permissions-20181225-150200.23.15.1 >  A c!e)p9|je |=}Jt(_n Ο7?^n+)/pܪE3i7yڒQU*kL5CMd64JV/,W jdF\z; q1=Q^ *s{¢ U N]˱5o Mirq}1;x T9Xhd6M]9` u:adbR+MYS#Dz8c0ff5f03dd711b617ecdee4865293a7722cdc0e39a9660138d809da49b532062f6e2e822f1859dab4fb501f965371bbe70fb25ec!e)p9|-M)Ơ-`A&K}mL` |jy*D%s4.v'ա4p۬xИJQZFXa!3~r():_DmGN[4z~/N;.<Bai =E2u#)2e3wlPD@"A B6dE %5f8iP\+Fr7ch.+4%Ji6<5HOY6gT,UI zC`>p@>x?>hd & E1R[ qT x           8 e   4 x ( 8 79 7:/7>95F9=G9T H9x I9 X9Y9\: ]:( ^:b;c;d<>e>>>">dCpermissions20181225150200.23.15.1SUSE Linux Default PermissionsPermission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.c!es390zp34tSUSE Linux Enterprise 15SUSE LLC GPL-2.0+https://www.suse.com/Productivity/Securityhttp://github.com/openSUSE/permissionslinuxs390x PNAME=security SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi # apply all potentially changed permissions /usr/bin/chkstat --system.T1W_u`9;@큤c!ec!ec!ec!ec!ec!ec!ec!ec!ecd73f4760679880a45dce3c9cb05db59590dd96a4598a64a8a09e1ac03effb067422c5ff5d9dd9db4fff1a3dfd8d40a1a3c85bf2ad31959ddfe48b84a4d64199254ecad52808937c3153a81d50810ee7e689d78dfc2cf8aac67cf179a2fdbf3bb06089354355503cb5ac4dd194f1060fbd6e9fb3977fc49d7dbdf4e3ee875b9b8629bab725bee1b07bba39312965005baffab12b82936e17c0c60977e8d2c74491481b2aad0df0c9959b1077f835131f07ea0dc364cce18df9081e73775af15935eca1eb5762d2b602f4b5114a54eb6e6815d26f10b5dab00cda67f2860ca4a32dcb772c1e9949198bc7695bd25c20cd21aea565905b0975de2edeafb31d8202acbebeb00ef9fccc619e66ad50b5c31ac346b2e06ec7d429ec8d2181bc5bd2f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpermissions-20181225-150200.23.15.1.src.rpmaaa_base:/etc/permissionsconfig(permissions)permissionspermissions(s390-64)@@@@@@    /bin/shconfig(permissions)coreutilsdiffutilsfillupgrepgroup(trusted)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.2)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcap.so.2()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20181225-150200.23.15.13.0.4-14.6.0-14.0-15.2-14.14.1c paea@`@` l^?