libsmbconf0-4.13.13+git.528.140935f8d6a-3.12.1 >  A a\p9|3#'!0F+.ٱ93yz9Du4'LL7z~Æ(,cې-9_-w{s~BP,&]0N, ;!{1\Tݼq~l'LojhU_([J Uk4k,xy]dN_azSv h>p@H?8d* 1 N .EKTX Z \ `  DddXd(89x:(>@FGHIXY\X]\^lbxc!defluvwPxTyX`z4Clibsmbconf04.13.13+git.528.140935f8d6a3.12.1Samba3 configuration librarylibsmbconf is a library to read or, based on the backend, modify the Samba configuration.a[]s390zp38 `SUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/System/Librarieshttps://www.samba.org/linuxs390x `a[.b445fca9306a8f87a4f9e73441bc99e8315d01d507a7bda87524df02df53d0berootrootsamba-4.13.13+git.528.140935f8d6a-3.12.1.src.rpmlibsmbconf.so.0()(64bit)libsmbconf.so.0(SMBCONF_0)(64bit)libsmbconf0libsmbconf0(s390-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    /sbin/ldconfig/sbin/ldconfiglibCHARSET3-samba4.so()(64bit)libCHARSET3-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_S390X)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.10)(64bit)libc.so.6(GLIBC_2.2)(64bit)libc.so.6(GLIBC_2.2.3)(64bit)libc.so.6(GLIBC_2.2.4)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.5)(64bit)libc.so.6(GLIBC_2.7)(64bit)libc.so.6(GLIBC_2.8)(64bit)libdbwrap-samba4.so()(64bit)libdbwrap-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_S390X)(64bit)libinterfaces-samba4.so()(64bit)libinterfaces-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_S390X)(64bit)libiov-buf-samba4.so()(64bit)libiov-buf-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_S390X)(64bit)liblber-2.4.so.2()(64bit)libldap_r-2.4.so.2()(64bit)libmessages-dgm-samba4.so()(64bit)libmessages-dgm-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_S390X)(64bit)libmessages-util-samba4.so()(64bit)libmessages-util-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_S390X)(64bit)libndr.so.1()(64bit)libndr.so.1(NDR_0.0.1)(64bit)libndr.so.1(NDR_0.0.4)(64bit)libndr.so.1(NDR_0.2.0)(64bit)libndr.so.1(NDR_1.0.0)(64bit)libnsl.so.2()(64bit)libnsl.so.2(LIBNSL_1.0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2)(64bit)libreplace-samba4.so()(64bit)libreplace-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_S390X)(64bit)libsamba-cluster-support-samba4.so()(64bit)libsamba-cluster-support-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_S390X)(64bit)libsamba-debug-samba4.so()(64bit)libsamba-debug-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_S390X)(64bit)libsamba-errors.so.1()(64bit)libsamba-errors.so.1(SAMBA_ERRORS_1)(64bit)libsamba-hostconfig.so.0()(64bit)libsamba-hostconfig.so.0(SAMBA_HOSTCONFIG_0.0.1)(64bit)libsamba-security-samba4.so()(64bit)libsamba-security-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_S390X)(64bit)libsamba-sockets-samba4.so()(64bit)libsamba-sockets-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_S390X)(64bit)libsamba-util.so.0()(64bit)libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit)libsamba3-util-samba4.so()(64bit)libsamba3-util-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_S390X)(64bit)libserver-id-db-samba4.so()(64bit)libserver-id-db-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_S390X)(64bit)libserver-role-samba4.so()(64bit)libserver-role-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_S390X)(64bit)libsmbd-shim-samba4.so()(64bit)libsmbd-shim-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_S390X)(64bit)libsocket-blocking-samba4.so()(64bit)libsocket-blocking-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_S390X)(64bit)libsys-rw-samba4.so()(64bit)libsys-rw-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_S390X)(64bit)libtalloc-report-printf-samba4.so()(64bit)libtalloc-report-printf-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_S390X)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtalloc.so.2(TALLOC_2.1.0)(64bit)libtdb-wrap-samba4.so()(64bit)libtdb-wrap-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_S390X)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtdb.so.1(TDB_1.2.2)(64bit)libtdb.so.1(TDB_1.2.5)(64bit)libtdb.so.1(TDB_1.3.0)(64bit)libtdb.so.1(TDB_1.3.11)(64bit)libtdb.so.1(TDB_1.3.17)(64bit)libtevent-util.so.0()(64bit)libtevent-util.so.0(TEVENT_UTIL_0.0.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.12)(64bit)libtevent.so.0(TEVENT_0.9.13)(64bit)libtevent.so.0(TEVENT_0.9.14)(64bit)libtevent.so.0(TEVENT_0.9.16)(64bit)libtevent.so.0(TEVENT_0.9.21)(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libtime-basic-samba4.so()(64bit)libtime-basic-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_S390X)(64bit)libutil-reg-samba4.so()(64bit)libutil-reg-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_S390X)(64bit)libutil-setid-samba4.so()(64bit)libutil-setid-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_S390X)(64bit)libutil-tdb-samba4.so()(64bit)libutil-tdb-samba4.so(SAMBA_4.13.13_GIT.528.140935F8D6A3.12.1_SUSE_OS15.0_S390X)(64bit)libz.so.1()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.3a@a@a@a9@a`v@`a@`<@`@___i_@_|\@_{ _l@_i@_d@__ @^@^^2^2^^1^^Y^J@^2@^&^&]]]])]@]@]]@]nU]nU]i]e@]_@]J@]B@] #]:\ڭ\\@\@\ \N\e\e\}@\o@\\\\\4\ @[[@[[%@[@[ @[[t[#@[[Q@[Q@[\[[[{[z@[r@[ @[WZZZZZZ`@Z@Z@ZZ@ZZ}@Z'Z@ZOZ@Z ,@Z@YY@Yo@Yo@Yo@Y@Y3YYu@Yg`Yf@Y7Y7Y, @Y"X:@X:@XXsX@X9@X@X@Xg@X,XƉX@XYXe@XX@X@X@XWXAb@X-W Wv@W$W;Wu@W#WW W@W~D@Wj}W_WYZ@WYZ@W=W(W!@WW@V3V3VV'@VՄ@VՄ@VVIV@V`Vl@V@V@V<@V<@V@VjV]VI@VG"@VG"@VG"@VG"@V(V'~@V V7@VBUYU@U@UUAUĝU@UU@Uy@UUrUq@UhTU_@USanopower@suse.comnopower@suse.comnopower@suse.comscabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- CVE-2020-25717: samba: A user on the domain can become root on domain members; (bsc#1192284); (bso#14556). - CVE-2020-25721: auth: Fill in the new HAS_SAM_NAME_AND_SID values; (bsc#1192505); (bso#14564). - CVE-2020-25718: An RODC can issue (forge) administrator tickets to other servers; (bsc#1192246);(bso#14558). - CVE-2020-25719: samba: AD DC Username based races when no PAC is given;(bsc#1192247);(bso#14561). - CVE-2020-25722: samba: AD DC UPN vs samAccountName not checked (top-level bug for AD DC validation issues);(bsc#1192283); (bso#14564). - CVE-2021-3738: samba: crash in dsdb stack;(bsc#1192215); (bso#14468). - CVE-2021-23192: samba: dcerpc requests don't check all fragments against the first auth_state;(bsc#1192214);(bso#14875).- CVE-2016-2124: don't fallback to non spnego authentication if we require kerberos; (bsc#1014440); (bso#12444).- Update to 4.13.13 * rodc_rwdc test flaps;(bso#14868). * Backport bronze bit fixes, tests, and selftest improvements; (bso#14881). * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal;(bso#14642). * Python ldb.msg_diff() memory handling failure;(bso#14836). * "in" operator on ldb.Message is case sensitive;(bso#14845). * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED;(bso#14871). * Allow special chars like "@" in samAccountName when generating the salt;(bso#14874). * Fix transit path validation;(bso#12998). * Prepare to operate with MIT krb5 >= 1.20;(bso#14870). * rpcclient NetFileEnum and net rpc file both cause lock order violation: brlock.tdb, share_entries.tdb;(bso#14645). * Python ldb.msg_diff() memory handling failure;(bso#14836). * Release LDB 2.3.1 for Samba 4.14.9;(bso#14848). - Update to 4.13.12 * Address a signifcant performance regression in database access in the AD DC since Samba 4.12;(bso#14806). * Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache; (bso#14807). * An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817). * Address flapping samba_tool_drs_showrepl test;(bso#14818). * Address flapping dsdb_schema_attributes test;(bso#14819). * An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817). * Fix CTDB flag/status update race conditions(bso#14784). - Update to 4.13.11 * smbd: panic on force-close share during offload write; (bso#14769). * Fix returned attributes on fake quota file handle and avoid hitting the VFS;(bso#14731). * smbd: "deadtime" parameter doesn't work anymore;(bso#14783). * net conf list crashes when run as normal user;(bso#14787). * Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7;(bso#14607). * Start the SMB encryption as soon as possible;(bso#14793). * Winbind should not start if the socket path for the privileged pipe is too long;(bso#14792).- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./sbin/ldconfig/sbin/ldconfigs390zp38 16364573094.13.13+git.528.140935f8d6a-3.12.14.13.13+git.528.140935f8d6a-3.12.1libsmbconf.so.0/usr/lib64/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:21699/SUSE_SLE-15-SP3_Update/08b059d7b5a0f63758fd796f8b3745b1-samba.SUSE_SLE-15-SP3_Updatecpioxz5s390x-suse-linuxELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=cbfcd207f317401d541cc3ee5042c81245da76cb, stripped`PPRAR\RXRRZRR!R1R9R?R+ROR^RR#RR%RRMRKRLRJRIRHR'RFR;R/RDRCRURRRTRQRSRVRR5R7R)R3R=RRRR R RR R R RR-RRRRRRYRR4RR>R6R$R.R@R*RR/:_eO~W`&"' !g#h]RJJ2hVټF$Ν׺pS 4(EYуp+%=r|ȠA{^j<u(Z?} MX{AgM1DJ)"H~u$ChR҇bJy4 W1 M@[?WnιiZBl+ZA0,ic|"`Ék6M>c.ϲ͍A]*qpVB !|t7Lh$|*خDPdL5%.ֲOR1 pV`.i<$|'O0.Py+cSz, [ ",#Ir9VF9l]F|lJh,\u nڀXY6_FˣWy 0 nxTQLa&IȔU":$V9taդ8 e= uk@) y:Z̽JP qSF{@g@ iިd2P ͿѽKkX(M:$0X*J9/>%J NaE0E89rQ9eOSiY0-"̐^C+a>emOW Jz{ӝ[H/g^6.xRQT#6iy@zw٘C ؤk7Mc?[[?ǾrBka#|_lL@/Du> C1K!#FܗQauDN݈zUι0+agQ_7ͨ,N C(#I?-4LJ3G% 6h5ʗ7K(J{؅c/VHPgKVFxa+%mk< j%:`~;Eśh@-qZM\,L4N1+ܷH$ӽ _" !rr!"|M4K_8Ld,A;J֙warI5WeCM$1c3p| yٰs.-Z!6M ZTw9wybn`֮l"*((fl7# e#Sq j/ޛ /$ +Dvmt+YgLyy“ :5zGh8*>ZmZ৶"}]Nc6eNb] 盡%0?Р[4aigf|D}f=vxq(H f3'd/4M@cq(#:;-VSNd (%,sƘ}3^HFѰ\j4g[TgX*vQajY8̮E.NdxC).VBc ̬wVz`y24IkVkTT6}kxGrn,;rƼhn=xG*jnc{H =_` ꜠cXsXQ=@z􊄻c ћל- $kW5]TT>8;亼/w)7ʯI HrEO]88k5VLHfS5V~Tz _q ɬ R hKA7w!|>0u}v,搥*ƏnTYY`_m0Lcz8O ShJ~"n'C0𢡄:"FBB`CΔ >Z=hvC\0v&z6M(kƙ2x[ NP5rС,;|ef=8@i2OY@R'*Z,.ߴWBCTem=ekN1ajDC=oZA~wߛl::Q5SOʔx8S %,\֘dh,80H,wWf9fG!HqR-(CrPRZ2[RIeL_sf\S ) OI)qB:Tax^hU̞u͆NIűI%ݿj<6%iuY3ŗ=hmKI}i f1A&#]rH{ڈMAN?ct#{%<{k1'Nc\B %B )_k'hFR>1bTE8L)μ9#!,T,Һ#"2sF$fR%-_cTsKT z9͙b )u`JR@_`p{oh䍑'ηÞ{u{ߠ+@Ƣb@_uvVDP XN*Oi-6o۠F}L[ٛy9H1`>%4%hy E4P&^2i*%@:|;ß`J .Ηw!l˜1 "Чz*j%S[pGRи,+=nݸ0UO }F=3Kfߪ{a6To>4i/6bPpemЛ/BtLb4>vp.cm-I_. %V୑CiZOɿ?bxV[E}jCyRArvGe"+!&ćPD8|jx4x2ދ;|zn1l8munVԵ^?pؑf`4ڶCЬ N%r{gUrc~& @=O;?>RhϙR~4(:aЉ=(58,5. v lCyGf&Pգ\ ¸?ЉYS,y*e=D́X=j#Q!,a!F"]^﹌%ܮt,QyT}gXaK[n 1:F*?BC³[0OⓂwzA'5_p$0 ĄttH`Cq:5Dv Lx:.\Z&]D7‹N(- h2JUɂN,H-囐+- .HEөZLS}\1C)w;.CIƢE T-uASnDZ$qb> k% `s- C )&Xjn3ԏ8pp~2G*ZuiNЍf׆M7m d =E/0&8Z3WǨGhiy0D|nf)C[9Y3۲=ҽD֞zES m B,_M'0z[m\ݯH/{;;l<.jpa\%aim96w}ޯ,L#qWdrQ Y 4^i B ͋3{W|7DR3UE^+ī]QoծK^]qwI#vh>o` J<%jQϜ$9oBKY[[5~+qC!bp5'?ͧ %0I~HH 'VL.$kPPpc'*R &_ӼlIQ_F 4G YĚǍ JEY8F~i&Q2Ytn d]r$10BE|jʿ rv3GKw:,nGvu{nm0峠7#j+?f~4|aVJ3:rG"R9> 0 _]PلAjw5-/R3EeEy7WUWIoۈ!;zDv&q(nM6x?+}tv\^yjzQxSs'P,gqKڜ7#Iۭ ^fx!Υ5yѻTUgb\Ʒ n. wy$ A.J*jUR795sԪ427KE4=^~>3 wVrw=WK\dM%];UnCV =wr+O*A~1/Qmrl?N2,P ^$2.uB_X~f`=54,19َ$Lzһ{&v NE $Eٺ4lޞ9;H(#x5$ÁZF "nAE8/M.`?ıVUjpmܠ s^*~S:l_ i `24,H =Ls::KU17'%o2iEU8[scKLHlz ]JM4յ3̱Y򍝑@Sf@a=R,5N;Y w*ثAvF9?1eǂ/\ {puv*Ȫq*ȁJvb@ q "8`5WvXTeosdj.x?g"Q~C-Xdx%Zl͓<#Xf2dߏ~Y: hs& ^qE)dv!2H.)aγ!=E3Z"-2Na_g9^/^)w,N"_{}i tpPJ)llVs[_?f3pR{?ӗLv 8N7:@T%䷣gde5^lVs~ ퟋ~Yx7ٿ/J3҅|}c-pxBդav!cD[(f;O4ѷ(lp7i 9(Vф??9eu@5Aʡ,B_?sM{a߭= 3:ru+8NLmix<"ړ:K4 ~7nXYۧDK\reE=i/Ǚ_U4Śϼ\z/\T 덎 Rʸ7PԨNTX.q@DG9ʗG$2BAbh /` At.tsB?JڞA&@jtVdETu[]<MØ)t fp]؜d?[-פ w}10y4B2)i+ A{,2si)cDγT 9ps?`|QG%P&۸vVs cU5lu{CbF5$X2-/$ܘTb4yf^LѤ3-RC m1kLZ-WO' Ou2i]Gس$Aҵ;~p.?LiPOƸ8d/iG31'?xC 6[:GW@܇EL'7JG' dwEv͌elWJ3`^-NvU*s*DX{m׮tN*,zX ڙ @f+ϻa!H݊o`7 _mB:wEEhjJ@w/NbQm[l7q{Wx w59"kW7q1L$ [UQ)f-xYd]pØ~ 6p "^w$;Wf7`i-6DT:L;bG>9/V(\)$e/7爭"D#vԠ6é#a'=]$G<̔l| >WޕOgg߼#/fx}x2glʉ| +6b< @~MR{Ɋ.ʓ#v] ?2y2 qm4j2~'Y MZ>+5"롧sAu2)P O? ;j( u"XaMj\kJ P!WZ@/~& `v E z, 8EG T!=Ϝ2 l| 5ԣKT]R^lPbnj`8˂@_ܠ0^bZ{20$uLK"h 3 9$ᎉxOe(!19mYҏ̏#D;~pM]*uOCKl!R,)Cd X?ob n* t޶)Y6XL+3vo,m 5eH58wFו_-_ɣSw?YZS~Fb8NT8O[Aƥ Lf3"=f; t^DW*Nry@/{ )1>3;lJ*G:*`IRtdi.[\vnSϡq!RG(n%#(zKtIH{4ike[~>7QuX.1d.Y u ǒaMa#R-2z+9ᚷSqh_R ̣/\- wa\oa./WB; Zk5i͗tz}hfn@F+$b Չm=]*J<2$Zv"<E)3,@<6tI5vzZWdT1;''H牍Ͳ3ˌV1R:3`E1Po Maa8VYQy[ڴ,B,X#]t6ˮI֦ͽjǔvKnRaY$#PhژaQl:7tFM弝ɵLdrz?lR lWc`Y5L{'e6]Pܶ12 ՘\r_j=u<~Tvhx!E+78*f_+=< Ry>xf-`uxtj "F=p_.!0E}TymMt#|N 1QMΧt~4 t,1І_'{4_mJRƽH l"\,2#mle5PTM,;_C?qjP#Z(ѡeBM{g{-w5ܣz8@x|4ԃyB6|qZ2`B{MrvUO3\\Q\Zs` x|q'ڛ{i+%?(?j \>Ƥ6n2(º%bGZ,ؕجޫR]BKc'Q݃15l9DWY EckQ5\=ħBuEm -#;oO̱YNBg qrD僔 )D,qƽ6=TAfEf仡.0O."tSuag )tbHiJ %k T3؞qv7$uZKJ4iv/[\I0imov;*'Z(D6bo냅ґʋjЂZNb#+*Q&fỄ8{f8NDv ^ kNu1O ~\<1G (SU=TZ/5y)]Dhugu :_US5D_iP/xR O>EѐDն fTqˮTxYTp9ii[4DA`4Xo HJR{,8N[0v|&Wa2zx99}ja톉akQEüYC?3E"uxN)1a1ߞ/{]c,fpO;~04uou87b\K+>GrL^Ͼ,bT| Z]8 c #y}s|X,k~&SZJ e b,$JP{lڿ?W'u E3Xy #ۗeQ:mMl9㼜hT> #%Gm"XJ 99AAf-zTQLLdI@X.aoDy_ǥk-7LnArVé[|ah߭Nϯ@([wùTu/W?d2HiÓK0[ Y0)k !mx'=^v5!_֨8#BQZ6:\Fګ.v^p#Xtiޞ+n<W 6 יuxtU>7 wVmhv&n؉O8,hՉv ͻkZLF ii{Z/DU:#m3aI]PoTCc~Rq/,;Tzr1voYJDzH\hNTycݖ4Ƨ^ʏ}s;]\ 2Qsa h@-p,h%tӀ c7qO Z.L~k"А%lۨ=A&Txg]8+BJFM%&6>ެ_W W=SI.+^͈!e(I<) %C or@<1yGZWE siwi pš[@DxbM-:ҋx Pč}p0R2PmYp6TlQ="l?a#*_NVNlm~c!2W%m%3D sJ_ւTd~_Ec"lDMW šid:gc4vZ*:ή֠sCӑg')i'xE#d{.p)ZOF4޹)OGs xLNb&7uL> Jo"lK$! w@i?'?¶fiZS^N`8T|,׬\/I^(Gbk Y[9%8y㚻itohO ڱ1Qf"Op#X~PA$-Oq[%S%`! Ek_&ћU+RFf8IqmNľ (7r9X4͜EVUNJόf/T>se!4#h/Vm@#;1u鎚Y@"A311:f d Рox$u#K'\1*\[\h 1V \|7jdgYFngJon#Fևu%s݂- p,T*ѼgO Uo+J(Fl4tq3/wmRܠ~"0 ]$ޑ`kr$PU<zZW=1=O Xf/1!Ah|ؠ5\*,`?k s:PӖOT2{mz&Y1-d[j1~5MQP BKm7I+Q7[KٗV^'<mb@cZb7 Z‚ -X2t5GV:/A"SkcG}bXʝ3lz_u+,ts^F×N(yY1CPcVYFH+4_T5 37)~cMlKrD!T~5 Ҍ}$ ,54$}بrd'NRtu¿FzQLڰu rՊ`̾mFSqE"ڣԳI0c7>VǠ-5xY-6tpRV.\ߵKPߴXUZ2bP؛˅H^oO.[v5hV}&OW]J3ܕ{ @6<2C}Zrʱ1z_YR>T;k.+ #C Ɋ= :~+7=M74~&'0v pVןAl]D.u5;W_0$bԹ}~ĨX`1޶/V 1TȽ#heu3;Sf:Wj䶔5: &ĩ}fW/'_6ґ<) уbn4@lv|] c^oULѼGG-R߸Vﲫҡ uݟmH6Q0Fn q{,{|S1a$zlк;OiNΨ3{)WF Pq;yw,Es+͎j]h2{e8& =g#n!f' {'n,ϣߖ6ILf=- 8{*yﺱ뉆xak4 =a0V.:|xP˶&m[ N891u/,^57Up,у/L/?agPKsn67KXyhA+U K~g[3~fUK)3ХB3 xcҸaH@ORM& v]M:wEiT/Yɷ$SchL=̡߁p#*靵تPqQX@eZ: Jm,ڑaϨH_tDՐn*X!|P甈L7VYmOMþ\(Y_jq|.CFPthfHckȗmԽjx<ئ>7<簗5Ngȇ`+9 H2G9}x){vY:9{\* Z(׽kʾނT!En70mӏqRh\نumYq;N C71ي# y in?|LP\aP TuS;3[ @MŻX6u׏׽0a=ݼ?2Lz^s۩>-"PO.S^:-aZ'%=Ӌ\U7a#A 6$tg*voÚb4)gnN^Js[BJ[磄p6f a 7.h҇>WVt]ovwi84~m uXG؊@@j_ ]CרB!mu0/U-L1Xn<$1V"MDM}2 gLKBzVУčrׅ!b*=ӈ,E n-I`t6͢XRr_]^_H,x̚] `tW L iß5y9RaZ-FO9PfH6kXNqOV!^q'Y=G1vK%mgJ)k´.bˉR{j>gkwmГvwPDPXzsZұZ9ASLIy I4R@O+P̙| ]yJұ$YxrKdЪGޘL:[!ZH,2tw``%ƒҟ8=c@Q3ʝs<2z@h_l0=YuG,H lѯK*~[S41`֯KkRK'A #Xj^^V<8%q\ow~i YW̜og T"ݜcYxKU$mlZ.=mΡ7avE#~#Hjv~%#FԚ5( pѫQb W&IK ?ʐ{FR1YB>~p={r1nzv[wW41zk`?WCi{-UEaŴa2Z PZ:Ob5)6ƬJT5kZ]A99!]dJK@#NIAƺT4e62!0rVՖQ{nOr$S15µKOՅ5nd{'FlkËY9B9\42 0=T 7>5}p)fXZR~ ZI9ܖgG$' *fQٕiA7>HB nWz7* 6w$gJ*f+Q̓G "&F !P,ƴ5Q%A0=mGb [!ƝZ.9i@'uO @BI, vug.(R lp{ 3?¥)n22s`&4%}sLtgcgQۄh";[-v>z^P XU;ΪwAq2N{0/SȆ{0e4MۈUK`HnG[aoH-P@`6CxibEG\dfEsH[.T_fNH\UkbCG=^Ma?+U&IJ6*60%^I P~rr$^ dj-tB@7F!-~>ڨUe(%L\&q煑lzb#ڀc󐫴HYiex9دE\z+Ǿ{a񴐠wWD㧸t=9m?bDbߨxaB%ۓP§ tk<ڇ~!gTYA I %M`?,Y6v"~_q-dqTR7Wi׸d?rKoCS}I4ZEaeEM ^ȶ\;Vxj !`۲ t31h [)BK&[@3nC#!P, ox%&Rh/['E{rǿ&=V{ a1zxYS =dF_V;˨ " `4y\RZj#c.BQd26P-EBcQ>Z ?z( `bW՜FFwA.^z4ҧm8fL})^dCRS'aWulĜ+}`׽_u}t3v9­]cSCAIuigR*\.󄊵 z,}L 8-@CU.Te*3%v+X \ @\&U$G=!AVUMӁJj3z'2H}>CN0%L8iul0wۉZL*m RC; E+1K6)>8@9O]fl fb..rf)/\3MGtRQO?]d `ӆtumy$\ 4|"ҝ9(%W'M,p!P9; 5SSͲ{F^"~\gp#z qL^llW"݄eIEo1TJS!XΊ.w{(GOo@*pz G;jx0 ӿϠKW=:z6j^ƻ`'k&*-X\_jVsLBZ9)}%p-N.Vt"T`O29-$ӈv7*VdehhGKed&Sm%e6R)]O2ȊnP(!P: W&w9#?8SIT]u8EHK2}gLfqDS,>4F9ZS@-Yld`ρcglYR |-uU<Y/V[^:|0vk>q"ק̸s קIN |#{Iфa7KSχ0kR:bC_ܲSDf~łiIfg*b8Z 69ϛ/~?٣vlqyY[`#;`[F&|5k\Aʲ,;'F>"LgR{)0d1GST~9nM;[qsƂ$\ɓ6'g]5;'_ ?9gi鬁|`Xg/,B̸"@\L7nk}gLDdX:". /˪]yIH!P#izB>ڒy1e;ܡL?*Yֳ`ɻׄ=b?