permissions-20181225-150200.23.20.1

Name         : permissions
Version      : 20181225
Release      : 150200.23.20.1
Architecture : s390x
OS           : linux
Summary      : SUSE Linux Default Permissions
Group        : Productivity/Security
License      : GPL-2.0+
Vendor       : SUSE LLC
Packager     : https://www.suse.com/
Distribution : SUSE Linux Enterprise 15
URL          : http://github.com/openSUSE/permissions
Build host   : s390zp32
Cookie       : s390zp32 1666157509
Source RPM   : permissions-20181225-150200.23.20.1.src.rpm
RPM version  : 4.14.1
Platform     : s390x-suse-linux
Payload      : cpio, xz, level 5
Encoding     : utf-8
Dist URL     : obs://build.suse.de/SUSE:Maintenance:26483/SUSE_SLE-15-SP2_Update/6c460f7c6848dc3f6bfdad8030a0d406-permissions.SUSE_SLE-15-SP2_Update
Opt flags    : -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g
Payload digest : 1b795c33a38dc71092a360fe805aa27bbe0fed09af5fbab809c00df23ee81bb9

Description:
Permission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.

Provides:
    aaa_base:/etc/permissions
    config(permissions) 20181225-150200.23.20.1
    permissions 20181225-150200.23.20.1
    permissions(s390-64) 20181225-150200.23.20.1

Requires:
    /bin/sh
    config(permissions) 20181225-150200.23.20.1
    coreutils
    diffutils
    fillup
    grep
    group(trusted)
    libc.so.6()(64bit)
    libc.so.6(GLIBC_2.17)(64bit)
    libc.so.6(GLIBC_2.2)(64bit)
    libc.so.6(GLIBC_2.3.4)(64bit)
    libc.so.6(GLIBC_2.4)(64bit)
    libcap.so.2()(64bit)
    rpmlib(CompressedFileNames) 3.0.4-1
    rpmlib(FileDigests) 4.6.0-1
    rpmlib(PayloadFilesHavePrefix) 4.0-1
    rpmlib(PayloadIsXz) 5.2-1

Files (all owned by root:root):
    /etc/permissions
    /etc/permissions.easy
    /etc/permissions.local
    /etc/permissions.paranoid
    /etc/permissions.secure
    /usr/bin/chkstat
    /usr/share/fillup-templates/sysconfig.security
    /usr/share/man/man5/permissions.5.gz
    /usr/share/man/man8/chkstat.8.gz

File types in payload:
    ASCII text
    ELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, BuildID[sha1]=447702cf11bd53b1235afffddf2e9e800d7b6287, for GNU/Linux 3.2.0, stripped
    troff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)

Post-install script (/bin/sh):

    PNAME=security
    SUBPNAME=
    SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME
    # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR
    if [ ! -f $SYSC_TEMPLATE ] ; then
        TEMPLATE_DIR=/var/adm/fillup-templates
        SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME
    fi
    SD_NAME=""
    if [ -x /bin/fillup ] ; then
        if [ -f $SYSC_TEMPLATE ] ; then
            echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..."
            mkdir -p /etc/sysconfig/$SD_NAME
            touch /etc/sysconfig/$SD_NAME$PNAME
            /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE
        fi
    else
        echo "ERROR: fillup not found. This should not happen. Please compare"
        echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and"
        echo "update by hand."
    fi
    # apply all potentially changed permissions
    /usr/bin/chkstat --system

Changelog (entries in header order, each preceded by its author):

* matthias.gerstner@suse.com
- Update to version 20181225:
  * Revert "drop ping capabilities in favor of ICMP_PROTO sockets".
    Older SLE-15 versions don't properly support this feature yet (bsc#1204137)

* matthias.gerstner@suse.com
- Update to version 20181225:
  * fix regression introduced by backport of security fix (bsc#1203911)

* matthias.gerstner@suse.com
- Update to version 20181225:
  * chkstat: also consider group controlled paths (bsc#1203018, CVE-2022-31252)

* jsegitz@suse.com
- Update to version 20181225:
  * setuid bit for cockpit session binary (bsc#1169614)

