libsamba-errors0-4.13.13+git.531.903f5c0ccdc-3.17.1 >  A ahp9|%T5\'pQvU E [2+n}=rb+2ěӞSb!Ʋ"ϑ9ߦƿܦ(CHuN]˦q/\y3L_>h F**(hyrQ;6nf7 ,PĄveTr@DVJ^)rE}[4\U&K3Smo*5m#' N(z\>p&hKvt]ئ|CO%@9g$D*.[MJ,Y{C1wK9>p@`?Pd/ 6 T &=CLP R T X  X   (89X:>5@DFSGhHlIpXtY\]^bcdef"l$u8v<wxyz LClibsamba-errors04.13.13+git.531.903f5c0ccdc3.17.1Samba errors handling libraryThis subpackage contains libraries to handle and translate NT error codes.aes390zp368SUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/System/Librarieshttps://www.samba.org/linuxs390x8aeU39a97f6eeecba3132690cc1cc0ba7f838b2f7541c9e631e036073dbf089e05c1rootrootsamba-4.13.13+git.531.903f5c0ccdc-3.17.1.src.rpmlibsamba-errors.so.1()(64bit)libsamba-errors.so.1(SAMBA_ERRORS_1)(64bit)libsamba-errors0libsamba-errors0(s390-64)@@@@@    /sbin/ldconfig/sbin/ldconfiglibc.so.6()(64bit)libc.so.6(GLIBC_2.2)(64bit)libc.so.6(GLIBC_2.4)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.3a@a@a@a@a9@a`v@`a@`<@`@___i_@_|\@_{ _l@_i@_d@__ @^@^^2^2^^1^^Y^J@^2@^&^&]]]])]@]@]]@]nU]nU]i]e@]_@]J@]B@] #]:\ڭ\\@\@\ \N\e\e\}@\o@\\\\\4\ @[[@[[%@[@[ @[[t[#@[[Q@[Q@[\[[[{[z@[r@[ @[WZZZZZZ`@Z@Z@ZZ@ZZ}@Z'Z@ZOZ@Z ,@Z@YY@Yo@Yo@Yo@Y@Y3YYu@Yg`Yf@Y7Y7Y, @Y"X:@X:@XXsX@X9@X@X@Xg@X,XƉX@XYXe@XX@X@X@XWXAb@X-W Wv@W$W;Wu@W#WW W@W~D@Wj}W_WYZ@WYZ@W=W(W!@WW@V3V3VV'@VՄ@VՄ@VVIV@V`Vl@V@V@V<@V<@V@VjV]VI@VG"@VG"@VG"@VG"@V(V'~@V V7@VBUYU@U@UUAUĝU@UU@Uy@UUrUq@UhTU_@USascabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comscabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899);- CVE-2020-25717: samba: A user on the domain can become root on domain members; (bsc#1192284); (bso#14556). - CVE-2020-25721: auth: Fill in the new HAS_SAM_NAME_AND_SID values; (bsc#1192505); (bso#14564). - CVE-2020-25718: An RODC can issue (forge) administrator tickets to other servers; (bsc#1192246);(bso#14558). - CVE-2020-25719: samba: AD DC Username based races when no PAC is given;(bsc#1192247);(bso#14561). - CVE-2020-25722: samba: AD DC UPN vs samAccountName not checked (top-level bug for AD DC validation issues);(bsc#1192283); (bso#14564). - CVE-2021-3738: samba: crash in dsdb stack;(bsc#1192215); (bso#14468). - CVE-2021-23192: samba: dcerpc requests don't check all fragments against the first auth_state;(bsc#1192214);(bso#14875).- CVE-2016-2124: don't fallback to non spnego authentication if we require kerberos; (bsc#1014440); (bso#12444).- Update to 4.13.13 * rodc_rwdc test flaps;(bso#14868). * Backport bronze bit fixes, tests, and selftest improvements; (bso#14881). * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal;(bso#14642). * Python ldb.msg_diff() memory handling failure;(bso#14836). * "in" operator on ldb.Message is case sensitive;(bso#14845). * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED;(bso#14871). * Allow special chars like "@" in samAccountName when generating the salt;(bso#14874). * Fix transit path validation;(bso#12998). * Prepare to operate with MIT krb5 >= 1.20;(bso#14870). * rpcclient NetFileEnum and net rpc file both cause lock order violation: brlock.tdb, share_entries.tdb;(bso#14645). * Python ldb.msg_diff() memory handling failure;(bso#14836). * Release LDB 2.3.1 for Samba 4.14.9;(bso#14848). - Update to 4.13.12 * Address a signifcant performance regression in database access in the AD DC since Samba 4.12;(bso#14806). * Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache; (bso#14807). * An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817). * Address flapping samba_tool_drs_showrepl test;(bso#14818). * Address flapping dsdb_schema_attributes test;(bso#14819). * An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817). * Fix CTDB flag/status update race conditions(bso#14784). - Update to 4.13.11 * smbd: panic on force-close share during offload write; (bso#14769). * Fix returned attributes on fake quota file handle and avoid hitting the VFS;(bso#14731). * smbd: "deadtime" parameter doesn't work anymore;(bso#14783). * net conf list crashes when run as normal user;(bso#14787). * Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7;(bso#14607). * Start the SMB encryption as soon as possible;(bso#14793). * Winbind should not start if the socket path for the privileged pipe is too long;(bso#14792).- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./sbin/ldconfig/sbin/ldconfigs390zp36 16366565614.13.13+git.531.903f5c0ccdc-3.17.14.13.13+git.531.903f5c0ccdc-3.17.1libsamba-errors.so.1/usr/lib64/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:21756/SUSE_SLE-15-SP3_Update/d81ee65394a4fbb1f1c97248650bd532-samba.SUSE_SLE-15-SP3_Updatecpioxz5s390x-suse-linuxELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=b5267ce8669a9cc98f2746baf5049adee5c48823, strippedPPRRRRR@"'"Uܮutf-83b7b2f12896abae5ea581bd9d4b49b0a97930ecde9a904f070580d8ea67b5141?7zXZ !t/k] crv9wWd?PE츂nDeKT 1܉X3i“[Y=6B".Q' =.ߟڙW,Jʵ UQ%'#|wTg N<̨*7[HY^zkWt쨉*kj͸N"^PZFpMumZ7dG"3?ʉyޕ$ִnfex#WMU˰XPqfs$ YtS2ORh'D)nT&V :!p5Ap&jJ-egNātiut 1W(2Uɏ`~m?C@ GNQv^Gʼ`3DQ((jJ2$2:An:qRLw$T+CN00.*JC kYnx8I#@49Wx|L[h,g4m 3ZQl!NH`:HxNעǃc#ҸOڶF'f jB-T6/o&V!-|$u+ǐ0\vEb1X pIT9X̵ P bMd`6_N^/gi?x `3_h&YȮwUHX2ilx`Z/ 7TVi*קW _V3 M}BV3vC"w|`0s(V"5'J0MϊgL߮9%TP6(_* 2%Z -wI:]^=Tˆt" n~>tѩ߬9"TGȞosy# }'@ JiY A_ ѐZy ( :ݺuy2+F;so/eī[+k T:UE<%ۆ9b^ b"+@rY. \!) .%͹N#hL;+p?l#nu5:/gk2UQI7T j#8;gy 7iT$MLLQ`Y[-Ƽ:v ́.enYlIBؾ}ijb/r/A3"`C\f3A+mfe伓nTRVq$,DVɁWeݪ%'jt%P&_iۍn瓅_A! _/M65QAMC~@pa= OsY,AR#>c逜a7)H@r~+!-B%ÓC&#u!GVV+UC$bLx\=_7ln;^p"՞;*xޘU 1v$}i6;_$p/\z -aH,旡ޣ7hR>D)PB٪vPz`(5ժ߂Zzs]@,w-/0O/'"{HE6F/8_-,aFVK\Zg0E950gG% dȜ٢H'c*,m=zv;jr9Lg{7sz}H~6Ao#J\4*(N&{i^9/fnyz_=`.0ckC>SWy)m'?Sg0Ws(т4($in-Pd8^bb+'țC2%U-1Z ҽh/'nDґP/:$=!zҦ7⼚b{w37S3cpLT9 FرrGi["fS=y?B鲡+a&cr؊\-zD\ yAl#zB%e^}Ą=,sg䕮g(IR&`ޑXpOODp@0Q\%MJYVk$)^v!g*HD%H!zFg k, IL+ۇ}]WTpI&5Q)dm򺟴̎,meiޏlzgTL#ߤq»,alAZC~}7ӟ*-"^W 3O3{~3D@lZls\+1x25yOzQZ8}0OlI~b`F%]E9Cu¤3Q5W؏xm aWA=8⨠z+ ߿8k^ UL1_/k}6UGT|k{*Cװhab 5b moR5RGY$b j9XmNm+q;&D61]0dITEaٶ6 A!8j~4hS~{(22)7$ZyD Jb|`{'^C۵,, d&9Ϧ47ۙrz} r dNB/֔^eF<K_WzVƷtTǎW #M5LH_dvRfg^ՂQbd#6' S[-P W!WY@ UpCsJOb|h lcd.V ]F] oXL,ʕw6/J9Ҡmm&^_2a1uځp#vM&F!XB{/w^ۗC9uj{\U'x7q 鱮V\fG!5Y`pb}T6\ 2(3+woQ8 m0T4N ˩-ǁraU71{Іuję-}'Ž% ,}|՝oFrux$TL@&PUf^ω ߣYPI(+ѩ>_֬o;-d㾉?;# 珝hR Ч2ln)Ig*J_#t`S y]+4T *30ׁ V^ t{òiPFGC,yuD- < ?^SP\,~6D](; X,ZY%[bѭE0F=~\qkJƑgTW w3@RQlԈ_ϼo5锋Nu ;n5 ؁U %b`CR',ϝ]`Wy˶^G,cl1#l!uɑhaj4ֆLEatPNj%Q*in{(jX"1SI$Ś1=3٬Gxr떢U-I{Kk& N6ϋprq}'ĆTܰ7!{x 6Ө;ɢ3Xh5hgCƦASP&é:!8m\@BKF{YKyYKk:^Pt m.= R[?rP(3 ~F3|MRjk ml6'SjTiuvuMrEr"UсFNmъk;*5%Fv B\C?c: + Wi \ho@U=Ȅ.ĕ/l th;nӟ dGj[X785uO*=Wu ɚafŒU@#>31K.u,dӧ[%MKڦ$D0C?4[~@^!Sz:D.@Fm:Ng; z)-e7n۝ 㻀OA܉ui' ъAo؇UA\UU,[] qD%戼 =6 a鈊բlAxw}wPFlksJp:=:V+* V!j-`nId;9pfo@=iN;lNY #b˜F᱄dbgdpXzH닆=LST''?: X=cg*_#TV5Bt ho]Ӥ8DTr  =`{gг4gq-&?)\B9\l쬳PDGva`V௢Lkf9Q87R-MQX`$^+wmbK﯅^;}D Rļ&~)N1%R$8}S54{A(w򑁥Ӓ2-3ik<7U029 Ԭci=\5؄I#ZZ]zIQR#YK*^q!o1dȧ <+Ǹt QnQn:l(e-?Aš}JDӜ*[d,*H_t2?zd G?Ȝzџk)b@)@FȐF2Uh¡M *AVʕً(V'PVZ!.ZZ?yB؎tS|c U`(%y`G`q TzΌ˾[0R3M[Z4|s0OPiJ·b^*#'h{hO",Q vT+zWLdM!['.Lg Er."N\rĥ0H&ٻ.e'R~(;_ͅ"^t+T0NgDOӂ!|uv #Wjf~h@tp&|(JE49F]fsx d)¯Pqg)d]ړwI>CPҧѴkGCɦﷶ ڗ1Sh_<,1^rxKDžy7'ozOw;q"hzNTkh%.B;fj XlHLkvkh,!3ֽM Quz* Tk ,o'^fZlU( A4STOuI ۙz:XwaLli| f=`eAFGvbB0w/~XF}(]_hm(G~z%/x6&;`e)A}[_y=3UUL[\7*x)e:KEjp -c nR9 8j\*RgeWMdh0㲾2ǫ5 mS. Iư=O,a7 _J*DPL ܲx\ s?(=9+KWSP9J( ##O.rD#0a}PoH$5k#ɓ'{xel[Ca[?鴫 JD_eԖu k_kĜv8OZ t}4G5;-21*"{d^F^tv,6ARt!n΄`'!2*R?l-vQ~8o0 8$9!S+1gs$v%go``.ݯbHϼV`[iкd#nKOWB]NBǥԊmdey8Dxq_ֺ*r8Ɲt;Bt=J_AJMyYW}8( ʣUaoGݵukL|Ij58წEEyg޽W&˾JR5q('$ XԈ!9 G; з!mVG]H8`\ EX\_SKЉ"ƽ_&Aie1Ub6ۑ$:%vDovJ@?X׳)QG4'E@ IЎS1JOeǓ75=SxRUT~66R! aL3^w2D{KvP= >}xs" S7jaĢPmO-Ѕ$-dw@~P;9^c+oģ 0<3_*mx\P't_ ? >%dϖbkMv @DD?8ٚ5`u4w[fk=VK@{A8L`<^-s?~b( dք4Tn,Q꼖3o;=6}I:{R3z e3vwl=JW'27q|3^+RӵZ y.#¥hŸe*/WkVϮb\LĬ$ճku6C&su)_4vW"Nbh%Bߙ|8f%t.9;cGlxca}s}l{T6Z}(gØN4hK`Hc#Ml4凲cjYz ѭ jg%!tc5^ƅs/Ƞ$zNe 8)\m2bR[kV]C@&D )WS6]. f8p0rtu!w(IH~kr+m`3B'|}MbDCdjŏLSeh|dPů7-cQ~cǪ1뾈xBjgT8R!NI_\qLZ/Z-=Nņ(82r*p#Z?qܼ;o 2u9W:F sbη{'!B:'d!Zx7@FC܈.h/֕^gZ7Ock>}\nCRh[ (<2q8 _2hϔB`B-; _CJC xsQFkӿ*MlM ,E2T9;T-m,VnA_PwaEH&3@]Khfr:FLm}h/>a`,V'~0Wlv@KQF4|9NWGO=y\JաܵTc6d]E;%QNVwEeN!SѦ7~bj9o;nJђu0kt| _ao~m3xS!,}=ZMJ+C#|6Ny x#,?ḾVd)GU0 4l:uqNߟlX$HK3QԹ5,yt*ZP1ky7'/ ~"IyRů˧4?f2Bi:*~7 Z N[>a&kgso7u!O%ڈ5c4?:-O Nt[BH+s^[N۔`)`*2ާ-q.vb)ƼRp_F Mȁ$ Z~nB3*X$lkEΟN\dMJJjjM/˛9˄6y5t|yFԘ_w; 5nZ-(D+KgBxPDs)Mbݐ Ka`DwpDgQ$ fy_9A~B} fSv~i'Iue,1juvHvׂ_Rg x@($z)ֲs Һ΢0rxE(>OK*Ӓp6g]Wy?FR %!f𔑸J9'=l@Wٟ;k~q o<,D=ޒ+fvs~klm!moN9WNRŌG+ ٥A6<ڵ `pK>X%+"=JɖĘ E^!