`RKl6qWkۧ%u%-|F7}Em@Et,@Fa&UuA`׀效{Y_)дUP|‡7fr  oNj^dxTxмL*m`kSɽEM.3T%a-Q*bG 1׍VcMcOox3bP8KpEe?J9qro~vwƍ ;ӀʘuNAkǼnUlۺjGdݝ1irmzC+)AWubRAehIz*#M&졾}C8SK`DŽ|Z: #]I=ÈDH[)cxؙd((2$E̔[| />pFICt%U)X6,=$U&o0ʴ > bA៮b!-&)IBCx.4ZTݱPQ f^YBdQ9]aVLo0rJ )+2T1*Kf{~bn5+ǮyɉQhvf6Чgb{7/]0F[yR孛lqO27I\RE ?'x֫*nwM+;Wq:ڲ9 8D??$ֳ[7Z@p(9 \s lS!#S\KFo9Pq 7͙" o{U %~fS|m]{8]&xK WgK8L5E^9h+0,~ϙs}ɜes(+=%)|a쉚e  bjatic'xٍ6቟h5f;J]4 êfjK1.vy±;*3{ q.bd$pkgvP 睢A][MZ6YtȄ!xZ@Yp+t\>"s@׆hWM'RhT+L!!mAMYuah^u' Ҷmҷ݄Ԗ]w8!QCI 3h m K [KẠpPNճ+bڈ1сG~'|-v[+a Y)Tȋu8d֒g9̢rί ?vh˷*ݷlf|Ư=޻]i1@a* ԮqzệN{LiZoÉM\9mJO5;cliUL 0/pAf,_s` = _9CI$Y9񁀒..օSpX|&\h7aS.v1ۇ3L} o_z1nX#%{{}_I|LI0NݠWiP~f\rT*Pфj 4iZ]4d 4swrHʋhx[A:]Vrs#2uQK,Ֆ},X>dڳ/؃њ Kyit?ag'*͒8Yu>%*_eA"Fi)fFz5zyf;tlWL~|=++Tt!yهSd͏-\(j2C֗=9lL4$'kV)->4c$^|+ 8YXgnަ%z#H |#yyMQ2zz$ (ޗtJ"b&b?vFJjc;׈!h]AI}Ìvͬ*5L#;% . u)*)6[[^4JsR]ᇽoY|MV_H5³1nE`$>1][j~Fo<9CTUe3$A54T5GPpzyjyX!-H )@ Ba:4(WNHNs\oi"~֑j_welDS]hJ`sBmc';ƕӪ&+F[ŶKVˤ*MO?CS# gXt[Nfn\*4q]0--)R3`IN o6V "JV8zZ H$w҃ zq򮢋P]JvKaojXʷ;lptMRU,%AL^Г V4g~Yx.$~ALGʾ(R@Fu}]4mUvͦ=MoćpJƃK^v]ozV+q,l90 nё_T(!Ǜϱv=y@Y\3G▤ÌHmo{A=P"t+ڵ%jS= cĈ8Aj--μWW~$p /닸hsK㹶:J0G7A$ 0B8˳A GF$",j |wus )M6MǞ+f6 N5ja(HӮ *-']A+>6){?;YC͸j)7AtIŘ+Cі'ecs2Q6b%*rDVU{cy!woY~cqY̰?!}o$br֯;E t.otnL2_06RNlY3|_8斿@-v\Mt*9iwdDLK٧gGBR ZBQXnkX$CDe>lvgz"# ^,# $ K#*`.(QexR '9-߮Er0ȱ`_ڔmBJM/_fz+7&>^O$4}*%AӴ`T9awZ-><ҍWM7gM'4S?ѸSf6"s.)){k6JjmUi`H'?9E>)-}/ + h;wk9+S>(;IyURQ]((z:9hօژkmxբ xLZ%V@>Frvr2" '1DŽJ6`Rع}V#$A CLLتܗ?p&̏vuc rY>Fb/K0N[] TpGVs=]鞼E&qĠĕa |~MEA)j|15&Eֈn_z^V tuvͻu#x y0B{'t3ʼ|i ]УʩʲY5TWOt~LPlaٲ_a@ܣB$j 2K.oEcTDծ.k:(+V3u@L8 [rMiޣzf9+%-hoQE0 ;i$X*1V2\t`WkI`& *uWSzU4r }  1 jμƂxr<"*]*j$K A=1 )eÿb5MIL&k thсeF2+c4pSࡲZ.^+4!s L3 ,3jDŴgj֋cr`$=^`t]dR 3Re*:L8ўglqJĹeXSS%A&uCD(g &3:xYӿ!@+"8u Z~v۠.v:8x6 b"RaJD!m(3Rq_}'>]cqxwc lz)Ԫ_ao׃d!]"Rna\K&.Ȫ(Uos6sV|<80l4g[w EZlrȦ{8b=_:B뗠(1+m{*֮&e~ÇA±u3hhM Nqm)퍊q_M*]Hr8F#`yɵh͡k1DP&v-n,;}A2PAmɲieJjy5D:n#~x7׶eH*`q?p躋EN`d9Nul!Z){`վKO_:!Oܫ.RBgcy} ǀ&Hwڱ-q*%W/f0_G=L$3LhS f^k|0x_=ubWz 8xY@qAB.h?G8@f̵c:]6Tzcv>S)V{0n=x9ˎj$"ԸX=q&roՀtoDR|!6x] ϼh9>vQp_: >U^O6 vwjȥ)2l33ةo2󀸭j=S2c =-\i 0_]$]K{<3^.NǖDooMF"{g`[h|12* ^fU"o`p7B81t=ɗB](2I _ImubfkF/)b4T$:7g YZW6RrrB>2[9>bk5S&RʶpޞuX^5xGF{dpYk#Ur:8\ '7IOl.gj3}YqyUQiK:%ѼJ0rE~m8vj$9~N7x^ 0Hj~i؟.ߚވ[~In=/ Sڳ~ظxH0\ WL [:SbMT6Bu!oLgFW{\ntY_%YhK3R:CY #-Z<º}8#q1G{OLC3NZR4':M҇gr5ǿq.HѠ4Aj4,d(H{R RlJ VdxoJl:Vz&@0Cc$ख*9jy M~NFbLԤ kS?.qJZ &g}#pr(y/HB[|<9,V rsA}A#z"J?Ş":د#4&-<]Nnc9zQ@;t‹t['nubN&D^h"+7dWo/ٴgFE0d{96_]3_ Oأ5y!p_#.uRX$Xs-: 3t:" ,uT ݋"r(w+Թ wb#_w:SNY.K]r\? b;-fq]?\XC9Lv-LN.VJVHvu@ L?M ^(>\XYtN$ 1_ Or-ͮ! .2R䉜чGޚ 5&(j+tRWfIg~&g¬[R3QPZF^$i59".]#縰yIe!wp/#;pMƧ#~`2c?] ~vΡSt@&̬mX 2:PvWN>M89SHh4kfe$фaxКPȩ,i؆pĖf^_ w?}~B &2zV;ہLKyg蕫D u 1b;YyWj`F1g G}UZ*_`I}\ݣ1j:S`tz|V1[*^n!A^6=Rƣ"oе'HOk:>H<T4T)wLVf~h0? Z2r}|:*B<ū CKB;BWxt"[U@,&-k4Su{Dkrē0'6v _d:OŸXpۖ%USݢNGfIoK /|ے$[,m;m]^#a}Ap.ܯOPl_R4?HUdI595&l,-ROWf8 iAx;#­>C q~֮#7 %Y*h)Ffld5MzqF &i t:%@<^Q;xLS}m}_ws{QWoWh7@Jc^EX7| gѾ+r 1#_!=(/9XnK9E(V$Bs_zX$d >'*Li|㰒~3ǰlvCmnTL?:Z9ؗ9.b&G*I-? L"Uޅ/V,LOX6(u F.Grf{ okb_]F > 8߽hfbv'*=2TBPպ臽eoFةwԩ0~oMܼ\+a )ϝD#1!iٯ hU( =D̸q{Ct^oSb4z1t\LbVjBohkqȔ )6>m)YzzN! ;! JWԯ,oo5Gz@0߂%l bApL 8`&{ ^2Y~b'^ ŝ%2`@YEo~F͊ Qbj{,3ڄ?_/z(2D5_?Xav]̅8=-Qzd ةTPW*C)1 p. 7%1ƜC R[G޳c w Q7N/1P=6O^^aoUs]nb=o%YT?YǮbc $%F2F{qyVeHje-Ֆix 'RDE0.'(rZAbal7ݗ 1Zϒ]r&*G&\c.UY #1KX|6UheVvW~K# >af5XOF`4MnS7F8yu`PzxyyS1oRuabG٥{"ɓ Vs#zDaknؿRܕK9vv٣% 1"y?nd-3]Ϟ}C4\H_x*U&*v=6Gc}|Ww lG&iPM݈.iBQ5892du'J]ZV dhw1 5,NHvuPKKNS~=.>FXf Lgy;R%p3<ɑVTx7LRyLH3GJv&7SvTz{aСNRN2d֨xgjz.9u%}e5YQk+]\ilmqkXOL$a;U]ĽPAue7uHsE >aG 4xاpP1mscfKI8 /ď-]͕$Ӭ9,U(BEVH rLG6ekpv1l^<^n:qYdלe{{g3j^$z5nd%OqjkIN2=Ra/HRC N<8~6gߌjH >b 1ؕ` E8e[?yĆ^x j&@:dC0JGb2-':be {I[ Q吾1?aŶl $-%H+@!7AJC UʒZc6'!Hax6Nrdjv^| CtP=vۧ+` F ${t,ص)Ƶa/]C8-E/P!5뛭D㌢@1%W8xd^ǜWM|AK9`aJ tBTe;m699~ΘHuo2_kfQf\`f4@ f͙})J*+G2"0 ~2q~ϜKp?ѱd])3 50?J) tII,zB'$,'K0iȹ޵0ۏmh) *'J2)D淯X քLܸ K67<}*A2}*}'F#͑I5}GWxKYm|eS;=vsQ 695Le" N)T &'?T~LteFJ>\"8U_7S%?T/P-CH0˱e}>=fSHG:\՞sV8jl EJ` |@-~uOC+BD돫Sn %e"(|#@TqóBzXFzj1.!|Z`;;+= ^69ЗH}Һ=Vy樔'Z,*ZR,)TwЂ3<`(J篱 Yʾs>%¸Ye KCQ_هlZ˯w&[~#-9%JY>C_,#lXHiW#6)؟EXKq]>/ g'Q00'f"ZM+vDt19dS+7x.Mi/m_"_CX"y\,XRa%(*g'S>YrX Π3E, 9.UyD`XPl[ * $b4hAT:0H^ێVv1˧dN.ޓQGꉁ-\^@|k e=XD,&-S unPURHYy`j!_?RyO)A^ M^>ɛOƽ'Dl-׹k/o@?1u/A$9% %%{ozFc3}Af($ J|l(M)/u\gNUzU5o|aS="YFc[#~/1BʲrwqtCU!Yu`)Z?"_jՀ>4Sڃ\ӿ\7eӼ5 P].pg|$Bέd Q7W>n`q}]*t cA7Uv`0dDhw!}U'K1L)HPԡ:, <kPLgkP@8<8(E2b{cxTܪcV)isKm!)-9$~/ 2n]9W FG9w1TT]7 ;L9ȼ0$`cX<Ĩ%>7)WPXC,K?3A S|?B62Ux={WTWYpIz tW+Mj\Ƌ`Moe>HC);ggk)՞#NvB 6vRвJ̭b5fbjҤ[n"?ү% 4ҁ ڄKIe']+i'IGULo1 'Kˮ7H(7ͭ /p_ZDIPR`=dW#7&/_&(TĶ0m|/'XfEUEQʶ^#^oLyVi)hI 3óp#eIM5①'] wՀ ;xXD)7s'ܒ R y] ]%RX5 T{N-n?X<$DȶLu`BB%tR^ؠbʔӢb|mZ7k*cJKjSJtؘWO93 b0h&v3ykVD6˜܅yXbvK5gufoBCEzm:_B,DאȇU\Ӯ.}=? ans %%CA)Q~)뺛1lӼ~:4aڊ"+Sz ZoM&Ic uҎĈ_X48~61DX[0~OV Z^݃PbS d-+J}E ׍S?Tz*AcXN(`Ǯ~ ¤(H~V0txQģ+3CWGp?W6NۭSlzo^Y˯3gw TM̠6h!n\gp[4DqL^JQM7\ D.Nmt:AuU8 <"']$9B\iUǨ\Dw$p_GvjWoM`ei*8Wwg5bL452[M XX88qe#8Zl \p<IڐQK{ٕ _#kO.y-X/ݪB +6[x1Yw*%ſu$*"`DŮ2@ć5epq ǂ&ȿ N*6]vɑLQIL'e% 3b [Α*~<@yh뱄4,'Ū}(1<"Oib9xMlS504WiBzzXP)J|Z=0lEaRIN벐4%+$MAV<~L]Y$LvN?&,=:@1D^9:;fё! ScO o[lxjinxE!@Ck=nim7 dX+S(|롖6,,o0 m0("w37.߄;*N+Hc"|1 5 .~ͣT)ezҬsn$B $#JowT`X>7`Q(Q/iG'Mhk]rp6},rxM] ,;S+NspGlU}IKf4n¡yP IWʱ$$ @>nn"u4t6w _u,Ӳ8LwTBPy1xո̒7,NwBmo}wVBcjT0IrR&&dר%~!̘qpɫ~f?EĀ~H1j\C /87;!0w`Ē+>MS+7n$";rnGNBIvP-A}㧞s)2l8 ÕO`Z ,`Ï8hcw:䇋=v</8CTEt%4ngl 舡_1E@u;C33:)QU6Ғr97}L'v6{oLֆ_Ssi 7x$^h2_W094c}Юi8,`qu=\LWYǜc~8dwbG6àɮX֏kSuǏbl7c?֖à A];GDa, f OKmRL|3~ҶF:@V4mEa>Mn ҆UU|tn;SA='N ,HnF[&/J?eCVM_1UZ*QD!S&Fhw9bIE.h7t6V .wªihδJh8Y̡>lLay>¨uW@k h/d]XMiӠumTGrD̥IR=Yu[FSNH~": qHpCP6Ȱf(74o;2‘H l `nmtA7KAZ VAP,|B6[W˽cs|]ߎ |^)xbW\aX%q53E00cZzk(%Y IF+JM |ϫL[n%}\Y2Dk)(V_X5 "ӞJjJ4wUկ0lRA>`92#<ݒxu: {o*L;%)(-Ȓa|@Ld4+E{X !'AW-]YИnwc^Fރ.*v2ϢI`u(%vIh~ w_z˜W ~T/s( n|dEaa$԰G.@Zn( #oQ::IT@AL9spEuF:↔JΟ,$aUnʕ'v#^aoh5ߩznrJ$c X7",oQf?&BX#'VLPik"#Զ&b&$VeSobk'`]zFyy@xY\iFrh1e B;??_"7d8a 6^Ic5&\[a-ϽsŒj^d뻃PK{̴ ["8ڜ2_Sr_i˦ϋ*56s/؜ WsiZ :+ 8\*#3wc&5Uf7X+)E*]꓃PSHiԨi]0>A6$({/iw4#*kȄ>P36g@3?͌t |Ȥ v|&.0/*,CzBwoŨݝT'aqibK/ͩa$ %"4}iϙM1*rQZE9 / m3ce/j82u^>БgcW(݂T*~H*=+|1HX]澶4O6)w =Y~̏;]*R&]LCZ:g ?G #=㒘 9+EjR)o/ ِ)5q._ j<-MWMu%_(GC\L *Ǣhἆ;HW-[>ӬR>!*H4f$f);;]>Q:-/M8Fȃ w.T'( [j"BHoӡ2Gt(~>ˏxnD>έa0T߹UJW`[PNG8YyL6I_̞%Fgwŋs_>tT@#'>p@F za7B#Ј gKKϸY _|ؔR ef\c ١8'l`Wcs1Wm5Ssgy-/mW#n_C8[}]{ր A[!9og$'g@6`bpǏdd!;q\3ђyYK9g#]S۞ppMK?(k 70 xIhg>MPTb:n@, ?ׂWV젅mI5][{ߋą'Gw'sRiU%/0PLwT!SQzowXJ\LBmW;\;؋ƙR`15MkO _%7ycHŭ -l\!hۇ(uv* ҺT<| 4 ֎Lpa7&󞧁\$6E{Ib`}b- B8ӎK^ԬFia(~ &އJU[[/SʉR=vIU crikHR\ƞ}^7#J7a_06L{~nkp)wVFxz9|Tbi[qA+㬍gzP\1d1é[#}Yjĝ$F<Cct\4$*I2l[(iH],[ Ƒ (a"~%_n)acZ[٘"~~ot@5B9+c]A(^b߶>qF"=Hngةooj?E.iETaP#GD1PW;&KM,!Rcߔ ޑwk="'w~1P]cFҁi x[d`&G"K%*10wE#FL%5 J4s`=կ2p2~ԷvzAGMyh #x?&AaiB9ܣJu71Z[޴H8%&m(6<2rϑι¶ Q;2xS``\<çt1 e.:H=k8hYAl-@ei 4<^XUHkLpҔatj[!R~:O@:Ho5Jcۗ>oX/e; ?"t1)'($kpȓR>'C mcVPӬ1µ?3UUwN2h]ز(k _=lñktM?to#U,&{"Vn;KZ, ,"hEMZb+8ppQj<zDՈA=<ȇ#C(t9@NֵlP ^$1΋6x^/ $'ΐW/=JIyY*$NJԍPM^̎v,G*ۑDNcW6r ˬx,ۉz톄|\v%a l,x-[,82%ߜP00gn-=}<:K-ڣ:XQenCoWz##3"1␴#lj㵦1~L Wa;',ԛԃF+T.-1Ǯyny\^(v+ted|.3ʛ0q~BS n v i1Q`).wWix7N@Q*%.K4ϡ#Á;7G\un\\SUl{S_Bd;xؚmu!{: =+/1"s7JhE4"~ڨvF<*2Shm㎯={ko:y{Q+f*A\6V1&aJ%Θ>2xd*C-hdu.mTJM;sۏ$;?IaA= .J~},܅9@Lщ2o2伓tᔄ b尺Ab9U#H WY^"mJ6<>Q*oDww0,?t˻h;8l, >*[2O+@&bvZq'& )ɛ`Z% Sexlkq*u[?BwХsh>BGK= t9}Bv}ϭ%&!RC O9eۉ"lkVRVaqrjPP^9yD}Y񸽭8S/ Ccl +9:utѡ6Qrf5;NgSv =q_51c|SjmT"{_m'vG8RI}mڝhLƸ)+#&ۇ 69@HmQ"L рŸf,aR"BjH4˭~[51_uUapin*Q} ED=]OD^q!@|B{Pf#KO*vٶW&ṛY :Cp/QP Yp܅Z{Cꠚ9ʍ5jSz*NQ+ަO m^bNeL^`(6 }"qrxV,f9L^Q ѥpjJ`QcI[b%5S[hiX@+f7K:'Wܰ)u4&$Q^#<o3~/;>7bϸو_Ȕ; Kf mbݴ48\&)imM.inWvt^?`PNDۍ )^6L&}56 C!^[N d>Qw 1;’" -tmY!Xq8=:Vi h< K1);CI%HCMp(226jXn2źN e4˲]lT= #ZݜQrm 252 l.0y@,zX[xLh@j,T_w(mSox ewX|Fδa]sH-SP$tH L𑘨+bU88ũJ҄PQ}ɵ?a pO@Xoֺ EKqj79} >zYq̪|Z҈&&9ro=Zt}} ͠ Jiry#{- Dw#wJb`|50 p NԒ#"Q2&G5Tν>*rQ6\6Z>acie⁏͡ciRg cz8oR #$H-fJ`TpR2u]T+ Tڌ[(%G\G Ni:ٛ{`ybϸ'mbA\cyqS#.:}b>9eS28z&KTk6cTbƺ;α&;/Y /A/L68cҠzQ&F N3{+ ucȸ φwc6]|tt81պTŨ=gt ^o%ڎX g]Osf':&t{~앭&8q}Y=~$L7JZ%pCz&&#^oow+)+mmL$>k/bLOU%>N|}v&r!