* matthias.gerstner@suse.com
- Update to version 20181225:
  * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)

* matthias.gerstner@suse.com
- Update to version 20181225:
  * etc/permissions: remove unnecessary entries (bsc#1182899)

* matthias.gerstner@suse.com
- Update to version 20181224:
  * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)

* matthias.gerstner@suse.com
- Update to version 20181224:
  * profiles: add entries for enlightenment (bsc#1171686)

* malte.kraus@suse.com
- whitelist texlive public binary (bsc#1171686)

* jsegitz@suse.com
- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)

* jsegitz@suse.com
- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)

* jsegitz@suse.com
- whitelist s390-tools setgid bit on log directory (bsc#1167163)

* malte.kraus@suse.com
- run testsuite during package build
- Update to version 20181224:
  * testsuite: adapt expected behavior to legacy branches
  * adjust testsuite to post CVE-2020-8013 link handling
  * testsuite: add option to not mount /proc
  * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922
  * add a test for symlinked directories
  * fix relative symlink handling
  * regtest: fix the static PATH list which was missing /usr/bin
  * regtest: also unshare the PID namespace to support /proc mounting
  * Makefile: force remove upon clean target to prevent bogus errors
  * regtest: by default automatically (re)build chkstat before testing
  * regtest: add test for symlink targets
  * regtest: make capability setting tests optional
  * regtest: fix capability assertion helper logic
  * regtests: add another test case that catches set*id or caps in world-writable sub-trees
  * regtest: add another test that catches when privilege bits are set for special files
  * regtest: add test case for user owned symlinks
  * regtest: employ subuid and subgid feature in user namespace
  * regtest: add another test case that covers unknown user/group config
  * regtest: add another test that checks rejection of insecure mixed-owner paths
  * regtest: add test that checks for rejection of world-writable paths
  * regtest: add test for detection of unexpected parent directory ownership
  * regtest: add further helper functions, allow access to main instance
  * regtest: introduce some basic coloring support to improve readability
  * regtest: sort imports, another piece of rationale
  * regtest: add capability test case
  * regtest: improve error flagging of test cases and introduce warnings
  * regtest: support caps
  * regtest: add a couple of command line parameter test cases
  * regtest: add another test that checks whether the default profile works
  * regtests: add tests for correct application of local profiles
  * regtest: add further test cases that test correct profile application
  * regtest: simplify test implementation and readability
  * regtest: add helpers for permissions.d per package profiles
  * regtest: support read-only bind mounts, also bind-mount permissions repo
  * tests: introduce a regression test suite for chkstat

* malte.kraus@suse.com
- Update to version 20181224:
  * whitelist WMP (bsc#1161335)
  * Makefile: allow to build test version programmatically
  * chkstat: handle symlinks in final path elements correctly
  * add .gitignore for chkstat binary
  * faxq-helper: correct "secure" permission for trusted group (bsc#1157498)
  * fix syntax of paranoid profile

* matthias.gerstner@suse.com
- Update to version 20181224:
  * mariadb: settings for new auth_pam_tool (bsc#1160285)
  * chkstat: capability handling fixes (bsc#1161779)
  * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594)
  * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)

* matthias.gerstner@suse.com
Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package.
Therefore remove all of the following patches which are now included in the tarball:
- 0001-whitelisting-update-virtualbox.patch
- 0002-consistency-between-profiles.patch
- 0003-var-run-postgresql.patch
- 0004-var-cache-man.patch
- 0005-singularity-starter-suid.patch
- 0006-bsc1110797_amanda.patch
- 0007-chkstat-fix-privesc-CVE-2019-3690.patch
- 0008-squid-pinger-owner-fix-CVE-2019-3688.patch
- 0009-chkstat-handle-missing-proc.patch
- 0010-chkstat-capabilities-implicit-changes.patch
Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update:
- Update to version 20181117:
  * removed old entry for rmtab
  * Fixed typo in icinga2 whitelist entry

* malte.kraus@suse.com
- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch)
- fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)

* malte.kraus@suse.com
- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)

* malte.kraus@suse.com
- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)

* malte.kraus@suse.com
- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)