бs&bfG0˪PdIȡbSzCZQr@׫d#ʘ'PG& F\FAW6-+.Qq-bL-NwU3੢bcSTйib/Rv*]..EOީO$P8aT$4._zS)r$5(槸o76.-7"pu̞I?S*'"ZPRo"qaj8R} W8݉kl*)&0 i,ϝȞJ_"#Pw\ckv\)0rNWsQfE!V!L [\ʙov-%|Ӥk<۬n"߮(h_Ymq9-J`|۹v+IY ~$9,_u+*B,9v[OkV ȣNSWAF?9*z՛Q?ַbRl8-11΁ V#)c 4#`agZU,e̳K9gY"qPײ&W3(8xD/Kgw~iX,X;7uZן Z+u㷮ms'e`GL$ ata:QH,]P3|> ~h~T @8I۾i' $AE5ldz# vDl.)稀jel/ w#}+KR|wӕ4|gk@w2$cumBWbkCBV- 9 !'K}4d~n@E G7$k.QhbMs;-^˺"O})&Q.E@wMgTkW#N4։Ms]+.@#s_L IAzƹ/ xEƒ|g yw1Ci^[ !prg{#o!J<_!'42g)Bf@=MQц/ӓ}7RyS2C 0H.FUV-8" B hK}f^^jwO/ޗ>Pt|c]N]{.m 2\ <!J{@P͋H' ٘v<@4MH}4.jPfɜ=lzAz:!&/Ѩ+ JV$kIk?R}[ OI6bD;׼0[J7)"qL~W;zy##=<y5k~rYM>k<1ZLs $6tsB9;ˈ k&r^.kZ3Ux~Vy@6zu5nI 8D4~[GܕcXyQsBNQ$}9}0՘o%9ig\L-o>mziZh:c6*:c϶*2Bh%#fTfX)ʫ@;KxV3i_ 0!4s&`g]ʫKŏEE/aaZ DelU9LŌmǓdmץ"; 5mj|bG÷[ղ!MwsJ{ھȯֽ=t8Zݿ"wL#sPE2/i×%y,kYl1Hx lh!dT W\Gx@+w۠VDt?сw0=9KE5Hw<1K3'QM=̓ $qdqK((-MS"IQeDPxK,>Q!_dQ*rmau_ R_=0*F >;6^"U' $;B3%_nNP7azsh`|+,?79 YH>ݸ}KOsr1wt*Wcw{;e07Fpߦ1y e?&WfaCP}f!Qr1HWx^\n`1>x,O9Z64BOu; I%|y Q4j|>}a?h`_[/p>HeKCzϬA"gou>K|%T#a.U k^38yCdy[Ylfi09$ώm_O u4s+NYzZ|_ufur># KD淴t qdQh {دrxtəRV<*/EI;yLZ x`ŹZ.ܮӶRDl` F- =5\je_FFcá k`jHjH`aljkC ,H!96InR0g8Ζo8Zz{MP:+}"Sƙ}PEea d +8 ^GO+,6 kme=XEcS Jj|iExYنMbW3/h?&=1 Ѭ̐+!d%,/6Ӧq+`Q?)H١"Il0vW *ǀfy9Os[ J o7xC#)bFχIm&8'kP|G9a8aU;*s{D)eH@z'`0VDQ VſgRԠ3 R YSq_wN,-}?ɗ̼{7\z|X?.Uʊz皱׶@6rKv=Ѧci afF1(sJQ #D*hi?6p M`Lj'Egk!v`zdt -D(_t96w-RDeWwHHcxx/;l ds *˘X td@9EJop"0qtq[Ow)T] xg=$ࡨ[^Q"I PB u}kCN)횟E^#g„xXLKJLgF7~"r m=?]GM4 ] O?@3L*P33Rr 9t- G -qL Q8ⵈ+_?`1m8!cӒ$,qХ 2C_DQ_|t{IICN`wEEHUC03D`9  3, I|()" "iLPdSſkz4b5p ~Ɇ_NYQ'UuC[k5#BJ3Y-!ˮŰWW[08 cA KF<=f InG,%Up\6w_Tx|iwpWye7u |Lk>hb:uˍPB_$3Ҁ'U_Ln"inʖV SM|?%H.;0eQ 9'R>s?q7+6}kNf"RJŏ5nV0m@3.< _x*_ ֏2m^Hn8(,/(n1`g!(}#G): GUd0y;CX#Y93xiW|M,|"p16?j(89e\-1@JQ]ϔ#CH춡o!{gY/r$fo ʬIni]ԁ7T X¬ywvXJ5* @xIsXg;܊vmwLa옩)Ns:x! 1iH4<b]2A y<fGR"TXq{$RY`M`7ؖC=FI?^@WN %tSڱxy{U g ?K0L!xbl?#tk˺#m? 'suYɀ0{7՟9&s3?S6d}$NKWqHB5O:yzѢ[p "#|Zd xb!Lh馱rmD2xϞ׷ ;H5׍ƼؕEz52{?BҝW{c[:tWr5vLա=&Q "H IľE0um7\Z! $ǫ?Pfj8tZLP&fxwnuaxI#XGEKiTJJ*be^b5h;-~.Nb *_}xZx8`s/ދ!wzBhʥNHL0f]RcL' WoXoiH&ylNثŧH$Py٠ɓ_= ;Qu,lWIdGrv1 zD) M_fo _=S!H+wd!hDrE\BD]x0e_V`<dճM :əh]1iDH0^ ee:ROqk?}WmE]lzHC[`.pPPV[<D\A jdvݧęSF]0 3W5Iԃ_ {J@#8jDyܽT etl/Fj>6>y:lx*jSFU3O%F4/QT Ν 3Dd)%L i˭ d˘膍s^QQʺ \Yk3ؚNki" z>~Tӳ{q d43]SY%&O5/vjeG;O#1'O7^T>(+= >VnÃْ8{W U–aQ-D>0C:\}I"=Q물X d#z/tw$$+n &N|оg4.I"YʱlZ X1 vxpn RE~}dL&k ݌h|Y<6S@rONK|,!-_/qf׻M2~JY//we23m$0e9Z_|%vA)Uٹy^UtvgþjѾ@4lXYѻVCċ"8 g4 Kc@ N&=B0rU7HT뵜0!h|]a0 owqY/  +%fƘM`L$7M5QtX_8IpO tn7>9z##/'NL11$9GX޺4O0'iP@My>5[~,\ڌ GJ BCod_ 8qdıσHӭNr Y7ʌ}ii,(Ca0I`.~,򿐙:a Hܱ"V%6Јk쇩qE\) Bz:٣q3vJC͐3w 4'Xs莐N)?FpsMqT0rj#Zy?/B`a.o>[ij.!ln#QJ5f_9"zq/.}7O&.#bPJ?SZԋB+& r6h878)5!XygiQ酭tȅؖC {Rjǔfs AJIHV)⅙;CPm>(LnTG"-F.2 [44{B\bE Ks( HkcLfbV}v.0ji&mͺ#90mZcB &1w?bP%oW_ )R%>Z2~A|oNY$Zs ^#"oˑ@&'0+=M /< lL h<쪩 ,dTќ1?R,!O=J~}7c{rvj'޽s|QK w]د;x%Tdj ;)tRn~ .p+ٲ^l#c9z)Y(؋~C3&&%i9O!?HfoxVI,Mx4UV]R'еĒP\4##ф<-<ff+('Fu\U E9b_&CwݢPA;7wTN9.D8Qgś;|gڏL"(~vuvP/hn{;I;"2K cɒ ^iW ! =6:˂>UŌw0!T07$,aQ)XE b[ ;%5U4>ĉD{ Ȟх68 3&NWĕԑ9@=Yu,-`%QZֶoiaM,2?A>̵^* CX3_a|T;6†Lz‡8XV]#<ܧc詩?c6}p&@/}HhfTU+"~CI%yOΫ^I`ǥZ ـ a.fo&T"^r1"\GLJع^ 2Fl钮ӈG\7 lfO9ND ? pȶDG,2L;̷Tgo @< Vc˛ 4%;;Ν&e'8<&ADb!۬Cya-M zքF%*(0~]hE!J䋌j`Dqٽ=GwZC)CL"Cb܃"Wپ࣯b_/̰ӋvS[/E6a"*}i|)⓵+޴Rb_;ƻ/ɺ$fZm %%խ76ISy^Dd!KD) ;nV_G%PLV/(|.Q44{\69 Ul xR>o:/Kv0?FKےSt8][]v\R5ŬMToHuK=R=~EmWqvA/q7^O{.qC41qpH Ntu1 0t2s~)) êI>th/̳=*RЦʧ0T| ?jOq87>*6OR]ғ[GNbJaA {+rW")ⷽ6JnC*'Rryhxew5x/(WO JW\Os}uu Pf)H LˢYЈHb#k=Lu_nzw+Uؒ\=oW$icJFc})'Yd}~pf+(LV \&AHs=lY\1hS+/o UGc@WЬ L_7 y<Qt',2h:ʫjBhjg E:= L5aJj [¬"46L 'a@kIQе"Q1Z<>IU`cE&7[&7U+aE*V n;=Q ƄuQ+<„ݳhM\?x)nkp@$AUӠ5Y 3dst9 GvO^%M}7pQܝ$kQ#Q-Sfz%Bء]vdQ+ jF l.7G>ϳ<|`{PbWX\lT/muխX]2"50SXw8VUJBɟ@'bvl.X `\bǥ*r+jVRl7M*!/H4½ X )U0e2;Iד-o;Fi[:@3& z7 KD׊hqֶ GoW DٳuoGXdVXsnA+nPc 9z!8[@Ja&P3>iu12G˂ '}֟ltAr1Dy?% 㗙;]2T.LD޶=z©Eqf .kKŜkқqBzP0d2nUo6 ݫB|{rN l&`BM ,Αdp|یkek kR!ME Kj4mt_&$+ӳn xYWZ7}0Gi I%%a߷>pbk=%y2rVpfO+] y 쾍YYB{*7': x+sXgSBv6U/FԿAކpB+R3xQ7j6iuv)rdG;a͸68 {=1+7$  ʘ:y:krZpwy)j $Dʹ& CH il4e>R"Jŏp?P`/UDM_u][o@<_eßJ K$VL~ɼvnOkb ,} k"(شHjS4xśVJ9L7 ʛϹY :J4gbFv;z;3t@IڨK\AlȾVD|8;g펶cHow2蜻,޸y=JitYg.I{,vBZHnpʣʼn~oCRG"c)"ƀ 37Q@Q޶=*FolERed+]7 V lYoÎl 6TɥхdނcoOfxTWmgif"Ϻus"y QpsнV8Fv/<={Uh7Iw;n`ps9c hԌ&YH 9sq8O6J_DeI4^ZIY>=> 5&{G8qjl[)H_( S) GkQ&1`O o;*.V!q陻aΪΛ7a\/Su3 us h^NWb~{WثwOF 9+Qy馨(1;L5!+qqg:;a~h.10uA_'ɿlGGqɫ#9Lxg\98v;:焘`,"!˒4Ő%;$H|GUL(N'"pKo쉓x,Y^F%,˘5mAjH8+{?HCyuvOcO[y#Z*G5n3!N6 0a'3lz_Lh#}*:_$-*"İ o`=z!Լr f-P#=kc!W5qީK} 8BN4gQiGzq>'`o.ںb,1zT# Zw$.92HCeަS뽴9~QbpFϵ[~?<Ă,,[lU4Py6&Y.nÇj6N󥏺KZ X/ tnϛM7sk G47-(l9{l)Hh$*;4 aqE%*K1LY#O׌V aR Cʡ`E 8zڡWD?hI=YpGwNʥ&^R{DY֘z0-CX1cP%S8fmUP' v~m揯Aj! KV W!ẒcDTlZz&C4:K¯>f{u?aF(3-4RƮjV䡶wixvN,˅tHA P}I84y},sAIf#n#FAtz<*SO=}3Ãuinǒ˰"THo|TU`)V⃰el6ٿQw{P iI<7B{)ȫݕs1 9z6pf!4Oh 5bmxdmܔXZWщ߿1fqI- M Nb8|fz}OC_ Ɉ"a^o57x5Gp-|Xr3]^֝ڢJY_wGsȖkZ%:8V4zYg"i/B >9|zU8$2BtVf+6-%j%'r`/-;4= !'[)` tKNč?Q8zt; m>Q3tdp>p-||uma 8sY+!8tj==u~& $NlB H)BJ 6I"m MscڳU=% V T@?'m;Wz7Do]%,:H E ¿V6׳r C|P42[%jt_>Iձ\5H('ZY>W8!'WVMRb[38<i(7XԖJk.yIZB_ƱS{ ]$'PVL&;҈vh"ľ֋8e?`Ǻ2 {iMp>'A_f$*"=ARa֐u3 J~F0n C UD by*ȓE jYp=2O'LcG J렂24#5RzW/%t%P *]&>Gy+P-KX*)M=yށr,MQm3P*goBy^%뻦Ɇ?sֻgAx: rC2sHRA( v8@#Aƺ\IEC@PheՌkw2Lu&L$ 609]n ڷmkz"Ou p6(-r!" D?bMQ2 :c؄960 Z6 DOp Bkiz}fi`"IQQ/4sAT\`S(<VMBBJT'ZodZ&}reַ`HuxE!V kZΑ-| .o#xoCv9`~B )N'ޯט|75N5cp? Hd.42S4}KT-o"=_fqWpՌ 7XnjRg?ue(3m'tjq͹+׺sG{v_tI")mv<ѧU2VT; #mٌ^w~7G9ڔĿ'eoMe!pT{uJ qoq#u;B+-uA!9yNL2&۟56tFR z_=VG!}=nre"!̥g̋SiOƀ{4լ UA?6Pf F2Œte*kPFfM{zrh'gvFhm1/Gh 5硗X5{b#hYǘlKbu]snLpkh'Z.{hBՒ*q0q:Ցg}E4\ru!ryQΑo?6#Ydpʦ4v<찼uЫ΂Tg\8~KW2[N*yBz6_&0jNNlI=Ͻ[o #IC˳зXz22a DUPՠ!䅉TUx 9 ݓ¡Il`XLz|9?(V2G^TTeIלQ]I;0efRwչɓOGqcaSR0jX 2tv62ڇ=X'ɇM /h]$Ů )Xl*Uup,?5[aaHsha@!)}Rߛ/ȉBݭfEB6'Tc2ɽ`sˍ?#*#O*i(K(O- 8wAdM|G\^Tٔ,7w}jWRxet-"Aܶ?'%F(ǶP1|5+/\h鱆g`1ʍj|{ *S~! ݍW[.3ǯw+6g*Unz:Kao^ \0CPMEdFTDRMy6[~(7ɬCjIlʔ&y3S.k4t$?1j` nQ{,%+f&ߘy! ݭ ̋V X(U_i6skWGtJ8>%!u+HJo8%h( fOU;:6րV{Th){*_}CYJq*< VڋW aHnEV pқ%DWP˲6 |$wO{_b,YgkdPD  Q,O>\-tQ͐KcVsc'z?VYaNC7ႿHF)>[xc=vb1RB~I9uL&R(C<T"FMM_8\oŴXs~p$M2OI;q;I8{J=F;0{Չ-`Ӓ.xhadۧ*y. >%"}QP@p8?Eg7?SpmaO  | lJ4]C )?(qg+VG/TPq0 ~pg~~XZ;0zR]b4$%P\~QS}-}P֡ڸXUNf;q&-M*ڔpS|$sIo <ʈyAE#%.sV:MLS VH115`$ބm1(Tz/3ar{n {(| O֭W'ߠst/vA9",C _j5Aљ rFt 6 ]*Afd1o]tOROÐ*[$9 !Q32#' ( ʇU,+Ǒ&hq{Cb WW olZ_oa6M_afy>DcSLAXu H33t+Jt=.sz$6K%6D dljDO/ذEn{yg9']j?/ٷoBfB(IiH*JX°Z~W)&(˻DE5|y?:?F>z$',ͦ#5_`ɷEe_  {U1? xT UTw6y]/ޓ~Eu FWօ[ Y'x(MjMhe4/бo9ꘜ W=?ϯ=.?Hsyw7XSr g : a6`HFUQ-$2ZK.am;UkdJ-SnNuЋZGڀ 𭖾#efdk_Ȼkd% 7ڊbԲ/5h.Rf;Kзu(j7vp~د3LJʘ"tԫӱ{Ix0R -%mjqL^|Y[,}RRm.r8Np[no#lB;0|ǎaxŷP)X<+Jв B S 4$pW-rrGL)Oio4)UG-RPHLY=pϽ)笟 2g1"~3apvi5 ܡ~9ޫꊪn2ϼ]~/ӊA`ӒDydKCL+MJM\ ^3dRfrqmO4M-wr[&DS]GRcY",-UMq4$tAHnvcWyGlVtg8v6>k$j=y/+UT+3RsN^1IE%VzU/DGn~\E=̙+M+P?ou)UA12гQƠؙ5ȟ[<8(sIϑ%#ǁty24AnSMl`|ON&@^:4Ċ/VRjlnS؝m؊_ Od &z[{͉_`m hUd~bAqi7Ya|>ǵdwPoâoۺƭV(qC^Gw8GGGkc7(\~l` 1½CC<B%WPd7( yKqGCE$ѴOh1p^Pr1o@4DRoCcU\v5xwm/q]6If(ٙ|5R|$E!L&k\C:! I6"N R[`O9w>u/юc1LWY& kRDN}|fȇ1xTV]qNs#7(ΤuY:n.b焝R"v-s$H?Mxmf;<ǖ>/ NRu|T>?I^I_D=0}y8Ϧ䇎fd`lsQsCc~W3PEw;cuq@Z5966a 6sE3޻(^?QGؼ94ԧ%!ڍYa*t |LdrVe?!7Q-2O^u"a0-YV>pL-{d5Q--)S nͦ3oG25Qh0ӨMr  +Atwiשuf.Xn+\Rg\}Ut&ljL#PA2N:=+ ⿽^ s[ `yRt ^a65%/d_2 p?ŜkPazj5kCK%t!:Xc}KCȕJ c#na t ,Ŋ`)WU%)GG,@p@~U#%9L/_W\sjKQߞ H%TG<Q4`yvJ Js~ }c&=KCQM(%F++7.fU~FA7rk8E pDE {B|PfgnE¦ U|ڔbKV"oGj–<5[ cDsAes+:U %¶ /p23aAP+1͡ ,iML"5,U$ck;1 lon0R.{& A3|wÔLq6D8+I(4D3pСƬ#k)VeD*uq5}JtH$r IZMvk; GWamk\.~ʟ}E} %iX9 H]*KAhU : WF*bUNZ;g6MmolT`=؟qkNy鷠׭=3XU(1:&٥y(ߔ: "8wYq[BխnFdYXpIJl~]ٸ&,0ͧ'. @{SiHʅs0U=f%w#9^5[@oA೸81Z@$JljS "b9!,Gt,``>p!tC׈_pm};P[Ͱj( I[wօ!J3( }g&rȥӜ4 n^_P:vl=)FͩizC,M _R',(wxշ4Ja-w^?iA-(/Ć[7 )~3wUNp,^{#xiAG$! hP ("yw HlV#XKo*!;hv%8aYr^`۞3ºcecj~b$x9=U!Kc 4Yӿr> ߇sRb@'DnR%Gf)G|*XxTIW8yc/;"a 0%@g,hD,R ^J*¶"[,;'%*V8-Zh,8^`߅5Zf*pۆX)Ϟ2Cykg â:lQ+Z=B[O mr4_z&yު'~[aft(FoHIDSZB}04cbxMd\EDH(g/$ d!Iihdh0r05Fu\9:xLlwaj\̙6u. YQ9ҩΆ>uˬuiB$.{ CeH8>7RFF*ʚJiP&>+g/7C*ն- tfk]A8Mx:ð?+7*q\:|p֩%9^w.?S}X,>%71WU?E*yl^kvEp$v"xhM xnjH+23$+4 RڵGU3_ҽW';:\B-ISdk՝ϤكAnC*-R x2è5>#DC-P@tf#AT_ڐZ9LLTv7)􁓄|K&T҃TE>6EH1,|yc.EBom%o?b#Ytmp>۔o РSB+,)*[Q}&Q-#{@r$[N(+GQ\620pOݳW;.~[kڑ vS$Ӗ2sZ M-5wU'C*\<q FM^aG+2*%xm@-drFxH>z( zc.]C{U".(??)K`MV26rbZ~1oWS'fj( ]m7rBloڢTnݝːjҔq SX󎞅\: CPK3#,4c[:S$&ua-ڥӅ$2 %`*`:LG: 2TuA9|uzUf޻&zwJev4:'w9%Rڈ=OSwmEI*!H@;oOę&Y6|$n7U dL++"GU_j7O+(Dг{?>2W6̍0R ^A5*BA,|ԃ{m|]y8ItMb-U%\0nFbguĈI+@p7%@Ëڬ LXT6=w[d–+'|p 1zפ5y~v"*$ι2?9nM?Ï/Zqϰ0 @YD>QSChنd_T>|':-`<*﹋rfJ<>9"5ͷS'Pl[o XZ֭jcs9Q|3q6:!d̝d5yT^Juu( w%r`8{{t4 ){:"4m *+/nQLܐOa7tm<_{2}SJ~`BQhDB]jbE\6>6n55st1J^9ᐧ[#i5Zv{Pz}Siic}5Vrz0Wq|ծwWeڹ?6l- 9,A8 =q|6J2XͧG1 >y[X ѱy}Cør~NR~t$f?8EE}qTَvMcҗ9U`¤ %TLqwІG3qΚ4LTQ@b~#g僕I}q2 rSӸֵ Q_VZ$j%X!