}#ݿT 'OB&T8 ۜ(9FaN|GܗV'6ܒGsxM];ާCIT8:],xK]og 58[X%Y`eyGTԛ)rPO J1 :linZ&34MV2~P辨}xN0T' S`<ٚ68 ~,BO<`E}BVkjôW.ĘH1I>;aDO//]vMewT`Uhno65٭[@X^vV/QE˶qrPF$'8ؓvRb{G^'0W 3)h)Pq&SƥFQ^hhGqL}:rRԤS[b,c2ԧ4I k=la{RQ['Gx[ G!X =*Ia5#Eɫ0aS֗z7F6Uǯ]hwa(؃q?Mq ɺui|3D0u U^̻$= FCF*pN)&jwu13zqժ(c )ZC^kt`8k +IJ>u/6,IDaiEax"N j0FNͩ4V81G_$P$̝+=_}1'c _,Ğƻ)GHC($+|R2zZUMR33[ޗ@ٕ`w :LB+{#zˌ~̀8{{^ohUQSY@PY@aPtд_`&? `p& ꛨNpe%؍ !283"rpq9&:^5Ŕ5a rP({Y4d?3\xTtP&JoS2EG<Ղs}蘒ʴK9Ll|5= D`%@Vř%̙F[HR<ڎV6n츃mp68M1Z{NTᜠBv-;'\A̡=g,w@A1}qřXH?s  ĦJg}{Emϔӂi9|c \Ü'b/qxc c~15cPqtim~~f&zZciI:d&i2BV`򯌘-ļ} ׽ěnTzYcpX6= ??5kAY2 [4V;ۘ(/X}!Q[}:8. zqgQRL#5~R\s&M򴷀 ~y;P\뫙^$|Cq<>pΚ &A<ſ'=˂TE)Ԟi%Ă#K}vt-Vl-%Ud#_R eސ*mrʡ"]2$To޽jZRG|AU&խuMb#߼-=[G = {27P 5D%H ^G=t +7kMb|e}FC STZ [{9{u9u1MuubTR֧Q#a :GHFb!*〨trzD).##&&=atBXk4Is\ǝL2\ņN]pLh!IHR,..#BNҹ7ퟵLYmx eJ]HlXj㢜?uy-5_/1j@ /75 R4{] ؎ic!x;T`} Hd{3ԃ2{ɸ%ȸTƀE,vIT@=K|{9  v)x,mr#n-ҹ<}Z%!PnQR?~WzgB@[`*I2YZ*yl^i;7yQ |Z'*Z^ӥ^u9%֦hwkܳ9;V Kn֔//]Q#hHqūEJ!y!Q IKx䑂2Zn[ #yt[e4zmGfLBib$z)(,WOʼ/W޹#>d|Yz:!m~;j󕣺B"o-JC-Ҭ?C9AGjC\;]rVI3AbG|+Ʈp/9U~iO9ENg\>@xڿOP oUB ?14ʤwXSqWxl6sRu鍅9?]] }*%8"=L_R{y}<*$Pg "8J8%dh͓7gd$Wb־JGm a@* ]"6Pɛ|e/XU_ zmw޾T)ZV58}V<&I7M jhOl=l\- !FmN2C, j%OC+\G&$^d؁.̢Nާм}ȤS/ϐƯ1H}9}Kpf XEH7o헠,%yz?pX <Ȧb⛮=z-͉3rȿVn&ÞWM-Qb?a#CbNr-36 Ap=:yլ` wLM6'<FC!5ҭ.@Hʺ 5ggS+NOѱ~R7yUfZjsW1Fa-3MHHLqq ѧJ/DN/0,)V_YZEͺY)FzpYUوG. L R z 3ʥ"P'9G >FIy{orO`4M̨5(|na_!jk:9 . ++-#QU)6c5S O:YeQ(@>BRLxi4Z]N/IVak\B!T2ޘW tmDo`22^S2ݬԣ j;u&H|53c eUBzm_̫sl'6TB!\N)j#u5\s{*ϗ)12J1^8aE1d3 AiW_#֌ώYH/JI_pO5M7+"RWIv4I{"N' ӝ:"ҭ%%J!:5cEfU4we=pFųW ])`:XOY#GYt nR~/ŸYn(G̹h&qq?9Y=NiOXˀ]UV{f/FbsB*fDG<BfiSHtӞulw:hY{6Co,ٛy*)Ph[_K7f4f*[|(Oz-=AF{>tey5edݨmN00ddCQāsb qW42U_gw mܑ&6}_ JԎn^buv7;9Dp^yQw;s]juHB"@hȍqo#UVtLOGƎp$t5XG/eOrVzkm\o#hfPA aħ3 DZuQ9vo̭# d]׊fo!q=yicaECc`I!2c _D`_v3-]O:އC5i~BF6uteVUǫ[O}$Zh5q1}$&hZW!1!2>_]H2XTu:Y7 r!M @[ #b+/ϝרKIz# >@/d+֒WћZmf>稍Yi{?o/Ib| >XYRTq0t?-̥vY߳r%+(_T(C *ԏN*H raT%W-+w+,o!~qTkUk1\l+5k+s,i}2VMOA\ K")9zJS3~sEӐ%R6-rbLٯFM~HM*h[/ uxp=盵cC3Tp*I*LȻ4`2خmq*o歬_K{49V ͬ}U yN퇒NO?Srs9*|Y!6Tᑩ.X+%1|)>{7D+ToeRJj#Po^g(KaWPd=GǶQT)#YjIy}DX5ll~R(mN%>qQh^ ɟP٬.ӿ֚BM.a&X5ԙ[Z랲R=u^GLdJr´`zpto}&Ӌ"Kan6 WSs6cLH%k!_ש vo}B/[?(nf!;k5I.1wr2&PbS\j}"~40(v Պ&LN륛*K*ͼ":emps{TG п1/|(<S9ZiJ +9,A,/;tu0ThvaNieOkXQYYVQ]&kj$7qT?=" D+mW#NT^oP@u41\DfXg.EghII2x@Ni\MK:?0_7Aw*߯Vf^0?vyf 3Xi(ͦ` "rek($Q|Ç<cshԼ4RE3.;Fݟy+J9&F3n"5gmRAy*<Ƽ8bҢJ?ϧPU0b}; # 'e&LLO[?SL:q_%mg=na>\r*_1M&#jJGHiO,#''CcG;ʽ̎SriQn$9M[|Uwd6 Ūfyˍ[.D3_p7ݪW\uq+PDb~E4R Oz}=tQN5Ң~@ +1n $>2M9QD7zrmO8Q1*Q -%yxn[-j_O>l>;|:x2K]m_i\7jl6H2Rrp-կec1Hњt@Wk\F @‘m J kS\fu[01mw6dLYj)P8(JP4#5vnJEȋOU$9rǐH=G@szemºS?\<Wߐ<) I{֛ Qt-clLyRyAY/ wK:0-aY ?X_"{>#Enk^};`p3$}nQT? WEXiJ23sJY߲1Ik̗T46WNkZpx*'f5g> z6%7z9͏X&^yl O M:X% NP ϔoT'eG ]~ccHbH?G@n _F߇K?a@:|jo=A37%l} aq_T~4&jё`qM}b"vb|ew)%Z5I3%(&}Y2d[ŭNM2pJ"8E_p^u7)#~db9~_NFh Gq+GNa ")~3Ƴ+9 &DkRj}口ЁPI.odKC+ uӞd?(/sP_ o#S%8Vuwgv8LZ5)d<(HCj~6ŋ(_7AfcGKw<#dSG2 N masL?ow%z2LG }W|=\=1y[ν -2<Cj[?9!x;b]fr!y5p fzN Q a9Cڥ 4RiBLڂyJ'п>ղJK7ѡp64V`Md1.;]ZF5틐A`fk¶qjU}Q;4 ΨGyuM73b9{)!5Eë(aXwX?ʖ!*K@쩐?qv DG-? qNn8&xH1_TAz?pGa"KZ?cjOZ D] &8:If Be)Iw*Ih5BQ媶| j#Թ"AѭĉswB1|?q>̧#@P t! s:.QcGKsuOl:]=;m m8@dIEW+=hR=x s`~})ﭷ~65dAoqJ@9S_Ԓ|`*u/k >]w6ӍU;꒐+ $cD; bn(aŸq3~珆)s>+A?$m L%If?*.CC]DΩaLi n6=o{aûꮱjOdۨE1O(/aU Bz@yhhg`_F{#kFX_rsQY^MB T:sGT5(: ՒwN <7bTY0 c`DՑȽr:g "c3FA1d)TbvW0,[IM{`Tw>iT @Āү[E +*YދB((ߎ>6/lsJ}Dt(v33e`:k_mըE--&˞7GbK'\ #c\Ц `&*m.V"&:86;vo4T&  n ZtjV%.߫4=wY^,I)3#]WQH>ˆXŀnJcE.xkɪ bg%!7eMt"IM 1_2UR'pHa ߽i2 ;;eX~ $Poji=TA8I`&;|"7zcN4,f$1`K).|lwxMG4TpDHp=>wyӜa.WkwKywȞms읅R7.Ny$[dh?p&T/S/.Ig`qH^GO\OF=E o[י@V/cX_Mr^KO0~fqmqN%]_UiWih?W5q"uiT(H;iU}(J#=78U?%s]o̥#Rd/qE|d\kz!i>p hf-;Ȉh^730p2Fbhŭ>9eE\ȒC{|㤍^pNTgd"mHRJCL }BDՉ:ꓙvU/Q\s:r~ Gpf㥐Vk*Zp$ ҡIj׊TTO蚲DC WG}Ͻu@N5N'b婫A"kc+:$Ad\`,In|bnڂ,]FjM}0`U>mYCP#C'Vi+k zu"B} Zy@^7p~6ΩV2ZnO7!,r(k-X1=XᏝE8C Ǡ&jI|H.qm+3a"[6K?:Ospc"S1Aè q-)q5Եo!(斢7?xE٤tA[vT> r}<cj' ~Lu+ xwr ksiS>8AJmGro5cDik;bwRT{V| tͻ\C!`#N @ suppM8^~B@璲wƦ z0V"BQ$joQQ]CPO~$Phc}~031`"a BY^_fwF1RG᫱u[vO"C!e5$d=)J'Dq\0:3]__|+e+/˺vEvݛ$ K ụ |Lo rWf0ߘ7!ݎ4|:ȉ1TCW_vIDESmhec>&8=OKV *f[I'axdY$)3وyPt,n<3T\hKn6DeM9(0_ལJStM{jzQ!8x<8VIJHL=DF<y9ڵ`p][[^kpX@򽘼ynǬ5faXWsEȱqgc0|٣ki&7*θ;l>WHnXHtC; G_$ՠ}@F{dŤEQGA:jڤk/`P u4 ,:\2"ëTT8]D~8WҪ`~%g<:k_Ȓk)>/wLǧ{^d=ީ7?FaOحϔ>~"dIWr5}Y1|YBWSÅI/6haݟ#݊/jAmQjpb}f` ΟD&q9٢xJDJڴ>cO{@x#@ ^4V'DG.8IgȚ%#Y{S 5xs\:]x|'4NH뼲EpX vBd}EVw(asJ+TkĻȭ|!,f~+U)oWQD\_'@; ^g4x'OzMԚEaH$}+} 5܇7UDŽN\Z)FrK5x&|4,f'ԱP7Z*Z_G&kUixwy[Ȧ%Wo-iahHn1hqF)^*Ư&{ʻ8+c'}abnFYyRM6PVMsS9~[D"i]b#]]H ,pq@4gRp߱Ivlg㱹<*B;\-wRi`'5@o!W 4ЙVKFqqP4X9 0 *1װ@7XOG.3}&gJURǬQne@;P`)ǔy5f[^ Ƥry78/ޟ[#si~ }Ƥd^hg@1 Jk"e|hx8UwK*]Ѿ"GVu\XŢ..x&wr2H?ڣR)3ޕ.VD4?MK7/涞$N /3 d|C4Gz^Pxe.r+}lR%Z^ws@)3m(t"Au"ϲ M} p^3@ +Q153-4x;([i"hls7/]༥iKqW-u"q{KW_<V.2,|r3rYC)P{8u+Yr‚QM.MFF8ʣ )OE65M즹4N,F݄F~uㅋ \ %̃1~`nV7&Ot'˱i:Y9af4XxWMrґ1z|ah~Wz7iLƒwܜU=4lbB5vkSa)m.E $iDX9D7 (x4Wr. ކs">h|F6̑+ïh$[_nt| JR50XpL2_+zUcp[> |QENѡݰSnMs-B}w 4ub-VJ2PM@Eh{{MeQ/BƩN|)3H02mm *Ԅ,2gEf9 ? 5V"gz_%fW oNf,[ˠ>bk%$]ZꖬWKL_7Z@)x閦RVbXu\GŹiG_6(6Q^/P ;Jl7 D@Rfl#y6A%b|~l f*4@{Y| * E@IG1=\ƥhI`䢌h N3{j_ɗ*YOԈ@׽fvPFF "HƊ)S\}a;P4\a<]kp< AcNmx7 aI)] 氎nJ9ţ9PiD#h[=J?< uBm&Gbs;0PJh,n2M `˜?H|VH.w r2V Gk293ڂ&IĎWI^!,PK,V19 e@∑ w)iZ1BJo3}M-o\IsJ0gXCȯ~sm5}P" FiܕMPȲHNU7?TbD.6 |wa5&@3~h^sHEqh@>ޟ1]#ri%+W;`eXz]˛=P)̘uDјz7z ͞_}e<b6ƕ+$`$'j&J'=^[+ ȀTF™Nܤj4wR{BL+#= i<.0|׹|^$=΀,5'6lJ7tgo=jH`G;>XĽZގY~XmR܈?;ʁX.Vؓ0"[vH5&:gk/Mnt=)zCLi&OascNEI%ٜx=PCUܶGd\/V: _(Yb~t!r; XMU 0BS;("uz~R8(߅Ho~K_sKCG!Z7eAABT0"}"6a],nŘZ!׼*煁33g6%VZ8P܀$ylwz85 >~s)|rb~YWU&{ɍ uZ{ϠഓuMe,~d(K<&d, fh9=8Ze\/*,`]=e,mNr쿙=5ie} L|%`®_ a TJ26](0!k~QKo|{N]Ƹ9tNDduT.r _i,OcrYP_ sE__N">@1)Qdo0mKZƋbpAՌL@qf}6Q<:@M!e-xPg@{ YJcyPU:s`MxD0WdiFCр" .Ra,VU]( L!M@J{Du5pѲTuf{t7&Ka_CGK?F M;!02JFncMyKᐒbG(?v "dUT-PIz\9~%TgfB/_p ʹR=jpw`FOjdɤF+㛆9zsnܦ;Tu#/ gVF4-eϽoePW~a'kqA"U뵠l2#) %&: / *DEVt-d>T*G ۱32X`!Na.˻e@7$8 ^`bD4e399=wk&ဲ\2aϗF?n-~Cs2"x*Zҟuxl&$Lj¡҉jPU?8rH?Hpgo2ğA E799d6ɅCǽ{ɨ0}TiUr-GO,l}l߉I<7w.z P SR؋y7ڡth1)6BGVR 43acN϶a/#F4ӨVTVUix0[3ͭ!+GJ6xs>wtxAwm{/{&tb"muj®f0!1mqCFj=^BGf Pb̑~ `LD 3yqaZζ -y @u%1G} laЕKzo S ('_ (>d߉:o.ԇ37jBWXf̲vĀ KL@cqW Gy\NJ{Ҧ*$cCV#9qidǹzÕ ~0[#7zoVDvVs+hXX|{L9i!?"څ냡m'PU)UcUxbIya(@xyȟQ)!_6*4|Ɂ)3>OWCi|"{C*kC]!w Z# يG3m%MtQW^LS fyU9=[.l7`ļT?;w@uod=O4WI%IzI{į;vꔳ QGѳ4d.XBl?wD}V~"g,klX-B2mp’0ОF_!Sn:LoSDȾLPkbyyonopPY)r,c!NrY c|=ř(,d՟U4xf&馣0 $?8ߩzz|gy(,@d6PSɧ^Bi|2AΙ Ij폗QSGzf'danrkMbyW1â-9)!Ҷdg7)YuL8ua5 q)ﲰ3w$1Ü͟@AQL ?%6VZan~ؑ姐ٳePȍ,. eP  EX4\~>hc9Pf#V {wɍ3lm[/6E&ۭ}6)jtrHPmˈ$qO.O1D V -syD}˕ wCkz&fl~WG+^ t{ARfnZw*I6FC!b V۴; MwU3"Gș2:׼Ʋ&fþKF![ĿZjS%g?JfJv"|gοɶ`:5#v3ҝb}E?2.0 3,csVoRj^6s`0L֛3GqY\  us!d}Yn<~t6E5b̏6g.z VnNOqIF^o0n9@g{lUu6Ӌv_;}= D\͏7WHЦ'Ս"wkWcRсmBc?C#2t~~ɉ @~uƈ R[ Ss[l0 =7; 1s l#Uv=BH@5li`.lFÇfyu`~i֜}3ڊm~+k2 "=|d&>{m`ZJڐmU_,۬ IT"eZMx yPhQ.f.Q, >yKvs J`i/ ~{]I v!ۆ"JDukYNI dK @@-@̍˱z?_Ijk\=H0/,Ba>۫ oFD2Q:Fn뻕$6?Oag2WtX&7]b? |ͅn˾& W&JT\1LL9 J, cտIaޠZO.e' (yef&>!QQ7C#J,i,GP';3{{dl|~z_Y8dzJ1oؒ{^w?kB)Fy|AKvm4.vnwxevfo&Uԝ6NSTMP`A *oCB~9 vZ9>:xa#9gD'S"j Tlujw+j ywQ졡-`pF yb,Fc|M.,jP5҇td'l1w+:'Z蟃c!w;sځ-/M EC:Z/JBt$}/V0d' U'!+CpUzB3U DP Q!}괽Ee(`"`ib> KL_0KYse!y+{q٫xuߢ@/MѫyX^%t#ڧg:_z_P -T]epJU3bw J$ld{JD֕[!Aᓇ9&䎪[ 3bBsdqRĒHOIȀU]c ś*e$69֮^fX]KcUsn Rt4TRP8knځyzBKB=*'P3hL] Os-m52 |Z( NdcEQRyuEgf!bUN$ϕnR=d-4A-shA2, ^gLٍ-LϠ!ZZ4n5ْA}6)@ /Wh^>c'3 ׋;{:v 3.fͫǸEcB/ <3C:MpƵ uB|=.m+0j+G#$^/Kwu34"'!ײ,.V!ayuU<)YXZΧ6-)B{OʰI8ГR`rs,Riz5.Hfʧ?b?#6F~G?I4Z%( g&,9b풶'22-(| ](Hz]"Qy+vj#؆(8OPd7T b5pLNa͸P^ѮK&.>ZnQfV=^ B>MG7\\e;jv(;>r/ :a}T QNVS ߃h .gp]M=C&:$lcwuOJ>YJZDnҏ2KXtj;\>9 Am6u[%Jvx}kkKb1'c J;Y;]nsDqPIx93,Gb|Ο~@Б PQ4sWw畏cfB d P#^go_֫Qt(=|kGA(C޹TU@p#+4r@B-iuCȈ*}s]Fl[sl_(f;ԣddiIҎ&ct4n/SɏWg9YIBC}7=$ ^xw$-k1Ӕ6tρFamB90c0 &olSRH5Yzju` C&S-z$DJශTBԜS =VIUEYi[e1QnX[\Pۃ=$w{ڜN1 3RC$Ke$nV"&X~;JP+ JW ?2D :f&.{??ˇgP6DQO>Yu|db[A>gn|]=կ=B+rNej1_jjug=Kxq_^?6{)cQ xSV&XfyT)E,"fyv@}:AёѤQ]eK\=R\1/_W,Y:T0U"Zul)9%j{Yr^XaeŒ2M#Piݿ%B)04@s.