@^ϧ^>@^^y@^\@^Y^;^:@^4]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@matthias.gerstner@suse.comjsegitz@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commalte.kraus@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.comjsegitz@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- Update to version 20181225: * chkstat: also consider group controlled paths (bsc#1203018, CVE-2022-31252)- Update to version 20181225: * setuid bit for cockpit session binary (bsc#1169614)- Update to version 20181225: * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)- Update to version 20181225: * etc/permissions: remove unnecessary entries (bsc#1182899)- Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)- Update to version 20181224: * profiles: add entries for enlightenment (bsc#1171686)- whitelist texlive public binary (bsc#1171686)- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- run testsuite during package build - Update to version 20181224: * testsuite: adapt expected behavior to legacy branches * adjust testsuite to post CVE-2020-8013 link handling * testsuite: add option to not mount /proc * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922 * add a test for symlinked directories * fix relative symlink handling * regtest: fix the static PATH list which was missing /usr/bin * regtest: also unshare the PID namespace to support /proc mounting * Makefile: force remove upon clean target to prevent bogus errors * regtest: by default automatically (re)build chkstat before testing * regtest: add test for symlink targets * regtest: make capability setting tests optional * regtest: fix capability assertion helper logic * regtests: add another test case that catches set*id or caps in world-writable sub-trees * regtest: add another test that catches when privilege bits are set for special files * regtest: add test case for user owned symlinks * regtest: employ subuid and subgid feature in user namespace * regtest: add another test case that covers unknown user/group config * regtest: add another test that checks rejection of insecure mixed-owner paths * regtest: add test that checks for rejection of world-writable paths * regtest: add test for detection of unexpected parent directory ownership * regtest: add further helper functions, allow access to main instance * regtest: introduce some basic coloring support to improve