\7KqTGʒ̊0x0}\=/a]Sڞ3iKZnf>OVdf?p:qQ\JtK|~c8Wu:|rh~A !oY%]R MGL^o3PZL GXoj9QEX3LŚ&D[3C4s~4]v}dKU_LJA4\ 2ҊIYLS6Jq3ޱUn\nm5. d% ]2dY!vxW>QOf% lB 9tS(J4XFQKV[9 YE0*XOOCwQOh[ fO_1H$`HJ+@9X$Z5, Je!\rz> ŧi%yOnit;9UVFmmB%s$K4rFUbQM?5#j H吓w 8y0ǯp2JS4U<ԧ 8 ڧKl+fn, hPʕ@q|G%3>(Y%7+XO-i(5N ۿ ϙ?YjƄ>9'}"Wںjtn,~&{Q$Sb:.t||3sj3Tԅʃ\KH>/2( \G)Owإ(rm?y:/QUjrgRzficn'a̝0}+#y$zܸ.buz ޣ=XIOW: z&GEKQ>>ژ_~wY^G;-9"PyȎ6T:H19=NMxpH!ktƖ0:FUb]/Tmfnl~B_ `z1nA-Us9LٔV-8Qkam)Utx $Yn sQ<ٟJن~Qm^ @bo_y|:{ 9Y2"@+]\81APHEôɸٕ ڗ+MsjSx{5j Ϙ]DtCzA=|`/NMך8bH6blN+";+P!#_M R#![Ibv\0PbdZ 9𜤋u΢uP&@Mq@u# kOp\2|(3 91rshT0EgrȄ*!K&v}DvL(D{Uƺvy+qq"D.ˍJYץ`](}@T;q܍D҃ ]!faVÝ$l|%ѹjVp 隐u]c|z@|Тm-䉄w9=cB Bwq5HaRr:Reʙ`1AE&X8*1uEb2|2U G4 ۸(+;I.Ionaoj850ES%n.4ЙJ7hU3e gMjNSi"|fce3m آ:Sf9 |׺͜a{&uewul`mc\-Ok6"9R/6tݵMl1X+Mxhh%ZOH۷2@jK2V Nӥ7mȄв FY}* ՚lلgp*gLpR^67jײ%a:k%4"3cJ}QI q6?q.~fI+7B$}wszd '$=lϗMGl0p65z#K#g[ys4]Re(a2h5H Nٹª{ʇD#\K;?+*&u_o<ö k^hzdݫ:zRN@CU>ܓz56 &C kRƵ'҃Y v(: ՙ48e>I49:0̒^ q(:..}yp>(s6"jx`!p4]NϽSF_v>04xF63AHS7n:74Yy-~͖v6Mj N64I ;iEԁ2t ۠+ ^͛va6\Ȥ’R)|=ZޖLeF*U8F&dO`{'W>.,n{;Ao-l_Q\Yl 2ȢvM#? {b5|<M6DA:S6U6G8,mb"&1Aam ਄;Z# i^ bSp5h]1̀>}9 څf~ǠhqPd/v9,9#,9u]'sg:R;Sq_f `sR[ʊ9G:zu:zmѺMwU8S1e%s!Һ 4 9NQ !Jk2 89_P0O !g=GRqs1NS0SҚ(bk"r$]̛B. %WF 2x2yiwic%PVҀc!p:nl"Uȓ#@˰И^RHG1 xN/5$MO V=,?/i O(vXC|wBa#{(mi1 xэu1S8N{CϮ?AuXu s0Vgr,np4qcK+Z&oN9Y7"Ms㎷X[`aV"g닠I,X=lsa!Yt nGsZB0ŷ}&!^TM~砅}iU)(l'-poi.tU d4^q䉢U;)VdЩ%*rדpOxX0{B^=RN4/t\:̲fU4_(#JWٛB0uQ<:eZF9Ukδ}lַř-/ꁦ=iC@p2,TZa!5ca}g{ ˬ6?H|]&vɻB9'VQLWD*ŕ@}k=x 呀Jv{TA99[K,K\ krE@r;% GNIrd NFD%F.SO4ӧQ G2blANǬ) qဎpMD4Ah*6Kwdک-\4C~NvwBWmZyl=Sj:y{Rv/H[5{P]~{^DϱFqtzg>iڱQADyl!$WG~v'UU<`Iw ?u%xN`ΪFǿNnoS{j{$Y2I,5-AvK$SSgVEॳoFPѪ5V|pQ,EjnhQ|Cz[MB+/(e&|#bSHY {:rVL 3Ze?VV6(愆)w7m&?Ʀj#(TgJ.9t !m١.aA2o-ʖbwiA}AO}ǝ4 ,Ut6!:gƟG{#݇?6M >ņo6c5mf[/`:[Oty:]3dJ7#Zʠ]AfSvݍr6wK 9|?ܬ} .,+ ZۣU4G6c/O V:fTR;a/ÀSj寮Y-J.7úKgB)ĬMٛZ{՘%Cۊx0-3pyG=[H'7&-5rgGیayY!]ЀlV@ )lf=72ho GU<* O4\,ɷt&vsKC"BЙo|HFsB չI@)¼ ), +|~7&ozܶkCxDeVtlErF0iWm?H7+8 o2K4/ UߢNDs^"xkƐ($,o8r6Nk)QN=Gr`;i޲:?PJ^scrb],f˫}ģ|Jd[V֟*cͳFH@ѽcj:d>s{li [Xgԍ";yq)gVa}Ab%,[XZOmon1uibz9F%C(u ;Dq[3}3 [0mN`fu{%M^2DnJS!3)Kc#v,"˸g w5z RJ (hD5rB#Fr'1/N9qHyvCkŽ'@I"U5fr?:G]wPFRl,!9;U :V<6g:IY`o<ϋ(Cv8/ ][ܥoR&_ 桩n JDcc3Tk`UVN͎`wATdc{cp;h)#Xs#Xu**Z֖ܔVT) ew1OIy%WtI6H'jYxYo]KLa1I/jy;JK8S؁/nښk('/GU;A,8AF뺸hב,a,H%HN: HI~,L!@@:b6vfn(Z:km.o=o@m -Ͻ؛ ab:X HY ݀ MƐ#ϐ~lP&_Ub M?O[U1v0P^sM?͖f胓}n:< !bM)c3Za96o`]ȗх|-{򗥛q`SlCc:u0d!NzB19q)a8LЧ MO 8| F#{ZPާpz ^D'LqH76EiR'UȾ1 vnkZg/KCm K*H:X!jC(mI JI1dX}w]Bq $IKue4ZlK~/O. Mm*,&Ac]QA]NtJjRY7w7wB8~^sByU}Y|[4i~!Z/E_J&0zɣh^x Fl^Ev }ZDo;XL#P V6{58C 4@ ?TZ@"悜Y0T#͸Mk$(q:%ڻ %nB[ #VZkqZ?\&vmc⃥g٪nVu q7o'1u;gE ڟb"rgZw!E(d\Nd̰Hʬ#_~"~;7O$|)DFJ$Zl*0å'm2*H@x3N! sPt~! p:rT\]ʃY_zb\Jv,jԗUdJ[)0GCV8& v3Nt!QȳFE7UM Y~2IPK&P:~k^pk6 -f ?bq#ewa3jsXYu(vs (WJ5k:W2N 46(Mv|&ИmHy9#iF\M%~:"z;uQD0pXXxYp/-3$3!K|piȝWa_s5?A(sj mnvkQ#2(IQ鼢/.ZIz6> #,tR| wU0mD׹k]q.eσ! ;ɍ hrSRy]O+s,xXgq6uf!#H%o/836^WB[rD!ҏ@VW lPVVMKRTҠțwa2en/+lU o>oGqS QU0[+s+b(+ӠEBou[d oy@)-|~AOzBKωnF:3 QqH_1YK75{!vt.+M5hY~F6v\?2;B_0]f˵4:1uoVU{z㦺 č0w^[(XGe`:*+H.:μO ʛUhK@zU.[3=;?N@ Fw Z;B8mH۴ta0Xټr׀bȇ̵GӚ1LsunB kFofGYCE?oᄝzƆw_!^1;>w IJk{\ N8@lxԩّ%KJsd^I Lw5njCiwi@/Y=\Z??I"u&~Z3b9Tr ;S=<z\q^1,k uzӖVUinAOR0UxgM헋#/@AE'D&"# C5_c$b3r1?$1;0p&\}Q|<ݣ!Oin0(oMxĵmV^2(YmȪOubǝB;M+BDC')o5{w֍$ԣ~lYỢ5enc8ڢ]eӜZh^ kL=s"tv4~';ڕﴍmPoTmQ-U<*裸ZvzU}+P"<ӨI3'ai69ŢXbZ | ,kri$ | 0y‰\'bγ릋]҈O'x!sTfж|PZޚ;snUD{AIJGlG1/%w'EP ]C='}xM-/y)^!sho0)la{ZoA;gh؛GOi$ldJ/R04YI7ZJ| !>1$;2ު Mr+Ե 5ڇC/Fy_$j*!pQ%tNKR(7%y*ģm΃{B >+s, `zN__ 2k J>m@n6`V9@GukXg,(,:F#8 EK!.hH _9@,4fw7!O;ct%\q8R@/(R*n iPPjMuwܛ"+z#%|Ζ`gqzV{8]@V9t0e%Zԟ&D9d CxԳWpH0{'$R%P\.Jt`@HFSqbct^rjՑ yKWMCN|T7NܸկPh4RK2=9r}l闦ЦxXbȇ|GG/TեJJ=d4׏d%v0h&'9M⭗a;+6",`aկ-V Yp\Mxd !{_n]z'uĤ_@Qq=x%?LRTH1uj v1>/r;t{{<b\DVy<8̟Vҕ}],ajeMX3u T,&B>p smS4q7IN+V ˁgėMZM2)Эm\k/N`nd 9֊Y|POtpmc7X(]v{V{:@^C0X"~3u|R859\'4ʄsOW?3%ǨqEj e#,aWHZt&%Ih0܋~~Gv5S{ lh80 u܊` gM+Ҳx9nX͔ &lUanPğ0>zΌ,Bm&Eް"̛$(Ws3J͕Τ9Ȱ##_dR7uQ}]Dwn[_--#9)tJ]kr5)%# 3R|췅fNx.lΑ3/! Bor-ʾ%׍YC.V6⛄]iJsuf¢}+[Q"/xA(|p[CDXF IqHqyd!$%E$< TbpQ󼬕8QH yFp7%8sB:Jx R;_W꼧p[ vI-Gբ]J>&E6:@-ZY6n]h6+` $UO4M98|#4oتr(0#ͨ]HF ^)ѼGұJU.++qv72d˜\4פ0GHߗJ֔>s(dqai>k+5hv`_{~ߏ1 GfFߚr ~>knl]x{P8p^[J2NE5pͬ@ f营5c+o{p,OۈiRN9&1~_=;OZGp/k_G2Ue"G qhR9b@#dPkVvvvbc((eir "uN T+I?BP6F ɌiTQ?RPxtnKTЏQV2i|eۤ2uZE~UnJTϸOc.J B[w]*R_\$֋03ϨfRM)e.,_cy*@da;G bH|p |w,j; D݂Q2WA%vnw h9O e E/0__]uMQD@ neVZƨH$B1eK~5Še:A}X)7 <P"Q%8"5L Z:j@GY?n6N%NK ń)F^)|oىO>zse=nj$si}GR#1w='HRڡsjJ4Es">%XŻgiRR/`}?xƈ=M,£{+4TrjS+2Rf2CEoCdF B \@2<Ȟm2[lV/zL xxh/@iݦ!t `ֈ)QZgmuhmH mƋ;nCFFM7,8aE8`p `D{?o@xۂ?Œdkz/׺ϨA*vJhyS^ۣ =bih/YO`rbu-> T_J5M$*+ߌ ފGkrt,bMOۛO+KSujL U2YҮ99-<%)pңN-:tdd6ØrWK Yj.ƅ1DQt,d6=u9}e}>*kh>J!,b&s|˥zlB>ݩ躼Hs9Xwy։dm$ m h,H/jlLd|( 8qvTmWꭆDI~GX-E:gbkw9 [WصzFO _"M}uȟY_ߪvw?`ӲROlKTL ocÒO @˿Wiy5dOjPׅ9k;^#}B2]KMf$G77&VLyB(ɭm p'K$Ъjk-)o a|;\vW>B)"O4d zeyD,˺! 436VLVo bջ+ݮ2*s9^c'ʹq}Jr2&w0EUv27o7qe pם|`urÄ,ZsƔon(>H\N8;R;˘'x%giUw+o1$l<%( K!n}ixGၒmUW^-]t),auTS17|apU/hsW˂&;Lk U&e׈X*|h  # EyQ#Q_qv KY&n½e]{xGI/DXv߰>Z)6 ɛ1K|cR pa>Ȁ31Ec$r 7Hhl 0Fb]G*I lu|u+"V_(\]5fe'#ct_F|\#2%@BB^D 6#"7l:{ce8k;i3R?(1Ȓ?WB oH ==jٴr=3 ނdtH czJFVIA=hn3|B5;TKoޱQmwvZN7 ,әLRqY)=6V%n wXJ"|}jf 1h3nԐBH5MkӜjNΦotwb\N"W,W̭޴6 Bi1 I/.w&s*w.vazه"8N 1֮o<`y7O4~i<";~o#GdKJ5GSMG_(F׵Ӯq.J >T=8(m: XkYPb_+(Y*_V\$`E*am`?&*M!Y2E>X)Uq|Yuz`\LE/I`kcFAR<^3g3k$"{70 سX&s$Yh[|4aÎVލUpܽ*V}`7jJ7ov+cdZ q;O]ܢR )Q ,@]/_#BoҨka73#ʞf sw2$Ν䑆ocH rl hQ8Ϣ&YG<̠fUV4 5eϸC%ڶ#6RrDN"Vm?wD sslI#\%_Nk<X(Ը%t-{Ѵ0o0ik6+<$)=@KQ]/DYEX&F8Дʠ ґl@85p5\u1>EG8[)/\,kW,O;ڤzo K*CO79@$[<)I|1)}Qe;lO3C|)2A`X_B 0ԞA^׸.p5&ёGG fNM U< B*\`hFͥZ+~xij4cմیGܓ44k\P*/E-F6҉D/J2TkOAmiXV34IJ]f+<>,ߘ(ڇA*Z 1 twճIs댑6%#_>Ci\xK6bU4;7[MoZhYh~~m͹ܑ j% 9ϱȀb9_c h4{Ξ 3}A|x%183@4<`|1c%Z>*"+!y KjNHG2Z0yq|4 !juKUa:Q;8J5yZPOJeҢ!ӤT[`c9uG(0Ise' ;8z SgN2~{~BPH 04{[(=vT 3ݻO~Gp€%mf;?^{áZZw'_g9%{v3.n+nӄS?YdZ(+u}h,4өM>tA,,Wj&7cGaMgUr0Ł !cY(' t; F0f<#'=*xjp$ Aȱ]iiy=^2~7 .* ڕD&^O.&t6"5\}VL4/~.V[(]|ð"&V-{y߰c}\9ݹ_ 5]+&ƿTGVČ߻7nO꽞w7^nYsjgEy! q?!!>P&( &:tQd?Fc״EmynE' 0Sd9]ޔA+/3Lt>D=E|?~`!gJ: %UV6P 4`Yfz 7ˍQ5r!켻4 e}!ݠ0uV`/i%A,.coc;!JgEx*]fz]Shv%_z(&vwt\.A @ -$LE *z7H)J:Z3V}oGmJ|&DFfߤH;Y%pT ip𳴯^/)jf[гH[1p^7o9~ ;1j#@O+*nHұd*Yκ)0ڲm84ʞHNi%uo"VhB{Y=ɓ!}y|t߆YS<$7/v]vfe0j^눮Ux;ux6}fi eR(%<*5SfYi'EJ8ٍ(M$8>Rt#b!7Z76q|lZ8xn*\8w'.!J'rE^x *(Nd 0;eMh&6q#Vzmw&&fN o/'M=\'(U‘9c|Ef|b}k"!} 5b9ds?O(bءaf!:i9wUO8r\a;z UkU}cL!@f|#xHY_*zZm5;5C$Ka˙zl,o Ej(&]ɏ<\~ܽ?UZޖ)P,AlWfo}!:${%7ڏYxQh Ik ߆}+ev>iԴ>Ve8X~Yh:~K|`ȝO ʼP/`[ bkg$u *~{;7nca;{mFO+c*NUlb `t =Y >]ƁX_h9Q ScZuaaѢy 1&5wڌ5\O|(E޸hU7jY4+xeM W}Lt;=˴``c30>9OB}J-keh9${4*x8淜t-cyF H!7BGB&Tp\HSM"D9?5}z`X2^ĬJW6t "g\}r^t>tUUeX8NK÷kGdxd;:TfVJ C^C Х?Ef U6Zpw6uph%F&&~rhYQ[k< R+ e:n$X+O""d23 ՕUnnhExΤ09] 綼lj'Hef8MdPBڊ%>@dˍMГKxH70 S=El؟uFȒ4ZBi_CJjEi 0 "4(JwBI7V+"eesXnY'u Fl4 ڮ_ꢹLzf=[#ŀkd5`Wzxj_zcى5c t8o]y>#8+HH~"̴au,>;/KxqCÀ+N79 ֤ORv$N2=E{iB /hAY~˸Faöl`PbƲQ+WPnzB}mcI'nxCLwX'u3vRu`D(T0jEQ(M |k1DvpEtjr͙,pL\Y+T4N9O0iλ%hBkE}PqlB.e?LaOI[e4& ƅK;J@xD'aCV'] Ѝڂ,؟rO6-2FŸ0z."S³VA1@5x z'9}4eҦ/y7B@Gw2:Ġ¡:.;Wz +ƋÂLଜu pA8t?hZ:Cxk[J[FvӪQL+l,;y0vG? ^[RBBO2. `Dw)Kj5e49Ng =n<Wes 7cnwzl!!r5zלޯɧcG>\-ɻF~*aN.#-f ,-$oM*igz m.In^ɥޑhg%}%r *}EdfI[[\޴܉HX҉ 1Vo^. L@/=Io )cf|@rt#)4Hr !EMI[h~%8Ű2 -` G(Ȁ + P̶u{F~~{O~6G#ʺxPe>RAs/A9𘛖`he7}m~6a]lk#!{=xVuk?u7x|EOkDwlD3#;IZR7X4hЙ]Rn29W+Ry 'r'0Fat!DA q[6krR)2VП1ic99!WFdcu\aŒrR(7Kzgoͧ|&ߕ 8q)f& rBǹl;yF~c:?mE?w k_ρ7%k7_pۣ|1]B'b'z7c|~nC0/IZAk2 B糪Ӡ`C/!@pG{9{x* X7Z`=yRE=<5y%i(9O/[PW`4m.塩 PAA-œ܎5>kE”03bSY,a{gh5A`DJ>rMjúo TP4ݍUfK_ovbxxL^̟\m_ꄁV*֌dz7f ! _Zb3WA jI3A-c!FNJ[[SMHl "}'S9͐O/'a2Gfb;V(GqqwFdJh&MB&5"WF2xrJ~>6AwY0aZgItOR oD8%<LjoXP7Cx֢He$vnFev&9ChGA?4>'">ČGQ6c:tG |11`c>_hȆ2^8#o2+s 4b[:sC{RnLH|GlRn:@L@qX@eѸbNh 9>W΁OED&OZ/BG񜢆v< TTGX# cc= $q'NSDIf[];)W]ߥ)@e8wr0Q=̬ }FTwhSPiCf=s(~K_U=ULBV iӟh @M ([B3hfnT…ˣ$Rtp&LmI8 2;ԯD*0;}7t9*6h++`u0aZ<{ AuM9HZ{wTp0Ѡ$g=ݷ2>s:*>FO{7:G\BVRa%ޖ 2݁8ue4pßDP1,seuo4/R^Jy9n&7y_Ffv@3JD3fg9|;kĝmֽR9@nl^7f86ו;CeZުŭ=S1zPGv7By`+F"f *CАhw'0r;vsP9Qf!}FX5XT+6uCuؙۚn4f0в\\pQ^bXKc|2| 5ԊVhI⺖yt<z#TS,!=E=a7#&d:56&b)nqNvlFͣV7Nח 4\WEgqa0!g~~?KHe%lԼx+oH0Pl[J]lڰR!n5Tm;Ҩ{ 7*4ø?G؜tIE:̚) 6qu(\9{#1sҀ ɀ[en܈SW8fЊ≉g2M#@򙺮16p:(n$vjJkpAԪ/%f>8J~al{(%v[O#l H/#&y1C۽:2=${9a%|-nv'tXC,MMX~ad,(ܣ͓9M?<Tbb7uE e]ޢ <_?v0rWM2$q+BH7#T3`-çZGEKڰJ^*:|٬ǒJ8mIQM@Q~.fYݝr(e,{ ɨjP 'R~L!+a(H ,6u>S@| V؛b 54J{$֞bl( 7nH9׬!\;ǘѩ81{dݯ Z$3.*QLcf&1:[+8̕M ֣|?Hr3z2+⃟2bn#a{d$B9B=b=?l/WOCԊM!]͕ZGV\@҇[btxչ cxW a˜nyq1Qj-V *9fۘj-d9B=rJ`ҹĶ@2XSkB3Wt<@[C6晉ۗP̗KN LM,^0{`; _YR?]