&B"/TZL/CO2烕k^4$UOs3єMM@ L {D}׷n5XrudSq;&)vѢD\O'1^#Δ1g*\Ӝ 8ju=AR$i$>[oɯ^~Yw!?ƹRZeaQqڈ,c !N5Aŀ_ηD,)ŲA~\Tz%ښl)Ϧg@q"8۞P VcXLYo?j2pʪgmW+F?c0L,\p-[u` s >vv ZۼD^K:쉴L][T A]Q~,;ۥRu!sW%~mq,ڨEȪ_}¤ =r`$u4YbV @GX\V-elϜgޞ_bZ dU~#&a!+^/SLcAO͑*Run*Ө5YCLieGc/ eЀF׼9 =4m& oקTAt+KVnA5Js[LwF&_]#:LKɗE3~klpݠl#F0ߣӟc7ڬ`MHc>Zxy{kmAվ}iՀ4)5 qy5pqP1dn"PnOJAV,d P`44w FK7arדb./I9]Vlg/\An4Z,fz'އ6VgʘAq@6ԹXA<k|,$Ii9F9Jx.y^m04a"GE1/kty. sB%AT^Oc篇%sQ@=@d&Yu%Ú|LT{JN<^^ުY(˅H Ֆi@lw|p]BϜ$E܀8V.G6SDHI*`y= vNT l# LkR=qUz@KalWR#&|v=yP.bY4 á#F}0-5G칆r W@ hDeaW]oпDhhs&J+1'd>srihjq)eJXuĮ1w(K^17C3" R- @IؑdԘcsyImWץKGFOF&t 髸UchIwkX!7i:`I1Z54 o.7u F3} T',YkR5`q4+7ijC\MYE$ẔSl{KJC=3eHU}s[(0 v$y wuTEy!2=ʕOmRmN.Ɛ[U4 f)*ʷҕ;!i-s$.2YS&3tf7/8:=}2z]I1ꮨ.y17pAC[ 4%si{S/`ZYQ^2YY0C/\ǍˢˀqmuY$垍1Yu5 0hLGeDt%^UxC_Л5ͧ B+ŋ*+ ,4֣M;B~ 5Bg}fũ8/bU>1]z9vm2*( giH ,'wJu2݄@ aV&Stkגx/n@)ƒU?@Gp۫k1!mj XT/i$ھ*[Յӷ-anY*T4s5rg >yJP1hʼn eS{&"3<O"j EE%B=ҟ %yÅ]^v v iBR{n^b_ r !lW '.HfA}c@h9rIch7=nzy-RR HUO6>gR1f:QJ / :ڟzS5t%Ά^PfIj)mPTZ\v9FJ1ɮ JȊl>~9D۩g .!/mIym w?Am1ޫO:Zp)I=ݩs44˅o:Bs;_bN%X(0ay4?/ȈN_w] c%-"A[B< oixAUB wr2g&Dg8>?7 ( X?Y`zКAcZ {'m:[/O#JOe?6SKA#cB2Xɰ&oY FU}Gey,gUُsYtX$QR47gN745( \G0^+*zpu/ՔU"=e>jpskY ?Ft`r:,HaJK|>UP;kpZPloq*{%'K\e}[K!ARN/Wž~9 2T{+7Ulp/۠VO LXW'k}_\tͧALqn!)'uCgIirNb #8ӄш3H cE/:o%}e޵1l.%rjZK1"JRRpr慸a;)8SU ~a ƪ^9ȉ\a&ӾLEe !f+F(b Vq{Ep䆬|7FFZn/9͸-{G{TN˖0O*.xps&e7ޱ}\dcw/ɟ`@%dVlg8>,Nmo8%ǫ;6J{>@l\2R@!6-$g۳sb9}6dtI;]Nl;MGg l`:LϞ 5>i덈.;f[|Np]Be>inY;<\g $[8'?KwX`$ !t6!">O :S/c td"4+/ԝ4;$qFTQvj<٣"]vbZD3^j8>Аѝ5S];0j=uSfhAN5C^$C{7 `G1[*q_U tmy ,Q0iCe/`7WΠe?bvߎĸ) ~VuťC~Tn~ROQ/Nw~T7bg` uqxITܸGP:ppU1+0?q 4xpl_HEFbqٍ_~JVQSK@r iwxXgg)9^ *ک@Ps[K~TSd819 ѤH Vu+l֛-hr}bp_orU+|N0g}kjcŰ0*U~ɟFݖ=Wpmd* &J1;?48v *Yk)WV%M8du7d<^XjtG2z3$fjfdyIOϦ6(2_uqVK.5At\V}1N?(LY!-Chh "Cl'jRL~J IJ[&>[.Lѧ2i eȌqZ/.,͊Ɋ ‰oi)+p@u!'AF*Eh%wk98WtAMt)_ݬ|?<[8Kg_bIiS;{s4#x`nT;&ZyaYCHVG)Vꋉm 3ʮ5HSWܲ͛qIu cz(@ T Džq ݟ/tb=1J*m^ e H,2/5d-(ݝ@^O\/#Rg?y',u8F6𤮺4-kB4(HBEGRȎiS-!N0R5b#x;\je{ ~W' dv79a4;M}ֈ .ՙb'#ZLɊ1$!!r{clDrk*s'f ,jyAX.?kŕ",)(Ji9wLMTӻvd6s=}ۋcCGOŊƌ-ݤP|2zS80`"s01mȏ\btiQl7:#D/gDguA-&cz Ix^:K/HCK}4auRR5L i! y}"L egz7ޏp sx+'ŭ@Nޙ뱛 V|!N=4cu3S v`S/lqFdehv}. TYƑ 5#Im'UKp@{c3aaMŧ,-)e.RғӢH;`#6*Y+] ~]<ɱ$oH0,4xJ3v?sJ^E&}?;cZ|=Qs 6Ca#IKk B<Դ=J謧֝h7=wDҁE'aD1|#Mo7)"#+"{cOI_WL:YUDI|ȳm[_oѺF~4l'W*Rp  iFp;N4z!O[NXx}4cyK1?x$ qV{-#;siWĜUuiwj9g0No.0T 1k}QHS [>!$i< \i`n ޔpbrK]?.O{FMg=Z*-t?% o.wk"(:%G$K3SP}[cfӿ}SSJ̻&C>f } N8뗏/. q5&(B=7DLAzFpZi \YYѳS0w;5z&L;g,E QhdMoA8 B"9GSH72Iں`)9Yث`콭^"qe-s j ? )R,L.JJh-DuK|[9AƭYtզױ-,c<>LJ *k}Q_6Ր R(xd},4AvnldP-3Sr%Y@2xTށ5K4 =@ H߄= 窢4|2[=4SR͢AN@҇XYn rډ>khT1əQQ݀|7~>VS d#riINuS0$iT %J: _ J~<+~,}AԾ>rIؐ{IK}g?7;4+^;~=ͅA:Nf!-`N/PM!^ŃŲ654ј; &yr'==rij^"IuD`*G# ͽ=Kz?^__#l7$xyϯ> >0'\( <}xb'>>w99&]#SV`4,kNB%z?BGF(<5&78rkFd}>(3UUT+(fl,L̕X_;Ve8)Yղ /]<9}:.G.,GP-B2Xݻ+՘Č%0'ݔBgٍ 1zB?@+>-t;N*7&I)(M9N;d~he#UE3 ~^n!CZy.BɆ V`'+ Q~dlؕ|ճ E ]SUpX]ʜyKޥԍHbQ ,DtwY;*o7qIPA"laMȜ8$msp܋gE< +8+|STٝl=z(W {ݐQݙˊHi0BQDnI؛z_?^S ['KlTo LӵH" J'V G @ڵVZUl@[LTh,d{ csېŰqjO?; ;܍әBe=Ym>(='$qe'E$ZfbA4K9ԏ::8@f[\}%Ɍu D>O~0uq*(Kv|t'kpєx>fq$f 66=^5H V Bi7Ɲ6N^AeEtTο}u14~ɦB3Tø;κ]a*ϡsbR hv}A*ot hlLQ #Z7C4kA\GM!Hpj1Mwda:Z=Qt#pHJ8P=_-y9%}?&r=b3Kз1UBsU>?pf_A|`e%fW{7Y(Lwfe Kp*k11ư}t]q^HGlY8i9CDEQ4\A"mNކ,%e,-&X-+"į\ ey̢t8J)}bېkɿՎ^Z*kډaA%"ZoZGVN-TPJZ3@+"a7w)I\\ۍ<Ɠ<4|r1$DX89LL@%0+đ*㦼ngS彼! Bӹمѐ:1ֿPκD@~R{"T}hAf_ѧ>d~YG,(:l'HƔ4~lR@2VÓcXhs%(7\4r!*fr;eEBx$# mcUR%B[G3;itLfGQheunOE[x*iL ,${OFsby{YW{vE_\>N'7MǯEPܖd>欑CON][_C0I j0x;1' 휋TIQ7Ly5=$|}Up42/D;2>xkۢr !I_@^y^TK2٩*j>6C~ RIPtBT܌F@Wll%-2_R%dger)Q{duhMo>|$&CS Pm4Z. ^.yxV[ia9wؒ:8N[nN8?L#p_=[[>6!O&WrU`e$Q53StqT0iV}ɣM]*Wq1[VI8; Ǟy)rm h1v? KţX > QJc2A NH*Y Vu/@wFg jYڸ˺got>@+&u Uj,Goilm^MTUJs 3N`n[֔"&}aXҾ{)F_aZ.lW5U81(uZB]n/& \_i\U3Ze˺x7[n=օNxCGK.?v5ܩ&S~ͼA6q8"!s%m{PEZ[!׌|o M0PRĈsW {,ICqK{$N yGJ/(њ#"OMw28@0-45֚Hsdk!"ؐ7YD02~`?1}6eAҲ(f tmƲ9p9LLNd\@I%m2 z#>J]2Jo勦B q=xb-]پL*|AH;kY4Bk÷&%J}]dB V,>Qna0*r<>cnYETޔ 8WT^q4{y7 C&YfE Lx Rn6Mhِ/n#R~+ƒrx/3teсi-1tAk*;ww Ρa;"qKmʡt/xV4x&IۺZ6ϱ/B1FO#bf"2d0#lg0_PfZN6;*MEcJ#\oa3IAbFdStuA>'(Shc 쥇bGjB䡫O:GS/o7lP ײ0bbK4/ڷm]ϴˇT Cʘ+i#X힌tMZ0;V{l!|e]SBiTQX >1`-S%61I5/\\RB 7uCM6 {m]ɸ7NjÌot`.Fkal,m-Vn6S1^I3S=/k$,tJQ AlmswQkIJY~vK*Ub@SM߄OKL6fӹ+ K9Z~: bZn v!PB3^30OLV-m [[4:N@߇c#2h߰ U$F~!6ݰ& a}ɓ΂MϏ y<1K7.a5_}1.><#Vf4\ɿy +*smU͎IMfM X&`/ɻ,$08crgFJc|b;7~v*.y}jV{?p AL<Tµў;4#,I7z*^S¿izVi7]AV?g]\Mz+~W쮨PVzQT P/r5)}Ջ%TݙgL2FZڃh[t JϳX\( G[e9xT`ftj~b[ef4zqE:+=b Q\Xve3W J'J:pmkSE'D_#єk]ͺjB]S0%uP#@MBvi lձ/h 3`V1K!բ[7\?ً@HfѨZƎW]Udh頻~-1=tV|4܍SP3$DH&>{$W>Ȣjh@ ;UzS  N>P(*īնTkzͲo*yQ 'pu0 r=**v'1w`>cw'_Yv wƍ{'|{jⱒO*<6ǐ 9{1ݸ3 S"K08=HOR:k2 ->*PKXSQGNJqP6-}V-2#ҫNȫhIk[D;q%CoYyOex[n)b& "~C&mk)8d{k`>Җes(o} $䀽,>R5VAP˨ZM Eh>l+ρ#VN5Vy [ѦKt3LRUJSWFkYPgr"&vs8oCp9J$S3ym󣊃OX.=\ƭO{a7WjMxg_ͦ'aU@;= p"2rA*ző@YeZ#z$C(k*ޅpKCi  Ls*dwnG2R.uO~RQƉJrFꑉăG9fq/R)17ampoFLr [WJqHI+qӅ7ʳ2~@ Ltz!TeHrBσ~1}&J-eƶ2liO^si(CєspkdrNCH 0CxO ;VwrYsؾ,R-7NREHqm#Ftd `s.N: +6owbxٯ󓗼7h^x6`u3;|f~Æ+0 Gn-+L{TqkpXDV8m+X͕K3>hZOe Bv12jeUQd 'j>ïŷrP4cg$G:% "QARwrJ`ߵk?qQF*:ކa[%a֫Cy C<55ih#Is`)1t5LGO ՈyfܾT}{ k5GsvVw)"0Qbתol 1c '4&:F5sڨeE][rSX wW8uf,htm0x R(|/tt6w֋ȹTme?< UQAJ+~hG+p˧N@# \tKHfzݗEz3ǔef!k`]8zny^nyw[_Q$9O:Q g?EH Dn Ə=yu|b&S qBrD&O݉ zGͧA4J޼?-̔wO*N?!l$dgA5䤧1ӡ ń?;VM%R."w)'ɚ i܌Jf>-VY%P# .vc >V r}<<40y`UNGql%ߔP57 9~` j ah.heϚjmV5]*"?)"e~~t]c~WƃP=oces>}umDLș,7JHɌ|=ju56jOB] EZL5@nbԉQ?RƗS`[F>]$0yĉlr1UI,E/l&n <ڦ.l4vo&]x !1T3lXçYg8 }ui,qb=o@P d;6G{w~?|wੋ.)P ,꯵af慀n 3y RfA*0Oոez|~vA٠F g!Oe)Z- a_1LqdD`>ĝSBkXwPߛE\T4ӾQΝGGPE|vWS#CRlmUEMIN*>8C{IAYI[@$Ƕo}3izIš5yOG;hy622p;Mm+ƀ:&CJUh.$nR3EHEܫ iHQ%ޘo|)i'9g̳3Mb?m2T?puŜkɚW S 7LgvwnTz[|ci~L&nì,skOzÙQM5GYuC˅ozj{*`˻0҃.^*TM>Qi2J# wrm_GhG ,u>Y8WJPgBvt‡+"[cxvRc|G#hBXYv g6 c6mI-1 6Tbj`5Wvb~>Wa#l!JJ0;?YOR}VseD,Ex3F V(#zt` hL5C|E<`U7_Q9$stJlH׃"8VdF KyUiB K0 l'lm3%%=꟤G!Fߦq QK56KHɷ-18X-m:80:*8<́tI}4n"vno}ZD3,+gax*q6}k۷A688"t.ZvR-q.m4V F 7,g u]\ 1LX=6{jj$LJUG5[Jin(kgKK˯-l)MF hm[uh>QƘfz"wйc؛E4vrH uwÑ1ce*HihhoqV7PPyĠph_ZI-FAR^Z;0?C`; lu[X?IEN;jQ!EMܝZ~AIuYrB'Ѿ^i`|oK5uQT8ϻդM20$PXiYF4d}I 8OpT A]M턯4հƴEI?8!t2+<4H=SsgryDsF Ɨi6K 9ݛ<7\*Zx4ASbu ҚJ F8EWO^LGEF G5]^ \T!p%dA]ͮoaB|Z&m5ʚh8 Qγ91#f(ǴY/R\ <耷Xe|JPˌ"Tҿ6\l-XhѠ7a,bJ-@O!yy7oO>)WMZ]ɽoKn.7v($F iy׈]& ְmaR`peEs׺!U5cX0ndHиɍxOFى|ƺBy}<tEac(:=LezB+fF+P =3*<]=dUW{:cf-ڧD ('5_DCre= aT2=xfLVEFb(Ovg&Hͱ}3ͅHҐHgӠiACITGS:,gx ]tm4Hd4 t4㦭Z#srx&0,;Vo\Z)`:oON|bӨ~>Ѐw{i\"Ȳ?aը)od&b(_|+e51>bC2hE}UK&Cn,sTYn/ֲWy= y^~5Fǐw9G1;LxzOˌfQ2=L ~hok%_ ސ\d)c:cxѱboBdoɃ.Lk,G0d{4ή`&V")6n>ҤUB_HE$!<ņB+'g=kNgKB̿)ecMk'(Gp9~NKB&aW i*x#u5nlaoI Q:hR\~Ճe'tТp̸6{J'A.[%zXe`hSN_NvZpiV_[?oY0qj<>>:͎_OhT̴*l,+(/{j5b1Ϟε 4 @|a!h? JgT:m,B&U(\6HBzˋ +~@qRtiWv(3`ZBî >Sa]8wYĹ[A\CyzȲuGo"y]dqmfxԺSDgwR} GdQAb}->dl>ɏ?tnnxځq:Ns~N,.=x"_Obf&vػeU> #3]8LXxkIJ {=8~x@ R^z㰳Vv04FER9Y14sۢfSjnSVEmP \;.m@\HȊ6*gM#W|ߓWvtqkOjCՑJ kjiiB~ F1-k2}UrGH yP!0躘$tg|TW :jMu/lH/aPx6R(L!q@+z~~bJߤ4B ̙-Gm9o/]1K.cP]/tF&3r^60Ք|^yg7v߫k{538WA"ܬIyk6%J]QbhL7bMp{`cH2S!w.%ξd<,b9W$بKqWdv_U>_+X2F9,-%.'h6ӿSa^2`(:Yzx1*r?+r7~'@+Ή\CGU "@,TCx{+y"Ew&iC(3Elc `|[Ov+K4Sʹ5{钢Pa7 x3JDE ܆Ow0,ÿI8x+q*a˓!lFO >ip5Dҫ2}z0`qMS^$ɞ8`=_ fn. J S!9JDG9 -I;1;4w%N$5 Fa&Z, V":\IPܝ|q }҆q,SQL0kb6j#_ x/[WQLF;u$0#nju/6O|S9 K-AQ: bo!7j0%E*PSu\A{MvJὛHVL֚.W@0[;<xꉞ//.i2RM.83䄳=NƈD]:ڈ]>.Q#t]~owZ''gsyypOΑe[`q"g/D` 6~JCoU}" ނ4ʊ4k\Ũ#l3JxGU_p%fi};cF/ϹqPb|=iMJZҦ+Zhu_>xSuJŞʍKbV3 T@b̉{k$Lcy~j0 QfQ*S>-(jLk^򱒴w~7~dNJ8{7V,d{qH̚-֐J ?Y咞3Z>tDiO)l컟h@#ѲFPѵP% 7j;O.;c n0L:֤Fx1~ϞrD}U Bq$^0[[`/(@6i6+Y+" 2g%KTp |J~wŔ Iq[ȩpMYӺWMG yzUʬmbX< hh_<]d kH4bA| u0#ՙ}xbr% ( 0< -si坔Z}L埞X]bn5nOe*\U1FѩR}Qimuq>2zŔ[{} t)>(g9#(xO%y5wrz6lc/8Vu#i|u7m<1 /teS-JMY7{wlpeZdV\"w`fG ߹{(2$G27%Y@=[>k/rs2pJu JgG7o!̴B R\rLTNj{َjd0rG ףJAP ;yKKJ2҇8P?r)TZ)Ah-NeUj ɤMJűϧӌ0%M܋ VYzBf #^Z^WͤP>^4,y-J}/ 'y%qڋƂIXV w:kS&?\;т԰dž5rR9J7NLP^vպcmG4?m"YgoZ8k' ݀G *Ebc*1t[>:~ޒh+vL "M?1hԸV0b,~ƶgI2 &q6$gvTYcmYIPJSlJ gC1U|>m,p z.