readability * regtest: sort imports, another piece of rationale * regtest: add capability test case * regtest: improve error flagging of test cases and introduce warnings * regtest: support caps * regtest: add a couple of command line parameter test cases * regtest: add another test that checks whether the default profile works * regtests: add tests for correct application of local profiles * regtest: add further test cases that test correct profile application * regtest: simplify test implementation and readability * regtest: add helpers for permissions.d per package profiles * regtest: support read-only bind mounts, also bind-mount permissions repo * tests: introduce a regression test suite for chkstat- Update to version 20181224: * whitelist WMP (bsc#1161335) * Makefile: allow to build test version programmatically * chkstat: handle symlinks in final path elements correctly * add .gitignore for chkstat binary * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) * fix syntax of paranoid profile- Update to version 20181224: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: capability handling fixes (bsc#1161779) * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647/bin/shs390zp34 1663133126 20181225-150200.23.15.120181225-150200.23.15.120181225-150200.23.15.1permissionspermissions.easypermissions.localpermissions.paranoidpermissions.securechkstatsysconfig.securitypermissions.5.gzchkstat.8.gz/etc//usr/bin//usr/share/fillup-templates//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:25918/SUSE_SLE-15-SP2_Update/b2073a6e79212dec5a376adb0f1b5388-permissions.SUSE_SLE-15-SP2_Updatecpioxz5s390x-suse-linuxASCII textELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, BuildID[sha1]=a2cdd68ee8e9eacce8eb17e1b4b125d239e38c54, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)R R RR R RwFL vJlutf-8d4c8980b727ad8a0b75d2fccb18dccd4bee509329cb2d43f1bebf122242edb18?7zXZ !t/U] crv(vX0M{]}:cg="wRO+3z2R8KEv&eU~U j/I}iD65T1ZGK-@Ff5*OU" B^rT!D5L?w V 6'<hQ(;WA.N_ڱAZ?/[5(j6HDѶ}%n/sR1s tbE$5-e&y I+g'^_wVγVZDd߮n^FfFySg`3Sc\ 38=wz!f)iY9i(ڹސh+p ܮqp  6 EjF'5Npڅ?z/[Y GC4EA_C=7AC@n޾:L7deJC𮡱xxLR OE8KВVZb(i/\(v37#!nSиڴ(w6*l0#'r P]oڱ WйyN)r␪em``y,!u߀؛ Yԓ j٪w(֨57~L'&Rs:՞DMRX< I߀t l fO; )H욄לE)A#GB;:ibu86딈#jf0 2 4ֹ]j)NvD-xhg9O6Il)= 3͂Ѓ s.am*kx,b=7.By2zVΙWT~Gcx5r7D2YG%"@*^ :".