˺F0peR&MhIP'C'WI`(Z(m=o4Q z}jh"gg-psfa<{PpVڡs79EvSoVܯN$5PTIdt;ҵvWѿDbLa6DI 3~SͶyr=EqTQ%=v6sGZ+ D:v/$HK۫H%{ LHil)rڸoLŽ7$eQ0ҏj>9fqԱZb-|+=-C萛m`K( = Uy{TbTڑ|H7KRVIk}5ݷ9NU9mqJ~,JDxz#Ueac#*a.6&\i.gzjOKK 8fc:qmG4t35a&vVivu*8?SYڹ ?v$6@%ENp7AyJZZ L\ ̠msM./5éC2 *UlWF{R\RtzpQ(5tz9|GK.GT~_6}*?xL\c(@9bK 7GN9<Աc[q-"s~L%]dmv(WX ąǺO޸A9 ,FFLn!DN=MҢg:/e\fiDu$Ad5k.DtǂR% * ]w"ngnf.k&G^F6D\|ಜ2#^,;߯-1i+nw{ǠjzCɑ/'OtNS֕moǾ]ģX~|l"r64AeJ3[|5͚+0aKB^c~l D$ޝ$3oeNvi\FW(|6ђ2*h@R&$+NN?:O^d b4e)s~mDֲԜzM@k0BʹV{Yv rERf"vUFӘoPL)FPNr5m?LK@aq4AբTfAU {q|F|hqe1`臃33&ƃZsWIG7d( pZWSM(M5'Rg%ILR\mYjjVZg%jbyF;ګ̭R%̬Os[9ɑƑ0`AGӢT:fgu?@+{1(ǿE EiP@8f0AJ(EZW%VZeQBT f*!=MIPoTS[d&'F7L~k TRe|nYnCjnMfBfg^#ȌKJI.G˖s0nu e3nUNGrdOYeui$dI1\Li4R|,:4+~y؋jfH TWXM$ ҋT;c- G]%sK맙$8+QȂ' As z}T?sMr%x]s/q+׎+m;5{i̳?̡&E/td^Jhr2ٍ00djH;kU8Ʊ@/&fc1FnEog . @T̶X>uI^+yNsU1 A}=|f֢||%,HHs+_± nK]y{yM\=tMr!Lp GkA[pT:a?f! h%7 (me#0:+ZQKעli="g O8o9GEb9VI3^ eIx _~kP!dWMZk40?`؆׹{ b\LJ2{wLSgH,9D$g CGcĸapYڌD<V㈂W#y<`Ժ%wЩl!UZΧѓk~*)is|4;uN+<1J\|ݨz #v,xFB#RNnTȓǥS~vpjZTl=DchV}y',ʱ>HDŲ7AB˵2;7pif[};K[-N52Z:V|;{yyP/|:cM1LIyS(,deUކ ^h[\0>$Yf׀OƟn7O_fBC+aw31]?#RjlVi`M*P<[ﶺs\2ʥd7TtJC׮ /1WKeBiFO`Sc*4RY+-"I֭ sJNrO[CX1os}|dvVtg҃̍V/_D#((hJ)b%Wz> _!. ](Ə2~ .y6>9[V \HْƂ(& ПBmi6b3a |Y«$wN~oyp3HeSYXk nxI[\n͗8_@`DG0KacȮA^ѢAΞ"LT&28Ewg[@pjrv_~JE 1. s>əS$:ǢqW"^_:(Bo7q q0m .ZZjCt +ZiPY.e/ȕ_Bض^ .ؤnЏ3RGH#y[}r"f 93ڬ"$!q pȀp9Q>VI%_ B LdT$P_˸noJx!tL p#>LA8F|'l7^muQ6Th_Aھlc |RV~'vj%NKƪn! |>U;hd3G=.pKYbZ;ER9J$⍷ςT)c@зUU/WS + ډ28Y fJ| / [Xw YJKhkD[RBt CT+WRYwa,y'?|h|1M] wi7ɇZ( 'K͍@uq|;fkM{QA2\!s' j1<su#6_k-{Z*Dl4D5^7Vr×7KIXn]dŞ킸@?Ha!ǡX 84{e_oĸ2|>2غY'E-ćT^lm@nt K~ZG #9d#HyJDj_Y- P2I5E3i[m#..lh'XHsSR ۧ4c ΂TDT*uM4vyL*Kث]%B;fZ< IFX[AsC=؆TZd2L5+Bݲ*I'Z·ށ9O@,%e[TC9ɊJMn@ԏ;O)Dߔf%x'HvrSD4L%Tŝ q@o1  ]):!"sy,W6nj7ӵpVX)[vpϠjWpb~$摶¨|[>ДoM=vkM*r dizk3ܫ,5YK$ -/]jK,\C޵~3#fevp_'`U%~QN'D/ wpY̍Vӿ{ٷ/=.n9NT.TQ!Oጔ,oH0B"бqyġs)geF;V_0c@jjX*m|ZrQ%BǦ7ˮ.3Bdxni@YͺZBI6AkԆNֹqv'YpF@-9z0k+,Wbc#%ҫӬ]NN}sdmjz?Wf6oν::@8Ymm1ªWȍN2Z;W__{ήD'NE`"N',WΏq\N9rf;9"K䋒To$05*!GA Vvн`Z`$ԣ\^+)son'㘐eW۳͍jdXҒc"b!oX>YTOHIplAH >(6xAj 6wOҶGeRTn.nG -|' f P.7NKU q04}PFql%)ȧ)A' 3LVhK<(<_e4a=\߅w;a'E_՘ DhD~u_0 fe |TtEe'#_n6Y!)"BTU69<"0Y3hoJC95 2F_2r{5)V =e]_ea5{&3WNV jUMw:enȫ3-,F f~VkLk<[Jbp>OO[Tcgg n07Oeue6 H-AkLٶL1eƋq;a*ģp`ZXG^ƂWŢ/лu5- P i"uGq{fyxΉ`2ۈG.QvkY,oS%/qJlw;fbٗ@i4uI{k=0O Qp~#ZR1$繧&"ƄimKŻo]$ h)`o@JS +bEvOy@"cqp:dź-KoC=Xa'm7)\Dk df֕FάZE1"d2(pqcl3294=<‘_~fXo &Ald_Ff#5Ψ CA0 ~ @u0ʒVy.(Y0'zN^"<٩j_.3>Sj@ρixFtc@5^2hnG\|ԼG*uHBJE*tVcS:q >\EA~+Fa!{_ }kmBQIe>ll8⛡ ,(а,iGf[ZxL7NHT_Ac&} "2j Ca 3YXI2??) ȩXQFXBx91t7m87ch/}ƤܬK'HJ[:6$>_*1:T^;[`rɪcN5?po+ʬ$kVmhЁsyWmE1@@J(`;WMݢ<t<1c'7{ ZͨKrs:>"I3)14NSY' Ltq v$PLOI@L5|X ow}&Bo PxLrq 5ks0B[?tb3 *m $$ru86 U)#SG; Uy]SidJJy/2f~U&ڭ,;ް&:(9Djo 3L[-2T]5ΗY  [!Q`A\iQ9.C.YACv: D=aS!h+M+L2d.&o_;ϖ%1!0!08AP;ϜxDgpE~TB /_^SN1ߊ!6=ra pMuu[-_,m49BdOȂ'm a]jV+<6l,,iIpM[߄D;rn6Qk+ qͮvMcaW?BVr, ]іaxkeH#GY|ֿ7\Jx)_,BϚ@rbz-B+)3;4|!0Y2wB|_I+}g(n+8WG5g3z!/ا> quFկ%-CB֗;fֆbSZiׅggeqM'dHSc*gF:<^hi%ƏK.av褕1h ֗m0Ɉ+Bz5:3aV:|U0<\{<ƨu@hҍI\ڼuғž<>zPVPm_v?fA"h $xH@<u]U@n[4@qgtZ{b0bwH=|wF3b x%d\&ֈiJ)( ߠflGI;cWc %yA`A,&فWɋuX~ V?/i ΪcNjJs*ݷOHnǰ=P }/"8❣LRjOnrJJr8Ϊ2ݯ`Ȏn Ck^''9lΤ=Zbb;vr`f!*S$4 %:2 lJ>ofoXHL%4x)O9tqx~=$kѶxۏo(d5`֧N Wxiu-%GUZR_e*!~^ AqIWQQޣKԙS-.m1Me,J,0#`E6".iʸO`6ɨ-?ӹ(&En^p x$sNIB"" VR8A+5j [wOUoC>_]&Vb7>k M6{Ot~,*&;6~FQx!.*`@1cKaM@/1'%Q"T k7 NEN HB mP48`]:@3jV7hc&r? b9KяAtτlcLcZz"˴p6r7km \ʰːٖ,(+ԃp&96R4z%~ rck[wGN##JDBEcȈ QvK, "}Ʈ j?* ]zLqeUb !42زȣ'yy^H&n >W73:8"~z溺fP.(Qh{d@@H\WoVď䫜")/U [aJ7glj!qKZ&W5ip˿q]e[ =b@;I/}!iWDqޗk>o'#_P8TdWLK䀭OyaQq @$gBd|bu[?($V\nr ʦ Hjcu2ٌW%+N^lF>\Ȋ.qLUff/ΕahN4i5 >tb돥ɹ6KpWCeNQU}m1?Ňr91 W1jylo^*dvy"u-{4HZ8nu>j xǣ!ɗ~qRzr%!Tu7" X-;8qsQeGٓЛA(4Aw|ɯ7lHƆ| AH׀c..PC ^Zcx&lz9-|MN Ұf}UC[ |.Z@,N gU7ڰA6ϿpuK)CxD]@Q.xN13 >Ʋډ-`OzqB/ėJ:?MԼxBDCl_hflĭ!=b%QRxKHJC0%۠8/Ђ ~WA ȭj-DuAkL#GOXbd -ZkNod(H *3F j;緛2PZj/CB7lݘ 7FIb( Xa.y`,!t:glrjEmOCdyXR?6@@'RA[5#):j,_ʞf*pֻ Ѷʦ|yګ~gY)@HI6xT-1G8rہj9~\gi0jaU #{y3xS ց. z؏rQ:W53u ~5sBtPЭ}jpˣV V~k̲hu@O^3C;A#GB$K4NKb Gj;]?x9'@Ѵa`ヹu3*Sd u?/>X}[\MpE@!pbNڧ;;KD MPڎdxӠuT-sLIԛ[E䊧53讍*TeЧe,'&m<ȏ% 4^\" 8DWrFgo\?*CeMfg ?-᤾s/KD2rQE5M?!Vct14KBb:cs"H^ZMimRw#[kR[7H^ڎcΊjPwS񢲆 zRbsiBKD cl`ti5Azݭ{1/@pk VﵢNV h7/X iXsT t2:w~W^Ibc(c6㸆P*& Nit.U!}IOl=֝SMVΊm=G)xԋOK Nr@9}r3Qy墎ovt(F(‚[30334/|&59HeT,َ4T'oM 6Av·*⣜VrVk"2-bX".+Jy˥: 5?]NlmOBi4q7ѯUzoQņn-Ƴdm1m8/^-H06-{b5No/;r I^6{kz.\Jo^5|CjҽZߚb3wgT~7@{)sWa*ŷe}>DSYcuVv,k!npj{+|2ygYQ%ۏUGr N4]Dt9o#:@N%ӭr1|C-=K'[Ȓ| ^"uկSnRXJmdfwFq>ɬ)Q.1^`f[w:"%)M祆ԀnCi`GQ6@&)V].$~k;*AYjKd~0v$<%IuY۴:\v+h 7-s\Px3g;q u?k wm!pUqO3OcG2ENhS7R#+ʼnE;١0Μ'X\@ w{,L_$%^DK=կV󹡹=u0p)o2}Q =To.haX|%ʭZwTB,:եB[F3BRR[tG.V%E2l;k$/N/jS lNdXjŰʪ5FG]bTշ-z9D),y0-~$3viY5zu妎&JP*Hޭ$+F!8%lJw1O;Pc0v0':hR(["EiM4LW#0B+dc6ZR{L!-ţ'Dͮb(:n{*xTUHDbuX?+*L{))JN k.pytmJXμ=zKugD>\=;cx.J).=tZYb;.cZpʀhꓨ6}ۡVh̻?x]+|۰-gb ŏZި6Hh)43"?̚®sp~c 0 v#{M=)slx~BWhЩCB'Xwϓ79\89>zq-P~]/d|:V;lU[V;>z>Iej#)"f X=nZqt̕ldJzw>tCѲni6rPq_TlNj}AiZ^7lTDȚ%ڱqL,fNUJv:l!" T"`Zq|P]2q*&T A4#ESVe0!b_Qx{āSV9WiZJf\j %i^[1e"Q hXەPG:) k4ai0YΌ:ϞdЗm2u8}iGs`! [lcH U4gX*yhΞEVcQ C3(O!& HphKv+a#ofMèۊ%Lq fHxŗ%/S}rx bҬ`QQNu0 JvCT;pyP< ';<} `N򐧞 Wv&>8&yijys0fzځU6DA WA?ŧsoZ<5(v6~G݌r6`av%G;˰\^|=v),ԓ04!h2jk.!>h0Wqn%|1 >AUx^-y|Aem&'/h+356; W!ͻhl}ߡlvd*PIzEBi6i9z;\/ims]s a!H R&xtgpS.L`K64n_-*99ͳl=Ec<TI%LtU%lUhl`Jzw\ӪsE(E qF@q\*q#I@- /Z|G m y [Wk; PU]ImFl8@ARTF sZE现Ù5]Ki_W[NV_2ke8HqPQUiV'ݳsQukk (x Ǎ-mu[L:q~ g?3~\Q(5Eq=2] ~ia @I/_F&#V9NȠgY3pNkAD=@%p.Y*{qLԒii7SsYD'Ms`KٳP 6ʤ= ߙ}6ށe?1UÀ1Tter>_ "]77#) ӄ_:**|9/I fD#i@Ňv֙+[uX|yޣIȵIT>FԣcZ5)E֤-p|V ?ز߱ k?wަ_ÀM}9Q`g@w^D0Jae2v t )=' /݂20$k[H.<,I6.G+ l`&zB(r,uTz!I>5HO̪5LjF J8 GKWT86\yV{]ߚ" Wshyq :p4I9LܑJwv#lU:j$Z}g a^CE@Qe`\lz<_EbţZ]Vq`,*U7O`VaVm*g8F+d-gm,]j&P>A0Ou}ۊB6'1vA6 Zi7'd J:_B8^sfRjF85 㡩8gBkRIG [ x~+j7AcLؖBgȅ)cS~<uaX͖W 稟n-!L:mx0TogMod=nr: &8>cji5x\,A29El8>l:Uu yQTYٌ !lY~#dZU]`<*|$#_%HOA'0nIp7ӷp,l),Ƈgݻ6g?Dbs3_6'$`S2( E)aCxCLO`q;7<鳳ԡfϔqaҷdgY@,ޠO ɎPHL<ϋ5Y:Q jR2bftbեzoN[@sA"HP?i6 ]/mu{&x^WOY$d9_F]ߡ{nw5[ gQިltl.-H$Sk>( LFo#Se(M2,qocIs"Tլ/V_G'gxVAB!˴Snx\L=7}w W|6}ʐ4f Znw}rm$>НVʏU}xX7)-p^tjSq-t"wp"T ];8mMّ Ud궮[b$y Bly\Qv{-^U^i%qzCT ]UbWkSU 5^* 6ЯG+0 B݌7-+F0tGN8E n»R<ꥮ@KG0qYHp Qm#pٗh/àЋ8a_fA-%?̈́7prolLߪttf=28_ )$E$0W@NmEl +%Q4AUTQSeCrw,d4E"vMf!id {a :҂ y0X6ޞio!ɥijkd6\ ["iB'F'r0 ZvQvN`2܅^qP1;FsB{e𹍋 q%l֌Am[Hrg܁8BĎ{SP޺"[{4Y z+^ˑt6퉚F<Wï9G>~,=pMZgv 3r5u(~zT]7'<djrqO?IĂAK7$b}dV^w>FN]md+^\Dsy!/%lfk^ I;%Т(\ŪGn(oSd6j4I 9f#,KZWBr7o&@$+Uh (&rb؞#KiSnN 7<|b`)Ȟ'שAѐ@^u)1ILkH:w4240T蚕>k@ʲrl`^eQ?Z\Kq 9HQu x/)!ovyX79ᓮ pHυWRVOa$^Qhdyѱh/4&ãIkOFo,=&`"n@2WNewQ.[2jli[MnֽPi"ĩBq>L sץ=MxNe7Z1yJPh![m T.ds[jYE򬙡&UnHr|#Vc$y8LgɜqZA= jx t07(7i2QYKII<c˗M0|Ur郡Ib|ǁF+(wC5㯡[8JD%>tm ^d7i 51@CGfNy9 1,±J{yjH'i~?E~)Yw:ilF}1<Un<>?[t儳s5=" /gQׯU<5M-=Ks!X%Dď-Bzg2ThӘ7%\'}:XoP P>ST Bfu8( \u5]Cnd@[L[;wvטk`^d:% !1f`/^IA(7M^VFJjlx2\OXJ]ZOΒ4 Az،o#( U_\Q8Cĭ:!:,>Rf0wYMƳe 9 =£&#nK4R+ߣC_ 2W]+OZKƦ Ke1'MDeCQ$Ub9LXrVS}s|'xt:{uM-gbZXpڟ|\.;84vAx%1´B,ڃشSBw6DJha 9LNbE)Q\bTbC_5*FF,,Qm"_l֍c3lcEvyuL|;;0!=kJjn|&$JBWYdWL!SrT+UOIA)Y&VOaW|TڭOv`,s(FоJY#C?νrxZM3DQ@c{"gzgsc*V.a|6ݸ+TXp_R5?q˨} =4VEOJ~>z`ao=(_A*≌ [Zzr :@^#E2FH$=[y)+5_Sold;\"lg) KXyUd#b/2ZEBo UD&-v gcGmQ&}VjۥAPmE!1&f;UcVڇ 9}Hxt AۏĕC=TƒQFʺv&%fF 3,&tCN% &/ljrU&vV9 Ŝ#oLuO,i':+L`7s.0#f|,Q5i4A8 5Dc4S`S<@=d^*ŕ ߿Ulk|yᯱ"on:x͊P\Ϟt ]% 8?@cZ-۝?TyLV"7]9Bg6x^ Jɳ`Dc^lF6$v'=)`Pcu]Hc3KjV x?RY!EGb.1*Ng,lf^{R3zVhM73{D A.n9D}ʺ|?tY]WcK HX!SU_VE9'-q{T +a.鰜'Haa\H&6gɇ-has%jXw $J-"bX_ pEvshwlegK#{vM_3VMaſyl~֞܊ oUM9J3Yŵk|dUEr&GIN8g,ƶ- YGxU<Ts-Dcxܷb;H/Ftoscb}Џ-jבX[ 3w." [MŻ-gRPǀ ,앂,8Wa,գJx If aY$1]K5Tm%S{D- Ύp@ݟ?c[";RukksCi |1[DZH|VJG;!%[jqwlJ'/,mNCI hj'm\Aw7X5<]~@h_CW7Q} *١ Vɇ{X6j#m)(x[}RͲbģcC,L_'Iv98=$xwH@XshaY @Pi{%Y'&e# ryvR-GoirG5qSv0ΉaJ| jMATUI؜V@Ӣ?UqQP&֠<=K ;Ї>XIТedP5I3qP':;6Ѡ649ŖFrhIr!b*^ |FZe[G."&&=!#ceN1ݍ5zhkjhjK&pT־ےPc2o-\J Wiz5@Fً=:GBwJ9W!(2G<wu~Zl{"rدܽ%ߎ%j-K~ƦC8E#HȲ2 SaFYoV0`.YHStć{-m%`3*yZKU7"(Q|HJ rAV{”/^,m,i\*`.MFp6 5ņʉTq!¬, <9ߴC.1|j3o8JHi>L}!l4XHLJ]Qh3+ ccA *#@I}ͬa,8H@}d@ȉonddAe7J=}SMM=sE= eO:WzTiq +ИcC2#[D ~ Sߜ;=3wT&> zӆC JG_f^"N=D 0k?3enev(hNYeF 0d qeYzsߍpRLcty&'~܁bkְmLj^籜v7a@:Kc"m@ D˩{>^*o0÷\|'EnDMPs/=ϝ$&P5_vk06l *S-x,+ZZQ.AFםNxAF/BŤ!V2W`:+@[|b!(U$f7p!/\%v~5RMLht꿦jsW.tqc@}Z=0X!R0[}V$)y(cU9x_ϼO 9yDHm00#_:PY|v/] }g`Q/<. k`*qީiH1`muak*E'dD;w㑍`OSAc0DcxMRJA'KtsްY- *q&G=;ɼNI@Tխ~GR}ag6F=^qX4C\5bEj&\[&]"],!SѸ9uJgB]z7=a㤃7j ?уؖ=1ǃr"~ _>1u#:I#]$yܞ>i%KO(Ĵ%Q|4XE.q&؞n婓 FX= p*X?[\.ڕ!b{:O/D%"+? Mڸ&O3L%F0nqsfC׮`AzwXIlYjfv+ʣSR#m36xUNw{5wg\i,qg.({S\t&DBP)^-ĸ:xao-y=6pG\ȗYK&b@;JaOG;|ي;(^2P"7A-:D4-HY^uY\⪪7<+ yTT cF$Q֩l<2Q{ע{I2̾:[:Bt٧EHQ\y=!"]E.Md_hqy ٕ%^iyQ:2єW23C? ^- wz'S[SFu=loTeSW? ``{dr~W3r#,dxJqoޖ _~Mh'W_X* %UaC}8zsӯ`Tn-W%iPz@la]m{Τ+Zu"NYz.]X-@גSٝSWy31^7ȁv#.t: x2W_PV/|Gi~r"N}B x1nedzBցO0SםSjVSt@'?2\؛=툖jDM+௽"ȅXpI!|~6V&CHB/ͱ: ?