ӼewtU$t~<~^:jRKP}}+*V@]ztP_F pO9U%pA[SSEY( kbo5$EvGbٰ?"j{ܩM7 m(Je+.lYVpȀoLk8Dkh9m'PU-39dBC>$)p#묌#Cqzܴ3ZQP׾34?6ƌ V @[Yka!c߈Z#K! B<]sהst֤h3LfkYS6=D  *ܳh6f+O<Ecb֨L3 PXs8r_=vo3- McQ\TpvxnptӅ?AJzdQ{ ?\K+֠nGzeZ3wf鴳{[}?1m~EĦ}B:NRVmh.^nНo!ҺolV`UJ, sv/R*LDZLttPe-9&NVZ8 C>pB Ä ˠirﺅFlLdc, Ih3Dn\ oD"PJ%T RR_Kw\!S.˜Ǎku;,R"!3,ny&?hsCU a^CmՍWb@Ir]7˨( b2V2.ez:4*@$`Q]ORɊ9w ![( iͿ9%]'LנUZ*gu <}3 O`I#YTv!Z>}G8x4KA]Pp*93IV6Q6d}HmzWwf2Vcx@SerbN[I#ytfR).4|ck[3l0S - &>hSKaLG5tEe-l\-vtL뭤kݷS 3;,ɷaRu;LETiup "XMCr;k1Hujo ̤aJ:==p |o&NL;%ړY wV0n3ut!ФL4:>3^uJ$ʼnu}XC6#H ̽oyso>,<壹U5 n2ca,-4HÞQf(eTȷ&tu wkb  EsK Y[(b $a;>zOXe AzedjL00Z~ @7ve1GWae GDxz+43#(m~UZm)zi܏fkyʶ~QwF.+Mp.q țfĈasGGX= o&P 5;,%=tVP:'>7vƑ;y I1)z+4>d% 8oJw , f\"žv7"Twqy=T=$XՇԬqxP@K9I۰ iwf [h³ ZaQ'6 G"GqrԳOPů>-&H+BUnL 5/H Dߛɕ\rDEqo;'h.gGCR>AÍ]Snm]5w "ZxD65D*Q6!sU|2$Sh#bKTCm^g8:+8/ߧcvv 2P܀ D.ϩ')iKpi=뵲x=]>-NT0E$t@h,Sb$!mr3 !w6آNS_ :QKs]-R[lBWaLA&vkxUɴ ArLH-UXG8iJ`e1mN`&Z`u6K-p ׅxiU 埼nGڽQ{ V0#jt.tr>d.ӟ5nK,eh;񠋙eo5*+/Ippg*$7~FJGX;zu%ZBrw87:l#P'N%YtM\8͵rt҈{wL ج>s,rA)9z'y2! @<kHx-xM)N>tc7WoVo;ɷR-")ςܩ=4I̓ -ŮPa/Ls] ~`3uegȥ5kPrI@ɢvafP2Mh@ML%#[n$vu1V¢{T٢DalvcV1VKC<24 lADct+R2[ hAʉMGŃ6"@~]S+#4+ 羓F\0RӮfl?.ǣnI7iAXHssh>d2K,2OEJ˒P ikkKkz"`9=R!&t{:(Yo9?1tQqdXfpeg)J 3A<yvGP&'W^C-yr,3 w~-U%@rH]m^y{j >$2+!\˒|Fu6sz$]9#EU E7<Ϭ ߓ/m.`brE<%A}1"#fQ)y &kH{V$4P >Js$nK^tKoT|c֏4.xej⹞1hԵ?c19?wdn<V7T0seK4 gZzyEH~I"ȉ| ǚU|=X3O%[fkF OE1pDHdtYd) NGoM 'JQ6{KI!N#i1YD4Cݤd!2"@!zkcI<#В'.~=HU3GLYxVྻ0?{&i4dlo4EB[.yoXq+BC[4ZqE 9ܨ^|Eqxݛ (1[qr`jjޑ(ܝQᑔ -ۚmkGT2yϮ4unt&v堬ÆXthun=%3š=C{ e2B *TgRq}a1-V<(G9xW9ܢ鉣;(i4r/m,!F_9kt -_`V?;~rFX&c 2&VC+ ,Z\1qڄ *K CNqZh }|=Qc Wn[CA;oh `N.D:{DKʼn+Dq=+~=k"ZIb-"%3a,:Ot09+{L 듳DOtH0-H>Q+J{/Y4V":I&&C~w'C:,7bJDoE;0m3 qNc_]2|{IlMu⇗]:-x\Y\D?q.8⇅eq79!8E#bsߏDZ̎[==]:^Q㏕M 'c;FlqȬFlk34. c!=A%̺\LOPu6TV,ij"sy@Hj ÝJ@DAگ{-fwh(멛By1][ۢo'BqAVO y.DQ6/a50ԖOӭ vUCJ'C%~T1̹.D!p'xj{86m0gdu,6JB n96Ѐ mfksr{jIZsopŤj*|^L5;83 ED}esp5S;A'oLm1<pZ=51؏G34x[5F_[o@oY5@\l#EN&A冻m@?2%ǺceUshmӯNʳu1&d< X)ڱ2@ :S(g֋H<5% E4syI 8GJ`D!inXcmY :}湳n*USj W$p6WigsvPTz-_VCZg;ㅨ*w8O4bYײ[ۺHh4ÞXﭸ8EX!C(6'^$(t:PY_~AGA*­X\=Ղ42=U:a&dkӼnVJ&A @zEH֣kiX2p2F:!< նRAySU i=fzCQ.7tsKk߉Z㯊iz-įLDg(>3lk+w:M;@8.Ix2B VN`[7z#@Vy!ސ؈lN,..Hpûe}VmhYqHKXKL su[Z}A.9(U$=BۚGڒv HpMˤM($I.bσMXh}icjM}KwT` qF{Drᖅ@VOcVb Y9rNn7SgiH?Dj|#G}E Uz, 9Z#I@ӇӪ;.&ycPmG7FMeE ,ZDYv8)tvo19k3Ej~@7abZ$:ZE+y'~jP.$#`1蕾?{~ݓ,?W<I4ٛ-oQ:ʢ_6 S-F죣Ntz"Ώx EJ3w1p_z8I#X;k~hXTK(x;h\ L\yʵn[w;Cɮ|%-|Eoz[~ZO |(.bdXhBNFJVz&Z|0{3d _rܦaKbIfe-I+߮JEaV,g$h8GLvCTD&uOzbh5'1 JVxq)@&\&ƨFSO{ :Ӷ 刟@)R!Ũ6y "& ?Q#,mCU%'[o:ztr),yUꇭ̹sR)VG$,(-;@Qv 'ɰ09 _5&8f́NUZV v4,ݿDB0e>*34WL> % "3 ╮]bWtw$5vb~Թ ;o^8 q;GKSi8iZ؁S95ʆqO_l-GTɓYx< _aY>1hXp q @e栄]bօG=5d1C/4Mq o=U` 3Q93]Q;в<^X%|VJ9 Hq{Ru-.JDt  nTm5*E!w|Aw;BC3_0}]RY+edܦ|CK(a?X8 dI`&h:v5 L{{Pvd A 1pAxL*o~ rkߐERe60ܥlV%Z#=tn{rB v1>{qN0gzUٱW ;uk/ W'.h8OꎷL!/N{HϣJ)XRi_HL)')]l2=e=%uq"ŭ[X~M/!#DWS,7}~t[ ٕԘ i+ߝ)_9Ft%KiJEv>n~@;.JsX/nZ{B(h+ڮYui#eyx K8NUc^X?h/{J|!c #ypOB \œ6<5 a@B .x0},mAYv1TNtPS,MH]`?l:a_6^Oa:w?R"pSD'/1_*==B1CUO1N?W};Pv5lCbR%!#KՑEd -ӯj&AnLcqE}7dzRc:,nhZʘ{?EQU4jw&0 J~e~cJw>) 7\;+I>KVp`G*<QP(5b8@aх}6d=fe-X̽45t%{.xԳ1 gz=ѱ|dT ;Y$]eiJ .#L%eֶ\xSZc6p|koui'm+ 6i|n%]:*T/d z\Ae jr->7(<#kK){CPB٢VCDVD0e#\wU3)-?1˙굅4 )%Ptρ>eh FpuȚT(#2wc^H l^1˧mo/|olQ!gf'XM<~, p>`skʏ8kspQH,ոlc=wu< :/7$0kϜ8T?/b']5R3_>zQqE!ʓ^ dK56BXi`QT\ 9*֧6TWҁU SZ± #]P GoQ^@>d3@Y~_߸vO&'mjC;@%{y'0 { :Ddm:l AYQpapED7MU+K-/8-^pǭ7W#bKd?xl7ضᨰfQ]Av)(plFIߗyL$ ?#Ts.ʲ_;J)O7[ƶyÅxp43",/?+K6;Zu&u);q '5),@W?uVeޙw>Gr#m;cr?{*i9 Lq6ͦ4^1:tt$#5Y{ X;۳fAO;wqU03f=ѷ) .1zճIC;lk`H p9s%qP[w˃QPLO-isR Ͱi'N+xG`w}>s^# 1Ƴk9 iXO/)> Kn~o DֹS3MGzwuiAOH@q Û4_tN<{,vC@!/Yg>iTg;SÍ}:>k>3bK|&o78MjM>>" 3Z@\0:Rߔ iEaP tDIn]j&՘Ӫ|{7cn"g2 nPŃ9XF~'ە ʭXK‰+KJ/#alC"b}ɗHo]Pnndid%Ve%^߲JV o#rI̹""*C2NLm4bI,{o5JD B {ޡ?"ڐmOa\X)?ZbODqY(m`95mS 2,A[7Ф  ~S诲 z>RNv7?ݾ# 8yݭg9~s< | x憿_B%_5OYm;l,k+(>ȅ/ڳԾt4}Sa/eH{nºF;=5oPb9[ygecЊؽ֊I#m1 S׻@=7AlĈ&SxFiWGY.YV]WUk^^ 5yi&ktwɫ"nPMWn~_+B"ZN~ӔoHP Hd@ܜY{2/̔%ekJ?)Ufyن㎃ \mkJ6XxQkU{_@|~њl4늘 TuQ&Y{R໦R%xFW;<( Βi[UبoI&pg!M*VgA0"3)cḷbsͲjya";A<6rX[L^zɴ˖bm`bQ'\齙o5u-7vEfbԃiE7FPql#jԀ2{L>b  dx7M>legD M!<|`bdD9D^ p<0^)Իo (8T#4ºJg=l,$ph %DGN~RTy#L$es`R'3Q/SOOx@f7X[,W%Ձy̟HY3C(JSoUr(R qeua.` _MWɲih: )FyONTMXbem.X,r4+ W`\%3GFtΈ[YUK-vulpsQ6sNT&G*2lU;L]=i؞k+b zs9q542ӷmִ| .s+7Wcלזɳ) "D7B4(,,N_Ԉ&BAl(;otXRmǺM7 EV.1dȭpӻ/],y^/T1ܙO5=t wO( Zܔbl6Z i(cr]}wB2YBkåwK"X uwa7KA!++*/bwwb[+vC[")'>ic;D]&2j}ޗQ+9/ӑ;>U AL'bXSP1Ļr c2뮋eIxmiZn]7i[R@jWEb`u]'_Ŀn).>D$^kd[FwOrYӨِyEnʸ@"@ʐJ z^֊cq[HGms;5C\PL ruŐ : W6Qݨۡ񓳂1,\},-7cInbd*v0mX;MPԹ˾keªVfrӅ]]^Hcm3=/>Izgq5C$/*x()-ҋMen|']Um>O*Ä ehc[Ba/YwE縋Mqyʜ3_tVUroK Bn*E-mŸ1v'}T5W|A4{# HW4FJг4Րꆲd13KFCTyP`Qj]yg[)Yc/A7V}u9Vbl?C p!--0%ͲcpmJOr,w38S`KX&FI7qmF@ :8.=;;RlS'S&'HNw]  PngQ&@v۟O:^ՀDkƆsjT)ji C!>Lm{@#Aq !9/֞Pi wfO" vZ84QџY z֪-#YSN4.v9MJFr<qT_L}Vl A\A`N8nѢO?X(]|(UwjKeK̯)/ժg @WdKDA-YB=_gؾ[{# cZ&nycO'IqBBm;oxrL%>]N=ԸsHrʿJFد6UWP7)-\-Zt慚')c=K&ֱPF+8v&θl/~_nCcTd;ZEvHQa2gm`47mp1S3| [;.,?l͊7J-9BX'Q6E?Av4u>jZ⾤] =zsddG2e^Ut*R1S4 {I}gMGK"M(4*G#}Q]y5&ɶ4]J+C\a86zVpZe6 j] -MKpm N;PY1wUB+Rj$~ B?oZïs}W*RU%sjA  ?xPFmb *`e&`݉ݨ:;樢.]-R?a'apj(k ?3f/q?GNԵ\t+9`rMxneo3SpQsS59pw)G(Yi:LH_aɢV ĥ\6=D7 `P[ ( Xsmo `px_@5ʿ˲D*Pc_Ɠz,@ȴ&SE\V\^(ݓ~_XlrB`Y rp701f0hgytUCmR %XMVZ|G&d#&Я޽Iҋp=Ԓ ں#g=GZCeQq΀Wk X(`O pNZSŚ@; 8COrypϺ#qeZ.cw.L_6捫U%6ԗJ0E-{=p8y;&  fU9ҙO(2N^HBCꚰmopYC" wQ_GVȹz8X!m6aOR}RpC^F&#j>Z% L\d_c ٙ"#|TFRjQxBYUtHBz s6 @)_)R8?3P'o kpE$>O煘Rn6e};~@Io-H{!W7|+D&&`~0tRGy;=唅H&7Oڧ7̰Nлosr'-loHT-p md. $37U_'HsfH7 Ov06u6 %~0v.*}R+; NYJw5`&`|!\MɏCz^71H뢥B22Gȓ3b9HC^ #&v#nrrW# pmbI2X c7 FWb[Dc ]:9nE1K1H4sjTU֜*\c _̒MuKR'vkL 7NbΏbt-l"TLtVėZwȘiF\.sDO^M֧c4%KoquA4]Uf{("QKx֬ =AEU=`vt"?V$&37 tp'@tyЙR=_1; s6^ia ^uJKt։8 `Wh:dW@?u޳Y! @`;4l*#D7W4OtU Hb~:6J$b,|Zp+s6C$Ϝ۪3e冬aV,%ǣȉFJ8leݩf%^`Q!Y IInOoZYM2x~ūˬsO5!IM$7X˭̾#a{JE(x"kBE5(&.h:tm87pΥ,k+в_%9!Rt>lkޙwl6e֘m~:Id}WXi5͠ Yۛ3=_LinA0)5:Bh)+uѶWU dI\4gkgEpshZ4_b g=!XmuϤ!'Z3-5!9+.^lae|KUy1Gk0sFSIWǶW2ziC{,,yOrBt!#R5] Y}6zaVFWkY_K8*?"UkwtiέMh~3|}ŮnaXCͫO*i[W}*C&_S5-jF 90t+<m%l07k }N߁+Aje+=(ӗ٪[:MƷuliaG+-뇦|vo#w+qxN> kLU̞<4秦 EV cmB\aHJ?G%e77DGeH6Gz=7U5Ҟu/[b̠)> l(QIஜ^/lZBaVΖ8S8HC{>dj'\ "SiQ[+Z*I474Κ_`]C[!TX|'F9B8i*U:pL/5u=-S`E8ip48h$R_.]pygCKEXuhkݢCǃֱiq ~޵ݟ[kP }p51r`N]I̴N5*J#l-x 1Үgm^7- hH1li]9.Azo`X`@ǬZD`i. !tPoIDɐ7| &UP|y[b1ڙDLB 9 xg$B зLeGR .jTO'0묘 (=wbUY*o~dWG=v(%cϾh4kQOk̃+>y5?ybh:D/PYtdٸY!q9o:cȯ(83$1 +~I(V#zGC*{ <+Kx](n連˪-afiKbaAJf ˰{w{]=Ǣbb薹- "9|K.t,O#&G+c",I Ɔ7N<'/)5#/lZX7n,L݀uyMjNMH"=ԣI~UU K7yP(Jx8#2 5'&$*f:ށށ C3O/V,К0]F-O6jxLB2a\Yk#9K wbUv tX8<>,ny\䃏F!0ARCқvdI "埢`Sx>/,b'b~ "\%_uYݡ^!5wVJY/I7w(q\UyrH9+b538}B*(cdP`.*buI:TñtbP*'4@uvO#pػXٱrљ/3{>xOEAf4-*]oK%/4w lK{O5* I`q JKyE&gԽyL {kfXH 1{C+,pÆo8&9o1Tb@ U:\*'՗鏯ya(2̋A@O*qgBMcj4Yj(?(#u K4r4%XyvૈvtDQ ;6 (2)MpFNc%`CG4_Vh!=ÂwYq(ZtiЂV87Mi+.&jW&g#'}9puDrXY*Q?wm&(yӧqkIKs OW~]_*}IئsQ_zq+E`Nݹ3裑dnUY ۀ_8䶋@b8]nmːǒ;/c'cg<3L3]#gx&L s _Q,i\'IU1X1J!ˢ&=4D4Xys@w>&!dQ˵-dBb%}!fp.@@̶9XD\d5.  *+Iӎ,BB'3Yð3Z~D\l4KL6[ZR͍M԰\*s<>h'`'ogWm!'du(MBfzc]Yx^1O3xkxaaR$;Ԇl &\ҋ4y=g)&$3oh.cP_Xt=;dE3d{1;s#+mήLW2q]<*Ȅ k< Z}G_7\(/0yq+\[؏:=W1a(HJ%'~'/?cBjQ:T 8 RVPߧ9Hel tRki9)} _/f?ِҝE:84kIe\o未L@VtŠoei^,w۩͞PWA+B90*a06'ѭ $_U,/{@`eM`'QRv\ !7(&5{+,2X#'a>ity?@އ?13&t/n47\c!_sqxc ?=1 : -F W: 8>)ޓ=1}d 2 PլT W,d4R]T۶nrR( izH`GoLv=m-:էq7>: SxtII}C9y ^̿6 .ok7(rp.n0c72]4&|%/[Yu& |1˃'U'-զ[wC(c J% X[3=ցFa[K#)"ꏸ~<&xn-:0DHe+$I5,(!(vLoL%ץW/V fIf s6W_+(-f%weJ@)rk_jZ PPnݺr%}сp2 aÀDA齠kw(~췤eʎUt|<pFth;i;>ƛÉdz|x')e4?BƁR9]fkS_D"ix3@MW6,Ŷ$ey1p*TK ZǑEP ZӡK5 ǶDbJS)rA~9Ibjx ա3Td.l(5 g0B{ڽQւr #!Q/29AF ]`AiӫQ(Jc )vj.TKwH/:* #l1o/˥8+Z6cU:BuBD$7 gF.P%}8??{[Uԝ~rsU.4$b^,\)}44Ob'ɣ5CvJ[, ʘ$_q՞Y/}}ntIղzlOsDzx{V"B>} 5Sr`__Ds^ aK:ms>s [͘}?K 'L۝4! cǿ :7Z[1s A ̍-!/z+mȃu>%]IQ ࢭ~Hq]T<˰yrB@L=IMfeh?TFG*2K`e`L UZW^_t\~(ɝ"·T4&ܚ,LpE0C`aSH]LX]Ԯ쒐nq`ޕF7=-H^9omšٮሐ?"sӖyk痿|Corޏ%{7qÌvʵ+Fr=p'0"TTͯUW޳Wny<#rf:q!\z}BP[*,~^ ]8~@h~cXnG%EQajgHqL͇Z!96`?=euwKuߓpvb\qiw2湳(WOi7~֯x|M(ڬ+ǁ2O6rj!CJ7AP`S\q}=rPUkȂQBz>&B^}%`bxfS?1 ʫFfK5YR-=]vsU]cQҨ|elM1 U#xGkyASXzYt h#~.1,-9$a-@9>Gx|-Al)2s>?