* jsegitz@suse.com
- Updated permissions for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)

* malte.kraus@suse.com
- Added ./0005-singularity-starter-suid.patch (bsc#1128598)
  New whitelisting for /usr/lib/singularity/bin/starter-suid

* jsegitz@suse.com
- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man.
  Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)

* jsegitz@suse.com
- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650)
  New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox
- Added 0002-consistency-between-profiles.patch
  Ensure consistency of entries, otherwise switching between settings becomes problematic
- Added 0003-var-run-postgresql.patch (bsc#1123886)
  Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve

* opensuse-packaging@opensuse.org
- Update to version 20181116:
  * zypper-plugin: new plugin to fix bsc#1114383
  * singularity: remove dropped -suid binaries (bsc#1028304)
  * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds
  * setuid whitelisting: add fusermount3 (bsc#1111230)
  * setuid whitelisting: add authbind binary (bsc#1111251)
  * setuid whitelisting: add firejail binary (bsc#1059013)
  * setuid whitelisting: add lxc-user-nic (bsc#988348)
  * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956)
  * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420)
  * Fix wrong file path in help string
  * Capabilities for usage of Wireshark for non-root
- remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.

* matthias.gerstner@suse.com
- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.

* meissner@suse.com
- Update to version 20180125:
  * the error should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247)
  * make btmp root:utmp (bsc#1050467)

* krahmer@suse.com
- Update to version 20180115:
  * - polkit-default-privs: usbauth (bsc#1066877)

* kukuk@suse.com
- fillup is required for post, not pre installation

* mpluskal@suse.com
- Cleanup spec file with spec-cleaner
- Drop conditions/definitions related to old distros

* astieger@suse.com
- Update to version 20171129:
  * permissions: adding gvfs (bsc#1065864)
  * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410
  * Allow fping cap_net_raw (bsc#1047921)

* rbrown@suse.com
- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)

* krahmer@suse.com
- Update to version 20171121:
  * - permissions: adding kwayland (bsc#1062182)

* eeich@suse.com
- Update to version 20171106:
  * Allow setuid root for singularity (group only) bsc#1028304

* jsegitz@suse.com
- Update to version 20171025:
  * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)

* astieger@suse.com
- Update to version 20170928:
  * Fix invalid syntax bsc#1048645 bsc#1060738

* pgajdos@suse.com
- Update to version 20170927:
  * fix typos in manpages

* astieger@suse.com
- Update to version 20170922:
  * Allow setuid root for singularity (group only) bsc#1028304

* astieger@suse.com
- Update to version 20170913:
  * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)

* opensuse-packaging@opensuse.org
- Update to version 20170906:
  * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764
  * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)

* dimstar@opensuse.org
- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.

* meissner@suse.com
- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)

* meissner@suse.com
- Update to version 20170602:
  * make /etc/ppp owned by root:root. The group dialout usage is no longer used

* meissner@suse.com
- Update to version 20160807:
  * suexec2 is a symlink, no need for permissions handling

* meissner@suse.com
- Update to version 20160802:
  * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282)
  * root:shadow 0755 for newuidmap/newgidmap

* krahmer@suse.com
- adding qemu-bridge-helper mode 04750 (bsc#988279)

* dimstar@opensuse.org
- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is exactly %cd in the _service definition). Upgrading is no problem.

* meissner@suse.com
- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)

* meissner@suse.com
- permissions: adding gstreamer ptp file caps (bsc#960173)

* meissner@suse.com
- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)

* meissner@suse.com
- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363

* meissner@suse.com
- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789
- added missing / to the squid specific directories (bsc#950557)

* meissner@suse.com
- adjusted radosgw to root:www mode 0750 (bsc#943471)

* meissner@suse.com
- radosgw can get capability cap_bind_net_service (bsc#943471)

* meissner@suse.com
- remove /usr/bin/get_printing_ticket; (bnc#906336)

* krahmer@suse.com
- Added iouyap capabilities (bnc#904060)

* meissner@suse.com
- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093)
- permissions: incorporating squid changes from bnc#891268
- hint that chkstat --system --set needs to be run after editing bnc#895647