|>r#E褼J8vJ|Z˱\t,cp_6K, 1W*z.m+Kyph侑I(!9H!u̼ջ(ΓUg ߡ)Li_: bYziܪ;9'|.!BQx34J>ZO ] Xkit&VAQ4o>sZ'SɈޑYȖ8kan6{WS;Kmok|=OSTj.#V L<_u2԰P['_mF9ÜxtD=+sʒSXy08V)jv8+'U,ta&~Jͦ^ Y #(V̷'`N;}-I.lz9ڦR3u#ɕbMxAU³ގ3RcÍy`:z&;3ΌsC 'g sɻ< /úT P4Jc1Fܖch (_!=no3R XX :[cڣ!s,dcmvP#?{!:3Ԗ'H; ̕tk_L-LZD"o3! ?'+{͇ZQ VLx-|P??r&|s?y7_wps\p-qG8-zzsݒ ⛲80 @I|#QE:qPRQުZv"9kp <*gVr93W55SЪbz׆+ NqZ U|?LV'vj`!LΫ|И |*4B9AH0OUss>&BpRrN:ȣ] aYozt'97UU$?]L}zxl#*U`7 OY 0ӬzUy;ܭ(㖡Pu| FL퍬D*S}#;LXI-2lzupcZkSa\Rp BaE?2$MQTr%YuY"Pai~S4Bo!g|OrcLf-LjBHv*' H3}Iw|:5hϻZ"[|՞f`liӿi;@y#f{"G芒QEErpj:ޯ]x:w 4$XXbӜa~(ǞOl,F<ި|?!‰ؾ ֤M#h4w 9n&ͭ|sa6e_ ܩs%Q%%%7he|'8%_F2F vl|L} 78]HW^Vrﯦ{./@{7v Eyӭy LK %9_?CnSл4izlGwmvO:N#~|S/gp><b58}I!ϖ,[81GA vOA6ѪPhU5 Y{~]@qxuQCUWEٛ,61;6i6%O)"5 5 !ǧf !X.pܞɥ/~Dp̖7~G] -!4FfGnѕ[BVm) t= L+,̉EZm6T‚.MQc2R'Sκk+wktz5Hznu 1n,3nAkkP'x l ItT+JGK_axٯ1g^s@.dvayل /M6)yn&7#y {y'W,Q|QF>Vt )iY]$xEs X*ůztLZ=U3Uz<֎AWpf%wM)L&J,% cp 啞/vsbap61o-GؘT~X8uo"|'B 9PGR21srӀ+ZQ.f2&IBqSFVݜbV%"őm{[h_鹜Z=2$\_?3'Ys\Ip|f,OƉ.Ju J9K;#km%A nb^}_uʦUd'M:%Hռ9@B v:Q9UX%O)F:i'kB[an+5D@rTr-<vAK˖mہITr}YBپJ5czXQNЎ ddK<_S :dM^(&,b+B#r9,W,ʗí _2kMHFS4A_X=G"{Haڰ NAs0MBS fjR̰KX""Xu4B$ŨS$ngQsnS>6!6 B $ozNcʹ,WXd~i(c҅'NLGoZ>*ߧA@j FC?}:_% c=;a#zg(F|f7sw}`=f k8hM={tjce?)Cqׄ_-8%8geKTᬮ#>:{?\[XKMmP`y\h贜a+י~?9^'K4yZ@1ի&:{aDn٠/_U/Gr~6Lx2>K\< iLHI_"sID~EH]}xպayǓ<`1 A~3j'sw0[arvgI=>١χe7,@]o_ PL̉Q{nX˴%R@qb9bOC7vVJ֎ gFь{J2=#Tݒqm7@AuG'բ'%WUQ2ܻq.+]7KLR,DN*Mdotf$sFLE|/O{}P@^HY6ca*x`u\InfNٴ5wEBMJ]aۓ].D*Kmw!vs~q`Pϰ ]B4Y>YMHX_1.0 ﱧZlV#tCp6rͽd)C7| aU(<ѐ'Κ1J{ѱ4>mc*6ʣ`.1 _|^Vj"hpΨ -j&j 巈lO)`GF+v'7tf;h_C%W ry|l<;uNkH0}ţ~xɄ_R ;?DcA@*% f9 }KdN N}s^уR3oөp4 XmCY]**.`aܟ)RDiGN_ 2)L~kIӻ#VG߇u8ƭ]Kx<vpBc|[n !cl2Fv` X=\{xrmCPioG*f6%!ktPA@YSw"KY)ѧR;•`^"%KC EsBpt(~t}NM,?`OEIzTG Dgw~tch$"[ P/5Z]Nիl+^Z-W"l&_ihEK^1qA Ɇq`< 9,6H;31TӹUّ2W;))tj [`+8*{" x$BKIf׀l$/M@~lx wj?G^59KS{ p9>A,o5nܠTfiryMCh[CDTiݐ -..as|ei)%j3 aG,]r}#,0* QF؝' V(w)AZF)JBY,f.)\; )Sy #E EzHsqRču=͞(oݾ57}U8#ʕ#܆x DžǷ=V?pf2lV'I 4}) ake.n+t\ml]oiͲD*->Y\,\ҡVw\:#:*2J {53.I͙l֒ks{nL+}AB6̉NlR1mqY",4pVvPPpbi%) zWtDZE MHcA&eIߠc-V'KfyjZ^A'>ì_wfRb:݇k1hb"V:aRTk[fN.ۣ2,V -8Z\MMo)d_/FbT2+h 3jre%?JC.=~4- &mT1;&RQxy`XFet&S![̾y͝-T\#e%"ΖTleim␉XE6=f(89$XnIH{:/gKя<|LsK"3=O*ezqW8Hݜivewo!vkkmUr^Mm_ [.Wؤub.FӖH;Н)P,!Zt°AsM!z@n_1ELnHɐTV t,|39Wo9k# p[f/znw}LN bMiN4/#2YGb,Ϗ],P'ܖpR6[b/NeA_\}"i~:@^ւcp1PIvQ'qIUlamf@‘bZZj w"g/0ྮbo)s4lp =.p YDeb[F q\j ھni;ifYnDq:y+$S?ٟT-Xp)=,؉sk>CW\{0TUwc"(35aޮ C1ϮrF7⠆.q1/?yl=U eGwBmAL QWwhDJ֕`&wFQi4PS/48SI7<Nt S/H+~ ET`$Ivqeޝx8UШNXK㌡K  G.6 )98jH^|j%*J@4y-0"f2> 71 H׀t͔5D'Hȱ-,טJ9_k4xٮ _(PE&t1QhB7L. J|cFow;T5qV;*8vX,{)%m tf@ϰm нv֎Ttk8d&>|S '8,߭.25@޲lvZ;eNx} -C#";?JQ 2>찡[rB /@7h[PIC&r }Ǒ–Bt3|3Jt ׈J}XY+'աfΗS0G++{L mDd.`i#uƤCCU~#h4V6̜ĥ^ ᦕ{>NX0= ˔P3 ʛS3 #ɚ (M [Ri{NxTKKAU[6y }`c~}WRlA kd+ KǙvi*Wf$×%#ܖ8B;j%\dy_Zkn2IX!Zo!D j\ _CBx!dsDpӇ@WnDZ%ˍ=ih >oBvsmL[!nWvѮjz|*@GNY] 3<ޯèavH'pbxx çujQҏh5j`ҁ !41K+vF+UzDʮ+@3-AP\~vrxؒD7YC,"Nqn{hnձם,։RuX[^ ij\w~,K:`c^Abr#q h/+;cP+ZgX̩,919/=U5@ej_ \ބ?$r.S Lr$:G ˷Pxz=r 50u.a$Fv2TPq>\Y%$H Vo6g9?F`@SwHLo+坏.Tu戋/e=gu[N~22N݀ⶂLYy gsn :NpOSSnl!OSMکx댵}/SJ%t4ߒPIOi!λ `tԆIHvHoDr5S9qKP"`C 4¤Ǩ'hs{LorfS18]\TծOzTeTקMJ/ tHRweqL`GP`J _LQzਟJSc;ۙ;NA7@UmcȬ-Hszc*Y8x[p;][1}iD,0=L5(ߔ| .F~/ f\|{ʭHe5"AF|:.U*gZJWcx _&*Q[wf!c@Y0*H+r=j"1F9?S `%%Q:kArQ—M㉩_a{~4F9#` LCW TD!}c@p5 3k bڶ.20"N vOH0 ^ey;Cm[M&c^gtwHq@ʚrwԿ3r+i!`T%hOWCr((sR6+N LNf_8r&miay x{Qss[Cvr_G2[UM~vZ܊Me"bEIE)ЏhkL>(Nf$I ѐ 8,1A MO!Ћh~o%FR©^ŜLʱ֡i|,w5 ͆qm!+eή,W8] i-eEuip|@LTxrO\4f?E'V&>D<s$NAϛ*x۟^ҬBš' Iв 90xHuVK"}&RuW{=z(}eIWRӅ3:2?U*1jxF<͔0WKRo,%o 4)OWjMlV?#-o"6#Ut4W;EJ/0$ UFi3IҔ'q.X6>ëKxy'[}5m}"'6(:1 !kTZWRz 3oH`+#;Q%Z}Y4;ƀCC7bmx+ƤCgve-}xx.o뒾wt)f~3/=&2@$+H}?$f?P'Azܓˋ-հF=52,KTo8´XjF 8G(bۘ-2ky L C{޼e ~yɾpbZIBEsFI[j [^ͣ"Ym- NDX+8{;h 5HxO麖D{ϧse? 🞂b1*e/{ɖ5&P$DDŽU`3X_Ω7{V޷v}M i#sԮ><{!rz9JXiL;u39hQMx eW.N&6p' & CZ@ǟgYّ#ϢMcnjmOp|&yub}FY n< !M݄F_kZ&n \$+ cgDlчE2TJ ScRg j^$_Y֏qJOGmTվࠈ{"l*=;ܿs߳=ͩK&X {Gugs$woNՠ R#o8ZD>4|?\4)ˢh; ĂXf,mrWoI߹~J+'~~&1aԠIe;q^v$4,0x0>rx)!`3ʧ/ qfnIqsoUY~=Sd8¥gd6L'`8ޛop06O]X)"qf񏖸fx ,3~zb֊4KQ0jѕ]77j-?g*,>QwJ|Uh<H_Ύ;H& H090#C+9@k1t}Xm/{Hy^3|Dۂsi\QFӊ4ksB{|l2\@b",M$"ɾKƗ3E'> d }Mϝ[!٫2V/N}LJ> -#^ xw1(w`ކ/N܍m Y,*[~(0J`cVœU.qJ#9DVBAY+)BpHMaӌ>8^JVhx.K­Ht e菜\Cl%_2HP;!j1N>G$ 5 Y7?:Sr sz$o W(e]y+E*HY&Mi'~ M:+{<Ba?{º4:8s108"(>#Y1G H.I2tP䜡xF*n2뙳 c|ԑmOͧQH5&䁕DD{ w0{]뙟J7$ @jt9`kְW-$>)d| #ҝM ϱ%o.-X7 gcHF>hНuY_l)H.ֳ9LeLNVHXyWQ^]4P%8H{Aaāu:&17SI4cًR4 5*dqE(H |ϱayV4Ӣ3fi@-9j(N]w&bKDFGEOyH&F޻6js {Ưn&Mo{%>& Ҿ&ʦX<'v*f-aXP͙KJV~8ijpz^;?vXndYcL.UbJ9Y\E`*Ȏ@vfwƗk$YX7& aUz~B~,{q*ȰA:i hcv0y9i +hZj21ZAU~iЂ4C3d[A6JyJ--ЂbH,-bZFKK ƱeXSxϥ1uwI[BI EQ2*y8hm1RTWQExp{0EY$'vpPPK!k"Xb&I[JdSTlޯb*5$:~cR•e&! ~ Ҷ/Gk,#a80ˮWs'{RJ,_ A֘/m0O|ė+:ճ"oHk҂t Hў/bL>a*ƽ9ܷNi&G1 _yEQ;`_OnŗiWRU,xwB\G`&X5ׇ֋FuZU6 mExP(م\k.5XS̨!'cͩ>SGu nKPKQ2tZ5J#P r'||ă~:TM  []d,_ٹVY~ g1L8()Ua₈~I fdji+' !1!#f5_sCD2WhydRg [ry|QDJZ73,לŔ@H#$xZ,bMZX`_ oSL(X]鰲脧Q}a@h-'-qmo[Hn(kќg<}f߯t;DK/}u| FƓ!(+-.rp` ܋0xn".sT1RNҏ1=)1}d>`*-(-!IvTgy_O9E){q-˟{LTP ebh6[x帢O} WERfcai E_,ug(VPs}iv+ȿBy̅9,S[s %}ְk S43l5uņAQ|ES{]Υ{B*Mp'B$tVD DX:1UL{sQ ?Ed65Л=#-ɡ)AzlA)>SN˜+#B N5p9% oبC߉-(,'&fD g`-lz4叠^2iW]Z5ˀ) mf 7}W f7:Dw+"KCIM#OM]Xjgg$kok혃-ڕ}HEI_y:ӓ*}6lWb͂=;{Z7ay:e;N%s2]0)tԘj$xP1?vEbi2W9sBX;%72!\?wR!,g@~|ꀱts"f15,CQ%>oG߯~M nlfuEuz8<<ݵ_&8Y\q&1x mh( +gַ<O>߂~arvIPIuJyV?rw.قӢ+6gI҉hWhQ=7gVէ:kJ}BA*5Feʁd"JLWx'e8`Rp х,LFm2)"SDU~87UsiXtCQ4cFXB]8ڿ[۪Gg5Catgv)Sƾr (L]" IjI!,%^mkH#6=} 5 p%7E(iA #ր7A#ƐG9$Nu ƌC(iDVB*V<{O6Ujb-8_x:PMޛB`ӪڏHcZUpXԙ2-ݫ&gP,l5 *w}:lk(܍*)G]|eM%M->A:C/ w;4g+ͭ9jJj4&K<LCޔ "~?±FG@1|Yߓ C2%"zeg}M`RT')ꬢpf[N(Ǜa8'Vtt>bVIv?ФxUP8Np9a.l*\kQ0aﻺZmN aRpK4)%](-,!wp+ܭ`130T&l~ZMf}񂚦4x81b$^.A_6:mDhg1YVM^r +F&!tn1)$CŢ -<4*liZt=da1 YŹğ7I'Y4}/!PikX2?QWBҺ$VyRR.Y?0 w a &I = *YO[ڦݭuVbWZ(i @ĀYηC 6HbkJ8%9 ӑŜ4% }*pNX*+avӐ_+ 9&1kʎg? # Hbke/)"Q6e5q=JiEl'"t$@g`̔tH2Xܵ 7 qGoa2p zvx sj֏_P Tn״@pY9C*c)A}5oAXݬmE v0 fx;'8FN۸3`H7OQ(] Ⱥ( } K-g,[D[WQAXQ_p:`,O7#)t]56YcB-GGq\x?2 /Bُ+`L$Iu􈃳M)x+ܭК G`KOuqdJZf|;T0"FD$-t)炙#K^,< (CZ.:rDd6fmϼUY ![>Ij+/\:jdR.CĄx iI[->^\J@x}؁CluP춀cїFˮ9piOX:>HxF0[;>'*<#meDF6(Tv~9 2L]lL[:1n\rֈ^YeP:Z\ {EƳ'~h >s/⠀y ->h<&f㭽YgR⸈R{RzTYL,XڃRJGpLB͑ KĔnFebخDQDA0W3`aUI&@~]~< ƛB'7lK0piڣ QH{ Hj`,ÆHUmtLK՗LKнE+Bk%~ CwYWc}[8Ư}ދ TUR|?]f!9cOg:TOpwyh~VT&LJr&C~F dWO{ֱ˜T#d [`t.L|i7fn+S[u`aBN@ϫs<_$!o^d1?KuZ?ҫX? \3!IgqKîJz \jc{8L6shk`iT:5q 9l|TM޻'Bs[!@y_YaHe_g?z 3DkBpo`QdQ_#eaVL3b6ِJ5bF#0fbeȯT0ӣ)ODcbs_iNS@B $^otmGm R^SC@B,Rnt]*IBGtńmyoU wwWۗ-WhJKO@b0fRynT-pV :H{|#z2|ȣ1 aFSơ6 HPm2X R~"ep軧s!fdG1,G?n۱炫F?hfB^J ǬrȒWk}{‹18m{xI C!^;ԫ`M_Ƃze`A!uK}7CvL6RV2(d?OR \B˻wun_TikBvPPa^]OVrovVwCk,'K|,"gR3J bMŧnזGM7G˝x=Ove"gyC%n[iUp0˻0jdd< iz h /͏V$Ƿ5mpĶV[_ Q_b\ qX??ز] 8rx3(+8ݥb*btr).p>̕?JO(@ǧ1} t?tZ\5H2|h/6 b}0lR.i52ӹo}ʥ /M;߷@H_6rщ>Q\fە[ׂKث>|CX/(w7rw*Nζ@] U1(w6(-z|dA/[e{D W$=Y:X{4!riS#b'H MrZԒ4ԼXŸM=Κ q(3{0sS5N 룬/)kV a?>mD֏89[18?kh'ApDXg^H"=G;c䞨DkIڕɷdm('xl3F]PW2n|y̏ĭ^tՇ߰h?P D oGG8~̽A"Dw_5LѻCgS[f L45;IM}`,U$[t\Cz2\vV `Fڴ% xmk gSr@$e4DNt fu438`w,F  57b{™5gv g^)c='.諿7d ^@xU>\ z%3@=ߋ;P^*t¾tiayHz/pťs_Ikr0-Kf]1 6 J' ̶uxHx߬ ̠e^ lUಖ}Lt,rUCȐ 0SaӒ-@V#ge jlޚ2Uޑx6MmWI!]PC:8T7Z0QH3f0'yT#)'~Rall9X&9jͶ uByWëGgU8UC44h3CP6Dd*򎈛)_eTJF#>}{#L0.`|+QNQ A3Jz4( %#CMؿՠ PPIV%{CCsp/::VJތDjf%&RfaL/UM_G4 -cce(_-c Y05ц~nw b @{4࿲4WFgh9fBc8xy-&k~=Wb–ooiv:K—c<ǝқ3P5}MSBKЀLB"'fKSt62hNj8˂GŠ,6D4FO <*dp)1|:o,_J;L`,ʢ0i 5+fR+`=4heMyG%6":FCL#̥XmjP*wxlZ/e`"*@9l[3#ȷ>^+wd+p!Vk9|7gzY> %@t:JH?pk7AjPpp:q϶iKzBWw|ޠ~mH/ati :l&-gD5?t$/Gs$uFpu/ 0lldH?.ӗuD z!dU kM NV+6}e 5v8J?Bqn5y:z.`o{wv0\ k(97Bu=~1-Wtpoޯ!4`fv;Svy>">/6SdBX-ASjz=C,E<w[c(~~yj2C4%*l\u.* L`TYKVg/-|H85:cñ^E)7bIX8_4kgee[.e䈜e|b2`D &ܱ:Lju(J--j (OϰsHR|u5 B8/!+T%pI Uʤ~ :e7b_x0cL7A1TQA Mda8_+&WVn7(x|\e_y.3~5L¡KHy29 ^_-?bM~Ǜtu$:?LS:#k\ ~~G8Ŝ$>30rtat+f=qA`Hkge^\O3vUkt@ٲDҕuXjni\NtZ9ݿ[ ' I zQ O%[[~ `cv@ٿ,_,b<ۙXi.ʗG@4g/-E 4M ^E9` DM#O8>tW${J, &ߤ(;՘'~gw6V?xIt1;ɤKr~fgG;*!A<~{YZi匬БC II@Io3Gf[A` pRJ-}\_{mM_HMc%D"ԣ#zW1#\SAQSN+NEQ G~EU';K#!NĽۚ/^b 8/Yc zi%J~L 2I%ܾ1#LH0VmS& RLRUCJ0qr !R_>x63awsvyCޟVvu%s_ SKIo3'g-ÜScx H Ӕ$3,C8@[ ZC()TKipj6ԡS9 S`sga|[rroj)W.18򾥉QWUćC~4*2@o C5ߞǠ-ݤ0r,᠅DWmeCW&[Da"df_W @[8[~WhWf[SbLg*\lP±4`Shɹԝg'扳\vɴeo["OP|ˀ-7Om pK!5YR>jw*Nq[r> vZmqԕrj?$:fzFBdgiw!w+C"ME| R=]C~O tMbrFK3D=?FHJt+EHH8 (J4F%M?}MV´SǮ,~ ydrUm*2lAo=B"er,uVãH9 W$0xfҟ6J,Cja3Pݤ_F`^13Ý`e!zW"Ks`Dt7=dپt(Ds|ׇ,lT0 XZe1}WcgL1Q0`EX@5f#cI `WkOԔ95pݕP˸ǀ5)-,cK:D7ژdɹK9eV/ܞ^06d0vG훺iQcH;rs@13xeT E+=uE/eV''Ff-x2WΪvۗԷ Џ@b2:hR\~"ُJo O14⍱g@olK 6B{Y Pm6w?U9ԙ'9N6q$\HEne;w85|~7yڕ`{&$I7 ~j9n&w-hv~ac[h+N\ot3;Ҵؤ4 ]ppp.#} SiU?GrRC(4-k >Ea A߹GbZȬ؈^7y2mP2jF0R:%떂 r hOڛZCMi\U BR>s_.9;sH^TD/AһOE_Q|%UZ rѷHG~jl+sT8g'p L{(!ە&}/SH8 ʈ'J@(ƞ 8 re KG淁d Ľ#Qkr/U`6q/ro-Kmϓl)bRY@< n|u<Mz+j]C&`17a2M<(vdd7*E}E\L Akl#*is둢S ˞c{.