`gb2i-g/Ko(rN SMfãS4VTu6\ޛ zB8] ~ ~J:.9 x,v"dQ+`1+0sRXВ\Y/j[_]׋ z2]I31এ1l4VY@ # 12~\?G7$::R{eDV .nC Q("r5P5ҍ ʯ/Ї/ sK}[cZIP.$2YQbfACҡ;KO8&JY5u/HW2mSe_l]Ok8r4i uϰ Nj';| 42yELzVɾe~D:~V¾I9p}y<29y"93C}?$GafF Ho AcC9=l6GȆ Z!='ƆNZ#A!OJ4O&ޟwh(p9 (jX!T+*>,&{ۚ!U8؏f,\]o`M.` Q{ Іɼ+?ZaOu{>,=ɻ &Dn6|VId+%}h$R=5E&SM gב[fZPV m"KB'ڧOVG U2or_o_& o|_7Pʴq͠W͂Z?aDZH7)-!~k"w*V"9ՊSG `@7F9cHЯR\_glFV3?m&)o@syo@㲈;~i6A '; '%dI2vB8[,_zɔHE*qcX04!_Lq^Od d-2'f6#m%?Z'"!%[Ó2 wC3ChcĒf[Qqm,B( Sf|4.FSRu1Xv]_>5`_pgU1̘[ե}.uWs֭mRdqi˭sބ,=T U~IЅV%"0N-r[0# )ӟ"rBj"ZviG]֠*~u1 5`Wrz%> J2{Ŏs@e7TJcWbzb)ܸTa5LN4z3>Ӵk\ MQ@"l+֎d3 lAbb\ݗvOG`3V_%1%߀_]yc&dhHXF"__4zD" 3(VK6nrۓv]C gw Fv71$ru!I=w9kAX'4HJyZ ,@x?-sAX ̖Wi5ǭG$߂&@B iқ&ni*x;y1vu[ʀdhp1~q9&9:5d}\RaҨ4oD( 5y_M`0^o@bU@ObS ~Oxp1N~0hH(B.zL\_\z(eBpי|6Wc>"h^t8؞hI ~'v$+tꞦ7u3-5OcQp,ud"֚ęָj%zGjʖwg _ UghaZ`ju擤C0/sWIP W>w>K2ɂ[)q?/t}{m\oUm=m״|yK~'Ս(j՛3\~3>-k4_Z{͝flܽ/tt)!VKTk޻)w}kEj.zxPfBZ9[Ska)Ny5r㈺0bffMp '$KIsk4rM-{S?!K2{Xxu,L=N|-FP+7u^23L|~'E1Ⱦ[d/[3v A'i?cڌ,jENOuN%V4nbYns۵GoF%Y@XgYA _ɊW6ATrn:5nY<@L)׍@nRb~:QZMkFwӬ<#xOԉZ?ݯs 6+:6ZZCy/Ta-aE/9Eq9(ᭉȉZT!E M wb8̍֩/HD˅*I*AGfrg6{?q+Ös(UHA 0\'{ճ\lpJQmξa_Icte cMd )uVzbijQڳr#`P򼔄Ԛ$ڳ"aۇi2cهęH!zCy7]0DOAg 2tT\pVp+(G]Npև r< L)2 UYmjNS~ĭ[>KMG>*rgA\ޥ ^op@] @gWQ8L bB>?R\е-8uHsJ omTnU#]+g'rPsf!ZgH}\U".I;S3~mWgFUW)nK'ྥU:Έe,/ @3`]\QbӬ&?}j,"/d0¤.tH RЭ6;z C;M.=d=%3a5sA+ Ql%T P{ D>Vܓn~B4)r6]%Y] k"w^1 yH6ue6[^_vlȺyu$K-+9EWI]L ]Z"bl-am43{6YD w~, $N7mHBjظ ^F;ݩwEY!9Q:!a`ǟ ["n2\[ȴӜ+घʢ,X*,՘3m>-lŒD/$3H,Mj5=ͣ@!RvZL6DDK_Ym /&eM}P N!ozj^T=ė h\l*܎YEjyD\NN,R_Ù|p Ioz~Xᶱ\Jϴ>:DzR> >`>:\Zr iF`bSЈ5D7uym\=XA&4.mB+eEr_<$qwsF@I[a~ PÇ8hr1/YTgg8>$ίr#61IxqP'o)Y($+\<]#WG#'>ήKg,L$uX)[:FD׼L%@!E7}+IإuaػZ3% A P\9Oиڔjt d5? 9PЙ+59cf,㤑6_nv Hiw,dfT.(3elpȞMuSY%QH+js"Y<PC̵J"OV>N6FZZٝd]P!~Ͽ21ӿܭ?!=#𭃊GdxShJ"p)OEƀh`MT֝anHҠ]O*<%GEP!µ1d) ( g* ᚝_#ShR2 [d$!$ÏD܋}rqMU<݋mkN50sbovi pI]OтZx[S;V}U3 D̰Gڡ:{0F}a]f)BGh0ݧo F _vpTmMlU AAH5b)DWc Z ̓dO=F?<2Yodw4B 2% j.P^Y3w#$-;3 w#ncܶh,jwEAi?)-GDPfsBG>=}yI!ݘI]2XE"% Pǁ ~:8)aʓNI^T5 .NX%`%>FѢW{0>#K )5<-Mx=ɇkan2md! 8qX>Sg +~x$weU^U2E!}gup[Ywspg?Ƹp +G4(|B:ԭy vr)L.+i윰 c4XACn(Q(-AhMNV6ԏ5V@`d,|>bi}ȶq܃fù1\ܮw O)I>;I$vCқs& (0lG%T}.