}pF}E,ķTփƧB | SPN^kkIy̠M8Kl99_>4Yt Z T#ddl4և4#!"<O*pwssG [ĀdؗUKDG2Yƌ2E,瘏2JHp"~db" i |4f"'H%Z<r<E>z=R Cޚ@7i8l6I*)njsW`?FA9Lk*sC{ }JS}\5T;lKX0>m&fq-75I@SӁ'~m6@9 ܢ.%7H,q 䂼˷2ڟW[y B9s]2@^}?Ka)4>=,BM]]>,(MuW*'ݘ=pufL(}e e3zUC|;G^4`'9FFqb5 ^ cDFn1BH-W>H{ h1ĩa  uDSQr'6 z!c@gyӚ\=B2>)g% jxHܲbǝC Tt)ܬJi|c\ޛCY1p]OBXgp\G'zZ *V,UMh.ȳgxć.~+7ة. /),ƬŐߕwǐ=Dwմ0i0l>p$/55z纙.[N8 S*1B ծBH0M^{B,Cp 47rIT#/ZTjzBٔIEg1-D)u6RGKV r$v'[InCwDh5Ƶn; s팧iGi|Hǧ(2Ь^*zDF]鞁C3=>4)TPhj. pIVf'#8S C)9jlK1 s1dqN(Gi$fe;wDm7]\ptLy VIQ}mv9پj*z|H-}&9煯}-%Bey#f̊<-d42/mtx#$Xw=ro .MR7B`fMgpms:1Ec9_'x<~4kEy'85U9^[*B,e B@ʁbktxȍ=#,q[ӧ 5+fj1"qƣfMKWʄk)uhD(>^r kY뜉>=j18?_wGc6s9[>򭼠g#C ̪#`'Ev9hf% u P~LᅩyE/0qDw~SF¿ܝ4Wyc5W3M_Y:,2W#g\cyc5n(J%v,[U'v~0{^]QSn; jܾo+^nS#pxwʂD} ;rҩ¹/240$z{X u'{L-CiOz"F/2my$!(eiE0I PtG펇9|BV 32@r B)o%#*/`|”K4(hTOS|SzkҠ]Y8fJژT+8 TǃScM:ح-io":s;*FĂS@-4YS| #g qE:AK1eF=?f8dd~ 9)% ,[?FLM]m>@X&<[@ M+%bFNtp ` r! bXvvO&XDžgg<h2B<̶44},~h_񯆉e+ /54?lg$ɍHGk=r HDi Q4 Tdrd$"Vgac}&N2buh Ә ,h1$Plmco{㈰t='aE_?^Ҷ=K&uWe~mu[.llaRiP\f ?J6.Zk,4OK5!)^.MqZKdDn3JKF3MR3H3oĻe9c}%lĴnm0jZD)2` +R/վaP #ub}(gs-3iH0~G/Mڻ P5;48噆mwv?Vj if YJRnc &+ b9qg‹Z:_'xYT%U6N O&sRsoN住\E=BSaa<\гXXi478j1T9'Fx 03ss `j*y &X7@ G~4lj(&겆C׍~L(57-?*e߰%TLСf^, r`kUߘF_TnF%(NR&˧u'GW#dr;K@/&dV) UR<*칀Ը1qJ#@|&P}ξp7L/ o4Z4}e7 3޳U2 078^o{ñuGf 隆hkYnS4zt@EYjUG ld*7M3k XH1\ߑg/ AQ auB֙e-%0 9& dm56٢dsޞO $FԒ> .2eqj"lǒf l1Jds,bʄ頽d& g0Pve@y馪Hq7P r2nRǰg4E2Z#鐗Jdn(>h ܐ&gf-fYUOG[.1\(5\+ydƊ/*Y9װS}u?zH{ (-PFo:7P58&ގiyQ`q0#,͠d/s@kR4ƀ,,7-6Cύ H$s8E/ ceJ EpZQGvLmvo@G!Boe,B9%>ܹ`}˄XQ_צx4~'Y_>I4(;t(4͗PDuژy;H9jl$z:.e8?_G_9Z<ƓHl!V=DiSR"f~;QYw^%U<#*wUvUdmq|}eO9jny[tA_FxaA~E]y`/eKÔg =^sfYN l'!H$m(XHx-lA0s<44!*Zrxk-31$gxx>U:J |:EB62񕵦K3x8qso+v$j).ojE N pj2>U+9}zBR="g?r_ze Pp-OtU=ɔ5lk(JWt=ǰK!Zy{w2Gw;.nށ3Y=_u(da4N9aZAk,w@>Mo=[˜6_,lE\"k|K9Qkm_,[i:{ P!60=D] pTĦe5PaS[5BW#~ Ԓ4YHzS yT)XZ h-pd .+bsy-*T'iߛIdl^ZeO1V!hR捳!::+*3/QwʟHv*t1-!1"lFӛE$-p;bE_^Ǡ"ű6=XXwISNO?ʹ1 'C{~@U^pz, SjZ|]W3H(9vf)1Z֫sAXg4#Z<1њ. C ~49C_(Y-yD-iyH}fRFxjT%_׈GZms ߭Y3?.1#0}`@9Jd0܎m}%6"{'kCˋVB\*H+d6:ر)-ڼ:zϊ}*z2?u9#DWkW,\DF3TN8-:6{~r,dg0:3׻1&?x%&F^#GS^3CO8uOayJVƇhvE1k[wV}}cqLNH2=1=`X`y&u3vijkۊE0]P&(@,`@Q'0#}& 6՝fгcc((5Ym rыyM<7Xlm8 tFCQvieDaܘs$G8 $xhLh D{~5ϳR|ֳGSJa'3%bl,#߫?2iUTIdYxD/man?I0Q!nmM xmX:4.#sne/lyXZDt'xITLL~|AO,֟ YՎ8}@nrm{,Ⱥ#ͨ >N]|>* *mhqKZF, =/v݁\^ MT &Pf7hmxOpd@҂.ԹjʃZ򪴋Жyn{AruLr'KA0>2Xo6؆_iNpR)ÝЯ=LNZOG 65Ղ`/QK|AҗP.Ԋb L4!=!?BO:zaT"?bqǤ@:AΰʻO02osª1&[UuRqD"py"zRCR8àcV[G' 'C "'Ō@$޿y= fY)Q5$bUQz\cg-11 v3!DRTͱ ~r_722z"y>Ss:%YCGr ࡤe>"y0r4V^*c./ӅOFkAIM=1qb1ʏ\MGFPiG;e3/In"~.‚ DioUю<vp$s#m/xengx\ Ҵ]ӜRcXeîZ 1Kq|s?H [^&z ;V#q\>J-.#\u&()E>%ZD2xN@ 8?ޟ,] $ - !~8mED/3]j'OocT˥>8~NOz/v+9:plkr UŢ^mMHe 7GyR#Uɔ?%k͈j/ tPoQEA(cֿai^ C F)ChCLP (AشkGB)b #,֝jdvu<-UFcoϜ9Rzml~[Ł QRvAԜC[KOlؕ! Xx >HE_G8f[k/Eu#2@ 5!,[;)T oGnDD|J}BY=RƁh1(%dtXoc+rHa䂷Yb>{tsDnD8d䓳G[#;"<ߊf{8f ]Վ'ޔmQdh2l\.3 xd'"{A-nA?ǶKVP  @7$؜G;Ȇ,vx>`k:\z읤ۏ~ ˋd)| Qu!שqMaY4w56oEҋ,d3You@2"WS'm!]˅`ێYO jupN$_O AG D3@05 \.E5PQ#os79Œ'.Пb " .0 z4OG:61|ya&F8= 3O|"_cQ-˽Ynb%SBIO7R ׅ9@:Y땴-A,5bJ1` 䧯Ӹ66[:iY&Ny]ƹ1~0a5W:~mu̧4В%x{T쑷FezM[IF`edCGOՓ6<  }Zn3gI=oCr86@ c5U{p *T?BуQRK~^\F5QXK 7al$EO5& .3,.p/q,~xWg!x@RT'!79hiCR07}JGQ4RE?6"& ݰ_;lV^@co0 `3*`!/I JR%d W`ݫr\H!7/_ 947U0蛫 [WPMhOͿ%Eidž[#IȺ20vǼ)X>:*ßìkx HZOuPfYֈ#e[fM?I-.IM/nS_3)3HP5zn c⎯'u7lMYp5F\K&ł#Hkw$^X- 6SJ$uձw4 zz،Hr<\@rm8H!ROPY)Tv=mާ)nC1D;\5ˮgMO/8|ŗ4>tcQ"ɛ X~[C8Iș?ˈϿK$H;C`(2%:LxW`v%KӽAýΩ*]V,ڣk;m$G@ Զ Y(^kF-ĶAOP?ޝg^[e_gP Mn5먞i?kPw/WhI݃`ٟYg1ɮ2VB\3T}芘+]$DkV4&1@D˳ao[jv;AkO'8"B>Y rlmT x ] 1iX O…Vk.]bJ_/qa o ST{?yaH~(7) ,u=@cIBCSpSN2V|ܔ$yA4r! )@Fb}L -؍ur@?Q,\ߔ(LȍvGxƛ=O2?["r+B4n :n!6Dwշ%OtkU3ݯ,oLSFuN[tRE?yZ)/dR3rqh| *noKYxϞ—_s?D(^G/p0+ ieJR(2}db:]R&-Rn O5LV30wh![Pe<_hu#OG(=MFOM|Bb]0rͨ&#h§'. '+RȿA[|g)d Dz=ɌiQ ЦF` PM1ܮT[z>z˦QKU1邵Ek´L+" @; ָUEnKĬO"9~p+du^RAS (y˚N (F.cHN+JZ|[KοgOdkqպ~rl,-4R>{z#?E<,! w+ 7nA[/ENrBlԳЅLJQ֔>d:۴r/}Ӗ(T mYDCnp<rOSSpPCAoTHPOy28EvW<=<}1@vTyYW|җYݫMeDhَ̰2MCx@ n'-+0ٞ獊}9[ N3&]O^Ngui,FIK!=$ #=bH^XA 1z$o~!>A5@F5& ~ a+uk݉%of W5 BaOޭ*~Q (K:΃~mS^e7Ĵ7%Epƹ@ "i_-Uyr%91- Mz1ULKVJmbgLE^A,-R8,V<>.vȎ>+U0U,~KK܊^~2"v;#`(ߪGDTRɼ{Pch⬡yGIw6S?8>c浃{un$y௖l`'É"b[f$x+؄96Q\ :z`dJj1arX'3k%(E5#:%8md+8XuCZ͹#MLRlhro zzzp:ehp ]Jk×)젫ydF1x".rKqqs>bvv \f{ }^ DjmW5sm]"_Z&,l4KBv |(!FgUQ,,բrh`U&>qGcz4j!wDF{WE*RgKѢR\ch2HiӾqj(8ycCji]~NLtB  |zaOfsSs7YbBekꎾčE@* VIL_/2M0LEcᗙg.ci/jU[bFWyhXMV.{C4x9_c:#&&%zǍo&?b /tENSqCS#K_jq .wF45 Ӭ)HBg=D" IKZǃ y 0fS ωzK(Y<ВxQ^1e{~N& A.`/H.3qՒ]=iõS"bӻuAuZ FX}Hf9]| H)^ Ѿ}V=ҹ _}d+dZՍm1{bO"8'A[H!Qs>#*|_ j> U&dW w闯w t~!dpz a[JNlrW<Āoׇ" daf3Pϡy7/﷢n8f0Lö"F1rO3P|~l &M}EBE/'-@2<ٴS t\*6E΅<Ȼi:*Soj~?TdEGN"YաY|v~v&j,瑷pd3uAʥl ZҎQuVitN^<<;Th5pJe F 䐦8V8V{CXF!= DCcl֒Z9h{yn1%G-=*10 Yle1Pʅ H,Vf.K^H![-#.Hxqw _L]X}yߚg~y9G6MY!i9m.zCB;D„2#YdF_ש֋i5%NU 9Б_y~z|k늴*JC sp݅6.SOLf9=;D/dف86cr]˶76YvŪi׎y4] >1x8CT$cIH] )AhNt%_\1 MmhDLo↞t+`1]{7 1mZ YǻTҤ|GY1$G N<)׊)x{ĮG3RԿTd:7 z!gb7x\.wW1 pj8 R Ȍ;tfx/Z d\6UB sUqѲ\*TnbU}Gv)$G _ʽLka ϲROFpј(튯Lh|]VQG6(Lc>r\u4aвVxH=nةc.h]y%$ 1tȊ毚:XHdjMƪWNiC*{8R\ŷ=QߑV~=Q@Dq q9Q.:Q~mw.۝Qg"UFxC:@{6DJFJY)?RC:x\7` ^ Y2']G Va:5ӎL (3:o;X^Qx-l>-w$a@,a4FϳO#(SҤmZL;U j)hGƩXJȃ,G>λ q 7Fʰ_WԬW٬)ڋCD, AjDu-ͻWHb7Aӎ,W2g<fl `W}]Evf^ m"$G&e2T+9Wݓ6}z= 2\HӬeV$噀 TC{U{p+ˈi>i38iGtIj)7+~eks9}_8BB4FN!gO53op^*aUӿӻ;H=-^t*W 65גHmA[ e!FsL ?<hzJQ$ #]"Li 1}zk&?Y(; %D6 Axm8dV+a4ɧ:UH2W|?ر
    3y(̡!ݱ pZrE|erOرBVq['۸O M1JWXtBO)ũM߾G_+&ogd:<ӕ Ci_Fo M;*NJ>-v+dP@cb*-q}$o=&oWL@FhLX SgI 3\VLr b̗"No&y0d#Ty* ?axj Y G2 ZIl>xAj~܈T#\Qd|rryp!'-*mi`LBHr}uD|˧ŀ~h|WTژk[ƅ-γ;䞂1#!HOx {ߌ=IسOXAg:5=Jg\]r}~BxV:XZg9ُ>ڲnrH-}eh!N8M4y5=}[Z*!"_f{ w;Z>M˻V: 9@XNL0"#WkCl`h]X\*ꩩU>l2TrWjTRg"h9T٤QO {!X\fBiJ4!*`XKv8Rd,wTNd}PG?Z\i[hXe] K;{KQY1"*s+֩X1~0}ϑҿ@,a'!{ŶB2n)(ᅆBJOQq@h?"DI$X-˻9Rjlg鬈}8!͈|z 鰒Kb<%Ln*+,B;M&'UETenCNw*M.ʼY4.2BVyϻ-((hqˣyή޿$Df N }K Z8+eV.t2WK|:kNNєX:Qr#pE D|ܒ5⥔QU s0-:7#X"t𸐻uI5wh֠xBOzij9EuawRA*fNnrXjj5kEaհV6\~GM7J&$;|礒O%Dv^CTY@z>*G ]/whb>sNnh{tO4@PP 0%/@c."hG=y5- ƕg~&v*֚ܺs =(1nbS\h7:"}ZƌoK)$Xmr:[_`8aLh*;0DqDRo{a#3<>ٟH Tn?2kwDQ-ƌjз,}KoH0E;reҺO6n>yۑa)+2jrC,_ёnd+8tWVJTV.;.pb%;,Tm{8-zėQKoL gp@ ^!NwN|wWy9 2ik0`wqm~οBOX{8p[$> zæ1l`4Kf$Fwe ظFgqR-gP!i86RzRd1qZ˯|B>-pLC_fU/@$6qVZ\YRߓ:yʠG!Yϝ0ugmQ_]Q8m+*/5#] ~fV|hwlECzmذk Pi(fa.dm2W8a؀=h EJ?qZ 1/n_ZTPlApX2Q+~.>j'H7P,nTx&Q0E얹_"@}l>_)/]+a5U,e 2Ũ|ad?Li٘r-By0W% > R4r[sPSZ*z/]F1dpP'S_f-hĸ #aےD0G) 0Eh~zN.d#8 {=|#Qx4C.//*lBoFURQFөT {v5˹-6.&s/n_ Db˵ s׿?6LKV-P}ڨIpxύ <`Cy+~J,Ù\`$ū!UT0r #ʲna½R.|`3Ǧo[}7ۡd=V+c NKUXXQ}4s%7kiexwgظ9WSB m;R}(kL?zhP| 7 SuIg*vy8.nj^,ŵs5Y 6SicvbvZm͏{ԨWcg(XP2ek-k:[? giGv@j-׊s:g30T,c϶Eo[n1C}uA78&Cg>gA~ivHC..XZ+b b- $c稉GR׸Nuݻ*[bR)qb+,M޳&k  :{G#G2Ru&e(usj-zr'I\7'INDHM- _nkK^F`e!>/ʎPүjݝ,uY~ =B{O eUTЌEQK3ܯ@Ren۴d ~P[HTsԪsDKoT.a$ñs[Ve4#:dɵ4a( !M`6ə9zmabj+Ȱ%IP=2OBHa廅o;9O| a}.(~nZ1L2֯fgq)JaLJƓ֥|Q窲Y՘lr]sc:M;1LB|bAi籛>Ј6yaV Lʨԡ@dR 4t8-YySkA{u}Z:7vԐ:yD<0+ܽ``#cWlYnQ04PcV-b4 r"b FbϿ}AgV^?} )h8Dw~l.Q̂XA G'm?{9dppФ|xIi#Snzp?؜3yX%Yסp#`σj^rzR]Gc&,2X%riuLQXQЧ Ԩ|@7}}?XU,T""ٌn@ 7[_pvuFi1tvu[OC綦؟#K&eᾸ? IQ n3aO=i $|ף6mH*ߞ*Fv[%9a@ :quE%i>"kJm% B B,@;$f 45WiG$UiqC^N@VrF ,FM=%Rb߅:9'hLP"rʗ_2s"З׳5KT<`CwF]QxT댪o](;EΡEwv9V3TpV-'} Ca{,U a\{139q4Q'NxD}Gxp4",,jS.gD;5I ٶ&+"|<:Zͷ>&ᚉt(91^1h~6 =^){bgx ٥H[/f <_خ/ ,9Fbmۡ>8a N`A+@T{PAͥⰩNJtxF˵h L(aH:o@^V&ʄ!cTt(esյiOzH5O~7Ye2ddK-f۳D`aQҴzucd'z>"Uf4&塞ŕ6|׈ D: WBFN@js0;K|xSke'WЏQyG \E4zfdtuǑ#=H;($s/*,·u[kw?|of(0V3@:eSoAl@":ek,eoR'HaQ ͯ,c̩t; ]lSGxjY]DǕIqi/Yi k1C]jkHo3~[?mml6m5US"4ܣOOޮp.Y@ƞS<QT )[POHG㫗:`j'#t9f',#Y˓žY=DS"> V9"Ǽ(A=}`Q0z$p[.a-,GpBv]ȡ\‹jtp6 D/(|14nSs*0Bts{'1f# u.]u\(`LwyS̷L~I7fw=^4Gh47C(ӞǗc(&,Ns` |B5XI^PNU•Sg6[o׋2RP0ƭJ3iZpM.|#zR7>VЄzű!:~#J=<)@1Q3Gj6ͬm3aXK5/k?<l<3eTKcY'Mb{K\KBlo ʼn&,^nAQ 3v] 9-c_(ͼ{gA3ALw=m߯Z2 BxN0i*S6څIZf]Rjˇ4^0+9JGF.Ikˡ26Ƃ"}(f _eh`m& ?RЂ :܀xL ?~aze8RubxabǮ"4;K8I` a~Dsʑ # < k~7_;{g!] >:S W+'>W0S@*%.<;h)Yl0g(Va2D #]pAG$@ d95DMh*رK[B=D s UiJ*>AC#8?wy^O?:NҚ#YBR ;Ts[ ~q\ 㷛f;C3]@9! dL=Ouqn"G|dJ%lҝ$c!'ΧK_ߵZwҤkƖ3a3Od#k.eKZ{Y*>'JKF|qNk̹F>+& C#^}5.8Z@6 =)W$W3Y%3@ƓpŮ>;EC}),^EQ yyfMt>'L'ZؕwxY(U55%vIFR/.