=ɺӰvާ(@^K-])LvѠWA’B\0N\$_']-ӈYW XUц9Mӂ5%dR}AecvruJ5Gwǔ>`5삭fB_'d=}5oN^kZsv_!Hqo]ڹ5:LVF/eC&?tg?zs©FRM CZ"อ6jyTX!opsicاpkd5R VQ~"]ML}0,~}M]?ДX_ 8MK yvlǽ1LMPSn5+7js̒Y/wMKz+kBKql*.H )E5[=Ư(ɱf;f-0QŽSj"E eOWW0?_x_dACp& ^*I)'d\zq~y"fn LuB,sl[؆@&ڪ9ZYݍ26!"7!G eZu&)-J=_$T'\[pl//asfUYnnI="p9WȭQC:V+* sYoT;#[>qp-o#+(L'I-0_WmrZL38h Å !:wl!枚W^*(# ?.GMBcg;C2po!:j[d""dD!=~ݤh'u1,^cت#[d<#`續:.oأS-=I3I(O_K&7RsymK,S)%w;'/'W jJ%ċCf-}NU3HTE1"W譈B_B2OI@=cC'/ռpOG2 ]:yeh{H2k xd[FR#j'_ ɘtcJKbVpɯ#UadX\r߯X΍3q!F_z90Ib#|qOOSڼ1r %Faa 0{dZL4iAYFn]M-۬4mBFuȏ=K  8¸_>p$f1Ԍ[>m"՘8k µEJB jhs @ !etP|{$?RPZqF]TK cWHDI!7#BWx i&2`,gIR)2>fu 6η@\0N=5BltѦϒiL\8BkT(zQ1ZRۤ=Ԝ]s31*kO`݋1 tG[_^톃HXmLe;}Y G4rv"G6s ѳhcWgBKNYcz2h4.JKPtaZ|_-BRPR~t6k̋704/HT U uೝ9A[fYgl6|ݬ]u^ڧmS Ƒs;($604hHb,S wwةU½;`htIl;[EQO)RWUV6gT4kS!}&mJ )PZ+c82'(@0Mm(N$}8|aZ, r֫tG']+qkk$8$1,fA~o7F+bPבGmjEɇ ľ9ʒ ȫ&j1k>ijbR9XTLζ1L6 `cG20"?P T2msˏq>Wf^+%V!~~v+|a)yom :bbmN~ 攗:BAZ'If[%bR^Z=N_Guk4O_'ǷM}cj5Akct(辅ĸU5 7S]4M ٺid'ё"NWO18]RBGcH8sOQ% Ⱦ(T~ޅ<=}j[Z&D3"dLpB (`X~`rA^;< mLvN8UYxʵ1[u_vx(C&}:ق1­IC_V?G$|$ 38mQHqHDkji4LlDp'Чk%xx|}ȡ#k[QKDQ:^5q{2)-]/fuBwI` 8YC~[ NY9OZdNWR9u|w2b )K ڝ({OrA+LDb[wwD #-Ԇ@P-dg r;bmQaܘPo,y jDzX6!GQnPrpm>ahML7 |t05$]4"lκƲ@mO~ZM$ASZjq E] Hx xEw>rP;ZJl)ykb]|]lvdt ק=+irp0 i- j[ jء lepQs5ewݛ@n7":s(OH8}B@1xXTuTúDeR1:VdV<%r/±bn:5,!liʯ(N3EkȤb~V:wsW&Cu$9P ;ħ4PA/o77d$\{y/kQA3Ե4NR0&,av~o䛟}kl2k =+sE ϶'z4x=@@8oOj^/²U9+uU?BWIR+t~ jyKQ< C#`fM_ѽy[odKt&8;'N5weZӣn)Usc<>D4xM-2v_7.7RZ^/,Ҹ \W} S̗haST<+ u8/FZ 4qHp=C?=ЉAl{^ᴟ0Yw_ZtbHgB0x9vM_sėB1s̠F(䙫Oc pg]pj1n@n:J_2g|/$,p\] *'MIC(]scC|&QmW k#$`B;"D7".Bt0y!{@?!qNR293w18NP*[y 2@Z⣠A\*ga9DϮ7{Yu:%,i+b}ą\q8:-G !ȋ+Ъޑ^ڸho-. &`@y*rMxPI9\Dt—VhRLp{C-ݒJy'nu$"̯]v3ǠEX'(`f^_bp|&5:_Φ66ˠl>TtmleEJC66۶<1Eҙ.$%$I{ctCE#d'ߐkڗG?&4;;a"aJ`{r?)dH#3L `o?eAͱڏν *L(yn5m_ŢBae"7_0Fg^;d=1> RH0jͫL?;FsOODo89riݎ0RHqYiVe@;zxdT&VW Ϗ υX2ӛn]IWDR|[%i\V)>W>)׆hu)z}{-}2ZG_o\ƙ# 2X?ױ lX#5`B8:ĺn,}VZx@O'&&֒> !˝7ׁ'M&eu(<7iv¾}\FD&yD쿁>ŝ@Ac%ՓsQMÄd[0RFժ.,uEӷR״d+{W1k 5s[ma{VKŅ@%:p%y7XC/[:-3 31`3|p1$b`Id F۞{r'X͘Gn-ԕMIvQB.扳sm;LzU "_Kh0Fi$mԁD崾Uw[o_{ iND0W~!:>BJHlZ0ټՉ*I"@ғ1rLVzYx9q^6BXykBl(*79/!g-_l\*u˃+q)lb h\q~ޫN_O0BX Z&qzd7h?caclJ1 QE]en tBz +htd"ZH٥VKnt1q >ۨC/bg/uI =5$ J_^ %NB?*~ =7Ѿg1aP?oèl@?,W5Be:ee9@"wWPCa.ok;NcR^u9BWfnI9GrjK'$#AB(caG\|(fHbժl۟HQt1fbn m<92t {u1o+%@54H%ʴw‹))O`pη78U-Xe}/-hc¸a ݣE_|?2DA< ^ Y1a_- f+/.ipks&SRQ[ V ξ7ɦi\,or#o_!;xo,)ˁ0o:0KJQV)og(oz ҀЕzRбx'i#+Lzoǥ%A+k4uS+!GMG9Tm+ ݐ㘮&e?;~B+a=)M[lbqBy5@Xݘjzjg[V%z,''6m Okz2#-]-KF^4('~ ^?'];nJ8T7SI /Tyke(=r ULY +7N78ު{OxRak}h,NbĘ'2vrH`'K0-Z .Y Z\j4_n&&^rqE#ip'Yao{A(i+)!79sW5sLtP m{b'_E^CyT\zEz? ku7 F݈ "._ <IG[o-M ȭS ,SrK7ekZ;&>I7F>$NfrݏdU)'pţ\!~hW~^{{n(! BRBht$V!# 7'*X'""``KSʠNsBx@1;a9jÎ/vDi' ~Ŝs'VN(|YZ>#ZQCaF`#4yl+v9NNuXgzz3!c>/=+nsG%@ocǜ.--Uz~*3 dcrbXFLKzV-,MFV鹆Kwj0@Sdt**q'5į,c–n~c~ -Ӥ1݀nN1؝tuiSlOW,>ZW^.xԃ΃o%4#r#tsQ|'tCF(fzf/ 'xؖ$7BR9wn!GP<[]c}GG0u02a >(\as3rGyɱTW_};r_JQ4*,ARtj^ߔTZCi%RPqu=mM+ac5gLWAXyv1 GDB ;a<6ʖ/-۹w%qp6P5c4ppv>9(񥁬T 8EDMpϰ.ֵ =|6 pawR5lM'%`CT 4eTȑiP_?{E[$8yJ.'%uhFG~a"Gx#vcu!ճM}b,-^$ !*cSj:?QرZղ2ڒ0aE֥Vz6cʮR)Z(Tw{D##NZ!4d+mE:(cy-Ղ?J'S)6;>~OɘD0:bGL}P}\ );J6kL5>j~@ 8.C{oBr?I" ;kB0:r+3>ͩf?`a$Xw}_rs a÷1AMRi;|& MA}OzVo)smiF rnL~\k_,0z`8t! TNR['@sA3K\^T7Xd9"c & ^ l*cKndE<*o[ySc\c]& ]h@|^Q`f'߭ϔiK6tS.}@5r`<-u-iP11&rO 6}p̔Z䇅.mOaTaX,~gֱvq{>FAF =1&2I7=7F Bv!KjNş'ecWfl\ AO4JL p;XA7Q =#ŇT1cӺ~LZA~=ڡ i:~e_YڊK·hNtBh6}$xEz&ێ/~\/2j TA)JK e=(ՖK`{:K5TB2aQybY*hL[Q @ +4:ã`>Ej[绒>h=lum?}V/DҤ Zy11-W9*uݙN6;U˿,:(TZj:uKXgL1^NN`I=%v^R,Ɖ[CYrO(7GEEZj6P/D){g,ߦˈ$=w2SyS'\A-W<&5qLylˇ|v j'oMHC6_yU}>1GXt. Hq%I5O?"J7{_w6ѥ,AWt649j\4)RJrmteq0Epֆif^ؽd J˛ؘ7,e[+]e:m\?QgQ`Pb ?aN2] iŽ*;EVzYQ݇l/%,80$,{ߥ.y;G98Ō&B&yR'h˝%mi{y*X![(v:?) D 5u䱯k?ƊY`';_~L gaOmABmh6/7-܌6g* ǂa&͜r#uc .ړHu~V7S_S1љWL~d፫j nݱ\nWs[P8Z+uTL\BBˌ[S)5,yoF$tZB[YU8V(eЮ71$o?eSiIG;X}?}Y&']6Ía>,#m^kn0ڜ*h}11Hm•[U'W@[_4TL9s43 ?aV%%6-LTd@Hm#zlp]e$LyD5b|&]?3XC!df>+3\a{XLRP{x ͷ@߉P0d'ݔVa;cz}ϧ0X <"MFRhxy#߉4zVW n<T=D+ڣ}Zm1]fB^3]OB3^,ĽU}W⑲oÓR`X=b.U#E`yk2Gelfɞ67χP7=e-=C)~0n\6 l)~l=MH\lne,kLߐQ\=C;$u*:M Ԥ}EsjM g嚙| "xGm (|Y;hDu+C)iw"Cp;_X-ή1'hŸtMY?s,ZlZpPP Aֹ$ ;޼s%1IjG xAi Jb}iuU̓qet Ww< F$ =l3g}ZzkĸJw{otIv{NY4cܐk7xnVff[t&{a#=!(?$H㲥m!W^ VzwCĞrf7/#% wic-aHq>)N(\hhn"} 1eo dD ᬽ`Ofn?.;_. :P}]BMqi;m,;@Tp=m۔_ r%2Cn##T)GEcE2$E2m36@RP0$e>}̭cV[!vH&_k.%і%s[nU7Ϗ鍯F&'{NWhVq-Ԙ?-Ƀl+Bz /P*/QKO3zdH$`\TA'&!]BXttl3Gܣ} pUe я~gU deӭ\a(E|p; -,.P0bj'fx!oS!BbRô>!i^!Rв, G:4Jfۓfq~+% t3a[rp4"cp^tKgiӲf Œy? Ƹ|9QgTPsKR' 5r LcVA/EY2Z:Rs?V"A~),6V=f~!uVv!D~( tfb$%q׬KBmŤw@pP~R:7n4zԯ5ƠJDs|ܯ5+<e1(< KTF)6 [D~>b>RG1qoP׵%?JTt2f=J\XLCb>#IAY0.>#ZS гêB}c iL8@Wİg-'8=t{IbS۔u5HpǗ/hb^+Q'?0a|(;V)WNѠE7>&]S5&YRUQEd+!X'+ WUҚn"xrgE nJ䀴NN !SPU&E/FIMǃRBt:\r$vyVqnvbdhFN$pbv "ˠaj2PF9GF;]tyy3q#C Ȅ«Qd-|OE@8ɸ_g^]7 6^{ׯ%szCHlhXzm);<<ԇO*J9,&dT\dy2UTno76#=X+޶* s)mxW,wBډa ;6'_^Bאƒr?q„0ݸRa>ђ _xJI~3c[4w8WnsYTaY>H[zsL6~ao-f:I&DZ#=}oGN1MZR4Ksg3Ȇ68HYfPSMbC2ƣqF`nMh^V؉_0!1PaLPV"~=HЏNUV@_ȕl}y:Zssg<^ gdBՊ^5lqx1ܽ![s7 o L"Ъep RnleKB:)93\쓘Wj p$R85uTHuQƏf9LDC'j>V[ڝ.DH%Gu!Ɂr|myHپ#÷\C݀(c[7r C[+Gqoؘw:.c 1<W_u/#<$p#;79vy=;%2e8ca~ʚ1%ݴnVN?,BSNqc ( ZgՋqy\5kΚ\O=( ԫ@ތK dUfivU]B<YfD4!QeT"Cbo=Z2Ugvy$-yW,-bSrMoB ȝ^wOhrr2_3iWآ?cŠEJ(UyiOe !:@8ZL&jK -hT,$v`a i߀%@z9i,|/ř .d\ƷPߎhp"tdQ׹?ZpnU%= [tOy*8ja,뫏㩥rVF/Hpɶ %εT#!@+c!^FY(Ο[Rφ0 tiӣΖM1]șP[bF?ꊙx+DJ?؁V$4M+*M1Z kT=x%K,im#PIx_8CV1ȹ{3ļZ\Lɵ *&. G0 uj8:8A"}89o`8A }D/azigq=1hH.6;RȆ;J]=x-=r^ {ҭ>^׭9R 0{ǀ5Ѳ3),:֬ʼn?E]TV#c@bр'4lc=Dztq h܏_f6ש?<\܋ :,Z3&"O8ɧg_:I-{&%ԊA;vQkB/}p+5N?nL@)9 .:cs IbFX,BOĒUJp(;N5pgަXL+}y6hy;|2^a?Z[8EIxcN~c S&J[0 x^+{WMbȓpTl9Wu۶vKMDg{M.^qPIf%/m*dDCpzZ#ñu|^UZT#W]mxsި.RdtP̻G$& !-IVx1{)(Z2m~0,IfBpǸ l[6qTO6śbjL:CZ.9z0gY,^>5ȱ{E2 Q{Q,D'6Fѱk<2I.{Va$L5PK U !gֻ9t^y˫;@QJ}F4VAzspakIEv<,PliV >FB \q}1'oBb%Gf:a^_>:˰ dtJ['[yB+U#6a%)M\=8 "R1AѸfR RȚMejotI#γvR/ʭ%dYGnBѩ5'JsWdg@Q|}LV&*ǐheg,!>QDi1Hu"rӗG{,^ 9cThHBX|1?"uE ]yy}ͷB8zo+w̻@EF;S&G55sg>׷ C ?pe jWyic:*"Ok$\l\LzqB؈G֚xg-˧2lX&]:州$ ?h&:1K5J.quN;,NkG 1 {V]B% uDDj^7QQäE;li=j pcvBRd9^,sZhM2(7Dzt7g wUťĊ0B#}j/4v+T0nr8Am4I~?Z EmL?3n P&0Ϳ(0KhylOv6pKueBd :⛜)#ArtLb֏J$V2 羮e`3,pVr>\6a-E*mv'+} Y|Br Bm;/|:ޘ֣X%O'%PGn$8U.&s֚n<ٺcalTϪvr)O-5:Z,#eVI{Fs6GawO'[l!~5sRsML HQP?׏?مj5iƈwmVJ >SDxy"&oy!5JcC+C EիĶ p2p9­9fRӌ*FmbOIQjuyɅk OK)\d(3G,ṡೕ=ba9^iDCR3kxqO?8ADBLߟ/D.%~Vch7UQ_IFkN*"]H<;6f&sXʂ'2J˸3Ќ-qz\!ieUB_ç duC_{DublbRk/m%69/1놎eˎHŠprNql!޽fk505K̔Gs$4 Oˑ\8+2L$/X +ͤtJ> ϫԧNb2 v\z1$"ku+E ]ԛº `ˤ@7K0"݌y=*&/sא:h@/Ө{|0.V0~cj ɨOU?KKw~%yam%yUlBҍ*9OXPxMrB}ʭe򫱔m?"$ dcVTBeb ־u,^.KGVZ/ޠ^jmMk>@j;'ּqc F4zV O`LX^ Q sO5Fq=>>Ǐ58TxrX$("Z_HHu.z{ȻᖶK䯩p ' Aw d W#9yVi2- ftcI7*5qV4ocRb%*ٛȃFYՆ;V:ҿ#)EӋw( lw zdp ͟YvL-h9ngdހIZ;4bW^bA%!csr߭j :I|%Gš#j5<":e^O9&>znZM/`[ Ҏr(ƎM4J$ =Yn׿%q:_kdWACS6Ts=u36N- 0q6JCkBeK-+{K(aPZm[}ѯctL#:FtrPU5/~/,%X&A P[a1Apx>SpԾ/O]YP8`ӣvShg_Xqk f;[~@2uN: #ƶu诉I ;ʌwU8Q7 Lm?8ɸ #3);LfxLz4DbZi~2ș=4T`]#,M=%1$ĺȁ ,_t';gSm$cTBE+úErK6KaD!k' ӆM '0Sc6{ *K5}Rʴpʫ^P0}EK$Ҝzc\Ԧe T;"n=s61ӞxpqJ'CFh@v>%}ZmOqUi qtKK`MED"ZI8,M} 2K) ȡ$03uH!9ݝJXBb+S i20w0T[2m6٢'OpHpSQ4'+K4aRkE~{Wڶj6 >PizgqQl'뒑Aܨp c@sbAwo-@&F່g>&^B+e:W F؍w"}kcڵƶC,V ܷpxɰ]oOQ<0sϐ èUQx;=ݜWjH!? 윽3 `8$ހ'JȊ4R,ul˜0"G-@CY=Ax@<(_RsIj^: ?4b빣{u N -CyHbĽg+[S7H\D W"yx׭Pq͞4?bEsf8ZA wWoW$zk5ݸ/S>j;ޕl'Zqzmuc*ur~:ry36y0 H_7ٴVRMB֒&9p 2.sHye<fnmuU<) `r nFBGq˪X .O8 P5[H#/玬[WP0+Y=H4LGm %V7EӐƋB!/n҂Hгbر]z!5ߩ4ʤt[0mUNPGvV(Aw='"qK-Ƃ^@yZUHVnRJp%@5ĩZ8n=X.iyBՃl=q]- a?'Za}"= br0|Ȳl3 ĩDJB&Nݞ]' jćHP!$ IRb=hيe}xӖ~lo)Ts_LLcFǨeHA652MMZ:F(D6)pBw:_xֿj{ͣ賹[+wo<\hQC*`:(ʣ|ED+2 P:lr c{9^/yQɎPz>9_/` &K$w~ _uHv(:zi/{i^ߓɣMȦJw\l$|=0TXkGG!vCj˥Bն6Ȟg) RN[T${'&U~W!nT=3Kp9Sje~OTxB87z6S(iIP®fC.=$[ ]AHeg2U}4?IK2K_}drm1 TlYx/g%7nO+''QbaV "V` zY5Z-LEDa&(A>Ƃqb|?׀ccN QӬ. GAPUyP ,"IG;,}=ffNk NꮝFKo/5ncm ,d*ݡ%`ʯS&EQGш9nHsAW٪X1uō5[/w*=:  <0Iib8Q#5:{DB KFH'b ԇ3(G/4%.hӈМ$C9iW;XhGe-(_"uP , F.8'J !OQ[v?>bKEl3QVX.N,$~T9 9**3<4##h($I13(L)qMukz/]Mt&eKa6B|dT=)㉫d¿my D^*o|o-~ӑ4vU#gd M)!7!j74nJΛN5LxF(+#׾h!żct1֩@J}hS /R5ԉA]=S.O(!us]5>dgNQ01isfWTq]53 Q8}g~]N0dlɻSlH:˺Z>W+m}•v7>ƊӋ P|Ǔ{ L<nDLNJU3:ۦ[-zݶH4 U e<˄E.tTvq۫T6}ćژGn駏j%h^̙ !!Q`RM9QI…*{az_D/bC F(,xzvDJc!n]C sYb5 q ;eEe ]g!<})QdT[oD%Λ ĸ}oBH MDPWzWh(`qø1 C9tJ=l-bKPA?4@ז4ޡRMfij{!aY|N=ԇt*;Q]5^& I{d~K9/G6F97x')^2T Bb>{Mhu'J%Fvwi~'De*Q- 06APnh65pn7C`<$LxM2[U!q2qlS ΜvdTaq6uR'行"$j'b+om]'QFΎ~=Ozʮb#f1g !8 {̥Q(.%8j.Zޒ*4/DH3Ak+\=CQBw`Z=O.+ބRm]F!ٱW('aHŲ ]&ѥaEnoƂԧEw..R@N/m7"~u|3A!c]{Av81tx\6E!j0;GX i3q]_ xJdθTV֕t'H\diɑ ڃ1>ģY#RM=q.qHD9 J$ȚiMQT:wf ;ItiS9ۉsߞsOK]o[b+| e/s x&ҏ=Pz<0P(ht60:U d%aEz3)!XIN jP20V !`Vʚ{kgA^ 17-+X߷ݍ q䛥! XA\lDEQXE/|]A+lvs1ڲ4@1YY ;i򤋆k;&L gQV1ߖdcA(,Xȁ4. @,ً޻w;N@:#HF'u^ɫ w`eG{2W94%Q s\7Qa 5VQvj%.;R%"j| FIO |>k8xۯW|l™m8t8W؞1)vNIc |H'B/!E!r"وTE6ͅd3) Ef1(qZNEOBk؉4w zxdiazk%F,W g$?MŞj`7Q\Esi`.3&,Eg>9發x ;+́vc+lep%*8 tf-/+kϊ{) 0R>MWyEN-ak׃.