җ&!&G+xΧpEKԁHA+ܟ\ mW>oWg젲&Q g^Uye\ۇR_6UW\DxVakϷ߲njrݑkmSe= ,ZaSg 85蘋@|Wkҷj1& ^IiK'x77 RI ) mBƜ+_(EbfJ nB 5 mEdԐ=SH:0Q3 ;]A_c7MhO_2bI_#.tX_럐ZX_IMoR@NWJA"l el"w8+T*OU2j<fXLmAOCZT9hQC>AgNn@| XwlD/sJ~6~[?ʻ'ڌ4&nuo w0jj uvX(ʬbƒdD_ِ\c i[rFw+e}J5Ե{ӊ(8^;HCє_d5!inb5zYff-{zT %5~[٘k." }'ӁnBYE!R3u6m~h"{X3_|Q]~F/Tk|iV; P*}ݘ\ ֕F U:SܗE-ӇõYzx{@}l;zu#%v bBuzOJδ-uj6du[^+ԏgvf:k/kۋOؓ'[EPSåy?lGU,e8h| j-} 4rjk%ܐKPbm !/9ko ! >Gˊ]`ªw[_Q|J[~{P\o.YjA~ta:3C#b =+4C9 (N[5K,*dɁ4(_} >+9~bsoWwa-BQF 疚3Ъ"ﳒd߄3N1Z\n^<} ?4VP.m~(UdIե3T؊cOSv`{L_Ef Ӫ!oPBg=Qcwޡb>0߇^ڋ&Lܙ!S U ㌾R9l<`,_. 1䟖D tT=f_tVK(WGpy~ރ\1YVW{TU؎OX־3ej4vA{l b5ZپU)- @>* AIOɬ:Iu(A /ĸ?$Q ])/ۈj'2>-Ri`E[ŪaLy"hM'j3nLC~jZ"vP `$2rUuߚ j,g{͸Itfٹ=a d4V\&+bj5X K=UGeQDtө!j3P ]So2mfi Pc ̅ + e.jܡ` R IFd4 Fc%i;//JOG,2U/Ф@Id-YHƣZYC‹KKq0`ZҬ'_ӥ& aʎt< `ˎ^IWc+q4zE ʸ,y{Cw_)yl̢-"[/̘X]fv!Ǿ1d[ u7*^r' HӋ;KFߢWψSBX MZo 09\ _,1v*t#fN8[@^dY¿ܼ|+egD$D3[ NlqН3#IV9%pcg(XyDAfS /WkҘt. ۚ7*/vw5T*HSw@;C*kr`g0 S7 N}ѽ_'z`2|`jL(8qB3AJc.Ϟ[ޟSgOŠE~"3st.n`m A"$+LoaI H4Ǔa]'t4 9GedCSpe3O*\v$# V, VyJT k1p` ,̄{̰WGS \ 3qg&Q{Dwnܣ:ZS!D:PF3w\e|L.Õf<"M55Hޱ^)H :Nh{ ^+n-Bʋ:lA$v٨8lO 6[?#m^V)HWko٧Ò3  .hc +AFI"a>5f Oz/L\G w _e:f ,g]4H -P~xsW6%.(/ZcΨq^q!U/{^ iTm-R.`t<mDR{,u60.*e&8ϿkLKʽ(]ƒ5vvU?{ nDZ30HLX mA-yv22N*F0b=HD{.g_!`-J{8wBr0?qa`z+k_74 -i*fR]?$8-}xTevk^WXS-$ M6j8ȕFJc]1[ğM뎒 u$7Vg~>YX N"| IX ϋ;5sU*js3+"8@yt(6X9W_?f#I5;/ DPrFK5Y@Cvt%-{tr"{Ҙ 쳉ĩMf*QB}V<|&}7iM;LmZ8KsQDȃ+pj٪v˛ΘT5?o8%nj1j&-z @E8d.:6W>?=kAIIW_gƷ6[jʹmvK`Ty7]b>Y!d ئif|DNљxj Z[F`"E¬xq=2pxkוYЄ157e*MJ(mP dk5@vB7j(_4tTNyƂ-®Q09rJ7xϾVL!ccgcTRrJcRJK &R%fA~? H9SA'8IQ"C6ul j7(Rx?Vh6G{gp(,S>`1H_Xwk'7?4[!Ոk5/>Bk[8[C-b+*tV{1nAF#bZdFI_.C͆\JG^^=6۩?W7Kګw6M+f#)y < l"O".@8@)"3Y!~,uc+YWEΡ%սa R 9= ?J HOZٓT:x2 /&*].1f%L{4 E[Ûd? G7JRgjg_PJ9F˹ c%%INVO7ɉW^ӑN.xN:\FIJjt1C(KpbIMH{3>} I`܌ .3j,bUHY[1:Eh]QiZSӱߣ#r?j3;{;WqOT76B}x#?'e(hS(37 d|Êw޿ͳ q0ȯ%N#GL{؜]/Q;ؔ ֤eWsqX( v|&ec;}nZA(9p \G"$^Uէ9d=Z jQ*`^Gh *ŵ>Ul1MpS\Џ2]ޓPk'C} [y¾Q3FEDu/ #FI`AzAO=4X#1j=e}U= 7kA9jI' s&{WȁL4 #l}| ou6ʝ#>}Ɓl@cPuSS$$=%b^OX/Xdͬ\tC+;(~3 WyH189HȍMɷQs4|[#n_aPg~o'C>_+blaRWΡl/-2Z(BY_O[t)KNfj1`w:*/ IE}XO=>Ϣ2ుۡ)v$"Dkࡘެپג'@ʪt|%LLOE-ȚB;V8֒Wf".8u>\]b^j8sq6L|-b+`h#1 6DO6D#$E$vgY {Irg]$'@~Q96Kd!9 2t82DZ5M*.^6]Բz?n v)1cԙ[Qhïs5״.6XM3^~Tj,Q~4t3L"E=V4&{{GCTr?