ѫl_/%+ H.ufPPSD&ږĦH؅7pcՖ:/f6ZۑP+c2a3-C](8&0FR>dtUA?0Ql n7H 3yìu=*n7KƔ0_f,=jPWI3IMI >Xؕw13]E *JXnBk0UW^p0{0Em 5ʴ#gy QZe:Bvi*VbD59cTQl_9 gDҟ(R#.^ӐNz@AHpd7}KzKa'L#iT.Ru9c8ʰcPRQge+p'H*M!ra|{ g$7ii93%rS/6AͭE/ƣs5N6~!2x{=40![4>k%1r8,v UFv@֔ T{c PhTF\ޝ28P@{2L\AfΨ>y;@=D0aۈj=[=N;'p$J˺q~!e;9 r)O״Lmq afO2Z$5y]@kw~~lc,U銣zr,NO:ns}|O׶V7X|CPυ 6uuO(xƝV*/!Ew\aya G]iI/tX,PƏ5hXH A/۫]{i;_&+"zG yz .>ƼfȉSKq\tiÇlE({ݡPTXXdX{52kaGzƼ70>n2Tz(liֳ̎H%?yh۠}Hoܼ՗ J 2.w.5etvCŋr `*f˾v;+;Xyq5 pkz\' G{;FM|U0ӄ褚{$yoRXuT64tqwbz X ߊ|)(#u8.db.u}>x5u~\_3^S ݄I .s_Tt< O3|N%zl_ x mg67i\_ GE< g;LA⾮rߚ)Zn?+I6(&0yB 4>Fe;@dXb#)PK+Sq[a%$_5ʥVM:Q3 e[<&//}(ݘ-Ik15;duvMn[[4nDEcϝަZw5z:O1~W@z֤C`˅1B9&;74aVyY5~B. bFn~ؗ9m5/{^jD3ƢoM~[*m^4[L눪S(zƅ pcO?ei MaS4: .o2$E!8( uc#TM9_YZ#Byz?F 9NNbP1~ =; Y}T.d+hgt)!!PA lS;,STNb#h}BnX:#U 5&tJ ~}c.Nׅ'(*^e|]XBbJf # Ia2/ʱ }_w?]M|P˂ uNڿZ?,* J% ?.GP U vc=|tNÍpKŢIfdP =ꜗ럌x_s=p.̫|Xj6l{BN+tSCAt)1+Rz Ə§qrvr[mFSnIe]) ^= lޕ.F4^cB3Wn]4NU]i ྍ'HXto4'_G<\ ׃ks @'ys`}/S 9Lu;#6%*/ LnH4ڒH&58R0: vL.[^.]/EorTng~@H+F`6E&؝wMM[9tsr;wKխK819 uHu1Мgc ~b|lAlJrt`$SB#⑬AiXaRQ.@,->C)$wrWnIZ/qFnIQ_6%J'R%Y?F7.- 6=ɟ*9J.VlԆ'^҄UD[ӻN+mS>#kC'ql1un,[o=];|b`*թ0=GT0܋a|[)Xtx)վy0P&h 3Ѫ9~Q<hD(YV KMisqƟ& 1C=<ث: Hdkߎm6^c҉+xZ크BtGN\3 V[mf҈hOԤhAFb.yXgAY0LXr\jᅿd-<;V)1ֲCY{BSQ%&pӍ.npH^sN"XkgcjİJb,Ӻ)A\Ǜ,nQD12n(67 ;LwJ=p9iH6DH f{m=2Nul?XhK3S\ AEa,TZݺ'BΑ$u䤥8'Xx41]aQybO@"0oecFg<&9N$u1݂O!S1|2H_T>t~L_ϺZS-c8mDw*M9{'Ad?S \S9TCx^@l\o"TT$K6)v˔o:j7` ˜zPWZ ЀYj-%&A$,Ů.4@ayQZȤ}YPEzOC%-!4xsVoKbIϞږL} ?p)0K4d09('UT)C!wbʭW s$[dl N2wV2Yuj)Uץ8;ЇM4/[GiH!ĦLҕkNEn ?ߎ#ҏ\(F:T(o8/Tk}p{$B:&,|܎pycL~8 v.d[Wa;^+FJ giP(M{E-zYgLoK\RM:"?{qǸOWP,?ތdIn7qlMh,2aP@MŵF~P[Mh40AL3܃މkx3LoG.vв\zMtX!!"8`_,)҂Yˆ EH_Hjfh\~6 lN$[z:u͵yI&{m_'q6|¾~ap &,^;s$ iܲZb`sjIjOK.L?5Рp9_qnf()dH*SU86 r\\lJ!E]$&{ׂw6 KP'E$ gcl7gNK5sYP[i L:j[NTڒuaNO,~߾Je|S1GEMl2 j!S+yG[d/#LrkJqH~@*ֶc]Ì ~4 vC6tWq>rdu xOJ)ൌҥQ{FccsM:w Jdn<A%FenN J]wx#a+0)^оkB[8'H:ԌDXƑ>$Xpl㶠i-^C$YyguS[Վ,Ku,yٴVJEu`EynHD&hT1V.ḎN΀KbMБDѦjAfYۘp"3AB`юK/=m ȋIcp(Zo޾z˵; \]}RœWX*GDrW.Y)jZ 08/[xQBzZ2Nj&|W$QHω̯' cFe֦SWDGUavPT?6O%r0瀵˭eЫʴ,_SzNlI; 0WTxA!  5)1SPo,ЖS|ϬcR];̹۲"Ni 5MPߨP203c>`)@A (nN`S1`7X?}7A擷_ Yn@3 K:`aeݸ`E}8V>ꉜxGd(-~.P|^ɟWH<1_!fkiS,5* 7rܩe"fh꺑DvF<Kn"f#|7#(&b~v*vBVVkc0mRܖ#X2Y*I}Q&2#[@YKeұPjh/4*PŬ= d=wTP=TiQڸH||&d'%aC|(OG SF6d3.'8iPO>Yw ۭDRJQ|i*I0Y4@5JzFtZQ4G݅j)=#yGgݴM)/@at^*P\f DP. MNF>WzH4vy #M`Bؚ`\}㊕Q@R*vWyC rb XW&Z!_rP:Xvw.kвEk|hvn?B=jd8M@ČdH*2b eJu"[m.֨^ a_)mȡʆMs]d{GJ,͡-+_ODGuk?o{ ڻB (߀ӵOkx?v!wym_f|{-YCۉ c'ȧ^W':o " +*Ai*(NO/ŠArk1hA}ڌЦkِ) ?ˎihI:uu0|"fd^hRERs~dftS&G֣"pl&>]es:6g$C!^wv;o0eR:4^+.儦i#_q.eǹ8YҁFnzJ\kMHl\O0 c}y[v87<@0=?< 5<-q^ځz KT ڦ=K5U4_%J0ptad8om%VCrkHHzI2nV5h4;FR p5"HR+~ȞCP[׋D 3:YNCk7x\ |pk l|U |txu%jpj w M&qM@Pr RU% &ҲAh%sEp>ywe7**eJ,>,%C7$a8%ÇaAa9J 41\G݉/}ovW ?7Yepl|vƴon<7 SW SY!&'Gg%4Ijo{wfqO,LIT%4"fIyE"q|ᾉMt>); fy`GUv )5G`z 47CŽ$f& B|+>E\0/n!=WG }Գ\66YuԮ rDs3:ճxa <ՐkGs~6s'lDHҪsCOrVQ!QZxcǡ *27pYrRqsʒKj`{fB%TY ٔ^G#ΗX(Ubjx|9G35eI:5#5qOs/cZ]6,Ԓ?2ed.r:j_[;S aʛnIIgYaYg)* ㈉z}H{URO@k͙7X|C~}) "a,奙)~Fƽ/I<̔c=amf*eǮ0܃";l*I^+#ao+//@h͐W+>G@V7^uFC%F w#Ԓ+.e=S P.PM N{BZIb"pAդo:?5#MPS0ҋ%/ÍC7}s֦&@fVM҆ӆvdd2|4F,˘ZvV=0@o( (oUb:I\V#~Ӎ;V6` pQXo]"3cmvc*Jˠ+jo"DIF߼{0>^ }#J<@Ӟ_J @FM[ #U"oф;:)HoǹՌ/b2ޔ!NzصFJ0]+uzcBCG UtrBV e̷,MmpR^ˀĽŻj d\sSovp?Kl6hY^ Rs) S˿8A_T Ƿ_Fn+ 8_<|u bph8Z HmQQA-JjK"ݜ׽"~X ,#4L, K 9½4'5oyŊQtƺgmJ뮡ϐ*<1@WƇyv}iwdEySD!Cٜ եL.RyC}6i]u0 u+ $ ۻZB2Z^#*1HqaK9rk7&8Es}185M1)$1JJ+u`l_ mKϪ8ڂ[xupžu-?cv":KDP˄[E6ZW% Y}w〬~.(s3Hag /L`e_ۺ KBL1Aȕ>B e *yu9(Fܶ?|FFt| uLlSӒ;aUb0{7d R 'E!Q<_#߷ܿ \#3jGq{NTFС I_y7->KԪo|߂^Wi\O?Gџ iKJψ1ˀԘSV,͵VՕbU 1R8[m0_68 O?DntJBZ8H7Rc'D>j',i.r X@jU/ !%n̤j}X)J6j(ՠ?2l%P~-lviAz'OT\Z1?`moۡσɆoG{26ȫ*_ 4P`L|/w69fYyutjֱH~GJ1#(p)Q'Ѹ֨E_1,B3O*c ŧ^tM9Q>k°,sEwd0V1fY`umU(A|Ϧzv5D.MhQWF銳@K,57wbζm+Uz~g`~Xpef14w<8dOpF'>OdMiNsɰC~Wtm*{.JߟW,e$QG_BxZJR}8`/Bk2J=潅D*: Rm9Gw`mI*T7W+% ?As,f7\;LQwWٶJ s}#V A h *௨zMVNjݘ5dLKݓ?~8 v$?HaKa-)'{f$Ⱦf|%GV_YylάF|=]`#'[~ոO:&})w*qrϴ'F`2V8cukh6,}x)} /g< Y)*ΓfZ裢X 0B{z6qg̔gj/$ibC{ܞo(.[ $pycLLY#ůWUL6qN|)ܬH&bD:"V\?;TCtW8oZud:n6޶c­c63/]? uJ^a3(w{荜0]GJ)Z3,;:u=6NH_@G3 &M'@ĎG(#;Mq{%5-)lMo ʅVJGc% =pN⺊]?^]OZHpjʊkIRDI*Eg Jw6/\Ab;^">g1Q/J\ '8bVC~}Qå:|E2G~ʰƄ}1FQO6Kǂzp+dR@aq`erv\TZLm 50Ιl;unJq}nC ^2Pd-ɡUsa;ǓthV'W/)HKbc?UǓn #uLnÍ F1$]939aV*5_4lsoLPGj=PdkmҿH?;pV@UjF=%~) i;Gݟd9`jdI 'F d_e=4`n|jQ~@h*IpF:1ޕS:z8dחqtAG[SKsF>HAn p1֜}`ժ~fM\_X[`P,_F65^uWß1g~ HdvFpG_Q뢑P J,u_8^/]P:Vk$_%+yl}t;.C_l?, ,1RdDJ0ށ'PW"踾:X=l@ (j'͞D P +أ"6G|we5 еL<Uۄ*eGa|m9C^{V >c.Cv ʄ8jByF 9Y`RC-B+4{౞}) Rvh{M]~-dIyBY]Cr}W Ni$pQhC R({{ $61v , 16 ! 1=X|lZmqGνӌRx6F7$yMpȤhɯgn!5caQƺ 첆޸Of-[yBQR1~5R^sֽ @¼jɳ5ɩ=`N#Ԫwnѓ!>j rs9AJ_<."G.={/8yzD72:+bG<H_!Et`iQ<\=NK>mginOW'UR<>!T0Ǘ1;A*T/vQ4>-?%:ʺ|ԝ!"k %'_5jԞ;;zXi{akV>횝A6eܫLQcIy" 8)qYM$7~-*,ÈbeZĮ0]]R{U<<4i=(}.P aUTPWd*J9|}Ѫ`0ΰzo6!&X/6,/iF2_>aXEɶ#nrX|sT{ >bDd9%=K ރm2 -cUP]yflvt^іg1;ʯF [c_Z8002:*a{8vh-C5*fd![ s8ܒ9s3 7!L$As]@d3R[0;VfJG3uir5ckȋw ;aJ*!7|GJJQ bKO;WS7 ,+C+ҲvrЙ_4V"v5<#w"ϡZRTXn Һ)#<!Qe"nd GY?$.iғ^̣L׫J/&\XlueWZ(}Đ&>ZqWCk~!ٻoK)Z-){ـYcԴ}4|5d'/lԫX"l !ӹ^w͓Cx/(D*҈A{;om e>|B*ZRI?R߄o_Ki? S{~t؊NbZeyCwiT"g 6ݦѸTUǤkS7XV1@C3.+k({$bMslzWFD34B)~<9V`v+=%$698SqƗu%23}7C[TňDV801L:p\"f<o$}zM Y q X[ݶ>uZ&!k9V QF\v"ADwybJl< A7k9CNW\3i0Wښk?}bo*Kl.A_.:b@ĩ?oG.ُL =G',|p gY/;UZ`Nv`k{9PYI٪}oIѳoX}spH*n'xiϡf;}ObM[I^ĸ0V怳Bew ҌAׇGQ'<{?v{)Gw[6r hs'oϬ=xr`TF 7mZ ~!f6VDOO-X \g~|y .IJsq,&oeq0b{ L,h/u͢o3iY$p'5:qT?\".1#$S" {A[#5&7:-J!DAR%RLs؇˓3ˀ&pzy ?TWÓ`>aԡռOz*C3q-f_aRmtBz'Ҽp!zp2c |GLk ̯TO{>AG1`_,jHVɓU63 AG|`HEAպ0N|B+~6ؿؚ18@NDbyC/xәȚdt`T9]-f A.E;N9UIl} #i_v/=\{++PB# iؿ/#p"K`}MH@!ċiv3.|Y֒<JрJrtG+ԠFUH9Jvmo;ZD6E_D5s%BAzjjJ9kJYLV[OSd%)A@&|>Z@pf"D|GUQBfx; $grU~Wf8РS5*@mh^)[%}dl<}/}52gqS_KpQiB>n2V PV7#(>iǰ,'."X {?圔-(eM%#Qq#T Ȼ :-]OV(uOtaw7-EW=+ $[^K.݆45{q~y!{m0 Maղ~ysWJOG2]kOE=$龍vw mwwE,pF+!p[:QLFy?9\՗"o ?}o=͸x5a$nF΋ (5&UQ*׭iO )\-W'a"&"`.XTWa5_":,ca7)r1<[ yMHgzߝBޝ I.X+>gH~? symrRmU~C1[Dzoܾ_ <[$m!dCdˠ 4}R !fz7O6+V q~x!Oݙhf;kcpJU}h6j6 uP]'z__MfkRsL'4$zɊX%aYn7΃"cx;|~`߼n7dY΀HivD7PޤJR F]3 ]ս #utA|CQ+ДGm@ЍR3b~P,}t $0 lBǰpc\[9םKKF0 騨LL!Cߗ;fTUy@SfTu'2QZԄiv7yu"цR `c-:Xf4DL;ju|٬}똥bzjEpGN#Yf6o8<\z7Sy,u06bPs#1X#g{{D<: 2FtA:"wR8rz^u}\Owythџэv2XԾUs^$G29X,Wԣ\?mTK?шZETb - PA}Y4t23C m.%dJmU ,}őG`v4 Eg@ؠNi2>ʡQ!XVAdla.v+.- G_$a4^D:G,/TJ7S}LGQF28M龬9$pG wlr`ȸW HYd첀Yw?[NW4'-~($–>޺Ydhrg9~.OX?gǧ2(*lmk'v9G~ 5H3 ]\vcJy[+M,+(ΦBa3:ԹΓŵq/ 1S,T,ArK.A=6wrC v=r2Jޙؕ$D9NJa/-:-š!Oll0PBFBK ޤm8)F1}2)dFGU2j[l\.F)n=n|!о> $-/<-pnu Q,lozoGT{v/,ISmjq Z M>YjM01hFuǿ}s͠6ûz '}ҤZg\u1F0x¼Dƨ3(͖QO5|:4Z׆lsge,^ =a-d},܏C*~ᲇny&6ӝY^ *P?|KPA5OB:?S@ !qPF -9hF?Tַ*tX Q`Z `q;^X,ЛD&,6=Q&x@JU|8fju%LA?~'?ztAE񫞞ʆ2Qd7ʕFvAdB[o/^}(p-9"ذ hi><͈sH 7"a3]gN 3d@]w86#{rsY07? g.1ɲ`+ln0T˓\wKөw?k-^ɏbfѾTpBd$+f6k3bD@):p=4ܛifĨA( AsƖ6 KvOKV=3N員T`={c. jhw\mM(c7#:ib}uyU9 Kwpe^9X,ɤM~(#ktA@;#FSsٴ2H 8fЭP]oe͌V!C9k[cX@@=tmwQju$Ƭ3g;-g핪W<G`G5njǵԵGM͜C0ls|a-e6F f= :G {W=̙ve,[@<{W,tU tI6`Lsjw^(G"GF-:'I>.+sEW-@ho{"e ޿[#5 e߳6~+nӪE*QfQf;y7LE0'e;|%UufTyՠES"R.Yr>(/gV-`SŹt&KR:Vwj9cQ8GjPhUU+A& c9EEXqeZ]"-xmT"8"Svq‚oS`/xe,ۋOY%6wE'С~"Xw8#􉂏Z/ K *te-`9?>tdߜQoyԟ,v(4vP WZ ,JbصY**N|ɜ X8PpVqI#Qrehn-F𗟠f?wת8#wD5 @>]{TO'#z:A_g)al F#G-kzG=V*{ʟQI f:LNPZ1-=a`$~詪|PW^&&j%Q('~ϟt&'gU? /BmT)iz\iW H ~r)]Υ ZP7]jOfFܝѹHlxfdxQd-%Q(_O8tQS5Aq}2szSD `*;Ł 5V3HЫ\z$zM:Xeb@t&C*ۉ,4)tj}-~Qi F;3|Z;rTh؎łHi66MmIa,vHB66q}vi*n!$fا%Nr8*F +{r ^}߁SmY{᯾<,Ee*$/tK(@zoD̚NbrY4HO*V"A9h@6l%Oʹ~ POrQX||1Sic澠S$Ւ.]ꉕe.ĨF[Eޒ(f@4'i>(i.)Ε٥-'9(lm|>g;gmmt{ lMqg?& V$+ܞ˟_4c9Wg`{#1c$.*n/:}OqԮYn).W_eKT% 5hVމ1l!%ϰe`K{uNbL7NU+ hX#RU~XfÈxԎl\=Xc~@%.t%?axK9°h)Y^R_F Ht~G a)ly ҫ ?\K6AʺD >5Jqk6@ tP0VxNYKXZ~^Ɫ) }a3^eM I?j+2~{M#pJ=# IaTuxF#wN~r3Bz13 LA|}0覈ۗl/I}+RټV/ BZ_锧y?ɴn|$^wDZu^xó_%ԡW )o)f0'_p|ҝhmwrr!YȟNp_}6#0py+(kbv޻GJJxSY7XtǓ""y—LǾNyy.drD5$ PO(H5V.M\dE `7L>y> nd~[(B_YXJ:M M갦=Am@|_8[w:vc]I~FxqeXA9k޲8ݗHoӢ1fv% |eq.JBfȆ!"e˾J7UoV^M{,T^*!XV"%_)=pBM_p{=T6?]WfGlpg6$mRp Lm9kkX\ƪ1#Htt< p)[er|amkAzCAݷBHzOBgMNbMjs`Ѣ.P=gv8cÅ=ŋnADJpCA·5+1GM#b;?m}r+D")\ (I8l YZ