=ٛ/~ _j^N>q ?9s>E[{%.%]2+IP41VTfXV+zf'#N7DC2>^J0O)ݴk kP4zҫA] |Aӡ=iMO\]-NuWK%U+hgU6Lb9$F)xdz'lPC~'Ճ|0aοѬBč-o34aj q0˨a{։ꁊ̩ր-<0#s^G-݁G^yG_&N@oC:6zX uĴV yLZA*4;&޸)@'Oe-sRWxg_2Z=rta6]C+.`Z~ښX"%_U,x>ksR 0YGu6TA{XY~#I+c]wbKN!E}i2@["<ŝcQ#)XDgy6&\r!B5A<"eꁘiC&mljR)q~X`>t:)鶣ݣaЎcϑ[(D: ;Ȣ}$͢JJ|0[JDŽ@8l 姌aa2cPXt0TơӲF1"Q?e>TPTJբgkc H]`-x^APU"G>u*mBu!1b?@xciKQ:!:Ob +\ɞzglpw2#)GF C]:zL+޳JV.\P;1fjiv-~/,B_р9&pS=1D}Z-DK*N4ƚ3=[u1^s|Se N kI꯾{*̝pbdGyEi}6>deC/͆13s +Aɀxt_llix>{ W Ϡ CɻkfJ¿W+kt=xQU"s[~Qު u*kW [üDP]J9L|7?۬!/5P ғ/  fpǭklРa@d:[8HZAa02|0.d2REo[pN89EJǎQ$<-;C L=DK+ D :eȑ&|VQpӘ~n$/Mkv '>}u=K4fX ]%TkkٛAH㽻jNC톹 tVEaK.%wv&~{u;q#JkY[%~ DG+ ,q;Kzj Qw~g\iM qP`3A >Bϟ_MmwmI܁Sˆn0*.FtK۴Ebf=!2*,_ ܏9ԾFpĩ1*6$FBjvwj,UpOu&#FD0cDO26tJ"+<|nj*+ЍV|Z{@)k_ /:`qg¥&n9)TJ&;0F݂ Ӫ,`CXCW6 `6gX&vUK! brR_%s l쿾5i.?i\/FDX$>wOgKNm܀fS4'c9_16i4q"(~ OpyjFb)f\u՛to 6ǫ-U5O~G]$_=G%qKo 5`ްwICF`x`{Wl7NJP [[z™BzG)KO U7];z ^\.(~m^|D5|NbqֽL]&l&L>5drj붨kYm/ yhJ!? Ѿ-߯ǩ΀Dl}-zlY)ʚqP~h}3Hm_aiV%U䒙`zpu_vkہQOV/T۲M~~YWMoi adLq]c`E/TjmSu\N~,yR)$ê{e(4pUtmmKhN YN/t㖜a)}Ɋ k G%@c̎Uݚ Inp) (ʣj$Cd_7}`0o]sR#|zPOԭl>Jmzg/>zs1E'8 2{1 /g#h#Z;o'@C9՘Y}9H;z'-`1HT1mUA{؍+- D j{\ߕ(oγ(q0cccAn6Dk$a7ӷ1I" `]eJt 7ͧڔ*S'od (7xBPW52Aa}l,J I#B'ߴs'[V/;s{^0qM ?G1H Q186P5ne4*̥:xp{g fkeoPE &hqtSDRnX*ɺ-=KjRdۯ$8Zog#'_{ʦWT%pk*q4t$v};M3ŜEÔs Ҋ§:XpĪhd $#\] ᘒ3a cU;L9DQ=luKب/c֝Q2uo&Y7Ay9-l`h]ՠv$Vڛyֲ}-aI V/FK76و9=|lA:'uvox k ^e& *d,24,+ރ(ZJ>uq7k6]+"-J @}y"FTԻ5Ô-էp.5~7ޙH:~BZQ(dgy|, BK. ht}USU jmjO V)2zOPE|q) Q(xn]|D'ح~_5~jKA&kC4R[U9Q;}BI׎]c*Cb"fD㮑;/\+D{,2Pʁr[~`>mkTcmCme18ˋzG*v7f[SwĚ]6{Oun/=lҚCa&ӍîyT;fr5NYsKMOt;`,w ѡri.bPը+ uSĸ[̴Y% eVlzHX8 4E,w3އ.+sɏW79F'boDJ;6rWX ߓM~ pfE?&\ |lSXpR(e6h4` Iq~x+0ŤU9YdmsEWin1Մuv*2nbU|to7T]J!b/V<6*DjS4x.?g?%TɴXj΅b:q<_&7oU89&l Nz2ΦKuS'<D8@kmg|:JA ML"46pU9Md$gwU06cNE761#swT_Ŋ-̡dGWn)OzZȫK3bHNOK_2G߻rdsUL)%Kw{T0,">BZwd3:i Pq/6D0{vybY Xz*1'GHHo~F؄@n+Bot BZ:xЪ+>'{i@ȣ<KQg9 MCe@zx/48Cʫɨ, &'TY88tq`oDp KrS)4XUwĨ;=kf(dwhEU{,2V΋C!eە4>,3@:R(.dGc+Nw(mrDm3~V Q\")LE2k< V`7 օ`0dR-xѧ Ik"ƥZIͦ#Tt]Blԇ=[o(ԓ_a͉auw0v'JP\oÅy;gepr m, })jjQ[Yq|OŜ1!TSD&*S1_N?͇;K 9j3r^Ҡ[7H& E$#n: %Zx<卌|r2W<;6nlCK'| p(-+K; .Z9oe]{fOdj fc$hOөeeHQ.==cu~ ezsZnɺ˛7=RӗUMK[ 3.y!&F81PF\nDNAZ-ӮWW;G9rbMYs{ggebe8ᖒub,P Mb_䊽zg>0Ic([~sJpEv-K: O=! HզXjl_Ԑu;2I$GL{zT pl+InR!5ߺ`k#iAG6( EUUzȶ߭]`VyԛnY s.):تNzMVE 0>\I"fsɗ)_!=BD  Y@byf(OI2FvF}qkt=/Zf#vTfHUz;iz5wd;{z{xKf̚c>7T!\5*0'A34o$/{ŝLf=@ZaU.-ʻW9eRllSwYQ !q4'/2GS-Ff@x}tkY8iTh?$lB\cCr.[-bg:JYI4.*>!V))0ؕݨ1b fCee Ygo^}<[Ny0Qo&ɉथe47fDi9^&դ_ HVG4›!\ [@bGHaS0&QL]x ㉶z`]A2f`usk>,$)I. F]hZef25D~3d"5Ii d@ 3"3, _G>;NK h?"]Zgs7$E0:*}7b$Xǰ No9\5~]7qW(챠 :2},ҡ_2nfI2;&>EA87C)FW(o(ǏXoez d KhB=J<F { {eR֜O3ueH%F %dϤ9aE.jeC4fGg"f ;< >"!+#@z+s|B2RL\d lv1Xy'\"h*-kg$ۨ0K̐PѶb$3V Gi2}qA6ltr TD [-Sz3#Ze&TYk%^轑6$6^V ]W ^k)$p8v?, mg}@'ĢAy}sxk%vA/դ{UL=~|v%"0 & /G+EߴM2{uˊ &$OdeIsB'?;?6{̊*ac/ypXb=l+M`e.)oS@Qd7x&kfH.%3W)ٷ ;Di$ޏazC/ٖx^ ʥ[fm5pG_d$k3Yd&nޯ܍hPq3T\2``Cwաmm QAD&Mc/]2d#g佩ﶒfqbWcКF53i_Q`?BE!)\Y g C?wx#,vV9a&}}F csN $B+%(de F"BAc gdzVe:Liӆ;F:\(iV2v˝L :贫'`i41x51vY# ﯓzm.ɢd( |/󙌼;B`M,K|Kʺ.v&T'eJ y"1){va ִƣ]" DKmoc4"u.%# 'I78y$ٷvFςnE oMEb3ϢurYEV A]2@0[/nT'y-MϭS?2`E%brM(*.Eke#"nR9c`]3 IU*"29pA jj9t9 9=w}JߜJYU쀱A"俿BM#>c2b:&-WŢ0#&F䱭?j>':sVj<qưkcC72(>{y[mm81_)y6- : 5]]=zx˹m fNRP<0 =VEuՒ8 cbJ#i{DArǓ-5),MtWO i`IU_qϕcTGw7R 'o\sZ#9G)4%nA_iAW48Bb'L`]*6 -uɿ)"&;ơGWI#)c]t>0Ub'9VX 0}tڐo@,wRØrd yQd"Ջ ^W|V{/9h]rP 툚^Vg(t(j()#7+Tr-hzyge" :PgXn/eh9D隦6JIRΪ 𯟔> ^] re/:MI<K|Ykf穹lCS-ҩ)QZ-?AWĞ.ZbvnSϳqI~ %Xy;wEhŤ;RP6NfnJg|s0(q+;U0Ձ\tMT}~uLz D 2Һ*F=DŽ %zhXE3>,FNⰠ#{K˟桩Vٴ>LeB4Z,FIgm@pT^FxBn zG# -vʻ(5NY}Orª$gXٝV 5D`/oki>J9vNziz?uT ȁsFmL n E@sn2" X[s}@c"4\ `MWZ/- >mωE[Կ :EUj3],]|ڑja8ǣٕ%hh^7$͜Fpˍ5,jBh܆&L՜kzDϰ6ZJr3Mul|iofb_Hɤ-LZ%݋L$`w >[T对Eun)$NA)i,.P ChH'ůC[~x&d@eR7~T²F`gD s|Me I49*乘?Y67lSViCG;rIKЛaȧDD?)3@zEx?f$7~8(`}m-2&g=hY"$3OS6 ٴNdtuʉhre_va@!u)@{9#ГFIZ0VpjceI;eW*% )<^KKr9ؤȟJ3QhNhlM{9ygzdzWs6 ~n{YrӜќJWw^Ces“ރ@l1"_ xRᒃ  ܴTߙU<Ԟ.[76$u]4;/9%l ) ㉣YDž<V5\r:F 2q" Q?$yW<ۏˮ:uߣvExN~̑ eAb ʹLf/DDmPL~$(%#,q^k3TqUUfO +i>܅bTKPNֽqdF>ԶZiNdkN.Ԑnm^?Yl˖0{¾i(GXm+1R)hMc-$ªBL"Ϳ j{K3b +O)ݰx> 42L{vrT@x'|+: I,[%$6{po 2٬v姉]Ӷß]^owPL}ƚ>l#*? \i&E+VVj[xiVLC׵ LVsy:QEbĽh߇$Gi'3ʆi2]}Ԓo5sbŪ*_`JY" 3/㗎_xFʺ3v/#.G,9]Fa+$Q Iy2lQ { ]#Pn<<rq6QŵᏏpʔZ?AZB,]f=SAZ[W2B[9<3_<ԅ/D=x P};{}>BYA-WбE O{ 4^/>v{r#07\1Z5,%A7$ pa tXB;2ȹ&.$F( MuܠnOvD, ypk۞3Z?(z]4'=LwHOa3ξUs*̐tco$фRHa^# $j-koٰϢx~޷_Za++s0glY"_Q LW1^]kƒ@vʨu$%b=d"uv߷ilET/ak󻊗]}2#.Ng'Ƀ˻_`|e<`FAxv$Z9}я:GQsR6;Lo78Bbr#Sgˤ N]Lp\sfh!?vw &F/`94E E$I zmu== 6O$WHmvJx1`*Tx]vnU^]D0 Vg*%g)j#McQa*xt^Ͽ&gg/T?PCcQ GˡľumxgoۥEddF"#C !} 1XM֛u⢝>Qv~ӕ,$kq+)ĮyˆHQ%aii;tk*@ԕZ\X?$o ~?"U/@*c{n Ek;c0wsdkU V  -D |ocS6o^l.M^`w7?YT:_O+d : 2wZّ'뗫#Bn q(WF2NY#E-NA}:)i㑰 ;]vpr"͎w0>u@@,8+Yˣ>j\p{F7n{J{d>_3>Wuם5+SE!.u h 0A5gW@)4Z2A?Rki_H5>zL2cC>ֵVbdE_ kh*]2>z$&?9 ⌃sGr%{yUZ/x2s2g.ZQñD0`rDAжIJZe4Mۓ2ny ww[ޜSȕ.Ռw<-EY|E4%&@c$!a``yXZЈV|k*1(5,y,jɵ[Sa.Q9|)}Y[Irѽ#aZ\]Cq1KPDzYU59fț:lW~U1eDH c0~%үG5Ұ,)3)a4)5Wۗ[tCAk[ 'eWQ‹pg`U%6{wZk\rp1T!Rb`{1 4ݼcS(E fq !@14V>ڕ`sҞٔG7VBvEGrh5Q{ Dhy`qh i]H.`m W3i{me=[<*U58?D^ )o”"kQh}ic>Zp ؗp5f({(ذtݶQ>yyet<-״蔁 #%UlX>*ŒyR˟5 Eq6 zđ_6`zNXQ-xXGu2kPS8!%)+{xsTO~Ah[/3AA㝇m\Tx$^VxFJ>ʔQTwyi:j$Sc?G0mH> f`14-6 "p,9溿y8ͪM&yzq"m6_BP21J|-:ؘN+ǰWy]fI̭;{%ZݢJ.t|nZG<|\C pE;/+D1Q+!#4d w8' fǣ:$4/ 9eP_() ~Kx|FR;"V(?T4Y v,b''dCNEi}SgJ6Ա(7jT@n!FuUW:9ReNtb)^%x,P4q7I igrR =`F~dP@"ϣ/WtEB:qسZxf 6͝' Nf'ԭ2&bXq1 !?TӰi)mN:\6:mlXIrƺP{8,\{! 9V n/ԋ=99OC4)/Bc0HlN|+<מӋ2Cwh3H]9[E;5Zl%jɸLz?Ij dR2MhE$nrSL$ ݜ[M&tP8-FU o@=,'Hs"bS[ܱ,n0Dˣw-8+@DHUa3ьeEqD j)̕a#W f dRCȀpʥ.q&[GZl/`#',6* gUK~JS}yɗ|Y(s65*%dಾt/g#2g(yDP"[}ڀ*UG3R$RJHccj;ҼCrLCFǦK~6s1mU,֧gn]rh8I# ic5ϢpV 5^;f+UnKN7?u ra/ۚ1\CS:lx>1Ύh6^-^q+H WR,f 7n- _{!.Z0a$ ڢ?̸מs"q/D!' A;$Ú0c:;@ЇOVv#*4+~Qqy;MTɁ: lŋ)g;^TUmkXy~otEL,ʺ ɚ. B@\SIQp"C |Bp֗f p*3`wĒ(FVj^i@hD\kɈX#SṮ2s S5O@aBs\ :X1;"ޅ1}x=DF@D2?f‘ VHqj EḨ Ÿ|1۬<dnrOm;$xBGJvw̼úv@Wc!c`i ULi:lD 0vL9ͫQx8)e0 (3ZXJg "d<,}O&+m#3 XZR'tmԫV˰*8t0č.mQ;m~{t֯ۺj\gu}!doqF DMPAߩ{* 4,R;[ Ww"tHG# SD7B<=@;%T cUڣ(G# ,eDȏ8 9OFLx5e^}$ctzi>SЃ'_冰yo/T%2NiY̛Ol."G17 25NQ{bF$Ƨ%pGip| l.ŰDN+%Nu$vh-]U-> O8uJ UI> ~%G:َfw?2*{ ViH;wyʺob,Z—t-s] W&2Gݠ E)mmٙ^̴ .æe|cXpgV,onx:7U%5(*8aɞ Ԉj] ;0[,pt#O)(aY tv S "#z˜R?b_V$߇tk[9yX/- bSV&} n 4"㿈)raY2W(A9LH@6﵃WXgh9 ^'6~G݁\ 5ǯ}>&,wǭOC;FV72քRC_HI+yL;Q&^U0]OQg7AZ.ߤ*?/.ݹ|e-MB lW:@{|«BBSߺȾX6sC]K9&wnRa-Ջ#ILyMXBoXN$ky+=OCI(L`l~'4ߧ7'棻@.u5G !qS>O)y;բT؜Wfl0QDx+)n@ŞwD` C$$+2I\%|\ø Z%5mfZٿd@%y$[*(Aj@(Sg'~%0cOm)ylLx_*SlaqN 9"͓mOqsd׍0$Óːݗ6~7Ɨ mB׌E"ԥ^o,M::FҞ(z)6"{9'Lu#WYR&mmByd4,"Mr%H,l7711̞krR|(,v;<vf|]#UVey4G0DPh\M;Y|)ֺqhRGۖhкf_=>5a܄MLpe XcXgDk`%WSfO@ԓrYBrjYg&0ں$5Es_?840EW_^ig**$`Vha?KM=]3R3x뙕Txt}A33kN#$n7|lab}X48'מ4C O~HNarШD&o\0ͳKzj(Z~cɰ,(=o:ۉx;kB95| *5}}"j: oX?7Lxt8G8f-~T\xCm|`Y`x~  fWY17Ro=Tф_KEy%& Fcp9,c N-חcWv$ܮcW7[_XW-:|g[Wmt{=Q=NοaJ@EJ6ÈBmha NFP1:``sԤNgtEz#RE{:9>![!c,UE\/uq|]9ZGN(Eu<̕, Wwy0f'ǡŋAAkg<(z+j͞yV#V\]i" CMIMcY'J?MX\ 3N M҈Xe).LXw0y׈,GHn(\=f\  `1{a-db#X;닇=[b5(4{$*FG2ԟ1D@"G9 B m}f >uKd4ləvngw5/Hg2zo;]Z9v]6vK皉VuLL[Ĺ[߇A)dG ;NmHVĤK0*HX#DŜydvi_,)ެZrxN<||9ZgzS\]_A#XGn9X7`jy|Lz6)Y}*妍{N~Aɧ%mH8Sx{]>u;1NȨ\^L"xR@Ug@o@xԘhgX`&3drΕ0F4|J/c3. p(BodA/{ %%W!5 ` TmZU\gɽƇCAÚ6㒧)ڻH@ !jtXKoR7,l2b ͭR3AQ 4ԫ8;Tsw\hYR8 ξ %PoO󉭪gkyR8t|ow%z뎒 =-S)MqH Ks":Λ{H:wYGbö,1%f ;TZOϼb֋ܲ!V#VN$b j&?T yX{|5;]v-8G˜̆cC '&i'ڜ95oFmCՇ ̞H {kNϱ&VedϮʸ5@ǡ!ILg?\Sw۲ qO:mV&AzI@ƅ<᥸>xߣ4t/,SO^ 0k'K7໸sJPz46_ ܮo iL ]RX<.fʽ\.ϋc4K}0DhTJ=2q?XrBy :M(1ne~F\ObCPv6o{<޼OBrW-DANP-YIݩA4a]Psvx{@7r頜A >!k+}4š|1' 6lH_@~m .EĖ3d[ĬBh\Z-c$ R7Cy !Vv4ax _WyŤ p̱Dפ{G!YC9o3e,a*jg͓d4=W,#_ʟRϸ$P6*@2E.[,'DY2Pe\lsK_SRyf/LL׊`L‸ ڳz'{Z#u9&AONo&&o Dp܇A_?GRccS}&p`AX91fv#9ѻ;;i8ٮ9w)Z4N㉊U'~@E#;fHӞ$_CO#}Ҁa"‾[f֣xO_$vs5d?j3߮2]շfV$l&vH\7@K˅0Sr9IB٢Y\f{]N8Qx|7{|NV6<;l[_o Q7a*Y'x xYGf(LMvh<-7ve5cz%PImNˏn+/_ZlQ8Ar/z `b%r#-TfG+8 Ĝw'?I Cϔx8 _ߣ A[rMs0u1pJ5]A'ǩ!z{b7QшI)+wnd>+&WXۍ)l1A ג"T&|D% @ḓ ӪC}~}yq]Snc U}A[58Şzdž)}2m,[NQ,ʓp9 VRrW|T&/Ch PY[,N1%d7˵7j?6㺋R, e;=#hq,o*mקع (p𾱩K y%-|.r5EC1حP.$ˡݮLD45Qf\\|ݥ|eArXz R%)0O5>$yőa#:v87#L >(l55#cRP]wUhI}pa|P0VA"m:ϽΈ1a%a|z)CC:eӧ*VGrYjS(&#/3 ;}-zk5Mg.˞ ILqdl!}_Ok2Mdn%D7$DVh:Me;",U-ݵ: 6D Vz +>)BB$Ysh,҈͸%)X (DPnvmxb9,%_M3HFrQ@Z'ͥo-E̤~NkLݳh)[27hi@Юq`I:4_ޜYYfMfulgiΣKޞ_EY*cOJBmMj٫vHp%zƞL({? ](o9w?[Bxl W-Z y-ߡ7/ 1:JyVHKOѶcy6u@E&A)q7,񙡂YYPA_'ܘkwy*CynЫg^!FjΕ`yyLb#בzpqfuxAB ?T_TQwǜU4rf1Cv ;>(Ma%|YeR}(hP'?.FU3zJ}U_bM;aUA|bCSV Gz 8ݶӅdk!6AO$`tO-:YAa&E,0u#3])SI-;=+KbeSGfr(n5aLKSrƻr sy(+Z.o7<%TlVހp}iݎ|AW^8" 6wbX}V}LI+IFnj{5]Mz>R\Sj D~dgGʿx8d5T6@sNn]KDoowOY£*ogLll r^ŗ `N4οc[AΏE+2ߠ}9g巳Dr%su"SlcPB}a?P.|Q)f-wF$#>>Ň AMPj` g -;>~[p'wfa|Oͅ|ŕlּ`蔳')id*wVߐJw7tPrk LttGo@.ԅj %?F>1L}vyoī< n͙{ӫHPv4V _mTCP5BV|d( ?p+0bLI'7܏avV#4+$9N=_'ӱ @P+ mv`=*L44bĆH߾$-:=" (Y!