~W$IṖlܠD73:gNP$ wm z~Bf*sz3ݭ9.c7G'X/w5kܰ"F:f zWԟ'Z[Bo.stΨ}8n`,1'%{oR 'h:x=jp)k@Di,ح$gC WUKC|CLA'4Qg9`5!n6J >e 쩢VU+1]@"0 ^|sdKJeQG.KMIy)bznn "?Mn$4huة4˺G] uec ǥ0Rsg]B1E {S֋It:C+ M5C2 7О&@:62JoSIS3%@ !JD]cN,HrʙC[Ylvhf@"#V:ѬY\$UcbъhϘ|لh OibPz.^VSy2$h7%3˝-ZL1NSQA ɏWwx104zBOHg]U zq92)QN!VIQ#Y;;Pu_Fس̫;\q0))VYi<[=iۧ5xάy1 8tGWb i(2ₗ xkR+P\J"%r EWЬv,or =[*!)3 Lt04+-wgUQlŒFJJGJ Oȅgº wԁ?Cgӟ8hG|ـUvL@Id zġ! %?n;4#HYJuДvQZxzxYH) >j;TCd 348H>|:t*<$vu6A}AY@,v\̻"B>=jbW)(G <)vǠHLC/ $v K="d8ēpd 6NvlƙFzڒx -:slϦa<6 _HGD2kW` `z͈g+(b`W1 JN~koA8pԴy-A i+M˴|Fgb"IaZ0 _HB<t榜oU؞z J?&7B8._ ;a$n8f+{[J[0 H, 7<Ez3&eQW806v68m,PXy'3Dg7-g]Ph+}!0}, X tPC*)=5 X#&qHWv06bE3*$_>'%VH:a$aioJXO7 d0Pk60k9jrYZm Cφ ̀ r{|.srႳ"obK"sF8if AxqT2s{L[$FsW( O6kyZkwRN|=coƄ%@Ÿ(%St:=aDٙm2*-{{P*;&Q8ބ/'̻_'3 w9V|ɹ|{tx|GӮ.>$R<KLpFc}ts*L'>ʩ6lUij >? aVzHXOpE8 Od0Q xq3jlnp)tݘ1}IK0#w@>z&I*Q{DCzMOxotzWo2{meOp P ⽊PؤGHY5nbWʥc V)xwC9s<\uȻ ,8;[|b2Ѯϧ`^@o&HzoP ܤ IBn<]dE_n[6MKbb/۾'=%[M3rO;G BFBj-nx!XWv:DBX J=A9L~3L{bvC L@{ğ3NX4]2o@+h=R˒/ŽS89+;.%WV3 BK腙˻gt}XB_> _?뉐~e|DFF ^͕!Hs!pU$+Q,k\7%n&@WR-g8 v؜i|̆7K/5 }>5'Ng:[d% 9n R|8I7f 1xiixi햔Q$I-uM%ε|\D<Js,zУwO{ƬPRpWTB`_s#1aȾD !qQT0#3yKU8ҡ"vT*J4prBf{߄y  #`ʖV gR(Tl^ɖMZhӀ8!ilDqoVRȅ(|ZfB?}?r,7:ފ2yEf[{ܽdxJaDR61Nv뼦Z -M.IBJ@Zm(LfjG ƑTCtWZ<3]|ǚ/]`TYU<A?} ZC#w#UsF@O&mQ"os2?6qg`yDG߶D+J _o.BzM̺ 'Vlv]}SGj<.dq(j`=BcZ5 x)蚖8y[=\5ه!{,nu%@+%a5@7Cy1uZAhx#W@տ!ۀ+M- NT0jd*eCD=ɴ7C=]1-,F.KA\*mAZQ^'3(% g*sݷ?ԍݮ#Gċ]|HZۮo.]~ :{LOWx8&s젫@8Vc.J_ՀVyR&|k^?1p닚S;T+({?%h)@$:*g[ R&Gj+Q+؜H_ o)5ZX|R Ջ[g98E%)z6Sn1m2.S͛`y3g2sUv2.NV_"rYHF_rK,k'6pwc_b ^X{&fZB?fOQdrL(1<Ƌ1)e,Ýj$~VX/ڤxlp-O53\' úM`=H+$I˾-ӧ'n%XO:!FrݭឥK̄@BWR`j9(ch*. r |~8ysBoo:LDә,W-q` K%9CRы,d$w쓰?K*Lg]h>hud;]]7 h| : lkMW;m\oOƇJ(a5I5cT7rZ>p8^oPȕE#i es_}R)A@+*p_.,GuXv@Z:'wov[f'((֖FL?ه*@-g/5-$1 ki ~‘*7=cLeBqADf S1d^v2_LceM]i;4"]#a*n!`U ܋sWesJJ&8?ϛL=v_ Ź| 8?@o` Wyj= `H"D_ `|F9JTu6bds x%_QˇsF݅>w _ ) +a,v+3_̞fӯxcy  7Ѣ[@52;, i<5 %f ^9]z#|]׎nP =AL@G=={0k]!dXТKNߨ-!~u;a^[ :_u#e$9A[ rbl7ĴNΡ4PTv**'9nL*/KW9jY*|&ް7^>NW wU^{u~)+Aٵ~܉#V|sŴS=0M9J~nrhXtghCmYxJn7HnG$ZEs4] jrӎ8\ld}-Չ)`QcJSR]">>^wu"ÊiƭOm[EMBrG\>'W%d2хh+r[^0o*B-gUIbx4S{yl NF8?tYȭ]k3T8N̮UaF_6G/H cu#}q؀IIOW0LȒ1۳9`$GN\`xQXi[M#`O8 7jO8iec~~xe- XX>k+!pܠ{wK?.̼" .g}=-[-8e px9jsFoZ ªn(π蚟g0XuDTK/6 m\艌_ KNu[5[z/X?rC5 -nJ UVePA36 mBgp@E٫R YZ