wbbUzcS`(Ko?:EڬF)T=(r:`֓xA JÓ˾< '{@R!9F E@6x5c6(5g!*<} <^6G B}CsE(#|Bdv ,I,nGz[0k&_jW RE61`L1;SU4û@h,Vc ij{`WaO%(y0Qt0[f7`4c.#--MuJUX @c/8eEo!vF2FiyhXZOX$>!:w $nVlYb1}$IJL & {y<kI}M7nZ4xv@ԧ`gs]R\89w(tT'[>HVk#U-NKd0wkkc`$ID t Zp7в)S]#XB?vW]l)l|Z*3|j 6vX:\ҧT޶0Ā2[bE&I'ARd=y - ZqZU+\.$5ٺ 8ȔLY D]eA.rH>c7tEV J .st*5[ȟEz \lוdZఁBˠb(5y%6t{SRsAP3l̦.;-ջZ׹BF#5=_#SqP!ʣԦ1q}>`.]p~D3<ٺ"Dnr{&ZGL/u4V=E~mcsp7wDߟY "Sl0,+HFSlZkKKVf 3U*Sr'ds,mnN)d)"Ic]`Z贫#r(]P3Zs:놩:U-ӏy:򂆟w⛫ yyg.Bu.܉/6s Wxt\%1?P?|r6z^;`7;<k##hxܬ_&qPB}vʔM9<`ݔ P #m o2iϨ&GF83ܑ|)x S9H:aarb.}<}!UjFB<"ƀ'B~HqJ6g3.J"'nmIs6V*hLZnwk.+>?yU$y@P7taعM "ݷy/6 #ܹASZus 94ן*+QG:E;Hy,hR80tZ$+&I|k}Q&{ v`]ia/<}8Bs2tT^)Bc*5>8o=5Q8MrƳT[b&qu`/έ y',gNn{}vay^( HLm;[@0,bG$U1:.KC@%kwXwE>JCqyOqlc94XT! ZWfGxAJ C)lAk.E|m;;'X96HCG$o\H165xvG`HFp3Ȯ6>Ƙ$]E R'{r'W*M Wiyj}C| R珍zOqMy hoiR H ?tBΓ$DstQ܍_H%=O cT:< w9mVE87 mɌM~ B[ cLu,x>O8XU= ) F%Bjk\&=N`aD~l"RK$dayǞ 'tq)9{eWo5[)ETQe%W/#ZH/qAXA+nG"&i-kôqb}?SRp 4mgfM|fR -`Kq 6MOvv S/8ppZ^5 }IN-d%m{2*<+@lWmSArupy&$v6 :}D({ e$|__ޅ(HYԝ.MEET=|VLA{»;#?-)LzR?Zr% ˛Y8oܛQ3/3-┢n,F$& xNNv8ӟ tH]a9ʛᲯgs32V1Od ţ";ۯMj`,Xj߂r*Fʎ0T7@.Uʿvs W1VAc xBՌlБ\oIG.ȎXV@ Le`BbӠ ٗV)Ļ(5D`5Fo̚Fue-4"@O8}4|A(jԨjr+/ׅj e#Se=(_Ie BFF϶_9!jF Ls1aa˫/'z]'֢i_8 z70;cȍ-Fy35`ybЂ,Y*&(-_{ iHfyW+=ÞkK)%LwqD ]Eπi%ffiRFF nHRHR.(@>"hFMod6PZՃMM+b * !2ij wFW?|q w%Y~E$3?<]v# |e S 64fO'xY20HEhaKF 6\dq)ԃ$lm:y] /4Iu=P}>+J];L'WeJb`Qlݰ$LjvpcKhTD\Cf]w:J,T*F-<:AfSs80 -}yyK煼,ɖcz? DW>▒l[¤b&ąG::o7Z|K/D*֙5>Ӫ 飈ԭ`0>AZb;sbӥ͔t÷P:6u屾+R_9 bԽU5n/!˪6O  [ǺHni-$u}y6Sp5:JJ7#Z w߇+^L6_^g}΄uSxmpz/b)$nɳ]3u|'ƀҫ4qjQݟRzDvTF1aXpjl%mNj (F JsP a;f91@D?0,R)&c;nf:u+Y~}Px~A@ R3 CeSF[MSc!j{/u9$i&?{ˬu\)@jAн_Y:ǐʢ7Vy${ Fg>Y0GU ,Ys$ÖE1H< 29;޿|LQq$AC\;Ğ VB4W]b>{_>AS-%;>EdjFScI ;ʛS7Q]V.Ӣ.^K=jPk#'"8)uV}f 8:a1 $9ik X;/*F6O j`%rD7>?xs{:9|v*/4XlXng2Y>I r}OӺkܥ.S)t)~ήi4pqEJGF0RS%B  guq `c%vAj?߬`j;j?ަHkp7b:, rؼ M:„'Kz`U ogS,=ht۶IWH03rdTzkǎb5#lo -ԵK|iBRCj_'αn28%yt9qג*:`+Lۨ^o1+UhCwY]x:?bp.o*$+zEj%4-qjOM:f#jyp+ 7%{uO((WqY,7K @N"4`pdF0`pub&; P/ٕTӫZ| m4$/c0AVKam~-x'+ko*Ȝ+4:>˱_&f`K;HuaVY(B9we-͊6ƊSʼnc 6 D0wbiS\L2;۵{L0V@M fTB%\l‰r+{?SZ_il$>UsS4V ad"v!'k(D>ˤI}M?n7{z1wGq3OP -ȞFsDip;#p-zF$ آJ 3wWtprJG4ZA 5 $M,eALhrp7.oS*0<^q(ՠKmd:È$|I9GklZ6;6r0L]fT-K, (Oh/Sŋ,@{ w\:.aQ 6PNZ/1FFo1[ Kٔv )4P;V/!DHZ (U)Ϛz!݃\ SSPq1PP0z͢q9O[:YuxikQjX>BcnB}*;Z J`K,tݔyMMM̼x:@Uh 38DnmG7ܤdK~~ԍǨ V쫈)a+(3ФLps @ VÓoAAŹ<`jn5Wͬ㽯dtOI2+Ã#3PWRILd+3-vs%@O粒x6_Y&zj<.O(-=C3\U^{JDޣYù`lպ"EəSC5bllVa"|>)v unr?m'<5rY]2?} ?zCY7l[P#.K0nG ZE4 &MDrw7nPr/ A[?ku8-嬀-,׌:OG)` ˊo`oet_w Ӎi/G%|' \Xl]ZMĺ͐ߡ[L6ĢOB1[u1.~%Bo|\] tV+JCZ(O2`TRwL!ls0d>n}籣f%汩2>-ϑ'?b?nFF8Flt61H?>ĉ\u(qM▻xgX0А? .ə:(e`3/r/CbrЍ]i5rv`8/RQ*m@ MdnHuj{>ؖ! -Yv7(OkO[oU#&SSg&4Y6,Zq#X}Vc"] hB)$-X oh<2 X2ķd?A$!`n/9AYÔJZ-|9 F{"wZ_.mZrZ/47 RV L**DŽw@,Z<Q3i62+"ڭRwwRZ 92h)a/| s1e9&fP 6,E{PzXtCؿ2h*Ftf90Mޣ5k0uav/9I-g}5o>(HyA:5DBGp4.wgLxO+ '„a8x_Gb.%݅|[U6#V"=b(%ä8:]&AM/$!"FKyU' oKIpp"h|ZHq/oy 1) D`\9Ft8wúZ.