=W\14V yfSn[htNq W <ᆝƕ16whs*d?7GcqrpяqBV̦UfUsDleoBZ:Ӌ![S55) _/9+ѵG+6)̶l"Tfp Z@jgØ*(9s*QTZJҮ]#uÎwKxX2z@}XCVht+ P>)Us55I1_Wٝ9 |O9=n*8 qatC:N]]#̎󲣮rR} ncX`I}l_<${<\hw8%ئs X<0v4Snٞ jea>\WlَG48ud?lK,`^ StͅߨHWRMmVxC9QB䵳ˀ\3ˆptl&h65!ŗKFcPS{]aa_}Zz C>@]'PqJw|jpruPšY1pA}S@f/\6‡/E*Nc[FE juo}ֽs@H ^0RP_5,Y%0RdY#ˣk%u\F8udv!m6,Lk36D`yDU-\D·+O.w3&ij/6*aΏAB"PaO*TxyR[*e|Y_ (2k i0}.~<%@ rSە,5"d1XsL"p|`\պHMOE=2d/%g wVl9ۊ@L /.ϯxRl*&>:-fwF%~LsO&JZfةt 8r˖c rT qY$CꘌUo#iTf1)!-jVjCPU6>$9B]5 567(l`8־ʿ7pk"BT νwxz/>FhJr>=;b n).5BBTH{HЖOw>G8X"mz aNA₄ qz=?DVDtEn\lfB'Hgu߀iDpf)x,Q&B :5=#U,rBEb0ۅC6LGIzRQib2D${4d2YΗăc넹v}{+LuI< d Se@|+bfLCQ ߼۟\y̆-63=N^j|%I;W7ɶQHi=˻Cy.U=p"D9†sP ilmHuȅ߳3lChٹn@;\w~'3972q ZMjZ4j";E* RD@܂#aGMJQ$$MdD>,Øvdv6oFkxr{ ]Qn =quHsLp#g>J=}{Jt]Պ6> ;+Ky57&/kAZ[JI?>Z<͉_%x`S[Œ]lõu 3K(;=[AM =ZD} ֓qngHBmsnQ@r4b'ۥUxjAkڛAH+P~oT7*iDwb8q+em1hX@+|P1`I-T5K?|&y%LI<[{P.0vx/lYHr s  ^{:7|?pxIbL(Y!{I f1%kF~;~K-Ajэ\ڲ-)n苔)Hư/?ri{<J:7R?wq0vc"V<UV9 M"Dٜ1J7Q+ݷ[+X   0I"Pa+=*X2sL0Y@cͬQs[=U}. duOa *NvTފTyG _w95cvC yK׉uOm1M4tyriAܦVP$E͖ Ɖn5,v&jEu>g==h]8^kFT䉍dISc/wvciJe̳-H8| s"կz@B? C͎_2h1 {pKлX"kkԍ.@ / ]b߈OF"$T]tiLEeŠ"f%4hpV^;mJ:R`=tgۋFgs@cb5yz$G @oh®YU*@Ps$z!٢0Szv+ɬ"_҄n C÷^1O'+żi$Zg+x&b+969pA[n]IKU;߆ Qo"1՝IrvA`ABHzT,?&|c"{-HE'וџN?}i [ Vƕ^3TO%%4nM?tu\b%ǖM 3$/._Z)lC uƑBh;I՚0.eRlyWa;WY|d b>b89ilԏקx=7%yx('z4}Jrќ{Οi,9E7j@>a8ڷ;PUYj nۇvDf#{ e4q,Ou(ͪjJZ֤bWE##GuN* ycșis/-o!H0=+@C:]/'=pleZ@',z?k?14eU>S{3rU%9EHNWSZDcP6U^K]_S'ޓE#J 6l My5m)h_h`e "%CtyOc$smK{?ݪ$QZD4\ NV3oB[,,\.ɝ: }G.amE~AMꢄ9nsƒ>KYqPD HT[AE^Hg MSLBRe ¶h8wVu5-'gcQ2yZX<0Ȩe(_1YRjcڂ}J{c(~&WU!Ԇf/ RogG5c*ck 2Uu HDhۗtbf` mۆDŽ<m˾.=ܲ!}8[Dy4ip$l~9T&ҠBy#j2~`F%+s e[K( 3 n<ڴH:۬kz1 g7.o_4LG?c2 TU&W=dY.장=O(g_fJ>7;U5{辮ZZ<^d`^Y]RZ &)q]dժrlEd.6YVn7-:;DҽQP3}[}TصrLȏ3B^k$GZtNcd"$qX[ѶemС8]qaTB{;̓2N>[ 51Pq$n(JQryUH Ly_p h X/УVT){!H%f̯ebߓ>9w1p,^Q pLV0a @fk@L5/n!x1Ao4v})GARK%R/[G epa5)o^js?DݘΠP&E|L1%=X>'0? niW1òWC[%TWa$5,:r!?Z]_Y/3Ļ#b:̌a L,z4[ JB*dypi2uYO)+k?'nKbOlŔN,ӣ ܚ! *֧>kKRiT.1nނg%zSx ,0RCPuPDns:R^2֟uKí8qdvF38}~-I95TGQ}^\${#-/*2oZYư6 \L!Nټٽ*՗U0BMFe*x\.dP W3n0o$C%j9jL0K)~-h S5֝ tAx=^OK{E`MjCb<-Q=Za6j踼!.'_iqjLdhy;-';[1,f|a~nyx~KD!<:6cU)|PD~@-JutI3z!v/ڣl\L%-aDB@B pJDČK;_ zh}9,n7l|ΆD x%"F@RtnASG~nyD88X釤Z +VK74AyaiX;P,$*Mob$Wf3kOhBn{U,K  Q}ÿYwnL2ϖD!(&Yzq74zNB& ѓbj{^kK|2 - !N@c[m'v~1T}6ߛ:oZBKO6D 'Qw~WY7ԈCllg2+W).7(Iq-MX썏c0b3`r}OUgsc僭j4Y.߰S!*YXŤ}mlyج-]5vŎ+bTot΅ФW I1hو d[֜]NG8 3b`&hC]҆'Q"kt^F N& "Ġ2&.YrPDWoJf0ZFxTjCF ouЃ XSDKs[Zh'I'pgp`ɠAU|39s<-\ J$IZ6hy**O,0c 0B\syNZ!C6Ri8hL܎hX,6X`J#*.2[^Θ ^I д sqDXr{>"e܅{ {hXq`8;=BRշ 2 4SA0!֘!jm]뤸[WY}%yǡ'̾9FL~3kz úg]XZ:WVEu_<^kdd/hq- ̜DPČ\q)2|OD{=ҳƇX-K]װWF9lO8+e5oӪzmoXS_ hƼ0JYX4ꕾ⌦0nkz;o+V{s[02E]qPW5K\@ Gȫc!d[~;0xd#bN*"aV&̧z:X:]gB"nJ-JVW8\JE}G CFniM%(($"KtXȢ/E4s~ZUzSK_\_-+ տ 2*xWˣ:^`|?U~jxwo),]{ҫHS(-&+vMq5F•/E42>hb@hRuKh(V5ƙ'nZ-}Z2]ekvk@zq"^}Ș}l߬*U͔n'klOfZx3tjz?PZӴ⧇}EJyHD4k> GpԸ4`2N!QsܴRo'͇K=6(㚩3$k08NJkHY1xt' +pNlw>1c 4n"Y W0B 9aB 95}V3W|u}}cxnFI8%Ҝv gʅDC<\ } 3D鷽{E+ }^9N+MSAg);+F; ȬLfۜn/.Gn VX#“"4I_9שZ}`\ꞑ",QlpGͪ3ypm?VbgT _w?u(ґ>f0aKqX p<[hd7 "Y@U@;[fp,+nEx91ps]@SMqP YYx"Prz$ cjz봸l};{ڧb9 kr7t +U> kaǙ&r'5g?sg,1ZH\B8Ĉ*+b0beⅇmIDn*g+nᡝ E8{M&o5rɪu**cb܉WÐq>T 5wC@8(ɥyA(&fv8{NÍ6:I2v^G&y(V\҂].ɽ5ʟzy /0gjD b?)TgA āg y7B?\hFr^3Tm^="K3}s=}p:W:vHBcC[su~C&K)C;*Luu+ e+ oen^Ozx%4p~}S{L7j{ /n61D!~N=!6k**z<&ȗ)_͸z3q"\_xȧ.b {C5-.zuXM?2oύVs:C#bk(ֲsuMP'&yzsDx MdۥtܕHJA|Oc=Z܍IS҅b=ؒ kXTAZ.1[=>N޲SB$@_.UQ+z _3&͚9fnoG5LjT㼜=؂H&g8|;NPsPز#GCdga^΅3Lɘ9#$qvbd\jH 鱸M'+eItZ_| N$JW(ߩ6 {bփQ!/,Y"W+N̻NwS[ڤlXtqUoTBm ه8e&1J%Nh9vd8y uNaVhzxKZJzM"W%>?]_hn5rX%{PoЫ"3 =u Fj Wjq"ŗA!.l%7\fw| qWDH}0CrfF'F?k1-,:FOr9ڴ~ABEHeqhGlg5υqRbIhoZTj Z.G Į,i:]搬*y݀v yf|b{,z`~F,VqNCo!WuFMyzر*O`20jFy)J-!b74!Cby*^c;QSI?k+ʓI4=ڤnY%tp/8uSycThx^ ڽ%v1 h('%aM@`ʫpg0 6UZʇB4Kp7 WȡF=hV~;MSzGU'8sTE@-)e#}j*z#4ϱ5?CCd(3G$j8 k3-r( xZͤ nMGK-yr )0SR SPJj% F$c{rʚ >`=m1E!rB{&iŻe tO _]S0`ÔL3rY 8Fi,9X#y@8U_,R{,o˿=(l gNEHt^kbvkX{K 'X5ns ֻDb6D'?oIK-J%!;@cx񭅹%nBkfCQpѢ)ba*sT7v8$E8AHwYd0f-Ф'q!9N7y?Ʉ}/q P۱Uho3t4>d)x}F?—{VO2'@N*jH/*pSǝ zb"ؼ0i1V:scX"B<}K1֖u㖙|Mٖ5KzKtܼ$0Yī¶2F{)1<08CLYv8XkK$(> L,&!W~VY㮻~lLTDZ׸9=TL{-ͻ5L^ _x0ìU0Aenzuj?81ϼy_ƍ?3E^S-ӛ SiBQVq5)}íV6,Z;GvG.ɖ8أPLWs_UHNwI}6y\ZA {Kr[)oC&\WƨҘ8r(n xX! j 4Iϛt!H#}Ku/:X,AL ƨ2gykMbk \ j%hFi{qzaŵHZ)2XnHp+ L'ajTz#(GD4[إCѹ/c]KQ[jA;@HlXlw;/¬1IFBnzRKuY%}Ci] 4tckf׼{AؙmLontzpsj`t֊7{\c=1{XSBiU1F2'0u`ΪwOSLf5́Iińjʧ532{oŇLxdFZ$\8\_8}B* osz-g\Q!5R,ue(I/ ɰHUDS""7[饛jc.Vur :!KX[:%Im=qLd`jmpDE2 zDn7ʌ:V&V 7A%Nn6mx v+כAI3*D׶Kj,g]X!g!RQFŲ5_ @4%Z,GޭUNTWYAOe*6cv VyyXru̅ɍ7\unN+Ewv;%DTh[)1OSe, 5BĘ6 łdh0ȋ 'x?bD\D#y鸌lޱs-ȯY $yf1X^+r>I!Ä+}taP5f,TA0=lO=?<0J#IӻzM~f* +iaU8n؉0[Țo'kk3'$Q( C @ozPD)yo5wTU%=Br{L v7er_]c7d:hKt]:vU}Ayl#5-v`k FJ= #%$!T9=8u'0Uw=̫F䈿S0 i־yXɻ}#;!>=kH*aѻݹQF"0L0MXul40!*2`HR`4I 1qtH6Vs$.; $jc-=| N\%_G#/Ղw35P|zLZ]Ɋ+K-WSaD{w>Ius:vuzw[e-:*NETM&!]=+py$/&0XGqs4cX *rlgt/ޒB/GїXLDLI,vqUȑ|.{J-U .7,t. "Nwy=mϐg|Sob[7ۦV^Z,jHˮw!i()>kֿL7pAN**V5dN]ʖ ّZa#7#!HA *{, +mj4&+/Ro:yqm@cG>G-笖r3ߨۭǭP'¸㖌m8[ a׍^e]H;:nRoUƅ 񥧬ĸv>hOT!7^W>Q X+vM$"hfG N#R[\l@Pנv!(x0Js;qybā|?b7oYWbf-Zz}}FUyMstTU}j ۠`?@\l!"gZΖ7HUe߲t^]{9t1pJ0NW;hzYG~v1վjЙef)SM+hgDžIho`w1PJ2D Z Yb(eƹKxt4"}>bZ6U3O~`A:X' mFny#,HKo{XbZk!p }ܢs/l=Q(K\_^6FM4DCW;s$hwobyj!L:v BUA'o.]s; zx4$,(Ԙ{\vdkzGESAcPR36^] @-Bg  ѝuXs&bN$ ׅX-UU[3f=ڵR!ŖʩkE˞S㵛$K{@2 T9:^aiFUskdc4T8LH,:pUkРf {m!s߈r pL`? 2J,7l]/X[TtآqԸ{2̆h|{2(h@>ؔ\aNQNĶ| T%/գUy/" 7c~^}0zJ>drK$c;#74MuTX@NaE%Gٚw&Ӯ/Slo|ݰ++ V j9s";6QUvF6ҞH>_K[XY*8 ;tEhVGq= [4bpKc 7 -VKw'X?ɢmucdVBbpXqJg{?@! \5m  ')QCX9ZGͳ̔Ut1U'Oq;^6Z ͱk .r0YLsVkA& jaa)MfYE89BwnAd6h @i%cftRB@ V uui8o/i Su݋ɦU( E<%Ns +Yܟ {}AykύQed)JϻN- y;MS|bJTs*54 l(f1j۴n#BN$xȎLAH_na}en[Zx>vޛjKLXq#$d8E@cP XHM lw7L BaR/࣌BPg?m2aR`|P_ X^}ʑTdL) Ԧ.دH7]s<pEG>?R|U?]jMơ[yݜ ʜ#AJ7]C=^s͢_H^;rL3ywY[&&jZ74"&t?NΌ>WGHzu iM6,b2Mv*36tMdJ2"hrWX\]z'4A5]J !a0g2TzQ̏_úɠװc^Rc v傲0-|N>?-v[=c1{΍ ![79F u53Oh L=IeN噁J- >t\C7#b҅2T8]"<!0?L Ypwrͦ_Ӂ.ҺN`_by\5J\ L> ?įXѶ4UF|qW*LLB,*[hEV>k2~oȥCJ oOSC٩ĂEɕW>uZͺl#b.[/P_Yi~3Jbm +i@3xB%$JnVo9e yL15*A( s2 }0$Wbк~Ykˍ')R+tSP `]gtnc kJ:5:W)ƋH]>*ID9( ?`iUi}HPw@$y^o٪dul#H+OP;fI^HQs4sa}Tnmf{.6A9P?U 25 ZQ͙إ #5eݲPQJ=QCvagHEE?(E?iu!Ax ~*/KRtִ57D7Qvea5˴f -@_0=puG6v7mܟ\LH}OyNIv,#pAVކ .m_9xh ߹ͧDiyEt x#WfG"2Jg\G@~%dCNU%> 7P`JƏY\z!}N2)F"FScpCn,NL,@ʿoY|>wuy4E<}ջwNgAN(P\jGAO2F[w[Jn~zW>zZk yu78k"?fg7b/^5!$|16sA߁F%t !@MN&W叅ژvODf T!`>>ٰHjr ͵@=-9%6tg~4Ԣ|a ׇJ Ǝuj$biqDc1VԢCdNVOX9ZʖMy* m`dK-D3v%TeX y`pHTXeL3L@n+ le%L$gA>ãQPb0+'aKhaѣe8ycU#fE#~H-?Tq$XKY56l[] ɚ | RTITm7pє@{?Ho' `K] &R_A5+d|aI  `~:VGBn6IJIkʻ0jXz^/,8у $ɖN]q<$tW+ {۬ͯOwS' B8iii2ɂm+%vXy m%D!P-`;> <A)+YdV:~tgC` +K=f-FMI8Ow5i+g_Ou{ݘϧkh}^B{CqfG@G$= 妧t4A$S꠲%)ޟb}TMS/w*fؖtg FXAۡ=;*X&nQqP9>)1?!(yJ8(`,pr:.%௫*a.zLBIO#ɱ`C{H㐂m71Sq3Pn@Y7f(=t_%d5~bqrOv EKU(abZtʬO~ cm$1.~>jIe5k"zʉTO} ۸胁mɚ|!kߙۜtY 4Yu1|$7Du=-cp/Q,N^'ywr T꩹бF?rt;IE$#ImLmg؃}_aBk,lsORWpLS_D tD3Zg qݪxފMsi#A*+>Թ i8aG<$UX& A}3xjpԇ"=3Io[㙴-N$`\-ݛp]0^+P'aa<:z]qW'n+C)N?Jc $$/&>N_8AEʛ» *E'ܑdN"`gC\7s 9q;9<tjYjCp  ;6hd?3i./&G+;h}&z_r\yDwS ʃ)J{ O"OQ*3/ 4AYp_Wm iJ e&@FNh.R^Irܵ*вky PO2VOD `&_} ,q|uHUuȖ[ `=2~X)b瓚rʸugdP"144<3Mδg"^k**Gfx4A/${cn%zfh,%܀n҉ ^|UL NST]i.ޔN87Jm+t D79ሺ5XMh]4)Q4U ATMqLdY2%cSjgl"QAOt~8rxkUN2Dĉ~OYQW딻r)+\C v.=դ=@toTTDgl 4eN#P*pKn<,pE஀+i#~Ւ0'OPK&=( ?gօFK|lv|r"ޭKU#:_n3a:}ӈI\V5hIGf!ShȎ͢Xig^:dv8 lBR5@Q>] Li[g~Mxda*ðB21nF~Q'ńGX$ ʐHhK gٸP=LU) mo*th2ʘEI$A^D3. zDi'uujo: 咋hC_>ۖAU{ MW;=,&`K9bFM;`#u`|HizP8[2a75Vc'q!o% Gpduni _nH;@]͘}àR)qsR.S?D$3`Prpd}nz%N ƎF&[fK.545\{aV[*fi^U\ Iv΂S&{_nk#w;$J G)ݖ4Җo۬DtU( N7hØzڽRRgzME#Ch'+tL錽kp5+ؙKTj0ǰ1;%Wh{E6Q}8Opd7Ä̾ {~qlpʉ'yJHB|e8Y=,=N6W{v +kwz72$ gS:#wiƦM\:eq?C[NתviI2SnNwShg-[-vk/XWATE '~&%Nʯ$U09O{QZye׺,as 7/0 񋛑6^73Mhkl{G9hm:!N3ou\ӭu10=aMB!j nP1u~匄~ .Wþ~/g$"n &ejluMKv bwoM0!1^x M8Iis VvNvݾ]ꜜ'<}cooÇ1 s%}'w"1|CQ<jn=J? _-XcK Dtޱ;j!n3J9PshVEzO0/=o?͛Ӡǒt]+Ԗ;O%C)ڸ`0u:KƱkwy8D{ aBo$e/XU ͯ~SGOwC縬 !F)b$wc:Z7'T3*Ƽ au?av[W8f٘dV 6 s$.eRFcF#J}N'^bhB B"0l|D]t؁o3C:^0ŧ9dǿ\5 5ab;'ɯҫ_\ycuw\wS__A2zN'VewCr3w5DD^ úyď\)p-gQQxxXFj5^T'#-"{TL",|T SjpTFhT31ՁHPHNr윦ix > f]:auk!NE~ v7R-!?G_(AT/ Jq'CzlZ" tvQ;;#XGnj_hQWTDwJtv(|k+[F|Fc1+[ _2Z8AN+5%a(%'$xOɶRgZH (I\oDXtt7 >QqSu`|ʮ /6#Üy_yJ8au^3DvѮ0k$LZbxN4; V>6CF^Qu)ف Wt K`;}oꪤ~=ܤ%y~k_!y4νGn8ɬf:` XN$CBpml 5#ލm=r25 8jPA[ڬx6a28G4`Y1۴صG셐UΧM27{U6ܽ5͗kWאɷ|DK~W3dPؽ0ږZ3,FJ0d #Ӟ%2@fg{̵ i Ѻ˙(Jd|u`U˜ Vf|\8KA^۹c`ڹ\. r&Oj#?M5+-)/= VW%RSf |f*E>_Ak.^![HVG"]rY@m3( =b`"cCR `?c +OSzn6c,_[qQxAiRÖ"PVg?ѫv$>6/9+mo:6>c)r? a~x GY qI!"*E%TQ/P4"foH?2ci5(H_p2}ML\礁kLN8B iid/V'H [yp^TA-'[gL@ jCKgo䩹'*!׽%Puf[O8lm67nM<4( *,%* nA(1֫umA fcWnZcCv)6L&3* JF5AQD\85-nz !hx׳}u9/(޵ R6;?bDWG'9KY;Ta{o㾥ﲫ]4V07z#'6*$Fdo)!H8: ŭ5=aRZ\SP-*v=c;6)|@j,,޹Y=GD0eITVuX5f< >YZ!| P449 YZ